From 6ae40d18557c972085a8bf1335649c41e00a9468 Mon Sep 17 00:00:00 2001 From: Dafydd Jones Date: Mon, 8 Oct 2018 19:03:31 +0100 Subject: [PATCH 01/17] use grains.init instead of pillar item service.type so that we don't have to configure this in pillar, and/or potentially get it wrong --- README.rst | 2 -- pillar.example | 4 +--- vault/defaults.yaml | 2 -- vault/server.sls | 4 ++-- 4 files changed, 3 insertions(+), 9 deletions(-) diff --git a/README.rst b/README.rst index a68eac7..f317efe 100644 --- a/README.rst +++ b/README.rst @@ -39,8 +39,6 @@ To use it, just include *vault.server* in your *top.sls*, and configure it using enabled: false backend: {} dev_mode: true - service: - type: systemd Issues ====== diff --git a/pillar.example b/pillar.example index 6b484e7..7ff1655 100644 --- a/pillar.example +++ b/pillar.example @@ -13,8 +13,6 @@ vault: backend: {} dev_mode: true secure_download: true - service: - type: upstart user: root group: root hashicorp_gpg_key: | @@ -48,4 +46,4 @@ vault: oEIgXTMyCILo34Fa/C6VCm2WBgz9zZO8/rHIiQm1J5zqz0DrDwKBUM9C =LYpS -----END PGP PUBLIC KEY BLOCK----- - hashicorp_key_id: 51852D87348FFC4C \ No newline at end of file + hashicorp_key_id: 51852D87348FFC4C diff --git a/vault/defaults.yaml b/vault/defaults.yaml index 5c0a851..bf06573 100644 --- a/vault/defaults.yaml +++ b/vault/defaults.yaml @@ -13,8 +13,6 @@ vault: backend: {} dev_mode: true secure_download: true - service: - type: systemd user: root group: root hashicorp_gpg_key: | diff --git a/vault/server.sls b/vault/server.sls index aa8dd54..9a7c014 100644 --- a/vault/server.sls +++ b/vault/server.sls @@ -40,7 +40,7 @@ generate self signed SSL certs: - require: - file: /etc/vault/config -{%- if vault.service.type == 'systemd' %} +{%- if grains.init == 'systemd' %} /etc/systemd/system/vault.service: file.managed: - source: salt://vault/files/vault_systemd.service.jinja 
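Review bot: `{%- if grains.init == 'systemd' %}` here and `{% elif grains.init == 'upstart' %}` in the next hunk have no `else`, so on a minion whose `init` grain is anything else (sysvinit, or whatever Salt reports when it cannot detect the init system, which in my experience happens inside containers) no unit file is rendered and the failure only surfaces later as `service: vault` refusing to start. Add a closing branch that fails at render time with a clear message, e.g. `{% else %}` / `vault-unsupported-init: test.fail_without_changes: - name: "vault: unsupported init system '{{ grains.init }}'"` / `{% endif -%}`. Since this commit also drops the `service.type` override from README.rst, pillar.example and defaults.yaml, the README should state that the init system is now taken from the `init` grain.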
@@ -51,7 +51,7 @@ generate self signed SSL certs: - require_in: - service: vault -{% elif vault.service.type == 'upstart' %} +{% elif grains.init == 'upstart' %} /etc/init/vault.conf: file.managed: - source: salt://vault/files/vault_upstart.conf.jinja From f08b68eaa85cc14b5b4e83d1b42446165c663373 Mon Sep 17 00:00:00 2001 From: Dafydd Jones Date: Mon, 8 Oct 2018 19:05:01 +0100 Subject: [PATCH 02/17] tests: remove service.type pillar, and test for case when no pillar is supplied --- .kitchen.yml | 11 ----------- 1 file changed, 11 deletions(-) diff --git a/.kitchen.yml b/.kitchen.yml index 34948a3..f3005d1 100644 --- a/.kitchen.yml +++ b/.kitchen.yml @@ -43,15 +43,6 @@ suites: '*': - vault - vault.server - pillars: - top.sls: - base: - '*': - - vault - vault.sls: - vault: - service: - type: systemd - name: dev_server_upstart_s3 includes: - amazonlinux @@ -68,8 +59,6 @@ suites: - vault vault.sls: vault: - service: - type: upstart backend: type: s3 bucket: com-saltstack-vault From 774920e04c52c30d1b17a53735c2394803a53a9d Mon Sep 17 00:00:00 2001 
From: Dafydd Jones Date: Thu, 11 Oct 2018 10:56:50 +0100 Subject: [PATCH 03/17] test: combine tests for systemd/upstart into one dev mode test and add test for production mode test two main modes of operation: dev - no config file needed, but service up and running prod - installs a config file and tests service is up and running production mode was previously untested and formula contained errors turn off salt debug logging to speed things up a little --- .kitchen.yml | 24 +++----- test/integration/dev_server/vault_spec.rb | 52 ++++++++++++++++ .../dev_server_systemd/vault_spec.rb | 41 ------------- .../dev_server_upstart_s3/vault_spec.rb | 60 ------------------- test/integration/prod_server/vault_spec.rb | 52 ++++++++++++++++ 5 files changed, 111 insertions(+), 118 deletions(-) create mode 100644 test/integration/dev_server/vault_spec.rb delete mode 100644 test/integration/dev_server_systemd/vault_spec.rb delete mode 100644 test/integration/dev_server_upstart_s3/vault_spec.rb create mode 100644 test/integration/prod_server/vault_spec.rb diff --git a/.kitchen.yml b/.kitchen.yml index f3005d1..2566dd9 100644 --- a/.kitchen.yml +++ b/.kitchen.yml @@ -3,6 +3,7 @@ driver: name: docker use_sudo: false privileged: true + run_command: /sbin/init verifier: name: inspec @@ -10,7 +11,6 @@ verifier: provisioner: name: salt_solo salt_version: latest - log_level: debug require_chef: false formula: vault 
@@ -19,38 +19,29 @@ platforms: driver_config: provision_command: - apt-get update && apt-get install -y locales && locale-gen en_US.UTF-8 - run_command: /sbin/init - pid_one_command: /usr/lib/systemd/systemd - name: centos-7 driver_config: - run_command: /sbin/init - pid_one_command: /usr/lib/systemd/systemd + provision_command: + - yum -y install net-tools # needed by inspec - name: amazonlinux driver_config: provision_command: - yum install -y epel-release image: amazonlinux:1 platform: rhel - run_command: /sbin/init suites: - - name: dev_server_systemd - excludes: - - amazonlinux + - name: dev_server provisioner: state_top: base: '*': - - vault - vault.server - - name: dev_server_upstart_s3 - includes: - - amazonlinux + - name: prod_server provisioner: state_top: base: '*': - - vault - vault.server pillars: top.sls: @@ -59,6 +50,5 @@ suites: - vault vault.sls: vault: - backend: - type: s3 - bucket: com-saltstack-vault + dev_mode: false + tls_disable: 1 diff --git a/test/integration/dev_server/vault_spec.rb b/test/integration/dev_server/vault_spec.rb new file mode 100644 index 0000000..2a79a68 --- /dev/null +++ b/test/integration/dev_server/vault_spec.rb 
@@ -0,0 +1,52 @@
+describe command('/usr/local/bin/vault -version') do
+ its(:exit_status) { should eq 0 }
+ its(:stderr) { should be_empty }
+ its(:stdout) { should match(/^Vault v[0-9\.]+ \('[0-9a-f]+'\)/) }
+end
+
+describe.one do
+ describe file('/etc/systemd/system/vault.service') do
+ it { should be_a_file }
+ its(:content) { should_not match /syslog/ }
+ end
+
+ describe file('/etc/init/vault.conf') do
+ it { should be_a_file }
+ end
+end
+
+describe service('vault') do
+ it { should be_enabled }
+ it { should be_running }
+end
+
+describe file("/etc/vault/config/server.hcl") do
+ it { should_not be_a_file }
+end
+
+describe.one do
+ describe command('journalctl -u vault') do
+ its(:exit_status) { should eq 0 }
+ its(:stderr) { should be_empty }
+ its(:stdout) { should match /WARNING! dev mode is enabled!/ }
+ end
+
+ describe file('/var/log/vault.log') do
+ it { should be_a_file }
+ its(:content) { should match(/WARNING! dev mode is enabled!/) }
+ end
+end
+
+describe port(8200) do
+ it { should be_listening }
+ its('processes') { should include 'vault' }
+end
+
+describe http('http://127.0.0.1:8200/v1/sys/seal-status') do
+ its('status') { should cmp 200 }
+end
+
+describe json(content: http('http://127.0.0.1:8200/v1/sys/seal-status').body) do
+ its('initialized') { should eq true }
+ its('sealed') { should eq false }
+end
diff --git a/test/integration/dev_server_systemd/vault_spec.rb b/test/integration/dev_server_systemd/vault_spec.rb
deleted file mode 100644
index 9c1b841..0000000
--- a/test/integration/dev_server_systemd/vault_spec.rb
+++ /dev/null
@@ -1,41 +0,0 @@ -describe command('/usr/local/bin/vault -version') do - its(:exit_status) { should eq 0 } - its(:stderr) { should be_empty } - its(:stdout) { should match(/^Vault v[0-9\.]+ \('[0-9a-f]+'\)/) } -end - -describe file('/etc/vault/config/server.hcl') do - it { should be_a_file } - expected =<<-EOF -listener "tcp" { - address = "0.0.0.0:8200" - tls_disable = 0 - -} - -default_lease_ttl="24h" -max_lease_ttl="24h" -EOF - its(:content) { should eq(expected) } -end - -describe file('/etc/systemd/system/vault.service') do - it { should be_a_file } - its(:content) { should_not match /syslog/ } -end - -describe file('/etc/init/vault.conf') do - it { should_not be_a_file } -end - -describe service('vault') do - it { should be_enabled } - it { should be_running } -end - -describe command('journalctl -u vault') do - its(:exit_status) { should eq 0 } - its(:stderr) { should be_empty } - its(:stdout) { should match(/WARNING! dev mode is enabled!/) } -end - diff --git a/test/integration/dev_server_upstart_s3/vault_spec.rb b/test/integration/dev_server_upstart_s3/vault_spec.rb deleted file mode 100644 index 61f5ce9..0000000 --- a/test/integration/dev_server_upstart_s3/vault_spec.rb +++ /dev/null 
@@ -1,60 +0,0 @@ -describe command('/usr/local/bin/vault -version') do - its(:exit_status) { should eq 0 } - its(:stderr) { should be_empty } - its(:stdout) { should match(/^Vault v[0-9\.]+ \('[0-9a-f]+'\)/) } -end - -describe file('/etc/vault/config/server.hcl') do - it { should be_a_file } - expected = <<-EOF - -backend "s3" { - bucket = "com-saltstack-vault" -} -listener "tcp" { - address = "0.0.0.0:8200" - tls_disable = 0 - -} - -default_lease_ttl="24h" -max_lease_ttl="24h" -EOF - its(:content) { should eq(expected) } -end - -describe file('/etc/systemd/system/vault.service') do - it { should_not be_a_file } -end - -describe file('/etc/init/vault.conf') do - it { should be_a_file } - its(:content) { should_not match /syslog/ } -end - -if os[:family] == 'amazon' - # serverspec assumes 'service' resource to be - # init.d for rhel-based os. have to just check - # that it is running, that means that it started - # with the instance - describe command('sudo initctl list | grep vault | grep -v grep') do - its(:stdout) { should match(/vault start\/running/) } - its(:stderr) { should be_empty } - end - - describe processes("vault") do - its('users') { should eq ['root'] } - end - -else - describe service('vault') do - it { should be_enabled } - it { should be_running } - end -end - -describe file('/var/log/vault.log') do - it { should be_a_file } - its(:content) { should match(/WARNING! dev mode is enabled!/) } -end - diff --git a/test/integration/prod_server/vault_spec.rb b/test/integration/prod_server/vault_spec.rb new file mode 100644 index 0000000..f7b6592 --- /dev/null +++ b/test/integration/prod_server/vault_spec.rb 
@@ -0,0 +1,52 @@
+describe command('/usr/local/bin/vault -version') do
+ its(:exit_status) { should eq 0 }
+ its(:stderr) { should be_empty }
+ its(:stdout) { should match(/^Vault v[0-9\.]+ \('[0-9a-f]+'\)/) }
+end
+
+describe file('/etc/vault/config/server.hcl') do
+ it { should be_a_file }
+end
+
+describe.one do
+ describe file('/etc/systemd/system/vault.service') do
+ it { should be_a_file }
+ its(:content) { should_not match /syslog/ }
+ end
+
+ describe file('/etc/init/vault.conf') do
+ it { should be_a_file }
+ end
+end
+
+describe service('vault') do
+ it { should be_enabled }
+ it { should be_running }
+end
+
+describe.one do
+ describe command('journalctl -u vault') do
+ its(:exit_status) { should eq 0 }
+ its(:stderr) { should be_empty }
+ its(:stdout) { should match /Vault server started/ }
+ end
+
+ describe file('/var/log/vault.log') do
+ it { should be_a_file }
+ its(:content) { should match(/Vault server started/) }
+ end
+end
+
+describe port(8200) do
+ it { should be_listening }
+ its('processes') { should include 'vault' }
+end
+
+describe http('http://127.0.0.1:8200/v1/sys/seal-status') do
+ its('status') { should cmp 200 }
+end
+
+describe json(content: http('http://127.0.0.1:8200/v1/sys/seal-status').body) do
+ its('initialized') { should eq false }
+ its('sealed') { should eq true }
+end
From b23f917f2d8035dde8b22c46353e2385f0f939ff Mon Sep 17 00:00:00 2001
From: Dafydd Jones
Date: Thu, 11 Oct 2018 12:03:33 +0100
Subject: [PATCH 04/17] add file backend, configured by default in prod mode, vault requires a backend to be configured, so add file backend to defaults so that formula works without pillar. fixes #18
---
 vault/defaults.yaml | 4 +++-
 vault/files/server.hcl.jinja | 10 +++++++---
 2 files changed, 10 insertions(+), 4 deletions(-)
diff --git a/vault/defaults.yaml b/vault/defaults.yaml
index bf06573..dc2f6f4 100644
--- a/vault/defaults.yaml
+++ b/vault/defaults.yaml
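Review bot: the `describe file('/etc/vault/config/server.hcl')` block checks existence only, whereas the two specs deleted in this same patch compared the rendered config against an expected body, so the prod suite no longer verifies that any pillar value actually reaches `server.hcl`. Pin at least the setting the rest of the spec depends on, `its(:content) { should match(/tls_disable = 1/) }`, because the plain `http://127.0.0.1:8200` URLs further down are only valid while the suite pillar sets `tls_disable: 1`. A one-line comment above the first `describe http` saying that TLS is deliberately off in this suite would make that coupling visible.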
@@ -10,7 +10,9 @@ vault: max_lease_ttl: 24h self_signed_cert: enabled: false - backend: {} + backend: + type: file + path: /var/lib/vault/data dev_mode: true secure_download: true user: root diff --git a/vault/files/server.hcl.jinja b/vault/files/server.hcl.jinja index 528f415..1a065d6 100644 --- a/vault/files/server.hcl.jinja +++ b/vault/files/server.hcl.jinja @@ -1,7 +1,11 @@ {%- from "vault/map.jinja" import vault with context -%} -{%- if vault.backend and vault.backend.type == "s3" %} -backend "s3" { - bucket = "{{ vault.backend.bucket }}" +{%- if vault.backend %} +backend "{{ vault.backend.type }}" { + {%- if vault.backend.type == "s3" %} + bucket = "{{ vault.backend.bucket }}" + {%- elif vault.backend.type == "file" %} + path = "{{ vault.backend.path }}" + {% endif -%} } {% endif -%} From 7fc267125ea8205ba50cb59955f8272e8c09b296 Mon Sep 17 00:00:00 2001 From: Dafydd Jones Date: Thu, 11 Oct 2018 13:47:26 +0100 Subject: [PATCH 05/17] systemd: add install target; fix quoting; restart on abnormal exits only install to multi-user target (equiv. to runlevel 3) on-failure restarts on non-zero exit codes. afaict vault exits with exit code 1 when it encounters problems starting up e.g. no config file, wrong settings. in this case, what is the point restarting the service automatically? --- vault/files/vault_systemd.service.jinja | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/vault/files/vault_systemd.service.jinja b/vault/files/vault_systemd.service.jinja index a6417b7..d9d604e 100644 --- a/vault/files/vault_systemd.service.jinja +++ b/vault/files/vault_systemd.service.jinja 
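Review bot: `path: /var/lib/vault/data` becomes the default storage location, but nothing in this series creates `/var/lib/vault/data` or sets its ownership and mode, so Vault creates it at first start as whatever `vault.user` is (root, per the defaults in this file) with a umask-derived mode. The file backend holds the encrypted barrier data and is the one artefact on disk worth locking down, so manage the directory explicitly in server.sls with a restrictive mode and make the service depend on it; the snippet below is what I would add next to the `/etc/vault/config` state.
```yaml
{%- if not vault.dev_mode and vault.backend.type == "file" %}
{{ vault.backend.path }}:
  file.directory:
    - makedirs: true
    - user: {{ vault.user }}
    - group: {{ vault.group }}
    - mode: 700
    - require_in:
      - service: vault
{%- endif %}
```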
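Review bot: `backend "{{ vault.backend.type }}" {` now renders for every type, but only `s3` and `file` get a body, so a pillar such as `backend: {type: consul, address: ...}` silently produces an empty stanza and the error only appears when the service fails to start. Emitting every key except `type` keeps the template generic, `{% for k, v in vault.backend.items() if k != 'type' %}` / `  {{ k }} = "{{ v }}"` / `{% endfor %}`, and makes the two hard-coded branches unnecessary. If I recall correctly Vault documents this stanza as `storage` since 0.8 and keeps `backend` only as a legacy alias; worth checking against the version the formula pins before more templates are built on the old name.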
@@ -1,12 +1,15 @@ {%- from "vault/map.jinja" import vault with context -%} [Unit] -Description=vault server +Description=Hashicorp Vault server Requires=network-online.target After=network-online.target consul.service [Service] EnvironmentFile=-/etc/sysconfig/vault -Restart=on-failure -ExecStart=/usr/local/bin/vault server {% if vault.dev_mode %}-dev{% else %} -config="/etc/vault/config/server.hcl"{% endif %} +Restart=on-abnormal +ExecStart=/usr/local/bin/vault server {% if vault.dev_mode %}-dev{% else %} -config=/etc/vault/config/server.hcl{% endif %} User={{ vault.user }} Group={{ vault.group }} + +[Install] +WantedBy=multi-user.target From 9fdebc6cf2d80b8cced651ccbf19007f438cbedb Mon Sep 17 00:00:00 2001 From: Dafydd Jones Date: Thu, 11 Oct 2018 13:50:11 +0100 Subject: [PATCH 06/17] simplify and rationalise requisites in server.sls --- vault/server.sls | 51 ++++++++++++++++++++++++++++-------------------- 1 file changed, 30 insertions(+), 21 deletions(-) diff --git a/vault/server.sls b/vault/server.sls index 9a7c014..c866e21 100644 --- a/vault/server.sls +++ b/vault/server.sls @@ -1,5 +1,9 @@ -{% from "vault/map.jinja" import vault with context %} -{%- if vault.self_signed_cert.enabled %} +{% from "vault/map.jinja" import vault with context -%} + +include: + - vault + +{% if vault.self_signed_cert.enabled -%} /usr/local/bin/self-cert-gen.sh: file.managed: - source: salt://vault/files/cert-gen.sh.jinja @@ -14,21 +18,17 @@ generate self signed SSL certs: - cwd: /etc/vault - require: - file: /usr/local/bin/self-cert-gen.sh + - require_in: + - service: vault {% endif -%} -/etc/vault: - file.directory: - - user: root - - group: root - - mode: 755 - +{% if not vault.dev_mode %} /etc/vault/config: file.directory: + - makedirs: true - user: root - group: root - mode: 755 - - require: - - file: /etc/vault /etc/vault/config/server.hcl: file.managed: 
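Review bot: the `[Service]` section still runs Vault as `{{ vault.user }}` (root by default in vault/defaults.yaml) with no sandboxing and no `LimitMEMLOCK`, so a non-root `vault.user` set via pillar cannot mlock its memory while the default root one runs with every capability. Vault needs only `CAP_IPC_LOCK` plus an unlimited memlock limit, and the remaining directives below cost nothing; `KillSignal=SIGINT` additionally gives Vault the signal it uses for a graceful shutdown instead of the default SIGTERM. The unit file is rendered with `template: jinja`, so these lines can be added verbatim.
```ini
[Service]
# … unchanged: EnvironmentFile, Restart, ExecStart, User, Group …
# only the capability Vault needs to mlock its memory, for root and non-root users alike
CapabilityBoundingSet=CAP_IPC_LOCK
AmbientCapabilities=CAP_IPC_LOCK
LimitMEMLOCK=infinity
NoNewPrivileges=yes
PrivateTmp=yes
ProtectSystem=full
ProtectHome=read-only
KillSignal=SIGINT
```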
@@ -39,6 +39,9 @@ generate self signed SSL certs: - mode: 644 - require: - file: /etc/vault/config + - watch_in: + - service: vault +{% endif %} {%- if grains.init == 'systemd' %} /etc/systemd/system/vault.service: @@ -48,8 +51,14 @@ generate self signed SSL certs: - user: root - group: root - mode: 644 - - require_in: + - order: 1 + - watch_in: - service: vault + cmd.run: + - name: systemctl daemon-reload + - order: 1 + - onchanges: + - file: /etc/systemd/system/vault.service {% elif grains.init == 'upstart' %} /etc/init/vault.conf: @@ -58,19 +67,19 @@ generate self signed SSL certs: - template: jinja - user: root - group: root - - require_in: + - mode: 644 + - order: 1 + - watch_in: - service: vault + cmd.run: + - name: initctl reload-configuration + - order: 1 + - onchanges: + - file: /etc/init/vault.conf {% endif -%} vault: service.running: - - enable: True - - require: - {%- if vault.self_signed_cert.enabled %} - - cmd: generate self signed SSL certs - {% endif %} - - file: /etc/vault/config/server.hcl - - cmd: install vault - - onchanges: + - enable: true + - watch: - cmd: install vault - - file: /etc/vault/config/server.hcl From 82b07dbdfb416e921baf07779fb793f1f4089fe7 Mon Sep 17 00:00:00 2001 From: Dafydd Jones Date: Thu, 11 Oct 2018 19:06:22 +0100 Subject: [PATCH 07/17] update gems --- Gemfile.lock | 217 +++++++++++++++++++++++++++++++++++---------------- 1 file changed, 149 insertions(+), 68 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index d4b5acc..96a2b03 100644 --- a/Gemfile.lock +++ b/Gemfile.lock 
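Review bot: the new `watch_in` correctly restarts the service when `server.hcl` changes, but the state it is attached to still installs that file with `mode: 644`, and in prod mode the file now carries the storage backend block and the listener/TLS settings, a place where backend credentials commonly end up. Tighten it to `- mode: 640` with `- group: {{ vault.group }}` so that only root and the service group can read it, matching the user/group the unit file already hands to the process. The same `mode: 644` applies to the rendered unit and upstart files in the next two hunks, which is fine for those since they contain no secrets.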
@@ -1,127 +1,205 @@ GEM remote: https://rubygems.org/ specs: - addressable (2.5.1) - public_suffix (~> 2.0, >= 2.0.2) - artifactory (2.8.1) - blankslate (2.1.2.4) + addressable (2.5.2) + public_suffix (>= 2.0.2, < 4.0) + aws-sdk (2.11.147) + aws-sdk-resources (= 2.11.147) + aws-sdk-core (2.11.147) + aws-sigv4 (~> 1.0) + jmespath (~> 1.0) + aws-sdk-resources (2.11.147) + aws-sdk-core (= 2.11.147) + aws-sigv4 (1.0.3) + azure_graph_rbac (0.17.0) + ms_rest_azure (~> 0.11.0) + azure_mgmt_resources (0.17.2) + ms_rest_azure (~> 0.11.0) builder (3.2.3) - coderay (1.1.1) + coderay (1.1.2) + concurrent-ruby (1.0.5) + declarative (0.0.10) + declarative-option (0.1.0) diff-lcs (1.3) - docker-api (1.33.4) - excon (>= 0.38.0) - json + docker-api (1.34.2) + excon (>= 0.47.0) + multi_json + domain_name (0.5.20180417) + unf (>= 0.0.5, < 1.0.0) erubis (2.7.0) - excon (0.55.0) - faraday (0.12.1) + excon (0.62.0) + faraday (0.15.3) multipart-post (>= 1.2, < 3) - ffi (1.9.18) + faraday-cookie_jar (0.0.6) + faraday (>= 0.7.4) + http-cookie (~> 1.0.0) + faraday_middleware (0.12.2) + faraday (>= 0.7.4, < 1.0) + ffi (1.9.25) + google-api-client (0.23.9) + addressable (~> 2.5, >= 2.5.1) + googleauth (>= 0.5, < 0.7.0) + httpclient (>= 2.8.1, < 3.0) + mime-types (~> 3.0) + representable (~> 3.0) + retriable (>= 2.0, < 4.0) + signet (~> 0.9) + googleauth (0.6.6) + faraday (~> 0.12) + jwt (>= 1.4, < 3.0) + memoist (~> 0.12) + multi_json (~> 1.11) + os (>= 0.9, < 2.0) + signet (~> 0.7) gssapi (1.2.0) ffi (>= 1.0.1) gyoku (1.3.1) builder (>= 2.1.2) - hashie (3.5.5) + hashie (3.6.0) + htmlentities (4.3.4) + http-cookie (1.0.3) + domain_name (~> 0.5) httpclient (2.8.3) - inspec (1.20.0) + inifile (3.0.0) + inspec (2.3.10) addressable (~> 2.4) faraday (>= 0.9.0) + faraday_middleware (~> 0.12.2) hashie (~> 3.4) + htmlentities json (>= 1.8, < 3.0) method_source (~> 0.8) mixlib-log + multipart-post parallel (~> 1.9) parslet (~> 1.5) pry (~> 0) - rainbow (~> 2) rspec (~> 3) rspec-its (~> 1.2) - rubyzip 
(~> 1.1) - sslshake (~> 1.1) - thor (~> 0.19) - toml (~> 0.1) - train (>= 0.22.0, < 1.0) + rubyzip (~> 1.2, >= 1.2.2) + semverse + sslshake (~> 1.2) + term-ansicolor + thor (~> 0.20) + tomlrb (~> 1.2) + train (~> 1.5) + jmespath (1.4.0) json (2.1.0) - kitchen-docker (2.6.0) + jwt (2.1.0) + kitchen-docker (2.7.0) test-kitchen (>= 1.0.0) - kitchen-inspec (0.18.0) + kitchen-inspec (0.24.0) hashie (~> 3.4) - inspec (>= 0.34.0, < 2.0.0) + inspec (>= 0.34.0, < 3.0.0) test-kitchen (~> 1.6) - kitchen-salt (0.0.24) + kitchen-salt (0.2.5) + hashie (>= 3.5) test-kitchen (~> 1.4) little-plugger (1.1.4) logging (2.2.2) little-plugger (~> 1.1) multi_json (~> 1.10) - method_source (0.8.2) - mixlib-install (2.1.12) - artifactory + memoist (0.16.0) + method_source (0.9.0) + mime-types (3.2.2) + mime-types-data (~> 3.2015) + mime-types-data (3.2018.0812) + mixlib-install (3.11.5) mixlib-shellout mixlib-versioning thor - mixlib-log (1.7.1) - mixlib-shellout (2.2.7) - mixlib-versioning (1.1.0) - multi_json (1.12.1) + mixlib-log (2.0.4) + mixlib-shellout (2.4.0) + mixlib-versioning (1.2.2) + ms_rest (0.7.3) + concurrent-ruby (~> 1.0) + faraday (~> 0.9) + timeliness (~> 0.3) + ms_rest_azure (0.11.0) + concurrent-ruby (~> 1.0) + faraday (~> 0.9) + faraday-cookie_jar (~> 0.0.6) + ms_rest (~> 0.7.2) + multi_json (1.13.1) multipart-post (2.0.0) net-scp (1.2.1) net-ssh (>= 2.6.5) - net-ssh (4.1.0) + net-ssh (4.2.0) net-ssh-gateway (1.3.0) net-ssh (>= 2.6.5) nori (2.6.0) - parallel (1.11.1) - parslet (1.5.0) - blankslate (~> 2.0) - pry (0.10.4) + os (1.0.0) + parallel (1.12.1) + parslet (1.8.2) + pry (0.11.3) coderay (~> 1.1.0) - method_source (~> 0.8.1) - slop (~> 3.4) - public_suffix (2.0.5) - rainbow (2.2.2) - rake - rake (12.0.0) - rspec (3.5.0) - rspec-core (~> 3.5.0) - rspec-expectations (~> 3.5.0) - rspec-mocks (~> 3.5.0) - rspec-core (3.5.4) - rspec-support (~> 3.5.0) - rspec-expectations (3.5.0) + method_source (~> 0.9.0) + public_suffix (3.0.3) + representable (3.0.4) + declarative 
(< 0.1.0) + declarative-option (< 0.2.0) + uber (< 0.2.0) + retriable (3.1.2) + rspec (3.8.0) + rspec-core (~> 3.8.0) + rspec-expectations (~> 3.8.0) + rspec-mocks (~> 3.8.0) + rspec-core (3.8.0) + rspec-support (~> 3.8.0) + rspec-expectations (3.8.2) diff-lcs (>= 1.2.0, < 2.0) - rspec-support (~> 3.5.0) + rspec-support (~> 3.8.0) rspec-its (1.2.0) rspec-core (>= 3.0.0) rspec-expectations (>= 3.0.0) - rspec-mocks (3.5.0) + rspec-mocks (3.8.0) diff-lcs (>= 1.2.0, < 2.0) - rspec-support (~> 3.5.0) - rspec-support (3.5.0) - rubyntlm (0.6.1) - rubyzip (1.2.1) - safe_yaml (1.0.4) - slop (3.6.0) + rspec-support (~> 3.8.0) + rspec-support (3.8.0) + rubyntlm (0.6.2) + rubyzip (1.2.2) + semverse (2.0.0) + signet (0.11.0) + addressable (~> 2.3) + faraday (~> 0.9) + jwt (>= 1.5, < 3.0) + multi_json (~> 1.10) sslshake (1.2.0) - test-kitchen (1.16.0) - mixlib-install (>= 1.2, < 3.0) + term-ansicolor (1.6.0) + tins (~> 1.0) + test-kitchen (1.23.2) + mixlib-install (~> 3.6) mixlib-shellout (>= 1.2, < 3.0) net-scp (~> 1.1) net-ssh (>= 2.9, < 5.0) net-ssh-gateway (~> 1.2) - safe_yaml (~> 1.0) - thor (~> 0.19, < 0.19.2) - thor (0.19.1) - toml (0.1.2) - parslet (~> 1.5.0) - train (0.23.0) + thor (~> 0.19) + winrm (~> 2.0) + winrm-elevated (~> 1.0) + winrm-fs (~> 1.1) + thor (0.20.0) + timeliness (0.3.8) + tins (1.16.3) + tomlrb (1.2.7) + train (1.5.0) + aws-sdk (~> 2) + azure_graph_rbac (~> 0.16) + azure_mgmt_resources (~> 0.15) docker-api (~> 1.26) + google-api-client (~> 0.23.9) + googleauth (~> 0.6.6) + inifile json (>= 1.8, < 3.0) mixlib-shellout (~> 2.0) net-scp (~> 1.2) - net-ssh (>= 2.9, < 5.0) + net-ssh (>= 2.9, < 6.0) winrm (~> 2.0) winrm-fs (~> 1.0) - winrm (2.2.2) + uber (0.1.0) + unf (0.1.4) + unf_ext + unf_ext (0.0.7.5) + winrm (2.2.3) builder (>= 2.1.2) erubis (~> 2.7) gssapi (~> 1.2) 
@@ -130,7 +208,10 @@ GEM logging (>= 1.6.1, < 3.0) nori (~> 2.0) rubyntlm (~> 0.6.0, >= 0.6.1) - winrm-fs (1.0.1) + winrm-elevated (1.1.0) + winrm (~> 2.0) + winrm-fs (~> 1.0) + winrm-fs (1.3.0) erubis (~> 2.7) logging (>= 1.6.1, < 3.0) rubyzip (~> 1.1) @@ -146,4 +227,4 @@ DEPENDENCIES test-kitchen BUNDLED WITH - 1.14.6 + 1.16.6 From c026d462551c6c8d3bf0eee25b287d840653d11a Mon Sep 17 00:00:00 2001 From: Dafydd Jones Date: Thu, 11 Oct 2018 20:30:40 +0100 Subject: [PATCH 08/17] travis: test instead of verify (containers are destoryed before moving on to next) --- .travis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index 3706915..7c0ccc9 100644 --- a/.travis.yml +++ b/.travis.yml @@ -8,4 +8,4 @@ services: before_install: - bundle install -script: bundle exec kitchen verify +script: bundle exec kitchen test From 85a7a9a1dfbe9f3dfcffdd8eb9b5af4d89583d45 Mon Sep 17 00:00:00 2001 From: Dafydd Jones Date: Fri, 12 Oct 2018 16:49:23 +0100 Subject: [PATCH 09/17] travis: parallel tests --- .travis.yml | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/.travis.yml b/.travis.yml index 7c0ccc9..b6049b8 100644 --- a/.travis.yml +++ b/.travis.yml @@ -1,5 +1,5 @@ sudo: required - +cache: bundler language: ruby services: @@ -8,4 +8,9 @@ services: before_install: - bundle install -script: bundle exec kitchen test +env: + matrix: + - INSTANCE: dev + - INSTANCE: prod + +script: bundle exec kitchen test ${INSTANCE} From 8c7dba2915b9ff0efe78cb27ba9a614b7650e21d Mon Sep 17 00:00:00 2001 From: Dafydd Jones Date: Tue, 25 Sep 2018 17:07:07 +0100 Subject: [PATCH 10/17] fix cert-gen.sh script --- vault/files/cert-gen.sh.jinja | 1 + vault/server.sls | 33 ++++++++++++++------------------- 2 files changed, 15 insertions(+), 19 deletions(-) diff --git a/vault/files/cert-gen.sh.jinja b/vault/files/cert-gen.sh.jinja index 9092278..bf4644e 100644 --- a/vault/files/cert-gen.sh.jinja +++ b/vault/files/cert-gen.sh.jinja 
@@ -1,3 +1,4 @@ +{% from "vault/map.jinja" import vault with context -%} #!/usr/bin/env bash ### diff --git a/vault/server.sls b/vault/server.sls index c866e21..11cf3fb 100644 --- a/vault/server.sls +++ b/vault/server.sls @@ -3,25 +3,6 @@ include: - vault -{% if vault.self_signed_cert.enabled -%} -/usr/local/bin/self-cert-gen.sh: - file.managed: - - source: salt://vault/files/cert-gen.sh.jinja - - template: jinja - - user: root - - group: root - - mode: 644 - -generate self signed SSL certs: - cmd.run: - - name: bash /usr/local/bin/cert-gen.sh {{ vault.self_signed_cert.hostname }} {{ vault.self_signed_cert.password }} - - cwd: /etc/vault - - require: - - file: /usr/local/bin/self-cert-gen.sh - - require_in: - - service: vault -{% endif -%} - {% if not vault.dev_mode %} /etc/vault/config: file.directory: @@ -41,6 +22,20 @@ generate self signed SSL certs: - file: /etc/vault/config - watch_in: - service: vault + + {%- if vault.self_signed_cert.enabled %} +generate self signed SSL certs: + cmd.script: + - source: salt://vault/files/cert-gen.sh.jinja + - template: jinja + - args: {{ vault.self_signed_cert.hostname }} {{ vault.self_signed_cert.password }} + - cwd: /etc/vault + - creates: /etc/vault/{{ vault.self_signed_cert.hostname }}.pem + - require: + - /etc/vault/config + - require_in: + - service: vault + {%- endif %} {% endif %} {%- if grains.init == 'systemd' %} From 14b01b103cb71d594452887599b75717a382b412 Mon Sep 17 00:00:00 2001 From: Dafydd Jones Date: Fri, 12 Oct 2018 18:35:01 +0100 Subject: [PATCH 11/17] test: creation of self-signed certificate (was broken) --- .kitchen.yml | 9 +++++++++ test/integration/prod_server/vault_spec.rb | 8 ++++++++ 2 files changed, 17 insertions(+) diff --git a/.kitchen.yml b/.kitchen.yml index 2566dd9..dbfdf3b 100644 --- a/.kitchen.yml +++ b/.kitchen.yml 
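Review bot: `- args: {{ vault.self_signed_cert.hostname }} {{ vault.self_signed_cert.password }}` puts the key password into the script's argument list, so it is readable by every local user via `ps` while the script runs and is recorded in the state result, the job cache and any Salt log at info level or above. This same commit imports the `vault` map at the top of cert-gen.sh.jinja and the state renders it with `template: jinja`, so the script can read the password from the map directly (or receive it through `- env:` on `cmd.script`) and `args` can shrink to `- args: {{ vault.self_signed_cert.hostname }}`. The hostname should also be quoted in `args`, since it is interpolated into a shell command line as-is.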
@@ -52,3 +52,12 @@ suites: vault: dev_mode: false tls_disable: 1 + self_signed_cert: + enabled: true + hostname: localhost + password: localhost + country: GB + state: England + city: London + org: example.com + org_unit: testing diff --git a/test/integration/prod_server/vault_spec.rb b/test/integration/prod_server/vault_spec.rb index f7b6592..8117d4e 100644 --- a/test/integration/prod_server/vault_spec.rb +++ b/test/integration/prod_server/vault_spec.rb @@ -50,3 +50,11 @@ its('initialized') { should eq false } its('sealed') { should eq true } end + +describe file('/etc/vault/localhost.pem') do + it { should be_a_file } +end + +describe file('/etc/vault/localhost-nopass.key') do + it { should be_a_file } +end From fe3e0bbd39f063e09ab7262845c96b9de08ddbbd Mon Sep 17 00:00:00 2001 From: Dafydd Jones Date: Fri, 12 Oct 2018 19:16:55 +0100 Subject: [PATCH 12/17] depend on openssl when generating certs --- vault/server.sls | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/vault/server.sls b/vault/server.sls index 11cf3fb..829e990 100644 --- a/vault/server.sls +++ b/vault/server.sls @@ -24,6 +24,9 @@ include: - service: vault {%- if vault.self_signed_cert.enabled %} +openssl: + pkg.installed + generate self signed SSL certs: cmd.script: - source: salt://vault/files/cert-gen.sh.jinja @@ -32,6 +35,7 @@ generate self signed SSL certs: - cwd: /etc/vault - creates: /etc/vault/{{ vault.self_signed_cert.hostname }}.pem - require: + - openssl - /etc/vault/config - require_in: - service: vault From 3067eb89cf47680cc058df4a7f7320d3d1010642 Mon Sep 17 00:00:00 2001 From: Dafydd Jones Date: Sat, 13 Oct 2018 01:09:35 +0100 Subject: [PATCH 13/17] test --- .kitchen.yml | 17 +++++++++++------ .travis.yml | 14 ++++++++------ 2 files changed, 19 insertions(+), 12 deletions(-) diff --git a/.kitchen.yml b/.kitchen.yml index dbfdf3b..1ec99ba 100644 --- a/.kitchen.yml +++ b/.kitchen.yml 
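Review bot: the suite now generates a self-signed certificate but keeps `tls_disable: 1`, and the prod spec still talks to `http://127.0.0.1:8200`, so the certificate is produced and then never used; as far as this series shows nothing wires `/etc/vault/<hostname>.pem` into the listener, and the TLS code path stays untested. Either drop `tls_disable: 1` here and point the listener at the generated files, or make the limitation explicit with `tls_disable: 1  # cert below is only checked for existence; listener TLS is not exercised`. `password: localhost` is a test fixture, but a comment saying so would stop it being copied into a real pillar.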
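Review bot: the two new file checks assert only that `localhost.pem` and `localhost-nopass.key` exist; the unencrypted private key is the sensitive artefact and its permissions are what the test should pin, since the script that writes it is not visible in this series. Add `it { should be_owned_by 'root' }` and `its('mode') { should cmp '0600' }` to the `localhost-nopass.key` block (and the owner check to the `.pem` block) so that a permissive umask in cert-gen.sh fails the suite instead of going unnoticed.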
@@ -4,6 +4,8 @@ driver: use_sudo: false privileged: true run_command: /sbin/init + provision_command: + - curl -L https://bootstrap.saltstack.com | sh -s -- -X verifier: name: inspec @@ -16,17 +18,20 @@ provisioner: platforms: - name: ubuntu-16.04 - driver_config: + driver: + name: docker provision_command: - - apt-get update && apt-get install -y locales && locale-gen en_US.UTF-8 + - apt-get install -y locales && locale-gen en_US.UTF-8 + - curl -L https://bootstrap.saltstack.com | sh -s -- -X - name: centos-7 - driver_config: + driver: + name: docker provision_command: - yum -y install net-tools # needed by inspec + - curl -L https://bootstrap.saltstack.com | sh -s -- -X - name: amazonlinux - driver_config: - provision_command: - - yum install -y epel-release + driver: + name: docker image: amazonlinux:1 platform: rhel diff --git a/.travis.yml b/.travis.yml index b6049b8..aeee963 100644 --- a/.travis.yml +++ b/.travis.yml @@ -1,16 +1,18 @@ sudo: required -cache: bundler language: ruby services: - docker +cache: + bundler: true + before_install: - - bundle install + - gem install bundler --no-document env: - matrix: - - INSTANCE: dev - - INSTANCE: prod + - PLATFORM=ubuntu + - PLATFORM=centos + - PLATFORM=amazon -script: bundle exec kitchen test ${INSTANCE} +script: bundle exec kitchen test ${PLATFORM} From a16d2661904e02f79a21a7c37f46b848141f947d Mon Sep 17 00:00:00 2001 From: Dafydd Jones Date: Tue, 16 Oct 2018 16:50:05 +0100 Subject: [PATCH 14/17] travis: optimise .travis.yml and .kitchen.yml make use of docker build cache by installing Salt and dependencies when kitchen-docker build the docker image - speeding up testing massively --- .kitchen.yml | 3 ++- .travis.yml | 3 +-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.kitchen.yml b/.kitchen.yml index 1ec99ba..a6004e7 100644 --- a/.kitchen.yml +++ b/.kitchen.yml 
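Review bot: `- curl -L https://bootstrap.saltstack.com | sh -s -- -X` executes whatever that endpoint currently serves, as root inside the image build, with no version pin and no integrity check; the second hunk repeats the line for the ubuntu-16.04 and centos-7 platforms and PATCH 14 touches it again. Download the script to a file, verify it against the checksum the salt-bootstrap project publishes at the sibling `/sha256` URL, and only then run it; for reproducible builds fetch a tagged `bootstrap-salt.sh` from the saltstack/salt-bootstrap release you tested with rather than the moving URL. As far as I can tell the platform-level `provision_command` lists replace the driver-level one rather than append to it, so the fix belongs in every list or in one YAML anchor.
```yaml
provision_command:
  - curl -fsSL -o /tmp/bootstrap-salt.sh https://bootstrap.saltstack.com
  - curl -fsSL -o /tmp/bootstrap-salt.sh.sha256 https://bootstrap.saltstack.com/sha256
  - cd /tmp && sha256sum -c bootstrap-salt.sh.sha256
  - sh /tmp/bootstrap-salt.sh -X
```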
@@ -5,7 +5,7 @@ driver: privileged: true run_command: /sbin/init provision_command: - - curl -L https://bootstrap.saltstack.com | sh -s -- -X + - curl -L https://bootstrap.saltstack.com | sh -s -- -X # install Salt and dependencies here to make use of Docker build cache, speeding up tests massively verifier: name: inspec @@ -13,6 +13,7 @@ verifier: provisioner: name: salt_solo salt_version: latest + log_level: info require_chef: false formula: vault diff --git a/.travis.yml b/.travis.yml index aeee963..f25c307 100644 --- a/.travis.yml +++ b/.travis.yml @@ -1,11 +1,10 @@ sudo: required language: ruby +cache: bundler services: - docker -cache: - bundler: true before_install: - gem install bundler --no-document From 1b086c5d709ad37af96cd3c89e8b8c73712f2161 Mon Sep 17 00:00:00 2001 From: Dafydd Jones Date: Tue, 16 Oct 2018 20:40:19 +0100 Subject: [PATCH 15/17] test for installation of binary, and test upgrades manually --- .kitchen.yml | 18 ++++++++++++++++- test/integration/install_binary/vault_spec.rb | 20 +++++++++++++++++++ 2 files changed, 37 insertions(+), 1 deletion(-) create mode 100644 test/integration/install_binary/vault_spec.rb diff --git a/.kitchen.yml b/.kitchen.yml index a6004e7..be0f512 100644 --- a/.kitchen.yml +++ b/.kitchen.yml @@ -22,7 +22,7 @@ platforms: driver: name: docker provision_command: - - apt-get install -y locales && locale-gen en_US.UTF-8 + - apt-get install -y locales net-tools && locale-gen en_US.UTF-8 - curl -L https://bootstrap.saltstack.com | sh -s -- -X - name: centos-7 driver: @@ -37,6 +37,22 @@ platforms: platform: rhel suites: + - name: install_binary + provisioner: + state_top: + base: + '*': + - vault + pillars: + top.sls: + base: + '*': + - vault + vault.sls: + vault: +# version: 0.11.1 # test upgrades by doing a double-converge, changing the version pillar between each one + version: 0.11.2 + - name: dev_server provisioner: state_top: 
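Review bot: The new `install_binary` suite writes the pillar value as `version: 0.11.2`, which YAML keeps as a string only because it has two dots; a two-component value such as `0.10` would load as the float `0.1` and silently change the download URL, so the value should be quoted, `version: "0.11.2"`, and the commented `# version: 0.11.1` line likewise. The upgrade comment invites editing this value between converges, which is exactly when a two-component version could be typed in. That comment also sits at column 0 inside a nested mapping; indenting it to the level of the `version` key keeps yamllint's comment-indentation check quiet and makes it obvious which key it belongs to.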
diff --git a/test/integration/install_binary/vault_spec.rb b/test/integration/install_binary/vault_spec.rb new file mode 100644 index 0000000..0c01d52 --- /dev/null +++ b/test/integration/install_binary/vault_spec.rb @@ -0,0 +1,20 @@ +describe file('/usr/local/bin/vault') do + it { should be_a_file } + it { should be_executable } +end + +describe command('/usr/local/bin/vault -version') do + its(:exit_status) { should eq 0 } + its(:stderr) { should be_empty } + its(:stdout) { should match(/^Vault v0.11.2 \('2b1a4304374712953ff606c6a925bbe90a4e85dd'\)/) } +end + +describe service('vault') do + it { should_not be_installed } + it { should_not be_enabled } + it { should_not be_running } +end + +describe file("/etc/vault/config/server.hcl") do + it { should_not be_a_file } +end From c391faa19c2f8672ffc37ab2dfaaf1926c57e8a5 Mon Sep 17 00:00:00 2001 From: Dafydd Jones Date: Tue, 16 Oct 2018 20:40:58 +0100 Subject: [PATCH 16/17] fix upgrades, and simplify formula --- vault/init.sls | 153 +++++++++++++++++++++++++---------------------- vault/server.sls | 2 +- 2 files changed, 81 insertions(+), 74 deletions(-) diff --git a/vault/init.sls b/vault/init.sls index 968622c..211bd65 100644 --- a/vault/init.sls +++ b/vault/init.sls 
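Review bot: The `-version` expectation pins both the release and the build commit (`Vault v0.11.2 \('2b1a…'\)`), while the `.kitchen.yml` comment in the same patch invites switching the `version` pillar between converges, which makes this spec fail on the second converge instead of confirming the upgrade. If the exact pin is the point of the suite, the kitchen comment should say that this spec has to be changed together with the pillar; otherwise the looser form the prod_server spec uses, `its(:stdout) { should match(/^Vault v[0-9\.]+ \('[0-9a-f]+'\)/) }`, keeps the suite usable for the double-converge check. The final block quotes the path with double quotes (`"/etc/vault/config/server.hcl"`) where the rest of the file uses single quotes.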
@@ -1,78 +1,85 @@ {% from "vault/map.jinja" import vault with context %} # using archive.extracted causes: 'Comment: Failed to cache https://releases.hashicorp.com/vault/0.7.0/vault_0.7.0_linux_amd64.zip: [Errno 1] _ssl.c:493: error:1409442E:SSL routines:SSL3_READ_BYTES:tlsv1 alert protocol version' -vault packages: - pkg.installed: - - names: - - unzip - - curl - {% if vault.secure_download %} - {% if grains['os'] == 'CentOS' or grains['os'] == 'Amazon' %} - - gnupg2 - - perl-Digest-SHA - {% elif grains['os'] == 'Ubuntu' %} - - gnupg - - libdigest-sha-perl - {% endif %} - {% endif %} +#vault packages: +# pkg.installed: +# - names: +# - unzip +# - curl +# {% if vault.secure_download %} +# {% if grains['os'] == 'CentOS' or grains['os'] == 'Amazon' %} +# - gnupg2 +# - perl-Digest-SHA +# {% elif grains['os'] == 'Ubuntu' %} +# - gnupg +# - libdigest-sha-perl +# {% endif %} +# {% endif %} +/opt/vault/{{ vault.version }}/bin: + archive.extracted: + - source: https://releases.hashicorp.com/vault/{{ vault.version }}/vault_{{ vault.version }}_linux_amd64.zip + - source_hash: https://releases.hashicorp.com/vault/{{ vault.version }}/vault_{{ vault.version }}_SHA256SUMS + - enforce_toplevel: false -download vault: - cmd.run: - - name: curl --silent -L https://releases.hashicorp.com/vault/{{ vault.version }}/vault_{{ vault.version }}_linux_amd64.zip -o /tmp/vault_{{ vault.version }}_linux_amd64.zip - - creates: /tmp/vault_{{ vault.version }}_linux_amd64.zip - -{% if vault.secure_download %} -download shasums: - cmd.run: - - name: curl --silent -L https://releases.hashicorp.com/vault/{{ vault.version }}/vault_{{ vault.version }}_SHA256SUMS -o /tmp/vault_{{ vault.version }}_SHA256SUMS - - creates: /tmp/vault_{{ vault.version }}_SHA256SUMS - -download shasums sig: - cmd.run: - - name: curl --silent -L https://releases.hashicorp.com/vault/{{ vault.version }}/vault_{{ vault.version }}_SHA256SUMS.sig -o /tmp/vault_{{ vault.version }}_SHA256SUMS.sig - - creates: /tmp/vault_{{ 
vault.version }}_SHA256SUMS.sig - -/tmp/hashicorp.asc: - file.managed: - - source: salt://vault/files/hashicorp.asc.jinja - - template: jinja - -import key: - cmd.run: - - name: gpg --import /tmp/hashicorp.asc - - unless: gpg --list-keys {{ vault.hashicorp_key_id }} - - requires: - - file: /tmp/hashicorp.asc - - cmd: vault packages - -verify shasums sig: - cmd.run: - - name: gpg --verify /tmp/vault_{{ vault.version }}_SHA256SUMS.sig /tmp/vault_{{ vault.version }}_SHA256SUMS - - require: - - cmd: download shasums - - cmd: import key - -verify vault: - cmd.run: - - name: "shasum -a 256 -c vault_{{ vault.version }}_SHA256SUMS 2>&1 | grep -q \"vault_{{ vault.version }}_linux_amd64.zip: OK\"" - - cwd: /tmp - - require: - - cmd: download vault - - cmd: verify shasums sig -{% endif %} - -install vault: - cmd.run: - - name: unzip /tmp/vault_{{ vault.version }}_linux_amd64.zip -d /usr/local/bin && chmod 0755 /usr/local/bin/vault && chown root:root /usr/local/bin/vault +/usr/local/bin/vault: + file.symlink: + - target: /opt/vault/{{ vault.version }}/bin/vault + - force: true - require: - - cmd: download vault - - pkg: unzip - {% if vault.secure_download %} - - cmd: verify vault - {% endif %} - - creates: /usr/local/bin/vault + - /opt/vault/{{ vault.version }}/bin -vault set cap mlock: - cmd.run: - - name: "setcap cap_ipc_lock=+ep /usr/local/bin/vault" - - onchanges: - - cmd: install vault +#{% if vault.secure_download %} +#download shasums: +# cmd.run: +# - name: curl --silent -L https://releases.hashicorp.com/vault/{{ vault.version }}/vault_{{ vault.version }}_SHA256SUMS -o /tmp/vault_{{ vault.version }}_SHA256SUMS +# - creates: /tmp/vault_{{ vault.version }}_SHA256SUMS +# +#download shasums sig: +# cmd.run: +# - name: curl --silent -L https://releases.hashicorp.com/vault/{{ vault.version }}/vault_{{ vault.version }}_SHA256SUMS.sig -o /tmp/vault_{{ vault.version }}_SHA256SUMS.sig +# - creates: /tmp/vault_{{ vault.version }}_SHA256SUMS.sig +# +#/tmp/hashicorp.asc: +# 
file.managed: +# - source: salt://vault/files/hashicorp.asc.jinja +# - template: jinja +# +#import key: +# cmd.run: +# - name: gpg --import /tmp/hashicorp.asc +# - unless: gpg --list-keys {{ vault.hashicorp_key_id }} +# - requires: +# - file: /tmp/hashicorp.asc +# - cmd: vault packages +# +#verify shasums sig: +# cmd.run: +# - name: gpg --verify /tmp/vault_{{ vault.version }}_SHA256SUMS.sig /tmp/vault_{{ vault.version }}_SHA256SUMS +# - require: +# - cmd: download shasums +# - cmd: import key +# +#verify vault: +# cmd.run: +# - name: "shasum -a 256 -c vault_{{ vault.version }}_SHA256SUMS 2>&1 | grep -q \"vault_{{ vault.version }}_linux_amd64.zip: OK\"" +# - cwd: /tmp +# - require: +# - cmd: download vault +# - cmd: verify shasums sig +#{% endif %} +# +#install vault: +# cmd.run: +# - name: unzip /tmp/vault_{{ vault.version }}_linux_amd64.zip -d /usr/local/bin && chmod 0755 /usr/local/bin/vault && chown root:root /usr/local/bin/vault +# - require: +# - cmd: download vault +# - pkg: unzip +# {% if vault.secure_download %} +# - cmd: verify vault +# {% endif %} +# - creates: /usr/local/bin/vault +# +#vault set cap mlock: +# cmd.run: +# - name: "setcap cap_ipc_lock=+ep /usr/local/bin/vault" +# - onchanges: +# - cmd: install vault diff --git a/vault/server.sls b/vault/server.sls index 829e990..00c65c3 100644 --- a/vault/server.sls +++ b/vault/server.sls @@ -81,4 +81,4 @@ vault: service.running: - enable: true - watch: - - cmd: install vault + - /usr/local/bin/vault From c829eac420c5b603912a241efc4e05b4fe62272e Mon Sep 17 00:00:00 2001 
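Review bot: The new `archive.extracted` state verifies the zip only against a SHA256SUMS fetched from the same HTTPS origin, and every state that checked the HashiCorp signature over those sums (`import key`, `verify shasums sig`, `verify vault`) is now commented out, so the `secure_download` pillar that defaults still advertise no longer does anything. `vault set cap mlock` is commented out too, so a freshly installed binary no longer receives `cap_ipc_lock`, which Vault needs to lock its memory unless mlock is disabled in its config. Note also that a leading `#` is not a comment to Jinja: the `{% if vault.secure_download %}` / `{% endif %}` and `{{ vault.hashicorp_key_id }}` inside the commented block are still rendered, so the block is not inert and a missing `hashicorp_key_id` would fail the render. The following patch in this series restores both behaviours; the commented-out block should simply be deleted, since git history keeps it and a reader otherwise has to work out which of the two copies is live.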
From: Dafydd Jones Date: Fri, 19 Oct 2018 16:43:16 +0100 Subject: [PATCH 17/17] simplify shasums signature verification; move setcap to server state --- .kitchen.yml | 1 + test/integration/prod_server/vault_spec.rb | 6 + vault/defaults.yaml | 1 + vault/init.sls | 127 +++++++++------------ vault/map.jinja | 11 +- vault/osfamilymap.yaml | 2 + vault/server.sls | 12 +- 7 files changed, 80 insertions(+), 80 deletions(-) create mode 100644 vault/osfamilymap.yaml diff --git a/.kitchen.yml b/.kitchen.yml index be0f512..2ca5abd 100644 --- a/.kitchen.yml +++ b/.kitchen.yml @@ -52,6 +52,7 @@ suites: vault: # version: 0.11.1 # test upgrades by doing a double-converge, changing the version pillar between each one version: 0.11.2 + secure_download: false - name: dev_server provisioner: diff --git a/test/integration/prod_server/vault_spec.rb b/test/integration/prod_server/vault_spec.rb index 8117d4e..6dfebb7 100644 --- a/test/integration/prod_server/vault_spec.rb +++ b/test/integration/prod_server/vault_spec.rb @@ -4,6 +4,12 @@ its(:stdout) { should match(/^Vault v[0-9\.]+ \('[0-9a-f]+'\)/) } end +describe command('getcap $(readlink -f /usr/local/bin/vault)') do + its(:exit_status) { should eq 0 } + its(:stderr) { should be_empty } + its(:stdout) { should match(/\/vault = cap_ipc_lock\+ep$/) } +end + describe file('/etc/vault/config/server.hcl') do it { should be_a_file } end diff --git a/vault/defaults.yaml b/vault/defaults.yaml index dc2f6f4..70592f1 100644 --- a/vault/defaults.yaml +++ b/vault/defaults.yaml @@ -15,6 +15,7 @@ vault: path: /var/lib/vault/data dev_mode: true secure_download: true + gpg_pkg: gnupg user: root group: root hashicorp_gpg_key: | diff --git a/vault/init.sls b/vault/init.sls index 211bd65..35002c0 100644 --- a/vault/init.sls +++ b/vault/init.sls 
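Review bot: The `install_binary` suite now sets `secure_download: false` without saying why, so a reader cannot tell whether signature verification is deliberately skipped for speed or because it fails on one of the platforms; a one-line comment such as `# signature verification is exercised by the server suites, which keep the default` (or whatever the real reason is) would settle that. With `secure_download: true` in `vault/defaults.yaml`, the other suites still take the verifying path, so coverage is only preserved as long as that default stays.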
@@ -1,85 +1,60 @@ {% from "vault/map.jinja" import vault with context %} -# using archive.extracted causes: 'Comment: Failed to cache https://releases.hashicorp.com/vault/0.7.0/vault_0.7.0_linux_amd64.zip: [Errno 1] _ssl.c:493: error:1409442E:SSL routines:SSL3_READ_BYTES:tlsv1 alert protocol version' -#vault packages: -# pkg.installed: -# - names: -# - unzip -# - curl -# {% if vault.secure_download %} -# {% if grains['os'] == 'CentOS' or grains['os'] == 'Amazon' %} -# - gnupg2 -# - perl-Digest-SHA -# {% elif grains['os'] == 'Ubuntu' %} -# - gnupg -# - libdigest-sha-perl -# {% endif %} -# {% endif %} -/opt/vault/{{ vault.version }}/bin: + +{% set version = vault.version %} + +/opt/vault/{{ version }}/vault_{{ version }}_SHA256SUMS: + file.managed: + - source: https://releases.hashicorp.com/vault/{{ version }}/vault_{{ version }}_SHA256SUMS + - makedirs: true + - skip_verify: true + +/opt/vault/{{ version }}/bin: archive.extracted: - - source: https://releases.hashicorp.com/vault/{{ vault.version }}/vault_{{ vault.version }}_linux_amd64.zip - - source_hash: https://releases.hashicorp.com/vault/{{ vault.version }}/vault_{{ vault.version }}_SHA256SUMS + - source: https://releases.hashicorp.com/vault/{{ version }}/vault_{{ version }}_linux_amd64.zip + - source_hash: /opt/vault/{{ version }}/vault_{{ version }}_SHA256SUMS - enforce_toplevel: false + - require: + - /opt/vault/{{ version }}/vault_{{ version }}_SHA256SUMS /usr/local/bin/vault: file.symlink: - - target: /opt/vault/{{ vault.version }}/bin/vault + - target: /opt/vault/{{ version }}/bin/vault - force: true - require: - - /opt/vault/{{ vault.version }}/bin + - /opt/vault/{{ version }}/bin + +{% if vault.secure_download -%} +/opt/vault/{{ version }}/vault_{{ version }}_SHA256SUMS.sig: + file.managed: + - source: https://releases.hashicorp.com/vault/{{ version }}/vault_{{ version }}_SHA256SUMS.sig + - skip_verify: true + - require: + - /opt/vault/{{ version }}/vault_{{ version }}_SHA256SUMS -#{% if 
vault.secure_download %} -#download shasums: -# cmd.run: -# - name: curl --silent -L https://releases.hashicorp.com/vault/{{ vault.version }}/vault_{{ vault.version }}_SHA256SUMS -o /tmp/vault_{{ vault.version }}_SHA256SUMS -# - creates: /tmp/vault_{{ vault.version }}_SHA256SUMS -# -#download shasums sig: -# cmd.run: -# - name: curl --silent -L https://releases.hashicorp.com/vault/{{ vault.version }}/vault_{{ vault.version }}_SHA256SUMS.sig -o /tmp/vault_{{ vault.version }}_SHA256SUMS.sig -# - creates: /tmp/vault_{{ vault.version }}_SHA256SUMS.sig -# -#/tmp/hashicorp.asc: -# file.managed: -# - source: salt://vault/files/hashicorp.asc.jinja -# - template: jinja -# -#import key: -# cmd.run: -# - name: gpg --import /tmp/hashicorp.asc -# - unless: gpg --list-keys {{ vault.hashicorp_key_id }} -# - requires: -# - file: /tmp/hashicorp.asc -# - cmd: vault packages -# -#verify shasums sig: -# cmd.run: -# - name: gpg --verify /tmp/vault_{{ vault.version }}_SHA256SUMS.sig /tmp/vault_{{ vault.version }}_SHA256SUMS -# - require: -# - cmd: download shasums -# - cmd: import key -# -#verify vault: -# cmd.run: -# - name: "shasum -a 256 -c vault_{{ vault.version }}_SHA256SUMS 2>&1 | grep -q \"vault_{{ vault.version }}_linux_amd64.zip: OK\"" -# - cwd: /tmp -# - require: -# - cmd: download vault -# - cmd: verify shasums sig -#{% endif %} -# -#install vault: -# cmd.run: -# - name: unzip /tmp/vault_{{ vault.version }}_linux_amd64.zip -d /usr/local/bin && chmod 0755 /usr/local/bin/vault && chown root:root /usr/local/bin/vault -# - require: -# - cmd: download vault -# - pkg: unzip -# {% if vault.secure_download %} -# - cmd: verify vault -# {% endif %} -# - creates: /usr/local/bin/vault -# -#vault set cap mlock: -# cmd.run: -# - name: "setcap cap_ipc_lock=+ep /usr/local/bin/vault" -# - onchanges: -# - cmd: install vault + +/tmp/hashicorp.asc: + file.managed: + - source: salt://vault/files/hashicorp.asc.jinja + - template: jinja + +vault_gpg_pkg: + pkg.installed: + - name: {{ vault.gpg_pkg 
}} + +import key: + cmd.run: + - name: gpg --import /tmp/hashicorp.asc + - unless: gpg --list-keys {{ vault.hashicorp_key_id }} + - require: + - /tmp/hashicorp.asc + - vault_gpg_pkg + +verify shasums sig: + cmd.run: + - name: gpg --verify /opt/vault/{{ version }}/vault_{{ version }}_SHA256SUMS.sig /opt/vault/{{ version }}/vault_{{ version }}_SHA256SUMS + - require: + - /opt/vault/{{ version }}/vault_{{ version }}_SHA256SUMS.sig + - import key + - prereq: + - /usr/local/bin/vault +{%- endif %} diff --git a/vault/map.jinja b/vault/map.jinja index 3c3da4f..c98de32 100644 --- a/vault/map.jinja +++ b/vault/map.jinja @@ -1,2 +1,11 @@ {% import_yaml "vault/defaults.yaml" as defaults %} -{% set vault = salt['pillar.get']('vault', default=defaults['vault'], merge=True) %} +{% import_yaml "vault/osfamilymap.yaml" as osfamilymap %} + +{% set vault = salt['grains.filter_by']( + defaults, + merge=salt['grains.filter_by']( + osfamilymap, + merge=salt['pillar.get']('vault', {}), + ), + base='vault') + %} diff --git a/vault/osfamilymap.yaml b/vault/osfamilymap.yaml new file mode 100644 index 0000000..eb6ab15 --- /dev/null +++ b/vault/osfamilymap.yaml @@ -0,0 +1,2 @@ +RedHat: + gpg_pkg: gnupg2 diff --git a/vault/server.sls b/vault/server.sls index 00c65c3..45298fe 100644 --- a/vault/server.sls +++ b/vault/server.sls @@ -23,7 +23,13 @@ include: - watch_in: - service: vault - {%- if vault.self_signed_cert.enabled %} +vault_set_cap_mlock: + cmd.run: + - name: setcap cap_ipc_lock=+ep $(readlink -f /usr/local/bin/vault) + - onchanges: + - /usr/local/bin/vault + +{% if vault.self_signed_cert.enabled -%} openssl: pkg.installed @@ -39,8 +45,8 @@ generate self signed SSL certs: - /etc/vault/config - require_in: - service: vault - {%- endif %} -{% endif %} +{% endif %} +{%- endif %} {%- if grains.init == 'systemd' %} /etc/systemd/system/vault.service:
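Review bot: `verify shasums sig` is wired with `prereq` to `/usr/local/bin/vault`, so on a bad or missing signature the symlink is withheld but `/opt/vault/{{ version }}/bin` has already been downloaded and extracted on the strength of the unsigned SHA256SUMS; pointing the prereq at the archive state instead, `- prereq:` / `- /opt/vault/{{ version }}/bin`, lets the signature check run before anything from the release is unpacked. `gpg --verify` also exits 0 for a good signature by any key in root's default keyring, trusted or not, not just the one imported from `/tmp/hashicorp.asc`; importing into and verifying against a dedicated keyring (`--no-default-keyring --keyring <KEYRING_PATH>` on both commands) ties the check to the HashiCorp key alone. Keeping the key file under `/opt/vault/` next to the sums and signature, rather than in world-writable `/tmp`, would be consistent with the rest of the hunk. Finally, the `unless: gpg --list-keys` guard means a changed `hashicorp.asc` is never re-imported once that key id is present, which deserves a comment so a key rotation is not missed.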
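Review bot: `vault_set_cap_mlock` is triggered by `onchanges` on the `/usr/local/bin/vault` symlink state, so the capability is only applied when the symlink itself changes; if the binary under `/opt/vault/<version>/bin` is replaced in place without the link moving, or the capability is stripped, the state stays silent and Vault loses `cap_ipc_lock`. Checking the target file directly is more robust and stays idempotent: replace `onchanges` with `- unless: getcap $(readlink -f /usr/local/bin/vault) | grep -q cap_ipc_lock` plus `- require:` / `- /usr/local/bin/vault` for ordering, which mirrors the assertion the new prod_server spec makes. A short comment explaining that `readlink -f` is used because the capability is an attribute of the target file, not the symlink, would help the next reader.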