Merge pull request #4 from saltstack-formulas/bugfix/initial_pass

Add support for tests
This commit is contained in:
myoung34 2017-04-26 09:59:21 -05:00 committed by GitHub
commit aff118493b
19 changed files with 568 additions and 50 deletions

1
.gitignore vendored Normal file
View file

@ -0,0 +1 @@
.kitchen

94
.kitchen.yml Normal file
View file

@ -0,0 +1,94 @@
---
driver:
name: docker
use_sudo: false
privileged: true
verifier:
name: inspec
format: doc
provisioner:
name: salt_solo
log_level: debug
require_chef: false
formula: vault
platforms:
- name: ubuntu-16.04
driver_config:
provision_command:
- apt-get update && apt-get install -y locales && locale-gen en_US.UTF-8
run_command: /sbin/init
privileged: true
pid_one_command: /usr/lib/systemd/systemd
- name: amazonlinux
driver_config:
image: amazonlinux:latest
platform: rhel
run_command: /sbin/init
suites:
- name: default
provisioner:
state_top:
base:
'*':
- vault
- name: dev_server_systemd
excludes:
- amazonlinux
provisioner:
state_top:
base:
'*':
- vault
- vault.server
pillars:
top.sls:
base:
'*':
- vault
vault.sls:
vault:
service:
type: systemd
- name: dev_server_upstart
includes:
- amazonlinux
provisioner:
state_top:
base:
'*':
- vault
- vault.server
pillars:
top.sls:
base:
'*':
- vault
vault.sls:
vault:
service:
type: upstart
- name: server_backend_s3
includes:
- amazonlinux
provisioner:
state_top:
base:
'*':
- vault
- vault.server
pillars:
top.sls:
base:
'*':
- vault
vault.sls:
vault:
backend:
type: s3
bucket: com-saltstack-vault
service:
type: upstart

11
.travis.yml Normal file
View file

@ -0,0 +1,11 @@
sudo: required
language: ruby
services:
- docker
before_install:
- bundle install
script: bundle exec kitchen verify

6
Gemfile Normal file
View file

@ -0,0 +1,6 @@
source "https://rubygems.org"
gem "test-kitchen"
gem "kitchen-docker"
gem "kitchen-salt"
gem 'kitchen-inspec'

