Near rewrite, matching consul formula style
This commit is contained in:
parent
1a2b867735
commit
2960b715fd
12 changed files with 443 additions and 226 deletions
16
vault/config.sls
Normal file
16
vault/config.sls
Normal file
|
@ -0,0 +1,16 @@
|
||||||
|
{%- from slspath + '/map.jinja' import vault with context -%}
|
||||||
|
|
||||||
|
vault-config:
|
||||||
|
file.managed:
|
||||||
|
- name: /etc/vault.d/config.hcl
|
||||||
|
- source: salt://vault/files/config.hcl
|
||||||
|
- template: jinja
|
||||||
|
- user: {{ vault.user }}
|
||||||
|
- group: {{ vault.group }}
|
||||||
|
- mode: 0640
|
||||||
|
- require:
|
||||||
|
- user: vault-user
|
||||||
|
{%- if vault.service %}
|
||||||
|
- watch_in:
|
||||||
|
- service: vault
|
||||||
|
{%- endif %}
|
|
@ -1,51 +1,23 @@
|
||||||
vault:
|
vault:
|
||||||
version: 0.10.1
|
version: 0.10.1
|
||||||
listen_protocol: tcp
|
download_host: releases.hashicorp.com
|
||||||
listen_port: 8200
|
|
||||||
listen_address: 0.0.0.0
|
|
||||||
tls_disable: 0
|
|
||||||
tls_cert_file: {}
|
|
||||||
tls_key_file: {}
|
|
||||||
default_lease_ttl: 24h
|
|
||||||
max_lease_ttl: 24h
|
|
||||||
self_signed_cert:
|
|
||||||
enabled: false
|
|
||||||
backend: {}
|
|
||||||
dev_mode: true
|
|
||||||
secure_download: true
|
|
||||||
service:
|
|
||||||
type: systemd
|
|
||||||
user: root
|
|
||||||
group: root
|
|
||||||
hashicorp_gpg_key: |
|
|
||||||
-----BEGIN PGP PUBLIC KEY BLOCK-----
|
|
||||||
Version: GnuPG v1
|
|
||||||
|
|
||||||
mQENBFMORM0BCADBRyKO1MhCirazOSVwcfTr1xUxjPvfxD3hjUwHtjsOy/bT6p9f
|
service: false
|
||||||
W2mRPfwnq2JB5As+paL3UGDsSRDnK9KAxQb0NNF4+eVhr/EJ18s3wwXXDMjpIifq
|
|
||||||
fIm2WyH3G+aRLTLPIpscUNKDyxFOUbsmgXAmJ46Re1fn8uKxKRHbfa39aeuEYWFA
|
user: vault
|
||||||
3drdL1WoUngvED7f+RnKBK2G6ZEpO+LDovQk19xGjiMTtPJrjMjZJ3QXqPvx5wca
|
group: vault
|
||||||
KSZLr4lMTuoTI/ZXyZy5bD4tShiZz6KcyX27cD70q2iRcEZ0poLKHyEIDAi3TM5k
|
|
||||||
SwbbWBFd5RNPOR0qzrb/0p9ksKK48IIfH2FvABEBAAG0K0hhc2hpQ29ycCBTZWN1
|
config:
|
||||||
cml0eSA8c2VjdXJpdHlAaGFzaGljb3JwLmNvbT6JATgEEwECACIFAlMORM0CGwMG
|
data_dir: /var/lib/vault
|
||||||
CwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEFGFLYc0j/xMyWIIAIPhcVqiQ59n
|
listen_protocol: tcp
|
||||||
Jc07gjUX0SWBJAxEG1lKxfzS4Xp+57h2xxTpdotGQ1fZwsihaIqow337YHQI3q0i
|
listen_port: 8200
|
||||||
SqV534Ms+j/tU7X8sq11xFJIeEVG8PASRCwmryUwghFKPlHETQ8jJ+Y8+1asRydi
|
listen_address: 0.0.0.0
|
||||||
psP3B/5Mjhqv/uOK+Vy3zAyIpyDOMtIpOVfjSpCplVRdtSTFWBu9Em7j5I2HMn1w
|
tls_disable: 0
|
||||||
sJZnJgXKpybpibGiiTtmnFLOwibmprSu04rsnP4ncdC2XRD4wIjoyA+4PKgX3sCO
|
tls_cert_file: ''
|
||||||
klEzKryWYBmLkJOMDdo52LttP3279s7XrkLEE7ia0fXa2c12EQ0f0DQ1tGUvyVEW
|
tls_key_file: ''
|
||||||
WmJVccm5bq25AQ0EUw5EzQEIANaPUY04/g7AmYkOMjaCZ6iTp9hB5Rsj/4ee/ln9
|
default_lease_ttl: 24h
|
||||||
wArzRO9+3eejLWh53FoN1rO+su7tiXJA5YAzVy6tuolrqjM8DBztPxdLBbEi4V+j
