hashipi

Raspberry Pi Test Cluster for HashiCorp Vault, Nomad and Consul

commit 17fa2ef6e26634657f35702de0271c256bd39969
parent b8f402c6afdef53ffca390f89636e2cabdebdf07
Author: Andreas Gruhler <andreas.gruhler@adfinis.com>
Date:   Tue,  9 Jul 2024 23:11:43 +0200

feat: replace vault with bao

Diffstat:
Mhashi-pi.pkr.hcl | 3+--
Aopenbao.sh | 146+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Dvault.sh | 119-------------------------------------------------------------------------------
3 files changed, 147 insertions(+), 121 deletions(-)

diff --git a/hashi-pi.pkr.hcl b/hashi-pi.pkr.hcl
@@ -255,12 +255,11 @@ build {
 }
 provisioner "shell" {
- script = "vault.sh"
+ script = "openbah.sh"
 remote_folder = "/home/${var.username}"
 environment_vars = [
 "USERNAME=${var.username}",
 "HOSTNAME=${var.hostname}",
- "NOMAD_CLIENT=${var.nomad_client}",
 "VAULT_TLS_CA_CERT=/tmp/vault_ca.pem",
 "VAULT_TLS_CA_KEY=/tmp/vault_ca.key",
 "VAULT_TLS_SUBJ_ALT_NAME=${var.vault_tls_subj_alt_name}",
diff --git a/openbao.sh b/openbao.sh
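Review bot: `script = "openbah.sh"` does not match the file this commit adds (`openbao.sh`), so the shell provisioner will fail to locate its script at build time; the line should read `script = "openbao.sh"`. The provisioner block continues past the end of the hunk, so I cannot see whether `VAULT_TRANSIT_SERVER` and `VAULT_TRANSIT_TOKEN`, which the new script reads into the seal stanza and env file, are still passed in `environment_vars` now that `NOMAD_CLIENT` has been dropped.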
@@ -0,0 +1,146 @@
+#!/usr/bin/env bash
+#
+# Packer shell provisioner for OpenBao on Raspberry Pi
+# https://openbao.org/docs/install
+
+# set -o errexit
+# set -o nounset
+set -o xtrace
+
+cd "/home/${USERNAME}"
+
+# Create bao config directories
+mkdir -p /etc/openbao
+rm -rf /etc/openbao/*
+mkdir -p /opt/openbao/tls
+# The bao systemd service requires this env file, can be empty
+touch /etc/openbao/openbao.env
+cd /opt/openbao/tls
+
+# Specify CSR parameters for server key
+VAULT_TLS_SUBJ_ALT_NAME=${VAULT_TLS_SUBJ_ALT_NAME:+", $VAULT_TLS_SUBJ_ALT_NAME"}
+SERVER_CONFIG="
+[ req ]
+commonName = $HOSTNAME
+distinguished_name = dn
+req_extensions = ext
+[ dn ]
+CN = Common Name
+[ ext ]
+subjectAltName = DNS:$HOSTNAME $VAULT_TLS_SUBJ_ALT_NAME
+keyUsage=critical,digitalSignature,keyAgreement
+"
+# Create new private key and CSR
+openssl req -config <(echo "$SERVER_CONFIG") -subj "/CN=${HOSTNAME}" -extensions ext -out "${HOSTNAME}.csr" -new -newkey rsa:2048 -nodes -keyout "${HOSTNAME}.key"
+# Sign the CSR
+openssl x509 -extfile <(echo "$SERVER_CONFIG") -extensions ext -req -in "${HOSTNAME}.csr" -CA "$VAULT_TLS_CA_CERT" -CAkey "$VAULT_TLS_CA_KEY" -CAcreateserial -out "${HOSTNAME}.pem" -days 365
+# Show fingerprint
+openssl x509 -in "${HOSTNAME}.pem" -fingerprint -noout
+
+# Cleanup CA key
+rm -rf "$VAULT_TLS_CA_KEY"
+
+# Change permissions for tls certs
+chmod 640 *.key
+chmod 644 *.pem
+
+# Concatenate CA and server certificate
+cat "$VAULT_TLS_CA_CERT" >> "${HOSTNAME}.pem"
+
+# Trust the CA
+mv "$VAULT_TLS_CA_CERT" /usr/local/share/ca-certificates/
+update-ca-certificates
+
+cat << EOF > /etc/openbao/openbao.hcl
+ui = true
+
+listener "tcp" {
+ address = "0.0.0.0:8200"
+ tls_cert_file = "/opt/openbao/tls/$HOSTNAME.pem"
+ tls_key_file = "/opt/openbao/tls/$HOSTNAME.key"
+ tls_disable_client_certs = true
+}
+
+# HA advertisement addresses
+#
+# https://openbao.org/docs/configuration/#high-availability-parameters
+# https://openbao.org/docs/concepts/ha#client-redirection
+#
+# This uses a go-sockaddr template to fetch the actual ip for an interface.
+# This is the address registered in the Consul service. If this is not an ip
+# here, requests to the Consul DNS will also not return an A record (only
+# CNAME). This leads to problems with Haproxy server-template.
+#
+# API_ADDR for client redirection (fallback, if request forwarding is disabled)
+api_addr = "https://{{GetPrivateInterfaces | exclude \"type\" \"IPv6\" | include \"name\" \"eth0\" | attr \"address\" }}:8200"
+# CLUSTER_ADDR: Vault listens for server-to-server cluster requests
+cluster_addr = "https://{{GetPrivateInterfaces | exclude \"type\" \"IPv6\" | include \"name\" \"eth0\" | attr \"address\" }}:8201"
+
+storage "raft" {
+ path = "/opt/openbao/data"
+ node_id = "$HOSTNAME"
+
+ retry_join {
+ leader_api_addr = "https://pi0.lan:8200"
+ leader_tls_servername = "vault.in0rdr.ch"
+ leader_ca_cert_file = "/opt/openbao/tls/$HOSTNAME.pem"
+ leader_client_cert_file = "/opt/openbao/tls/$HOSTNAME.pem"
+ leader_client_key_file = "/opt/openbao/tls/$HOSTNAME.key"
+ }
+ retry_join {
+ leader_api_addr = "https://pi1.lan:8200"
+ leader_tls_servername = "vault.in0rdr.ch"
+ leader_ca_cert_file = "/opt/openbao/tls/$HOSTNAME.pem"
+ leader_client_cert_file = "/opt/openbao/tls/$HOSTNAME.pem"
+ leader_client_key_file = "/opt/openbao/tls/$HOSTNAME.key"
+ }
+ retry_join {
+ leader_api_addr = "https://pi2.lan:8200"
+ leader_tls_servername = "vault.in0rdr.ch"
+ leader_ca_cert_file = "/opt/openbao/tls/$HOSTNAME.pem"
+ leader_client_cert_file = "/opt/openbao/tls/$HOSTNAME.pem"
+ leader_client_key_file = "/opt/openbao/tls/$HOSTNAME.key"
+ }
+ retry_join {
+ leader_api_addr = "https://pi3.lan:8200"
+ leader_tls_servername = "vault.in0rdr.ch"
+ leader_ca_cert_file = "/opt/openbao/tls/$HOSTNAME.pem"
+ leader_client_cert_file = "/opt/openbao/tls/$HOSTNAME.pem"
+ leader_client_key_file = "/opt/openbao/tls/$HOSTNAME.key"
+ }
+ retry_join {
+ leader_api_addr = "https://pi4.lan:8200"
+ leader_tls_servername = "vault.in0rdr.ch"
+ leader_ca_cert_file = "/opt/openbao/tls/$HOSTNAME.pem"
+ leader_client_cert_file = "/opt/openbao/tls/$HOSTNAME.pem"
+ leader_client_key_file = "/opt/openbao/tls/$HOSTNAME.key"
+ }
+}
+
+seal "transit" {
+ address = "$VAULT_TRANSIT_SERVER"
+ disable_renewal = "false"
+ key_name = "autounseal"
+ mount_path = "transit/"
+ tls_skip_verify = "true"
+}
+EOF
+
+echo "VAULT_TOKEN=$VAULT_TRANSIT_TOKEN" > /etc/openbao/openbao.env
+
+chmod 640 /etc/openbao/openbao.hcl
+
+systemctl enable openbao
+
+# Configure .bashrc
+cat << EOF >> "/home/${USERNAME}/.bashrc"
+
+complete -C /usr/bin/bao boa
+export VAULT_ADDR="https://$HOSTNAME:8200"
+export VAULT_SKIP_VERIFY=true
+EOF
+
+# Change ownership for config directory
+chown -R openbao: /etc/openbao/
+
+echo 0
diff --git a/vault.sh b/vault.sh
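Review bot: The server key is now written to /opt/openbao/tls with `chmod 640 *.key`, but the only ownership change in the script is `chown -R openbao: /etc/openbao/`, so unless the service runs as root the openbao user cannot open `tls_key_file` (the old script kept tls under /etc/vault.d, which the recursive chown covered), and the raft `path = "/opt/openbao/data"` is never created or chowned either; add `mkdir -p /opt/openbao/data` and `chown -R openbao: /opt/openbao` next to the existing chown. The env file that receives the transit token is created by `touch` with the default umask and never tightened, and `set -o xtrace` prints `$VAULT_TRANSIT_TOKEN` into the Packer build log — `chmod 600 /etc/openbao/openbao.env` and a `set +x` around that `echo` would keep the token out of both. `tls_skip_verify = "true"` on the transit seal means the unseal token is presented to whatever answers at `$VAULT_TRANSIT_SERVER`; since the CA is installed with `update-ca-certificates` earlier in the script, verification should be achievable here (and the `export VAULT_SKIP_VERIFY=true` in .bashrc likewise looks unnecessary). `complete -C /usr/bin/bao boa` registers completion for a command named `boa`; presumably `bao` was intended.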
@@ -1,119 +0,0 @@
-#!/usr/bin/env bash
-#
-# Packer shell provisioner for HashiCorp Vault on Raspberry Pi
-# https://learn.hashicorp.com/vault/operations/ops-deployment-guide
-
-# set -o errexit
-# set -o nounset
-set -o xtrace
-
-cd "/home/${USERNAME}"
-
-# Create Vault config directories
-mkdir -p /etc/vault.d
-rm -rf /etc/vault.d/*
-mkdir -p /etc/vault.d/tls
-# The vault systemd service requires this env file, can be empty
-touch /etc/vault.d/vault.env
-cd /etc/vault.d/tls
-
-# Specify CSR parameters for server key
-VAULT_TLS_SUBJ_ALT_NAME=${VAULT_TLS_SUBJ_ALT_NAME:+", $VAULT_TLS_SUBJ_ALT_NAME"}
-SERVER_CONFIG="
-[ req ]
-commonName = $HOSTNAME
-distinguished_name = dn
-req_extensions = ext
-[ dn ]
-CN = Common Name
-[ ext ]
-subjectAltName = DNS:$HOSTNAME $VAULT_TLS_SUBJ_ALT_NAME
-keyUsage=critical,digitalSignature,keyAgreement
-"
-# Create new private key and CSR
-openssl req -config <(echo "$SERVER_CONFIG") -subj "/CN=${HOSTNAME}" -extensions ext -out "${HOSTNAME}.csr" -new -newkey rsa:2048 -nodes -keyout "${HOSTNAME}.key"
-# Sign the CSR
-openssl x509 -extfile <(echo "$SERVER_CONFIG") -extensions ext -req -in "${HOSTNAME}.csr" -CA "$VAULT_TLS_CA_CERT" -CAkey "$VAULT_TLS_CA_KEY" -CAcreateserial -out "${HOSTNAME}.pem" -days 365
-# Show fingerprint
-openssl x509 -in "${HOSTNAME}.pem" -fingerprint -noout
-
-# Cleanup CA key
-rm -rf "$VAULT_TLS_CA_KEY"
-
-# Change permissions for tls certs
-chmod 640 *.key
-chmod 644 *.pem
-
-# Concatenate CA and server certificate
-cat "$VAULT_TLS_CA_CERT" >> "${HOSTNAME}.pem"
-
-# Trust the CA
-mv "$VAULT_TLS_CA_CERT" /usr/local/share/ca-certificates/
-update-ca-certificates
-
-cat << EOF > /etc/vault.d/vault.hcl
-ui = true
-
-listener "tcp" {
- address = "0.0.0.0:8200"
- tls_cert_file = "/etc/vault.d/tls/$HOSTNAME.pem"
- tls_key_file = "/etc/vault.d/tls/$HOSTNAME.key"
- tls_disable_client_certs = true
-}
-
-# HA advertisement addresses
-#
-# https://www.vaultproject.io/docs/configuration#high-availability-parameters
-# https://www.vaultproject.io/docs/concepts/ha#client-redirection
-#
-# This uses a go-sockaddr template to fetch the actual ip for an interface.
-# This is the address registered in the Consul service. If this is not an ip
-# here, requests to the Consul DNS will also not return an A record (only
-# CNAME). This leads to problems with Haproxy server-template.
-#
-# API_ADDR for client redirection (fallback, if request forwarding is disabled)
-api_addr = "https://{{GetPrivateInterfaces | exclude \"type\" \"IPv6\" | include \"name\" \"eth0\" | attr \"address\" }}:8200"
-# CLUSTER_ADDR: Vault listens for server-to-server cluster requests
-cluster_addr = "https://{{GetPrivateInterfaces | exclude \"type\" \"IPv6\" | include \"name\" \"eth0\" | attr \"address\" }}:8201"
-
-storage "consul" {
- address = "https://127.0.0.1:8501"
- path = "vault/"
- #token = "tbd"
- tls_ca_file = "/opt/consul/tls/consul-agent-ca.pem"
- tls_cert_file = "/opt/consul/tls/dc1-client-consul.pem"
- tls_key_file = "/opt/consul/tls/dc1-client-consul-key.pem"
-$(if [[ "$NOMAD_CLIENT" = false ]]; then
- # This nodes TLS certificate cannot be updated by Nomad jobs,
- # because it serves as Nomad server exclusively. Don't expose
- # it to the load balancer by disabling Consul service discovery.
- echo -e " disable_registration = true\n\r"
-fi)}
-
-seal "transit" {
- address = "$VAULT_TRANSIT_SERVER"
- disable_renewal = "false"
- key_name = "autounseal"
- mount_path = "transit/"
- tls_skip_verify = "true"
-}
-EOF
-
-echo "VAULT_TOKEN=$VAULT_TRANSIT_TOKEN" > /etc/vault.d/vault.env
-
-chmod 640 /etc/vault.d/vault.hcl
-
-systemctl enable vault
-
-# Configure .bashrc
-cat << EOF >> "/home/${USERNAME}/.bashrc"
-
-complete -C /usr/bin/vault vault
-export VAULT_ADDR="https://$HOSTNAME:8200"
-export VAULT_SKIP_VERIFY=true
-EOF
-
-# Change ownership for config directory
-chown -R vault: /etc/vault.d/
-
-echo 0