Added parameters
This commit is contained in:
parent
e0b13c665a
commit
db59643941
7 changed files with 62 additions and 33 deletions
|
@ -1,7 +1,10 @@
|
|||
vault:
|
||||
vault_version: 0.7.0
|
||||
skip_verify: true
|
||||
protocol: https
|
||||
hostname: vault.hostname.com
|
||||
port: 8200
|
||||
|
||||
listen_protocol: tcp
|
||||
listen_port: 8200
|
||||
listen_address: 0.0.0.0
|
||||
strict_tls: 0
|
||||
default_lease_ttl: '4380h'
|
||||
max_lease_ttl: '43800h'
|
||||
s3_backend:
|
||||
bucket: 'com-foo-vault'
|
||||
|
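Review bot: `strict_tls: 0` reads as the opposite of its effect: the new server.hcl.jinja in this commit renders it verbatim as `tls_disable = {{ vault.strict_tls }}`, so `0` keeps TLS on and `1` switches it off. Renaming the key to `tls_disable`, or rendering `tls_disable = {{ 0 if vault.strict_tls else 1 }}`, would stop an operator who sets `strict_tls: 1` from unknowingly serving plaintext. If this file is the pillar example, note also that map.jinja merges from `salt['pillar.get']('vault:lookup')`, so values placed directly under `vault:` as shown here would presumably never reach the map; they would need to sit under `vault: lookup:`. `skip_verify: true` is not consumed by any template visible in this commit; a comment saying which component reads it (and that it disables certificate verification there) would help the next reviewer.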
|
|
@ -30,8 +30,7 @@ pw="$child"
|
|||
root_key="$root.key"
|
||||
root_pem="$root.pem"
|
||||
root_key_nopass="$root-nopass.key"
|
||||
# TODO parameterize
|
||||
root_subj="/C=US/ST=TN/L=Nashville/O=Fixme/OU=Ops/CN=$root\_ca"
|
||||
root_subj="/C={{ vault.self_signed_cert.country }}/ST={{ vault.self_signed_cert.state }}/L={{ vault.self_signed_cert.city }}/O={{ vault.self_signed_cert.org }}/OU={{ vault.self_signed_cert.org_unit }}/CN=$root\_ca"
|
||||
root_p12="$root.p12"
|
||||
|
||||
###
|
||||
|
@ -72,7 +71,7 @@ child_name="${root}_${child}"
|
|||
child_key="$child_name.key"
|
||||
child_pem="$child_name.pem"
|
||||
child_csr="$child_name.csr"
|
||||
child_subj="/C=US/ST=TN/L=Nashville/O=Stratasan/OU=Ops/CN=$child_name"
|
||||
child_subj="/C={{ vault.self_signed_cert.country }}/ST={{ vault.self_signed_cert.state }}/L={{ vault.self_signed_cert.city }}/O={{ vault.self_signed_cert.org }}/OU={{ vault.self_signed_cert.org_unit }}/CN=$child_name"
|
||||
child_p12="$child_name.p12"
|
||||
child_jks="$child_name.jks"
|
||||
|
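Review bot: The pillar values interpolated into `root_subj` (and into `child_subj` in the second hunk) land inside a double-quoted bash string with no escaping, so a value containing `"`, `$` or a backtick either breaks the assignment or is expanded by the shell when the script runs; the template should validate or escape each field (a restrictive character-class check before use is the simplest option) rather than trust the pillar verbatim. The `# TODO parameterize` comment left above `root_subj` is now stale, since that is exactly what this hunk does, and should be dropped. The pre-existing `CN=$root\_ca` keeps a literal backslash in the CN (inside double quotes `\_` is not an escape); `CN=${root}_ca` is presumably what was meant. Both hunks sit in the top-level body of the script, which continues outside them.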
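--- /dev/null
+++ b/vault/files/server.hcl.jinja
@@ -0,0 +1,27 @@
+{% from "vault/map.jinja" import vault with context %}
+
+{% if vault.s3_backend %}
+backend "s3" {
+bucket = "{{ vault.s3_backend.bucket }}"
+}
+{% endif %}
+
+listener "{{ vault.listen_protocol }}" {
+address = "{{ vault.listen_address }}:{{ vault.listen_port }}"
+tls_disable = {{ vault.strict_tls }}
+{% if vault.self_signed_cert.enabled %}
+tls_cert_file = "/etc/vault/{{ vault.self_signed_cert.hostname }}.pem"
+tls_key_file = "/etc/vault/{{ vault.self_signed_cert.hostname }}-nopass.key"
+{% else %}
+{% if vault.tls_cert_file %}
+tls_cert_file = "{{ vault.tls_cert_file }}"
+{% endif %}
+{% if vault.tls_key_file %}
+tls_key_file = "{{ vault.tls_cert_file }}"
+{% endif %}
+{% endif %}
+}
+
+#todo parameterize
+default_lease_ttl="{{ vault.default_lease_ttl }}"
+max_lease_ttl="{{ vault.max_lease_ttl }}"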
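Review bot: `tls_key_file = "{{ vault.tls_cert_file }}"` in the non-self-signed branch points the key file at the certificate path, so a deployment that supplies its own certificate would load the wrong file or fail to start; it should read `tls_key_file = "{{ vault.tls_key_file }}"`. `tls_disable = {{ vault.strict_tls }}` inverts the meaning of the setting name, since a `strict_tls` of `1` disables TLS; either rename the pillar key or render `tls_disable = {{ 0 if vault.strict_tls else 1 }}`. The `#todo parameterize` comment above the lease TTLs is now stale and should go. When `vault.s3_backend` is unset nothing emits a storage backend at all, which Vault will presumably reject at startup; an `{% else %}` branch that fails the render with a clear message would surface that misconfiguration at state-apply time instead.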
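--- /dev/null
+++ b/vault/map.jinja
@@ -0,0 +1,14 @@
+{% set vault = salt['grains.filter_by']({
+'default': {
+listen_protocol: 'tcp',
+listen_address: 0.0.0.0,
+listen_port: 8200,
+strict_tls: 1,
+default_lease_ttl: '72h',
+max_lease_ttl: '72h',
+vault_version: '0.7.0',
+self_signed_cert: {
+enabled: false,
+}
+},
+}, merge=salt['pillar.get']('vault:lookup')) %}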
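Review bot: The keys of the defaults dict are bare names (`listen_protocol: 'tcp'`, `self_signed_cert: {`, `enabled: false`), and Jinja evaluates a bare name in a dict literal as a variable lookup rather than a string, so the entries are not keyed by the intended names and, under Salt's default strict-undefined rendering, the map presumably fails to render at all; `listen_address: 0.0.0.0` has the same problem, as `0.0.0.0` is not a string literal in Jinja. Every key and the address need quoting, as below. Separately, no default is provided for `tls_cert_file`, `tls_key_file` or `s3_backend`, yet server.hcl.jinja tests them with `{% if vault.tls_cert_file %}`; unless `allow_undefined` is enabled, an explicit default (e.g. `'tls_cert_file': none`) is needed here for pillars that do not set them.
```jinja
{% set vault = salt['grains.filter_by']({
  'default': {
    'listen_protocol': 'tcp',
    'listen_address': '0.0.0.0',
    'listen_port': 8200,
    'strict_tls': 1,
    'default_lease_ttl': '72h',
    'max_lease_ttl': '72h',
    'vault_version': '0.7.0',
    'self_signed_cert': {
      'enabled': false,
    }
  },
}, merge=salt['pillar.get']('vault:lookup')) %}
```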
@ -1,24 +1,24 @@
|
|||
#TODO only do this if bool param 'self_signed_cert: true'
|
||||
{% from "vault/map.jinja" import vault with context %}
|
||||
{% if vault.self_signed_cert.enabled %}
|
||||
/usr/local/bin/self-cert-gen.sh:
|
||||
file.managed:
|
||||
- source: salt://vault/templates/cert-gen.sh.jinja
|
||||
- source: salt://vault/files/cert-gen.sh.jinja
|
||||
- template: jinja
|
||||
- user: root
|
||||
- group: root
|
||||
- mode: 644
|
||||
|
||||
#TODO only do this if bool param 'self_signed_cert: true'
|
||||
#TODO parameterize localhost and 'vault' password
|
||||
generate SSL certs:
|
||||
generate self signed SSL certs:
|
||||
cmd.run:
|
||||
- name: bash /usr/local/bin/cert-gen.sh localhost vault
|
||||
- name: bash /usr/local/bin/cert-gen.sh {{ vault.self_signed_cert.hostname }} {{ vault.self_signed_cert.password }}
|
||||
- cwd: /etc/vault
|
||||
- require:
|
||||
- file: /usr/local/bin/self-cert-gen.sh
|
||||
{% endif %}
|
||||
|
||||
/etc/vault/config/server.hcl:
|
||||
file.managed:
|
||||
- source: salt://vault/templates/server.hcl.jinja
|
||||
- source: salt://vault/files/server.hcl.jinja
|
||||
- template: jinja
|
||||
- user: root
|
||||
- group: root
|
||||
|
@ -26,7 +26,7 @@ generate SSL certs:
|
|||
|
||||
/etc/init/vault.conf:
|
||||
file.managed:
|
||||
- source: salt://vault/templates/vault.conf.jinja
|
||||
- source: salt://vault/files/vault.conf.jinja
|
||||
- template: jinja
|
||||
- user: root
|
||||
- group: root
|
||||
|
@ -36,6 +36,8 @@ vault:
|
|||
service.running:
|
||||
- enable: True
|
||||
- require:
|
||||
- cmd: generate SSL certs #todo only if bool present
|
||||
{% if vault.self_signed_cert.enabled %}
|
||||
- cmd: generate self signed SSL certs
|
||||
{% endif %}
|
||||
- file: /etc/vault/config/server.hcl
|
||||
- file: /etc/init/vault.conf
|
||||
|
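Review bot: The self-signed certificate password is passed as a positional argument in `- name: bash /usr/local/bin/cert-gen.sh {{ vault.self_signed_cert.hostname }} {{ vault.self_signed_cert.password }}`, so it becomes part of the state name (highstate output, job cache, master logs) and is visible in the minion's process list while the script runs; passing it through `- env:` and reading it from the environment in the script keeps it out of the state name and `ps`, and `- output_loglevel: quiet` keeps the command output out of the logs. Both arguments are also unquoted, so a hostname or password containing spaces or shell metacharacters changes the command; quoting them in the `name` is cheap. Separately, the managed file is `/usr/local/bin/self-cert-gen.sh` and the `require` points at it, but the command runs `/usr/local/bin/cert-gen.sh`; unless another state installs that path, the `cmd.run` will fail. The `#TODO parameterize localhost and 'vault' password` comment is now stale and should be dropped.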
|
|
@ -1,16 +0,0 @@
|
|||
#todo parameterize
|
||||
backend "s3" {
|
||||
bucket = "fixme"
|
||||
}
|
||||
|
||||
# TODO parameterize
|
||||
listener "tcp" {
|
||||
address = "0.0.0.0:8200"
|
||||
tls_disable = 0 #todo - only include if bool from server.sls found
|
||||
tls_cert_file = "/etc/vault/localhost.pem" #todo - only include if bool from server.sls found
|
||||
tls_key_file = "/etc/vault/localhost-nopass.key" #todo - only include if bool from server.sls found
|
||||
}
|
||||
|
||||
#todo parameterize
|
||||
default_lease_ttl="4380h"
|
||||
max_lease_ttl="43800h"
|