diff --git a/REFERENCE.md b/REFERENCE.md
index 8a8368c2..7eb1f23a 100644
--- a/REFERENCE.md
+++ b/REFERENCE.md
@@ -46,6 +46,7 @@ The following parameters are available in the `vault` class:
* [`num_procs`](#-vault--num_procs)
* [`api_addr`](#-vault--api_addr)
* [`version`](#-vault--version)
+* [`mode`](#-vault--mode)
* [`extra_config`](#-vault--extra_config)
* [`enable_ui`](#-vault--enable_ui)
* [`arch`](#-vault--arch)
@@ -234,6 +235,14 @@ The version of Vault to install
Default value: `'1.12.0'`
+##### `mode`
+
+Data type: `Enum['server', 'agent']`
+
+start vault in server or agent mode
+
+Default value: `'server'`
+
##### `extra_config`
Data type: `Hash`
diff --git a/manifests/init.pp b/manifests/init.pp
index da997dee..33468be3 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -50,6 +50,7 @@
#
# @param version The version of Vault to install
#
+# @param mode start vault in server or agent mode
# @param extra_config
# @param enable_ui
# @param arch
@@ -77,51 +78,52 @@
# @param download_filename
# @param manage_config_dir enable/disable the directory management. not required for package based installations
class vault (
- $user = 'vault',
- $manage_user = true,
- $group = 'vault',
- $manage_group = true,
- $bin_dir = $vault::params::bin_dir,
- $manage_config_file = true,
- $config_mode = '0750',
- $purge_config_dir = true,
- $download_url = undef,
- $download_url_base = 'https://releases.hashicorp.com/vault/',
- $download_extension = 'zip',
- $service_name = 'vault',
- $service_enable = true,
- $service_ensure = 'running',
- $service_provider = $facts['service_provider'],
- Boolean $manage_repo = $vault::params::manage_repo,
- $manage_service = true,
+ $user = 'vault',
+ $manage_user = true,
+ $group = 'vault',
+ $manage_group = true,
+ $bin_dir = $vault::params::bin_dir,
+ $manage_config_file = true,
+ Enum['server', 'agent'] $mode = 'server',
+ $config_mode = '0750',
+ $purge_config_dir = true,
+ $download_url = undef,
+ $download_url_base = 'https://releases.hashicorp.com/vault/',
+ $download_extension = 'zip',
+ $service_name = 'vault',
+ $service_enable = true,
+ $service_ensure = 'running',
+ $service_provider = $facts['service_provider'],
+ Boolean $manage_repo = $vault::params::manage_repo,
+ $manage_service = true,
Optional[Boolean] $manage_service_file = $vault::params::manage_service_file,
- Hash $storage = { 'file' => { 'path' => '/var/lib/vault' } },
- $manage_storage_dir = false,
- Variant[Hash, Array[Hash]] $listener = { 'tcp' => { 'address' => '127.0.0.1:8200', 'tls_disable' => 1 }, },
- Optional[Hash] $ha_storage = undef,
- Optional[Hash] $seal = undef,
- Optional[Boolean] $disable_cache = undef,
- Optional[Hash] $telemetry = undef,
- Optional[String] $default_lease_ttl = undef,
- Optional[String] $max_lease_ttl = undef,
- $disable_mlock = undef,
- $manage_file_capabilities = undef,
- $service_options = '',
- $num_procs = $facts['processors']['count'],
- $install_method = $vault::params::install_method,
- $config_dir = if $install_method == 'repo' and $manage_repo { '/etc/vault.d' } else { '/etc/vault' },
- $package_name = 'vault',
- $package_ensure = 'installed',
- $download_dir = '/tmp',
- $manage_download_dir = false,
- $download_filename = 'vault.zip',
- $version = '1.12.0',
- $os = downcase($facts['kernel']),
- $arch = $vault::params::arch,
- Optional[Boolean] $enable_ui = undef,
- Optional[String] $api_addr = undef,
- Hash $extra_config = {},
- Boolean $manage_config_dir = $install_method == 'archive',
+ Hash $storage = { 'file' => { 'path' => '/var/lib/vault' } },
+ $manage_storage_dir = false,
+ Variant[Hash, Array[Hash]] $listener = { 'tcp' => { 'address' => '127.0.0.1:8200', 'tls_disable' => 1 }, },
+ Optional[Hash] $ha_storage = undef,
+ Optional[Hash] $seal = undef,
+ Optional[Boolean] $disable_cache = undef,
+ Optional[Hash] $telemetry = undef,
+ Optional[String] $default_lease_ttl = undef,
+ Optional[String] $max_lease_ttl = undef,
+ $disable_mlock = undef,
+ $manage_file_capabilities = undef,
+ $service_options = '',
+ $num_procs = $facts['processors']['count'],
+ $install_method = $vault::params::install_method,
+ $config_dir = if $install_method == 'repo' and $manage_repo { '/etc/vault.d' } else { '/etc/vault' },
+ $package_name = 'vault',
+ $package_ensure = 'installed',
+ $download_dir = '/tmp',
+ $manage_download_dir = false,
+ $download_filename = 'vault.zip',
+ $version = '1.12.0',
+ $os = downcase($facts['kernel']),
+ $arch = $vault::params::arch,
+ Optional[Boolean] $enable_ui = undef,
+ Optional[String] $api_addr = undef,
+ Hash $extra_config = {},
+ Boolean $manage_config_dir = $install_method == 'archive',
) inherits vault::params {
# lint:ignore:140chars
$real_download_url = pick($download_url, "${download_url_base}${version}/${package_name}_${version}_${os}_${arch}.${download_extension}")
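Review bot: The new `Enum['server', 'agent'] $mode = 'server'` parameter changes only the verb the unit file passes to the binary, while the `-config=<config_dir>/config.json` argument stays the same (see the templates/vault.systemd.erb hunk), and nothing in the commit tells a user what that file should contain when `mode => 'agent'`. A Vault agent is configured differently from a server (auto_auth/vault stanzas rather than storage/listener/seal), so if config.json is still rendered from the server-oriented parameters, which this diff does not show, the agent-specific stanzas presumably have to arrive through `extra_config`; that is worth stating rather than leaving to trial and error. The `# @param mode start vault in server or agent mode` line in the preceding hunk would carry that and match the capitalisation of its neighbours as `# @param mode Start Vault in 'server' or 'agent' mode. Only the systemd ExecStart verb changes; config.json is rendered the same way, so agent-specific stanzas (e.g. auto_auth) must be supplied via extra_config`. The class body continues past the end of this hunk.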
diff --git a/spec/classes/vault_spec.rb b/spec/classes/vault_spec.rb
index 3b680a7a..256dcf0a 100644
--- a/spec/classes/vault_spec.rb
+++ b/spec/classes/vault_spec.rb
@@ -467,6 +467,29 @@
}
end
+ context 'start in agent mode' do
+ let(:params) do
+ { mode: 'agent' }
+ end
+
+ it {
+ is_expected.to contain_file('/etc/systemd/system/vault.service').
+ with_mode('0444').
+ with_ensure('file').
+ with_owner('root').
+ with_group('root').
+ with_content(%r{^# vault systemd unit file}).
+ with_content(%r{^User=vault$}).
+ with_content(%r{^Group=vault$}).
+ with_content(%r{Environment=GOMAXPROCS=3}).
+ with_content(%r{^ExecStart=/usr/local/bin/vault agent -config=/etc/vault/config.json $}).
+ with_content(%r{SecureBits=keep-caps}).
+ with_content(%r{Capabilities=CAP_IPC_LOCK\+ep}).
+ with_content(%r{CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK}).
+ with_content(%r{NoNewPrivileges=yes})
+ }
+ end
+
context 'with mlock disabled' do
let(:params) do
{ disable_mlock: true }
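Review bot: The `context 'start in agent mode'` block is added verbatim twice, here and again in the hunk at `@@ -641,6 +664,29 @@`, which is a case for a `shared_examples` parameterised on the expected binary and config paths and pulled in with `it_behaves_like` from each context, so the two copies cannot drift apart. The only assertion specific to the change is the `^ExecStart=/usr/local/bin/vault agent -config=/etc/vault/config.json $` regex; there is no negative case showing that a value outside `Enum['server', 'agent']` is refused, for example a `context 'with an invalid mode'` with `let(:params) { { mode: 'proxy' } }` and `it { is_expected.to compile.and_raise_error(%r{expects a match for Enum}) }`. The enclosing describe blocks start outside both hunks, so what distinguishes the two contexts (presumably different OS facts) is not visible here.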
@@ -641,6 +664,29 @@
}
end
+ context 'start in agent mode' do
+ let(:params) do
+ { mode: 'agent' }
+ end
+
+ it {
+ is_expected.to contain_file('/etc/systemd/system/vault.service').
+ with_mode('0444').
+ with_ensure('file').
+ with_owner('root').
+ with_group('root').
+ with_content(%r{^# vault systemd unit file}).
+ with_content(%r{^User=vault$}).
+ with_content(%r{^Group=vault$}).
+ with_content(%r{Environment=GOMAXPROCS=3}).
+ with_content(%r{^ExecStart=/usr/local/bin/vault agent -config=/etc/vault/config.json $}).
+ with_content(%r{SecureBits=keep-caps}).
+ with_content(%r{Capabilities=CAP_IPC_LOCK\+ep}).
+ with_content(%r{CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK}).
+ with_content(%r{NoNewPrivileges=yes})
+ }
+ end
+
context 'with mlock disabled' do
let(:params) do
{ disable_mlock: true }
diff --git a/templates/vault.systemd.erb b/templates/vault.systemd.erb
index 9cb1d711..26f891d6 100644
--- a/templates/vault.systemd.erb
+++ b/templates/vault.systemd.erb
@@ -30,7 +30,7 @@ CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK
<% end -%>
NoNewPrivileges=yes
Environment=GOMAXPROCS=<%= scope['vault::num_procs'] %>
-ExecStart=<%= scope['vault::bin_dir'] %>/vault server -config=<%= scope['vault::config_dir'] %>/config.json <%= scope['vault::service_options'] %>
+ExecStart=<%= scope['vault::bin_dir'] %>/vault <%= scope['vault::mode'] %> -config=<%= scope['vault::config_dir'] %>/config.json <%= scope['vault::service_options'] %>
KillSignal=SIGINT
TimeoutStopSec=30s
Restart=on-failure
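Review bot: The new `ExecStart=` line interpolates `scope['vault::mode']` straight into the command, and the only thing keeping that from being an arbitrary-string injection into the unit is the `Enum['server', 'agent']` type on the class parameter in manifests/init.pp, which a reader of this template cannot see. A one-line ERB comment above it, `<%# vault::mode is constrained to Enum['server', 'agent'] in init.pp; do not widen its type without revisiting this line -%>`, records that dependency where it matters.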