feat: add vault server profile
- add vault module to puppetfile - define class to manage the install and config of vault - manage the datavol and raft storage - manage the unzip and other compression tools - define custom unseal script and service - add documentation on initial setup of vault
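--- /dev/null
+++ b/[path-not-on-page]#1
@@ -0,0 +1,3 @@
+<% @unseal_keys.each do |key| -%>
+<%= key %>
+<% end -%>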
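Review bot: The file this template renders holds every unseal key in cleartext, and nothing in the template records that or what consumes it; the Puppet resource that installs the rendered file is not on this page, so I cannot confirm its owner and mode. An ERB comment at the top keeps that context with the file without being rendered into it: `<%# Unseal keys in cleartext, one per line; read by vault-unseal.sh. Install root-owned, mode 0400, and keep out of logs and backups. -%>`.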
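--- /dev/null
+++ b/[path-not-on-page]#2
@@ -0,0 +1,14 @@
+[Unit]
+Description=Unseal Vault Service
+After=vault.service network.target
+Requires=vault.service
+PartOf=vault.service
+
+[Service]
+Type=oneshot
+ExecStart=/usr/local/bin/vault-unseal.sh
+RemainAfterExit=yes
+User=root
+
+[Install]
+WantedBy=multi-user.target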
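Review bot: `User=root` grants the unseal script more privilege than it uses: it only reads the key file and makes HTTP calls, so it can run as the account the vault service itself runs as (not visible on this page) with the key file owned by that account and mode 0400, which is one `User=` line plus the file ownership in the manifest. `After=vault.service` orders this unit on the vault process having been started, not on its listener accepting connections, so the script it launches has to tolerate an API that is not yet responding (raised separately on the script). With `RemainAfterExit=yes`, a run that exits 0 without actually unsealing leaves the unit active until the next restart, so the script's exit status is the only signal operators get and it needs to be accurate.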
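--- /dev/null
+++ b/[path-not-on-page]#3
@@ -0,0 +1,23 @@
+#!/bin/bash
+
+# Script to unseal Vault
+
+VAULT_ADDR='<%= @vault_address %>'
+UNSEAL_KEYS_FILE='/etc/vault/unseal_keys'
+
+# Check if Vault is sealed
+is_sealed=$(curl -s ${VAULT_ADDR}/v1/sys/seal-status | jq -r '.sealed')
+if [ "$is_sealed" != "true" ]; then
+echo "Vault is already unsealed."
+exit 0
+fi
+
+# Retrieve unseal keys from plaintext file
+unseal_keys=$(cat "$UNSEAL_KEYS_FILE")
+
+# Loop through the unseal keys and use them to unseal Vault
+for key in $unseal_keys; do
+curl --request PUT --data '{"key": "'$key'"}' $VAULT_ADDR/v1/sys/unseal
+done
+
+echo "Vault has been unsealed."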
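Review bot: The seal check at `is_sealed=$(curl -s ...)` and the `if` after it masks an unreachable API: when curl fails, `is_sealed` is empty, `"" != "true"` holds, and the script prints "Vault is already unsealed." and exits 0, so the oneshot unit goes active while Vault is still sealed, which is likely on boot because the unit only orders on the vault process starting. The unseal loop also places each key in curl's argument list, where the process table exposes it to every local user, leaves `$key` and `$VAULT_ADDR` unquoted, and prints the final message without checking that the unseal took effect. The rewrite below fails closed on API errors, builds the JSON body with jq and passes it on stdin, reads the key file line by line, and re-checks seal-status before claiming success; a bounded retry around the first `seal_status` call would additionally absorb the start-up race. Keeping the full set of Shamir keys on the same host defeats the threshold the keys are meant to provide, so Vault's auto-unseal (KMS or transit seal) is the durable mitigation and this script should be treated as a stopgap.
```shell
#!/bin/bash
set -euo pipefail

# … unchanged: VAULT_ADDR and UNSEAL_KEYS_FILE assignments …

seal_status() {
  curl -sSf "${VAULT_ADDR}/v1/sys/seal-status" | jq -r '.sealed'
}

# Exit non-zero instead of reporting "unsealed" when the API cannot be
# queried, so the oneshot unit does not go active while Vault stays sealed.
is_sealed=$(seal_status) || { echo "Vault API at ${VAULT_ADDR} is not reachable" >&2; exit 1; }
if [ "$is_sealed" = "false" ]; then
  echo "Vault is already unsealed."
  exit 0
fi

# One key per line; the JSON body is built by jq and sent on stdin so the
# key never appears in a process argument list.
while IFS= read -r key || [ -n "$key" ]; do
  [ -n "$key" ] || continue
  jq -n --arg key "$key" '{key: $key}' \
    | curl -sSf --request PUT --data @- "${VAULT_ADDR}/v1/sys/unseal"
done < "$UNSEAL_KEYS_FILE"

# Verify the result instead of assuming it.
[ "$(seal_status)" = "false" ] || { echo "Vault is still sealed after submitting keys" >&2; exit 1; }
echo "Vault has been unsealed."
```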