sous-chefs / hashicorp-vault Goto Github PK

View Code? Open in Web Editor NEW

46.0 28.0 88.0 613 KB

Development repository for the hashicorp-vault cookbook

Home Page: https://supermarket.chef.io/cookbooks/hashicorp-vault

License: Apache License 2.0

Ruby 97.32% HTML 2.68%

chef-cookbook chef-resource chef hacktoberfest hashicorp-vault managed-by-terraform

hashicorp-vault's Introduction

hashicorp-vault cookbook

Install and configure Hashicorp Vault in server and agent mode.

Version 5.0.0 constitutes a major change and rewrite, please see UPGRADING.md.

Maintainers

This cookbook is maintained by the Sous Chefs. The Sous Chefs are a community of Chef cookbook maintainers working together to maintain important cookbooks. If you’d like to know more please visit sous-chefs.org or come chat with us on the Chef Community Slack in #sous-chefs.

Platforms

The following platforms have been certified with integration tests using Test Kitchen:

Debian/Ubuntu
RHEL/CentOS and derivatives
Fedora and derivatives

Requirements

Chef 14+
ark Community Cookbook (https://supermarket.chef.io/cookbooks/ark)

Usage

It is recommended to create a project or organization specific wrapper cookbook and add the desired custom resources to the run list of a node. Depending on your environment, you may have multiple roles that use different recipes from this cookbook. Adjust any attributes as desired.

Example of a basic server configuration using Hashicorp HCL for configuration

hashicorp_vault_install 'package' do
  action :upgrade
end

hashicorp_vault_config_global 'vault' do
  sensitive false
  telemetry(
    statsite_address: '127.0.0.1:8125',
    disable_hostname: true
  )

  notifies :restart, 'hashicorp_vault_service[vault]', :delayed

  action :create
end

hashicorp_vault_config_listener 'tcp' do
  options(
    'address' => '127.0.0.1:8200',
    'cluster_address' => '127.0.0.1:8201',
    'tls_cert_file' => '/opt/vault/tls/tls.crt',
    'tls_key_file' => '/opt/vault/tls/tls.key',
    'telemetry' => {
      'unauthenticated_metrics_access' => false,
    }
  )

  notifies :restart, 'hashicorp_vault_service[vault]', :delayed
end

hashicorp_vault_config_storage 'Test file storage' do
  type 'file'
  options(
    'path' => '/opt/vault/data'
  )

  notifies :restart, 'hashicorp_vault_service[vault]', :delayed
end

hashicorp_vault_service 'vault' do
  action %i(create enable start)
end

External Documentation

Resources

Contributors

This project exists thanks to all the people who contribute.

Backers

Thank you to all our backers!

hashicorp-vault's People

Contributors

Stargazers

Watchers

hashicorp-vault's Issues

Vault archive download address should be configurable

Something like sous-chefs/consul#342

If it is configurable, then document it somewhere?

Release a version with support for > 0.6.5

It looks like support has been in master for a while now. Please create a release.

Fails to start vault server on CentOS 7.1

Getting following error:

localhost systemd: [/etc/systemd/system/vault.service:6] Executable path is not absolute, ignoring: vault server -config=/home/vault/.vault.json

No such file or directory setcap

I worked around this at first by manually running setcap cap_ipc_lock=+ep /opt/vault/0.10.1/vault and then running chef-client on the node, but it seems to subsequently fail if chef-client is run without manually running that command. This seems to have cropped up because of a recent chef-client upgrade so I suspect it has something to do with that. I recall the issue having something to do with enforce_path_sanity but I'm not sure how to set that.

ERROR: vault_service[vault] (hashicorp-vault::default line 28) had an error: Errno::ENOENT: execute[setcap cap_ipc_lock=+ep /opt/vault/0.10.1/vault] (/var/chef/cache/cookbooks/hashicorp-vault/libraries/vault_service.rb line 81) had an error: Errno::ENOENT: No such file or directory - setcap

Support Vault agent.

The recipe should allow configuring Vault agents.
https://www.vaultproject.io/docs/agent/index.html

Service doesn't come back after reboot because the default service directory is missing

The default service directory is /var/run/vault, which is created by the cookbook - but on many systems, /var/run is mounted as tmpfs. This means that /var/run/vault is not present if the server reboots. The creation of /var/run/vault should be the responsibility of the init script, so that we don't run into this problem.

vault-ssh-helper inclusion in this cookbook

Hi, I'm curious if you feel that this cookbook is the right place to include the installation of https://releases.hashicorp.com/vault-ssh-helper/

If so, I'm willing to put in the work, otherwise I will create a new cookbook for it

Error executing action `create` on resource 'vault_config[/home/vault/.vault.json]'

