feat(vault): start of unseal module, and start of default variables
This commit is contained in:
parent
2c0515cfd7
commit
0929f25f5d
@ -3,7 +3,13 @@
|
|||||||
- name: "Deploy"
|
- name: "Deploy"
|
||||||
hosts: all
|
hosts: all
|
||||||
gather_facts: true
|
gather_facts: true
|
||||||
|
become: true
|
||||||
tasks:
|
tasks:
|
||||||
- name: "Debug"
|
# - name: "Include ednxzu.hashicorp_vault"
|
||||||
ansible.builtin.debug:
|
# ansible.builtin.include_role:
|
||||||
msg: "{{ ansible_hostname }}"
|
# name: ednxzu.hashicorp_vault
|
||||||
|
|
||||||
|
- name: "Test module"
|
||||||
|
ednxzu.hashistack.vault_init:
|
||||||
|
name: "Test"
|
||||||
|
new: true
|
||||||
|
@ -28,7 +28,6 @@ hashistack_supported_distribution_versions:
|
|||||||
- "22.04"
|
- "22.04"
|
||||||
|
|
||||||
preflight_enable_host_ntp_checks: true
|
preflight_enable_host_ntp_checks: true
|
||||||
|
|
||||||
vault_required_ports: [8200,8201]
|
vault_required_ports: [8200,8201]
|
||||||
consul_required_ports: [8300,8301,8302,8500,8501,8502,8503,8600]
|
consul_required_ports: [8300,8301,8302,8500,8501,8502,8503,8600]
|
||||||
nomad_required_ports: []
|
nomad_required_ports: []
|
||||||
@ -72,13 +71,47 @@ hashi_consul_configuration: {}
|
|||||||
# Vault options ##########
|
# Vault options ##########
|
||||||
##########################
|
##########################
|
||||||
|
|
||||||
|
vault_cluster_name: vault
|
||||||
|
vault_storage_configuration:
|
||||||
|
raft:
|
||||||
|
path: "{{ hashi_vault_data_dir }}/data"
|
||||||
|
node_id: "{{ ansible_hostname }}"
|
||||||
|
retry_join: |
|
||||||
|
[
|
||||||
|
{% for host in groups['vault_servers'] %}
|
||||||
|
{
|
||||||
|
'leader_api_addr': 'http://{{ hostvars[host].api_interface_address }}:8200'
|
||||||
|
}{% if not loop.last %},{% endif %}
|
||||||
|
{% endfor %}
|
||||||
|
]
|
||||||
|
|
||||||
|
extra_vault_container_volumes: []
|
||||||
|
default_container_extra_volumes:
|
||||||
|
- "/etc/timezone:/etc/timezone"
|
||||||
|
- "/etc/localtime:/etc/localtime"
|
||||||
|
|
||||||
hashi_vault_start_service: true
|
hashi_vault_start_service: true
|
||||||
hashi_vault_version: latest
|
hashi_vault_version: latest
|
||||||
hashi_vault_deploy_method: host # deployment method, either host or docker
|
hashi_vault_deploy_method: "{{ deployment_method }}" # deployment method, either host or docker
|
||||||
hashi_vault_env_variables: {}
|
hashi_vault_env_variables: {}
|
||||||
hashi_vault_data_dir: "/opt/vault"
|
hashi_vault_data_dir: "/opt/vault"
|
||||||
hashi_vault_extra_files: false
|
hashi_vault_extra_files: false
|
||||||
hashi_vault_extra_files_src: /tmp/extra_files
|
hashi_vault_extra_files_src: /tmp/extra_files
|
||||||
hashi_vault_extra_files_dst: /etc/vault.d/extra_files
|
hashi_vault_extra_files_dst: /etc/vault.d/extra_files
|
||||||
|
hashi_vault_extra_container_volumes: "{{ default_container_extra_volumes | union(extra_vault_container_volumes) | unique }}"
|
||||||
#! vault configuration
|
#! vault configuration
|
||||||
hashi_vault_configuration: {}
|
hashi_vault_configuration:
|
||||||
|
cluster_name: "{{ vault_cluster_name }}"
|
||||||
|
cluster_addr: "http://{{ api_interface_address }}:8201"
|
||||||
|
api_addr: "http://{{ api_interface_address }}:8200"
|
||||||
|
ui: true
|
||||||
|
