Skip to content

Commit

Permalink
simplify shasums signature verification; move setcap to server state
Browse files Browse the repository at this point in the history
  • Loading branch information
dafyddj committed Oct 21, 2018

Verified

This commit was signed with the committer’s verified signature.
lukaszlenart Lukasz Lenart
1 parent c391faa commit c829eac
Showing 7 changed files with 80 additions and 80 deletions.
1 change: 1 addition & 0 deletions .kitchen.yml
Original file line number Diff line number Diff line change
@@ -52,6 +52,7 @@ suites:
vault:
# version: 0.11.1 # test upgrades by doing a double-converge, changing the version pillar between each one
version: 0.11.2
secure_download: false

- name: dev_server
provisioner:
6 changes: 6 additions & 0 deletions test/integration/prod_server/vault_spec.rb
Original file line number Diff line number Diff line change
@@ -4,6 +4,12 @@
its(:stdout) { should match(/^Vault v[0-9\.]+ \('[0-9a-f]+'\)/) }
end

describe command('getcap $(readlink -f /usr/local/bin/vault)') do
its(:exit_status) { should eq 0 }
its(:stderr) { should be_empty }
its(:stdout) { should match(/\/vault = cap_ipc_lock\+ep$/) }
end

describe file('/etc/vault/config/server.hcl') do
it { should be_a_file }
end
1 change: 1 addition & 0 deletions vault/defaults.yaml
Original file line number Diff line number Diff line change
@@ -15,6 +15,7 @@ vault:
path: /var/lib/vault/data
dev_mode: true
secure_download: true
gpg_pkg: gnupg
user: root
group: root
hashicorp_gpg_key: |
127 changes: 51 additions & 76 deletions vault/init.sls
Original file line number Diff line number Diff line change
@@ -1,85 +1,60 @@
{% from "vault/map.jinja" import vault with context %}
# using archive.extracted causes: 'Comment: Failed to cache https://releases.hashicorp.com/vault/0.7.0/vault_0.7.0_linux_amd64.zip: [Errno 1] _ssl.c:493: error:1409442E:SSL routines:SSL3_READ_BYTES:tlsv1 alert protocol version'
#vault packages:
# pkg.installed:
# - names:
# - unzip
# - curl
# {% if vault.secure_download %}
# {% if grains['os'] == 'CentOS' or grains['os'] == 'Amazon' %}
# - gnupg2
# - perl-Digest-SHA
# {% elif grains['os'] == 'Ubuntu' %}
# - gnupg
# - libdigest-sha-perl
# {% endif %}
# {% endif %}
/opt/vault/{{ vault.version }}/bin:
{% set version = vault.version %}
/opt/vault/{{ version }}/vault_{{ version }}_SHA256SUMS:
file.managed:
- source: https://releases.hashicorp.com/vault/{{ version }}/vault_{{ version }}_SHA256SUMS
- makedirs: true
- skip_verify: true
/opt/vault/{{ version }}/bin:
archive.extracted:
- source: https://releases.hashicorp.com/vault/{{ vault.version }}/vault_{{ vault.version }}_linux_amd64.zip
- source_hash: https://releases.hashicorp.com/vault/{{ vault.version }}/vault_{{ vault.version }}_SHA256SUMS
- source: https://releases.hashicorp.com/vault/{{ version }}/vault_{{ version }}_linux_amd64.zip
- source_hash: /opt/vault/{{ version }}/vault_{{ version }}_SHA256SUMS
- enforce_toplevel: false
- require:
- /opt/vault/{{ version }}/vault_{{ version }}_SHA256SUMS
/usr/local/bin/vault:
file.symlink:
- target: /opt/vault/{{ vault.version }}/bin/vault
- target: /opt/vault/{{ version }}/bin/vault
- force: true
- require:
- /opt/vault/{{ vault.version }}/bin
- /opt/vault/{{ version }}/bin
{% if vault.secure_download -%}
/opt/vault/{{ version }}/vault_{{ version }}_SHA256SUMS.sig:
file.managed:
- source: https://releases.hashicorp.com/vault/{{ version }}/vault_{{ version }}_SHA256SUMS.sig
- skip_verify: true
- require:
- /opt/vault/{{ version }}/vault_{{ version }}_SHA256SUMS
#{% if vault.secure_download %}
#download shasums:
