# Cookbook Name:: mu-master
# Recipe:: vault
#
# Copyright:: Copyright (c) 2017 eGlobalTech, Inc., all rights reserved
#
# Licensed under the BSD-3 license (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License in the root of the project or at
#
# http://egt-labs.com/mu/LICENSE.html
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# This recipe is meant to be invoked standalone, by chef-apply. It can safely
# be invoked during a regular chef-client run.
#
# When modifying this recipe, DO NOT ADD EXTERNAL DEPENDENCIES. That means no
# references to other cookbooks, no include_recipes, no cookbook_files, no
# templates.
#
# NOTE(review): the include_recipe of mu-master::firewall-holes that follows
# already breaks the "no include_recipes" rule. It points at this same
# cookbook, so it is not a cross-cookbook dependency, but chef-apply runs a
# bare recipe file with no cookbook collection to resolve the include against,
# so the standalone invocation described above is likely to fail at that line.
# Either inline the firewall rules here or drop the chef-apply claim.
# Open the firewall ports this host needs; the recipe lives in this same
# cookbook, so it is not a cross-cookbook dependency.
# NOTE(review): the header above forbids include_recipe here; under a
# standalone chef-apply run this include may not resolve -- confirm before
# relying on that invocation path.
include_recipe("mu-master::firewall-holes")
# Mangle a bunch of values used by the Consul and Vault community cookbooks
#node.normal['consul']['config']['bootstrap_expect'] = 1 # XXX we only want this on our first run, maybe figure out how to toss it later
#node.normal['consul']['config']['start_join'] = ["127.0.0.1"]
#node.normal['consul']['config']['ca_file'] = "#{$MU_CFG['datadir']}/ssl/Mu_CA.pem"
#node.normal['consul']['config']['key_file'] = "#{$MU_CFG['datadir']}/ssl/consul.key"
#node.normal['consul']['config']['cert_file'] = "#{$MU_CFG['datadir']}/ssl/consul.crt"
#consul_public = $MU_CFG['public_address']
#if !consul_public.match(/^\d+\.\d+\.\d+\.\d+$/)
# resolver = Resolv::DNS.new
# begin
# consul_public = resolver.getaddress(consul_public).to_s
# end
#end
## Strictly speaking we could split internal vs. external IPs here, but at the
## moment we're treating everything not local to this machine as public anyway.
## NOTE(review): with bind_addr "0.0.0.0" and the Vault listener on
## 0.0.0.0:8200 (both set below), each daemon would accept connections on every
## interface, and advertise_addr publishes the public address to peers. Nothing
## in this block restricts who can reach them; the host firewall is the only
## gate shown, and Consul/Vault client authentication (e.g. verify_incoming)
## is not configured here. Confirm that before reinstating any of this.
#node.normal['consul']['config']['advertise_addr'] = consul_public
#node.normal['consul']['config']['advertise_addr_wan'] = consul_public
#node.normal['consul']['config']['bind_addr'] = "0.0.0.0"
#node.normal['consul-cluster']['tls']
#node.normal['hashicorp-vault']['config']['tls_key_file'] = "#{$MU_CFG['datadir']}/ssl/vault.key"
#node.normal['hashicorp-vault']['config']['tls_cert_file'] = "#{$MU_CFG['datadir']}/ssl/vault.crt"
#node.normal['hashicorp-vault']['config']['address'] = '0.0.0.0:8200'
#node.save
#["consul", "vault"].each { |cert|
# # These community cookbooks aren't bright enough to deal with a stringent
# # umask, and create these unreadable by the application if we don't do it for
# # them.
# # NOTE(review): the ownership fixups for the .crt/.key files further down set
# # owner only and never set a mode, so whatever permissions the key file ended
# # up with are kept as-is. If this block is ever reinstated, give the private
# # key an explicit `mode 0600` (and the .crt 0644) rather than relying on the
# # umask or on the community cookbook's defaults.
# directory "fix /opt/#{cert} permissions" do
# path "/opt/#{cert}"
# mode 0755
# notifies :restart, "service[#{cert}]", :delayed
# end
#}
#include_recipe "consul-cluster"
#include_recipe "vault-cluster"
#["consul", "vault"].each { |cert|
# file "fix #{cert} cert permissions" do
# path "#{$MU_CFG['datadir']}/ssl/#{cert}.crt"
# owner cert
# notifies :restart, "service[#{cert}]", :delayed
# end
# file "fix #{cert} key permissions" do
# path "#{$MU_CFG['datadir']}/ssl/#{cert}.key"
# notifies :restart, "service[#{cert}]", :delayed
# owner cert
# end
# }
#directory "/opt/vault/#{node['hashicorp-vault']['version']}" do
# mode 0755
# notifies :restart, "service[vault]", :delayed
#end
#directory "/etc/consul/ssl" do
# owner "consul"
# group "consul"
# mode 0755
#end
#directory "/etc/vault" do
# owner "root"
# mode 0755
#end
#directory "/etc/vault/ssl" do
# owner "root"
# mode 0755
#end
#directory "/etc/consul/ssl/CA" do
# owner "root"
# mode 0755
#end
#include_recipe 'chef-vault'
#file "/etc/consul/ssl/CA/ca.crt" do
# mode 0644
# content chef_vault_item("secrets", "consul")["ca_certificate"]
#end
#service "consul" do
# action [:enable, :start]
#end
#service "vault" do
# action [:enable, :start]
#end