diff --git a/README.md b/README.md
index 43273ce99..4d102d282 100644
--- a/README.md
+++ b/README.md
@@ -87,7 +87,12 @@ associated parameters.
```puppet
class { 'rundeck':
- key_storage_type => 'db',
+ key_storage_config => [
+ {
+ 'type' => 'db',
+ 'path' => '/',
+ },
+ ],
projects_storage_type => 'db',
database_config => {
'type' => 'mysql',
@@ -109,23 +114,53 @@ class { 'rundeck':
}
```
-### Use HashiCorp vault as keystorage
+### Configure HashiCorp vault as keystorage
An additional [Rundeck Vault plugin](https://github.com/rundeck-plugins/vault-storage/) is required.
```Puppet
class { 'rundeck':
- key_storage_type => 'vault',
- vault_keystorage_url => 'https://vault.example.com',
- vault_keystorage_prefix => 'rundeck',
- vault_keystorage_approle_approleid => 'xxx-xxx-xxx-xxx-xxx',
- vault_keystorage_approle_secretid => 'xxx-xxx-xxx-xxx-xxx',
- vault_keystorage_approle_authmount => 'approle',
- vault_keystorage_authbackend => 'approle',
+ key_storage_config => [
+ {
+ 'type' => 'vault-storage',
+ 'path' => '/',
+ 'config' => {
+ 'prefix' => 'rundeck',
+ 'address' => 'https://vault.example.com',
+ 'storageBehaviour' => 'vault',
+ 'secretBackend' => 'rundeck',
+ 'engineVersion' => '2',
+ 'authBackend' => 'approle',
+ 'approleAuthMount' => 'approle',
+ 'approleId' => 'xxx-xxx-xxx-xxx-xxx',
+ 'approleSecretId' => 'xxx-xxx-xxx-xxx-xxx',
+ },
+ },
+ ],
+}
+```
+
+### Configure multiple keystorage types
+
+```Puppet
+class { 'rundeck':
+ key_storage_config => [
+ {
+ 'type' => 'file',
+ 'path' => '/keys',
+ 'config' => {
+ 'baseDir => '/path/to/dir',
+ },
+ },
+ {
+ 'type' => 'db',
+ 'path' => '/keys/database',
+ },
+ ],
}
```
-### Configuring shared authentication credentials
+### Configure shared authentication credentials
To perform LDAP authentication and file authorization following code can be used.
diff --git a/REFERENCE.md b/REFERENCE.md
index 58c3be47b..596a0bbd1 100644
--- a/REFERENCE.md
+++ b/REFERENCE.md
@@ -70,15 +70,9 @@ The following parameters are available in the `rundeck` class:
* [`jvm_args`](#-rundeck--jvm_args)
* [`kerberos_realms`](#-rundeck--kerberos_realms)
* [`key_password`](#-rundeck--key_password)
-* [`key_storage_type`](#-rundeck--key_storage_type)
+* [`key_storage_config`](#-rundeck--key_storage_config)
* [`keystore`](#-rundeck--keystore)
* [`keystore_password`](#-rundeck--keystore_password)
-* [`vault_keystorage_url`](#-rundeck--vault_keystorage_url)
-* [`vault_keystorage_prefix`](#-rundeck--vault_keystorage_prefix)
-* [`vault_keystorage_approle_approleid`](#-rundeck--vault_keystorage_approle_approleid)
-* [`vault_keystorage_approle_secretid`](#-rundeck--vault_keystorage_approle_secretid)
-* [`vault_keystorage_approle_authmount`](#-rundeck--vault_keystorage_approle_authmount)
-* [`vault_keystorage_authbackend`](#-rundeck--vault_keystorage_authbackend)
* [`log_properties_template`](#-rundeck--log_properties_template)
* [`mail_config`](#-rundeck--mail_config)
* [`sshkey_manage`](#-rundeck--sshkey_manage)
@@ -286,13 +280,13 @@ The default key password.
Default value: `$rundeck::params::key_password`
-##### `key_storage_type`
+##### `key_storage_config`
-Data type: `Enum['db', 'file', 'vault']`
+Data type: `Array[Hash]`
-Type used to store secrets. Must be 'file', 'db' or 'vault'
+An array with hashes of properties for customizing the [Rundeck Key Storage](https://docs.rundeck.com/docs/manual/key-storage/key-storage.html)
-Default value: `$rundeck::params::key_storage_type`
+Default value: `$rundeck::params::key_storage_config`
##### `keystore`
@@ -310,54 +304,6 @@ The password for the given keystore.
Default value: `$rundeck::params::keystore_password`
-##### `vault_keystorage_url`
-
-Data type: `Optional[Stdlib::HTTPSUrl]`
-
-A url to a HashiCorp vault instance.
-
-Default value: `undef`
-
-##### `vault_keystorage_prefix`
-
-Data type: `Optional[String[1]]`
-
-HashiCorp vault kv path prefix.
-
-Default value: `undef`
-
-##### `vault_keystorage_approle_approleid`
-
-Data type: `Optional[String[1]]`
-
-HashiCorp vault approle role id.
-
-Default value: `undef`
-
-##### `vault_keystorage_approle_secretid`
-
-Data type: `Optional[String[1]]`
-
-HashiCorp vault approle secret id.
-
-Default value: `undef`
-
-##### `vault_keystorage_approle_authmount`
-
-Data type: `Optional[String[1]]`
-
-HashiCorp vault auth sys mount.
-
-Default value: `undef`
-
-##### `vault_keystorage_authbackend`
-
-Data type: `Optional[String[1]]`
-
-HashiCorp vault authentication backend.
-
-Default value: `undef`
-
##### `log_properties_template`
Data type: `String`
diff --git a/manifests/config.pp b/manifests/config.pp
index 55a61d35d..5d08d042e 100644
--- a/manifests/config.pp
+++ b/manifests/config.pp
@@ -17,12 +17,6 @@
$file_default_mode = $rundeck::file_default_mode
$file_keystorage_dir = $rundeck::file_keystorage_dir
$file_keystorage_keys = $rundeck::file_keystorage_keys
- $vault_keystorage_prefix = $rundeck::vault_keystorage_prefix
- $vault_keystorage_url = $rundeck::vault_keystorage_url
- $vault_keystorage_approle_approleid = $rundeck::vault_keystorage_approle_approleid
- $vault_keystorage_approle_secretid = $rundeck::vault_keystorage_approle_secretid
- $vault_keystorage_approle_authmount = $rundeck::vault_keystorage_approle_authmount
- $vault_keystorage_authbackend = $rundeck::vault_keystorage_authbackend
$grails_server_url = $rundeck::grails_server_url
$group = $rundeck::group
$gui_config = $rundeck::gui_config
@@ -30,7 +24,7 @@
$jvm_args = $rundeck::jvm_args
$kerberos_realms = $rundeck::kerberos_realms
$key_password = $rundeck::key_password
- $key_storage_type = $rundeck::key_storage_type
+ $key_storage_config = $rundeck::key_storage_config
$keystore = $rundeck::keystore
$keystore_password = $rundeck::keystore_password
$log_properties_template = $rundeck::log_properties_template
diff --git a/manifests/config/global/rundeck_config.pp b/manifests/config/global/rundeck_config.pp
index 9d2ce15c6..107cf6e03 100644
--- a/manifests/config/global/rundeck_config.pp
+++ b/manifests/config/global/rundeck_config.pp
@@ -8,16 +8,10 @@
$clustermode_enabled = $rundeck::config::clustermode_enabled
$execution_mode = $rundeck::config::execution_mode
$file_keystorage_dir = $rundeck::config::file_keystorage_dir
- $vault_keystorage_prefix = $rundeck::config::vault_keystorage_prefix
- $vault_keystorage_url = $rundeck::config::vault_keystorage_url
- $vault_keystorage_approle_approleid = $rundeck::config::vault_keystorage_approle_approleid
- $vault_keystorage_approle_secretid = $rundeck::config::vault_keystorage_approle_secretid
- $vault_keystorage_approle_authmount = $rundeck::config::vault_keystorage_approle_authmount
- $vault_keystorage_authbackend = $rundeck::config::vault_keystorage_authbackend
$grails_server_url = $rundeck::config::grails_server_url
$group = $rundeck::config::group
$gui_config = $rundeck::config::gui_config
- $key_storage_type = $rundeck::config::key_storage_type
+ $key_storage_config = $rundeck::config::key_storage_config
$mail_config = $rundeck::config::mail_config
$preauthenticated_config = $rundeck::config::preauthenticated_config
$projects_storage_type = $rundeck::config::projects_storage_type
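Review bot: `$file_keystorage_dir` (the context line just above the removed Vault variables) is still copied into this class, but the only consumer the diff shows for it — the `config.baseDir` line in templates/rundeck-config.epp — is removed in the same commit, the directory now arriving through `key_storage_config` instead. Unless the template still references `$rundeck::config::global::rundeck_config::file_keystorage_dir` somewhere outside the visible hunk, that assignment is now dead and should be dropped together with the Vault ones so the class only exposes values the template actually renders. The class body continues outside this hunk.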
diff --git a/manifests/init.pp b/manifests/init.pp
index 895655d93..456deaadf 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -38,24 +38,12 @@
# A hash of mappings between Kerberos domain DNS names and realm names
# @param key_password
# The default key password.
-# @param key_storage_type
-# Type used to store secrets. Must be 'file', 'db' or 'vault'
+# @param key_storage_config
+# An array with hashes of properties for customizing the [Rundeck Key Storage](https://docs.rundeck.com/docs/manual/key-storage/key-storage.html)
# @param keystore
# Full path to the java keystore to be used by Rundeck.
# @param keystore_password
# The password for the given keystore.
-# @param vault_keystorage_url
-# A url to a HashiCorp vault instance.
-# @param vault_keystorage_prefix
-# HashiCorp vault kv path prefix.
-# @param vault_keystorage_approle_approleid
-# HashiCorp vault approle role id.
-# @param vault_keystorage_approle_secretid
-# HashiCorp vault approle secret id.
-# @param vault_keystorage_approle_authmount
-# HashiCorp vault auth sys mount.
-# @param vault_keystorage_authbackend
-# HashiCorp vault authentication backend.
# @param log_properties_template
# The template used for log properties. Default is rundeck/log4j.properties.erb.
# @param mail_config
@@ -186,15 +174,9 @@
String $jvm_args = $rundeck::params::jvm_args,
Hash $kerberos_realms = $rundeck::params::kerberos_realms,
String $key_password = $rundeck::params::key_password,
- Enum['db', 'file', 'vault'] $key_storage_type = $rundeck::params::key_storage_type,
+ Array[Hash] $key_storage_config = $rundeck::params::key_storage_config,
Stdlib::Absolutepath $keystore = $rundeck::params::keystore,
String $keystore_password = $rundeck::params::keystore_password,
- Optional[Stdlib::HTTPSUrl] $vault_keystorage_url = undef,
- Optional[String[1]] $vault_keystorage_prefix = undef,
- Optional[String[1]] $vault_keystorage_approle_approleid = undef,
- Optional[String[1]] $vault_keystorage_approle_secretid = undef,
- Optional[String[1]] $vault_keystorage_approle_authmount = undef,
- Optional[String[1]] $vault_keystorage_authbackend = undef,
String $log_properties_template = $rundeck::params::log_properties_template,
Hash $mail_config = $rundeck::params::mail_config,
Boolean $sshkey_manage = $rundeck::params::sshkey_manage,
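Review bot: The new `Array[Hash]` type on `$key_storage_config` drops every check the removed parameters enforced: `Enum['db', 'file', 'vault']` pinned the provider type and `Stdlib::HTTPSUrl` guaranteed the Vault address was HTTPS, so a typo in `type`, a missing `path`, or a plaintext `http://` Vault address (over which the AppRole secret-id is sent at login) now passes catalog compilation and only surfaces when Rundeck fails to start. At minimum pin the top-level shape, e.g. `Array[Struct[{ type => String[1], path => String[1], Optional[removePathPrefix] => Boolean, Optional[config] => Hash[String[1], Variant[String, Integer, Boolean, Sensitive[String]]] }]] $key_storage_config = $rundeck::params::key_storage_config,`. Admitting `Sensitive[String]` is only useful if the template that renders the hash unwraps it — the new loop in templates/rundeck-config.epp interpolates `$v` directly, which for a Sensitive value would presumably emit Puppet's redacted placeholder instead of the secret, so the type and the template should change together. The `rundeck` class parameter list begins before and continues after this hunk.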
diff --git a/manifests/params.pp b/manifests/params.pp
index b224fbd72..e26a72e65 100644
--- a/manifests/params.pp
+++ b/manifests/params.pp
@@ -275,8 +275,19 @@
$kerberos_realms = {}
+ $file_keystorage_keys = {}
+ $file_keystorage_dir = "${framework_config['framework.var.dir']}/storage"
+
$keystore = '/etc/rundeck/ssl/keystore'
- $key_storage_type = 'file'
+ $key_storage_config = [
+ {
+ 'type' => 'file',
+ 'path' => '/',
+ 'config' => {
+ 'baseDir' => $file_keystorage_dir,
+ },
+ },
+ ]
$projects_storage_type = 'filesystem'
$keystore_password = 'adminadmin'
$key_password = 'adminadmin'
@@ -314,9 +325,6 @@
$rdeck_config_template = 'rundeck/rundeck-config.epp'
- $file_keystorage_keys = {}
- $file_keystorage_dir = "${framework_config['framework.var.dir']}/storage"
-
$manage_default_admin_policy = true
$manage_default_api_policy = true
diff --git a/spec/classes/config/global/rundeck_config_spec.rb b/spec/classes/config/global/rundeck_config_spec.rb
index 19ab0c292..0571c3ca4 100644
--- a/spec/classes/config/global/rundeck_config_spec.rb
+++ b/spec/classes/config/global/rundeck_config_spec.rb
@@ -98,8 +98,9 @@
quartz.threadPool.threadCount = "10"
rundeck.storage.provider."1".type = "file"
- rundeck.storage.provider."1".config.baseDir = "/var/lib/rundeck/var/storage"
rundeck.storage.provider."1".path = "/"
+ rundeck.storage.provider."1".config.baseDir = "/var/lib/rundeck/var/storage"
+
rundeck.security.authorization.preauthenticated.enabled = "false"
rundeck.security.authorization.preauthenticated.attributeName = "REMOTE_USER_GROUPS"
diff --git a/templates/rundeck-config.epp b/templates/rundeck-config.epp
index 31e81de6d..c769053cd 100644
--- a/templates/rundeck-config.epp
+++ b/templates/rundeck-config.epp
@@ -69,25 +69,19 @@ rundeck.executionMode = "<%= $rundeck::config::global::rundeck_config::execution
rundeck.projectsStorageType = "<%= $rundeck::config::global::rundeck_config::projects_storage_type %>"
quartz.threadPool.threadCount = "<%= $rundeck::config::global::rundeck_config::quartz_job_threadcount %>"
-<%- if $rundeck::config::global::rundeck_config::key_storage_type == 'file' {-%>
-rundeck.storage.provider."1".type = "file"
-rundeck.storage.provider."1".config.baseDir = "<%= $rundeck::config::global::rundeck_config::file_keystorage_dir %>"
-<%-} elsif $rundeck::config::global::rundeck_config::key_storage_type == 'vault' {-%>
-rundeck.storage.provider."1".type = "vault-storage"
-rundeck.storage.provider."1".path = "keys"
-rundeck.storage.provider."1".config.prefix = "<%= $rundeck::config::global::rundeck_config::vault_keystorage_prefix %>"
-rundeck.storage.provider."1".config.address = "<%= $rundeck::config::global::rundeck_config::vault_keystorage_url %>"
-rundeck.storage.provider."1".config.storageBehaviour = "rundeck"
-rundeck.storage.provider."1".config.secretBackend = "kv"
-rundeck.storage.provider."1".config.approleId = "<%= $rundeck::config::global::rundeck_config::vault_keystorage_approle_approleid %>"
-rundeck.storage.provider."1".config.approleSecretId = "<%= $rundeck::config::global::rundeck_config::vault_keystorage_approle_secretid %>"
-rundeck.storage.provider."1".config.approleAuthMount = "<%= $rundeck::config::global::rundeck_config::vault_keystorage_approle_authmount %>"
-rundeck.storage.provider."1".config.authBackend = "<%= $rundeck::config::global::rundeck_config::vault_keystorage_authbackend %>"
-rundeck.storage.provider."1".removePathPrefix = true
-<%-} else {-%>
-rundeck.storage.provider."1".type = "db"
-<%- } -%>
-rundeck.storage.provider."1".path = "/"
+<%- $rundeck::config::global::rundeck_config::key_storage_config.each |$i, $cfg| { -%>
+rundeck.storage.provider."<%= $i+1 %>".type = "<%= $cfg['type'] %>"
+rundeck.storage.provider."<%= $i+1 %>".path = "<%= $cfg['path'] %>"
+<%- if $cfg['removePathPrefix'] { -%>
+rundeck.storage.provider."<%= $i+1 %>".removePathPrefix = <%= $cfg['removePathPrefix'] %>
+<%- } -%>
+<%- if $cfg['config'] { -%>
+<%- $cfg['config'].each |$k, $v| { -%>
+rundeck.storage.provider."<%= $i+1 %>".config.<%= $k %> = "<%= $v %>"
+<%- } -%>
+<%- } -%>
+<%- } -%>
+
<%- if !$rundeck::config::global::rundeck_config::storage_encrypt_config.empty { -%>
<%- $rundeck::config::global::rundeck_config::storage_encrypt_config.keys.sort.each |$k| { -%>