Add support for tests
This commit is contained in:
parent
213d512994
commit
6d6e7051f3
19 changed files with 568 additions and 50 deletions
1
.gitignore
vendored
Normal file
1
.gitignore
vendored
Normal file
|
@ -0,0 +1 @@
|
||||||
|
.kitchen
|
94
.kitchen.yml
Normal file
94
.kitchen.yml
Normal file
|
@ -0,0 +1,94 @@
|
||||||
|
---
|
||||||
|
driver:
|
||||||
|
name: docker
|
||||||
|
use_sudo: false
|
||||||
|
privileged: true
|
||||||
|
|
||||||
|
verifier:
|
||||||
|
name: inspec
|
||||||
|
format: doc
|
||||||
|
|
||||||
|
provisioner:
|
||||||
|
name: salt_solo
|
||||||
|
log_level: debug
|
||||||
|
require_chef: false
|
||||||
|
formula: vault
|
||||||
|
|
||||||
|
platforms:
|
||||||
|
- name: ubuntu-16.04
|
||||||
|
driver_config:
|
||||||
|
provision_command:
|
||||||
|
- locale-gen en_US.UTF-8
|
||||||
|
run_command: /sbin/init
|
||||||
|
privileged: true
|
||||||
|
pid_one_command: /usr/lib/systemd/systemd
|
||||||
|
- name: amazonlinux
|
||||||
|
driver_config:
|
||||||
|
image: amazonlinux:latest
|
||||||
|
platform: rhel
|
||||||
|
run_command: /sbin/init
|
||||||
|
|
||||||
|
suites:
|
||||||
|
- name: default
|
||||||
|
provisioner:
|
||||||
|
state_top:
|
||||||
|
base:
|
||||||
|
'*':
|
||||||
|
- vault
|
||||||
|
- name: dev_server_systemd
|
||||||
|
excludes:
|
||||||
|
- amazonlinux
|
||||||
|
provisioner:
|
||||||
|
state_top:
|
||||||
|
base:
|
||||||
|
'*':
|
||||||
|
- vault
|
||||||
|
- vault.server
|
||||||
|
pillars:
|
||||||
|
top.sls:
|
||||||
|
base:
|
||||||
|
'*':
|
||||||
|
- vault
|
||||||
|
vault.sls:
|
||||||
|
vault:
|
||||||
|
service:
|
||||||
|
type: systemd
|
||||||
|
- name: dev_server_upstart
|
||||||
|
includes:
|
||||||
|
- amazonlinux
|
||||||
|
provisioner:
|
||||||
|
state_top:
|
||||||
|
base:
|
||||||
|
'*':
|
||||||
|
- vault
|
||||||
|
- vault.server
|
||||||
|
pillars:
|
||||||
|
top.sls:
|
||||||
|
base:
|
||||||
|
'*':
|
||||||
|
- vault
|
||||||
|
vault.sls:
|
||||||
|
vault:
|
||||||
|
service:
|
||||||
|
type: upstart
|
||||||
|
- name: server_backend_s3
|
||||||
|
includes:
|
||||||
|
- amazonlinux
|
||||||
|
provisioner:
|
||||||
|
state_top:
|
||||||
|
base:
|
||||||
|
'*':
|
||||||
|
- vault
|
||||||
|
- vault.server
|
||||||
|
pillars:
|
||||||
|
top.sls:
|
||||||
|
base:
|
||||||
|
'*':
|
||||||
|
- vault
|
||||||
|
vault.sls:
|
||||||
|
vault:
|
||||||
|
backend:
|
||||||
|
type: s3
|
||||||
|
bucket: com-saltstack-vault
|
||||||
|
service:
|
||||||
|
type: upstart
|
11
.travis.yml
Normal file
11
.travis.yml
Normal file
|
@ -0,0 +1,11 @@
|
||||||
|
sudo: required
|
||||||
|
|
||||||
|
language: ruby
|
||||||
|
|
||||||
|
services:
|
||||||
|
- docker
|
||||||
|
|
||||||
|
before_install:
|
||||||
|
- bundle install
|
||||||
|
|
||||||
|
script: bundle exec kitchen verify
|
6
Gemfile
Normal file
6
Gemfile
Normal file
|
@ -0,0 +1,6 @@
|
||||||
|
source "https://rubygems.org"
|
||||||
|
|
||||||
|
gem "test-kitchen"
