Merge branch 'master' into feature/add_license

2017-08-17 10:46:58 -05:00 · 2017-08-17 10:46:58 -05:00 · 1f01bfb846
commit 1f01bfb846
parent 384a62a59f e9c5af4b86
12 changed files with 41 additions and 77 deletions
--- a/.kitchen.yml
+++ b/.kitchen.yml
@ -10,6 +10,10 @@ verifier:
 provisioner:
  name: salt_solo
  salt_install: bootstrap
  salt_bootstrap_url: https://bootstrap.saltstack.com
  salt_bootstrap_options: -p git -p curl stable 2016.11
  salt_version: latest
  log_level: debug
  require_chef: false
  formula: vault
@ -24,17 +28,13 @@ platforms:
      pid_one_command: /usr/lib/systemd/systemd
  - name: amazonlinux
    driver_config:
      provision_command:
        - yum install -y epel-release
      image: amazonlinux:latest
      platform: rhel
      run_command: /sbin/init
 suites:
  - name: default
    provisioner:
      state_top:
        base:
          '*':
            - vault
  - name: dev_server_systemd
    excludes:
      - amazonlinux
@ -53,7 +53,7 @@ suites:
          vault:
            service:
              type: systemd
-  - name: dev_server_upstart
+  - name: dev_server_upstart_s3
    includes:
      - amazonlinux
    provisioner:
@ -71,24 +71,6 @@ suites:
          vault:
            service:
              type: upstart
  - name: server_backend_s3
    includes:
      - amazonlinux
    provisioner:
      state_top:
        base:
          '*':
            - vault
            - vault.server
      pillars:
        top.sls:
          base:
            '*':
              - vault
        vault.sls:
          vault:
            backend:
              type: s3
              bucket: com-saltstack-vault
            service:
              type: upstart
--- a/README.rst
+++ b/README.rst
@ -28,11 +28,11 @@ To use it, just include *vault.server* in your *top.sls*, and configure it using
 ::
  vault:
-    vault_version: 0.7.0
+    version: 0.7.0
    listen_protocol: tcp
    listen_port: 8200
    listen_address: 0.0.0.0
-    strict_tls: 0
+    tls_disable: 0
    default_lease_ttl: 24h
    max_lease_ttl: 24h
    self_signed_cert:
--- a/pillar.example
+++ b/pillar.example
@ -3,7 +3,7 @@ vault:
  listen_protocol: tcp
  listen_port: 8200
  listen_address: 0.0.0.0
-  strict_tls: 0
+  tls_disable: 0
  tls_cert_file: {}
  tls_key_file: {}
  default_lease_ttl: 4380h
@ -14,3 +14,5 @@ vault:
  dev_mode: true
  service:
    type: upstart
  user: root
  group: root
--- a/test/integration/default/vault_spec.rb
+++ b/test/integration/default/vault_spec.rb
@ -1,6 +0,0 @@
 describe command('/usr/local/bin/vault -version') do
  its(:exit_status) { should eq 0 }
  its(:stderr) { should be_empty }
  its(:stdout) { should match(/^Vault v[0-9\.]+ \('[0-9a-f]+'\)/) }
 end
--- a/test/integration/dev_server_systemd/vault_spec.rb
+++ b/test/integration/dev_server_systemd/vault_spec.rb
@ -1,3 +1,9 @@
 describe command('/usr/local/bin/vault -version') do
  its(:exit_status) { should eq 0 }
  its(:stderr) { should be_empty }
  its(:stdout) { should match(/^Vault v[0-9\.]+ \('[0-9a-f]+'\)/) }
 end
 describe file('/etc/vault/config/server.hcl') do
  it { should be_a_file }
  expected =<<-EOF
--- a/test/integration/dev_server_upstart_s3/vault_spec.rb
+++ b/test/integration/dev_server_upstart_s3/vault_spec.rb
@ -1,6 +1,16 @@
 describe command('/usr/local/bin/vault -version') do
  its(:exit_status) { should eq 0 }
  its(:stderr) { should be_empty }
  its(:stdout) { should match(/^Vault v[0-9\.]+ \('[0-9a-f]+'\)/) }
 end
 describe file('/etc/vault/config/server.hcl') do
  it { should be_a_file }
  expected = <<-EOF
 backend "s3" {
  bucket = "com-saltstack-vault"
