Forge Home

vault

Installs and configure Hashicorp Vault project

48,868 downloads

46,880 latest version

3.9 quality score

We run a couple of automated
scans to help you access a
module's quality. Each module is
given a score based on how well
the author has formatted their
code and documentation and
modules are also checked for
malware using VirusTotal.

Please note, the information below
is for guidance only and neither of
these methods should be considered
an endorsement by Puppet.

Version information

  • 0.0.5 (latest)
  • 0.0.4
  • 0.0.3
  • 0.0.2
  • 0.0.1 (deleted)
released Jul 9th 2016
This version is compatible with:
  • ,

Start using this module

  • r10k or Code Manager
  • Bolt
  • Manual installation
  • Direct download

Add this module to your Puppetfile:

mod 'rhoml-vault', '0.0.5'
Learn more about managing modules with a Puppetfile

Add this module to your Bolt project:

bolt module add rhoml-vault
Learn more about using this module with an existing project

Manually install this module globally with Puppet module tool:

puppet module install rhoml-vault --version 0.0.5

Direct download is not typically how you would use a Puppet module to manage your infrastructure, but you may want to download the module in order to inspect the code.

Download

Documentation

rhoml/vault — version 0.0.5 Jul 9th 2016

puppet-vault

Build Status Puppet
Forge Dependency Status

Overview

This is a puppet module to install Hashicorp's vault project to keep your secrets safe. This module doesn't build the Vault packages which should be pretty easy to do using fpm.

Documentation for Vault can be found on their site. Take into consideration:

  • You can only define one storage backend, listener and telemetry on the config file.
  • Other configurations should be set up using Vault API or CLI.

Install Vault

include ::vault

Configure Vault using Hiera

This module enables you to use hiera to configure your Vault server. It also allows you to use module data.

vault::config_hash:
    backend:
        consul:
            address: '127.0.0.1:8500'
            advertise_addr: "http://%{::ipaddress_eth0}"
            path: 'vault/'
    listener:
        tcp:
            address: "%{::fqdn}:8200"
            tls_disable: true
    telemetry:
        statsite_address: '127.0.0.1:8125'
        disable_hostname: true
    disable_mlock: true
vault::manage_user: true
vault::package_ensure: 'latest'
vault::vault_user: 'vault'
vault::restart_cmd: '/etc/init.d/vault restart'

To run multiple listeners, for example disabling TLS on 127.0.0.1, but requiring TLS from external hosts

    listener:
        - tcp:
            address: "127.0.0.1:8200"
            tls_disable: true
        - tcp:
            address: "%{::fqdn}:8200"
            tls_cert_file: "/path/to/cert.pub"
            tls_key_file:  "/path/to/private.key"

Vault Enterprise customers using a PKCS#11 HSM might do...

    hsm:
        pkcs11:
            lib: "/path/to/libpkcs11.so"
            slot: "0"
            key_label: "vault"
            pin: "Goofus commits secrets to repos. Gallant uses $VAULT_HSM_PIN"

The puppet-vault module uses a SysV init script. Those wishing to avoid putting the PIN in Hiera in plaintext could, for example, create an /etc/default/vault, owned by root and only readable by root, looking like...

export VAULT_HSM_PIN="correct horse battery staple"

Uninstalling Vault

Ensure the following hiera key is present so Vault can be correctly uninstalled

vault::package_ensure: absent

See also