|
||||||
|
gem "kitchen-docker"
|
||||||
|
gem "kitchen-salt"
|
||||||
|
gem 'kitchen-inspec'
|
149
Gemfile.lock
Normal file
149
Gemfile.lock
Normal file
|
@ -0,0 +1,149 @@
|
||||||
|
GEM
|
||||||
|
remote: https://rubygems.org/
|
||||||
|
specs:
|
||||||
|
addressable (2.5.1)
|
||||||
|
public_suffix (~> 2.0, >= 2.0.2)
|
||||||
|
artifactory (2.8.1)
|
||||||
|
blankslate (2.1.2.4)
|
||||||
|
builder (3.2.3)
|
||||||
|
coderay (1.1.1)
|
||||||
|
diff-lcs (1.3)
|
||||||
|
docker-api (1.33.4)
|
||||||
|
excon (>= 0.38.0)
|
||||||
|
json
|
||||||
|
erubis (2.7.0)
|
||||||
|
excon (0.55.0)
|
||||||
|
faraday (0.12.1)
|
||||||
|
multipart-post (>= 1.2, < 3)
|
||||||
|
ffi (1.9.18)
|
||||||
|
gssapi (1.2.0)
|
||||||
|
ffi (>= 1.0.1)
|
||||||
|
gyoku (1.3.1)
|
||||||
|
builder (>= 2.1.2)
|
||||||
|
hashie (3.5.5)
|
||||||
|
httpclient (2.8.3)
|
||||||
|
inspec (1.20.0)
|
||||||
|
addressable (~> 2.4)
|
||||||
|
faraday (>= 0.9.0)
|
||||||
|
hashie (~> 3.4)
|
||||||
|
json (>= 1.8, < 3.0)
|
||||||
|
method_source (~> 0.8)
|
||||||
|
mixlib-log
|
||||||
|
parallel (~> 1.9)
|
||||||
|
parslet (~> 1.5)
|
||||||
|
pry (~> 0)
|
||||||
|
rainbow (~> 2)
|
||||||
|
rspec (~> 3)
|
||||||
|
rspec-its (~> 1.2)
|
||||||
|
rubyzip (~> 1.1)
|
||||||
|
sslshake (~> 1.1)
|
||||||
|
thor (~> 0.19)
|
||||||
|
toml (~> 0.1)
|
||||||
|
train (>= 0.22.0, < 1.0)
|
||||||
|
json (2.1.0)
|
||||||
|
kitchen-docker (2.6.0)
|
||||||
|
test-kitchen (>= 1.0.0)
|
||||||
|
kitchen-inspec (0.18.0)
|
||||||
|
hashie (~> 3.4)
|
||||||
|
inspec (>= 0.34.0, < 2.0.0)
|
||||||
|
test-kitchen (~> 1.6)
|
||||||
|
kitchen-salt (0.0.24)
|
||||||
|
test-kitchen (~> 1.4)
|
||||||
|
little-plugger (1.1.4)
|
||||||
|
logging (2.2.2)
|
||||||
|
little-plugger (~> 1.1)
|
||||||
|
multi_json (~> 1.10)
|
||||||
|
method_source (0.8.2)
|
||||||
|
mixlib-install (2.1.12)
|
||||||
|
artifactory
|
||||||
|
mixlib-shellout
|
||||||
|
mixlib-versioning
|
||||||
|
thor
|
||||||
|
mixlib-log (1.7.1)
|
||||||
|
mixlib-shellout (2.2.7)
|
||||||
|
mixlib-versioning (1.1.0)
|
||||||
|
multi_json (1.12.1)
|
||||||
|
multipart-post (2.0.0)
|
||||||
|
net-scp (1.2.1)
|
||||||
|
net-ssh (>= 2.6.5)
|
||||||
|
net-ssh (4.1.0)
|
||||||
|
net-ssh-gateway (1.3.0)
|
||||||
|
net-ssh (>= 2.6.5)
|
||||||
|
nori (2.6.0)
|
||||||
|
parallel (1.11.1)
|
||||||
|
parslet (1.5.0)
|
||||||
|
blankslate (~> 2.0)
|
||||||
|
pry (0.10.4)
|
||||||
|
coderay (~> 1.1.0)
|
||||||
|
method_source (~> 0.8.1)
|
||||||
|
slop (~> 3.4)
|
||||||
|
public_suffix (2.0.5)
|
||||||
|
rainbow (2.2.2)
|
||||||
|
rake
|
||||||
|
rake (12.0.0)
|
||||||
|
rspec (3.5.0)
|
||||||
|
rspec-core (~> 3.5.0)
|
||||||
|
rspec-expectations (~> 3.5.0)
|
||||||
|
rspec-mocks (~> 3.5.0)
|
||||||
|
rspec-core (3.5.4)
|
||||||
|
rspec-support (~> 3.5.0)
|
||||||
|
rspec-expectations (3.5.0)
|
||||||
|
diff-lcs (>= 1.2.0, < 2.0)
|
||||||
|
rspec-support (~> 3.5.0)
|
||||||
|
rspec-its (1.2.0)
|
||||||
