Merge pull request #1 from lucywyman/GH-1292

(GH-1292) Port ruby Vault plugin to be a task plugin

.gitignore

@@ -0,0 +1,2 @@
+modules/
+bolt.yaml

.rubocop.yml

@@ -0,0 +1,88 @@
+AllCops:
+  TargetRubyVersion: 2.3
+  Exclude:
+    - 'vendor/**/*'
+    - 'vendored/**/*'
+    - 'acceptance/vendor/**/*'
+    - 'modules/**/*'
+    - 'docs/**/*'
+    - 'site-modules/**/*'
+    - 'Puppetfile'
+
+# Checks for if and unless statements that would fit on one line if written as a
+# modifier if/unless.
+Style/IfUnlessModifier:
+  Enabled: false
+
+Style/StringLiterals:
+  Enabled: false
+
+Style/Documentation:
+  Enabled: false
+
+Style/BlockDelimiters:
+  Enabled: false
+
+Style/NumericLiterals:
+  Enabled: false
+
+Style/NumericPredicate:
+  Enabled: false
+
+Layout/IndentHeredoc:
+  Enabled: false
+
+Style/GuardClause:
+  Enabled: false
+
+Style/MultilineBlockChain:
+  Enabled: false
+
+Style/DoubleNegation:
+  Enabled: false
+
+Style/SafeNavigation:
+  Enabled: false
+
+# Disable nearly all Metrics checks. These seem better off left to judgement.
+
+Metrics/AbcSize:
+  Enabled: false
+
+Metrics/BlockLength:
+  Enabled: false
+
+Metrics/BlockNesting:
+  Enabled: false
+
+Metrics/ClassLength:
+  Enabled: false
+
+Metrics/CyclomaticComplexity:
+  Enabled: false
+
+Metrics/LineLength:
+  Max: 120
+
+Metrics/MethodLength:
+  Enabled: false
+
+Metrics/ModuleLength:
+  Enabled: false
+
+Metrics/ParameterLists:
+  Enabled: false
+
+Metrics/PerceivedComplexity:
+  Enabled: false
+
+Lint/HandleExceptions:
+  Exclude:
+    - lib/bolt/transport/local/shell.rb
+
+Lint/ScriptPermission:
+  Enabled: false
+
+# Enforce LF line endings, even when on Windows
+Layout/EndOfLine:
+  EnforcedStyle: lf

.travis.yml

@@ -0,0 +1,14 @@
+language: ruby
+cache: bundler
+rvm:
+- 2.5
+
+before_install:
+- git clone https://github.com/puppetlabs/puppetlabs-ruby_task_helper ../ruby_task_helper
+script:
+- bundle exec rake spec
+- bundle exec rubocop
+
+notifications:
+  email: false
+

CHANGELOG.md

@@ -0,0 +1,3 @@
+## Release 0.1.0
+
+This is the initial release.

CODEOWNERS

@@ -0,0 +1,2 @@
+# Default to Bolt team
+* @puppetlabs/bolt

Gemfile

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+source ENV['GEM_SOURCE'] || 'https://rubygems.org'
+
+ruby_version_segments = Gem::Version.new(RUBY_VERSION.dup).segments
+minor_version = ruby_version_segments[0..1].join('.')
+
+group :development do
+  gem 'puppet'
+  gem 'puppetlabs_spec_helper'
+
+  # Dependencies used by Rake to ship the module
+  gem "puppet-module-posix-default-r#{minor_version}", require: false, platforms: [:ruby]
+  gem "puppet-module-posix-dev-r#{minor_version}",     require: false, platforms: [:ruby]
+end

