Merge branch 'devel' of psi-jack/vault-formula into master

This commit is contained in:
Eric Renfro 2018-05-16 08:18:12 -04:00 committed by Gitea
commit c7b8b44d41
16 changed files with 509 additions and 315 deletions

View file

@ -46,7 +46,6 @@ suites:
base:
'*':
- vault
- vault.server
pillars:
top.sls:
base:
@ -64,7 +63,6 @@ suites:
base:
'*':
- vault
- vault.server
pillars:
top.sls:
base:

View file

@ -15,32 +15,31 @@ Available states
``vault``
----------
Install the vault binary
Installs and configures the Vault service.
``vault.server``
---------------------
``vault.install``
-----------------
Install and configure the vault server
Downloads and installs the Vault binary file.
To use it, just include *vault.server* in your *top.sls*, and configure it using pillars:
``vault.config``
----------------
::
Provision the Vault configuration files and sources.
``vault.service``
-----------------
Adds the Vault service startup configuration or script to an operating system.
To start the service during Salt run and enable it at boot time, you need to set the following Pillar:
.. code:: yaml
vault:
version: 0.7.0
listen_protocol: tcp
listen_port: 8200
listen_address: 0.0.0.0
tls_disable: 0
default_lease_ttl: 24h
max_lease_ttl: 24h
self_signed_cert:
enabled: false
backend: {}
dev_mode: true
service:
type: systemd
service: true
Testing
=======

View file

@ -1,51 +1,25 @@
vault:
version: 0.7.0
# Start Vault agent service and enable it at boot time
service: True
# Set user and group for Vault config files and running service
user: vault
group: vault
version: 0.10.1
config:
data_dir: /var/lib/vault
listen_protocol: tcp
listen_port: 8200
listen_address: 0.0.0.0
tls_disable: 0
tls_cert_file: {}
tls_key_file: {}
tls_cert_file: ''
tls_key_file: ''
storage:
type: file
default_lease_ttl: 4380h
max_lease_ttl: 43800h
self_signed_cert:
enabled: false
backend: {}
dev_mode: true
secure_download: true
service:
type: upstart
user: root
group: root
hashicorp_gpg_key: |
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1
mQENBFMORM0BCADBRyKO1MhCirazOSVwcfTr1xUxjPvfxD3hjUwHtjsOy/bT6p9f
W2mRPfwnq2JB5As+paL3UGDsSRDnK9KAxQb0NNF4+eVhr/EJ18s3wwXXDMjpIifq
fIm2WyH3G+aRLTLPIpscUNKDyxFOUbsmgXAmJ46Re1fn8uKxKRHbfa39aeuEYWFA
3drdL1WoUngvED7f+RnKBK2G6ZEpO+LDovQk19xGjiMTtPJrjMjZJ3QXqPvx5wca
KSZLr4lMTuoTI/ZXyZy5bD4tShiZz6KcyX27cD70q2iRcEZ0poLKHyEIDAi3TM5k
SwbbWBFd5RNPOR0qzrb/0p9ksKK48IIfH2FvABEBAAG0K0hhc2hpQ29ycCBTZWN1
cml0eSA8c2VjdXJpdHlAaGFzaGljb3JwLmNvbT6JATgEEwECACIFAlMORM0CGwMG
CwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEFGFLYc0j/xMyWIIAIPhcVqiQ59n
Jc07gjUX0SWBJAxEG1lKxfzS4Xp+57h2xxTpdotGQ1fZwsihaIqow337YHQI3q0i
SqV534Ms+j/tU7X8sq11xFJIeEVG8PASRCwmryUwghFKPlHETQ8jJ+Y8+1asRydi
psP3B/5Mjhqv/uOK+Vy3zAyIpyDOMtIpOVfjSpCplVRdtSTFWBu9Em7j5I2HMn1w
sJZnJgXKpybpibGiiTtmnFLOwibmprSu04rsnP4ncdC2XRD4wIjoyA+4PKgX3sCO
klEzKryWYBmLkJOMDdo52LttP3279s7XrkLEE7ia0fXa2c12EQ0f0DQ1tGUvyVEW
WmJVccm5bq25AQ0EUw5EzQEIANaPUY04/g7AmYkOMjaCZ6iTp9hB5Rsj/4ee/ln9
wArzRO9+3eejLWh53FoN1rO+su7tiXJA5YAzVy6tuolrqjM8DBztPxdLBbEi4V+j
2tK0dATdBQBHEh3OJApO2UBtcjaZBT31zrG9K55D+CrcgIVEHAKY8Cb4kLBkb5wM
skn+DrASKU0BNIV1qRsxfiUdQHZfSqtp004nrql1lbFMLFEuiY8FZrkkQ9qduixo
mTT6f34/oiY+Jam3zCK7RDN/OjuWheIPGj/Qbx9JuNiwgX6yRj7OE1tjUx6d8g9y
0H1fmLJbb3WZZbuuGFnK6qrE3bGeY8+AWaJAZ37wpWh1p0cAEQEAAYkBHwQYAQIA
CQUCUw5EzQIbDAAKCRBRhS2HNI/8TJntCAClU7TOO/X053eKF1jqNW4A1qpxctVc
z8eTcY8Om5O4f6a/rfxfNFKn9Qyja/OG1xWNobETy7MiMXYjaa8uUx5iFy6kMVaP
0BXJ59NLZjMARGw6lVTYDTIvzqqqwLxgliSDfSnqUhubGwvykANPO+93BBx89MRG
unNoYGXtPlhNFrAsB1VR8+EyKLv2HQtGCPSFBhrjuzH3gxGibNDDdFQLxxuJWepJ
EK1UbTS4ms0NgZ2Uknqn1WRU1Ki7rE4sTy68iZtWpKQXZEJa0IGnuI2sSINGcXCJ
oEIgXTMyCILo34Fa/C6VCm2WBgz9zZO8/rHIiQm1J5zqz0DrDwKBUM9C
=LYpS
-----END PGP PUBLIC KEY BLOCK-----
hashicorp_key_id: 51852D87348FFC4C