disable_mlock: false
|
||||||
|
disable_cache: false
|
||||||
|
listener:
|
||||||
|
tcp:
|
||||||
|
address: "0.0.0.0:8200"
|
||||||
|
tls_disable: true
|
||||||
|
#tls_disable_client_certs: true
|
||||||
|
#tls_cert_file: "{{ hashi_vault_data_dir }}/tls/cert.pem"
|
||||||
|
#tls_key_file: "{{ hashi_vault_data_dir }}/tls/key.pem"
|
||||||
|
storage: "{{ vault_storage_configuration }}"
|
||||||
|
@ -170,6 +170,26 @@
|
|||||||
with_items: "{{ vault_port_results.results }}"
|
with_items: "{{ vault_port_results.results }}"
|
||||||
when: vault_port_results.results | length > 0
|
when: vault_port_results.results | length > 0
|
||||||
|
|
||||||
|
- name: "Checking if consul ports are available"
|
||||||
|
when: inventory_hostname in groups['consul_servers']
|
||||||
|
block:
|
||||||
|
- name: "Checking if consul ports are available"
|
||||||
|
ansible.builtin.wait_for:
|
||||||
|
host: "{{ inventory_hostname }}"
|
||||||
|
port: "{{ item }}"
|
||||||
|
state: "stopped"
|
||||||
|
timeout: 5
|
||||||
|
loop: "{{ consul_required_ports }}"
|
||||||
|
ignore_errors: true
|
||||||
|
register: consul_port_results
|
||||||
|
|
||||||
|
- name: "Assert that consul ports are not currently in use"
|
||||||
|
ansible.builtin.assert:
|
||||||
|
that:
|
||||||
|
- item.failed == false
|
||||||
|
with_items: "{{ consul_port_results.results }}"
|
||||||
|
when: consul_port_results.results | length > 0
|
||||||
|
|
||||||
- name: "Checking if system uses systemd"
|
- name: "Checking if system uses systemd"
|
||||||
become: true
|
become: true
|
||||||
ansible.builtin.assert:
|
ansible.builtin.assert:
|
||||||
@ -198,4 +218,12 @@
|
|||||||
The python sdk for docker is really out of date, you need to install
|
The python sdk for docker is really out of date, you need to install
|
||||||
a more recent version of it in order to use this tool.
|
a more recent version of it in order to use this tool.
|
||||||
|
|
||||||
- ansible.builtin.fail:
|
- name: "Debug"
|
||||||
|
ansible.builtin.debug:
|
||||||
|
msg: "{{ groups['vault_servers'] }}"
|
||||||
|
|
||||||
|
- name: "Debug"
|
||||||
|
ansible.builtin.debug:
|
||||||
|
msg: "{{ hashi_vault_configuration.storage }}"
|
||||||
|
|
||||||
|
# - ansible.builtin.fail:
|
||||||
|
135
plugins/modules/vault_init.py
Normal file
135
plugins/modules/vault_init.py
Normal file
@ -0,0 +1,135 @@
|
|||||||
|
#!/usr/bin/python
|
||||||
|
|
||||||
|
from __future__ import (absolute_import, division, print_function)
|
||||||
|
__metaclass__ = type
|
||||||
|
|
||||||
|
DOCUMENTATION = r'''
|
||||||
|
---
|
||||||
|
module: my_test
|
||||||
|
|
||||||
|
short_description: This is my test module
|
||||||
|
|
||||||
|
# If this is part of a collection, you need to use semantic versioning,
|
||||||
|
# i.e. the version is of the form "2.5.0" and not "2.4".
|
||||||
|
version_added: "1.0.0"
|
||||||
|
|
||||||
|
description: This is my longer description explaining my test module.
|
||||||
|
|
||||||
|
options:
|
||||||
|
name:
|
||||||
|
description: This is the message to send to the test module.
|
||||||
|
required: true
|
||||||
|
type: str
|
||||||
|
new:
|
||||||
|
description:
|
||||||
|
- Control to demo if the result of this module is changed or not.
|
||||||
|
- Parameter description can be a list as well.
