feat: add vault server profile
- add vault module to puppetfile - define class to manage the install and config of vault - manage the datavol and raft storage - manage the unzip and other compression tools - define custom unseal script and service - add documentation on initial setup of vault
This commit is contained in:
@@ -0,0 +1,90 @@
|
||||
# profiles::vault::server
|
||||
class profiles::vault::server (
|
||||
Boolean $members_lookup = false,
|
||||
String $members_role = undef,
|
||||
Array $vault_servers = [],
|
||||
Enum[
|
||||
'archive',
|
||||
'repo'
|
||||
] $install_method = 'archive',
|
||||
Boolean $tls_disable = false,
|
||||
Stdlib::Port $client_port = 8200,
|
||||
Stdlib::Port $cluster_port = 8201,
|
||||
Boolean $manage_storage_dir = false,
|
||||
Stdlib::Absolutepath $data_dir = '/opt/vault',
|
||||
Stdlib::Absolutepath $bin_dir = '/usr/bin',
|
||||
){
|
||||
|
||||
# use puppet certs as base
|
||||
include profiles::pki::puppetcerts
|
||||
|
||||
# set a datacentre/cluster name
|
||||
$vault_cluster = "${::facts['country']}-${::facts['region']}"
|
||||
|
||||
# if lookup is enabled, find all the hosts in the specified role and create the servers_array
|
||||
if $members_lookup {
|
||||
|
||||
# check that the role is also set
|
||||
unless !($members_role == undef) {
|
||||
fail("members_role must be provided for ${title} when members_lookup is True")
|
||||
}
|
||||
|
||||
# if it is, find hosts, sort them so they dont cause changes every run
|
||||
$servers_array = sort(query_nodes("enc_role='${members_role}' and region='${::facts['region']}'", 'networking.fqdn'))
|
||||
|
||||
# else use provided array from params
|
||||
}else{
|
||||
$servers_array = $vault_servers
|
||||
}
|
||||
|
||||
# set http scheme
|
||||
$http_scheme = $tls_disable ? {
|
||||
true => 'http',
|
||||
false => 'https'
|
||||
}
|
||||
|
||||
# create vault urls
|
||||
$server_urls = $servers_array.map |$fqdn| {
|
||||
{
|
||||
leader_api_addr => "${http_scheme}://${fqdn}:${client_port}",
|
||||
leader_client_cert_file => "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.crt",
|
||||
leader_client_key_file => "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.key",
|
||||
leader_ca_cert_file => '/etc/pki/tls/puppet/ca.pem',
|
||||
}
|
||||
}
|
||||
|
||||
class { 'vault':
|
||||
install_method => $install_method,
|
||||
manage_storage_dir => $manage_storage_dir,
|
||||
enable_ui => true,
|
||||
storage => {
|
||||
raft => {
|
||||
node_id => $::facts['networking']['fqdn'],
|
||||
path => $data_dir,
|
||||
retry_join => $server_urls,
|
||||
}
|
||||
},
|
||||
api_addr => "${http_scheme}://${::facts['networking']['fqdn']}:${client_port}",
|
||||
extra_config => {
|
||||
cluster_addr => "${http_scheme}://${::facts['networking']['fqdn']}:${cluster_port}",
|
||||
},
|
||||
listener => [
|
||||
{
|
||||
tcp => {
|
||||
address => "127.0.0.1:${client_port}",
|
||||
cluster_address => "127.0.0.1:${cluster_port}",
|
||||
tls_disable => true,
|
||||
}
|
||||
},
|
||||
{
|
||||
tcp => {
|
||||
address => "${::facts['networking']['ip']}:${client_port}",
|
||||
cluster_address => "${::facts['networking']['ip']}:${cluster_port}",
|
||||
tls_disable => $tls_disable,
|
||||
tls_cert_file => "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.crt",
|
||||
tls_key_file => "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.key",
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,37 @@
|
||||
# profiles::vault::unseal
|
||||
class profiles::vault::unseal (
|
||||
Array[String] $unseal_keys = lookup('vault::unseal_keys', Array[String], 'first', []),
|
||||
Variant[
|
||||
Stdlib::HTTPSUrl,
|
||||
Stdlib::HTTPUrl
|
||||
] $vault_address = 'http://127.0.0.1:8200',
|
||||
){
|
||||
|
||||
# deploy the unseal keys file
|
||||
file { '/etc/vault/unseal_keys':
|
||||
ensure => file,
|
||||
owner => 'root',
|
||||
group => 'root',
|
||||
mode => '0600',
|
||||
content => Sensitive(template('profiles/vault/unseal_keys.erb')),
|
||||
require => Class['vault'],
|
||||
}
|
||||
|
||||
# deploy the unseal script
|
||||
file { '/usr/local/bin/vault-unseal.sh':
|
||||
ensure => file,
|
||||
owner => 'root',
|
||||
group => 'root',
|
||||
mode => '0750',
|
||||
content => template('profiles/vault/vault_unseal.sh.erb'),
|
||||
}
|
||||
|
||||
# create systemd service unit
|
||||
systemd::unit_file { 'vault-unseal.service':
|
||||
content => template('profiles/vault/vault-unseal.service.erb'),
|
||||
active => true,
|
||||
enable => true,
|
||||
require => File['/usr/local/bin/vault-unseal.sh'],
|
||||
subscribe => Service['vault'],
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user