19
vault/config.sls Normal file
View file

@ -0,0 +1,19 @@
{%- from slspath + '/map.jinja' import vault with context -%}
vault-config:
file.managed:
- name: /etc/vault.d/config.hcl
- source: salt://vault/files/config.hcl
- template: jinja
- context:
self_signed_cert: {{ vault.self_signed_cert }}
config: {{ vault.config }}
- user: {{ vault.user }}
- group: {{ vault.group }}
- mode: 0640
- require:
- user: vault-user
{%- if vault.service %}
- watch_in:
- service: vault
{%- endif %}

View file

@ -1,52 +1,24 @@
vault:
version: 0.9.1
version: 0.10.1
download_host: releases.hashicorp.com
service: false
user: vault
group: vault
config:
data_dir: /var/lib/vault
listen_protocol: tcp
listen_port: 8200
listen_address: 0.0.0.0
tls_disable: 0
service: upstart
tls_cert_file: {}
tls_key_file: {}
tls_cert_file: ''
tls_key_file: ''
default_lease_ttl: 24h
max_lease_ttl: 24h
backend: {}
dev_mode: false
self_signed_cert:
enabled: false
backend: {}
dev_mode: true
secure_download: true
service:
type: systemd
user: root
group: root
hashicorp_gpg_key: |
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1
mQENBFMORM0BCADBRyKO1MhCirazOSVwcfTr1xUxjPvfxD3hjUwHtjsOy/bT6p9f
W2mRPfwnq2JB5As+paL3UGDsSRDnK9KAxQb0NNF4+eVhr/EJ18s3wwXXDMjpIifq
fIm2WyH3G+aRLTLPIpscUNKDyxFOUbsmgXAmJ46Re1fn8uKxKRHbfa39aeuEYWFA
3drdL1WoUngvED7f+RnKBK2G6ZEpO+LDovQk19xGjiMTtPJrjMjZJ3QXqPvx5wca
KSZLr4lMTuoTI/ZXyZy5bD4tShiZz6KcyX27cD70q2iRcEZ0poLKHyEIDAi3TM5k
SwbbWBFd5RNPOR0qzrb/0p9ksKK48IIfH2FvABEBAAG0K0hhc2hpQ29ycCBTZWN1
cml0eSA8c2VjdXJpdHlAaGFzaGljb3JwLmNvbT6JATgEEwECACIFAlMORM0CGwMG
CwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEFGFLYc0j/xMyWIIAIPhcVqiQ59n
Jc07gjUX0SWBJAxEG1lKxfzS4Xp+57h2xxTpdotGQ1fZwsihaIqow337YHQI3q0i
SqV534Ms+j/tU7X8sq11xFJIeEVG8PASRCwmryUwghFKPlHETQ8jJ+Y8+1asRydi
psP3B/5Mjhqv/uOK+Vy3zAyIpyDOMtIpOVfjSpCplVRdtSTFWBu9Em7j5I2HMn1w
sJZnJgXKpybpibGiiTtmnFLOwibmprSu04rsnP4ncdC2XRD4wIjoyA+4PKgX3sCO
