├── .kitchen.yml ├── .rspec ├── .rubocop.yml ├── .travis.yml ├── .yardopts ├── LICENSE ├── README.md ├── Rakefile ├── attributes └── default.rb ├── chefignore ├── metadata.rb ├── recipes └── default.rb └── test ├── fixtures ├── data_bags │ └── secrets │ │ ├── consul.json │ │ └── vault.json └── policies │ └── default.rb └── integration └── default └── serverspec └── default_spec.rb /.kitchen.yml: -------------------------------------------------------------------------------- 1 | --- 2 | driver: 3 | name: vagrant 4 | 5 | provisioner: 6 | name: policyfile_zero 7 | data_bags_path: test/fixtures/data_bags 8 | 9 | platforms: 10 | - name: ubuntu-14.04 11 | - name: ubuntu-12.04 12 | - name: centos-7.2 13 | - name: centos-6.7 14 | 15 | suites: 16 | - name: default 17 | provisioner: 18 | policyfile: test/fixtures/policies/default.rb 19 | -------------------------------------------------------------------------------- /.rspec: -------------------------------------------------------------------------------- 1 | --default-path test/spec 2 | --color 3 | -------------------------------------------------------------------------------- /.rubocop.yml: -------------------------------------------------------------------------------- 1 | --- 2 | AllCops: 3 | Exclude: 4 | - 'Guardfile' 5 | - 'Rakefile' 6 | - 'Vagrantfile' 7 | - 'Policyfile.rb' 8 | - 'Berksfile' 9 | - 'Thorfile' 10 | - 'Gemfile' 11 | - 'metadata.rb' 12 | - 'test/**/*' 13 | - 'bin/**' 14 | - 'vendor/**/*' 15 | AlignParameters: 16 | Enabled: false 17 | ClassLength: 18 | Enabled: false 19 | CyclomaticComplexity: 20 | Enabled: false 21 | Documentation: 22 | Enabled: false 23 | Encoding: 24 | Enabled: false 25 | Style/FileName: 26 | Enabled: false 27 | LineLength: 28 | Enabled: false 29 | MethodLength: 30 | Enabled: false 31 | Metrics/AbcSize: 32 | Enabled: false 33 | PerceivedComplexity: 34 | Enabled: false 35 | SpaceBeforeFirstArg: 36 | Enabled: false 37 | Style/ClassAndModuleChildren: 38 | Enabled: false 39 | 
Style/FileName:
40 |   Enabled: false
41 | Style/GuardClause:
42 |   Enabled: false
43 | Style/PercentLiteralDelimiters:
44 |   Enabled: false
45 | Style/ModuleFunction:
46 |   Enabled: false
47 | Style/IndentationWidth:
48 |   Enabled: false
49 | Style/IndentArray:
50 |   Enabled: false
51 | 
--------------------------------------------------------------------------------
/.travis.yml:
--------------------------------------------------------------------------------
1 | ---
2 | language: ruby
3 | sudo: false
4 | notifications:
5 |   slack: bloomberg-rnd:eHp3Czg42iGzaTgG8sAFeD9v  # NOTE(review): account:token is committed in cleartext, so every reader of this file holds a working notification credential; store it as an encrypted `secure:` value (travis encrypt) and rotate this token
6 | script: bundle exec rake travis
7 | cache: bundler
8 | rvm:
9 |   - 2.1
10 |   - 2.2
11 | branches:
12 |   only:
13 |     - master
14 | matrix:
15 |   fast_finish: true
16 | 
--------------------------------------------------------------------------------
/.yardopts:
--------------------------------------------------------------------------------
1 | --plugin classmethods
2 | --embed-mixin ClassMethods
3 | --hide-api private
4 | --markup markdown
5 | --hide-void-return
6 | 
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 | Copyright 2015-2016, Bloomberg Finance L.P.
2 | 
3 | Licensed under the Apache License, Version 2.0 (the "License");
4 | you may not use this file except in compliance with the License.
5 | You may obtain a copy of the License at
6 | 
7 |     http://www.apache.org/licenses/LICENSE-2.0
8 | 
9 | Unless required by applicable law or agreed to in writing, software
10 | distributed under the License is distributed on an "AS IS" BASIS,
11 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | See the License for the specific language governing permissions and
13 | limitations under the License.
14 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # vault-cluster-cookbook 2 | [![Build Status](https://img.shields.io/travis/johnbellone/vault-cluster-cookbook.svg)](https://travis-ci.org/johnbellone/vault-cluster-cookbook) 3 | [![Cookbook Version](https://img.shields.io/cookbook/v/hashicorp-vault.svg)](https://supermarket.chef.io/cookbooks/hashicorp-vault) 4 | [![Coverage](https://img.shields.io/codecov/c/github/johnbellone/vault-cluster-cookbook.svg)](https://codecov.io/github/johnbellone/vault-cluster-cookbook) 5 | [![License](https://img.shields.io/badge/license-Apache_2-blue.svg)](https://www.apache.org/licenses/LICENSE-2.0) 6 | 7 | [Wrapper cookbook][0] which installs and configures [Vault][1] with 8 | [Consul][2] as its backend. 9 | 10 | ## Basic Usage 11 | This cookbook was designed as an example on how to use our 12 | [Vault cookbook][3] and [Consul cookbook][4] for providing a highly 13 | available secrets management infrastructure. This cookbook highlights 14 | several of our best practices for developing reusable infrastructure 15 | at Bloomberg. 16 | 17 | It provides a bullet-proof example on how to properly write a 18 | [wrapper cookbook][0] and deploy secrets management infrastructure using 19 | Chef. The values from the node attributes set in the [default recipe](recipes/default.rb) 20 | are passed into the resources for both cookbooks. 21 | 22 | Out of the box the following platforms are certified to work and 23 | are tested using our [Test Kitchen][5] configuration. Additional platforms 24 | _may_ work, but your mileage may vary. 
25 | - CentOS (RHEL) 6.6, 7.1 26 | - Ubuntu 12.04, 14.04 27 | 28 | [0]: http://blog.vialstudios.com/the-environment-cookbook-pattern/#thewrappercookbook 29 | [1]: https://www.vaultproject.io 30 | [2]: https://www.consul.io/ 31 | [3]: https://github.com/johnbellone/vault-cookbook 32 | [4]: https://github.com/johnbellone/consul-cookbook 33 | [5]: http://kitchen.ci/ 34 | -------------------------------------------------------------------------------- /Rakefile: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env rake 2 | 3 | require 'bundler/setup' 4 | require 'rspec/core/rake_task' 5 | require 'rubocop/rake_task' 6 | require 'foodcritic' 7 | require 'kitchen' 8 | 9 | namespace :style do 10 | desc 'Run Ruby style checks' 11 | RuboCop::RakeTask.new(:ruby) 12 | 13 | desc 'Run Chef style checks' 14 | FoodCritic::Rake::LintTask.new(:chef) 15 | end 16 | 17 | desc 'Run all style checks' 18 | task style: ['style:chef', 'style:ruby'] 19 | 20 | desc 'Run ChefSpec unit tests' 21 | RSpec::Core::RakeTask.new(:unit) do |t| 22 | t.pattern = 'test/spec/**{,/*/**}/*_spec.rb' 23 | end 24 | 25 | # Integration tests. Kitchen.ci 26 | desc 'Run Test Kitchen with Vagrant' 27 | task :vagrant do 28 | Kitchen.logger = Kitchen.default_file_logger 29 | Kitchen::Config.new.instances.each do |instance| 30 | instance.test(:always) 31 | end 32 | end 33 | 34 | desc 'Run style & unit tests on Travis' 35 | task travis: %w(style unit) 36 | 37 | # Default 38 | desc 'Run style, unit, and Vagrant-based integration tests' 39 | task default: %w(style unit vagrant) 40 | -------------------------------------------------------------------------------- /attributes/default.rb: -------------------------------------------------------------------------------- 1 | # 2 | # Cookbook: vault-cluster 3 | # License: Apache 2.0 4 | # 5 | # Copyright 2015-2016, Bloomberg Finance L.P. 
6 | # 7 | default['vault-cluster']['tls']['ssl_key']['path'] = '/etc/vault/ssl/private/vault.key' 8 | default['vault-cluster']['tls']['ssl_key']['source'] = 'chef-vault' 9 | default['vault-cluster']['tls']['ssl_key']['bag'] = 'secrets' 10 | default['vault-cluster']['tls']['ssl_key']['item'] = 'consul' 11 | default['vault-cluster']['tls']['ssl_key']['item_key'] = 'private_key' 12 | default['vault-cluster']['tls']['ssl_cert']['path'] = '/etc/vault/ssl/certs/vault.crt' 13 | default['vault-cluster']['tls']['ssl_cert']['source'] = 'chef-vault' 14 | default['vault-cluster']['tls']['ssl_cert']['bag'] = 'secrets' 15 | default['vault-cluster']['tls']['ssl_cert']['item'] = 'consul' 16 | default['vault-cluster']['tls']['ssl_cert']['item_key'] = 'certificate' 17 | default['vault-cluster']['tls']['ssl_chain']['path'] = '/etc/vault/ssl/certs/chain.crt' 18 | default['vault-cluster']['tls']['ssl_chain']['name'] = 'chain.crt' 19 | default['vault-cluster']['tls']['ssl_chain']['source'] = 'chef-vault' 20 | default['vault-cluster']['tls']['ssl_chain']['bag'] = 'secrets' 21 | default['vault-cluster']['tls']['ssl_chain']['item'] = 'consul' 22 | default['vault-cluster']['tls']['ssl_chain']['item_key'] = 'ca_certificate' 23 | -------------------------------------------------------------------------------- /chefignore: -------------------------------------------------------------------------------- 1 | # Put files/directories that should be ignored in this file when uploading 2 | # or sharing to the community site. 3 | # Lines that start with '# ' are comments. 4 | 5 | # OS generated files # 6 | ###################### 7 | .DS_Store 8 | Icon? 
9 | nohup.out 10 | ehthumbs.db 11 | Thumbs.db 12 | 13 | # SASS # 14 | ######## 15 | .sass-cache 16 | 17 | # EDITORS # 18 | ########### 19 | \#* 20 | .#* 21 | *~ 22 | *.sw[a-z] 23 | *.bak 24 | REVISION 25 | TAGS* 26 | tmtags 27 | *_flymake.* 28 | *_flymake 29 | *.tmproj 30 | .project 31 | .settings 32 | mkmf.log 33 | 34 | ## COMPILED ## 35 | ############## 36 | a.out 37 | *.o 38 | *.pyc 39 | *.so 40 | *.com 41 | *.class 42 | *.dll 43 | *.exe 44 | */rdoc/ 45 | 46 | # Testing # 47 | ########### 48 | .watchr 49 | .rspec 50 | spec/* 51 | spec/fixtures/* 52 | test/* 53 | features/* 54 | Guardfile 55 | Procfile 56 | 57 | # SCM # 58 | ####### 59 | .git 60 | */.git 61 | .gitignore 62 | .gitmodules 63 | .gitconfig 64 | .gitattributes 65 | .svn 66 | */.bzr/* 67 | */.hg/* 68 | */.svn/* 69 | 70 | # Berkshelf # 71 | ############# 72 | Berksfile 73 | Berksfile.lock 74 | cookbooks/* 75 | tmp 76 | 77 | # Cookbooks # 78 | ############# 79 | CONTRIBUTING 80 | 81 | # Strainer # 82 | ############ 83 | Colanderfile 84 | Strainerfile 85 | .colander 86 | .strainer 87 | 88 | # Vagrant # 89 | ########### 90 | .vagrant 91 | Vagrantfile 92 | 93 | # Travis # 94 | ########## 95 | .travis.yml 96 | -------------------------------------------------------------------------------- /metadata.rb: -------------------------------------------------------------------------------- 1 | name 'vault-cluster' 2 | maintainer 'Bloomberg Infrastructure Engineering' 3 | maintainer_email 'chef@bloomberg.net' 4 | source_url 'https://github.com/bloomberg/vault-cluster-cookbook' 5 | issues_url 'https://github.com/bloomberg/vault-cluster-cookbook/issues' 6 | license 'Apache 2.0' 7 | description 'Wrapper cookbook which installs and configures Vault with Consul as its backend.' 8 | long_description 'Wrapper cookbook which installs and configures Vault with Consul as its backend.' 
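9 | version '2.1.0'
10 | 
11 | supports 'ubuntu', '>= 12.04'
12 | supports 'redhat', '>= 6.6'
13 | supports 'centos', '>= 6.6'
14 | 
15 | depends 'ssl_certificate', '~> 1.11'
16 | depends 'consul-cluster', '~> 2.0'
17 | depends 'hashicorp-vault', '~> 2.1'
18 | 
--------------------------------------------------------------------------------
/recipes/default.rb:
--------------------------------------------------------------------------------
1 | #
2 | # Cookbook: vault-cluster
3 | # License: Apache 2.0
4 | #
5 | # Copyright 2015-2016, Bloomberg Finance L.P.
6 | #
7 | # Converges Consul first (it is configured below as Vault's storage
8 | # backend), writes the TLS material for Vault, then hands over to the
9 | # hashicorp-vault cookbook with TLS left enabled.
10 | include_recipe 'consul-cluster::default'
11 | 
12 | # The service account is declared before the directories and certificate
13 | # resources that name it as their owner.
14 | poise_service_user node['hashicorp-vault']['service_user'] do
15 |   group node['hashicorp-vault']['service_group']
16 | end
17 | 
18 | # Directory that holds the TLS private key. The mode is set explicitly so
19 | # the directory is not left at whatever the converge umask produces; only
20 | # the service user and group may enter it. `recursive true` creates missing
21 | # parents, but owner/group/mode apply to this leaf directory only.
22 | directory File.dirname(node['vault-cluster']['tls']['ssl_key']['path']) do
23 |   recursive true
24 |   owner node['hashicorp-vault']['service_user']
25 |   group node['hashicorp-vault']['service_group']
26 |   mode '0750'
27 | end
28 | 
29 | # Directory for the certificate and chain (public material).
30 | directory File.dirname(node['vault-cluster']['tls']['ssl_cert']['path']) do
31 |   recursive true
32 |   owner node['hashicorp-vault']['service_user']
33 |   group node['hashicorp-vault']['service_group']
34 | end
35 | 
36 | # Key, certificate and chain are described by the node['vault-cluster']['tls']
37 | # namespace. With the defaults in attributes/default.rb all three come from
38 | # the 'consul' item of the 'secrets' bag via chef-vault.
39 | # NOTE(review): confirm Vault is meant to present the key pair stored under
40 | # the 'consul' item; the test fixtures also ship a separate 'vault' item.
41 | ssl_certificate node['hashicorp-vault']['service_name'] do
42 |   owner node['hashicorp-vault']['service_user']
43 |   group node['hashicorp-vault']['service_group']
44 |   namespace node['vault-cluster']['tls']
45 |   # `name` is this resource's own name (the Vault service name), so a changed
46 |   # certificate reloads the matching vault_service at the end of the run.
47 |   notifies :reload, "vault_service[#{name}]", :delayed
48 | end
49 | 
50 | node.default['hashicorp-vault']['config']['backend_type'] = 'consul'
51 | # Keep the listener on TLS.
52 | # NOTE(review): this recipe does not itself point Vault at the key/cert paths
53 | # written above; presumably the hashicorp-vault defaults match - confirm.
54 | node.default['hashicorp-vault']['config']['tls_disable'] = false
55 | include_recipe 'hashicorp-vault::default'
56 | 
--------------------------------------------------------------------------------
/test/fixtures/data_bags/secrets/consul.json:
--------------------------------------------------------------------------------
1 | {
2 |   "id": "consul",
3 |   "certificate": "-----BEGIN 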
CERTIFICATE-----\nMIIDjzCCAnegAwIBAgIBCjANBgkqhkiG9w0BAQUFADB8MQswCQYDVQQGEwJVUzER\nMA8GA1UECBMITmV3IFlvcmsxFjAUBgNVBAcTDU5ldyBZb3JrIENpdHkxHzAdBgNV\nBAoTFkJsb29tYmVyZyBGaW5hbmNlIEwuUC4xITAfBgNVBAsUGFImRCBQbGF0Zm9y\nbSBFbmdpbmVlcmluZzAeFw0xNTA2MTUxMTM1MDhaFw0yNTA2MTIxMTM1MDhaMIGi\nMRUwEwYDVQQDEwxKb2huIEJlbGxvbmUxETAPBgNVBAgTCE5ldyBZb3JrMQswCQYD\nVQQGEwJVUzElMCMGCSqGSIb3DQEJARYWamJlbGxvbmVAYmxvb21iZXJnLm5ldDEf\nMB0GA1UEChMWQmxvb21iZXJnIEZpbmFuY2UgTC5QLjEhMB8GA1UECxQYUiZEIFBs\nYXRmb3JtIEVuZ2luZWVyaW5nMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDO\nJTDt2WDTCKeB2ubzvBbE5ziCQZwGj1T4/uzlXlrybQ9q5M+oQDD44WRzSANx3Vx+\nI6ao57z6QtA5qOG9cw3csFgsMn6lVLzoegm2wQ7UhvqfcD2SOOWHBBsXp8VmX+ay\nOXpKRT5UOdLx3AczoUTua7aVsXDk/FJ9D4NV8NOF5wIDAQABo3kwdzAJBgNVHRME\nAjAAMB0GA1UdDgQWBBRo/0cnJ6coZaWuE+M7oqSsZ52vBjAfBgNVHSMEGDAWgBS5\nzSJ2wMBbmqDs6IlOdrUynXj8gTALBgNVHQ8EBAMCBaAwHQYDVR0lBBYwFAYIKwYB\nBQUHAwEGCCsGAQUFBwMCMA0GCSqGSIb3DQEBBQUAA4IBAQCzqVLJ+v+yzvA0RFif\nf6j4DMj8MT/bxyaaX6SwYoC4ILIZjJ9Pn/1LwxZUfOkpEXwOQnT4G1epvuJIhXL7\nkILMoewMxseY6laHW4vCo3w4UJsKKlSnGinSkUun+CtI2CpPaIZ4bRnKsYGdqzeN\nShbn7xVc+oVS4tQA72T4g7WltVGTM+At6EKhKCvbEUiZ3OznFHEmvxYzrGZGii18\nyamF6DtSIS4a6E1G5zDGr2ba4THcHBuV9JsZeQhg9UlGdyA30n9zz5M8QJpUr34Z\nfRGmyGq+fIwpH639F/I2sLNIcZKsPbjfVojK+4e6d4t4rQiqo1jv9YZUvgvDIiu8\nWatv\n-----END CERTIFICATE-----\n", 4 | "ca_certificate": "-----BEGIN 
CERTIFICATE-----\nMIIEXjCCA0agAwIBAgIJAJ4alkWMxGdeMA0GCSqGSIb3DQEBBQUAMHwxCzAJBgNV\nBAYTAlVTMREwDwYDVQQIEwhOZXcgWW9yazEWMBQGA1UEBxMNTmV3IFlvcmsgQ2l0\neTEfMB0GA1UEChMWQmxvb21iZXJnIEZpbmFuY2UgTC5QLjEhMB8GA1UECxQYUiZE\nIFBsYXRmb3JtIEVuZ2luZWVyaW5nMB4XDTE1MDYxNTExMzEyMVoXDTI1MDYxMjEx\nMzEyMVowfDELMAkGA1UEBhMCVVMxETAPBgNVBAgTCE5ldyBZb3JrMRYwFAYDVQQH\nEw1OZXcgWW9yayBDaXR5MR8wHQYDVQQKExZCbG9vbWJlcmcgRmluYW5jZSBMLlAu\nMSEwHwYDVQQLFBhSJkQgUGxhdGZvcm0gRW5naW5lZXJpbmcwggEiMA0GCSqGSIb3\nDQEBAQUAA4IBDwAwggEKAoIBAQDnEeVEYXozw1TPU15hyGN89eD07MOLHF4eAU7n\neZXNNHNYuuX4Ub2nbpAbekO7Muq2s9I3x+CzGfMSkKSxSh8aT+S1Fu9xxA91VE8L\nMIFZTy+O4CFWYzYaRXI+hJ5Hf0JF/pHPyfZbYX2gSUIWmxjBDnpUNeCfr/LrWRpn\nXL8GoIeKrINXGwJJas7ZLuW/TmaOIlwFD+mRl6hAlyYbekozSnCLL8PfE+F5iVK2\nRbra1z3WFiHNvMnBRaZIiUdci0JRmccdc3IEM301ZJjD0PbXpoW+4r/bAiJxT3Gw\n6X2rjES6du/MnlApr3yUuGhF46Eb5RrTRZSRRWDiqOqWNSy/AgMBAAGjgeIwgd8w\nHQYDVR0OBBYEFLnNInbAwFuaoOzoiU52tTKdePyBMIGvBgNVHSMEgacwgaSAFLnN\nInbAwFuaoOzoiU52tTKdePyBoYGApH4wfDELMAkGA1UEBhMCVVMxETAPBgNVBAgT\nCE5ldyBZb3JrMRYwFAYDVQQHEw1OZXcgWW9yayBDaXR5MR8wHQYDVQQKExZCbG9v\nbWJlcmcgRmluYW5jZSBMLlAuMSEwHwYDVQQLFBhSJkQgUGxhdGZvcm0gRW5naW5l\nZXJpbmeCCQCeGpZFjMRnXjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4IB\nAQBGyM0eOlHYyGFyYs/mPZv+UMifwITnUqnDBpbMZmoWUFBQMqAbc/XRbrBH5bpm\nXuEoV4PqEnkzSsMZN2bHulyor2wrgh5AoO1rEW6QghGlMG0dbwcqtA0D+JPzb13c\nw3TLD6LOo8O+1lymNe18nhdye3xxN+IYzxwAvQwszbupFqQ1f8EiNcTgxTfiVr56\n84ca5/3YRtV12CiFy0RICjw062UeJ03ki15HNp0bLWXnZFcK+MqL7sH9/ZoKBfKq\n3WXH3r45LJlMpNxZJYIAODMKe8WGj8Y61cfyYEed3wszEYqe7u6L+2Hee5XWDSi4\n91WN5l6KnBpBpYOERH1BfEie\n-----END CERTIFICATE-----\n", 5 | "private_key": "-----BEGIN RSA PRIVATE 
KEY-----\nMIICXQIBAAKBgQDOJTDt2WDTCKeB2ubzvBbE5ziCQZwGj1T4/uzlXlrybQ9q5M+o\nQDD44WRzSANx3Vx+I6ao57z6QtA5qOG9cw3csFgsMn6lVLzoegm2wQ7UhvqfcD2S\nOOWHBBsXp8VmX+ayOXpKRT5UOdLx3AczoUTua7aVsXDk/FJ9D4NV8NOF5wIDAQAB\nAoGBAKmI+KaD4hdsxKYM62eERo2FQ3oMj07tzgpBTX6NjOpXOxjEOOu8bwogA8az\ncPHSBWFP3J6Ih2iiTjE9bPmrh7d/feEArjNUAL0ntcM3VFDX3IcZis8ZjgVqQG1J\nwvpn2o1qP37FJE1JSVdzN0MvWzFzgmhewxLqJcnFbUJysbaBAkEA8oW5EEd5beZO\nZ7V71C6EfOQw3HeCo34M5ndhI7rIa4MeLnLMVYBYodIezNdWHsFV7lqSkJamrKH9\nfLzjrsvMYQJBANmZ8d9QmfYJfBlJqZQziUqmEXQ8a7A0zW8WnFWgQrpLojs+eEMm\nx0Xb1IdyQT3Irl9+cE8lVoAiF8RxWd+FN0cCQQCR2IE2nQUVZk74Z1eUfnUGdmQ7\n8VMK5x7y6g/s4MLuhOd9n2Pqd0jV5/rFzSnpTPNUZ/uEIFUTtEcw4Jc74yuBAkBh\n15KmMvvHYWRninOxq6qj4iAe/7v8MwHcXXJWHgVi9vcvZFt29kzL4JijfoBPY5jk\nX1nofIV0f9/n+H/MvX2pAkBtiZ0gtW35QOmWdhqnOqpToOcNdzw6ON8d2bAx2mA1\nQm5P2pmsxEBJ3cSElRvOK+36OMWr0uMjUz5IogI6Fas7\n-----END RSA PRIVATE KEY-----\n" 6 | } 7 | -------------------------------------------------------------------------------- /test/fixtures/data_bags/secrets/vault.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": "vault", 3 | "certificate": "-----BEGIN 
CERTIFICATE-----\nMIIDbDCCAlQCCQCEivjA4CyI3zANBgkqhkiG9w0BAQUFADB4MQswCQYDVQQGEwJV\nUzERMA8GA1UECBMITmV3IFlvcmsxFjAUBgNVBAcTDU5ldyBZb3JrIENpdHkxHzAd\nBgNVBAoTFkJsb29tYmVyZyBGaW5hbmNlIEwuUC4xHTAbBgNVBAsTFFBsYXRmb3Jt\nIEVuZ2luZWVyaW5nMB4XDTE1MDYxMjE0MTQyMloXDTE2MDYxMTE0MTQyMloweDEL\nMAkGA1UEBhMCVVMxETAPBgNVBAgTCE5ldyBZb3JrMRYwFAYDVQQHEw1OZXcgWW9y\nayBDaXR5MR8wHQYDVQQKExZCbG9vbWJlcmcgRmluYW5jZSBMLlAuMR0wGwYDVQQL\nExRQbGF0Zm9ybSBFbmdpbmVlcmluZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC\nAQoCggEBAM5NUNNG/45HpUAOhWYJV1WpUVJBWmU3CwsgLB2SPeUkJO7cOUnhAK56\nNLDEiD6oXBWEUhZU+Hdu0lzuiJUefIQtzCMwd2qB24DvcY3xTQv5QO2glE5TGEFm\nFfVv79B1TFHkpjsuGVaSH+g4jzJYcsUSeYv6a+9RO4jstVUCD3lnYi5UbdT4LpCN\nNGVwHlL5P/MWwx8w1/nPSCHPyX6TPiVsyyCKYazgocJkssyaVpmsCneGJJTFPEOA\nsl0amruqBEUzu8W6+8/u0//DnE5jZq0YzTT4bFzA1SGBRZlsIMFGnR4SZ5kQavDD\nxEXXHyBGIpoawrA1nKuKiH8oldePnRsCAwEAATANBgkqhkiG9w0BAQUFAAOCAQEA\nZh6bldNPG/JGU/WdJR3YXlfBOVQIlqffc0V6eYgQcQcSfPH1qNdH9l05R2hLPvOR\nRodGRdEQ4/bTqy93q0sTA1y3ycot1myaYh03B1RE3DHtpdtLRkYsx0xB4J0S5jIW\n0sellSzzZeCRefBXmeL6iIcv1bg/BWS8PKB2wkQi0b7Az4iunWmUoZPZqLfy0Xov\nHTpuVYh9Ta+LsnLH8Ky5Q1aT8/teisZjVd0T3N5q0zFGHs1Lz9sYSyYX1NPT2BQS\nwxjGs/dJGTj2Ffer8/cWJl3zZI4MaKzWN4U/epfUSL6Js5uRaHLPfbTbVJz8zVDL\nivopCLCv4biFhKWc3CnndA==\n-----END CERTIFICATE-----\n", 4 | "private_key": "-----BEGIN RSA PRIVATE 
KEY-----\nMIIEowIBAAKCAQEAzk1Q00b/jkelQA6FZglXValRUkFaZTcLCyAsHZI95SQk7tw5\nSeEArno0sMSIPqhcFYRSFlT4d27SXO6IlR58hC3MIzB3aoHbgO9xjfFNC/lA7aCU\nTlMYQWYV9W/v0HVMUeSmOy4ZVpIf6DiPMlhyxRJ5i/pr71E7iOy1VQIPeWdiLlRt\n1PgukI00ZXAeUvk/8xbDHzDX+c9IIc/JfpM+JWzLIIphrOChwmSyzJpWmawKd4Yk\nlMU8Q4CyXRqau6oERTO7xbr7z+7T/8OcTmNmrRjNNPhsXMDVIYFFmWwgwUadHhJn\nmRBq8MPERdcfIEYimhrCsDWcq4qIfyiV14+dGwIDAQABAoIBACYKwc3D+NoOwh02\n0EiJjm5AY7uMS5QAe2vYyenGDt3TNXBKcdH6yLpj1JWIGCudtiVNmil+D7dOW0JB\nxjPhRErHey4+ALdGLOjwvnrTNUbw9pUbGF39GqrsnT3+HzXMe39ab4DYNlntZi7X\nRyicgMVwa7NxQTgHPbg5FhMP5zSWk8ymA/FzK/pybZ4E2kx5CwKudXgl4rg+aZhZ\nclPjqe+eveN+R7GvQihHCHeSS7dx0pgFUpULtlFpjMBfYpto23eoLJykZmb11Ry3\nDGb8IKg2TwxHxmKT+sei/UHGxV0d9t4mAMy2Bu35ijMKPYJmTlYgsMAe7MSJ1NEo\nPR4DNQECgYEA+XnUlfhsellXnyH2uTFCjk4ME27gG2pL6hZi69IquAmZNysTRP/W\nU98hceGmuv1DaHep4P5IHygYwZ4GQDuUe9telt4b0Jf+yfqxZC+aDW08zIiqVLXf\nKv5cUmXaxL/tl6qM6+81gtdgOZqQoqifzmlNfbeIfvkfRZQ3nO8ygoECgYEA07Jy\n0vrAKngFhE62atgjCUO8qkDBtbc1NFb8MuhrtH573k6kscksM2sg1g51taEp3a0T\n8S1UIzSIPdAWN9PgFwz+bLhRuMddXVJzR07XFT5w2iDRHjt+5on5D3xwDmnLqmHF\nxoKVwDYEyP/JjoXuYPnk6ZykSPGC5PhZYP88GZsCgYEA6qFHa+jh9Uvzmamyxsfq\nhbYnq1s7EO2vCjEVxh66qK32WKl9jQZkyCrx5I5KZlDtxeHNdtsQb6Uha2+5B05B\nvx85XgD0/gEF02ag0c3nQDt91AuwzsziYCgsIh7DWwn7Zgo0UW1/0VfIm0SgRSr8\naYAmLlef23NnkuPsTf+1bIECgYAwl35ZxSrE1MXXZ8XhYnkwUDcHEVQlZMc2m1zK\nRqUqSfoevgh5soaNyuI/oBQOu86DTo4MRu5QIme/YHspF14RjG79/5TqiAB7Qkip\nroQaIToAJ5Y4jUmEm1jq4BJMjKYuFsEx3pmHBB83D9dw+ncMFXAg206uW5lC+2pw\npEVkTwKBgHsLXlkEIo6DnWiwn5P85Vk+IdjmV8ltJz1Rxf7PcfeM0ziiQWwQs2k3\nggTkJePLr+nqwPL3PKDU8l4Oj04MMFv+mCFByMhpNOt3DxWTGDD+QdN5KEvFrT7c\nMaoB5ERpUrZrP40dW1ZKIuyhvNuXPgYx89mC6GTtKBS86PsP9kba\n-----END RSA PRIVATE KEY-----\n" 5 | } 6 | -------------------------------------------------------------------------------- /test/fixtures/policies/default.rb: -------------------------------------------------------------------------------- 1 | name 'vault-cluster' 2 | run_list 'vault-cluster::default' 3 | default_source :community 4 | cookbook 
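'vault-cluster', path: File.expand_path('../../../..', __FILE__)
5 | 
6 | override['consul']['config']['bootstrap_expect'] = 1
7 | 
--------------------------------------------------------------------------------
/test/integration/default/serverspec/default_spec.rb:
--------------------------------------------------------------------------------
1 | require 'chef-vault/test_fixtures'
2 | require 'serverspec'
3 | set :backend, :exec
4 | 
5 | # Both binaries must be on the PATH at the expected location and both
6 | # services must be enabled and running after a single converge.
7 | describe command('which vault') do
8 |   its(:exit_status) { should eq 0 }
9 |   its(:stdout) { should match '/usr/local/bin/vault' }
10 | end
11 | 
12 | describe service('vault') do
13 |   it { should be_enabled }
14 |   it { should be_running }
15 | end
16 | 
17 | describe command('which consul') do
18 |   its(:exit_status) { should eq 0 }
19 |   its(:stdout) { should match '/usr/local/bin/consul' }
20 | end
21 | 
22 | describe service('consul') do
23 |   it { should be_enabled }
24 |   it { should be_running }
25 | end
26 | 
27 | # The TLS private key is the one secret this cookbook writes to disk; make
28 | # sure it was deployed to the default path and is not world-readable.
29 | describe file('/etc/vault/ssl/private/vault.key') do
30 |   it { should be_file }
31 |   it { should_not be_readable.by('others') }
32 | end
33 | 
--------------------------------------------------------------------------------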