Error with Default Recipe

The README doesn't document any special configuration instructions. Including the cookbook via Berkshelf and adding the recipe to the run_list results in the following errors:

==> default: ================================================================================
==> default:     
==> default: Error executing action `create` on resource 'vault_config[/home/vault/.vault.json]'
==> default:     
==> default: ================================================================================
==> default:     
==> default: 
==> default: 
==> default:     
==> default: NoMethodError
==> default:     
==> default: -------------
==> default:     
==> default: undefined method `delete' for nil:NilClass
==> default:     
==> default: 
==> default: 
==> default:     
==> default: Cookbook Trace:
==> default:     
==> default: ---------------
==> default:     
==> default: /tmp/vagrant-chef/48858a378e29c892aa9eae9959029b86/cookbooks/chef-vault/libraries/helpers.rb:36:in `chef_vault_item'
==> default: 
==> default:     
==> default: /tmp/vagrant-chef/48858a378e29c892aa9eae9959029b86/cookbooks/hashicorp-vault/libraries/vault_config.rb:77:in `block (2 levels) in <class:VaultConfig>'
==> default: 
==> default:     
==> default: /tmp/vagrant-chef/48858a378e29c892aa9eae9959029b86/cookbooks/poise/files/halite_gem/poise/helpers/subcontext_block.rb:54:in `instance_eval'
==> default: 
==> default:     
==> default: /tmp/vagrant-chef/48858a378e29c892aa9eae9959029b86/cookbooks/poise/files/halite_gem/poise/helpers/subcontext_block.rb:54:in `subcontext_block'
==> default: 
==> default:     
==> default: /tmp/vagrant-chef/48858a378e29c892aa9eae9959029b86/cookbooks/poise/files/halite_gem/poise/helpers/notifying_block.rb:67:in `notifying_block'
==> default:     /tmp/vagrant-chef/48858a378e29c892aa9eae9959029b86/cookbooks/hashicorp-vault/libraries/vault_config.rb:67:in `block in <class:VaultConfig>'
==> default:     
==> default:     Resource Declaration:
==> default:     ---------------------
==> default:     # In /tmp/vagrant-chef/48858a378e29c892aa9eae9959029b86/cookbooks/hashicorp-vault/recipes/default.rb
==> default:     
==> default:      11: config = vault_config node['vault']['config']['path'] do |r|
==> default:      12:   owner node['vault']['service_user']
==> default:      13:   group node['vault']['service_group']
==> default:      14: 
==> default:      15:   node['vault']['config'].each_pair { |k, v| r.send(k, v) }
==> default:      16:   notifies :restart, "vault_service[#{node['vault']['service_name']}]", :delayed
==> default:      17: end
==> default:      18: 
==> default:     
==> default:     Compiled Resource:
==> default:     ------------------
==> default:     # Declared in /tmp/vagrant-chef/48858a378e29c892aa9eae9959029b86/cookbooks/hashicorp-vault/recipes/default.rb:11:in `from_file'
==> default:     
==> default:     vault_config("/home/vault/.vault.json") do
==> default:       provider #<Class:0x000000025d2080>
==> default:       action [:create]
==> default:       retries 0
==> default:       retry_delay 2
==> default:       default_guard_interpreter :default
==> default:       declared_type :vault_config
==> default:       cookbook_name :"hashicorp-vault"
==> default:       recipe_name "default"
==> default:       owner "vault"
==> default:       group "vault"
==> default:       path "/home/vault/.vault.json"
==> default:       address "127.0.0.1:8200"
==> default:       manage_certificate true
==> default:       tls_cert_file "/etc/vault/ssl/certs/vault.crt"
==> default:       tls_key_file "/etc/vault/ssl/private/vault.key"
==> default:       tls_disable "false"
==> default:       bag_name "secrets"
==> default:       bag_item "vault"
==> default:     end

Expected Behavior

The recipe should either run in some vanilla configuration out of the box, or any required attributes or configuration settings should be documented in the README.

Cannot enable ui with vault 0.10.x

The vault_config resource does not accept ui true.

fix failing tests

Circle CI is failing: https://circleci.com/gh/sous-chefs/vault/54

The errors are:



An error occurred while loading ./spec/libraries/vault_config_spec.rb.
Failure/Error: require 'poise_boiler/spec_helper'

LoadError:
  cannot load such file -- poise_boiler/spec_helper
# ./spec/libraries/vault_config_spec.rb:3:in `<top (required)>'

An error occurred while loading ./spec/libraries/vault_service_spec.rb.
Failure/Error: require 'poise_boiler/spec_helper'

LoadError:
  cannot load such file -- poise_boiler/spec_helper
# ./spec/libraries/vault_service_spec.rb:3:in `<top (required)>'

disable_cache option

Hi,

I'd like to use vault with the disable_cache option set to true. It's for use with a multi DC setup of consul.

