parent
b413e7fd2a
commit
653f18b48f
@ -0,0 +1,70 @@ |
||||
/* This test checks that |
||||
- multiple config files can be loaded |
||||
- the storage backend can be in a file outside the nix store |
||||
as is required for security (required because while confidentiality is |
||||
always covered, availability isn't) |
||||
- the postgres integration works |
||||
*/ |
||||
import ./make-test-python.nix ({ pkgs, ... }: |
||||
{ |
||||
name = "vault-postgresql"; |
||||
meta = with pkgs.stdenv.lib.maintainers; { |
||||
maintainers = [ lnl7 roberth ]; |
||||
}; |
||||
machine = { lib, pkgs, ... }: { |
||||
virtualisation.memorySize = 512; |
||||
environment.systemPackages = [ pkgs.vault ]; |
||||
environment.variables.VAULT_ADDR = "http://127.0.0.1:8200"; |
||||
services.vault.enable = true; |
||||
services.vault.extraConfigPaths = [ "/run/vault.hcl" ]; |
||||
|
||||
systemd.services.vault = { |
||||
after = [ |
||||
"postgresql.service" |
||||
]; |
||||
# Try for about 10 minutes rather than the default of 5 attempts. |
||||
serviceConfig.RestartSec = 1; |
||||
serviceConfig.StartLimitBurst = 600; |
||||
}; |
||||
# systemd.services.vault.unitConfig.RequiresMountsFor = "/run/keys/"; |
||||
|
||||
services.postgresql.enable = true; |
||||
services.postgresql.initialScript = pkgs.writeText "init.psql" '' |
||||
CREATE USER vaultuser WITH ENCRYPTED PASSWORD 'thisisthepass'; |
||||
GRANT CONNECT ON DATABASE postgres TO vaultuser; |
||||
|
||||
-- https://www.vaultproject.io/docs/configuration/storage/postgresql |
||||
CREATE TABLE vault_kv_store ( |
||||
parent_path TEXT COLLATE "C" NOT NULL, |
||||
path TEXT COLLATE "C", |
||||
key TEXT COLLATE "C", |
||||
value BYTEA, |
||||
CONSTRAINT pkey PRIMARY KEY (path, key) |
||||
); |
||||
CREATE INDEX parent_path_idx ON vault_kv_store (parent_path); |
||||
|
||||
GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA public TO vaultuser; |
||||
''; |
||||
}; |
||||
|
||||
testScript = |
||||
'' |
||||
secretConfig = """ |
||||
storage "postgresql" { |
||||
connection_url = "postgres://vaultuser:thisisthepass@localhost/postgres?sslmode=disable" |
||||
} |
||||
""" |
||||
|
||||
start_all() |
||||
|
||||
machine.wait_for_unit("multi-user.target") |
||||
machine.succeed("cat >/root/vault.hcl <<EOF\n%s\nEOF\n" % secretConfig) |
||||
machine.succeed( |
||||
"install --owner vault --mode 0400 /root/vault.hcl /run/vault.hcl; rm /root/vault.hcl" |
||||
) |
||||
machine.wait_for_unit("vault.service") |
||||
machine.wait_for_open_port(8200) |
||||
machine.succeed("vault operator init") |
||||
machine.succeed("vault status | grep Sealed | grep true") |
||||
''; |
||||
}) |
Loading…
Reference in new issue