149
Gemfile.lock Normal file
View file

@ -0,0 +1,149 @@
GEM
remote: https://rubygems.org/
specs:
addressable (2.5.1)
public_suffix (~> 2.0, >= 2.0.2)
artifactory (2.8.1)
blankslate (2.1.2.4)
builder (3.2.3)
coderay (1.1.1)
diff-lcs (1.3)
docker-api (1.33.4)
excon (>= 0.38.0)
json
erubis (2.7.0)
excon (0.55.0)
faraday (0.12.1)
multipart-post (>= 1.2, < 3)
ffi (1.9.18)
gssapi (1.2.0)
ffi (>= 1.0.1)
gyoku (1.3.1)
builder (>= 2.1.2)
hashie (3.5.5)
httpclient (2.8.3)
inspec (1.20.0)
addressable (~> 2.4)
faraday (>= 0.9.0)
hashie (~> 3.4)
json (>= 1.8, < 3.0)
method_source (~> 0.8)
mixlib-log
parallel (~> 1.9)
parslet (~> 1.5)
pry (~> 0)
rainbow (~> 2)
rspec (~> 3)
rspec-its (~> 1.2)
rubyzip (~> 1.1)
sslshake (~> 1.1)
thor (~> 0.19)
toml (~> 0.1)
train (>= 0.22.0, < 1.0)
json (2.1.0)
kitchen-docker (2.6.0)
test-kitchen (>= 1.0.0)
kitchen-inspec (0.18.0)
hashie (~> 3.4)
inspec (>= 0.34.0, < 2.0.0)
test-kitchen (~> 1.6)
kitchen-salt (0.0.24)
test-kitchen (~> 1.4)
little-plugger (1.1.4)
logging (2.2.2)
little-plugger (~> 1.1)
multi_json (~> 1.10)
method_source (0.8.2)
mixlib-install (2.1.12)
artifactory
mixlib-shellout
mixlib-versioning
thor
mixlib-log (1.7.1)
mixlib-shellout (2.2.7)
mixlib-versioning (1.1.0)
multi_json (1.12.1)
multipart-post (2.0.0)
net-scp (1.2.1)
net-ssh (>= 2.6.5)
net-ssh (4.1.0)
net-ssh-gateway (1.3.0)
net-ssh (>= 2.6.5)
nori (2.6.0)
parallel (1.11.1)
parslet (1.5.0)
blankslate (~> 2.0)
pry (0.10.4)
coderay (~> 1.1.0)
method_source (~> 0.8.1)
slop (~> 3.4)
public_suffix (2.0.5)
rainbow (2.2.2)
rake
rake (12.0.0)
rspec (3.5.0)
rspec-core (~> 3.5.0)
rspec-expectations (~> 3.5.0)
rspec-mocks (~> 3.5.0)
rspec-core (3.5.4)
rspec-support (~> 3.5.0)
rspec-expectations (3.5.0)
diff-lcs (>= 1.2.0, < 2.0)
rspec-support (~> 3.5.0)
rspec-its (1.2.0)
rspec-core (>= 3.0.0)
rspec-expectations (>= 3.0.0)
rspec-mocks (3.5.0)
diff-lcs (>= 1.2.0, < 2.0)
rspec-support (~> 3.5.0)
rspec-support (3.5.0)
rubyntlm (0.6.1)
rubyzip (1.2.1)
safe_yaml (1.0.4)
slop (3.6.0)
sslshake (1.2.0)
test-kitchen (1.16.0)
mixlib-install (>= 1.2, < 3.0)
mixlib-shellout (>= 1.2, < 3.0)
net-scp (~> 1.1)
net-ssh (>= 2.9, < 5.0)
net-ssh-gateway (~> 1.2)
safe_yaml (~> 1.0)
thor (~> 0.19, < 0.19.2)
thor (0.19.1)
toml (0.1.2)
parslet (~> 1.5.0)
train (0.23.0)
docker-api (~> 1.26)
json (>= 1.8, < 3.0)
mixlib-shellout (~> 2.0)
net-scp (~> 1.2)
net-ssh (>= 2.9, < 5.0)
winrm (~> 2.0)
winrm-fs (~> 1.0)
winrm (2.2.2)
builder (>= 2.1.2)
erubis (~> 2.7)
gssapi (~> 1.2)
gyoku (~> 1.0)
httpclient (~> 2.2, >= 2.2.0.2)
logging (>= 1.6.1, < 3.0)
nori (~> 2.0)
rubyntlm (~> 0.6.0, >= 0.6.1)
winrm-fs (1.0.1)
erubis (~> 2.7)
logging (>= 1.6.1, < 3.0)
rubyzip (~> 1.1)
winrm (~> 2.0)
PLATFORMS
ruby
DEPENDENCIES
kitchen-docker
kitchen-inspec
kitchen-salt
test-kitchen
BUNDLED WITH
1.14.6

View file

62
README.rst Normal file
View file

@ -0,0 +1,62 @@
======
Vault
======
.. image:: https://travis-ci.org/saltstack-formulas/vault-formula.svg?branch=master
Formulas for working with `Vault <http://www.vaultproject.io>`_
Available states
================
.. contents::
:local:
``vault``
----------
Install the vault binary
``vault.server``
---------------------
Install and configure the vault server
To use it, just include *vault.server* in your *top.sls*, and configure it using pillars:
::
vault:
vault_version: 0.7.0
listen_protocol: tcp
listen_port: 8200
listen_address: 0.0.0.0
strict_tls: 0
default_lease_ttl: 24h
max_lease_ttl: 24h
self_signed_cert:
enabled: false
backend: {}
dev_mode: true
service:
type: systemd
Testing
=======
Testing is done with `Test Kitchen <http://kitchen.ci/>`_
for machine setup and `inspec <https://github.com/chef/inspec/>`_
for integration tests.
Requirements
------------
* Ruby
* Docker
::
gem install bundler
bundle install
bundle exec kitchen test all

