Merge branch 'master' into master

2017-08-08 08:21:46 -05:00 · 2017-08-08 08:21:46 -05:00 · 0df28ebc50
parent 3ce5c1f46f 5a0e165862
commit 0df28ebc50
7 changed files with 23 additions and 5 deletions
--- a/.kitchen.yml
+++ b/.kitchen.yml
@ -10,6 +10,10 @@ verifier:

 provisioner:
  name: salt_solo
+  salt_install: bootstrap
+  salt_bootstrap_url: https://bootstrap.saltstack.com
+  salt_bootstrap_options: -p git -p curl stable 2016.11
+  salt_version: latest
  log_level: debug
  require_chef: false
  formula: vault
@ -24,6 +28,8 @@ platforms:
      pid_one_command: /usr/lib/systemd/systemd
  - name: amazonlinux
    driver_config:
+      provision_command:
+        - yum install -y epel-release
      image: amazonlinux:latest
      platform: rhel
      run_command: /sbin/init
--- a/README.rst
+++ b/README.rst
@ -32,7 +32,7 @@ To use it, just include *vault.server* in your *top.sls*, and configure it using
    listen_protocol: tcp
    listen_port: 8200
    listen_address: 0.0.0.0
-    strict_tls: 0
+    tls_disable: 0
    default_lease_ttl: 24h
    max_lease_ttl: 24h
    self_signed_cert:
--- a/pillar.example
+++ b/pillar.example
@ -3,7 +3,7 @@ vault:
  listen_protocol: tcp
  listen_port: 8200
  listen_address: 0.0.0.0
-  strict_tls: 0
+  tls_disable: 0
  tls_cert_file: {}
  tls_key_file: {}
  default_lease_ttl: 4380h
@ -14,3 +14,5 @@ vault:
  dev_mode: true
  service:
    type: upstart
+  user: root
+  group: root
--- a/vault/defaults.yaml
+++ b/vault/defaults.yaml
@ -3,7 +3,7 @@ vault:
  listen_protocol: tcp
  listen_port: 8200
  listen_address: 0.0.0.0
-  strict_tls: 0
+  tls_disable: 0
  service: upstart
  tls_cert_file: {}
  tls_key_file: {}
@ -15,3 +15,5 @@ vault:
  dev_mode: true
  service:
    type: systemd
+  user: root
+  group: root
--- a/vault/files/server.hcl.jinja
+++ b/vault/files/server.hcl.jinja
@ -7,7 +7,7 @@ backend "s3" {

 listener "{{ vault.listen_protocol }}" {
  address = "{{ vault.listen_address }}:{{ vault.listen_port }}"
-  tls_disable = {{ vault.strict_tls }}
+  tls_disable = {{ vault.tls_disable }}
 {% if vault.self_signed_cert.enabled %}
  tls_cert_file = "/etc/vault/{{ vault.self_signed_cert.hostname }}.pem"
  tls_key_file = "/etc/vault/{{ vault.self_signed_cert.hostname }}-nopass.key"
--- a/vault/files/vault_systemd.service.jinja
+++ b/vault/files/vault_systemd.service.jinja
@ -8,3 +8,5 @@ After=network-online.target consul.service
 EnvironmentFile=-/etc/sysconfig/vault
 Restart=on-failure
 ExecStart=/usr/local/bin/vault server {% if vault.dev_mode %}-dev{% else %} -config="/etc/vault/config/server.hcl"{% endif %}
+User={{ vault.user }}
+Group={{ vault.group }}
--- a/vault/init.sls
+++ b/vault/init.sls
@ -13,8 +13,14 @@ download vault:

 install vault:
  cmd.run:
-    - name:  unzip /tmp/vault.zip -d /usr/local/bin &&  chmod 0755 /usr/local/bin/vault &&  chown root:root /usr/local/bin/vault
+    - name: unzip /tmp/vault.zip -d /usr/local/bin && chmod 0755 /usr/local/bin/vault && chown root:root /usr/local/bin/vault
    - require:
      - cmd: download vault
      - pkg: unzip
    - unless: test -e /usr/local/bin/vault
+
+vault set cap mlock:
+  cmd.run:
+    - name: "setcap cap_ipc_lock=+ep /usr/local/bin/vault"
+    - onchanges:
+      - cmd: install vault