|
max_lease_ttl: 24h
|
||||||
2tK0dATdBQBHEh3OJApO2UBtcjaZBT31zrG9K55D+CrcgIVEHAKY8Cb4kLBkb5wM
|
self_signed_cert:
|
||||||
skn+DrASKU0BNIV1qRsxfiUdQHZfSqtp004nrql1lbFMLFEuiY8FZrkkQ9qduixo
|
enabled: false
|
||||||
mTT6f34/oiY+Jam3zCK7RDN/OjuWheIPGj/Qbx9JuNiwgX6yRj7OE1tjUx6d8g9y
|
backend: {}
|
||||||
0H1fmLJbb3WZZbuuGFnK6qrE3bGeY8+AWaJAZ37wpWh1p0cAEQEAAYkBHwQYAQIA
|
dev_mode: false
|
||||||
CQUCUw5EzQIbDAAKCRBRhS2HNI/8TJntCAClU7TOO/X053eKF1jqNW4A1qpxctVc
|
|
||||||
z8eTcY8Om5O4f6a/rfxfNFKn9Qyja/OG1xWNobETy7MiMXYjaa8uUx5iFy6kMVaP
|
|
||||||
0BXJ59NLZjMARGw6lVTYDTIvzqqqwLxgliSDfSnqUhubGwvykANPO+93BBx89MRG
|
|
||||||
unNoYGXtPlhNFrAsB1VR8+EyKLv2HQtGCPSFBhrjuzH3gxGibNDDdFQLxxuJWepJ
|
|
||||||
EK1UbTS4ms0NgZ2Uknqn1WRU1Ki7rE4sTy68iZtWpKQXZEJa0IGnuI2sSINGcXCJ
|
|
||||||
oEIgXTMyCILo34Fa/C6VCm2WBgz9zZO8/rHIiQm1J5zqz0DrDwKBUM9C
|
|
||||||
=LYpS
|
|
||||||
-----END PGP PUBLIC KEY BLOCK-----
|
|
||||||
hashicorp_key_id: 51852D87348FFC4C
|
|
||||||
|
|
37
vault/files/config.hcl
Normal file
37
vault/files/config.hcl
Normal file
|
@ -0,0 +1,37 @@
|
||||||
|
{%- from "vault/map.jinja" import vault with context -%}
|
||||||
|
|
||||||
|
listener "{{ vault.config.listen_protocol }}" {
|
||||||
|
address = "{{ vault.config.listen_address }}:{{ vault.config.listen_port }}"
|
||||||
|
tls_disable = {{ vault.config.tls_disable }}
|
||||||
|
{%- if vault.config.self_signed_cert.enabled %}
|
||||||
|
tls_cert_file = "/etc/vault/{{ vault.config.self_signed_cert.hostname }}.pem"
|
||||||
|
tls_key_file = "/etc/vault/{{ vault.config.self_signed_cert.hostname }}-nopass.key"
|
||||||
|
{% else -%}
|
||||||
|
{%- if vault.tls_cert_file %}
|
||||||
|
tls_cert_file = "{{ vault.config.tls_cert_file }}"
|
||||||
|
{% endif -%}
|
||||||
|
{%- if vault.tls_key_file %}
|
||||||
|
tls_key_file = "{{ vault.config.tls_key_file }}"
|
||||||
|
{% endif -%}
|
||||||
|
{% endif %}
|
||||||
|
}
|
||||||
|
|
||||||
|
{%- if vault.config.backend and vault.config.backend.type == "s3" %}
|
||||||
|
backend "s3" {
|
||||||
|
bucket = "{{ vault.config.backend.bucket }}"
|
||||||
|
}
|
||||||
|
{% endif -%}
|
||||||
|
|
||||||
|
{%- if vault.config.storage and vault.config.storage.type == "consul" %}
|
||||||
|
storage "consul" {
|
||||||
|
address = "{{ vault.config.storage.address }}"
|
||||||
|
path = "{{ vault.config.storage.path }}"
|
||||||
|
}
|
||||||
|
{%- else %}
|
||||||
|
storage "file" {
|
||||||
|
path = "{{ vault.config.data_dir }}"
|
||||||
|
}
|
||||||
|
{% endif -%}
|
||||||
|
|
||||||
|
default_lease_ttl="{{ vault.config.default_lease_ttl }}"
|
||||||
|
max_lease_ttl="{{ vault.config.max_lease_ttl }}"
|
|
@ -1,31 +0,0 @@
|
||||||
{%- from "vault/map.jinja" import vault with context -%}
|
|
||||||
{%- if vault.backend and vault.backend.type == "s3" %}
|
|
||||||
backend "s3" {
|
|
||||||
bucket = "{{ vault.backend.bucket }}"
