From 21ee55b1ef26a1f9dd5886b3ca2c5fe9a7307b8e Mon Sep 17 00:00:00 2001
From: "Cobb, Randy"
Date: Tue, 10 Apr 2018 08:39:52 -0700
Subject: [PATCH] Several refactorings of ports, and more after pull-request recommendations were suggested by rawmind0

---
 templates/vault/0/README.md | 14 +++++
 templates/vault/0/docker-compose.yml.tpl | 13 +++-
 templates/vault/0/rancher-compose.yml | 71 ++++++++++++++++++------
 3 files changed, 76 insertions(+), 22 deletions(-)

diff --git a/templates/vault/0/README.md b/templates/vault/0/README.md
index 5202f76..592a8a1 100644
--- a/templates/vault/0/README.md
+++ b/templates/vault/0/README.md
@@ -19,3 +19,17 @@ This catalog item uses these two main containers:
 4. Specify the Volume Driver for pesistent mounting of Vault's FILE backing store, and CONFIGURATION
 5. Finally, once the stack is up, you can use your normal Vault process to init, unseal, and more.
 6. Enjoy!
+
+## Backend Configuration
+This field is for specifying your backend configuration values. You enter them in a name=value pair format with each separate element being on its own line. For example:
+```
+address = "http://locahost:2379"
+etcd_api = "v3"
+```
+would be a valid configuration for Etcd and
+```
+access_key = "abcd1234"
+secret_key = "defg5678"
+bucket = "my-bucket"
+```
+would be valid for Amazon S3 buckets.
diff --git a/templates/vault/0/docker-compose.yml.tpl b/templates/vault/0/docker-compose.yml.tpl
index a7b5d78..0584a06 100755
--- a/templates/vault/0/docker-compose.yml.tpl
+++ b/templates/vault/0/docker-compose.yml.tpl
@@ -11,7 +11,9 @@ services:
 - ${VAULT_LISTEN_PORT}:8200/tcp
 - ${VAULT_CLUSTER_PORT}:8201/tcp
 labels:
- io.rancher.scheduler.affinity:host_label: lbhost=true
+{{- if .Values.HOST_LABEL }}
+ io.rancher.scheduler.affinity:host_label: ${HOST_LABEL}
+{{- end }}
 io.rancher.container.agent.role: environmentAdmin,agent
 io.rancher.container.agent_service.drain_provider: 'true'
 io.rancher.container.create_agent: 'true'
@@ -20,13 +22,14 @@ services:
 - IPC_LOCK
 image: vault:0.9.6
 environment:
- VAULT_LOCAL_CONFIG: ${VAULT_LOCAL_CONFIG}
 VAULT_REDIRECT_INTERFACE: "eth0"
 VAULT_CLUSTER_INTERFACE: "eth0"
-{{- if eq .Values.USE_CONSUL "true"}}
+ VAULT_LOCAL_CONFIG: |
+ { "backend": "{{.Values.VAULT_BACKEND}}": { {{.Values.BACKEND_CONFIGURATION}} },"listener":{"tcp":{"address":"0.0.0.0:8200","tls_disable":1}}, "cluster_name":"{{.Values.VAULT_CLUSTER_NAME}}" }
+{{- if .Values.VAULT_BACKEND }}
 external_links:
- - ${CONSUL_SERVICE}:consul
-{{- end}}
+ - ${VAULT_BACKEND}:SERVICE
+{{- end }}
 volumes:
 - vault-file:/vault/file
 - vault-config:/vault/config
diff --git a/templates/vault/0/rancher-compose.yml b/templates/vault/0/rancher-compose.yml
index 8205dc3..272fd41 100755
--- a/templates/vault/0/rancher-compose.yml
+++ b/templates/vault/0/rancher-compose.yml
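Review bot: The inline config written on the `VAULT_LOCAL_CONFIG` line is not well-formed: `"backend": "{{.Values.VAULT_BACKEND}}": { ... }` places two keys back to back where the backend name has to be nested as an object, i.e. `"backend": { "{{.Values.VAULT_BACKEND}}": { {{.Values.BACKEND_CONFIGURATION}} } }`, and since BACKEND_CONFIGURATION is documented as `name=value` lines it will not be accepted inside JSON braces either, so the rendered value should be fed to Vault before this merges. The new external_links entry links `${VAULT_BACKEND}`, which is the storage-engine name from the enum question, rather than the BACKEND_SERVICE question that the rancher-compose change introduces for the service to connect to; `- ${BACKEND_SERVICE}:SERVICE` looks intended, and `{{- if .Values.VAULT_BACKEND }}` is always true for a required enum, so the guard should test BACKEND_SERVICE as well. `"tls_disable":1` was previously only a user-editable default and is now fixed in the template, so the listener can no longer be given TLS without editing the catalog; exposing it as a question would preserve that option. Because BACKEND_CONFIGURATION may carry backend credentials (the README example uses `access_key`/`secret_key`), they now land in the container environment through VAULT_LOCAL_CONFIG and are visible to anyone who can inspect the container, which is worth stating in the README. The vault service definition begins before this hunk.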
@@ -6,38 +6,75 @@ catalog:
 Installs a Vault container, internal (Rancher) load-balancer, and allows connection to a Consul cluster
 uuid: vault-rac-0
 questions:
- - variable: VAULT_LOCAL_CONFIG
- label: Provide a default config?
+ - variable: VAULT_CLUSTER_NAME
+ label: Vault Cluster Name
 description: |
- This is the embedded JSON format config file that vault will use at startup
- type: multiline
- default: |
- {"backend":{"consul":{"address":"consul:8500", "path":"vault"}}, "listener":{"tcp":{"address":"0.0.0.0:8200","tls_disable":1}}, "cluster_name": "myCluster" }
+ Provide a name for this Vault cluster
+ type: string
+ default: myCluster
+ required: true
+ - variable: VAULT_BACKEND
+ label: Backend for Vault
+ description: |
+ Provide the backend engine for Vault (i.e., Consul, File, etc.)
 - variable: VAULT_LISTEN_PORT
 label: Vault Listen Port
- description:
+ description: |
 This is the port number you want Vault to listen on. Actually, Vault ALWAYS listens on port 8200, but it isn't exposed, so you can set the port you want the LoadBalancer to listen on.
 default: 8200
 type: int
+ required: true
 - variable: VAULT_CLUSTER_PORT
 label: Vault Cluster Port
- description:
+ description: |
 Similar to the Vault Listen Port, this is the VAULT CLUSTER listen port to use.
 default: 8201
 type: int
- - variable: USE_CONSUL
- label: Would you like to back Vault with Consul?
+ required: true
+ - variable: VAULT_BACKEND
+ label: Select a backend for Vault
 description: |
- Selecting yes or no allows you to back your vault repoository with a pre-installed
- Consul cluster/server
- default: false
- type: boolean
- - variable: CONSUL_SERVICE
- label: Specify the Consul service to connect to
+ Vault supports several different backend storage engines. Please select the one you are interested in using.
(NOTE: Must be pre-installed or added to a different stack)
+ default: Filesystem
+ type: enum
+ required: true
+ options:
+ - azure
+ - cockroachdb
+ - consul
+ - couchdb
+ - dynamodb
+ - etcd
+ - filesystem
+ - gcs
+ - inmem
+ - manta
+ - mysql
+ - postgresql
+ - spanner
+ - cassandra
+ - s3
+ - swift
+ - zookeeper
+ - variable: BACKEND_SERVICE
+ label: Specify the Backend service to connect to
 description: |
- The pre-installed Consul server to back to
+ The pre-installed Backend server to back to. To reference, you can use the memory variable "$SERVICE" in your URLs. For example: "consul://$SERVICE:8500"
 default: "select"
 type: service
+ - variable: BACKEND_CONFIGURATION
+ label: Specify the backend configuration in name=value format
+ default: "path=\"/mnt/vault/data\""
+ required: true
+ description: |
+ Enter the configuration block for the backend (Refer to Vault documentation for valid backend configuration elements) put each item on a separate line
+ type: multiline
+ - variable: HOST_LABEL
+ label: Optional Host label to bind LoadBalancer to
+ description: |
+ If you wish to bind your LoadBalancer to a specific host node, you can specify the label and value here in name=value pair format
+ default: "lbhost=true"
+ type: string
 - variable: VOLUME_DRIVER
 label: Driver for volumes
 description: |
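Review bot: `VAULT_BACKEND` is defined twice in this hunk — first as the untyped "Backend for Vault" question added after VAULT_CLUSTER_NAME, then as the enum "Select a backend for Vault" — and which one the catalog honours is undefined, so the first four-line block should be dropped. The enum's `default: Filesystem` is not one of its own options, which are all lowercase, and because the selected value is substituted verbatim as the backend key of Vault's config the option names have to be Vault's storage backend identifiers; Vault's file backend is registered as `file`, not `filesystem`, so `default: file` and `- file` in the options list are what will actually start. The BACKEND_CONFIGURATION default `path="/mnt/vault/data"` points outside the `vault-file:/vault/file` volume the compose file mounts, so with the default backend the data would not land on the persistent volume; `default: "path=\"/vault/file\""` matches the mount. The `questions:` list continues past the end of this hunk.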