Merge pull request 'Vaultサーバのセットアップファイルのデプロイ' (#2) from vault-server into master

Reviewed-on: #2

cookbooks/vault/attributes.rb

@@ -1,8 +1,26 @@
 # -------------------------------------------
 # Specifying the default settings:
 # -------------------------------------------
+
+case run_command('grep VERSION_ID /etc/os-release | awk -F\" \'{print $2}\'').stdout.chomp
+when "20.04"
+  cmd = 'LANG=C ip a | grep "inet " | grep -v -E "(127|172)" | cut -d" " -f6 | perl -pe "s/\/.+//g"'
+
+when "18.04"
+  cmd = 'LANG=C /sbin/ifconfig | grep "inet " | grep -v -E "(127|172)" | cut -d" " -f10'
+
+else
+  cmd = 'LANG=C /sbin/ifconfig | grep "inet addr" | grep -v -E "(127|172)" | awk "{print $2;}" | cut -d: -f2 | cut -f 1 -d " " | tail -1'
+end
+ipaddr = run_command(cmd).stdout.chomp
+
+hostname = run_command('uname -n').stdout.chomp
+
 node.reverse_merge!({
   'vault' => {
     'manager' => false,
+    'ipaddr' => ipaddr,
+    'hostname' => hostname,
+    'ips' => ['192.168.10.141', '192.168.10.142', '192.168.10.143'],
   }
 })

cookbooks/vault/default.rb

@@ -2,3 +2,6 @@ include_recipe './attributes.rb'
 
 include_recipe './install.rb'
 
+if node['vault']['manager']
+  include_recipe './setup.rb'
+end

cookbooks/vault/files/etc/vault.d/policies/consul-auto-config.hcl

@@ -0,0 +1,7 @@
+{
+  "path": {
+    "identity/oidc/token/oidc-role": {
+      "policy": "read"
+    }
+  }
+}

cookbooks/vault/files/etc/vault.d/policies/consul-connect-vault.hcl

@@ -0,0 +1,20 @@
+# Consul Managed PKI Mounts
+path "/sys/mounts" {
+  capabilities = [ "read" ]
+}
+
+path "/sys/mounts/connect_root" {
+  capabilities = [ "create", "read", "update", "delete", "list" ]
+}
+
+path "/sys/mounts/connect_inter" {
+  capabilities = [ "create", "read", "update", "delete", "list" ]
+}
+
+path "/connect_root/*" {
+  capabilities = [ "create", "read", "update", "delete", "list" ]
+}
+
+path "/connect_inter/*" {
+  capabilities = [ "create", "read", "update", "delete", "list" ]
+}

cookbooks/vault/setup.rb

@@ -0,0 +1,22 @@
+# Deploy `Vault` server config:
+template '/etc/vault.d/vault.hcl' do
+  owner 'vault'
+  group 'vault'
+  mode '644'
+
+  variables(HOSTNAME: node['vault']['hostname'],  IPADDR: node['vault']['ipaddr'], IPS: node['vault']['ips'])
+end
+
+directory '/etc/vault.d/policies' do
+  owner 'vault'
+  group 'vault'
+  mode '755'
+end
+
+%w( consul-auto-config consul-connect-vault ).each do |conf|
+  remote_file "/etc/vault.d/policies/#{conf}.hcl" do
+    owner 'vault'
+    group 'vault'
+    mode '644'
+  end
+end

cookbooks/vault/templates/etc/vault.d/vault.hcl

@@ -0,0 +1,31 @@
+ui = true
+
+disable_mlock = true
+
+# service_registration "consul" {
+#   address = "127.0.0.1:8500"
+#   token = "19149728-ce09-2a72-26b6-d2fc3aeecdd8"
+# }
+
+storage "raft" {
+  path    = "/opt/vault/data"
+  node_id = "<%= @HOSTNAME %>"
+<% @IPS.each do |ip| %>
+  retry_join {
+    leader_api_addr = "http://<%= ip %>:8200"
+  }
+<% end %>
+}
+
+api_addr = "http://<%= @IPADDR %>:8200"
+cluster_addr = "http://<%= @IPADDR %>::8201"
+
+# HTTPS listener
+listener "tcp" {
+  address       = "0.0.0.0:8200"
+  cluster_address = "0.0.0.0:8201"
+
+  tls_disable = true
+  # tls_cert_file = "/opt/vault/tls/tls.crt"
+  # tls_key_file  = "/opt/vault/tls/tls.key"
+}