feat: ensure vault restarts with ssl cert #170
@ -16,6 +16,9 @@ class profiles::vault::server (
|
||||
Boolean $manage_storage_dir = false,
|
||||
Stdlib::Absolutepath $data_dir = '/opt/vault',
|
||||
Stdlib::Absolutepath $bin_dir = '/usr/bin',
|
||||
Stdlib::Absolutepath $ssl_crt = '/etc/pki/tls/vault/certificate.crt',
|
||||
Stdlib::Absolutepath $ssl_key = '/etc/pki/tls/vault/private.key',
|
||||
Stdlib::Absolutepath $ssl_ca = '/etc/pki/tls/certs/ca-bundle.crt',
|
||||
){
|
||||
|
||||
# set a datacentre/cluster name
|
||||
@ -45,13 +48,14 @@ class profiles::vault::server (
|
||||
$server_urls = $servers_array.map |$fqdn| {
|
||||
{
|
||||
leader_api_addr => "${http_scheme}://${fqdn}:${client_port}",
|
||||
leader_client_cert_file => '/etc/pki/tls/vault/certificate.crt',
|
||||
leader_client_key_file => '/etc/pki/tls/vault/private.key',
|
||||
leader_ca_cert_file => '/etc/pki/tls/certs/ca-bundle.crt',
|
||||
leader_client_cert_file => $ssl_crt,
|
||||
leader_client_key_file => $ssl_key,
|
||||
leader_ca_cert_file => $ssl_ca,
|
||||
}
|
||||
}
|
||||
|
||||
class { 'vault':
|
||||
manage_service => false,
|
||||
install_method => $install_method,
|
||||
manage_storage_dir => $manage_storage_dir,
|
||||
enable_ui => true,
|
||||
@ -79,13 +83,19 @@ class profiles::vault::server (
|
||||
address => "${::facts['networking']['ip']}:${client_port}",
|
||||
cluster_address => "${::facts['networking']['ip']}:${cluster_port}",
|
||||
tls_disable => $tls_disable,
|
||||
tls_cert_file => '/etc/pki/tls/vault/certificate.crt',
|
||||
tls_key_file => '/etc/pki/tls/vault/private.key',
|
||||
tls_cert_file => $ssl_crt,
|
||||
tls_key_file => $ssl_key,
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
|
||||
service { 'vault':
|
||||
ensure => true,
|
||||
enable => true,
|
||||
subscribe => [File[$ssl_crt], File[$ssl_key]],
|
||||
}
|
||||
|
||||
# include classes to manage vault
|
||||
include profiles::vault::unseal
|
||||
}
|
||||
|
||||
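Review bot: `subscribe => [File[$ssl_crt], File[$ssl_key]]` in the new `service { 'vault': }` block only compiles if those two File resources exist in the catalog; nothing in this diff declares them, so if they are not managed by another class the run fails with "Could not find resource". `$ssl_ca` is left out of the subscription, so a rotated CA bundle (also referenced via `leader_ca_cert_file` in the same class) will not trigger a restart; if it is managed, `subscribe => [File[$ssl_crt], File[$ssl_key], File[$ssl_ca]]` closes that gap. Because the vault class is now declared with `manage_service => false`, the module's own config-to-service notification presumably no longer applies, so verify that changes to the listener/storage config still restart the service, for instance by subscribing to the config file as well. A full restart also re-seals a manually unsealed Vault, which is what the unseal script has to recover from; Vault reloads listener TLS certificates on SIGHUP, so a `restart =>` command that reloads the unit (if the systemd unit defines ExecReload) would rotate certificates without a seal/unseal cycle. `ensure => true` is accepted, but `ensure => running` is the idiomatic spelling.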
@ -5,11 +5,12 @@
|
||||
VAULT_ADDR='<%= @vault_address %>'
|
||||
UNSEAL_KEYS_FILE='/etc/vault/unseal_keys'
|
||||
|
||||
while true; do
|
||||
# Check if Vault is sealed
|
||||
is_sealed=$(curl -s ${VAULT_ADDR}/v1/sys/seal-status | jq -r '.sealed')
|
||||
if [ "$is_sealed" != "true" ]; then
|
||||
if [ "$is_sealed" == "false" ]; then
|
||||
echo "Vault is already unsealed."
|
||||
exit 0
|
||||
break
|
||||
fi
|
||||
|
||||
# Retrieve unseal keys from plaintext file
|
||||
@ -20,4 +21,8 @@ for key in $unseal_keys; do
|
||||
curl --request PUT --data '{"key": "'$key'"}' $VAULT_ADDR/v1/sys/unseal
|
||||
done
|
||||
|
||||
echo "Attempted to unseal Vault. Checking if still sealed..."
|
||||
sleep 1
|
||||
done
|
||||
|
||||
echo "Vault has been unsealed."
|
||||
|
||||
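Review bot: The `while true` loop in the first hunk (its body continues into the second hunk) now has no exit other than `break` on `"false"`, so when Vault is unreachable or the TLS handshake fails, `curl -s` prints nothing, `is_sealed` is empty, and the script submits the unseal keys and sleeps forever with no bound. The old `!= "true"` test at least terminated in that case (wrongly, with status 0), so the new condition is the right direction but needs a retry limit and a curl that fails loudly: `curl -sf --max-time 5 "${VAULT_ADDR}/v1/sys/seal-status"`. With a bound the trailing `echo "Vault has been unsealed."` then only runs on the success path, and a non-zero exit lets whatever invokes this script (presumably the profiles::vault::unseal class) report the failure instead of hanging.
```shell
MAX_ATTEMPTS=30
attempt=0
while true; do
    # Check if Vault is sealed; -f makes an HTTP error or unreachable host yield an empty value
    is_sealed=$(curl -sf --max-time 5 "${VAULT_ADDR}/v1/sys/seal-status" | jq -r '.sealed')
    if [ "$is_sealed" == "false" ]; then
        echo "Vault is already unsealed."
        break
    fi
    attempt=$((attempt + 1))
    if [ "$attempt" -ge "$MAX_ATTEMPTS" ]; then
        echo "Vault still sealed or unreachable after ${attempt} attempts; giving up." >&2
        exit 1
    fi
    # … unchanged: read unseal keys and PUT each one to /v1/sys/unseal, then sleep 1 …
```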