Update key storage parameters

The key storage type parameter limits the key storage entries to one.
I would be better to simplify this to one configurable hash.
Also remove vault specific parameters to limit breaking changes when vault-storage plugin updates config on their side.

README.md

@@ -24,7 +24,6 @@
 
 The rundeck puppet module for installing and managing [Rundeck](http://rundeck.org/)
 
-
 ### Supported Versions of Rundeck
 
 | Rundeck Version  | Rundeck Puppet module versions |
@@ -39,6 +38,7 @@ Rundeck Team decided to mark this package _obsolete_, making it difficult to mai
 backwards compatibility with releases older than 3.1.
 
 Trying to install any version prior to 3.1.0 will throw the following error message:
+
 ```
 Resolving Dependencies
 --> Running transaction check
@@ -52,6 +52,7 @@ If you need to downgrade and/or install a specific version of Rundeck older than
 to do it (v5.4.0 and prior), although you would need to [manually install the packages](https://github.com/rundeck/rundeck/issues/5168) disabling yum's obsoletes processing logic when performing updates.
 
 Ex:
+
 ```
 yum reinstall --setopt=obsoletes=0 rundeck-config-3.0.24.20190719-1.201907192053 rundeck-3.0.24.20190719-1.201907192053
 ```
@@ -65,7 +66,7 @@ rundeck, its projects, jobs and plugins.
 
 ## Setup
 
-###  Setup requirements
+### Setup requirements
 
 You need a compatible version of Java installed; you can use the
 [puppetlabs/java](https://github.com/puppetlabs/puppetlabs-java) module if there
@@ -82,6 +83,7 @@ The rundeck module primary class, guides the basic installation and management
 of rundeck on your system
 
 **Parameters within `rundeck`:**
+
 ##### `package_ensure`
 
 Ensure the state of the rundeck package, either present, absent or a specific version
@@ -304,43 +306,46 @@ Whether to manage `user` (and enforce `user_id` if set). Defaults to false.
 
 Whether to create the `rundeck_home` directory. Defaults to true.
 
-##### `keystorage_type`
+##### `keystorage_config`
 
-Which keystorage type should be used:
+An array with hashes of properties for customizing the [Rundeck Key Storage](https://docs.rundeck.com/docs/manual/key-storage/key-storage.html):
 
-* file - Default file based keystorage
-* db - Use DB as keystorage
-* vault - Use Hashicorp Vault
-  - An additional [Rundeck Vault plugin](https://github.com/rundeck-plugins/vault-storage/) is required.
+Ex:
+key_storage_config => [
+  {
+    'type' => 'file',
+    'path' => '/keys',
+    'config' => {
+      'baseDir' => /path/to/dir,
+    },
+  },
+  {
+    'type' => 'db',
+    'path' => '/keys/database',
+  },
+  {
+    'type' => 'vault-storage',
+    'path' => '/keys/vault',
+    'config'           => {
+      'prefix'           => 'rundeck',
+      'address'          => 'http://localhost',
+      'storageBehaviour' => 'vault',
+      'secretBackend'    => 'example',
+      'engineVersion'    => '2',
+      'authBackend'      => 'approle',
+      'approleAuthMount' => 'approle',
+      'approleId'        => 'xxx',
+      'approleSecretId'  => 'xxx',
+    },
+  },
+]
+
+* For vault-storage type An additional [Rundeck Vault plugin](https://github.com/rundeck-plugins/vault-storage/) is required.
 
 ##### `file_keystorage_dir`
 
 The location of stored data like public keys, private keys.
 
-##### `vault_keystorage_prefix`
-
-The prefix for the Hashicorp Vault keys. See [here](https://github.com/rundeck-plugins/vault-storage) for more information.
-
-##### `vault_keystorage_url`
-
-The URL for the Hashicorp Vault service
-
-##### `vault_keystorage_approle_approleid`
-
-The AppRole ID for the Hashicorp Vault access
-
-##### `vault_keystorage_approle_secretid`
-
-The Secret ID for the Hashicorp Vault access. Please note, that the Vault plugin isn't able to refresh the SecretID while running. You have to add a Cron job, to restart Rundeck. See [here](https://github.com/rundeck-plugins/vault-storage/issues/15#issuecomment-512815828) for more information.
-
-##### `vault_keystorage_approle_authmount`
-
-The AppRole Authmount for the Hashicorp Vault access
-
-##### `vault_keystorage_authbackend`
-
-The AuthBackend for the Hashicorp Vault, which should used
-
 #### Define: `rundeck::config::aclpolicyfile`
 
 A definition for creating custom acl policy files
@@ -512,7 +517,12 @@ associated parameters.
 
