Linux-Help/formula-vault
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

Added parameters

Browse source
This commit is contained in:
Marcus Young 2017-04-11 09:55:31 -05:00
parent e0b13c665a
commit db59643941
7 changed files with 62 additions and 33 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

13
pillar.example
View file

@ -1,7 +1,10 @@
vault: vault:
vault_version: 0.7.0 vault_version: 0.7.0
skip_verify: true listen_protocol: tcp
protocol: https listen_port: 8200
hostname: vault.hostname.com listen_address: 0.0.0.0
port: 8200 strict_tls: 0
default_lease_ttl: '4380h'
max_lease_ttl: '43800h'
s3_backend:
bucket: 'com-foo-vault'

5
vault/templates/cert-gen.sh.jinja → vault/files/cert-gen.sh.jinja
View file

@ -30,8 +30,7 @@ pw="$child"
root_key="$root.key" root_key="$root.key"
root_pem="$root.pem" root_pem="$root.pem"
root_key_nopass="$root-nopass.key" root_key_nopass="$root-nopass.key"
# TODO parameterize root_subj="/C={{ vault.self_signed_cert.country }}/ST={{ vault.self_signed_cert.state }}/L={{ vault.self_signed_cert.city }}/O={{ vault.self_signed_cert.org }}/OU={{ vault.self_signed_cert.org_unit }}/CN=$root\_ca"
root_subj="/C=US/ST=TN/L=Nashville/O=Fixme/OU=Ops/CN=$root\_ca"
root_p12="$root.p12" root_p12="$root.p12"
### ###
@ -72,7 +71,7 @@ child_name="${root}_${child}"
child_key="$child_name.key" child_key="$child_name.key"
child_pem="$child_name.pem" child_pem="$child_name.pem"
child_csr="$child_name.csr" child_csr="$child_name.csr"
child_subj="/C=US/ST=TN/L=Nashville/O=Stratasan/OU=Ops/CN=$child_name" child_subj="/C={{ vault.self_signed_cert.country }}/ST={{ vault.self_signed_cert.state }}/L={{ vault.self_signed_cert.city }}/O={{ vault.self_signed_cert.org }}/OU={{ vault.self_signed_cert.org_unit }}/CN=$child_name"
child_p12="$child_name.p12" child_p12="$child_name.p12"
child_jks="$child_name.jks" child_jks="$child_name.jks"

27
vault/files/server.hcl.jinja Normal file
View file

@ -0,0 +1,27 @@
{% from "vault/map.jinja" import vault with context %}
{% if vault.s3_backend %}
backend "s3" {
bucket = "{{ vault.s3_backend.bucket }}"
}
{% endif %}
listener "{{ vault.listen_protocol }}" {
address = "{{ vault.listen_address }}:{{ vault.listen_port }}"
tls_disable = {{ vault.strict_tls }}
{% if vault.self_signed_cert.enabled %}
tls_cert_file = "/etc/vault/{{ vault.self_signed_cert.hostname }}.pem"
tls_key_file = "/etc/vault/{{ vault.self_signed_cert.hostname }}-nopass.key"
{% else %}
{% if vault.tls_cert_file %}
tls_cert_file = "{{ vault.tls_cert_file }}"
{% endif %}
{% if vault.tls_key_file %}
tls_key_file = "{{ vault.tls_cert_file }}"
{% endif %}
{% endif %}
}
#todo parameterize
default_lease_ttl="{{ vault.default_lease_ttl }}"
max_lease_ttl="{{ vault.max_lease_ttl }}"

0
vault/templates/vault.conf.jinja → vault/files/vault.conf.jinja
View file

14
vault/map.jinja Normal file
View file

@ -0,0 +1,14 @@
{% set vault = salt['grains.filter_by']({
'default': {
listen_protocol: 'tcp',
listen_address: 0.0.0.0,
listen_port: 8200,
strict_tls: 1,
default_lease_ttl: '72h',
max_lease_ttl: '72h',
vault_version: '0.7.0',
self_signed_cert: {
enabled: false,
}
},
}, merge=salt['pillar.get']('vault:lookup')) %}

20
vault/server.sls
View file

@ -1,24 +1,24 @@
#TODO only do this if bool param 'self_signed_cert: true' {% from "vault/map.jinja" import vault with context %}
{% if vault.self_signed_cert.enabled %}
/usr/local/bin/self-cert-gen.sh: /usr/local/bin/self-cert-gen.sh:
file.managed: file.managed:
- source: salt://vault/templates/cert-gen.sh.jinja - source: salt://vault/files/cert-gen.sh.jinja
- template: jinja - template: jinja
- user: root - user: root
- group: root - group: root
- mode: 644 - mode: 644
#TODO only do this if bool param 'self_signed_cert: true' generate self signed SSL certs:
#TODO parameterize localhost and 'vault' password
generate SSL certs:
cmd.run: cmd.run:
- name: bash /usr/local/bin/cert-gen.sh localhost vault - name: bash /usr/local/bin/cert-gen.sh {{ vault.self_signed_cert.hostname }} {{ vault.self_signed_cert.password }}
- cwd: /etc/vault - cwd: /etc/vault
- require: - require:
- file: /usr/local/bin/self-cert-gen.sh - file: /usr/local/bin/self-cert-gen.sh
{% endif %}
/etc/vault/config/server.hcl: /etc/vault/config/server.hcl:
file.managed: file.managed:
- source: salt://vault/templates/server.hcl.jinja - source: salt://vault/files/server.hcl.jinja
- template: jinja - template: jinja
- user: root - user: root
- group: root - group: root
@ -26,7 +26,7 @@ generate SSL certs:
/etc/init/vault.conf: /etc/init/vault.conf:
file.managed: file.managed:
- source: salt://vault/templates/vault.conf.jinja - source: salt://vault/files/vault.conf.jinja
- template: jinja - template: jinja
- user: root - user: root
- group: root - group: root
@ -36,6 +36,8 @@ vault:
service.running: service.running:
- enable: True - enable: True
- require: - require:
- cmd: generate SSL certs #todo only if bool present {% if vault.self_signed_cert.enabled %}
- cmd: generate self signed SSL certs
{% endif %}
- file: /etc/vault/config/server.hcl - file: /etc/vault/config/server.hcl
- file: /etc/init/vault.conf - file: /etc/init/vault.conf

16
vault/templates/server.hcl.jinja
View file

@ -1,16 +0,0 @@
#todo parameterize
backend "s3" {
bucket = "fixme"
}
# TODO parameterize
listener "tcp" {
address = "0.0.0.0:8200"
tls_disable = 0 #todo - only include if bool from server.sls found
tls_cert_file = "/etc/vault/localhost.pem" #todo - only include if bool from server.sls found
tls_key_file = "/etc/vault/localhost-nopass.key" #todo - only include if bool from server.sls found
}
#todo parameterize
default_lease_ttl="4380h"
max_lease_ttl="43800h"