Is this something that would be appropriate for this cookbook? If so, I'll make a PR.

vault_secret resource missing

Hi!

Please restore the vault_secret resource, it's needed to read secrets from Vault using Chef.

Looks like it went missing in this PR.

Thanks in advance,

Stephen

metadata updates

When you bump the vault version in the attributes, is it at all possible to bump the last number in your cookbook version in your metadata?

This is extremely important for berks and version locking.

Vault service fails to start

Vault service is not starting properly. Looks like it requires root access but we run it as the vault user? @johnbellone how are you tackling this? I grabbed this snippet from the /etc/init/vault.conf.

Have any way we can chat re: this? Maybe slack? I am on the chef-brigade channel. https://brigade-slackin.herokuapp.com/

% sudo su -c "vault server -config=/home/vault/.vault.json" -s /bin/sh vault
Error initializing core: Failed to lock memory: cannot allocate memory

This usually means that the mlock syscall is not available.
Vault uses mlock to prevent memory from being swapped to
disk. This requires root privileges as well as a machine
that supports mlock. Please enable mlock on your system or
disable Vault from using it. To disable Vault from using it,
set the `disable_mlock` configuration option in your configuration
file.

Side Note: I worked around this issue by setting the service_user to root in my wrapper cookbook. Mostly asking if this should be the default as opposed to vault that is currently the default.

Specifying 'root' removes root login shell

So, if you override the default['hashicorp-vault']['service_user'] = 'vault' and decide to run as:

['hashicorp-vault']['service_user'] = 'root' via an override or whatever, you'll become unable to operate as root on next login.

Probably because the config process turns the root user into a service account. Your entry in passwd winds up looking like:

root:x:0:0:Service user for root:/root:/bin/false

Can we get a new release?

Hello, I see that support for user interface configuration is in the master for a while now. Could you release it so we could use this feature?

Configure and usage

Hello,

I don't know how to use this cookbook or modify it for configuring an endpoint or different tcp listeners. There isn't any example on how to create a vault with a PostgreSQL endpoint and two tcp listeners?

How I can init the backend with some information?

Where are the keys and root-key after installing vault? I try to vault auth but I can't because i don't have the keys, and I can't vault init because I have no access.

Thanks

consul 3.1.0 issue when testing with hashicorp-vault 3.0.0 git code

Linking issue: sous-chefs/consul#498

Evaluate https://github.com/cbp-group/vault_resources

Review the vault_resources cookbook and decide if and how we want to incorporate or use this resource.

Test against newer build-essential

Upstream has moved onto 3.x

No method chef_vault_item

Hello,
I'm getting No resource or method named chef_vault_item' for VaultCookbook::Resource::VaultConfig (fused) ""'"
Any idea what I could be doing wrong? I'm using the recipes from your vault-cluster-cookbook

Spec test issue for vault_config: Chef::Provider does not implement #chef_vault_item

It seems the Rspec tests have been broken for a while, as a number of them issue this failure: Chef::Provider does not implement #chef_vault_item

See lines 316–9 of Travis CI Job#21.2 for an example.

Vault 0.5.3 -> 0.6.0 is breaking. Cookbook major version should have been rev'd.

See the Vault docs on breaking changes in 0.6.

CentOS-* kitchen tests fail w/ sudo issue

There's an issue with converging the cookbook on CentOS (6.x, 7.x) that is related to sudo:

...
>>>>>> ------Exception-------
>>>>>> Class: Kitchen::ActionFailed
>>>>>> Message: 1 actions failed.
>>>>>>     Failed to complete #verify action: [Sudo failed: Sudo requires a password, please configure it.] on default-centos-72

While there's probably a better approach, at least one successful way around this issue seems to be to modify[1] the .kitchen.yml by adding this to each of the centos boxes:

    attributes:
      authorization:
        sudo:
          users: ['kitchen']
          passwordless: true
          include_sudoers_d: true

This issue is coming up in bento/* base boxes, as well as puppetlabs-centos-66-64-nocm (nocm == no pre-installed config management tools). If it matters, running Kitchen version 1.13.2 from the chefdk 0.18.30-1.

[1] http://stackoverflow.com/questions/39523883/kitchen-test-failed-sudo-requires-a-password-please-configure-it-on-default-ce

Vault 0.2.0 - Does not like tls_disable entered as empty string

According to the documentation this field should be omitted if it is not planned on being used. With the current implementation, vault is failing to start because tls_disable is ""

% sudo su -c "vault server -config=/home/vault/.vault.json" -s /bin/sh vault
Error detecting advertise address: tls_disable: strconv.ParseBool: parsing "": invalid syntax
Error initializing core: missing advertisement address

The documentation on strconv.ParseBool makes it look like we should set the value to false inside of a string.

http://golang.org/pkg/strconv/#ParseBool

Again, I will likely get a PR for this.

