From ca87702466b9e5e14542bec623bd1c8a34e9782e Mon Sep 17 00:00:00 2001
From: Ben Vincent
Date: Sun, 27 Oct 2024 12:59:36 +1100
Subject: [PATCH] feat: ensure vault restarts with ssl cert
- ensure the vault service resource subscribes to the ssl crt/key
- update unseal script to retry unseal process until it completes
---
 site/profiles/manifests/vault/server.pp | 20 ++++++++++----
 .../templates/vault/vault_unseal.sh.erb | 27 +++++++++++--------
 2 files changed, 31 insertions(+), 16 deletions(-)
diff --git a/site/profiles/manifests/vault/server.pp b/site/profiles/manifests/vault/server.pp
index d07e8ba..a27ef46 100644
--- a/site/profiles/manifests/vault/server.pp
+++ b/site/profiles/manifests/vault/server.pp
@@ -16,6 +16,9 @@ class profiles::vault::server (
 Boolean $manage_storage_dir = false,
 Stdlib::Absolutepath $data_dir = '/opt/vault',
 Stdlib::Absolutepath $bin_dir = '/usr/bin',
+ Stdlib::Absolutepath $ssl_crt = '/etc/pki/tls/vault/certificate.crt',
+ Stdlib::Absolutepath $ssl_key = '/etc/pki/tls/vault/private.key',
+ Stdlib::Absolutepath $ssl_ca = '/etc/pki/tls/certs/ca-bundle.crt',
 ){
 # set a datacentre/cluster name
@@ -45,13 +48,14 @@ class profiles::vault::server (
 $server_urls = $servers_array.map |$fqdn| {
 {
 leader_api_addr => "${http_scheme}://${fqdn}:${client_port}",
- leader_client_cert_file => '/etc/pki/tls/vault/certificate.crt',
- leader_client_key_file => '/etc/pki/tls/vault/private.key',
- leader_ca_cert_file => '/etc/pki/tls/certs/ca-bundle.crt',
+ leader_client_cert_file => $ssl_crt,
+ leader_client_key_file => $ssl_key,
+ leader_ca_cert_file => $ssl_ca,
 }
 }
 class { 'vault':
+ manage_service => false,
 install_method => $install_method,
 manage_storage_dir => $manage_storage_dir,
 enable_ui => true,
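Review bot: The three new parameters `$ssl_crt`, `$ssl_key` and `$ssl_ca` in the first hunk arrive without documentation; whether the class header above line 16 carries Puppet Strings `@param` tags is outside the hunk, but if it does they need entries such as `# @param ssl_crt Path to the TLS certificate used as the listener's tls_cert_file and as leader_client_cert_file`, with matching lines for the key and the CA bundle. Worth stating in that doc that `$ssl_crt` and `$ssl_key` must correspond to File resources in the catalog, since the later service hunk subscribes to them by title. The class parameter list continues outside the hunk on both sides.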
@@ -79,13 +83,19 @@ class profiles::vault::server (
 address => "${::facts['networking']['ip']}:${client_port}",
 cluster_address => "${::facts['networking']['ip']}:${cluster_port}",
 tls_disable => $tls_disable,
- tls_cert_file => '/etc/pki/tls/vault/certificate.crt',
- tls_key_file => '/etc/pki/tls/vault/private.key',
+ tls_cert_file => $ssl_crt,
+ tls_key_file => $ssl_key,
 }
 }
 ]
 }
+ service { 'vault':
+ ensure => true,
+ enable => true,
+ subscribe => [File[$ssl_crt], File[$ssl_key]],
+ }
+
 # include classes to manage vault
 include profiles::vault::unseal
 }
diff --git a/site/profiles/templates/vault/vault_unseal.sh.erb b/site/profiles/templates/vault/vault_unseal.sh.erb
index 5e4d5aa..4cdb2de 100644
--- a/site/profiles/templates/vault/vault_unseal.sh.erb
+++ b/site/profiles/templates/vault/vault_unseal.sh.erb
@@ -5,19 +5,24 @@
 VAULT_ADDR='<%= @vault_address %>'
 UNSEAL_KEYS_FILE='/etc/vault/unseal_keys'
-# Check if Vault is sealed
-is_sealed=$(curl -s ${VAULT_ADDR}/v1/sys/seal-status | jq -r '.sealed')
-if [ "$is_sealed" != "true" ]; then
- echo "Vault is already unsealed."
- exit 0
-fi
+while true; do
+ # Check if Vault is sealed
+ is_sealed=$(curl -s ${VAULT_ADDR}/v1/sys/seal-status | jq -r '.sealed')
+ if [ "$is_sealed" == "false" ]; then
+ echo "Vault is already unsealed."
+ break
+ fi
-# Retrieve unseal keys from plaintext file
-unseal_keys=$(cat "$UNSEAL_KEYS_FILE")
+ # Retrieve unseal keys from plaintext file
+ unseal_keys=$(cat "$UNSEAL_KEYS_FILE")
-# Loop through the unseal keys and use them to unseal Vault
-for key in $unseal_keys; do
- curl --request PUT --data '{"key": "'$key'"}' $VAULT_ADDR/v1/sys/unseal
+ # Loop through the unseal keys and use them to unseal Vault
+ for key in $unseal_keys; do
+ curl --request PUT --data '{"key": "'$key'"}' $VAULT_ADDR/v1/sys/unseal
+ done
+
+ echo "Attempted to unseal Vault. Checking if still sealed..."
+ sleep 1
 done
 echo "Vault has been unsealed."
-- 
2.47.3
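Review bot: `subscribe => [File[$ssl_crt], File[$ssl_key]]` in the new `service { 'vault': }` block requires File resources with exactly those titles to exist in the catalog; if the certificate and key are deployed by another profile under different titles, or are not managed by Puppet at all, catalog compilation fails rather than the service merely not restarting, so either document that requirement (`# @param ssl_crt ... a File resource with this title must be declared in the catalog`) or reference whatever declares them. With `manage_service => false` passed to the vault class in the previous hunk it is likely the module's own config-to-service notification no longer applies, so a change to the rendered Vault config would not restart the service either — consider subscribing this resource to the config as well, or confirm the module still wires that. `ensure => true` works as an alias, but `ensure => 'running'` is the conventional spelling. The hunk header announces 19 new lines while only 17 are visible, so two added lines appear to have been lost in extraction; the class header is outside the hunk.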
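Review bot: The `while true; do` loop at the top of the second hunk has no upper bound and treats every `is_sealed` value other than `"false"` as "sealed", so when Vault is unreachable (curl fails and `jq` yields empty or `null`) the script reads the key file and submits every unseal key to `/v1/sys/unseal` once per second indefinitely, and a caller never learns that the unseal did not complete. Bound the retries, submit keys only when seal-status actually reports `"true"`, and exit non-zero when the bound is hit; a sketch follows. `[ "$is_sealed" == "false" ]` is a bash-only comparison where the removed code used `!=`; `=` is the portable form, and which is acceptable depends on the shebang, which is outside the hunk.
```shell
MAX_ATTEMPTS=60   # constructed example value; tune for the environment

attempts=0
while [ "$attempts" -lt "$MAX_ATTEMPTS" ]; do
  # Check if Vault is sealed
  is_sealed=$(curl -s ${VAULT_ADDR}/v1/sys/seal-status | jq -r '.sealed')
  if [ "$is_sealed" = "false" ]; then
    echo "Vault is already unsealed."
    break
  fi

  if [ "$is_sealed" = "true" ]; then
    # … unchanged: read $UNSEAL_KEYS_FILE and PUT each key to /v1/sys/unseal …
    echo "Attempted to unseal Vault. Checking if still sealed..."
  else
    # seal-status unavailable or unparsable: do not submit keys, just wait for Vault
    echo "Vault seal status unavailable; waiting..."
  fi

  attempts=$((attempts + 1))
  sleep 1
done

if [ "$is_sealed" != "false" ]; then
  echo "Vault is still sealed after $MAX_ATTEMPTS attempts." >&2
  exit 1
fi
```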