|
|
||||||
}
|
|
||||||
{% endif -%}
|
|
||||||
{%- if vault.storage and vault.storage.type == "consul" %}
|
|
||||||
storage "consul" {
|
|
||||||
address = "{{ vault.storage.address }}"
|
|
||||||
path = "{{ vault.storage.path }}"
|
|
||||||
}
|
|
||||||
{% endif -%}
|
|
||||||
|
|
||||||
listener "{{ vault.listen_protocol }}" {
|
|
||||||
address = "{{ vault.listen_address }}:{{ vault.listen_port }}"
|
|
||||||
tls_disable = {{ vault.tls_disable }}
|
|
||||||
{% if vault.self_signed_cert.enabled %}
|
|
||||||
tls_cert_file = "/etc/vault/{{ vault.self_signed_cert.hostname }}.pem"
|
|
||||||
tls_key_file = "/etc/vault/{{ vault.self_signed_cert.hostname }}-nopass.key"
|
|
||||||
{% else %}
|
|
||||||
{%- if vault.tls_cert_file %}
|
|
||||||
tls_cert_file = "{{ vault.tls_cert_file }}"
|
|
||||||
{% endif -%}
|
|
||||||
{%- if vault.tls_key_file %}
|
|
||||||
tls_key_file = "{{ vault.tls_key_file }}"
|
|
||||||
{% endif -%}
|
|
||||||
{% endif %}
|
|
||||||
}
|
|
||||||
|
|
||||||
default_lease_ttl="{{ vault.default_lease_ttl }}"
|
|
||||||
max_lease_ttl="{{ vault.max_lease_ttl }}"
|
|
196
vault/files/vault.sysvinit
Normal file
196
vault/files/vault.sysvinit
Normal file
|
@ -0,0 +1,196 @@
|
||||||
|
#!/bin/bash
|
||||||
|
#
|
||||||
|
# vault Manage the vault agent
|
||||||
|
#
|
||||||
|
# chkconfig: 2345 95 95
|
||||||
|
# description: Vault is a tool for service discovery and configuration
|
||||||
|
# processname: vault
|
||||||
|
# config: /etc/vault.conf
|
||||||
|
# pidfile: /var/run/vault.pid
|
||||||
|
|
||||||
|
### BEGIN INIT INFO
|
||||||
|
# Provides: vault
|
||||||
|
# Required-Start: $local_fs $network
|
||||||
|
# Required-Stop:
|
||||||
|
# Should-Start:
|
||||||
|
# Should-Stop:
|
||||||
|
# Default-Start: 2 3 4 5
|
||||||
|
# Default-Stop: 0 1 6
|
||||||
|
# Short-Description: Manage the vault agent
|
||||||
|
# Description: Vault is a tool for service discovery and configuration
|
||||||
|
### END INIT INFO
|
||||||
|
|
||||||
|
# source function library
|
||||||
|
. /etc/rc.d/init.d/functions
|
||||||
|
|
||||||
|
prog="vault"
|
||||||
|
exec="/usr/local/bin/$prog"
|
||||||
|
pidfile="/var/run/$prog.pid"
|
||||||
|
lockfile="/var/lock/subsys/$prog"
|
||||||
|
logfile="/var/log/$prog"
|
||||||
|
confdir="/etc/vault.d"
|
||||||
|
|
||||||
|
# pull in sysconfig settings
|
||||||
|
[ -e /etc/sysconfig/$prog ] && . /etc/sysconfig/$prog
|
||||||
|
|
||||||
|
user=${VAULT_USER:-vault}
|
||||||
|
group=${VAULT_GROUP:-vault}
|
||||||
|
|
||||||
|
export GOMAXPROCS=${GOMAXPROCS:-2}
|
||||||
|
|
||||||
|
start() {
|
||||||
|
[ -x $exec ] || exit 5
|
||||||
|
|
||||||
|
[ -d $confdir ] || exit 6
|
||||||
|
|
||||||
|
umask 077
|
||||||
|
|
||||||
|
touch $logfile $pidfile
|
||||||
|
chown "$user:$group" $logfile $pidfile
|
||||||
|
|
||||||
|
echo -n $"Starting $prog: "
