feat(vault): enable rolling restart with no full seal

2024-09-02 22:24:58 +02:00 · 2024-09-02 22:24:58 +02:00 · 66a4f6b5da
commit 66a4f6b5da
parent 71ea3d1f76
6 changed files with 41 additions and 10 deletions
--- a/playbooks/tasks/vault/vault_control_plane.yml
+++ b/playbooks/tasks/vault/vault_control_plane.yml
@ -45,6 +45,11 @@
    - name: "Include ednz_cloud.hashistack.vault"
      ansible.builtin.include_role:
        name: ednz_cloud.hashistack.vault
      vars:
        vault_enable_auto_unseal: true
        vault_unseal_url: "{{ vault_configuration['api_addr'] }}"
        vault_unseal_tls_verify: false
        vault_unseal_keys: "{{ _credentials.vault['keys'] | default([]) }}"
    - name: "Vault | Initialize vault cluster" # noqa: run-once[task]
      ednz_cloud.hashistack.vault_init:
--- a/roles/vault/defaults/main.yml
+++ b/roles/vault/defaults/main.yml
@ -42,6 +42,15 @@ vault_storage_configuration:
  file:
    path: "{{ vault_data_dir }}"
 #############################
 # auto-unseal configuration #
 #############################
 vault_enable_auto_unseal: false
 vault_unseal_url: "https://127.0.0.1:8200"
 vault_unseal_tls_verify: true
 vault_unseal_keys: []
 ##########################
 # listener configuration #
 ##########################
--- a/roles/vault/tasks/install.yml
+++ b/roles/vault/tasks/install.yml
@ -36,8 +36,10 @@
      register: _vault_current_version
 - name: "Vault | Download and install vault binary"
-  when: _vault_current_version is not defined
+  when:
-    or _vault_wanted_version != (_vault_current_version.content|default('')|b64decode)
+    - _vault_current_version is not defined
      or _vault_wanted_version != (_vault_current_version.content|default('')|b64decode)
    - not ansible_check_mode
  block:
    - name: "Vault | Set vault package name to download"
      ansible.builtin.set_fact:
@ -77,7 +79,6 @@
      until: _vault_binary_archive is succeeded
      retries: 5
      delay: 2
      check_mode: false
    - name: "Vault | Create temporary directory for archive decompression"
      ansible.builtin.file:
--- a/roles/vault/tasks/main.yml
+++ b/roles/vault/tasks/main.yml
@ -36,8 +36,10 @@
  when: _vault_service_need_reload
 - name: "Vault | Start service: {{ vault_service_name }}"
-  ansible.builtin.service:
+  ansible.builtin.include_tasks: rolling_restart.yml
-    name: "{{ vault_service_name }}"
+  when:
-    state: restarted
+    - _vault_service_need_restart
-  throttle: 1
+    - "hostvars[host_item].inventory_hostname == inventory_hostname"
-  when: _vault_service_need_restart
+  with_items: "{{ ansible_play_batch }}"
  loop_control:
    loop_var: host_item
--- a/roles/vault/tasks/recursive_copy_extra_dirs.yml
+++ b/roles/vault/tasks/recursive_copy_extra_dirs.yml
@ -5,13 +5,13 @@
    path: "{{ dir_source_item.dest }}"
    recurse: true
    state: directory
-    mode: "0775"
+    mode: "0755"
 - name: "Vault | Create extra directory sources"
  ansible.builtin.file:
    path: "{{ dir_source_item.dest }}/{{ item.path }}"
    state: directory
-    mode: "0775"
+    mode: "0755"
  with_community.general.filetree: "{{ dir_source_item.src }}/"
  when: item.state == 'directory'
--- a/roles/vault/tasks/rolling_restart.yml
+++ b/roles/vault/tasks/rolling_restart.yml
@ -0,0 +1,14 @@
 ---
 - name: "Vault | Start service: {{ vault_service_name }}"
  ansible.builtin.service:
    name: "{{ vault_service_name }}"
    state: restarted
 - name: "Vault | Unseal node"
  ednz_cloud.hashistack.vault_unseal:
    api_url: "{{ vault_unseal_url }}"
    tls_verify: "{{ vault_unseal_tls_verify }}"
    key_shares: "{{ vault_unseal_keys }}"
  when:
    - vault_enable_auto_unseal
    - vault_unseal_keys|length > 0