|
rspec-core (>= 3.0.0)
|
||||||
|
rspec-expectations (>= 3.0.0)
|
||||||
|
rspec-mocks (3.5.0)
|
||||||
|
diff-lcs (>= 1.2.0, < 2.0)
|
||||||
|
rspec-support (~> 3.5.0)
|
||||||
|
rspec-support (3.5.0)
|
||||||
|
rubyntlm (0.6.1)
|
||||||
|
rubyzip (1.2.1)
|
||||||
|
safe_yaml (1.0.4)
|
||||||
|
slop (3.6.0)
|
||||||
|
sslshake (1.2.0)
|
||||||
|
test-kitchen (1.16.0)
|
||||||
|
mixlib-install (>= 1.2, < 3.0)
|
||||||
|
mixlib-shellout (>= 1.2, < 3.0)
|
||||||
|
net-scp (~> 1.1)
|
||||||
|
net-ssh (>= 2.9, < 5.0)
|
||||||
|
net-ssh-gateway (~> 1.2)
|
||||||
|
safe_yaml (~> 1.0)
|
||||||
|
thor (~> 0.19, < 0.19.2)
|
||||||
|
thor (0.19.1)
|
||||||
|
toml (0.1.2)
|
||||||
|
parslet (~> 1.5.0)
|
||||||
|
train (0.23.0)
|
||||||
|
docker-api (~> 1.26)
|
||||||
|
json (>= 1.8, < 3.0)
|
||||||
|
mixlib-shellout (~> 2.0)
|
||||||
|
net-scp (~> 1.2)
|
||||||
|
net-ssh (>= 2.9, < 5.0)
|
||||||
|
winrm (~> 2.0)
|
||||||
|
winrm-fs (~> 1.0)
|
||||||
|
winrm (2.2.2)
|
||||||
|
builder (>= 2.1.2)
|
||||||
|
erubis (~> 2.7)
|
||||||
|
gssapi (~> 1.2)
|
||||||
|
gyoku (~> 1.0)
|
||||||
|
httpclient (~> 2.2, >= 2.2.0.2)
|
||||||
|
logging (>= 1.6.1, < 3.0)
|
||||||
|
nori (~> 2.0)
|
||||||
|
rubyntlm (~> 0.6.0, >= 0.6.1)
|
||||||
|
winrm-fs (1.0.1)
|
||||||
|
erubis (~> 2.7)
|
||||||
|
logging (>= 1.6.1, < 3.0)
|
||||||
|
rubyzip (~> 1.1)
|
||||||
|
winrm (~> 2.0)
|
||||||
|
|
||||||
|
PLATFORMS
|
||||||
|
ruby
|
||||||
|
|
||||||
|
DEPENDENCIES
|
||||||
|
kitchen-docker
|
||||||
|
kitchen-inspec
|
||||||
|
kitchen-salt
|
||||||
|
test-kitchen
|
||||||
|
|
||||||
|
BUNDLED WITH
|
||||||
|
1.14.6
|
62
README.rst
Normal file
62
README.rst
Normal file
|
@ -0,0 +1,62 @@
|
||||||
|
======
|
||||||
|
Vault
|
||||||
|
======
|
||||||
|
|
||||||
|
.. image:: https://travis-ci.org/saltstack-formulas/vault-formula.svg?branch=master
|
||||||
|
|
||||||
|
Formulas for working with `Vault <http://www.vaultproject.io>`_
|
||||||
|
|
||||||
|
Available states
|
||||||
|
================
|
||||||
|
|
||||||
|
.. contents::
|
||||||
|
:local:
|
||||||
|
|
||||||
|
``vault``
|
||||||
|
----------
|
||||||
|
|
||||||
|
Install the vault binary
|
||||||
|
|
||||||
|
|
||||||
|
``vault.server``
|
||||||
|
---------------------
|
||||||
|
|
||||||
|
Install and configure the vault server
|
||||||
|
|
||||||
|
To use it, just include *vault.server* in your *top.sls*, and configure it using pillars:
|
||||||
|
|
||||||
|
::
|
||||||
|
|
||||||
|
vault:
|
||||||
|
vault_version: 0.7.0
|
||||||
|
listen_protocol: tcp
|
||||||
|
listen_port: 8200
|
||||||
|
listen_address: 0.0.0.0
|
||||||
|
strict_tls: 0
|
||||||
|
default_lease_ttl: 24h
|
||||||
|
max_lease_ttl: 24h
|
||||||
|
self_signed_cert:
|
||||||
|
enabled: false
|
||||||
|
backend: {}
|
||||||
|
dev_mode: true
|
||||||
|
service:
|
||||||
|
type: systemd
|
||||||
|
|
||||||
|
Testing
|
||||||
|
=======
|
||||||
|
|
||||||
|
Testing is done with `Test Kitchen <http://kitchen.ci/>`_
