Commit d4875df

committed
Add Vault agent support in service and configuration file
1 parent 2ff48e2 commit d4875df

File tree

6 files changed

+312
-85
lines changed

README.md

Lines changed: 37 additions & 1 deletion
Original file line number | Diff line number | Diff line change
@@ -171,6 +171,42 @@ vault::storage:
171171
- leader_api_addr: https://vault3:8200
172172
```
173173
174+
## Vault Agent Configuration
175+
176+
When running Vault in agent mode (`mode => 'agent'`), you can configure the agent behavior using these parameters:
177+
178+
```puppet
179+
class { 'vault':
180+
mode => 'agent',
181+
agent_vault => {
182+
'address' => 'https://vault.example.com:8200'
183+
},
184+
agent_auto_auth => {
185+
'method' => [{
186+
'type' => 'approle',
187+
'mount_path' => 'auth/approle',
188+
'config' => {
189+
'role_id_file_path' => '/etc/vault/role-id',
190+
'secret_id_file_path' => '/etc/vault/secret-id'
191+
}
192+
}
193+
}],
194+
agent_cache => {
195+
'use_auto_auth_token' => true
196+
},
197+
agent_listeners => [{
198+
'tcp' => {
199+
'address' => '127.0.0.1:8100',
200+
'tls_disable' => true
201+
}
202+
}],
203+
agent_template => {
204+
'source' => '/etc/vault/template.ctmpl',
205+
'destination' => '/etc/myapp/config.yml'
206+
}
207+
}
208+
```
209+
174210
## mlock
175211

176212
By default vault will use the `mlock` system call, therefore the executable will need the corresponding capability.
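Review bot: the example's cache and listener stanzas (lines 194-202) pair `use_auto_auth_token => true` with a `tls_disable => true` listener, and the README should spell out what that means: any local process that can reach 127.0.0.1:8100 has its requests forwarded to Vault with the agent's own auto-auth token, so the loopback bind is what keeps this arrangement safe and the address must not be moved to a non-loopback interface without also enabling TLS on the listener. Two documentation gaps besides that: the section shows only five of the ten `agent_*` parameters this commit adds to REFERENCE.md (`agent_api_proxy`, `agent_template_config`, `agent_exec`, `agent_env_template` and `agent_telemetry` are not mentioned), and it never says that the server parameters (`listener`, `storage`, `seal`, ...) are not rendered when `mode => 'agent'`, which is what manifests/config.pp now does. A one-line pointer to the upstream Vault agent configuration reference would cover the per-stanza keys without duplicating them here.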
@@ -205,4 +241,4 @@ This module was forked from https://github.com/jsok/puppet-vault
205241
## Related Projects
206242

207243
* [hiera-vault](https://github.com/petems/petems-hiera_vault): A Hiera storage backend to retrieve secrets from Hashicorp's Vault
208-
* [vault_lookup](https://github.com/voxpupuli/puppet-vault_lookup): A puppet (deferred) function to do lookups in Vault
244+
* [vault_lookup](https://github.com/voxpupuli/puppet-vault_lookup): A puppet (deferred) function to do lookups in Vault
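Review bot: the only change in this hunk is to the `vault_lookup` bullet (208- / 244+), whose text is identical before and after, so this is a trailing-whitespace or end-of-file newline fix unrelated to the agent feature; it would be cleaner in its own commit or at least called out in the commit message so reviewers do not look for a content change.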

REFERENCE.md

Lines changed: 99 additions & 0 deletions
@@ -46,6 +46,7 @@ The following parameters are available in the `vault` class:
4646
* [`num_procs`](#-vault--num_procs)
4747
* [`api_addr`](#-vault--api_addr)
4848
* [`version`](#-vault--version)
49+
* [`mode`](#-vault--mode)
4950
* [`extra_config`](#-vault--extra_config)
5051
* [`enable_ui`](#-vault--enable_ui)
5152
* [`arch`](#-vault--arch)
@@ -72,6 +73,16 @@ The following parameters are available in the `vault` class:
7273
* [`manage_config_file`](#-vault--manage_config_file)
7374
* [`download_filename`](#-vault--download_filename)
7475
* [`manage_config_dir`](#-vault--manage_config_dir)
76+
* [`agent_vault`](#-vault--agent_vault)
77+
* [`agent_auto_auth`](#-vault--agent_auto_auth)
78+
* [`agent_api_proxy`](#-vault--agent_api_proxy)
79+
* [`agent_cache`](#-vault--agent_cache)
80+
* [`agent_listeners`](#-vault--agent_listeners)
81+
* [`agent_template`](#-vault--agent_template)
82+
* [`agent_template_config`](#-vault--agent_template_config)
83+
* [`agent_exec`](#-vault--agent_exec)
84+
* [`agent_env_template`](#-vault--agent_env_template)
85+
* [`agent_telemetry`](#-vault--agent_telemetry)
7586

7687
##### <a name="-vault--user"></a>`user`
7788

@@ -234,6 +245,14 @@ The version of Vault to install
234245

235246
Default value: `'1.12.0'`
236247

248+
##### <a name="-vault--mode"></a>`mode`
249+
250+
Data type: `Enum['server', 'agent']`
251+
252+
start vault in server or agent mode
253+
254+
Default value: `'server'`
255+
237256
##### <a name="-vault--extra_config"></a>`extra_config`
238257

239258
Data type: `Hash`
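Review bot: the description at 252+ (`start vault in server or agent mode`) should say what the switch changes: in `'agent'` mode the server parameters (`listener`, `storage`, `ha_storage`, `seal`, `telemetry`, `disable_mlock`, `api_addr`, ...) are not written to the config file and the `agent_*` parameters are used instead, which is the behaviour manifests/config.pp implements in this commit. Also capitalise the sentence to match the neighbouring entries (`The version of Vault to install`).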
@@ -442,3 +461,83 @@ enable/disable the directory management. not required for package based installa
442461

443462
Default value: `$install_method == 'archive'`
444463

464+
##### <a name="-vault--agent_vault"></a>`agent_vault`
465+
466+
Data type: `Optional[Hash]`
467+
468+
Hash containing Vault server connection configuration for agent mode
469+
470+
Default value: `undef`
471+
472+
##### <a name="-vault--agent_auto_auth"></a>`agent_auto_auth`
473+
474+
Data type: `Optional[Hash]`
475+
476+
Hash containing auto-auth configuration for agent mode
477+
478+
Default value: `undef`
479+
480+
##### <a name="-vault--agent_api_proxy"></a>`agent_api_proxy`
481+
482+
Data type: `Optional[Hash]`
483+
484+
Hash containing API proxy configuration for agent mode
485+
486+
Default value: `undef`
487+
488+
##### <a name="-vault--agent_cache"></a>`agent_cache`
489+
490+
Data type: `Optional[Hash]`
491+
492+
Hash containing cache configuration for agent mode
493+
494+
Default value: `undef`
495+
496+
##### <a name="-vault--agent_listeners"></a>`agent_listeners`
497+
498+
Data type: `Optional[Array[Hash]]`
499+
500+
Array of hashes containing listener configuration for agent mode
501+
502+
Default value: `undef`
503+
504+
##### <a name="-vault--agent_template"></a>`agent_template`
505+
506+
Data type: `Optional[Hash]`
507+
508+
Hash containing template configuration for agent mode
509+
510+
Default value: `undef`
511+
512+
##### <a name="-vault--agent_template_config"></a>`agent_template_config`
513+
514+
Data type: `Optional[Hash]`
515+
516+
Hash containing template engine configuration for agent mode
517+
518+
Default value: `undef`
519+
520+
##### <a name="-vault--agent_exec"></a>`agent_exec`
521+
522+
Data type: `Optional[Hash]`
523+
524+
Hash containing exec configuration for agent mode
525+
526+
Default value: `undef`
527+
528+
##### <a name="-vault--agent_env_template"></a>`agent_env_template`
529+
530+
Data type: `Optional[Hash]`
531+
532+
Hash containing environment template configuration for agent mode
533+
534+
Default value: `undef`
535+
536+
##### <a name="-vault--agent_telemetry"></a>`agent_telemetry`
537+
538+
Data type: `Optional[Hash]`
539+
540+
Hash containing telemetry configuration for agent mode
541+
542+
Default value: `undef`
543+
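Review bot: `agent_template` and `agent_env_template` are typed `Optional[Hash]` (506+, 530+) whereas `agent_listeners` is `Optional[Array[Hash]]` (498+); Vault agent accepts several `template` and `env_template` stanzas in one configuration, so a single hash limits each agent to rendering one file, and `Optional[Array[Hash]]` would match the listener handling. Every description is a one-liner of the form `Hash containing ... configuration for agent mode`; `agent_auto_auth` and `agent_template` deserve a sentence more, since the auto-auth hash (credential file paths, sink settings) is rendered into the agent config file and the template `destination` receives rendered secrets, so the ownership and mode of both files matter to operators reading this reference.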

manifests/config.pp

Lines changed: 34 additions & 13 deletions
@@ -16,19 +16,40 @@
1616
}
1717

1818
if $vault::manage_config_file {
19-
$_config_hash = delete_undef_values({
20-
'listener' => $vault::listener,
21-
'storage' => $vault::storage,
22-
'ha_storage' => $vault::ha_storage,
23-
'seal' => $vault::seal,
24-
'telemetry' => $vault::telemetry,
25-
'disable_cache' => $vault::disable_cache,
26-
'default_lease_ttl' => $vault::default_lease_ttl,
27-
'max_lease_ttl' => $vault::max_lease_ttl,
28-
'disable_mlock' => $vault::disable_mlock,
29-
'ui' => $vault::enable_ui,
30-
'api_addr' => $vault::api_addr,
31-
})
19+
case $vault::mode {
20+
'server': {
21+
$_config_hash = delete_undef_values({
22+
'listener' => $vault::listener,
23+
'storage' => $vault::storage,
24+
'ha_storage' => $vault::ha_storage,
25+
'seal' => $vault::seal,
26+
'telemetry' => $vault::telemetry,
27+
'disable_cache' => $vault::disable_cache,
28+
'default_lease_ttl' => $vault::default_lease_ttl,
29+
'max_lease_ttl' => $vault::max_lease_ttl,
30+
'disable_mlock' => $vault::disable_mlock,
31+
'ui' => $vault::enable_ui,
32+
'api_addr' => $vault::api_addr,
33+
})
34+
}
35+
'agent': {
36+
$_config_hash = delete_undef_values({
37+
'vault' => $vault::agent_vault,
38+
'auto_auth' => $vault::agent_auto_auth,
39+
'api_proxy' => $vault::agent_api_proxy,
40+
'cache' => $vault::agent_cache,
41+
'listener' => $vault::agent_listeners,
42+
'template' => $vault::agent_template,
43+
'template_config' => $vault::agent_template_config,
44+
'exec' => $vault::exec,
45+
'env_template' => $vault::agent_env_template,
46+
'telemetry' => $vault::agent_telemetry,
47+
})
48+
}
49+
default: {
50+
fail("Unsupported vault mode: ${vault::mode}")
51+
}
52+
}
3253

3354
$config_hash = merge($_config_hash, $vault::extra_config)
3455

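Review bot: line 44+ reads `'exec' => $vault::exec,`, but the parameter added everywhere else in this commit (the REFERENCE.md index and the `agent_exec` entry) is `agent_exec`; the class has no `exec` parameter, so this is an undefined variable that fails compilation under strict variables and otherwise evaluates to `undef`, which `delete_undef_values` then silently drops, meaning an `exec` stanza can never reach the agent config. Change it to `'exec' => $vault::agent_exec,`. Minor points: the `default:` branch at 49+ is unreachable once `mode` is typed `Enum['server', 'agent']` in REFERENCE.md, which is fine as a guard but worth a short comment, and the two `delete_undef_values` blocks could share the `merge($_config_hash, $vault::extra_config)` at 3354 as they already do, so no further change is needed there.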