Cut v3.3.0 for Vault v1.3.3

CHANGELOG.md

@@ -1,11 +1,17 @@
-## 3.3.0
+## NEXT
 
 - Vault v1.4.0
 - Introducing flavors
   - Reorganize locations for configuration and data
   - Consistent use of data volume for Raft and Filesystem storage backends
 - Add Vault Integrated Storage (Raft) flavor
 - Add Vault Consul Storage flavor
+- Castle of Lions
+- Update documentation
+
+## 3.3.0
+
+- Vault v1.3.3
 - Update scripts with more helpfulness in error outputs
 - Update documentation
 

black_lion/templates/custom/vault_config_custom.hcl

@@ -3,7 +3,7 @@
 #----------------------------------------------------------------------------
 
 # for debug only
-# raw_storage_endpoint = true
+raw_storage_endpoint = true
 
 # disable_performance_standby = true
 

black_lion/templates/oss/vault_config_1.3.3.hcl

@@ -0,0 +1,37 @@
+# Vault OSS v1.3.3
+
+# -----------------------------------------------------------------------
+# Global configuration
+# -----------------------------------------------------------------------
+
+api_addr         = "${api_addr}"
+cluster_name     = "${cluster_name}"
+cluster_address  = "${cluster_address}"
+log_level        = "${log_level}"
+ui               = true
+plugin_directory = "/vault/plugins"
+
+# -----------------------------------------------------------------------
+# Listener configuration
+# -----------------------------------------------------------------------
+
+listener "tcp" {
+  address       = "${address}"
+  tls_cert_file = "/etc/ssl/certs/vault-server.crt"
+  tls_key_file  = "/etc/ssl/vault-server.key"
+}
+
+# -----------------------------------------------------------------------
+# Optional cloud seal configuration
+# -----------------------------------------------------------------------
+
+# GCPKMS
+
+# -----------------------------------------------------------------------
+# Enable Prometheus metrics by default
+# -----------------------------------------------------------------------
+
+telemetry {
+  prometheus_retention_time = "30s"
+  disable_hostname          = false
+}

black_lion/templates/oss/vault_config_1.3.4.hcl

@@ -0,0 +1,37 @@
+# Vault OSS v1.3.4
+
+# -----------------------------------------------------------------------
+# Global configuration
+# -----------------------------------------------------------------------
+
+api_addr         = "${api_addr}"
+cluster_name     = "${cluster_name}"
+cluster_address  = "${cluster_address}"
+log_level        = "${log_level}"
+ui               = true
+plugin_directory = "/vault/plugins"
+
+# -----------------------------------------------------------------------
+# Listener configuration
+# -----------------------------------------------------------------------
+
+listener "tcp" {
+  address       = "${address}"
+  tls_cert_file = "/etc/ssl/certs/vault-server.crt"
+  tls_key_file  = "/etc/ssl/vault-server.key"
+}
+
+# -----------------------------------------------------------------------
+# Optional cloud seal configuration
+# -----------------------------------------------------------------------
+
+# GCPKMS
+
+# -----------------------------------------------------------------------
+# Enable Prometheus metrics by default
+# -----------------------------------------------------------------------
+
+telemetry {
+  prometheus_retention_time = "30s"
+  disable_hostname          = false
+}

blazing_sword

@@ -2,7 +2,7 @@
 # =======================================================================
 #           ‼️ PLEASE DO NOT USE VAULTRON IN PRODUCTION ‼️
 #
-# blazing_sword.sh
+# blazing_sword
 #
 # Automatically starts and pre-populates Vault cluster for use in development
 # or other evaluation style use cases:

examples/secrets_engines/mongodb/eyebeams_mongodb

@@ -23,7 +23,8 @@ fi
 
 msg greeting "Engage Eye Beams for MongoDB! ..."
 
