diff --git a/documentation/Storage_Backend.md b/documentation/Storage_Backend.md
index 43b9dcf5..5e8d13cb 100644
--- a/documentation/Storage_Backend.md
+++ b/documentation/Storage_Backend.md
@@ -7,8 +7,8 @@
 The Azure storage backend is used to persist Vault's data in an [Azure Storage Container](https://azure.microsoft.com/en-us/services/storage/). The storage container must already exist and the provided account credentials must have read and write permissions to the storage container.
 
 ```ruby
-storage_type = 'azure',
-storage_options = {
+storage_type 'azure',
+storage_options {
 accountName: 'my-storage-account',
 accountKey: 'abcd1234',
 container: 'container-efgh5678',
@@ -21,8 +21,8 @@ storage_options = {
 The Cassandra storage backend is used to persist Vault's data in an [Apache Cassandra](http://cassandra.apache.org/) cluster.
 
 ```ruby
-storage_type = 'cassandra',
-storage_options = {
+storage_type 'cassandra',
+storage_options {
 hosts: 'localhost',
 consistency: 'LOCAL_QUORUM',
 protocol_version: '3',
@@ -34,8 +34,8 @@ storage_options = {
 The Filesystem storage backend stores Vault's data on the filesystem using a standard directory structure. It can be used for durable single server situations, or to develop locally where durability is not critical.
 
 ```ruby
-storage_type = 'file'
-storage_options = {
+storage_type 'file'
+storage_options {
 path: '/mnt/vault/data',
 }
 ```
\ No newline at end of file
diff --git a/documentation/configuration_seals.md b/documentation/configuration_seals.md
index 4c133451..893880f5 100644
--- a/documentation/configuration_seals.md
+++ b/documentation/configuration_seals.md
@@ -1 +1,97 @@
-
\ No newline at end of file
+# Seal Configurations
+
+
+
+## [AliCloud KMS](https://www.vaultproject.io/docs/configuration/seal/alicloudkms.html)
+
+The AliCloud KMS seal configures Vault to use AliCloud KMS as the seal wrapping mechanism.
+
+```ruby
+seal_type = 'alicloudkms'
+seal_options = {
+ region: 'us-east-1',
+ access_key: '0wNEpMMlzy7szvai',
+ secret_key: 'PupkTg8jdmau1cXxYacgE736PJj4cA',
+ kms_key_id: '08c33a6f-4e0a-4a1b-a3fa-7ddfa1d4fb73',
+}
+```
+
+## [AWS KMS](https://www.vaultproject.io/docs/configuration/seal/awskms.html)
+
+The AWS KMS seal configures Vault to use AWS KMS as the seal wrapping mechanism.
+
+```ruby
+seal_type 'awskms'
+seal_options {
+ region: 'us-east-1',
+ access_key: 'AKIAIOSFODNN7EXAMPLE',
+ secret_key: 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY',
+ kms_key_id: '19ec80b0-dfdd-4d97-8164-c6examplekey',
+ endpoint: 'https://vpce-0e1bb1852241f8cc6-pzi0do8n.kms.us-east-1.vpce.amazonaws.com',
+}
+```
+
+## [Azure Key Vault](https://www.vaultproject.io/docs/configuration/seal/azurekeyvault.html)
+
+The Azure Key Vault seal configures Vault to use Azure Key Vault as the seal wrapping mechanism.
+
+```ruby
+seal_type 'azurekeyvault',
+seal_options {
+ tenant_id: '46646709-b63e-4747-be42-516edeaf1e14',
+ client_id: '03dc33fc-16d9-4b77-8152-3ec568f8af6e',
+ client_secret: 'DUJDS3...',
+ vault_name: 'hc-vault',
+ key_name: 'vault_key',
+}
+```
+
+## [GCP Cloud KMS](https://www.vaultproject.io/docs/configuration/seal/gcpckms.html)
+
+The GCP Cloud KMS seal configures Vault to use GCP Cloud KMS as the seal wrapping mechanism.
+
+```ruby
+seal_type 'gcpckms'
+seal_options {
+ credentials: '/usr/vault/vault-project-user-creds.json',
+ project: 'vault-project',
+ region: 'global',
+ key_ring: 'vault-keyring',
+ crypto_key: 'vault-key',
+}
+```
+
+## [HSM PKCS11 (ENT)](https://www.vaultproject.io/docs/configuration/seal/pkcs11.html)
+
+The PKCS11 seal configures Vault to use an HSM with PKCS11 as the seal wrapping mechanism.
+ +```ruby +seal_type 'pkcs11' +seal_options { + lib: '/usr/vault/lib/libCryptoki2_64.so', + slot: '0', + pin: 'AAAA-BBBB-CCCC-DDDD', + key_label: 'vault-hsm-key', + hmac_key_label: 'vault-hsm-hmac-key', +} +``` + +## [Vault Transit](https://www.vaultproject.io/docs/configuration/seal/transit.html) + +The Transit seal configures Vault to use Vault's Transit Secret Engine as the autoseal mechanism. + +```ruby +seal_type 'transit' +seal_options { + address: 'https://vault:8200', + token: 's.Qf1s5zigZ4OX6akYjQXJC1jY', + disable_renewal: 'false', + key_name: 'transit_key_name', + mount_path: 'transit/', + namespace: 'ns1/', + tls_ca_cert: '/etc/vault/ca_cert.pem', + tls_client_cert: '/etc/vault/client_cert.pem', + tls_client_key: '/etc/vault/ca_cert.pem', + tls_server_name: 'vault', + tls_skip_verify: 'false', +} diff --git a/metadata.rb b/metadata.rb index d99db640..51bfd845 100644 --- a/metadata.rb +++ b/metadata.rb @@ -7,7 +7,7 @@ issues_url 'https://github.com/sous-chefs/vault/issues' source_url 'https://github.com/sous-chefs/vault' chef_version '>= 13' -version '3.0.2' +version '4.0.0' supports 'ubuntu' supports 'redhat' diff --git a/resources/install.rb b/resources/install.rb index b047f6e7..50a3439c 100644 --- a/resources/install.rb +++ b/resources/install.rb @@ -213,6 +213,26 @@ action :install end + execute 'setcap cap_ipc_lock' do + command "setcap cap_ipc_lock=+ep $(readlink -f /usr/local/bin/vault)" + not_if "setcap -v cap_ipc_lock+ep $(readlink -f /usr/local/bin/vault)" + action :run + end + + file new_resource.tls_cert_file do + owner new_resource.vault_user + group new_resource.vault_group + mode '0644' + action :create + end + + file new_resource.tls_key_file do + owner new_resource.vault_user + group new_resource.vault_group + mode '0600' + action :create + end + hashicorp_vault_config new_resource.config_location do api_addr new_resource.api_addr cache_size new_resource.cache_size 
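Review bot: The `file new_resource.tls_cert_file` and `file new_resource.tls_key_file` resources use `action :create` with no `content`, so on a node where the certificate and key have not yet been delivered Chef creates empty files at those paths with the requested owner and mode; the key path then exists as an empty 0600 file, which will presumably make Vault fail at startup on an unparsable PEM instead of a clear missing-file error and can hide that no key was ever deployed. If the intent is only to enforce ownership and permissions on files delivered by other means, guard them with `only_if { ::File.exist?(new_resource.tls_key_file) }` (and the cert equivalent), and skip both when either property is nil, since a `file` resource with a nil name fails validation. The `setcap` execute hard-codes `/usr/local/bin/vault` in both `command` and `not_if`; if the install resource exposes the binary location as a property, both strings should use it so a non-default install path still receives `cap_ipc_lock`. The block these resources sit in starts before this hunk and continues past it.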
@@ -231,6 +251,8 @@
 pid_file new_resource.pid_file
 plugin_directory new_resource.plugin_directory
 raw_storage_endpoint new_resource.raw_storage_endpoint
+ seal_options new_resource.seal_options
+ seal_type new_resource.seal_type
 storage_options new_resource.storage_options
 storage_type new_resource.storage_type
 telemetry new_resource.telemetry
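Review bot: `seal_options new_resource.seal_options` forwards a hash that, going by the seal examples added in this same commit, carries cloud access keys, a client secret, an HSM PIN or a Vault token into the rendered configuration, yet nothing in the hunk marks the config resource as sensitive. If `hashicorp_vault_config` writes the config through a `file` or `template` resource, it should set `sensitive true` (or accept and forward a `sensitive` property from this resource) so those values are not printed in the converge diff or the client log; that resource is outside this hunk, so this is a point to confirm there. The enclosing `hashicorp_vault_config` block starts before this hunk and continues past it.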