 }
 listener "tcp" {
  address = "0.0.0.0:8200"
  tls_disable = 0
--- a/test/integration/server_backend_s3/vault_spec.rb
+++ b/test/integration/server_backend_s3/vault_spec.rb
@ -1,36 +0,0 @@
 describe file('/etc/vault/config/server.hcl') do
  it { should be_a_file }
  its(:content) { should match /bucket = "com-saltstack-vault"/ }
 end
 describe file('/etc/init/vault.conf') do
  it { should be_a_file }
  its(:content) { should_not match /syslog/ }
 end
 if os[:family] == 'amazon'
  # serverspec assumes 'service' resource to be
  # init.d for rhel-based os. have to just check
  # that it is running, that means that it started
  # with the instance
  describe command('sudo initctl list | grep vault | grep -v grep') do
    its(:stdout) { should match(/vault start\/running/) }
    its(:stderr) { should be_empty }
  end
  describe processes("vault") do
    its('users') { should eq ['root'] }
  end
 else
  describe service('vault') do
    it { should be_enabled }
    it { should be_running }
  end
 end
 describe file('/var/log/vault.log') do
  it { should be_a_file }
  its(:content) { should match(/WARNING: Dev mode is enabled!/) }
 end
--- a/vault/defaults.yaml
+++ b/vault/defaults.yaml
@ -3,7 +3,7 @@ vault:
  listen_protocol: tcp
  listen_port: 8200
  listen_address: 0.0.0.0
-  strict_tls: 0
+  tls_disable: 0
  service: upstart
  tls_cert_file: {}
  tls_key_file: {}
@ -15,3 +15,5 @@ vault:
  dev_mode: true
  service:
    type: systemd
  user: root
  group: root
--- a/vault/files/server.hcl.jinja
+++ b/vault/files/server.hcl.jinja
@ -7,7 +7,7 @@ backend "s3" {
 listener "{{ vault.listen_protocol }}" {
  address = "{{ vault.listen_address }}:{{ vault.listen_port }}"
-  tls_disable = {{ vault.strict_tls }}
+  tls_disable = {{ vault.tls_disable }}
 {% if vault.self_signed_cert.enabled %}
  tls_cert_file = "/etc/vault/{{ vault.self_signed_cert.hostname }}.pem"
  tls_key_file = "/etc/vault/{{ vault.self_signed_cert.hostname }}-nopass.key"
--- a/vault/files/vault_systemd.service.jinja
+++ b/vault/files/vault_systemd.service.jinja
@ -8,3 +8,5 @@ After=network-online.target consul.service
 EnvironmentFile=-/etc/sysconfig/vault
 Restart=on-failure
 ExecStart=/usr/local/bin/vault server {% if vault.dev_mode %}-dev{% else %} -config="/etc/vault/config/server.hcl"{% endif %}
 User={{ vault.user }}
 Group={{ vault.group }}
--- a/vault/init.sls
+++ b/vault/init.sls
@ -13,8 +13,14 @@ download vault:
 install vault:
  cmd.run:
-    - name:  unzip /tmp/vault.zip -d /usr/local/bin &&  chmod 0755 /usr/local/bin/vault &&  chown root:root /usr/local/bin/vault
+    - name: unzip /tmp/vault.zip -d /usr/local/bin && chmod 0755 /usr/local/bin/vault && chown root:root /usr/local/bin/vault
    - require:
      - cmd: download vault
      - pkg: unzip
    - unless: test -e /usr/local/bin/vault
 vault set cap mlock:
  cmd.run:
    - name: "setcap cap_ipc_lock=+ep /usr/local/bin/vault"
    - onchanges:
      - cmd: install vault
--- a/vault/server.sls
+++ b/vault/server.sls
@ -22,7 +22,6 @@ generate self signed SSL certs:
    - group: root
    - mode: 755
 {%- if vault.dev_mode %}
 /etc/vault/config:
  file.directory:
    - user: root
@ -40,7 +39,6 @@ generate self signed SSL certs:
    - mode: 644
    - require:
      - file: /etc/vault/config
 {% endif -%}
 {%- if vault.service.type == 'systemd' %}
 /etc/systemd/system/vault.service:
@ -71,6 +69,4 @@ vault:
      {%- if vault.self_signed_cert.enabled %}
      - cmd: generate self signed SSL certs
      {% endif -%}
      {%- if vault.dev_mode %}
      - file: /etc/vault/config/server.hcl
      {% endif -%}