Skip to content
/ puppet-vault Public

A set of tools to integrate puppet with Hashicorp vault.

License

Apache-2.0 license
0 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

d0td0td0t/puppet-vault

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

3 Commits
LICENSE
LICENSE
 
 
README.md
README.md
 
 

Repository files navigation

puppet-vault

A set of tools for puppet <-> Hashicorp vault integration. Though a hiera-based solution exists, we chose a different solution to provide credentials to the puppet.

design description

facter plugin

A facter plugin is used to fetch credentials from the vault credentials storage. The plugin expects either $VAULT_TOKEN and $VAULT_HOST variables to be set, or a config file /etc/vault.conf to exist. If none provided, the plugin gracefully exits. The plugin populates a $::vault hash with variables available for the specific token.

vault-token puppet module

A vault-token puppet module is used to generate a new accessor token using a pre-defined policy. This token is stored in a /etc/vault.conf file.

workflow

  1. unseal vault credential storage
  2. set a FACTER_vault_token environment variable with a root or other token with 'token creation capabilities'
  3. enable vault_token module: class{'vault_token': host => 'vault.domain.com', require => Package['curl'], }
  4. use variable: user{'vasya': password => "$::vault['users/vasya']", }

About

A set of tools to integrate puppet with Hashicorp vault.

Resources

Readme

License

Apache-2.0 license
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published