Initial commit - not workign as-is

2017-04-11 08:58:37 -05:00 · 2017-04-11 08:58:37 -05:00 · 865ec58732
commit 865ec58732
6 changed files with 227 additions and 0 deletions
--- a/README.md
+++ b/README.md
--- a/vault/init.sls
+++ b/vault/init.sls
@ -0,0 +1,18 @@
+vault packages:
+  pkg.installed:
+    - names:
+      - jq 
+      - unzip
+
+download vault:
+  cmd.run:
+    - name: curl --silent -L https://releases.hashicorp.com/vault/{{ pillar['pkgs']['vault_version'] }}/vault_{{ pillar['pkgs']['vault_version'] }}_linux_amd64.zip -o /tmp/vault.zip
+    - unless: test -e /tmp/vault.zip
+
+install vault:
+  cmd.run:
+    - name:  unzip /tmp/vault.zip -d /usr/local/bin &&  chmod 0755 /usr/local/bin/vault &&  chown root:root /usr/local/bin/vault
+    - require:
+      - cmd: download vault
+      - pkg: unzip
+    - unless: test -e /usr/local/bin/vault
--- a/vault/server.sls
+++ b/vault/server.sls
@ -0,0 +1,41 @@
+#TODO only do this if bool param 'self_signed_cert: true'
+/usr/local/bin/self-cert-gen.sh:
+  file.managed:
+    - source: salt://vault/templates/cert-gen.sh.jinja
+    - template: jinja
+    - user: root
+    - group: root
+    - mode: 644
+
+#TODO only do this if bool param 'self_signed_cert: true'
+#TODO parameterize localhost and 'vault' password
+generate SSL certs:
+  cmd.run:
+    - name: bash /usr/local/bin/cert-gen.sh localhost vault
+    - cwd: /etc/vault
+    - require:
+      - file: /usr/local/bin/self-cert-gen.sh
+
+/etc/vault/config/server.hcl:
+  file.managed:
+    - source: salt://vault/templates/server.hcl.jinja
+    - template: jinja
+    - user: root
+    - group: root
+    - mode: 644
+
+/etc/init/vault.conf:
+  file.managed:
+    - source: salt://vault/templates/vault.conf.jinja
+    - template: jinja
+    - user: root
+    - group: root
+    - mode: 644
+
+vault:
+  service.running:
+    - enable: True
+    - require:
+      - cmd: generate SSL certs #todo only if bool present
+      - file: /etc/vault/config/server.hcl
+      - file: /etc/init/vault.conf
--- a/vault/templates/cert-gen.sh.jinja
+++ b/vault/templates/cert-gen.sh.jinja
@ -0,0 +1,133 @@
+#!/usr/bin/env bash
+
+###
+ # Check for root name.
+ ##
+root=$1
+shift
+if [[ -z "$root" ]]; then
+  echo "you must pass 2 arguments; first for root name, second for child name"
+  exit
+fi
+
+###
+ # Check for child name
+ ##
+child=$1
+if [[ -z "$child" ]]; then
+  echo "you must pass 2 arguments; first for root name ($root), second for child name"
+  exit
+fi
+
+###
+ # Use the child name as the password because Java Keystore requires it
+ ##
+pw="$child"
+
+###
+ # Generate the root certificate
+ ##
+root_key="$root.key"
+root_pem="$root.pem"
+root_key_nopass="$root-nopass.key"
+# TODO parameterize
+root_subj="/C=US/ST=TN/L=Nashville/O=Fixme/OU=Ops/CN=$root\_ca"
+root_p12="$root.p12"
+
+###
+ # Generate the root private key
+ ##
+if [[ -e "$root_key" ]]; then
+  echo "$root_key already exits"
+else
+  echo "generate $root_key"
+  openssl genrsa -aes256 -passout pass:"$pw" -out "$root_key" 4096
+fi
+
+###
+ # Genereate the the root privacy enhanced email (PEM)
+ ##
+if [[ -e "$root_pem" ]]; then
+  echo "$root_pem already exits"
+else
+  echo "generate $root_pem"
+  openssl req -new -x509 -days 3652 -key "$root_key" -out "$root_pem" -passin pass:"$pw" -subj "$root_subj"
+fi
+
+###
+ # Generate the root public key (P12)
+ ##
+if [[ -e "$root_p12" ]]; then
+  echo "$root_p12 already exits"
