Adds sealing

bumps version

Signed-off-by: PowerSchill <Mark.Schill@cmschill.net>

documentation/Storage_Backend.md

@@ -7,8 +7,8 @@
 The Azure storage backend is used to persist Vault's data in an [Azure Storage Container](https://azure.microsoft.com/en-us/services/storage/). The storage container must already exist and the provided account credentials must have read and write permissions to the storage container.
 
 ```ruby
-storage_type = 'azure',
-storage_options = {
+storage_type 'azure',
+storage_options {
   accountName: 'my-storage-account',
   accountKey:  'abcd1234',
   container:   'container-efgh5678',
@@ -21,8 +21,8 @@ storage_options = {
 The Cassandra storage backend is used to persist Vault's data in an [Apache Cassandra](http://cassandra.apache.org/) cluster.
 
 ```ruby
-storage_type = 'cassandra',
-storage_options = {
+storage_type 'cassandra',
+storage_options {
   hosts: 'localhost',
   consistency: 'LOCAL_QUORUM',
   protocol_version: '3',
@@ -34,8 +34,8 @@ storage_options = {
 The Filesystem storage backend stores Vault's data on the filesystem using a standard directory structure. It can be used for durable single server situations, or to develop locally where durability is not critical.
 
 ```ruby
-storage_type = 'file'
-storage_options = {
+storage_type 'file'
+storage_options {
   path: '/mnt/vault/data',
 }
 ```

documentation/configuration_seals.md

@@ -1 +1,97 @@
-<!-- TODO: Document Seal values -->
+# Seal Configurations
+
+<!-- TODO: Document Seal values -->
+
+## [AliCloud KMS](https://www.vaultproject.io/docs/configuration/seal/alicloudkms.html)
+
+The AliCloud KMS seal configures Vault to use AliCloud KMS as the seal wrapping mechanism.
+
+```ruby
+seal_type = 'alicloudkms'
+seal_options = {
+  region: 'us-east-1',
+  access_key: '0wNEpMMlzy7szvai',
+  secret_key: 'PupkTg8jdmau1cXxYacgE736PJj4cA',
+  kms_key_id: '08c33a6f-4e0a-4a1b-a3fa-7ddfa1d4fb73',
+}
+```
+
+## [AWS KMS](https://www.vaultproject.io/docs/configuration/seal/awskms.html)
+
+The AWS KMS seal configures Vault to use AWS KMS as the seal wrapping mechanism.
+
+```ruby
+seal_type 'awskms'
+seal_options {
+  region: 'us-east-1',
+  access_key: 'AKIAIOSFODNN7EXAMPLE',
+  secret_key: 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY',
+  kms_key_id: '19ec80b0-dfdd-4d97-8164-c6examplekey',
+  endpoint: 'https://vpce-0e1bb1852241f8cc6-pzi0do8n.kms.us-east-1.vpce.amazonaws.com',
+}
+```
+
+## [Azure Key Vault](https://www.vaultproject.io/docs/configuration/seal/azurekeyvault.html)
+
+The Azure Key Vault seal configures Vault to use Azure Key Vault as the seal wrapping mechanism.
+
+```ruby
+seal_type 'azurekeyvault',
+seal_options {
+  tenant_id: '46646709-b63e-4747-be42-516edeaf1e14',
+  client_id: '03dc33fc-16d9-4b77-8152-3ec568f8af6e',
+  client_secret: 'DUJDS3...',
+  vault_name: 'hc-vault',
+  key_name: 'vault_key',
+}
+```
+
+## [GCP Cloud KMS](https://www.vaultproject.io/docs/configuration/seal/gcpckms.html)
+
+The GCP Cloud KMS seal configures Vault to use GCP Cloud KMS as the seal wrapping mechanism.
+
+```ruby
+seal_type 'gcpckms'
+seal_options  {
+  credentials: '/usr/vault/vault-project-user-creds.json',
+  project: 'vault-project',
+  region: 'global',
+  key_ring: 'vault-keyring',
+  crypto_key: 'vault-key',
+}
+```
+
+## [HSM PKCS11 (ENT)](https://www.vaultproject.io/docs/configuration/seal/pkcs11.html)
+
+The PKCS11 seal configures Vault to use an HSM with PKCS11 as the seal wrapping mechanism.
+
+```ruby
+seal_type 'pkcs11'
+seal_options {
+  lib: '/usr/vault/lib/libCryptoki2_64.so',
+  slot: '0',
+  pin: 'AAAA-BBBB-CCCC-DDDD',
+  key_label: 'vault-hsm-key',
+  hmac_key_label: 'vault-hsm-hmac-key',
+}
+```
+
+## [Vault Transit](https://www.vaultproject.io/docs/configuration/seal/transit.html)
+
+The Transit seal configures Vault to use Vault's Transit Secret Engine as the autoseal mechanism.
+
+```ruby
+seal_type 'transit'
+seal_options {
+  address: 'https://vault:8200',
+  token: 's.Qf1s5zigZ4OX6akYjQXJC1jY',
+  disable_renewal: 'false',
+  key_name: 'transit_key_name',
+  mount_path: 'transit/',
+  namespace: 'ns1/',
+  tls_ca_cert: '/etc/vault/ca_cert.pem',
+  tls_client_cert: '/etc/vault/client_cert.pem',
+  tls_client_key: '/etc/vault/ca_cert.pem',
+  tls_server_name: 'vault',
+  tls_skip_verify: 'false',
+}

metadata.rb

@@ -7,7 +7,7 @@
 issues_url        'https://github.com/sous-chefs/vault/issues'
 source_url        'https://github.com/sous-chefs/vault'
 chef_version      '>= 13'
-version           '3.0.2'
+version           '4.0.0'
 
 supports 'ubuntu'
 supports 'redhat'

resources/install.rb

@@ -213,6 +213,26 @@
     action :install
   end
 
+  execute 'setcap cap_ipc_lock' do
+    command "setcap cap_ipc_lock=+ep $(readlink -f /usr/local/bin/vault)"
+    not_if "setcap -v cap_ipc_lock+ep $(readlink -f /usr/local/bin/vault)"
+    action :run
+  end
+
+  file new_resource.tls_cert_file do
+    owner new_resource.vault_user
+    group new_resource.vault_group
+    mode '0644'
+    action :create
+  end
+
+  file new_resource.tls_key_file do
+    owner new_resource.vault_user
+    group new_resource.vault_group
+    mode '0600'
+    action :create
+  end
+
   hashicorp_vault_config new_resource.config_location do
     api_addr new_resource.api_addr
     cache_size new_resource.cache_size
@@ -231,6 +251,8 @@
     pid_file new_resource.pid_file
     plugin_directory new_resource.plugin_directory
     raw_storage_endpoint new_resource.raw_storage_endpoint
+    seal_options new_resource.seal_options
+    seal_type new_resource.seal_type
     storage_options new_resource.storage_options
     storage_type new_resource.storage_type
     telemetry new_resource.telemetry