Merge pull request 'feat: vault use vault' (#226) from neoloc/vault_use_vault into develop

Reviewed-on: unkinben/puppet-prod#226
2024-05-26 00:38:55 +09:30 · 2024-05-26 00:38:55 +09:30 · ad268e8977
commit ad268e8977
parent ad4f9b81f4 7c0bf4a398
2 changed files with 7 additions and 11 deletions
--- a/hieradata/country/au/region/syd1/infra/storage/vault.yaml
+++ b/hieradata/country/au/region/syd1/infra/storage/vault.yaml
@ -16,11 +16,11 @@ consul::services:
      - 'https'
      - 'secure'
    address: "%{facts.networking.ip}"
-    port: 443
+    port: 8200
    checks:
      - id: 'vault_https_check'
        name: 'Vault HTTPS Check'
-        http: "https://%{facts.networking.fqdn}:443/v1/sys/health"
+        http: "https://%{facts.networking.fqdn}:8200/v1/sys/health"
        method: 'GET'
        tls_skip_verify: true
        interval: '10s'
--- a/site/profiles/manifests/vault/server.pp
+++ b/site/profiles/manifests/vault/server.pp
@ -18,9 +18,6 @@ class profiles::vault::server (
  Stdlib::Absolutepath $bin_dir     = '/usr/bin',
 ){

-  # use puppet certs as base
-  include profiles::pki::puppetcerts
-
  # set a datacentre/cluster name
  $vault_cluster = "${::facts['country']}-${::facts['region']}"

@ -48,9 +45,9 @@ class profiles::vault::server (
    $server_urls = $servers_array.map |$fqdn| {
      {
        leader_api_addr         => "${http_scheme}://${fqdn}:${client_port}",
-        leader_client_cert_file => "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.crt",
-        leader_client_key_file  => "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.key",
-        leader_ca_cert_file     => '/etc/pki/tls/puppet/ca.pem',
+        leader_client_cert_file => '/etc/pki/tls/vault/certificate.crt',
+        leader_client_key_file  => '/etc/pki/tls/vault/private.key',
+        leader_ca_cert_file     => '/etc/pki/tls/certs/ca-bundle.crt',
      }
    }

@ -82,8 +79,8 @@ class profiles::vault::server (
            address         => "${::facts['networking']['ip']}:${client_port}",
            cluster_address => "${::facts['networking']['ip']}:${cluster_port}",
            tls_disable     => $tls_disable,
-            tls_cert_file   => "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.crt",
-            tls_key_file    => "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.key",
+            tls_cert_file   => '/etc/pki/tls/vault/certificate.crt',
+            tls_key_file    => '/etc/pki/tls/vault/private.key',
          }
        }
      ]
@ -91,6 +88,5 @@ class profiles::vault::server (

    # include classes to manage vault
    include profiles::vault::unseal
-    include profiles::nginx::simpleproxy
  }
 }