feat(vault): enable rolling restart with no full seal

2024-09-02 22:24:58 +02:00 · 2024-09-02 22:24:58 +02:00 · 66a4f6b5da
commit 66a4f6b5da
parent 71ea3d1f76
6 changed files with 41 additions and 10 deletions
--- a/playbooks/tasks/vault/vault_control_plane.yml
+++ b/playbooks/tasks/vault/vault_control_plane.yml
@ -45,6 +45,11 @@
    - name: "Include ednz_cloud.hashistack.vault"
      ansible.builtin.include_role:
        name: ednz_cloud.hashistack.vault
+      vars:
+        vault_enable_auto_unseal: true
+        vault_unseal_url: "{{ vault_configuration['api_addr'] }}"
+        vault_unseal_tls_verify: false
+        vault_unseal_keys: "{{ _credentials.vault['keys'] | default([]) }}"

    - name: "Vault | Initialize vault cluster" # noqa: run-once[task]
      ednz_cloud.hashistack.vault_init:
--- a/roles/vault/defaults/main.yml
+++ b/roles/vault/defaults/main.yml
@ -42,6 +42,15 @@ vault_storage_configuration:
  file:
    path: "{{ vault_data_dir }}"

+#############################
+# auto-unseal configuration #
+#############################
+
+vault_enable_auto_unseal: false
+vault_unseal_url: "https://127.0.0.1:8200"
+vault_unseal_tls_verify: true
+vault_unseal_keys: []
+
 ##########################
 # listener configuration #
 ##########################
--- a/roles/vault/tasks/install.yml
+++ b/roles/vault/tasks/install.yml
@ -36,8 +36,10 @@
      register: _vault_current_version

 - name: "Vault | Download and install vault binary"
-  when: _vault_current_version is not defined
-    or _vault_wanted_version != (_vault_current_version.content|default('')|b64decode)
+  when:
+    - _vault_current_version is not defined
+      or _vault_wanted_version != (_vault_current_version.content|default('')|b64decode)
+    - not ansible_check_mode
  block:
    - name: "Vault | Set vault package name to download"
      ansible.builtin.set_fact:
@ -77,7 +79,6 @@
      until: _vault_binary_archive is succeeded
      retries: 5
      delay: 2
-      check_mode: false

    - name: "Vault | Create temporary directory for archive decompression"
      ansible.builtin.file:
--- a/roles/vault/tasks/main.yml
+++ b/roles/vault/tasks/main.yml
@ -36,8 +36,10 @@
  when: _vault_service_need_reload

 - name: "Vault | Start service: {{ vault_service_name }}"
-  ansible.builtin.service:
-    name: "{{ vault_service_name }}"
-    state: restarted
-  throttle: 1
-  when: _vault_service_need_restart
+  ansible.builtin.include_tasks: rolling_restart.yml
+  when:
+    - _vault_service_need_restart
+    - "hostvars[host_item].inventory_hostname == inventory_hostname"
+  with_items: "{{ ansible_play_batch }}"
+  loop_control:
+    loop_var: host_item
--- a/roles/vault/tasks/recursive_copy_extra_dirs.yml
+++ b/roles/vault/tasks/recursive_copy_extra_dirs.yml
@ -5,13 +5,13 @@
    path: "{{ dir_source_item.dest }}"
    recurse: true
    state: directory
-    mode: "0775"
+    mode: "0755"

 - name: "Vault | Create extra directory sources"
  ansible.builtin.file:
    path: "{{ dir_source_item.dest }}/{{ item.path }}"
    state: directory
-    mode: "0775"
+    mode: "0755"
  with_community.general.filetree: "{{ dir_source_item.src }}/"
  when: item.state == 'directory'

--- a/roles/vault/tasks/rolling_restart.yml
+++ b/roles/vault/tasks/rolling_restart.yml
@ -0,0 +1,14 @@
+---
+- name: "Vault | Start service: {{ vault_service_name }}"
+  ansible.builtin.service:
+    name: "{{ vault_service_name }}"
+    state: restarted
+
+- name: "Vault | Unseal node"
+  ednz_cloud.hashistack.vault_unseal:
+    api_url: "{{ vault_unseal_url }}"
+    tls_verify: "{{ vault_unseal_tls_verify }}"
+    key_shares: "{{ vault_unseal_keys }}"
+  when:
+    - vault_enable_auto_unseal
+    - vault_unseal_keys|length > 0