Add note into documentation about chef-vault coobook version

Running cookbook with TLS enabled just doesn't work.

================================================================================
Error executing action `create` on resource 'vault_config[/home/vault/.vault.json]'
================================================================================
NoMethodError
-------------
No resource or method named `chef_vault_item' for `VaultCookbook::Resource::VaultConfig (fused) ""'

['vault']['config']['manage_certificate'] = false does not end up getting set on vault_config resource

When setting manage_certificate = false it is not reflected on the resource definition. This then attempts to execute chef_vault behavior which fails. I have added some print statements and can see the attribute being set and printing out but when the resource is defined there is no manage_certificate set. If I set the attribute value to true, I DO see manage certificate in the resource definition.

At the moment I don't see a way I can get this to properly pass in false for manage certificate and skip over the chef-vault stuff. Any help would be appreciated!

_False_
default['vault']['config']['manage_certificate'] = false

           vault_config("/home/vault/.vault.json") do

             action [:create]
             retries 0
             retry_delay 2
             default_guard_interpreter :default
             declared_type :vault_config
             cookbook_name "hashicorp-vault"
             recipe_name "default"
             owner "vault"
             group "vault"
             path "/home/vault/.vault.json"
             address "0.0.0.0:8200"
             tls_cert_file "/etc/vault/ssl/ssl.crt"
             tls_key_file "/etc/vault/ssl/ssl.key"
             backend_type "inmem"
             backend_options {"address"=>"127.0.0.1:8500", "path"=>"vault", "scheme"=>"http"}
             statsd_addr "stats02.nexus.commercehub.com:8125"
             tls_disable "false"
             bag_name "secrets"
             bag_item "vault"
           end

_True_
default['vault']['config']['manage_certificate'] = true

           vault_config("/home/vault/.vault.json") do
             provider #<Class:0x00000001e89508>
             action [:create]
             retries 0
             retry_delay 2
             default_guard_interpreter :default
             declared_type :vault_config
             cookbook_name "hashicorp-vault"
             recipe_name "default"
             owner "vault"
             group "vault"
             path "/home/vault/.vault.json"
             address "0.0.0.0:8200"
             manage_certificate true
             tls_cert_file "/etc/vault/ssl/ssl.crt"
             tls_key_file "/etc/vault/ssl/ssl.key"
             backend_type "inmem"
             backend_options {"address"=>"127.0.0.1:8500", "path"=>"vault", "scheme"=>"http"}
             statsd_addr "stats02.nexus.commercehub.com:8125"
             tls_disable "false"
             bag_name "secrets"
             bag_item "vault"
           end

Getting warning message in Chef run

Hi,

I am using chef 12.4.0 and I am getting warning message like below:

[2016-03-14T14:49:37+00:00] WARN: You declared a new resource PoiseService::ServiceProviders::Inittab for resource poise_service, but it comes alphabetically after PoiseService::ServiceProviders::Dummy and has the same filters ({}), so it will not be used. Use override: true if you want to use it for poise_service.

How do I get rid of them?

undefined method `delete' for nil:NilClass

I'm getting this error when running the default recipe:

ERROR: vault_config[/home/vault/.vault.json] (hashicorp-vault::default line 11) had an error: NoMethodError: undefined method `delete' for nil:NilClass

My wrapper notebook

include_recipe 'wrap-consul::default'

node.default['vault']['config']['backend_type'] = 'consul'
include_recipe 'hashicorp-vault::default'

I'm using version 1.4

Here is the stack trace:

