diff --git a/cookbooks/vault/attributes.rb b/cookbooks/vault/attributes.rb
index 4124518..1b6468d 100644
--- a/cookbooks/vault/attributes.rb
+++ b/cookbooks/vault/attributes.rb
@@ -1,8 +1,26 @@
 # -------------------------------------------
 # Specifying the default settings:
 # -------------------------------------------
+
+case run_command('grep VERSION_ID /etc/os-release | awk -F\" \'{print $2}\'').stdout.chomp
+when "20.04"
+ cmd = 'LANG=C ip a | grep "inet " | grep -v -E "(127|172)" | cut -d" " -f6 | perl -pe "s/\/.+//g"'
+
+when "18.04"
+ cmd = 'LANG=C /sbin/ifconfig | grep "inet " | grep -v -E "(127|172)" | cut -d" " -f10'
+
+else
+ cmd = 'LANG=C /sbin/ifconfig | grep "inet addr" | grep -v -E "(127|172)" | awk "{print $2;}" | cut -d: -f2 | cut -f 1 -d " " | tail -1'
+end
+ipaddr = run_command(cmd).stdout.chomp
+
+hostname = run_command('uname -n').stdout.chomp
+
 node.reverse_merge!({
 'vault' => {
 'manager' => false,
+ 'ipaddr' => ipaddr,
+ 'hostname' => hostname,
+ 'ips' => ['192.168.10.141', '192.168.10.142', '192.168.10.143'],
 }
 })
diff --git a/cookbooks/vault/default.rb b/cookbooks/vault/default.rb
index ab8f639..33e6a83 100644
--- a/cookbooks/vault/default.rb
+++ b/cookbooks/vault/default.rb
@@ -2,3 +2,6 @@
 include_recipe './attributes.rb'
 include_recipe './install.rb'
+if node['vault']['manager']
+ include_recipe './setup.rb'
+end
diff --git a/cookbooks/vault/files/etc/vault.d/policies/consul-auto-config.hcl b/cookbooks/vault/files/etc/vault.d/policies/consul-auto-config.hcl
new file mode 100644
index 0000000..ea38308
--- /dev/null
+++ b/cookbooks/vault/files/etc/vault.d/policies/consul-auto-config.hcl
@@ -0,0 +1,7 @@
+{
+ "path": {
+ "identity/oidc/token/oidc-role": {
+ "policy": "read"
+ }
+ }
+}
diff --git a/cookbooks/vault/files/etc/vault.d/policies/consul-connect-vault.hcl b/cookbooks/vault/files/etc/vault.d/policies/consul-connect-vault.hcl
new file mode 100644
index 0000000..de60791
--- /dev/null
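Review bot: The 20.04 and 18.04 pipelines can yield more than one address and `grep -v -E "(127|172)"` discards any line that merely contains those digits (an address like 10.0.127.5, or a matching netmask), so `ipaddr` can come back empty or multi-line and is later interpolated straight into `api_addr`/`cluster_addr` by the template. Anchor the exclusion to the address field and take one result, e.g. `grep -v -E "inet (127|172)\."` followed by `| head -1`, mirroring the `tail -1` the `else` branch already has. In the `else` branch the `awk "{print $2;}"` stage is double-quoted, so the shell expands `$2` to nothing before awk runs and awk prints the whole line; the following `cut` stages recover the address anyway, so that stage can be dropped. A short comment above the `case` stating that the detected address is the node's advertised Vault address would help readers understand why the loopback/172 exclusion is there.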
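Review bot: This policy uses the legacy JSON form with `"policy": "read"` while the sibling consul-connect-vault.hcl added in the same commit uses the HCL `capabilities` form; for consistency write it as `path "identity/oidc/token/oidc-role" {` / `  capabilities = ["read"]` / `}`. A one-line header comment naming the consumer of this policy (it appears intended for Consul auto-config) would match the header the other policy file carries. Nothing in this change loads the file into Vault; if that happens elsewhere, say so in the header.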
+++ b/cookbooks/vault/files/etc/vault.d/policies/consul-connect-vault.hcl
@@ -0,0 +1,20 @@
+# Consul Managed PKI Mounts
+path "/sys/mounts" {
+ capabilities = [ "read" ]
+}
+
+path "/sys/mounts/connect_root" {
+ capabilities = [ "create", "read", "update", "delete", "list" ]
+}
+
+path "/sys/mounts/connect_inter" {
+ capabilities = [ "create", "read", "update", "delete", "list" ]
+}
+
+path "/connect_root/*" {
+ capabilities = [ "create", "read", "update", "delete", "list" ]
+}
+
+path "/connect_inter/*" {
+ capabilities = [ "create", "read", "update", "delete", "list" ]
+}
diff --git a/cookbooks/vault/setup.rb b/cookbooks/vault/setup.rb
new file mode 100644
index 0000000..2c0e2ce
--- /dev/null
+++ b/cookbooks/vault/setup.rb
@@ -0,0 +1,22 @@
+# Deploy `Vault` server config:
+template '/etc/vault.d/vault.hcl' do
+ owner 'vault'
+ group 'vault'
+ mode '644'
+
+ variables(HOSTNAME: node['vault']['hostname'], IPADDR: node['vault']['ipaddr'], IPS: node['vault']['ips'])
+end
+
+directory '/etc/vault.d/policies' do
+ owner 'vault'
+ group 'vault'
+ mode '755'
+end
+
+%w( consul-auto-config consul-connect-vault ).each do |conf|
+ remote_file "/etc/vault.d/policies/#{conf}.hcl" do
+ owner 'vault'
+ group 'vault'
+ mode '644'
+ end
+end
diff --git a/cookbooks/vault/templates/etc/vault.d/vault.hcl b/cookbooks/vault/templates/etc/vault.d/vault.hcl
new file mode 100644
index 0000000..eccbb78
--- /dev/null
+++ b/cookbooks/vault/templates/etc/vault.d/vault.hcl
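Review bot: The policy grants `delete` on `/sys/mounts/connect_root` and `/connect_root/*`, so whatever token Consul holds under it can remove the root CA mount outright; that mirrors the upstream Consul-as-CA example, but the blast radius of a leaked Consul token deserves a sentence in the `# Consul Managed PKI Mounts` header, especially if this Vault cluster is shared. If Consul is issued a renewable token it also needs `auth/token/renew-self` (`update`) and `auth/token/lookup-self` (`read`), which are absent here; confirm how the token is issued before relying on this policy alone. The leading `/` on every path is inconsistent with consul-auto-config.hcl in the same commit, which uses no leading slash.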
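Review bot: `/etc/vault.d/vault.hcl` is installed with `mode '644'`, yet the template it renders carries a `service_registration` block with a `token` field (commented out for now); the server config should be readable only by the `vault` user and group, `mode '640'`, so that enabling that block later does not expose the token to every local account. The policy files are not secret but likewise have no reason to be world-readable. The `remote_file` resources appear to rely on the default source lookup; a one-line comment naming the `files/etc/vault.d/policies/` origin would help readers, as would a note that the files are only placed on disk here and not loaded into Vault by this recipe.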
@@ -0,0 +1,31 @@
+ui = true
+
+disable_mlock = true
+
+# service_registration "consul" {
+# address = "127.0.0.1:8500"
+# token = "19149728-ce09-2a72-26b6-d2fc3aeecdd8"
+# }
+
+storage "raft" {
+ path = "/opt/vault/data"
+ node_id = "<%= @HOSTNAME %>"
+<% @IPS.each do |ip| %>
+ retry_join {
+ leader_api_addr = "http://<%= ip %>:8200"
+ }
+<% end %>
+}
+
+api_addr = "http://<%= @IPADDR %>:8200"
+cluster_addr = "http://<%= @IPADDR %>::8201"
+
+# HTTPS listener
+listener "tcp" {
+ address = "0.0.0.0:8200"
+ cluster_address = "0.0.0.0:8201"
+
+ tls_disable = true
+ # tls_cert_file = "/opt/vault/tls/tls.crt"
+ # tls_key_file = "/opt/vault/tls/tls.key"
+}
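Review bot: `cluster_addr = "http://<%= @IPADDR %>::8201"` has a doubled colon and will not parse as a host:port; it should read `cluster_addr = "http://<%= @IPADDR %>:8201"`. The commented `service_registration` block embeds what looks like a Consul ACL token literal in the template; a token committed to the repository should be treated as exposed, rotated, and supplied through a template variable rather than a literal, even while the block is disabled. With `tls_disable = true` on a `0.0.0.0:8200` listener and `http://` schemes in `api_addr` and `leader_api_addr`, client requests and the raft join calls travel in plaintext; the `# HTTPS listener` comment is misleading as written, so either state in the header that this is a lab configuration or fill in the commented `tls_cert_file`/`tls_key_file` and switch the schemes to https.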