From db5964394179da51e137ca3d217456f1dd312329 Mon Sep 17 00:00:00 2001
From: Marcus Young
Date: Tue, 11 Apr 2017 09:55:31 -0500
Subject: [PATCH] Added parameters
---
pillar.example | 13 ++++++----
vault/{templates => files}/cert-gen.sh.jinja | 5 ++--
vault/files/server.hcl.jinja | 27 ++++++++++++++++++++
vault/{templates => files}/vault.conf.jinja | 0
vault/map.jinja | 14 ++++++++++
vault/server.sls | 20 ++++++++-------
vault/templates/server.hcl.jinja | 16 ------------
7 files changed, 62 insertions(+), 33 deletions(-)
rename vault/{templates => files}/cert-gen.sh.jinja (88%)
create mode 100644 vault/files/server.hcl.jinja
rename vault/{templates => files}/vault.conf.jinja (100%)
create mode 100644 vault/map.jinja
delete mode 100644 vault/templates/server.hcl.jinja
diff --git a/pillar.example b/pillar.example
index def7b49..bc06e10 100644
--- a/pillar.example
+++ b/pillar.example
@@ -1,7 +1,10 @@
vault:
vault_version: 0.7.0
- skip_verify: true
- protocol: https
- hostname: vault.hostname.com
- port: 8200
-
+ listen_protocol: tcp
+ listen_port: 8200
+ listen_address: 0.0.0.0
+ strict_tls: 0
+ default_lease_ttl: '4380h'
+ max_lease_ttl: '43800h'
+ s3_backend:
+ bucket: 'com-foo-vault'
diff --git a/vault/templates/cert-gen.sh.jinja b/vault/files/cert-gen.sh.jinja
similarity index 88%
rename from vault/templates/cert-gen.sh.jinja
rename to vault/files/cert-gen.sh.jinja
index 5091f34..9092278 100644
--- a/vault/templates/cert-gen.sh.jinja
+++ b/vault/files/cert-gen.sh.jinja
@@ -30,8 +30,7 @@ pw="$child"
root_key="$root.key"
root_pem="$root.pem"
root_key_nopass="$root-nopass.key"
-# TODO parameterize
-root_subj="/C=US/ST=TN/L=Nashville/O=Fixme/OU=Ops/CN=$root\_ca"
+root_subj="/C={{ vault.self_signed_cert.country }}/ST={{ vault.self_signed_cert.state }}/L={{ vault.self_signed_cert.city }}/O={{ vault.self_signed_cert.org }}/OU={{ vault.self_signed_cert.org_unit }}/CN=$root\_ca"
root_p12="$root.p12"

###
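Review bot: The example places every key directly under `vault:`, while the `vault/map.jinja` added in this same patch merges pillar data from `salt['pillar.get']('vault:lookup')`, so a pillar written like this example is silently ignored and every minion runs on the map defaults (`strict_tls: 1`, `72h` TTLs, no `s3_backend`). Either nest the example one level deeper under `lookup:` or change the merge path in the map to `'vault'`, and leave a one-line comment at the top of the example naming the path the map reads so the two files cannot drift apart again.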
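Review bot: The new `root_subj` assignment expands `vault.self_signed_cert.country`, `.state`, `.city`, `.org` and `.org_unit`, but the `self_signed_cert` defaults added to `vault/map.jinja` in this patch define only `enabled`, and `pillar.example` does not list these keys; with Salt's default (non-strict) Jinja undefined handling each missing key renders as an empty string, giving a subject like `/C=/ST=/L=/O=/OU=/CN=..._ca` that openssl either rejects or silently strips of fields. Add defaults for the five keys to the map (or `|default('...')` filters on these expressions) and document them in `pillar.example`. The same applies to the `child_subj` line in this file's second hunk. The rest of the script lies outside the hunk; note that `$root\_ca` inside double quotes keeps the backslash in the CN, though that predates this change.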
@@ -72,7 +71,7 @@ child_name="${root}_${child}"
child_key="$child_name.key"
child_pem="$child_name.pem"
child_csr="$child_name.csr"
-child_subj="/C=US/ST=TN/L=Nashville/O=Stratasan/OU=Ops/CN=$child_name"
+child_subj="/C={{ vault.self_signed_cert.country }}/ST={{ vault.self_signed_cert.state }}/L={{ vault.self_signed_cert.city }}/O={{ vault.self_signed_cert.org }}/OU={{ vault.self_signed_cert.org_unit }}/CN=$child_name"
child_p12="$child_name.p12"
child_jks="$child_name.jks"

diff --git a/vault/files/server.hcl.jinja b/vault/files/server.hcl.jinja
new file mode 100644
index 0000000..c927079
--- /dev/null
+++ b/vault/files/server.hcl.jinja
@@ -0,0 +1,27 @@
+{% from "vault/map.jinja" import vault with context %}
+
+{% if vault.s3_backend %}
+backend "s3" {
+ bucket = "{{ vault.s3_backend.bucket }}"
+}
+{% endif %}
+
+listener "{{ vault.listen_protocol }}" {
+ address = "{{ vault.listen_address }}:{{ vault.listen_port }}"
+ tls_disable = {{ vault.strict_tls }}
+ {% if vault.self_signed_cert.enabled %}
+ tls_cert_file = "/etc/vault/{{ vault.self_signed_cert.hostname }}.pem"
+ tls_key_file = "/etc/vault/{{ vault.self_signed_cert.hostname }}-nopass.key"
+ {% else %}
+ {% if vault.tls_cert_file %}
+ tls_cert_file = "{{ vault.tls_cert_file }}"
+ {% endif %}
+ {% if vault.tls_key_file %}
+ tls_key_file = "{{ vault.tls_cert_file }}"
+ {% endif %}
+ {% endif %}
+}
+
+#todo parameterize
+default_lease_ttl="{{ vault.default_lease_ttl }}"
+max_lease_ttl="{{ vault.max_lease_ttl }}"
diff --git a/vault/templates/vault.conf.jinja b/vault/files/vault.conf.jinja
similarity index 100%
rename from vault/templates/vault.conf.jinja
rename to vault/files/vault.conf.jinja
diff --git a/vault/map.jinja b/vault/map.jinja
new file mode 100644
index 0000000..5d5200c
--- /dev/null
+++ b/vault/map.jinja
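Review bot: `tls_key_file = "{{ vault.tls_cert_file }}"` inside the `{% if vault.tls_key_file %}` branch writes the certificate path into the key slot, so a pillar that supplies externally issued files gets a listener whose key file is the public certificate and Vault refuses to load the pair; it should read `tls_key_file = "{{ vault.tls_key_file }}"`. `tls_disable = {{ vault.strict_tls }}` copies the pillar value through unchanged, so the map default `strict_tls: 1` renders `tls_disable = 1` — a plaintext listener out of the box — while the key's name suggests the opposite; either rename the pillar key to `tls_disable` so the value is honest, or write `tls_disable = {{ 0 if vault.strict_tls else 1 }}` and flip the value in `pillar.example`. The `#todo parameterize` comment above `default_lease_ttl` is stale now that both TTLs are templated and should be dropped or replaced with a note on the expected duration format (`'4380h'`).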
@@ -0,0 +1,14 @@
+{% set vault = salt['grains.filter_by']({
+ 'default': {
+ listen_protocol: 'tcp',
+ listen_address: 0.0.0.0,
+ listen_port: 8200,
+ strict_tls: 1,
+ default_lease_ttl: '72h',
+ max_lease_ttl: '72h',
+ vault_version: '0.7.0',
+ self_signed_cert: {
+ enabled: false,
+ }
+ },
+}, merge=salt['pillar.get']('vault:lookup')) %}
diff --git a/vault/server.sls b/vault/server.sls
index 2f085bd..33d2c26 100644
--- a/vault/server.sls
+++ b/vault/server.sls
@@ -1,24 +1,24 @@
-#TODO only do this if bool param 'self_signed_cert: true'
+{% from "vault/map.jinja" import vault with context %}
+{% if vault.self_signed_cert.enabled %}
/usr/local/bin/self-cert-gen.sh:
file.managed:
- - source: salt://vault/templates/cert-gen.sh.jinja
+ - source: salt://vault/files/cert-gen.sh.jinja
- template: jinja
- user: root
- group: root
- mode: 644

-#TODO only do this if bool param 'self_signed_cert: true'
-#TODO parameterize localhost and 'vault' password
-generate SSL certs:
+generate self signed SSL certs:
cmd.run:
- - name: bash /usr/local/bin/cert-gen.sh localhost vault
+ - name: bash /usr/local/bin/cert-gen.sh {{ vault.self_signed_cert.hostname }} {{ vault.self_signed_cert.password }}
- cwd: /etc/vault
- require:
- - file: /usr/local/bin/self-cert-gen.sh
+{% endif %}

/etc/vault/config/server.hcl:
file.managed:
- - source: salt://vault/templates/server.hcl.jinja
+ - source: salt://vault/files/server.hcl.jinja
- template: jinja
- user: root
- group: root
@@ -26,7 +26,7 @@ generate SSL certs:

/etc/init/vault.conf:
file.managed:
- - source: salt://vault/templates/vault.conf.jinja
+ - source: salt://vault/files/vault.conf.jinja
- template: jinja
- user: root
- group: root
@@ -36,6 +36,8 @@ vault:
service.running:
- enable: True
- require:
- - cmd: generate SSL certs #todo only if bool present
+ {% if vault.self_signed_cert.enabled %}
+ - cmd: generate self signed SSL certs
+ {% endif %}
- file: /etc/vault/config/server.hcl
- file: /etc/init/vault.conf
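Review bot: The `'default'` mapping uses bare keys (`listen_protocol: 'tcp',`, `self_signed_cert: {`), but in a Jinja dict literal the key position is an expression, so each of these is a lookup of an undefined variable rather than the string key that `server.hcl.jinja` and `server.sls` later read, and `listen_address: 0.0.0.0,` is not a valid Jinja literal at all; as written the map is very likely to fail at render time or yield a dict without the expected keys. Quote every key and the address — `'listen_protocol': 'tcp',`, `'listen_address': '0.0.0.0',`, `'self_signed_cert': {`, `'enabled': false,` — so the structure matches what the templates dereference. A short header comment stating that pillar is merged from `vault:lookup` would also save readers the trip to the last line.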
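Review bot: The new `- name: bash /usr/local/bin/cert-gen.sh {{ vault.self_signed_cert.hostname }} {{ vault.self_signed_cert.password }}` runs a different path from the file the state above manages (`/usr/local/bin/self-cert-gen.sh`), so the `require` is satisfied by a file the command never executes; the two paths need to agree. The password is also passed as a positional argument, which exposes it in the minion's process list and in the state output and job cache on the master; passing it through `env:` on the `cmd.run` (with the script reading the variable instead of `$2`) and setting `output_loglevel: quiet` keeps it out of both. `self_signed_cert.hostname` and `.password` have no defaults in `vault/map.jinja`, so enabling the feature without both keys set renders an incomplete command line that only fails at run time.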
diff --git a/vault/templates/server.hcl.jinja b/vault/templates/server.hcl.jinja
deleted file mode 100644
index 2f8de6a..0000000
--- a/vault/templates/server.hcl.jinja
+++ /dev/null
@@ -1,16 +0,0 @@
-#todo parameterize
-backend "s3" {
- bucket = "fixme"
-}
-
- # TODO parameterize
-listener "tcp" {
- address = "0.0.0.0:8200"
- tls_disable = 0 #todo - only include if bool from server.sls found
- tls_cert_file = "/etc/vault/localhost.pem" #todo - only include if bool from server.sls found
- tls_key_file = "/etc/vault/localhost-nopass.key" #todo - only include if bool from server.sls found
-}
-
-#todo parameterize
-default_lease_ttl="4380h"
-max_lease_ttl="43800h"