klEzKryWYBmLkJOMDdo52LttP3279s7XrkLEE7ia0fXa2c12EQ0f0DQ1tGUvyVEW
WmJVccm5bq25AQ0EUw5EzQEIANaPUY04/g7AmYkOMjaCZ6iTp9hB5Rsj/4ee/ln9
wArzRO9+3eejLWh53FoN1rO+su7tiXJA5YAzVy6tuolrqjM8DBztPxdLBbEi4V+j
2tK0dATdBQBHEh3OJApO2UBtcjaZBT31zrG9K55D+CrcgIVEHAKY8Cb4kLBkb5wM
skn+DrASKU0BNIV1qRsxfiUdQHZfSqtp004nrql1lbFMLFEuiY8FZrkkQ9qduixo
mTT6f34/oiY+Jam3zCK7RDN/OjuWheIPGj/Qbx9JuNiwgX6yRj7OE1tjUx6d8g9y
0H1fmLJbb3WZZbuuGFnK6qrE3bGeY8+AWaJAZ37wpWh1p0cAEQEAAYkBHwQYAQIA
CQUCUw5EzQIbDAAKCRBRhS2HNI/8TJntCAClU7TOO/X053eKF1jqNW4A1qpxctVc
z8eTcY8Om5O4f6a/rfxfNFKn9Qyja/OG1xWNobETy7MiMXYjaa8uUx5iFy6kMVaP
0BXJ59NLZjMARGw6lVTYDTIvzqqqwLxgliSDfSnqUhubGwvykANPO+93BBx89MRG
unNoYGXtPlhNFrAsB1VR8+EyKLv2HQtGCPSFBhrjuzH3gxGibNDDdFQLxxuJWepJ
EK1UbTS4ms0NgZ2Uknqn1WRU1Ki7rE4sTy68iZtWpKQXZEJa0IGnuI2sSINGcXCJ
oEIgXTMyCILo34Fa/C6VCm2WBgz9zZO8/rHIiQm1J5zqz0DrDwKBUM9C
=LYpS
-----END PGP PUBLIC KEY BLOCK-----
hashicorp_key_id: 51852D87348FFC4C

35
vault/files/config.hcl Normal file
View file

@ -0,0 +1,35 @@
listener "{{ config.listen_protocol }}" {
address = "{{ config.listen_address }}:{{ config.listen_port }}"
tls_disable = {{ config.tls_disable }}
{%- if self_signed_cert.enabled %}
tls_cert_file = "/etc/vault/{{ self_signed_cert.hostname }}.pem"
tls_key_file = "/etc/vault/{{ self_signed_cert.hostname }}-nopass.key"
{% else -%}
{%- if config.tls_cert_file %}
tls_cert_file = "{{ config.tls_cert_file }}"
{%- endif -%}
{%- if config.tls_key_file %}
tls_key_file = "{{ config.tls_key_file }}"
{% endif -%}
{% endif -%}
}
{%- if config.backend and config.backend.type == "s3" %}
backend "s3" {
bucket = "{{ config.backend.bucket }}"
}
{% endif -%}
{%- if config.storage and config.storage.type == "consul" %}
storage "consul" {
address = "{{ config.storage.address }}"
path = "{{ config.storage.path }}"
}
{%- else -%}
storage "file" {
path = "{{ config.data_dir }}"
}
{%- endif %}
default_lease_ttl="{{ config.default_lease_ttl }}"
max_lease_ttl="{{ config.max_lease_ttl }}"

