feat: ensure vault restarts with ssl cert

- ensure the vault service resource subscribes to the ssl crt/key
- update unseal script to retry unseal process until it completes
2024-10-27 12:59:36 +11:00
parent 09a448ea52
commit ca87702466
2 changed files with 31 additions and 16 deletions
+15 -5
@@ -16,6 +16,9 @@ class profiles::vault::server (
Boolean $manage_storage_dir = false,
Stdlib::Absolutepath $data_dir = '/opt/vault',
Stdlib::Absolutepath $bin_dir = '/usr/bin',
Stdlib::Absolutepath $ssl_crt = '/etc/pki/tls/vault/certificate.crt',
Stdlib::Absolutepath $ssl_key = '/etc/pki/tls/vault/private.key',
Stdlib::Absolutepath $ssl_ca = '/etc/pki/tls/certs/ca-bundle.crt',
){
# set a datacentre/cluster name
@@ -45,13 +48,14 @@ class profiles::vault::server (
$server_urls = $servers_array.map |$fqdn| {
{
leader_api_addr => "${http_scheme}://${fqdn}:${client_port}",
leader_client_cert_file => '/etc/pki/tls/vault/certificate.crt',
leader_client_key_file => '/etc/pki/tls/vault/private.key',
leader_ca_cert_file => '/etc/pki/tls/certs/ca-bundle.crt',
leader_client_cert_file => $ssl_crt,
leader_client_key_file => $ssl_key,
leader_ca_cert_file => $ssl_ca,
}
}
class { 'vault':
manage_service => false,
install_method => $install_method,
manage_storage_dir => $manage_storage_dir,
enable_ui => true,
@@ -79,13 +83,19 @@ class profiles::vault::server (
address => "${::facts['networking']['ip']}:${client_port}",
cluster_address => "${::facts['networking']['ip']}:${cluster_port}",
tls_disable => $tls_disable,
tls_cert_file => '/etc/pki/tls/vault/certificate.crt',
tls_key_file => '/etc/pki/tls/vault/private.key',
tls_cert_file => $ssl_crt,
tls_key_file => $ssl_key,
}
}
]
}
service { 'vault':
ensure => true,
enable => true,
subscribe => [File[$ssl_crt], File[$ssl_key]],
}
# include classes to manage vault
include profiles::vault::unseal
}
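Review bot: The new `subscribe => [File[$ssl_crt], File[$ssl_key]]` on `service { 'vault': }` does a full stop/start on every certificate or key change, and a restarted Vault comes back sealed, so each rotation produces a sealed-and-unavailable window that the retried unseal script from the commit description then has to paper over. Vault reloads its listener TLS certificates on SIGHUP, so a `restart =>` command on the service that reloads the daemon instead of restarting it (if the unit defines a reload action) would pick up rotated certificates without sealing; `restart => '/bin/systemctl reload vault',` is the shape, assuming the unit supports it. `$ssl_ca` is now used as `leader_ca_cert_file` but is not in the subscribe list, so a CA-bundle rotation will not be picked up until some other event restarts the service. The subscribe also requires `File[$ssl_crt]` and `File[$ssl_key]` to be declared somewhere in the catalog (not visible in this hunk), otherwise compilation fails; a comment naming where they are managed would help the next reader, e.g. `# cert/key File resources are declared in <module or class placeholder>`.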