Merge pull request 'feat/rolling-vault-unseal' (#20) from feat/rolling-vault-unseal into main
Reviewed-on: ansible-collections/hashistack#20
519858db1d
@ -45,6 +45,11 @@
|
|||||||
- name: "Include ednz_cloud.hashistack.vault"
|
- name: "Include ednz_cloud.hashistack.vault"
|
||||||
ansible.builtin.include_role:
|
ansible.builtin.include_role:
|
||||||
name: ednz_cloud.hashistack.vault
|
name: ednz_cloud.hashistack.vault
|
||||||
|
vars:
|
||||||
|
vault_enable_auto_unseal: true
|
||||||
|
vault_unseal_url: "{{ vault_configuration['api_addr'] }}"
|
||||||
|
vault_unseal_tls_verify: false
|
||||||
|
vault_unseal_keys: "{{ _credentials.vault['keys'] | default([]) }}"
|
||||||
|
|
||||||
- name: "Vault | Initialize vault cluster" # noqa: run-once[task]
|
- name: "Vault | Initialize vault cluster" # noqa: run-once[task]
|
||||||
ednz_cloud.hashistack.vault_init:
|
ednz_cloud.hashistack.vault_init:
|
||||||
|
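Review bot: The new `vars` pass `vault_unseal_tls_verify: false` together with `vault_unseal_url: "{{ vault_configuration['api_addr'] }}"`, so the request that carries the unseal key shares goes to whatever answers for the advertised api_addr with certificate verification off; if api_addr is not a loopback address, an on-path attacker who can answer for it receives the key shares. Either keep the role default `https://127.0.0.1:8200` so the shares never leave the node, or leave verification on and make the CA trusted on the host (the module only exposes `tls_verify`, so a CA option may be needed). `vault_unseal_keys: "{{ _credentials.vault['keys'] | default([]) }}"` also silently turns auto-unseal into a no-op when the credentials fact is absent, which is easy to miss after a restart; `| mandatory` or an earlier assert would make that loud. The enclosing play starts and ends outside the hunk.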
@ -11,7 +11,7 @@ module: ednz_cloud.hashistack.consul_acl_bootstrap
|
|||||||
|
|
||||||
short_description: Bootstraps ACL for a Consul cluster.
|
short_description: Bootstraps ACL for a Consul cluster.
|
||||||
|
|
||||||
version_added: "1.0.0"
|
version_added: "0.1.0"
|
||||||
|
|
||||||
description:
|
description:
|
||||||
- This module bootstraps ACL (Access Control List) for a Consul cluster. It performs the ACL bootstrap operation,
|
- This module bootstraps ACL (Access Control List) for a Consul cluster. It performs the ACL bootstrap operation,
|
||||||
|
@ -11,6 +11,8 @@ module: ednz_cloud.hashistack.vault_init
|
|||||||
|
|
||||||
short_description: Manages the initialization of HashiCorp Vault.
|
short_description: Manages the initialization of HashiCorp Vault.
|
||||||
|
|
||||||
|
version_added: "0.1.0"
|
||||||
|
|
||||||
description:
|
description:
|
||||||
- This module initializes HashiCorp Vault, ensuring that it is securely set up for use.
|
- This module initializes HashiCorp Vault, ensuring that it is securely set up for use.
|
||||||
|
|
||||||
|
@ -7,66 +7,70 @@ __metaclass__ = type
|
|||||||
|
|
||||||
DOCUMENTATION = r"""
|
DOCUMENTATION = r"""
|
||||||
---
|
---
|
||||||
module: my_test
|
module: ednz_cloud.hashistack.vault_unseal
|
||||||
|
|
||||||
short_description: This is my test module
|
short_description: Unseals a Vault cluster.
|
||||||
|
|
||||||
# If this is part of a collection, you need to use semantic versioning,
|
version_added: "0.1.0"
|
||||||
# i.e. the version is of the form "2.5.0" and not "2.4".
|
|
||||||
version_added: "1.0.0"
|
|
||||||
|
|
||||||
description: This is my longer description explaining my test module.
|
description:
|
||||||
|
- This module unseals a Vault cluster by submitting the necessary unseal keys. It checks whether the Vault is sealed and performs the unseal operation if needed. The response will reflect the state after the last unseal key is submitted.
|
||||||
|
|
||||||
|
requirements:
|
||||||
|
- C(hvac) (L(Python library,https://hvac.readthedocs.io/en/stable/overview.html))
|
||||||
|
|
||||||
options:
|
options:
|
||||||
name:
|
api_url:
|
||||||
description: This is the message to send to the test module.
|
description: The URL of the Vault API.
|
||||||
required: true
|
required: true
|
||||||
type: str
|
type: str
|
||||||
new:
|
tls_verify:
|
||||||
description:
|
description: Whether to verify TLS certificates.
|
||||||
- Control to demo if the result of this module is changed or not.
|
|
||||||
- Parameter description can be a list as well.
|
|
||||||
required: false
|
required: false
|
||||||
type: bool
|
type: bool
|
||||||
# Specify this value according to your collection
|
default: true
|
||||||
# in format of namespace.collection.doc_fragment_name
|
key_shares:
|
||||||
# extends_documentation_fragment:
|
description: List of unseal keys required to unseal the Vault.
|
||||||
# - my_namespace.my_collection.my_doc_fragment_name
|
required: false
|
||||||
|
type: list
|
||||||
|
default: []
|
||||||
|
|
||||||
author:
|
author:
|
||||||
- Your Name (@yourGitHubHandle)
|
- Bertrand Lanson (@ednz_cloud)
|
||||||
"""
|
"""
|
||||||
|
|
||||||
EXAMPLES = r"""
|
EXAMPLES = r"""
|
||||||
# Pass in a message
|
# Example: Unseal a Vault cluster
|
||||||
- name: Test with a message
|
- name: Unseal Vault cluster
|
||||||
my_namespace.my_collection.my_test:
|
ednz_cloud.hashistack.vault_unseal:
|
||||||
name: hello world
|
api_url: "https://127.0.0.1:8200"
|
||||||
|
tls_verify: true
|
||||||
|
key_shares:
|
||||||
|
- "key1"
|
||||||
|
- "key2"
|
||||||
|
- "key3"
|
||||||
|
|
||||||
# pass in a message and have changed true
|
# Example: Unseal Vault cluster with no TLS verification
|
||||||
- name: Test with a message and changed output
|
- name: Unseal Vault cluster without TLS verification
|
||||||
my_namespace.my_collection.my_test:
|
ednz_cloud.hashistack.vault_unseal:
|
||||||
name: hello world
|
api_url: "https://127.0.0.1:8200"
|
||||||
new: true
|
tls_verify: false
|
||||||
|
key_shares:
|
||||||
# fail the module
|
- "key1"
|
||||||
- name: Test failure of the module
|
- "key2"
|
||||||
my_namespace.my_collection.my_test:
|
|
||||||
name: fail me
|
|
||||||
"""
|
"""
|
||||||
|
|
||||||
RETURN = r"""
|
RETURN = r"""
|
||||||
# These are examples of possible return values, and in general should use other names for return values.
|
state:
|
||||||
original_message:
|
description: Information about the state of the Vault unseal operation.
|
||||||
description: The original name param that was passed in.
|
type: dict
|
||||||
type: str
|
|
||||||
returned: always
|
returned: always
|
||||||
sample: 'hello world'
|
sample:
|
||||||
message:
|
sealed: true,
|
||||||
description: The output message that the test module generates.
|
t: 3,
|
||||||
type: str
|
n: 5,
|
||||||
returned: always
|
progress: 2,
|
||||||
sample: 'goodbye'
|
version: "0.6.2"
|
||||||
"""
|
"""
|
||||||
from ansible.module_utils.basic import AnsibleModule
|
from ansible.module_utils.basic import AnsibleModule
|
||||||
import traceback
|
import traceback
|
||||||
|
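Review bot: The `key_shares` option holds the Vault unseal key shares but its documentation gives no hint that the value is secret, and nothing in this hunk shows the parameter declared `no_log`; unless the argument_spec (past the imports, outside the hunk) sets `no_log=True` for it, the shares are printed in `-v` output and in the module invocation recorded by logging callbacks. Add `elements: str` and a warning to the option, e.g. `description: List of unseal key shares. These are secrets; declare the argument no_log or run the task with no_log.`, and confirm the argument_spec. The RETURN `sample` is not valid YAML as written (`sealed: true,` and friends keep the trailing commas as part of string values), so drop the commas or write it as a flow mapping, and describe `t`, `n` and `progress`. The second EXAMPLE shows `tls_verify: false` without a caveat; a one-line comment that this exposes the key shares to interception would help.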
@ -42,6 +42,15 @@ vault_storage_configuration:
|
|||||||
file:
|
file:
|
||||||
path: "{{ vault_data_dir }}"
|
path: "{{ vault_data_dir }}"
|
||||||
|
|
||||||
|
#############################
|
||||||
|
# auto-unseal configuration #
|
||||||
|
#############################
|
||||||
|
|
||||||
|
vault_enable_auto_unseal: false
|
||||||
|
vault_unseal_url: "https://127.0.0.1:8200"
|
||||||
|
vault_unseal_tls_verify: true
|
||||||
|
vault_unseal_keys: []
|
||||||
|
|
||||||
##########################
|
##########################
|
||||||
# listener configuration #
|
# listener configuration #
|
||||||
##########################
|
##########################
|
||||||
|
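Review bot: The new `vault_unseal_keys: []` default has no comment saying where the shares are expected to come from or that they are sent in the body of a request to `vault_unseal_url`; without guidance users will put the shares in plain group_vars. Add above the block: `# Unseal key shares are secrets: load them from an Ansible-Vault-encrypted file or a secret store, never plain group_vars, and keep vault_unseal_url on loopback so the shares never leave the node.` A comment on `vault_unseal_tls_verify: true` noting that setting it to false exposes the shares to an on-path attacker would likewise document the trade-off.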
@ -36,8 +36,10 @@
|
|||||||
register: _vault_current_version
|
register: _vault_current_version
|
||||||
|
|
||||||
- name: "Vault | Download and install vault binary"
|
- name: "Vault | Download and install vault binary"
|
||||||
when: _vault_current_version is not defined
|
when:
|
||||||
|
- _vault_current_version is not defined
|
||||||
or _vault_wanted_version != (_vault_current_version.content|default('')|b64decode)
|
or _vault_wanted_version != (_vault_current_version.content|default('')|b64decode)
|
||||||
|
- not ansible_check_mode
|
||||||
block:
|
block:
|
||||||
- name: "Vault | Set vault package name to download"
|
- name: "Vault | Set vault package name to download"
|
||||||
ansible.builtin.set_fact:
|
ansible.builtin.set_fact:
|
||||||
@ -77,7 +79,6 @@
|
|||||||
until: _vault_binary_archive is succeeded
|
until: _vault_binary_archive is succeeded
|
||||||
retries: 5
|
retries: 5
|
||||||
delay: 2
|
delay: 2
|
||||||
check_mode: false
|
|
||||||
|
|
||||||
- name: "Vault | Create temporary directory for archive decompression"
|
- name: "Vault | Create temporary directory for archive decompression"
|
||||||
ansible.builtin.file:
|
ansible.builtin.file:
|
||||||
|
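Review bot: Adding `- not ansible_check_mode` to the block's `when` (and dropping `check_mode: false` on the download) means a check-mode run silently skips the whole install block, so `--check` no longer reports that a new binary would be installed or which version. Consider a preceding `ansible.builtin.debug` task that prints wanted vs current version, or leaving the download with `check_mode: false` and guarding only the install steps, so the pending change stays visible. The `or _vault_wanted_version != ...` continuation now sits as a second line of the first list item; the rendered page loses indentation, so confirm it is indented under `- _vault_current_version is not defined` so YAML folds it into that item. The block continues outside the hunk.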
@ -36,8 +36,10 @@
|
|||||||
when: _vault_service_need_reload
|
when: _vault_service_need_reload
|
||||||
|
|
||||||
- name: "Vault | Start service: {{ vault_service_name }}"
|
- name: "Vault | Start service: {{ vault_service_name }}"
|
||||||
ansible.builtin.service:
|
ansible.builtin.include_tasks: rolling_restart.yml
|
||||||
name: "{{ vault_service_name }}"
|
when:
|
||||||
state: restarted
|
- _vault_service_need_restart
|
||||||
throttle: 1
|
- "hostvars[host_item].inventory_hostname == inventory_hostname"
|
||||||
when: _vault_service_need_restart
|
with_items: "{{ ansible_play_batch }}"
|
||||||
|
loop_control:
|
||||||
|
loop_var: host_item
|
||||||
|
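Review bot: Replacing the `throttle: 1` restart with `include_tasks: rolling_restart.yml` looped over `ansible_play_batch` does not serialize the restart: each host matches only its own `host_item`, and under the default linear strategy the included restart task then runs on every host at the same time, so the whole cluster restarts and seals together, which is the opposite of a rolling restart. The new `rolling_restart.yml` shown later on this page carries no `throttle`, `run_once` or `delegate_to` either. The simplest fix is `throttle: 1` on the restart and unseal tasks inside the included file; the alternative is `run_once: true` on the include and `delegate_to: "{{ host_item }}"` on the included tasks so the loop itself walks the nodes one by one. The condition `hostvars[host_item].inventory_hostname == inventory_hostname` is also just `host_item == inventory_hostname`.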
@ -5,13 +5,13 @@
|
|||||||
path: "{{ dir_source_item.dest }}"
|
path: "{{ dir_source_item.dest }}"
|
||||||
recurse: true
|
recurse: true
|
||||||
state: directory
|
state: directory
|
||||||
mode: "0775"
|
mode: "0755"
|
||||||
|
|
||||||
- name: "Vault | Create extra directory sources"
|
- name: "Vault | Create extra directory sources"
|
||||||
ansible.builtin.file:
|
ansible.builtin.file:
|
||||||
path: "{{ dir_source_item.dest }}/{{ item.path }}"
|
path: "{{ dir_source_item.dest }}/{{ item.path }}"
|
||||||
state: directory
|
state: directory
|
||||||
mode: "0775"
|
mode: "0755"
|
||||||
with_community.general.filetree: "{{ dir_source_item.src }}/"
|
with_community.general.filetree: "{{ dir_source_item.src }}/"
|
||||||
when: item.state == 'directory'
|
when: item.state == 'directory'
|
||||||
|
|
||||||
|
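Review bot: `recurse: true` on the first task (its `name` and `path` head sit above the hunk) applies the new `mode: "0755"` to every existing file under `dir_source_item.dest`, not only to directories, so regular files in the extra directories end up executable and world-readable. If those directories can hold config or TLS material, use `mode: "u=rwX,g=rX,o=rX"` (the `X` sets the execute bit on directories only) or drop `recurse` and set file modes in the task that copies the files. Tightening 0775 to 0755 itself is fine; the point is what the recursion touches.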
14
roles/vault/tasks/rolling_restart.yml
Normal file
@ -0,0 +1,14 @@
|
|||||||
|
---
|
||||||
|
- name: "Vault | Start service: {{ vault_service_name }}"
|
||||||
|
ansible.builtin.service:
|
||||||
|
name: "{{ vault_service_name }}"
|
||||||
|
state: restarted
|
||||||
|
|
||||||
|
- name: "Vault | Unseal node"
|
||||||
|
ednz_cloud.hashistack.vault_unseal:
|
||||||
|
api_url: "{{ vault_unseal_url }}"
|
||||||
|
tls_verify: "{{ vault_unseal_tls_verify }}"
|
||||||
|
key_shares: "{{ vault_unseal_keys }}"
|
||||||
|
when:
|
||||||
|
- vault_enable_auto_unseal
|
||||||
|
- vault_unseal_keys|length > 0
|
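Review bot: The `Vault | Unseal node` task passes the unseal key shares in `key_shares` without `no_log: true`; unless the module's argument_spec declares the parameter `no_log` (not visible on this page), the shares appear in `-v` output and in any logging callback. The task also runs straight after `service: restarted`, which returns when systemd has started the unit rather than when the API is listening, so the first unseal call can fail with a connection error; add a wait on `/v1/sys/health` between the two tasks. Nothing in this file is throttled, so it only rolls through nodes one at a time if the caller serializes it.
```yaml
- name: "Vault | Wait for API after restart"
  ansible.builtin.uri:
    url: "{{ vault_unseal_url }}/v1/sys/health"
    validate_certs: "{{ vault_unseal_tls_verify }}"
    status_code: [200, 429, 472, 473, 501, 503]
  register: _vault_health
  until: _vault_health is succeeded
  retries: 10
  delay: 3
  when: vault_enable_auto_unseal

- name: "Vault | Unseal node"
  ednz_cloud.hashistack.vault_unseal:
    api_url: "{{ vault_unseal_url }}"
    # … unchanged: tls_verify, key_shares …
  no_log: true
  # … unchanged: when …
```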