Puppet Class: vault

Inherits: vault::params
Defined in: manifests/init.pp

Summary

install hashicorp vault

Overview

Agent specific parameters

Parameters:

  • user (Any) (defaults to: 'vault')

    Customise the user Vault runs as. The user will also be created unless `manage_user` is false.

  • manage_user (Any) (defaults to: true)

    Whether or not the module should create the user.

  • group (Any) (defaults to: 'vault')

    Customise the group Vault runs as. The group will also be created unless `manage_group` is false.

  • manage_group (Any) (defaults to: true)

    Whether or not the module should create the group.

  • bin_dir (Any) (defaults to: $vault::params::bin_dir)

    Directory the vault executable will be installed in.

  • config_dir (Any) (defaults to: if $install_method == 'repo' and $manage_repo { '/etc/vault.d' } else { '/etc/vault' })

    Directory the vault configuration will be kept in.

  • config_mode (Any) (defaults to: '0750')

    Mode of the configuration file (config.json). Defaults to `0750`.

  • purge_config_dir (Any) (defaults to: true)

    Whether the `config_dir` should be purged before installing the generated config.

  • download_url (Any) (defaults to: undef)

    Manual URL to download the vault zip distribution from.

  • download_url_base (Any) (defaults to: 'https://releases.hashicorp.com/vault/')

    Hashicorp base URL to download vault zip distribution from.

  • download_extension (Any) (defaults to: 'zip')

    The extension of the vault download

  • service_name (Any) (defaults to: 'vault')

    Customise the name of the system service

  • service_provider (Any) (defaults to: $facts['service_provider'])

    Customise the name of the system service provider; this also controls the init configuration files that are installed.

  • service_options (Any) (defaults to: '')

    Extra arguments to pass to `vault server`, as per `vault server --help`.

  • manage_repo (Boolean) (defaults to: $vault::params::manage_repo)

    Configure the upstream HashiCorp repository. Only relevant when `install_method` is `repo`.

  • manage_service (Any) (defaults to: true)

    Instruct puppet to manage service or not

  • num_procs (Any) (defaults to: $facts['processors']['count'])

    Sets the GOMAXPROCS environment variable, which determines how many CPUs Vault can use. The official Vault Terraform install.sh script sets this to the output of `nproc`, with the comment "Make sure to use all our CPUs, because Vault can block a scheduler thread". Default: number of CPUs on the system, retrieved from the `processorcount` fact.

  • api_addr (Optional[String]) (defaults to: undef)

    Specifies the address (full URL) to advertise to other Vault servers in the cluster for client redirection. This value is also used for plugin backends. It can also be provided via the environment variable VAULT_API_ADDR. In general this should be set to a full URL that points to the listener address.

  • version (Any) (defaults to: '1.12.0')

    The version of Vault to install

  • mode (Enum['server', 'agent']) (defaults to: 'server')

    Whether to start Vault in `server` or `agent` mode

  • extra_config (Hash) (defaults to: {})

    Hash containing extra configuration options to merge with the generated config

  • enable_ui (Optional[Boolean]) (defaults to: undef)

    Whether to enable the Vault web UI

  • arch (Any) (defaults to: $vault::params::arch)

    System architecture for the Vault binary (automatically determined)

  • os (Any) (defaults to: downcase($facts['kernel']))

    Operating system for the Vault binary (automatically determined)

  • manage_download_dir (Any) (defaults to: false)

    Whether to manage the download directory

  • download_dir (Any) (defaults to: '/tmp')

    Directory where the Vault archive will be downloaded

  • package_ensure (Any) (defaults to: 'installed')

    The state the package should be in (installed, absent, latest)

  • package_name (Any) (defaults to: 'vault')

    Name of the Vault package

  • install_method (Any) (defaults to: $vault::params::install_method)

    Installation method: `archive` or `repo`

  • manage_file_capabilities (Any) (defaults to: undef)

    Whether to manage Linux file capabilities for vault binary

  • disable_mlock (Any) (defaults to: undef)

    Whether to disable the memory lock capability

  • max_lease_ttl (Optional[String]) (defaults to: undef)

    Specifies the maximum possible lease duration for tokens and secrets

  • default_lease_ttl (Optional[String]) (defaults to: undef)

    Specifies the default lease duration for tokens and secrets

  • telemetry (Optional[Hash]) (defaults to: undef)

    Hash containing Vault telemetry configuration

  • disable_cache (Optional[Boolean]) (defaults to: undef)

    Disable caching

  • seal (Optional[Hash]) (defaults to: undef)

    Hash containing seal configuration options

  • ha_storage (Optional[Hash]) (defaults to: undef)

    Hash containing storage configuration for HA setup

  • listener (Variant[Hash, Array[Hash]]) (defaults to: { 'tcp' => { 'address' => '127.0.0.1:8200', 'tls_disable' => 1 }, })

    Hash or Array of hashes containing listener configuration

  • manage_storage_dir (Any) (defaults to: false)

    Whether to manage the storage directory

  • storage (Hash) (defaults to: { 'file' => { 'path' => '/var/lib/vault' } })

    Hash containing storage configuration

  • manage_service_file (Optional[Boolean]) (defaults to: $vault::params::manage_service_file)

    Whether to manage the service file

  • service_ensure (Any) (defaults to: 'running')

    Desired state of the Vault service (running, stopped)

  • service_enable (Any) (defaults to: true)

    Whether to enable the Vault service on boot

  • manage_config_file (Any) (defaults to: true)

    Whether to manage the Vault config file

  • download_filename (Any) (defaults to: 'vault.zip')

    Filename for the downloaded archive

  • manage_config_dir (Boolean) (defaults to: $install_method == 'archive')

    Whether to manage the configuration directory

  • agent_vault (Optional[Hash]) (defaults to: undef)

    Hash containing Vault server connection configuration for agent mode

  • agent_auto_auth (Optional[Hash]) (defaults to: undef)

    Hash containing auto-auth configuration for agent mode

  • agent_api_proxy (Optional[Hash]) (defaults to: undef)

    Hash containing API proxy configuration for agent mode

  • agent_cache (Optional[Hash]) (defaults to: undef)

    Hash containing cache configuration for agent mode

  • agent_listeners (Optional[Array[Hash]]) (defaults to: undef)

    Array of hashes containing listener configuration for agent mode

  • agent_template (Optional[Hash]) (defaults to: undef)

    Hash containing template configuration for agent mode

  • agent_template_config (Optional[Hash]) (defaults to: undef)

    Hash containing template engine configuration for agent mode

  • agent_exec (Optional[Hash]) (defaults to: undef)

    Hash containing exec configuration for agent mode

  • agent_env_template (Optional[Hash]) (defaults to: undef)

    Hash containing environment template configuration for agent mode

  • agent_telemetry (Optional[Hash]) (defaults to: undef)

    Hash containing telemetry configuration for agent mode
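As an added example (not part of the module's own documentation), the following profile declares the `vault` class with the defaults that matter for hardening overridden: the shipped listener binds to loopback with `tls_disable => 1`, so a TLS listener, an explicit `api_addr`, a non-world-readable config mode and bounded lease TTLs are set here instead. The certificate paths, host and `profile::vault_server` name are assumed placeholders; the keys inside `listener` and `storage` are Vault's own `tcp` listener and `file` storage options, passed through unchanged by the module.

```puppet
# Added example: a wrapper profile for the vault class. Paths and names are
# placeholders; adjust them for the target host.
class profile::vault_server (
  String $fqdn = $facts['networking']['fqdn'],
) {
  class { 'vault':
    version        => '1.12.0',
    install_method => 'repo',
    manage_repo    => true,
    # Keep mlock on so secret material is not paged to swap; the module can
    # grant the file capability the binary needs instead of running as root.
    disable_mlock            => false,
    manage_file_capabilities => true,
    # Replace the default loopback, plaintext listener with a TLS listener.
    listener => {
      'tcp' => {
        'address'         => '0.0.0.0:8200',
        'tls_cert_file'   => '/etc/vault/tls/vault.crt', # placeholder path
        'tls_key_file'    => '/etc/vault/tls/vault.key', # placeholder path
        'tls_min_version' => 'tls12',
      },
    },
    # Advertised URL must match what clients and peers can actually reach.
    api_addr           => "https://${fqdn}:8200",
    storage            => { 'file' => { 'path' => '/var/lib/vault' } },
    manage_storage_dir => true,
    # Bound lease lifetimes so leaked tokens and secrets expire.
    default_lease_ttl  => '1h',
    max_lease_ttl      => '24h',
    enable_ui          => false,
    # config.json may carry TLS paths and storage details: owner/group only.
    config_mode        => '0640',
    purge_config_dir   => true,
    # Merged into the generated config; log_level is a Vault top-level key.
    extra_config       => { 'log_level' => 'info' },
  }
}
```

The ordering in the class itself (`vault::install` -> `vault::config` ~> `vault::service`) means a change to any of these values rewrites the config and restarts the service on the next agent run.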



# File 'manifests/init.pp', line 92

class vault (
  $user                                  = 'vault',
  $manage_user                           = true,
  $group                                 = 'vault',
  $manage_group                          = true,
  $bin_dir                               = $vault::params::bin_dir,
  $manage_config_file                    = true,
  Enum['server', 'agent'] $mode          = 'server',
  $config_mode                           = '0750',
  $purge_config_dir                      = true,
  $download_url                          = undef,
  $download_url_base                     = 'https://releases.hashicorp.com/vault/',
  $download_extension                    = 'zip',
  $service_name                          = 'vault',
  $service_enable                        = true,
  $service_ensure                        = 'running',
  $service_provider                      = $facts['service_provider'],
  Boolean $manage_repo                   = $vault::params::manage_repo,
  $manage_service                        = true,
  Optional[Boolean] $manage_service_file = $vault::params::manage_service_file,
  Hash $storage                          = { 'file' => { 'path' => '/var/lib/vault' } },
  $manage_storage_dir                    = false,
  Variant[Hash, Array[Hash]] $listener   = { 'tcp' => { 'address' => '127.0.0.1:8200', 'tls_disable' => 1 }, },
  Optional[Hash] $ha_storage             = undef,
  Optional[Hash] $seal                   = undef,
  Optional[Boolean] $disable_cache       = undef,
  Optional[Hash] $telemetry              = undef,
  Optional[String] $default_lease_ttl    = undef,
  Optional[String] $max_lease_ttl        = undef,
  $disable_mlock                         = undef,
  $manage_file_capabilities              = undef,
  $service_options                       = '',
  $num_procs                             = $facts['processors']['count'],
  $install_method                        = $vault::params::install_method,
  $config_dir                            = if $install_method == 'repo' and $manage_repo { '/etc/vault.d' } else { '/etc/vault' },
  $package_name                          = 'vault',
  $package_ensure                        = 'installed',
  $download_dir                          = '/tmp',
  $manage_download_dir                   = false,
  $download_filename                     = 'vault.zip',
  $version                               = '1.12.0',
  $os                                    = downcase($facts['kernel']),
  $arch                                  = $vault::params::arch,
  Optional[Boolean] $enable_ui           = undef,
  Optional[String] $api_addr             = undef,
  Hash $extra_config                     = {},
  Boolean $manage_config_dir             = $install_method == 'archive',
  # Agent specific parameters
  Optional[Hash] $agent_vault            = undef,
  Optional[Hash] $agent_auto_auth        = undef,
  Optional[Hash] $agent_api_proxy        = undef,
  Optional[Hash] $agent_cache            = undef,
  Optional[Array[Hash]] $agent_listeners = undef,
  Optional[Hash] $agent_template         = undef,
  Optional[Hash] $agent_template_config  = undef,
  Optional[Hash] $agent_exec             = undef,
  Optional[Hash] $agent_env_template     = undef,
  Optional[Hash] $agent_telemetry        = undef,
) inherits vault::params {
  # lint:ignore:140chars
  $real_download_url = pick($download_url, "${download_url_base}${version}/${package_name}_${version}_${os}_${arch}.${download_extension}")
  # lint:endignore

  contain vault::install
  contain vault::config
  contain vault::service

  Class['vault::install'] -> Class['vault::config']
  Class['vault::config'] ~> Class['vault::service']
}