Generated at 2016-01-24 12:23:25 +0000
NoMethodError: vault_config[/home/vault/.vault.json] (hashicorp-vault::default line 11) had an error: NoMethodError: undefined method `delete' for nil:NilClass
/opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.6.0/lib/chef/data_bag_item.rb:129:in `from_hash'
/opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.6.0/lib/chef/data_bag_item.rb:160:in `load'
/opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-vault-2.6.1/lib/chef-vault/item.rb:318:in `data_bag_item_type'
/opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-vault-2.6.1/lib/chef-vault/item.rb:296:in `vault?'
/tmp/vagrant-chef/bff31c3b408ec7b44050af611ad8ca88/cookbooks/chef-vault/libraries/helpers.rb:36:in `chef_vault_item'
/tmp/vagrant-chef/bff31c3b408ec7b44050af611ad8ca88/cookbooks/hashicorp-vault/libraries/vault_config.rb:76:in `block (2 levels) in <class:VaultConfig>'
/tmp/vagrant-chef/bff31c3b408ec7b44050af611ad8ca88/cookbooks/poise/files/halite_gem/poise/helpers/subcontext_block.rb:54:in `instance_eval'
/tmp/vagrant-chef/bff31c3b408ec7b44050af611ad8ca88/cookbooks/poise/files/halite_gem/poise/helpers/subcontext_block.rb:54:in `subcontext_block'
/tmp/vagrant-chef/bff31c3b408ec7b44050af611ad8ca88/cookbooks/poise/files/halite_gem/poise/helpers/notifying_block.rb:67:in `notifying_block'
/tmp/vagrant-chef/bff31c3b408ec7b44050af611ad8ca88/cookbooks/hashicorp-vault/libraries/vault_config.rb:66:in `block in <class:VaultConfig>'
/opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.6.0/lib/chef/provider.rb:144:in `run_action'
/opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.6.0/lib/chef/resource.rb:596:in `run_action'
/opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.6.0/lib/chef/runner.rb:74:in `run_action'
/opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.6.0/lib/chef/runner.rb:106:in `block (2 levels) in converge'
/opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.6.0/lib/chef/runner.rb:106:in `each'
/opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.6.0/lib/chef/runner.rb:106:in `block in converge'
/opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.6.0/lib/chef/resource_collection/resource_list.rb:83:in `block in execute_each_resource'
/opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.6.0/lib/chef/resource_collection/stepable_iterator.rb:116:in `call'
/opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.6.0/lib/chef/resource_collection/stepable_iterator.rb:116:in `call_iterator_block'
/opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.6.0/lib/chef/resource_collection/stepable_iterator.rb:85:in `step'
/opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.6.0/lib/chef/resource_collection/stepable_iterator.rb:104:in `iterate'
/opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.6.0/lib/chef/resource_collection/stepable_iterator.rb:55:in `each_with_index'
/opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.6.0/lib/chef/resource_collection/resource_list.rb:81:in `execute_each_resource'
/opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.6.0/lib/chef/runner.rb:105:in `converge'
/opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.6.0/lib/chef/client.rb:647:in `block in converge'
/opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.6.0/lib/chef/client.rb:642:in `catch'
/opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.6.0/lib/chef/client.rb:642:in `converge'
/opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.6.0/lib/chef/client.rb:681:in `converge_and_save'
/opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.6.0/lib/chef/client.rb:271:in `run'
/opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.6.0/lib/chef/application.rb:261:in `block in fork_chef_client'
/opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.6.0/lib/chef/application.rb:249:in `fork'
/opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.6.0/lib/chef/application.rb:249:in `fork_chef_client'
/opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.6.0/lib/chef/application.rb:215:in `block in run_chef_client'
/opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.6.0/lib/chef/local_mode.rb:44:in `with_server_connectivity'
/opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.6.0/lib/chef/application.rb:203:in `run_chef_client'
/opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.6.0/lib/chef/application/solo.rb:286:in `block in interval_run_chef_client'
/opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.6.0/lib/chef/application/solo.rb:275:in `loop'
/opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.6.0/lib/chef/application/solo.rb:275:in `interval_run_chef_client'
/opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.6.0/lib/chef/application/solo.rb:253:in `run_application'
/opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.6.0/lib/chef/application.rb:58:in `run'
/opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.6.0/bin/chef-solo:25:in `<top (required)>'
/usr/bin/chef-solo:54:in `load'
/usr/bin/chef-solo:54:in `<main>'

Poise::Error: Unable to find cookbook for file

When creating a wrapper cookbook I get the following error:

================================================================================
           Error executing action `restart` on resource 'vault_service[vault]'
           ================================================================================

           Poise::Error
           ------------
           poise_service[vault] (/tmp/kitchen/cache/cookbooks/wrapper-vault/recipes/server.rb line 17) had an error: Poise::Error: Unable to find cookbook for file "/tmp/kitchen/cache/cookbooks/poise-service/files/halite_gem/poise_service/service_providers/base.rb"

