From 34f243dd6f78c7db0af15bbd2b9c0d5567a81c66 Mon Sep 17 00:00:00 2001
From: "Cobb, Randy"
Date: Mon, 9 Apr 2018 14:43:15 -0700
Subject: [PATCH] Several refactorings of ports, and more after pull-request recommendations were suggested by rawmind0
---
 templates/vault/0/README.md | 21 +++++++
 templates/vault/0/docker-compose.yml.tpl | 71 ++++++++++++------------
 templates/vault/0/rancher-compose.yml | 26 ++++++---
 templates/vault/config.yml | 7 +--
 4 files changed, 78 insertions(+), 47 deletions(-)
 create mode 100644 templates/vault/0/README.md
diff --git a/templates/vault/0/README.md b/templates/vault/0/README.md
new file mode 100644
index 0000000..5202f76
--- /dev/null
+++ b/templates/vault/0/README.md
@@ -0,0 +1,21 @@
+# Vault #
+
+### Info:
+
+This template deploys a Hashicorp Vault server along with a Rancher LoadBalancer. Once it is deployed, you will have a working Vault server ready to be scaled up to meet your environment's needs.
+
+The template is designed to be flexible in how you configure it; you can either statically bind Vault to an existing Consul stack, or ignore Consul all together and paste in your own Vault configuration.
+
+This catalog item uses these two main containers:
+* [Vault](https://www.vaultproject.io) - The official Hashicorp Vault image
+* [Rancher LoadBalancer](https://hub.docker.com/r/rancher/lb-service-haproxy/) - Rancher's own official HAProxy load balancer
+
+## Deployment:
+1. Select the catalog item and choose a version from the drop-down box
+2. Adjust any values on the page to meet your needs.
+3. Make any adjustments to the default config provided, such as:
+ * A different backend than the Consul server specified.
+ * Different ports to listen on (NOTE: Vault ALWAYS listens on port 8200, but you can adjust the LoadBalancer ports to any that are acceptable to your environment; the LoadBalancer handles routing between the port you specify and port 8200 (and 8201) in Vault itself.
+4. Specify the Volume Driver for pesistent mounting of Vault's FILE backing store, and CONFIGURATION
+5. Finally, once the stack is up, you can use your normal Vault process to init, unseal, and more.
+6. Enjoy!
diff --git a/templates/vault/0/docker-compose.yml.tpl b/templates/vault/0/docker-compose.yml.tpl
index 2bb41c8..a7b5d78 100755
--- a/templates/vault/0/docker-compose.yml.tpl
+++ b/templates/vault/0/docker-compose.yml.tpl
@@ -1,36 +1,35 @@
-version: '2'
-volumes:
- vault-config:
- driver: ${volumeDriver}
- vault-file:
- driver: ${volumeDriver}
-services:
- vault-lb:
- image: rancher/lb-service-haproxy:v0.7.15
- ports:
- - 8200:8200/tcp
- - 8201:8201/tcp
- labels:
- io.rancher.scheduler.affinity:host_label: lbhost=true
- io.rancher.container.agent.role: environmentAdmin,agent
- io.rancher.container.agent_service.drain_provider: 'true'
- io.rancher.container.create_agent: 'true'
- vault:
- cap_add:
- - IPC_LOCK
- image: vault
- environment:
- VAULT_LOCAL_CONFIG: ${VAULT_LOCAL_CONFIG}
-{{- if eq .Values.useConsul "true"}}
- external_links:
- - ${consulService}:consul
-{{- end}}
- volumes:
- - vault-file:/vault/file
- - vault-config:/vault/config
- logging:
- driver: journald
- command:
- - server
- labels:
- io.rancher.container.pull_image: always
+version: '2'
+volumes:
+ vault-config:
+ driver: ${VOLUME_DRIVER}
+ vault-file:
+ driver: ${VOLUME_DRIVER}
+services:
+ vault-lb:
+ image: rancher/lb-service-haproxy:v0.9.1
+ ports:
+ - ${VAULT_LISTEN_PORT}:8200/tcp
+ - ${VAULT_CLUSTER_PORT}:8201/tcp
+ labels:
+ io.rancher.scheduler.affinity:host_label: lbhost=true
+ io.rancher.container.agent.role: environmentAdmin,agent
+ io.rancher.container.agent_service.drain_provider: 'true'
+ io.rancher.container.create_agent: 'true'
+ vault:
+ cap_add:
+ - IPC_LOCK
+ image: vault:0.9.6
+ environment:
+ VAULT_LOCAL_CONFIG: ${VAULT_LOCAL_CONFIG}
+ VAULT_REDIRECT_INTERFACE: "eth0"
+ VAULT_CLUSTER_INTERFACE: "eth0"
+{{- if eq .Values.USE_CONSUL "true"}}
+ external_links:
+ - ${CONSUL_SERVICE}:consul
+{{- end}}
+ volumes:
+ - vault-file:/vault/file
+ - vault-config:/vault/config
+ command:
+ - server
+
diff --git a/templates/vault/0/rancher-compose.yml b/templates/vault/0/rancher-compose.yml
index 83c84c0..8205dc3 100755
--- a/templates/vault/0/rancher-compose.yml
+++ b/templates/vault/0/rancher-compose.yml
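Review bot: `VAULT_LOCAL_CONFIG: ${VAULT_LOCAL_CONFIG}` under the vault service's `environment:` places the entire Vault configuration in the container environment, where it is readable by anyone who can inspect the container or query the Rancher API, and a Consul backend stanza commonly carries an ACL token that would then be exposed the same way. The template already mounts `vault-config:/vault/config`, which the official image appears to read as its config directory, so writing the answer into a file on that volume and keeping the environment for non-secret settings would be the safer shape. The value is also unquoted: the default answer is JSON beginning with `{`, which a YAML parser reads as a flow mapping if `${...}` substitution happens before parsing, so `VAULT_LOCAL_CONFIG: '${VAULT_LOCAL_CONFIG}'` would be robust either way. `VAULT_REDIRECT_INTERFACE` and `VAULT_CLUSTER_INTERFACE` are presumably consumed by the image's entrypoint; a short comment such as `# entrypoint derives the API/cluster advertise addresses from this interface's address` would save the next maintainer a lookup.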
@@ -1,7 +1,7 @@
 version: '2'
 catalog:
 name: Vault
- version: 1.0-test-rancher1
+ version: 1.0-rancher1
 description: |
 Installs a Vault container, internal (Rancher) load-balancer, and allows connection to a Consul cluster
 uuid: vault-rac-0
@@ -12,21 +12,33 @@ catalog:
 This is the embedded JSON format config file that vault will use at startup
 type: multiline
 default: |
- {"backend":{"consul":{"address":"http://:", "advertise_addr":"http://","path":""}}, "listener":{"tcp":{"address":"0.0.0.0:18200","tls_disable":1}}}
- - variable: useConsul
+ {"backend":{"consul":{"address":"consul:8500", "path":"vault"}}, "listener":{"tcp":{"address":"0.0.0.0:8200","tls_disable":1}}, "cluster_name": "myCluster" }
+ - variable: VAULT_LISTEN_PORT
+ label: Vault Listen Port
+ description:
+ This is the port number you want Vault to listen on. Actually, Vault ALWAYS listens on port 8200, but it isn't exposed, so you can set the port you want the LoadBalancer to listen on.
+ default: 8200
+ type: int
+ - variable: VAULT_CLUSTER_PORT
+ label: Vault Cluster Port
+ description:
+ Similar to the Vault Listen Port, this is the VAULT CLUSTER listen port to use.
+ default: 8201
+ type: int
+ - variable: USE_CONSUL
 label: Would you like to back Vault with Consul?
 description: |
 Selecting yes or no allows you to back your vault repoository with a pre-installed Consul cluster/server
 default: false
 type: boolean
- - variable: consulService
+ - variable: CONSUL_SERVICE
 label: Specify the Consul service to connect to
 description: |
 The pre-installed Consul server to back to
 default: "select"
 type: service
- - variable: volumeDriver
+ - variable: VOLUME_DRIVER
 label: Driver for volumes
 description: |
 How/Where to store your vault config and logs
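Review bot: The new default for `VAULT_LOCAL_CONFIG` points the storage backend at `consul:8500`, yet `USE_CONSUL` still defaults to `false`, and the `consul` alias is only created when that answer is `"true"` (the `external_links` block in docker-compose.yml.tpl is conditional on it), so a deployment that accepts the defaults starts Vault against a name that does not resolve. Either default `USE_CONSUL` to `true`, or make the default config use the file backend on the `vault-file` volume the template already mounts, e.g. `{"backend":{"file":{"path":"/vault/file"}}, "listener":{"tcp":{"address":"0.0.0.0:8200","tls_disable":1}}}`. The default listener also sets `tls_disable: 1` while the load balancer publishes that port on host interfaces, so the variable's description should say so plainly, e.g. `The default listener disables TLS; set tls_cert_file/tls_key_file (or terminate TLS at the load balancer) before exposing this port outside the Rancher network.` The two new `description:` values are plain scalars continued on the next line while every other variable uses `description: |`; using the block form for them too keeps the file consistent.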
@@ -47,12 +59,12 @@ services:
 - priority: 1
 protocol: tcp
 service: vault
- source_port: 8200
+ source_port: ${VAULT_LISTEN_PORT}
 target_port: 8200
 - priority: 2
 protocol: tcp
 service: vault
- source_port: 8201
+ source_port: ${VAULT_CLUSTER_PORT}
 target_port: 8201
 health_check:
 response_timeout: 2000
diff --git a/templates/vault/config.yml b/templates/vault/config.yml
index 58b1095..6a48877 100644
--- a/templates/vault/config.yml
+++ b/templates/vault/config.yml
@@ -1,8 +1,7 @@
 name: Vault
 description: |
- This template installs a Vault server with optional configuration items, including backing store
-version: 1.0-test-rancher1
+ An OFFICIAL Vault server with optional configuration items, including backing store
+version: 1.0-rancher1
 category: Platform
 maintainer: Randal Cobb
-license:
-projectURL: http://www.nordstrom.com/tech/givingBack
+
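Review bot: Nothing prevents `VAULT_LISTEN_PORT` and `VAULT_CLUSTER_PORT` from being answered with the same number, which yields two `port_rules` entries here (and two `ports` mappings on the load balancer) binding the same source port. The catalog question form cannot express that constraint, so the cluster-port description should at least state it, e.g. `Must differ from the Vault Listen Port.` Separately, publishing 8201 through the load balancer widens what is reachable from outside the stack. If the compose template's `VAULT_CLUSTER_INTERFACE: "eth0"` makes peers forward requests directly to each other's container address (which is what the image's entrypoint appears to arrange), the cluster port never needs to be reachable from the hosts, and the second rule could be dropped or documented as intentional.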