Merge pull request 'feat/rolling-vault-unseal' (#20) from feat/rolling-vault-unseal into main
All checks were successful
build-deploy / Bump version and create changelog with commitizen (push) Successful in 33s

Reviewed-on: ansible-collections/hashistack#20
This commit is contained in:
Bertrand Lanson 2024-09-02 20:29:54 +00:00
commit 519858db1d
10 changed files with 104 additions and 67 deletions

View File

@ -45,6 +45,11 @@
- name: "Include ednz_cloud.hashistack.vault" - name: "Include ednz_cloud.hashistack.vault"
ansible.builtin.include_role: ansible.builtin.include_role:
name: ednz_cloud.hashistack.vault name: ednz_cloud.hashistack.vault
vars:
vault_enable_auto_unseal: true
vault_unseal_url: "{{ vault_configuration['api_addr'] }}"
vault_unseal_tls_verify: false
vault_unseal_keys: "{{ _credentials.vault['keys'] | default([]) }}"
- name: "Vault | Initialize vault cluster" # noqa: run-once[task] - name: "Vault | Initialize vault cluster" # noqa: run-once[task]
ednz_cloud.hashistack.vault_init: ednz_cloud.hashistack.vault_init:

View File

@ -11,7 +11,7 @@ module: ednz_cloud.hashistack.consul_acl_bootstrap
short_description: Bootstraps ACL for a Consul cluster. short_description: Bootstraps ACL for a Consul cluster.
version_added: "1.0.0" version_added: "0.1.0"
description: description:
- This module bootstraps ACL (Access Control List) for a Consul cluster. It performs the ACL bootstrap operation, - This module bootstraps ACL (Access Control List) for a Consul cluster. It performs the ACL bootstrap operation,

View File

@ -11,6 +11,8 @@ module: ednz_cloud.hashistack.vault_init
short_description: Manages the initialization of HashiCorp Vault. short_description: Manages the initialization of HashiCorp Vault.
version_added: "0.1.0"
description: description:
- This module initializes HashiCorp Vault, ensuring that it is securely set up for use. - This module initializes HashiCorp Vault, ensuring that it is securely set up for use.

View File

@ -7,66 +7,70 @@ __metaclass__ = type
DOCUMENTATION = r""" DOCUMENTATION = r"""
--- ---
module: my_test module: ednz_cloud.hashistack.vault_unseal
short_description: This is my test module short_description: Unseals a Vault cluster.
# If this is part of a collection, you need to use semantic versioning, version_added: "0.1.0"
# i.e. the version is of the form "2.5.0" and not "2.4".
version_added: "1.0.0"
description: This is my longer description explaining my test module. description:
- This module unseals a Vault cluster by submitting the necessary unseal keys. It checks whether the Vault is sealed and performs the unseal operation if needed. The response will reflect the state after the last unseal key is submitted.
requirements:
- C(hvac) (L(Python library,https://hvac.readthedocs.io/en/stable/overview.html))
options: options:
name: api_url:
description: This is the message to send to the test module. description: The URL of the Vault API.
required: true required: true
type: str type: str
new: tls_verify:
description: description: Whether to verify TLS certificates.
- Control to demo if the result of this module is changed or not.
- Parameter description can be a list as well.
required: false required: false
type: bool type: bool
# Specify this value according to your collection default: true
# in format of namespace.collection.doc_fragment_name key_shares:
# extends_documentation_fragment: description: List of unseal keys required to unseal the Vault.
# - my_namespace.my_collection.my_doc_fragment_name required: false
type: list
default: []
author: author:
- Your Name (@yourGitHubHandle) - Bertrand Lanson (@ednz_cloud)
""" """
EXAMPLES = r""" EXAMPLES = r"""
# Pass in a message # Example: Unseal a Vault cluster
- name: Test with a message - name: Unseal Vault cluster
my_namespace.my_collection.my_test: ednz_cloud.hashistack.vault_unseal:
name: hello world api_url: "https://127.0.0.1:8200"
tls_verify: true
key_shares:
- "key1"
- "key2"
- "key3"
# pass in a message and have changed true # Example: Unseal Vault cluster with no TLS verification
- name: Test with a message and changed output - name: Unseal Vault cluster without TLS verification
my_namespace.my_collection.my_test: ednz_cloud.hashistack.vault_unseal:
name: hello world api_url: "https://127.0.0.1:8200"
new: true tls_verify: false
key_shares:
# fail the module - "key1"
- name: Test failure of the module - "key2"
my_namespace.my_collection.my_test:
name: fail me
""" """
RETURN = r""" RETURN = r"""
# These are examples of possible return values, and in general should use other names for return values. state:
original_message: description: Information about the state of the Vault unseal operation.
description: The original name param that was passed in. type: dict
type: str
returned: always returned: always
sample: 'hello world' sample:
message: sealed: true,
description: The output message that the test module generates. t: 3,
type: str n: 5,
returned: always progress: 2,
sample: 'goodbye' version: "0.6.2"
""" """
from ansible.module_utils.basic import AnsibleModule from ansible.module_utils.basic import AnsibleModule
import traceback import traceback

