feat(vault/docs/license): added plugin ability to vault, update documentation and license

2024-01-06 15:50:51 +01:00 · 2024-01-06 15:50:51 +01:00 · 7b10b55fa7
commit 7b10b55fa7
parent ba6bab9a92
9 changed files with 144 additions and 18 deletions
--- a/2
+++ b/2
@ -1,6 +1,6 @@
 The MIT License (MIT)

-Copyright (c) 2017 Bertrand Lanson
+Copyright (c) 2023 Bertrand Lanson

 Permission is hereby granted, free of charge, to any person obtaining a copy of
 this software and associated documentation files (the "Software"), to deal in
--- a/docs/general.md
+++ b/docs/general.md
@ -0,0 +1,103 @@
+# General documentation
+
+## Configuration directory
+
+### Main configuration directory
+
+Hashistack Ansible uses a configuration directory to store all the configuration files and other artifacts.
+
+This directory is defined with the variable `configuration_directory`. By default, it will look at `{{ lookup('env', 'PWD') }}/etc/hashistack`, which equals `$(pwd)/etc/hashistack`.
+
+Under this directory, you are expected to place the `globals.yml` file, with your configuration.
+
+### Sub configuration directories
+
+#### Group configuration directories
+
+Additionally, subdirectories can be used to tailor the configuration further.
+
+Each group within the `inventory` will look at a directory named after itself:
+
+- nomad_servers group will look for `{{ configuration_directory }}/nomad_servers`
+- vault_servers group will look for `{{ configuration_directory }}/vault_servers`
+- consul_servers group will look for `{{ configuration_directory }}/consul_servers`
+
+Within each of these directories, you can place an additional `globals.yml file`, that will superseed the file at the root of the configuration directory.
+
+- **Example**:
+
+  If `etc/hashistack/globals.yml` looks like:
+
+  ```yaml
+  ---
+  enable_vault: "no"
+  enable_consul: "no"
+  enable_nomad: "no"
+  ```
+
+  And `etc/hashistack/nomad_servers/globals.yml` looks like:
+
+  ```yaml
+  ---
+  enable_nomad: "yes"
+  ```
+
+  Servers in the `nomad_servers` group will end up with the following configuration:
+
+  ```yaml
+  ---
+  enable_vault: "no"
+  enable_consul: "no"
+  enable_nomad: "yes"
+  ```
+
+This approach lets you customize your deployment for your exact needs.
+
+#### Host configuration directories
+
+Additionally, within each `group configuration directory`, you can add `host configuration directory`, that will be named after the hosts defined in your `inventory`. These host directories can also be populated with a `globals.yml` file, that will superseed the `group` and `deployment` configuration files.
+
+- **Example**
+
+  If `etc/hashistack/globals.yml` looks like:
+
+  ```yaml
+  ---
+  enable_vault: "no"
+  enable_consul: "no"
+  enable_nomad: "no"
+  api_interface: "eth0"
+  ```
+
+  And `etc/hashistack/nomad_servers/globals.yml` looks like:
+
+  ```yaml
+  ---
+  enable_nomad: "yes"
+  api_interface: "eth1"
+  ```
+
+  And `etc/hashistack/nomad_servers/nomad-master-01/globals.yml` looks like:
+
+  ```yaml
+    api_interface: "eth0.vlan40"
+  ```
+
+  Servers in the `nomad_servers` group will end up with the following configuration:
+
+  ```yaml
+  ---
+  enable_vault: "no"
+  enable_consul: "no"
+  enable_nomad: "yes"
+  api_interface: "eth1"
+  ```
+  Except for host `nomad-master-1`, who will have the following:
+
+  ```yaml
+  ---
+  enable_vault: "no"
+  enable_consul: "no"
+  enable_nomad: "yes"
+  api_interface: "eth0.vlan40"
+  ```
--- a/molecule/no_tls_multi_node/etc/hashistack/vault_servers/config/plugin/vault-plugin-auth-openstack
+++ b/molecule/no_tls_multi_node/etc/hashistack/vault_servers/config/plugin/vault-plugin-auth-openstack
--- a/molecule/no_tls_multi_node/etc/hashistack/vault_servers/config/tls/cert.pem
+++ b/molecule/no_tls_multi_node/etc/hashistack/vault_servers/config/tls/cert.pem
--- a/molecule/no_tls_multi_node/etc/hashistack/vault_servers/config/tls/key.pem
+++ b/molecule/no_tls_multi_node/etc/hashistack/vault_servers/config/tls/key.pem
--- a/playbooks/deploy.yml
+++ b/playbooks/deploy.yml
@ -18,7 +18,7 @@
      ansible.builtin.debug:
        msg: "{{ hashi_vault_configuration }}"