|
||||||
|
for machine setup and `inspec <https://github.com/chef/inspec/>`_
|
||||||
|
for integration tests.
|
||||||
|
|
||||||
|
Requirements
|
||||||
|
------------
|
||||||
|
|
||||||
|
* Ruby
|
||||||
|
* Docker
|
||||||
|
|
||||||
|
::
|
||||||
|
|
||||||
|
gem install bundler
|
||||||
|
bundle install
|
||||||
|
bundle exec kitchen test all
|
|
@ -1,11 +1,16 @@
|
||||||
vault:
|
vault:
|
||||||
vault_version: 0.7.0
|
version: 0.7.0
|
||||||
source_hash: c6d97220e75335f75bd6f603bb23f1f16fe8e2a9d850ba59599b1a0e4d067aaa
|
|
||||||
listen_protocol: tcp
|
listen_protocol: tcp
|
||||||
listen_port: 8200
|
listen_port: 8200
|
||||||
listen_address: 0.0.0.0
|
listen_address: 0.0.0.0
|
||||||
strict_tls: 0
|
strict_tls: 0
|
||||||
default_lease_ttl: '4380h'
|
tls_cert_file: {}
|
||||||
max_lease_ttl: '43800h'
|
tls_key_file: {}
|
||||||
s3_backend:
|
default_lease_ttl: 4380h
|
||||||
bucket: 'com-foo-vault'
|
max_lease_ttl: 43800h
|
||||||
|
self_signed_cert:
|
||||||
|
enabled: false
|
||||||
|
backend: {}
|
||||||
|
dev_mode: true
|
||||||
|
service:
|
||||||
|
type: upstart
|
||||||
|
|
6
test/integration/default/vault_spec.rb
Normal file
6
test/integration/default/vault_spec.rb
Normal file
|
@ -0,0 +1,6 @@
|
||||||
|
describe command('/usr/local/bin/vault -version') do
|
||||||
|
its(:exit_status) { should eq 0 }
|
||||||
|
its(:stderr) { should be_empty }
|
||||||
|
its(:stdout) { should match(/^Vault v[0-9\.]+ \('[0-9a-f]+'\)/) }
|
||||||
|
end
|
||||||
|
|
35
test/integration/dev_server_systemd/vault_spec.rb
Normal file
35
test/integration/dev_server_systemd/vault_spec.rb
Normal file
|
@ -0,0 +1,35 @@
|
||||||
|
describe file('/etc/vault/config/server.hcl') do
|
||||||
|
it { should be_a_file }
|
||||||
|
expected =<<-EOF
|
||||||
|
listener "tcp" {
|
||||||
|
address = "0.0.0.0:8200"
|
||||||
|
tls_disable = 0
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
default_lease_ttl="24h"
|
||||||
|
max_lease_ttl="24h"
|
||||||
|
EOF
|
||||||
|
its(:content) { should eq(expected) }
|
||||||
|
end
|
||||||
|
|
||||||
|
describe file('/etc/systemd/system/vault.service') do
|
||||||
|
it { should be_a_file }
|
||||||
|
its(:content) { should_not match /syslog/ }
|
||||||
|
end
|
||||||
|
|
||||||
|
describe file('/etc/init/vault.conf') do
|
||||||
|
it { should_not be_a_file }
|
||||||
|
end
|
||||||
|
|
||||||
|
describe service('vault') do
|
||||||
|
it { should be_enabled }
|
||||||
|
it { should be_running }
|
||||||
|
end
|
||||||
|
|
||||||
|
describe command('journalctl -u vault') do
|
||||||
|
its(:exit_status) { should eq 0 }
|
||||||
|
its(:stderr) { should be_empty }
|
||||||
|
its(:stdout) { should match(/WARNING: Dev mode is enabled!/) }
|
||||||
|
end
|
||||||
|
|
50
test/integration/dev_server_upstart/vault_spec.rb
Normal file
50
test/integration/dev_server_upstart/vault_spec.rb
Normal file
|
@ -0,0 +1,50 @@
|
||||||
|
