Add Vault agent support in service and configuration file

voxpupuli · Jan 16, 2025 · d4875df · d4875df
1 parent 2ff48e2
commit d4875df
Show file tree

Hide file tree

Showing 6 changed files with 312 additions and 85 deletions.
diff --git a/README.md b/README.md
@@ -171,6 +171,42 @@ vault::storage:
     - leader_api_addr: https://vault3:8200
 ```
 
+## Vault Agent Configuration
+
+When running Vault in agent mode (`mode => 'agent'`), you can configure the agent behavior using these parameters:
+
+```puppet
+class { 'vault':
+  mode => 'agent',
+  agent_vault => {
+    'address' => 'https://vault.example.com:8200'
+  },
+  agent_auto_auth => {
+    'method' => [{
+      'type'       => 'approle',
+      'mount_path' => 'auth/approle',
+      'config'     => {
+        'role_id_file_path'   => '/etc/vault/role-id',
+        'secret_id_file_path' => '/etc/vault/secret-id'
+      }
+    }
+  }],
+  agent_cache => {
+    'use_auto_auth_token' => true
+  },
+  agent_listeners => [{
+    'tcp' => {
+      'address'     => '127.0.0.1:8100',
+      'tls_disable' => true
+    }
+  }],
+  agent_template => {
+    'source'      => '/etc/vault/template.ctmpl',
+    'destination' => '/etc/myapp/config.yml'
+  }
+}
+```
+
 ## mlock
 
 By default vault will use the `mlock` system call, therefore the executable will need the corresponding capability.
@@ -205,4 +241,4 @@ This module was forked from https://github.com/jsok/puppet-vault
 ## Related Projects
 
  * [hiera-vault](https://github.com/petems/petems-hiera_vault): A Hiera storage backend to retrieve secrets from Hashicorp's Vault
- * [vault_lookup](https://github.com/voxpupuli/puppet-vault_lookup): A puppet (deferred) function to do lookups in Vault
+ * [vault_lookup](https://github.com/voxpupuli/puppet-vault_lookup): A puppet (deferred) function to do lookups in Vault
diff --git a/REFERENCE.md b/REFERENCE.md
@@ -46,6 +46,7 @@ The following parameters are available in the `vault` class:
 * [`num_procs`](#-vault--num_procs)
 * [`api_addr`](#-vault--api_addr)
 * [`version`](#-vault--version)
+* [`mode`](#-vault--mode)
 * [`extra_config`](#-vault--extra_config)
 * [`enable_ui`](#-vault--enable_ui)
 * [`arch`](#-vault--arch)
@@ -72,6 +73,16 @@ The following parameters are available in the `vault` class:
 * [`manage_config_file`](#-vault--manage_config_file)
 * [`download_filename`](#-vault--download_filename)
 * [`manage_config_dir`](#-vault--manage_config_dir)
+* [`agent_vault`](#-vault--agent_vault)
+* [`agent_auto_auth`](#-vault--agent_auto_auth)
+* [`agent_api_proxy`](#-vault--agent_api_proxy)
+* [`agent_cache`](#-vault--agent_cache)
+* [`agent_listeners`](#-vault--agent_listeners)
+* [`agent_template`](#-vault--agent_template)
+* [`agent_template_config`](#-vault--agent_template_config)
+* [`agent_exec`](#-vault--agent_exec)
+* [`agent_env_template`](#-vault--agent_env_template)
+* [`agent_telemetry`](#-vault--agent_telemetry)
 
 ##### <a name="-vault--user"></a>`user`
 
@@ -234,6 +245,14 @@ The version of Vault to install
 
 Default value: `'1.12.0'`
 
+##### <a name="-vault--mode"></a>`mode`
+
+Data type: `Enum['server', 'agent']`
+
+start vault in server or agent mode
+
+Default value: `'server'`
+
 ##### <a name="-vault--extra_config"></a>`extra_config`
 
 Data type: `Hash`
@@ -442,3 +461,83 @@ enable/disable the directory management. not required for package based installa
 
 Default value: `$install_method == 'archive'`
 
+##### <a name="-vault--agent_vault"></a>`agent_vault`
+
+Data type: `Optional[Hash]`
+
+Hash containing Vault server connection configuration for agent mode
+
+Default value: `undef`
+
+##### <a name="-vault--agent_auto_auth"></a>`agent_auto_auth`
+
+Data type: `Optional[Hash]`
+
+Hash containing auto-auth configuration for agent mode
+
+Default value: `undef`
