kris/puppet-acme_vault
1
0
Fork 0
mirror of https://github.com/krislamo/puppet-acme_vault synced 2025-01-18 15:30:34 +00:00
Code Issues Releases Wiki Activity

moving docs to README

Browse Source
This commit is contained in:
Bob Belnap 2018-03-01 14:02:28 -05:00
parent 995fdbe13f
commit eb4bf65d8d
4 changed files with 72 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

73
README.md
View File

@ -70,12 +70,76 @@ This section is where you describe how to customize, configure, and do the fancy
#### acme_vault::common #### acme_vault::common
This class needs to be included before acme_vault::request or
acme_vault::deploy and contains configurations common to both. The user,
vault, vault vars, and cron mailto are needed for both request and deploy
##### `user`
user to be created to request/deploy certs
Default value: `acme_vault`
##### `group`
group that the user belongs to. For deploy, this should probably be the webserver group
Default value: `acme_vault`
##### `home_dir`
home dir of the above user, where scripts and config will be stored.
Default value: `/home/$user`
##### `contact_email`
contact email used for cert registration, also used as MAILTO variable for cron jobs
Default value: `''`
##### `domains`
mapping of domains to be included in the cert. The key is the "main" domain,
and the value is the list of extra names to be requested. Both the main domain
and the list of domains are included.
REQUIRED
#### `vault_token`
Vault token for authenticating to vault. This should have appropriate permissions applied in vault. A demo script is provided
REQUIRED
#### `vault_addr`
Address of vault server
REQUIRED
#### `vault_bin`
Path to the vault binary.
Default value: `${home_dir}/vault"`
#### `vault_prefix`
The path within vault where the certificates will be stored and retrieved.
Default value: `/secret/letsencrypt/`
#### acme_vault::request #### acme_vault::request
This class uses acme.sh, and pulls down the git repo for it. It uses the
lexicon provider in acme.sh to do the dns updating for the dns-01 challenge.
It configures a cron job to periodically check if a cert needs renewal.
Note: it does not automatically trigger requesting certs, but relies on cron Note: it does not automatically trigger requesting certs, but relies on cron
coordination to eventually reach the desired end state. Since certificate coordination to eventually reach the desired end state. Since certificate
renewal has a large time window, this is acceptable. renewal has a large time window, this is acceptable. Any urgent issue/renewals
can be triggered by running the cron job manually as needed.
#### Parameters inherited from common, but can be overriden: #### Parameters inherited from common, but can be overriden:
@ -172,6 +236,13 @@ REQUIRED
### acme_vault::deploy ### acme_vault::deploy
This class handles taking a cert/key out of vault, and placing it in a
configured path on the filesystem. It will also accept a restart command to
restart any appropriate services to take advantage of the new cert.
It employs a script, check_cert.sh, to validate the cert in vault exists, and
is appropriate to replace the existing one
#### Parameters inherited from common, but can be overriden: #### Parameters inherited from common, but can be overriden:
##### `user` ##### `user`

3
manifests/common.pp
View File

@ -1,8 +1,5 @@
# Common configuration for acme_vault # Common configuration for acme_vault
# #
# This class needs to be included before acme_vault::request or
# acme_vault::deploy and contains configurations common to both. The user,
# vault, vault vars, and cron mailto are needed for both request and deploy
class acme_vault::common ( class acme_vault::common (
$user = $::acme_vault::params::user, $user = $::acme_vault::params::user,

6
manifests/deploy.pp
View File

@ -1,11 +1,5 @@
# Configuration for deploying certs in vault to the filesystem # Configuration for deploying certs in vault to the filesystem
# #
# This class handles taking a cert/key out of vault, and placing it in a
# configured path on the filesystem. It will also accept a restart command to
# restart any appropriate services to take advantage of the new cert.
#
# It employs a script, check_cert.sh, to validate the cert in vault is
# appropriate to replace the existing one
class acme_vault::deploy( class acme_vault::deploy(
$user = $::acme_vault::common::user, $user = $::acme_vault::common::user,

7
manifests/request.pp
View File

@ -1,12 +1,5 @@
# Configuration for requesting a cert from letsencrypt, and storing it in vault. # Configuration for requesting a cert from letsencrypt, and storing it in vault.
# #
# This class uses acme.sh, and pulls down the git repo for it. It uses the
# lexicon provider in acme.sh to do the dns updating for the dns-01 challenge.
# It configures a cron job to periodically check if a cert needs renewal.
#
# Note: it does not automatically trigger requesting certs, but relies on cron
# coordination to eventually reach the desired end state. Since certificate
# renewal has a large time window, this is acceptable.
class acme_vault::request ( class acme_vault::request (
$user = $::acme_vault::common::user, $user = $::acme_vault::common::user,