describe file('/etc/vault/config/server.hcl') do
|
||||||
|
it { should be_a_file }
|
||||||
|
expected = <<-EOF
|
||||||
|
listener "tcp" {
|
||||||
|
address = "0.0.0.0:8200"
|
||||||
|
tls_disable = 0
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
default_lease_ttl="24h"
|
||||||
|
max_lease_ttl="24h"
|
||||||
|
EOF
|
||||||
|
its(:content) { should eq(expected) }
|
||||||
|
end
|
||||||
|
|
||||||
|
describe file('/etc/systemd/system/vault.service') do
|
||||||
|
it { should_not be_a_file }
|
||||||
|
end
|
||||||
|
|
||||||
|
describe file('/etc/init/vault.conf') do
|
||||||
|
it { should be_a_file }
|
||||||
|
its(:content) { should_not match /syslog/ }
|
||||||
|
end
|
||||||
|
|
||||||
|
if os[:family] == 'amazon'
|
||||||
|
# serverspec assumes 'service' resource to be
|
||||||
|
# init.d for rhel-based os. have to just check
|
||||||
|
# that it is running, that means that it started
|
||||||
|
# with the instance
|
||||||
|
describe command('sudo initctl list | grep vault | grep -v grep') do
|
||||||
|
its(:stdout) { should match(/vault start\/running/) }
|
||||||
|
its(:stderr) { should be_empty }
|
||||||
|
end
|
||||||
|
|
||||||
|
describe processes("vault") do
|
||||||
|
its('users') { should eq ['root'] }
|
||||||
|
end
|
||||||
|
|
||||||
|
else
|
||||||
|
describe service('vault') do
|
||||||
|
it { should be_enabled }
|
||||||
|
it { should be_running }
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
describe file('/var/log/vault.log') do
|
||||||
|
it { should be_a_file }
|
||||||
|
its(:content) { should match(/WARNING: Dev mode is enabled!/) }
|
||||||
|
end
|
||||||
|
|
36
test/integration/server_backend_s3/vault_spec.rb
Normal file
36
test/integration/server_backend_s3/vault_spec.rb
Normal file
|
@ -0,0 +1,36 @@
|
||||||
|
describe file('/etc/vault/config/server.hcl') do
|
||||||
|
it { should be_a_file }
|
||||||
|
its(:content) { should match /bucket = "com-saltstack-vault"/ }
|
||||||
|
end
|
||||||
|
|
||||||
|
describe file('/etc/init/vault.conf') do
|
||||||
|
it { should be_a_file }
|
||||||
|
its(:content) { should_not match /syslog/ }
|
||||||
|
end
|
||||||
|
|
||||||
|
if os[:family] == 'amazon'
|
||||||
|
# serverspec assumes 'service' resource to be
|
||||||
|
# init.d for rhel-based os. have to just check
|
||||||
|
# that it is running, that means that it started
|
||||||
|
# with the instance
|
||||||
|
describe command('sudo initctl list | grep vault | grep -v grep') do
|
||||||
|
its(:stdout) { should match(/vault start\/running/) }
|
||||||
|
its(:stderr) { should be_empty }
|
||||||
|
end
|
||||||
|
|
||||||
|
describe processes("vault") do
|
||||||
|
its('users') { should eq ['root'] }
|
||||||
|
end
|
||||||
|
|
||||||
|
else
|
||||||
|
describe service('vault') do
|
||||||
|
it { should be_enabled }
|
||||||
|
it { should be_running }
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
describe file('/var/log/vault.log') do
|
||||||
