Merge pull request #1 from lucywyman/GH-1292
(GH-1292) Port ruby Vault plugin to be a task plugin
Showing 14 changed files with 593 additions and 2 deletions.
@@ -0,0 +1,2 @@ | ||
modules/ | ||
bolt.yaml |
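Review bot: ignoring `bolt.yaml` is the right call, since the README in this PR shows the Vault token stored under `plugins: vault: auth: token:` in that file; consider also ignoring `inventory.yaml`, because the userpass example puts `user` and `pass` in the inventory file, which is just as likely to be committed by accident.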
@@ -0,0 +1,88 @@ | ||
AllCops: | ||
TargetRubyVersion: 2.3 | ||
Exclude: | ||
- 'vendor/**/*' | ||
- 'vendored/**/*' | ||
- 'acceptance/vendor/**/*' | ||
- 'modules/**/*' | ||
- 'docs/**/*' | ||
- 'site-modules/**/*' | ||
- 'Puppetfile' | ||
|
||
# Checks for if and unless statements that would fit on one line if written as a | ||
# modifier if/unless. | ||
Style/IfUnlessModifier: | ||
Enabled: false | ||
|
||
Style/StringLiterals: | ||
Enabled: false | ||
|
||
Style/Documentation: | ||
Enabled: false | ||
|
||
Style/BlockDelimiters: | ||
Enabled: false | ||
|
||
Style/NumericLiterals: | ||
Enabled: false | ||
|
||
Style/NumericPredicate: | ||
Enabled: false | ||
|
||
Layout/IndentHeredoc: | ||
Enabled: false | ||
|
||
Style/GuardClause: | ||
Enabled: false | ||
|
||
Style/MultilineBlockChain: | ||
Enabled: false | ||
|
||
Style/DoubleNegation: | ||
Enabled: false | ||
|
||
Style/SafeNavigation: | ||
Enabled: false | ||
|
||
# Disable nearly all Metrics checks. These seem better off left to judgement. | ||
|
||
Metrics/AbcSize: | ||
Enabled: false | ||
|
||
Metrics/BlockLength: | ||
Enabled: false | ||
|
||
Metrics/BlockNesting: | ||
Enabled: false | ||
|
||
Metrics/ClassLength: | ||
Enabled: false | ||
|
||
Metrics/CyclomaticComplexity: | ||
Enabled: false | ||
|
||
Metrics/LineLength: | ||
Max: 120 | ||
|
||
Metrics/MethodLength: | ||
Enabled: false | ||
|
||
Metrics/ModuleLength: | ||
Enabled: false | ||
|
||
Metrics/ParameterLists: | ||
Enabled: false | ||
|
||
Metrics/PerceivedComplexity: | ||
Enabled: false | ||
|
||
Lint/HandleExceptions: | ||
Exclude: | ||
- lib/bolt/transport/local/shell.rb | ||
|
||
Lint/ScriptPermission: | ||
Enabled: false | ||
|
||
# Enforce LF line endings, even when on Windows | ||
Layout/EndOfLine: | ||
EnforcedStyle: lf |
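Review bot: the `Lint/HandleExceptions` exclusion `- lib/bolt/transport/local/shell.rb` points at a path that does not exist in this module (it looks carried over from Bolt's own rubocop config); drop the exclusion or point it at a file in this repository, otherwise a silently swallowed exception in the task code goes unflagged. Also `TargetRubyVersion: 2.3` is older than the `2.5` that `.travis.yml` tests against; pick one so rubocop checks the syntax level the module actually supports.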
@@ -0,0 +1,14 @@ | ||
language: ruby | ||
cache: bundler | ||
rvm: | ||
- 2.5 | ||
|
||
before_install: | ||
- git clone https://github.com/puppetlabs/puppetlabs-ruby_task_helper ../ruby_task_helper | ||
script: | ||
- bundle exec rake spec | ||
- bundle exec rubocop | ||
|
||
notifications: | ||
email: false | ||
|
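Review bot: `git clone https://github.com/puppetlabs/puppetlabs-ruby_task_helper ../ruby_task_helper` fetches whatever the default branch holds at build time, so the test run is not reproducible and any change pushed to that repository lands in this module's CI unreviewed; pin a tag or commit (for example `git clone --branch <tag> ...`, or check out a known sha after cloning). Minor: `cache: bundler` only caches gems and does nothing for the cloned helper.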
@@ -0,0 +1,3 @@ | ||
## Release 0.1.0 | ||
|
||
This is the initial release. |
@@ -0,0 +1,2 @@ | ||
# Default to Bolt team | ||
* @puppetlabs/bolt |
@@ -0,0 +1,15 @@ | ||
# frozen_string_literal: true | ||
|
||
source ENV['GEM_SOURCE'] || 'https://rubygems.org' | ||
|
||
ruby_version_segments = Gem::Version.new(RUBY_VERSION.dup).segments | ||
minor_version = ruby_version_segments[0..1].join('.') | ||
|
||
group :development do | ||
gem 'puppet' | ||
gem 'puppetlabs_spec_helper' | ||
|
||
# Dependencies used by Rake to ship the module | ||
gem "puppet-module-posix-default-r#{minor_version}", require: false, platforms: [:ruby] | ||
gem "puppet-module-posix-dev-r#{minor_version}", require: false, platforms: [:ruby] | ||
end |
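Review bot: `gem 'puppet'` and `gem 'puppetlabs_spec_helper'` carry no version constraints and no `Gemfile.lock` appears in this diff, so `bundle exec rake spec` in CI resolves different versions over time; add at least a major-version bound for `puppet` matching the `>= 4.10.0 < 7.0.0` requirement in `metadata.json`. `source ENV['GEM_SOURCE'] || 'https://rubygems.org'` is the usual escape hatch for internal mirrors, but it lets the build environment redirect gem resolution, so make sure CI never sets `GEM_SOURCE` from untrusted input.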
@@ -1,2 +1,94 @@ | ||
# puppetlabs-vault | ||
Puppet module that provides the Vault plugin for Bolt | ||
## Bolt Vault plugin | ||
|
||
This module provides a plugin which allows config values to be set by accessing secrets from a | ||
Key/Value engine on a Vault server. | ||
|
||
#### Table of Contents | ||
|
||
1. [Requirements](#requirements) | ||
2. [Usage](#usage) | ||
3. [Examples](#examples) | ||
|
||
## Requirements | ||
|
||
You will need to have a Vault server running, and a way to [authenticate](#authentication-methods) with the server | ||
|
||
## Usage | ||
|
||
The Vault plugin supports several options: | ||
- `server_url`: The URL of the Vault server (optional, defaults to `ENV['VAULT_ADDR']`) | ||
- `auth`: The method for authorizing with the Vault server and any necessary parameters (optional, defaults to `ENV['VAULT_TOKEN']`) | ||
- `path`: The path to the secrets engine (required) | ||
- `field`: The specific secret being used (optional, defaults to a Ruby hash of all secrets at the `path`) | ||
- `version`: The version of the K/V engine (optional, defaults to 1) | ||
|
||
If Vault server uses TLS, you can use the following config to authenticate with the server: | ||
- `cacert`: Path to the CA certificate (optional) | ||
- `cert`: Path to the SSL certificate (optional) | ||
- `key`: Path to the SSL key (optional) | ||
|
||
### Authentication Methods | ||
|
||
Vault requires a token to assign an identity and set of policies to a user before accessing secrets. | ||
The Vault plugin offers 2 authentication methods: | ||
|
||
#### Token | ||
|
||
Authenticate using a token. This method requires the following fields: | ||
|
||
- `method`: The value of `method` must be `token` | ||
- `token`: The token to authenticate with | ||
|
||
#### Userpass | ||
|
||
Request a token by logging into the Vault server with a username and password. This method requires | ||
the following fields: | ||
|
||
- `method`: The value of `method` must be `userpass` | ||
- `user`: The username | ||
- `pass`: The password | ||
|
||
## Examples | ||
|
||
You can add any Vault plugin field to the inventory configuration. The following example shows how | ||
you would access the `private-key` secret on a KVv2 engine mounted at `secrets/bolt`: | ||
|
||
``` | ||
version: 2 | ||
targets: | ||
- ... | ||
config: | ||
ssh: | ||
user: root | ||
private-key: | ||
key-data: | ||
_plugin: vault | ||
server_url: http://127.0.0.1:8200 | ||
auth: | ||
method: userpass | ||
user: bolt | ||
pass: bolt | ||
path: secrets/bolt | ||
field: private-key | ||
version: 2 | ||
``` | ||
|
||
You can also set configuration in your [Bolt config file](https://puppet.com/docs/bolt/latest/configuring_bolt.html) | ||
under the `plugins` field. If a field is set in both the inventory file and the config file, Bolt | ||
will use the value set in the inventory file. The available fields for the config file are: | ||
|
||
- `server_url` | ||
- `cacert` | ||
- `auth` | ||
|
||
``` | ||
plugins: | ||
vault: | ||
server_url: https://127.0.0.1:8200 | ||
cacert: /path/to/ca | ||
cert: /path/to/cert | ||
key: /path/to/key | ||
auth: | ||
method: token | ||
token: xxxxx-xxxxx | ||
``` |
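Review bot: the list of "available fields for the config file" names only `server_url`, `cacert` and `auth`, but the example directly below it also sets `cert` and `key`; either the list is incomplete or the example sets fields the plugin ignores, so reconcile the two. Two smaller points: the first example sends `userpass` credentials to `http://127.0.0.1:8200`, so a sentence recommending `https://` (as the second example uses) for anything other than a local dev server would help readers who copy it; and "If Vault server uses TLS, you can use the following config to authenticate" should read "If the Vault server uses TLS, ...", while "The method for authorizing with the Vault server" under `auth` should say "authenticating".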
@@ -0,0 +1,4 @@ | ||
# frozen_string_literal: true | ||
|
||
require 'puppetlabs_spec_helper/rake_tasks' | ||
require 'puppet_blacksmith/rake_tasks' if Bundler.rubygems.find_name('puppet-blacksmith').any? |
@@ -0,0 +1 @@ | ||
{} |
@@ -0,0 +1,63 @@ | ||
{ | ||
"name": "puppetlabs-vault", | ||
"version": "0.1.0", | ||
"author": "Puppet, Inc.", | ||
"summary": "A task to access Bolt configuration from secrets stored in a Hashicorp Vault server", | ||
"license": "Apache-2.0", | ||
"source": "git@github.com/puppetlabs/puppetlabs-vault", | ||
"project_page": "https://github.com/puppetlabs/puppetlabs-vault", | ||
"dependencies": [ | ||
|
||
], | ||
"operatingsystem_support": [ | ||
{ | ||
"operatingsystem": "CentOS", | ||
"operatingsystemrelease": [ | ||
"7" | ||
] | ||
}, | ||
{ | ||
"operatingsystem": "OracleLinux", | ||
"operatingsystemrelease": [ | ||
"7" | ||
] | ||
}, | ||
{ | ||
"operatingsystem": "RedHat", | ||
"operatingsystemrelease": [ | ||
"8" | ||
] | ||
}, | ||
{ | ||
"operatingsystem": "Scientific", | ||
"operatingsystemrelease": [ | ||
"7" | ||
] | ||
}, | ||
{ | ||
"operatingsystem": "Debian", | ||
"operatingsystemrelease": [ | ||
"9" | ||
] | ||
}, | ||
{ | ||
"operatingsystem": "Ubuntu", | ||
"operatingsystemrelease": [ | ||
"18.04" | ||
] | ||
}, | ||
{ | ||
"operatingsystem": "windows", | ||
"operatingsystemrelease": [ | ||
"2019", | ||
"10" | ||
] | ||
} | ||
], | ||
"requirements": [ | ||
{ | ||
"name": "puppet", | ||
"version_requirement": ">= 4.10.0 < 7.0.0" | ||
} | ||
] | ||
} |
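Review bot: `"source": "git@github.com/puppetlabs/puppetlabs-vault"` is neither a valid scp-style SSH location (that form needs a colon after the host: `git@github.com:puppetlabs/puppetlabs-vault`) nor an https URL; use the same `https://github.com/puppetlabs/puppetlabs-vault` as `project_page`. The `summary` describes the module as "A task to access Bolt configuration" while the README and the commit title call it a plugin; align the wording so the Forge listing matches the docs. `dependencies` being empty also deserves a second look, since `.travis.yml` clones `puppetlabs-ruby_task_helper` for the test run, which suggests the task needs it at runtime too.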
@@ -0,0 +1,7 @@ | ||
# frozen_string_literal: true | ||
|
||
RSpec.configure do |config| | ||
config.mock_with :rspec | ||
end | ||
|
||
require 'puppetlabs_spec_helper/module_spec_helper' |