Added parameters

2017-04-11 09:55:31 -05:00 · 2017-04-11 09:55:31 -05:00 · db59643941
parent e0b13c665a
commit db59643941
7 changed files with 62 additions and 33 deletions
--- a/pillar.example
+++ b/pillar.example
@ -1,7 +1,10 @@
 vault:
  vault_version: 0.7.0
-  skip_verify: true
-  protocol: https
-  hostname: vault.hostname.com
-  port: 8200
-
+  listen_protocol: tcp
+  listen_port: 8200
+  listen_address: 0.0.0.0
+  strict_tls: 0
+  default_lease_ttl: '4380h'
+  max_lease_ttl: '43800h'
+  s3_backend:
+    bucket: 'com-foo-vault'
--- a/vault/templates/cert-gen.sh.jinja
+++ b/vault/templates/cert-gen.sh.jinja
@ -30,8 +30,7 @@ pw="$child"
 root_key="$root.key"
 root_pem="$root.pem"
 root_key_nopass="$root-nopass.key"
-# TODO parameterize
-root_subj="/C=US/ST=TN/L=Nashville/O=Fixme/OU=Ops/CN=$root\_ca"
+root_subj="/C={{ vault.self_signed_cert.country }}/ST={{ vault.self_signed_cert.state }}/L={{ vault.self_signed_cert.city }}/O={{ vault.self_signed_cert.org }}/OU={{ vault.self_signed_cert.org_unit }}/CN=$root\_ca"
 root_p12="$root.p12"

 ###
@ -72,7 +71,7 @@ child_name="${root}_${child}"
 child_key="$child_name.key"
 child_pem="$child_name.pem"
 child_csr="$child_name.csr"
-child_subj="/C=US/ST=TN/L=Nashville/O=Stratasan/OU=Ops/CN=$child_name"
+child_subj="/C={{ vault.self_signed_cert.country }}/ST={{ vault.self_signed_cert.state }}/L={{ vault.self_signed_cert.city }}/O={{ vault.self_signed_cert.org }}/OU={{ vault.self_signed_cert.org_unit }}/CN=$child_name"
 child_p12="$child_name.p12"
 child_jks="$child_name.jks"

--- a/vault/files/server.hcl.jinja
+++ b/vault/files/server.hcl.jinja
@ -0,0 +1,27 @@
+{% from "vault/map.jinja" import vault with context %}
+
+{% if vault.s3_backend %}
+backend "s3" {
+  bucket = "{{ vault.s3_backend.bucket }}"
+}
+{% endif %}
+
+listener "{{ vault.listen_protocol }}" {
+  address = "{{ vault.listen_address }}:{{ vault.listen_port }}"
+  tls_disable = {{ vault.strict_tls }} 
+  {% if vault.self_signed_cert.enabled %}
+  tls_cert_file = "/etc/vault/{{ vault.self_signed_cert.hostname }}.pem"
+  tls_key_file = "/etc/vault/{{ vault.self_signed_cert.hostname }}-nopass.key"
+  {% else %}
+  {% if vault.tls_cert_file %}
+  tls_cert_file = "{{ vault.tls_cert_file }}"
+  {% endif %}
+  {% if vault.tls_key_file %}
+  tls_key_file = "{{ vault.tls_cert_file }}"
+  {% endif %}
+  {% endif %}
+}
+
+#todo parameterize
+default_lease_ttl="{{ vault.default_lease_ttl }}"
+max_lease_ttl="{{ vault.max_lease_ttl }}"
--- a/vault/templates/vault.conf.jinja
+++ b/vault/templates/vault.conf.jinja
--- a/vault/map.jinja
+++ b/vault/map.jinja
@ -0,0 +1,14 @@
+{% set vault = salt['grains.filter_by']({
+    'default': {
+      listen_protocol: 'tcp',
+      listen_address: 0.0.0.0,
+      listen_port: 8200,
+      strict_tls: 1,
+      default_lease_ttl: '72h',
+      max_lease_ttl: '72h',
+      vault_version: '0.7.0',
+      self_signed_cert: {
+        enabled: false,
+      }
+    },
+}, merge=salt['pillar.get']('vault:lookup')) %}
--- a/vault/server.sls
+++ b/vault/server.sls
@ -1,24 +1,24 @@
-#TODO only do this if bool param 'self_signed_cert: true'
+{% from "vault/map.jinja" import vault with context %}
+{% if vault.self_signed_cert.enabled %}
 /usr/local/bin/self-cert-gen.sh:
  file.managed:
-    - source: salt://vault/templates/cert-gen.sh.jinja
+    - source: salt://vault/files/cert-gen.sh.jinja
    - template: jinja
    - user: root
    - group: root
    - mode: 644

-#TODO only do this if bool param 'self_signed_cert: true'
-#TODO parameterize localhost and 'vault' password
-generate SSL certs:
+generate self signed SSL certs:
  cmd.run:
-    - name: bash /usr/local/bin/cert-gen.sh localhost vault
+    - name: bash /usr/local/bin/cert-gen.sh {{ vault.self_signed_cert.hostname }} {{ vault.self_signed_cert.password }}
    - cwd: /etc/vault
    - require:
      - file: /usr/local/bin/self-cert-gen.sh
+{% endif %}

 /etc/vault/config/server.hcl:
  file.managed:
-    - source: salt://vault/templates/server.hcl.jinja
+    - source: salt://vault/files/server.hcl.jinja
    - template: jinja
    - user: root
    - group: root
@ -26,7 +26,7 @@ generate SSL certs:

 /etc/init/vault.conf:
  file.managed:
-    - source: salt://vault/templates/vault.conf.jinja
+    - source: salt://vault/files/vault.conf.jinja
    - template: jinja
    - user: root
    - group: root
@ -36,6 +36,8 @@ vault:
  service.running:
    - enable: True
    - require:
-      - cmd: generate SSL certs #todo only if bool present
+      {% if vault.self_signed_cert.enabled %}
+      - cmd: generate self signed SSL certs
+      {% endif %}
      - file: /etc/vault/config/server.hcl
      - file: /etc/init/vault.conf
--- a/vault/templates/server.hcl.jinja
+++ b/vault/templates/server.hcl.jinja
@ -1,16 +0,0 @@
-#todo parameterize
-backend "s3" {
-  bucket = "fixme"
-}
-
-# TODO parameterize
-listener "tcp" {
-  address = "0.0.0.0:8200"
-  tls_disable = 0 #todo - only include if bool from server.sls found
-  tls_cert_file = "/etc/vault/localhost.pem" #todo - only include if bool from server.sls found
-  tls_key_file = "/etc/vault/localhost-nopass.key" #todo - only include if bool from server.sls found
-}
-
-#todo parameterize
-default_lease_ttl="4380h"
-max_lease_ttl="43800h"