           Cookbook Trace:
           ---------------
           /tmp/kitchen/cache/cookbooks/poise/files/halite_gem/poise/utils.rb:64:in `find_cookbook_name'
           /tmp/kitchen/cache/cookbooks/poise/files/halite_gem/poise/helpers/defined_in.rb:69:in `poise_defined_in_cookbook'
           /tmp/kitchen/cache/cookbooks/poise/files/halite_gem/poise/helpers/inversion.rb:237:in `default_inversion_attributes'
           /tmp/kitchen/cache/cookbooks/poise/files/halite_gem/poise/helpers/inversion.rb:256:in `resolve_inversion_attribute'
           /tmp/kitchen/cache/cookbooks/poise-service/files/halite_gem/poise_service/service_providers/base.rb:30:in `resolve_inversion_provider'
       m/poise/helpers/inversion.rb:354:in `provides?'
           /tmp/kitchen/cache/cookbooks/poise-service/files/halite_gem/poise_service/service_mixin.rb:125:in `block in action_restart'
           /tmp/kitchen/cache/cookbooks/poise-service/files/halite_gem/poise_service/service_mixin.rb:154:in `call'
           /tmp/kitchen/cache/cookbooks/poise-service/files/halite_gem/poise_service/service_mixin.rb:154:in `notify_if_service'
           /tmp/kitchen/cache/cookbooks/poise-service/files/halite_gem/poise_service/service_mixin.rb:124:in `action_restart'

It works fine when not in a wrapper.

I managed to track the issue down to the following code:

vault_binary = File.join(service.install_path, 'vault', 'current', 'vault')
execute "setcap cap_ipc_lock=+ep #{vault_binary}" do
  not_if { node['platform_family'] == 'windows' }
  not_if { node['platform_family'] == 'mac_os_x' }
  not_if { config.disable_mlock }
  not_if "getcap #{vault_binary}|grep cap_ipc_lock+ep"
end

It doesn't feel like I am fixing the root cause but using the following resolved the issue:

vault_binary = File.join(service.install_path, 'vault', 'current', 'vault')
bash 'vault_mlock' do
  code "setcap cap_ipc_lock=+ep #{vault_binary}"
  not_if { node['platform_family'] == 'windows' }
  not_if { node['platform_family'] == 'mac_os_x' }
  not_if { config.disable_mlock }
  not_if "getcap #{vault_binary}|grep cap_ipc_lock+ep"
end

I am using the following settings:
Ubuntu 14.04
test-kitchen - 1.4.2

tls_disable attribute only accepts strings

When 'tls_disable' = true, the recipe blows up because it's expecting a String rather than a Boolean or Fixnum. The attribute parser really ought to be more flexible and accept:

true
false
0
1

and then coerce to String if necessary to fit Vault's expectations. Pull request to follow.

Generated configuration contains 'backend' which is not a valid configuration option?

With my cookbook attributes looking like this:

default['hashicorp-vault']['version'] = '0.7.3'

default['hashicorp-vault']['config']['habackend_type'] = 'consul'
default['hashicorp-vault']['config']['habackend_options']['address'] = '127.0.0.1:8500'
default['hashicorp-vault']['config']['habackend_options']['check_timeout'] = '10s'
default['hashicorp-vault']['config']['habackend_options']['disable_registration'] = false
default['hashicorp-vault']['config']['habackend_options']['path'] = 'vault/'
default['hashicorp-vault']['config']['habackend_options']['scheme'] = 'http'

default['hashicorp-vault']['config']['tls_disable'] = true

I get a configuration that looks like this:

{
  "disable_mlock": false,
  "listener": {
    "tcp": {
      "address": "127.0.0.1:8200",
      "tls_disable": "true"
    }
  },
  "backend": {
    "inmem": {
    }
  },
  "ha_backend": {
    "consul": {
      "address": "127.0.0.1:8500",
      "check_timeout": "10s",
      "disable_registration": false,
      "path": "vault/",
      "scheme": "http"
    }
  }
}

Vault complains that:

Error loading configuration from /etc/vault/vault.json: error parsing 'ha_backend': ha_backend.consul: At -: root.disable_registration: unknown type for string *ast.LiteralType

But if I change ha_backend to storage everything works. However storage is not a valid configuration option (see #95). So how do I get the cookbook to generate the correct configuration file?

api_addr

How can I set the api_addr and cluster_addr config when using HA config?

I get this error if I try to set default['hashicorp-vault']['config']['api_addr']

[2018-03-14T21:24:00+00:00] ERROR: undefined method `api_addr' for VaultCookbook::Resource::VaultConfig

The pull requests for 2.5.1 and 2.5.2 cover these 2 variables and they seem to be the right config for aws implementations of vault in an HA cluster mode.

Failing to run service as nonroot

Running the default recipe as a root user, but with a nonroot service user attribute (the default 'vault') results in a service start failure:

``systemd[1]: vault.service: control process exited, code=exited status=1
Apr 18 18:43:29 APP systemd[1]: Reload failed for LSB: Init script for vault.
`

Which doesn't tell me much. Deconstructing the command from /etc/rc.d/init.d/vault and running manually like this:

# /opt/vault/0.5.2/vault server -config=/etc/vault/vault.json

works just fine. Anyone know a way to kick up the log level to see just what is dying?

