unkin/puppet-prod
2
0
Fork 0
Code Issues 10 Pull Requests Actions Packages Projects Releases Wiki Activity

feat: ensure vault restarts with ssl cert #170

Merged
unkinben merged 1 commits from neoloc/vault_reload into develop 2024-10-27 13:10:51 +11:00
Conversation 0 Commits 1 Files Changed 2 +31 -16
2 changed files with 31 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
site/profiles/manifests/vault/server.pp
View File

@ -16,6 +16,9 @@ class profiles::vault::server (
Boolean $manage_storage_dir = false, Boolean $manage_storage_dir = false,
Stdlib::Absolutepath $data_dir = '/opt/vault', Stdlib::Absolutepath $data_dir = '/opt/vault',
Stdlib::Absolutepath $bin_dir = '/usr/bin', Stdlib::Absolutepath $bin_dir = '/usr/bin',
Stdlib::Absolutepath $ssl_crt = '/etc/pki/tls/vault/certificate.crt',
Stdlib::Absolutepath $ssl_key = '/etc/pki/tls/vault/private.key',
Stdlib::Absolutepath $ssl_ca = '/etc/pki/tls/certs/ca-bundle.crt',
){ ){
# set a datacentre/cluster name # set a datacentre/cluster name
@ -45,13 +48,14 @@ class profiles::vault::server (
$server_urls = $servers_array.map |$fqdn| { $server_urls = $servers_array.map |$fqdn| {
{ {
leader_api_addr => "${http_scheme}://${fqdn}:${client_port}", leader_api_addr => "${http_scheme}://${fqdn}:${client_port}",
leader_client_cert_file => '/etc/pki/tls/vault/certificate.crt', leader_client_cert_file => $ssl_crt,
leader_client_key_file => '/etc/pki/tls/vault/private.key', leader_client_key_file => $ssl_key,
leader_ca_cert_file => '/etc/pki/tls/certs/ca-bundle.crt', leader_ca_cert_file => $ssl_ca,
} }
} }
class { 'vault': class { 'vault':
manage_service => false,
install_method => $install_method, install_method => $install_method,
manage_storage_dir => $manage_storage_dir, manage_storage_dir => $manage_storage_dir,
enable_ui => true, enable_ui => true,
@ -79,13 +83,19 @@ class profiles::vault::server (
address => "${::facts['networking']['ip']}:${client_port}", address => "${::facts['networking']['ip']}:${client_port}",
cluster_address => "${::facts['networking']['ip']}:${cluster_port}", cluster_address => "${::facts['networking']['ip']}:${cluster_port}",
tls_disable => $tls_disable, tls_disable => $tls_disable,
tls_cert_file => '/etc/pki/tls/vault/certificate.crt', tls_cert_file => $ssl_crt,
tls_key_file => '/etc/pki/tls/vault/private.key', tls_key_file => $ssl_key,
} }
} }
] ]
} }
service { 'vault':
ensure => true,
enable => true,
subscribe => [File[$ssl_crt], File[$ssl_key]],
}
# include classes to manage vault # include classes to manage vault
include profiles::vault::unseal include profiles::vault::unseal
} }

23
site/profiles/templates/vault/vault_unseal.sh.erb
View File

@ -5,19 +5,24 @@
VAULT_ADDR='<%= @vault_address %>' VAULT_ADDR='<%= @vault_address %>'
UNSEAL_KEYS_FILE='/etc/vault/unseal_keys' UNSEAL_KEYS_FILE='/etc/vault/unseal_keys'
# Check if Vault is sealed while true; do
is_sealed=$(curl -s ${VAULT_ADDR}/v1/sys/seal-status | jq -r '.sealed') # Check if Vault is sealed
if [ "$is_sealed" != "true" ]; then is_sealed=$(curl -s ${VAULT_ADDR}/v1/sys/seal-status | jq -r '.sealed')
if [ "$is_sealed" == "false" ]; then
echo "Vault is already unsealed." echo "Vault is already unsealed."
exit 0 break
fi fi
# Retrieve unseal keys from plaintext file # Retrieve unseal keys from plaintext file
unseal_keys=$(cat "$UNSEAL_KEYS_FILE") unseal_keys=$(cat "$UNSEAL_KEYS_FILE")
# Loop through the unseal keys and use them to unseal Vault # Loop through the unseal keys and use them to unseal Vault
for key in $unseal_keys; do for key in $unseal_keys; do
curl --request PUT --data '{"key": "'$key'"}' $VAULT_ADDR/v1/sys/unseal curl --request PUT --data '{"key": "'$key'"}' $VAULT_ADDR/v1/sys/unseal
done
echo "Attempted to unseal Vault. Checking if still sealed..."
sleep 1
done done
echo "Vault has been unsealed." echo "Vault has been unsealed."