Merge pull request 'Vaultサーバのセットアップファイルのデプロイ' (#2) from vault-server into master

Reviewed-on: #2
2022-03-13 12:50:29 +00:00 · 2022-03-13 12:50:29 +00:00 · 34a2f107e7
parent 9be1deae21 3bd4973c90
commit 34a2f107e7
6 changed files with 101 additions and 0 deletions
--- a/cookbooks/vault/attributes.rb
+++ b/cookbooks/vault/attributes.rb
@ -1,8 +1,26 @@
 # -------------------------------------------
 # Specifying the default settings:
 # -------------------------------------------
+
+case run_command('grep VERSION_ID /etc/os-release | awk -F\" \'{print $2}\'').stdout.chomp
+when "20.04"
+  cmd = 'LANG=C ip a | grep "inet " | grep -v -E "(127|172)" | cut -d" " -f6 | perl -pe "s/\/.+//g"'
+
+when "18.04"
+  cmd = 'LANG=C /sbin/ifconfig | grep "inet " | grep -v -E "(127|172)" | cut -d" " -f10'
+
+else
+  cmd = 'LANG=C /sbin/ifconfig | grep "inet addr" | grep -v -E "(127|172)" | awk "{print $2;}" | cut -d: -f2 | cut -f 1 -d " " | tail -1'
+end
+ipaddr = run_command(cmd).stdout.chomp
+
+hostname = run_command('uname -n').stdout.chomp
+
 node.reverse_merge!({
  'vault' => {
    'manager' => false,
+    'ipaddr' => ipaddr,
+    'hostname' => hostname,
+    'ips' => ['192.168.10.141', '192.168.10.142', '192.168.10.143'],
  }
 })
--- a/cookbooks/vault/default.rb
+++ b/cookbooks/vault/default.rb
@ -2,3 +2,6 @@ include_recipe './attributes.rb'

 include_recipe './install.rb'

+if node['vault']['manager']
+  include_recipe './setup.rb'
+end
--- a/cookbooks/vault/files/etc/vault.d/policies/consul-auto-config.hcl
+++ b/cookbooks/vault/files/etc/vault.d/policies/consul-auto-config.hcl
@ -0,0 +1,7 @@
+{
+  "path": {
+    "identity/oidc/token/oidc-role": {
+      "policy": "read"
+    }
+  }
+}
--- a/cookbooks/vault/files/etc/vault.d/policies/consul-connect-vault.hcl
+++ b/cookbooks/vault/files/etc/vault.d/policies/consul-connect-vault.hcl
@ -0,0 +1,20 @@
+# Consul Managed PKI Mounts
+path "/sys/mounts" {
+  capabilities = [ "read" ]
+}
+
+path "/sys/mounts/connect_root" {
+  capabilities = [ "create", "read", "update", "delete", "list" ]
+}
+
+path "/sys/mounts/connect_inter" {
+  capabilities = [ "create", "read", "update", "delete", "list" ]
+}
+
+path "/connect_root/*" {
+  capabilities = [ "create", "read", "update", "delete", "list" ]
+}
+
+path "/connect_inter/*" {
+  capabilities = [ "create", "read", "update", "delete", "list" ]
+}
--- a/cookbooks/vault/setup.rb
+++ b/cookbooks/vault/setup.rb
@ -0,0 +1,22 @@
+# Deploy `Vault` server config:
+template '/etc/vault.d/vault.hcl' do
+  owner 'vault'
+  group 'vault'
+  mode '644'
+
+  variables(HOSTNAME: node['vault']['hostname'],  IPADDR: node['vault']['ipaddr'], IPS: node['vault']['ips'])
+end
+
+directory '/etc/vault.d/policies' do
+  owner 'vault'
+  group 'vault'
+  mode '755'
+end
+
+%w( consul-auto-config consul-connect-vault ).each do |conf|
+  remote_file "/etc/vault.d/policies/#{conf}.hcl" do
+    owner 'vault'
+    group 'vault'
+    mode '644'
+  end
+end
--- a/cookbooks/vault/templates/etc/vault.d/vault.hcl
+++ b/cookbooks/vault/templates/etc/vault.d/vault.hcl
@ -0,0 +1,31 @@
+ui = true
+
+disable_mlock = true
+
+# service_registration "consul" {
+#   address = "127.0.0.1:8500"
+#   token = "19149728-ce09-2a72-26b6-d2fc3aeecdd8"
+# }
+
+storage "raft" {
+  path    = "/opt/vault/data"
+  node_id = "<%= @HOSTNAME %>"
+<% @IPS.each do |ip| %>
+  retry_join {
+    leader_api_addr = "http://<%= ip %>:8200"
+  }
+<% end %>
+}
+
+api_addr = "http://<%= @IPADDR %>:8200"
+cluster_addr = "http://<%= @IPADDR %>::8201"
+
+# HTTPS listener
+listener "tcp" {
+  address       = "0.0.0.0:8200"
+  cluster_address = "0.0.0.0:8201"
+
+  tls_disable = true
+  # tls_cert_file = "/opt/vault/tls/tls.crt"
+  # tls_key_file  = "/opt/vault/tls/tls.key"
+}