|
||||||
|
|
||||||
|
## holy shell shenanigans, batman!
|
||||||
|
## daemon can't be backgrounded. we need the pid of the spawned process,
|
||||||
|
## which is actually done via runuser thanks to --user.
|
||||||
|
## you can't do "cmd &; action" but you can do "{cmd &}; action".
|
||||||
|
## vault 0.2.1 added -pid-file; although the following creates $pidfile
|
||||||
|
## owned by vault:vault, using -pid-file results in a permission error.
|
||||||
|
daemon \
|
||||||
|
--pidfile=$pidfile \
|
||||||
|
--user="$user" \
|
||||||
|
" { $exec agent -config=$confdir/config.hcl &>> $logfile & } ; echo \$! >| $pidfile "
|
||||||
|
|
||||||
|
RETVAL=$?
|
||||||
|
echo
|
||||||
|
|
||||||
|
[ $RETVAL -eq 0 ] && touch $lockfile
|
||||||
|
|
||||||
|
echo -n $"Waiting for Vault ready: "
|
||||||
|
|
||||||
|
## wait up to 60s for the rpc port to become listened-upon
|
||||||
|
## vault 0.2.1 got much slower to start!
|
||||||
|
count=0
|
||||||
|
ready=0
|
||||||
|
pid=$( cat ${pidfile} )
|
||||||
|
while checkpid ${pid} && [ $count -lt 60 ] && [ $ready -ne 1 ]; do
|
||||||
|
count=$(( count + 1 ))
|
||||||
|
|
||||||
|
if netstat -lptn | egrep -q ":8400.*LISTEN +${pid}/" ; then
|
||||||
|
ready=1
|
||||||
|
else
|
||||||
|
sleep 1
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
|
||||||
|
if [ $ready -eq 1 ]; then
|
||||||
|
RETVAL=0
|
||||||
|
success
|
||||||
|
else
|
||||||
|
RETVAL=1
|
||||||
|
failure
|
||||||
|
fi
|
||||||
|
|
||||||
|
echo
|
||||||
|
return $RETVAL
|
||||||
|
}
|
||||||
|
|
||||||
|
stop() {
|
||||||
|
echo -n $"Shutting down $prog: "
|
||||||
|
|
||||||
|
## graceful shutdown with leave
|
||||||
|
$exec leave &> /dev/null
|
||||||
|
RETVAL=$?
|
||||||
|
|
||||||
|
## wait up to 10s for the daemon to exit
|
||||||
|
if [ $RETVAL -eq 0 ]; then
|
||||||
|
count=0
|
||||||
|
stopped=0
|
||||||
|
pid=$( cat ${pidfile} )
|
||||||
|
while [ $count -lt 10 ] && [ $stopped -ne 1 ]; do
|
||||||
|
count=$(( count + 1 ))
|
||||||
|
|
||||||
|
if ! checkpid ${pid} ; then
|
||||||
|
stopped=1
|
||||||
|
else
|
||||||
|
sleep 1
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
|
||||||
|
if [ $stopped -ne 1 ]; then
|
||||||
|
RETVAL=125
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ $RETVAL -eq 0 ]; then
|
||||||
|
success
|
||||||
|
rm -f $lockfile $pidfile
|
||||||
|
else
|
||||||
|
failure
|
||||||
|
fi
|
||||||
|
|
||||||
|
echo
|
||||||
|
return $RETVAL
|
||||||
|
}
|
||||||
|
|
||||||
|
restart() {
|
||||||
|
stop
|
||||||
|
start
|
||||||
|
}
|
||||||
|
|
||||||
|
reload() {
|
||||||
|
echo -n $"Reloading $prog: "
|
||||||
|
killproc -p $pidfile $exec -HUP
|
||||||
|
echo
|
||||||
|
}
|
||||||
|
|
||||||
|
force_reload() {
|
||||||
|
restart
|
||||||
|
}
|
||||||
|
|
||||||
|
rh_status() {
|
||||||
|
status -p "$pidfile" -l $prog $exec
|
||||||
|
|
||||||
|
RETVAL=$?