View file

@ -1,11 +1,16 @@
vault: vault:
vault_version: 0.7.0 version: 0.7.0
source_hash: c6d97220e75335f75bd6f603bb23f1f16fe8e2a9d850ba59599b1a0e4d067aaa
listen_protocol: tcp listen_protocol: tcp
listen_port: 8200 listen_port: 8200
listen_address: 0.0.0.0 listen_address: 0.0.0.0
strict_tls: 0 strict_tls: 0
default_lease_ttl: '4380h' tls_cert_file: {}
max_lease_ttl: '43800h' tls_key_file: {}
s3_backend: default_lease_ttl: 4380h
bucket: 'com-foo-vault' max_lease_ttl: 43800h
self_signed_cert:
enabled: false
backend: {}
dev_mode: true
service:
type: upstart

View file

@ -0,0 +1,6 @@
describe command('/usr/local/bin/vault -version') do
its(:exit_status) { should eq 0 }
its(:stderr) { should be_empty }
its(:stdout) { should match(/^Vault v[0-9\.]+ \('[0-9a-f]+'\)/) }
end

View file

@ -0,0 +1,35 @@
describe file('/etc/vault/config/server.hcl') do
it { should be_a_file }
expected =<<-EOF
listener "tcp" {
address = "0.0.0.0:8200"
tls_disable = 0
}
default_lease_ttl="24h"
max_lease_ttl="24h"
EOF
its(:content) { should eq(expected) }
end
describe file('/etc/systemd/system/vault.service') do
it { should be_a_file }
its(:content) { should_not match /syslog/ }
end
describe file('/etc/init/vault.conf') do
it { should_not be_a_file }
end
describe service('vault') do
it { should be_enabled }
it { should be_running }
end
describe command('journalctl -u vault') do
its(:exit_status) { should eq 0 }
its(:stderr) { should be_empty }
its(:stdout) { should match(/WARNING: Dev mode is enabled!/) }
end

View file

@ -0,0 +1,50 @@
describe file('/etc/vault/config/server.hcl') do
it { should be_a_file }
expected = <<-EOF
listener "tcp" {
address = "0.0.0.0:8200"
tls_disable = 0
}
default_lease_ttl="24h"
max_lease_ttl="24h"
EOF
its(:content) { should eq(expected) }
end
describe file('/etc/systemd/system/vault.service') do
it { should_not be_a_file }
end
describe file('/etc/init/vault.conf') do
it { should be_a_file }
its(:content) { should_not match /syslog/ }
end
if os[:family] == 'amazon'
# serverspec assumes 'service' resource to be
# init.d for rhel-based os. have to just check
# that it is running, that means that it started
# with the instance
describe command('sudo initctl list | grep vault | grep -v grep') do
its(:stdout) { should match(/vault start\/running/) }
its(:stderr) { should be_empty }
end
describe processes("vault") do
its('users') { should eq ['root'] }
end
else
describe service('vault') do
it { should be_enabled }
it { should be_running }
end
end
describe file('/var/log/vault.log') do
it { should be_a_file }
its(:content) { should match(/WARNING: Dev mode is enabled!/) }
end

View file

@ -0,0 +1,36 @@
describe file('/etc/vault/config/server.hcl') do
it { should be_a_file }
its(:content) { should match /bucket = "com-saltstack-vault"/ }
end
describe file('/etc/init/vault.conf') do
it { should be_a_file }
its(:content) { should_not match /syslog/ }
end
if os[:family] == 'amazon'
# serverspec assumes 'service' resource to be
# init.d for rhel-based os. have to just check
# that it is running, that means that it started
# with the instance
describe command('sudo initctl list | grep vault | grep -v grep') do
its(:stdout) { should match(/vault start\/running/) }
its(:stderr) { should be_empty }
end
describe processes("vault") do
its('users') { should eq ['root'] }
end
else
describe service('vault') do
it { should be_enabled }
it { should be_running }
end
end
describe file('/var/log/vault.log') do
it { should be_a_file }
its(:content) { should match(/WARNING: Dev mode is enabled!/) }
end

