From a917563b06b807b7c93955e55ac0a4b46440ba7b Mon Sep 17 00:00:00 2001 From: Kazuhiro MUSASHI Date: Sat, 12 Mar 2022 21:13:22 +0900 Subject: [PATCH 1/7] Conduct setup procedures, when explicitly requested. --- cookbooks/vault/default.rb | 3 +++ 1 file changed, 3 insertions(+) diff --git a/cookbooks/vault/default.rb b/cookbooks/vault/default.rb index ab8f639..33e6a83 100644 --- a/cookbooks/vault/default.rb +++ b/cookbooks/vault/default.rb @@ -2,3 +2,6 @@ include_recipe './attributes.rb' include_recipe './install.rb' +if node['vault']['manager'] + include_recipe './setup.rb' +end From 6fa35a923b2fcfafe8626c8dcff298af2db7a419 Mon Sep 17 00:00:00 2001 From: Kazuhiro MUSASHI Date: Sun, 13 Mar 2022 14:06:36 +0900 Subject: [PATCH 2/7] Retrieve IP address. --- cookbooks/vault/attributes.rb | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/cookbooks/vault/attributes.rb b/cookbooks/vault/attributes.rb index 4124518..eb30f07 100644 --- a/cookbooks/vault/attributes.rb +++ b/cookbooks/vault/attributes.rb @@ -1,8 +1,22 @@ # ------------------------------------------- # Specifying the default settings: # ------------------------------------------- + +case run_command('grep VERSION_ID /etc/os-release | awk -F\" \'{print $2}\'').stdout.chomp +when "20.04" + cmd = 'LANG=C ip a | grep "inet " | grep -v -E "(127|172)" | cut -d" " -f6 | perl -pe "s/\/.+//g"' + +when "18.04" + cmd = 'LANG=C /sbin/ifconfig | grep "inet " | grep -v -E "(127|172)" | cut -d" " -f10' + +else + cmd = 'LANG=C /sbin/ifconfig | grep "inet addr" | grep -v -E "(127|172)" | awk "{print $2;}" | cut -d: -f2 | cut -f 1 -d " " | tail -1' +end +ipaddr = run_command(cmd).stdout.chomp + node.reverse_merge!({ 'vault' => { 'manager' => false, + 'ipaddr' => ipaddr, } }) From 67fab4951aeeae5af52d0f31688cc14efab33d2d Mon Sep 17 00:00:00 2001 
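Review bot: The three-line `if node['vault']['manager'] … end` in default.rb reads more idiomatically as the modifier form `include_recipe './setup.rb' if node['vault']['manager']`, which is the usual shape for a single guarded recipe inclusion. A one-line comment above it, such as `# Only designated managers render the server config and policies (see setup.rb).`, would also tell a reader why the attribute gates the whole setup step, since `manager` defaults to `false` in attributes.rb.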
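Review bot: The `grep -v -E "(127|172)"` filter in all three `cmd` strings in attributes.rb is an unanchored substring match, so a legitimate address such as 192.168.1.127 or 10.0.172.5 is silently dropped, and on the "20.04" branch a host with more than one remaining interface produces multi-line stdout that `chomp` does not flatten, leaving an embedded newline in `node['vault']['ipaddr']`. Later in this series that value is interpolated into vault.hcl as `api_addr`, so either failure produces an unusable config without any error at convergence time. Doing the lookup in Ruby removes both the shell pipeline and the per-release branches: `require 'socket'` and `ipaddr = Socket.ip_address_list.find { |a| a.ipv4? && !a.ipv4_loopback? && !a.ip_address.start_with?('172.') }&.ip_address` (assuming the 172 exclusion is meant for 172.x bridge networks), followed by raising if `ipaddr` is nil rather than rendering an empty address. Separately, in the `else` branch `awk "{print $2;}"` is double-quoted for the shell, so `$2` is expanded by the shell before awk sees it and awk prints the whole line; the result is only correct because the trailing `cut` calls recover the field.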
From: Kazuhiro MUSASHI Date: Sun, 13 Mar 2022 14:08:14 +0900 Subject: [PATCH 3/7] Retrieve hostname. --- cookbooks/vault/attributes.rb | 3 +++ 1 file changed, 3 insertions(+) diff --git a/cookbooks/vault/attributes.rb b/cookbooks/vault/attributes.rb index eb30f07..60e15a6 100644 --- a/cookbooks/vault/attributes.rb +++ b/cookbooks/vault/attributes.rb @@ -14,9 +14,12 @@ else end ipaddr = run_command(cmd).stdout.chomp +hostname = run_command('uname -n').stdout.chomp + node.reverse_merge!({ 'vault' => { 'manager' => false, 'ipaddr' => ipaddr, + 'hostname' => hostname, } }) From 7681522b6bb364816c8e72fdc86634a773fb5153 Mon Sep 17 00:00:00 2001 From: Kazuhiro MUSASHI Date: Sun, 13 Mar 2022 14:13:52 +0900 Subject: [PATCH 4/7] Specify the default `Vault` managers. ``` --- a/cookbooks/vault/attributes.rb +++ b/cookbooks/vault/attributes.rb @@ -21,5 +21,6 @@ node.reverse_merge!({ 'manager' => false, 'ipaddr' => ipaddr, 'hostname' => hostname, + 'ips' => ['192.168.10.141', '192.168.10.142', '192.168.10.143'], } }) ``` --- cookbooks/vault/attributes.rb | 1 + 1 file changed, 1 insertion(+) diff --git a/cookbooks/vault/attributes.rb b/cookbooks/vault/attributes.rb index 60e15a6..1b6468d 100644 --- a/cookbooks/vault/attributes.rb +++ b/cookbooks/vault/attributes.rb @@ -21,5 +21,6 @@ node.reverse_merge!({ 'manager' => false, 'ipaddr' => ipaddr, 'hostname' => hostname, + 'ips' => ['192.168.10.141', '192.168.10.142', '192.168.10.143'], } }) From da78e76d1927f11535fba41b0b7e133db2fe07c4 Mon Sep 17 00:00:00 2001 From: Kazuhiro MUSASHI Date: Sun, 13 Mar 2022 14:35:31 +0900 Subject: [PATCH 5/7] Deploy `/etc/vault.d/vault.hcl`. --- cookbooks/vault/setup.rb | 9 ++++++ .../vault/templates/etc/vault.d/vault.hcl | 31 +++++++++++++++++++ 2 files changed, 40 insertions(+) create mode 100644 cookbooks/vault/setup.rb create mode 100644 cookbooks/vault/templates/etc/vault.d/vault.hcl diff --git a/cookbooks/vault/setup.rb b/cookbooks/vault/setup.rb new file mode 100644 index 0000000..5def717 
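Review bot: `hostname = run_command('uname -n').stdout.chomp` shells out for a value the standard library already exposes; `require 'socket'` and `hostname = Socket.gethostname` give the same result without a subprocess and without depending on the host's PATH. Since `ipaddr` just above is also derived from shell output, moving both to `socket` would keep the attribute file free of command parsing.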
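Review bot: The `'ips' => ['192.168.10.141', '192.168.10.142', '192.168.10.143']` literal is a site-specific value with no indication of what it is for; a reader of attributes.rb cannot tell that it becomes the raft `retry_join` peer list in vault.hcl later in this series. A comment such as `# Raft peers rendered into retry_join in vault.hcl; presumably overridden per environment via node JSON (reverse_merge! keeps existing keys) — confirm.` would document both the purpose and the intended override path. Consider also whether the node's own address should be filtered out of the list at render time.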
--- /dev/null +++ b/cookbooks/vault/setup.rb @@ -0,0 +1,9 @@ +# Deploy `Vault` server config: +template '/etc/vault.d/vault.hcl' do + owner 'vault' + group 'vault' + mode '644' + + variables(HOSTNAME: node['vault']['hostname'], IPADDR: node['vault']['ipaddr'], IPS: node['vault']['ips']) +end + diff --git a/cookbooks/vault/templates/etc/vault.d/vault.hcl b/cookbooks/vault/templates/etc/vault.d/vault.hcl new file mode 100644 index 0000000..eccbb78 --- /dev/null +++ b/cookbooks/vault/templates/etc/vault.d/vault.hcl @@ -0,0 +1,31 @@ +ui = true + +disable_mlock = true + +# service_registration "consul" { +# address = "127.0.0.1:8500" +# token = "19149728-ce09-2a72-26b6-d2fc3aeecdd8" +# } + +storage "raft" { + path = "/opt/vault/data" + node_id = "<%= @HOSTNAME %>" +<% @IPS.each do |ip| %> + retry_join { + leader_api_addr = "http://<%= ip %>:8200" + } +<% end %> +} + +api_addr = "http://<%= @IPADDR %>:8200" +cluster_addr = "http://<%= @IPADDR %>::8201" + +# HTTPS listener +listener "tcp" { + address = "0.0.0.0:8200" + cluster_address = "0.0.0.0:8201" + + tls_disable = true + # tls_cert_file = "/opt/vault/tls/tls.crt" + # tls_key_file = "/opt/vault/tls/tls.key" +} From cf79f30c4dfe0df2947f65638b25e282fc99da0d Mon Sep 17 00:00:00 2001 From: Kazuhiro MUSASHI Date: Sun, 13 Mar 2022 21:16:08 +0900 Subject: [PATCH 6/7] Create `/etc/vault.d/policies/`. --- cookbooks/vault/setup.rb | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/cookbooks/vault/setup.rb b/cookbooks/vault/setup.rb index 5def717..fd42d85 100644 --- a/cookbooks/vault/setup.rb +++ b/cookbooks/vault/setup.rb @@ -7,3 +7,8 @@ template '/etc/vault.d/vault.hcl' do variables(HOSTNAME: node['vault']['hostname'], IPADDR: node['vault']['ipaddr'], IPS: node['vault']['ips']) end +directory '/etc/vault.d/policies' do + owner 'vault' + group 'vault' + mode '755' +end From 3bd4973c90f7dcf7697fa4b9c29654f24b74d0f4 Mon Sep 17 00:00:00 2001 
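Review bot: The `template '/etc/vault.d/vault.hcl'` resource in setup.rb renders the server config with `mode '644'`, which makes it world-readable on the host even though the template already contains a (commented) `service_registration` block with a token-shaped value and is the place where any future TLS or storage credentials would land; `mode '640'` with `owner 'vault'`/`group 'vault'` is sufficient for the service to read it. The resource also has no notification, so a changed config is written but the running Vault is not restarted or reloaded; if install.rb defines a `service 'vault'` resource (not visible here), adding `notifies :restart, 'service[vault]'` would close that gap. The long `variables(HOSTNAME: …, IPADDR: …, IPS: …)` line would read better split one keyword per line.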
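Review bot: `cluster_addr = "http://<%= @IPADDR %>::8201"` in the new vault.hcl template has a doubled colon, so the rendered value is not a valid host:port and Vault will refuse the config at startup; it should be `cluster_addr = "http://<%= @IPADDR %>:8201"`. The `listener "tcp"` block binds `0.0.0.0:8200` with `tls_disable = true`, so every client token, secret read and raft join request crosses the network in plaintext; the commented `tls_cert_file`/`tls_key_file` lines suggest TLS was intended, and enabling them (and switching `api_addr`, `cluster_addr` and `leader_api_addr` to `https://`) should be done before this cluster holds anything real. The commented-out `service_registration "consul"` block carries a token-shaped literal; even disabled, a credential should not be committed in the cookbook template — remove it or source it from a node attribute. Note that the `# …` HCL comments are rendered verbatim onto the host since this is an ERB template, so anything left in them ends up in `/etc/vault.d/vault.hcl`.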
From: Kazuhiro MUSASHI Date: Sun, 13 Mar 2022 21:34:14 +0900 Subject: [PATCH 7/7] Deploy `Vault` policies. --- .../vault.d/policies/consul-auto-config.hcl | 7 +++++++ .../vault.d/policies/consul-connect-vault.hcl | 20 +++++++++++++++++++ cookbooks/vault/setup.rb | 8 ++++++++ 3 files changed, 35 insertions(+) create mode 100644 cookbooks/vault/files/etc/vault.d/policies/consul-auto-config.hcl create mode 100644 cookbooks/vault/files/etc/vault.d/policies/consul-connect-vault.hcl diff --git a/cookbooks/vault/files/etc/vault.d/policies/consul-auto-config.hcl b/cookbooks/vault/files/etc/vault.d/policies/consul-auto-config.hcl new file mode 100644 index 0000000..ea38308 --- /dev/null +++ b/cookbooks/vault/files/etc/vault.d/policies/consul-auto-config.hcl @@ -0,0 +1,7 @@ +{ + "path": { + "identity/oidc/token/oidc-role": { + "policy": "read" + } + } +} diff --git a/cookbooks/vault/files/etc/vault.d/policies/consul-connect-vault.hcl b/cookbooks/vault/files/etc/vault.d/policies/consul-connect-vault.hcl new file mode 100644 index 0000000..de60791 --- /dev/null +++ b/cookbooks/vault/files/etc/vault.d/policies/consul-connect-vault.hcl @@ -0,0 +1,20 @@ +# Consul Managed PKI Mounts +path "/sys/mounts" { + capabilities = [ "read" ] +} + +path "/sys/mounts/connect_root" { + capabilities = [ "create", "read", "update", "delete", "list" ] +} + +path "/sys/mounts/connect_inter" { + capabilities = [ "create", "read", "update", "delete", "list" ] +} + +path "/connect_root/*" { + capabilities = [ "create", "read", "update", "delete", "list" ] +} + +path "/connect_inter/*" { + capabilities = [ "create", "read", "update", "delete", "list" ] +} diff --git a/cookbooks/vault/setup.rb b/cookbooks/vault/setup.rb index fd42d85..2c0e2ce 100644 --- a/cookbooks/vault/setup.rb +++ b/cookbooks/vault/setup.rb 
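Review bot: `consul-auto-config.hcl` is written as JSON using the legacy `"policy": "read"` key, while the sibling `consul-connect-vault.hcl` added in the same commit uses HCL with `capabilities = [ … ]`; Vault accepts both forms, but mixing them in one policies directory makes the set harder to review. Rewriting it as `path "identity/oidc/token/oidc-role" { capabilities = [ "read" ] }` keeps the two files in the same dialect. A header comment naming the consumer (the other file has `# Consul Managed PKI Mounts`) would help for the same reason.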
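Review bot: `consul-connect-vault.hcl` grants `create`, `update` and `delete` on `/sys/mounts/connect_root` and `/sys/mounts/connect_inter`, which lets the holder disable or replace the PKI mounts backing the Connect CA, not just issue certificates from them. The `# Consul Managed PKI Mounts` header indicates this is deliberate, so the point is one of least privilege: if the mounts are created by the operator ahead of time, the `sys/mounts/*` entries can be narrowed to `read` (plus `update` only where tuning is needed) while keeping the broad capabilities on `/connect_root/*` and `/connect_inter/*`. A comment per path stating which Consul operation needs each capability would make a later tightening safe to do.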
@@ -12,3 +12,11 @@ directory '/etc/vault.d/policies' do group 'vault' mode '755' end + +%w( consul-auto-config consul-connect-vault ).each do |conf| + remote_file "/etc/vault.d/policies/#{conf}.hcl" do + owner 'vault' + group 'vault' + mode '644' + end +end
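Review bot: `%w( consul-auto-config consul-connect-vault ).each do |conf|` uses parentheses where the style guide expects `%w[consul-auto-config consul-connect-vault]`, and the policy names are hard-coded here while the cluster addresses already live in attributes.rb; lifting the list to an attribute such as `node['vault']['policies']` would let environments add policies without editing the recipe. As far as this series shows, the files are only copied to `/etc/vault.d/policies/`, and nothing loads them into Vault, so a comment like `# Policy definitions are staged here; loading them into Vault is a separate step.` would set expectations for the reader. The hunk's first three context lines close the `directory '/etc/vault.d/policies'` resource whose start lies outside the hunk.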