|
it { should be_a_file }
|
||||||
|
its(:content) { should match(/WARNING: Dev mode is enabled!/) }
|
||||||
|
end
|
||||||
|
|
17
vault/defaults.yaml
Normal file
17
vault/defaults.yaml
Normal file
|
@ -0,0 +1,17 @@
|
||||||
|
vault:
|
||||||
|
version: 0.7.0
|
||||||
|
listen_protocol: tcp
|
||||||
|
listen_port: 8200
|
||||||
|
listen_address: 0.0.0.0
|
||||||
|
strict_tls: 0
|
||||||
|
service: upstart
|
||||||
|
tls_cert_file: {}
|
||||||
|
tls_key_file: {}
|
||||||
|
default_lease_ttl: 24h
|
||||||
|
max_lease_ttl: 24h
|
||||||
|
self_signed_cert:
|
||||||
|
enabled: false
|
||||||
|
backend: {}
|
||||||
|
dev_mode: true
|
||||||
|
service:
|
||||||
|
type: systemd
|
|
@ -1,10 +1,9 @@
|
||||||
{% from "vault/map.jinja" import vault with context %}
|
{%- from "vault/map.jinja" import vault with context -%}
|
||||||
|
{%- if vault.backend and vault.backend.type == "s3" %}
|
||||||
{% if vault.s3_backend %}
|
|
||||||
backend "s3" {
|
backend "s3" {
|
||||||
bucket = "{{ vault.s3_backend.bucket }}"
|
bucket = "{{ vault.backend.bucket }}"
|
||||||
}
|
}
|
||||||
{% endif %}
|
{% endif -%}
|
||||||
|
|
||||||
listener "{{ vault.listen_protocol }}" {
|
listener "{{ vault.listen_protocol }}" {
|
||||||
address = "{{ vault.listen_address }}:{{ vault.listen_port }}"
|
address = "{{ vault.listen_address }}:{{ vault.listen_port }}"
|
||||||
|
@ -13,15 +12,14 @@ listener "{{ vault.listen_protocol }}" {
|
||||||
tls_cert_file = "/etc/vault/{{ vault.self_signed_cert.hostname }}.pem"
|
tls_cert_file = "/etc/vault/{{ vault.self_signed_cert.hostname }}.pem"
|
||||||
tls_key_file = "/etc/vault/{{ vault.self_signed_cert.hostname }}-nopass.key"
|
tls_key_file = "/etc/vault/{{ vault.self_signed_cert.hostname }}-nopass.key"
|
||||||
{% else %}
|
{% else %}
|
||||||
{% if vault.tls_cert_file %}
|
{%- if vault.tls_cert_file %}
|
||||||
tls_cert_file = "{{ vault.tls_cert_file }}"
|
tls_cert_file = "{{ vault.tls_cert_file }}"
|
||||||
{% endif %}
|
{% endif -%}
|
||||||
{% if vault.tls_key_file %}
|
{%- if vault.tls_key_file %}
|
||||||
tls_key_file = "{{ vault.tls_cert_file }}"
|
tls_key_file = "{{ vault.tls_key_file }}"
|
||||||
{% endif %}
|
{% endif -%}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
}
|
}
|
||||||
|
|
||||||
#todo parameterize
|
|
||||||
default_lease_ttl="{{ vault.default_lease_ttl }}"
|
default_lease_ttl="{{ vault.default_lease_ttl }}"
|
||||||
max_lease_ttl="{{ vault.max_lease_ttl }}"
|
max_lease_ttl="{{ vault.max_lease_ttl }}"
|
||||||
|
|
10
vault/files/vault_systemd.service.jinja
Normal file
10
vault/files/vault_systemd.service.jinja
Normal file
|
@ -0,0 +1,10 @@
|
||||||
|
{%- from "vault/map.jinja" import vault with context -%}
|
||||||
|
[Unit]
|
||||||
|
Description=vault server
|
||||||
|
Requires=network-online.target
|
||||||
|
After=network-online.target consul.service
|
||||||
|
|
||||||
|
[Service]
|
||||||
|
EnvironmentFile=-/etc/sysconfig/vault
|
||||||