|
||||||
|
|
||||||
|
[ $RETVAL -eq 0 ] && $exec members
|
||||||
|
|
||||||
|
return $RETVAL
|
||||||
|
}
|
||||||
|
|
||||||
|
rh_status_q() {
|
||||||
|
rh_status >/dev/null 2>&1
|
||||||
|
}
|
||||||
|
|
||||||
|
case "$1" in
|
||||||
|
start)
|
||||||
|
rh_status_q && exit 0
|
||||||
|
$1
|
||||||
|
;;
|
||||||
|
stop)
|
||||||
|
rh_status_q || exit 0
|
||||||
|
$1
|
||||||
|
;;
|
||||||
|
restart)
|
||||||
|
$1
|
||||||
|
;;
|
||||||
|
reload)
|
||||||
|
rh_status_q || exit 7
|
||||||
|
$1
|
||||||
|
;;
|
||||||
|
force-reload)
|
||||||
|
force_reload
|
||||||
|
;;
|
||||||
|
status)
|
||||||
|
rh_status
|
||||||
|
;;
|
||||||
|
condrestart|try-restart)
|
||||||
|
rh_status_q || exit 0
|
||||||
|
restart
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
echo $"Usage: $0 {start|stop|status|restart|condrestart|try-restart|reload|force-reload}"
|
||||||
|
exit 2
|
||||||
|
esac
|
||||||
|
|
||||||
|
exit $?
|
|
@ -1,78 +1,6 @@
|
||||||
{% from "vault/map.jinja" import vault with context %}
|
{%- from slspath + "/map.jinja" import vault with context -%}
|
||||||
# using archive.extracted causes: 'Comment: Failed to cache https://releases.hashicorp.com/vault/0.7.0/vault_0.7.0_linux_amd64.zip: [Errno 1] _ssl.c:493: error:1409442E:SSL routines:SSL3_READ_BYTES:tlsv1 alert protocol version'
|
|
||||||
vault packages:
|
|
||||||
pkg.installed:
|
|
||||||
- names:
|
|
||||||
- unzip
|
|
||||||
- curl
|
|
||||||
{% if vault.secure_download %}
|
|
||||||
{% if grains['os'] == 'CentOS' or grains['os'] == 'Amazon' %}
|
|
||||||
- gnupg2
|
|
||||||
- perl-Digest-SHA
|
|
||||||
{% elif grains['os'] == 'Ubuntu' %}
|
|
||||||
- gnupg
|
|
||||||
- libdigest-sha-perl
|
|
||||||
{% endif %}
|
|
||||||
{% endif %}
|
|
||||||
|
|
||||||
download vault:
|
include:
|
||||||
cmd.run:
|
- {{ slspath }}.install
|
||||||
- name: curl --silent -L https://releases.hashicorp.com/vault/{{ vault.version }}/vault_{{ vault.version }}_linux_amd64.zip -o /tmp/vault_{{ vault.version }}_linux_amd64.zip
|
- {{ slspath }}.config
|
||||||
- creates: /tmp/vault_{{ vault.version }}_linux_amd64.zip
|
- {{ slspath }}.service
|
||||||
|
|
||||||
{% if vault.secure_download %}
|
|
||||||
download shasums:
|
|
||||||
cmd.run:
|
|
||||||
- name: curl --silent -L https://releases.hashicorp.com/vault/{{ vault.version }}/vault_{{ vault.version }}_SHA256SUMS -o /tmp/vault_{{ vault.version }}_SHA256SUMS
|
|
||||||
- creates: /tmp/vault_{{ vault.version }}_SHA256SUMS
|
|
||||||
|
|
||||||
download shasums sig:
|
|
||||||
cmd.run:
|
|
||||||
- name: curl --silent -L https://releases.hashicorp.com/vault/{{ vault.version }}/vault_{{ vault.version }}_SHA256SUMS.sig -o /tmp/vault_{{ vault.version }}_SHA256SUMS.sig
|
|
||||||
- creates: /tmp/vault_{{ vault.version }}_SHA256SUMS.sig
|
|
||||||
|
|
||||||
/tmp/hashicorp.asc:
|
|
||||||
file.managed:
|
|
||||||
- source: salt://vault/files/hashicorp.asc.jinja
|
|
||||||
- template: jinja
|
|
||||||
|
|
||||||
import key:
|
|
||||||
cmd.run:
|
|
||||||
- name: gpg --import /tmp/hashicorp.asc
|
|
||||||
- unless: gpg --list-keys {{ vault.hashicorp_key_id }}
|
|
||||||
- requires:
|
|
||||||
