diff --git a/molecule/default/tests/test_default.py b/molecule/default/tests/test_default.py
index 0cff669..638e390 100644
--- a/molecule/default/tests/test_default.py
+++ b/molecule/default/tests/test_default.py
@@ -3,8 +3,44 @@
 def test_hosts_file(host):
     """Validate /etc/hosts file."""
 
-    f = host.file("/etc/hosts")
+    etc_hosts = host.file("/etc/hosts")
+    assert etc_hosts.exists
+    assert etc_hosts.user == "root"
+    assert etc_hosts.group == "root"
 
-    assert f.exists
-    assert f.user == "root"
-    assert f.group == "root"
+def test_consul_template_config(host):
+    """Validate /etc/consul-template.d/vault/ files."""
+    etc_consul_template_d_vault_config_hcl = host.file("/etc/consul-template.d/vault/vault_config.hcl")
+    assert etc_consul_template_d_vault_config_hcl.exists
+    assert etc_consul_template_d_vault_config_hcl.user == "vault"
+    assert etc_consul_template_d_vault_config_hcl.group == "vault"
+    assert etc_consul_template_d_vault_config_hcl.mode == 0o600
+
+def test_template_files(host):
+    """Validate /etc/consul-template.d/vault/templates/ files."""
+    vault_cert_pem_tpl = host.file("/etc/consul-template.d/vault/templates/vault_cert.pem.tpl")
+    vault_key_pem_tpl = host.file("/etc/consul-template.d/vault/templates/vault_key.pem.tpl")
+    for file in vault_cert_pem_tpl, vault_key_pem_tpl:
+        assert file.exists
+        assert file.user == "vault"
+        assert file.group == "vault"
+        assert file.mode == 0o600
+
+def test_vault_certs_service_file(host):
+    """Validate vault-certs service file."""
+    etc_systemd_system_vault_certs_service = host.file("/etc/systemd/system/vault-certs.service")
+    assert etc_systemd_system_vault_certs_service.exists
+    assert etc_systemd_system_vault_certs_service.user == "root"
+    assert etc_systemd_system_vault_certs_service.group == "root"
+    assert etc_systemd_system_vault_certs_service.mode == 0o644
+    assert etc_systemd_system_vault_certs_service.content_string != ""
+
+def test_vault_certs_service(host):
+    """Validate vault-certs service."""
+    vault_certs_service = host.service("vault-certs.service")
+    assert vault_certs_service.is_enabled
+    assert not vault_certs_service.is_running
+    assert vault_certs_service.systemd_properties["Restart"] == "on-failure"
+    assert vault_certs_service.systemd_properties["User"] == "vault"
+    assert vault_certs_service.systemd_properties["Group"] == "vault"
+    assert vault_certs_service.systemd_properties["FragmentPath"] == "/etc/systemd/system/vault-certs.service"
diff --git a/tasks/prerequisites.yml b/tasks/prerequisites.yml
index fcd0be4..d53d3fe 100644
--- a/tasks/prerequisites.yml
+++ b/tasks/prerequisites.yml
@@ -16,7 +16,7 @@
     group: "{{ renew_vault_certificates_vault_group }}"
     mode: '0755'
 
-- name: "Create directory {{ renew_vault_certificates_config_dir }}/templates"
+- name: "Create directory templates directory in {{ renew_vault_certificates_config_dir }}"
   ansible.builtin.file:
     path: "{{ renew_vault_certificates_config_dir }}/templates"
     state: directory
diff --git a/templates/vault-certs.service.j2 b/templates/vault-certs.service.j2
index 65596c7..07a71fa 100644
--- a/templates/vault-certs.service.j2
+++ b/templates/vault-certs.service.j2
@@ -2,11 +2,15 @@
 Description=Automatic renewal of vault certificate using consul-template
 Requires=network-online.target
 After=network-online.target vault.service
+ConditionFileNotEmpty={{ renew_vault_certificates_config_dir }}/vault_config.hcl
 
 [Service]
-Restart=on-failure
+User={{ renew_vault_certificates_vault_user }}
+Group={{ renew_vault_certificates_vault_group }}
 ExecStart=/usr/bin/consul-template $OPTIONS -config={{ renew_vault_certificates_config_dir }}/vault_config.hcl
+ExecReload=/bin/kill --signal HUP $MAINPID
 KillSignal=SIGINT
+Restart=on-failure
 
 [Install]
 WantedBy=multi-user.target
\ No newline at end of file
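Review bot: `assert not vault_certs_service.is_running` in test_vault_certs_service does not distinguish a unit that was intentionally left stopped from one that is crash-looping under the `Restart=on-failure` this same change configures, since a unit waiting in auto-restart is also not active. Pinning the reason is cheap with the properties already being read: `assert vault_certs_service.systemd_properties["ActiveState"] == "inactive"` and `assert vault_certs_service.systemd_properties["Result"] == "success"` (Result reflects the last run, if I read systemd's auto-restart semantics right, so a crash loop would show exit-code instead). The ownership/mode assertions on vault_config.hcl and the two templates are good, but nothing checks the directories that tasks/prerequisites.yml creates under /etc/consul-template.d/vault with mode 0755, so a parent directory with the wrong owner would still pass; a `host.file("/etc/consul-template.d/vault")` check of `.mode == 0o755` and, presumably, `.user == "vault"` would close that gap. As a matter of style, the locals named after full paths (`etc_consul_template_d_vault_config_hcl`, `etc_systemd_system_vault_certs_service`) could be `config_hcl` and `unit_file` without losing anything.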
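Review bot: The new [Service] lines drop privileges to `User=vault` but add no sandboxing, and this process holds a Vault token and writes a TLS private key, so the unit is worth hardening with the usual systemd directives (`NoNewPrivileges`, `PrivateTmp`, `ProtectHome`, `ProtectSystem=strict`). `ReadWritePaths=` must then cover the directory the rendered vault_cert.pem/vault_key.pem are written to, which this diff does not show, so confirm that path before turning on `ProtectSystem=strict`. Separately, `ConditionFileNotEmpty=` makes systemd skip the unit silently when vault_config.hcl is missing — the unit stays inactive and `systemctl start` reports success — so a missing config never surfaces as a failed renewal; `AssertFileNotEmpty=` fails loudly instead, if silent skipping is not intended. `ExecReload=/bin/kill --signal HUP $MAINPID` hard-codes a path that systemd does not need, since it resolves bare executable names: `ExecReload=kill -HUP $MAINPID`. The [Unit] section header sits above this hunk.
```ini
[Service]
User={{ renew_vault_certificates_vault_user }}
Group={{ renew_vault_certificates_vault_group }}
NoNewPrivileges=yes
PrivateTmp=yes
ProtectHome=yes
ProtectSystem=strict
# ReadWritePaths= must list the directory consul-template renders the cert/key into (not visible in this diff)
ReadWritePaths={{ renew_vault_certificates_config_dir }}
; … unchanged: ExecStart / ExecReload / KillSignal / Restart …
```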