Initial commit - not workign as-is
This commit is contained in:
Marcus Young
commit
865ec58732
6 changed files with 227 additions and 0 deletions
0
README.md
Normal file
0
README.md
Normal file
18
vault/init.sls
Normal file
18
vault/init.sls
Normal file
|
|
@ -0,0 +1,18 @@
|
|||
vault packages:
|
||||
pkg.installed:
|
||||
- names:
|
||||
- jq
|
||||
- unzip
|
||||
|
||||
download vault:
|
||||
cmd.run:
|
||||
- name: curl --silent -L https://releases.hashicorp.com/vault/{{ pillar['pkgs']['vault_version'] }}/vault_{{ pillar['pkgs']['vault_version'] }}_linux_amd64.zip -o /tmp/vault.zip
|
||||
- unless: test -e /tmp/vault.zip
|
||||
|
||||
install vault:
|
||||
cmd.run:
|
||||
- name: unzip /tmp/vault.zip -d /usr/local/bin && chmod 0755 /usr/local/bin/vault && chown root:root /usr/local/bin/vault
|
||||
- require:
|
||||
- cmd: download vault
|
||||
- pkg: unzip
|
||||
- unless: test -e /usr/local/bin/vault
|
||||
41
vault/server.sls
Normal file
41
vault/server.sls
Normal file
|
|
@ -0,0 +1,41 @@
|
|||
#TODO only do this if bool param 'self_signed_cert: true'
|
||||
/usr/local/bin/self-cert-gen.sh:
|
||||
file.managed:
|
||||
- source: salt://vault/templates/cert-gen.sh.jinja
|
||||
- template: jinja
|
||||
- user: root
|
||||
- group: root
|
||||
- mode: 644
|
||||
|
||||
#TODO only do this if bool param 'self_signed_cert: true'
|
||||
#TODO parameterize localhost and 'vault' password
|
||||
generate SSL certs:
|
||||
cmd.run:
|
||||
- name: bash /usr/local/bin/cert-gen.sh localhost vault
|
||||
- cwd: /etc/vault
|
||||
- require:
|
||||
- file: /usr/local/bin/self-cert-gen.sh
|
||||
|
||||
/etc/vault/config/server.hcl:
|
||||
file.managed:
|
||||
- source: salt://vault/templates/server.hcl.jinja
|
||||
- template: jinja
|
||||
- user: root
|
||||
- group: root
|
||||
- mode: 644
|
||||
|
||||
/etc/init/vault.conf:
|
||||
file.managed:
|
||||
- source: salt://vault/templates/vault.conf.jinja
|
||||
- template: jinja
|
||||
- user: root
|
||||
- group: root
|
||||
- mode: 644
|
||||
|
||||
vault:
|
||||
service.running:
|
||||
- enable: True
|
||||
- require:
|
||||
- cmd: generate SSL certs #todo only if bool present
|
||||
- file: /etc/vault/config/server.hcl
|
||||
- file: /etc/init/vault.conf
|
||||
133
vault/templates/cert-gen.sh.jinja
Normal file
133
vault/templates/cert-gen.sh.jinja
Normal file
|
|
@ -0,0 +1,133 @@
|
|||
#!/usr/bin/env bash
|
||||
|
||||
###
|
||||
# Check for root name.
|
||||
##
|
||||
root=$1
|
||||
shift
|
||||
if [[ -z "$root" ]]; then
|
||||
echo "you must pass 2 arguments; first for root name, second for child name"
|
||||
exit
|
||||
fi
|
||||
|
||||
###
|
||||
# Check for child name
|
||||
##
|
||||
child=$1
|
||||
if [[ -z "$child" ]]; then
|
||||
echo "you must pass 2 arguments; first for root name ($root), second for child name"
|
||||
exit
|
||||
fi
|
||||
|
||||
###
|
||||
# Use the child name as the password because Java Keystore requires it
|
||||
##
|
||||
pw="$child"
|
||||
|
||||
###
|
||||
# Generate the root certificate
|
||||
##
|
||||
root_key="$root.key"
|
||||
root_pem="$root.pem"
|
||||
root_key_nopass="$root-nopass.key"
|
||||
# TODO parameterize
|
||||
root_subj="/C=US/ST=TN/L=Nashville/O=Fixme/OU=Ops/CN=$root\_ca"
|
||||
root_p12="$root.p12"
|
||||
|
||||
###
|
||||
# Generate the root private key
|
||||
##
|
||||
if [[ -e "$root_key" ]]; then
|
||||
echo "$root_key already exits"
|
||||
else
|
||||
echo "generate $root_key"
|
||||
openssl genrsa -aes256 -passout pass:"$pw" -out "$root_key" 4096
|
||||
fi
|
||||
|
||||
###
|
||||
# Genereate the the root privacy enhanced email (PEM)
|
||||
##
|
||||
if [[ -e "$root_pem" ]]; then
|
||||
echo "$root_pem already exits"
|
||||
else
|
||||
echo "generate $root_pem"
|
||||
openssl req -new -x509 -days 3652 -key "$root_key" -out "$root_pem" -passin pass:"$pw" -subj "$root_subj"
|
||||
fi
|
||||
|
||||
###
|
||||
# Generate the root public key (P12)
|
||||
##
|
||||
if [[ -e "$root_p12" ]]; then
|
||||
echo "$root_p12 already exits"
|
||||
else
|
||||
