Merge pull request #23 from rbjorklin/align-with-template-formula

major overhaul to align with the template-formula
saltstack-formulas · Apr 1, 2019 · 529bf8b · 529bf8b
2 parents fb07381 + 7fed7e6
commit 529bf8b
Show file tree

Hide file tree

Showing 30 changed files with 391 additions and 266 deletions.
diff --git a/.kitchen.yml b/.kitchen.yml
@@ -42,41 +42,52 @@ suites:
       state_top:
         base:
           '*':
-            - vault
+            - vault.package
       pillars:
         top.sls:
           base:
             '*':
               - vault
         vault.sls:
           vault:
-#            version: 0.11.1    # test upgrades by doing a double-converge, changing the version pillar between each one
-            version: 0.11.2
-            secure_download: false
+#            version: 1.0.3    # test upgrades by doing a double-converge, changing the version pillar between each one
+            version: 1.1.0
+            verify_download: False
 
   - name: dev_server
     provisioner:
       state_top:
         base:
           '*':
-            - vault.server
+            - vault
+      pillars:
+        top.sls:
+          base:
+            '*':
+              - vault
+        vault.sls:
+          vault:
+            dev_mode: True
   - name: prod_server
     provisioner:
       state_top:
         base:
           '*':
-            - vault.server
+            - vault
       pillars:
         top.sls:
           base:
             '*':
               - vault
         vault.sls:
           vault:
-            dev_mode: false
+            config:
+              storage:
+                file:
+                  path: /var/lib/vault/data
             tls_disable: 1
             self_signed_cert:
-              enabled: true
+              enabled: True
               hostname: localhost
               password: localhost
               country: GB

diff --git a/README.rst b/README.rst
@@ -23,22 +23,27 @@ Install the vault binary
 
 Install and configure the vault server
 
-To use it, just include *vault.server* in your *top.sls*, and configure it using pillars:
+To use it, just include *vault* in your *top.sls*, and configure it using pillars:
 
 ::
 
   vault:
-    version: 0.7.0
-    listen_protocol: tcp
-    listen_port: 8200
-    listen_address: 0.0.0.0
-    tls_disable: 0
-    default_lease_ttl: 24h
-    max_lease_ttl: 24h
-    self_signed_cert:
-      enabled: false
-    backend: {}
-    dev_mode: true
+    version: 1.1.0
+    platform: linux_amd64
+    dev_mode: True
+    verify_download: True
+    config:
+      storage:
+        file:
+          path: /var/lib/vault/data
+      listener:
+        tcp:
+          address: "127.0.0.1:8200"
+          tls_disable: True
+          tls_cert_file: ""
+          tls_key_file: ""
+      default_lease_ttl: 768h
+      max_lease_ttl: 768h
 
 Issues
 ======

diff --git a/pillar.example b/pillar.example
@@ -1,20 +1,25 @@
+# -*- coding: utf-8 -*-
+# vim: ft=sls syntax=yaml softtabstop=2 tabstop=2 shiftwidth=2 expandtab autoindent
+
 vault:
-  version: 0.7.0
-  listen_protocol: tcp
-  listen_port: 8200
-  listen_address: 0.0.0.0
-  tls_disable: 0
-  tls_cert_file: {}
-  tls_key_file: {}
-  default_lease_ttl: 4380h
-  max_lease_ttl: 43800h
-  self_signed_cert:
-    enabled: false
-  backend: {}
-  dev_mode: true
-  secure_download: true
-  user: root
-  group: root
+  version: 1.1.0
+  platform: linux_amd64
+  dev_mode: False
+  verify_download: True
+  config:
+    storage:
+      consul:
+        address: "127.0.0.1:8500"
+        path: "vault"
+    listener:
+      tcp:
+        address: "0.0.0.0:8200"
+        tls_disable: "true"
+        tls_cert_file: ""
+        tls_key_file: ""
+    default_lease_ttl: 768h
+    max_lease_ttl: 768h
+  hashicorp_key_id: 51852D87348FFC4C
   hashicorp_gpg_key: |
     -----BEGIN PGP PUBLIC KEY BLOCK-----
     Version: GnuPG v1
@@ -46,4 +51,4 @@ vault:
     oEIgXTMyCILo34Fa/C6VCm2WBgz9zZO8/rHIiQm1J5zqz0DrDwKBUM9C
     =LYpS
     -----END PGP PUBLIC KEY BLOCK-----
-  hashicorp_key_id: 51852D87348FFC4C
+
diff --git a/test/integration/dev_server/vault_spec.rb b/test/integration/dev_server/vault_spec.rb
@@ -20,7 +20,7 @@
   it { should be_running }
 end
 
