feat: ensure vault restarts with ssl cert
- ensure the vault service resource subscribes to the SSL certificate and key files
- update the unseal script to retry the unseal process until it completes
@@ -16,6 +16,9 @@ class profiles::vault::server (
|
||||
Boolean $manage_storage_dir = false,
|
||||
Stdlib::Absolutepath $data_dir = '/opt/vault',
|
||||
Stdlib::Absolutepath $bin_dir = '/usr/bin',
|
||||
Stdlib::Absolutepath $ssl_crt = '/etc/pki/tls/vault/certificate.crt',
|
||||
Stdlib::Absolutepath $ssl_key = '/etc/pki/tls/vault/private.key',
|
||||
Stdlib::Absolutepath $ssl_ca = '/etc/pki/tls/certs/ca-bundle.crt',
|
||||
){
|
||||
|
||||
# set a datacentre/cluster name
|
||||
@@ -45,13 +48,14 @@ class profiles::vault::server (
|
||||
$server_urls = $servers_array.map |$fqdn| {
|
||||
{
|
||||
leader_api_addr => "${http_scheme}://${fqdn}:${client_port}",
|
||||
leader_client_cert_file => '/etc/pki/tls/vault/certificate.crt',
|
||||
leader_client_key_file => '/etc/pki/tls/vault/private.key',
|
||||
leader_ca_cert_file => '/etc/pki/tls/certs/ca-bundle.crt',
|
||||
leader_client_cert_file => $ssl_crt,
|
||||
leader_client_key_file => $ssl_key,
|
||||
leader_ca_cert_file => $ssl_ca,
|
||||
}
|
||||
}
|
||||
|
||||
class { 'vault':
|
||||
manage_service => false,
|
||||
install_method => $install_method,
|
||||
manage_storage_dir => $manage_storage_dir,
|
||||
enable_ui => true,
|
||||
@@ -79,13 +83,19 @@ class profiles::vault::server (
|
||||
address => "${::facts['networking']['ip']}:${client_port}",
|
||||
cluster_address => "${::facts['networking']['ip']}:${cluster_port}",
|
||||
tls_disable => $tls_disable,
|
||||
tls_cert_file => '/etc/pki/tls/vault/certificate.crt',
|
||||
tls_key_file => '/etc/pki/tls/vault/private.key',
|
||||
tls_cert_file => $ssl_crt,
|
||||
tls_key_file => $ssl_key,
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
|
||||
service { 'vault':
|
||||
ensure => true,
|
||||
enable => true,
|
||||
subscribe => [File[$ssl_crt], File[$ssl_key]],
|
||||
}
|
||||
|
||||
# include classes to manage vault
|
||||
include profiles::vault::unseal
|
||||
}
|
||||
|
||||
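Review bot: `subscribe => [File[$ssl_crt], File[$ssl_key]]` on the new `service { 'vault': }` resource triggers a full restart of Vault whenever the certificate or key changes, and a restarted Vault comes back sealed unless auto-unseal is configured — presumably the reason the commit message mentions an unseal retry loop, although that script is not part of these hunks. Vault reloads its listener TLS certificate and key on SIGHUP without sealing, so if the systemd unit defines an `ExecReload`, a reload is the safer refresh action: adding `restart => 'systemctl reload vault',` to the service resource turns a certificate rotation into a reload instead of a seal/unseal cycle. Note also that nothing in this diff declares `File[$ssl_crt]` or `File[$ssl_key]`; if they are not managed elsewhere in this profile the catalog will fail to compile, and wherever they are declared the key file should be owned by the vault user with mode 0600, since the listener now reads it from `$ssl_key`. The enclosing `profiles::vault::server` class starts before the first hunk.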