 ```puppet
 class { 'rundeck':
-  key_storage_type      => 'db',
+  key_storage_config => [
+    {
+      'type' => 'db',
+      'path' => '/',
+    },
+  ],
   projects_storage_type => 'db',
   database_config       => {
     'type'              => 'mysql',
@@ -574,6 +584,7 @@ It is tested with the OSS version of Puppet only.
 ## Development
 
 ### Contributing
+
 This module is maintained by [Vox Pupuli](https://voxpupuli.org/). Vox Pupuli
 welcomes new contributions to this module, especially those that include
 documentation and rspec tests. We are happy to provide guidance if necessary.

manifests/config.pp

@@ -21,20 +21,14 @@
   $file_default_mode                  = $rundeck::file_default_mode
   $file_keystorage_dir                = $rundeck::file_keystorage_dir
   $file_keystorage_keys               = $rundeck::file_keystorage_keys
-  $vault_keystorage_prefix            = $rundeck::vault_keystorage_prefix
-  $vault_keystorage_url               = $rundeck::vault_keystorage_url
-  $vault_keystorage_approle_approleid = $rundeck::vault_keystorage_approle_approleid
-  $vault_keystorage_approle_secretid  = $rundeck::vault_keystorage_approle_secretid
-  $vault_keystorage_approle_authmount = $rundeck::vault_keystorage_approle_authmount
-  $vault_keystorage_authbackend       = $rundeck::vault_keystorage_authbackend
   $grails_server_url                  = $rundeck::grails_server_url
   $group                              = $rundeck::group
   $gui_config                         = $rundeck::gui_config
   $java_home                          = $rundeck::java_home
   $jvm_args                           = $rundeck::jvm_args
   $kerberos_realms                    = $rundeck::kerberos_realms
   $key_password                       = $rundeck::key_password
-  $key_storage_type                   = $rundeck::key_storage_type
+  $key_storage_config                 = $rundeck::key_storage_config
   $keystore                           = $rundeck::keystore
   $keystore_password                  = $rundeck::keystore_password
   $log_properties_template            = $rundeck::log_properties_template

manifests/config/global/rundeck_config.pp

@@ -12,16 +12,10 @@
   $clustermode_enabled                  = $rundeck::config::clustermode_enabled
   $execution_mode                       = $rundeck::config::execution_mode
   $file_keystorage_dir                  = $rundeck::config::file_keystorage_dir
-  $vault_keystorage_prefix              = $rundeck::config::vault_keystorage_prefix
-  $vault_keystorage_url                 = $rundeck::config::vault_keystorage_url
-  $vault_keystorage_approle_approleid   = $rundeck::config::vault_keystorage_approle_approleid
-  $vault_keystorage_approle_secretid    = $rundeck::config::vault_keystorage_approle_secretid
-  $vault_keystorage_approle_authmount   = $rundeck::config::vault_keystorage_approle_authmount
-  $vault_keystorage_authbackend         = $rundeck::config::vault_keystorage_authbackend
   $grails_server_url                    = $rundeck::config::grails_server_url
   $group                                = $rundeck::config::group
   $gui_config                           = $rundeck::config::gui_config
-  $key_storage_type                     = $rundeck::config::key_storage_type
+  $key_storage_config                   = $rundeck::config::key_storage_config
   $mail_config                          = $rundeck::config::mail_config
   $preauthenticated_config              = $rundeck::config::preauthenticated_config
   $projects_storage_type                = $rundeck::config::projects_storage_type

manifests/init.pp

@@ -74,8 +74,8 @@
 # [*key_password*]
 #  The default key password.
 #
-# [*key_storage_type*]
-#  Type used to store secrets. Must be 'file', 'db' or 'vault'
+# [*key_storage_config*]
+#  An array with hashes of properties for customizing the [Rundeck Key Storage](https://docs.rundeck.com/docs/manual/key-storage/key-storage.html)
 #
 # [*keystore*]
 #  Full path to the java keystore to be used by Rundeck.
@@ -241,14 +241,8 @@
   String $jvm_args                                              = $rundeck::params::jvm_args,
   Hash $kerberos_realms                                         = $rundeck::params::kerberos_realms,
   String $key_password                                          = $rundeck::params::key_password,
-  Enum['db', 'file', 'vault'] $key_storage_type                 = $rundeck::params::key_storage_type,
+  Array[Hash] $key_storage_config                               = $rundeck::params::key_storage_config,
   Stdlib::Absolutepath $keystore                                = $rundeck::params::keystore,
-  Optional[Stdlib::HTTPSUrl] $vault_keystorage_url              = undef,
-  Optional[String[1]] $vault_keystorage_prefix                  = undef,
-  Optional[String[1]] $vault_keystorage_approle_approleid       = undef,
-  Optional[String[1]] $vault_keystorage_approle_secretid        = undef,
-  Optional[String[1]] $vault_keystorage_approle_authmount       = undef,
-  Optional[String[1]] $vault_keystorage_authbackend             = undef,
   String $keystore_password                                     = $rundeck::params::keystore_password,
   String $log_properties_template                               = $rundeck::params::log_properties_template,
   Hash $mail_config                                             = $rundeck::params::mail_config,