# cmd.run:
# - name: curl --silent -L https://releases.hashicorp.com/vault/{{ vault.version }}/vault_{{ vault.version }}_SHA256SUMS -o /tmp/vault_{{ vault.version }}_SHA256SUMS
# - creates: /tmp/vault_{{ vault.version }}_SHA256SUMS
#
#download shasums sig:
# cmd.run:
# - name: curl --silent -L https://releases.hashicorp.com/vault/{{ vault.version }}/vault_{{ vault.version }}_SHA256SUMS.sig -o /tmp/vault_{{ vault.version }}_SHA256SUMS.sig
# - creates: /tmp/vault_{{ vault.version }}_SHA256SUMS.sig
#
#/tmp/hashicorp.asc:
# file.managed:
# - source: salt://vault/files/hashicorp.asc.jinja
# - template: jinja
#
#import key:
# cmd.run:
# - name: gpg --import /tmp/hashicorp.asc
# - unless: gpg --list-keys {{ vault.hashicorp_key_id }}
# - requires:
# - file: /tmp/hashicorp.asc
# - cmd: vault packages
#
#verify shasums sig:
# cmd.run:
# - name: gpg --verify /tmp/vault_{{ vault.version }}_SHA256SUMS.sig /tmp/vault_{{ vault.version }}_SHA256SUMS
# - require:
# - cmd: download shasums
# - cmd: import key
#
#verify vault:
# cmd.run:
# - name: "shasum -a 256 -c vault_{{ vault.version }}_SHA256SUMS 2>&1 | grep -q \"vault_{{ vault.version }}_linux_amd64.zip: OK\""
# - cwd: /tmp
# - require:
# - cmd: download vault
# - cmd: verify shasums sig
#{% endif %}
#
#install vault:
# cmd.run:
# - name: unzip /tmp/vault_{{ vault.version }}_linux_amd64.zip -d /usr/local/bin && chmod 0755 /usr/local/bin/vault && chown root:root /usr/local/bin/vault
# - require:
# - cmd: download vault
# - pkg: unzip
# {% if vault.secure_download %}
# - cmd: verify vault
# {% endif %}
# - creates: /usr/local/bin/vault
#
#vault set cap mlock:
# cmd.run:
# - name: "setcap cap_ipc_lock=+ep /usr/local/bin/vault"
# - onchanges:
# - cmd: install vault
/tmp/hashicorp.asc:
file.managed:
- source: salt://vault/files/hashicorp.asc.jinja
- template: jinja
vault_gpg_pkg:
pkg.installed:
- name: {{ vault.gpg_pkg }}
import key:
cmd.run:
- name: gpg --import /tmp/hashicorp.asc
- unless: gpg --list-keys {{ vault.hashicorp_key_id }}
- require:
- /tmp/hashicorp.asc
- vault_gpg_pkg
verify shasums sig:
cmd.run:
- name: gpg --verify /opt/vault/{{ version }}/vault_{{ version }}_SHA256SUMS.sig /opt/vault/{{ version }}/vault_{{ version }}_SHA256SUMS
- require:
- /opt/vault/{{ version }}/vault_{{ version }}_SHA256SUMS.sig
- import key
- prereq:
- /usr/local/bin/vault
{%- endif %}
11 changes: 10 additions & 1 deletion vault/map.jinja
Original file line number Diff line number Diff line change
@@ -1,2 +1,11 @@
{% import_yaml "vault/defaults.yaml" as defaults %}
{% set vault = salt['pillar.get']('vault', default=defaults['vault'], merge=True) %}
{% import_yaml "vault/osfamilymap.yaml" as osfamilymap %}

{% set vault = salt['grains.filter_by'](
defaults,
merge=salt['grains.filter_by'](
osfamilymap,
merge=salt['pillar.get']('vault', {}),
),
base='vault')
%}
2 changes: 2 additions & 0 deletions vault/osfamilymap.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,2 @@
RedHat:
gpg_pkg: gnupg2
12 changes: 9 additions & 3 deletions vault/server.sls
Original file line number Diff line number Diff line change
@@ -23,7 +23,13 @@ include:
- watch_in:
- service: vault
{%- if vault.self_signed_cert.enabled %}
vault_set_cap_mlock:
cmd.run:
- name: setcap cap_ipc_lock=+ep $(readlink -f /usr/local/bin/vault)
- onchanges:
- /usr/local/bin/vault
{% if vault.self_signed_cert.enabled -%}
openssl:
pkg.installed
@@ -39,8 +45,8 @@ generate self signed SSL certs:
- /etc/vault/config
- require_in:
- service: vault
{%- endif %}
{% endif %}
{% endif %}
{%- endif %}
{%- if grains.init == 'systemd' %}
/etc/systemd/system/vault.service:

0 comments on commit c829eac

Please sign in to comment.