View file

@ -1,25 +0,0 @@
{%- from "vault/map.jinja" import vault with context -%}
{%- if vault.backend and vault.backend.type == "s3" %}
backend "s3" {
bucket = "{{ vault.backend.bucket }}"
}
{% endif -%}
listener "{{ vault.listen_protocol }}" {
address = "{{ vault.listen_address }}:{{ vault.listen_port }}"
tls_disable = {{ vault.tls_disable }}
{% if vault.self_signed_cert.enabled %}
tls_cert_file = "/etc/vault/{{ vault.self_signed_cert.hostname }}.pem"
tls_key_file = "/etc/vault/{{ vault.self_signed_cert.hostname }}-nopass.key"
{% else %}
{%- if vault.tls_cert_file %}
tls_cert_file = "{{ vault.tls_cert_file }}"
{% endif -%}
{%- if vault.tls_key_file %}
tls_key_file = "{{ vault.tls_key_file }}"
{% endif -%}
{% endif %}
}
default_lease_ttl="{{ vault.default_lease_ttl }}"
max_lease_ttl="{{ vault.max_lease_ttl }}"

18
vault/files/vault.service Normal file
View file

@ -0,0 +1,18 @@
[Unit]
Description=vault server
Requires=network-online.target
After=network-online.target{% if config.storage and config.storage.type == "consul" %} consul.service{% endif %}
[Service]
EnvironmentFile=-/etc/sysconfig/vault
User={{ user }}
Group={{ group }}
ExecStart=/usr/local/bin/vault server {% if config.dev_mode %}-dev{% else %}-config="/etc/vault.d/config.hcl"{% endif %}
ExecReload=/bin/kill -signal HUP $MAINPID
ExecStop=/usr/local/bin/vault operator step-down
Restart=on-failure
CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK
AmbientCapabilities=CAP_IPC_LOCK
SecureBits=keep-caps
NoNewPrivileges=yes
KillSignal=SIGINT

196
vault/files/vault.sysvinit Normal file
View file

@ -0,0 +1,196 @@
#!/bin/bash
#
# vault Manage the vault agent
#
# chkconfig: 2345 95 95
# description: Vault is a tool for service discovery and configuration
# processname: vault
# config: /etc/vault.d/config.hcl
# pidfile: /var/run/vault.pid
### BEGIN INIT INFO
# Provides: vault
# Required-Start: $local_fs $network
# Required-Stop:
# Should-Start:
# Should-Stop:
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Manage the vault agent
# Description: Vault is a tool for service discovery and configuration
### END INIT INFO
# source function library
. /etc/rc.d/init.d/functions
prog="vault"
exec="/usr/local/bin/$prog"
pidfile="/var/run/$prog.pid"
lockfile="/var/lock/subsys/$prog"
logfile="/var/log/$prog"
confdir="/etc/vault.d"
# pull in sysconfig settings
[ -e /etc/sysconfig/$prog ] && . /etc/sysconfig/$prog
user=${VAULT_USER:-vault}
group=${VAULT_GROUP:-vault}
export GOMAXPROCS=${GOMAXPROCS:-2}
start() {
[ -x $exec ] || exit 5
[ -d $confdir ] || exit 6
umask 077
touch $logfile $pidfile
chown "$user:$group" $logfile $pidfile
echo -n $"Starting $prog: "
## holy shell shenanigans, batman!
## daemon can't be backgrounded. we need the pid of the spawned process,
## which is actually done via runuser thanks to --user.
## you can't do "cmd &; action" but you can do "{cmd &}; action".
## vault 0.2.1 added -pid-file; although the following creates $pidfile
## owned by vault:vault, using -pid-file results in a permission error.
daemon \
--pidfile=$pidfile \
--user="$user" \
" { $exec agent -config=$confdir/config.hcl &>> $logfile & } ; echo \$! >| $pidfile "
RETVAL=$?
echo
[ $RETVAL -eq 0 ] && touch $lockfile
echo -n $"Waiting for Vault ready: "
## wait up to 60s for the rpc port to become listened-upon
## vault 0.2.1 got much slower to start!
count=0
ready=0
pid=$( cat ${pidfile} )
while checkpid ${pid} && [ $count -lt 60 ] && [ $ready -ne 1 ]; do
count=$(( count + 1 ))
if netstat -lptn | egrep -q ":8400.*LISTEN +${pid}/" ; then
ready=1
else
sleep 1
fi
done
if [ $ready -eq 1 ]; then
RETVAL=0
success
else
RETVAL=1
failure
fi
echo
return $RETVAL
}
stop() {
echo -n $"Shutting down $prog: "
## graceful shutdown with leave
$exec leave &> /dev/null
RETVAL=$?
## wait up to 10s for the daemon to exit
if [ $RETVAL -eq 0 ]; then
count=0
stopped=0
pid=$( cat ${pidfile} )
while [ $count -lt 10 ] && [ $stopped -ne 1 ]; do
count=$(( count + 1 ))
if ! checkpid ${pid} ; then
stopped=1
else
sleep 1
fi
done
if [ $stopped -ne 1 ]; then
RETVAL=125
fi
fi
if [ $RETVAL -eq 0 ]; then
success
rm -f $lockfile $pidfile
else
failure
fi
echo
return $RETVAL
}
restart() {
stop
start
}
reload() {
echo -n $"Reloading $prog: "
killproc -p $pidfile $exec -HUP
echo
}
force_reload() {
restart
}
rh_status() {
status -p "$pidfile" -l $prog $exec
RETVAL=$?
[ $RETVAL -eq 0 ] && $exec members
return $RETVAL
}
rh_status_q() {
rh_status >/dev/null 2>&1
}
case "$1" in
start)
rh_status_q && exit 0
$1
;;
stop)
rh_status_q || exit 0
$1
;;
restart)
$1
;;
reload)
rh_status_q || exit 7
$1
;;
force-reload)
force_reload
;;
status)
rh_status
;;
condrestart|try-restart)
rh_status_q || exit 0
restart
;;
*)
echo $"Usage: $0 {start|stop|status|restart|condrestart|try-restart|reload|force-reload}"
exit 2
esac
exit $?