|
Restart=on-failure
|
||||||
|
ExecStart=/usr/local/bin/vault server {% if vault.dev_mode %}-dev{% else %} -config="/etc/vault/config/server.hcl"{% endif %}
|
|
@ -1,3 +1,4 @@
|
||||||
|
{%- from "vault/map.jinja" import vault with context -%}
|
||||||
description "Vault server"
|
description "Vault server"
|
||||||
|
|
||||||
start on (runlevel [345] and started network)
|
start on (runlevel [345] and started network)
|
||||||
|
@ -14,6 +15,10 @@ script
|
||||||
export GOMAXPROCS=`nproc`
|
export GOMAXPROCS=`nproc`
|
||||||
|
|
||||||
exec /usr/local/bin/vault server \
|
exec /usr/local/bin/vault server \
|
||||||
|
{%- if vault.dev_mode %}
|
||||||
|
-dev \
|
||||||
|
{% else %}
|
||||||
-config="/etc/vault/config/server.hcl" \
|
-config="/etc/vault/config/server.hcl" \
|
||||||
|
{% endif -%}
|
||||||
>>/var/log/vault.log 2>&1
|
>>/var/log/vault.log 2>&1
|
||||||
end script
|
end script
|
|
@ -1,8 +1,20 @@
|
||||||
{%- set version = salt.pillar.get('vault:vault_version', '0.7.0') %}
|
{% from "vault/map.jinja" import vault with context %}
|
||||||
{%- set source_hash = salt.pillar.get('vault:source_hash', 'c6d97220e75335f75bd6f603bb23f1f16fe8e2a9d850ba59599b1a0e4d067aaa') %}
|
# using archive.extracted causes: 'Comment: Failed to cache https://releases.hashicorp.com/vault/0.7.0/vault_0.7.0_linux_amd64.zip: [Errno 1] _ssl.c:493: error:1409442E:SSL routines:SSL3_READ_BYTES:tlsv1 alert protocol version'
|
||||||
install Vault:
|
vault packages:
|
||||||
archive.extracted:
|
pkg.installed:
|
||||||
- name: /usr/local/bin
|
- names:
|
||||||
- source: https://releases.hashicorp.com/vault/{{ version }}/vault_{{ version }}_linux_amd64.zip
|
- unzip
|
||||||
- source_hash: {{ source_hash }}
|
- curl
|
||||||
- enforce_toplevel: False
|
|
||||||
|
download vault:
|
||||||
|
cmd.run:
|
||||||
|
- name: curl --silent -L https://releases.hashicorp.com/vault/{{ vault.version }}/vault_{{ vault.version }}_linux_amd64.zip -o /tmp/vault.zip
|
||||||
|
- unless: test -e /tmp/vault.zip
|
||||||
|
|
||||||
|
install vault:
|
||||||
|
cmd.run:
|
||||||
|
- name: unzip /tmp/vault.zip -d /usr/local/bin && chmod 0755 /usr/local/bin/vault && chown root:root /usr/local/bin/vault
|
||||||
|
- require:
|
||||||
|
- cmd: download vault
|
||||||
|
- pkg: unzip
|
||||||
|
- unless: test -e /usr/local/bin/vault
|
||||||
|
|
|
@ -1,14 +1,2 @@
|
||||||
{% set vault = salt['grains.filter_by']({
|
{% import_yaml "vault/defaults.yaml" as defaults %}
|
||||||
'default': {
|
{% set vault = salt['pillar.get']('vault', default=defaults['vault'], merge=True) %}
|
||||||
listen_protocol: 'tcp',
|
|
||||||
listen_address: 0.0.0.0,
|
|
||||||
listen_port: 8200,
|
|
||||||
strict_tls: 1,
|
|
||||||
default_lease_ttl: '72h',
|
|
||||||
max_lease_ttl: '72h',
|
|
||||||
vault_version: '0.7.0',
|
|
||||||
self_signed_cert: {
|
|
||||||
enabled: false,
|
|
||||||
}
|
|
||||||
},
|
|
||||||
}, merge=salt['pillar.get']('vault:lookup')) %}
