diff --git a/.github/CONTRIBUTING.md b/.github/CONTRIBUTING.md index 8b466cfb..88093274 100644 --- a/.github/CONTRIBUTING.md +++ b/.github/CONTRIBUTING.md @@ -131,19 +131,29 @@ You can install all needed gems for spec tests into the modules directory by running: ```sh -bundle install --path .vendor/ --without development system_tests release --jobs "$(nproc)" +bundle config set --local path '.vendor/' +bundle config set --local without 'development system_tests release' +bundle install --jobs "$(nproc)" ``` If you also want to run acceptance tests: ```sh -bundle install --path .vendor/ --with system_tests --without development release --jobs "$(nproc)" +bundle config set --local path '.vendor/' +bundle config set --local without 'development release' +bundle config set --local with 'system_tests' +bundle install --jobs "$(nproc)" ``` Our all in one solution if you don't know if you need to install or update gems: ```sh -bundle install --path .vendor/ --with system_tests --without development release --jobs "$(nproc)"; bundle update; bundle clean +bundle config set --local path '.vendor/' +bundle config set --local without 'development release' +bundle config set --local with 'system_tests' +bundle install --jobs "$(nproc)" +bundle update +bundle clean ``` As an alternative to the `--jobs "$(nproc)` parameter, you can set an @@ -232,18 +242,21 @@ simple tests against it after applying the module. You can run this with: ```sh -BEAKER_setfile=debian11-64 bundle exec rake beaker +BEAKER_PUPPET_COLLECTION=puppet7 BEAKER_setfile=debian11-64 bundle exec rake beaker ``` -You can replace the string `debian10` with any common operating system. +You can replace the string `debian11` with any common operating system. The following strings are known to work: -* ubuntu1804 * ubuntu2004 -* debian10 +* ubuntu2204 * debian11 * centos7 * centos8 +* centos9 +* almalinux8 +* almalinux9 +* fedora36 For more information and tips & tricks, see [voxpupuli-acceptance's documentation](https://github.com/voxpupuli/voxpupuli-acceptance#running-tests). diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 8a077911..7216724f 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -4,7 +4,12 @@ name: CI -on: pull_request +on: + pull_request: {} + push: + branches: + - main + - master concurrency: group: ${{ github.ref_name }} @@ -13,6 +18,6 @@ concurrency: jobs: puppet: name: Puppet - uses: voxpupuli/gha-puppet/.github/workflows/beaker.yml@v1 + uses: voxpupuli/gha-puppet/.github/workflows/beaker.yml@v2 with: pidfile_workaround: 'false' diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 15f17213..55324aa6 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -12,7 +12,7 @@ on: jobs: release: name: Release - uses: voxpupuli/gha-puppet/.github/workflows/release.yml@v1 + uses: voxpupuli/gha-puppet/.github/workflows/release.yml@v2 with: allowed_owner: 'voxpupuli' secrets: diff --git a/.gitignore b/.gitignore index 9b95224c..adea1b01 100644 --- a/.gitignore +++ b/.gitignore @@ -1,23 +1,25 @@ # Managed by modulesync - DO NOT EDIT # https://voxpupuli.org/docs/updating-files-managed-with-modulesync/ -pkg/ -Gemfile.lock -Gemfile.local -vendor/ -.vendor/ -spec/fixtures/manifests/ -spec/fixtures/modules/ -.vagrant/ -.bundle/ -.ruby-version -coverage/ -log/ -.idea/ -.dependencies/ -.librarian/ -Puppetfile.lock +/pkg/ +/Gemfile.lock +/Gemfile.local +/vendor/ +/.vendor/ +/spec/fixtures/manifests/ +/spec/fixtures/modules/ +/.vagrant/ +/.bundle/ +/.ruby-version +/coverage/ +/log/ +/.idea/ +/.dependencies/ +/.librarian/ +/Puppetfile.lock *.iml .*.sw? -.yardoc/ -Guardfile +/.yardoc/ +/Guardfile +bolt-debug.log +.rerun.json diff --git a/.msync.yml b/.msync.yml index f3156d15..ade23f9e 100644 --- a/.msync.yml +++ b/.msync.yml @@ -2,4 +2,4 @@ # Managed by modulesync - DO NOT EDIT # https://voxpupuli.org/docs/updating-files-managed-with-modulesync/ -modulesync_config_version: '5.4.0' +modulesync_config_version: '7.5.0' diff --git a/.pmtignore b/.pmtignore index 65f50514..10b98306 100644 --- a/.pmtignore +++ b/.pmtignore @@ -1,37 +1,38 @@ # Managed by modulesync - DO NOT EDIT # https://voxpupuli.org/docs/updating-files-managed-with-modulesync/ -docs/ -pkg/ -Gemfile -Gemfile.lock -Gemfile.local -vendor/ -.vendor/ -spec/ -Rakefile -.vagrant/ -.bundle/ -.ruby-version -coverage/ -log/ -.idea/ -.dependencies/ -.github/ -.librarian/ -Puppetfile.lock +/docs/ +/pkg/ +/Gemfile +/Gemfile.lock +/Gemfile.local +/vendor/ +/.vendor/ +/spec/ +/Rakefile +/.vagrant/ +/.bundle/ +/.ruby-version +/coverage/ +/log/ +/.idea/ +/.dependencies/ +/.github/ +/.librarian/ +/Puppetfile.lock *.iml -.editorconfig -.fixtures.yml -.gitignore -.msync.yml -.overcommit.yml -.pmtignore -.rspec -.rspec_parallel -.rubocop.yml -.sync.yml +/.editorconfig +/.fixtures.yml +/.gitignore +/.msync.yml +/.overcommit.yml +/.pmtignore +/.rspec +/.rspec_parallel +/.rubocop.yml +/.sync.yml .*.sw? -.yardoc/ -.yardopts -Dockerfile +/.yardoc/ +/.yardopts +/Dockerfile +/HISTORY.md diff --git a/CHANGELOG.md b/CHANGELOG.md index ddb95895..4ee9937a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,33 @@ All notable changes to this project will be documented in this file. Each new release typically also includes the latest modulesync defaults. These should not affect the functionality of the module. +## [v4.1.0](https://github.com/voxpupuli/puppet-vault/tree/v4.1.0) (2023-11-19) + +[Full Changelog](https://github.com/voxpupuli/puppet-vault/compare/v4.0.0...v4.1.0) + +**Implemented enhancements:** + +- puppet/systemd: Allow 6.x [\#43](https://github.com/voxpupuli/puppet-vault/pull/43) ([bastelfreak](https://github.com/bastelfreak)) +- Add Debian 12 support [\#42](https://github.com/voxpupuli/puppet-vault/pull/42) ([bastelfreak](https://github.com/bastelfreak)) + +## [v4.0.0](https://github.com/voxpupuli/puppet-vault/tree/v4.0.0) (2023-08-21) + +[Full Changelog](https://github.com/voxpupuli/puppet-vault/compare/v3.0.0...v4.0.0) + +**Breaking changes:** + +- Drop Puppet 6 support [\#30](https://github.com/voxpupuli/puppet-vault/pull/30) ([bastelfreak](https://github.com/bastelfreak)) + +**Implemented enhancements:** + +- Add EL8/9 & Rocky/AlmaLinux/OracleLinux support [\#40](https://github.com/voxpupuli/puppet-vault/pull/40) ([bastelfreak](https://github.com/bastelfreak)) +- stm/file\_capability: Allow 6.x [\#39](https://github.com/voxpupuli/puppet-vault/pull/39) ([bastelfreak](https://github.com/bastelfreak)) +- puppet/systemd: Allow 5.x [\#38](https://github.com/voxpupuli/puppet-vault/pull/38) ([bastelfreak](https://github.com/bastelfreak)) +- puppet/hashi\_stack: Allow 3.x [\#37](https://github.com/voxpupuli/puppet-vault/pull/37) ([bastelfreak](https://github.com/bastelfreak)) +- puppet/archive: Allow 7.x [\#36](https://github.com/voxpupuli/puppet-vault/pull/36) ([bastelfreak](https://github.com/bastelfreak)) +- puppetlabs/stdlib: Allow 9.x [\#35](https://github.com/voxpupuli/puppet-vault/pull/35) ([bastelfreak](https://github.com/bastelfreak)) +- Add Puppet 8 support [\#34](https://github.com/voxpupuli/puppet-vault/pull/34) ([bastelfreak](https://github.com/bastelfreak)) + ## [v3.0.0](https://github.com/voxpupuli/puppet-vault/tree/v3.0.0) (2023-02-24) [Full Changelog](https://github.com/voxpupuli/puppet-vault/compare/v2.3.0...v3.0.0) diff --git a/Dockerfile b/Dockerfile deleted file mode 100644 index 8dd82d63..00000000 --- a/Dockerfile +++ /dev/null @@ -1,24 +0,0 @@ -# MANAGED BY MODULESYNC -# https://voxpupuli.org/docs/updating-files-managed-with-modulesync/ - -FROM ruby:2.7 - -WORKDIR /opt/puppet - -# https://github.com/puppetlabs/puppet/blob/06ad255754a38f22fb3a22c7c4f1e2ce453d01cb/lib/puppet/provider/service/runit.rb#L39 -RUN mkdir -p /etc/sv - -ARG PUPPET_GEM_VERSION="~> 6.0" -ARG PARALLEL_TEST_PROCESSORS=4 - -# Cache gems -COPY Gemfile . -RUN bundle install --without system_tests development release --path=${BUNDLE_PATH:-vendor/bundle} - -COPY . . - -RUN bundle install -RUN bundle exec rake release_checks - -# Container should not saved -RUN exit 1 diff --git a/Gemfile b/Gemfile index 3d25e88a..ef3d7e77 100644 --- a/Gemfile +++ b/Gemfile @@ -4,10 +4,10 @@ source ENV['GEM_SOURCE'] || 'https://rubygems.org' group :test do - gem 'voxpupuli-test', '~> 5.4', :require => false + gem 'voxpupuli-test', '~> 7.0', :require => false gem 'coveralls', :require => false gem 'simplecov-console', :require => false - gem 'puppet_metadata', '~> 2.0', :require => false + gem 'puppet_metadata', '~> 3.5', :require => false gem 'rspec-json_expectations', :require => false end @@ -17,19 +17,17 @@ group :development do end group :system_tests do - gem 'voxpupuli-acceptance', '~> 1.0', :require => false + gem 'voxpupuli-acceptance', '~> 3.0', :require => false end group :release do - gem 'github_changelog_generator', '>= 1.16.1', :require => false if RUBY_VERSION >= '2.5' - gem 'voxpupuli-release', '>= 1.2.0', :require => false - gem 'puppet-strings', '>= 2.2', :require => false + gem 'voxpupuli-release', '~> 3.0', :require => false end gem 'rake', :require => false gem 'facter', ENV['FACTER_GEM_VERSION'], :require => false, :groups => [:test] -puppetversion = ENV['PUPPET_GEM_VERSION'] || '>= 6.0' +puppetversion = ENV['PUPPET_GEM_VERSION'] || '~> 7.24' gem 'puppet', puppetversion, :require => false, :groups => [:test] # vim: syntax=ruby diff --git a/README.md b/README.md index 70133d77..62749199 100644 --- a/README.md +++ b/README.md @@ -6,7 +6,7 @@ [![Puppet Forge - downloads](https://img.shields.io/puppetforge/dt/puppet/vault.svg)](https://forge.puppetlabs.com/puppet/vault) [![Puppet Forge - endorsement](https://img.shields.io/puppetforge/e/puppet/vault.svg)](https://forge.puppetlabs.com/puppet/vault) [![Puppet Forge - scores](https://img.shields.io/puppetforge/f/puppet/vault.svg)](https://forge.puppetlabs.com/puppet/vault) -[![puppetmodule.info docs](http://www.puppetmodule.info/images/badge.png)](http://www.puppetmodule.info/m/puppet-catalog-diff) +[![puppetmodule.info docs](https://www.puppetmodule.info/images/badge.png)](https://www.puppetmodule.info/m/puppet-catalog-diff) [![Apache-2 License](https://img.shields.io/github/license/voxpupuli/puppet-vault.svg)](LICENSE) [![Donated by jsok](https://img.shields.io/badge/donated%20by-jsok-fb7047.svg)](#transfer-notice) @@ -36,6 +36,7 @@ Please see [The official documentation](https://www.vaultproject.io/docs/configu * `manage_group`: Whether or not the module should create the group. * `bin_dir`: Directory the vault executable will be installed in. * `config_dir`: Directory the vault configuration will be kept in. +* `config_output`: What format to output the configuration in (`hcl` or `json`) (default: `json`) * `config_mode`: Mode of the configuration file (config.json). Defaults to '0750' * `purge_config_dir`: Whether the `config_dir` should be purged before installing the generated config. * `install_method`: Supports the values `repo` or `archive`. See [Installation parameters](#installation-parameters). @@ -84,7 +85,7 @@ By default, with no parameters the module will configure vault with some sensibl ``` { 'file' => { 'path' => '/var/lib/vault' }} ``` - +* `ha_storage`: An optional hash containing the `ha_storage` configuration * `listener`: A hash or array of hashes containing the listener configuration(s), default: ``` @@ -95,31 +96,51 @@ By default, with no parameters the module will configure vault with some sensibl } } ``` - -* `ha_storage`: An optional hash containing the `ha_storage` configuration - -* `seal`: An optional hash containing the `seal` configuration - -* `telemetry`: An optional hash containing the `telemetry` configuration - +* `user_lockout` An optional hash for configuring failed user login behavior. (default: `undef`) +* `seal`: An optional hash containing the `seal` configuration (default: `undef`) +* `cluster_name`: An optional string containing the name of the cluster (default: `undef`) +* `cache_size`: An optional string containing the cache size (default: `undef`) * `disable_cache`: A boolean to disable or enable the cache (default: `undef`) - -* `disable_mlock`: A boolean to disable or enable mlock [See below](#mlock) (default: `undef`) - +* `disable_mlock`: An optional boolean to disable or enable mlock [See below](#mlock) (default: `undef`) +* `plugin_directory`: An optional string containing the plugin directory path (default: `undef`) +* `plugin_file_uid`: An optional integer containing uid for the owning user (default: `undef`) +* `plugin_file_permissions`: An optional integer containing file permissions (default: `undef`) +* `telemetry`: An optional hash containing the `telemetry` configuration * `default_lease_ttl`: A string containing the default lease TTL (default: `undef`) - * `max_lease_ttl`: A string containing the max lease TTL (default: `undef`) - -* `enable_ui`: Enable the vault UI (requires vault 0.10.0+ or Enterprise) (default: `undef`) - +* `default_max_request_duration`: A string containing the default max request duration (default: `undef`) +* `detect_deadlocks`: An optional boolean indicating whether to detect deadlocks (default: `undef`) +* `raw_storage_endpoint`: An optional boolean enabling sys/raw endpoint (default: `undef`) +* `introspection_endpoint`: An optional boolean enabling sys/internal/inspect endpoints (default: `undef`) +* `enable_ui`: An optional boolean to enable the vault UI (requires vault 0.10.0+ or Enterprise) (default: `undef`) +* `pid_file`: An optional string containing path to the pid file (default: `undef`) +* `enable_response_header_hostname`: An optional boolean controlling whether to enable the hostname response header (default: `undef`) +* `enable_response_header_raft_node_id`: An optional boolean controlling whether to enable the raft node id response header (default: `undef`) +* `log_level`: An optional string containing the log level (default: `undef`) +* `log_format`: An optional string equivalent to the -log-format command-line flag (default: `undef`) +* `log_file`: An optional string equivalent to the -log-file command-line flag (default `undef`) +* `log_rotate_duration`: An optional string equivalent to the -log-rotate-duration command-line flag (default: `undef`) +* `log_rotate_bytes`: An optional string equivalent to the -log-rotate-bytes command-line flag (default: `undef`) +* `log_rotate_max_files`: An optional string equivalent to the -log-rotate-max-files command-line flag (default: `undef`) +* `experiments`: An optional array of experiments to enable (default: `undef`) * `api_addr`: Specifies the address (full URL) to advertise to other Vault servers in the cluster for client redirection. This value is also used for plugin backends. This can also be provided via the environment variable VAULT_API_ADDR. In general this should be set as a full URL that points to the value of the listener address (default: `undef`) - -* `extra_config`: A hash containing extra configuration, intended for newly released configuration not yet supported by the module. This hash will get merged with other configuration attributes into the JSON config file. +* `cluster_addr`: An optional string specifying the address to advertise to other Vault servers in the cluster for request forwarding +* `disable_clustering`: An optional boolean used to disable clustering features (default: `undef`) +* `disable_sealwrap`: An optional boolean to disable seal wrapping for any value except root key (default: `undef`) +* `disable_performance_standby`: An optional boolean to disable perfomance standbys (default: `undef`) +* `license_path`: An optional string to specify the path to the license file (default: `undef`) +* `replication`: An optional hash containing various parameters for tuning replication (default: `undef`) +* `sentinel`: An optional hash containing configuration for vault's sentinel integration (default: `undef`) +* `service_registration`: An optional hash for configuring vault's mechanims for service registration (default: `undef`) +* `log_requests_level`: An optional string to configure logging completed requests (default: `undef`) +* `entropy_augmentation`: An optional string for configuring Vault's entropy sampling (default: `undef`) +* `kms_library`: An optional string for configuring platform specific isolation for managed keys (default: `undef`) +* `extra_config`: A hash containing extra configuration, intended for newly released configuration not yet supported by the module. This hash will get merged with other configuration attributes into the config file. ## Examples ```puppet -class { '::vault': +class { 'vault': storage => { file => { path => '/tmp', @@ -181,7 +202,7 @@ The module will use `setcap` on the vault binary to enable this. If you do not wish to use `mlock`, set the `disable_mlock` attribute to `true` ```puppet -class { '::vault': +class { 'vault': disable_mlock => true } ``` diff --git a/REFERENCE.md b/REFERENCE.md index 8a8368c2..3de0401e 100644 --- a/REFERENCE.md +++ b/REFERENCE.md @@ -8,7 +8,7 @@ #### Public Classes -* [`vault`](#vault): install hashicorp vault +* [`vault`](#vault) #### Private Classes @@ -21,424 +21,753 @@ ### `vault` -install hashicorp vault +The vault class. #### Parameters The following parameters are available in the `vault` class: +* [`service_provider`](#-vault--service_provider) +* [`service_options`](#-vault--service_options) +* [`manage_service`](#-vault--manage_service) +* [`manage_service_file`](#-vault--manage_service_file) +* [`manage_storage_dir`](#-vault--manage_storage_dir) +* [`manage_repo`](#-vault--manage_repo) +* [`num_procs`](#-vault--num_procs) +* [`install_method`](#-vault--install_method) +* [`package_name`](#-vault--package_name) +* [`package_ensure`](#-vault--package_ensure) +* [`download_dir`](#-vault--download_dir) +* [`manage_download_dir`](#-vault--manage_download_dir) +* [`download_filename`](#-vault--download_filename) +* [`version`](#-vault--version) +* [`os`](#-vault--os) +* [`arch`](#-vault--arch) +* [`storage`](#-vault--storage) +* [`ha_storage`](#-vault--ha_storage) +* [`listener`](#-vault--listener) +* [`user_lockout`](#-vault--user_lockout) +* [`seal`](#-vault--seal) +* [`cluster_name`](#-vault--cluster_name) +* [`cache_size`](#-vault--cache_size) +* [`disable_cache`](#-vault--disable_cache) +* [`disable_mlock`](#-vault--disable_mlock) +* [`manage_file_capabilities`](#-vault--manage_file_capabilities) +* [`plugin_directory`](#-vault--plugin_directory) +* [`plugin_file_uid`](#-vault--plugin_file_uid) +* [`plugin_file_permissions`](#-vault--plugin_file_permissions) +* [`telemetry`](#-vault--telemetry) +* [`default_lease_ttl`](#-vault--default_lease_ttl) +* [`max_lease_ttl`](#-vault--max_lease_ttl) +* [`default_max_request_duration`](#-vault--default_max_request_duration) +* [`detect_deadlocks`](#-vault--detect_deadlocks) +* [`raw_storage_endpoint`](#-vault--raw_storage_endpoint) +* [`introspection_endpoint`](#-vault--introspection_endpoint) +* [`enable_ui`](#-vault--enable_ui) +* [`pid_file`](#-vault--pid_file) +* [`enable_response_header_hostname`](#-vault--enable_response_header_hostname) +* [`enable_response_header_raft_node_id`](#-vault--enable_response_header_raft_node_id) +* [`log_level`](#-vault--log_level) +* [`log_format`](#-vault--log_format) +* [`log_file`](#-vault--log_file) +* [`log_rotate_duration`](#-vault--log_rotate_duration) +* [`log_rotate_bytes`](#-vault--log_rotate_bytes) +* [`log_rotate_max_files`](#-vault--log_rotate_max_files) +* [`experiments`](#-vault--experiments) +* [`api_addr`](#-vault--api_addr) +* [`cluster_addr`](#-vault--cluster_addr) +* [`disable_clustering`](#-vault--disable_clustering) +* [`disable_sealwrap`](#-vault--disable_sealwrap) +* [`disable_performance_standby`](#-vault--disable_performance_standby) +* [`license_path`](#-vault--license_path) +* [`replication`](#-vault--replication) +* [`sentinel`](#-vault--sentinel) +* [`service_registration`](#-vault--service_registration) +* [`log_requests_level`](#-vault--log_requests_level) +* [`entropy_augmentation`](#-vault--entropy_augmentation) +* [`kms_library`](#-vault--kms_library) +* [`extra_config`](#-vault--extra_config) * [`user`](#-vault--user) * [`manage_user`](#-vault--manage_user) * [`group`](#-vault--group) * [`manage_group`](#-vault--manage_group) * [`bin_dir`](#-vault--bin_dir) * [`config_dir`](#-vault--config_dir) +* [`manage_config_dir`](#-vault--manage_config_dir) +* [`manage_config_file`](#-vault--manage_config_file) +* [`config_output`](#-vault--config_output) * [`config_mode`](#-vault--config_mode) * [`purge_config_dir`](#-vault--purge_config_dir) +* [`create_env_file`](#-vault--create_env_file) * [`download_url`](#-vault--download_url) * [`download_url_base`](#-vault--download_url_base) * [`download_extension`](#-vault--download_extension) * [`service_name`](#-vault--service_name) -* [`service_provider`](#-vault--service_provider) -* [`service_options`](#-vault--service_options) -* [`manage_repo`](#-vault--manage_repo) -* [`manage_service`](#-vault--manage_service) -* [`num_procs`](#-vault--num_procs) -* [`api_addr`](#-vault--api_addr) -* [`version`](#-vault--version) -* [`extra_config`](#-vault--extra_config) -* [`enable_ui`](#-vault--enable_ui) -* [`arch`](#-vault--arch) -* [`os`](#-vault--os) -* [`manage_download_dir`](#-vault--manage_download_dir) -* [`download_dir`](#-vault--download_dir) -* [`package_ensure`](#-vault--package_ensure) -* [`package_name`](#-vault--package_name) -* [`install_method`](#-vault--install_method) -* [`manage_file_capabilities`](#-vault--manage_file_capabilities) -* [`disable_mlock`](#-vault--disable_mlock) -* [`max_lease_ttl`](#-vault--max_lease_ttl) -* [`default_lease_ttl`](#-vault--default_lease_ttl) -* [`telemetry`](#-vault--telemetry) -* [`disable_cache`](#-vault--disable_cache) -* [`seal`](#-vault--seal) -* [`ha_storage`](#-vault--ha_storage) -* [`listener`](#-vault--listener) -* [`manage_storage_dir`](#-vault--manage_storage_dir) -* [`storage`](#-vault--storage) -* [`manage_service_file`](#-vault--manage_service_file) -* [`service_ensure`](#-vault--service_ensure) * [`service_enable`](#-vault--service_enable) -* [`manage_config_file`](#-vault--manage_config_file) -* [`download_filename`](#-vault--download_filename) -* [`manage_config_dir`](#-vault--manage_config_dir) +* [`service_ensure`](#-vault--service_ensure) -##### `user` +##### `service_provider` -Data type: `Any` +Data type: `String` -Customise the user vault runs as, will also create the user unless `manage_user` is false. +Customise the name of the system service provider; this also controls the +init configuration files that are installed. -Default value: `'vault'` +Default value: `$facts['service_provider']` -##### `manage_user` +##### `service_options` + +Data type: `Optional[String]` -Data type: `Any` +Extra argument to pass to `vault server`, as per: `vault server --help` -Whether or not the module should create the user. +Default value: `undef` + +##### `manage_service` + +Data type: `Boolean` + +Instruct puppet to manage service or not Default value: `true` -##### `group` +##### `manage_service_file` -Data type: `Any` +Data type: `Optional[Boolean]` + +Whether or not this module should manage the service file + +Default value: `$vault::params::manage_service_file` + +##### `manage_storage_dir` + +Data type: `Boolean` + +Whether or not this module should concern itself with the storage directory + +Default value: `false` -Customise the group vault runs as, will also create the user unless `manage_group` is false. +##### `manage_repo` + +Data type: `Boolean` + +Configure the upstream HashiCorp repository. Only relevant when +$nomad::install_method = 'repo'. + +Default value: `$vault::params::manage_repo` + +##### `num_procs` + +Data type: `Variant[Integer, String]` + +Sets the GOMAXPROCS environment variable, to determine how many CPUs Vault +can use. The official Vault Terraform install.sh script sets this to the +output of ``nprocs``, with the comment, "Make sure to use all our CPUs, +because Vault can block a scheduler thread". Default: number of CPUs +on the system, retrieved from the ``processorcount`` Fact. + +Default value: `$facts['processors']['count']` + +##### `install_method` + +Data type: `Enum['archive', 'repo']` + +How to install vault (i.e. from the official Hashicorp repo or archive) + +Default value: `$vault::params::install_method` + +##### `package_name` + +Data type: `String` + +The name of the package to install Default value: `'vault'` -##### `manage_group` +##### `package_ensure` -Data type: `Any` +Data type: `String` -Whether or not the module should create the group. +State of the package to ensure (i.e. installed) -Default value: `true` +Default value: `'installed'` -##### `bin_dir` +##### `download_dir` -Data type: `Any` +Data type: `StdLib::AbsolutePath` -Directory the vault executable will be installed in. +The directory to download the archive to for extraction -Default value: `$vault::params::bin_dir` +Default value: `'/tmp'` -##### `config_dir` +##### `manage_download_dir` -Data type: `Any` +Data type: `Boolean` -Directory the vault configuration will be kept in. +Whether or not to manage the download directory -Default value: `if $install_method == 'repo' and $manage_repo { '/etc/vault.d' } else { '/etc/vault'` +Default value: `false` -##### `config_mode` +##### `download_filename` + +Data type: `String` -Data type: `Any` +The filename to write the downloaded archive to -Mode of the configuration file (config.json). Defaults to '0750' +Default value: `'vault.zip'` -Default value: `'0750'` +##### `version` -##### `purge_config_dir` +Data type: `String` -Data type: `Any` +The version of Vault to download and install (for archive installation) -Whether the `config_dir` should be purged before installing the generated config. +Default value: `'1.12.0'` -Default value: `true` +##### `os` -##### `download_url` +Data type: `String` -Data type: `Any` +The operating system name -Manual URL to download the vault zip distribution from. +Default value: `downcase($facts['kernel'])` + +##### `arch` + +Data type: `String` + +The cpu architecture + +Default value: `$vault::params::arch` + +##### `storage` + +Data type: `Hash` + +Configures the storage backend where Vault data is stored. + +Default value: `{ 'file' => { 'path' => '/var/lib/vault' }, }` + +##### `ha_storage` + +Data type: `Optional[Hash]` + +Configures the storage backend where Vault HA coordination will take place. Default value: `undef` -##### `download_url_base` +##### `listener` -Data type: `Any` +Data type: `Variant[Hash, Array[Hash]]` -Hashicorp base URL to download vault zip distribution from. +Configures how Vault is listening for API requests. -Default value: `'https://releases.hashicorp.com/vault/'` +Default value: `{ 'tcp' => { 'address' => '127.0.0.1:8200', 'tls_disable' => 1 }, }` -##### `download_extension` +##### `user_lockout` -Data type: `Any` +Data type: `Optional[Hash]` -The extension of the vault download +Configures the user-lockout behaviour for failed logins. -Default value: `'zip'` +Default value: `undef` -##### `service_name` +##### `seal` -Data type: `Any` +Data type: `Optional[Hash]` -Customise the name of the system service +Configures the seal type to use for auto-unsealing, as well as for seal +wrapping as an additional layer of data protection. -Default value: `'vault'` +Default value: `undef` -##### `service_provider` +##### `cluster_name` -Data type: `Any` +Data type: `Optional[String]` -Customise the name of the system service provider; this -also controls the init configuration files that are installed. +Specifies the identifier for the Vault cluster -Default value: `$facts['service_provider']` +Default value: `undef` -##### `service_options` +##### `cache_size` -Data type: `Any` +Data type: `Optional[String]` -Extra argument to pass to `vault server`, as per: `vault server --help` +Specifies the size of the read cache used by the physical storage subsystem. -Default value: `''` +Default value: `undef` -##### `manage_repo` +##### `disable_cache` -Data type: `Boolean` +Data type: `Optional[Boolean]` -Configure the upstream HashiCorp repository. Only relevant when $nomad::install_method = 'repo'. +Disables all caches within Vault, including the read cache used by the +physical storage subsystem. -Default value: `$vault::params::manage_repo` +Default value: `undef` -##### `manage_service` +##### `disable_mlock` -Data type: `Any` +Data type: `Optional[Boolean]` -Instruct puppet to manage service or not +Disables the server from executing the mlock syscall. -Default value: `true` +Default value: `undef` -##### `num_procs` +##### `manage_file_capabilities` -Data type: `Any` +Data type: `Optional[Boolean]` -Sets the GOMAXPROCS environment variable, to determine how many CPUs Vault -can use. The official Vault Terraform install.sh script sets this to the -output of ``nprocs``, with the comment, "Make sure to use all our CPUs, -because Vault can block a scheduler thread". Default: number of CPUs -on the system, retrieved from the ``processorcount`` Fact. +Whether or not to control the ipc_lock capability on the vault binary -Default value: `$facts['processors']['count']` +Default value: `undef` -##### `api_addr` +##### `plugin_directory` Data type: `Optional[String]` -Specifies the address (full URL) to advertise to other Vault servers in the -cluster for client redirection. This value is also used for plugin backends. -This can also be provided via the environment variable VAULT_API_ADDR. In -general this should be set as a full URL that points to the value of the -listener address +A directory from which plugins are allowed to be loaded. Default value: `undef` -##### `version` +##### `plugin_file_uid` -Data type: `Any` +Data type: `Optional[Integer]` -The version of Vault to install +Uid of the plugin directories and plugin binaries if they are owned by an +user other than the user running Vault. -Default value: `'1.12.0'` +Default value: `undef` -##### `extra_config` +##### `plugin_file_permissions` -Data type: `Hash` +Data type: `Optional[String]` +Octal permission string of the plugin directories and plugin binaries if +they have write or execute permissions for group or others. +Default value: `undef` -Default value: `{}` +##### `telemetry` -##### `enable_ui` +Data type: `Optional[Hash]` -Data type: `Optional[Boolean]` +Specifies the telemetry reporting system. +Default value: `undef` +##### `default_lease_ttl` + +Data type: `Optional[String]` + +Specifies the default lease duration for tokens and secrets. Default value: `undef` -##### `arch` +##### `max_lease_ttl` -Data type: `Any` +Data type: `Optional[String]` +Specifies the maximum possible lease duration for tokens and secrets. +Default value: `undef` -Default value: `$vault::params::arch` +##### `default_max_request_duration` -##### `os` +Data type: `Optional[String]` -Data type: `Any` +Specifies the default maximum request duration allowed before Vault cancels +the request. +Default value: `undef` +##### `detect_deadlocks` -Default value: `downcase($facts['kernel'])` +Data type: `Optional[String]` -##### `manage_download_dir` +Specifies the internal mutex locks that should be monitored for potential +deadlocks. -Data type: `Any` +Default value: `undef` +##### `raw_storage_endpoint` +Data type: `Optional[Boolean]` -Default value: `false` +Enables the sys/raw endpoint which allows the decryption/encryption of raw +data into and out of the security barrier. -##### `download_dir` +Default value: `undef` -Data type: `Any` +##### `introspection_endpoint` +Data type: `Optional[Boolean]` +Enables the sys/internal/inspect endpoint which allows users with a root +token or sudo privileges to inspect certain subsystems inside Vault. -Default value: `'/tmp'` +Default value: `undef` -##### `package_ensure` +##### `enable_ui` -Data type: `Any` +Data type: `Optional[Boolean]` +Enables the built-in web UI, which is available on all listeners (address + +port) at the /ui path. +Default value: `undef` -Default value: `'installed'` +##### `pid_file` -##### `package_name` +Data type: `Optional[String]` -Data type: `Any` +Path to the file in which the Vault server's Process ID (PID) should be +stored. +Default value: `undef` +##### `enable_response_header_hostname` -Default value: `'vault'` +Data type: `Optional[Boolean]` -##### `install_method` +Enables the addition of an HTTP header in all of Vault's HTTP responses: +X-Vault-Hostname. -Data type: `Any` +Default value: `undef` +##### `enable_response_header_raft_node_id` +Data type: `Optional[Boolean]` -Default value: `$vault::params::install_method` +Enables the addition of an HTTP header in all of Vault's HTTP responses: +X-Vault-Raft-Node-ID. -##### `manage_file_capabilities` +Default value: `undef` + +##### `log_level` -Data type: `Any` +Data type: +```puppet +Optional[ + Enum['trace', 'debug', 'info', 'warn', 'error'] + ] +``` +Log verbosity level. Supported values (in order of descending detail) are +trace, debug, info, warn, and error. Default value: `undef` -##### `disable_mlock` +##### `log_format` + +Data type: `Optional[String]` -Data type: `Any` +Equivalent to the -log-format command-line flag. +Default value: `undef` + +##### `log_file` + +Data type: `Optional[String]` +Equivalent to the -log-file command-line flag. Default value: `undef` -##### `max_lease_ttl` +##### `log_rotate_duration` Data type: `Optional[String]` +Equivalent to the -log-rotate-duration command-line flag. + +Default value: `undef` + +##### `log_rotate_bytes` + +Data type: `Optional[String]` +Equivalent to the -log-rotate-bytes command-line flag. Default value: `undef` -##### `default_lease_ttl` +##### `log_rotate_max_files` Data type: `Optional[String]` +Equivalent to the -log-rotate-max-files command-line flag. + +Default value: `undef` + +##### `experiments` +Data type: `Optional[Array]` + +The list of experiments to enable for this node. Default value: `undef` -##### `telemetry` +##### `api_addr` -Data type: `Optional[Hash]` +Data type: `Optional[String]` +Specifies the address (full URL) to advertise to other Vault servers in the +cluster for client redirection. +Default value: `undef` + +##### `cluster_addr` + +Data type: `Optional[String]` + +Specifies the address to advertise to other Vault servers in the cluster for +request forwarding. Default value: `undef` -##### `disable_cache` +##### `disable_clustering` Data type: `Optional[Boolean]` +Specifies whether clustering features such as request forwarding are +enabled. + +Default value: `undef` + +##### `disable_sealwrap` + +Data type: `Optional[Boolean]` +Disables using seal wrapping for any value except the root key. Default value: `undef` -##### `seal` +##### `disable_performance_standby` -Data type: `Optional[Hash]` +Data type: `Optional[Boolean]` + +Specifies whether performance standbys should be disabled on this node. + +Default value: `undef` +##### `license_path` +Data type: `Optional[String]` + +Path to license file. Default value: `undef` -##### `ha_storage` +##### `replication` Data type: `Optional[Hash]` +The replication stanza specifies various parameters for tuning replication +related values. + +Default value: `undef` + +##### `sentinel` + +Data type: `Optional[Hash]` +The sentinel stanza specifies configurations for Vault's Sentinel +integration. Default value: `undef` -##### `listener` +##### `service_registration` -Data type: `Variant[Hash, Array[Hash]]` +Data type: `Optional[Hash]` +The optional service_registration stanza configures Vault's mechanism for +service registration. +Default value: `undef` -Default value: `{ 'tcp' => { 'address' => '127.0.0.1:8200', 'tls_disable' => 1 }, }` +##### `log_requests_level` -##### `manage_storage_dir` +Data