download, verify, install logic

This commit is contained in:
Alexis Vanier 2018-01-10 15:12:09 -05:00
parent 8f558b0f30
commit 5d14e6ede2
No known key found for this signature in database
GPG key ID: 6B7049C3203BCBF9
2 changed files with 59 additions and 4 deletions

View file

@ -5,19 +5,71 @@ vault packages:
- names: - names:
- unzip - unzip
- curl - curl
{% if vault.secure_download %}
{% if grains['os'] == 'CentOS' or grains['os'] == 'Amazon' %}
- gnupg2
- perl-Digest-SHA
{% elif grains['os'] == 'Ubuntu' %}
- gnupg
- libdigest-sha-perl
{% endif %}
{% endif %}
download vault: download vault:
cmd.run: cmd.run:
- name: curl --silent -L https://releases.hashicorp.com/vault/{{ vault.version }}/vault_{{ vault.version }}_linux_amd64.zip -o /tmp/vault.zip - name: curl --silent -L https://releases.hashicorp.com/vault/{{ vault.version }}/vault_{{ vault.version }}_linux_amd64.zip -o /tmp/vault_{{ vault.version }}_linux_amd64.zip
- unless: test -e /tmp/vault.zip - creates: /tmp/vault_{{ vault.version }}_linux_amd64.zip
{% if vault.secure_download %}
download shasums:
cmd.run:
- name: curl --silent -L https://releases.hashicorp.com/vault/{{ vault.version }}/vault_{{ vault.version }}_SHA256SUMS -o /tmp/vault_{{ vault.version }}_SHA256SUMS
- creates: /tmp/vault_{{ vault.version }}_SHA256SUMS
download shasums sig:
cmd.run:
- name: curl --silent -L https://releases.hashicorp.com/vault/{{ vault.version }}/vault_{{ vault.version }}_SHA256SUMS.sig -o /tmp/vault_{{ vault.version }}_SHA256SUMS.sig
- creates: /tmp/vault_{{ vault.version }}_SHA256SUMS.sig
/tmp/hashicorp.asc:
file.managed:
- source: salt://vault/files/hashicorp.asc.jinja
- template: jinja
import key:
cmd.run:
- name: gpg --import /tmp/hashicorp.asc
- unless: gpg --list-keys {{ vault.hashicorp_key_id }}
- requires:
- file: /tmp/hashicorp.asc
- cmd: vault packages
verify shasums sig:
cmd.run:
- name: gpg --verify /tmp/vault_{{ vault.version }}_SHA256SUMS.sig /tmp/vault_{{ vault.version }}_SHA256SUMS
- require:
- cmd: download shasums
- cmd: import key
verify vault:
cmd.run:
- name: "shasum -a 256 -c vault_{{ vault.version }}_SHA256SUMS | grep -q \"vault_{{ vault.version }}_linux_amd64.zip: OK\""
- cwd: /tmp
- require:
- cmd: download vault
- cmd: verify shasums sig
{% endif %}
install vault: install vault:
cmd.run: cmd.run:
- name: unzip /tmp/vault.zip -d /usr/local/bin && chmod 0755 /usr/local/bin/vault && chown root:root /usr/local/bin/vault - name: unzip /tmp/vault_{{ vault.version }}_linux_amd64.zip -d /usr/local/bin && chmod 0755 /usr/local/bin/vault && chown root:root /usr/local/bin/vault
- require: - require:
- cmd: download vault - cmd: download vault
- pkg: unzip - pkg: unzip
- unless: test -e /usr/local/bin/vault {% if vault.secure_download %}
- cmd: verify vault
{% endif %}
- creates: /usr/local/bin/vault
vault set cap mlock: vault set cap mlock:
cmd.run: cmd.run:

View file

@ -70,3 +70,6 @@ vault:
- cmd: generate self signed SSL certs - cmd: generate self signed SSL certs
{% endif -%} {% endif -%}
- file: /etc/vault/config/server.hcl - file: /etc/vault/config/server.hcl
- onchanges:
- cmd: install vault
- file: /etc/vault/config/server.hcl