-start_docker_container() {
+run_docker_container() {
+  msg info "Run MongoDB Docker container ..."
   docker run \
     --detach \
     --rm \
@@ -35,13 +36,12 @@ start_docker_container() {
 }
 
 if ! docker ps -a | grep vaultron-mongodb > /dev/null 2>&1; then
-msg info "Run MongoDB Docker container ..."
-  if ! start_docker_container; then
+  if ! run_docker_container; then
     msg alert "Problem Starting MongoDB Docker container!"
     exit 1
   else
     msg complete "MongoDB Docker container running!"
-    msg info "$(docker ps -f name=vaultron-mysql --format "table {{.Names}}\t{{.Status}}")"
+    msg info "$(docker ps -f name=vaultron-mongodb --format "table {{.Names}}\t{{.Status}}"| tail -n +2)"
   fi
 fi
 

examples/secrets_engines/mysql/eyebeams_mysql

@@ -36,6 +36,7 @@ run_docker_container() {
     exit 1
   else
     msg complete "MySQL Docker container running!"
+    msg info "$(docker ps -f name=vaultron-mysql --format "table {{.Names}}\t{{.Status}}"| tail -n +2)"
 fi
 }
 

flavors/consul/vaultron.tf

@@ -12,12 +12,12 @@ terraform {
 
 # Set TF_VAR_vault_version to set this
 variable "vault_version" {
-  default = "1.3.2"
+  default = "1.3.3"
 }
 
 # Set TF_VAR_consul_version to set this
 variable "consul_version" {
-  default = "1.7.1"
+  default = "1.7.2"
 }
 
 # -----------------------------------------------------------------------

flavors/raft/vaultron.tf

@@ -13,7 +13,7 @@ terraform {
 
 # Set TF_VAR_vault_version to set this
 variable "vault_version" {
-  default = "1.3.2"
+  default = "1.3.3"
 }
 
 # -----------------------------------------------------------------------

ion_darts

@@ -11,44 +11,64 @@
 
 . ./skydome
 
+TF_VAR_vault_flavor=$TF_VAR_vault_flavor
+
 # ChromeOS Linux CrosVM environment
 crosvm_env() {
+	if [ "$TF_VAR_vault_flavor" != "raft" ]; then
 	ETH0IP="$(/sbin/ifconfig eth0 | grep -w 'inet' | awk '{print $2}')"
 	CONSUL_CACERT="$(pwd)/red_lion/tls/ca.pem"
 	CONSUL_HTTP_ADDR="$ETH0IP:8500"
 	CONSUL_HTTP_SSL=true
 	CONSUL_HTTP_TOKEN="b4c0ffee-3b77-04af-36d6-738b697872e6"
+    fi
+
 	VAULT_ADDR="https://$ETH0IP:8200"
 	VAULT_CACERT="$(pwd)/black_lion/tls/ca.pem"
+
+	if [ "$TF_VAR_vault_flavor" != "raft" ]; then
 	export \
 	CONSUL_CACERT \
 	CONSUL_HTTP_ADDR \
 	CONSUL_HTTP_SSL \
-	CONSUL_HTTP_TOKEN \
-	VAULT_ADDR \
+	CONSUL_HTTP_TOKEN;
+    fi
+
+	export VAULT_ADDR \
 	VAULT_CACERT
+
 	msg success "Exported Vaultron environment variables:"
+	if [ "$TF_VAR_vault_flavor" != "raft" ]; then
 	msg success "CONSUL_HTTP_ADDR: $CONSUL_HTTP_ADDR"
+    fi
 	msg success "VAULT_ADDR: $VAULT_ADDR"
 }
 