-describe file("/etc/vault/config/server.hcl") do
+describe file("/etc/vault/conf.d/config.json") do
   it { should_not be_a_file }
 end
 

diff --git a/test/integration/install_binary/vault_spec.rb b/test/integration/install_binary/vault_spec.rb
@@ -6,7 +6,7 @@
 describe command('/usr/local/bin/vault -version') do
   its(:exit_status) { should eq 0 }
   its(:stderr) { should be_empty }
-  its(:stdout) { should match(/^Vault v0.11.2 \('2b1a4304374712953ff606c6a925bbe90a4e85dd'\)/) }
+  its(:stdout) { should match(/^Vault v1.1.0 \('36aa8c8dd1936e10ebd7a4c1d412ae0e6f7900bd'\)/) }
 end
 
 describe service('vault') do
@@ -15,6 +15,6 @@
   it { should_not be_running }
 end
 
-describe file("/etc/vault/config/server.hcl") do
+describe file("/etc/vault/conf.d/config.json") do
   it { should_not be_a_file }
 end
diff --git a/test/integration/prod_server/vault_spec.rb b/test/integration/prod_server/vault_spec.rb
@@ -10,7 +10,7 @@
   its(:stdout) { should match(/\/vault = cap_ipc_lock\+ep$/) }
 end
 
-describe file('/etc/vault/config/server.hcl') do
+describe file('/etc/vault/conf.d/config.json') do
   it { should be_a_file }
 end
 

