From 828f4cd6467a0194850d8d2d6f903ee960c088f7 Mon Sep 17 00:00:00 2001
From: Joris29
Date: Thu, 9 Nov 2023 09:08:57 +0100
Subject: [PATCH] Rebase and apply new refs
---
 README.md | 48 ++++++++++++++++++++++++++++-------
 REFERENCE.md | 64 ++++------------------------------------------
 manifests/init.pp | 24 +++--------------
 3 files changed, 47 insertions(+), 89 deletions(-)
diff --git a/README.md b/README.md
index b06c4de2d..4087fcfc4 100644
--- a/README.md
+++ b/README.md
@@ -114,23 +114,53 @@ class { 'rundeck': } ``` -### Use HashiCorp vault as keystorage +### Configure HashiCorp vault as keystorage An additional [Rundeck Vault plugin](https://github.com/rundeck-plugins/vault-storage/) is required. ```Puppet class { 'rundeck': - key_storage_type => 'vault', - vault_keystorage_url => 'https://vault.example.com', - vault_keystorage_prefix => 'rundeck', - vault_keystorage_approle_approleid => 'xxx-xxx-xxx-xxx-xxx', - vault_keystorage_approle_secretid => 'xxx-xxx-xxx-xxx-xxx', - vault_keystorage_approle_authmount => 'approle', - vault_keystorage_authbackend => 'approle', + key_storage_config => [ + { + 'type' => 'vault-storage', + 'path' => '/keys/vault', + 'config' => { + 'prefix' => 'rundeck', + 'address' => 'https://vault.example.com', + 'storageBehaviour' => 'vault', + 'secretBackend' => 'rundeck', + 'engineVersion' => '2', + 'authBackend' => 'approle', + 'approleAuthMount' => 'approle', + 'approleId' => 'xxx-xxx-xxx-xxx-xxx', + 'approleSecretId' => 'xxx-xxx-xxx-xxx-xxx', + }, + }, + ], +} ``` + +### Configure multiple keystorage types + +```Puppet +class { 'rundeck': + key_storage_config => [ + { + 'type' => 'file', + 'path' => '/keys', + 'config' => { + 'baseDir => '/path/to/dir', + }, + }, + { + 'type' => 'db', + 'path' => '/keys/database', + }, + ], } ``` -### Configuring shared authentication credentials +### Configure shared authentication credentials To perform LDAP authentication and file authorization following code can be used. 
diff --git a/REFERENCE.md b/REFERENCE.md
index 58c3be47b..596a0bbd1 100644
--- a/REFERENCE.md
+++ b/REFERENCE.md
@@ -70,15 +70,9 @@ The following parameters are available in the `rundeck` class:
 * [`jvm_args`](#-rundeck--jvm_args)
 * [`kerberos_realms`](#-rundeck--kerberos_realms)
 * [`key_password`](#-rundeck--key_password)
-* [`key_storage_type`](#-rundeck--key_storage_type)
+* [`key_storage_config`](#-rundeck--key_storage_config)
 * [`keystore`](#-rundeck--keystore)
 * [`keystore_password`](#-rundeck--keystore_password)
-* [`vault_keystorage_url`](#-rundeck--vault_keystorage_url)
-* [`vault_keystorage_prefix`](#-rundeck--vault_keystorage_prefix)
-* [`vault_keystorage_approle_approleid`](#-rundeck--vault_keystorage_approle_approleid)
-* [`vault_keystorage_approle_secretid`](#-rundeck--vault_keystorage_approle_secretid)
-* [`vault_keystorage_approle_authmount`](#-rundeck--vault_keystorage_approle_authmount)
-* [`vault_keystorage_authbackend`](#-rundeck--vault_keystorage_authbackend)
 * [`log_properties_template`](#-rundeck--log_properties_template)
 * [`mail_config`](#-rundeck--mail_config)
 * [`sshkey_manage`](#-rundeck--sshkey_manage)
@@ -286,13 +280,13 @@ The default key password. Default value: `$rundeck::params::key_password` -##### `key_storage_type` +##### `key_storage_config` -Data type: `Enum['db', 'file', 'vault']` +Data type: `Array[Hash]` -Type used to store secrets. Must be 'file', 'db' or 'vault' +An array with hashes of properties for customizing the [Rundeck Key Storage](https://docs.rundeck.com/docs/manual/key-storage/key-storage.html) -Default value: `$rundeck::params::key_storage_type` +Default value: `$rundeck::params::key_storage_config` ##### `keystore` 
@@ -310,54 +304,6 @@ The password for the given keystore. Default value: `$rundeck::params::keystore_password` -##### `vault_keystorage_url` - -Data type: `Optional[Stdlib::HTTPSUrl]` - -A url to a HashiCorp vault instance. - -Default value: `undef` - -##### `vault_keystorage_prefix` - -Data type: `Optional[String[1]]` - -HashiCorp vault kv path prefix. - -Default value: `undef` - -##### `vault_keystorage_approle_approleid` - -Data type: `Optional[String[1]]` - -HashiCorp vault approle role id. - -Default value: `undef` - -##### `vault_keystorage_approle_secretid` - -Data type: `Optional[String[1]]` - -HashiCorp vault approle secret id. - -Default value: `undef` - -##### `vault_keystorage_approle_authmount` - -Data type: `Optional[String[1]]` - -HashiCorp vault auth sys mount. - -Default value: `undef` - -##### `vault_keystorage_authbackend` - -Data type: `Optional[String[1]]` - -HashiCorp vault authentication backend. - -Default value: `undef` - ##### `log_properties_template` Data type: `String`
diff --git a/manifests/init.pp b/manifests/init.pp
index 895655d93..456deaadf 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -38,24 +38,12 @@
 # A hash of mappings between Kerberos domain DNS names and realm names
 # @param key_password
 # The default key password.
-# @param key_storage_type
-# Type used to store secrets. Must be 'file', 'db' or 'vault'
+# @param key_storage_config
+# An array with hashes of properties for customizing the [Rundeck Key Storage](https://docs.rundeck.com/docs/manual/key-storage/key-storage.html)
 # @param keystore
 # Full path to the java keystore to be used by Rundeck.
 # @param keystore_password
 # The password for the given keystore.
-# @param vault_keystorage_url
-# A url to a HashiCorp vault instance.
-# @param vault_keystorage_prefix
-# HashiCorp vault kv path prefix.
-# @param vault_keystorage_approle_approleid
-# HashiCorp vault approle role id.
-# @param vault_keystorage_approle_secretid
-# HashiCorp vault approle secret id.
-# @param vault_keystorage_approle_authmount
-# HashiCorp vault auth sys mount.
-# @param vault_keystorage_authbackend
-# HashiCorp vault authentication backend.
 # @param log_properties_template
 # The template used for log properties. Default is rundeck/log4j.properties.erb.
 # @param mail_config
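Review bot: The new `@param key_storage_config` description on the added line does not say what each hash has to contain, so a reader of the manifest cannot build a valid entry without the README, whose examples use the keys `type`, `path` and a nested `config` hash whose contents depend on the storage type. I would extend the comment with `#   Each hash takes 'type' ('file', 'db' or 'vault-storage'), 'path' (the key storage path the provider serves, e.g. '/keys/vault') and an optional 'config' hash of provider-specific properties.` Because the vault example places the AppRole secret id inside `config`, the comment should also state where those values end up (presumably a Rundeck properties file rendered by this module — confirm against the template) so operators know to treat the whole hash as sensitive data in Hiera. The README example this commit adds for the `file` type also has an unbalanced quote in `'baseDir => '/path/to/dir',`, which will not parse when copied.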
@@ -186,15 +174,9 @@
 String $jvm_args = $rundeck::params::jvm_args,
 Hash $kerberos_realms = $rundeck::params::kerberos_realms,
 String $key_password = $rundeck::params::key_password,
- Enum['db', 'file', 'vault'] $key_storage_type = $rundeck::params::key_storage_type,
+ Array[Hash] $key_storage_config = $rundeck::params::key_storage_config,
 Stdlib::Absolutepath $keystore = $rundeck::params::keystore,
 String $keystore_password = $rundeck::params::keystore_password,
- Optional[Stdlib::HTTPSUrl] $vault_keystorage_url = undef,
- Optional[String[1]] $vault_keystorage_prefix = undef,
- Optional[String[1]] $vault_keystorage_approle_approleid = undef,
- Optional[String[1]] $vault_keystorage_approle_secretid = undef,
- Optional[String[1]] $vault_keystorage_approle_authmount = undef,
- Optional[String[1]] $vault_keystorage_authbackend = undef,
 String $log_properties_template = $rundeck::params::log_properties_template,
 Hash $mail_config = $rundeck::params::mail_config,
 Boolean $sshkey_manage = $rundeck::params::sshkey_manage,
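Review bot: Replacing the dedicated parameters with a bare `Array[Hash]` on the added line drops all compile-time validation the removed lines provided: the storage type is no longer constrained to a known set and the Vault address is no longer required to be a `Stdlib::HTTPSUrl`, so a misspelled key, a missing `path` or an `http://` Vault address that used to fail catalog compilation now passes and only surfaces at Rundeck runtime, presumably with the AppRole credentials then sent over plain HTTP in the last case. A `Struct` keeps the flexibility while restoring those checks, e.g. `Array[Struct[{ type => Enum['db', 'file', 'vault-storage'], path => Stdlib::Absolutepath, Optional[config] => Hash[String[1], Data] }]] $key_storage_config = $rundeck::params::key_storage_config,`, and the `address` value of a `vault-storage` entry can be asserted against `Stdlib::HTTPSUrl` in the class body. Since the `config` hash now carries the AppRole secret id that `$vault_keystorage_approle_secretid` used to hold, consider accepting `Sensitive` values there as well so the secret is redacted in reports and logs. The `class rundeck (` parameter list begins before and continues after this hunk.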