feat: add vault server profile
- add vault module to puppetfile - define class to manage the install and config of vault - manage the datavol and raft storage - manage the unzip and other compression tools - define custom unseal script and service - add documentation on initial setup of vault
@@ -24,7 +24,7 @@ class profiles::pki::puppetcerts {
|
||||
ensure => 'file',
|
||||
owner => 'root',
|
||||
group => 'root',
|
||||
mode => '0600',
|
||||
mode => '0644',
|
||||
source => "/etc/puppetlabs/puppet/ssl/private_keys/${facts['networking']['fqdn']}.pem",
|
||||
require => File['/etc/pki/tls/puppet'],
|
||||
}
|
||||
|
||||
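Review bot: If this is the usual old-then-new rendering, the mode on this resource goes from '0600' to '0644', and the `source` two lines below is the Puppet agent's private key (`private_keys/${facts['networking']['fqdn']}.pem`), so the local copy of that key becomes readable by every account on the host; the rendered page has lost the +/- markers, so please confirm the direction before merging. If the motivation is letting the vault process read the key (the new server profile points its `tls_key_file` at `/etc/pki/tls/puppet/${facts['networking']['fqdn']}.key`), a narrower grant is `group => '<group the vault service runs as>'` together with `mode => '0640'`, which keeps world access off. The `file` resource these attributes belong to starts outside the hunk.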
@@ -0,0 +1,90 @@
|
||||
# profiles::vault::server
|
||||
class profiles::vault::server (
|
||||
Boolean $members_lookup = false,
|
||||
String $members_role = undef,
|
||||
Array $vault_servers = [],
|
||||
Enum[
|
||||
'archive',
|
||||
'repo'
|
||||
] $install_method = 'archive',
|
||||
Boolean $tls_disable = false,
|
||||
Stdlib::Port $client_port = 8200,
|
||||
Stdlib::Port $cluster_port = 8201,
|
||||
Boolean $manage_storage_dir = false,
|
||||
Stdlib::Absolutepath $data_dir = '/opt/vault',
|
||||
Stdlib::Absolutepath $bin_dir = '/usr/bin',
|
||||
){
|
||||
|
||||
# use puppet certs as base
|
||||
include profiles::pki::puppetcerts
|
||||
|
||||
# set a datacentre/cluster name
|
||||
$vault_cluster = "${::facts['country']}-${::facts['region']}"
|
||||
|
||||
# if lookup is enabled, find all the hosts in the specified role and create the servers_array
|
||||
if $members_lookup {
|
||||
|
||||
# check that the role is also set
|
||||
unless !($members_role == undef) {
|
||||
fail("members_role must be provided for ${title} when members_lookup is True")
|
||||
}
|
||||
|
||||
# if it is, find hosts, sort them so they dont cause changes every run
|
||||
$servers_array = sort(query_nodes("enc_role='${members_role}' and region='${::facts['region']}'", 'networking.fqdn'))
|
||||
|
||||
# else use provided array from params
|
||||
}else{
|
||||
$servers_array = $vault_servers
|
||||
}
|
||||
|
||||
# set http scheme
|
||||
$http_scheme = $tls_disable ? {
|
||||
true => 'http',
|
||||
false => 'https'
|
||||
}
|
||||
|
||||
# create vault urls
|
||||
$server_urls = $servers_array.map |$fqdn| {
|
||||
{
|
||||
leader_api_addr => "${http_scheme}://${fqdn}:${client_port}",
|
||||
leader_client_cert_file => "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.crt",
|
||||
leader_client_key_file => "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.key",
|
||||
leader_ca_cert_file => '/etc/pki/tls/puppet/ca.pem',
|
||||
}
|
||||
}
|
||||
|
||||
class { 'vault':
|
||||
install_method => $install_method,
|
||||
manage_storage_dir => $manage_storage_dir,
|
||||
enable_ui => true,
|
||||
storage => {
|
||||
raft => {
|
||||
node_id => $::facts['networking']['fqdn'],
|
||||
path => $data_dir,
|
||||
retry_join => $server_urls,
|
||||
}
|
||||
},
|
||||
api_addr => "${http_scheme}://${::facts['networking']['fqdn']}:${client_port}",
|
||||
extra_config => {
|
||||
cluster_addr => "${http_scheme}://${::facts['networking']['fqdn']}:${cluster_port}",
|
||||
},
|
||||
listener => [
|
||||
{
|
||||
tcp => {
|
||||
address => "127.0.0.1:${client_port}",
|
||||
cluster_address => "127.0.0.1:${cluster_port}",
|
||||
tls_disable => true,
|
||||
}
|
||||
},
|
||||
{
|
||||
tcp => {
|
||||
address => "${::facts['networking']['ip']}:${client_port}",
|
||||
cluster_address => "${::facts['networking']['ip']}:${cluster_port}",
|
||||
tls_disable => $tls_disable,
|
||||
tls_cert_file => "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.crt",
|
||||
tls_key_file => "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.key",
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
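Review bot: `String $members_role = undef` in the parameter list will not compile when the parameter is left unset, because Puppet type-checks the default against the declared type and `undef` is not a `String`; declare it `Optional[String] $members_role = undef,` so that the explicit check further down is actually reachable. That check, `unless !($members_role == undef) {`, is a double negative; `unless $members_role { fail(...) }` has the same effect (undef is the only falsy value the parameter can hold) and reads directly. `$vault_cluster` and the `$bin_dir` parameter are set but never used anywhere in this hunk, and the class mixes `$::facts[...]` with `$facts[...]`; settling on one form would match the puppetcerts profile it includes. The cert and key handed to the `vault` listener and to every `retry_join` entry are the puppetcerts copies, so the user the vault service runs as must be able to read that key; the permission change on it in the puppetcerts hunk should be scoped to that user's group rather than made world-readable.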
@@ -0,0 +1,37 @@
|
||||
# profiles::vault::unseal
|
||||
class profiles::vault::unseal (
|
||||
Array[String] $unseal_keys = lookup('vault::unseal_keys', Array[String], 'first', []),
|
||||
Variant[
|
||||
Stdlib::HTTPSUrl,
|
||||
Stdlib::HTTPUrl
|
||||
] $vault_address = 'http://127.0.0.1:8200',
|
||||
){
|
||||
|
||||
# deploy the unseal keys file
|
||||
file { '/etc/vault/unseal_keys':
|
||||
ensure => file,
|
||||
owner => 'root',
|
||||
group => 'root',
|
||||
mode => '0600',
|
||||
content => Sensitive(template('profiles/vault/unseal_keys.erb')),
|
||||
require => Class['vault'],
|
||||
}
|
||||
|
||||
# deploy the unseal script
|
||||
file { '/usr/local/bin/vault-unseal.sh':
|
||||
ensure => file,
|
||||
owner => 'root',
|
||||
group => 'root',
|
||||
mode => '0750',
|
||||
content => template('profiles/vault/vault_unseal.sh.erb'),
|
||||
}
|
||||
|
||||
# create systemd service unit
|
||||
systemd::unit_file { 'vault-unseal.service':
|
||||
content => template('profiles/vault/vault-unseal.service.erb'),
|
||||
active => true,
|
||||
enable => true,
|
||||
require => File['/usr/local/bin/vault-unseal.sh'],
|
||||
subscribe => Service['vault'],
|
||||
}
|
||||
}
|
||||
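Review bot: `unseal_keys` arrives as a plain `Array[String]` from `lookup(...)`, so the keys sit unredacted in the compiled catalog and in agent reports even though the file content is wrapped in `Sensitive` at the end; take the parameter as `Sensitive[Array[String]]` (or wrap the lookup result) and call `unwrap` on it in the template. The default `[]` is silently accepted: the keys file and the unseal service are deployed with nothing in them, and the script the service runs then reports "Vault has been unsealed." after submitting no keys, so `fail('vault::unseal_keys must be set')` when the array is empty is safer. More broadly, this design stores the Shamir unseal keys on the same host as the raft data they protect, which removes most of what sealing buys (a disk image or root on the box yields both); if that trade-off is intended it belongs in the setup documentation this commit adds, and auto-unseal (cloud KMS or Transit) is the usual way to avoid it. `/etc/vault` is not managed here; if the vault module does not create it, `file { '/etc/vault/unseal_keys': ... }` needs a `File['/etc/vault']` dependency.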
@@ -0,0 +1,3 @@
|
||||
<% @unseal_keys.each do |key| -%>
|
||||
<%= key %>
|
||||
<% end -%>
|
||||
@@ -0,0 +1,14 @@
|
||||
[Unit]
|
||||
Description=Unseal Vault Service
|
||||
After=vault.service network.target
|
||||
Requires=vault.service
|
||||
PartOf=vault.service
|
||||
|
||||
[Service]
|
||||
Type=oneshot
|
||||
ExecStart=/usr/local/bin/vault-unseal.sh
|
||||
RemainAfterExit=yes
|
||||
User=root
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
@@ -0,0 +1,23 @@
|
||||
#!/bin/bash
|
||||
|
||||
# Script to unseal Vault
|
||||
|
||||
VAULT_ADDR='<%= @vault_address %>'
|
||||
UNSEAL_KEYS_FILE='/etc/vault/unseal_keys'
|
||||
|
||||
# Check if Vault is sealed
|
||||
is_sealed=$(curl -s ${VAULT_ADDR}/v1/sys/seal-status | jq -r '.sealed')
|
||||
if [ "$is_sealed" != "true" ]; then
|
||||
echo "Vault is already unsealed."
|
||||
exit 0
|
||||
fi
|
||||
|
||||
# Retrieve unseal keys from plaintext file
|
||||
unseal_keys=$(cat "$UNSEAL_KEYS_FILE")
|
||||
|
||||
# Loop through the unseal keys and use them to unseal Vault
|
||||
for key in $unseal_keys; do
|
||||
curl --request PUT --data '{"key": "'$key'"}' $VAULT_ADDR/v1/sys/unseal
|
||||
done
|
||||
|
||||
echo "Vault has been unsealed."
|
||||
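Review bot: Both curl calls treat a failed request as success: `is_sealed=$(curl -s ${VAULT_ADDR}/v1/sys/seal-status | jq -r '.sealed')` is empty when the API is not yet listening (`After=vault.service` in the unit orders process start, not readiness), and `"" != "true"` then exits 0 with "Vault is already unsealed.", so a reboot can leave Vault sealed while the unit reports success; the unseal loop likewise ignores HTTP errors and prints "Vault has been unsealed." without checking the seal state. The keys are also passed on the curl command line (`--data '{"key": "'$key'"}'`), where any local user can read them from the process list for the duration of the request; feeding the body through stdin keeps them out of argv. `jq` is required but the commit message lists only unzip and compression tools as managed, so make sure that package is managed too. The rewrite below polls the API for a bounded time, fails loudly, sends keys via stdin and verifies the final seal state.
```bash
#!/bin/bash
set -euo pipefail

VAULT_ADDR='<%= @vault_address %>'
UNSEAL_KEYS_FILE='/etc/vault/unseal_keys'

# Wait (bounded) for the API to answer; the unit's After= only orders process start.
sealed=''
for _ in $(seq 1 30); do
  if status=$(curl -sf "${VAULT_ADDR}/v1/sys/seal-status"); then
    sealed=$(jq -r '.sealed' <<<"$status")
    break
  fi
  sleep 2
done
[ -n "$sealed" ] || { echo "Vault API at ${VAULT_ADDR} did not respond." >&2; exit 1; }
if [ "$sealed" != "true" ]; then
  echo "Vault is already unsealed."
  exit 0
fi

# Submit keys via stdin so they never appear in the process argument list; stop once unsealed.
while IFS= read -r key; do
  [ -n "$key" ] || continue
  sealed=$(jq -n --arg k "$key" '{key: $k}' \
    | curl -sf --request PUT --data @- "${VAULT_ADDR}/v1/sys/unseal" \
    | jq -r '.sealed')
  [ "$sealed" = "true" ] || break
done < "$UNSEAL_KEYS_FILE"

if [ "$sealed" = "true" ]; then
  echo "Vault is still sealed after submitting the configured keys." >&2
  exit 1
fi
echo "Vault has been unsealed."
```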
@@ -2,4 +2,7 @@
|
||||
class roles::infra::storage::vault {
|
||||
include profiles::defaults
|
||||
include profiles::base
|
||||
include profiles::base::datavol
|
||||
include profiles::vault::server
|
||||
include profiles::vault::unseal
|
||||
}
|
||||
|
||||