Classes
vaultbot: Installs and configures vaultbot
vaultbot::config: Manages the vaultbot global config
vaultbot::install: Installs vaultbot
vaultbot::service: Manages the vaultbot service

Defined types
vaultbot::bundle: Manages a certificate bundle with vaultbot

Class: vaultbot
Installs and configures vaultbot.
- See also

Examples
include vaultbot

class { 'vaultbot':
  FIXME
}

Parameters
The following parameters are available in the vaultbot class:
version, ensure, install_method, download_url, download_extension, checksum_verify, checksum_url, binary_name, bin_dir, archives_top_dir, etc_dir, proxy_url, service_manage, on_calendar, on_boot_sec, randomized_delay_sec, exec_start, syslog_identifier, auto_confirm, vault_addr, vault_cacert, vault_capath, vault_client_cert, vault_client_key, vault_client_timeout, vault_skip_verify, vault_tls_server_name, vault_max_retries, vault_token, vault_renew_token, vault_auth_method, vault_certificate_role, vault_aws_auth_role, vault_aws_auth_mount, vault_aws_auth_header, vault_aws_auth_nonce, vault_aws_auth_nonce_path, vault_gcp_auth_role, vault_gcp_auth_service_account_email, vault_gcp_auth_mount, vault_app_role_mount, vault_app_role_role_id, vault_app_role_secret_id, pki_mount, pki_role_name, pki_ttl, pki_exclude_cn_from_sans, pki_private_key_format, pki_renew_percent, pki_renew_time, pki_force_renew

Parameter: version
Data type: String[1]
The vaultbot version to install.
Default value: '1.14.3'

Parameter: ensure
Data type: Enum['absent','present']
Whether vaultbot should be installed. Should be one of [present, absent].
Default value: 'present'

Parameter: install_method
Data type: Enum['archive']
The installation method. Only the 'archive' method is supported at the moment.
Default value: 'archive'

Parameter: download_url
Data type: String[1]
URL template to download the vaultbot release from. The template is processed with inline_epp() and has the following variables available:
- version: see the version parameter
- os: OS kernel (windows/linux/darwin)
- arch: machine architecture (amd64/arm64)
- download_extension: see the download_extension parameter
Default value: 'https://gitlab.com/msvechla/vaultbot/-/releases/v<%= $version %>/downloads/vaultbot_<%= $version %>_<%= $os %>_<%= $arch %><%= $download_extension %>'

Parameter: download_extension
Data type: String[1]
Extension of the archive to download. This indirectly determines which extractor is used.
Default value: '.tar.gz'

Parameter: checksum_verify
Data type: Boolean
If set to true, the checksum of the downloaded archive is verified against the file at checksum_url. The checksum file is fetched from the same origin as the archive, so this detects corrupted or truncated downloads but does not by itself protect against a compromised or substituted download source.
Default value: true

Parameter: checksum_url
Data type: String[1]
URL of a file containing the archive checksums. Like download_url, this is an inline_epp() template (the default uses the version variable).
Default value: 'https://gitlab.com/msvechla/vaultbot/-/releases/v<%= $version %>/downloads/vaultbot_<%= $version %>_checksums.txt'

Parameter: binary_name
Data type: String[1]
Name of the installed vaultbot binary.
Default value: 'vaultbot'

Parameter: bin_dir
Data type: Stdlib::AbsolutePath
Directory to install the vaultbot binary into.
Default value: '/usr/local/bin'

Parameter: archives_top_dir
Data type: Stdlib::AbsolutePath
Directory in which downloaded archives are stored.
Default value: '/opt/vaultbot'

Parameter: etc_dir
Data type: Stdlib::AbsolutePath
Directory in which vaultbot configs are stored.
Default value: '/etc/vaultbot'

Parameter: proxy_url
Data type: Optional[String[1]]
If set, the URL of an HTTP proxy to use when downloading files.
Default value: undef

Parameter: service_manage
Data type: Boolean
If set to true, manage the vaultbot systemd timer and service.
Default value: true

Parameter: on_calendar
Data type: String[1]
Systemd timer OnCalendar value. This defines when the vaultbot service is run.
Default value: 'daily'

Parameter: on_boot_sec
Data type: String
Systemd timer OnBootSec value. This defines how long to wait after a system reboot before starting the vaultbot service. Disabled if set to the empty string ('').
Default value: '15min'

Parameter: randomized_delay_sec
Data type: String
Systemd timer RandomizedDelaySec value. This defines a random delay added before the timer starts the service, which spreads the load on Vault when many hosts share the same schedule. Disabled if set to the empty string ('').
Default value: '15min'

Parameter: exec_start
Data type: String[1]
Systemd service ExecStart value.
Default value: "${bin_dir}/${binary_name}"

Parameter: syslog_identifier
Data type: String[1]
Systemd service SyslogIdentifier value. The %i specifier in the default expands to the instance name of the templated service unit.
Default value: 'vaultbot-%i'

Parameter: auto_confirm
Data type: Optional[Boolean]
If set to true, user prompts are automatically confirmed with yes.
Default value: undef

Parameter: vault_addr
Data type: Optional[String[1]]
The address of the Vault server expressed as a URL and port.
Default value: undef

Parameter: vault_cacert
Data type: Optional[Stdlib::Absolutepath]
Path to a PEM-encoded CA certificate file used to verify the Vault server's TLS certificate.
Default value: undef

Parameter: vault_capath
Data type: Optional[Stdlib::Absolutepath]
Path to a directory of PEM-encoded CA certificate files used to verify the Vault server's TLS certificate. If vault_cacert is specified, its value takes precedence.
Default value: undef

Parameter: vault_client_cert
Data type: Optional[Stdlib::Absolutepath]
Path to a PEM-encoded client certificate for TLS authentication to the Vault server.
Default value: undef

Parameter: vault_client_key
Data type: Optional[Stdlib::Absolutepath]
Path to an unencrypted PEM-encoded private key matching the client certificate. Because the key is stored unencrypted, restrict the file's ownership and mode to the user vaultbot runs as.
Default value: undef

Parameter: vault_client_timeout
Data type: Optional[Integer[0]]
Request timeout for the Vault client.
Default value: undef

Parameter: vault_skip_verify
Data type: Optional[Boolean]
If set to true, Vault's presented certificate is not verified before communicating with it. An on-path attacker could then intercept the authentication credentials and the certificate material Vault returns, including the private key. Setting this variable is not recommended except during testing.
Default value: undef

Parameter: vault_tls_server_name
Data type: Optional[String]
If set, use the given name as the SNI host when connecting via TLS.
Default value: undef

Parameter: vault_max_retries
Data type: Optional[Integer[0]]
The maximum number of retries when a 5xx error code is encountered.
Default value: undef

Parameter: vault_token
Data type: Optional[String[1]]
The Vault authentication token, used with the token auth method.
Default value: undef

Parameter: vault_renew_token
Data type: Optional[Boolean]
If set to true, vaultbot tries to automatically renew the current token.
Default value: undef

Parameter: vault_auth_method
Data type: Optional[Enum['agent','cert','approle','token','aws-iam','aws-ec2','gcp-gce','gcp-iam']]
The method used to authenticate to Vault. Should be one of [agent, cert, approle, token, aws-iam, aws-ec2, gcp-gce, gcp-iam].
Default value: undef

Parameter: vault_certificate_role
Data type: Optional[String[1]]
The certificate role to authenticate against when using the cert auth method.
Default value: undef

Parameter: vault_aws_auth_role
Data type: Optional[String[1]]
The role to use for AWS IAM authentication.
Default value: undef

Parameter: vault_aws_auth_mount
Data type: Optional[String[1]]
The mount path of the Vault AWS auth method.
Default value: undef

Parameter: vault_aws_auth_header
Data type: Optional[String[1]]
The header value to use during Vault AWS IAM authentication. If empty, no header is set.
Default value: undef

Parameter: vault_aws_auth_nonce
Data type: Optional[String[1]]
The nonce to use during Vault AWS EC2 authentication.
Default value: undef

Parameter: vault_aws_auth_nonce_path
Data type: Optional[String[1]]
If set, the nonce used during Vault AWS EC2 authentication is written to this path.
Default value: undef

Parameter: vault_gcp_auth_role
Data type: Optional[String[1]]
The role to use for GCP authentication.
Default value: undef

Parameter: vault_gcp_auth_service_account_email
Data type: Optional[String[1]]
The service account email to use for GCP IAM authentication.
Default value: undef

Parameter: vault_gcp_auth_mount
Data type: Optional[String[1]]
The mount path of the Vault GCP auth method.
Default value: undef

Parameter: vault_app_role_mount
Data type: Optional[String[1]]
The mount path of the AppRole auth method.
Default value: undef

Parameter: vault_app_role_role_id
Data type: Optional[String[1]]
RoleID of the AppRole.
Default value: undef

Parameter: vault_app_role_secret_id
Data type: Optional[String[1]]
SecretID belonging to the AppRole.
Default value: undef

Parameter: pki_mount
Data type: Optional[String[1]]
Specifies the PKI backend mount path.
Default value: undef

Parameter: pki_role_name
Data type: Optional[String[1]]
Specifies the name of the PKI role to issue the certificate against.
Default value: undef

Parameter: pki_ttl
Data type: Optional[String[1]]
Specifies the requested Time To Live of the certificate.
Default value: undef

Parameter: pki_exclude_cn_from_sans
Data type: Optional[Boolean]
If set to true, the bundle's pki_common_name is not included in the Subject Alternative Names.
Default value: undef

Parameter: pki_private_key_format
Data type: Optional[Enum['der','pkcs8']]
Specifies the format for marshaling the private key. Should be one of [der, pkcs8].
Default value: undef

Parameter: pki_renew_percent
Data type: Optional[Float[0.00,1.00]]
Fraction of the requested certificate TTL after which a renewal is triggered (greater than 0.00 and less than 1.00).
Default value: undef

Parameter: pki_renew_time
Data type: Optional[String[1]]
Duration before certificate expiry at which a renewal is triggered (e.g. 12h, 1m). Takes precedence over pki_renew_percent when set.
Default value: undef

Parameter: pki_force_renew
Data type: Optional[Boolean]
If set to true, the certificate is renewed without checking its expiry.
Default value: undef
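The following declaration is an added example of the class parameters above; it is not code from the module or from vaultbot's documentation. The mirror host, CA path, Vault address, mount and role names and the Hiera keys passed to lookup() are placeholders, and the example assumes that bundles declared on the host fall back to these class-level Vault and PKI settings when they do not set their own, as the duplicated parameter sets suggest.

```puppet
# Added example (not the module's own code). Hostnames, paths, mount names,
# role names and Hiera keys are placeholders.
class { 'vaultbot':
  version                  => '1.14.3',
  # Fetch the release archive and its checksum file from an internal mirror
  # that keeps the upstream layout. The template sees the same variables the
  # default download_url uses: $version, $os, $arch and $download_extension.
  download_url             => 'https://mirror.example.internal/vaultbot/v<%= $version %>/vaultbot_<%= $version %>_<%= $os %>_<%= $arch %><%= $download_extension %>',
  checksum_url             => 'https://mirror.example.internal/vaultbot/v<%= $version %>/vaultbot_<%= $version %>_checksums.txt',
  checksum_verify          => true,
  # Systemd timer: run once a day, 10 minutes after boot, with the start
  # spread over a 30 minute window so a fleet does not hit Vault at once.
  on_calendar              => 'daily',
  on_boot_sec              => '10min',
  randomized_delay_sec     => '30min',
  # Global Vault client settings. Server verification stays on
  # (vault_skip_verify is left unset) and the internal CA is pinned.
  vault_addr               => 'https://vault.example.internal:8200',
  vault_cacert             => '/etc/ssl/certs/example-internal-ca.pem',
  vault_client_timeout     => 30,
  vault_max_retries        => 3,
  # AppRole credentials come from Hiera (placeholder keys). The parameters
  # are plain strings, so keep the values in an encrypted Hiera backend
  # rather than in the control repository.
  vault_auth_method        => 'approle',
  vault_app_role_mount     => 'approle',
  vault_app_role_role_id   => lookup('profile::vaultbot::role_id'),
  vault_app_role_secret_id => lookup('profile::vaultbot::secret_id'),
  # PKI defaults shared by every bundle on this host.
  pki_mount                => 'pki_int',
  pki_role_name            => 'internal-server',
  pki_private_key_format   => 'pkcs8',
  pki_renew_percent        => 0.66,
}
```

On cloud hosts the aws-iam, aws-ec2, gcp-gce or gcp-iam auth methods avoid distributing a SecretID at all; the AppRole form is shown because it works anywhere. Leaving vault_skip_verify unset and pinning the CA through vault_cacert is what keeps the returned private keys confidential on the wire.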
Defined type: vaultbot::bundle
Manages a certificate bundle with vaultbot.
- See also
  FIXME

Parameters
The following parameters are available in the vaultbot::bundle defined type:
ensure, bundle_name, logfile, renew_hook, auto_confirm, vault_addr, vault_cacert, vault_capath, vault_client_cert, vault_client_key, vault_client_timeout, vault_skip_verify, vault_tls_server_name, vault_max_retries, vault_token, vault_renew_token, vault_auth_method, vault_certificate_role, vault_aws_auth_role, vault_aws_auth_mount, vault_aws_auth_header, vault_aws_auth_nonce, vault_aws_auth_nonce_path, vault_gcp_auth_role, vault_gcp_auth_service_account_email, vault_gcp_auth_mount, vault_app_role_mount, vault_app_role_role_id, vault_app_role_secret_id, pki_mount, pki_role_name, pki_common_name, pki_alt_names, pki_ip_sans, pki_ttl, pki_exclude_cn_from_sans, pki_private_key_format, pki_renew_percent, pki_renew_time, pki_force_renew, pki_cert_path, pki_cachain_path, pki_privkey_path, pki_pembundle_path, pki_jks_path, pki_jks_password, pki_jks_cert_alias, pki_jks_cachain_alias, pki_jks_privkey_alias, pki_pkcs12_path, pki_pkcs12_umask, pki_pkcs12_password

Parameter: ensure
Data type: Enum['absent','present']
Whether the bundle should exist. Should be one of [present, absent].
Default value: 'present'

Parameter: bundle_name
Data type: String[1]
The certificate bundle name.
Default value: $title

Parameter: logfile
Data type: Optional[Stdlib::Absolutepath]
Path to the vaultbot logfile for this bundle.
Default value: undef

Parameter: renew_hook
Data type: Optional[Stdlib::Absolutepath]
Absolute path of a command to execute after the certificate has been updated, for example a script that reloads the consuming service.
Default value: undef

Parameter: auto_confirm
Data type: Optional[Boolean]
If set to true, user prompts are automatically confirmed with yes.
Default value: undef

Parameter: vault_addr
Data type: Optional[String[1]]
The address of the Vault server expressed as a URL and port.
Default value: undef

Parameter: vault_cacert
Data type: Optional[Stdlib::Absolutepath]
Path to a PEM-encoded CA certificate file used to verify the Vault server's TLS certificate.
Default value: undef

Parameter: vault_capath
Data type: Optional[Stdlib::Absolutepath]
Path to a directory of PEM-encoded CA certificate files used to verify the Vault server's TLS certificate. If vault_cacert is specified, its value takes precedence.
Default value: undef

Parameter: vault_client_cert
Data type: Optional[Stdlib::Absolutepath]
Path to a PEM-encoded client certificate for TLS authentication to the Vault server.
Default value: undef

Parameter: vault_client_key
Data type: Optional[Stdlib::Absolutepath]
Path to an unencrypted PEM-encoded private key matching the client certificate. Because the key is stored unencrypted, restrict the file's ownership and mode to the user vaultbot runs as.
Default value: undef

Parameter: vault_client_timeout
Data type: Optional[Integer[0]]
Request timeout for the Vault client.
Default value: undef

Parameter: vault_skip_verify
Data type: Optional[Boolean]
If set to true, Vault's presented certificate is not verified before communicating with it. An on-path attacker could then intercept the authentication credentials and the certificate material Vault returns, including the private key. Setting this variable is not recommended except during testing.
Default value: undef

Parameter: vault_tls_server_name
Data type: Optional[String]
If set, use the given name as the SNI host when connecting via TLS.
Default value: undef

Parameter: vault_max_retries
Data type: Optional[Integer[0]]
The maximum number of retries when a 5xx error code is encountered.
Default value: undef

Parameter: vault_token
Data type: Optional[String[1]]
The Vault authentication token, used with the token auth method.
Default value: undef

Parameter: vault_renew_token
Data type: Optional[Boolean]
If set to true, vaultbot tries to automatically renew the current token.
Default value: undef

Parameter: vault_auth_method
Data type: Optional[Enum['agent','cert','approle','token','aws-iam','aws-ec2','gcp-gce','gcp-iam']]
The method used to authenticate to Vault. Should be one of [agent, cert, approle, token, aws-iam, aws-ec2, gcp-gce, gcp-iam].
Default value: undef

Parameter: vault_certificate_role
Data type: Optional[String[1]]
The certificate role to authenticate against when using the cert auth method.
Default value: undef

Parameter: vault_aws_auth_role
Data type: Optional[String[1]]
The role to use for AWS IAM authentication.
Default value: undef

Parameter: vault_aws_auth_mount
Data type: Optional[String[1]]
The mount path of the Vault AWS auth method (default: aws).
Default value: undef

Parameter: vault_aws_auth_header
Data type: Optional[String[1]]
The header value to use during Vault AWS IAM authentication. If empty, no header is set.
Default value: undef

Parameter: vault_aws_auth_nonce
Data type: Optional[String[1]]
The nonce to use during Vault AWS EC2 authentication.
Default value: undef

Parameter: vault_aws_auth_nonce_path
Data type: Optional[String[1]]
If set, the nonce used during Vault AWS EC2 authentication is written to this path.
Default value: undef

Parameter: vault_gcp_auth_role
Data type: Optional[String[1]]
The role to use for GCP authentication.
Default value: undef

Parameter: vault_gcp_auth_service_account_email
Data type: Optional[String[1]]
The service account email to use for GCP IAM authentication.
Default value: undef

Parameter: vault_gcp_auth_mount
Data type: Optional[String[1]]
The mount path of the Vault GCP auth method.
Default value: undef

Parameter: vault_app_role_mount
Data type: Optional[String[1]]
The mount path of the AppRole auth method.
Default value: undef

Parameter: vault_app_role_role_id
Data type: Optional[String[1]]
RoleID of the AppRole.
Default value: undef

Parameter: vault_app_role_secret_id
Data type: Optional[String[1]]
SecretID belonging to the AppRole.
Default value: undef

Parameter: pki_mount
Data type: Optional[String[1]]
Specifies the PKI backend mount path.
Default value: undef

Parameter: pki_role_name
Data type: Optional[String[1]]
Specifies the name of the PKI role to issue the certificate against.
Default value: undef

Parameter: pki_common_name
Data type: Optional[String[1]]
Specifies the requested Common Name (CN) of the certificate.
Default value: undef

Parameter: pki_alt_names
Data type: Optional[Array[String[1]]]
Array of strings specifying the requested Subject Alternative Names.
Default value: undef

Parameter: pki_ip_sans
Data type: Optional[Array[String[1]]]
Array of strings specifying the requested IP Subject Alternative Names.
Default value: undef

Parameter: pki_ttl
Data type: Optional[String[1]]
Specifies the requested Time To Live of the certificate.
Default value: undef

Parameter: pki_exclude_cn_from_sans
Data type: Optional[Boolean]
If set to true, the given pki_common_name is not included in the Subject Alternative Names.
Default value: undef

Parameter: pki_private_key_format
Data type: Optional[Enum['der','pkcs8']]
Specifies the format for marshaling the private key. Should be one of [der, pkcs8].
Default value: undef

Parameter: pki_renew_percent
Data type: Optional[Float[0.00,1.00]]
Fraction of the requested certificate TTL after which a renewal is triggered (greater than 0.00 and less than 1.00).
Default value: undef

Parameter: pki_renew_time
Data type: Optional[String[1]]
Duration before certificate expiry at which a renewal is triggered (e.g. 12h, 1m). Takes precedence over pki_renew_percent when set.
Default value: undef

Parameter: pki_force_renew
Data type: Optional[Boolean]
If set to true, the certificate is renewed without checking its expiry.
Default value: undef

Parameter: pki_cert_path
Data type: Optional[Stdlib::Absolutepath]
Path at which the requested certificate is written and later updated.
Default value: undef

Parameter: pki_cachain_path
Data type: Optional[Stdlib::Absolutepath]
Path at which the CA chain of the requested certificate is written and later updated.
Default value: undef

Parameter: pki_privkey_path
Data type: Optional[Stdlib::Absolutepath]
Path at which the private key of the requested certificate is written and later updated.
Default value: undef

Parameter: pki_pembundle_path
Data type: Optional[Stdlib::Absolutepath]
Path at which a PEM bundle containing the certificate, private key and CA chain is written and later updated.
Default value: undef

Parameter: pki_jks_path
Data type: Optional[Stdlib::Absolutepath]
Path to a Java KeyStore (JKS) into which the certificates should be exported.
Default value: undef

Parameter: pki_jks_password
Data type: Optional[Sensitive[String[1]]]
Java KeyStore password.
Default value: undef

Parameter: pki_jks_cert_alias
Data type: Optional[String[1]]
Alias in the Java KeyStore of the requested certificate.
Default value: undef

Parameter: pki_jks_cachain_alias
Data type: Optional[String[1]]
Alias in the Java KeyStore of the CA chain of the requested certificate.
Default value: undef

Parameter: pki_jks_privkey_alias
Data type: Optional[String[1]]
Alias in the Java KeyStore of the private key of the requested certificate.
Default value: undef

Parameter: pki_pkcs12_path
Data type: Optional[Stdlib::Absolutepath]
Path to a PKCS#12 keystore into which the certificates should be exported.
Default value: undef

Parameter: pki_pkcs12_umask
Data type: Optional[String[1]]
File mode of the generated PKCS#12 keystore, in octal (e.g. 0644). Despite the parameter name, the value is the mode applied to the new file rather than a umask. An existing keystore keeps its mode.
Default value: undef

Parameter: pki_pkcs12_password
Data type: Optional[Sensitive[String[1]]]
Password for the generated PKCS#12 keystore. When unset, vaultbot's default password "ChangeIt" is used, a commonly-used password for PKCS#12 files. Because of the weak encryption used by PKCS#12, the upstream recommendation is to keep the default password and protect the keystore file by other means, such as restrictive ownership and the mode set through pki_pkcs12_umask.
Default value: undef
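The following declarations are an added example of the bundle parameters above and the output options they control; they are not code from the module. Hostnames, paths, the hook scripts, the PKI role name and the Hiera key are placeholders, and the example assumes a vaultbot class already declared on the host with the Vault address and authentication settings.

```puppet
# Added example (not the module's own code). Hostnames, paths, hook scripts,
# role names and the Hiera key are placeholders; it assumes class { 'vaultbot': }
# already carries vault_addr, the auth method and the default PKI mount/role.

# vaultbot writes unencrypted private keys, so the output directories are
# created first with restrictive ownership and mode. Services that read the
# key as a non-root user need matching group access.
file { ['/etc/pki/web', '/etc/pki/app']:
  ensure => directory,
  owner  => 'root',
  group  => 'root',
  mode   => '0750',
}

# PEM output for a web server. pki_renew_time overrides the percentage-based
# default so the certificate is renewed when 72h remain.
vaultbot::bundle { 'web-example-internal':
  pki_common_name  => 'web.example.internal',
  pki_alt_names    => ['web.example.internal', 'web'],
  pki_ip_sans      => ['10.10.0.25'],
  pki_ttl          => '720h',
  pki_renew_time   => '72h',
  pki_cert_path    => '/etc/pki/web/cert.pem',
  pki_cachain_path => '/etc/pki/web/chain.pem',
  pki_privkey_path => '/etc/pki/web/key.pem',
  # Reload the web server after each successful renewal.
  renew_hook       => '/usr/local/sbin/reload-nginx',
  logfile          => '/var/log/vaultbot/web.log',
  require          => File['/etc/pki/web'],
}

# The same material as keystores for a Java service, issued from a different
# PKI role. The JKS password is wrapped in Sensitive so Puppet redacts it
# from logs and reports; the PKCS#12 copy keeps the upstream default password
# and relies on the file mode instead, as the parameter description advises.
vaultbot::bundle { 'app-example-internal':
  pki_role_name         => 'internal-service',
  pki_common_name       => 'app.example.internal',
  pki_ttl               => '168h',
  pki_renew_percent     => 0.5,
  pki_jks_path          => '/etc/pki/app/keystore.jks',
  pki_jks_password      => Sensitive(lookup('profile::app::keystore_password')),
  pki_jks_cert_alias    => 'app',
  pki_jks_cachain_alias => 'internal-ca',
  pki_jks_privkey_alias => 'app',
  pki_pkcs12_path       => '/etc/pki/app/keystore.p12',
  pki_pkcs12_umask      => '0640',
  renew_hook            => '/usr/local/sbin/restart-app',
  logfile               => '/var/log/vaultbot/app.log',
  require               => File['/etc/pki/app'],
}
```

Each bundle becomes its own instance of the templated systemd service, so the two certificates renew independently and a failing hook for one does not block the other. Keep the hook scripts root-owned and non-writable by the service account, since they run with the privileges of the vaultbot unit.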