|
||||||
|
required: false
|
||||||
|
type: bool
|
||||||
|
# Specify this value according to your collection
|
||||||
|
# in format of namespace.collection.doc_fragment_name
|
||||||
|
# extends_documentation_fragment:
|
||||||
|
# - my_namespace.my_collection.my_doc_fragment_name
|
||||||
|
|
||||||
|
author:
|
||||||
|
- Your Name (@yourGitHubHandle)
|
||||||
|
'''
|
||||||
|
|
||||||
|
EXAMPLES = r'''
|
||||||
|
# Pass in a message
|
||||||
|
- name: Test with a message
|
||||||
|
my_namespace.my_collection.my_test:
|
||||||
|
name: hello world
|
||||||
|
|
||||||
|
# pass in a message and have changed true
|
||||||
|
- name: Test with a message and changed output
|
||||||
|
my_namespace.my_collection.my_test:
|
||||||
|
name: hello world
|
||||||
|
new: true
|
||||||
|
|
||||||
|
# fail the module
|
||||||
|
- name: Test failure of the module
|
||||||
|
my_namespace.my_collection.my_test:
|
||||||
|
name: fail me
|
||||||
|
'''
|
||||||
|
|
||||||
|
RETURN = r'''
|
||||||
|
# These are examples of possible return values, and in general should use other names for return values.
|
||||||
|
original_message:
|
||||||
|
description: The original name param that was passed in.
|
||||||
|
type: str
|
||||||
|
returned: always
|
||||||
|
sample: 'hello world'
|
||||||
|
message:
|
||||||
|
description: The output message that the test module generates.
|
||||||
|
type: str
|
||||||
|
returned: always
|
||||||
|
sample: 'goodbye'
|
||||||
|
'''
|
||||||
|
|
||||||
|
from ansible.module_utils.basic import AnsibleModule
|
||||||
|
import hvac
|
||||||
|
|
||||||
|
def run_module():
|
||||||
|
# define available arguments/parameters a user can pass to the module
|
||||||
|
module_args = dict(
|
||||||
|
api_url=dict(type='str', required=True),
|
||||||
|
key_shares=dict(type='int', required=False,default=5)
|
||||||
|
key_treshold=dict(type='int',required=False,default=3)
|
||||||
|
name=dict(type='str', required=True),
|
||||||
|
new=dict(type='bool', required=False, default=False)
|
||||||
|
)
|
||||||
|
|
||||||
|
# seed the result dict in the object
|
||||||
|
# we primarily care about changed and state
|
||||||
|
# changed is if this module effectively modified the target
|
||||||
|
# state will include any data that you want your module to pass back
|
||||||
|
# for consumption, for example, in a subsequent task
|
||||||
|
result = dict(
|
||||||
|
changed=False,
|
||||||
|
original_message='',
|
||||||
|
message=''
|
||||||
|
)
|
||||||
|
|
||||||
|
# the AnsibleModule object will be our abstraction working with Ansible
|
||||||
|
# this includes instantiation, a couple of common attr would be the
|
||||||
|
# args/params passed to the execution, as well as if the module
|
||||||
|
# supports check mode
|
||||||
|
module = AnsibleModule(
|
||||||
|
argument_spec=module_args,
|
||||||
|
supports_check_mode=True
|
||||||
|
)
|
||||||
|
|
||||||
|
# if the user is working with this module in only check mode we do not
|
||||||
|
# want to make any changes to the environment, just return the current
|
||||||
|
# state with no modifications
|
||||||
|
if module.check_mode:
|
||||||
|
module.exit_json(**result)
|
||||||
|
|
||||||
|
# manipulate or modify the state as needed (this is going to be the
|
||||||
|
# part where your module will do what it needs to do)
|
||||||
|
result['original_message'] = module.params['name']
|
||||||
|
result['message'] = 'goodbye'
|
||||||
|
|
||||||
|
# use whatever logic you need to determine whether or not this module
|
||||||
|
# made any modifications to your target
|
||||||
|
if module.params['new']:
|
||||||
|
result['changed'] = True
|
||||||
|
|
||||||
|
# during the execution of the module, if there is an exception or a
|
||||||
|
# conditional state that effectively causes a failure, run
|
||||||
|
# AnsibleModule.fail_json() to pass in the message and the result
|
||||||
|
if module.params['name'] == 'fail me':
|
||||||
|
module.fail_json(msg='You requested this to fail', **result)
|
||||||
|
|
||||||
|
# in the event of a successful module execution, you will want to
|
||||||
|
# simple AnsibleModule.exit_json(), passing the key/value results
|
||||||
|
module.exit_json(**result)
|
||||||
|
|
||||||
|
|
||||||
|
def main():
|
||||||
|
run_module()
|
||||||
|
|
||||||
|
|
||||||
|
if __name__ == '__main__':
|
||||||
|
main()
|
Loading…
Reference in New Issue
Block a user