#
# Cookbook: hashicorp-vault-cookbook
# License: Apache 2.0
#
# Copyright (C) 2015 Bloomberg Finance L.P.
#
require 'poise'
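module VaultCookbook
  module Resource
    # Renders the Vault server configuration file and, when the node
    # manages its own certificate, writes the TLS certificate and private
    # key fetched from a chef-vault data bag item.
    #
    # @since 1.0.0
    class VaultConfig < Chef::Resource
      include Poise(fused: true)
      provides(:vault_config)
      default_action(:create)

      # Attributes rendered under +listener.tcp+ in the config file.
      LISTENER_KEYS = %i[address tls_disable tls_cert_file tls_key_file].freeze
      # Attributes rendered at the top level of the config file.
      CONFIG_KEYS = %i[disable_mlock statsite_addr statsd_addr].freeze
      # Storage backends accepted for +backend_type+.
      BACKEND_TYPES = %w[consul inmem zookeeper file].freeze

      # @!attribute path
      #   Location of the rendered configuration file (name attribute).
      #   @return [String]
      attribute(:path, kind_of: String, name_attribute: true)
      # @!attribute owner
      #   Owner of the rendered config, certificate and key files.
      #   @return [String]
      attribute(:owner, kind_of: String, default: 'vault')
      # @!attribute group
      #   Group of the rendered files and their parent directories.
      #   @return [String]
      attribute(:group, kind_of: String, default: 'vault')
      # @see https://vaultproject.io/docs/config/index.html
      attribute(:address, kind_of: String)
      # An empty string keeps TLS enabled (see #tls?); any other value is
      # passed through to the listener block unchanged.
      attribute(:tls_disable, kind_of: String, default: '')
      attribute(:tls_cert_file, kind_of: String)
      attribute(:tls_key_file, kind_of: String)
      # chef-vault data bag / item expected to hold the 'certificate' and
      # 'private_key' entries written by the :create action.
      attribute(:bag_name, kind_of: String, default: 'secrets')
      attribute(:bag_item, kind_of: String, default: 'vault')
      attribute(:disable_mlock, equal_to: [true, false], default: false)
      attribute(:statsite_addr, kind_of: String)
      attribute(:statsd_addr, kind_of: String)
      attribute(:backend_type, default: 'inmem', equal_to: BACKEND_TYPES)
      # Free-form options copied verbatim into the backend block.
      attribute(:backend_options, option_collector: true)

      # Whether this resource manages the TLS certificate and key.
      #
      # True only when +tls_disable+ is empty and the node attribute
      # +node['vault']['manage_certificate']+ is truthy.
      #
      # @return [Boolean]
      def tls?
        # String#empty? instead of match(/^$/): ^ and $ are per-line
        # anchors, so the regex also accepted values ending in a newline.
        return false unless tls_disable.to_s.empty?
        node['vault']['manage_certificate'] ? true : false
      end

      # Transforms the resource into a JSON document matching the Vault
      # server's configuration format.
      #
      # @see https://vaultproject.io/docs/config/index.html
      # @param _args [Array] ignored; accepted so that the JSON generator's
      #   +obj.to_json(state)+ calling convention does not raise
      # @return [String] pretty-printed JSON
      def to_json(*_args)
        config = config_section.merge(
          'backend' => { backend_type => (backend_options || {}) },
          'listener' => { 'tcp' => listener_section }
        )
        JSON.pretty_generate(config, quirks_mode: true)
      end

      action(:create) do
        notifying_block do
          if new_resource.tls?
            # Fail with a clear message instead of a TypeError from
            # File.dirname(nil) further down.
            %i[tls_cert_file tls_key_file].each do |attr|
              next if new_resource.send(attr)
              raise ArgumentError, "#{new_resource}: #{attr} must be set when TLS is managed"
            end
            include_recipe 'chef-vault::default'
            directory ::File.dirname(new_resource.tls_cert_file) do
              recursive true
              owner 'root'
              group new_resource.group
              mode '0755'
            end
            item = chef_vault_item(
              new_resource.bag_name,
              new_resource.bag_item
            )
            file new_resource.tls_cert_file do
              content item['certificate']
              mode '0644'
              owner new_resource.owner
              group new_resource.group
            end
            # Key directory is group-readable only; the key itself is
            # marked sensitive so its contents never reach the run log.
            directory ::File.dirname(new_resource.tls_key_file) do
              recursive true
              mode '0750'
              owner 'root'
              group new_resource.group
            end
            file new_resource.tls_key_file do
              sensitive true
              content item['private_key']
              mode '0640'
              owner new_resource.owner
              group new_resource.group
            end
          end
          directory ::File.dirname(new_resource.path) do
            recursive true
          end
          # backend_options is copied verbatim into this file and may carry
          # backend credentials, so keep its diff out of the converge log.
          file new_resource.path do
            sensitive true
            content new_resource.to_json
            owner new_resource.owner
            group new_resource.group
            mode '0640'
          end
        end
      end

      action(:delete) do
        notifying_block do
          if new_resource.tls?
            file new_resource.tls_cert_file do
              action :delete
            end
            file new_resource.tls_key_file do
              action :delete
            end
          end
          file new_resource.path do
            action :delete
          end
        end
      end

      private

      # Subset of +to_hash+ that belongs under +listener.tcp+.
      # Uses +select+ rather than +keep_if+ so the hash returned by
      # +to_hash+ is never mutated.
      # @return [Hash]
      def listener_section
        to_hash.select { |key, _| LISTENER_KEYS.include?(key.to_sym) }
      end

      # Subset of +to_hash+ rendered at the top level of the config.
      # @return [Hash]
      def config_section
        to_hash.select { |key, _| CONFIG_KEYS.include?(key.to_sym) }
      end
    end
  end
end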