Merge branch 'master' into feature/add_license
1f01bfb846
12 changed files with 41 additions and 77 deletions
32
.kitchen.yml
32
.kitchen.yml
|
@ -10,6 +10,10 @@ verifier:
|
|||
|
||||
provisioner:
|
||||
name: salt_solo
|
||||
salt_install: bootstrap
|
||||
salt_bootstrap_url: https://bootstrap.saltstack.com
|
||||
salt_bootstrap_options: -p git -p curl stable 2016.11
|
||||
salt_version: latest
|
||||
log_level: debug
|
||||
require_chef: false
|
||||
formula: vault
|
||||
|
@ -24,17 +28,13 @@ platforms:
|
|||
pid_one_command: /usr/lib/systemd/systemd
|
||||
- name: amazonlinux
|
||||
driver_config:
|
||||
provision_command:
|
||||
- yum install -y epel-release
|
||||
image: amazonlinux:latest
|
||||
platform: rhel
|
||||
run_command: /sbin/init
|
||||
|
||||
suites:
|
||||
- name: default
|
||||
provisioner:
|
||||
state_top:
|
||||
base:
|
||||
'*':
|
||||
- vault
|
||||
- name: dev_server_systemd
|
||||
excludes:
|
||||
- amazonlinux
|
||||
|
@ -53,7 +53,7 @@ suites:
|
|||
vault:
|
||||
service:
|
||||
type: systemd
|
||||
- name: dev_server_upstart
|
||||
- name: dev_server_upstart_s3
|
||||
includes:
|
||||
- amazonlinux
|
||||
provisioner:
|
||||
|
@ -71,24 +71,6 @@ suites:
|
|||
vault:
|
||||
service:
|
||||
type: upstart
|
||||
- name: server_backend_s3
|
||||
includes:
|
||||
- amazonlinux
|
||||
provisioner:
|
||||
state_top:
|
||||
base:
|
||||
'*':
|
||||
- vault
|
||||
- vault.server
|
||||
pillars:
|
||||
top.sls:
|
||||
base:
|
||||
'*':
|
||||
- vault
|
||||
vault.sls:
|
||||
vault:
|
||||
backend:
|
||||
type: s3
|
||||
bucket: com-saltstack-vault
|
||||
service:
|
||||
type: upstart
|
||||
|
|
|
@ -28,11 +28,11 @@ To use it, just include *vault.server* in your *top.sls*, and configure it using
|
|||
::
|
||||
|
||||
vault:
|
||||
vault_version: 0.7.0
|
||||
version: 0.7.0
|
||||
listen_protocol: tcp
|
||||
listen_port: 8200
|
||||
listen_address: 0.0.0.0
|
||||
strict_tls: 0
|
||||
tls_disable: 0
|
||||
default_lease_ttl: 24h
|
||||
max_lease_ttl: 24h
|
||||
self_signed_cert:
|
||||
|
|
|
@ -3,7 +3,7 @@ vault:
|
|||
listen_protocol: tcp
|
||||
listen_port: 8200
|
||||
listen_address: 0.0.0.0
|
||||
strict_tls: 0
|
||||
tls_disable: 0
|
||||
tls_cert_file: {}
|
||||
tls_key_file: {}
|
||||
default_lease_ttl: 4380h
|
||||
|
@ -14,3 +14,5 @@ vault:
|
|||
dev_mode: true
|
||||
service:
|
||||
type: upstart
|
||||
user: root
|
||||
group: root
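Review bot: The example now defaults the service to `user: root` / `group: root`, yet the same commit adds a state that runs `setcap cap_ipc_lock=+ep /usr/local/bin/vault`, which is exactly what lets Vault mlock its memory without root; the two together leave the example more privileged than it needs to be. The same defaults appear in the kitchen pillar hunk further down (`user: root` / `group: root` under `type: systemd`). Consider pointing the example at a dedicated account (e.g. `user: vault` / `group: vault`, if the formula creates it, which I cannot see from here) or at least adding a comment above `user:` such as `# root is not required for mlock once the binary carries cap_ipc_lock; prefer a dedicated unprivileged account`. The `service:` mapping this hunk extends starts at the hunk's first context line, so its other keys are outside the hunk.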
|
||||
|
|
|
@ -1,6 +0,0 @@
|
|||
describe command('/usr/local/bin/vault -version') do
|
||||
its(:exit_status) { should eq 0 }
|
||||
its(:stderr) { should be_empty }
|
||||
its(:stdout) { should match(/^Vault v[0-9\.]+ \('[0-9a-f]+'\)/) }
|
||||
end
|
||||
|
|
@ -1,3 +1,9 @@
|
|||
describe command('/usr/local/bin/vault -version') do
|
||||
its(:exit_status) { should eq 0 }
|
||||
its(:stderr) { should be_empty }
|
||||
its(:stdout) { should match(/^Vault v[0-9\.]+ \('[0-9a-f]+'\)/) }
|
||||
end
|
||||
|
||||
describe file('/etc/vault/config/server.hcl') do
|
||||
it { should be_a_file }
|
||||
expected =<<-EOF
|
||||
|
|
|
@ -1,6 +1,16 @@
|
|||
describe command('/usr/local/bin/vault -version') do
|
||||
its(:exit_status) { should eq 0 }
|
||||
its(:stderr) { should be_empty }
|
||||
its(:stdout) { should match(/^Vault v[0-9\.]+ \('[0-9a-f]+'\)/) }
|
||||
end
|
||||
|
||||
describe file('/etc/vault/config/server.hcl') do
|
||||
it { should be_a_file }
|
||||
expected = <<-EOF
|
||||
|
||||
backend "s3" {
|
||||
bucket = "com-saltstack-vault"
|
||||
}
|
||||
listener "tcp" {
|
||||
address = "0.0.0.0:8200"
|
||||
tls_disable = 0
|
|
@ -1,36 +0,0 @@
|
|||
describe file('/etc/vault/config/server.hcl') do
|
||||
it { should be_a_file }
|
||||
its(:content) { should match /bucket = "com-saltstack-vault"/ }
|
||||
end
|
||||
|
||||
describe file('/etc/init/vault.conf') do
|
||||
it { should be_a_file }
|
||||
its(:content) { should_not match /syslog/ }
|
||||
end
|
||||
|
||||
if os[:family] == 'amazon'
|
||||
# serverspec assumes 'service' resource to be
|
||||
# init.d for rhel-based os. have to just check
|
||||
# that it is running, that means that it started
|
||||
# with the instance
|
||||
describe command('sudo initctl list | grep vault | grep -v grep') do
|
||||
its(:stdout) { should match(/vault start\/running/) }
|
||||
its(:stderr) { should be_empty }
|
||||
end
|
||||
|
||||
describe processes("vault") do
|
||||
its('users') { should eq ['root'] }
|
||||
end
|
||||
|
||||
else
|
||||
describe service('vault') do
|
||||
it { should be_enabled }
|
||||
it { should be_running }
|
||||
end
|
||||
end
|
||||
|
||||
describe file('/var/log/vault.log') do
|
||||
it { should be_a_file }
|
||||
its(:content) { should match(/WARNING: Dev mode is enabled!/) }
|
||||
end
|
||||
|
|
@ -3,7 +3,7 @@ vault:
|
|||
listen_protocol: tcp
|
||||
listen_port: 8200
|
||||
listen_address: 0.0.0.0
|
||||
strict_tls: 0
|
||||
tls_disable: 0
|
||||
service: upstart
|
||||
tls_cert_file: {}
|
||||
tls_key_file: {}
|
||||
|
@ -15,3 +15,5 @@ vault:
|
|||
dev_mode: true
|
||||
service:
|
||||
type: systemd
|
||||
user: root
|
||||
group: root
|
||||
|
|
|
@ -7,7 +7,7 @@ backend "s3" {
|
|||
|
||||
listener "{{ vault.listen_protocol }}" {
|
||||
address = "{{ vault.listen_address }}:{{ vault.listen_port }}"
|
||||
tls_disable = {{ vault.strict_tls }}
|
||||
tls_disable = {{ vault.tls_disable }}
|
||||
{% if vault.self_signed_cert.enabled %}
|
||||
tls_cert_file = "/etc/vault/{{ vault.self_signed_cert.hostname }}.pem"
|
||||
tls_key_file = "/etc/vault/{{ vault.self_signed_cert.hostname }}-nopass.key"
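Review bot: The listener block interpolates `tls_disable = {{ vault.tls_disable }}` with no guard, and the pillar defaults elsewhere in this commit are `listen_address: 0.0.0.0` and `listen_port: 8200`, so a pillar that flips `tls_disable` to `1` produces a cleartext listener on every interface. Since the value is rendered verbatim, a short template comment would make that contract visible to whoever edits the pillar, e.g. `# tls_disable = 1 serves plaintext; only combine it with a loopback listen_address` placed above the `tls_disable` line. If the formula has a place for input validation (I cannot see one from this hunk), rejecting `tls_disable` together with a non-loopback address would be the stronger fix. The `backend` block and the rest of the template lie outside this hunk.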
|
||||
|
|
|
@ -8,3 +8,5 @@ After=network-online.target consul.service
|
|||
EnvironmentFile=-/etc/sysconfig/vault
|
||||
Restart=on-failure
|
||||
ExecStart=/usr/local/bin/vault server {% if vault.dev_mode %}-dev{% else %} -config="/etc/vault/config/server.hcl"{% endif %}
|
||||
User={{ vault.user }}
|
||||
Group={{ vault.group }}
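Review bot: The new `User={{ vault.user }}` / `Group={{ vault.group }}` lines read the account from the top-level `vault` mapping, while the pillar example in this commit nests those keys as `service: { type: ..., user: root, group: root }`; unless a defaults file flattens them (not visible here), the unit would render an empty `User=` and keep running as root, or fail to render. If the pillar layout is the intended one, the lines should be `User={{ vault.service.user }}` and `Group={{ vault.service.group }}`. Running as the configured non-root account should still allow mlock because the install state grants `cap_ipc_lock` to the binary. The `[Service]` section this hunk extends begins above the hunk.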
|
||||
|
|
|
@ -13,8 +13,14 @@ download vault:
|
|||
|
||||
install vault:
|
||||
cmd.run:
|
||||
- name: unzip /tmp/vault.zip -d /usr/local/bin && chmod 0755 /usr/local/bin/vault && chown root:root /usr/local/bin/vault
|
||||
- name: unzip /tmp/vault.zip -d /usr/local/bin && chmod 0755 /usr/local/bin/vault && chown root:root /usr/local/bin/vault
|
||||
- require:
|
||||
- cmd: download vault
|
||||
- pkg: unzip
|
||||
- unless: test -e /usr/local/bin/vault
|
||||
|
||||
vault set cap mlock:
|
||||
cmd.run:
|
||||
- name: "setcap cap_ipc_lock=+ep /usr/local/bin/vault"
|
||||
- onchanges:
|
||||
- cmd: install vault
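Review bot: `- unless: test -e /usr/local/bin/vault` makes the install state a no-op as soon as any binary exists, so changing the pinned release (the README hunk documents `version: 0.7.0`) will never re-extract it, and the new `vault set cap mlock` state, being `onchanges` on that install, will likewise only ever fire once. A version-aware guard keeps the state idempotent and still lets upgrades apply, e.g. `- unless: /usr/local/bin/vault -version 2>/dev/null | grep -q "v{{ vault.version }}"` (assuming the pillar key is `vault.version` as the README shows; `vault -version` output is already relied on by the spec files). Note the `download vault` state that feeds `/tmp/vault.zip` lies above this hunk and would need the same treatment for the upgrade path to work end to end.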
|
||||
|
|
|
@ -22,7 +22,6 @@ generate self signed SSL certs:
|
|||
- group: root
|
||||
- mode: 755
|
||||
|
||||
{%- if vault.dev_mode %}
|
||||
/etc/vault/config:
|
||||
file.directory:
|
||||
- user: root
|
||||
|
@ -40,7 +39,6 @@ generate self signed SSL certs:
|
|||
- mode: 644
|
||||
- require:
|
||||
- file: /etc/vault/config
|
||||
{% endif -%}
|
||||
|
||||
{%- if vault.service.type == 'systemd' %}
|
||||
/etc/systemd/system/vault.service:
|
||||
|
@ -71,6 +69,4 @@ vault:
|
|||
{%- if vault.self_signed_cert.enabled %}
|
||||
- cmd: generate self signed SSL certs
|
||||
{% endif -%}
|
||||
{%- if vault.dev_mode %}
|
||||
- file: /etc/vault/config/server.hcl
|
||||
{% endif -%}
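Review bot: The file state whose `- mode: 644` opens the second hunk (its definition starts above the hunk; from the `- require: - file: /etc/vault/config` that follows it appears to be `/etc/vault/config/server.hcl`) leaves the rendered server config world-readable, and that file is where backend settings such as the S3 bucket are templated; if credentials or TLS key paths are ever added to it, every local account could read them. A tighter default costs nothing for the service itself, e.g. `- mode: 640` with the group set to the service's group. Dropping the `dev_mode` guards around `/etc/vault/config` and the `server.hcl` require looks harmless since the systemd unit ignores the config in dev mode, but the unconditional require now means a template error in `server.hcl` also breaks dev deployments, which may be worth a line in the changelog or README.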
|
||||
|
|