feat(vault): break things trying to fix vault unseal not returning anything on mulitple retries

2024-01-24 23:54:58 +01:00 · 2024-01-24 23:54:58 +01:00 · 8ce66d42a7
commit 8ce66d42a7
parent 3bb8eb8775
5 changed files with 41 additions and 25 deletions
--- a/playbooks/deploy.yml
+++ b/playbooks/deploy.yml
@ -61,17 +61,26 @@
          ednxzu.hashistack.vault_unseal:
            api_url: "{{ hashi_vault_configuration['api_addr'] }}"
            key_shares: "{{ _vault_cluster_config['keys'] }}"
-            max_retries: "{{ (_vault_cluster_config['keys'] | length) - 1 }}"
+            # max_retries: "{{ (_vault_cluster_config['keys'] | length) - 1 }}"
          run_once: true
          delegate_to: "{{ groups['vault_servers'] | first }}"
          when: _vault_init_secret.changed
          register: _vault_unseal_secret
        - name: "Print unseal status"
          ansible.builtin.debug:
            msg: "{{ _vault_unseal_secret }}"
        - name: "Unseal all vault nodes"
          ednxzu.hashistack.vault_unseal:
            api_url: "{{ hashi_vault_configuration['api_addr'] }}"
            key_shares: "{{ _vault_cluster_config['keys'] }}"
-            max_retries: "{{ (_vault_cluster_config['keys'] | length) - 1 }}"
+            # max_retries: "{{ (_vault_cluster_config['keys'] | length) - 1 }}"
          retries: 5
          delay: 5
          register: _unseal_status
-          until: not _unseal_status.failed
+          until: _unseal_status.changed
        - name: "Print unseal status"
          ansible.builtin.debug:
            msg: "{{ _unseal_status }}"
--- a/playbooks/group_vars/all.yml
+++ b/playbooks/group_vars/all.yml
@ -150,6 +150,12 @@ vault_logging_configuration:
 #########################
 extra_vault_container_volumes: []
 #####################
 # extra configuration
 #####################
 vault_extra_configuration: {}
 ###############
 # configuration
 ###############
--- a/playbooks/tasks/vault_vars.yml
+++ b/playbooks/tasks/vault_vars.yml
@ -1,6 +1,6 @@
 ---
 # hashistack configuration merging for vault
- name: "Merge listener configuration"
+- name: "Vault | Merge listener configuration"
  ansible.builtin.set_fact:
    vault_listener_configuration: "{{
      vault_listener_configuration |
@ -8,7 +8,7 @@
      combine(vault_extra_listener_configuration | default({}))
      }}"
- name: "Merge service registration configuration"
+- name: "Vault | Merge service registration configuration"
  vars:
    _config_to_merge:
      service_registration: "{{ vault_service_registration_configuration }}"
@ -19,7 +19,7 @@
      }}"
  when: vault_enable_service_registration
- name: "Merge plugins configuration"
+- name: "Vault | Merge plugins configuration"
  vars:
    _config_to_merge:
      plugin_directory: "{{ vault_plugin_directory }}"
@ -30,7 +30,7 @@
      }}"
  when: vault_enable_plugins
- name: "Merge logging configuration"
+- name: "Vault | Merge logging configuration"
  vars:
    _config_to_merge: "{{ vault_logging_configuration }}"
  ansible.builtin.set_fact:
@ -39,3 +39,13 @@
      combine(_config_to_merge)
      }}"
  when: vault_enable_log_to_file
 - name: "Vault | Merge extra configuration settings"
  vars:
    _config_to_merge: "{{ vault_extra_configuration }}"
  ansible.builtin.set_fact:
    hashi_vault_configuration: "{{
      hashi_vault_configuration |
      combine(_config_to_merge)
      }}"
  when: vault_extra_configuration is defined
--- a/plugins/modules/vault_init.py
+++ b/plugins/modules/vault_init.py
@ -6,7 +6,7 @@ __metaclass__ = type
 DOCUMENTATION = r"""
 ---
-module: my_test
+module: ednxzu.hashistack.vault_init
 short_description: Manages the initialization of HashiCorp Vault.
@ -93,7 +93,7 @@ def run_module():
        key_threshold=dict(type="int", required=False, default=3),
    )
-    result = dict(changed=False, original_message="", state="")
+    result = dict(changed=False, state="")
    module = AnsibleModule(argument_spec=module_args, supports_check_mode=True)
--- a/plugins/modules/vault_unseal.py
+++ b/plugins/modules/vault_unseal.py
@ -84,10 +84,9 @@ def run_module():
    module_args = dict(
        api_url=dict(type="str", required=True),
        key_shares=dict(type="list", required=False, default=[]),
        max_retries=dict(type="int", required=False, default=3),
    )
-    result = dict(changed=False, original_message="", state=None)
+    result = dict(changed=False, state="")
    module = AnsibleModule(argument_spec=module_args, supports_check_mode=True)
@ -108,24 +107,16 @@ def run_module():
    # Unseal Vault
    try:
-        retries = 0
+        key_shares = module.params["key_shares"]
-        vault_unseal_result = None
+        vault_unseal_result = client.sys.submit_unseal_keys(key_shares)
-        while client.sys.is_sealed() and retries < module.params["max_retries"]:
+        result["state"] = vault_unseal_result
            key_share = module.params["key_shares"][
                min(retries, len(module.params["key_shares"]) - 1)
            ]
            vault_unseal_result = client.sys.submit_unseal_key(key_share)
            retries += 1
    except hvac.exceptions.VaultError as ve:
        module.fail_json(msg=f"Vault unsealing failed: {ve}")
    # Check if the Vault is successfully unsealed
    if client.sys.is_sealed():
-        module.fail_json(msg="Vault unsealing failed: Maximum retries reached.")
+        module.fail_json(msg="Vault unsealing failed.")
    result["state"] = vault_unseal_result
    result["changed"] = True
    module.exit_json(**result)