README.md

@@ -1,2 +1,94 @@
-# puppetlabs-vault
-Puppet module that provides the Vault plugin for Bolt
+## Bolt Vault plugin
+
+This module provides a plugin which allows config values to be set by accessing secrets from a
+Key/Value engine on a Vault server.
+
+#### Table of Contents
+
+1. [Requirements](#requirements)
+2. [Usage](#usage)
+3. [Examples](#examples)
+
+## Requirements
+
+You will need to have a Vault server running, and a way to [authenticate](#authentication-methods) with the server
+
+## Usage
+
+The Vault plugin supports several options:
+- `server_url`: The URL of the Vault server (optional, defaults to `ENV['VAULT_ADDR']`)
+- `auth`: The method for authorizing with the Vault server and any necessary parameters (optional, defaults to `ENV['VAULT_TOKEN']`)
+- `path`: The path to the secrets engine (required)
+- `field`: The specific secret being used (optional, defaults to a Ruby hash of all secrets at the `path`)
+- `version`: The version of the K/V engine (optional, defaults to 1)
+
+If Vault server uses TLS, you can use the following config to authenticate with the server:
+- `cacert`: Path to the CA certificate (optional)
+- `cert`: Path to the SSL certificate (optional)
+- `key`: Path to the SSL key (optional)
+
+### Authentication Methods
+
+Vault requires a token to assign an identity and set of policies to a user before accessing secrets.
+The Vault plugin offers 2 authentication methods:
+
+#### Token
+
+Authenticate using a token. This method requires the following fields:
+
+-   `method`: The value of `method` must be `token`
+-   `token`: The token to authenticate with
+
+#### Userpass
+
+Request a token by logging into the Vault server with a username and password. This method requires
+the following fields:
+
+-   `method`: The value of `method` must be `userpass`
+-   `user`: The username
+-   `pass`: The password
+
+## Examples
+
+You can add any Vault plugin field to the inventory configuration. The following example shows how
+you would access the `private-key` secret on a KVv2 engine mounted at `secrets/bolt`:
+
+```
+version: 2
+targets:
+  - ...
+config:
+  ssh:
+    user: root
+    private-key:
+      key-data:
+        _plugin: vault
+        server_url: http://127.0.0.1:8200
+        auth:
+          method: userpass
+          user: bolt
+          pass: bolt
+        path: secrets/bolt
+        field: private-key
+        version: 2
+```
+
+You can also set configuration in your [Bolt config file](https://puppet.com/docs/bolt/latest/configuring_bolt.html) 
+under the `plugins` field. If a field is set in both the inventory file and the config file, Bolt
+will use the value set in the inventory file. The available fields for the config file are:
+
+-   `server_url`
+-   `cacert`
+-   `auth`
+
+```
+plugins:
+  vault:
+    server_url: https://127.0.0.1:8200
+    cacert: /path/to/ca
+    cert: /path/to/cert
+    key: /path/to/key
+    auth:
+      method: token
+      token: xxxxx-xxxxx
+```

Rakefile

@@ -0,0 +1,4 @@
+# frozen_string_literal: true
+
+require 'puppetlabs_spec_helper/rake_tasks'
+require 'puppet_blacksmith/rake_tasks' if Bundler.rubygems.find_name('puppet-blacksmith').any?

bolt_plugin.json

@@ -0,0 +1 @@
+{}

metadata.json

@@ -0,0 +1,63 @@
+{
+  "name": "puppetlabs-vault",
+  "version": "0.1.0",
+  "author": "Puppet, Inc.",
+  "summary": "A task to access Bolt configuration from secrets stored in a Hashicorp Vault server",
+  "license": "Apache-2.0",
+  "source": "git@github.com/puppetlabs/puppetlabs-vault",
+  "project_page": "https://github.com/puppetlabs/puppetlabs-vault",
+  "dependencies": [
+
+  ],
+  "operatingsystem_support": [
+    {
+      "operatingsystem": "CentOS",
+      "operatingsystemrelease": [
+        "7"
+      ]
+    },
+    {
+      "operatingsystem": "OracleLinux",
+      "operatingsystemrelease": [
+        "7"
+      ]
+    },
+    {
+      "operatingsystem": "RedHat",
+      "operatingsystemrelease": [
+        "8"
+      ]
+    },
+    {
+      "operatingsystem": "Scientific",
+      "operatingsystemrelease": [
+        "7"
+      ]
+    },
+    {
+      "operatingsystem": "Debian",
+      "operatingsystemrelease": [
+        "9"
+      ]
+    },
+    {
+      "operatingsystem": "Ubuntu",
+      "operatingsystemrelease": [
+        "18.04"
+      ]
+    },
+    {
+      "operatingsystem": "windows",
+      "operatingsystemrelease": [
+        "2019",
+        "10"
+      ]
+    }
+  ],
+  "requirements": [
+    {
+      "name": "puppet",
+      "version_requirement": ">= 4.10.0 < 7.0.0"
+    }
+  ]
+}

spec/spec_helper.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+RSpec.configure do |config|
+  config.mock_with :rspec
+end
+
+require 'puppetlabs_spec_helper/module_spec_helper'