Puppet Class: vault_secrets

Defined in:
manifests/init.pp

Summary

Issue and renew PKI certificates from Hashicorp Vault

Overview

Examples:

Issue a host certificate from a Vault server running the PKI secrets engine

class { 'vault_secrets':
  vault_uri  => 'https://vault.example.com:8200/v1/pki/issue/example-com',
  auth_path  => 'puppet-pki',
}

Parameters:

  • vault_uri (String)

    The complete URL of the Hashicorp Vault certificate-issuing role API endpoint (the `/v1/<pki mount>/issue/<role>` path)

  • auth_path (String)

    The Vault mount path of the authentication method that Puppet certificates authenticate against (the ‘path’ shown by ‘vault auth list’, without the trailing slash)

  • days_before_renewal (Integer[1, 30]) (defaults to: 3)

    The number of days before expiration at which the host certificate will be re-issued. A certificate whose remaining lifetime is unknown is treated as expired and re-issued on the next run.

  • cert_data (Hash) (defaults to: {})

    A hash of values to be submitted with the certificate request. The keys and values must be ones permitted by the PKI role and by the Vault policy bound to the authenticating identity; a request that asks for more than the role allows is rejected by Vault. Basic default values are defined in module hiera data.
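As an added example (not part of the module's documentation), the profile below declares the class with request data and makes a service restart whenever the certificate is renewed. It assumes the `example-com` PKI role permits the keys used (`common_name`, `alt_names` and `ttl` are standard Vault PKI issue parameters), that the service configuration already points at the paths reported by the `vault_cert` fact, and that the profile and service names are placeholders.

```puppet
# Added example, not the module's own code. Names and paths are assumptions.
class profile::vault_host_cert {
  $fqdn = $facts['networking']['fqdn']

  class { 'vault_secrets':
    vault_uri           => 'https://vault.example.com:8200/v1/pki/issue/example-com',
    auth_path           => 'puppet-pki',
    days_before_renewal => 7,
    cert_data           => {
      # Ask only for what the role allows; an over-broad SAN or TTL is refused.
      'common_name' => $fqdn,
      'alt_names'   => "${fqdn},${facts['networking']['hostname']}",
      'ttl'         => '720h',
    },
  }

  # The class declares File[$cert] and File[$key] on every run, so they can be
  # referenced here whether or not a new certificate was issued this time. A
  # renewal rewrites the files, which refreshes the service.
  service { 'nginx':
    ensure    => running,
    enable    => true,
    subscribe => [File[$vault_secrets::cert], File[$vault_secrets::key]],
  }
}
```

The class also runs the command looked up from the `vault_secrets::update_trust_cmd` hiera key after writing the CA chain file, so set that key for your platform (for example `update-ca-trust` on Enterprise Linux) before applying the profile.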

# File 'manifests/init.pp', line 19

class vault_secrets (
  String $vault_uri,
  String $auth_path,
  Integer[1, 30] $days_before_renewal = 3,
  Hash $cert_data                     = {},
) {
  # The 'vault_cert' structured fact reports the cert, key and CA chain paths
  # plus the state of the certificate currently on disk.
  $vault_cert = fact('vault_cert')
  $cert = $vault_cert.dig('cert')
  $key = $vault_cert.dig('key')
  $ca_chain = $vault_cert.dig('ca_chain')
  # A missing 'valid' key (no certificate yet) counts as invalid.
  $v = $vault_cert.dig('valid')
  $valid = $v ? {
    undef   => false,
    default => $v,
  }
  # A missing or 'unknown' remaining lifetime is treated as 0 days so that the
  # host always falls through to issuance rather than keeping a bad certificate.
  $x = $vault_cert.dig('days_remaining')
  $days_remaining = $x ? {
    undef     => 0,
    'unknown' => 0,
    default   => $x,
  }

  if !$valid or $days_remaining < $days_before_renewal {
    # Issue a new certificate from the Vault PKI endpoint
    $host_cert = vault_cert($vault_uri, $auth_path, $cert_data)

    # Create certificate and key files from the 'host_cert' hash data
    file {
      default:
        ensure => file,
        owner  => 'root',
        group  => 'root',
        ;
      $cert:
        mode      => '0644',
        content   => $host_cert['certificate'],
        show_diff => false,
        ;
      $key:
        mode      => '0600',
        content   => $host_cert['private_key'],
        show_diff => false,
        ;
      $ca_chain:
        mode    => '0644',
        content => join($host_cert['ca_chain'], "\n"),
        notify  => Exec['vault update-ca-trust'],
    }
  } else {
    # When certificate files are not being updated, we still define them in the
    # catalog as file resources so they can always be referenced by other resources.
    file {
      default:
        ensure => file,
        owner  => 'root',
        group  => 'root',
        ;
      $cert:
        mode    => '0644',
        ;
      $key:
        mode    => '0600',
        ;
      $ca_chain:
        mode    => '0644',
    }
  }

  exec { 'vault update-ca-trust':
    path        => '/sbin:/usr/sbin:/bin:/usr/bin',
    command     => lookup('vault_secrets::update_trust_cmd'),
    refreshonly => true,
  }
}