From b9c327799f7b247a1406740bfb9cf2304887ee49 Mon Sep 17 00:00:00 2001
From: Ben Vincent
Date: Sat, 25 May 2024 14:37:13 +1000
Subject: [PATCH] feat: add vault service/query altnames
- add nginx aliases for vault services
- add additional vault certificates
- change certmanager script to use vault.service.consul
---
 hieradata/common.yaml | 3 +++
 .../country/au/region/drw1/infra/storage/vault.yaml | 7 +++++++
 .../country/au/region/syd1/infra/storage/vault.yaml | 9 +++++++++
 hieradata/roles/infra/puppet/master.yaml | 2 +-
 hieradata/roles/infra/storage/vault.yaml | 3 ++-
 5 files changed, 22 insertions(+), 2 deletions(-)
diff --git a/hieradata/common.yaml b/hieradata/common.yaml
index 66fddb6..54d0318 100644
--- a/hieradata/common.yaml
+++ b/hieradata/common.yaml
@@ -105,6 +105,9 @@ lookup_options:
 profiles::yum::global::repos:
 merge:
 strategy: deep
+ profiles::nginx::simpleproxy::nginx_aliases:
+ merge:
+ strategy: deep
 facts_path: '/opt/puppetlabs/facter/facts.d'
diff --git a/hieradata/country/au/region/drw1/infra/storage/vault.yaml b/hieradata/country/au/region/drw1/infra/storage/vault.yaml
index 2d3ed4e..3994ded 100644
--- a/hieradata/country/au/region/drw1/infra/storage/vault.yaml
+++ b/hieradata/country/au/region/drw1/infra/storage/vault.yaml
@@ -1,2 +1,9 @@
 ---
+# additional altnames
+profiles::pki::vault::alt_names:
+ - vault.service.au-drw1.consul
+
+profiles::nginx::simpleproxy::nginx_aliases:
+ - vault.service.au-drw1.consul
+
 profiles::vault::server::primary_datacenter: 'au-drw1'
diff --git a/hieradata/country/au/region/syd1/infra/storage/vault.yaml b/hieradata/country/au/region/syd1/infra/storage/vault.yaml
index d66aeea..cd463f7 100644
--- a/hieradata/country/au/region/syd1/infra/storage/vault.yaml
+++ b/hieradata/country/au/region/syd1/infra/storage/vault.yaml
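Review bot: The new `lookup_options` entry declares a deep merge for `profiles::nginx::simpleproxy::nginx_aliases` only, while `profiles::pki::vault::alt_names` — which this same commit starts setting per region in drw1 and syd1 on top of the role-level list — gets no merge strategy here. Unless one already exists elsewhere in `lookup_options` (not visible in this hunk), Hiera's default first-found lookup makes the region list replace the role list, so the issued certificate would carry only `vault.service.au-<region>.consul` and lose `vault.service.consul`, the very name the certmanager in this commit starts dialing over TLS. If that is the case, add alongside the new entry: `profiles::pki::vault::alt_names:` / `  merge:` / `    strategy: deep`. Worth confirming with `puppet lookup --explain profiles::pki::vault::alt_names` on a vault node in each region before anything relies on the new names.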
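Review bot: drw1 gets only `vault.service.au-drw1.consul` as a SAN and nginx alias, whereas the matching syd1 change also adds `vault.query.consul`. If the prepared query behind `vault.query.consul` can fail over to the drw1 cluster, a client dialing that name after failover is answered by a drw1 certificate with no matching SAN and fails hostname verification — exactly when the query name is supposed to help. Either add `- vault.query.consul` to both lists here as well, or record in the comment why drw1 is deliberately excluded, e.g. `# additional altnames (vault.query.consul omitted: the prepared query never resolves to drw1)`. The comment `# additional altnames` also reads as if it covers only the alt_names key; a one-line comment above the nginx_aliases list would make the pairing with the proxy vhost explicit.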
@@ -1,4 +1,13 @@
 ---
+# additional altnames
+profiles::pki::vault::alt_names:
+ - vault.service.au-syd1.consul
+ - vault.query.consul
+
+profiles::nginx::simpleproxy::nginx_aliases:
+ - vault.service.au-syd1.consul
+ - vault.query.consul
+
 profiles::vault::server::primary_datacenter: 'au-syd1'
 consul::services:
 vault:
diff --git a/hieradata/roles/infra/puppet/master.yaml b/hieradata/roles/infra/puppet/master.yaml
index 07ae874..f00b558 100644
--- a/hieradata/roles/infra/puppet/master.yaml
+++ b/hieradata/roles/infra/puppet/master.yaml
@@ -30,7 +30,7 @@ profiles::puppet::gems::puppet:
 - 'hiera-eyaml'
 profiles::helpers::certmanager::vault_config:
- addr: 'https://198.18.17.39:8200'
+ addr: 'https://vault.service.consul:8200'
 mount_point: 'pki_int'
 approle_path: 'approle'
 role_name: 'servers_default'
diff --git a/hieradata/roles/infra/storage/vault.yaml b/hieradata/roles/infra/storage/vault.yaml
index 1209319..7d5cc42 100644
--- a/hieradata/roles/infra/storage/vault.yaml
+++ b/hieradata/roles/infra/storage/vault.yaml
@@ -10,13 +10,14 @@ vault::download_url: http://repos.main.unkin.net/unkin/8/x86_64/os/Archives/vaul
 profiles::pki::vault::alt_names:
 - vault.main.unkin.net
 - vault.service.consul
+ - vault.service.consul
 - vault # manage a simple nginx reverse proxy
 profiles::nginx::simpleproxy::nginx_vhost: 'vault.service.consul'
 profiles::nginx::simpleproxy::nginx_aliases:
- - vault
 - vault.main.unkin.net
+ - vault
 profiles::nginx::simpleproxy::proxy_scheme: 'http'
 profiles::nginx::simpleproxy::proxy_host: '127.0.0.1'
 profiles::nginx::simpleproxy::proxy_port: 8200
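Review bot: `vault.query.consul` is added as a SAN and nginx alias with no explanation of what it is or why it appears only in this region; the comment `# additional altnames` says neither. A Consul prepared-query name is only safe to put in a certificate if every datacenter the query can resolve to presents a certificate containing that name, so the comment should state that coupling, e.g. `# region-specific SANs; vault.query.consul is the Consul prepared-query name and must be present on every DC the query can fail over to`. Since this file also sets `primary_datacenter: 'au-syd1'`, it is worth saying whether the query name is meant to follow the primary or simply whichever DC is healthy, because the two policies need different SAN sets.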
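Review bot: Switching `addr` from a fixed IP to `https://vault.service.consul:8200` makes the location of the CA that issues the fleet's certificates depend on Consul service discovery, so anyone who can register a `vault` service in Consul (or answer Consul DNS on the master) can steer the certmanager to a host of their choosing; the only control left is strict TLS verification of the server certificate against the internal CA. None of the visible keys (`addr`, `mount_point`, `approle_path`, `role_name`) pins a CA bundle or asserts that verification is on — the mapping may continue beyond the hunk, but if the helper has a CA-bundle setting it belongs next to `addr`, and any skip-verify option must stay unset. Note also that `vault.service.consul` resolves to every healthy Vault node, standbys included; if the Consul registration does not tag the active node, requests landing on a standby depend on request forwarding working, which `active.vault.service.consul` would sidestep (it would then also need to be a SAN). Consul ACLs on service registration are the other half of this control; worth confirming they are enforced in both datacenters.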
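Review bot: The added `- vault.service.consul` under `profiles::pki::vault::alt_names` duplicates the entry directly above it, so the line adds no name and the CSR either carries the same SAN twice or has the duplicate silently dropped by the PKI backend. Given the commit title ("service/query altnames") and that only syd1 adds `vault.query.consul`, this was plausibly meant to be `- vault.query.consul`; if so, decide whether the query name belongs in the role (every vault node) or only in a region file, and set it in one place. If the duplicate was simply unintended, drop the line — the `nginx_aliases` reorder in the same hunk is cosmetic and fine.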