diff --git a/vault/clean.sls b/vault/clean.sls
@@ -0,0 +1,7 @@
+# -*- coding: utf-8 -*-
+# vim: ft=sls syntax=yaml softtabstop=2 tabstop=2 shiftwidth=2 expandtab autoindent
+
+include:
+  - .service.clean
+  - .config.clean
+  - .package.clean
diff --git a/vault/config/clean.sls b/vault/config/clean.sls
@@ -0,0 +1,6 @@
+# -*- coding: utf-8 -*-
+# vim: ft=sls syntax=yaml softtabstop=2 tabstop=2 shiftwidth=2 expandtab autoindent
+
+vault-config-clean-file-absent:
+  file.absent:
+    - name: /etc/vault
diff --git a/vault/config/config.sls b/vault/config/config.sls
@@ -0,0 +1,17 @@
+# -*- coding: utf-8 -*-
+# vim: ft=sls syntax=yaml softtabstop=2 tabstop=2 shiftwidth=2 expandtab autoindent
+
+{% from "vault/map.jinja" import vault with context -%}
+
+vault-config-config-file-serialize:
+  file.serialize:
+    - name: /etc/vault/conf.d/config.json
+    - encoding: utf-8
+    - formatter: json
+    - dataset: {{ vault.config | json }}
+    - user: root
+    - group: vault
+    - mode: 640
+    - makedirs: True
+    - watch_in:
+      - service: vault-service-init-service-running
diff --git a/vault/config/init.sls b/vault/config/init.sls
@@ -0,0 +1,12 @@
+# -*- coding: utf-8 -*-
+# vim: ft=sls syntax=yaml softtabstop=2 tabstop=2 shiftwidth=2 expandtab autoindent
+
+{% from "vault/map.jinja" import vault with context %}
+
+{%- if not vault.dev_mode %}
+include:
+  - .config
+  {%- if vault.self_signed_cert.enabled %}
+  - .self-sign
+  {%- endif %}
+{%- endif %}
diff --git a/vault/config/self-sign.sls b/vault/config/self-sign.sls
@@ -0,0 +1,16 @@
+# -*- coding: utf-8 -*-
+# vim: ft=sls syntax=yaml softtabstop=2 tabstop=2 shiftwidth=2 expandtab autoindent
+
+{% from "vault/map.jinja" import vault with context -%}
+
+vault-config-self-signed-pkg-installed:
+  pkg.installed:
+    - name: openssl
+
+vault-config-self-signed-cmd-script:
+  cmd.script:
+    - source: salt://vault/files/cert-gen.sh.j2
+    - template: jinja
+    - args: {{ vault.self_signed_cert.hostname }} {{ vault.self_signed_cert.password }}
+    - cwd: /etc/vault
+    - creates: /etc/vault/{{ vault.self_signed_cert.hostname }}.pem
diff --git a/vault/defaults.yaml b/vault/defaults.yaml
@@ -1,23 +1,22 @@
+# -*- coding: utf-8 -*-
+# vim: ft=sls syntax=yaml softtabstop=2 tabstop=2 shiftwidth=2 expandtab autoindent
+
 vault:
-  version: 0.11.2
-  listen_protocol: tcp
-  listen_port: 8200
-  listen_address: 0.0.0.0
-  tls_disable: 0
-  tls_cert_file: {}
-  tls_key_file: {}
-  default_lease_ttl: 24h
-  max_lease_ttl: 24h
+  version: 1.1.0
+  dev_mode: False
+  verify_download: True
   self_signed_cert:
-    enabled: false
-  backend:
-    type: file
-    path: /var/lib/vault/data
-  dev_mode: true
-  secure_download: true
-  gpg_pkg: gnupg
-  user: root
-  group: root
+    enabled: False
+  config:
+    listener:
+      tcp:
+        address: "0.0.0.0:8200"
+        tls_disable: "true"
+        tls_cert_file: ""
+        tls_key_file: ""
+    default_lease_ttl: 768h
+    max_lease_ttl: 768h
+  hashicorp_key_id: 51852D87348FFC4C
   hashicorp_gpg_key: |
     -----BEGIN PGP PUBLIC KEY BLOCK-----
     Version: GnuPG v1
@@ -49,4 +48,3 @@ vault:
     oEIgXTMyCILo34Fa/C6VCm2WBgz9zZO8/rHIiQm1J5zqz0DrDwKBUM9C
     =LYpS
     -----END PGP PUBLIC KEY BLOCK-----
-  hashicorp_key_id: 51852D87348FFC4C
diff --git a/vault/files/cert-gen.sh.jinja → vault/files/cert-gen.sh.j2 b/vault/files/cert-gen.sh.jinja → vault/files/cert-gen.sh.j2
diff --git a/vault/files/hashicorp.asc.jinja b/vault/files/hashicorp.asc.jinja
diff --git a/vault/files/server.hcl.jinja b/vault/files/server.hcl.jinja
diff --git a/vault/files/vault_upstart.conf.jinja → vault/files/vault.conf.j2 b/vault/files/vault_upstart.conf.jinja → vault/files/vault.conf.j2
@@ -18,7 +18,7 @@ script
 {%- if vault.dev_mode %}
     -dev \
 {% else %}
-    -config="/etc/vault/config/server.hcl" \
+    -config="/etc/vault/conf.d/config.json" \
 {% endif -%}
     >>/var/log/vault.log 2>&1
 end script
diff --git a/vault/files/vault.service.j2 b/vault/files/vault.service.j2
@@ -0,0 +1,20 @@
+{%- from "vault/map.jinja" import vault with context -%}
+[Unit]
+Description=Vault secret management tool
+Requires=network-online.target
+After=network-online.target
+
+[Service]
+User=vault
+Group=vault
+PIDFile=/var/run/vault/vault.pid
+ExecStart=/usr/local/bin/vault server {% if vault.dev_mode %} -dev {% else %} -config=/etc/vault/conf.d {% endif %}
+ExecReload=/bin/kill -HUP $MAINPID
+KillMode=process
+KillSignal=SIGTERM
+Restart=on-failure
+RestartSec=42s
+LimitMEMLOCK=infinity
+
+[Install]
+WantedBy=multi-user.target
diff --git a/vault/files/vault_systemd.service.jinja b/vault/files/vault_systemd.service.jinja