View file

@ -1,4 +1,4 @@
{%- from "vault/map.jinja" import vault with context -%}
{%- from slspath + '/map.jinja' import vault with context -%}
description "Vault server"
start on (runlevel [345] and started network)
@ -15,10 +15,10 @@ script
export GOMAXPROCS=`nproc`
exec /usr/local/bin/vault server \
{%- if vault.dev_mode %}
{%- if vault.config.dev_mode %}
-dev \
{% else %}
-config="/etc/vault/config/server.hcl" \
-config="/etc/vault.d/config.hcl" \
{% endif -%}
>>/var/log/vault.log 2>&1
end script

View file

@ -1,12 +0,0 @@
{%- from "vault/map.jinja" import vault with context -%}
[Unit]
Description=vault server
Requires=network-online.target
After=network-online.target consul.service
[Service]
EnvironmentFile=-/etc/sysconfig/vault
Restart=on-failure
ExecStart=/usr/local/bin/vault server {% if vault.dev_mode %}-dev{% else %} -config="/etc/vault/config/server.hcl"{% endif %}
User={{ vault.user }}
Group={{ vault.group }}

View file

@ -1,78 +1,6 @@
{% from "vault/map.jinja" import vault with context %}
# using archive.extracted causes: 'Comment: Failed to cache https://releases.hashicorp.com/vault/0.7.0/vault_0.7.0_linux_amd64.zip: [Errno 1] _ssl.c:493: error:1409442E:SSL routines:SSL3_READ_BYTES:tlsv1 alert protocol version'
vault packages:
pkg.installed:
- names:
- unzip
- curl
{% if vault.secure_download %}
{% if grains['os'] == 'CentOS' or grains['os'] == 'Amazon' %}
- gnupg2
- perl-Digest-SHA
{% elif grains['os'] == 'Ubuntu' %}
- gnupg
- libdigest-sha-perl
{% endif %}
{% endif %}
{%- from slspath + "/map.jinja" import vault with context -%}
download vault:
cmd.run:
- name: curl --silent -L https://releases.hashicorp.com/vault/{{ vault.version }}/vault_{{ vault.version }}_linux_amd64.zip -o /tmp/vault_{{ vault.version }}_linux_amd64.zip
- creates: /tmp/vault_{{ vault.version }}_linux_amd64.zip
{% if vault.secure_download %}
download shasums:
cmd.run:
- name: curl --silent -L https://releases.hashicorp.com/vault/{{ vault.version }}/vault_{{ vault.version }}_SHA256SUMS -o /tmp/vault_{{ vault.version }}_SHA256SUMS
- creates: /tmp/vault_{{ vault.version }}_SHA256SUMS
download shasums sig:
cmd.run:
- name: curl --silent -L https://releases.hashicorp.com/vault/{{ vault.version }}/vault_{{ vault.version }}_SHA256SUMS.sig -o /tmp/vault_{{ vault.version }}_SHA256SUMS.sig
- creates: /tmp/vault_{{ vault.version }}_SHA256SUMS.sig
/tmp/hashicorp.asc:
file.managed:
- source: salt://vault/files/hashicorp.asc.jinja
- template: jinja
import key:
cmd.run:
- name: gpg --import /tmp/hashicorp.asc
- unless: gpg --list-keys {{ vault.hashicorp_key_id }}
- requires:
- file: /tmp/hashicorp.asc
- cmd: vault packages
verify shasums sig:
cmd.run:
- name: gpg --verify /tmp/vault_{{ vault.version }}_SHA256SUMS.sig /tmp/vault_{{ vault.version }}_SHA256SUMS
