Ben Vincent
35935db963
- manage openbao audit devices in the configuration file - enable audit and audit_raw logs - enable api access to creating audit devices - restart vault service when changing the configuration file
102 lines
3.2 KiB
Puppet
102 lines
3.2 KiB
Puppet
# profiles::vault::server
|
|
class profiles::vault::server (
|
|
Boolean $members_lookup = false,
|
|
Variant[
|
|
String,
|
|
Undef
|
|
] $members_role = undef,
|
|
Array $vault_servers = [],
|
|
Boolean $tls_disable = false,
|
|
Stdlib::Port $client_port = 8200,
|
|
Stdlib::Port $cluster_port = 8201,
|
|
Boolean $manage_storage_dir = false,
|
|
Stdlib::Absolutepath $data_dir = '/opt/vault',
|
|
Stdlib::Absolutepath $bin_dir = '/usr/bin',
|
|
Stdlib::Absolutepath $ssl_crt = '/etc/pki/tls/vault/certificate.crt',
|
|
Stdlib::Absolutepath $ssl_key = '/etc/pki/tls/vault/private.key',
|
|
Stdlib::Absolutepath $ssl_ca = '/etc/pki/tls/certs/ca-bundle.crt',
|
|
Optional[Array[Hash]] $audit_devices = undef,
|
|
){
|
|
|
|
# set a datacentre/cluster name
|
|
$vault_cluster = "${::facts['country']}-${::facts['region']}"
|
|
|
|
# if lookup is enabled, find all the hosts in the specified role and create the servers_array
|
|
if $members_lookup and $members_role != undef {
|
|
|
|
# if it is, find hosts, sort them so they dont cause changes every run
|
|
$servers_array = sort(query_nodes("enc_role='${members_role}' and region='${::facts['region']}'", 'networking.fqdn'))
|
|
|
|
# else use provided array from params
|
|
}else{
|
|
$servers_array = $vault_servers
|
|
}
|
|
|
|
# configure vault if servers_array isnt empty
|
|
if ! $servers_array.empty() {
|
|
|
|
# set http scheme
|
|
$http_scheme = $tls_disable ? {
|
|
true => 'http',
|
|
false => 'https'
|
|
}
|
|
|
|
# create vault urls
|
|
$server_urls = $servers_array.map |$fqdn| {
|
|
{
|
|
leader_api_addr => "${http_scheme}://${fqdn}:${client_port}",
|
|
leader_client_cert_file => $ssl_crt,
|
|
leader_client_key_file => $ssl_key,
|
|
leader_ca_cert_file => $ssl_ca,
|
|
}
|
|
}
|
|
|
|
class { 'vault':
|
|
manage_service => false,
|
|
manage_storage_dir => $manage_storage_dir,
|
|
enable_ui => true,
|
|
storage => {
|
|
raft => {
|
|
node_id => $::facts['networking']['fqdn'],
|
|
path => $data_dir,
|
|
retry_join => $server_urls,
|
|
}
|
|
},
|
|
api_addr => "${http_scheme}://${::facts['networking']['fqdn']}:${client_port}",
|
|
extra_config => {
|
|
cluster_addr => "${http_scheme}://${::facts['networking']['fqdn']}:${cluster_port}",
|
|
audit => $audit_devices,
|
|
unsafe_allow_api_audit_creation => true,
|
|
},
|
|
listener => [
|
|
{
|
|
tcp => {
|
|
address => "127.0.0.1:${client_port}",
|
|
cluster_address => "127.0.0.1:${cluster_port}",
|
|
tls_disable => true,
|
|
}
|
|
},
|
|
{
|
|
tcp => {
|
|
address => "${::facts['networking']['ip']}:${client_port}",
|
|
cluster_address => "${::facts['networking']['ip']}:${cluster_port}",
|
|
tls_disable => $tls_disable,
|
|
tls_cert_file => $ssl_crt,
|
|
tls_key_file => $ssl_key,
|
|
}
|
|
}
|
|
]
|
|
}
|
|
|
|
|
|
service { 'vault':
|
|
ensure => true,
|
|
enable => true,
|
|
subscribe => [File[$ssl_crt], File[$ssl_key], File['/etc/vault/config.json']],
|
|
}
|
|
|
|
# include classes to manage vault
|
|
include profiles::vault::unseal
|
|
}
|
|
}
|