From 32aad6e68e820fe85a2517a3997ef04e00918a5d Mon Sep 17 00:00:00 2001 From: Jonathan Mickle Date: Fri, 28 Apr 2017 09:26:32 -0700 Subject: [PATCH 1/9] fixing the requires list --- vault/server.sls | 2 ++ 1 file changed, 2 insertions(+) diff --git a/vault/server.sls b/vault/server.sls index 15dc4ba..77ef5f5 100644 --- a/vault/server.sls +++ b/vault/server.sls @@ -67,6 +67,7 @@ generate self signed SSL certs: vault: service.running: - enable: True +{%- if vault.self_signed_cert.enabled or vault.dev_mode %} - require: {%- if vault.self_signed_cert.enabled %} - cmd: generate self signed SSL certs @@ -74,3 +75,4 @@ vault: {%- if vault.dev_mode %} - file: /etc/vault/config/server.hcl {% endif -%} +{% endif -%} From da9c643213e6879b7adc1b7393a43c322d9119de Mon Sep 17 00:00:00 2001 From: Jonathan Mickle Date: Fri, 28 Apr 2017 09:52:19 -0700 Subject: [PATCH 2/9] vault should always configure itself --- vault/server.sls | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/vault/server.sls b/vault/server.sls index 77ef5f5..e5c88c0 100644 --- a/vault/server.sls +++ b/vault/server.sls @@ -21,8 +21,7 @@ generate self signed SSL certs: - user: root - group: root - mode: 755 - -{%- if vault.dev_mode %} + /etc/vault/config: file.directory: - user: root @@ -40,7 +39,6 @@ generate self signed SSL certs: - mode: 644 - require: - file: /etc/vault/config -{% endif -%} {%- if vault.service.type == 'systemd' %} /etc/systemd/system/vault.service: From aafb5a1ae042f8df7b30cafc1792e6fc9f672ab5 Mon Sep 17 00:00:00 2001 
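Review bot: With the `{%- if vault.dev_mode %}` guard removed in the first hunk of PATCH 2, /etc/vault/config/server.hcl is now rendered unconditionally with the `- mode: 644` visible in the second hunk's context, i.e. world-readable regardless of mode. That is harmless while the backend stanza only names a bucket, but if it is ever extended with `access_key`/`secret_key` (Vault's s3 backend accepts those) the credentials would be exposed to every local account; `- mode: 640` with group ownership matching the account Vault runs as is the safer default. As a style point on the same lines, the modes are bare integers (`755`, `644`); Salt's own docs recommend quoting them (`- mode: '0644'`) so a leading-zero form can never be reinterpreted by the YAML loader. The enclosing state definitions start before these hunks.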
From: Marcus Young Date: Fri, 28 Apr 2017 15:02:17 -0500 Subject: [PATCH 3/9] Merge some tests to make travis faster (less permutations) --- .kitchen.yml | 26 +------------- test/integration/default/vault_spec.rb | 6 ---- .../dev_server_systemd/vault_spec.rb | 6 ++++ .../vault_spec.rb | 10 ++++++ .../server_backend_s3/vault_spec.rb | 36 ------------------- vault/server.sls | 6 +--- 6 files changed, 18 insertions(+), 72 deletions(-) delete mode 100644 test/integration/default/vault_spec.rb rename test/integration/{dev_server_upstart => dev_server_upstart_s3}/vault_spec.rb (82%) delete mode 100644 test/integration/server_backend_s3/vault_spec.rb diff --git a/.kitchen.yml b/.kitchen.yml index b9272f2..3956e76 100644 --- a/.kitchen.yml +++ b/.kitchen.yml @@ -29,12 +29,6 @@ platforms: run_command: /sbin/init suites: - - name: default - provisioner: - state_top: - base: - '*': - - vault - name: dev_server_systemd excludes: - amazonlinux @@ -53,7 +47,7 @@ suites: vault: service: type: systemd - - name: dev_server_upstart + - name: dev_server_upstart_s3 includes: - amazonlinux provisioner: @@ -71,24 +65,6 @@ suites: vault: service: type: upstart - - name: server_backend_s3 - includes: - - amazonlinux - provisioner: - state_top: - base: - '*': - - vault - - vault.server - pillars: - top.sls: - base: - '*': - - vault - vault.sls: - vault: backend: type: s3 bucket: com-saltstack-vault - service: - type: upstart diff --git a/test/integration/default/vault_spec.rb b/test/integration/default/vault_spec.rb deleted file mode 100644 index b27fa42..0000000 --- a/test/integration/default/vault_spec.rb +++ /dev/null @@ -1,6 +0,0 @@ -describe command('/usr/local/bin/vault -version') do - its(:exit_status) { should eq 0 } - its(:stderr) { should be_empty } - its(:stdout) { should match(/^Vault v[0-9\.]+ \('[0-9a-f]+'\)/) } -end - diff --git a/test/integration/dev_server_systemd/vault_spec.rb b/test/integration/dev_server_systemd/vault_spec.rb index bdef182..0034098 100644 
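Review bot: The suite renamed to `dev_server_upstart_s3` in the second .kitchen.yml hunk is not given the `backend` pillar that the deleted `server_backend_s3` suite carried in the third hunk, yet the spec renamed alongside it now expects a `backend "s3"` stanza with bucket `com-saltstack-vault` in server.hcl. Unless the former dev_server_upstart pillar already declares that backend outside these hunks, the renamed suite cannot pass; add under its `vault:` pillar `backend:` / `  type: s3` / `  bucket: com-saltstack-vault`. The suite's pillar block continues outside the hunk, so this is inferred from the diffstat (one insertion, the rename) rather than seen directly.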
--- a/test/integration/dev_server_systemd/vault_spec.rb +++ b/test/integration/dev_server_systemd/vault_spec.rb @@ -1,3 +1,9 @@ +describe command('/usr/local/bin/vault -version') do + its(:exit_status) { should eq 0 } + its(:stderr) { should be_empty } + its(:stdout) { should match(/^Vault v[0-9\.]+ \('[0-9a-f]+'\)/) } +end + describe file('/etc/vault/config/server.hcl') do it { should be_a_file } expected =<<-EOF diff --git a/test/integration/dev_server_upstart/vault_spec.rb b/test/integration/dev_server_upstart_s3/vault_spec.rb similarity index 82% rename from test/integration/dev_server_upstart/vault_spec.rb rename to test/integration/dev_server_upstart_s3/vault_spec.rb index 1e8db72..2904404 100644 --- a/test/integration/dev_server_upstart/vault_spec.rb +++ b/test/integration/dev_server_upstart_s3/vault_spec.rb @@ -1,6 +1,16 @@ +describe command('/usr/local/bin/vault -version') do + its(:exit_status) { should eq 0 } + its(:stderr) { should be_empty } + its(:stdout) { should match(/^Vault v[0-9\.]+ \('[0-9a-f]+'\)/) } +end + describe file('/etc/vault/config/server.hcl') do it { should be_a_file } expected = <<-EOF + +backend "s3" { + bucket = "com-saltstack-vault" +} listener "tcp" { address = "0.0.0.0:8200" tls_disable = 0 diff --git a/test/integration/server_backend_s3/vault_spec.rb b/test/integration/server_backend_s3/vault_spec.rb deleted file mode 100644 index af2a05a..0000000 --- a/test/integration/server_backend_s3/vault_spec.rb +++ /dev/null 
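Review bot: The four-line `describe command('/usr/local/bin/vault -version')` block added at the top of both spec hunks here (dev_server_systemd and dev_server_upstart_s3) is a verbatim copy of the block deleted from test/integration/default/vault_spec.rb; a shared example or a helper file required by both suites would keep the version regex in one place. In the dev_server_upstart_s3 hunk the `backend "s3"` stanza is inserted into the `expected = <<-EOF` heredoc preceded by an empty line, so if the assertion that consumes `expected` is an exact comparison it now depends on the rendered server.hcl carrying that same blank line and identical indentation — `<<-EOF` preserves leading whitespace — so confirm against the template. The heredoc and the assertion using it continue outside the hunk.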
@@ -1,36 +0,0 @@ -describe file('/etc/vault/config/server.hcl') do - it { should be_a_file } - its(:content) { should match /bucket = "com-saltstack-vault"/ } -end - -describe file('/etc/init/vault.conf') do - it { should be_a_file } - its(:content) { should_not match /syslog/ } -end - -if os[:family] == 'amazon' - # serverspec assumes 'service' resource to be - # init.d for rhel-based os. have to just check - # that it is running, that means that it started - # with the instance - describe command('sudo initctl list | grep vault | grep -v grep') do - its(:stdout) { should match(/vault start\/running/) } - its(:stderr) { should be_empty } - end - - describe processes("vault") do - its('users') { should eq ['root'] } - end - -else - describe service('vault') do - it { should be_enabled } - it { should be_running } - end -end - -describe file('/var/log/vault.log') do - it { should be_a_file } - its(:content) { should match(/WARNING: Dev mode is enabled!/) } -end - diff --git a/vault/server.sls b/vault/server.sls index e5c88c0..f6dc522 100644 --- a/vault/server.sls +++ b/vault/server.sls @@ -21,7 +21,7 @@ generate self signed SSL certs: - user: root - group: root - mode: 755 - + /etc/vault/config: file.directory: - user: root @@ -65,12 +65,8 @@ generate self signed SSL certs: vault: service.running: - enable: True -{%- if vault.self_signed_cert.enabled or vault.dev_mode %} - require: {%- if vault.self_signed_cert.enabled %} - cmd: generate self signed SSL certs {% endif -%} - {%- if vault.dev_mode %} - file: /etc/vault/config/server.hcl - {% endif -%} -{% endif -%} From 3ce5c1f46fd3f22df4e270a59660e92ed012482f Mon Sep 17 00:00:00 2001 From: John Sigvald Skauge Date: Fri, 28 Jul 2017 16:23:12 +0200 Subject: [PATCH 4/9] vault_version is not used anywhere vault:version, on the other hand, is. Corrected this in the readme --- README.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.rst b/README.rst index ea17c31..7526526 100644 --- a/README.rst 
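Review bot: The second vault/server.sls hunk removes the `{%- if vault.dev_mode %}` / `{% endif -%}` pair around `- file: /etc/vault/config/server.hcl` but leaves the preceding `{% endif -%}` in place, and that tag's trailing `-` now strips the newline and indentation in front of the `- file:` item. Unless the renderer runs with trim_blocks/lstrip_blocks, the output becomes `- require:- file: …` when the self-signed cert is disabled and puts `- file: …` at column 0 when it is enabled, either of which breaks the YAML; dropping the hyphen, `{% endif %}`, keeps the list item on its own line (the blank line it leaves in the enabled case is harmless). The old layout only worked because the following `{%- if vault.dev_mode %}` absorbed the stripped whitespace itself. The `vault:` state begins before this hunk.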
+++ b/README.rst @@ -28,7 +28,7 @@ To use it, just include *vault.server* in your *top.sls*, and configure it using :: vault: - vault_version: 0.7.0 + version: 0.7.0 listen_protocol: tcp listen_port: 8200 listen_address: 0.0.0.0 From 08876c2b19145ec0f36a9b6b5ecb4bea39522385 Mon Sep 17 00:00:00 2001 From: Marcus Young Date: Fri, 4 Aug 2017 10:41:43 -0500 Subject: [PATCH 5/9] Attempting to fix tests --- .kitchen.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.kitchen.yml b/.kitchen.yml index 3956e76..110e569 100644 --- a/.kitchen.yml +++ b/.kitchen.yml @@ -10,6 +10,10 @@ verifier: provisioner: name: salt_solo + salt_install: bootstrap + salt_bootstrap_url: https://bootstrap.saltstack.com + salt_bootstrap_options: -p git -p curl stable 2016.11 + salt_version: latest log_level: debug require_chef: false formula: vault From d3ba4453f2e9972e3fb606a877ca2992bbae0a04 Mon Sep 17 00:00:00 2001 From: Marcus Young Date: Fri, 4 Aug 2017 10:51:42 -0500 Subject: [PATCH 6/9] Adding epel to amazonlinux --- .kitchen.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.kitchen.yml b/.kitchen.yml index 110e569..bbc52cb 100644 --- a/.kitchen.yml +++ b/.kitchen.yml @@ -28,6 +28,8 @@ platforms: pid_one_command: /usr/lib/systemd/systemd - name: amazonlinux driver_config: + provision_command: + - yum install -y epel-release image: amazonlinux:latest platform: rhel run_command: /sbin/init From 045ee3cbda28aa27119a2a55d9df9bed8dd82307 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Matthias=20K=C3=BChne?= Date: Tue, 6 Jun 2017 17:37:05 +0200 Subject: [PATCH 7/9] Rename strict_tls to tls_disable --- README.rst | 2 +- pillar.example | 2 +- vault/defaults.yaml | 2 +- vault/files/server.hcl.jinja | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/README.rst b/README.rst index ea17c31..093fea9 100644 --- a/README.rst +++ b/README.rst 
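Review bot: `salt_version: latest` and `salt_bootstrap_options: -p git -p curl stable 2016.11` in the PATCH 5 .kitchen.yml hunk disagree about which Salt release the suites run, so whichever setting kitchen-salt honours for the bootstrap path silently decides; pin both to the same release so a CI failure cannot be caused by an unnoticed version drift. Fetching bootstrap.saltstack.com and executing it as root at provisioning time is also an unverified download — HTTPS protects the transport, not the content — and pinning the release is the only control present; vendoring the script with a checksum would remove that runtime trust entirely. If the value is ever reduced to the version alone, quote it (`'2016.11'`) so it is not loaded as a float.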
@@ -32,7 +32,7 @@ To use it, just include *vault.server* in your *top.sls*, and configure it using listen_protocol: tcp listen_port: 8200 listen_address: 0.0.0.0 - strict_tls: 0 + tls_disable: 0 default_lease_ttl: 24h max_lease_ttl: 24h self_signed_cert: diff --git a/pillar.example b/pillar.example index 4e67e56..cc91871 100644 --- a/pillar.example +++ b/pillar.example @@ -3,7 +3,7 @@ vault: listen_protocol: tcp listen_port: 8200 listen_address: 0.0.0.0 - strict_tls: 0 + tls_disable: 0 tls_cert_file: {} tls_key_file: {} default_lease_ttl: 4380h diff --git a/vault/defaults.yaml b/vault/defaults.yaml index 5dc73dc..4d4e712 100644 --- a/vault/defaults.yaml +++ b/vault/defaults.yaml @@ -3,7 +3,7 @@ vault: listen_protocol: tcp listen_port: 8200 listen_address: 0.0.0.0 - strict_tls: 0 + tls_disable: 0 service: upstart tls_cert_file: {} tls_key_file: {} diff --git a/vault/files/server.hcl.jinja b/vault/files/server.hcl.jinja index 41355f5..528f415 100644 --- a/vault/files/server.hcl.jinja +++ b/vault/files/server.hcl.jinja @@ -7,7 +7,7 @@ backend "s3" { listener "{{ vault.listen_protocol }}" { address = "{{ vault.listen_address }}:{{ vault.listen_port }}" - tls_disable = {{ vault.strict_tls }} + tls_disable = {{ vault.tls_disable }} {% if vault.self_signed_cert.enabled %} tls_cert_file = "/etc/vault/{{ vault.self_signed_cert.hostname }}.pem" tls_key_file = "/etc/vault/{{ vault.self_signed_cert.hostname }}-nopass.key" From 44aaee6628fa572b5d856e6d6e0a532fb47b2570 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Matthias=20K=C3=BChne?= Date: Tue, 6 Jun 2017 17:20:44 +0200 Subject: [PATCH 8/9] Add ability to run server as non root --- pillar.example | 2 ++ vault/defaults.yaml | 2 ++ vault/files/vault_systemd.service.jinja | 2 ++ vault/init.sls | 8 +++++++- 4 files changed, 13 insertions(+), 1 deletion(-) diff --git a/pillar.example b/pillar.example index 4e67e56..15ba3a0 100644 --- a/pillar.example +++ b/pillar.example 
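Review bot: Renaming the pillar key from `strict_tls` to `tls_disable` across pillar.example, defaults.yaml and server.hcl.jinja means a pillar that still sets `strict_tls: 1` is silently ignored and the default `tls_disable: 0` applies; that fails safe (TLS stays on), but a deployment that used the old key to run a plaintext listener behind a proxy will stop starting if it has no cert configured. If `vault` is the merged dict the template imports, a transitional fallback keeps both spellings working: `tls_disable = {{ vault.get('tls_disable', vault.get('strict_tls', 0)) }}`, with a README line marking `strict_tls` deprecated. Since the old name read as the inverse of what it did, a comment next to the default, `# 0 = TLS on (cert/key required), 1 = plaintext listener`, would also prevent the next inversion.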
@@ -14,3 +14,5 @@ vault: dev_mode: true service: type: upstart + user: root + group: root diff --git a/vault/defaults.yaml b/vault/defaults.yaml index 5dc73dc..9039a96 100644 --- a/vault/defaults.yaml +++ b/vault/defaults.yaml @@ -15,3 +15,5 @@ vault: dev_mode: true service: type: systemd + user: root + group: root diff --git a/vault/files/vault_systemd.service.jinja b/vault/files/vault_systemd.service.jinja index 7042a30..a6417b7 100644 --- a/vault/files/vault_systemd.service.jinja +++ b/vault/files/vault_systemd.service.jinja @@ -8,3 +8,5 @@ After=network-online.target consul.service EnvironmentFile=-/etc/sysconfig/vault Restart=on-failure ExecStart=/usr/local/bin/vault server {% if vault.dev_mode %}-dev{% else %} -config="/etc/vault/config/server.hcl"{% endif %} +User={{ vault.user }} +Group={{ vault.group }} diff --git a/vault/init.sls b/vault/init.sls index 045d200..a6943fd 100644 --- a/vault/init.sls +++ b/vault/init.sls @@ -13,8 +13,14 @@ download vault: install vault: cmd.run: - - name: unzip /tmp/vault.zip -d /usr/local/bin && chmod 0755 /usr/local/bin/vault && chown root:root /usr/local/bin/vault + - name: unzip /tmp/vault.zip -d /usr/local/bin && chmod 0755 /usr/local/bin/vault && chown root:root /usr/local/bin/vault - require: - cmd: download vault - pkg: unzip - unless: test -e /usr/local/bin/vault + +vault set cap mlock: + cmd.run: + - name: "setcap cap_ipc_lock=+ep /usr/local/bin/vault" + - watch: + - cmd: install vault From 09cec65355dd9615eef4c557a89b329fa79d722d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Matthias=20K=C3=BChne?= Date: Tue, 6 Jun 2017 17:54:57 +0200 Subject: [PATCH 9/9] watch => onchanges --- vault/init.sls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/vault/init.sls b/vault/init.sls index a6943fd..6e4958d 100644 --- a/vault/init.sls +++ b/vault/init.sls @@ -22,5 +22,5 @@ install vault: vault set cap mlock: cmd.run: - name: "setcap cap_ipc_lock=+ep /usr/local/bin/vault" - - watch: + - onchanges: - cmd: install vault
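Review bot: `User={{ vault.user }}` / `Group={{ vault.group }}` in the systemd unit let the server drop root, but nothing in this series creates that account — the diffstat touches no state with `user.present` — and the upstart job template is not updated, so the two init systems diverge (upstart keeps running as root). Add a state such as `vault user:` / `  user.present:` / `    - name: {{ vault.user }}` (system account, nologin shell, skipped when the value is root) and mirror the setting in the upstart job. When a non-root user is chosen, the self-signed key under /etc/vault and /etc/vault/config/server.hcl must be readable by that account; the key's mode is not visible here, so confirm it. Separately, the defaults.yaml context across this series appears to show `service: upstart` at line 7 and a `service:` mapping at line 16 under the same `vault:` key — a duplicate key most YAML loaders resolve silently to the last value; since the new `user:`/`group:` keys land right next to it, this is a good moment to drop the stale scalar.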
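Review bot: `vault set cap mlock` in the vault/init.sls hunk is gated only on the install step (`- watch:` here, `- onchanges:` in PATCH 9), and `install vault` is itself skipped by its `unless: test -e /usr/local/bin/vault` once the binary exists, so the capability is applied exactly once and never re-checked; if the file capability is lost — binary replaced out-of-band, copied without xattrs, or a filesystem that does not preserve them — a highstate will not restore it and mlock fails silently for a non-root user. Guard the state on the observed capability instead and keep the install step as an ordering requisite, as below. setcap/getcap come from libcap on RHEL-family images and libcap2-bin on Debian/Ubuntu; if the base images do not ship them, add the package alongside the existing `pkg: unzip` requisite. The whitespace-only change to the `install vault` name line above looks accidental and could be dropped.
```yaml
vault set cap mlock:
  cmd.run:
    - name: "setcap cap_ipc_lock=+ep /usr/local/bin/vault"
    - unless: getcap /usr/local/bin/vault | grep -q cap_ipc_lock
    - require:
      - cmd: install vault
```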