- require:
- cmd: download shasums
- cmd: import key
verify vault:
cmd.run:
- name: "shasum -a 256 -c vault_{{ vault.version }}_SHA256SUMS 2>&1 | grep -q \"vault_{{ vault.version }}_linux_amd64.zip: OK\""
- cwd: /tmp
- require:
- cmd: download vault
- cmd: verify shasums sig
{% endif %}
install vault:
cmd.run:
- name: unzip /tmp/vault_{{ vault.version }}_linux_amd64.zip -d /usr/local/bin && chmod 0755 /usr/local/bin/vault && chown root:root /usr/local/bin/vault
- require:
- cmd: download vault
- pkg: unzip
{% if vault.secure_download %}
- cmd: verify vault
{% endif %}
- creates: /usr/local/bin/vault
vault set cap mlock:
cmd.run:
- name: "setcap cap_ipc_lock=+ep /usr/local/bin/vault"
- onchanges:
- cmd: install vault
include:
- {{ slspath }}.install
- {{ slspath }}.config
- {{ slspath }}.service

84
vault/install.sls Normal file
View file

@ -0,0 +1,84 @@
{%- from slspath + '/map.jinja' import vault with context -%}
vault-dep-unzp:
pkg.installed:
- name: unzip
vault-bin-dir:
file.directory:
- name: /usr/local/bin
- makedirs: True
# Create vault user
vault-group:
group.present:
- name: {{ vault.group }}
vault-user:
user.present:
- name: {{ vault.user }}
- groups:
- {{ vault.group }}
- home: {{ salt['user.info'](vault.user)['home']|default(vault.config.data_dir) }}
- createhome: False
- system: True
- require:
- group: vault-group
# Create directories
vault-config-dir:
file.directory:
- name: /etc/vault.d
- user: {{ vault.user }}
- group: {{ vault.group }}
- mode: 0750
vault-data-dir:
file.directory:
- name: {{ vault.config.data_dir }}
- makedirs: True
- user: {{ vault.user }}
- group: {{ vault.group }}
- mode: 0750
# Install agent
vault-download:
file.managed:
- name: /tmp/vault_{{ vault.version }}_linux_{{ vault.arch }}.zip
- source: https://{{ vault.download_host }}/vault/{{ vault.version }}/vault_{{ vault.version }}_linux_{{ vault.arch }}.zip
- source_hash: https://releases.hashicorp.com/vault/{{ vault.version }}/vault_{{ vault.version }}_SHA256SUMS
- unless: test -f /usr/local/bin/vault-{{ vault.version }}
vault-extract:
cmd.wait:
- name: unzip /tmp/vault_{{ vault.version }}_linux_{{ vault.arch }}.zip -d /tmp
- watch:
- file: vault-download
vault-install:
file.rename:
- name: /usr/local/bin/vault-{{ vault.version }}
- source: /tmp/vault
- require:
- file: /usr/local/bin
- watch:
- cmd: vault-extract
vault-clean:
file.absent:
- name: /tmp/vault_{{ vault.version }}_linux_{{ vault.arch }}.zip
- watch:
- file: vault-install
vault-link:
file.symlink:
- target: vault-{{ vault.version }}
- name: /usr/local/bin/vault
- watch:
- file: vault-install
vault-set-cap-mlock:
cmd.run:
- name: "setcap cap_ipc_lock=+ep /usr/local/bin/vault-{{ vault.version }}"
- onchanges:
- file: vault-install