Initializing and unsealing

Just want to discuss how you guys handle initializing and unsealing business.

We are trying to do this through chef, because it's not practical to unseal in the middle of night when something goes wrong & the service gets restarted and when it happens on 2 nodes in a 3 node cluster. The whole idea of cheffing is to automate setup and recovery mechanism. So wondering what's the process everybody following in this regard.

What are bag_name, bag_item attributes used for?

I see the attributes, and they even get set from the linked cluster example cookbook, but I haven't tracked down what they're used to do.

etcd in not supported as backend secret storage

Please add etcd to https://github.com/johnbellone/vault-cookbook/blob/master/libraries/vault_config.rb#L39 .

No storage config?

I'm trying to configure storage options here, but I can't seem to get it to work.

I did this thinking it would magically work:

node.default['hashicorp-vault']['config']['storage'] = {
    'path' => node['stack_name'],
    'address' => 'consul.nmgcloudapps.com:8500'
}

I get this:

/tmp/local-mode-cache/cache/cookbooks/hashicorp-vault/recipes/default.rb:

 16:  end
 17:  
 18:  config = vault_config node['hashicorp-vault']['config']['path'] do |r|
 19:    owner node['hashicorp-vault']['service_user']
 20:    group node['hashicorp-vault']['service_group']
 21:  
 22:    if node['hashicorp-vault']['config']
 23>>     node['hashicorp-vault']['config'].each_pair { |k, v| r.send(k, v) }
 24:    end
 25:    notifies :reload, "vault_service[#{node['hashicorp-vault']['service_name']}]", :delayed
 26:  end

I'm going to try some things locally on this project, we'll see where this goes.

Am I doing something wrong here?

module_function travisci LINT failure

the helpers.rb needs to use module_function : after the method ends instead of extend self.

Since I'm not sure what that the module function is, please change that to that format to fix the LINT issue.

module VaultCookbook

  module Helpers

    extend self

undefined method `cluster_address' for VaultCookbook::Resource::VaultConfig

When I try to set the node attribute, I get the following error:

     NoMethodError:
       undefined method `cluster_address' for VaultCookbook::Resource::VaultConfig
     # /var/folders/5y/2xp1l2t158g3_c33zyz6slvr0000gn/T/d20170131-13941-1dc3mak/cookbooks/hashicorp-vault/recipes/default.rb:23:in `block (2 levels) in from_file'
     # /var/folders/5y/2xp1l2t158g3_c33zyz6slvr0000gn/T/d20170131-13941-1dc3mak/cookbooks/hashicorp-vault/recipes/default.rb:23:in `each_pair'
     # /var/folders/5y/2xp1l2t158g3_c33zyz6slvr0000gn/T/d20170131-13941-1dc3mak/cookbooks/hashicorp-vault/recipes/default.rb:23:in `block in from_file'
     # /var/folders/5y/2xp1l2t158g3_c33zyz6slvr0000gn/T/d20170131-13941-1dc3mak/cookbooks/hashicorp-vault/recipes/default.rb:18:in `from_file'

Kitchen tests with cookbooks using vault_secret are non-trivial

It would be nice to be able to do kitchen testing on cookbooks using vault_secret. Should we support a databag fallback (similar to chef-vault) for kitchen testing?

node_exporter 0.15 not getting installed on amazon linux

I am getting below error while executing node_exporter.

[prometheus@ip-172-30-2-163 node_exporter-0.15.2.linux-amd64]$ ./node_exporter
bash: ./node_exporter: cannot execute binary file
[prometheus@ip-172-30-2-163 node_exporter-0.15.2.linux-amd64]$ arch
i686

vault_config.rb doesn't writes out telemetry section properly

Based on this documentation found @ http://vaultproject.io/docs/config/index.html#telemetry, I don't believe we are writing the telemetry section properly.

Currently I end up with statsd_addr just dropped right in the json at the same level as backend and listener. I think this should be nested under a telemetry section.

I will throw together a PR for this, just wanted to get this out here in case you had other thoughts before I get around to the PR.

amazon linux

Can you please add support for amazon linux? There are just a few areas where it checks for rhel, which should also consider amazon as it is the same.

I can submit a PR.

Thanks,
Dan

platform_family? regression

Getting an error using Chef 12.5.1 that was fixed previously in #96 but then undone by #104.

I can't tell if the changes to libraries/vault_service.rb in 104 were intentional or accidental, because I don't have enough context about Chef version-specific behaviors... so I didn't want to blindly reopen a PR that does the same thing as 96 if there's a better solution going forward.

