add concourse-specific configuration options
Jamie Klassen committed Aug 8, 2017
1 parent 8fe9895 commit 48fef60
Showing 6 changed files with 90 additions and 4 deletions.
13 changes: 9 additions & 4 deletions jobs/vault/spec
Expand Up @@ -3,9 +3,13 @@ name: vault

templates:
vault_ctl: bin/vault_ctl
vault_init.sh: bin/post-start
config.hcl.erb: config/config.hcl
ca.crt.erb: config/ca.crt
ssl.key.erb: config/ssl.key
ssl.crt.erb: config/ssl.crt
concourse.crt.erb: config/concourse.crt
concourse.key.erb: config/concourse.key

packages:
- vault
Expand All @@ -20,9 +24,10 @@ properties:
Port for the TCP connection to listen on
default: 8200

tls.certificate:
tls:
description: |
Content of the PEM-encoded TLS server cert
tls.private_key:
TLS server certificate

concourse:
description: |
Content of the PEM-encoded TLS server private key
certificate of concourse client
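Review bot: The descriptions added for `tls` and `concourse` read as if each property were a single certificate, but the templates in this same commit read them as maps — `p("tls.ca")` in ca.crt.erb and `p("concourse.certificate")` / `p("concourse.private_key")` in the concourse templates — and the manifest feeds them BOSH `certificate`-type variables. Document the sub-keys so an operator setting these by hand gets the shape right, e.g. for `tls`: `description: |` / `Map with ca, certificate and private_key (PEM-encoded); ca is rendered to config/ca.crt`, and for `concourse` a matching description naming `certificate` and `private_key` of the Concourse client cert that is registered for cert auth. The `tls.ca` key read by ca.crt.erb is not declared anywhere in the visible part of the spec, so it is presumably only reachable through the variable's map. This hunk starts mid-`properties:`, so the enclosing map's header is outside it.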
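--- a/jobs/vault/templates/ca.crt.erb
+++ b/jobs/vault/templates/ca.crt.erb
@@ -0,0 +1 @@
+<%= p("tls.ca", "") %>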
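Review bot: `p("tls.ca", "")` defaults the CA to an empty string, so a deploy where the property is unset succeeds and leaves an empty `config/ca.crt`; the same default is used for `concourse.certificate` and `concourse.private_key` in concourse.crt.erb and concourse.key.erb. The post-start script points `VAULT_CACERT` at this file and registers the concourse cert under `auth/cert`, so an empty file only surfaces as a runtime failure rather than at deploy time. Dropping the default — `<%= p("tls.ca") %>` — turns a missing value into a template-render error, which is where absent key material should be caught. If an optional CA is genuinely intended, an explicit conditional that omits the file is clearer than an empty default.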
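--- a/jobs/vault/templates/concourse.crt.erb
+++ b/jobs/vault/templates/concourse.crt.erb
@@ -0,0 +1 @@
+<%= p("concourse.certificate", "") %>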
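--- a/jobs/vault/templates/concourse.key.erb
+++ b/jobs/vault/templates/concourse.key.erb
@@ -0,0 +1 @@
+<%= p("concourse.private_key", "") %>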
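--- a/jobs/vault/templates/vault_init.sh
+++ b/jobs/vault/templates/vault_init.sh
@@ -0,0 +1,23 @@
+#!/bin/bash
+
+echo 'export VAULT_CACERT=/var/vcap/jobs/vault/config/ca.crt' >> /home/vcap/.bashrc
+echo 'export PATH=/var/vcap/packages/vault:$PATH' >> /home/vcap/.bashrc
+export VAULT_CACERT=/var/vcap/jobs/vault/config/ca.crt
+export PATH=/var/vcap/packages/vault:$PATH
+
+function unseal_keys {
+cat /home/vcap/init_results | sed -n 's/.*Unseal Key [0-9]*: \(.*\)$/\1/p' | head -n3
+}
+
+function root_token {
+cat /home/vcap/init_results | sed -n 's/^Initial Root Token: \(.*\)$/\1/p'
+}
+
+# TODO: write this to lastpass, not VM filesystem
+vault init > /home/vcap/init_results
+for key in $(unseal_keys); do vault unseal $key; done
+vault auth $(root_token)
+vault mount -path=concourse generic
+vault auth-enable cert
+echo 'path "concourse/main/*" { policy = "read" }' | vault policy-write concourse -
+pushd /var/vcap/jobs/vault/config/ && vault write auth/cert/certs/concourse policies=concourse [email protected] && popd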
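Review bot: `vault init > /home/vcap/init_results` truncates the results file before init runs, and this script is installed as `bin/post-start`, so on any later restart of the job an already-initialized server makes `vault init` fail and the only on-disk copy of the unseal keys and root token is overwritten with empty output, after which `unseal_keys` and `root_token` yield nothing and every following command runs against a sealed or unauthenticated server. At minimum guard the initialization — `test -s /home/vcap/init_results || vault init > /home/vcap/init_results` — and open the script with `set -euo pipefail` and `umask 077`, so the secrets file is not created world-readable under the default umask and a failed step stops the script instead of carrying on to the mount, policy and cert steps. The `.bashrc` appends at the top also accumulate a new pair of lines on every run. The `[email protected]` on the last line looks like an email-obfuscation artifact of the rendered page standing for `certificate=@concourse.crt`; worth confirming against the raw file.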
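--- a/vault.yml
+++ b/vault.yml
@@ -0,0 +1,55 @@
+---
+name: vault
+
+variables:
+- name: ca
+type: certificate
+options:
+is_ca: true
+alternative_names:
+- 127.0.0.1
+- name: tls
+type: certificate
+options:
+ca: ca
+alternative_names:
+- 127.0.0.1
+- name: concourse
+type: certificate
+options:
+ca: ca
+alternative_names:
+- 127.0.0.1
+extended_key_usage:
+- client_auth
+
+
+stemcells:
+- alias: trusty
+os: ubuntu-trusty
+version: latest
+
+releases:
+- name: vault
+version: latest
+
+instance_groups:
+- name: vault
+instances: 1
+vm_type: default
+azs: [z1]
+stemcell: trusty
+networks: [{name: default, static_ips: [10.244.0.2]}]
+jobs:
+- name: vault
+release: vault
+properties:
+tls: ((tls))
+concourse: ((concourse))
+
+update:
+canaries: 0
+max_in_flight: 5
+serial: false
+canary_watch_time: 1000-60000
+update_watch_time: 1000-60000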
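Review bot: The `tls` certificate variable lists only `127.0.0.1` under `alternative_names`, while the instance group pins the VM to `static_ips: [10.244.0.2]`; any client reaching Vault at that address will fail hostname verification against this SAN set, and the usual "fix" for that is to turn verification off. Add the static IP alongside the loopback entry in the `tls` variable: `alternative_names:` / `- 127.0.0.1` / `- 10.244.0.2`. The `ca` variable carries the same SAN although nothing connects to it as a server, so that entry can be dropped, and the doubled blank line before `stemcells:` can be collapsed to one.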
