
Add support for Vault Agent #163

Open · wants to merge 1 commit into base: master
Conversation

@jeffbyrnes commented Aug 20, 2020

SUMMARY

  • Add ability to run vault agent instead of vault server

TESTS/SPECS

  • Add tests to assert that the service command has been changed to start Vault in agent mode

@jeffbyrnes (Author) commented Aug 20, 2020

Currently seeing these unit test failures; I’m still getting the hang of Puppet module development (been using Chef until last February):

1) vault on ubuntu-14.04-x86_64  on Debian OS family service with modified options and sysv init contains /etc/init/vault.conf is expected to contain File[/etc/init.d/vault.conf] with content =~ /exec start-stop-daemon -u \$USER -g \$GROUP -p \$PID_FILE -x \$VAULT -S -- agent -config=\$CONFIG $/
   Failure/Error:
     is_expected.to contain_file('/etc/init.d/vault.conf').
       with_content(%r{exec start-stop-daemon -u \$USER -g \$GROUP -p \$PID_FILE -x \$VAULT -S -- agent -config=\$CONFIG $})

     expected that the catalogue would contain File[/etc/init.d/vault.conf]
   # ./spec/classes/vault_spec.rb:775:in `block (7 levels) in <top (required)>'

2) vault on debian-9-x86_64  on Debian OS family service with modified options and sysv init contains /etc/init/vault.conf is expected to contain File[/etc/init.d/vault.conf] with content =~ /exec start-stop-daemon -u \$USER -g \$GROUP -p \$PID_FILE -x \$VAULT -S -- agent -config=\$CONFIG $/
   Failure/Error:
     is_expected.to contain_file('/etc/init.d/vault.conf').
       with_content(%r{exec start-stop-daemon -u \$USER -g \$GROUP -p \$PID_FILE -x \$VAULT -S -- agent -config=\$CONFIG $})

     expected that the catalogue would contain File[/etc/init.d/vault.conf]
   # ./spec/classes/vault_spec.rb:775:in `block (7 levels) in <top (required)>'

3) vault on debian-8-x86_64  on Debian OS family service with modified options and sysv init contains /etc/init/vault.conf is expected to contain File[/etc/init.d/vault.conf] with content =~ /exec start-stop-daemon -u \$USER -g \$GROUP -p \$PID_FILE -x \$VAULT -S -- agent -config=\$CONFIG $/
   Failure/Error:
     is_expected.to contain_file('/etc/init.d/vault.conf').
       with_content(%r{exec start-stop-daemon -u \$USER -g \$GROUP -p \$PID_FILE -x \$VAULT -S -- agent -config=\$CONFIG $})

     expected that the catalogue would contain File[/etc/init.d/vault.conf]
   # ./spec/classes/vault_spec.rb:775:in `block (7 levels) in <top (required)>'

4) vault on ubuntu-16.04-x86_64  on Debian OS family service with modified options and sysv init contains /etc/init/vault.conf is expected to contain File[/etc/init.d/vault.conf] with content =~ /exec start-stop-daemon -u \$USER -g \$GROUP -p \$PID_FILE -x \$VAULT -S -- agent -config=\$CONFIG $/
   Failure/Error:
     is_expected.to contain_file('/etc/init.d/vault.conf').
       with_content(%r{exec start-stop-daemon -u \$USER -g \$GROUP -p \$PID_FILE -x \$VAULT -S -- agent -config=\$CONFIG $})

     expected that the catalogue would contain File[/etc/init.d/vault.conf]
   # ./spec/classes/vault_spec.rb:775:in `block (7 levels) in <top (required)>'

5) vault on ubuntu-18.04-x86_64  on Debian OS family service with modified options and sysv init contains /etc/init/vault.conf is expected to contain File[/etc/init.d/vault.conf] with content =~ /exec start-stop-daemon -u \$USER -g \$GROUP -p \$PID_FILE -x \$VAULT -S -- agent -config=\$CONFIG $/
   Failure/Error:
     is_expected.to contain_file('/etc/init.d/vault.conf').
       with_content(%r{exec start-stop-daemon -u \$USER -g \$GROUP -p \$PID_FILE -x \$VAULT -S -- agent -config=\$CONFIG $})

     expected that the catalogue would contain File[/etc/init.d/vault.conf]
   # ./spec/classes/vault_spec.rb:775:in `block (7 levels) in <top (required)>'

@rgevaert (Contributor)

Hi @jeffbyrnes. I am in need of this! 👍

I have a fork too which adds some more things, but I would love to include this work!
https://github.com/UGent-DICT/puppet-vault

@jeffbyrnes (Author)

@rgevaert cool! I am hoping to work on this some more next week; swamped with some other things at the moment. I’ll take a look at your fork & see if I can synthesize it with this PR.

@rgevaert (Contributor) commented Sep 17, 2020

@jeffbyrnes I had a look too, and I hope you don't mind, but I have some questions/remarks.

On the one hand, I like the approach of using the service_type parameter, but this rules out running a vault server and a vault agent on the same node, as you can only include this class once (it is a puppet thing).

Also, this puppet module uses json format for its server config. As far as I can see in the documentation of vault agent it only supports HCL syntax.

The module has a lot of settings for building config.json but all of them aren't compatible with the vault agent config.

Maybe you have some other work already lined up, but I just wanted to share my comments. Hopefully I am wrong, and I am saving you from going down a dead end.

Also, I found this: https://github.com/walkamongus/puppet-vault_agent. This seems to be what you are looking for too. (And me too :)

@jeffbyrnes (Author)

@rgevaert that is a good point. Running an agent & server on the same node is not something we planned on doing, though obviously you could (provided you customize the ports involved).

And yeah, the config options that the agent does not understand are simply ignored.

You may be on to something with a separate module for the agent…

@jsok (Owner) commented Sep 25, 2020

You may be on to something with a separate module for the agent…

Yes I agree, this would be much more flexible 👍

@jeffbyrnes (Author)

@jsok I still need to circle back on this, and I’d like to cite kyleanderson/consul as an example of a similar Hashi product Puppet module, which covers both the server & agent config.

I’ll come back to this pretty soon; I’m finishing up sorting some production issues in our Vault setup overall, and then I’ll open this up again to clean it up & see it working well.

@TJM commented Apr 26, 2022

We also made #191 for this, but apparently this module is "abandoned"?? Does anyone know if we could get the puppet community (@voxpupuli) to take over the management of this? Or maybe whoever has the best fork should just take it over?

@jeffbyrnes (Author)

@TJM less abandoned, more “stable & not needing much lately”.

That said, that’s now two PRs that provide this functionality. The KyleAnderson/consul module (which is found here on GitHub at https://github.com/solarkennedy/puppet-consul) provides for both server & agent modes, and since they are the same binary, and share some config options, it seems best to provide for either via the same module (contrary to the above conversation).

@TJM TJM mentioned this pull request Apr 29, 2022
@jeffbyrnes jeffbyrnes marked this pull request as ready for review May 5, 2022 16:46
@jeffbyrnes jeffbyrnes changed the title Add support for vault agent Add support for Vault Agent May 5, 2022