- file: /tmp/hashicorp.asc
|
|
||||||
- cmd: vault packages
|
|
||||||
|
|
||||||
verify shasums sig:
|
|
||||||
cmd.run:
|
|
||||||
- name: gpg --verify /tmp/vault_{{ vault.version }}_SHA256SUMS.sig /tmp/vault_{{ vault.version }}_SHA256SUMS
|
|
||||||
- require:
|
|
||||||
- cmd: download shasums
|
|
||||||
- cmd: import key
|
|
||||||
|
|
||||||
verify vault:
|
|
||||||
cmd.run:
|
|
||||||
- name: "shasum -a 256 -c vault_{{ vault.version }}_SHA256SUMS 2>&1 | grep -q \"vault_{{ vault.version }}_linux_amd64.zip: OK\""
|
|
||||||
- cwd: /tmp
|
|
||||||
- require:
|
|
||||||
- cmd: download vault
|
|
||||||
- cmd: verify shasums sig
|
|
||||||
{% endif %}
|
|
||||||
|
|
||||||
install vault:
|
|
||||||
cmd.run:
|
|
||||||
- name: unzip /tmp/vault_{{ vault.version }}_linux_amd64.zip -d /usr/local/bin && chmod 0755 /usr/local/bin/vault && chown root:root /usr/local/bin/vault
|
|
||||||
- require:
|
|
||||||
- cmd: download vault
|
|
||||||
- pkg: unzip
|
|
||||||
{% if vault.secure_download %}
|
|
||||||
- cmd: verify vault
|
|
||||||
{% endif %}
|
|
||||||
- creates: /usr/local/bin/vault
|
|
||||||
|
|
||||||
vault set cap mlock:
|
|
||||||
cmd.run:
|
|
||||||
- name: "setcap cap_ipc_lock=+ep /usr/local/bin/vault"
|
|
||||||
- onchanges:
|
|
||||||
- cmd: install vault
|
|
||||||
|
|
84
vault/install.sls
Normal file
84
vault/install.sls
Normal file
|
@ -0,0 +1,84 @@
|
||||||
|
{%- from slspath + '/map.jinja' import vault with context -%}
|
||||||
|
|
||||||
|
vault-dep-unzp:
|
||||||
|
pkg.installed:
|
||||||
|
- name: unzip
|
||||||
|
|
||||||
|
vault-bin-dir:
|
||||||
|
file.directory:
|
||||||
|
- name: /usr/local/bin
|
||||||
|
- makedirs: True
|
||||||
|
|
||||||
|
# Create vault user
|
||||||
|
vault-group:
|
||||||
|
group.present:
|
||||||
|
- name: {{ vault.group }}
|
||||||
|
|
||||||
|
vault-user:
|
||||||
|
user.present:
|
||||||
|
- name: {{ vault.user }}
|
||||||
|
- groups:
|
||||||
|
- {{ vault.group }}
|
||||||
|
- home: {{ salt['user.info'](vault.user)['home']|default(vault.config.data_dir) }}
|
||||||
|
- createhome: False
|
||||||
|
- system: True
|
||||||
|
- require:
|
||||||
|
- group: vault-group
|
||||||
|
|
||||||
|
# Create directories
|
||||||
|
vault-config-dir:
|
||||||
|
file.directory:
|
||||||
|
- name: /etc/vault.d
|
||||||
|
- user: {{ vault.user }}
|
||||||
|
- group: {{ vault.group }}
|
||||||
|
- mode: 0750
|
||||||
|
|
||||||
|
vault-data-dir:
|
||||||
|
file.directory:
|
||||||
|
- name: {{ vault.config.data_dir }}
|
||||||
|
- makedirs: True
|
||||||
|
- user: {{ vault.user }}
|
||||||
|
- group: {{ vault.group }}
|
||||||
|
- mode: 0750
|
||||||
|
|
||||||
|
# Install agent
|
||||||
|
vault-download:
|
||||||
|
file.managed:
|
||||||
|
- name: /tmp/vault_{{ vault.version }}_linux_{{ vault.arch }}.zip
|
||||||
|
- source: https://{{ vault.download_host }}/vault/{{ vault.version }}/vault_{{ vault.version }}_linux_{{ vault.arch }}.zip
|
||||||
|
- source_hash: https://releases.hashicorp.com/vault/{{ vault.version }}/vault_{{ vault.version }}_SHA256SUMS
|
||||||
|
- unless: test -f /usr/local/bin/vault-{{ vault.version }}
|
||||||
|
|
||||||
|
vault-extract:
|
||||||
