From ae2cd4da1394de1c23542465a072a28f66bf67ff Mon Sep 17 00:00:00 2001 From: Joris Van Acoleyen Date: Thu, 26 Oct 2023 07:16:08 +0200 Subject: [PATCH] Update key storage parameters The key storage type parameter limits the key storage entries to one. It would be better to simplify this to one configurable hash. Also remove vault-specific parameters to limit breaking changes when the vault-storage plugin updates config on their side. --- README.md | 77 +++++++++++-------- manifests/config.pp | 8 +- manifests/config/global/rundeck_config.pp | 8 +- manifests/init.pp | 12 +-- manifests/params.pp | 16 +++- .../config/global/rundeck_config_spec.rb | 3 +- templates/rundeck-config.epp | 32 ++++---- 7 files changed, 76 insertions(+), 80 deletions(-) diff --git a/README.md b/README.md index 545759f37..da2a7bc66 100644 --- a/README.md +++ b/README.md @@ -24,7 +24,6 @@ The rundeck puppet module for installing and managing [Rundeck](http://rundeck.org/) - ### Supported Versions of Rundeck | Rundeck Version | Rundeck Puppet module versions | @@ -39,6 +38,7 @@ Rundeck Team decided to mark this package _obsolete_, making it difficult to mai backwards compatibility with releases older than 3.1. Trying to install any version prior to 3.1.0 will throw the following error message: + ``` Resolving Dependencies --> Running transaction check @@ -52,6 +52,7 @@ If you need to downgrade and/or install a specific version of Rundeck older than to do it (v5.4.0 and prior), although you would need to [manually install the packages](https://github.com/rundeck/rundeck/issues/5168) disabling yum's obsoletes processing logic when performing updates. Ex: + ``` yum reinstall --setopt=obsoletes=0 rundeck-config-3.0.24.20190719-1.201907192053 rundeck-3.0.24.20190719-1.201907192053 ``` 
@@ -65,7 +66,7 @@ rundeck, its projects, jobs and plugins. ## Setup -### Setup requirements +### Setup requirements You need a compatible version of Java installed; you can use the [puppetlabs/java](https://github.com/puppetlabs/puppetlabs-java) module if there @@ -82,6 +83,7 @@ The rundeck module primary class, guides the basic installation and management of rundeck on your system **Parameters within `rundeck`:** + ##### `package_ensure` Ensure the state of the rundeck package, either present, absent or a specific version 
@@ -304,43 +306,46 @@ Whether to manage `user` (and enforce `user_id` if set). Defaults to false. Whether to create the `rundeck_home` directory. Defaults to true. -##### `keystorage_type` +##### `keystorage_config` -Which keystorage type should be used: +An array with hashes of properties for customizing the [Rundeck Key Storage](https://docs.rundeck.com/docs/manual/key-storage/key-storage.html): -* file - Default file based keystorage -* db - Use DB as keystorage -* vault - Use Hashicorp Vault - - An additional [Rundeck Vault plugin](https://github.com/rundeck-plugins/vault-storage/) is required. +Ex: +key_storage_config => [ + { + 'type' => 'file', + 'path' => '/keys', + 'config' => { + 'baseDir' => /path/to/dir, + }, + }, + { + 'type' => 'db', + 'path' => '/keys/database', + }, + { + 'type' => 'vault-storage', + 'path' => '/keys/vault', + 'config' => { + 'prefix' => 'rundeck', + 'address' => 'http://localhost', + 'storageBehaviour' => 'vault', + 'secretBackend' => 'example', + 'engineVersion' => '2', + 'authBackend' => 'approle', + 'approleAuthMount' => 'approle', + 'approleId' => 'xxx', + 'approleSecretId' => 'xxx', + }, + }, +] + +* For vault-storage type An additional [Rundeck Vault plugin](https://github.com/rundeck-plugins/vault-storage/) is required. ##### `file_keystorage_dir` The location of stored data like public keys, private keys. -##### `vault_keystorage_prefix` - -The prefix for the Hashicorp Vault keys. See [here](https://github.com/rundeck-plugins/vault-storage) for more information. - -##### `vault_keystorage_url` - -The URL for the Hashicorp Vault service - -##### `vault_keystorage_approle_approleid` - -The AppRole ID for the Hashicorp Vault access - -##### `vault_keystorage_approle_secretid` - -The Secret ID for the Hashicorp Vault access. Please note, that the Vault plugin isn't able to refresh the SecretID while running. You have to add a Cron job, to restart Rundeck. 
See [here](https://github.com/rundeck-plugins/vault-storage/issues/15#issuecomment-512815828) for more information.
-
-##### `vault_keystorage_approle_authmount`
-
-The AppRole Authmount for the Hashicorp Vault access
-
-##### `vault_keystorage_authbackend`
-
-The AuthBackend for the Hashicorp Vault, which should used
-
 #### Define: `rundeck::config::aclpolicyfile`
 A definition for creating custom acl policy files
@@ -512,7 +517,12 @@ associated parameters.
 ```puppet
 class { 'rundeck':
- key_storage_type => 'db',
+ key_storage_config => [
+ {
+ 'type' => 'db',
+ 'path' => '/',
+ },
+ ],
 projects_storage_type => 'db',
 database_config => {
 'type' => 'mysql',
@@ -574,6 +584,7 @@ It is tested with the OSS version of Puppet only.
 ## Development
 ### Contributing
+
 This module is maintained by [Vox Pupuli](https://voxpupuli.org/). Vox Pupuli welcomes new contributions to this module, especially those that include documentation and rspec tests. We are happy to provide guidance if necessary.
diff --git a/manifests/config.pp b/manifests/config.pp
index e646dffff..f835a76a1 100644
--- a/manifests/config.pp
+++ b/manifests/config.pp
@@ -21,12 +21,6 @@
 $file_default_mode = $rundeck::file_default_mode
 $file_keystorage_dir = $rundeck::file_keystorage_dir
 $file_keystorage_keys = $rundeck::file_keystorage_keys
- $vault_keystorage_prefix = $rundeck::vault_keystorage_prefix
- $vault_keystorage_url = $rundeck::vault_keystorage_url
- $vault_keystorage_approle_approleid = $rundeck::vault_keystorage_approle_approleid
- $vault_keystorage_approle_secretid = $rundeck::vault_keystorage_approle_secretid
- $vault_keystorage_approle_authmount = $rundeck::vault_keystorage_approle_authmount
- $vault_keystorage_authbackend = $rundeck::vault_keystorage_authbackend
 $grails_server_url = $rundeck::grails_server_url
 $group = $rundeck::group
 $gui_config = $rundeck::gui_config
@@ -34,7 +28,7 @@
 $jvm_args = $rundeck::jvm_args
 $kerberos_realms = $rundeck::kerberos_realms
 $key_password = $rundeck::key_password
- $key_storage_type = $rundeck::key_storage_type
+ $key_storage_config = $rundeck::key_storage_config
 $keystore = $rundeck::keystore
 $keystore_password = $rundeck::keystore_password
 $log_properties_template = $rundeck::log_properties_template
diff --git a/manifests/config/global/rundeck_config.pp b/manifests/config/global/rundeck_config.pp
index 2e355e7bb..d36aea5a0 100644
--- a/manifests/config/global/rundeck_config.pp
+++ b/manifests/config/global/rundeck_config.pp
@@ -12,16 +12,10 @@
 $clustermode_enabled = $rundeck::config::clustermode_enabled
 $execution_mode = $rundeck::config::execution_mode
 $file_keystorage_dir = $rundeck::config::file_keystorage_dir
- $vault_keystorage_prefix = $rundeck::config::vault_keystorage_prefix
- $vault_keystorage_url = $rundeck::config::vault_keystorage_url
- $vault_keystorage_approle_approleid = $rundeck::config::vault_keystorage_approle_approleid
- $vault_keystorage_approle_secretid = $rundeck::config::vault_keystorage_approle_secretid
- $vault_keystorage_approle_authmount = $rundeck::config::vault_keystorage_approle_authmount
- $vault_keystorage_authbackend = $rundeck::config::vault_keystorage_authbackend
 $grails_server_url = $rundeck::config::grails_server_url
 $group = $rundeck::config::group
 $gui_config = $rundeck::config::gui_config
- $key_storage_type = $rundeck::config::key_storage_type
+ $key_storage_config = $rundeck::config::key_storage_config
 $mail_config = $rundeck::config::mail_config
 $preauthenticated_config = $rundeck::config::preauthenticated_config
 $projects_storage_type = $rundeck::config::projects_storage_type
diff --git a/manifests/init.pp b/manifests/init.pp
index 056c77e05..95eb99f19 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -74,8 +74,8 @@
 # [*key_password*]
 # The default key password.
 #
-# [*key_storage_type*]
-# Type used to store secrets. Must be 'file', 'db' or 'vault'
+# [*key_storage_config*]
+# An array with hashes of properties for customizing the [Rundeck Key Storage](https://docs.rundeck.com/docs/manual/key-storage/key-storage.html)
 #
 # [*keystore*]
 # Full path to the java keystore to be used by Rundeck.
@@ -241,14 +241,8 @@
 String $jvm_args = $rundeck::params::jvm_args,
 Hash $kerberos_realms = $rundeck::params::kerberos_realms,
 String $key_password = $rundeck::params::key_password,
- Enum['db', 'file', 'vault'] $key_storage_type = $rundeck::params::key_storage_type,
+ Array[Hash] $key_storage_config = $rundeck::params::key_storage_config,
 Stdlib::Absolutepath $keystore = $rundeck::params::keystore,
- Optional[Stdlib::HTTPSUrl] $vault_keystorage_url = undef,
- Optional[String[1]] $vault_keystorage_prefix = undef,
- Optional[String[1]] $vault_keystorage_approle_approleid = undef,
- Optional[String[1]] $vault_keystorage_approle_secretid = undef,
- Optional[String[1]] $vault_keystorage_approle_authmount = undef,
- Optional[String[1]] $vault_keystorage_authbackend = undef,
 String $keystore_password = $rundeck::params::keystore_password,
 String $log_properties_template = $rundeck::params::log_properties_template,
 Hash $mail_config = $rundeck::params::mail_config,
diff --git a/manifests/params.pp b/manifests/params.pp
index b224fbd72..e26a72e65 100644
--- a/manifests/params.pp
+++ b/manifests/params.pp
@@ -275,8 +275,19 @@
 $kerberos_realms = {}
+ $file_keystorage_keys = {}
+ $file_keystorage_dir = "${framework_config['framework.var.dir']}/storage"
+
 $keystore = '/etc/rundeck/ssl/keystore'
- $key_storage_type = 'file'
+ $key_storage_config = [
+ {
+ 'type' => 'file',
+ 'path' => '/',
+ 'config' => {
+ 'baseDir' => $file_keystorage_dir,
+ },
+ },
+ ]
 $projects_storage_type = 'filesystem'
 $keystore_password = 'adminadmin'
 $key_password = 'adminadmin'
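Review bot: `Array[Hash] $key_storage_config` accepts entries without `type` or `path`, yet the template in this same patch interpolates `$cfg['type']` and `$cfg['path']` for every entry, so a malformed entry renders an empty `rundeck.storage.provider."N".type = ""` into rundeck-config.properties instead of failing at catalog compile time. A `Struct` pins the contract and also keeps `removePathPrefix` a boolean, which matters because the template emits that value unquoted: `Array[Struct[{ type => String[1], path => String[1], Optional[removePathPrefix] => Boolean, Optional[config] => Hash[String[1], Scalar] }]] $key_storage_config = $rundeck::params::key_storage_config,`. The removed `Optional[Stdlib::HTTPSUrl] $vault_keystorage_url` was also the only check that the Vault address used TLS; with a free-form `config` hash (the README example in this patch shows `'address' => 'http://localhost'`) that guarantee is gone, which deserves a sentence in the `key_storage_config` parameter comment. The enclosing class parameter list starts and ends outside the hunk.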
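Review bot: The new default `'baseDir' => $file_keystorage_dir` is evaluated once inside `rundeck::params`, so a user who only overrides `rundeck::file_keystorage_dir` (still a documented parameter in the README) keeps a `key_storage_config` whose `baseDir` points at the params default, whereas before this patch the template read `$rundeck::config::global::rundeck_config::file_keystorage_dir` directly. Unless init.pp re-derives the default outside this hunk, the directory the module manages and the directory Rundeck is told to use can silently diverge; either build the default from the final `$file_keystorage_dir` inside the `rundeck` class, or state in the `key_storage_config` parameter comment that `file_keystorage_dir` no longer affects the rendered `baseDir` and must be repeated inside `key_storage_config`.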
@@ -314,9 +325,6 @@
 $rdeck_config_template = 'rundeck/rundeck-config.epp'
- $file_keystorage_keys = {}
- $file_keystorage_dir = "${framework_config['framework.var.dir']}/storage"
-
 $manage_default_admin_policy = true
 $manage_default_api_policy = true
diff --git a/spec/classes/config/global/rundeck_config_spec.rb b/spec/classes/config/global/rundeck_config_spec.rb
index 19ab0c292..0571c3ca4 100644
--- a/spec/classes/config/global/rundeck_config_spec.rb
+++ b/spec/classes/config/global/rundeck_config_spec.rb
@@ -98,8 +98,9 @@
 quartz.threadPool.threadCount = "10"
 rundeck.storage.provider."1".type = "file"
- rundeck.storage.provider."1".config.baseDir = "/var/lib/rundeck/var/storage"
 rundeck.storage.provider."1".path = "/"
+ rundeck.storage.provider."1".config.baseDir = "/var/lib/rundeck/var/storage"
+
 rundeck.security.authorization.preauthenticated.enabled = "false"
 rundeck.security.authorization.preauthenticated.attributeName = "REMOTE_USER_GROUPS"
diff --git a/templates/rundeck-config.epp b/templates/rundeck-config.epp
index 31e81de6d..c769053cd 100644
--- a/templates/rundeck-config.epp
+++ b/templates/rundeck-config.epp
@@ -69,25 +69,19 @@ rundeck.executionMode = "<%= $rundeck::config::global::rundeck_config::execution
 rundeck.projectsStorageType = "<%= $rundeck::config::global::rundeck_config::projects_storage_type %>"
 quartz.threadPool.threadCount = "<%= $rundeck::config::global::rundeck_config::quartz_job_threadcount %>"
-<%- if $rundeck::config::global::rundeck_config::key_storage_type == 'file' {-%>
-rundeck.storage.provider."1".type = "file"
-rundeck.storage.provider."1".config.baseDir = "<%= $rundeck::config::global::rundeck_config::file_keystorage_dir %>"
-<%-} elsif $rundeck::config::global::rundeck_config::key_storage_type == 'vault' {-%>
-rundeck.storage.provider."1".type = "vault-storage"
-rundeck.storage.provider."1".path = "keys"
-rundeck.storage.provider."1".config.prefix = "<%= $rundeck::config::global::rundeck_config::vault_keystorage_prefix %>"
-rundeck.storage.provider."1".config.address = "<%= $rundeck::config::global::rundeck_config::vault_keystorage_url %>"
-rundeck.storage.provider."1".config.storageBehaviour = "rundeck"
-rundeck.storage.provider."1".config.secretBackend = "kv"
-rundeck.storage.provider."1".config.approleId = "<%= $rundeck::config::global::rundeck_config::vault_keystorage_approle_approleid %>"
-rundeck.storage.provider."1".config.approleSecretId = "<%= $rundeck::config::global::rundeck_config::vault_keystorage_approle_secretid %>"
-rundeck.storage.provider."1".config.approleAuthMount = "<%= $rundeck::config::global::rundeck_config::vault_keystorage_approle_authmount %>"
-rundeck.storage.provider."1".config.authBackend = "<%= $rundeck::config::global::rundeck_config::vault_keystorage_authbackend %>"
-rundeck.storage.provider."1".removePathPrefix = true
-<%-} else {-%>
-rundeck.storage.provider."1".type = "db"
-<%- } -%>
-rundeck.storage.provider."1".path = "/"
+<%- $rundeck::config::global::rundeck_config::key_storage_config.each |$i, $cfg| { -%>
+rundeck.storage.provider."<%= $i+1 %>".type = "<%= $cfg['type'] %>"
+rundeck.storage.provider."<%= $i+1 %>".path = "<%= $cfg['path'] %>"
+<%- if $cfg['removePathPrefix'] { -%>
+rundeck.storage.provider."<%= $i+1 %>".removePathPrefix = <%= $cfg['removePathPrefix'] %>
+<%- } -%>
+<%- if $cfg['config'] { -%>
+<%- $cfg['config'].each |$k, $v| { -%>
+rundeck.storage.provider."<%= $i+1 %>".config.<%= $k %> = "<%= $v %>"
+<%- } -%>
+<%- } -%>
+<%- } -%>
+
 <%- if !$rundeck::config::global::rundeck_config::storage_encrypt_config.empty { -%>
 <%- $rundeck::config::global::rundeck_config::storage_encrypt_config.keys.sort.each |$k| { -%>