17
vault/defaults.yaml Normal file
View file

@ -0,0 +1,17 @@
vault:
version: 0.7.0
listen_protocol: tcp
listen_port: 8200
listen_address: 0.0.0.0
strict_tls: 0
service: upstart
tls_cert_file: {}
tls_key_file: {}
default_lease_ttl: 24h
max_lease_ttl: 24h
self_signed_cert:
enabled: false
backend: {}
dev_mode: true
service:
type: systemd

View file

@ -1,27 +1,25 @@
{% from "vault/map.jinja" import vault with context %} {%- from "vault/map.jinja" import vault with context -%}
{%- if vault.backend and vault.backend.type == "s3" %}
{% if vault.s3_backend %}
backend "s3" { backend "s3" {
bucket = "{{ vault.s3_backend.bucket }}" bucket = "{{ vault.backend.bucket }}"
} }
{% endif %} {% endif -%}
listener "{{ vault.listen_protocol }}" { listener "{{ vault.listen_protocol }}" {
address = "{{ vault.listen_address }}:{{ vault.listen_port }}" address = "{{ vault.listen_address }}:{{ vault.listen_port }}"
tls_disable = {{ vault.strict_tls }} tls_disable = {{ vault.strict_tls }}
{% if vault.self_signed_cert.enabled %} {% if vault.self_signed_cert.enabled %}
tls_cert_file = "/etc/vault/{{ vault.self_signed_cert.hostname }}.pem" tls_cert_file = "/etc/vault/{{ vault.self_signed_cert.hostname }}.pem"
tls_key_file = "/etc/vault/{{ vault.self_signed_cert.hostname }}-nopass.key" tls_key_file = "/etc/vault/{{ vault.self_signed_cert.hostname }}-nopass.key"
{% else %} {% else %}
{% if vault.tls_cert_file %} {%- if vault.tls_cert_file %}
tls_cert_file = "{{ vault.tls_cert_file }}" tls_cert_file = "{{ vault.tls_cert_file }}"
{% endif %} {% endif -%}
{% if vault.tls_key_file %} {%- if vault.tls_key_file %}
tls_key_file = "{{ vault.tls_cert_file }}" tls_key_file = "{{ vault.tls_key_file }}"
{% endif %} {% endif -%}
{% endif %} {% endif %}
} }
#todo parameterize
default_lease_ttl="{{ vault.default_lease_ttl }}" default_lease_ttl="{{ vault.default_lease_ttl }}"
max_lease_ttl="{{ vault.max_lease_ttl }}" max_lease_ttl="{{ vault.max_lease_ttl }}"

View file

@ -0,0 +1,10 @@
{%- from "vault/map.jinja" import vault with context -%}
[Unit]
Description=vault server
Requires=network-online.target
After=network-online.target consul.service
[Service]
EnvironmentFile=-/etc/sysconfig/vault
Restart=on-failure
ExecStart=/usr/local/bin/vault server {% if vault.dev_mode %}-dev{% else %} -config="/etc/vault/config/server.hcl"{% endif %}

View file

@ -1,3 +1,4 @@
{%- from "vault/map.jinja" import vault with context -%}
description "Vault server" description "Vault server"
start on (runlevel [345] and started network) start on (runlevel [345] and started network)
@ -14,6 +15,10 @@ script
export GOMAXPROCS=`nproc` export GOMAXPROCS=`nproc`
exec /usr/local/bin/vault server \ exec /usr/local/bin/vault server \
{%- if vault.dev_mode %}
-dev \
{% else %}
-config="/etc/vault/config/server.hcl" \ -config="/etc/vault/config/server.hcl" \
{% endif -%}
>>/var/log/vault.log 2>&1 >>/var/log/vault.log 2>&1
end script end script

