Merge pull request 'fix: vault role fails on new servers' (#120) from neoloc/vault_initial into develop

Reviewed-on: unkinben/puppet-prod#120
2024-02-25 19:43:04 +09:30 · 2024-02-25 19:43:04 +09:30 · b1083df6f1
commit b1083df6f1
parent bc3084a1e7 48e0bd6796
2 changed files with 54 additions and 50 deletions
--- a/site/profiles/manifests/vault/server.pp
+++ b/site/profiles/manifests/vault/server.pp
@ -1,7 +1,10 @@
 # profiles::vault::server
 class profiles::vault::server (
  Boolean   $members_lookup = false,
-  String    $members_role   = undef,
+  Variant[
+    String,
+    Undef
+  ]         $members_role   = undef,
  Array     $vault_servers  = [],
  Enum[
    'archive',
@ -22,12 +25,7 @@ class profiles::vault::server (
  $vault_cluster = "${::facts['country']}-${::facts['region']}"

  # if lookup is enabled, find all the hosts in the specified role and create the servers_array
-  if $members_lookup {
-
-    # check that the role is also set
-    unless !($members_role == undef) {
-      fail("members_role must be provided for ${title} when members_lookup is True")
-    }
+  if $members_lookup and $members_role != undef {

    # if it is, find hosts, sort them so they dont cause changes every run
    $servers_array = sort(query_nodes("enc_role='${members_role}' and region='${::facts['region']}'", 'networking.fqdn'))
@ -37,54 +35,61 @@ class profiles::vault::server (
    $servers_array = $vault_servers
  }

-  # set http scheme
-  $http_scheme = $tls_disable ? {
-    true    => 'http',
-    false   => 'https'
-  }
+  # configure vault if servers_array isnt empty
+  if ! $servers_array.empty() {

-  # create vault urls
-  $server_urls = $servers_array.map |$fqdn| {
-    {
-      leader_api_addr         => "${http_scheme}://${fqdn}:${client_port}",
-      leader_client_cert_file => "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.crt",
-      leader_client_key_file  => "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.key",
-      leader_ca_cert_file     => '/etc/pki/tls/puppet/ca.pem',
+    # set http scheme
+    $http_scheme = $tls_disable ? {
+      true    => 'http',
+      false   => 'https'
    }
-  }

-  class { 'vault':
-    install_method     => $install_method,
-    manage_storage_dir => $manage_storage_dir,
-    enable_ui          => true,
-    storage            => {
-      raft => {
-        node_id    => $::facts['networking']['fqdn'],
-        path       => $data_dir,
-        retry_join => $server_urls,
-      }
-    },
-    api_addr           => "${http_scheme}://${::facts['networking']['fqdn']}:${client_port}",
-    extra_config       => {
-      cluster_addr => "${http_scheme}://${::facts['networking']['fqdn']}:${cluster_port}",
-    },
-    listener           => [
+    # create vault urls
+    $server_urls = $servers_array.map |$fqdn| {
      {
-        tcp => {
-          address         => "127.0.0.1:${client_port}",
-          cluster_address => "127.0.0.1:${cluster_port}",
-          tls_disable     => true,
+        leader_api_addr         => "${http_scheme}://${fqdn}:${client_port}",
+        leader_client_cert_file => "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.crt",
+        leader_client_key_file  => "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.key",
+        leader_ca_cert_file     => '/etc/pki/tls/puppet/ca.pem',
+      }
+    }
+
+    class { 'vault':
+      install_method     => $install_method,
+      manage_storage_dir => $manage_storage_dir,
+      enable_ui          => true,
+      storage            => {
+        raft => {
+          node_id    => $::facts['networking']['fqdn'],
+          path       => $data_dir,
+          retry_join => $server_urls,
        }
      },
-      {
-        tcp => {
-          address         => "${::facts['networking']['ip']}:${client_port}",
-          cluster_address => "${::facts['networking']['ip']}:${cluster_port}",
-          tls_disable     => $tls_disable,
-          tls_cert_file   => "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.crt",
-          tls_key_file    => "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.key",
+      api_addr           => "${http_scheme}://${::facts['networking']['fqdn']}:${client_port}",
+      extra_config       => {
+        cluster_addr => "${http_scheme}://${::facts['networking']['fqdn']}:${cluster_port}",
+      },
+      listener           => [
+        {
+          tcp => {
+            address         => "127.0.0.1:${client_port}",
+            cluster_address => "127.0.0.1:${cluster_port}",
+            tls_disable     => true,
+          }
+        },
+        {
+          tcp => {
+            address         => "${::facts['networking']['ip']}:${client_port}",
+            cluster_address => "${::facts['networking']['ip']}:${cluster_port}",
+            tls_disable     => $tls_disable,
+            tls_cert_file   => "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.crt",
+            tls_key_file    => "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.key",
+          }
        }
-      }
-    ]
+      ]
+    }
+
+    # include unseal class
+    include profiles::vault::unseal
  }
 }
--- a/site/roles/manifests/infra/storage/vault.pp
+++ b/site/roles/manifests/infra/storage/vault.pp
@ -4,5 +4,4 @@ class roles::infra::storage::vault {
  include profiles::base
  include profiles::base::datavol
  include profiles::vault::server
-  include profiles::vault::unseal
 }