 # All others
 default_env() {
+	if [ "$TF_VAR_vault_flavor" != "raft" ]; then
 	CONSUL_CACERT="$(pwd)/red_lion/tls/ca.pem"
 	CONSUL_HTTP_ADDR="127.0.0.1:8500"
 	CONSUL_HTTP_SSL=true
 	CONSUL_HTTP_TOKEN="b4c0ffee-3b77-04af-36d6-738b697872e6"
+    fi
 	VAULT_ADDR="https://127.0.0.1:8200"
 	VAULT_CACERT="$(pwd)/black_lion/tls/ca.pem"
+
+	if [ "$TF_VAR_vault_flavor" != "raft" ]; then
 	export \
 	CONSUL_CACERT \
 	CONSUL_HTTP_ADDR \
 	CONSUL_HTTP_SSL \
-	CONSUL_HTTP_TOKEN \
-	VAULT_ADDR \
+	CONSUL_HTTP_TOKEN;
+    fi
+
+	export VAULT_ADDR \
 	VAULT_CACERT
 	msg success "Exported Vaultron environment variables:"
+	if [ "$TF_VAR_vault_flavor" != "raft" ]; then
 	msg success "CONSUL_HTTP_ADDR: $CONSUL_HTTP_ADDR"
+    fi
 	msg success "VAULT_ADDR: $VAULT_ADDR"
 }
 

lion_torches

@@ -1,8 +1,12 @@
 #!/bin/sh
 # =======================================================================
+#           ‼️ PLEASE DO NOT USE VAULTRON IN PRODUCTION ‼️
+#
+# lion_torches
+#
 # This script is the nuclear option; it removes all traces of Vaultron
 # created data so that the user can start over. It does not invoke
-# Terraform and instead uses OS and docker commands only
+# Terraform and instead uses only OS and docker commands.
 #
 # shellcheck disable=SC1091
 # =======================================================================
@@ -20,7 +24,9 @@ msg greeting "Lion Torches removing all Vaultron generated data ..."
 
 cd "flavors/$TF_VAR_vault_flavor" || echo "Cannot select flavor" && exit 1
 
-if ! docker stop vaultron-vault
+#if ! docker stop vaultron-\*
+#fi
+
 # If we cannot write to the Consul data, alert user and attempt to change
 # ownership of consul/vault folders to avoid failure with Terraform destroy
 # NB: This occurs on Docker on Linux but not Docker for Mac

red_lion/templates/oss/consul_oss_client_config_1.7.2.hcl

@@ -0,0 +1,15 @@
+{
+  "node_id": "${agent_node_id}",
+  "raft_protocol": 3,
+  "acl_datacenter": "arus",
+  "acl_master_token": "b4c0ffee-3b77-04af-36d6-738b697872e6",
+  "acl_default_policy": "allow",
+  "acl_down_policy": "allow",
+  "cert_file": "/etc/ssl/certs/consul-client.crt",
+  "key_file": "/etc/ssl/consul-client.key",
+  "ca_file": "/etc/ssl/certs/ca.pem",
+  "ports": {
+    "http": -1,
+    "https": 8500
+  }
+}

red_lion/templates/oss/consul_oss_server_config_1.7.2.hcl

@@ -0,0 +1,22 @@
+{
+  "bootstrap_expect": 3,
+  "datacenter": "${datacenter}",
+  "data_dir": "${data_dir}",
+  "raft_protocol": 3,
+  "acl_datacenter": "arus",
+  "acl_master_token": "b4c0ffee-3b77-04af-36d6-738b697872e6",
+  "acl_default_policy": "allow",
+  "acl_down_policy": "allow",
+  "recursors": [
+    "${recursor1}",
+    "${recursor2}"
+  ],
+  "cert_file": "/etc/ssl/certs/consul-server.crt",
+  "key_file": "/etc/ssl/consul-server.key",
+  "ca_file": "/etc/ssl/certs/ca.pem",
+  "ports": {
+    "http": -1,
+    "https": 8500
+  },
+  "ui": true
+}

unform

@@ -19,12 +19,14 @@ fi
 
 check_flavor
 
-check_docker
+TF_VAR_vault_flavor=$TF_VAR_vault_flavor
 
-msg greeting "Unform Vaultron ..."
+check_docker
 
 cd "flavors/$TF_VAR_vault_flavor" || exit 1
 
+msg greeting "Unform Vaultron ..."
+
 if ! destroy; then
   msg alert "Terraform destroy failed, infrastructure may still exist."
   msg info "You can manually clean up Vaultron with lion_torches."