-    - ansible.builtin.fail:
+    # - ansible.builtin.fail:

    - name: "Vault"
      when:
--- a/playbooks/group_vars/all.yml
+++ b/playbooks/group_vars/all.yml
@ -23,9 +23,9 @@ default_container_extra_volumes:
  - "/etc/timezone:/etc/timezone"
  - "/etc/localtime:/etc/localtime"

-##########################
-# Support options ########
-##########################
+#################
+# Support options
+#################

 hashistack_supported_distributions:
  - ubuntu
@ -114,8 +114,8 @@ vault_listener_configuration:
 vault_tls_listener_configuration:
  tcp:
    tls_disable: false
-    tls_cert_file: "{{ hashi_vault_config_dir }}/cert.pem"
-    tls_key_file: "{{ hashi_vault_config_dir }}/key.pem"
+    tls_cert_file: "{{ hashi_vault_extra_files_dst }}/tls/cert.pem"
+    tls_key_file: "{{ hashi_vault_extra_files_dst }}/tls/key.pem"

 vault_extra_listener_configuration: {}

@ -131,8 +131,8 @@ vault_service_registration_configuration:
 #############################
 # vault plugins configuration
 #############################
-vault_enable_plugins: false
-
+vault_enable_plugins: true
+vault_plugin_directory: "{{ hashi_vault_extra_files_dst }}/plugin"

 #########################
 # vault container volumes
@ -148,9 +148,9 @@ hashi_vault_deploy_method: "{{ deployment_method }}"
 hashi_vault_env_variables: {}
 hashi_vault_config_dir: "/etc/vault.d"
 hashi_vault_data_dir: "/opt/vault"
-hashi_vault_extra_files: false
-hashi_vault_extra_files_src: /tmp/extra_files
-hashi_vault_extra_files_dst: /etc/vault.d/extra_files
+hashi_vault_extra_files: true
+hashi_vault_extra_files_src: "{{ sub_configuration_directories.vault_servers }}/config"
+hashi_vault_extra_files_dst: "{{ hashi_vault_config_dir }}/config"
 hashi_vault_extra_container_volumes: "{{ default_container_extra_volumes | union(extra_vault_container_volumes) | unique }}"
 hashi_vault_configuration:
  cluster_name: "{{ vault_cluster_name }}"
@ -159,7 +159,5 @@ hashi_vault_configuration:
  ui: true
  disable_mlock: false
  disable_cache: false
-  listener: "{{ vault_listener_configuration
-    | combine((vault_enable_tls | bool) | ternary(vault_tls_listener_configuration, {}))
-    | combine(vault_extra_listener_configuration | default({})) }}"
+  listener: "{{ vault_listener_configuration }}"
  storage: "{{ vault_storage_configuration }}"
--- a/playbooks/tasks/vault_vars.yml
+++ b/playbooks/tasks/vault_vars.yml
@ -1,6 +1,31 @@
 ---
 # hashistack configuration merging for vault
- name: "Merge service registration configuration"
+- name: "Merge listener configuration"
  ansible.builtin.set_fact:
-    hashi_vault_configuration: "{{ hashi_vault_configuration | combine({'service_registration': vault_service_registration_configuration}) }}"
+    vault_listener_configuration: "{{
+      vault_listener_configuration |
+      combine((vault_enable_tls | bool) | ternary(vault_tls_listener_configuration, {})) |
+      combine(vault_extra_listener_configuration | default({}))
+      }}"
+
+- name: "Merge service registration configuration"
+  vars:
+    _config_to_merge:
+      service_registration: "{{ vault_service_registration_configuration }}"
+  ansible.builtin.set_fact:
+    hashi_vault_configuration: "{{
+      hashi_vault_configuration |
+      combine(_config_to_merge)
+      }}"
  when: vault_enable_service_registration
+
+- name: "Merge plugins configuration"
+  vars:
+    _config_to_merge:
+      plugin_directory: "{{ vault_plugin_directory }}"
+  ansible.builtin.set_fact:
+    hashi_vault_configuration: "{{
+      hashi_vault_configuration |
+      combine(_config_to_merge)
+      }}"
+  when: vault_enable_plugins
--- a/roles/hashicorp_vault
+++ b/roles/hashicorp_vault
@ -1 +1 @@
-Subproject commit daa7aec43351c7fdc6f7cde1ef59d0021fe9fe47
+Subproject commit 581c2eec65eee201f34d585480f33eeed415ee23