manifests/params.pp

@@ -275,8 +275,19 @@
 
   $kerberos_realms = {}
 
+  $file_keystorage_keys = {}
+  $file_keystorage_dir = "${framework_config['framework.var.dir']}/storage"
+
   $keystore = '/etc/rundeck/ssl/keystore'
-  $key_storage_type = 'file'
+  $key_storage_config = [
+    {
+      'type'   => 'file',
+      'path'   => '/',
+      'config' => {
+        'baseDir' => $file_keystorage_dir,
+      },
+    },
+  ]
   $projects_storage_type = 'filesystem'
   $keystore_password = 'adminadmin'
   $key_password = 'adminadmin'
@@ -314,9 +325,6 @@
 
   $rdeck_config_template = 'rundeck/rundeck-config.epp'
 
-  $file_keystorage_keys = {}
-  $file_keystorage_dir = "${framework_config['framework.var.dir']}/storage"
-
   $manage_default_admin_policy = true
   $manage_default_api_policy   = true
 

spec/classes/config/global/rundeck_config_spec.rb

@@ -98,8 +98,9 @@
           quartz.threadPool.threadCount = "10"
 
           rundeck.storage.provider."1".type = "file"
-          rundeck.storage.provider."1".config.baseDir = "/var/lib/rundeck/var/storage"
           rundeck.storage.provider."1".path = "/"
+          rundeck.storage.provider."1".config.baseDir = "/var/lib/rundeck/var/storage"
+
 
           rundeck.security.authorization.preauthenticated.enabled = "false"
           rundeck.security.authorization.preauthenticated.attributeName = "REMOTE_USER_GROUPS"

templates/rundeck-config.epp

@@ -69,25 +69,19 @@ rundeck.executionMode = "<%= $rundeck::config::global::rundeck_config::execution
 rundeck.projectsStorageType = "<%= $rundeck::config::global::rundeck_config::projects_storage_type %>"
 quartz.threadPool.threadCount = "<%= $rundeck::config::global::rundeck_config::quartz_job_threadcount %>"
 
-<%- if $rundeck::config::global::rundeck_config::key_storage_type == 'file' {-%>
-rundeck.storage.provider."1".type = "file"
-rundeck.storage.provider."1".config.baseDir = "<%= $rundeck::config::global::rundeck_config::file_keystorage_dir %>"
-<%-} elsif $rundeck::config::global::rundeck_config::key_storage_type == 'vault' {-%>
-rundeck.storage.provider."1".type = "vault-storage"
-rundeck.storage.provider."1".path = "keys"
-rundeck.storage.provider."1".config.prefix = "<%= $rundeck::config::global::rundeck_config::vault_keystorage_prefix %>"
-rundeck.storage.provider."1".config.address = "<%= $rundeck::config::global::rundeck_config::vault_keystorage_url %>"
-rundeck.storage.provider."1".config.storageBehaviour = "rundeck"
-rundeck.storage.provider."1".config.secretBackend = "kv"
-rundeck.storage.provider."1".config.approleId = "<%= $rundeck::config::global::rundeck_config::vault_keystorage_approle_approleid %>"
-rundeck.storage.provider."1".config.approleSecretId = "<%= $rundeck::config::global::rundeck_config::vault_keystorage_approle_secretid %>"
-rundeck.storage.provider."1".config.approleAuthMount = "<%= $rundeck::config::global::rundeck_config::vault_keystorage_approle_authmount %>"
-rundeck.storage.provider."1".config.authBackend = "<%= $rundeck::config::global::rundeck_config::vault_keystorage_authbackend %>"
-rundeck.storage.provider."1".removePathPrefix = true
-<%-} else {-%>
-rundeck.storage.provider."1".type = "db"
-<%- } -%>
-rundeck.storage.provider."1".path = "/"
+<%- $rundeck::config::global::rundeck_config::key_storage_config.each |$i, $cfg| { -%>
+rundeck.storage.provider."<%= $i+1 %>".type = "<%= $cfg['type'] %>"
+rundeck.storage.provider."<%= $i+1 %>".path = "<%= $cfg['path'] %>"
+<%- if $cfg['removePathPrefix'] { -%>
+rundeck.storage.provider."<%= $i+1 %>".removePathPrefix = <%= $cfg['removePathPrefix'] %>
+<%- } -%>
+<%- if $cfg['config'] { -%>
+<%- $cfg['config'].each |$k, $v| { -%>
+rundeck.storage.provider."<%= $i+1 %>".config.<%= $k %> = "<%= $v %>"
+<%- } -%>
+<%- } -%>
+<%- } -%>
+
 <%- if !$rundeck::config::global::rundeck_config::storage_encrypt_config.empty { -%>
 
   <%- $rundeck::config::global::rundeck_config::storage_encrypt_config.keys.sort.each |$k| { -%>