playbooks/tasks/vault/vault_control_plane.yml

@@ -45,6 +45,11 @@
     - name: "Include ednz_cloud.hashistack.vault"
       ansible.builtin.include_role:
         name: ednz_cloud.hashistack.vault
+      vars:
+        vault_enable_auto_unseal: true
+        vault_unseal_url: "{{ vault_configuration['api_addr'] }}"
+        vault_unseal_tls_verify: false
+        vault_unseal_keys: "{{ _credentials.vault['keys'] | default([]) }}"
 
     - name: "Vault | Initialize vault cluster" # noqa: run-once[task]
       ednz_cloud.hashistack.vault_init:

roles/vault/defaults/main.yml

@@ -42,6 +42,15 @@ vault_storage_configuration:
   file:
     path: "{{ vault_data_dir }}"
 
+#############################
+# auto-unseal configuration #
+#############################
+
+vault_enable_auto_unseal: false
+vault_unseal_url: "https://127.0.0.1:8200"
+vault_unseal_tls_verify: true
+vault_unseal_keys: []
+
 ##########################
 # listener configuration #
 ##########################

roles/vault/tasks/install.yml

@@ -36,8 +36,10 @@
       register: _vault_current_version
 
 - name: "Vault | Download and install vault binary"
-  when: _vault_current_version is not defined
-    or _vault_wanted_version != (_vault_current_version.content|default('')|b64decode)
+  when:
+    - _vault_current_version is not defined
+      or _vault_wanted_version != (_vault_current_version.content|default('')|b64decode)
+    - not ansible_check_mode
   block:
     - name: "Vault | Set vault package name to download"
       ansible.builtin.set_fact:
@@ -77,7 +79,6 @@
       until: _vault_binary_archive is succeeded
       retries: 5
       delay: 2
-      check_mode: false
 
     - name: "Vault | Create temporary directory for archive decompression"
       ansible.builtin.file:

roles/vault/tasks/main.yml

@@ -36,8 +36,10 @@
   when: _vault_service_need_reload
 
 - name: "Vault | Start service: {{ vault_service_name }}"
-  ansible.builtin.service:
-    name: "{{ vault_service_name }}"
-    state: restarted
-  throttle: 1
-  when: _vault_service_need_restart
+  ansible.builtin.include_tasks: rolling_restart.yml
+  when:
+    - _vault_service_need_restart
+    - "hostvars[host_item].inventory_hostname == inventory_hostname"
+  with_items: "{{ ansible_play_batch }}"
+  loop_control:
+    loop_var: host_item

roles/vault/tasks/recursive_copy_extra_dirs.yml

@@ -5,13 +5,13 @@
     path: "{{ dir_source_item.dest }}"
     recurse: true
     state: directory
-    mode: "0775"
+    mode: "0755"
 
 - name: "Vault | Create extra directory sources"
   ansible.builtin.file:
     path: "{{ dir_source_item.dest }}/{{ item.path }}"
     state: directory
-    mode: "0775"
+    mode: "0755"
   with_community.general.filetree: "{{ dir_source_item.src }}/"
   when: item.state == 'directory'
 

roles/vault/tasks/rolling_restart.yml

@@ -0,0 +1,14 @@
+---
+- name: "Vault | Start service: {{ vault_service_name }}"
+  ansible.builtin.service:
+    name: "{{ vault_service_name }}"
+    state: restarted
+
+- name: "Vault | Unseal node"
+  ednz_cloud.hashistack.vault_unseal:
+    api_url: "{{ vault_unseal_url }}"
+    tls_verify: "{{ vault_unseal_tls_verify }}"
+    key_shares: "{{ vault_unseal_keys }}"
+  when:
+    - vault_enable_auto_unseal
+    - vault_unseal_keys|length > 0