Merge branch 'master' into feature/add_license

This commit is contained in:
myoung34 2017-08-17 10:46:58 -05:00 committed by GitHub
commit 1f01bfb846
12 changed files with 41 additions and 77 deletions

View file

@ -10,6 +10,10 @@ verifier:
provisioner: provisioner:
name: salt_solo name: salt_solo
salt_install: bootstrap
salt_bootstrap_url: https://bootstrap.saltstack.com
salt_bootstrap_options: -p git -p curl stable 2016.11
salt_version: latest
log_level: debug log_level: debug
require_chef: false require_chef: false
formula: vault formula: vault
@ -24,17 +28,13 @@ platforms:
pid_one_command: /usr/lib/systemd/systemd pid_one_command: /usr/lib/systemd/systemd
- name: amazonlinux - name: amazonlinux
driver_config: driver_config:
provision_command:
- yum install -y epel-release
image: amazonlinux:latest image: amazonlinux:latest
platform: rhel platform: rhel
run_command: /sbin/init run_command: /sbin/init
suites: suites:
- name: default
provisioner:
state_top:
base:
'*':
- vault
- name: dev_server_systemd - name: dev_server_systemd
excludes: excludes:
- amazonlinux - amazonlinux
@ -53,7 +53,7 @@ suites:
vault: vault:
service: service:
type: systemd type: systemd
- name: dev_server_upstart - name: dev_server_upstart_s3
includes: includes:
- amazonlinux - amazonlinux
provisioner: provisioner:
@ -71,24 +71,6 @@ suites:
vault: vault:
service: service:
type: upstart type: upstart
- name: server_backend_s3
includes:
- amazonlinux
provisioner:
state_top:
base:
'*':
- vault
- vault.server
pillars:
top.sls:
base:
'*':
- vault
vault.sls:
vault:
backend: backend:
type: s3 type: s3
bucket: com-saltstack-vault bucket: com-saltstack-vault
service:
type: upstart

View file

@ -28,11 +28,11 @@ To use it, just include *vault.server* in your *top.sls*, and configure it using
:: ::
vault: vault:
vault_version: 0.7.0 version: 0.7.0
listen_protocol: tcp listen_protocol: tcp
listen_port: 8200 listen_port: 8200
listen_address: 0.0.0.0 listen_address: 0.0.0.0
strict_tls: 0 tls_disable: 0
default_lease_ttl: 24h default_lease_ttl: 24h
max_lease_ttl: 24h max_lease_ttl: 24h
self_signed_cert: self_signed_cert:

View file

@ -3,7 +3,7 @@ vault:
listen_protocol: tcp listen_protocol: tcp
listen_port: 8200 listen_port: 8200
listen_address: 0.0.0.0 listen_address: 0.0.0.0
strict_tls: 0 tls_disable: 0
tls_cert_file: {} tls_cert_file: {}
tls_key_file: {} tls_key_file: {}
default_lease_ttl: 4380h default_lease_ttl: 4380h
@ -14,3 +14,5 @@ vault:
dev_mode: true dev_mode: true
service: service:
type: upstart type: upstart
user: root
group: root

View file

@ -1,6 +0,0 @@
describe command('/usr/local/bin/vault -version') do
its(:exit_status) { should eq 0 }
its(:stderr) { should be_empty }
its(:stdout) { should match(/^Vault v[0-9\.]+ \('[0-9a-f]+'\)/) }
end

View file

@ -1,3 +1,9 @@
describe command('/usr/local/bin/vault -version') do
its(:exit_status) { should eq 0 }
its(:stderr) { should be_empty }
its(:stdout) { should match(/^Vault v[0-9\.]+ \('[0-9a-f]+'\)/) }
end
describe file('/etc/vault/config/server.hcl') do describe file('/etc/vault/config/server.hcl') do
it { should be_a_file } it { should be_a_file }
expected =<<-EOF expected =<<-EOF

View file

@ -1,6 +1,16 @@
describe command('/usr/local/bin/vault -version') do
its(:exit_status) { should eq 0 }
its(:stderr) { should be_empty }
its(:stdout) { should match(/^Vault v[0-9\.]+ \('[0-9a-f]+'\)/) }
end
describe file('/etc/vault/config/server.hcl') do describe file('/etc/vault/config/server.hcl') do
it { should be_a_file } it { should be_a_file }
expected = <<-EOF expected = <<-EOF
backend "s3" {
bucket = "com-saltstack-vault"
}
listener "tcp" { listener "tcp" {
address = "0.0.0.0:8200" address = "0.0.0.0:8200"
tls_disable = 0 tls_disable = 0

