
vault's People

Contributors

dmaes, gibbs, luckyraul, optiz0r, southalc


vault's Issues

Server Error: no parameter named 'cert_chain_owner'

It seems I can't make the new cert_chain parameters work. Am I doing something stupid?

Hiera:
https://github.com/Enucatl/puppet-control-repo/blob/8f045e270d68ecfc4b2bfe6d8d5514ce22a702eb/data/nodes/nuc10i7fnh.home.arpa.yaml

Manifest:
https://github.com/Enucatl/puppet-control-repo/blob/8f045e270d68ecfc4b2bfe6d8d5514ce22a702eb/manifests/site.pp#L76

Error: Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: no parameter named 'cert_chain_owner' (file: /etc/puppetlabs/code/environments/production/manifests/site.pp, line: 76) on Vault_cert[traefik] (file: /etc/puppetlabs/code/environments/production/manifests/site.pp, line: 76)

vault_cert improvements

I'm forking this out of #1 to keep the discussions scoped appropriately.

Renewal of the certificate should be driven by the "vault_cert" fact. Verify this fact is being reported correctly. If there's an issue I'd appreciate the feedback to fix the problem.

The problem I was seeing with renewal on every puppet run is user-error. I am trying to use the Deferred('vault_cert', ...) directly to generate multiple certificates on the host, rather than the vault_secrets main class to implement a single cert for the host. I've just checked the init.pp logic for using the fact and conditionally making the vault call, so I see I need to implement or wrap some of that logic myself. The reason for wanting multiple certs issued by vault is so that a puppet profile class responsible for deploying each service would install a corresponding certificate for that service to use. I don't want to have to maintain a single global cert with aliases for every service used on the host, and then have to deal with constructing that alias list dynamically based on what puppet profiles have been included on the host - that way madness lies.

This had been what I was trying to do which does successfully deploy a cert to the host, but renews each time puppet runs. I have generate_lease turned on in my vault pki role (as described here: https://www.nomadproject.io/docs/job-specification/template#pki-certificate), which I was hoping would be enough to prevent re-issuing the cert, but that logic must be implemented in consul-template rather than in vault itself, so is something I need to do.

  $cert = Deferred('vault_cert', [
    "${vault_address}/v1/pki/consul_int/issue/hashistack",
    'puppet-pki',
    {
      'common_name' => $::fqdn,
      'alt_names'   => $aliases.join(','),
      'ip_sans'     => [$::facts['networking']['ip'], $::facts['networking']['ip6'], '127.0.0.1'],
      'ttl'         => '2160h', # 90days
    }
  ])

  file {
    '/etc/pki/consul':
      ensure => directory,
      owner  => 'root',
      group  => 'root',
      mode   => '0755'; # directories need the execute bit to be traversable; 0644 would block access to the files below
  }

  file {
    default:
      ensure => present,
      owner  => 'consul',
      group  => 'consul',
      notify => Class['consul::run_service'];

    '/etc/pki/consul/ca.crt':
      content => Deferred('dig', [$cert, 'ca_chain']),
      mode    => '0644';

    '/etc/pki/consul/server.key':
      content   => Deferred('dig', [$cert, 'private_key']),
      mode      => '0400',
      show_diff => false;

    '/etc/pki/consul/server.crt':
      content => Deferred('dig', [$cert, 'certificate']),
      mode    => '0644';
  }

I think I need to change my logic to:

  • Deploy all vault_cert issued certs to a specific directory (say /etc/pki/vault_certs)
  • Add a vault_certs fact which can enumerate all of the certs from that directory, rather than a single cert with a fixed filename
  • Use similar logic to what you have in the main class, to only call the deferred function and update the file contents if a renewal is needed
  • Permit setting file ownership/mode such that only the target application user can read the private key
  • Wrap the logic for deferred renewal into a defined type so it can be easily reused.

I think this would be useful and worth upstreaming into this module, do you?

Using hiera_data_hash causes puppet stack trace

When I attempt to retrieve secrets from vault, I get the following:

[root@dt-conf01 vault]# puppet lookup --environment production --verbose --trace profile_dns_cache::search_domains
Info: Loading facts
Info: Loading facts
Info: Loading facts
Info: Loading facts
Info: Loading facts
Info: Loading facts
Info: Loading facts
Info: Loading facts
Info: Loading facts
Info: Loading facts
Warning: Undefined variable 'site';
   (file & line not available)
Warning: Undefined variable 'cluster';
   (file & line not available)
Warning: Undefined variable 'role';
   (file & line not available)
Error: Could not run: undefined method `scrub' for nil:NilClass
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/error.rb:6:in `initialize'
/etc/puppetlabs/code/environments/production/modules/vault_secrets/lib/puppet/shared/vault_common.rb:35:in `exception'
/etc/puppetlabs/code/environments/production/modules/vault_secrets/lib/puppet/shared/vault_common.rb:35:in `raise'
/etc/puppetlabs/code/environments/production/modules/vault_secrets/lib/puppet/shared/vault_common.rb:35:in `vault_http_get'
/etc/puppetlabs/code/environments/production/modules/vault_secrets/lib/puppet/functions/vault_hiera_hash.rb:57:in `vault_hiera_hash'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/functions/dispatch.rb:60:in `invoke'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/functions/dispatcher.rb:43:in `block in dispatch'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/functions/dispatcher.rb:42:in `catch'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/functions/dispatcher.rb:42:in `dispatch'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/functions/function.rb:46:in `block in call'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/functions/function.rb:45:in `catch'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/functions/function.rb:45:in `call'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/lookup/data_hash_function_provider.rb:77:in `call_data_hash_function'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/lookup/data_hash_function_provider.rb:70:in `data_hash'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/lookup/data_hash_function_provider.rb:55:in `data_value'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/lookup/data_hash_function_provider.rb:51:in `lookup_key'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/lookup/data_hash_function_provider.rb:41:in `block in invoke_with_location'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/lookup/invocation.rb:136:in `with'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/lookup/data_hash_function_provider.rb:39:in `invoke_with_location'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/lookup/data_hash_function_provider.rb:28:in `block (2 levels) in unchecked_key_lookup'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/merge_strategy.rb:126:in `lookup'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/lookup/data_hash_function_provider.rb:27:in `block in unchecked_key_lookup'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/lookup/invocation.rb:136:in `with'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/lookup/data_hash_function_provider.rb:26:in `unchecked_key_lookup'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/lookup/configured_data_provider.rb:56:in `block (2 levels) in unchecked_key_lookup'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/merge_strategy.rb:132:in `block (3 levels) in lookup'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/merge_strategy.rb:131:in `catch'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/merge_strategy.rb:131:in `block (2 levels) in lookup'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/merge_strategy.rb:129:in `each'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/merge_strategy.rb:129:in `reduce'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/merge_strategy.rb:129:in `block in lookup'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/lookup/invocation.rb:136:in `with'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/merge_strategy.rb:128:in `lookup'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/lookup/configured_data_provider.rb:55:in `block in unchecked_key_lookup'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/lookup/invocation.rb:136:in `with'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/lookup/configured_data_provider.rb:48:in `unchecked_key_lookup'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/lookup/data_provider.rb:26:in `block in key_lookup'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/lookup/invocation.rb:97:in `check'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/lookup/data_provider.rb:26:in `key_lookup'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/lookup/lookup_adapter.rb:157:in `lookup_in_environment'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/lookup/lookup_adapter.rb:384:in `block in env_lookup_options'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/lookup/lookup_adapter.rb:384:in `catch'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/lookup/lookup_adapter.rb:384:in `env_lookup_options'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/lookup/lookup_adapter.rb:348:in `block (2 levels) in retrieve_lookup_options'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/lookup/invocation.rb:136:in `with'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/lookup/lookup_adapter.rb:344:in `block in retrieve_lookup_options'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/lookup/invocation.rb:82:in `lookup'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/lookup/lookup_adapter.rb:343:in `retrieve_lookup_options'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/lookup/lookup_adapter.rb:237:in `lookup_lookup_options'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/lookup/lookup_adapter.rb:64:in `block in lookup'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/lookup/invocation.rb:82:in `lookup'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/lookup/lookup_adapter.rb:59:in `lookup'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/lookup.rb:76:in `search_and_merge'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/lookup.rb:31:in `block (2 levels) in lookup'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/lookup.rb:31:in `catch'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/lookup.rb:31:in `block in lookup'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/lookup.rb:29:in `each'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/lookup.rb:29:in `reduce'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/lookup.rb:29:in `lookup'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/application/lookup.rb:322:in `block in main'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/application/lookup.rb:378:in `block in generate_scope'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/parser/compiler.rb:153:in `block in compile'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/context.rb:62:in `override'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet.rb:302:in `override'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/parser/compiler.rb:123:in `compile'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/application/lookup.rb:378:in `generate_scope'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/application/lookup.rb:318:in `main'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/application.rb:437:in `run_command'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/application.rb:421:in `block in run'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/util.rb:744:in `exit_on_fail'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/application.rb:421:in `run'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/util/command_line.rb:143:in `run'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/util/command_line.rb:77:in `execute'
/opt/puppetlabs/puppet/bin/puppet:5:in `<main>'

I am running

[root@dt-conf01 ~]# puppet --version
7.11.0

I have tried both PKI cert and using a token and they both result in the same issue.

If the authentication is incorrect or the path is incorrect, the error is a standard error.

hiera.yaml:

  - name: "Secrets from Vault"
    data_hash: "vault_hiera_hash"
    uris:
      - "https://asd-vault1.internal.ncsa.edu:8202/v1/delta/"
    options:
      timeout: 3
      token_file: "/etc/puppetlabs/puppet/vault/delta-vault-token"
      ca_trust: "/etc/puppetlabs/puppet/ssl/certs/ca.pem"

Puppet CA not being loaded by default (I.. think?)

Howdy! So we've been happily using this module after switching away from vault_lookup for quite some time now. Today, we installed two new machines and much to our surprise, vault_secrets failed. I've lost the stack trace is as follows:

Error: Failed to apply catalog: SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get local issuer certificate)
/opt/puppetlabs/puppet/lib/ruby/2.7.0/net/protocol.rb:44:in `connect_nonblock'
/opt/puppetlabs/puppet/lib/ruby/2.7.0/net/protocol.rb:44:in `ssl_socket_connect'
/opt/puppetlabs/puppet/lib/ruby/2.7.0/net/http.rb:1009:in `connect'
/opt/puppetlabs/puppet/lib/ruby/2.7.0/net/http.rb:943:in `do_start'
/opt/puppetlabs/puppet/lib/ruby/2.7.0/net/http.rb:932:in `start'
/opt/puppetlabs/puppet/lib/ruby/2.7.0/net/http.rb:1483:in `request'
/opt/puppetlabs/puppet/cache/lib/puppet_x/vault_secrets/vaultsession.rb:159:in `post'
/opt/puppetlabs/puppet/cache/lib/puppet_x/vault_secrets/vaultsession.rb:179:in `get_token'
/opt/puppetlabs/puppet/cache/lib/puppet_x/vault_secrets/vaultsession.rb:66:in `initialize'
/opt/puppetlabs/puppet/cache/lib/puppet/functions/vault_key.rb:32:in `new'
/opt/puppetlabs/puppet/cache/lib/puppet/functions/vault_key.rb:32:in `vault_key'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/functions/dispatch.rb:60:in `invoke'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/functions/dispatcher.rb:47:in `block in dispatch'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/functions/dispatcher.rb:46:in `catch'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/functions/dispatcher.rb:46:in `dispatch'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/functions/function.rb:46:in `block in call'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/functions/function.rb:45:in `catch'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/functions/function.rb:45:in `call'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/evaluator/runtime3_support.rb:283:in `block in external_call_function'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/util/profiler/around_profiler.rb:58:in `profile'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/util/profiler.rb:51:in `profile'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/evaluator/runtime3_support.rb:282:in `external_call_function'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/parser/scope.rb:1102:in `call_function'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/evaluator/deferred_resolver.rb:151:in `resolve_future'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/evaluator/deferred_resolver.rb:102:in `resolve'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/evaluator/deferred_resolver.rb:84:in `block (2 levels) in resolve_futures'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/evaluator/deferred_resolver.rb:83:in `each_pair'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/evaluator/deferred_resolver.rb:83:in `block in resolve_futures'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/evaluator/deferred_resolver.rb:81:in `each'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/evaluator/deferred_resolver.rb:81:in `resolve_futures'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/evaluator/deferred_resolver.rb:44:in `resolve_and_replace'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/configurer.rb:115:in `block in convert_catalog'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/util.rb:556:in `block in thinmark'
/opt/puppetlabs/puppet/lib/ruby/2.7.0/benchmark.rb:308:in `realtime'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/util.rb:555:in `thinmark'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/configurer.rb:112:in `convert_catalog'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/configurer.rb:481:in `run_internal'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/configurer.rb:339:in `run'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/agent.rb:83:in `block (6 levels) in run'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/context.rb:62:in `override'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet.rb:289:in `override'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/agent.rb:82:in `block (5 levels) in run'
/opt/puppetlabs/puppet/lib/ruby/2.7.0/timeout.rb:95:in `block in timeout'
/opt/puppetlabs/puppet/lib/ruby/2.7.0/timeout.rb:105:in `timeout'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/agent.rb:81:in `block (4 levels) in run'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/agent/locker.rb:21:in `lock'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/agent.rb:71:in `block (3 levels) in run'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/agent.rb:162:in `with_client'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/agent.rb:67:in `block (2 levels) in run'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/agent.rb:127:in `run_in_fork'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/agent.rb:66:in `block in run'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/application.rb:172:in `controlled_run'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/agent.rb:47:in `run'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/application/agent.rb:433:in `onetime'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/application/agent.rb:393:in `block in run_command'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/context.rb:62:in `override'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet.rb:289:in `override'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/application/agent.rb:390:in `run_command'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/application.rb:421:in `block in run'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/util.rb:745:in `exit_on_fail'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/application.rb:421:in `run'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/util/command_line.rb:143:in `run'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/util/command_line.rb:77:in `execute'
/opt/puppetlabs/puppet/bin/puppet:5:in `<main>'

The reason for this I believe is that get_ca_file is only looking at the system level CA files, rather than the CA provided by Puppet. We use puppet to configure the system level CA trust so -- chicken and egg. I believe it would make more sense to have get_ca_file retrieve /etc/puppetlabs/puppet/ssl/certs/ca.pem -- what do you think?

That all said, I don't see any obvious evidence that vault_lookup uses the puppet ca pem directly so ???? I'm not sure why that worked and this doesn't.

Vault is not a class?

Hi there! I'm trying to transition from vault_lookup to vault_secrets and am running into a ... very difficult to track down issue. When I try to use vault_hash or vault_key, I get:
Error for function 'vault_hash': Vault is not a class

Scanning around the code, it's clear to me that both are including the puppet_x file and at least to my eyes it's most certainly "a class" lol. =) So .. I'm at a loss. I am also using jsok/vault but I even temporarily disabled that module to see if that was causing some conflict, but nothing. I still have vault_lookup installed as well, but I can't find any reason why that would conflict.

Any ideas?

Puppet Agent 7.16.0
Puppet Server 7.7.0
Tested on Ubuntu 20.04

Consider renaming to avoid conflict with jsok/vault?

Hi,

First up, thanks for publishing this module, it looks like it will be very useful!

Due to puppet modules needing to be uniquely named within a single puppet environment, would you consider renaming this one so that it can be used in conjunction with https://forge.puppet.com/modules/jsok/vault, which is used to deploy vault itself? Currently, because both modules are named the same, puppet cannot be used to both deploy the vault service, and also consume secrets from it to manage other services using these two modules together.

Perhaps something like vault_functions, or vault_secrets as an alternative?

Thanks,
Ben

Certificate chain with intermediate authority

Hi, I have a setup where my vault has a root CA (which we call a), which was used to sign an intermediate CA (b). b is then used to sign server (s) certificates.

I think this module produces certificates in vault/lib/puppet/provider/vault_cert/vault_cert.rb in a way that is harder to use in my (relatively common) use case.

We get three files, containing:

ca_chain: [b, a]
cert: [s, b]
privkey: [s]

As a result, whenever I distribute the cert file to applications that only have the [a] ca file, they are not able to verify it.

I think we should follow the way that letsencrypt's certbot is using:

fullchain: [s, b, a]
cert: [s]
privkey: [s]

they also provide a chain with only [b, a], but I've never seen it used anywhere, plus it would be more work to add another output, while here we can just reuse either cert (for backwards compatibility within this package) or ca_chain (closer to certbot's fullchain name):

# line 330
      @property_flush[:ca_chain] = cert_info['data']['ca_chain'].join("\n")
      @property_flush[:cert] = [cert_info['data']['certificate'], cert_info['data']['ca_chain'].join("\n")].join("\n")
      @property_flush[:key] = cert_info['data']['private_key']
## or
      @property_flush[:ca_chain] = [cert_info['data']['certificate'], cert_info['data']['ca_chain'].join("\n")].join("\n")
      @property_flush[:cert] = cert_info['data']['certificate']
      @property_flush[:key] = cert_info['data']['private_key']

I went with option 1 in my fork
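The two chain layouts discussed in this issue, and the expiry-driven "vault_certs" fact sketched in the "vault_cert improvements" issue above, as one added example written for this page (not the module's provider code). It builds a constructed three-level test PKI (root a, intermediate b, leaf s) in place of a real Vault response, assembles both proposed output layouts, and checks which files an application trusting only [a] can actually verify; `make_cert`, `test_pki`, `build_outputs`, `verifiable_with_root_only?` and `vault_certs_fact` are all names assumed here.

```ruby
require 'openssl'
require 'time'
require 'tmpdir'

# Build one certificate of a constructed test PKI (root a -> intermediate b -> leaf s).
# Example code written for this page, not the module's provider.
def make_cert(cn, key, issuer: nil, ca: false, days: 365)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = OpenSSL::BN.rand(63)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer[:cert].subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + days * 86_400
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer ? issuer[:cert] : cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer ? issuer[:key] : key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Constructed stand-in for the 'data' part of a Vault pki issue response (same keys the issue quotes).
def test_pki(leaf_days: 365)
  a_key = OpenSSL::PKey::RSA.new(2048)
  a = make_cert('a', a_key, ca: true)
  b_key = OpenSSL::PKey::RSA.new(2048)
  b = make_cert('b', b_key, issuer: { cert: a, key: a_key }, ca: true)
  s_key = OpenSSL::PKey::RSA.new(2048)
  s = make_cert('s', s_key, issuer: { cert: b, key: b_key }, days: leaf_days)
  { 'certificate' => s.to_pem, 'ca_chain' => [b.to_pem, a.to_pem], 'private_key' => s_key.to_pem }
end

# The two layouts proposed in the issue. Option 1: :cert carries [s, b], :ca_chain stays [b, a].
# Option 2 (certbot style): :ca_chain becomes the fullchain [s, b, a] and :cert is [s] alone.
def build_outputs(data, option)
  chain = data['ca_chain'].join("\n")
  leaf_plus_chain = [data['certificate'], chain].join("\n")
  case option
  when 1 then { ca_chain: chain, cert: leaf_plus_chain, key: data['private_key'] }
  when 2 then { ca_chain: leaf_plus_chain, cert: data['certificate'], key: data['private_key'] }
  else raise ArgumentError, "unknown option #{option}"
  end
end

# Emulate an application that trusts only the root [a]: the first PEM in the bundle is the
# leaf, any further PEMs are offered as untrusted intermediates. Returns true if it verifies.
def verifiable_with_root_only?(pem_bundle, root_pem)
  certs = pem_bundle.scan(/-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/m)
                    .map { |p| OpenSSL::X509::Certificate.new(p) }
  store = OpenSSL::X509::Store.new
  store.add_cert(OpenSSL::X509::Certificate.new(root_pem))
  store.verify(certs.first, certs.drop(1))
end

# Sketch of the "vault_certs" fact from the improvements issue: enumerate *.crt in a directory
# and flag each one for renewal when it is within threshold_days of expiry.
def vault_certs_fact(dir, threshold_days: 30, now: Time.now)
  Dir.glob(File.join(dir, '*.crt')).sort.each_with_object({}) do |path, facts|
    cert = OpenSSL::X509::Certificate.new(File.read(path))
    facts[File.basename(path, '.crt')] = {
      'not_after' => cert.not_after.utc.iso8601,
      'renew' => (cert.not_after - now) < threshold_days * 86_400
    }
  end
end

if $PROGRAM_NAME == __FILE__
  data = test_pki
  root = data['ca_chain'].last
  [1, 2].each do |opt|
    out = build_outputs(data, opt)
    puts "option #{opt}: cert file verifies with root only? #{verifiable_with_root_only?(out[:cert], root)}"
  end
end
```

With option 2 the `cert` file alone fails verification against [a] (the situation the issue describes), while the fullchain in `ca_chain` verifies; with option 1 the `cert` file [s, b] verifies on its own.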

vault_cert causes corrective changes if info metadata is changed

If the info metadata is changed, i.e. the path to a cert file is updated, the json info file is not updated on disk, which means every time puppet runs, a corrective change is applied. It is only updated if a new certificate is issued.

The faulty code path is around https://github.com/southalc/vault/blob/master/lib/puppet/provider/vault_cert/vault_cert.rb#L321. The parsed info file should be checked against the desired state, and updated on disk with the updated attributes.
