4 This cookbook sets up a HashiCorp Vault service.
8 - [Requirements](#requirements)
9 - [platforms](#platforms)
10 - [packages](#packages)
11 - [Attributes](#attributes)
14 - [hc-vault::default](#hc-vaultdefault)
15 - [hc-vault::docker-compose](#hc-vaultdocker-compose)
16 - [Role Examples](#role-examples)
17 - [SSL server keys and certificates management by `ssl_cert` cookbook](#ssl-server-keys-and-certificates-management-by-ssl_cert-cookbook)
18 - [License and Authors](#license-and-authors)
33 |Key|Type|Description, example|Default|
35 |`['hc-vault']['with_ssl_cert_cookbook']`|Boolean|If this attribute is true, `node['hc-vault']['docker-compose']['config']` is overridden by the following `common_name` attributes.|`false`|
36 |`['hc-vault']['ssl_cert']['common_name']`|String|Vault server common name for TLS|`node['fqdn']`|
37 |`['hc-vault']['config']`|Hash|Vault configurations. This Hash is expanded to `/vault/config/config.json` inside the Docker container.|See `attributes/default.rb`|
38 |`['hc-vault']['docker-compose']['vault_owner']`|Integer|Vault owner UID (read only).|`100`|
39 |`['hc-vault']['docker-compose']['vault_group']`|Integer|Vault group GID (read only).|`1000`|
40 |`['hc-vault']['docker-compose']['app_dir']`|String||`"#{node['docker-grid']['compose']['app_dir']}/vault"`|
41 |`['hc-vault']['docker-compose']['config_dir']`|String||`"#{node['hc-vault']['docker-compose']['app_dir']}/config"`|
42 |`['hc-vault']['docker-compose']['file_dir']`|String|Default backend storage.|`"#{node['hc-vault']['docker-compose']['app_dir']}/file"`|
43 |`['hc-vault']['docker-compose']['logs_dir']`|String||`"#{node['hc-vault']['docker-compose']['app_dir']}/logs"`|
44 |`['hc-vault']['docker-compose']['certs_dir']`|String||`"#{node['hc-vault']['docker-compose']['app_dir']}/certs"`|
45 |`['hc-vault']['docker-compose']['config']`|Hash|`docker-compose.yml` configurations.|See `attributes/default.rb`|
51 #### hc-vault::default
53 This recipe does nothing.
55 #### hc-vault::docker-compose
57 This recipe generates a `docker-compose.yml` for the HashiCorp Vault service.
61 - `roles/vault-on-docker.rb`
64 name 'vault-on-docker'
65 description 'Vault on Docker'
70 # see https://osdn.net/projects/metasearch/scm/git/grid-chef-repo/blobs/master/roles/docker-new-repo.rb
72 'recipe[hc-vault::docker-compose]',
82 'skip_setup' => false,
85 'skip_setup' => false,
90 #'default_lease_ttl' => '768h',
91 #'max_lease_ttl' => '768h',
95 # Version 2 docker-compose format
100 "#{vault_port}:8200",
103 # These volumes will be set by the hc-vault::docker-compose recipe automatically.
104 #"#{node['hc-vault']['docker-compose']['config_dir']}/config.json:/vault/config/config.json:ro",
105 #"#{node['hc-vault']['docker-compose']['file_dir']}:/vault/file:rw",
106 #"#{node['hc-vault']['docker-compose']['logs_dir']}:/vault/logs:rw",
109 # use the ['hc-vault']['config'] attribute instead of this variable.
110 #'VAULT_LOCAL_CONFIG' => '', # expanded to /vault/config/local.json
120 - `roles/vault-with-ssl-on-docker.rb`
123 name 'vault-with-ssl-on-docker'
124 description 'Vault setup with ssl_cert cookbook'
126 vault_cn = 'vault.io.example.com'
131 'recipe[hc-vault::docker-compose]',
136 #default_attributes()
141 'skip_setup' => false,
144 'skip_setup' => false,
149 # vault_cn, # hc-vault cookbook < 0.1.3
153 'with_ssl_cert_cookbook' => true,
155 'common_name' => vault_cn,
160 # These configurations will be set by the hc-vault::docker-compose recipe automatically.
161 #'tls_disable' => false
162 #'tls_cert_file' => '/vault/server.crt',
163 #'tls_key_file' => '/vault/server.key',
166 #'default_lease_ttl' => '768h',
167 #'max_lease_ttl' => '768h',
169 'docker-compose' => {
171 # Version 2 docker-compose format
176 "#{vault_port}:8200",
179 # These volumes will be set by the hc-vault::docker-compose recipe automatically.
180 #"#{node['hc-vault']['docker-compose']['config_dir']}/config.json:/vault/config/config.json:ro",
181 #"#{node['hc-vault']['docker-compose']['file_dir']}:/vault/file:rw",
182 #"#{node['hc-vault']['docker-compose']['logs_dir']}:/vault/logs:rw",
183 #"#{server_cert_path(node['hc-vault']['ssl_cert']['common_name'])}:/vault/server.crt:ro",
184 #"#{node['hc-vault']['docker-compose']['certs_dir']}/server.key:/vault/server.key:ro",
187 # use the ['hc-vault']['config'] attribute instead of this variable.
188 #'VAULT_LOCAL_CONFIG' => '', # expanded to /vault/config/local.json
198 ### SSL server keys and certificates management by `ssl_cert` cookbook
200 - create chef-vault items for the server private key and certificate.
203 $ ruby -rjson -e 'puts JSON.generate({"private" => File.read("vault.io.example.com.prod.key")})' \
204 > > ~/tmp/vault.io.example.com.prod.key.json
206 $ ruby -rjson -e 'puts JSON.generate({"public" => File.read("vault.io.example.com.prod.crt")})' \
207 > > ~/tmp/vault.io.example.com.prod.crt.json
211 $ knife vault create ssl_server_keys vault.io.example.com.prod \
212 > --json ~/tmp/vault.io.example.com.prod.key.json
214 $ knife vault create ssl_server_certs vault.io.example.com.prod \
215 > --json ~/tmp/vault.io.example.com.prod.crt.json
218 - grant the Vault host permission to read these chef-vault items
221 $ knife vault update ssl_server_keys vault.io.example.com.prod -S 'name:vault-host.example.com'
222 $ knife vault update ssl_server_certs vault.io.example.com.prod -S 'name:vault-host.example.com'
225 - modify run_list and attributes
229 'recipe[hc-vault::docker-compose]',
235 # 'vault.io.example.com', # hc-vault cookbook < 0.1.3
239 'with_ssl_cert_cookbook' => true,
241 'common_name' => 'vault.io.example.com',
248 ## License and Authors
250 - Author:: whitestar at osdn.jp
253 Copyright 2017, whitestar
255 Licensed under the Apache License, Version 2.0 (the "License");
256 you may not use this file except in compliance with the License.
257 You may obtain a copy of the License at
259 http://www.apache.org/licenses/LICENSE-2.0
261 Unless required by applicable law or agreed to in writing, software
262 distributed under the License is distributed on an "AS IS" BASIS,
263 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
264 See the License for the specific language governing permissions and
265 limitations under the License.