diff --git a/pillar/credentials/vault.sls b/pillar/credentials/vault.sls
--- a/pillar/credentials/vault.sls
+++ b/pillar/credentials/vault.sls
@@ -49,6 +49,7 @@
vault_policies:
- salt-primary
+ - vault_bootstrap
- viperserv
# -------------------------------------------------------------
diff --git a/roles/vault/bootstrap/files/vault-initialize.sh b/roles/vault/bootstrap/files/vault-initialize.sh
new file mode 100755
--- /dev/null
+++ b/roles/vault/bootstrap/files/vault-initialize.sh
@@ -0,0 +1,112 @@
+#!/usr/bin/env bash
+# -------------------------------------------------------------
+# Vault initialize script
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Project: Nasqueron
+# License: Trivial work, not eligible to copyright
+# Description: Recreate the engines and configure them.
+#
+# Should be run only once for the cluster
+# for disaster recovery purpose if the storage
+# back-end can't be restored.
+#
+# Will issue a new root CA certificate.
+#
+# Dependencies: bash is used as shebang to allow >() process
+# execution, undefined in POSIX sh.
+# To sync with: roles/vault/policies/files/vault_bootstrap.hcl
+# Source file: roles/vault/vault/files/vault-initialize.sh
+# -------------------------------------------------------------
+#
+# <auto-generated>
+# This file is managed by our rOPS SaltStack repository.
+#
+# Changes to this file may cause incorrect behavior
+# and will be lost if the state is redeployed.
+# </auto-generated>
+
+set -e
+
+PREFIX_PKI=pki_
+DOMAIN=nasqueron.drake
+CERTS_PATH=/usr/local/share/certs
+PUBLIC_URL=https://api.nasqueron.org/infra/security/pki
+
+VAULT_CERTS_PATH=/usr/local/etc/certificates/vault
+
+# -------------------------------------------------------------
+# PKI :: root CA
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+CA_ROOT_NAME=root
+CA_ROOT_PATH=$PREFIX_PKI$CA_ROOT_NAME
+
+vault secrets enable -path=$CA_ROOT_PATH pki
+vault secrets tune -max-lease-ttl=87600h
+
+vault write -field=certificate $CA_ROOT_PATH/root/generate/internal \
+ common_name=$DOMAIN \
+ ttl=87600h > $CERTS_PATH/nasqueron-vault-ca.crt
+
+vault write $CA_ROOT_PATH/config/urls \
+ issuing_certificates="$PUBLIC_URL/$CA_ROOT_NAME/ca" \
+ crl_distribution_points="$PUBLIC_URL/$CA_ROOT_NAME/crl"
+
+
+# -------------------------------------------------------------
+# PKI :: intermediate CA for Vault own certificates
+#
+# Intermediate certificate is signed by the root CA one.
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+CA_VAULT_NAME=vault
+CA_VAULT_PATH=$PREFIX_PKI$CA_VAULT_NAME
+
+vault secrets enable -path=$CA_VAULT_PATH pki
+vault secrets tune -max-lease-ttl=2160h "$CA_VAULT"
+
+CSR=$(mktemp /tmp/csr.XXXX)
+vault write -format=json $CA_VAULT_PATH/intermediate/generate/internal \
+ common_name="$DOMAIN Intermediate Authority" \
+ | jq -r '.data.csr' > "$CSR"
+vault write -format=json $CA_ROOT_PATH/root/sign-intermediate csr=@"$CSR" \
+ format=pem_bundle ttl="2160h" \
+ | jq -r '.data.certificate' > $CERTS_PATH/nasqueron-vault-intermediate.crt
+rm "$CSR"
+
+vault write $CA_VAULT_PATH/intermediate/set-signed \
+ certificate=@$CERTS_PATH/nasqueron-vault-intermediate.crt
+
+vault write $CA_VAULT_PATH/config/urls \
+ issuing_certificates="$PUBLIC_URL/$CA_VAULT_NAME/ca" \
+ crl_distribution_points="$PUBLIC_URL/$CA_VAULT_NAME/crl"
+
+vault write $CA_VAULT_PATH/roles/nasqueron-drake \
+ allowed_domains="nasqueron.drake" \
+ allow_subdomains=true \
+ max_ttl="2160h"
+
+# -------------------------------------------------------------
+# Vault configuration artifacts
+#
+# :: TLS certificate generated by intermediate PKI
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+mkdir -p $VAULT_CERTS_PATH
+
+vault write -format=json $CA_VAULT_PATH/issue/nasqueron-drake \
+ common_name="complector.nasqueron.drake" ttl="2160h" \
+ ip_sans="127.0.0.1,172.27.27.7" | tee \
+ >(jq -r .data.certificate > $VAULT_CERTS_PATH/certificate.pem) \
+ >(jq -r .data.issuing_ca > $VAULT_CERTS_PATH/ca.pem) \
+ >(jq -r .data.private_key > $VAULT_CERTS_PATH/private.key)
+
+cat $VAULT_CERTS_PATH/certificate.pem $VAULT_CERTS_PATH/ca.pem > $VAULT_CERTS_PATH/fullchain.pem
+
+# -------------------------------------------------------------
+# Vault configuration autounseal
+#
+# :: create an encryption key
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+vault write -f transit/keys/autounseal
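Review bot: Both `vault secrets tune` calls target the wrong mount: the root CA call right after `vault secrets enable -path=$CA_ROOT_PATH pki` passes no path at all, and the intermediate call passes `"$CA_VAULT"`, a variable that is never assigned, so the max-lease-ttl settings never reach `pki_root`/`pki_vault` and the CLI's argument error stops the script under `set -e`. They should read `vault secrets tune -max-lease-ttl=87600h "$CA_ROOT_PATH"` and `vault secrets tune -max-lease-ttl=2160h "$CA_VAULT_PATH"`. Separately, the issued private key is written to `$VAULT_CERTS_PATH/private.key` under the default umask, and the complete JSON response, key included, still flows out of `tee`'s stdout to the console or whatever log captures the run; adding `umask 077` before the `mkdir -p` and ending the tee pipeline with `> /dev/null` keeps the key from being world-readable and out of the output. The script also never enables the transit engine before `vault write -f transit/keys/autounseal`, so that last step presumably relies on transit being mounted elsewhere — worth a comment saying so, or an explicit `vault secrets enable transit` guarded against an existing mount.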
diff --git a/roles/vault/bootstrap/init.sls b/roles/vault/bootstrap/init.sls
new file mode 100644
--- /dev/null
+++ b/roles/vault/bootstrap/init.sls
@@ -0,0 +1,33 @@
+# -------------------------------------------------------------
+# Salt — Vault
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Project: Nasqueron
+# License: Trivial work, not eligible to copyright
+# -------------------------------------------------------------
+# , ,
+# / \/ \
+# (/ //_ \_
+# .-._ \|| . \
+# \ '-._ _,:__.-"/---\_ \
+# ______/___ '. .--------------------'~-'--.)__( , )\ \
+# `'--.___ _\ / | HERE BE DRAGONS. ,' \)|\ `\|
+# /_.-' _\ \ _:,_ " || (
+# .'__ _.' \'-/,`-~` This unit is only intended |/
+# '. ___.> /=,| for disaster recovery plan B. |
+# / .-'/_ ) | Plan A is to restore storage. |
+# snd )' ( /(/ '---------------------------------'
+# \\ "
+# '=='
+
+vault_bootstrap_dependencies:
+ pkg.installed:
+ - jq
+
+/usr/local/bin/vault-initialize:
+ file.managed:
+ - source: salt://roles/vault/bootstrap/files/vault-initialize.sh
+ - mode: 755
+
+# As Salt doesn't have a token for the Vault installation,
+# we can't run this script. Run it with a root token or
+# a token with the "vault_bootstrap" policy.
diff --git a/roles/vault/init.sls b/roles/vault/init.sls
--- a/roles/vault/init.sls
+++ b/roles/vault/init.sls
@@ -10,3 +10,13 @@
# Depends of Vault installed
- .policies
+
+# -------------------------------------------------------------
+# Disaster recovery process
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+# The bootstrap unit can be run once for the whole cluster
+# if you wish to regerate the Vault configuration from scratch
+# instead of restoring the storage back-end.
+#
+# As such, .bootstrap should NOT be included in the includes list.
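Review bot: `regerate` in the new comment block should read `regenerate`. Since this comment is the only pointer from the role to the disaster-recovery unit, it would also help to name what `.bootstrap` installs (`/usr/local/bin/vault-initialize`) and that it must be run by hand with a root token or one carrying the `vault_bootstrap` policy, so a reader of this file does not have to open the bootstrap state to find out.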
diff --git a/roles/vault/policies/files/vault_bootstrap.hcl b/roles/vault/policies/files/vault_bootstrap.hcl
new file mode 100644
--- /dev/null
+++ b/roles/vault/policies/files/vault_bootstrap.hcl
@@ -0,0 +1,34 @@
+# -------------------------------------------------------------
+# Vault configuration - Policy to run DRP bootstrap script
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Project: Nasqueron
+# License: Trivial work, not eligible to copyright
+# Source file: roles/vault/vault/files/vault_boostrap.hcl
+# -------------------------------------------------------------
+#
+# <auto-generated>
+# This file is managed by our rOPS SaltStack repository.
+#
+# Changes to this file may cause incorrect behavior
+# and will be lost if the state is redeployed.
+# </auto-generated>
+
+# -------------------------------------------------------------
+# Secrets engine management
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+path "sys/mounts/*" {
+ capabilities = [ "create", "read", "update", "delete", "list" ]
+}
+
+path "sys/mounts" {
+ capabilities = [ "read", "list" ]
+}
+
+# -------------------------------------------------------------
+# PKI
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+path "pki*" {
+ capabilities = [ "create", "read", "update", "delete", "list", "sudo" ]
+}
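Review bot: The policy grants nothing on the transit engine, yet the script it is meant to stay in sync with (vault-initialize.sh) ends with `vault write -f transit/keys/autounseal`, so a token carrying only `vault_bootstrap` is denied on that step; add `path "transit/keys/autounseal" { capabilities = [ "create", "update" ] }` (or `transit/keys/*` if the key name is expected to vary). The `pki*` glob in the last stanza also reaches any mount whose name starts with `pki`, while the script only creates `pki_root` and `pki_vault`; naming those two mounts explicitly would keep the bootstrap token to what the script actually touches. The `Source file:` header line reads `roles/vault/vault/files/vault_boostrap.hcl`, whereas this file is added at roles/vault/policies/files/vault_bootstrap.hcl.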
D2772: Create an encryption key for autounseal