From db5964394179da51e137ca3d217456f1dd312329 Mon Sep 17 00:00:00 2001
From: Marcus Young <myoung34@my.apsu.edu>
Date: Tue, 11 Apr 2017 09:55:31 -0500
Subject: [PATCH] Added parameters

---
 pillar.example                               | 13 ++++++----
 vault/{templates => files}/cert-gen.sh.jinja |  5 ++--
 vault/files/server.hcl.jinja                 | 27 ++++++++++++++++++++
 vault/{templates => files}/vault.conf.jinja  |  0
 vault/map.jinja                              | 14 ++++++++++
 vault/server.sls                             | 20 ++++++++-------
 vault/templates/server.hcl.jinja             | 16 ------------
 7 files changed, 62 insertions(+), 33 deletions(-)
 rename vault/{templates => files}/cert-gen.sh.jinja (88%)
 create mode 100644 vault/files/server.hcl.jinja
 rename vault/{templates => files}/vault.conf.jinja (100%)
 create mode 100644 vault/map.jinja
 delete mode 100644 vault/templates/server.hcl.jinja

diff --git a/pillar.example b/pillar.example
index def7b49..bc06e10 100644
--- a/pillar.example
+++ b/pillar.example
@@ -1,7 +1,10 @@
 vault:
   vault_version: 0.7.0
-  skip_verify: true
-  protocol: https
-  hostname: vault.hostname.com
-  port: 8200
-
+  listen_protocol: tcp
+  listen_port: 8200
+  listen_address: 0.0.0.0
+  strict_tls: 0
+  default_lease_ttl: '4380h'
+  max_lease_ttl: '43800h'
+  s3_backend:
+    bucket: 'com-foo-vault'
diff --git a/vault/templates/cert-gen.sh.jinja b/vault/files/cert-gen.sh.jinja
similarity index 88%
rename from vault/templates/cert-gen.sh.jinja
rename to vault/files/cert-gen.sh.jinja
index 5091f34..9092278 100644
--- a/vault/templates/cert-gen.sh.jinja
+++ b/vault/files/cert-gen.sh.jinja
@@ -30,8 +30,7 @@ pw="$child"
 root_key="$root.key"
 root_pem="$root.pem"
 root_key_nopass="$root-nopass.key"
-# TODO parameterize
-root_subj="/C=US/ST=TN/L=Nashville/O=Fixme/OU=Ops/CN=$root\_ca"
+root_subj="/C={{ vault.self_signed_cert.country }}/ST={{ vault.self_signed_cert.state }}/L={{ vault.self_signed_cert.city }}/O={{ vault.self_signed_cert.org }}/OU={{ vault.self_signed_cert.org_unit }}/CN=$root\_ca"
 root_p12="$root.p12"
 
 ###
@@ -72,7 +71,7 @@ child_name="${root}_${child}"
 child_key="$child_name.key"
 child_pem="$child_name.pem"
 child_csr="$child_name.csr"
-child_subj="/C=US/ST=TN/L=Nashville/O=Stratasan/OU=Ops/CN=$child_name"
+child_subj="/C={{ vault.self_signed_cert.country }}/ST={{ vault.self_signed_cert.state }}/L={{ vault.self_signed_cert.city }}/O={{ vault.self_signed_cert.org }}/OU={{ vault.self_signed_cert.org_unit }}/CN=$child_name"
 child_p12="$child_name.p12"
 child_jks="$child_name.jks"
 