+
+##### <a name="-vault--agent_api_proxy"></a>`agent_api_proxy`
+
+Data type: `Optional[Hash]`
+
+Hash containing API proxy configuration for agent mode
+
+Default value: `undef`
+
+##### <a name="-vault--agent_cache"></a>`agent_cache`
+
+Data type: `Optional[Hash]`
+
+Hash containing cache configuration for agent mode
+
+Default value: `undef`
+
+##### <a name="-vault--agent_listeners"></a>`agent_listeners`
+
+Data type: `Optional[Array[Hash]]`
+
+Array of hashes containing listener configuration for agent mode
+
+Default value: `undef`
+
+##### <a name="-vault--agent_template"></a>`agent_template`
+
+Data type: `Optional[Hash]`
+
+Hash containing template configuration for agent mode
+
+Default value: `undef`
+
+##### <a name="-vault--agent_template_config"></a>`agent_template_config`
+
+Data type: `Optional[Hash]`
+
+Hash containing template engine configuration for agent mode
+
+Default value: `undef`
+
+##### <a name="-vault--agent_exec"></a>`agent_exec`
+
+Data type: `Optional[Hash]`
+
+Hash containing exec configuration for agent mode
+
+Default value: `undef`
+
+##### <a name="-vault--agent_env_template"></a>`agent_env_template`
+
+Data type: `Optional[Hash]`
+
+Hash containing environment template configuration for agent mode
+
+Default value: `undef`
+
+##### <a name="-vault--agent_telemetry"></a>`agent_telemetry`
+
+Data type: `Optional[Hash]`
+
+Hash containing telemetry configuration for agent mode
+
+Default value: `undef`
+
diff --git a/manifests/config.pp b/manifests/config.pp
@@ -16,19 +16,40 @@
   }
 
   if $vault::manage_config_file {
-    $_config_hash = delete_undef_values({
-        'listener'          => $vault::listener,
-        'storage'           => $vault::storage,
-        'ha_storage'        => $vault::ha_storage,
-        'seal'              => $vault::seal,
-        'telemetry'         => $vault::telemetry,
-        'disable_cache'     => $vault::disable_cache,
-        'default_lease_ttl' => $vault::default_lease_ttl,
-        'max_lease_ttl'     => $vault::max_lease_ttl,
-        'disable_mlock'     => $vault::disable_mlock,
-        'ui'                => $vault::enable_ui,
-        'api_addr'          => $vault::api_addr,
-    })
+    case $vault::mode {
+      'server': {
+        $_config_hash = delete_undef_values({
+            'listener'          => $vault::listener,
+            'storage'           => $vault::storage,
+            'ha_storage'        => $vault::ha_storage,
+            'seal'              => $vault::seal,
+            'telemetry'         => $vault::telemetry,
+            'disable_cache'     => $vault::disable_cache,
+            'default_lease_ttl' => $vault::default_lease_ttl,
+            'max_lease_ttl'     => $vault::max_lease_ttl,
+            'disable_mlock'     => $vault::disable_mlock,
+            'ui'                => $vault::enable_ui,
+            'api_addr'          => $vault::api_addr,
+        })
+      }
+      'agent': {
+        $_config_hash = delete_undef_values({
+            'vault'             => $vault::agent_vault,
+            'auto_auth'         => $vault::agent_auto_auth,
+            'api_proxy'         => $vault::agent_api_proxy,
+            'cache'             => $vault::agent_cache,
+            'listener'          => $vault::agent_listeners,
+            'template'          => $vault::agent_template,
+            'template_config'   => $vault::agent_template_config,
+            'exec'              => $vault::exec,
+            'env_template'      => $vault::agent_env_template,
+            'telemetry'         => $vault::agent_telemetry,
+        })
+      }
+      default: {
+        fail("Unsupported vault mode: ${vault::mode}")
+      }
+    }
 
     $config_hash = merge($_config_hash, $vault::extra_config)