View file

@ -1,2 +1,19 @@
{% import_yaml "vault/defaults.yaml" as defaults %}
{% set vault = salt['pillar.get']('vault', default=defaults['vault'], merge=True) %}
{% import_yaml slspath+"/defaults.yaml" as defaults %}
{% set vault = salt['pillar.get']('vault', default=defaults.vault, merge=True) %}
{## Add any overrides based on CPU architecture. ##}
{% set vault = salt['grains.filter_by']({
'armv6l': {
"arch": 'arm'
},
'armv7l': {
"arch": 'arm'
},
'x86_64': {
"arch": 'amd64'
}
}
,grain="cpuarch"
,merge=vault)
%}

View file

@ -1,76 +0,0 @@
{% from "vault/map.jinja" import vault with context %}
{%- if vault.self_signed_cert.enabled %}
/usr/local/bin/self-cert-gen.sh:
file.managed:
- source: salt://vault/files/cert-gen.sh.jinja
- template: jinja
- user: root
- group: root
- mode: 644
generate self signed SSL certs:
cmd.run:
- name: bash /usr/local/bin/cert-gen.sh {{ vault.self_signed_cert.hostname }} {{ vault.self_signed_cert.password }}
- cwd: /etc/vault
- require:
- file: /usr/local/bin/self-cert-gen.sh
{% endif -%}
/etc/vault:
file.directory:
- user: root
- group: root
- mode: 755
/etc/vault/config:
file.directory:
- user: root
- group: root
- mode: 755
- require:
- file: /etc/vault
/etc/vault/config/server.hcl:
file.managed:
- source: salt://vault/files/server.hcl.jinja
- template: jinja
- user: root
- group: root
- mode: 644
- require:
- file: /etc/vault/config
{%- if vault.service.type == 'systemd' %}
/etc/systemd/system/vault.service:
file.managed:
- source: salt://vault/files/vault_systemd.service.jinja
- template: jinja
- user: root
- group: root
- mode: 644
- require_in:
- service: vault
{% elif vault.service.type == 'upstart' %}
/etc/init/vault.conf:
file.managed:
- source: salt://vault/files/vault_upstart.conf.jinja
- template: jinja
- user: root
- group: root
- require_in:
- service: vault
{% endif -%}
vault:
service.running:
- enable: True
- require:
{%- if vault.self_signed_cert.enabled %}
- cmd: generate self signed SSL certs
{% endif %}
- file: /etc/vault/config/server.hcl
- cmd: install vault
- onchanges:
- cmd: install vault
- file: /etc/vault/config/server.hcl

67
vault/service.sls Normal file
View file

@ -0,0 +1,67 @@
{%- from slspath + '/map.jinja' import vault with context -%}
{%- if vault.self_signed_cert.enabled %}
self-cert-gen-script:
file.managed:
- name: /usr/local/bin/self-cert-gen.sh
- source: salt://vault/files/cert-gen.sh.jinja
- template: jinja
- user: root
- group: root
- mode: 644
generate-self-signed-SSL-certs:
cmd.run:
- name: bash /usr/local/bin/cert-gen.sh {{ vault.self_signed_cert.hostname }} {{ vault.self_signed_cert.password }}
- cwd: /etc/vault
- require:
- file: self-cert-gen-script
{% endif -%}
vault-init-env:
file.managed:
{%- if grains['os_family'] == 'Debian' %}
- name: /etc/default/vault
{%- else %}
- name: /etc/sysconfig/vault
- makedirs: True
{%- endif %}
- user: root
- group: root
- mode: 0644
- contents:
- VAULT_USER={{ vault.user }}
- VAULT_GROUP={{ vault.group }}
vault-init-file:
file.managed:
{%- if salt['test.provider']('service') == 'systemd' %}
- source: salt://{{ slspath }}/files/vault.service
- name: /etc/systemd/system/vault.service
- template: jinja
- context:
user: {{ vault.user }}
group: {{ vault.group }}
config: {{ vault.config }}
- mode: 0644
{%- elif salt['test.provider']('service') == 'upstart' %}
- source: salt://{{ slspath }}/files/vault.upstart
- name: /etc/init/vault.conf
- mode: 0644
{%- else %}
- source: salt://{{ slspath }}/files/vault.sysvinit
- name: /etc/init.d/vault
- mode: 0755
{%- endif %}
{%- if vault.service %}
vault-service:
service.running:
- name: vault
- enable: True
- watch:
- file: vault-init-env
- file: vault-init-file
{%- endif %}