View File

@ -42,6 +42,15 @@ vault_storage_configuration:
file: file:
path: "{{ vault_data_dir }}" path: "{{ vault_data_dir }}"
#############################
# auto-unseal configuration #
#############################
vault_enable_auto_unseal: false
vault_unseal_url: "https://127.0.0.1:8200"
vault_unseal_tls_verify: true
vault_unseal_keys: []
########################## ##########################
# listener configuration # # listener configuration #
########################## ##########################

View File

@ -36,8 +36,10 @@
register: _vault_current_version register: _vault_current_version
- name: "Vault | Download and install vault binary" - name: "Vault | Download and install vault binary"
when: _vault_current_version is not defined when:
- _vault_current_version is not defined
or _vault_wanted_version != (_vault_current_version.content|default('')|b64decode) or _vault_wanted_version != (_vault_current_version.content|default('')|b64decode)
- not ansible_check_mode
block: block:
- name: "Vault | Set vault package name to download" - name: "Vault | Set vault package name to download"
ansible.builtin.set_fact: ansible.builtin.set_fact:
@ -77,7 +79,6 @@
until: _vault_binary_archive is succeeded until: _vault_binary_archive is succeeded
retries: 5 retries: 5
delay: 2 delay: 2
check_mode: false
- name: "Vault | Create temporary directory for archive decompression" - name: "Vault | Create temporary directory for archive decompression"
ansible.builtin.file: ansible.builtin.file:

View File

@ -36,8 +36,10 @@
when: _vault_service_need_reload when: _vault_service_need_reload
- name: "Vault | Start service: {{ vault_service_name }}" - name: "Vault | Start service: {{ vault_service_name }}"
ansible.builtin.service: ansible.builtin.include_tasks: rolling_restart.yml
name: "{{ vault_service_name }}" when:
state: restarted - _vault_service_need_restart
throttle: 1 - "hostvars[host_item].inventory_hostname == inventory_hostname"
when: _vault_service_need_restart with_items: "{{ ansible_play_batch }}"
loop_control:
loop_var: host_item

View File

@ -5,13 +5,13 @@
path: "{{ dir_source_item.dest }}" path: "{{ dir_source_item.dest }}"
recurse: true recurse: true
state: directory state: directory
mode: "0775" mode: "0755"
- name: "Vault | Create extra directory sources" - name: "Vault | Create extra directory sources"
ansible.builtin.file: ansible.builtin.file:
path: "{{ dir_source_item.dest }}/{{ item.path }}" path: "{{ dir_source_item.dest }}/{{ item.path }}"
state: directory state: directory
mode: "0775" mode: "0755"
with_community.general.filetree: "{{ dir_source_item.src }}/" with_community.general.filetree: "{{ dir_source_item.src }}/"
when: item.state == 'directory' when: item.state == 'directory'

View File

@ -0,0 +1,14 @@
---
- name: "Vault | Start service: {{ vault_service_name }}"
ansible.builtin.service:
name: "{{ vault_service_name }}"
state: restarted
- name: "Vault | Unseal node"
ednz_cloud.hashistack.vault_unseal:
api_url: "{{ vault_unseal_url }}"
tls_verify: "{{ vault_unseal_tls_verify }}"
key_shares: "{{ vault_unseal_keys }}"
when:
- vault_enable_auto_unseal
- vault_unseal_keys|length > 0