View file

@ -1,36 +0,0 @@
describe file('/etc/vault/config/server.hcl') do
it { should be_a_file }
its(:content) { should match /bucket = "com-saltstack-vault"/ }
end
describe file('/etc/init/vault.conf') do
it { should be_a_file }
its(:content) { should_not match /syslog/ }
end
if os[:family] == 'amazon'
# serverspec assumes 'service' resource to be
# init.d for rhel-based os. have to just check
# that it is running, that means that it started
# with the instance
describe command('sudo initctl list | grep vault | grep -v grep') do
its(:stdout) { should match(/vault start\/running/) }
its(:stderr) { should be_empty }
end
describe processes("vault") do
its('users') { should eq ['root'] }
end
else
describe service('vault') do
it { should be_enabled }
it { should be_running }
end
end
describe file('/var/log/vault.log') do
it { should be_a_file }
its(:content) { should match(/WARNING: Dev mode is enabled!/) }
end

View file

@ -3,7 +3,7 @@ vault:
listen_protocol: tcp listen_protocol: tcp
listen_port: 8200 listen_port: 8200
listen_address: 0.0.0.0 listen_address: 0.0.0.0
strict_tls: 0 tls_disable: 0
service: upstart service: upstart
tls_cert_file: {} tls_cert_file: {}
tls_key_file: {} tls_key_file: {}
@ -15,3 +15,5 @@ vault:
dev_mode: true dev_mode: true
service: service:
type: systemd type: systemd
user: root
group: root

View file

@ -7,7 +7,7 @@ backend "s3" {
listener "{{ vault.listen_protocol }}" { listener "{{ vault.listen_protocol }}" {
address = "{{ vault.listen_address }}:{{ vault.listen_port }}" address = "{{ vault.listen_address }}:{{ vault.listen_port }}"
tls_disable = {{ vault.strict_tls }} tls_disable = {{ vault.tls_disable }}
{% if vault.self_signed_cert.enabled %} {% if vault.self_signed_cert.enabled %}
tls_cert_file = "/etc/vault/{{ vault.self_signed_cert.hostname }}.pem" tls_cert_file = "/etc/vault/{{ vault.self_signed_cert.hostname }}.pem"
tls_key_file = "/etc/vault/{{ vault.self_signed_cert.hostname }}-nopass.key" tls_key_file = "/etc/vault/{{ vault.self_signed_cert.hostname }}-nopass.key"

View file

@ -8,3 +8,5 @@ After=network-online.target consul.service
EnvironmentFile=-/etc/sysconfig/vault EnvironmentFile=-/etc/sysconfig/vault
Restart=on-failure Restart=on-failure
ExecStart=/usr/local/bin/vault server {% if vault.dev_mode %}-dev{% else %} -config="/etc/vault/config/server.hcl"{% endif %} ExecStart=/usr/local/bin/vault server {% if vault.dev_mode %}-dev{% else %} -config="/etc/vault/config/server.hcl"{% endif %}
User={{ vault.user }}
Group={{ vault.group }}

View file

@ -13,8 +13,14 @@ download vault:
install vault: install vault:
cmd.run: cmd.run:
- name: unzip /tmp/vault.zip -d /usr/local/bin && chmod 0755 /usr/local/bin/vault && chown root:root /usr/local/bin/vault - name: unzip /tmp/vault.zip -d /usr/local/bin && chmod 0755 /usr/local/bin/vault && chown root:root /usr/local/bin/vault
- require: - require:
- cmd: download vault - cmd: download vault
- pkg: unzip - pkg: unzip
- unless: test -e /usr/local/bin/vault - unless: test -e /usr/local/bin/vault
vault set cap mlock:
cmd.run:
- name: "setcap cap_ipc_lock=+ep /usr/local/bin/vault"
- onchanges:
- cmd: install vault

View file

@ -22,7 +22,6 @@ generate self signed SSL certs:
- group: root - group: root
- mode: 755 - mode: 755
{%- if vault.dev_mode %}
/etc/vault/config: /etc/vault/config:
file.directory: file.directory:
- user: root - user: root
@ -40,7 +39,6 @@ generate self signed SSL certs:
- mode: 644 - mode: 644
- require: - require:
- file: /etc/vault/config - file: /etc/vault/config
{% endif -%}
{%- if vault.service.type == 'systemd' %} {%- if vault.service.type == 'systemd' %}
/etc/systemd/system/vault.service: /etc/systemd/system/vault.service:
@ -71,6 +69,4 @@ vault:
{%- if vault.self_signed_cert.enabled %} {%- if vault.self_signed_cert.enabled %}
- cmd: generate self signed SSL certs - cmd: generate self signed SSL certs
{% endif -%} {% endif -%}
{%- if vault.dev_mode %}
- file: /etc/vault/config/server.hcl - file: /etc/vault/config/server.hcl
{% endif -%}