View file

@ -1,8 +1,20 @@
{%- set version = salt.pillar.get('vault:vault_version', '0.7.0') %} {% from "vault/map.jinja" import vault with context %}
{%- set source_hash = salt.pillar.get('vault:source_hash', 'c6d97220e75335f75bd6f603bb23f1f16fe8e2a9d850ba59599b1a0e4d067aaa') %} # using archive.extracted causes: 'Comment: Failed to cache https://releases.hashicorp.com/vault/0.7.0/vault_0.7.0_linux_amd64.zip: [Errno 1] _ssl.c:493: error:1409442E:SSL routines:SSL3_READ_BYTES:tlsv1 alert protocol version'
install Vault: vault packages:
archive.extracted: pkg.installed:
- name: /usr/local/bin - names:
- source: https://releases.hashicorp.com/vault/{{ version }}/vault_{{ version }}_linux_amd64.zip - unzip
- source_hash: {{ source_hash }} - curl
- enforce_toplevel: False
download vault:
cmd.run:
- name: curl --silent -L https://releases.hashicorp.com/vault/{{ vault.version }}/vault_{{ vault.version }}_linux_amd64.zip -o /tmp/vault.zip
- unless: test -e /tmp/vault.zip
install vault:
cmd.run:
- name: unzip /tmp/vault.zip -d /usr/local/bin && chmod 0755 /usr/local/bin/vault && chown root:root /usr/local/bin/vault
- require:
- cmd: download vault
- pkg: unzip
- unless: test -e /usr/local/bin/vault

View file

@ -1,14 +1,2 @@
{% set vault = salt['grains.filter_by']({ {% import_yaml "vault/defaults.yaml" as defaults %}
'default': { {% set vault = salt['pillar.get']('vault', default=defaults['vault'], merge=True) %}
listen_protocol: 'tcp',
listen_address: 0.0.0.0,
listen_port: 8200,
strict_tls: 1,
default_lease_ttl: '72h',
max_lease_ttl: '72h',
vault_version: '0.7.0',
self_signed_cert: {
enabled: false,
}
},
}, merge=salt['pillar.get']('vault:lookup')) %}

View file

@ -1,5 +1,5 @@
{% from "vault/map.jinja" import vault with context %} {% from "vault/map.jinja" import vault with context %}
{% if vault.self_signed_cert.enabled %} {%- if vault.self_signed_cert.enabled %}
/usr/local/bin/self-cert-gen.sh: /usr/local/bin/self-cert-gen.sh:
file.managed: file.managed:
- source: salt://vault/files/cert-gen.sh.jinja - source: salt://vault/files/cert-gen.sh.jinja
@ -14,7 +14,22 @@ generate self signed SSL certs:
- cwd: /etc/vault - cwd: /etc/vault
- require: - require:
- file: /usr/local/bin/self-cert-gen.sh - file: /usr/local/bin/self-cert-gen.sh
{% endif %} {% endif -%}
/etc/vault:
file.directory:
- user: root
- group: root
- mode: 755
{%- if vault.dev_mode %}
/etc/vault/config:
file.directory:
- user: root
- group: root
- mode: 755
- require:
- file: /etc/vault
/etc/vault/config/server.hcl: /etc/vault/config/server.hcl:
file.managed: file.managed:
@ -23,21 +38,39 @@ generate self signed SSL certs:
- user: root - user: root
- group: root - group: root
- mode: 644 - mode: 644
- require:
- file: /etc/vault/config
{% endif -%}
/etc/init/vault.conf: {%- if vault.service.type == 'systemd' %}
/etc/systemd/system/vault.service:
file.managed: file.managed:
- source: salt://vault/files/vault.conf.jinja - source: salt://vault/files/vault_systemd.service.jinja
- template: jinja - template: jinja
- user: root - user: root
- group: root - group: root
- mode: 644 - mode: 644
- require_in:
- service: vault
{% elif vault.service.type == 'upstart' %}
/etc/init/vault.conf:
file.managed:
- source: salt://vault/files/vault_upstart.conf.jinja
- template: jinja
- user: root
- group: root
- require_in:
- service: vault
{% endif -%}
vault: vault:
service.running: service.running:
- enable: True - enable: True
- require: - require:
{% if vault.self_signed_cert.enabled %} {%- if vault.self_signed_cert.enabled %}
- cmd: generate self signed SSL certs - cmd: generate self signed SSL certs
{% endif %} {% endif -%}
{%- if vault.dev_mode %}
- file: /etc/vault/config/server.hcl - file: /etc/vault/config/server.hcl
- file: /etc/init/vault.conf {% endif -%}