|
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
{% from "vault/map.jinja" import vault with context %}
|
{% from "vault/map.jinja" import vault with context %}
|
||||||
{% if vault.self_signed_cert.enabled %}
|
{%- if vault.self_signed_cert.enabled %}
|
||||||
/usr/local/bin/self-cert-gen.sh:
|
/usr/local/bin/self-cert-gen.sh:
|
||||||
file.managed:
|
file.managed:
|
||||||
- source: salt://vault/files/cert-gen.sh.jinja
|
- source: salt://vault/files/cert-gen.sh.jinja
|
||||||
|
@ -14,7 +14,22 @@ generate self signed SSL certs:
|
||||||
- cwd: /etc/vault
|
- cwd: /etc/vault
|
||||||
- require:
|
- require:
|
||||||
- file: /usr/local/bin/self-cert-gen.sh
|
- file: /usr/local/bin/self-cert-gen.sh
|
||||||
{% endif %}
|
{% endif -%}
|
||||||
|
|
||||||
|
/etc/vault:
|
||||||
|
file.directory:
|
||||||
|
- user: root
|
||||||
|
- group: root
|
||||||
|
- mode: 755
|
||||||
|
|
||||||
|
{%- if vault.dev_mode %}
|
||||||
|
/etc/vault/config:
|
||||||
|
file.directory:
|
||||||
|
- user: root
|
||||||
|
- group: root
|
||||||
|
- mode: 755
|
||||||
|
- require:
|
||||||
|
- file: /etc/vault
|
||||||
|
|
||||||
/etc/vault/config/server.hcl:
|
/etc/vault/config/server.hcl:
|
||||||
file.managed:
|
file.managed:
|
||||||
|
@ -23,21 +38,39 @@ generate self signed SSL certs:
|
||||||
- user: root
|
- user: root
|
||||||
- group: root
|
- group: root
|
||||||
- mode: 644
|
- mode: 644
|
||||||
|
- require:
|
||||||
|
- file: /etc/vault/config
|
||||||
|
{% endif -%}
|
||||||
|
|
||||||
/etc/init/vault.conf:
|
{%- if vault.service.type == 'systemd' %}
|
||||||
|
/etc/systemd/system/vault.service:
|
||||||
file.managed:
|
file.managed:
|
||||||
- source: salt://vault/files/vault.conf.jinja
|
- source: salt://vault/files/vault_systemd.service.jinja
|
||||||
- template: jinja
|
- template: jinja
|
||||||
- user: root
|
- user: root
|
||||||
- group: root
|
- group: root
|
||||||
- mode: 644
|
- mode: 644
|
||||||
|
- require_in:
|
||||||
|
- service: vault
|
||||||
|
|
||||||
|
{% elif vault.service.type == 'upstart' %}
|
||||||
|
/etc/init/vault.conf:
|
||||||
|
file.managed:
|
||||||
|
- source: salt://vault/files/vault_upstart.conf.jinja
|
||||||
|
- template: jinja
|
||||||
|
- user: root
|
||||||
|
- group: root
|
||||||
|
- require_in:
|
||||||
|
- service: vault
|
||||||
|
{% endif -%}
|
||||||
|
|
||||||
vault:
|
vault:
|
||||||
service.running:
|
service.running:
|
||||||
- enable: True
|
- enable: True
|
||||||
- require:
|
- require:
|
||||||
{% if vault.self_signed_cert.enabled %}
|
{%- if vault.self_signed_cert.enabled %}
|
||||||
- cmd: generate self signed SSL certs
|
- cmd: generate self signed SSL certs
|
||||||
{% endif %}
|
{% endif -%}
|
||||||
|
{%- if vault.dev_mode %}
|
||||||
- file: /etc/vault/config/server.hcl
|
- file: /etc/vault/config/server.hcl
|
||||||
- file: /etc/init/vault.conf
|
{% endif -%}
|
||||||
|
|
Loading…
Reference in a new issue