type: `Optional[String]` -Data type: `Any` +Vault can be configured to log completed requests using the +log_requests_level configuration parameter. +Default value: `undef` +##### `entropy_augmentation` -Default value: `false` +Data type: `Optional[String]` -##### `storage` +Entropy augmentation enables Vault to sample entropy from external +cryptographic modules. -Data type: `Hash` +Default value: `undef` +##### `kms_library` +Data type: `Optional[String]` -Default value: `{ 'file' => { 'path' => '/var/lib/vault' } }` +The kms_library stanza isolates platform specific configuration for managed +keys. -##### `manage_service_file` +Default value: `undef` -Data type: `Optional[Boolean]` +##### `extra_config` +Data type: `Hash` +Extra configuration options not covered by the rest of the parameters -Default value: `$vault::params::manage_service_file` +Default value: `{}` -##### `service_ensure` +##### `user` -Data type: `Any` +Data type: `String` -Default value: `'running'` +Default value: `'vault'` -##### `service_enable` +##### `manage_user` -Data type: `Any` +Data type: `Boolean` Default value: `true` -##### `manage_config_file` +##### `group` -Data type: `Any` +Data type: `String` + + + +Default value: `'vault'` + +##### `manage_group` + +Data type: `Boolean` Default value: `true` -##### `download_filename` +##### `bin_dir` -Data type: `Any` +Data type: `StdLib::AbsolutePath` -Default value: `'vault.zip'` +Default value: `$vault::params::bin_dir` + +##### `config_dir` + +Data type: `StdLib::AbsolutePath` + + + +Default value: `if $install_method == 'repo' and $manage_repo { '/etc/vault.d' } else { '/etc/vault'` ##### `manage_config_dir` Data type: `Boolean` -enable/disable the directory management. not required for package based installations + Default value: `$install_method == 'archive'` +##### `manage_config_file` + +Data type: `Boolean` + + + +Default value: `true` + +##### `config_output` + +Data type: `Enum['hcl', 'json']` + + + +Default value: `'json'` + +##### `config_mode` + +Data type: `StdLib::Filemode` + + + +Default value: `'0444'` + +##### `purge_config_dir` + +Data type: `Boolean` + + + +Default value: `true` + +##### `create_env_file` + +Data type: `Boolean` + + + +Default value: `false` + +##### `download_url` + +Data type: `Optional[StdLib::HTTPUrl]` + + + +Default value: `undef` + +##### `download_url_base` + +Data type: `StdLib::HTTPUrl` + + + +Default value: `$vault::params::download_base` + +##### `download_extension` + +Data type: `String` + + + +Default value: `'zip'` + +##### `service_name` + +Data type: `String` + + + +Default value: `'vault'` + +##### `service_enable` + +Data type: `Boolean` + + + +Default value: `true` + +##### `service_ensure` + +Data type: + +```puppet +Variant[ + Boolean, + Enum['running', 'stopped'] + ] +``` + + + +Default value: `'running'` + diff --git a/Rakefile b/Rakefile index 9869ea81..b9e0370d 100644 --- a/Rakefile +++ b/Rakefile @@ -24,6 +24,10 @@ end begin require 'voxpupuli/release/rake_tasks' rescue LoadError + # voxpupuli-release not present +else + GCGConfig.user = 'voxpupuli' + GCGConfig.project = 'puppet-vault' end desc "Run main 'test' task and report merged results to coveralls" @@ -37,36 +41,4 @@ task test_with_coveralls: [:test] do end end -desc 'Generate REFERENCE.md' -task :reference, [:debug, :backtrace] do |t, args| - patterns = '' - Rake::Task['strings:generate:reference'].invoke(patterns, args[:debug], args[:backtrace]) -end - -begin - require 'github_changelog_generator/task' - require 'puppet_blacksmith' - GitHubChangelogGenerator::RakeTask.new :changelog do |config| - metadata = Blacksmith::Modulefile.new - config.future_release = "v#{metadata.version}" if metadata.version =~ /^\d+\.\d+.\d+$/ - config.header = "# Changelog\n\nAll notable changes to this project will be documented in this file.\nEach new release typically also includes the latest modulesync defaults.\nThese should not affect the functionality of the module." - config.exclude_labels = %w{duplicate question invalid wontfix wont-fix modulesync skip-changelog} - config.user = 'voxpupuli' - config.project = 'puppet-vault' - end - - # Workaround for https://github.com/github-changelog-generator/github-changelog-generator/issues/715 - require 'rbconfig' - if RbConfig::CONFIG['host_os'] =~ /linux/ - task :changelog do - puts 'Fixing line endings...' - changelog_file = File.join(__dir__, 'CHANGELOG.md') - changelog_txt = File.read(changelog_file) - new_contents = changelog_txt.gsub(%r{\r\n}, "\n") - File.open(changelog_file, "w") {|file| file.puts new_contents } - end - end - -rescue LoadError -end # vim: syntax=ruby diff --git a/manifests/config.pp b/manifests/config.pp index 01586318..28d32bf1 100644 --- a/manifests/config.pp +++ b/manifests/config.pp @@ -16,24 +16,106 @@ } if $vault::manage_config_file { - $_config_hash = delete_undef_values({ - 'listener' => $vault::listener, - 'storage' => $vault::storage, - 'ha_storage' => $vault::ha_storage, - 'seal' => $vault::seal, - 'telemetry' => $vault::telemetry, - 'disable_cache' => $vault::disable_cache, - 'default_lease_ttl' => $vault::default_lease_ttl, - 'max_lease_ttl' => $vault::max_lease_ttl, - 'disable_mlock' => $vault::disable_mlock, - 'ui' => $vault::enable_ui, - 'api_addr' => $vault::api_addr, - }) + if $vault::config_output == 'json' { + $_config_hash = delete_undef_values({ + 'storage' => $vault::storage, + 'ha_storage' => $vault::ha_storage, + 'listener' => $vault::listener, + 'user_lockout' => $vault::user_lockout, + 'seal' => $vault::seal, + 'cluster_name' => $vault::cluster_name, + 'cache_size' => $vault::cache_size, + 'disable_cache' => $vault::disable_cache, + 'disable_mlock' => $vault::disable_mlock, + 'plugin_directory' => $vault::plugin_directory, + 'plugin_file_uid' => $vault::plugin_file_uid, + 'plugin_file_permissions' => $vault::plugin_file_permissions, + 'telemetry' => $vault::telemetry, + 'default_lease_ttl' => $vault::default_lease_ttl, + 'max_lease_ttl' => $vault::max_lease_ttl, + 'default_max_request_duration' => $vault::default_max_request_duration, + 'detect_deadlocks' => $vault::detect_deadlocks, + 'raw_storage_endpoint' => $vault::raw_storage_endpoint, + 'introspection_endpoint' => $vault::introspection_endpoint, + 'ui' => $vault::enable_ui, + 'pid_file' => $vault::pid_file, + 'enable_response_header_hostname' => $vault::enable_response_header_hostname, + 'enable_response_header_raft_node_id' => $vault::enable_response_header_raft_node_id, + 'log_level' => $vault::log_level, + 'log_format' => $vault::log_format, + 'log_file' => $vault::log_file, + 'log_rotate_duration' => $vault::log_rotate_duration, + 'log_rotate_bytes' => $vault::log_rotate_bytes, + 'log_rotate_max_files' => $vault::log_rotate_max_files, + 'experiments' => $vault::experiments, + 'api_addr' => $vault::api_addr, + 'cluster_addr' => $vault::cluster_addr, + 'disable_clustering' => $vault::disable_clustering, + 'disable_sealwrap' => $vault::disable_sealwrap, + 'disable_performance_standby' => $vault::disable_performance_standby, + 'license_path' => $vault::license_path, + 'replication' => $vault::replication, + 'sentinel' => $vault::sentinel, + 'service_registration' => $vault::service_registration, + 'log_requests_level' => $vault::log_requests_level, + 'entropy_augmentation' => $vault::entropy_augmentation, + 'kms_library' => $vault::kms_library, + }) - $config_hash = merge($_config_hash, $vault::extra_config) - - file { "${vault::config_dir}/config.json": - content => to_json_pretty($config_hash), + $config_hash = stdlib::merge($_config_hash, $vault::extra_config) + $content = stdlib::to_json_pretty($config_hash) + } else { + $content = epp( + 'vault/vault.hcl.epp', + { + storage => $vault::storage, + ha_storage => $vault::ha_storage, + listener => $vault::listener, + user_lockout => $vault::user_lockout, + seal => $vault::seal, + cluster_name => $vault::cluster_name, + cache_size => $vault::cache_size, + disable_cache => $vault::disable_cache, + disable_mlock => $vault::disable_mlock, + plugin_directory => $vault::plugin_directory, + plugin_file_uid => $vault::plugin_file_uid, + plugin_file_permissions => $vault::plugin_file_permissions, + telemetry => $vault::telemetry, + default_lease_ttl => $vault::default_lease_ttl, + max_lease_ttl => $vault::max_lease_ttl, + default_max_request_duration => $vault::default_max_request_duration, + detect_deadlocks => $vault::detect_deadlocks, + raw_storage_endpoint => $vault::raw_storage_endpoint, + introspection_endpoint => $vault::introspection_endpoint, + ui => $vault::enable_ui, + pid_file => $vault::pid_file, + enable_response_header_hostname => $vault::enable_response_header_hostname, + enable_response_header_raft_node_id => $vault::enable_response_header_raft_node_id, + log_level => $vault::log_level, + log_format => $vault::log_format, + log_file => $vault::log_file, + log_rotate_duration => $vault::log_rotate_duration, + log_rotate_bytes => $vault::log_rotate_bytes, + log_rotate_max_files => $vault::log_rotate_max_files, + experiments => $vault::experiments, + api_addr => $vault::api_addr, + cluster_addr => $vault::cluster_addr, + disable_clustering => $vault::disable_clustering, + disable_sealwrap => $vault::disable_sealwrap, + disable_performance_standby => $vault::disable_performance_standby, + license_path => $vault::license_path, + replication => $vault::replication, + sentinel => $vault::sentinel, + service_registration => $vault::service_registration, + log_requests_level => $vault::log_requests_level, + entropy_augmentation => $vault::entropy_augmentation, + kms_library => $vault::kms_library, + extra_config => $vault::extra_config, + } + ) + } + file { "${vault::config_dir}/vault.${vault::config_output}": + content => $content, owner => $vault::user, group => $vault::group, mode => $vault::config_mode, @@ -81,7 +163,23 @@ case $vault::service_provider { 'systemd': { systemd::unit_file { 'vault.service': - content => template('vault/vault.systemd.erb'), + content => epp( + 'vault/vault.service.epp', + { + user => $vault::user, + group => $vault::group, + bin_dir => $vault::bin_dir, + service_options => $vault::service_options, + config_dir => $vault::config_dir, + config_output => $vault::config_output, + create_env_file => $vault::create_env_file, + num_procs => $vault::num_procs, + disable_mlock => $vault::disable_mlock, + } + ), + mode => '0444', + owner => 'root', + group => 'root', } } default: { diff --git a/manifests/init.pp b/manifests/init.pp index da997dee..bbf59ef2 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -1,38 +1,85 @@ # # @summary install hashicorp vault # -# @param user Customise the user vault runs as, will also create the user unless `manage_user` is false. +# @param user +# Customise the user vault runs as, will also create the user unless +# `manage_user` is false. # -# @param manage_user Whether or not the module should create the user. +# @param manage_user +# Whether or not the module should create the user. # -# @param group Customise the group vault runs as, will also create the user unless `manage_group` is false. +# @param group +# Customise the group vault runs as, will also create the user unless +# `manage_group` is false. # -# @param manage_group Whether or not the module should create the group. +# @param manage_group +# Whether or not the module should create the group. # -# @param bin_dir Directory the vault executable will be installed in. +# @param bin_dir +# Directory the vault executable will be installed in. # -# @param config_dir Directory the vault configuration will be kept in. +# @param config_dir +# Directory the vault configuration will be kept in. # -# @param config_mode Mode of the configuration file (config.json). Defaults to '0750' +# @param manage_config_dir +# Enable/disable the directory management. not required for package based +# installations # -# @param purge_config_dir Whether the `config_dir` should be purged before installing the generated config. +# @param manage_config_file +# Enable/disable managing the config file +# +# @param config_output +# The language to use for the configuration output +# +# @param config_mode +# Mode of the configuration file (config.json). Defaults to '0750' +# +# @param purge_config_dir +# Whether the `config_dir` should be purged before installing the generated +# config. +# +# @param create_env_file +# Cause a blank vault.env file to be created in the config_dir. This also adds +# the EnvironmentFile directive to the service file (if manage_service_file is +# enabled) +# +# @param download_url +# Manual URL to download the vault zip distribution from. +# +# @param download_url_base +# Hashicorp base URL to download vault zip distribution from. # -# @param download_url Manual URL to download the vault zip distribution from. +# @param download_extension +# The extension of the vault download # -# @param download_url_base Hashicorp base URL to download vault zip distribution from. +# @param service_name +# Customise the name of the system service # -# @param download_extension The extension of the vault download +# @param service_enable +# Whether or not to enable the vault service # -# @param service_name Customise the name of the system service +# @param service_ensure +# State in which the service is ensured to be + +# @param service_provider +# Customise the name of the system service provider; this also controls the +# init configuration files that are installed. # -# @param service_provider Customise the name of the system service provider; this -# also controls the init configuration files that are installed. +# @param service_options +# Extra argument to pass to `vault server`, as per: `vault server --help` # -# @param service_options Extra argument to pass to `vault server`, as per: `vault server --help` +# @param manage_service +# Instruct puppet to manage service or not # -# @param manage_repo Configure the upstream HashiCorp repository. Only relevant when $nomad::install_method = 'repo'. +# @param manage_service_file +# Whether or not this module should manage the service file # -# @param manage_service Instruct puppet to manage service or not +# @param manage_storage_dir +# Whether or not this module should concern itself with the storage directory +# +# @param manage_repo +# Configure the upstream HashiCorp repository. Only relevant when +# $nomad::install_method = 'repo'. # # @param num_procs # Sets the GOMAXPROCS environment variable, to determine how many CPUs Vault @@ -41,87 +88,273 @@ # because Vault can block a scheduler thread". Default: number of CPUs # on the system, retrieved from the ``processorcount`` Fact. # -# @param api_addr -# Specifies the address (full URL) to advertise to other Vault servers in the -# cluster for client redirection. This value is also used for plugin backends. -# This can also be provided via the environment variable VAULT_API_ADDR. In -# general this should be set as a full URL that points to the value of the -# listener address +# @param install_method +# How to install vault (i.e. from the official Hashicorp repo or archive) # -# @param version The version of Vault to install +# @param package_name +# The name of the package to install # -# @param extra_config -# @param enable_ui -# @param arch -# @param os -# @param manage_download_dir -# @param download_dir # @param package_ensure -# @param package_name -# @param install_method -# @param manage_file_capabilities -# @param disable_mlock -# @param max_lease_ttl -# @param default_lease_ttl -# @param telemetry -# @param disable_cache -# @param seal +# State of the package to ensure (i.e. installed) +# +# @param download_dir +# The directory to download the archive to for extraction +# +# @param manage_download_dir +# Whether or not to manage the download directory +# +# @param download_filename +# The filename to write the downloaded archive to +# +# @param version +# The version of Vault to download and install (for archive installation) +# +# @param os +# The operating system name +# +# @param arch +# The cpu architecture +# +# @param storage +# Configures the storage backend where Vault data is stored. +# # @param ha_storage +# Configures the storage backend where Vault HA coordination will take place. +# # @param listener -# @param manage_storage_dir -# @param storage -# @param manage_service_file -# @param service_ensure -# @param service_enable -# @param manage_config_file -# @param download_filename -# @param manage_config_dir enable/disable the directory management. not required for package based installations +# Configures how Vault is listening for API requests. +# +# @param user_lockout +# Configures the user-lockout behaviour for failed logins. +# +# @param seal +# Configures the seal type to use for auto-unsealing, as well as for seal +# wrapping as an additional layer of data protection. +# +# @param cluster_name +# Specifies the identifier for the Vault cluster +# +# @param cache_size +# Specifies the size of the read cache used by the physical storage subsystem. +# +# @param disable_cache +# Disables all caches within Vault, including the read cache used by the +# physical storage subsystem. +# +# @param disable_mlock +# Disables the server from executing the mlock syscall. +# +# @param manage_file_capabilities +# Whether or not to control the ipc_lock capability on the vault binary +# +# @param plugin_directory +# A directory from which plugins are allowed to be loaded. +# +# @param plugin_file_uid +# Uid of the plugin directories and plugin binaries if they are owned by an +# user other than the user running Vault. +# +# @param plugin_file_permissions +# Octal permission string of the plugin directories and plugin binaries if +# they have write or execute permissions for group or others. +# +# @param telemetry +# Specifies the telemetry reporting system. +# +# @param default_lease_ttl +# Specifies the default lease duration for tokens and secrets. +# +# @param max_lease_ttl +# Specifies the maximum possible lease duration for tokens and secrets. +# +# @param default_max_request_duration +# Specifies the default maximum request duration allowed before Vault cancels +# the request. +# +# @param detect_deadlocks +# Specifies the internal mutex locks that should be monitored for potential +# deadlocks. +# +# @param raw_storage_endpoint +# Enables the sys/raw endpoint which allows the decryption/encryption of raw +# data into and out of the security barrier. +# +# @param introspection_endpoint +# Enables the sys/internal/inspect endpoint which allows users with a root +# token or sudo privileges to inspect certain subsystems inside Vault. +# +# @param enable_ui +# Enables the built-in web UI, which is available on all listeners (address + +# port) at the /ui path. +# +# @param pid_file +# Path to the file in which the Vault server's Process ID (PID) should be +# stored. +# +# @param enable_response_header_hostname +# Enables the addition of an HTTP header in all of Vault's HTTP responses: +# X-Vault-Hostname. +# +# @param enable_response_header_raft_node_id +# Enables the addition of an HTTP header in all of Vault's HTTP responses: +# X-Vault-Raft-Node-ID. +# +# @param log_level +# Log verbosity level. Supported values (in order of descending detail) are +# trace, debug, info, warn, and error. +# +# @param log_format +# Equivalent to the -log-format command-line flag. +# +# @param log_file +# Equivalent to the -log-file command-line flag. +# +# @param log_rotate_duration +# Equivalent to the -log-rotate-duration command-line flag. +# +# @param log_rotate_bytes +# Equivalent to the -log-rotate-bytes command-line flag. +# +# @param log_rotate_max_files +# Equivalent to the -log-rotate-max-files command-line flag. +# +# @param experiments +# The list of experiments to enable for this node. +# +# @param api_addr +# Specifies the address (full URL) to advertise to other Vault servers in the +# cluster for client redirection. +# +# @param cluster_addr +# Specifies the address to advertise to other Vault servers in the cluster for +# request forwarding. +# +# @param disable_clustering +# Specifies whether clustering features such as request forwarding are +# enabled. +# +# @param disable_sealwrap +# Disables using seal wrapping for any value except the root key. +# +# @param disable_performance_standby +# Specifies whether performance standbys should be disabled on this node. +# +# @param license_path +# Path to license file. +# +# @param replication +# The replication stanza specifies various parameters for tuning replication +# related values. +# +# @param sentinel +# The sentinel stanza specifies configurations for Vault's Sentinel +# integration. +# +# @param service_registration +# The optional service_registration stanza configures Vault's mechanism for +# service registration. +# +# @param log_requests_level +# Vault can be configured to log completed requests using the +# log_requests_level configuration parameter. +# +# @param entropy_augmentation +# Entropy augmentation enables Vault to sample entropy from external +# cryptographic modules. +# +# @param kms_library +# The kms_library stanza isolates platform specific configuration for managed +# keys. +# +# @param extra_config +# Extra configuration options not covered by the rest of the parameters +# class vault ( - $user = 'vault', - $manage_user = true, - $group = 'vault', - $manage_group = true, - $bin_dir = $vault::params::bin_dir, - $manage_config_file = true, - $config_mode = '0750', - $purge_config_dir = true, - $download_url = undef, - $download_url_base = 'https://releases.hashicorp.com/vault/', - $download_extension = 'zip', - $service_name = 'vault', - $service_enable = true, - $service_ensure = 'running', - $service_provider = $facts['service_provider'], - Boolean $manage_repo = $vault::params::manage_repo, - $manage_service = true, - Optional[Boolean] $manage_service_file = $vault::params::manage_service_file, - Hash $storage = { 'file' => { 'path' => '/var/lib/vault' } }, - $manage_storage_dir = false, - Variant[Hash, Array[Hash]] $listener = { 'tcp' => { 'address' => '127.0.0.1:8200', 'tls_disable' => 1 }, }, - Optional[Hash] $ha_storage = undef, - Optional[Hash] $seal = undef, - Optional[Boolean] $disable_cache = undef, - Optional[Hash] $telemetry = undef, - Optional[String] $default_lease_ttl = undef, - Optional[String] $max_lease_ttl = undef, - $disable_mlock = undef, - $manage_file_capabilities = undef, - $service_options = '', - $num_procs = $facts['processors']['count'], - $install_method = $vault::params::install_method, - $config_dir = if $install_method == 'repo' and $manage_repo { '/etc/vault.d' } else { '/etc/vault' }, - $package_name = 'vault', - $package_ensure = 'installed', - $download_dir = '/tmp', - $manage_download_dir = false, - $download_filename = 'vault.zip', - $version = '1.12.0', - $os = downcase($facts['kernel']), - $arch = $vault::params::arch, - Optional[Boolean] $enable_ui = undef, - Optional[String] $api_addr = undef, - Hash $extra_config = {}, - Boolean $manage_config_dir = $install_method == 'archive', + Enum['archive', 'repo'] $install_method = $vault::params::install_method, + String $user = 'vault', + Boolean $manage_user = true, + String $group = 'vault', + Boolean $manage_group = true, + Boolean $manage_repo = $vault::params::manage_repo, + StdLib::AbsolutePath $bin_dir = $vault::params::bin_dir, + # lint:ignore:140chars + StdLib::AbsolutePath $config_dir = if $install_method == 'repo' and $manage_repo { '/etc/vault.d' } else { '/etc/vault' }, + # lint:endignore + Boolean $manage_config_dir = $install_method == 'archive', + Boolean $manage_config_file = true, + Enum['hcl', 'json'] $config_output = 'json', + StdLib::Filemode $config_mode = '0444', + Boolean $purge_config_dir = true, + Boolean $create_env_file = false, + Optional[StdLib::HTTPUrl] $download_url = undef, + StdLib::HTTPUrl $download_url_base = $vault::params::download_base, + String $download_extension = 'zip', + String $service_name = 'vault', + Boolean $service_enable = true, + Variant[ + Boolean, + Enum['running', 'stopped'] + ] $service_ensure = 'running', + String $service_provider = $facts['service_provider'], + Optional[String] $service_options = undef, + Boolean $manage_service = true, + Optional[Boolean] $manage_service_file = $vault::params::manage_service_file, + Boolean $manage_storage_dir = false, + Variant[Integer, String] $num_procs = $facts['processors']['count'], + String $package_name = 'vault', + String $package_ensure = 'installed', + StdLib::AbsolutePath $download_dir = '/tmp', + Boolean $manage_download_dir = false, + String $download_filename = 'vault.zip', + String $version = '1.12.0', + String $os = downcase($facts['kernel']), + String $arch = $vault::params::arch, + Hash $storage = { 'file' => { 'path' => '/var/lib/vault' }, }, + Optional[Hash] $ha_storage = undef, + Variant[Hash, Array[Hash]] $listener = { 'tcp' => { 'address' => '127.0.0.1:8200', 'tls_disable' => 1 }, }, + Optional[Hash] $user_lockout = undef, + Optional[Hash] $seal = undef, + Optional[String] $cluster_name = undef, + Optional[String] $cache_size = undef, + Optional[Boolean] $disable_cache = undef, + Optional[Boolean] $disable_mlock = undef, + Optional[Boolean] $manage_file_capabilities = undef, + Optional[String] $plugin_directory = undef, + Optional[Integer] $plugin_file_uid = undef, + Optional[String] $plugin_file_permissions = undef, + Optional[Hash] $telemetry = undef, + Optional[String] $default_lease_ttl = undef, + Optional[String] $max_lease_ttl = undef, + Optional[String] $default_max_request_duration = undef, + Optional[String] $detect_deadlocks = undef, + Optional[Boolean] $raw_storage_endpoint = undef, + Optional[Boolean] $introspection_endpoint = undef, + Optional[Boolean] $enable_ui = undef, + Optional[String] $pid_file = undef, + Optional[Boolean] $enable_response_header_hostname = undef, + Optional[Boolean] $enable_response_header_raft_node_id = undef, + Optional[ + Enum['trace', 'debug', 'info', 'warn', 'error'] + ] $log_level = undef, + Optional[String] $log_format = undef, + Optional[String] $log_file = undef, + Optional[String] $log_rotate_duration = undef, + Optional[String] $log_rotate_bytes = undef, + Optional[String] $log_rotate_max_files = undef, + Optional[Array] $experiments = undef, + Optional[String] $api_addr = undef, + Optional[String] $cluster_addr = undef, + Optional[Boolean] $disable_clustering = undef, + Optional[Boolean] $disable_sealwrap = undef, + Optional[Boolean] $disable_performance_standby = undef, + Optional[String] $license_path = undef, + Optional[Hash] $replication = undef, + Optional[Hash] $sentinel = undef, + Optional[Hash] $service_registration = undef, + Optional[String] $log_requests_level = undef, + Optional[String] $entropy_augmentation = undef, + Optional[String] $kms_library = undef, + Hash $extra_config = {}, ) inherits vault::params { # lint:ignore:140chars $real_download_url = pick($download_url, "${download_url_base}${version}/${package_name}_${version}_${os}_${arch}.${download_extension}") diff --git a/manifests/install.pp b/manifests/install.pp index fe2abeb5..f4c17114 100644 --- a/manifests/install.pp +++ b/manifests/install.pp @@ -13,6 +13,18 @@ } } + # + # Delete the vault binary if it exists and is not the version specified. This + # is required because the archive statement only applies if there isn't + # already a version installed, thus making upgrades not work. + # + exec { 'delete_vault_if_incorrect_version': + command => "rm ${vault_bin}/vault", + path => ['/bin', '/usr/bin'], + onlyif => "test \$(${vault_bin}/vault --version|awk '{print \$2}'|tr -cd '[:digit:].') != ${vault::version}", + unless => "test ! -f ${vault_bin}/vault", + } + archive { "${vault::download_dir}/${vault::download_filename}": ensure => present, extract => true, @@ -21,6 +33,7 @@ cleanup => true, creates => $vault_bin, before => File['vault_binary'], + require => Exec['delete_vault_if_incorrect_version'], } $_manage_file_capabilities = true @@ -58,7 +71,7 @@ } if $vault::install_method == 'repo' { - Package['vault'] ~> File_capability['vault_binary_capability'] + Package[$vault::package_name] ~> File_capability['vault_binary_capability'] } } diff --git a/manifests/params.pp b/manifests/params.pp index e13a8c6f..91f7ddfc 100644 --- a/manifests/params.pp +++ b/manifests/params.pp @@ -26,4 +26,6 @@ $manage_repo = true } } + + $download_base = 'https://releases.hashicorp.com/vault/' } diff --git a/metadata.json b/metadata.json index 98ae039c..9480ca5c 100644 --- a/metadata.json +++ b/metadata.json @@ -1,6 +1,6 @@ { "name": "puppet-vault", - "version": "3.0.1-rc0", + "version": "4.1.1-rc0", "author": "Vox Pupuli", "summary": "Puppet module to manage Vault (https://vaultproject.io)", "license": "Apache-2.0", @@ -15,23 +15,23 @@ "dependencies": [ { "name": "puppetlabs/stdlib", - "version_requirement": ">= 4.24.0 < 9.0.0" + "version_requirement": ">= 4.24.0 < 10.0.0" }, { "name": "puppet/archive", - "version_requirement": ">= 2.0.0 < 7.0.0" + "version_requirement": ">= 2.0.0 < 8.0.0" }, { "name": "puppet/hashi_stack", - "version_requirement": ">= 1.0.0 < 3.0.0" + "version_requirement": ">= 1.0.0 < 4.0.0" }, { "name": "puppet/systemd", - "version_requirement": ">= 3.1.0 < 5.0.0" + "version_requirement": ">= 3.1.0 < 8.0.0" }, { "name": "stm/file_capability", - "version_requirement": ">= 1.0.1 < 6.0.0" + "version_requirement": ">= 1.0.1 < 7.0.0" } ], "operatingsystem_support": [ @@ -45,19 +45,45 @@ "operatingsystem": "Debian", "operatingsystemrelease": [ "10", - "11" + "11", + "12" + ] + }, + { + "operatingsystem": "Rocky", + "operatingsystemrelease": [ + "8", + "9" + ] + }, + { + "operatingsystem": "AlmaLinux", + "operatingsystemrelease": [ + "8", + "9" + ] + }, + { + "operatingsystem": "OracleLinux", + "operatingsystemrelease": [ + "8", + "9" ] }, { "operatingsystem": "RedHat", "operatingsystemrelease": [ - "7.0" + "7", + "8", + "9" ] }, { "operatingsystem": "CentOS", "operatingsystemrelease": [ - "7.0" + "7", + "8", + "9" ] }, { @@ -73,7 +99,7 @@ "requirements": [ { "name": "puppet", - "version_requirement": ">= 6.1.0 < 8.0.0" + "version_requirement": ">= 7.0.0 < 9.0.0" } ] } diff --git a/spec/acceptance/class_spec.rb b/spec/acceptance/class_spec.rb index 2147a5d8..26c250ab 100644 --- a/spec/acceptance/class_spec.rb +++ b/spec/acceptance/class_spec.rb @@ -23,7 +23,6 @@ class { 'file_capability': }, bin_dir => '/usr/local/bin', install_method => 'archive', - require => Class['file_capability'], } PUPPET end @@ -57,7 +56,7 @@ class { 'file_capability': it { is_expected.to be_grouped_into 'root' } its(:content) { is_expected.to include 'User=vault' } its(:content) { is_expected.to include 'Group=vault' } - its(:content) { is_expected.to include 'ExecStart=/usr/local/bin/vault server -config=/etc/vault/config.json ' } + its(:content) { is_expected.to include 'ExecStart=/usr/local/bin/vault server -config=/etc/vault/vault.json' } its(:content) { is_expected.to match %r{Environment=GOMAXPROCS=\d+} } end @@ -69,7 +68,7 @@ class { 'file_capability': it { is_expected.to be_directory } end - describe file('/etc/vault/config.json') do + describe file('/etc/vault/vault.json') do it { is_expected.to be_file } its(:content) { is_expected.to include('"address": "127.0.0.1:8200"') } end @@ -102,7 +101,6 @@ class { 'vault': } }, install_method => 'repo', - require => Class['file_capability'], } PUPPET end diff --git a/spec/classes/vault_spec.rb b/spec/classes/vault_spec.rb index 3b680a7a..844698e7 100644 --- a/spec/classes/vault_spec.rb +++ b/spec/classes/vault_spec.rb @@ -55,13 +55,13 @@ end it { - is_expected.to contain_file('/etc/vault/config.json'). + is_expected.to contain_file('/etc/vault/vault.json'). with_owner('vault'). with_group('vault') } context 'vault JSON config' do - subject { param_value(catalogue, 'File', '/etc/vault/config.json', 'content') } + subject { param_value(catalogue, 'File', '/etc/vault/vault.json', 'content') } it { is_expected.to include_json( @@ -111,7 +111,7 @@ it { is_expected.not_to contain_file_capability('vault_binary_capability') } it { - expect(param_value(catalogue, 'File', '/etc/vault/config.json', 'content')).to include_json( + expect(param_value(catalogue, 'File', '/etc/vault/vault.json', 'content')).to include_json( disable_mlock: true ) } @@ -125,7 +125,7 @@ end it { - expect(param_value(catalogue, 'File', '/etc/vault/config.json', 'content')).to include_json( + expect(param_value(catalogue, 'File', '/etc/vault/vault.json', 'content')).to include_json( api_addr: 'something' ) } @@ -243,7 +243,7 @@ it { is_expected.not_to compile } else it { is_expected.not_to contain_file('/etc/vault') } - it { is_expected.to contain_file('/etc/vault.d/config.json') } + it { is_expected.to contain_file('/etc/vault.d/vault.json') } end case os_facts[:os]['family'] @@ -287,7 +287,7 @@ end it { - expect(param_value(catalogue, 'File', '/etc/vault/config.json', 'content')).to include_json( + expect(param_value(catalogue, 'File', '/etc/vault/vault.json', 'content')).to include_json( ui: true ) } @@ -300,7 +300,7 @@ } end - it { is_expected.to contain_file('/etc/vault/config.json').with_mode('0700') } + it { is_expected.to contain_file('/etc/vault/vault.json').with_mode('0700') } end context 'when specifying an array of listeners' do @@ -314,7 +314,7 @@ end it { - expect(param_value(catalogue, 'File', '/etc/vault/config.json', 'content')).to include_json( + expect(param_value(catalogue, 'File', '/etc/vault/vault.json', 'content')).to include_json( listener: [ { tcp: { @@ -398,7 +398,7 @@ end it { - is_expected.not_to contain_file('/etc/vault/config.json') + is_expected.not_to contain_file('/etc/vault/vault.json') } end @@ -424,16 +424,15 @@ context 'RedHat >=7 specific' do context 'includes systemd init script' do it { - is_expected.to contain_file('/etc/systemd/system/vault.service'). + is_expected.to contain_systemd__unit_file('vault.service'). with_mode('0444'). - with_ensure('file'). with_owner('root'). with_group('root'). with_content(%r{^# vault systemd unit file}). with_content(%r{^User=vault$}). with_content(%r{^Group=vault$}). with_content(%r{Environment=GOMAXPROCS=3}). - with_content(%r{^ExecStart=/usr/local/bin/vault server -config=/etc/vault/config.json $}). + with_content(%r{^ExecStart=/usr/local/bin/vault server -config=/etc/vault/vault.json $}). with_content(%r{SecureBits=keep-caps}). with_content(%r{Capabilities=CAP_IPC_LOCK\+ep}). with_content(%r{CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK}). @@ -454,16 +453,15 @@ end it { - is_expected.to contain_file('/etc/systemd/system/vault.service'). + is_expected.to contain_systemd__unit_file('vault.service'). with_mode('0444'). - with_ensure('file'). with_owner('root'). with_group('root'). with_content(%r{^# vault systemd unit file}). with_content(%r{^User=root$}). with_content(%r{^Group=admin$}). with_content(%r{Environment=GOMAXPROCS=8}). - with_content(%r{^ExecStart=/opt/bin/vault server -config=/opt/etc/vault/config.json -log-level=info$}) + with_content(%r{^ExecStart=/opt/bin/vault server -config=/opt/etc/vault/vault.json -log-level=info$}) } end @@ -473,15 +471,14 @@ end it { - is_expected.to contain_file('/etc/systemd/system/vault.service'). + is_expected.to contain_systemd__unit_file('vault.service'). with_mode('0444'). - with_ensure('file'). with_owner('root'). with_group('root'). with_content(%r{^# vault systemd unit file}). with_content(%r{^User=vault$}). with_content(%r{^Group=vault$}). - with_content(%r{^ExecStart=/usr/local/bin/vault server -config=/etc/vault/config.json $}). + with_content(%r{^ExecStart=/usr/local/bin/vault