================================================================================
    Error executing action `enable` on resource 'vault_service[vault]'
    ================================================================================
    
    NoMethodError
    -------------
    No resource or method named `platform_family?' for `VaultCookbook::Provider::VaultService ""'
    
    Cookbook Trace:
    ---------------
    /var/chef/cache/cookbooks/hashicorp-vault/libraries/vault_service.rb:100:in `service_options'
    /var/chef/cache/cookbooks/poise-service/files/halite_gem/poise_service/service_mixin.rb:175:in `block in service_resource'
    /var/chef/cache/cookbooks/poise-service/files/halite_gem/poise_service/service_mixin.rb:168:in `tap'
    /var/chef/cache/cookbooks/poise-service/files/halite_gem/poise_service/service_mixin.rb:168:in `service_resource'
    /var/chef/cache/cookbooks/poise-service/files/halite_gem/poise_service/service_mixin.rb:153:in `notify_if_service'
    /var/chef/cache/cookbooks/poise-service/files/halite_gem/poise_service/service_mixin.rb:88:in `action_enable'
    /var/chef/cache/cookbooks/hashicorp-vault/libraries/vault_service.rb:88:in `action_enable'
    
    Resource Declaration:
    ---------------------
    # In /var/chef/cache/cookbooks/hashicorp-vault/recipes/server.rb
    
     28: vault_service node['hashicorp-vault']['service_name'] do |r|
     29:   user node['hashicorp-vault']['service_user']
     30:   group node['hashicorp-vault']['service_group']
     31:   config_path node['hashicorp-vault']['config']['path']
     32:   disable_mlock config.disable_mlock
     33:   program install.vault_program
     34: 
     35:   if node['hashicorp-vault']['service']
     36:     node['hashicorp-vault']['service'].each_pair { |k, v| r.send(k, v) }
     37:   end
     38:   action [:enable, :start]

Can we get a new minor release?

A new minor release to supermarket would be helpful since 0.6.2 vault is not in the current release.

Support plugin_directory setting

vault_config.rb should allow the setting plugin_directory.

Configure consul backend in hashicorp-vault > 1.5.x

Greetings,

I'm currently working on upgrading our internal vault wrapper cookbook to use hashicorp-vault 2.1.1 from 1.5.x and I'm running into some issues with configuring consul as the secret backend.

With 1.5.x we'd use:

node.override['vault']['config']['backend_type'] = 'consul'
node.override['vault']['config']['backend_options']['address'] = '127.0.0.1:8500'
node.override['vault']['config']['backend_options']['path'] = 'vault'

to generate a configuration file with the following:

"backend": {
    "consul": {
      "address": "127.0.0.1:8500",
      "path": "vault"
    }
},

However, this no longer appears to work with 2.x and instead yields:

"backend": {
    "inmem": {
    }
}

I can't see anything significantly in the diffs between 1.5.0 and 2.1.1 that would stop this from working. Please advise!

Many thanks!

Service Logging

Is there a way to have the system service (/etc/init.d/vault) send its output to a log file?

Upgrading to Vault 0.2.0

cannot create pull request so here's the changes:

attributes/default.rb

default['vault']['version'] = '0.2.0'

default['vault']['checksums'] = {
'0.2.0_darwin_386' => '22f003b89dc34e6601f8d6cbcd79915bd010e0fa1a14fc291adc4905c5abcc00',
'0.2.0_darwin_amd64' => '73dfa187a01fd4490b4c8a62a4316a4bd054538d4fd2df869415b0b00f37d654',
'0.2.0_linux_386' => '9a4cb5470182e163eaa9d2526beb60c6a215c931c15452065f8caa4aa5821816',
'0.2.0_linux_amd64' => 'b4b64fcea765ebfc7cdbae9cdd2c32bff130ca51f15b9cf47194f112fd5515cf',
'0.2.0_linux_arm' => '883414010c26104889505aee69b461d1ca9378725dd2c7caafdcd1bba2d9c039',
'0.2.0_windows_386' => '64aa7893678ae047c61021c97499feb20f924e51f65e9b7ea257cc17355182ec',
'0.2.0_windows_amd64' => '1905354ad1652a8bd33c23f546b9df0e22b2c20a157c28545ff20b3cd74ea9e9'
}

sous-chefs / hashicorp-vault Goto Github PK

hashicorp-vault's Introduction

hashicorp-vault cookbook

Maintainers

Platforms

Requirements

Usage

External Documentation

Resources

Contributors

Backers

Sponsors

hashicorp-vault's People

Contributors

Stargazers

Watchers

Forkers

hashicorp-vault's Issues

Error with Default Recipe

Expected Behavior

Recommend Projects

Recommend Topics

Recommend Org

Jobs