echo "generate $root_p12"
|
||||
openssl pkcs12 -export -in "$root_pem" -inkey "$root_key" -passin pass:"$pw" -passout pass:"$pw" -out "$root_p12" \
|
||||
-name "$root"
|
||||
fi
|
||||
|
||||
###
|
||||
# Generate the child certificate
|
||||
##
|
||||
child_name="${root}_${child}"
|
||||
child_key="$child_name.key"
|
||||
child_pem="$child_name.pem"
|
||||
child_csr="$child_name.csr"
|
||||
child_subj="/C=US/ST=TN/L=Nashville/O=Stratasan/OU=Ops/CN=$child_name"
|
||||
child_p12="$child_name.p12"
|
||||
child_jks="$child_name.jks"
|
||||
|
||||
###
|
||||
# Generate the child private key
|
||||
##
|
||||
if [[ -e "$child_key" ]]; then
|
||||
echo "$child_key already exits"
|
||||
else
|
||||
echo "generate $child_key"
|
||||
openssl genrsa -aes256 -passout pass:"$pw" -out "$child_key" 4096
|
||||
fi
|
||||
|
||||
###
|
||||
# Genereate the the child privacy enhanced email (PEM)
|
||||
##
|
||||
if [[ -e "$child_pem" ]]; then
|
||||
echo "$child_pem already exits"
|
||||
else
|
||||
echo "generate $child_csr"
|
||||
openssl req -new -key "$child_key" -passin pass:"$pw" -out "$child_csr" -subj "$child_subj"
|
||||
echo "generate $child_pem"
|
||||
openssl x509 -req -days 36524 -in "$child_csr" -CA "$root_pem" -CAkey "$root_key" -passin pass:"$pw" -set_serial 1 \
|
||||
-out "$child_pem"
|
||||
fi
|
||||
|
||||
###
|
||||
# Generate the child public key (P12)
|
||||
##
|
||||
if [[ -e "$child_p12" ]]; then
|
||||
echo "$child_p12 already exits"
|
||||
else
|
||||
echo "generate $child_p12"
|
||||
openssl pkcs12 -export -in "$child_pem" -inkey "$child_key" -passin pass:"$pw" -passout pass:"$pw" -out "$child_p12" \
|
||||
-certfile "$root_pem" -caname "$root" -name "$child_name"
|
||||
fi
|
||||
|
||||
###
|
||||
# Generate the Java Keystore (JKS)
|
||||
##
|
||||
if [[ -e "$child_jks" ]]; then
|
||||
echo "$child_jks already exits"
|
||||
else
|
||||
keytool="keytool"
|
||||
if [[ -n $(command -v $keytool) ]]; then
|
||||
echo "generate $child_jks with $root trustedCertEntry"
|
||||
$keytool -importcert -trustcacerts -noprompt -file "$root_pem" -destkeystore "$child_jks" -storepass "$pw" \
|
||||
-alias "$root" -v
|
||||
echo "supplement $child_jks with $child PrivateKeyEntry"
|
||||
$keytool -importkeystore -destkeystore "$child_jks" -storepass "$pw" -srckeystore "$child_p12" \
|
||||
-srcstoretype pkcs12 -srcstorepass "$pw" -alias "$child_name" -v
|
||||
else
|
||||
echo "$keytool is not installed"
|
||||
fi
|
||||
fi
|
||||
|
||||
echo "Generating version of '$root_key' without password as '$root_key_nopass'."
|
||||
openssl rsa -in "$root_key" -out "$root_key_nopass" -passin pass:"$pw"
|
||||
16
vault/templates/server.hcl.jinja
Normal file
16
vault/templates/server.hcl.jinja
Normal file
|
|
@ -0,0 +1,16 @@
|
|||
#todo parameterize
|
||||
backend "s3" {
|
||||
bucket = "fixme"
|
||||
}
|
||||
|
||||
# TODO parameterize
|
||||
listener "tcp" {
|
||||
address = "0.0.0.0:8200"
|
||||
tls_disable = 0 #todo - only include if bool from server.sls found
|
||||
tls_cert_file = "/etc/vault/localhost.pem" #todo - only include if bool from server.sls found
|
||||
tls_key_file = "/etc/vault/localhost-nopass.key" #todo - only include if bool from server.sls found
|
||||
}
|
||||
|
||||
#todo parameterize
|
||||
default_lease_ttl="4380h"
|
||||
max_lease_ttl="43800h"
|
||||
19
vault/templates/vault.conf.jinja
Normal file
19
vault/templates/vault.conf.jinja
Normal file
|
|
@ -0,0 +1,19 @@
|
|||
description "Vault server"
|
||||
|
||||
start on (runlevel [345] and started network)
|
||||
stop on (runlevel [!345] or stopping network)
|
||||
|
||||
respawn
|
||||
|
||||
script
|
||||
if [ -f "/etc/service/vault" ]; then
|
||||
. /etc/service/vault
|
||||
fi
|
||||
|
||||
# Make sure to use all our CPUs, because Vault can block a scheduler thread
|
||||
export GOMAXPROCS=`nproc`
|
||||
|
||||
exec /usr/local/bin/vault server \
|
||||
-config="/etc/vault/config/server.hcl" \
|
||||
>>/var/log/vault.log 2>&1
|
||||
end script
|
||||
Loading…
Reference in a new issue