From 66a4f6b5daf5cb6072f3c12469d16db57f74a4db Mon Sep 17 00:00:00 2001
From: Bertrand Lanson
Date: Mon, 2 Sep 2024 22:24:58 +0200
Subject: [PATCH] feat(vault): enable rolling restart with no full seal

---
 playbooks/tasks/vault/vault_control_plane.yml | 5 +++++
 roles/vault/defaults/main.yml | 9 +++++++++
 roles/vault/tasks/install.yml | 7 ++++---
 roles/vault/tasks/main.yml | 12 +++++++-----
 roles/vault/tasks/recursive_copy_extra_dirs.yml | 4 ++--
 roles/vault/tasks/rolling_restart.yml | 14 ++++++++++++++
 6 files changed, 41 insertions(+), 10 deletions(-)
 create mode 100644 roles/vault/tasks/rolling_restart.yml

diff --git a/playbooks/tasks/vault/vault_control_plane.yml b/playbooks/tasks/vault/vault_control_plane.yml
index c0ace90..7eb8c90 100644
--- a/playbooks/tasks/vault/vault_control_plane.yml
+++ b/playbooks/tasks/vault/vault_control_plane.yml
@@ -45,6 +45,11 @@
 - name: "Include ednz_cloud.hashistack.vault"
 ansible.builtin.include_role:
 name: ednz_cloud.hashistack.vault
+ vars:
+ vault_enable_auto_unseal: true
+ vault_unseal_url: "{{ vault_configuration['api_addr'] }}"
+ vault_unseal_tls_verify: false
+ vault_unseal_keys: "{{ _credentials.vault['keys'] | default([]) }}"
 
 - name: "Vault | Initialize vault cluster" # noqa: run-once[task]
 ednz_cloud.hashistack.vault_init:
diff --git a/roles/vault/defaults/main.yml b/roles/vault/defaults/main.yml
index 5b9f5d9..c39380c 100644
--- a/roles/vault/defaults/main.yml
+++ b/roles/vault/defaults/main.yml
@@ -42,6 +42,15 @@ vault_storage_configuration:
 file:
 path: "{{ vault_data_dir }}"
 
+#############################
+# auto-unseal configuration #
+#############################
+
+vault_enable_auto_unseal: false
+vault_unseal_url: "https://127.0.0.1:8200"
+vault_unseal_tls_verify: true
+vault_unseal_keys: []
+
 ##########################
 # listener configuration #
 ##########################
diff --git a/roles/vault/tasks/install.yml b/roles/vault/tasks/install.yml
index 625651a..269dd4b 100644
--- a/roles/vault/tasks/install.yml
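Review bot: `vault_unseal_tls_verify: false` is hard-coded on the new side of the vault_control_plane.yml hunk, so the unseal key shares carried in `vault_unseal_keys` are posted to `vault_configuration['api_addr']` without certificate verification, which hands the shares to anyone able to interpose on that connection; this is the one request where verification matters most. The role default added in this same commit is `true`, so prefer `vault_unseal_tls_verify: true` here together with the CA the listener presents, or at least take the value from a playbook variable that defaults to true instead of a literal. A comment above the `vars:` block saying why verification is relaxed (if it really must be) would let a later reader revisit it, e.g. `# TODO: point tls_verify at the listener CA instead of disabling it; the unseal shares travel in this request`.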
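Review bot: The four new defaults in roles/vault/defaults/main.yml carry no description, and two of them deserve one: `vault_unseal_keys` is secret material (unseal key shares) that must come from an encrypted source, and setting `vault_enable_auto_unseal: true` while leaving `vault_unseal_keys` empty silently does nothing, because the unseal task in rolling_restart.yml also requires a non-empty list. Suggested comments above the variables: `# unseal key shares applied after a rolling restart; supply from ansible-vault or a secret store, never plain inventory` and `# verify the API certificate when unsealing; keep true, the shares travel in that request`. A short line noting that `vault_unseal_url` defaults to the local loopback listener would complete the block.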
+++ b/roles/vault/tasks/install.yml
@@ -36,8 +36,10 @@
 register: _vault_current_version
 
 - name: "Vault | Download and install vault binary"
- when: _vault_current_version is not defined
- or _vault_wanted_version != (_vault_current_version.content|default('')|b64decode)
+ when:
+ - _vault_current_version is not defined
+ or _vault_wanted_version != (_vault_current_version.content|default('')|b64decode)
+ - not ansible_check_mode
 block:
 - name: "Vault | Set vault package name to download"
 ansible.builtin.set_fact:
@@ -77,7 +79,6 @@
 until: _vault_binary_archive is succeeded
 retries: 5
 delay: 2
- check_mode: false
 
 - name: "Vault | Create temporary directory for archive decompression"
 ansible.builtin.file:
diff --git a/roles/vault/tasks/main.yml b/roles/vault/tasks/main.yml
index e1af6da..6a0466d 100644
--- a/roles/vault/tasks/main.yml
+++ b/roles/vault/tasks/main.yml
@@ -36,8 +36,10 @@
 when: _vault_service_need_reload
 
 - name: "Vault | Start service: {{ vault_service_name }}"
- ansible.builtin.service:
- name: "{{ vault_service_name }}"
- state: restarted
- throttle: 1
- when: _vault_service_need_restart
+ ansible.builtin.include_tasks: rolling_restart.yml
+ when:
+ - _vault_service_need_restart
+ - "hostvars[host_item].inventory_hostname == inventory_hostname"
+ with_items: "{{ ansible_play_batch }}"
+ loop_control:
+ loop_var: host_item
diff --git a/roles/vault/tasks/recursive_copy_extra_dirs.yml b/roles/vault/tasks/recursive_copy_extra_dirs.yml
index 22feb1f..147ea35 100644
--- a/roles/vault/tasks/recursive_copy_extra_dirs.yml
+++ b/roles/vault/tasks/recursive_copy_extra_dirs.yml
@@ -5,13 +5,13 @@
 path: "{{ dir_source_item.dest }}"
 recurse: true
 state: directory
- mode: "0775"
+ mode: "0755"
 
 - name: "Vault | Create extra directory sources"
 ansible.builtin.file:
 path: "{{ dir_source_item.dest }}/{{ item.path }}"
 state: directory
- mode: "0775"
+ mode: "0755"
 with_community.general.filetree: "{{ dir_source_item.src }}/"
 when: item.state == 'directory'
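Review bot: The first entry of the new `when:` list in install.yml, `- _vault_current_version is not defined`, is very likely dead: the hunk opens on `register: _vault_current_version`, and a registered variable is defined even when that task is skipped or its error is ignored, so only the version comparison does any work (unless the registering task sits in a block that is itself skipped, which is outside the hunk). If the intent is "no recorded version", `- _vault_current_version.content is not defined` says that, and since the second clause already applies `default('')` the entry can simply be dropped. The second new entry, `- not ansible_check_mode`, skips the whole install block under `--check` in place of the removed per-task `check_mode: false`, so a check run no longer reports a pending install; a comment such as `# download/extract cannot run in check mode, so the block is skipped there and --check will not report a pending install` would record that trade-off. The block this `when:` governs continues past the hunk.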
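Review bot: The rolling order produced by the new `with_items: "{{ ansible_play_batch }}"` loop in main.yml is implicit: each host matches only its own position, so one host restarts per iteration only because the linear strategy runs each iteration on every host before the next, and the removed `throttle: 1` was the last explicit serialization; under the free strategy hosts would advance independently and restart together. State that assumption above the task, e.g. `# one loop position per host: under the linear strategy exactly one host enters rolling_restart.yml per iteration`. The condition `"hostvars[host_item].inventory_hostname == inventory_hostname"` can be written `host_item == inventory_hostname`, since `ansible_play_batch` already holds inventory hostnames. Nothing here waits for the restarted node to be healthy before the loop advances, so a slow start on one node overlaps with the restart of the next; that check belongs in the included rolling_restart.yml.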
diff --git a/roles/vault/tasks/rolling_restart.yml b/roles/vault/tasks/rolling_restart.yml
new file mode 100644
index 0000000..d4e3754
--- /dev/null
+++ b/roles/vault/tasks/rolling_restart.yml
@@ -0,0 +1,14 @@
+---
+- name: "Vault | Start service: {{ vault_service_name }}"
+ ansible.builtin.service:
+ name: "{{ vault_service_name }}"
+ state: restarted
+
+- name: "Vault | Unseal node"
+ ednz_cloud.hashistack.vault_unseal:
+ api_url: "{{ vault_unseal_url }}"
+ tls_verify: "{{ vault_unseal_tls_verify }}"
+ key_shares: "{{ vault_unseal_keys }}"
+ when:
+ - vault_enable_auto_unseal
+ - vault_unseal_keys|length > 0
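Review bot: The unseal task passes `key_shares: "{{ vault_unseal_keys }}"` without `no_log: true`, so the key shares end up in the task result and in any verbose output or callback plugin that records module arguments; add `no_log: true` to that task. The restart is also followed immediately by the unseal with nothing waiting for the API to listen again (unless the module retries internally, which the hunk does not show), and nothing confirms the node is unsealed and serving before main.yml's loop moves to the next host, so a slow start overlaps with the next restart. A readiness probe against `/v1/sys/health` between the two tasks, and a second one after the unseal, closes both gaps; the first is sketched below.
```yaml
# … unchanged: service restart task …

- name: "Vault | Wait for the API to listen before unsealing"
  ansible.builtin.uri:
    url: "{{ vault_unseal_url }}/v1/sys/health"
    validate_certs: "{{ vault_unseal_tls_verify }}"
    # any reachable state (active, standby, sealed, uninitialised) counts as "listening"
    status_code: [200, 429, 472, 473, 501, 503]
  register: _vault_api_health
  until: _vault_api_health is succeeded
  retries: 30
  delay: 2

- name: "Vault | Unseal node"
  # … unchanged: ednz_cloud.hashistack.vault_unseal arguments …
  no_log: true
  # … unchanged: when conditions …
```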