+else
+  echo "generate $root_p12"
+  openssl pkcs12 -export -in "$root_pem" -inkey "$root_key" -passin pass:"$pw" -passout pass:"$pw" -out "$root_p12" \
+    -name "$root"
+fi
+
+###
+ # Generate the child certificate
+ ##
+child_name="${root}_${child}"
+child_key="$child_name.key"
+child_pem="$child_name.pem"
+child_csr="$child_name.csr"
+child_subj="/C=US/ST=TN/L=Nashville/O=Stratasan/OU=Ops/CN=$child_name"
+child_p12="$child_name.p12"
+child_jks="$child_name.jks"
+
+###
+ # Generate the child private key
+ ##
+if [[ -e "$child_key" ]]; then
+  echo "$child_key already exits"
+else
+  echo "generate $child_key"
+  openssl genrsa -aes256 -passout pass:"$pw" -out "$child_key" 4096
+fi
+
+###
+ # Genereate the the child privacy enhanced email (PEM)
+ ##
+if [[ -e "$child_pem" ]]; then
+  echo "$child_pem already exits"
+else
+  echo "generate $child_csr"
+  openssl req -new -key "$child_key" -passin pass:"$pw" -out "$child_csr" -subj "$child_subj"
+  echo "generate $child_pem"
+  openssl x509 -req -days 36524 -in "$child_csr" -CA "$root_pem" -CAkey "$root_key" -passin pass:"$pw" -set_serial 1 \
+    -out "$child_pem"
+fi
+
+###
+ # Generate the child public key (P12)
+ ##
+if [[ -e "$child_p12" ]]; then
+  echo "$child_p12 already exits"
+else
+  echo "generate $child_p12"
+  openssl pkcs12 -export -in "$child_pem" -inkey "$child_key" -passin pass:"$pw" -passout pass:"$pw" -out "$child_p12" \
+    -certfile "$root_pem" -caname "$root" -name "$child_name"
+fi
+
+###
+ # Generate the Java Keystore (JKS)
+ ##
+if [[ -e "$child_jks" ]]; then
+  echo "$child_jks already exits"
+else
+  keytool="keytool"
+  if [[ -n $(command -v $keytool) ]]; then
+    echo "generate $child_jks with $root trustedCertEntry"
+    $keytool -importcert -trustcacerts -noprompt -file "$root_pem" -destkeystore "$child_jks" -storepass "$pw" \
+      -alias "$root" -v
+    echo "supplement $child_jks with $child PrivateKeyEntry"
+    $keytool -importkeystore -destkeystore "$child_jks" -storepass "$pw" -srckeystore "$child_p12" \
+      -srcstoretype pkcs12 -srcstorepass "$pw" -alias "$child_name" -v
+  else
+    echo "$keytool is not installed"
+  fi
+fi
+
+echo "Generating version of '$root_key' without password as '$root_key_nopass'."
+openssl rsa -in "$root_key" -out "$root_key_nopass" -passin pass:"$pw"
--- a/vault/templates/server.hcl.jinja
+++ b/vault/templates/server.hcl.jinja
@ -0,0 +1,16 @@
+#todo parameterize
+backend "s3" {
+  bucket = "fixme"
+}
+
+# TODO parameterize
+listener "tcp" {
+  address = "0.0.0.0:8200"
+  tls_disable = 0 #todo - only include if bool from server.sls found
+  tls_cert_file = "/etc/vault/localhost.pem" #todo - only include if bool from server.sls found
+  tls_key_file = "/etc/vault/localhost-nopass.key" #todo - only include if bool from server.sls found
+}
+
+#todo parameterize
+default_lease_ttl="4380h"
+max_lease_ttl="43800h"
--- a/vault/templates/vault.conf.jinja
+++ b/vault/templates/vault.conf.jinja
@ -0,0 +1,19 @@
+description "Vault server"
+
+start on (runlevel [345] and started network)
+stop on (runlevel [!345] or stopping network)
+
+respawn
+
+script
+  if [ -f "/etc/service/vault" ]; then
+    . /etc/service/vault
+  fi
+
+  # Make sure to use all our CPUs, because Vault can block a scheduler thread
+  export GOMAXPROCS=`nproc`
+
+  exec /usr/local/bin/vault server \
+    -config="/etc/vault/config/server.hcl" \
+    >>/var/log/vault.log 2>&1
+end script