unkin/puppet-prod
2
0
Fork 0
Code Issues 10 Pull Requests Actions Packages Projects Releases Wiki Activity

feat: vault use vault

Browse Source 
- change vault to use vault ephemeral certificates
- remove nginx frontend to vault
This commit is contained in:
Ben Vincent 2024-05-26 01:06:48 +10:00
parent 22af602510
commit 7c0bf4a398
2 changed files with 7 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
hieradata/country/au/region/syd1/infra/storage/vault.yaml
View File

@ -7,11 +7,11 @@ consul::services:
- 'https' - 'https'
- 'secure' - 'secure'
address: "%{facts.networking.ip}" address: "%{facts.networking.ip}"
port: 443 port: 8200
checks: checks:
- id: 'vault_https_check' - id: 'vault_https_check'
name: 'Vault HTTPS Check' name: 'Vault HTTPS Check'
http: "https://%{facts.networking.fqdn}:443/v1/sys/health" http: "https://%{facts.networking.fqdn}:8200/v1/sys/health"
method: 'GET' method: 'GET'
tls_skip_verify: true tls_skip_verify: true
interval: '10s' interval: '10s'

14
site/profiles/manifests/vault/server.pp
View File

@ -18,9 +18,6 @@ class profiles::vault::server (
Stdlib::Absolutepath $bin_dir = '/usr/bin', Stdlib::Absolutepath $bin_dir = '/usr/bin',
){ ){
# use puppet certs as base
include profiles::pki::puppetcerts
# set a datacentre/cluster name # set a datacentre/cluster name
$vault_cluster = "${::facts['country']}-${::facts['region']}" $vault_cluster = "${::facts['country']}-${::facts['region']}"
@ -48,9 +45,9 @@ class profiles::vault::server (
$server_urls = $servers_array.map |$fqdn| { $server_urls = $servers_array.map |$fqdn| {
{ {
leader_api_addr => "${http_scheme}://${fqdn}:${client_port}", leader_api_addr => "${http_scheme}://${fqdn}:${client_port}",
leader_client_cert_file => "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.crt", leader_client_cert_file => '/etc/pki/tls/vault/certificate.crt',
leader_client_key_file => "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.key", leader_client_key_file => '/etc/pki/tls/vault/private.key',
leader_ca_cert_file => '/etc/pki/tls/puppet/ca.pem', leader_ca_cert_file => '/etc/pki/tls/certs/ca-bundle.crt',
} }
} }
@ -82,8 +79,8 @@ class profiles::vault::server (
address => "${::facts['networking']['ip']}:${client_port}", address => "${::facts['networking']['ip']}:${client_port}",
cluster_address => "${::facts['networking']['ip']}:${cluster_port}", cluster_address => "${::facts['networking']['ip']}:${cluster_port}",
tls_disable => $tls_disable, tls_disable => $tls_disable,
tls_cert_file => "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.crt", tls_cert_file => '/etc/pki/tls/vault/certificate.crt',
tls_key_file => "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.key", tls_key_file => '/etc/pki/tls/vault/private.key',
} }
} }
] ]
@ -91,6 +88,5 @@ class profiles::vault::server (
# include classes to manage vault # include classes to manage vault
include profiles::vault::unseal include profiles::vault::unseal
include profiles::nginx::simpleproxy
} }
} }