promote develop to master #6
@ -1,7 +1,10 @@
|
|||||||
# profiles::vault::server
|
# profiles::vault::server
|
||||||
class profiles::vault::server (
|
class profiles::vault::server (
|
||||||
Boolean $members_lookup = false,
|
Boolean $members_lookup = false,
|
||||||
String $members_role = undef,
|
Variant[
|
||||||
|
String,
|
||||||
|
Undef
|
||||||
|
] $members_role = undef,
|
||||||
Array $vault_servers = [],
|
Array $vault_servers = [],
|
||||||
Enum[
|
Enum[
|
||||||
'archive',
|
'archive',
|
||||||
@ -22,12 +25,7 @@ class profiles::vault::server (
|
|||||||
$vault_cluster = "${::facts['country']}-${::facts['region']}"
|
$vault_cluster = "${::facts['country']}-${::facts['region']}"
|
||||||
|
|
||||||
# if lookup is enabled, find all the hosts in the specified role and create the servers_array
|
# if lookup is enabled, find all the hosts in the specified role and create the servers_array
|
||||||
if $members_lookup {
|
if $members_lookup and $members_role != undef {
|
||||||
|
|
||||||
# check that the role is also set
|
|
||||||
unless !($members_role == undef) {
|
|
||||||
fail("members_role must be provided for ${title} when members_lookup is True")
|
|
||||||
}
|
|
||||||
|
|
||||||
# if it is, find hosts, sort them so they dont cause changes every run
|
# if it is, find hosts, sort them so they dont cause changes every run
|
||||||
$servers_array = sort(query_nodes("enc_role='${members_role}' and region='${::facts['region']}'", 'networking.fqdn'))
|
$servers_array = sort(query_nodes("enc_role='${members_role}' and region='${::facts['region']}'", 'networking.fqdn'))
|
||||||
@ -37,54 +35,61 @@ class profiles::vault::server (
|
|||||||
$servers_array = $vault_servers
|
$servers_array = $vault_servers
|
||||||
}
|
}
|
||||||
|
|
||||||
# set http scheme
|
# configure vault if servers_array isnt empty
|
||||||
$http_scheme = $tls_disable ? {
|
if ! $servers_array.empty() {
|
||||||
true => 'http',
|
|
||||||
false => 'https'
|
|
||||||
}
|
|
||||||
|
|
||||||
# create vault urls
|
# set http scheme
|
||||||
$server_urls = $servers_array.map |$fqdn| {
|
$http_scheme = $tls_disable ? {
|
||||||
{
|
true => 'http',
|
||||||
leader_api_addr => "${http_scheme}://${fqdn}:${client_port}",
|
false => 'https'
|
||||||
leader_client_cert_file => "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.crt",
|
|
||||||
leader_client_key_file => "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.key",
|
|
||||||
leader_ca_cert_file => '/etc/pki/tls/puppet/ca.pem',
|
|
||||||
}
|
}
|
||||||
}
|
|
||||||
|
|
||||||
class { 'vault':
|
# create vault urls
|
||||||
install_method => $install_method,
|
$server_urls = $servers_array.map |$fqdn| {
|
||||||
manage_storage_dir => $manage_storage_dir,
|
|
||||||
enable_ui => true,
|
|
||||||
storage => {
|
|
||||||
raft => {
|
|
||||||
node_id => $::facts['networking']['fqdn'],
|
|
||||||
path => $data_dir,
|
|
||||||
retry_join => $server_urls,
|
|
||||||
}
|
|
||||||
},
|
|
||||||
api_addr => "${http_scheme}://${::facts['networking']['fqdn']}:${client_port}",
|
|
||||||
extra_config => {
|
|
||||||
cluster_addr => "${http_scheme}://${::facts['networking']['fqdn']}:${cluster_port}",
|
|
||||||
},
|
|
||||||
listener => [
|
|
||||||
{
|
{
|
||||||
tcp => {
|
leader_api_addr => "${http_scheme}://${fqdn}:${client_port}",
|
||||||
address => "127.0.0.1:${client_port}",
|
leader_client_cert_file => "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.crt",
|
||||||
cluster_address => "127.0.0.1:${cluster_port}",
|
leader_client_key_file => "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.key",
|
||||||
tls_disable => true,
|
leader_ca_cert_file => '/etc/pki/tls/puppet/ca.pem',
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
class { 'vault':
|
||||||
|
install_method => $install_method,
|
||||||
|
manage_storage_dir => $manage_storage_dir,
|
||||||
|
enable_ui => true,
|
||||||
|
storage => {
|
||||||
|
raft => {
|
||||||
|
node_id => $::facts['networking']['fqdn'],
|
||||||
|
path => $data_dir,
|
||||||
|
retry_join => $server_urls,
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
{
|
api_addr => "${http_scheme}://${::facts['networking']['fqdn']}:${client_port}",
|
||||||
tcp => {
|
extra_config => {
|
||||||
address => "${::facts['networking']['ip']}:${client_port}",
|
cluster_addr => "${http_scheme}://${::facts['networking']['fqdn']}:${cluster_port}",
|
||||||
cluster_address => "${::facts['networking']['ip']}:${cluster_port}",
|
},
|
||||||
tls_disable => $tls_disable,
|
listener => [
|
||||||
tls_cert_file => "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.crt",
|
{
|
||||||
tls_key_file => "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.key",
|
tcp => {
|
||||||
|
address => "127.0.0.1:${client_port}",
|
||||||
|
cluster_address => "127.0.0.1:${cluster_port}",
|
||||||
|
tls_disable => true,
|
||||||
|
}
|
||||||
|
},
|
||||||
|
{
|
||||||
|
tcp => {
|
||||||
|
address => "${::facts['networking']['ip']}:${client_port}",
|
||||||
|
cluster_address => "${::facts['networking']['ip']}:${cluster_port}",
|
||||||
|
tls_disable => $tls_disable,
|
||||||
|
tls_cert_file => "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.crt",
|
||||||
|
tls_key_file => "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.key",
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
]
|
||||||
]
|
}
|
||||||
|
|
||||||
|
# include unseal class
|
||||||
|
include profiles::vault::unseal
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
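Review bot: Dropping the `fail()` guard means `members_lookup => true` with `members_role` left undef now silently falls through to the `$vault_servers` fallback (the `if`/`else` head sits between the second and third hunks), and with the default `[]` the new `if ! $servers_array.empty()` block then skips the whole `class { 'vault': ... }` declaration and the `profiles::vault::unseal` include without any diagnostic, so a misconfigured node converges cleanly with no Vault at all. I would at least surface the empty case, e.g. add after the closing brace of that block `else {` / `  warning("${title}: servers_array is empty, vault will not be configured")` / `}` (or restore the `fail()` for the lookup-without-role case). Separately, `$members_role` is interpolated verbatim into the `query_nodes(...)` query string on the unchanged line below; since the parameter type is being touched here, the idiomatic `Optional[...]` form can also constrain it to a safe token, e.g. `Optional[Pattern[/\A[\w.-]+\z/]] $members_role = undef,` instead of `Variant[String, Undef]`. The class body continues outside the hunks.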
|
|||||||
@ -4,5 +4,4 @@ class roles::infra::storage::vault {
|
|||||||
include profiles::base
|
include profiles::base
|
||||||
include profiles::base::datavol
|
include profiles::base::datavol
|
||||||
include profiles::vault::server
|
include profiles::vault::server
|
||||||
include profiles::vault::unseal
|
|
||||||
}
|
}
|
||||||
|
|||||||