feat: add vault server profile

- add vault module to puppetfile
- define class to manage the install and config of vault
- manage the datavol and raft storage
- manage the unzip and other compression tools
- define custom unseal script and service
- add documentation on initial setup of vault
This commit is contained in:
2024-02-13 22:48:23 +11:00
parent f8b30f335b
commit fe05c86463
12 changed files with 237 additions and 1 deletions
+1 -1
View File
@@ -24,7 +24,7 @@ class profiles::pki::puppetcerts {
ensure => 'file',
owner => 'root',
group => 'root',
mode => '0600',
mode => '0644',
source => "/etc/puppetlabs/puppet/ssl/private_keys/${facts['networking']['fqdn']}.pem",
require => File['/etc/pki/tls/puppet'],
}
+90
View File
@@ -0,0 +1,90 @@
# profiles::vault::server
class profiles::vault::server (
Boolean $members_lookup = false,
String $members_role = undef,
Array $vault_servers = [],
Enum[
'archive',
'repo'
] $install_method = 'archive',
Boolean $tls_disable = false,
Stdlib::Port $client_port = 8200,
Stdlib::Port $cluster_port = 8201,
Boolean $manage_storage_dir = false,
Stdlib::Absolutepath $data_dir = '/opt/vault',
Stdlib::Absolutepath $bin_dir = '/usr/bin',
){
# use puppet certs as base
include profiles::pki::puppetcerts
# set a datacentre/cluster name
$vault_cluster = "${::facts['country']}-${::facts['region']}"
# if lookup is enabled, find all the hosts in the specified role and create the servers_array
if $members_lookup {
# check that the role is also set
unless !($members_role == undef) {
fail("members_role must be provided for ${title} when members_lookup is True")
}
# if it is, find hosts, sort them so they dont cause changes every run
$servers_array = sort(query_nodes("enc_role='${members_role}' and region='${::facts['region']}'", 'networking.fqdn'))
# else use provided array from params
}else{
$servers_array = $vault_servers
}
# set http scheme
$http_scheme = $tls_disable ? {
true => 'http',
false => 'https'
}
# create vault urls
$server_urls = $servers_array.map |$fqdn| {
{
leader_api_addr => "${http_scheme}://${fqdn}:${client_port}",
leader_client_cert_file => "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.crt",
leader_client_key_file => "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.key",
leader_ca_cert_file => '/etc/pki/tls/puppet/ca.pem',
}
}
class { 'vault':
install_method => $install_method,
manage_storage_dir => $manage_storage_dir,
enable_ui => true,
storage => {
raft => {
node_id => $::facts['networking']['fqdn'],
path => $data_dir,
retry_join => $server_urls,
}
},
api_addr => "${http_scheme}://${::facts['networking']['fqdn']}:${client_port}",
extra_config => {
cluster_addr => "${http_scheme}://${::facts['networking']['fqdn']}:${cluster_port}",
},
listener => [
{
tcp => {
address => "127.0.0.1:${client_port}",
cluster_address => "127.0.0.1:${cluster_port}",
tls_disable => true,
}
},
{
tcp => {
address => "${::facts['networking']['ip']}:${client_port}",
cluster_address => "${::facts['networking']['ip']}:${cluster_port}",
tls_disable => $tls_disable,
tls_cert_file => "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.crt",
tls_key_file => "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.key",
}
}
]
}
}
+37
View File
@@ -0,0 +1,37 @@
# profiles::vault::unseal
class profiles::vault::unseal (
Array[String] $unseal_keys = lookup('vault::unseal_keys', Array[String], 'first', []),
Variant[
Stdlib::HTTPSUrl,
Stdlib::HTTPUrl
] $vault_address = 'http://127.0.0.1:8200',
){
# deploy the unseal keys file
file { '/etc/vault/unseal_keys':
ensure => file,
owner => 'root',
group => 'root',
mode => '0600',
content => Sensitive(template('profiles/vault/unseal_keys.erb')),
require => Class['vault'],
}
# deploy the unseal script
file { '/usr/local/bin/vault-unseal.sh':
ensure => file,
owner => 'root',
group => 'root',
mode => '0750',
content => template('profiles/vault/vault_unseal.sh.erb'),
}
# create systemd service unit
systemd::unit_file { 'vault-unseal.service':
content => template('profiles/vault/vault-unseal.service.erb'),
active => true,
enable => true,
require => File['/usr/local/bin/vault-unseal.sh'],
subscribe => Service['vault'],
}
}
@@ -0,0 +1,3 @@
<% @unseal_keys.each do |key| -%>
<%= key %>
<% end -%>
@@ -0,0 +1,14 @@
[Unit]
Description=Unseal Vault Service
After=vault.service network.target
Requires=vault.service
PartOf=vault.service
[Service]
Type=oneshot
ExecStart=/usr/local/bin/vault-unseal.sh
RemainAfterExit=yes
User=root
[Install]
WantedBy=multi-user.target
@@ -0,0 +1,23 @@
#!/bin/bash
# Script to unseal Vault
VAULT_ADDR='<%= @vault_address %>'
UNSEAL_KEYS_FILE='/etc/vault/unseal_keys'
# Check if Vault is sealed
is_sealed=$(curl -s ${VAULT_ADDR}/v1/sys/seal-status | jq -r '.sealed')
if [ "$is_sealed" != "true" ]; then
echo "Vault is already unsealed."
exit 0
fi
# Retrieve unseal keys from plaintext file
unseal_keys=$(cat "$UNSEAL_KEYS_FILE")
# Loop through the unseal keys and use them to unseal Vault
for key in $unseal_keys; do
curl --request PUT --data '{"key": "'$key'"}' $VAULT_ADDR/v1/sys/unseal
done
echo "Vault has been unsealed."