From 15d4e34f2dc06036cdbf360765978ee19bf58730 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Robin=20Bj=C3=B6rklin?= Date: Sat, 23 Mar 2019 18:33:09 -0700 Subject: [PATCH 01/14] refactor(everything): overhaul to align with the template-formula * see: https://github.com/saltstack-formulas/template-formula * systemd unit file:https://learn.hashicorp.com/vault/operations/ops-vault-ha-consul#vault-server-systemd-unit-file * currently the self-signed certificate part has not been ported but that can be done upon request BREAKING CHANGE: This renames all states and the config file being generated. --- .kitchen.yml | 13 ++- README.rst | 29 +++--- pillar.example | 39 ++++---- vault/clean.sls | 7 ++ vault/config/clean.sls | 6 ++ vault/config/init.sls | 17 ++++ vault/files/hashicorp.asc.jinja | 2 - vault/files/server.hcl.jinja | 29 ------ ...vault_upstart.conf.jinja => vault.conf.j2} | 0 vault/files/vault.service.j2 | 20 +++++ vault/files/vault_systemd.service.jinja | 15 ---- vault/init.sls | 65 ++------------ vault/map.jinja | 22 +++-- vault/osfamilymap.yaml | 2 - vault/package/clean.sls | 24 +++++ vault/package/gpg.sls | 20 +++++ vault/package/init.sls | 11 +++ vault/package/install.sls | 41 +++++++++ vault/package/signature.sls | 25 ++++++ vault/server.sls | 90 ------------------- vault/service/clean.sls | 11 +++ vault/service/init.sls | 21 +++++ vault/{ => yaml}/defaults.yaml | 40 ++++----- vault/yaml/initfamilymap.yaml | 12 +++ vault/yaml/osfamilymap.yaml | 8 ++ 25 files changed, 311 insertions(+), 258 deletions(-) create mode 100644 vault/clean.sls create mode 100644 vault/config/clean.sls create mode 100644 vault/config/init.sls delete mode 100644 vault/files/hashicorp.asc.jinja delete mode 100644 vault/files/server.hcl.jinja rename vault/files/{vault_upstart.conf.jinja => vault.conf.j2} (100%) create mode 100644 vault/files/vault.service.j2 delete mode 100644 vault/files/vault_systemd.service.jinja delete mode 100644 vault/osfamilymap.yaml create mode 100644 vault/package/clean.sls create mode 100644 vault/package/gpg.sls create mode 100644 
vault/package/init.sls create mode 100644 vault/package/install.sls create mode 100644 vault/package/signature.sls delete mode 100644 vault/server.sls create mode 100644 vault/service/clean.sls create mode 100644 vault/service/init.sls rename vault/{ => yaml}/defaults.yaml (80%) create mode 100644 vault/yaml/initfamilymap.yaml create mode 100644 vault/yaml/osfamilymap.yaml diff --git a/.kitchen.yml b/.kitchen.yml index 2ca5abd..999a42e 100644 --- a/.kitchen.yml +++ b/.kitchen.yml @@ -59,13 +59,21 @@ suites: state_top: base: '*': - - vault.server + - vault + pillars: + top.sls: + base: + '*': + - vault + vault.sls: + vault: + dev_mode: True - name: prod_server provisioner: state_top: base: '*': - - vault.server + - vault pillars: top.sls: base: @@ -73,7 +81,6 @@ suites: - vault vault.sls: vault: - dev_mode: false tls_disable: 1 self_signed_cert: enabled: true diff --git a/README.rst b/README.rst index f317efe..73e2465 100644 --- a/README.rst +++ b/README.rst @@ -23,22 +23,27 @@ Install the vault binary Install and configure the vault server -To use it, just include *vault.server* in your *top.sls*, and configure it using pillars: +To use it, just include *vault* in your *top.sls*, and configure it using pillars: :: vault: - version: 0.7.0 - listen_protocol: tcp - listen_port: 8200 - listen_address: 0.0.0.0 - tls_disable: 0 - default_lease_ttl: 24h - max_lease_ttl: 24h - self_signed_cert: - enabled: false - backend: {} - dev_mode: true + version: 1.1.0 + platform: linux_amd64 + dev_mode: True + verify_download: True + config: + storage: + file: + path: /var/lib/vault/data + listener: + tcp: + address: "127.0.0.1:8200" + tls_disable: True + tls_cert_file: "" + tls_key_file: "" + default_lease_ttl: 768h + max_lease_ttl: 768h Issues ====== diff --git a/pillar.example b/pillar.example index 7ff1655..58f32af 100644 --- a/pillar.example +++ b/pillar.example 
@@ -1,20 +1,25 @@ +# -*- coding: utf-8 -*- +# vim: ft=sls syntax=yaml softtabstop=2 tabstop=2 shiftwidth=2 expandtab autoindent + vault: - version: 0.7.0 - listen_protocol: tcp - listen_port: 8200 - listen_address: 0.0.0.0 - tls_disable: 0 - tls_cert_file: {} - tls_key_file: {} - default_lease_ttl: 4380h - max_lease_ttl: 43800h - self_signed_cert: - enabled: false - backend: {} - dev_mode: true - secure_download: true - user: root - group: root + version: 1.1.0 + platform: linux_amd64 + dev_mode: False + verify_download: True + config: + storage: + consul: + address: "127.0.0.1:8500" + path: "vault" + listener: + tcp: + address: "127.0.0.1:8200" + tls_disable: True + tls_cert_file: "" + tls_key_file: "" + default_lease_ttl: 768h + max_lease_ttl: 768h + hashicorp_key_id: 51852D87348FFC4C hashicorp_gpg_key: | -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1 @@ -46,4 +51,4 @@ vault: oEIgXTMyCILo34Fa/C6VCm2WBgz9zZO8/rHIiQm1J5zqz0DrDwKBUM9C =LYpS -----END PGP PUBLIC KEY BLOCK----- - hashicorp_key_id: 51852D87348FFC4C + diff --git a/vault/clean.sls b/vault/clean.sls new file mode 100644 index 0000000..68c1023 --- /dev/null +++ b/vault/clean.sls @@ -0,0 +1,7 @@ +# -*- coding: utf-8 -*- +# vim: ft=sls syntax=yaml softtabstop=2 tabstop=2 shiftwidth=2 expandtab autoindent + +include: + - .service.clean + - .config.clean + - .package.clean diff --git a/vault/config/clean.sls b/vault/config/clean.sls new file mode 100644 index 0000000..b0e338a --- /dev/null +++ b/vault/config/clean.sls @@ -0,0 +1,6 @@ +# -*- coding: utf-8 -*- +# vim: ft=sls syntax=yaml softtabstop=2 tabstop=2 shiftwidth=2 expandtab autoindent + +vault-config-clean-file-absent: + file.absent: + - name: /etc/vault diff --git a/vault/config/init.sls b/vault/config/init.sls new file mode 100644 index 0000000..364021c --- /dev/null +++ b/vault/config/init.sls 
@@ -0,0 +1,17 @@ +# -*- coding: utf-8 -*- +# vim: ft=sls syntax=yaml softtabstop=2 tabstop=2 shiftwidth=2 expandtab autoindent + +{% from "vault/map.jinja" import vault with context -%} + +vault-config-init-file-serialize: + file.serialize: + - name: /etc/vault/conf.d/config.json + - encoding: utf-8 + - formatter: json + - dataset: {{ vault.config | json }} + - user: root + - group: vault + - mode: 640 + - makedirs: True + - watch_in: + - service: vault diff --git a/vault/files/hashicorp.asc.jinja b/vault/files/hashicorp.asc.jinja deleted file mode 100644 index ae466a7..0000000 --- a/vault/files/hashicorp.asc.jinja +++ /dev/null @@ -1,2 +0,0 @@ -{%- from "vault/map.jinja" import vault with context -%} -{{ vault.hashicorp_gpg_key }} diff --git a/vault/files/server.hcl.jinja b/vault/files/server.hcl.jinja deleted file mode 100644 index 1a065d6..0000000 --- a/vault/files/server.hcl.jinja +++ /dev/null @@ -1,29 +0,0 @@ -{%- from "vault/map.jinja" import vault with context -%} -{%- if vault.backend %} -backend "{{ vault.backend.type }}" { - {%- if vault.backend.type == "s3" %} - bucket = "{{ vault.backend.bucket }}" - {%- elif vault.backend.type == "file" %} - path = "{{ vault.backend.path }}" - {% endif -%} -} -{% endif -%} - -listener "{{ vault.listen_protocol }}" { - address = "{{ vault.listen_address }}:{{ vault.listen_port }}" - tls_disable = {{ vault.tls_disable }} -{% if vault.self_signed_cert.enabled %} - tls_cert_file = "/etc/vault/{{ vault.self_signed_cert.hostname }}.pem" - tls_key_file = "/etc/vault/{{ vault.self_signed_cert.hostname }}-nopass.key" -{% else %} -{%- if vault.tls_cert_file %} - tls_cert_file = "{{ vault.tls_cert_file }}" -{% endif -%} -{%- if vault.tls_key_file %} - tls_key_file = "{{ vault.tls_key_file }}" -{% endif -%} -{% endif %} -} - -default_lease_ttl="{{ vault.default_lease_ttl }}" -max_lease_ttl="{{ vault.max_lease_ttl }}" 
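Review bot: `vault-config-init-file-serialize` locks the rendered config to root:vault 640 but leaves `/etc/vault/conf.d` itself to `makedirs: True`, so the directory that holds the serialized `vault.config` (listener cert/key paths and whatever storage settings the pillar carries) gets whatever mode the minion's umask happens to produce rather than a managed one. A dedicated `file.directory` state for `/etc/vault/conf.d` with explicit ownership and mode, required by the serialize state, makes the directory permissions part of the formula instead of an accident of the environment. The same state is moved verbatim into vault/config/config.sls in PATCH 02, where the same point applies.
```yaml
vault-config-init-file-directory:
  file.directory:
    - name: /etc/vault/conf.d
    - user: root
    - group: vault
    - mode: 750
    - makedirs: True

vault-config-init-file-serialize:
  file.serialize:
    # … unchanged: name, encoding, formatter, dataset, user, group, mode, makedirs, watch_in …
    - require:
      - file: vault-config-init-file-directory
```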
diff --git a/vault/files/vault_upstart.conf.jinja b/vault/files/vault.conf.j2 similarity index 100% rename from vault/files/vault_upstart.conf.jinja rename to vault/files/vault.conf.j2 diff --git a/vault/files/vault.service.j2 b/vault/files/vault.service.j2 new file mode 100644 index 0000000..940d895 --- /dev/null +++ b/vault/files/vault.service.j2 @@ -0,0 +1,20 @@ +{%- from "vault/map.jinja" import vault with context -%} +[Unit] +Description=Vault secret management tool +Requires=network-online.target +After=network-online.target + +[Service] +User=vault +Group=vault +PIDFile=/var/run/vault/vault.pid +ExecStart=/usr/local/bin/vault server {% if vault.dev_mode %} -dev {% else %} -config=/etc/vault/conf.d {% endif %} +ExecReload=/bin/kill -HUP $MAINPID +KillMode=process +KillSignal=SIGTERM +Restart=on-failure +RestartSec=42s +LimitMEMLOCK=infinity + +[Install] +WantedBy=multi-user.target diff --git a/vault/files/vault_systemd.service.jinja b/vault/files/vault_systemd.service.jinja deleted file mode 100644 index d9d604e..0000000 --- a/vault/files/vault_systemd.service.jinja +++ /dev/null @@ -1,15 +0,0 @@ -{%- from "vault/map.jinja" import vault with context -%} -[Unit] -Description=Hashicorp Vault server -Requires=network-online.target -After=network-online.target consul.service - -[Service] -EnvironmentFile=-/etc/sysconfig/vault -Restart=on-abnormal -ExecStart=/usr/local/bin/vault server {% if vault.dev_mode %}-dev{% else %} -config=/etc/vault/config/server.hcl{% endif %} -User={{ vault.user }} -Group={{ vault.group }} - -[Install] -WantedBy=multi-user.target diff --git a/vault/init.sls b/vault/init.sls index 35002c0..4773d86 100644 --- a/vault/init.sls +++ b/vault/init.sls 
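Review bot: The new unit drops privileges to the `vault` user but carries none of the sandboxing directives, so a compromised Vault process keeps write access to the whole filesystem, /tmp and device nodes; as far as I recall the HashiCorp reference unit linked from the commit message ships with `ProtectSystem`, `PrivateTmp`, `NoNewPrivileges` and a capability bounding set, and they cost nothing here. Because the binary already depends on `cap_ipc_lock` (granted with setcap in vault/package/install.sls), the unit can grant exactly that capability and drop everything else. `PIDFile=/var/run/vault/vault.pid` also names a file nothing in this series creates or configures Vault to write; unless a `pid_file` is set in the config I would drop the directive rather than have systemd warn about it — worth confirming against the Vault version in use.
```ini
[Service]
; … unchanged: User, Group, ExecStart, ExecReload, KillMode, KillSignal, Restart, RestartSec, LimitMEMLOCK …
ProtectSystem=full
ProtectHome=read-only
PrivateTmp=yes
PrivateDevices=yes
NoNewPrivileges=yes
SecureBits=keep-caps
CapabilityBoundingSet=CAP_IPC_LOCK
AmbientCapabilities=CAP_IPC_LOCK
```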
@@ -1,60 +1,7 @@ -{% from "vault/map.jinja" import vault with context %} +# -*- coding: utf-8 -*- +# vim: ft=sls syntax=yaml softtabstop=2 tabstop=2 shiftwidth=2 expandtab autoindent -{% set version = vault.version %} - -/opt/vault/{{ version }}/vault_{{ version }}_SHA256SUMS: - file.managed: - - source: https://releases.hashicorp.com/vault/{{ version }}/vault_{{ version }}_SHA256SUMS - - makedirs: true - - skip_verify: true - -/opt/vault/{{ version }}/bin: - archive.extracted: - - source: https://releases.hashicorp.com/vault/{{ version }}/vault_{{ version }}_linux_amd64.zip - - source_hash: /opt/vault/{{ version }}/vault_{{ version }}_SHA256SUMS - - enforce_toplevel: false - - require: - - /opt/vault/{{ version }}/vault_{{ version }}_SHA256SUMS - -/usr/local/bin/vault: - file.symlink: - - target: /opt/vault/{{ version }}/bin/vault - - force: true - - require: - - /opt/vault/{{ version }}/bin - -{% if vault.secure_download -%} -/opt/vault/{{ version }}/vault_{{ version }}_SHA256SUMS.sig: - file.managed: - - source: https://releases.hashicorp.com/vault/{{ version }}/vault_{{ version }}_SHA256SUMS.sig - - skip_verify: true - - require: - - /opt/vault/{{ version }}/vault_{{ version }}_SHA256SUMS - - -/tmp/hashicorp.asc: - file.managed: - - source: salt://vault/files/hashicorp.asc.jinja - - template: jinja - -vault_gpg_pkg: - pkg.installed: - - name: {{ vault.gpg_pkg }} - -import key: - cmd.run: - - name: gpg --import /tmp/hashicorp.asc - - unless: gpg --list-keys {{ vault.hashicorp_key_id }} - - require: - - /tmp/hashicorp.asc - - vault_gpg_pkg - -verify shasums sig: - cmd.run: - - name: gpg --verify /opt/vault/{{ version }}/vault_{{ version }}_SHA256SUMS.sig /opt/vault/{{ version }}/vault_{{ version }}_SHA256SUMS - - require: - - /opt/vault/{{ version }}/vault_{{ version }}_SHA256SUMS.sig - - import key - - prereq: - - /usr/local/bin/vault -{%- endif %} +include: + - .package + - .config + - .service 
diff --git a/vault/map.jinja b/vault/map.jinja index c98de32..812ce2d 100644 --- a/vault/map.jinja +++ b/vault/map.jinja @@ -1,11 +1,15 @@ -{% import_yaml "vault/defaults.yaml" as defaults %} -{% import_yaml "vault/osfamilymap.yaml" as osfamilymap %} +# -*- coding: utf-8 -*- +# vim: ft=sls syntax=yaml softtabstop=2 tabstop=2 shiftwidth=2 expandtab autoindent + +{% import_yaml "vault/yaml/defaults.yaml" as defaults %} +{% import_yaml "vault/yaml/osfamilymap.yaml" as osfamilymap %} +{% import_yaml "vault/yaml/initfamilymap.yaml" as initfamilymap %} {% set vault = salt['grains.filter_by']( - defaults, - merge=salt['grains.filter_by']( - osfamilymap, - merge=salt['pillar.get']('vault', {}), - ), - base='vault') - %} + defaults, merge=salt['grains.filter_by']( + osfamilymap, merge=salt['grains.filter_by']( + initfamilymap, grain='init', merge=salt['pillar.get']('vault', {}), + base='vault'), + base='vault'), + base='vault') +%} diff --git a/vault/osfamilymap.yaml b/vault/osfamilymap.yaml deleted file mode 100644 index eb6ab15..0000000 --- a/vault/osfamilymap.yaml +++ /dev/null @@ -1,2 +0,0 @@ -RedHat: - gpg_pkg: gnupg2 diff --git a/vault/package/clean.sls b/vault/package/clean.sls new file mode 100644 index 0000000..9b35503 --- /dev/null +++ b/vault/package/clean.sls @@ -0,0 +1,24 @@ +# -*- coding: utf-8 -*- +# vim: ft=sls syntax=yaml softtabstop=2 tabstop=2 shiftwidth=2 expandtab autoindent + +{% from "vault/map.jinja" import vault with context %} + +vault-package-clean-file-absent: + file.absent: + - name: /opt/vault + +vault-package-clean-file-absent-data: + file.absent: + - name: /var/lib/vault + +vault-package-clean-cmd-run: + cmd.run: + - name: gpg --batch --yes --delete-key {{ vault.hashicorp_key_id }} + +vault-package-clean-user-absent: + user.absent: + - name: vault + +vault-package-clean-group-absent: + group.absent: + - name: vault diff --git a/vault/package/gpg.sls b/vault/package/gpg.sls new file mode 100644 index 0000000..b34f104 --- /dev/null 
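Review bot: `vault-package-clean-file-absent-data` in vault/package/clean.sls removes `/var/lib/vault`, which is the directory the `file` storage backend in defaults.yaml points at, so applying `vault.clean` (or `vault.package.clean`) on a non-dev server silently destroys every secret it stores; a package clean should stop at the binaries and leave data removal to an explicit opt-in (a separate pillar flag, say) or at minimum carry a comment stating that it is destructive. `vault-package-clean-cmd-run` also runs `gpg --batch --yes --delete-key` with no guard, so the state fails on any minion where the key was never imported (`verify_download: False`), and it deletes the key from root's shared keyring, which other formulas on the host may rely on. Adding `- onlyif: gpg --list-keys {{ vault.hashicorp_key_id }}` fixes the first, mirroring the `unless` used in gpg.sls.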
+++ b/vault/package/gpg.sls @@ -0,0 +1,20 @@ +# -*- coding: utf-8 -*- +# vim: ft=sls syntax=yaml softtabstop=2 tabstop=2 shiftwidth=2 expandtab autoindent + +{% from "vault/map.jinja" import vault with context %} + +vault-package-gpg-file-managed: + file.managed: + - name: /opt/vault/hashicorp.asc + - contents: | + {{ vault.hashicorp_gpg_key | indent(8) }} + - makedirs: True + +vault-package-gpg-pkg-installed: + pkg.installed: + - name: {{ vault.gpg_pkg }} + +vault-package-gpg-cmd-run: + cmd.run: + - name: gpg --import /opt/vault/hashicorp.asc + - unless: gpg --list-keys {{ vault.hashicorp_key_id }} diff --git a/vault/package/init.sls b/vault/package/init.sls new file mode 100644 index 0000000..ab8f360 --- /dev/null +++ b/vault/package/init.sls @@ -0,0 +1,11 @@ +# -*- coding: utf-8 -*- +# vim: ft=sls syntax=yaml softtabstop=2 tabstop=2 shiftwidth=2 expandtab autoindent + +{% from "vault/map.jinja" import vault with context %} + +include: + - .install +{%- if vault.verify_download %} + - .gpg + - .signature +{%- endif %} diff --git a/vault/package/install.sls b/vault/package/install.sls new file mode 100644 index 0000000..9da4b8d --- /dev/null +++ b/vault/package/install.sls 
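Review bot: `vault-package-gpg-cmd-run` imports the key with no `require` on `vault-package-gpg-file-managed` or `vault-package-gpg-pkg-installed`, so it works only because Salt's default definition ordering happens to run those two first; an explicit `- require:` with `- file: vault-package-gpg-file-managed` and `- pkg: vault-package-gpg-pkg-installed` keeps it correct if `state_auto_order` is disabled or the states are reordered. Note also that `unless: gpg --list-keys {{ vault.hashicorp_key_id }}` keys off the ID alone, so a changed `hashicorp_gpg_key` with the same ID is never re-imported; that is probably acceptable, but a one-line comment saying so would save the next maintainer a surprise.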
@@ -0,0 +1,41 @@ +# -*- coding: utf-8 -*- +# vim: ft=sls syntax=yaml softtabstop=2 tabstop=2 shiftwidth=2 expandtab autoindent + +{% from "vault/map.jinja" import vault with context %} + +vault-package-install-group-present: + group.present: + - name: vault + - system: True + +vault-package-install-user-present: + user.present: + - name: vault + - system: True + - gid_from_name: True + - home: /var/lib/vault + +vault-package-install-file-directory: + file.directory: + - name: /opt/vault/bin + - makedirs: True + +vault-package-install-archive-extracted: + archive.extracted: + - name: /opt/vault/bin + - source: https://releases.hashicorp.com/vault/{{ vault.version }}/vault_{{ vault.version }}_{{ vault.platform }}.zip + - source_hash: https://releases.hashicorp.com/vault/{{ vault.version }}/vault_{{ vault.version }}_SHA256SUMS + - source_hash_name: vault_{{ vault.version }}_{{ vault.platform }}.zip + - enforce_toplevel: false + +vault-package-install-file-symlink: + file.symlink: + - name: /usr/local/bin/vault + - target: /opt/vault/bin/vault + - force: true + +vault-package-install-cmd-run: + cmd.run: + - name: setcap cap_ipc_lock=+ep /opt/vault/bin/vault + - onchanges: + - vault-package-install-archive-extracted diff --git a/vault/package/signature.sls b/vault/package/signature.sls new file mode 100644 index 0000000..47a0d17 --- /dev/null +++ b/vault/package/signature.sls 
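Review bot: The signature check never protects the artifact that actually gets installed: `vault-package-install-archive-extracted` verifies the zip against a SHA256SUMS fetched directly from releases.hashicorp.com via `source_hash`, while vault/package/signature.sls (next hunk) downloads a second copy to `/opt/vault/{{ vault.version }}_SHA256SUMS`, runs `gpg --verify` on that copy, and has no requisite tying it to the extraction — so with `.install` included ahead of `.signature` the binary is extracted, symlinked into /usr/local/bin and given `cap_ipc_lock` before the signature is checked, and a failed check leaves it in place. The deleted vault/init.sls had `prereq: /usr/local/bin/vault` on its verify step for exactly this reason. When `verify_download` is set, point `source_hash` at the locally verified checksum file (a local path was already accepted by the old state) and require the verify state, so a bad signature blocks extraction.
```yaml
vault-package-install-archive-extracted:
  archive.extracted:
    - name: /opt/vault/bin
    - source: https://releases.hashicorp.com/vault/{{ vault.version }}/vault_{{ vault.version }}_{{ vault.platform }}.zip
{%- if vault.verify_download %}
    # hash against the SHA256SUMS copy whose detached signature was checked, and only after that check passed
    - source_hash: /opt/vault/{{ vault.version }}_SHA256SUMS
    - require:
      - cmd: vault-package-signature-cmd-run
{%- else %}
    - source_hash: https://releases.hashicorp.com/vault/{{ vault.version }}/vault_{{ vault.version }}_SHA256SUMS
{%- endif %}
    - source_hash_name: vault_{{ vault.version }}_{{ vault.platform }}.zip
    - enforce_toplevel: false
# … unchanged: group, user and directory states above; symlink and setcap states below …
```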
@@ -0,0 +1,25 @@ +# -*- coding: utf-8 -*- +# vim: ft=sls syntax=yaml softtabstop=2 tabstop=2 shiftwidth=2 expandtab autoindent + +{% from "vault/map.jinja" import vault with context %} + +vault-package-signature-file-managed-checksum: + file.managed: + - name: /opt/vault/{{ vault.version }}_SHA256SUMS + - source: https://releases.hashicorp.com/vault/{{ vault.version }}/vault_{{ vault.version }}_SHA256SUMS + - skip_verify: True + - makedirs: True + +vault-package-signature-file-managed-signature: + file.managed: + - name: /opt/vault/{{ vault.version }}_SHA256SUMS.sig + - source: https://releases.hashicorp.com/vault/{{ vault.version }}/vault_{{ vault.version }}_SHA256SUMS.sig + - skip_verify: True + - makedirs: True + +vault-package-signature-cmd-run: + cmd.run: + - name: gpg --verify /opt/vault/{{ vault.version }}_SHA256SUMS.sig /opt/vault/{{ vault.version }}_SHA256SUMS + - onchanges: + - vault-package-signature-file-managed-checksum + - vault-package-signature-file-managed-signature diff --git a/vault/server.sls b/vault/server.sls deleted file mode 100644 index 45298fe..0000000 --- a/vault/server.sls +++ /dev/null 
@@ -1,90 +0,0 @@ -{% from "vault/map.jinja" import vault with context -%} - -include: - - vault - -{% if not vault.dev_mode %} -/etc/vault/config: - file.directory: - - makedirs: true - - user: root - - group: root - - mode: 755 - -/etc/vault/config/server.hcl: - file.managed: - - source: salt://vault/files/server.hcl.jinja - - template: jinja - - user: root - - group: root - - mode: 644 - - require: - - file: /etc/vault/config - - watch_in: - - service: vault - -vault_set_cap_mlock: - cmd.run: - - name: setcap cap_ipc_lock=+ep $(readlink -f /usr/local/bin/vault) - - onchanges: - - /usr/local/bin/vault - -{% if vault.self_signed_cert.enabled -%} -openssl: - pkg.installed - -generate self signed SSL certs: - cmd.script: - - source: salt://vault/files/cert-gen.sh.jinja - - template: jinja - - args: {{ vault.self_signed_cert.hostname }} {{ vault.self_signed_cert.password }} - - cwd: /etc/vault - - creates: /etc/vault/{{ vault.self_signed_cert.hostname }}.pem - - require: - - openssl - - /etc/vault/config - - require_in: - - service: vault -{% endif %} -{%- endif %} - -{%- if grains.init == 'systemd' %} -/etc/systemd/system/vault.service: - file.managed: - - source: salt://vault/files/vault_systemd.service.jinja - - template: jinja - - user: root - - group: root - - mode: 644 - - order: 1 - - watch_in: - - service: vault - cmd.run: - - name: systemctl daemon-reload - - order: 1 - - onchanges: - - file: /etc/systemd/system/vault.service - -{% elif grains.init == 'upstart' %} -/etc/init/vault.conf: - file.managed: - - source: salt://vault/files/vault_upstart.conf.jinja - - template: jinja - - user: root - - group: root - - mode: 644 - - order: 1 - - watch_in: - - service: vault - cmd.run: - - name: initctl reload-configuration - - order: 1 - - onchanges: - - file: /etc/init/vault.conf -{% endif -%} - -vault: - service.running: - - enable: true - - watch: - - /usr/local/bin/vault 
diff --git a/vault/service/clean.sls b/vault/service/clean.sls new file mode 100644 index 0000000..0af4ea5 --- /dev/null +++ b/vault/service/clean.sls @@ -0,0 +1,11 @@ +# -*- coding: utf-8 -*- +# vim: ft=sls syntax=yaml softtabstop=2 tabstop=2 shiftwidth=2 expandtab autoindent + +vault-service-clean-service-dead: + service.dead: + - name: vault + - enable: False + +vault-service-clean-file-absent: + file.absent: + - name: /etc/systemd/system/vault.service diff --git a/vault/service/init.sls b/vault/service/init.sls new file mode 100644 index 0000000..8654698 --- /dev/null +++ b/vault/service/init.sls @@ -0,0 +1,21 @@ +# -*- coding: utf-8 -*- +# vim: ft=sls syntax=yaml softtabstop=2 tabstop=2 shiftwidth=2 expandtab autoindent + +{% from "vault/map.jinja" import vault with context %} + +vault-service-init-file-managed: + file.managed: + - name: {{ vault.service.path }} + - source: {{ vault.service.source }} + - template: jinja + - watch_in: + - service: vault + +vault-service-init-service-running: + service.running: + - name: vault + - enable: true + - watch: + - vault-package-install-archive-extracted + - vault-service-init-file-managed + - vault-config-init-file-serialize diff --git a/vault/defaults.yaml b/vault/yaml/defaults.yaml similarity index 80% rename from vault/defaults.yaml rename to vault/yaml/defaults.yaml index 70592f1..59eb5e6 100644 --- a/vault/defaults.yaml +++ b/vault/yaml/defaults.yaml 
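Review bot: `vault-service-init-file-managed` writes the unit or upstart job file without `user`, `group` or `mode`, and it also drops the `systemctl daemon-reload` / `initctl reload-configuration` steps the deleted server.sls ran on change. Recent Salt releases reload systemd themselves when a unit file changes under `service.running`, but I am not aware of equivalent handling for upstart, so the upstart path selected via initfamilymap.yaml may start the previous job definition after an edit. Pinning `- user: root`, `- group: root`, `- mode: 644` on the file state and restoring the upstart reload as a `cmd.run` with `onchanges` on that state keeps the behaviour server.sls had.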
@@ -1,23 +1,24 @@ +# -*- coding: utf-8 -*- +# vim: ft=sls syntax=yaml softtabstop=2 tabstop=2 shiftwidth=2 expandtab autoindent + vault: - version: 0.11.2 - listen_protocol: tcp - listen_port: 8200 - listen_address: 0.0.0.0 - tls_disable: 0 - tls_cert_file: {} - tls_key_file: {} - default_lease_ttl: 24h - max_lease_ttl: 24h - self_signed_cert: - enabled: false - backend: - type: file - path: /var/lib/vault/data - dev_mode: true - secure_download: true - gpg_pkg: gnupg - user: root - group: root + version: 1.1.0 + platform: linux_amd64 + dev_mode: False + verify_download: True + config: + storage: + file: + path: /var/lib/vault/data + listener: + tcp: + address: "127.0.0.1:8200" + tls_disable: True + tls_cert_file: "" + tls_key_file: "" + default_lease_ttl: 768h + max_lease_ttl: 768h + hashicorp_key_id: 51852D87348FFC4C hashicorp_gpg_key: | -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1 @@ -49,4 +50,3 @@ vault: oEIgXTMyCILo34Fa/C6VCm2WBgz9zZO8/rHIiQm1J5zqz0DrDwKBUM9C =LYpS -----END PGP PUBLIC KEY BLOCK----- - hashicorp_key_id: 51852D87348FFC4C diff --git a/vault/yaml/initfamilymap.yaml b/vault/yaml/initfamilymap.yaml new file mode 100644 index 0000000..b68f4e0 --- /dev/null +++ b/vault/yaml/initfamilymap.yaml @@ -0,0 +1,12 @@ +# -*- coding: utf-8 -*- +# vim: ft=sls syntax=yaml softtabstop=2 tabstop=2 shiftwidth=2 expandtab autoindent + +systemd: + service: + path: /etc/systemd/system/vault.service + source: salt://vault/files/vault.service.j2 + +upstart: + service: + path: /etc/init/vault.conf + source: salt://vault/files/vault.conf.j2 diff --git a/vault/yaml/osfamilymap.yaml b/vault/yaml/osfamilymap.yaml new file mode 100644 index 0000000..63343a0 --- /dev/null +++ b/vault/yaml/osfamilymap.yaml @@ -0,0 +1,8 @@ +# -*- coding: utf-8 -*- +# vim: ft=sls syntax=yaml softtabstop=2 tabstop=2 shiftwidth=2 expandtab autoindent + +RedHat: + gpg_pkg: gnupg2 + +Debian: + gpg_pkg: gnupg2 From 297d7842c93246b63daf3b87df7cdf9dfb222d66 Mon Sep 17 00:00:00 2001 
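Review bot: The new listener default turns TLS off — `tls_disable: True` replaces the old `tls_disable: 0` — and PATCH 04's defaults.yaml hunk later keeps it as `"true"` while moving `address` back to `"0.0.0.0:8200"`, so a minion applying the formula with no listener pillar ends up with Vault speaking plaintext on every interface, a regression from the pre-refactor default where TLS was on. Defaults should sit on the secure side: keep `tls_disable: "false"` (or at least the loopback `"127.0.0.1:8200"` bind this hunk introduces) and let the pillar opt out, and adjust the README example in this series, which currently presents the insecure values as the worked example. With TLS on by default, `tls_cert_file: ""` / `tls_key_file: ""` become the values that need documenting as required.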
From: =?UTF-8?q?Robin=20Bj=C3=B6rklin?= Date: Sat, 23 Mar 2019 19:50:43 -0700 Subject: [PATCH 02/14] fix(everything): review comments & tests --- .kitchen.yml | 6 +++--- test/integration/dev_server/vault_spec.rb | 2 +- test/integration/install_binary/vault_spec.rb | 2 +- test/integration/prod_server/vault_spec.rb | 2 +- vault/config/config.sls | 15 +++++++++++++++ vault/config/init.sls | 19 ++++++------------- vault/config/self-sign.sls | 16 ++++++++++++++++ vault/{yaml => }/defaults.yaml | 2 ++ .../{cert-gen.sh.jinja => cert-gen.sh.j2} | 0 vault/{yaml => }/initfamilymap.yaml | 0 vault/map.jinja | 6 +++--- vault/{yaml => }/osfamilymap.yaml | 0 vault/package/init.sls | 4 ++-- vault/service/clean.sls | 4 +++- vault/service/init.sls | 2 -- 15 files changed, 53 insertions(+), 27 deletions(-) create mode 100644 vault/config/config.sls create mode 100644 vault/config/self-sign.sls rename vault/{yaml => }/defaults.yaml (98%) rename vault/files/{cert-gen.sh.jinja => cert-gen.sh.j2} (100%) rename vault/{yaml => }/initfamilymap.yaml (100%) rename vault/{yaml => }/osfamilymap.yaml (100%) diff --git a/.kitchen.yml b/.kitchen.yml index 999a42e..06907c0 100644 --- a/.kitchen.yml +++ b/.kitchen.yml @@ -42,7 +42,7 @@ suites: state_top: base: '*': - - vault + - vault.package pillars: top.sls: base: @@ -52,7 +52,7 @@ suites: vault: # version: 0.11.1 # test upgrades by doing a double-converge, changing the version pillar between each one version: 0.11.2 - secure_download: false + verify_download: False - name: dev_server provisioner: @@ -83,7 +83,7 @@ suites: vault: tls_disable: 1 self_signed_cert: - enabled: true + enabled: True hostname: localhost password: localhost country: GB diff --git a/test/integration/dev_server/vault_spec.rb b/test/integration/dev_server/vault_spec.rb index 2a79a68..8ad9c2b 100644 --- a/test/integration/dev_server/vault_spec.rb +++ b/test/integration/dev_server/vault_spec.rb 
@@ -20,7 +20,7 @@ it { should be_running } end -describe file("/etc/vault/config/server.hcl") do +describe file("/etc/vault/conf.d/config.json") do it { should_not be_a_file } end diff --git a/test/integration/install_binary/vault_spec.rb b/test/integration/install_binary/vault_spec.rb index 0c01d52..34dbb74 100644 --- a/test/integration/install_binary/vault_spec.rb +++ b/test/integration/install_binary/vault_spec.rb @@ -15,6 +15,6 @@ it { should_not be_running } end -describe file("/etc/vault/config/server.hcl") do +describe file("/etc/vault/conf.d/config.json") do it { should_not be_a_file } end diff --git a/test/integration/prod_server/vault_spec.rb b/test/integration/prod_server/vault_spec.rb index 6dfebb7..15a4d5a 100644 --- a/test/integration/prod_server/vault_spec.rb +++ b/test/integration/prod_server/vault_spec.rb @@ -10,7 +10,7 @@ its(:stdout) { should match(/\/vault = cap_ipc_lock\+ep$/) } end -describe file('/etc/vault/config/server.hcl') do +describe file('/etc/vault/conf.d/config.json') do it { should be_a_file } end diff --git a/vault/config/config.sls b/vault/config/config.sls new file mode 100644 index 0000000..7550665 --- /dev/null +++ b/vault/config/config.sls @@ -0,0 +1,15 @@ +# -*- coding: utf-8 -*- +# vim: ft=sls syntax=yaml softtabstop=2 tabstop=2 shiftwidth=2 expandtab autoindent + +{% from "vault/map.jinja" import vault with context -%} + +vault-config-init-file-serialize: + file.serialize: + - name: /etc/vault/conf.d/config.json + - encoding: utf-8 + - formatter: json + - dataset: {{ vault.config | json }} + - user: root + - group: vault + - mode: 640 + - makedirs: True diff --git a/vault/config/init.sls b/vault/config/init.sls index 364021c..60d1c47 100644 --- a/vault/config/init.sls +++ b/vault/config/init.sls 
@@ -1,17 +1,10 @@ # -*- coding: utf-8 -*- # vim: ft=sls syntax=yaml softtabstop=2 tabstop=2 shiftwidth=2 expandtab autoindent -{% from "vault/map.jinja" import vault with context -%} +{% from "vault/map.jinja" import vault with context %} -vault-config-init-file-serialize: - file.serialize: - - name: /etc/vault/conf.d/config.json - - encoding: utf-8 - - formatter: json - - dataset: {{ vault.config | json }} - - user: root - - group: vault - - mode: 640 - - makedirs: True - - watch_in: - - service: vault +include: + - .config + {%- if vault.self_signed_cert.enabled %} + - .self-sign + {%- endif %} diff --git a/vault/config/self-sign.sls b/vault/config/self-sign.sls new file mode 100644 index 0000000..16d2bd5 --- /dev/null +++ b/vault/config/self-sign.sls @@ -0,0 +1,16 @@ +# -*- coding: utf-8 -*- +# vim: ft=sls syntax=yaml softtabstop=2 tabstop=2 shiftwidth=2 expandtab autoindent + +{% from "vault/map.jinja" import vault with context -%} + +vault-config-self-signed-pkg-installed: + pkg.installed: + - name: openssl + +vault-config-self-signed-cmd-script: + cmd.script: + - source: salt://vault/files/cert-gen.sh.j2 + - template: jinja + - args: {{ vault.self_signed_cert.hostname }} {{ vault.self_signed_cert.password }} + - cwd: /etc/vault + - creates: /etc/vault/{{ vault.self_signed_cert.hostname }}.pem diff --git a/vault/yaml/defaults.yaml b/vault/defaults.yaml similarity index 98% rename from vault/yaml/defaults.yaml rename to vault/defaults.yaml index 59eb5e6..1283296 100644 --- a/vault/yaml/defaults.yaml +++ b/vault/defaults.yaml @@ -6,6 +6,8 @@ vault: platform: linux_amd64 dev_mode: False verify_download: True + self_signed_cert: + enabled: False config: storage: file: diff --git a/vault/files/cert-gen.sh.jinja b/vault/files/cert-gen.sh.j2 similarity index 100% rename from vault/files/cert-gen.sh.jinja rename to vault/files/cert-gen.sh.j2 
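Review bot: `vault-config-self-signed-cmd-script` hands the key password to the script as a positional argument (`- args: {{ vault.self_signed_cert.hostname }} {{ vault.self_signed_cert.password }}`), so it is visible to every local user in the process list while the script runs and is kept as part of the state's arguments in Salt's job cache and state output. Since the script is already rendered with `template: jinja`, the password can be referenced inside cert-gen.sh.j2 from the template context, or passed via `- env:` with `  - CERT_PASSWORD: {{ vault.self_signed_cert.password }}` and read from the environment, instead of on the command line; cert-gen.sh.j2 is only renamed in this series, so I cannot see how it consumes its arguments. `- cwd: /etc/vault` also assumes the directory exists, which the formula only creates as a side effect of `makedirs` in config.sls, so this state should `require` that one or manage the directory itself.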
diff --git a/vault/yaml/initfamilymap.yaml b/vault/initfamilymap.yaml similarity index 100% rename from vault/yaml/initfamilymap.yaml rename to vault/initfamilymap.yaml diff --git a/vault/map.jinja b/vault/map.jinja index 812ce2d..ca31ed2 100644 --- a/vault/map.jinja +++ b/vault/map.jinja @@ -1,9 +1,9 @@ # -*- coding: utf-8 -*- # vim: ft=sls syntax=yaml softtabstop=2 tabstop=2 shiftwidth=2 expandtab autoindent -{% import_yaml "vault/yaml/defaults.yaml" as defaults %} -{% import_yaml "vault/yaml/osfamilymap.yaml" as osfamilymap %} -{% import_yaml "vault/yaml/initfamilymap.yaml" as initfamilymap %} +{% import_yaml "vault/defaults.yaml" as defaults %} +{% import_yaml "vault/osfamilymap.yaml" as osfamilymap %} +{% import_yaml "vault/initfamilymap.yaml" as initfamilymap %} {% set vault = salt['grains.filter_by']( defaults, merge=salt['grains.filter_by']( diff --git a/vault/yaml/osfamilymap.yaml b/vault/osfamilymap.yaml similarity index 100% rename from vault/yaml/osfamilymap.yaml rename to vault/osfamilymap.yaml diff --git a/vault/package/init.sls b/vault/package/init.sls index ab8f360..252c4c0 100644 --- a/vault/package/init.sls +++ b/vault/package/init.sls @@ -5,7 +5,7 @@ include: - .install -{%- if vault.verify_download %} + {%- if vault.verify_download %} - .gpg - .signature -{%- endif %} + {%- endif %} diff --git a/vault/service/clean.sls b/vault/service/clean.sls index 0af4ea5..8d8a033 100644 --- a/vault/service/clean.sls +++ b/vault/service/clean.sls @@ -1,6 +1,8 @@ # -*- coding: utf-8 -*- # vim: ft=sls syntax=yaml softtabstop=2 tabstop=2 shiftwidth=2 expandtab autoindent +{% from "vault/map.jinja" import vault with context %} + vault-service-clean-service-dead: service.dead: - name: vault @@ -8,4 +10,4 @@ vault-service-clean-service-dead: vault-service-clean-file-absent: file.absent: - - name: /etc/systemd/system/vault.service + - name: {{ vault.service.path }} diff --git a/vault/service/init.sls b/vault/service/init.sls index 8654698..2cb5b44 100644 
--- a/vault/service/init.sls +++ b/vault/service/init.sls @@ -8,8 +8,6 @@ vault-service-init-file-managed: - name: {{ vault.service.path }} - source: {{ vault.service.source }} - template: jinja - - watch_in: - - service: vault vault-service-init-service-running: service.running: From 507ee9f5ca10e8c1afdb2ea0a8b82951cce43296 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Robin=20Bj=C3=B6rklin?= Date: Sat, 23 Mar 2019 20:02:27 -0700 Subject: [PATCH 03/14] test(config): correct more test cases --- vault/config/init.sls | 2 ++ vault/files/vault.conf.j2 | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/vault/config/init.sls b/vault/config/init.sls index 60d1c47..eaecf6c 100644 --- a/vault/config/init.sls +++ b/vault/config/init.sls @@ -4,7 +4,9 @@ {% from "vault/map.jinja" import vault with context %} include: + {%- if not vault.dev_mode %} - .config + {%- endif %} {%- if vault.self_signed_cert.enabled %} - .self-sign {%- endif %} diff --git a/vault/files/vault.conf.j2 b/vault/files/vault.conf.j2 index 0feb2f5..d40c9ca 100644 --- a/vault/files/vault.conf.j2 +++ b/vault/files/vault.conf.j2 @@ -18,7 +18,7 @@ script {%- if vault.dev_mode %} -dev \ {% else %} - -config="/etc/vault/config/server.hcl" \ + -config="/etc/vault/conf.d/config.json" \ {% endif -%} >>/var/log/vault.log 2>&1 end script From 140db23a2ecc6ef2a2dbe46d3d22ebfe8d462611 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Robin=20Bj=C3=B6rklin?= Date: Sat, 23 Mar 2019 20:32:30 -0700 Subject: [PATCH 04/14] revert(defaults): some defaults were incorrectly changed --- pillar.example | 4 ++-- vault/config/init.sls | 4 ++-- vault/defaults.yaml | 4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/pillar.example b/pillar.example index 58f32af..a7ad891 100644 --- a/pillar.example +++ b/pillar.example 
@@ -13,8 +13,8 @@ vault: path: "vault" listener: tcp: - address: "127.0.0.1:8200" - tls_disable: True + address: "0.0.0.0:8200" + tls_disable: "true" tls_cert_file: "" tls_key_file: "" default_lease_ttl: 768h diff --git a/vault/config/init.sls b/vault/config/init.sls index eaecf6c..e876b60 100644 --- a/vault/config/init.sls +++ b/vault/config/init.sls @@ -3,10 +3,10 @@ {% from "vault/map.jinja" import vault with context %} +{%- if not vault.dev_mode %} include: - {%- if not vault.dev_mode %} - .config - {%- endif %} {%- if vault.self_signed_cert.enabled %} - .self-sign {%- endif %} +{%- endif %} diff --git a/vault/defaults.yaml b/vault/defaults.yaml index 1283296..5292c68 100644 --- a/vault/defaults.yaml +++ b/vault/defaults.yaml @@ -14,8 +14,8 @@ vault: path: /var/lib/vault/data listener: tcp: - address: "127.0.0.1:8200" - tls_disable: True + address: "0.0.0.0:8200" + tls_disable: "true" tls_cert_file: "" tls_key_file: "" default_lease_ttl: 768h From c6ce242833e44a51e17fe973163fdcfb81b2887e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Robin=20Bj=C3=B6rklin?= Date: Sat, 23 Mar 2019 20:51:30 -0700 Subject: [PATCH 05/14] refactor(service): move config watch statement as it breaks in dev_mode --- vault/config/config.sls | 4 +++- vault/service/init.sls | 1 - 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/vault/config/config.sls b/vault/config/config.sls index 7550665..0c3e60e 100644 --- a/vault/config/config.sls +++ b/vault/config/config.sls @@ -3,7 +3,7 @@ {% from "vault/map.jinja" import vault with context -%} -vault-config-init-file-serialize: +vault-config-config-file-serialize: file.serialize: - name: /etc/vault/conf.d/config.json - encoding: utf-8 @@ -13,3 +13,5 @@ vault-config-init-file-serialize: - group: vault - mode: 640 - makedirs: True + - watch_in: + - vault-service-init-service-running diff --git a/vault/service/init.sls b/vault/service/init.sls index 2cb5b44..9d95692 100644 --- a/vault/service/init.sls +++ b/vault/service/init.sls 
@@ -16,4 +16,3 @@ vault-service-init-service-running:
 - watch:
 - vault-package-install-archive-extracted
 - vault-service-init-file-managed
- - vault-config-init-file-serialize
From a640f019242271e9d7868fbc65e607d51b43d40b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Robin=20Bj=C3=B6rklin?=
Date: Sun, 24 Mar 2019 14:25:54 -0700
Subject: [PATCH 06/14] refactor(map.jinja): cleanup map.jinja merge & add lookup

---
 vault/map.jinja | 19 +++++++++++--------
 1 file changed, 11 insertions(+), 8 deletions(-)

diff --git a/vault/map.jinja b/vault/map.jinja
index ca31ed2..d0199e2 100644
--- a/vault/map.jinja
+++ b/vault/map.jinja
@@ -5,11 +5,14 @@
 {% import_yaml "vault/osfamilymap.yaml" as osfamilymap %}
 {% import_yaml "vault/initfamilymap.yaml" as initfamilymap %}
 
-{% set vault = salt['grains.filter_by'](
- defaults, merge=salt['grains.filter_by'](
- osfamilymap, merge=salt['grains.filter_by'](
- initfamilymap, grain='init', merge=salt['pillar.get']('vault', {}),
- base='vault'),
- base='vault'),
- base='vault') -%}
+{%- set merged_defaults = salt['grains.filter_by'](defaults,
+ default='vault',
+ merge=salt['grains.filter_by'](osfamilymap, grain='os_family',
+ merge=salt['grains.filter_by'](initfamilymap, grain='init',
+ merge=salt['pillar.get']('vault:lookup', default={})
+ )
+ )
+) %}
+
+{#- Merge the vault pillar #}
+{%- set vault = salt['pillar.get']('vault', default=merged_defaults, merge=True) %}
From 65482c2ffbdf173c1eddb87f0760f2cb1683f0d6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Robin=20Bj=C3=B6rklin?=
Date: Mon, 25 Mar 2019 08:06:27 -0700
Subject: [PATCH 07/14] fix(package): fix more review comments

* remove "backend file" from defaults as it was always added due to being a default
---
 vault/config/config.sls | 2 +-
 vault/defaults.yaml | 3 ---
 vault/map.jinja | 6 ++---
 vault/package/clean.sls | 7 +++--
 vault/package/gpg.sls | 20 --------------
 vault/package/{signature.sls => gpg/init.sls} | 26 +++++++++++++++----
 vault/package/init.sls | 1 -
 vault/package/install.sls | 2 +-
 vault/service/init.sls | 4 +--
 9 files changed, 31 insertions(+), 40 deletions(-)
 delete mode 100644 vault/package/gpg.sls
 rename vault/package/{signature.sls => gpg/init.sls} (54%)

diff --git a/vault/config/config.sls b/vault/config/config.sls
index 0c3e60e..a238964 100644
--- a/vault/config/config.sls
+++ b/vault/config/config.sls
@@ -14,4 +14,4 @@ vault-config-config-file-serialize:
 - mode: 640
 - makedirs: True
 - watch_in:
- - vault-service-init-service-running
+ - service: vault-service-init-service-running
diff --git a/vault/defaults.yaml b/vault/defaults.yaml
index 5292c68..6680566 100644
--- a/vault/defaults.yaml
+++ b/vault/defaults.yaml
@@ -9,9 +9,6 @@ vault:
 self_signed_cert:
 enabled: False
 config:
- storage:
- file:
- path: /var/lib/vault/data
 listener:
 tcp:
 address: "0.0.0.0:8200"
diff --git a/vault/map.jinja b/vault/map.jinja
index d0199e2..8c84916 100644
--- a/vault/map.jinja
+++ b/vault/map.jinja
@@ -1,9 +1,9 @@
 # -*- coding: utf-8 -*-
 # vim: ft=sls syntax=yaml softtabstop=2 tabstop=2 shiftwidth=2 expandtab autoindent
 
-{% import_yaml "vault/defaults.yaml" as defaults %}
-{% import_yaml "vault/osfamilymap.yaml" as osfamilymap %}
-{% import_yaml "vault/initfamilymap.yaml" as initfamilymap %}
+{% import_yaml "vault/defaults.yaml" or {} as defaults %}
+{% import_yaml "vault/osfamilymap.yaml" or {} as osfamilymap %}
+{% import_yaml "vault/initfamilymap.yaml" or {} as initfamilymap %}
 
 {%- set merged_defaults = salt['grains.filter_by'](defaults,
 default='vault',
diff --git a/vault/package/clean.sls b/vault/package/clean.sls
index 9b35503..a31d808 100644
--- a/vault/package/clean.sls
+++ b/vault/package/clean.sls
@@ -3,6 +3,9 @@
 
 {% from "vault/map.jinja" import vault with context %}
 
+include:
+ - .gpg.clean
+
 vault-package-clean-file-absent:
 file.absent:
 - name: /opt/vault
@@ -11,10 +14,6 @@ vault-package-clean-file-absent-data:
 file.absent:
 - name: /var/lib/vault
 
-vault-package-clean-cmd-run:
- cmd.run:
- - name: gpg --batch --yes --delete-key {{ vault.hashicorp_key_id }}
-
 vault-package-clean-user-absent:
 user.absent:
 - name: vault
diff --git a/vault/package/gpg.sls b/vault/package/gpg.sls
deleted file mode 100644
index b34f104..0000000
--- a/vault/package/gpg.sls
+++ /dev/null
@@ -1,20 +0,0 @@
-# -*- coding: utf-8 -*-
-# vim: ft=sls syntax=yaml softtabstop=2 tabstop=2 shiftwidth=2 expandtab autoindent
-
-{% from "vault/map.jinja" import vault with context %}
-
-vault-package-gpg-file-managed:
- file.managed:
- - name: /opt/vault/hashicorp.asc
- - contents: |
- {{ vault.hashicorp_gpg_key | indent(8) }}
- - makedirs: True
-
-vault-package-gpg-pkg-installed:
- pkg.installed:
- - name: {{ vault.gpg_pkg }}
-
-vault-package-gpg-cmd-run:
- cmd.run:
- - name: gpg --import /opt/vault/hashicorp.asc
- - unless: gpg --list-keys {{ vault.hashicorp_key_id }}
diff --git a/vault/package/signature.sls b/vault/package/gpg/init.sls
similarity index 54%
rename from vault/package/signature.sls
rename to vault/package/gpg/init.sls
index 47a0d17..e5b7000 100644
--- a/vault/package/signature.sls
+++ b/vault/package/gpg/init.sls
@@ -3,23 +3,39 @@
 
 {% from "vault/map.jinja" import vault with context %}
 
-vault-package-signature-file-managed-checksum:
+vault-package-gpg-file-managed:
+ file.managed:
+ - name: /opt/vault/hashicorp.asc
+ - contents: |
+ {{ vault.hashicorp_gpg_key | indent(8) }}
+ - makedirs: True
+
+vault-package-gpg-pkg-installed:
+ pkg.installed:
+ - name: {{ vault.gpg_pkg }}
+
+vault-package-gpg-cmd-run-import:
+ cmd.run:
+ - name: gpg --import /opt/vault/hashicorp.asc
+ - unless: gpg --list-keys {{ vault.hashicorp_key_id }}
+
+vault-package-gpg-file-managed-checksum:
 file.managed:
 - name: /opt/vault/{{ vault.version }}_SHA256SUMS
 - source: https://releases.hashicorp.com/vault/{{ vault.version }}/vault_{{ vault.version }}_SHA256SUMS
 - skip_verify: True
 - makedirs: True
 
-vault-package-signature-file-managed-signature:
+vault-package-gpg-file-managed-signature:
 file.managed:
 - name: /opt/vault/{{ vault.version }}_SHA256SUMS.sig
 - source: https://releases.hashicorp.com/vault/{{ vault.version }}/vault_{{ vault.version }}_SHA256SUMS.sig
 - skip_verify: True
 - makedirs: True
 
-vault-package-signature-cmd-run:
+vault-package-gpg-cmd-run-verify:
 cmd.run:
 - name: gpg --verify /opt/vault/{{ vault.version }}_SHA256SUMS.sig /opt/vault/{{ vault.version }}_SHA256SUMS
 - onchanges:
- - vault-package-signature-file-managed-checksum
- - vault-package-signature-file-managed-signature
+ - file: vault-package-gpg-file-managed-checksum
+ - file: vault-package-gpg-file-managed-signature
diff --git a/vault/package/init.sls b/vault/package/init.sls
index 252c4c0..4e8caba 100644
--- a/vault/package/init.sls
+++ b/vault/package/init.sls
@@ -7,5 +7,4 @@ include:
 - .install
 {%- if vault.verify_download %}
 - .gpg
- - .signature
 {%- endif %}
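Review bot: Nothing makes the binary installation depend on `vault-package-gpg-cmd-run-verify` succeeding: `vault/package/init.sls` includes `.install` before `.gpg`, and the extraction state in `install.sls` carries no requisite on the verify state, so the zip is unpacked (and, through the service watch, started) before the signature check runs and regardless of its result. The verify state should gate extraction, e.g. add to `vault-package-gpg-cmd-run-verify` the lines `- require_in:` / `- archive: vault-package-install-archive-extracted`, or place the equivalent `require` on the install side under `{%- if vault.verify_download %}`. Note also that `gpg --verify` exits 0 for a valid signature from any key in root's keyring, not only the imported HashiCorp key, so pinning the keyring (`--keyring`) or checking the signing fingerprint in the command would tighten the check. The same ordering gap remains after the PATCH 09 hunks that move the checksum download into `install.sls` and point `onchanges` at `vault-package-install-file-managed`.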
diff --git a/vault/package/install.sls b/vault/package/install.sls
index 9da4b8d..ae2e420 100644
--- a/vault/package/install.sls
+++ b/vault/package/install.sls
@@ -38,4 +38,4 @@ vault-package-install-cmd-run:
 cmd.run:
 - name: setcap cap_ipc_lock=+ep /opt/vault/bin/vault
 - onchanges:
- - vault-package-install-archive-extracted
+ - archive: vault-package-install-archive-extracted
diff --git a/vault/service/init.sls b/vault/service/init.sls
index 9d95692..61e5835 100644
--- a/vault/service/init.sls
+++ b/vault/service/init.sls
@@ -14,5 +14,5 @@ vault-service-init-service-running:
 - name: vault
 - enable: true
 - watch:
- - vault-package-install-archive-extracted
- - vault-service-init-file-managed
+ - archive: vault-package-install-archive-extracted
+ - file: vault-service-init-file-managed
From d0ed5e5a98423f567c74fd903e611047ea03f8da Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Robin=20Bj=C3=B6rklin?=
Date: Mon, 25 Mar 2019 22:27:45 -0700
Subject: [PATCH 08/14] fix(package): add missed cleanup & add storage backend to prod test

---
 .kitchen.yml | 4 ++++
 vault/package/gpg/clean.sls | 21 +++++++++++++++++++++
 2 files changed, 25 insertions(+)
 create mode 100644 vault/package/gpg/clean.sls

diff --git a/.kitchen.yml b/.kitchen.yml
index 06907c0..b70ad56 100644
--- a/.kitchen.yml
+++ b/.kitchen.yml
@@ -81,6 +81,10 @@ suites:
 - vault
 vault.sls:
 vault:
+ config:
+ storage:
+ file:
+ path: /var/lib/vault/data
 tls_disable: 1
 self_signed_cert:
 enabled: True
diff --git a/vault/package/gpg/clean.sls b/vault/package/gpg/clean.sls
new file mode 100644
index 0000000..d31f2f0
--- /dev/null
+++ b/vault/package/gpg/clean.sls
@@ -0,0 +1,21 @@
+# -*- coding: utf-8 -*-
+# vim: ft=sls syntax=yaml softtabstop=2 tabstop=2 shiftwidth=2 expandtab autoindent
+
+{% from "vault/map.jinja" import vault with context %}
+
+vault-package-gpg-clean-cmd-run:
+ cmd.run:
+ - name: gpg --batch --yes --delete-key {{ vault.hashicorp_key_id }}
+ - onlyif: gpg --list-keys {{ vault.hashicorp_key_id }}
+
+vault-package-gpg-clean-file-absent:
+ file.absent:
+ - name: /opt/vault/hashicorp.asc
+
+vault-package-gpg-clean-file-absent-checksum:
+ file.absent:
+ - name: /opt/vault/{{ vault.version }}_SHA256SUMS
+
+vault-package-gpg-clean-file-absent-signature:
+ file.absent:
+ - name: /opt/vault/{{ vault.version }}_SHA256SUMS.sig
From b7b0d1d59caac2aadfeeaac1e0168daeb6a45f99 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Robin=20Bj=C3=B6rklin?=
Date: Tue, 26 Mar 2019 21:10:02 -0700
Subject: [PATCH 09/14] fix(upgrade): upgrade procedure & add MacOS platform

---
 .kitchen.yml | 4 ++--
 vault/defaults.yaml | 3 +--
 vault/osfamilymap.yaml | 5 +++++
 vault/package/gpg/init.sls | 9 +--------
 vault/package/install.sls | 18 +++++++++++++++++-
 5 files changed, 26 insertions(+), 13 deletions(-)

diff --git a/.kitchen.yml b/.kitchen.yml
index b70ad56..aa52c30 100644
--- a/.kitchen.yml
+++ b/.kitchen.yml
@@ -50,8 +50,8 @@ suites:
 - vault
 vault.sls:
 vault:
-# version: 0.11.1 # test upgrades by doing a double-converge, changing the version pillar between each one
- version: 0.11.2
+# version: 1.0.3 # test upgrades by doing a double-converge, changing the version pillar between each one
+ version: 1.1.0
 verify_download: False
 
 - name: dev_server
diff --git a/vault/defaults.yaml b/vault/defaults.yaml
index 6680566..7283c30 100644
--- a/vault/defaults.yaml
+++ b/vault/defaults.yaml
@@ -2,8 +2,7 @@
 # vim: ft=sls syntax=yaml softtabstop=2 tabstop=2 shiftwidth=2 expandtab autoindent
 
 vault:
- version: 1.1.0
- platform: linux_amd64
+ version: 1.0.3
 dev_mode: False
 verify_download: True
 self_signed_cert:
diff --git a/vault/osfamilymap.yaml b/vault/osfamilymap.yaml
index 63343a0..d15d7f4 100644
--- a/vault/osfamilymap.yaml
+++ b/vault/osfamilymap.yaml
@@ -2,7 +2,12 @@
 # vim: ft=sls syntax=yaml softtabstop=2 tabstop=2 shiftwidth=2 expandtab autoindent
 
 RedHat:
+ platform: linux_amd64
 gpg_pkg: gnupg2
 
 Debian:
 gpg_pkg: gnupg2
+ platform: linux_amd64
+
+MacOS:
+ platform: darwin_amd64
diff --git a/vault/package/gpg/init.sls b/vault/package/gpg/init.sls
index e5b7000..a1e6ef6 100644
--- a/vault/package/gpg/init.sls
+++ b/vault/package/gpg/init.sls
@@ -19,13 +19,6 @@ vault-package-gpg-cmd-run-import:
 - name: gpg --import /opt/vault/hashicorp.asc
 - unless: gpg --list-keys {{ vault.hashicorp_key_id }}
 
-vault-package-gpg-file-managed-checksum:
- file.managed:
- - name: /opt/vault/{{ vault.version }}_SHA256SUMS
- - source: https://releases.hashicorp.com/vault/{{ vault.version }}/vault_{{ vault.version }}_SHA256SUMS
- - skip_verify: True
- - makedirs: True
-
 vault-package-gpg-file-managed-signature:
 file.managed:
 - name: /opt/vault/{{ vault.version }}_SHA256SUMS.sig
@@ -37,5 +30,5 @@ vault-package-gpg-cmd-run-verify:
 cmd.run:
 - name: gpg --verify /opt/vault/{{ vault.version }}_SHA256SUMS.sig /opt/vault/{{ vault.version }}_SHA256SUMS
 - onchanges:
- - file: vault-package-gpg-file-managed-checksum
+ - file: vault-package-install-file-managed
 - file: vault-package-gpg-file-managed-signature
diff --git a/vault/package/install.sls b/vault/package/install.sls
index ae2e420..f940580 100644
--- a/vault/package/install.sls
+++ b/vault/package/install.sls
@@ -20,13 +20,29 @@ vault-package-install-file-directory:
 - name: /opt/vault/bin
 - makedirs: True
 
+vault-package-install-file-managed:
+ file.managed:
+ - name: /opt/vault/{{ vault.version }}_SHA256SUMS
+ - source: https://releases.hashicorp.com/vault/{{ vault.version }}/vault_{{ vault.version }}_SHA256SUMS
+ - skip_verify: True
+ - makedirs: True
+
+vault-package-install-service-dead:
+ service.dead:
+ - name: vault
+ - onchanges:
+ - file: vault-package-install-file-managed
+
 vault-package-install-archive-extracted:
 archive.extracted:
 - name: /opt/vault/bin
 - source: https://releases.hashicorp.com/vault/{{ vault.version }}/vault_{{ vault.version }}_{{ vault.platform }}.zip
 - source_hash: https://releases.hashicorp.com/vault/{{ vault.version }}/vault_{{ vault.version }}_SHA256SUMS
 - source_hash_name: vault_{{ vault.version }}_{{ vault.platform }}.zip
- - enforce_toplevel: false
+ - enforce_toplevel: False
+ - overwrite: True
+ - onchanges:
+ - file: vault-package-install-file-managed
 
 vault-package-install-file-symlink:
 file.symlink:
From 1f533d3c3107ce99c4840cee210bea09471a46ea Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Robin=20Bj=C3=B6rklin?=
Date: Tue, 26 Mar 2019 21:35:59 -0700
Subject: [PATCH 10/14] test(manual): update test, clean link

* don't try to stop non-existing service
---
 .kitchen.yml | 4 ++--
 test/integration/install_binary/vault_spec.rb | 2 +-
 vault/package/clean.sls | 4 ++++
 vault/package/install.sls | 1 +
 vault/service/init.sls | 2 +-
 5 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/.kitchen.yml b/.kitchen.yml
index aa52c30..60865a0 100644
--- a/.kitchen.yml
+++ b/.kitchen.yml
@@ -50,8 +50,8 @@ suites:
 - vault
 vault.sls:
 vault:
-# version: 1.0.3 # test upgrades by doing a double-converge, changing the version pillar between each one
- version: 1.1.0
+# version: 1.1.0 # test upgrades by doing a double-converge, changing the version pillar between each one
+ version: 1.0.3
 verify_download: False
 
 - name: dev_server
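Review bot: `vault-package-install-archive-extracted` still takes `source_hash` from the remote SHA256SUMS URL rather than from `/opt/vault/{{ vault.version }}_SHA256SUMS`, which `vault-package-install-file-managed` has just downloaded and which is the file `gpg --verify` in `gpg/init.sls` inspects; the hash applied to the zip therefore comes from a second, separately fetched copy that no signature check ever sees. Pointing the state at the local file, `- source_hash: /opt/vault/{{ vault.version }}_SHA256SUMS`, would make the verified sums the ones actually used, provided archive.extracted accepts a local path for source_hash (I believe it does; confirm against the Salt version in use). Separately, the stop-before-overwrite ordering between `vault-package-install-service-dead` and the extraction relies only on declaration order; an explicit `- require:` / `- service: vault-package-install-service-dead` on the extraction makes that intent survive future reordering.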
diff --git a/test/integration/install_binary/vault_spec.rb b/test/integration/install_binary/vault_spec.rb
index 34dbb74..33a6892 100644
--- a/test/integration/install_binary/vault_spec.rb
+++ b/test/integration/install_binary/vault_spec.rb
@@ -6,7 +6,7 @@ describe command('/usr/local/bin/vault -version') do
 its(:exit_status) { should eq 0 }
 its(:stderr) { should be_empty }
- its(:stdout) { should match(/^Vault v0.11.2 \('2b1a4304374712953ff606c6a925bbe90a4e85dd'\)/) }
+ its(:stdout) { should match(/^Vault v1.0.3 \('85909e3373aa743c34a6a0ab59131f61fd9e8e43'\)/) }
 end
 
 describe service('vault') do
diff --git a/vault/package/clean.sls b/vault/package/clean.sls
index a31d808..4bdf556 100644
--- a/vault/package/clean.sls
+++ b/vault/package/clean.sls
@@ -14,6 +14,10 @@ vault-package-clean-file-absent-data:
 file.absent:
 - name: /var/lib/vault
 
+vault-package-clean-file-absent-link:
+ file.absent:
+ - name: /usr/local/bin/vault
+
 vault-package-clean-user-absent:
 user.absent:
 - name: vault
diff --git a/vault/package/install.sls b/vault/package/install.sls
index f940580..038e479 100644
--- a/vault/package/install.sls
+++ b/vault/package/install.sls
@@ -32,6 +32,7 @@ vault-package-install-service-dead:
 - name: vault
 - onchanges:
 - file: vault-package-install-file-managed
+ - onlyif: test -f /etc/systemd/system/vault.service
 
 vault-package-install-archive-extracted:
 archive.extracted:
diff --git a/vault/service/init.sls b/vault/service/init.sls
index 61e5835..53d28f3 100644
--- a/vault/service/init.sls
+++ b/vault/service/init.sls
@@ -12,7 +12,7 @@ vault-service-init-file-managed:
 vault-service-init-service-running:
 service.running:
 - name: vault
- - enable: true
+ - enable: True
 - watch:
 - archive: vault-package-install-archive-extracted
 - file: vault-service-init-file-managed
From 1b1611fb3ef4111129b431542e5f7d2b341a88e7 Mon Sep 17 00:00:00 2001
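Review bot: The new `onlyif: test -f /etc/systemd/system/vault.service` hard-codes the systemd unit path, while the unit is actually rendered at `{{ vault.service.path }}` (see `vault-service-init-file-managed` in `vault/service/init.sls`); on a host where that path differs, such as the upstart systems the next commit re-adds support for, the guard is false and Vault is left running while `archive.extracted` overwrites its binary. Using the same map value keeps the guard in step with the unit location: `- onlyif: test -f {{ vault.service.path }}`. `vault-package-install-service-dead` begins outside this hunk.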
From: =?UTF-8?q?Robin=20Bj=C3=B6rklin?=
Date: Fri, 29 Mar 2019 21:31:43 -0700
Subject: [PATCH 11/14] fix(service): re-add support for Ubuntu 14.04 and older

---
 vault/service/init.sls | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/vault/service/init.sls b/vault/service/init.sls
index 53d28f3..2717c65 100644
--- a/vault/service/init.sls
+++ b/vault/service/init.sls
@@ -8,6 +8,12 @@ vault-service-init-file-managed:
 - name: {{ vault.service.path }}
 - source: {{ vault.service.source }}
 - template: jinja
+{% if grains.init == 'upstart' %}
+ cmd.run:
+ - name: initctl reload-configuration
+ - onchanges:
+ - file: vault-service-init-file-managed
+{% endif -%}
 
 vault-service-init-service-running:
 service.running:
From 8d74960669413bd1571eefbe9d596b135ebe00d7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Robin=20Bj=C3=B6rklin?=
Date: Fri, 29 Mar 2019 21:36:13 -0700
Subject: [PATCH 12/14] test(install_binary): fix version & hash returned by vault v1.1.0

---
 test/integration/install_binary/vault_spec.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/test/integration/install_binary/vault_spec.rb b/test/integration/install_binary/vault_spec.rb
index 33a6892..0c4aeaa 100644
--- a/test/integration/install_binary/vault_spec.rb
+++ b/test/integration/install_binary/vault_spec.rb
@@ -6,7 +6,7 @@ describe command('/usr/local/bin/vault -version') do
 its(:exit_status) { should eq 0 }
 its(:stderr) { should be_empty }
- its(:stdout) { should match(/^Vault v1.0.3 \('85909e3373aa743c34a6a0ab59131f61fd9e8e43'\)/) }
+ its(:stdout) { should match(/^Vault v1.1.0 \('36aa8c8dd1936e10ebd7a4c1d412ae0e6f7900bd'\)/) }
 end
 
 describe service('vault') do
From 7671f87710fbebf8041f8c96a395abaaff42e5fb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Robin=20Bj=C3=B6rklin?=
Date: Fri, 29 Mar 2019 22:05:18 -0700
Subject: [PATCH 13/14] feat(version): bump version to 1.1.0

---
 vault/defaults.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

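Review bot: The upstart branch tests `grains.init == 'upstart'` inline, whereas every other init-specific value in the formula is resolved through `vault/initfamilymap.yaml` via the `grain='init'` merge in `map.jinja`, so this hunk is now the only place an init name is hard-coded in an SLS. A map-driven value (for example a reload command set only for the upstart family, key name is a suggestion) guarded by `{% if vault.service.reload_cmd is defined %}` would keep the SLS free of grain checks. Attaching `cmd.run` to the `vault-service-init-file-managed` ID is valid, but a dedicated ID such as `vault-service-init-cmd-run` matches the `<formula>-<sub>-<state>-<module>` naming used throughout the series.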
diff --git a/vault/defaults.yaml b/vault/defaults.yaml
index 7283c30..3357b68 100644
--- a/vault/defaults.yaml
+++ b/vault/defaults.yaml
@@ -2,7 +2,7 @@
 # vim: ft=sls syntax=yaml softtabstop=2 tabstop=2 shiftwidth=2 expandtab autoindent
 
 vault:
- version: 1.0.3
+ version: 1.1.0
 dev_mode: False
 verify_download: True
 self_signed_cert:
From 7fed7e67252604a4f94678e5607224356ea965c6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Robin=20Bj=C3=B6rklin?=
Date: Fri, 29 Mar 2019 22:27:19 -0700
Subject: [PATCH 14/14] test(kitchen): change version pillar

---
 .kitchen.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.kitchen.yml b/.kitchen.yml
index 60865a0..aa52c30 100644
--- a/.kitchen.yml
+++ b/.kitchen.yml
@@ -50,8 +50,8 @@ suites:
 - vault
 vault.sls:
 vault:
-# version: 1.1.0 # test upgrades by doing a double-converge, changing the version pillar between each one
- version: 1.0.3
+# version: 1.0.3 # test upgrades by doing a double-converge, changing the version pillar between each one
+ version: 1.1.0
 verify_download: False
 
 - name: dev_server