server -config=/etc/vault/vault.json $}). without_content(%r{SecureBits=keep-caps}). without_content(%r{Capabilities=CAP_IPC_LOCK\+ep}). with_content(%r{CapabilityBoundingSet=CAP_SYSLOG}). @@ -598,16 +595,15 @@ context 'on Debian based with systemd' do context 'includes systemd init script' do it { - is_expected.to contain_file('/etc/systemd/system/vault.service'). - with_mode('0444'). - with_ensure('file'). + is_expected.to contain_systemd__unit_file('vault.service'). with_owner('root'). with_group('root'). + with_mode('0444'). with_content(%r{^# vault systemd unit file}). with_content(%r{^User=vault$}). with_content(%r{^Group=vault$}). with_content(%r{Environment=GOMAXPROCS=3}). - with_content(%r{^ExecStart=/usr/local/bin/vault server -config=/etc/vault/config.json $}). + with_content(%r{^ExecStart=/usr/local/bin/vault server -config=/etc/vault/vault.json $}). with_content(%r{SecureBits=keep-caps}). with_content(%r{Capabilities=CAP_IPC_LOCK\+ep}). with_content(%r{CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK}). @@ -628,16 +624,15 @@ end it { - is_expected.to contain_file('/etc/systemd/system/vault.service'). + is_expected.to contain_systemd__unit_file('vault.service'). with_mode('0444'). - with_ensure('file'). with_owner('root'). with_group('root'). with_content(%r{^# vault systemd unit file}). with_content(%r{^User=root$}). with_content(%r{^Group=admin$}). with_content(%r{Environment=GOMAXPROCS=8}). - with_content(%r{^ExecStart=/opt/bin/vault server -config=/opt/etc/vault/config.json -log-level=info$}) + with_content(%r{^ExecStart=/opt/bin/vault server -config=/opt/etc/vault/vault.json -log-level=info$}) } end @@ -647,15 +642,14 @@ end it { - is_expected.to contain_file('/etc/systemd/system/vault.service'). + is_expected.to contain_systemd__unit_file('vault.service'). with_mode('0444'). - with_ensure('file'). with_owner('root'). with_group('root'). with_content(%r{^# vault systemd unit file}). with_content(%r{^User=vault$}). with_content(%r{^Group=vault$}). - with_content(%r{^ExecStart=/usr/local/bin/vault server -config=/etc/vault/config.json $}). + with_content(%r{^ExecStart=/usr/local/bin/vault server -config=/etc/vault/vault.json $}). without_content(%r{SecureBits=keep-caps}). without_content(%r{Capabilities=CAP_IPC_LOCK\+ep}). with_content(%r{CapabilityBoundingSet=CAP_SYSLOG}). diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb index b6b3fc96..a8866721 100644 --- a/spec/spec_helper.rb +++ b/spec/spec_helper.rb @@ -19,3 +19,4 @@ end require 'rspec/json_expectations' +Dir['./spec/support/spec/**/*.rb'].sort.each { |f| require f } diff --git a/spec/spec_helper_acceptance.rb b/spec/spec_helper_acceptance.rb index d3a6e23c..2681792e 100644 --- a/spec/spec_helper_acceptance.rb +++ b/spec/spec_helper_acceptance.rb @@ -5,6 +5,6 @@ require 'voxpupuli/acceptance/spec_helper_acceptance' -configure_beaker +configure_beaker(modules: :metadata) Dir['./spec/support/acceptance/**/*.rb'].sort.each { |f| require f } diff --git a/templates/elements/extra_config.hcl.epp b/templates/elements/extra_config.hcl.epp new file mode 100644 index 00000000..22ebc8dc --- /dev/null +++ b/templates/elements/extra_config.hcl.epp @@ -0,0 +1,8 @@ +<%- | + Optional[Hash] $config = undef +| -%> +<%- if $config != undef { -%> +<%- $config.each |$key,$value| { -%> +<%= $key -%> = "<%= $value -%>" +<%- } -%> +<%- } -%> diff --git a/templates/elements/kms_library.hcl.epp b/templates/elements/kms_library.hcl.epp new file mode 100644 index 00000000..431c01c3 --- /dev/null +++ b/templates/elements/kms_library.hcl.epp @@ -0,0 +1,8 @@ +<%- | + Optional[Hash] $kms_library +| -%> +<%- if $kms_library != undef { -%> + <%- if $kms_library['pkcs11'] != undef { -%> +<%= epp('vault/element/kms_library/pkcs11.hcl.epp', { settings => $kms_library['pkcs11'] }) %> + <%- } -%> +<%- } -%> diff --git a/templates/elements/kms_library/pkcs11.hcl.epp b/templates/elements/kms_library/pkcs11.hcl.epp new file mode 100644 index 00000000..ee3794db --- /dev/null +++ b/templates/elements/kms_library/pkcs11.hcl.epp @@ -0,0 +1,7 @@ +<%- | + Hash $settings +| -%> +kms_library "pkcs11" { + name = "<%= $settings['name'] %>" + library = "<%= $settings['library'] %>" +} diff --git a/templates/elements/listener/tcp.hcl.epp b/templates/elements/listener/tcp.hcl.epp new file mode 100644 index 00000000..0ac3aa48 --- /dev/null +++ b/templates/elements/listener/tcp.hcl.epp @@ -0,0 +1,102 @@ +<%- | + Hash $listener +| -%> +listener "tcp" { + <%- if $listener['address'] != undef { -%> + address = "<%= $listener['address'] %>" + <%- } -%> + <%- if $listener['cluster_address'] != undef { -%> + cluster_address = "<%= $listener['cluster_address'] %>" + <%- } -%> + <%- if $listener['http_idle_timeout'] != undef { -%> + http_idle_timeout = "<%= $listener['http_idle_timeout'] %>" + <%- } -%> + <%- if $listener['http_read_header_timeout'] != undef { -%> + http_read_header_timeout = "<%= $listener['http_read_header_timeout'] %>" + <%- } -%> + <%- if $listener['http_read_timeout'] != undef { -%> + http_read_timeout = "<%= $listener['http_read_timeout'] %>" + <%- } -%> + <%- if $listener['http_write_timeout'] != undef { -%> + http_write_timeout = "<%= $listener['http_write_timeout'] %>" + <%- } -%> + <%- if $listener['max_request_size'] != undef { -%> + max_request_size = <%= $listener['max_request_size'] %> + <%- } -%> + <%- if $listener['max_request_duration'] != undef { -%> + max_request_duration = "<%= $listener['max_request_duration'] %>" + <%- } -%> + <%- if $listener['proxy_protocol_behavior'] != undef { -%> + proxy_protocol_behavior = "<%= $listener['proxy_protocol_behavior'] %>" + <%- } -%> + <%- if $listener['proxy_protocol_authorized_addrs'] != undef { -%> + proxy_protocol_authorized_addrs = "<%= $listener['proxy_protocol_authorized_addrs'] %>" + <%- } -%> + <%- if $listener['tls_disable'] != undef { -%> + tls_disable = "<%= $listener['tls_disable'] %>" + <%- } -%> + <%- if $listener['tls_cert_file'] != undef { -%> + tls_cert_file = "<%= $listener['tls_cert_file'] %>" + <%- } -%> + <%- if $listener['tls_key_file'] != undef { -%> + tls_key_file = "<%= $listener['tls_key_file'] %>" + <%- } -%> + <%- if $listener['tls_min_version'] != undef { -%> + tls_min_version = "<%= $listener['tls_min_version'] %>" + <%- } -%> + <%- if $listener['tls_max_version'] != undef { -%> + tls_max_version = "<%= $listener['tls_max_version'] %>" + <%- } -%> + <%- if $listener['tls_cipher_suites'] != undef { -%> + tls_cipher_suites = "<%= $listener['tls_cipher_suites'] %>" + <%- } -%> + <%- if $listener['tls_require_and_verify_client_cert'] != undef { -%> + tls_require_and_verify_client_cert = "<%= $listener['tls_require_and_verify_client_cert'] %>" + <%- } -%> + <%- if $listener['tls_client_ca_file'] != undef { -%> + tls_client_ca_file = "<%= $listener['tls_client_ca_file'] %>" + <%- } -%> + <%- if $listener['tls_disable_client_certs'] != undef { -%> + tls_disable_client_certs = "<%= $listener['tls_disable_client_certs'] %>" + <%- } -%> + <%- if $listener['x_forwarded_for_authorized_addrs'] != undef { -%> + x_forwarded_for_authorized_addrs = "<%= $listener['x_forwarded_for_authorized_addrs'] %>" + <%- } -%> + <%- if $listener['x_forwarded_for_hop_skips'] != undef { -%> + x_forwarded_for_hop_skips = "<%= $listener['x_forwarded_for_hop_skips'] %>" + <%- } -%> + <%- if $listener['x_forwarded_for_reject_not_authorized'] != undef { -%> + x_forwarded_for_reject_not_authorized = "<%= $listener['x_forwarded_reject_not_authorized'] %>" + <%- } -%> + <%- if $listener['x_forwarded_for_reject_not_present'] != undef { -%> + x_forwarded_for_reject_not_present = "<%= $listener['x_forwarded_for_reject_not_present'] %>" + <%- } -%> + <%- if $listener['telemetry'] != undef { -%> + telemetry { + <%- if $listener['telemetry']['unauthenticated_metrics_access'] != undef { -%> + unauthenticated_metrics_access = <%= $listener['telemetry']['unauthenticated_metrics_access'] %> + <%- } -%> + } + <%- } -%> + <%- if $listener['profiling'] != undef { -%> + profiling { + <%- if $listener['profiling']['unauthenticated_pprof_access'] != undef { -%> + unauthenticated_metrics_access = <%= $listener['profiling']['unauthenticated_pprof_access'] %> + <%- } -%> + <%- if $listener['profiling']['unauthenticated_in_flight_request_access'] != undef { -%> + unauthenticated_in_flight_request_access = <%= $listener['profiling']['unauthenticated_in_flight_request_access'] %> + <%- } -%> + } + <%- } -%> + <%- if $listener['custom_response_headers'] != undef { -%> + custom_response_headers { + <%- $listener['custom_response_headers'].each |$key, $headers| { -%> + "<%= $key %>" { + <%- $headers.each |$header, $values| { -%> + "<%= $header %>" = [<%- $values.each |$value| { -%>"<%= $value %>",<%- } -%>] + <%- } -%> + } + <%- } -%> + } + <%- } -%> +} diff --git a/templates/elements/listener/unix.hcl.epp b/templates/elements/listener/unix.hcl.epp new file mode 100644 index 00000000..082f7f70 --- /dev/null +++ b/templates/elements/listener/unix.hcl.epp @@ -0,0 +1,16 @@ +<%- | + Hash $listener +| -%> + +listener "unix" { + address = "<%= $listener['address'] %>" + <%- if $listener['mode'] != undef and $listener['mode'] != '' { -%> + socket_mode = "<%= $listener['mode'] %>" + <%- } -%> + <%- if $listener['user'] != undef and $listener['user'] != '' { -%> + socket_user = "<%= $listener['user'] %>" + <%- } -%> + <%- if $listener['group'] != undef and $listener['group'] != '' { -%> + socket_group = "<%= $listener['group'] %>" + <%- } -%> +} diff --git a/templates/elements/listeners.hcl.epp b/templates/elements/listeners.hcl.epp new file mode 100644 index 00000000..242890a0 --- /dev/null +++ b/templates/elements/listeners.hcl.epp @@ -0,0 +1,9 @@ +<%- | + Variant[Hash, Array[Hash]] $listener +| -%> +<%- if $listener['unix'] != undef { -%> +<%= epp('vault/elements/listener/unix.hcl.epp', { listener => $listener['unix'] }) -%> +<%- } -%> +<%- if $listener['tcp'] != undef { -%> +<%= epp('vault/elements/listener/tcp.hcl.epp', { listener => $listener['tcp'] }) -%> +<%- } -%> diff --git a/templates/elements/replication.hcl.epp b/templates/elements/replication.hcl.epp new file mode 100644 index 00000000..168dae94 --- /dev/null +++ b/templates/elements/replication.hcl.epp @@ -0,0 +1,25 @@ +<%- | + Optional[Hash] $replication +| -%> +<%- if $replication != undef { -%> +replication { + <%- if $replication['resolver_discover_servers'] != undef { -%> + resolver_discover_servers = <%= $replication['resolver_discover_servers'] %> + <%- } -%> + <%- if $replication['logshipper_buffer_length'] != undef { -%> + logshipper_buffer_length = <%= $replication['logshipper_buffer_length'] %> + <%- } -%> + <%- if $replication['logshipper_buffer_size'] != undef { -%> + logshipper_buffer_size = "<%= $replication['logshipper_buffer_size'] %>" + <%- } -%> + <%- if $replication['allow_forwarding_via_header'] != undef { -%> + allow_forwarding_via_header = <%= $replication['allow_forwarding_via_header'] %> + <%- } -%> + <%- if $replication['best_effort_wal_wait_duration'] != undef { -%> + best_effort_wal_wait_duration = "<%= $replication['best_effort_wal_wait_duration'] %>" + <%- } -%> + <%- if $replication['allow_forwarding_via_token'] != undef { -%> + allow_forwarding_via_token = "<%= $replication['allow_forwarding_via_token'] %>" + <%- } -%> +} +<%- } -%> diff --git a/templates/elements/seal.hcl.epp b/templates/elements/seal.hcl.epp new file mode 100644 index 00000000..8f940bda --- /dev/null +++ b/templates/elements/seal.hcl.epp @@ -0,0 +1,26 @@ +<%- | + Optional[Hash] $seal +| -%> +<%- if $seal != undef { -%> + <%- if $seal['alicloudkms'] != undef { -%> +<%= epp('vault/elements/seal/alicloudkms.hcl.epp', { seal => $seal['alicloudkms'] }) %> + <%- } -%> + <%- if $seal['awskms'] != undef { -%> +<%= epp('vault/elements/seal/awskms.hcl.epp', { seal => $seal['awskms'] }) %> + <%- } -%> + <%- if $seal['azurekeyvault'] != undef { -%> +<%= epp('vault/elements/seal/azurekeyvault.hcl.epp', { seal => $seal['azurekeyvault'] }) %> + <%- } -%> + <%- if $seal['gcpckms'] != undef { -%> +<%= epp('vault/elements/seal/gcpckms.hcl.epp', { seal => $seal['gcpckms'] }) %> + <%- } -%> + <%- if $seal['ocikms'] != undef { -%> +<%= epp('vault/elements/seal/ocikms.hcl.epp', { seal => $seal['ocikms'] }) %> + <%- } -%> + <%- if $seal['pkcs11'] != undef { -%> +<%= epp('vault/elements/seal/pkcs11.hcl.epp', { seal => $seal['pkcs11'] }) %> + <%- } -%> + <%- if $seal['transit'] != undef { -%> +<%= epp('vault/elements/seal/transit.hcl.epp', { seal => $seal['transit'] }) %> + <%- } -%> +<%- } -%> diff --git a/templates/elements/seal/alicloudkms.hcl.epp b/templates/elements/seal/alicloudkms.hcl.epp new file mode 100644 index 00000000..4973f3cc --- /dev/null +++ b/templates/elements/seal/alicloudkms.hcl.epp @@ -0,0 +1,15 @@ +<%- | + Hash $seal +| -%> +seal "alicloudkms" { + region = "<%= $seal['region'] %>" + <%- if $seal['domain'] != undef { -%> + domain = "<%= $seal['domain'] %>" + <%- } -%> + access_key = "<%= $seal['access_key'] %>" + secret_key = "<%= $seal['secret_key'] %>" + kms_key_id = "<%= $seal['kms_key_id'] %>" + <% if $seal['disabled'] != undef { -%> + disabled = "<%= $seal['disabled'] %>" + <%- } -%> +} diff --git a/templates/elements/seal/awskms.hcl.epp b/templates/elements/seal/awskms.hcl.epp new file mode 100644 index 00000000..eaa47632 --- /dev/null +++ b/templates/elements/seal/awskms.hcl.epp @@ -0,0 +1,20 @@ +<%- | + Hash $seal +| -%> +seal "awskms" { + <%- if $seal['region'] != undef { -%> + region = "<%= $seal['region'] %>" + <%- } -%> + access_key = "<%= $seal['access_key'] %>" + <%- if $seal['session_token'] != undef { -%> + session_token = "<%= ['awskms']['session_token'] %>" + <%- } -%> + secret_key = "<%= $seal['secret_key'] %>" + kms_key_id = "<%= $seal['kms_key_id'] %>" + <%- if $seal['disabled'] != undef { -%> + disabled = "<%= $seal['disabled'] %>" + <%- } -%> + <%- if $seal['endpoint'] != undef { -%> + endpoint = "<%= $seal['endpoint'] %>" + <%- } -%> +} diff --git a/templates/elements/seal/azurekeyvault.hcl.epp b/templates/elements/seal/azurekeyvault.hcl.epp new file mode 100644 index 00000000..110f104b --- /dev/null +++ b/templates/elements/seal/azurekeyvault.hcl.epp @@ -0,0 +1,16 @@ +<%- | + Hash $seal +| -%> +seal "azurekeyvault" { + tenant_id = "<%= $seal['tenant_id'] %>" + client_id = "<%= $seal['client_id'] %>" + client_secret = "<%= $seal['client_secret'] %>" + <%- if $seal['environment'] != undef { -%> + environment = "<%= ['azurekeyvault']['environment'] %>" + <%- } -%> + vault_name = "<%= $seal['vault_name'] %>" + key_name = "<%= $seal['key_name'] %>" + <%- if $seal['disabled'] != undef { -%> + disabled = "<%= $seal['disabled'] %>" + <%- } -%> +} diff --git a/templates/elements/seal/gcpckms.hcl.epp b/templates/elements/seal/gcpckms.hcl.epp new file mode 100644 index 00000000..629e404a --- /dev/null +++ b/templates/elements/seal/gcpckms.hcl.epp @@ -0,0 +1,15 @@ +<%- | + Hash $seal +| -%> +seal "gcpckms" { + credentials = "<%= $seal['credentials'] %>" + project = "<%= $seal['project'] %>" + <%- if $seal['region'] != undef { -%> + region = "<%= $seal['region'] %>" + <%- } -%> + key_ring = "<%= $seal['key_ring'] %>" + crypto_key = "<%= $seal['crypto_key'] %>" + <%- if $seal['disabled'] != undef { -%> + disabled = "<%= $seal['disabled'] %>" + <%- } -%> +} diff --git a/templates/elements/seal/ocikms.hcl.epp b/templates/elements/seal/ocikms.hcl.epp new file mode 100644 index 00000000..2cc95a4e --- /dev/null +++ b/templates/elements/seal/ocikms.hcl.epp @@ -0,0 +1,14 @@ +<%- | + Hash $seal +| -%> +seal "ocikms" { + key_id = "<%= $seal['key_id'] %>" + crypto_endpoint = "<%= $seal['crypto_endpoint'] %>" + management_endpoint = "<%= $seal['management_endpoint'] %>" + <%- if $seal['auth_type_api_key'] != undef { -%> + auth_type_api_key = <%= $seal['auth_type_api_key'] %> + <%- } -%> + <%- if $seal['disabled'] != undef { -%> + disabled = "<%= $seal['disabled'] %>" + <%- } -%> +} diff --git a/templates/elements/seal/pkcs11.hcl.epp b/templates/elements/seal/pkcs11.hcl.epp new file mode 100644 index 00000000..b015fbb3 --- /dev/null +++ b/templates/elements/seal/pkcs11.hcl.epp @@ -0,0 +1,44 @@ +<%- | + Hash $seal +| -%> +seal "pkcs11" { + lib = "<%= $seal['lib'] %>" + slot = "<%= $seal['slot'] %>" + token_label = "<%= $seal['token_label'] %>" + pin = "<%= $seal['pin'] %>" + key_label = "<%= $seal['key_label'] %>" + <%- if $seal['default_key_label'] != undef { -%> + default_key_label = "<%= $seal['default_key_label'] %>" + <%- } -%> + <%- if $seal['key_id'] != undef { -%> + key_id = "<%= $seal['key_id'] %>" + <%- } -%> + hmac_key_label = "<%= $seal['hmac_key_label'] %>" + <%- if $seal['default_hmac_key_label'] != undef { -%> + default_hmac_key_label = "<%= $seal['default_hmac_key_label'] %>" + <%- } -%> + <%- if $seal['hmac_key_id'] != undef { -%> + hmac_key_id = "<%= $seal['hmac_key_id'] %>" + <%- } -%> + <%- if $seal['mechanism'] != undef { -%> + mechanism = "<%= $seal['mechanism'] %>" + <%- } -%> + <%- if $seal['hmac_mechanism'] != undef { -%> + hmac_mechanism = "<%= $seal['hmac_mechanism'] %>" + <%- } -%> + <%- if $seal['generate_key'] != undef { -%> + generate_key = "<%= $seal['generate_key'] %>" + <%- } -%> + <%- if $seal['force_rw_sessions'] != undef { -%> + force_rw_session = "<%= $seal['force_rw_session'] %>" + <%- } -%> + <%- if $seal['disabled'] != undef { -%> + disabled = "<%= $seal['disabled'] %>" + <%- } -%> + <%- if $seal['rsa_encrypt_local'] != undef { -%> + rsa_encrypt_local = "<%= $seal['rsa_encrypt_local'] %>" + <%- } -%> + <%- if $seal['rsa_oaep_hash'] != undef { -%> + rsa_oaep_hash = "<%= $seal['rsa_oaep_hash'] %>" + <%- } -%> +} diff --git a/templates/elements/seal/transit.hcl.epp b/templates/elements/seal/transit.hcl.epp new file mode 100644 index 00000000..eb30a4e2 --- /dev/null +++ b/templates/elements/seal/transit.hcl.epp @@ -0,0 +1,33 @@ +<%- | + Hash $seal +| -%> +seal "transit" { + address = "<%= $seal['address'] %>" + token = "<%= $seal['token'] %>" + key_name = "<%= $seal['key_name'] %>" + mount_path = "<%= $seal['mount_path'] %>" + <%- if $seal['namespace'] != undef { -%> + namespace = "<%= $seal['namespace'] %>" + <%- } -%> + <%- if $seal['disable_renewal'] != undef { -%> + disable_renewal = "<%= $seal['disable_renewal'] %>" + <%- } -%> + <%- if $seal['tls_ca_cert'] != undef { -%> + tls_ca_cert = "<%= $seal['tls_ca_cert'] %>" + <%- } -%> + <%- if $seal['tls_client_cert'] != undef { -%> + tls_client_cert = "<%= $seal['tls_client_cert'] %>" + <%- } -%> + <%- if $seal['tls_client_key'] != undef { -%> + tls_client_key = "<%= $seal['tls_client_key'] %>" + <%- } -%> + <%- if $seal['tls_server_name'] != undef { -%> + tls_server_name = "<%= $seal['tls_server_name'] %>" + <%- } -%> + <%- if $seal['tls_skip_verify'] != undef { -%> + tls_skip_verify = "<%= $seal['tls_skip_verify'] %>" + <%- } -%> + <%- if $seal['disabled'] != undef { -%> + disabled = "<%= $seal['disabled'] %>" + <%- } -%> +} diff --git a/templates/elements/sentinel.hcl.epp b/templates/elements/sentinel.hcl.epp new file mode 100644 index 00000000..3785e096 --- /dev/null +++ b/templates/elements/sentinel.hcl.epp @@ -0,0 +1,14 @@ +<%- | + Optional[Hash] $sentinel +| -%> +<%- if $sentinel != undef { -%> +sentinel { + <%- if $sentinel['additional_enabled_modules'] != undef { -%> + additional_enabled_modules = [ + <%- $sentinel['additional_enabled_modules'].each |$module| { -%> + "<%= $module %>", + <%- } -%> + ] + <%- } -%> +} +<%- } -%> diff --git a/templates/elements/service_registration.hcl.epp b/templates/elements/service_registration.hcl.epp new file mode 100644 index 00000000..4e0c50e1 --- /dev/null +++ b/templates/elements/service_registration.hcl.epp @@ -0,0 +1,11 @@ +<%- | + Optional[Hash] $service_registration +| -%> +<%- if $service_registration != undef { -%> + <%- if $service_registration['consul'] != undef { -%> +<%= epp('vault/elements/service_registration/consul.hcl.epp', { registration => $service_registration['consul'] }) %> + <%- } -%> + <%- if $service_registration['kubernetes'] != undef { -%> +<%= epp('vault/elements/service_registration/kubernetes.hcl.epp', { registration => $service_registration['kubernetes'] }) %> + <%- } -%> +<%- } -%> diff --git a/templates/elements/service_registration/consul.hcl.epp b/templates/elements/service_registration/consul.hcl.epp new file mode 100644 index 00000000..79639243 --- /dev/null +++ b/templates/elements/service_registration/consul.hcl.epp @@ -0,0 +1,44 @@ +<%- | + Hash $registration +| -%> +service_registration "consul" { + <%- if $registration['address'] != undef { -%> + address = "<%= $registration['address'] %>" + <%- } -%> + <%- if $registration['check_timeout'] != undef { -%> + check_timeout = "<%= $registration['check_timeout'] %>" + <%- } -%> + <%- if $registration['disable_registration'] != undef { -%> + disable_registration = "<%= $registration['disable_registration'] %>" + <%- } -%> + <%- if $registration['scheme'] != undef { -%> + scheme = "<%= $registration['scheme'] %>" + <%- } -%> + <%- if $registration['service'] != undef { -%> + service = "<%= $registration['service'] %>" + <%- } -%> + <%- if $registration['service_tags'] != undef { -%> + service_tags = "<%= registration['service_tags'] %>" + <%- } -%> + <%- if $registration['service_address'] != undef { -%> + service_address = "<%= $registration['service_address'] %>" + <%- } -%> + <%- if $registration['token'] != undef { -%> + token = "<%= $registration['token'] %>" + <%- } -%> + <%- if $registration['tls_ca_file'] != undef { -%> + tls_ca_file = "<%= $registration['tls_ca_file'] %>" + <%- } -%> + <%- if $registration['tls_cert_file'] != undef { -%> + tls_cert_file = "<%= $registration['tls_cert_file'] %>" + <%- } -%> + <%- if $registration['tls_key_file'] != undef { -%> + tls_key_file = "<%= $registration['tls_key_file'] %>" + <%- } -%> + <%- if $registration['tls_min_version'] != undef { -%> + tls_min_version = "<%= $registration['tls_min_version'] %>" + <%- } -%> + <%- if $registration['tls_skip_verify'] != undef { -%> + tls_skip_verify = "<%= $registration['tls_skip_verify'] %>" + <%- } -%> +} diff --git a/templates/elements/service_registration/kubernetes.hcl.epp b/templates/elements/service_registration/kubernetes.hcl.epp new file mode 100644 index 00000000..9748b238 --- /dev/null +++ b/templates/elements/service_registration/kubernetes.hcl.epp @@ -0,0 +1,11 @@ +<%- | + Hash $registration +| -%> +service_registration "kubernetes" { + <%- if $registration['namespace'] != undef { -%> + namespace = "<%= $registration['namespace'] %>" + <%- } -%> + <%- if $registration['pod_name'] != undef { -%> + pod_name = "<%= $registration['pod_name'] %>" + <%- } -%> +} diff --git a/templates/elements/storage.hcl.epp b/templates/elements/storage.hcl.epp new file mode 100644 index 00000000..75be1229 --- /dev/null +++ b/templates/elements/storage.hcl.epp @@ -0,0 +1,75 @@ +<%- | + Optional[Hash] $storage = undef, + Boolean $is_ha = false +| -%> +<%- if $storage != undef { -%> + <%- if $storage['aerospike'] != undef { -%> +<%= epp('vault/elements/storage/aerospike.hcl.epp', { storage => $storage['aerospike'], is_ha => $is_ha }) %> + <%- } -%> + <%- if $storage['alicloudoss'] != undef { -%> +<%= epp('vault/elements/storage/alicloudoss.hcl.epp', { storage => $storage['alicloudoss'], is_ha => $is_ha }) %> + <%- } -%> + <%- if $storage['azure'] != undef { -%> +<%= epp('vault/elements/storage/azure.hcl.epp', { storage => $storage['azure'], is_ha => $is_ha }) %> + <%- } -%> + <%- if $storage['cassandra'] != undef { -%> +<%= epp('vault/elements/storage/cassandra.hcl.epp', { storage => $storage['cassandra'], is_ha => $is_ha }) %> + <%- } -%> + <%- if $storage['cockroachdb'] != undef { -%> +<%= epp('vault/elements/storage/cockroachdb.hcl.epp', { storage => $storage['cockroachdb'], is_ha => $is_ha }) %> + <%- } -%> + <%- if $storage['consul'] != undef { -%> +<%= epp('vault/elements/storage/consul.hcl.epp', { storage => $storage['consul'], is_ha => $is_ha }) %> + <%- } -%> + <%- if $storage['couchdb'] != undef { -%> +<%= epp('vault/elements/storage/couch.hcl.epp', { storage => $storage['couchdb'], is_ha => $is_ha }) %> + <%- } -%> + <%- if $storage['dynamodb'] != undef { -%> +<%= epp('vault/elements/storage/dynamodb.hcl.epp', { storage => $storage['dynamodb'], is_ha => $is_ha }) %> + <%- } -%> + <%- if $storage['etcd'] != undef { -%> +<%= epp('vault/elements/storage/etcd.hcl.epp', { storage => $storage['etcd'], is_ha => $is_ha }) %> + <%- } -%> + <%- if $storage['file'] != undef { -%> +<%= epp('vault/elements/storage/file.hcl.epp', { storage => $storage['file'], is_ha => $is_ha }) %> + <%- } -%> + <%- if $storage['foundationdb'] != undef { -%> +<%= epp('vault/elements/storage/foundation.hcl.epp', { storage => $storage['foundationdb'], is_ha => $is_ha }) %> + <%- } -%> + <%- if $storage['gcs'] != undef { -%> +<%= epp('vault/elements/storage/gcs.hcl.epp', { storage => $storage['gcs'], is_ha => $is_ha }) %> + <%- } -%> + <%- if $storage['inmem'] != undef { -%> +<%= epp('vault/elements/storage/inmem.hcl.epp', { storage => $storage['inmem'], is_ha => $is_ha }) %> + <%- } -%> + <%- if $storage['manta'] != undef { -%> +<%= epp('vault/elements/storage/manta.hcl.epp', { storage => $storage['manta'], is_ha => $is_ha }) %> + <%- } -%> + <%- if $storage['mssql'] != undef { -%> +<%= epp('vault/elements/storage/mssql.hcl.epp', { storage => $storage['mssql'], is_ha => $is_ha }) %> + <%- } -%> + <%- if $storage['mysql'] != undef { -%> +<%= epp('vault/elements/storage/mysql.hcl.epp', { storage => $storage['mysql'], is_ha => $is_ha }) %> + <%- } -%> + <%- if $storage['oci'] != undef { -%> +<%= epp('vault/element/storage/oci.hcl.epp', { storage => $storage['oci'], is_ha => $is_ha }) %> + <%- } -%> + <%- if $storage['postgresql'] != undef { -%> +<%= epp('vault/element/storage/postgresql.hcl.epp', { storage => $storage['postgresql'], is_ha => $is_ha }) %> + <%- } -%> + <%- if $storage['raft'] != undef { -%> +<%= epp('vault/element/storage/raft.hcl.epp', { storage => $storage['raft'], is_ha => $is_ha }) %> + <%- } -%> + <%- if $storage['s3'] != undef { -%> +<%= epp('vault/element/storage/s3.hcl.epp', { storage => $storage['s3'], is_ha => $is_ha }) %> + <%- } -%> + <%- if $storage['spanner'] != undef { -%> +<%= epp('vault/element/storage/spanner.hcl.epp', { storage => $storage['spanner'], is_ha => $is_ha }) %> + <%- } -%> + <%- if $storage['swift'] != undef { -%> +<%= epp('vault/element/storage/swift.hcl.epp', { storage => $storage['swift'], is_ha => $is_ha }) %> + <%- } -%> + <%- if $storage['zookeeper'] != undef { -%> +<%= epp('vault/element/storage/zookeeper.hcl.epp', { storage => $storage['zookeeper'], is_ha => $is_ha }) %> + <%- } -%> +<%- } -%> diff --git a/templates/elements/storage/aerospike.hcl.epp b/templates/elements/storage/aerospike.hcl.epp new file mode 100644 index 00000000..dd06b9ba --- /dev/null +++ b/templates/elements/storage/aerospike.hcl.epp @@ -0,0 +1,40 @@ +<%- | + Hash $storage, + Boolean $is_ha = false +| -%> +<%- if $is_ha { fail('The Aerospike storage backend is not highly available') } -%> +storage "aerospike" { + <%- if $storage['hostname'] != undef { -%> + hostname = "<%= $storage['hostname'] %>" + <%- } -%> + <%- if $storage['port'] != undef { -%> + port = "<%= $storage['port'] %>" + <%- } -%> + <%- if $storage['hostlist'] != undef { -%> + hostlist = "<%= $storage['hostlist'] %>" + <%- } -%> + <%- if $storage['namespace'] != undef { -%> + namespace = "<%= $storage['namespace'] %>" + <%- } -%> + <%- if $storage['set'] != undef { -%> + set = "<%= $storage['set'] %>" + <%- } -%> + <%- if $storage['username'] != undef { -%> + username = "<%= $storage['username'] %>" + <%- } -%> + <%- if $storage['password'] != undef { -%> + password = "<%= $storage['password'] %>" + <%- } -%> + <%- if $storage['cluster_name'] != undef { -%> + cluster_name = "<%= $storage['cluster_name'] %>" + <%- } -%> + <%- if $storage['auth_mode'] != undef { -%> + auth_mode = "<%= $storage['auth_mode'] %>" + <%- } -%> + <%- if $storage['timeout'] != undef { -%> + timeout = <%= $storage['timeout'] %> + <%- } -%> + <%- if $storage['idle_timeout'] != undef { -%> + idle_timeout = <%= $storage['idle_timeout'] %> + <%- } -%> +} diff --git a/templates/elements/storage/alicloudoss.hcl.epp b/templates/elements/storage/alicloudoss.hcl.epp new file mode 100644 index 00000000..bcf18c4d --- /dev/null +++ b/templates/elements/storage/alicloudoss.hcl.epp @@ -0,0 +1,20 @@ +<%- | + Hash $storage, + Boolean $is_ha = false +| -%> +<%- if $is_ha { fail('The Alicloud OSS storage backend is not highly available') } -%> +storage "alicloudoss" { + bucket = "<%= $storage['bucket'] %>" + <%- if $storage['endpoint'] != undef { -%> + endpoint = "<%= $storage['endpoint'] %>" + <%- } -%> + <%- if $storage['access_key'] != undef { -%> + access_key "<%= $storage['access_key'] %>" + <%- } -%> + <%- if $storage['secret_key'] != undef { -%> + secret_key "<%= $storage['secret_key'] %>" + <%- } -%> + <%- if $storage['max_parallel'] != undef { -%> + max_parallel = "<%= $storage['max_parallel'] %>" + <%- } -%> +} diff --git a/templates/elements/storage/azure.hcl.epp b/templates/elements/storage/azure.hcl.epp new file mode 100644 index 00000000..7083062c --- /dev/null +++ b/templates/elements/storage/azure.hcl.epp @@ -0,0 +1,21 @@ +<%- | + Hash $storage, + Boolean $is_ha = false +| -%> +<%- if $is_ha { fail('The Azure storage backend is not highly available') } -%> +storage "azure" { + accountName = "<%= $storage['accountName'] %>" + <%- if $storage['accountKey'] != undef { -%> + accountKey = "<%= $storage['accountKey'] %>" + <%- } -%> + container = "<%= $storage['container'] %>" + <%- if $storage['environment'] != undef { -%> + environment = "<%= $storage['environment'] %>" + <%- } -%> + <%- if $storage['arm_endpoint'] != undef { -%> + arm_endpoint = "<%= $storage['arm_endpoint'] %>" + <%- } -%> + <%- if $storage['max_parallel'] != undef { -%> + max_parallel = "<%= $storage['max_parallel'] %>" + <%- } -%> +} diff --git a/templates/elements/storage/cassandra.hcl.epp b/templates/elements/storage/cassandra.hcl.epp new file mode 100644 index 00000000..afcb9c80 --- /dev/null +++ b/templates/elements/storage/cassandra.hcl.epp @@ -0,0 +1,52 @@ +<%- | + Hash $storage, + Boolean $is_ha = false +| -%> +<%- if $is_ha { fail('The Cassandra storage backend is not highly available') } -%> +storage "cassandra" { + <%- if $storage['hosts'] != undef { -%> + hosts = "<%= $storage['hosts'] %>" + <%- } -%> + <%- if $storage['keyspace'] != undef { -%> + keyspace = "<%= $storage['keyspace'] %>" + <%- } -%> + <%- if $storage['table'] != undef { -%> + table = "<%= $storage['table'] %>" + <%- } -%> + <%- if $storage['consistency'] != undef { -%> + consistency = "<%= $storage['consistency'] %>" + <%- } -%> + <%- if $storage['protocol_version'] != undef { -%> + protocol_version = "<%= $storage['protocol_version'] %>" + <%- } -%> + <%- if $storage['username'] != undef { -%> + username = "<%= $storage['username'] %>" + <%- } -%> + <%- if $storage['password'] != undef { -%> + password = "<%= $storage['password'] %>" + <%- } -%> + <%- if $storage['initial_connection_timeout'] != undef { -%> + initial_connection_timeout = <%= $storage['initial_connection_timeout'] %> + <%- } -%> + <%- if $storage['connection_timeout'] != undef { -%> + connection_timeout = <%= $storage['connection_timeout'] %> + <%- } -%> + <%- if $storage['simple_retry_policy_retries'] != undef { -%> + simple_retry_policy_retries = <%= $storage['simple_retry_policy_retries'] %> + <%- } -%> + <%- if $storage['tls'] != undef { -%> + tls = <%= $storage['tls'] %> + <%- } -%> + <%- if $storage['pem_bundle_file'] != undef { -%> + pem_bundle_file = "<%= $storage['pem_bundle_file'] %>" + <%- } -%> + <%- if $storage['pem_json_file'] != undef { -%> + pem_json_file = "<%= $storage['pem_json_file'] %>" + <%- } -%> + <%- if $storage['tls_skip_verify'] != undef { -%> + tls_skip_verify = <%= $storage['tls_skip_verify'] %> + <%- } -%> + <%- if $storage['tls_min_version'] != undef { -%> + tls_min_version = "<%= $storage['tls_min_version'] %>" + <%- } -%> +} diff --git a/templates/elements/storage/cockroachdb.hcl.epp b/templates/elements/storage/cockroachdb.hcl.epp new file mode 100644 index 00000000..957f0b24 --- /dev/null +++ b/templates/elements/storage/cockroachdb.hcl.epp @@ -0,0 +1,19 @@ +<%- | + Hash $storage, + Boolean $is_ha = false +| -%> +<% if $is_ha { %>ha_<% } %>storage "cockroachdb" { + connection_url = "<%= $storage['connection_url'] %>" + <%- if $storage['table'] != undef { -%> + table = "<%= $storage['table'] %>" + <%- } -%> + <%- if $storage['max_parallel'] != undef { -%> + max_parallel = "<%= $storage['max_parallel'] %>" + <%- } -%> + <%- if $storage['ha_enabled'] != undef { -%> + ha_enabled = "<%= $storage['ha_enabled'] %>" + <%- } -%> + <%- if $storage['ha_table'] != undef { -%> + ha_table = "<%= $storage['ha_table'] %>" + <%- } -%> +} diff --git a/templates/elements/storage/consul.hcl.epp b/templates/elements/storage/consul.hcl.epp new file mode 100644 index 00000000..9137c739 --- /dev/null +++ b/templates/elements/storage/consul.hcl.epp @@ -0,0 +1,60 @@ +<%- | + Hash $storage, + Boolean $is_ha = false +| -%> +<% if $is_ha { %>ha_<% } %>storage "consul" { + <%- if $storage['address'] != undef { -%> + address = "<%= $storage['address'] %>" + <%- } -%> + <%- if $storage['check_timeout'] != undef { -%> + check_timeout = "<%= $storage['check_timeout'] %>" + <%- } -%> + <%- if $storage['consistency_mode'] != undef { -%> + consistency_mode = "<%= $storage['consistency_mode'] %>" + <%- } -%> + <%- if $storage['disable_registration'] != undef { -%> + disable_registration = "<%= $storage['disable_registration'] %>" + <%- } -%> + <%- if $storage['max_parallel'] != undef { -%> + max_parallel = "<%= $storage['max_parallel'] %>" + <%- } -%> + <%- if $storage['path'] != undef { -%> + path = "<%= $storage['path'] %>" + <%- } -%> + <%- if $storage['scheme'] != undef { -%> + scheme = "<%= $storage['scheme'] %>" + <%- } -%> + <%- if $storage['service'] != undef { -%> + service = "<%= $storage['service'] %>" + <%- } -%> + <%- if $storage['service_tags'] != undef { -%> + service_tags = "<%= $storage['service_tags'] %>" + <%- } -%> + <%- if $storage['service_address'] != undef { -%> + service_address = "<%= $storage['service_address'] %>" + <%- } -%> + <%- if $storage['token'] != undef { -%> + token = "<%= $storage['token'] %>" + <%- } -%> + <%- if $storage['session_ttl'] != undef { -%> + session_ttl = "<%= $storage['session_ttl'] %>" + <%- } -%> + <%- if $storage['lock_wait_time'] != undef { -%> + lock_wait_time = "<%= $storage['lock_wait_time'] %>" + <%- } -%> + <%- if $storage['tls_ca_file'] != undef { -%> + tls_ca_file = "<%= $storage['tls_ca_file'] %>" + <%- } -%> + <%- if $storage['tls_cert_file'] != undef { -%> + tls_cert_file = "<%= $storage['tls_cert_file'] %>" + <%- } -%> + <%- if $storage['tls_key_file'] != undef { -%> + tls_key_file = "<%= $storage['tls_key_file'] %>" + <%- } -%> + <%- if $storage['tls_min_version'] != undef { -%> + tls_min_version = "<%= $storage['tls_min_version'] %>" + <%- } -%> + <%- if $storage['tls_skip_verify'] != undef { -%> + tls_skip_verify = "<%= $storage['tls_skip_verify'] %>" + <%- } -%> +} diff --git a/templates/elements/storage/couchdb.hcl.epp b/templates/elements/storage/couchdb.hcl.epp new file mode 100644 index 00000000..09335a0d --- /dev/null +++ b/templates/elements/storage/couchdb.hcl.epp @@ -0,0 +1,19 @@ +<%- | + Hash $storage, + Boolean $is_ha = false +| -%> +<%- if $is_ha { fail('The CouchDB storage backend is not highly available') } -%> +storage "couchdb" { + <%- if $storage['endpoint'] != undef { -%> + endpoint = "<%= $storage['endpoint'] %>" + <%- } -%> + <%- if $storage['username'] != undef { -%> + username = "<%= $storage['username'] %>" + <%- } -%> + <%- if $storage['password'] != undef { -%> + password = "<%= $storage['password'] %>" + <%- } -%> + <%- if $storage['max_parallel'] != undef { -%> + max_parallel = "<%= $storage['max_parallel'] %>" + <%- } -%> +} diff --git a/templates/elements/storage/dynamodb.hcl.epp b/templates/elements/storage/dynamodb.hcl.epp new file mode 100644 index 00000000..53e95dea --- /dev/null +++ b/templates/elements/storage/dynamodb.hcl.epp @@ -0,0 +1,36 @@ +<%- | + Hash $storage, + Boolean $is_ha = false +| -%> +<% if $is_ha { %>ha_<% } %>storage "dynamodb" { + <%- if $storage['endpoint'] != undef { -%> + endpoint = "<%= $storage['endpoint'] %>" + <%- } -%> + <%- if $storage['ha_enabled'] != undef { -%> + ha_enabled = "<%= $storage['ha_enabled'] %>" + <%- } -%> + <%- if $storage['max_parallel'] != undef { -%> + max_parallel = "<%= $storage['max_parallel'] %>" + <%- } -%> + <%- if $storage['region'] != undef { -%> + region = "<%= $storage['region'] %>" + <%- } -%> + <%- if $storage['read_capacity'] != undef { -%> + read_capacity = <%= $storage['read_capacity'] %> + <%- } -%> + <%- if $storage['table'] != undef { -%> + table = "<%= $storage['table'] %>" + <%- } -%> + <%- if $storage['write_capacity'] != undef { -%> + write_capacity = <%= $storage['write_capacity'] %> + <%- } -%> + <%- if $storage['access_key'] != undef { -%> + access_key = "<%= $storage['access_key'] %>" + <%- } -%> + <%- if $storage['secret_key'] != undef { -%> + secret_key = "<%= $storage['secret_key'] %>" + <%- } -%> + <%- if $storage['session_token'] != undef { -%> + session_token = "<%= $storage['session_token'] %>" + <%- } -%> +} diff --git a/templates/elements/storage/etcd.hcl.epp b/templates/elements/storage/etcd.hcl.epp new file mode 100644 index 00000000..170dec30 --- /dev/null +++ b/templates/elements/storage/etcd.hcl.epp @@ -0,0 +1,48 @@ +<%- | + Hash $storage, + Boolean $is_ha = false +| -%> +<% if $is_ha { %>ha_<% } %>storage "etcd" { + <%- if $storage['address'] != undef { -%> + address = "<%= $storage['address'] %>" + <%- } -%> + <%- if $storage['discovery_srv'] != undef { -%> + discovery_srv = "<%= $storage['discovery_srv'] %>" + <%- } -%> + <%- if $storage['discovery_srv_name'] != undef { -%> + discovery_srv_name = "<%= $storage['discovery_srv_name'] %>" + <%- } -%> + <%- if $storage['etcd_api'] != undef { -%> + etcd_api = "<%= $storage['etcd_api'] %>" + <%- } -%> + <%- if $storage['ha_enabled'] != undef { -%> + ha_enabled = "<%= $storage['ha_enabled'] %>" + <%- } -%> + <%- if $storage['path'] != undef { -%> + path = "<%= $storage['path'] %>" + <%- } -%> + <%- if $storage['sync'] != undef { -%> + sync = "<%= $storage['sync'] %>" + <%- } -%> + <%- if $storage['username'] != undef { -%> + username = "<%= $storage['username'] %>" + <%- } -%> + <%- if $storage['password'] != undef { -%> + password = "<%= $storage['password'] %>" + <%- } -%> + <%- if $storage['tls_ca_file'] != undef { -%> + tls_ca_file = "<%= $storage['tls_ca_file'] %>" + <%- } -%> + <%- if $storage['tls_cert_file'] != undef { -%> + tls_cert_file = "<%= $storage['tls_cert_file'] %>" + <%- } -%> + <%- if $storage['tls_key_file'] != undef { -%> + tls_key_file = "<%= $storage['tls_key_file'] %>" + <%- } -%> + <%- if $storage['request_timeout'] != undef { -%> + request_timeout = "<%= $storage['request_timeout'] %>" + <%- } -%> + <%- if $storage['lock_timeout'] != undef { -%> + lock_timeout = "<%= $storage['lock_timeout'] %>" + <%- } -%> +} diff --git a/templates/elements/storage/file.hcl.epp b/templates/elements/storage/file.hcl.epp new file mode 100644 index 00000000..1561013c --- /dev/null +++ b/templates/elements/storage/file.hcl.epp @@ -0,0 +1,8 @@ +<%- | + Hash $storage, + Boolean $is_ha = false +| -%> +<%- if $is_ha { fail('The Filesystem storage backend is not highly available') } -%> +storage "file" { + path = "<%= $storage['path'] %>" +} diff --git a/templates/elements/storage/foundationdb.hcl.epp b/templates/elements/storage/foundationdb.hcl.epp new file mode 100644 index 00000000..d59fec07 --- /dev/null +++ b/templates/elements/storage/foundationdb.hcl.epp @@ -0,0 +1,33 @@ +<%- | + Hash $storage, + Boolean $is_ha = false +| -%> +<% if $is_ha { %>ha_<% } %>storage "foundationdb" { + <%- if $storage['api_version'] != undef { -%> + api_version = <%= $storage['api_version'] %> + <%- } -%> + <%- if $storage['cluster_file'] != undef { -%> + cluster_file = "<%= $storage['cluster_file'] %>" + <%- } -%> + <%- if $storage['tls_verify_peers'] != undef { -%> + tls_verify_peers = <%= $storage['tls_verify_peers'] %> + <%- } -%> + <%- if $storage['tls_ca_file'] != undef { -%> + tls_ca_file = "<%= $storage['tls_ca_file'] %>" + <%- } -%> + <%- if $storage['tls_cert_file'] != undef { -%> + tls_cert_file = "<%= $storage['tls_cert_file'] %>" + <%- } -%> + <%- if $storage['tls_key_file'] != undef { -%> + tls_key_file = "<%= $storage['tls_key_file'] %>" + <%- } -%> + <%- if $storage['tls_password'] != undef { -%> + tls_password = "<%= $storage['tls_password'] %>" + <%- } -%> + <%- if $storage['path'] != undef { -%> + path = "<%= $storage['path'] %>" + <%- } -%> + <%- if $storage['ha_enabled'] != undef { -%> + ha_enabled = "<%= $storage['ha_enabled'] %>" + <%- } -%> +} diff --git a/templates/elements/storage/gcs.hcl.epp b/templates/elements/storage/gcs.hcl.epp new file mode 100644 index 00000000..15c9f218 --- /dev/null +++ b/templates/elements/storage/gcs.hcl.epp @@ -0,0 +1,16 @@ +<%- | + Hash $storage, + Boolean $is_ha = false +| -%> +<% if $is_ha { %>ha_<% } %>storage "gcs" { + bucket = "<%= $storage['bucket'] %>" + <%- if $storage['chunk_size'] != undef { -%> + chunk_size = "<%= $storage['chunk_size'] %>" + <%- } -%> + <%- if $storage['max_parallel'] != undef { -%> + max_parallel = <%= $storage['max_parallel'] %> + <%- } -%> + <%- if $storage['ha_enabled'] != undef { -%> + ha_enabled = "<%= $storage['ha_enabled'] %>" + <%- } -%> +} diff --git a/templates/elements/storage/inmem.hcl.epp b/templates/elements/storage/inmem.hcl.epp new file mode 100644 index 00000000..9a4ca4cf --- /dev/null +++ b/templates/elements/storage/inmem.hcl.epp @@ -0,0 +1,5 @@ +<%- | + Boolean $is_ha = false +| -%> +<%- if $is_ha { fail('The In-Memory storage backend is not highly available') } -%> +storage "inmem" {} diff --git a/templates/elements/storage/manta.hcl.epp b/templates/elements/storage/manta.hcl.epp new file mode 100644 index 00000000..81d94ba6 --- /dev/null +++ b/templates/elements/storage/manta.hcl.epp @@ -0,0 +1,19 @@ +<%- | + Hash $storage, + Boolean $is_ha = false +| -%> +<%- if $is_ha { fail('The Manta storage backend is not highly available') } -%> +storage "manta" { + directory = "<%= $storage['directory'] %>" + user = "<%= $storage['user'] %>" + key_id = "<%= $storage['key_id'] %>" + <%- if $storage['subuser'] != undef { %> + subuser = "<%= $storage['subuser'] %>" + <%- } %> + <%- if $storage['url'] != undef { %> + url = "<%= $storage['url'] %>" + <%- } -%> + <%- if $storage['max_parallel'] != undef { %> + max_parallel = "<%= $storage['max_parallel'] %>" + <%- } -%> +} diff --git a/templates/elements/storage/mssql.hcl.epp b/templates/elements/storage/mssql.hcl.epp new file mode 100644 index 00000000..31f8e908 --- /dev/null +++ b/templates/elements/storage/mssql.hcl.epp @@ -0,0 +1,38 @@ +<%- | + Hash $storage, + Boolean $is_ha = false +| -%> +<%- if $is_ha { fail('The MSSQL storage backend is not highly available') } -%> +storage "mssql" { + server = "<%= $storage['server'] %>" + <%- if $storage['port'] != undef { -%> + port = <%= $storage['port'] %> + <%- } -%> + <%- if $storage['username'] != undef { -%> + username = "<%= $storage['username'] %>" + <%- } -%> + <%- if $storage['password'] != undef { -%> + password = "<%= $storage['password'] %>" + <%- } -%> + <%- if $storage['database'] != undef { -%> + database = "<%= $storage['database'] %>" + <%- } -%> + <%- if $storage['table'] != undef { -%> + table = "<%= $storage['table'] %>" + <%- } -%> + <%- if $storage['schema'] != undef { -%> + schema = "<%= $storage['schema'] %>" + <%- } -%> + <%- if $storage['appname'] != undef { -%> + appname = "<%= $storage['appname'] %>" + <%- } -%> + <%- if $storage['connectionTimeout'] != undef { -%> + connection_timeout = <%= $storage['connectionTimeout'] %> + <%- } -%> + <%- if $storage['logLevel'] != undef { -%> + logLevel = <%= $storage['logLevel'] %> + <%- } -%> + <%- if $storage['max_parallel'] != undef { -%> + max_parallel = "<%= $storage['max_parallel'] %>" + <%- } -%> +} diff --git a/templates/elements/storage/mysql.hcl.epp b/templates/elements/storage/mysql.hcl.epp new file mode 100644 index 00000000..8495fcac --- /dev/null +++ b/templates/elements/storage/mysql.hcl.epp @@ -0,0 +1,38 @@ +<%- | + Hash $storage, + Boolean $is_ha = false +| -%> +<% if $is_ha { %>ha_<% } %>storage "mysql" { + <%- if $storage['address'] != undef { -%> + address = "<%= $storage['address'] %>" + <%- } -%> + username = "<%= $storage['username'] %>" + password = "<%= $storage['password'] %>" + <%- if $storage['database'] != undef { -%> + database = "<%= $storage['database'] %>" + <%- } -%> + <%- if $storage['table'] != undef { -%> + table = "<%= $storage['table'] %>" + <%- } -%> + <%- if $storage['tls_ca_file'] != undef { -%> + tls_ca_file = "<%= $storage['tls_ca_file'] %>" + <%- } -%> + <%- if $storage['plaintext_credentials_transmission'] != undef { -%> + plaintext_credentials_transmission = "<%= $storage['plaintext_credentials_transmission'] %>" + <%- } -%> + <%- if $storage['max_parallel'] != undef { -%> + max_parallel = "<%= $storage['max_parallel'] %>" + <%- } -%> + <%- if $storage['max_idle_connections'] != undef { -%> + max_idle_connections = "<%= $storage['max_idle_connections'] %>" + <%- } -%> + <%- if $storage['max_connection_lifetime'] != undef { -%> + max_connection_lifetime = "<%= $storage['max_connection_lifetime'] %>" + <%- } -%> + <%- if $storage['ha_enabled'] != undef { -%> + ha_enabled = "<%= $storage['ha_enabled'] %>" + <%- } -%> + <%- if $storage['lock_table'] != undef { -%> + lock_table = "<%= $storage['lock_table'] %>" + <%- } -%> +} diff --git a/templates/elements/storage/oci.hcl.epp b/templates/elements/storage/oci.hcl.epp new file mode 100644 index 00000000..71c60bc7 --- /dev/null +++ b/templates/elements/storage/oci.hcl.epp @@ -0,0 +1,13 @@ +<%- | + Hash $storage, + Boolean $is_ha = false +| -%> +<% if $is_ha { %>ha_<% } %>storage "oci" { + bucket_name = "<%= $storage['bucket_name'] %>" + namespace_name = "<%= $storage['namespace_name'] %>" + <%- if $storage['region'] != undef { -%> + region = "<%= $storage['region'] %>" + <%- } -%> + ha_enabled = "<%= $storage['ha_enabled'] %>" + lock_bucket_name = "<%= $storage['lock_bucket_name'] %>" +} diff --git a/templates/elements/storage/postgresql.hcl.epp b/templates/elements/storage/postgresql.hcl.epp new file mode 100644 index 00000000..ae42a94b --- /dev/null +++ b/templates/elements/storage/postgresql.hcl.epp @@ -0,0 +1,22 @@ +<%- | + Hash $storage, + Boolean $is_ha = false +| -%> +<% if $is_ha { %>ha_<% } %>storage "postgresql" { + connection_url = "<%= $storage['connection_url'] %>" + <%- if $storage['table'] != undef { -%> + table = "<%= $storage['table'] %>" + <%- } -%> + <%- if $storage['max_idle_connections'] != undef { -%> + max_idle_connections = <%= $storage['max_idle_connections'] %> + <%- } -%> + <%- if $storage['max_parallel'] != undef { -%> + max_parallel = "<%= $storage['max_parallel'] %>" + <%- } -%> + <%- if $storage['ha_enabled'] != undef { -%> + ha_enabled = "<%= $storage['ha_enabled'] %>" + <%- } -%> + <%- if $storage['ha_table'] != undef { -%> + ha_enabled = "<%= $storage['ha_table'] %>" + <%- } -%> +} diff --git a/templates/elements/storage/raft.hcl.epp b/templates/elements/storage/raft.hcl.epp new file mode 100644 index 00000000..b8b11019 --- /dev/null +++ b/templates/elements/storage/raft.hcl.epp @@ -0,0 +1,75 @@ +<%- | + Hash $storage, + Boolean $is_ha = false +| -%> +<% if $is_ha { %>ha_<% } %>storage "raft" { + <%- if $storage['path'] != undef { -%> + path = "<%= $storage['path'] %>" + <%- } -%> + <%- if $storage['node'] != undef { -%> + node_id = "<%= $storage['node_id'] %>" + <%- } -%> + <%- if $storage['performance_multiplier'] != undef { -%> + performance_multiplier = <%= $storage['performance_multiplier'] %> + <%- } -%> + <%- if $storage['trailing_logs'] != undef { -%> + trailing_logs = <%= $storage['trailing_logs'] %> + <%- } -%> + <%- if $storage['snapshot_threshold'] != undef { -%> + snapshot_threshold = <%= $storage['snapshot_threshold'] %> + <%- } -%> + <%- if $storage['retry_join'] != undef { -%> + <%- $storage['retry_join'].each |$retry_join| { -%> + retry_join { + <%- if $retry_join['leader_api_addr'] != undef { -%> + leader_api_addr = "<%= $retry_join['leader_api_addr'] %>" + <%- } -%> + <%- if $retry_join['auto_join'] != undef { -%> + auto_join = "<%= $retry_join['auto_join'] %>" + <%- } -%> + <%- if $retry_join['auto_join_scheme'] != undef { -%> + auto_join_scheme = "<%= $retry_join['auto_join_scheme'] %>" + <%- } -%> + <%- if $retry_join['auto_join_port'] != undef { -%> + auto_join_port = <%= $retry_join['auto_join_port'] %> + <%- } -%> + <%- if $retry_join['leader_ca_cert_file'] != undef { -%> + leader_ca_cert_file = "<%= $retry_join['leader_ca_cert_file'] %>" + <%- } -%> + <%- if $retry_join['leader_client_cert_file'] != undef { -%> + leader_client_cert_file = "<%= $retry_join['leader_client_cert_file'] %>" + <%- } -%> + <%- if $retry_join['leader_client_key_file'] != undef { -%> + leader_client_key_file = "<%= $retry_join['leader_client_key_file'] %>" + <%- } -%> + <%- if $retry_join['leader_ca_cert'] != undef { -%> + leader_ca_cert = "<%= $retry_join['leader_ca_cert'] %>" + <%- } -%> + <%- if $retry_join['leader_client_cert'] != undef { -%> + leader_client_cert = "<%= $retry_join['leader_client_cert'] %>" + <%- } -%> + <%- if $retry_join['leader_client_key'] != undef { -%> + leader_client_key = "<%= $retry_join['leader_client_key'] %>" + <%- } -%> + } + <%- } -%> + <%- } -%> + <%- if $storage['retry_join_as_non_voter'] != undef { -%> + retry_join_as_non_voter = <%= $storage['retry_join_as_non_voter'] %> + <%- } -%> + <%- if $storage['max_entry_size'] != undef { -%> + max_entry_size = <%= $storage['max_entry_size'] %> + <%- } -%> + <%- if $storage['autopilot_reconcile_interval'] != undef { -%> + autopilot_reconcile_interval = "<%= $storage['autopilot_reconcile_interval'] %>" + <%- } -%> + <%- if $storage['autopilot_update_interval'] != undef { -%> + autopilot_update_interval = "<%= $storage['autopilot_update_interval'] %>" + <%- } -%> + <%- if $storage['autopilot_upgrade_version'] != undef { -%> + autopilot_upgrade_version = "<%= $storage['autopilot_upgrade_version'] %>" + <%- } -%> + <%- if $storage['autopilot_redundancy_zone'] != undef { -%> + autopilot_redundancy_zone = "<%= $storage['autopilot_redundancy_zone'] %>" + <%- } -%> +} diff --git a/templates/elements/storage/s3.hcl.epp b/templates/elements/storage/s3.hcl.epp new file mode 100644 index 00000000..9877e31a --- /dev/null +++ b/templates/elements/storage/s3.hcl.epp @@ -0,0 +1,34 @@ +<%- | + Hash $storage, + Boolean $is_ha = false +| -%> +<%- if $is_ha { fail('The S3 storage backend is not highly available') } -%> +storage "s3" { + bucket = "<%= $storage['bucket'] %>" + endpoint = "<%= $storage['endpoint'] %>" + region = "<%= $storage['region'] %>" + <%- if $storage['access_key'] != undef { -%> + access_key = "<%= $storage['access_key'] %>" + <%- } -%> + <%- if $storage['secret_key'] != undef { -%> + secret_key = "<%= $storage['secret_key'] %>" + <%- } -%> + <%- if $storage['session_token'] != undef { -%> + session_token = "<%= $storage['session_token'] %>" + <%- } -%> + <%- if $storage['max_parallel'] != undef { -%> + max_parallel = "<%= $storage['max_parallel'] %>" + <%- } -%> + <%- if $storage['s3_force_path_style'] != undef { -%> + s3_force_path_style = "<%= $storage['s3_force_path_style'] %>" + <%- } -%> + <%- if $storage['disable_ssl'] != undef { -%> + disable_ssl = "<%= $storage['disable_ssl'] %>" + <%- } -%> + <%- if $storage['kms_key_id'] != undef { -%> + kms_key_id = "<%= $storage['kms_key_id'] %>" + <%- } -%> + <%- if $storage['path'] != undef { -%> + path = "<%= $storage['path'] %>" + <%- } -%> +} diff --git a/templates/elements/storage/spanner.hcl.epp b/templates/elements/storage/spanner.hcl.epp new file mode 100644 index 00000000..b5d7f6b8 --- /dev/null +++ b/templates/elements/storage/spanner.hcl.epp @@ -0,0 +1,19 @@ +<%- | + Hash $storage, + Boolean $is_ha = false +| -%> +<% if $is_ha { %>ha_<% } %>storage "spanner" { + database = "<%= $storage['database'] %>" + <%- if $storage['table'] != undef { -%> + table = "<%= $storage['table'] %>" + <%- } -%> + <%- if $storage['max_parallel'] != undef { -%> + max_parallel = <%= $storage['max_parallel'] %> + <%- } -%> + <%- if $storage['ha_enabled'] != undef { -%> + ha_enabled = "<%= $storage['ha_enabled'] %>" + <%- } -%> + <%- if $storage['ha_table'] != undef { -%> + ha_table = "<%= $storage['ha_table'] %>" + <%- } -%> +} diff --git a/templates/elements/storage/swift.hcl.epp b/templates/elements/storage/swift.hcl.epp new file mode 100644 index 00000000..e62e433a --- /dev/null +++ b/templates/elements/storage/swift.hcl.epp @@ -0,0 +1,38 @@ +<%- | + Hash $storage, + Boolean $is_ha = false +| -%> +<%- if $is_ha { fail('The Swift storage backend is not highly available') } -%> +storage "swift" { + auth_url = "<%= $storage['auth_url'] %>" + container = "<%= $storage['container'] %>" + <%- if $storage['max_parallel'] != undef { -%> + max_parallel = "<%= $storage['max_parallel'] %>" + <%- } -%> + password = "<%= $storage['password'] %>" + <%- if $storage['tenant'] != undef { -%> + tenant = "<%= $storage['tenant'] %>" + <%- } -%> + username = "<%= $storage['username'] %>" + <%- if $storage['region'] != undef { -%> + region = "<%= $storage['region'] %>" + <%- } -%> + <%- if $storage['tenant_id'] != undef { -%> + tenant_id = "<%= $storage['tenant_id'] %>" + <%- } -%> + <%- if $storage['domain'] != undef { -%> + domain = "<%= $storage['domain'] %>" + <%- } -%> + <%- if $storage['project-domain'] != undef { -%> + project-domain = "<%= $storage['project-domain'] %>" + <%- } -%> + <%- if $storage['trust_id'] != undef { -%> + trust_id = "<%= $storage['trust_id'] %>" + <%- } -%> + <%- if $storage['storage_url'] != undef { -%> + storage_url = "<%= $storage['storage_url'] %>" + <%- } -%> + <%- if $storage['auth_token'] != undef { -%> + auth_token = "<%= $storage['auth_token'] %>" + <%- } -%> +} diff --git a/templates/elements/storage/zookeeper.hcl.epp b/templates/elements/storage/zookeeper.hcl.epp new file mode 100644 index 00000000..7585356a --- /dev/null +++ b/templates/elements/storage/zookeeper.hcl.epp @@ -0,0 +1,39 @@ +<%- | + Hash $storage, + Boolean $is_ha = false +| -%> +<% if $is_ha { %>ha_<% } %>storage "zookeeper" { + <%- if $storage['address'] != undef { -%> + address = "<%= $storage['address'] %>" + <%- } -%> + <%- if $storage['path'] != undef { -%> + path = "<%= $storage['path'] %>" + <%- } -%> + <%- if $storage['auth_info'] != undef { -%> + auth_info = "<%= $storage['auth_info'] %>" + <%- } -%> + <%- if $storage['znode_owner'] != undef { -%> + znode_owner = "<%= $storage['znode_owner'] %>" + <%- } -%> + <%- if $storage['tls_enabled'] != undef { -%> + tls_enabled = <%= $storage['tls_enabled'] %> + <%- } -%> + <%- if $storage['tls_ca_file'] != undef { -%> + tls_ca_file = "<%= $storage['tls_ca_file'] %>" + <%- } -%> + <%- if $storage['tls_cert_file'] != undef { -%> + tls_cert_file = "<%= $storage['tls_cert_file'] %>" + <%- } -%> + <%- if $storage['tls_key_file'] != undef { -%> + tls_key_file = "<%= $storage['tls_key_file'] %>" + <%- } -%> + <%- if $storage['tls_min_version'] != undef { -%> + tls_min_version = "<%= $storage['tls_min_version'] %>" + <%- } -%> + <%- if $storage['tls_skip_verify'] != undef { -%> + tls_skip_verify = <%= $storage['tls_skip_verify'] %> + <%- } -%> + <%- if $storage['tls_verify_ip'] != undef { -%> + tls_verify_ip = <%= $storage['tls_verify_ip'] %> + <%- } -%> +} diff --git a/templates/elements/telemetry.hcl.epp b/templates/elements/telemetry.hcl.epp new file mode 100644 index 00000000..863fec51 --- /dev/null +++ b/templates/elements/telemetry.hcl.epp @@ -0,0 +1,108 @@ +<%- | + Optional[Hash] $telemetry +| -%> +<%- if $telemetry != undef { -%> +telemetry { + <%- if $telemetry['usage_gauge_period'] != undef { -%> + usage_gauge_period = "<%= $telemetry['usage_gauge_period'] %>" + <%- } -%> + <%- if $telemetry['maximum_gauge_cardinality'] != undef { -%> + maximum_gauge_cardinality = <%= $telemetry['maximum_gauge_cardinality'] %> + <%- } -%> + <%- if $telemetry['disable_hostname'] != undef { -%> + disable_hostname = <%= $telemetry['disable_hostname'] %> + <%- } -%> + <%- if $telemetry['enable_hostname_label'] != undef { -%> + enable_hostname_label = <%= $telemetry['enable_hostname_label'] %> + <%- } -%> + <%- if $telemetry['lease_metrics_epsilon'] != undef { -%> + lease_metrics_epsilon = "<%= $telemetry['lease_metrics_epsilon'] %>" + <%- } -%> + <%- if $telemetry['num_lease_metrics_buckets'] != undef { -%> + num_lease_metrics_buckets = <%= $telemetry['num_lease_metrics_buckets'] %> + <%- } -%> + <%- if $telemetry['add_lease_metrics_namespace_labels'] != undef { -%> + add_lease_metrics_namespace_labels = <%= $telemetry['add_lease_metrics_namespace_labels'] %> + <%- } -%> + <%- if $telemetry['filter_default'] != undef { -%> + filter_default = <%= $telemetry['filter_default'] %> + <%- } -%> + <%- if $telemetry['prefix_filter'] != undef { -%> + prefix_filter = [ + <%- $telemetry['prefix_filter'].each |$prefix| { -%> + "<%= $prefix %>", + <%- } -%> + ] + <%- } -%> + <%- if $telemetry['statsite_address'] != undef { -%> + statsite_address = "<%= $telemetry['statsite_address'] %>" + <%- } -%> + <%- if $telemetry['statsd_address'] != undef { -%> + statsd_address = "<%= $telemetry['statsd_address'] %>" + <%- } -%> + <%- if $telemetry['circonus_api_token'] != undef { -%> + circonus_api_token = "<%= $telemetry['circonus_api_token'] %>" + <%- } -%> + <%- if $telemetry['circonus_api_app'] != undef { -%> + circonus_api_app = "<%= $telemetry['circonus_api_app'] %>" + <%- } -%> + <%- if $telemetry['circonus_api_url'] != undef { -%> + circonus_api_url = "<%= $telemetry['circonus_api_url'] %>" + <%- } -%> + <%- if $telemetry['circonus_submission_interval'] != undef { -%> + circonus_submission_interval = "<%= $telemetry['circonus_submission_interval'] %>" + <%- } -%> + <%- if $telemetry['circonus_submission_url'] != undef { -%> + circonus_api_url = "<%= $telemetry['circonus_submission_url'] %>" + <%- } -%> + <%- if $telemetry['circonus_check_id'] != undef { -%> + circonus_check_id = "<%= $telemetry['circonus_check_id'] %>" + <%- } -%> + <%- if $telemetry['circonus_check_force_metric_activation'] != undef { -%> + circonus_check_force_metric_activation = <%= $telemetry['circonus_check_force_metric_activation'] %> + <%- } -%> + <%- if $telemetry['circonus_check_instance_id'] != undef { -%> + circonus_check_instance_id = "<%= $telemetry['circonus_check_instance_id'] %>" + <%- } -%> + <%- if $telemetry['circonus_check_search_tag'] != undef { -%> + circonus_check_search_tag = "<%= $telemetry['circonus_check_search_tag'] %>" + <%- } -%> + <%- if $telemetry['circonus_check_display_name'] != undef { -%> + circonus_check_display_name = "<%= $telemetry['circonus_check_display_name'] %>" + <%- } -%> + <%- if $telemetry['circonus_check_tags'] != undef { -%> + circonus_check_tags = "<%= $telemetry['circonus_check_tags'] %>" + <%- } -%> + <%- if $telemetry['circonus_broker_id'] != undef { -%> + circonus_broker_id = "<%= $telemetry['circonus_broker_id'] %>" + <%- } -%> + <%- if $telemetry['circonus_broker_select_tag'] != undef { -%> + circonus_broker_select_tag = "<%= $telemetry['circonus_broker_select_tag'] %>" + <%- } -%> + <%- if $telemetry['dogstatsd_addr'] != undef { -%> + dogstatsd_addr = "<%= $telemetry['dogstatsd_addr'] %>" + <%- } -%> + <%- if $telemetry['dogstatsd_tags'] != undef { -%> + dogstatsd_tags = [ + <%- $telemetry['dogstatsd_tags'].each |$tag| { -%> + "<%= $tag %>", + <%- } -%> + ] + <%- } -%> + <%- if $telemetry['prometheus_retention_time'] != undef { -%> + prometheus_retention_time = "<%= $telemetry['prometheus_retention_time'] %>" + <%- } -%> + <%- if $telemetry['stackdriver_project_id'] != undef { -%> + stackdriver_project_id = "<%= $telemetry['stackdriver_project_id'] %>" + <%- } -%> + <%- if $telemetry['stackdriver_location'] != undef { -%> + stackdriver_location = "<%= $telemetry['stackdriver_location'] %>" + <%- } -%> + <%- if $telemetry['stackdriver_namespace'] != undef { -%> + stackdriver_namespace = "<%= $telemetry['stackdriver_namespace'] %>" + <%- } -%> + <%- if $telemetry['stackdriver_debug_logs'] != undef { -%> + stackdriver_debug_logs = <%= $telemetry['stackdriver_debug_logs'] %> + <%- } -%> +} +<%- } -%> diff --git a/templates/elements/user_lockout.hcl.epp b/templates/elements/user_lockout.hcl.epp new file mode 100644 index 00000000..f3366c0b --- /dev/null +++ b/templates/elements/user_lockout.hcl.epp @@ -0,0 +1,21 @@ +<%- | + Optional[Hash] $user_lockout +| -%> +<%- if $user_lockout != undef { -%> + <%- $user_lockout.each |$name, $settings| { -%> +user_lockout "<%= $name %>" { + <%- if $settings['lockout_threshold'] != undef { -%> + user_lockout = "<%= $settings['user_lockout'] %>" + <%- } -%> + <%- if $settings['lockout_duration'] != undef { -%> + lockout_duration = "<%= $settings['lockout_duration'] %>" + <%- } -%> + <%- if $settings['lockout_counter_reset'] != undef { -%> + lockout_counter_reset = "<%= $settings['lockout_counter_reset'] %>" + <%- } -%> + <%- if $settings['disable_lockout'] != undef { -%> + disable_lockout = <%= $settings['disable_lockout'] %> + <%- } -%> +} + <%- } -%> +<%- } -%> diff --git a/templates/vault.hcl.epp b/templates/vault.hcl.epp new file mode 100644 index 00000000..be99c4da --- /dev/null +++ b/templates/vault.hcl.epp @@ -0,0 +1,178 @@ +<%- | + Hash $storage, + Optional[Hash] $ha_storage = undef, + Variant[Hash, Array[Hash]] $listener, + Optional[Hash] $user_lockout = undef, + Optional[Hash] $seal = undef, + Optional[String] $cluster_name = undef, + Optional[String] $cache_size = undef, # 131072 + Optional[Boolean] $disable_cache = undef, # false + Optional[Boolean] $disable_mlock = undef, # false + Optional[String] $plugin_directory = undef, # "" + Optional[Integer] $plugin_file_uid = undef, # 0 + Optional[String] $plugin_file_permissions = undef, # "" + Optional[Hash] $telemetry = undef, + Optional[String] $default_lease_ttl = undef, # "768h" + Optional[String] $max_lease_ttl = undef, # "768h" + Optional[String] $default_max_request_duration = undef, + Optional[String] $detect_deadlocks = undef, + Optional[Boolean] $raw_storage_endpoint = undef, + Optional[Boolean] $introspection_endpoint = undef, + Optional[Boolean] $ui = undef, + Optional[String] $pid_file = undef, + Optional[Boolean] $enable_response_header_hostname = undef, + Optional[Boolean] $enable_response_header_raft_node_id = undef, + Optional[String] $log_level = undef, + Optional[String] $log_format = undef, + Optional[String] $log_file = undef, + Optional[String] $log_rotate_duration = undef, + Optional[String] $log_rotate_bytes = undef, + Optional[String] $log_rotate_max_files = undef, + Optional[Array] $experiments = undef, + Optional[String] $api_addr = undef, + Optional[String] $cluster_addr = undef, + Optional[Boolean] $disable_clustering = undef, + Optional[Boolean] $disable_sealwrap = undef, + Optional[Boolean] $disable_performance_standby = undef, + Optional[String] $license_path = undef, + Optional[Hash] $replication = undef, + Optional[Hash] $sentinel = undef, + Optional[Hash] $service_registration = undef, + Optional[String] $log_requests_level = undef, + Optional[String] $entropy_augmentation = undef, + Optional[String] $kms_library = undef, + Optional[Hash] $extra_config = undef, +| -%> +# +# This file is managed by puppet, any changes made to this file will be +# automatically overwritten the next time it runs. +# +<%- unless $ui == undef { -%> +ui = "<%= $ui -%>" +<%- } -%> +<%- unless $cluster_name == undef { -%> +cluster_name = "<%= $cluster_name -%>" +<%- } -%> +<%- unless $cache_size == undef { -%> +cache_size = "<%= $cache_size -%>" +<%- } -%> +<%- unless $disable_cache == undef { -%> +disable_cache = <%= $disable_cache -%> +<%- } -%> +<%- unless $disable_mlock == undef { -%> +disable_mlock = <%= $disable_mlock -%> +<%- } -%> +<%- unless $plugin_directory == undef { -%> +plugin_directory = "<%= $plugin_directory -%>" +<%- } -%> +<%- unless $plugin_file_uid == undef { -%> +plugin_file_uid = <%= $plugin_file_uid -%> +<%- } -%> +<%- unless $plugin_file_permissions == undef { -%> +plugin_file_permissions = "<%= $plugin_file_permissions -%>" +<%- } -%> +<%- unless $storage == undef { -%> +<%= epp('vault/elements/storage.hcl.epp', { storage => $storage }) -%> +<%- } -%> +<%- unless $ha_storage == undef { -%> +<%= epp('vault/elements/storage.hcl.epp', { storage => $storage, is_ha => true }) -%> +<%- } -%> +<%- unless $listener == undef { -%> +<%= epp('vault/elements/listeners.hcl.epp', { listener => $listener }) -%> +<%- } -%> +<%- unless $user_lockout == undef { -%> +<%= epp('vault/elements/user_lockout.hcl.epp', { user_lockout => $user_lockout }) -%> +<%- } -%> +<%- unless $seal == undef { -%> +<%= epp('vault/elements/seal.hcl.epp', { seal => $seal }) -%> +<%- } -%> +<%- unless $telemetry == undef { -%> +<%= epp('vault/elements/telemetry.hcl.epp', { telemetry => $telemetry }) -%> +<%- } -%> +<%- unless $default_lease_ttl == undef { -%> +default_lease_ttl = "<%= $default_lease_ttl -%>" +<%- } -%> +<%- unless $max_lease_ttl == undef { -%> +max_lease_ttl = "<%= $max_lease_ttl -%>" +<%- } -%> +<%- unless $default_max_request_duration == undef { -%> +default_max_request_duration = "<%= $default_max_request_duration -%>" +<%- } -%> +<%- unless $detect_deadlocks == undef { -%> +detect_deadlocks = <%= $detect_deadlocks -%> +<%- } -%> +<%- unless $raw_storage_endpoint == undef { -%> +raw_storage_endpoint = <%= $raw_storage_endpoint -%> +<%- } -%> +<%- unless $introspection_endpoint == undef { -%> +introspection_endpoint = <%= $introspection_endpoint -%> +<%- } -%> +<%- unless $pid_file == undef { -%> +pid_file = "<%= $pid_file -%>" +<%- } -%> +<%- unless $enable_response_header_hostname == undef { -%> +enable_response_header_hostname = <%= $enable_response_header_hostname -%> +<%- } -%> +<%- unless $enable_response_header_raft_node_id == undef { -%> +enable_response_header_raft_node_id = <%= $enable_response_header_raft_node_id -%> +<%- } -%> +<%- unless $log_level == undef { -%> +log_level = "<%= $log_level -%>" +<%- } -%> +<%- unless $log_requests_level == undef { -%> +log_requests_level = "<%= $log_requests_level -%>" +<%- } -%> +<%- unless $log_format == undef { -%> +log_format = "<%= $log_format -%>" +<%- } -%> +<%- unless $log_file == undef { -%> +log_file = "<%= $log_file -%>" +<%- } -%> +<%- unless $log_rotate_duration == undef { -%> +log_rotate_duration = "<%= $log_rotate_duration -%>" +<%- } -%> +<%- unless $log_rotate_bytes == undef { -%> +log_rotate_bytes = "<%= $log_rotate_bytes -%>" +<%- } -%> +<%- unless $log_rotate_max_files == undef { -%> +log_rotate_max_files = "<%= $log_rotate_max_files -%>" +<%- } -%> +<%- unless $experiments == undef { -%> +experiments = <%= $experiments -%> +<%- } -%> +<%- unless $api_addr == undef { -%> +api_addr = "<%= $api_addr -%>" +<%- } -%> +<%- unless $cluster_addr == undef { -%> +cluster_addr = "<%= $cluster_addr -%>" +<%- } -%> +<%- unless $disable_clustering == undef { -%> +disable_clustering = <%= $disable_clustering -%> +<%- } -%> +<%- unless $disable_sealwrap == undef { -%> +disable_sealwrap = <%= $disable_sealwrap -%> +<%- } -%> +<%- unless $disable_performance_standby == undef { -%> +disable_performance_standby = <%= $disable_performance_standby -%> +<%- } -%> +<%- unless $license_path == undef { -%> +license_path = "<%= $license_path -%>" +<%- } -%> +<%- unless $replication == undef { -%> +<%= epp('vault/elements/replication.hcl.epp', { replication => $replication }) -%> +<%- } -%> +<%- unless $sentinel == undef { -%> +<%= epp('vault/elements/sentinel.hcl.epp', { sentinel => $sentinel }) -%> +<%- } -%> +<%- unless $service_registration == undef { -%> +<%= epp('vault/elements/service_registration.hcl.epp', { service_registration => $service_registration }) -%> +<%- } -%> +# <%- unless $entropy_augmentation == undef { -%> +# <%= epp('vault/elements/entropy_augmentation.hcl.epp', { entropy_augmentation => $entropy_augmentation }) -%> +# <%- } -%> +<%- unless $kms_library == undef { -%> +<%= epp('vault/elements/kms_library.hcl.epp', { kms_library => $kms_library }) -%> +<%- } -%> +<%- $extra_config.each |$key, $value| { -%> +<%= $key -%> = "<%= $value -%>" +<%- } -%> diff --git a/templates/vault.service.epp b/templates/vault.service.epp new file mode 100644 index 00000000..49c9e37d --- /dev/null +++ b/templates/vault.service.epp @@ -0,0 +1,62 @@ +<% | + String $user, + String $group, + String $bin_dir, + String $service_options = "", + String $config_dir, + String $config_output, + Boolean $create_env_file, + Integer $num_procs, + Boolean $disable_mlock = false, +| %> +# vault systemd unit file +########################################################################################################### +# this file has been put in place by the jsok/vault Puppet module (https://forge.puppetlabs.com/jsok/vault) +# any changes will be overwritten if Puppet is run again. +# +# This unit file originally from official vault package. +########################################################################################################### + +[Unit] +Description="HashiCorp Vault - A tool for managing secrets" +Documentation=https://www.vaultproject.io/docs/ +Requires=network-online.target +After=network-online.target +ConditionFileNotEmpty=<%= $config_dir %>/vault.<%= $config_output %> +StartLimitIntervalSec=60 +StartLimitBurst=3 + +[Service] +Type=notify +<%- if $create_env_file == true { -%> + <%= $config_dir %>/vault.env +<%- } -%> +User=<%= $user %> +Group=<%= $group %> +ProtectSystem=full +ProtectHome=read-only +PrivateTmp=yes +PrivateDevices=yes +<%- if $disable_mlock == true { -%> +CapabilityBoundingSet=CAP_SYSLOG +<%- } else { -%> +SecureBits=keep-caps +Capabilities=CAP_IPC_LOCK+ep +AmbientCapabilities=CAP_IPC_LOCK +CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK +<%- } -%> + +NoNewPrivileges=yes +Environment=GOMAXPROCS=<%= $num_procs %> +ExecStart=<%= $bin_dir %>/vault server -config=<%= $config_dir %>/vault.<%= $config_output %> <%= $service_options %> +ExecReload=/bin/kill --signal HUP $MAINPID +KillMode=process +KillSignal=SIGINT +Restart=on-failure +RestartSec=5 +TimeoutStopSec=30 +LimitNOFILE=65536 +LimitMEMLOCK=infinity + +[Install] +WantedBy=multi-user.target diff --git a/templates/vault.systemd.erb b/templates/vault.systemd.erb index 9cb1d711..807fec9a 100644 --- a/templates/vault.systemd.erb +++ b/templates/vault.systemd.erb @@ -30,7 +30,7 @@ CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK <% end -%> NoNewPrivileges=yes Environment=GOMAXPROCS=<%= scope['vault::num_procs'] %> -ExecStart=<%= scope['vault::bin_dir'] %>/vault server -config=<%= scope['vault::config_dir'] %>/config.json <%= scope['vault::service_options'] %> +ExecStart=<%= scope['vault::bin_dir'] %>/vault server -config=<%= scope['vault::config_dir'] %>/vault.<%= scope['vault::config_output'] %> <%= scope['vault::service_options'] %> KillSignal=SIGINT TimeoutStopSec=30s Restart=on-failure