vault_tools
Version information
This version is compatible with:
- Puppet Enterprise 2023.8.x, 2023.7.x, 2023.6.x, 2023.5.x, 2023.4.x, 2023.3.x, 2023.2.x, 2023.1.x, 2021.7.x
- Puppet >= 7.24 < 9.0.0
Start using this module
Add this module to your Puppetfile:
mod 'none0nfg-vault_tools', '0.2.0'
Table of Contents
- Description
- Setup - The basics of getting started with vault_tools
- Usage - Configuration options and additional functionality
- Limitations - OS compatibility, etc.
- Development - Guide for contributing to the module
Description
Provides useful utilities for HashiCorp Vault, such as:
- syncing Vault secrets to files on the filesystem
The module's authors recommend compiling this module's manifests on the Puppet server side, so that the Vault credentials are managed in one place: add the corresponding environment variables (Vault address and AppRole credentials) to /etc/puppetlabs/puppetserver/conf.d/puppetserver.conf as described in the linked documentation (the puppet/vault_lookup README lists the supported variables). Keep in mind that a secret resolved at compile time is embedded as file content in the compiled catalog, which is sent to the agent and cached on its disk, and which is stored in PuppetDB when catalog storage is enabled; protect those locations accordingly.
Setup
Beginning with vault_tools
To install this module, follow the standard instructions. Add the following line to your Puppetfile:
mod 'none0nfg-vault_tools', '<VERSION>'
or install it manually:
puppet module install none0nfg-vault_tools --version <VERSION>
Usage
Sync a secret from Vault to the filesystem:
vault_tools::vault_file_sync { 'secret/data/certs':
  dest         => '/etc/ssl',
  file_specs   => {
    owner => 'nginx',
    group => 'nginx',
    mode  => '0664',
  },
  vault_client => { approle_path_segment => 'v1/auth/approle/' },
}
This example writes every key of the 'secret/data/certs' secret into /etc/ssl as a separate file, using the key as the file name and the key's value as the file content. Note that the mode '0664' shown here makes the files group-writable; for private key material use a stricter mode (for example '0600' or '0640') through file_specs or per_file_specs. Remember that approle_path_segment must end with a trailing slash (/), otherwise the module raises an error.
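The same sync with permissions a practitioner would actually want for a TLS bundle, as an added example that is not part of the module's own README: only the three expected keys are written, the certificate and chain stay world-readable, and the private key is root-owned and readable only by the nginx group. The parameters used (dest, keys_to_place, file_specs, per_file_specs, vault_client) are the ones documented on this page; the separately managed destination directory and the `require` relationship on it are assumptions about how the module is used, not behaviour the module documents.

```puppet
# Added example (not the module's own code): hardened permissions for a TLS
# bundle synced from Vault. Assumption: the destination directory is not
# created by the module, so it is managed here and required by the sync.
file { '/etc/nginx/tls':
  ensure => directory,
  owner  => 'root',
  group  => 'nginx',
  mode   => '0750',
}

vault_tools::vault_file_sync { 'secret/data/certs':
  dest           => '/etc/nginx/tls',
  # Only materialise the keys you expect; other keys in the secret are not written.
  keys_to_place  => ['cert.pem', 'fullchain.pem', 'privkey.pem'],
  # Baseline for every file (same as the documented default, stated explicitly):
  # readable by all, writable only by root.
  file_specs     => {
    owner => 'root',
    group => 'root',
    mode  => '0644',
  },
  # The private key is the sensitive part: root-owned, group-readable by nginx only.
  per_file_specs => {
    'privkey.pem' => {
      owner => 'root',
      group => 'nginx',
      mode  => '0640',
    },
  },
  # approle_path_segment must keep its trailing slash or the module raises an error.
  vault_client   => { approle_path_segment => 'v1/auth/approle/' },
  require        => File['/etc/nginx/tls'],
}
```

Keeping the private key out of the group-writable, world-readable defaults matters most when the catalog is compiled server-side, because the key material then travels inside the catalog and is written to disk by the agent; the file modes above are the last line of defence on the node itself.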
Limitations
No specific limitations
Development
There is currently no way to contribute.
Reference
Table of Contents
Defined types
vault_tools::vault_file_sync
: This defined type syncs the content of a Vault secret to files on the filesystem.
Defined types
vault_tools::vault_file_sync
Syncs the content of a Vault secret to files on the filesystem: each selected key of the secret becomes a file in dest, named after the key and containing the key's value.
Examples
vault_tools::vault_file_sync { 'secret/data/certs':
  dest           => '/tmp',
  file_specs     => {
    owner => 'nginx',
    group => 'nginx',
  },
  keys_to_place  => ['cert.pem', 'fullchain.pem', 'privkey.pem'],
  per_file_specs => {
    'cert.pem' => {
      owner => 'root',
      group => 'root',
    },
  },
  vault_client   => { approle_path_segment => 'v1/auth/approle/' },
}
Note that this example places privkey.pem in /tmp with the default mode; in production use a dedicated directory and a restrictive mode for the private key via per_file_specs.
Parameters
The following parameters are available in the vault_tools::vault_file_sync defined type:
vault_path
Data type: String
The Vault path to read the secret from.
Default value: $title
vault_client
Data type: Hash
Hash of Vault connection parameters; see the available parameters in the [puppet/vault_lookup](https://forge.puppet.com/modules/puppet/vault_lookup/readme) module.
Default value: {}
dest
Data type: String
Directory to place the files in.
Default value: undef
keys_to_place
Data type: Optional[Array[String]]
Keys of the Vault secret to write into the $dest directory; when unset, every key of the secret is written.
Default value: undef
per_file_specs
Data type: Hash
Per-file overrides in the format of the file resource type, keyed by the Vault key (the file name); an entry here takes precedence over file_specs for that file, e.g.
per_file_specs => {
  '<VAULT_FILE_KEY>' => {
    <any param of `file` type> => ...,
  },
  '<VAULT_FILE_KEY_2>' => {
    <any param of `file` type> => ...,
  },
}
Default value: {}
file_specs
Data type: Hash
Default file resource attributes (owner, group, mode) applied to every file created by this defined type; per_file_specs overrides them for individual files.
Default value:
{
  owner => 'root',
  group => 'root',
  mode  => '0644',
}
Dependencies
- puppet-vault_lookup (>= 1.0.0 <= 1.1.0)
- puppet-stdlib (>= 4.13.1 < 10.0.0)