diff --git a/vault/files/server.hcl.jinja b/vault/files/server.hcl.jinja
new file mode 100644
index 0000000..c927079
--- /dev/null
+++ b/vault/files/server.hcl.jinja
@@ -0,0 +1,27 @@
+{% from "vault/map.jinja" import vault with context %}
+
+{% if vault.s3_backend %}
+backend "s3" {
+  bucket = "{{ vault.s3_backend.bucket }}"
+}
+{% endif %}
+
+listener "{{ vault.listen_protocol }}" {
+  address = "{{ vault.listen_address }}:{{ vault.listen_port }}"
+  tls_disable = {{ vault.strict_tls }} 
+  {% if vault.self_signed_cert.enabled %}
+  tls_cert_file = "/etc/vault/{{ vault.self_signed_cert.hostname }}.pem"
+  tls_key_file = "/etc/vault/{{ vault.self_signed_cert.hostname }}-nopass.key"
+  {% else %}
+  {% if vault.tls_cert_file %}
+  tls_cert_file = "{{ vault.tls_cert_file }}"
+  {% endif %}
+  {% if vault.tls_key_file %}
+  tls_key_file = "{{ vault.tls_cert_file }}"
+  {% endif %}
+  {% endif %}
+}
+
+#todo parameterize
+default_lease_ttl="{{ vault.default_lease_ttl }}"
+max_lease_ttl="{{ vault.max_lease_ttl }}"
diff --git a/vault/templates/vault.conf.jinja b/vault/files/vault.conf.jinja
similarity index 100%
rename from vault/templates/vault.conf.jinja
rename to vault/files/vault.conf.jinja
diff --git a/vault/map.jinja b/vault/map.jinja
new file mode 100644
index 0000000..5d5200c
--- /dev/null
+++ b/vault/map.jinja
@@ -0,0 +1,14 @@
+{% set vault = salt['grains.filter_by']({
+    'default': {
+      listen_protocol: 'tcp',
+      listen_address: 0.0.0.0,
+      listen_port: 8200,
+      strict_tls: 1,
+      default_lease_ttl: '72h',
+      max_lease_ttl: '72h',
+      vault_version: '0.7.0',
+      self_signed_cert: {
+        enabled: false,
+      }
+    },
+}, merge=salt['pillar.get']('vault:lookup')) %}
diff --git a/vault/server.sls b/vault/server.sls
index 2f085bd..33d2c26 100644
--- a/vault/server.sls
+++ b/vault/server.sls
@@ -1,24 +1,24 @@
-#TODO only do this if bool param 'self_signed_cert: true'
+{% from "vault/map.jinja" import vault with context %}
+{% if vault.self_signed_cert.enabled %}
 /usr/local/bin/self-cert-gen.sh:
   file.managed:
-    - source: salt://vault/templates/cert-gen.sh.jinja
+    - source: salt://vault/files/cert-gen.sh.jinja
     - template: jinja
     - user: root
     - group: root
     - mode: 644
 
-#TODO only do this if bool param 'self_signed_cert: true'
-#TODO parameterize localhost and 'vault' password
-generate SSL certs:
+generate self signed SSL certs:
   cmd.run:
-    - name: bash /usr/local/bin/cert-gen.sh localhost vault
+    - name: bash /usr/local/bin/cert-gen.sh {{ vault.self_signed_cert.hostname }} {{ vault.self_signed_cert.password }}
     - cwd: /etc/vault
     - require:
       - file: /usr/local/bin/self-cert-gen.sh
+{% endif %}
 
 /etc/vault/config/server.hcl:
   file.managed:
-    - source: salt://vault/templates/server.hcl.jinja
+    - source: salt://vault/files/server.hcl.jinja
     - template: jinja
     - user: root
     - group: root
@@ -26,7 +26,7 @@ generate SSL certs:
 
 /etc/init/vault.conf:
   file.managed:
-    - source: salt://vault/templates/vault.conf.jinja
+    - source: salt://vault/files/vault.conf.jinja
     - template: jinja
     - user: root
     - group: root
@@ -36,6 +36,8 @@ vault:
   service.running:
     - enable: True
     - require:
-      - cmd: generate SSL certs #todo only if bool present
+      {% if vault.self_signed_cert.enabled %}
+      - cmd: generate self signed SSL certs
+      {% endif %}
       - file: /etc/vault/config/server.hcl
       - file: /etc/init/vault.conf
diff --git a/vault/templates/server.hcl.jinja b/vault/templates/server.hcl.jinja
deleted file mode 100644
index 2f8de6a..0000000
--- a/vault/templates/server.hcl.jinja
+++ /dev/null
@@ -1,16 +0,0 @@
-#todo parameterize
-backend "s3" {
-  bucket = "fixme"
-}
-
-# TODO parameterize
-listener "tcp" {
-  address = "0.0.0.0:8200"
-  tls_disable = 0 #todo - only include if bool from server.sls found
-  tls_cert_file = "/etc/vault/localhost.pem" #todo - only include if bool from server.sls found
-  tls_key_file = "/etc/vault/localhost-nopass.key" #todo - only include if bool from server.sls found
-}
-
-#todo parameterize
-default_lease_ttl="4380h"
-max_lease_ttl="43800h"