|
cmd.wait:
|
||||||
|
- name: unzip /tmp/vault_{{ vault.version }}_linux_{{ vault.arch }}.zip -d /tmp
|
||||||
|
- watch:
|
||||||
|
- file: vault-download
|
||||||
|
|
||||||
|
vault-install:
|
||||||
|
file.rename:
|
||||||
|
- name: /usr/local/bin/vault-{{ vault.version }}
|
||||||
|
- source: /tmp/vault
|
||||||
|
- require:
|
||||||
|
- file: /usr/local/bin
|
||||||
|
- watch:
|
||||||
|
- cmd: vault-extract
|
||||||
|
|
||||||
|
vault-clean:
|
||||||
|
file.absent:
|
||||||
|
- name: /tmp/vault_{{ vault.version }}_linux_{{ vault.arch }}.zip
|
||||||
|
- watch:
|
||||||
|
- file: vault-install
|
||||||
|
|
||||||
|
vault-link:
|
||||||
|
file.symlink:
|
||||||
|
- target: vault-{{ vault.version }}
|
||||||
|
- name: /usr/local/bin/vault
|
||||||
|
- watch:
|
||||||
|
- file: vault-install
|
||||||
|
|
||||||
|
vault-set-cap-mlock:
|
||||||
|
cmd.run:
|
||||||
|
- name: "setcap cap_ipc_lock=+ep /usr/local/bin/vault-{{ vault.version }}"
|
||||||
|
- onchanges:
|
||||||
|
- file: vault-install
|
|
@ -1,2 +1,19 @@
|
||||||
{% import_yaml "vault/defaults.yaml" as defaults %}
|
{% import_yaml slspath+"/defaults.yaml" as defaults %}
|
||||||
{% set vault = salt['pillar.get']('vault', default=defaults['vault'], merge=True) %}
|
|
||||||
|
{% set vault = salt['pillar.get']('vault', default=defaults.vault, merge=True) %}
|
||||||
|
|
||||||
|
{## Add any overrides based on CPU architecture. ##}
|
||||||
|
{% set vault = salt['grains.filter_by']({
|
||||||
|
'armv6l': {
|
||||||
|
"arch": 'arm'
|
||||||
|
},
|
||||||
|
'armv7l': {
|
||||||
|
"arch": 'arm'
|
||||||
|
},
|
||||||
|
'x86_64': {
|
||||||
|
"arch": 'amd64'
|
||||||
|
}
|
||||||
|
}
|
||||||
|
,grain="cpuarch"
|
||||||
|
,merge=vault)
|
||||||
|
%}
|
||||||
|
|
|
@ -1,68 +0,0 @@
|
||||||
{% from "vault/map.jinja" import vault with context %}
|
|
||||||
{%- if vault.self_signed_cert.enabled %}
|
|
||||||
/usr/local/bin/self-cert-gen.sh:
|
|
||||||
file.managed:
|
|
||||||
- source: salt://vault/files/cert-gen.sh.jinja
|
|
||||||
- template: jinja
|
|
||||||
- user: root
|
|
||||||
- group: root
|
|
||||||
- mode: 644
|
|
||||||
|
|
||||||
generate self signed SSL certs:
|
|
||||||
cmd.run:
|
|
||||||
- name: bash /usr/local/bin/cert-gen.sh {{ vault.self_signed_cert.hostname }} {{ vault.self_signed_cert.password }}
|
|
||||||
- cwd: /etc/vault
|
|
||||||
- require:
|
|
||||||
- file: /usr/local/bin/self-cert-gen.sh
|
|
||||||
{% endif -%}
|
|
||||||
|
|
||||||
/etc/vault.d:
|
|
||||||
file.directory:
|
|
||||||
- user: root
|
|
||||||
- group: root
|
|
||||||
- mode: 755
|
|
||||||
|
|
||||||
/etc/vault.d/config.hcl:
|
|
||||||
file.managed:
|
|
||||||
- source: salt://vault/files/config.hcl.jinja
|
|
||||||
- template: jinja
|
|
||||||
- user: root
|
|
||||||
- group: root
|
|
||||||
- mode: 644
|
|
||||||
- require:
|
|
||||||
- file: /etc/vault.d
|
|
||||||
|
|
||||||
{%- if vault.service.type == 'systemd' %}
|
|
||||||
/etc/systemd/system/vault.service:
|
|
||||||
file.managed:
|
|
||||||
- source: salt://vault/files/vault_systemd.service.jinja
|
|
||||||
- template: jinja
|
|
||||||
- user: root
|
|
||||||
- group: root
|
|
||||||
- mode: 644
|
|
||||||
- require_in:
|
|
||||||
- service: vault
|
|
||||||
|
|
||||||
{% elif vault.service.type == 'upstart' %}
|
|
||||||
/etc/init/vault.conf:
|
|
||||||
file.managed:
|
|
||||||
- source: salt://vault/files/vault_upstart.conf.jinja
|
|
||||||
- template: jinja
|
|
||||||
- user: root
|
|
||||||
- group: root
|
|
||||||
- require_in:
|
|
||||||
- service: vault
|
|
||||||
{% endif -%}
|
|
||||||
|
|
||||||
vault:
|
|
||||||
service.running:
|
|
||||||
- enable: True
|
|
||||||
- require:
|
|
||||||
{%- if vault.self_signed_cert.enabled %}
|
|
||||||
- cmd: generate self signed SSL certs
|
|
||||||
{% endif %}
|
|
||||||
- file: /etc/vault.d/config.hcl
|
|
||||||
- cmd: install vault
|
|
||||||
- onchanges:
|
|
||||||
- cmd: install vault
|
|
||||||
- file: /etc/vault.d/config.hcl
|
|
66
vault/service.sls
Normal file
66
vault/service.sls
Normal file
|
@ -0,0 +1,66 @@
|
||||||
|
{%- from slspath + '/map.jinja' import vault with context -%}
|
||||||
|
|
||||||
|
{%- if vault.self_signed_cert.enabled %}
|
||||||
|
self-cert-gen-script:
|
||||||
|
file.managed:
|
||||||
|
- name: /usr/local/bin/self-cert-gen.sh
|
||||||
|
- source: salt://vault/files/cert-gen.sh.jinja
|
||||||
|
- template: jinja
|
||||||
|
- user: root
|
||||||
|
- group: root
|
||||||
|
- mode: 644
|
||||||
|
|
||||||
|
generate-self-signed-SSL-certs:
|
||||||
|
cmd.run:
|
||||||
|
- name: bash /usr/local/bin/cert-gen.sh {{ vault.self_signed_cert.hostname }} {{ vault.self_signed_cert.password }}
|
||||||
|
- cwd: /etc/vault
|
||||||
|
- require:
|
||||||
|
- file: self-cert-gen-script
|
||||||
|
{% endif -%}
|
||||||
|
|
||||||
|
vault-init-env:
|
||||||
|
file.managed:
|
||||||
|
{%- if grains['os_family'] == 'Debian' %}
|
||||||
|
- name: /etc/default/vault
|
||||||
|
{%- else %}
|
||||||
|
- name: /etc/sysconfig/vault
|
||||||
|
- makedirs: True
|
||||||
|
{%- endif %}
|
||||||
|
- user: root
|
||||||
|
- group: root
|
||||||
|
- mode: 0644
|
||||||
|
- contents:
|
||||||
|
- VAULT_USER={{ vault.user }}
|
||||||
|
- VAULT_GROUP={{ vault.group }}
|
||||||
|
|
||||||
|
vault-init-file:
|
||||||
|
file.managed:
|
||||||
|
{%- if salt['test.provider']('service') == 'systemd' %}
|
||||||
|
- source: salt://{{ slspath }}/files/vault.service
|
||||||
|
- name: /etc/systemd/system/vault.service
|
||||||
|
- template: jinja
|
||||||
|
- context:
|
||||||
|
user: {{ vault.user }}
|
||||||
|
group: {{ vault.group }}
|
||||||
|
- mode: 0644
|
||||||
|
{%- elif salt['test.provider']('service') == 'upstart' %}
|
||||||
|
- source: salt://{{ slspath }}/files/vault.upstart
|
||||||
|
- name: /etc/init/vault.conf
|
||||||
|
- mode: 0644
|
||||||
|
{%- else %}
|
||||||
|
- source: salt://{{ slspath }}/files/vault.sysvinit
|
||||||
|
- name: /etc/init.d/vault
|
||||||
|
- mode: 0755
|
||||||
|
{%- endif %}
|
||||||
|
|
||||||
|
{%- if vault.service %}
|
||||||
|
|
||||||
|
vault-service:
|
||||||
|
service.running:
|
||||||
|
- name: vault
|
||||||
|
- enable: True
|
||||||
|
- watch:
|
||||||
|
- file: vault-init-env
|
||||||
|
- file: vault-init-file
|
||||||
|
|
||||||
|
{%- endif %}
|
Loading…
Reference in a new issue