From 7f8d8654a4771cb35fbe312a174686424d06e0d0 Mon Sep 17 00:00:00 2001 From: Bertrand Lanson Date: Sun, 14 Jul 2024 16:15:21 +0200 Subject: [PATCH] feat(deployment): Implement new structure for deploying components This allows operators to target specific groups when deploying using the --tags flag of ansible. You can, for now, target consul, consul_servers, consul_agents, nomad, nomad_servers, nomad_clients, vault and haproxy --- .pre-commit-config.yaml | 1 + playbooks/deploy.yml | 62 +++++-------- playbooks/tasks/consul/consul_agents.yml | 6 ++ .../tasks/consul/consul_control_plane.yml | 78 ++++++++++++++++ playbooks/tasks/consul/consul_deploy.yml | 85 +++--------------- playbooks/tasks/nomad/nomad_clients.yml | 11 +++ playbooks/tasks/nomad/nomad_control_plane.yml | 82 +++++++++++++++++ playbooks/tasks/nomad/nomad_deploy.yml | 89 +++--------------- playbooks/tasks/nomad/nomad_vars.yml | 4 - playbooks/tasks/vault/vault_control_plane.yml | 90 +++++++++++++++++++ playbooks/tasks/vault/vault_deploy.yml | 90 ++----------------- 11 files changed, 323 insertions(+), 275 deletions(-) create mode 100644 playbooks/tasks/consul/consul_agents.yml create mode 100644 playbooks/tasks/consul/consul_control_plane.yml create mode 100644 playbooks/tasks/nomad/nomad_clients.yml create mode 100644 playbooks/tasks/nomad/nomad_control_plane.yml create mode 100644 playbooks/tasks/vault/vault_control_plane.yml diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 81f2416..6403a89 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -1,3 +1,4 @@ +--- repos: - repo: https://github.com/pre-commit/pre-commit-hooks rev: v4.5.0 diff --git a/playbooks/deploy.yml b/playbooks/deploy.yml index 8fd7af2..a4e8da7 100644 --- a/playbooks/deploy.yml +++ b/playbooks/deploy.yml 
@@ -1,9 +1,10 @@ --- # hashistack deployment playbook - name: "Deploy" - hosts: all, !deployment + hosts: "{{ target | default('all, !deployment') }}" strategy: linear gather_facts: true + any_errors_fatal: true become: true tasks: - name: "Import variables" 
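Review bot: The new `hosts: "{{ target | default('all, !deployment') }}"` loses the `!deployment` exclusion the moment an operator passes any `target`, so `-e target=all` (or a group that happens to contain the deployment host) runs this `become: true` play against the controller host, which the old hard-coded pattern never did. Keep the exclusion outside the overridable part: `hosts: "{{ target | default('all') }},!deployment"`. The added `any_errors_fatal: true` fits the ACL-bootstrap and unseal tasks later in the play, where stopping on the first failed host is safer than continuing on the rest; a one-line comment above it such as `# stop the whole play on first failure so a partially bootstrapped cluster is not left behind` would record why it is there.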
@@ -12,57 +13,42 @@ tags: - always + # Consul nodes deployment - name: "Deploy Consul" tags: - consul when: - enable_consul | bool - block: - - name: "Deploy Consul Control Plane" - ansible.builtin.import_tasks: - file: tasks/consul/consul_deploy.yml - when: - - "'consul_servers' in group_names" - - - name: "Deploy Consul Agents" - ansible.builtin.include_role: - name: ednz_cloud.hashicorp_consul - when: - - "'consul_agents' in group_names" - - - name: "Deploy Haproxy & Keepalived" ansible.builtin.import_tasks: - file: tasks/haproxy/haproxy_deploy.yml - when: - - enable_haproxy | bool - - "'haproxy_servers' in group_names" + file: tasks/consul/consul_deploy.yml + + # Haproxy nodes deployment + - name: "Deploy Proxies" tags: - haproxy - - - name: "Deploy Vault" - ansible.builtin.import_tasks: - file: tasks/vault/vault_deploy.yml when: - - enable_vault | bool - - "'vault_servers' in group_names" + - enable_haproxy | bool + block: + - name: "Deploy Haproxy & Keepalived" + ansible.builtin.import_tasks: + file: tasks/haproxy/haproxy_deploy.yml + when: + - "'haproxy_servers' in group_names" + + # Vault nodes deployment + - name: "Deploy Vault" tags: - vault + when: + - enable_vault | bool + ansible.builtin.import_tasks: + file: tasks/vault/vault_deploy.yml + # Nomad nodes deployment - name: "Deploy Nomad" tags: - nomad when: - enable_nomad | bool - block: - - name: "Deploy Nomad Control Plane" - ansible.builtin.import_tasks: - file: tasks/nomad/nomad_deploy.yml - when: - - "('nomad_servers' in group_names)" - - - name: "Deploy Nomad Clients" - ansible.builtin.include_role: - name: ednz_cloud.hashicorp_nomad - when: - - "('nomad_clients' in group_names)" - - "('nomad_servers' not in group_names)" + ansible.builtin.import_tasks: + file: tasks/nomad/nomad_deploy.yml diff --git a/playbooks/tasks/consul/consul_agents.yml b/playbooks/tasks/consul/consul_agents.yml new file mode 100644 index 0000000..5d3f446 --- /dev/null +++ b/playbooks/tasks/consul/consul_agents.yml 
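Review bot: The Haproxy stanza is now the one outlier: it wraps a single static import in a `block` and keeps the `'haproxy_servers' in group_names` check in this playbook, while the Consul, Vault and Nomad stanzas push the group check and the `*_servers` tag down into their `tasks/*/*_deploy.yml`. Flattening it to the same shape — `ansible.builtin.import_tasks: file: tasks/haproxy/haproxy_deploy.yml` under `when: enable_haproxy | bool` — and moving the group check plus a `haproxy_servers` tag into `haproxy_deploy.yml` would make the tag surface the commit message advertises uniform. Because these are static imports, each `when:` here is re-evaluated on every imported task, so a host where e.g. `enable_vault` is not defined fails at the first Vault task instead of being skipped; if the variables loaded under `tags: always` do not guarantee those flags, `enable_vault | default(false) | bool` is the safer spelling.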
@@ -0,0 +1,6 @@
+---
+- name: "Consul agents"
+ block:
+ - name: "Deploy Consul Agents"
+ ansible.builtin.include_role:
+ name: ednz_cloud.hashicorp_consul
diff --git a/playbooks/tasks/consul/consul_control_plane.yml b/playbooks/tasks/consul/consul_control_plane.yml
new file mode 100644
index 0000000..21f8b2f
--- /dev/null
+++ b/playbooks/tasks/consul/consul_control_plane.yml
@@ -0,0 +1,78 @@
+---
+- name: "Consul control plane"
+ block:
+ - name: "Include ednz_cloud.hashicorp_consul"
+ ansible.builtin.include_role:
+ name: ednz_cloud.hashicorp_consul
+
+ - name: "Wait for consul cluster to initialize" # noqa: run-once[task]
+ block:
+ - name: "Wait for consul nodes to stabilize"
+ ansible.builtin.wait_for:
+ host: "{{ api_interface_address }}"
+ port: "{{ consul_api_port[consul_api_scheme] }}"
+ delay: 10
+
+ - name: "Waiting for consul api to respond"
+ ansible.builtin.uri:
+ url: "{{ consul_api_addr }}"
+ validate_certs: no
+ return_content: yes
+ status_code:
+ - 200
+ until: uri_output.status == 200
+ retries: 24
+ delay: 5
+ register: uri_output
+
+ - name: "Initialize consul cluster" # noqa: run-once[task]
+ community.general.consul_acl_bootstrap:
+ bootstrap_secret: "{{ _credentials.consul.root_token.secret_id }}"
+ host: "{{ api_interface_address }}"
+ port: "{{ consul_api_port[consul_api_scheme] }}"
+ scheme: "{{ consul_api_scheme }}"
+ state: present
+ register: _consul_init_secret
+ when:
+ - consul_init_server
+ - hashicorp_consul_configuration.acl.enabled
+
+ - name: "Create consul agents token"
+ when:
+ - consul_init_server
+ - hashicorp_consul_configuration.acl.enabled
+ block:
+ - name: "Create consul agents token" # noqa: run-once[task] no-handler
+ block:
+ - name: "Create consul agent policy"
+ community.general.consul_policy:
+ token: "{{ _credentials.consul.root_token.secret_id }}"
+ host: "{{ api_interface_address }}"
+ port: "{{ consul_api_port[consul_api_scheme] }}"
+ scheme: "{{ consul_api_scheme }}"
+ validate_certs: false
+ state: present
+ name: agents-policy
+ rules: "{{ consul_default_agent_policy }}"
+ register: _consul_agent_policy
+
+ - name: "Create consul agents token"
+ community.general.consul_token:
+ token: "{{ _credentials.consul.root_token.secret_id }}"
+ host: "{{ api_interface_address }}"
+ port: "{{ consul_api_port[consul_api_scheme] }}"
+ scheme: "{{ consul_api_scheme }}"
+ validate_certs: false
+ accessor_id: "{{ _credentials.consul.tokens.agent.accessor_id }}"
+ secret_id: "{{ _credentials.consul.tokens.agent.secret_id }}"
+ policies:
+ - id: "{{ _consul_agent_policy.policy.ID }}"
+ state: present
+ register: _consul_agent_token
+
+ - name: "Restart consul service" # noqa: no-handler
+ ansible.builtin.service:
+ name: "{{ hashicorp_consul_service_name }}"
+ state: restarted
+ throttle: 1
+ when: _consul_agent_token.changed
diff --git a/playbooks/tasks/consul/consul_deploy.yml b/playbooks/tasks/consul/consul_deploy.yml
index cb92c82..4271b3f 100644
--- a/playbooks/tasks/consul/consul_deploy.yml
+++ b/playbooks/tasks/consul/consul_deploy.yml
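Review bot: Every call in this file that carries the Consul management token — the `uri` readiness probe (`validate_certs: no`) and both `consul_policy`/`consul_token` tasks (`validate_certs: false`) — disables certificate verification, so when `consul_api_scheme` is `https` the root token is sent to whatever answers on `api_interface_address` without the peer being authenticated. The file is a straight move, so the commit does not introduce this, but it is the moment to parameterize it: `validate_certs: "{{ consul_tls_verify | default(true) }}"` (plus a `ca_path` if the role exposes its CA bundle), mirroring the `vault_tls_verify` variable the Vault tasks already pass through. Separately, `validate_certs: no` and `return_content: yes` on the `uri` task are YAML 1.1 truthy spellings while the rest of the file uses `true`/`false`; write them as `validate_certs: false` and `return_content: true`.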
@@ -1,78 +1,19 @@ --- - name: "Consul" block: - - name: "Include ednz_cloud.hashicorp_consul" - ansible.builtin.include_role: - name: ednz_cloud.hashicorp_consul - - - name: "Wait for consul cluster to initialize" # noqa: run-once[task] - block: - - name: "Wait for consul nodes to stabilize" - ansible.builtin.wait_for: - host: "{{ api_interface_address }}" - port: "{{ consul_api_port[consul_api_scheme] }}" - delay: 10 - - - name: "Waiting for consul api to respond" - ansible.builtin.uri: - url: "{{ consul_api_addr }}" - validate_certs: no - return_content: yes - status_code: - - 200 - until: uri_output.status == 200 - retries: 24 - delay: 5 - register: uri_output - - - name: "Initialize consul cluster" # noqa: run-once[task] - community.general.consul_acl_bootstrap: - bootstrap_secret: "{{ _credentials.consul.root_token.secret_id }}" - host: "{{ api_interface_address }}" - port: "{{ consul_api_port[consul_api_scheme] }}" - scheme: "{{ consul_api_scheme }}" - state: present - register: _consul_init_secret + - name: "Deploy Consul Control Plane" + ansible.builtin.import_tasks: + file: consul_control_plane.yml when: - - consul_init_server - - hashicorp_consul_configuration.acl.enabled + - "'consul_servers' in group_names" + tags: + - consul_servers - - name: "Create consul agents token" + - name: "Deploy Consul Agents" + ansible.builtin.import_tasks: + file: consul_agents.yml when: - - consul_init_server - - hashicorp_consul_configuration.acl.enabled - block: - - name: "Create consul agents token" # noqa: run-once[task] no-handler - block: - - name: "Create consul agent policy" - community.general.consul_policy: - token: "{{ _credentials.consul.root_token.secret_id }}" - host: "{{ api_interface_address }}" - port: "{{ consul_api_port[consul_api_scheme] }}" - scheme: "{{ consul_api_scheme }}" - validate_certs: false - state: present - name: agents-policy - rules: "{{ consul_default_agent_policy }}" - register: _consul_agent_policy - - - name: "Create consul agents 
token" - community.general.consul_token: - token: "{{ _credentials.consul.root_token.secret_id }}" - host: "{{ api_interface_address }}" - port: "{{ consul_api_port[consul_api_scheme] }}" - scheme: "{{ consul_api_scheme }}" - validate_certs: false - accessor_id: "{{ _credentials.consul.tokens.agent.accessor_id }}" - secret_id: "{{ _credentials.consul.tokens.agent.secret_id }}" - policies: - - id: "{{ _consul_agent_policy.policy.ID }}" - state: present - register: _consul_agent_token - - - name: "Restart consul service" # noqa: no-handler - ansible.builtin.service: - name: "{{ hashicorp_consul_service_name }}" - state: restarted - throttle: 1 - when: _consul_agent_token.changed + - "'consul_agents' in group_names" + - "'consul_servers' not in group_names" + tags: + - consul_agents diff --git a/playbooks/tasks/nomad/nomad_clients.yml b/playbooks/tasks/nomad/nomad_clients.yml new file mode 100644 index 0000000..cc64582 --- /dev/null +++ b/playbooks/tasks/nomad/nomad_clients.yml @@ -0,0 +1,11 @@ +--- +- name: "Nomad clients" + block: + - name: "Install docker driver" + ansible.builtin.include_role: + name: ednz_cloud.install_docker + when: nomad_driver_enable_docker + + - name: "Deploy Nomad Clients" + ansible.builtin.include_role: + name: ednz_cloud.hashicorp_nomad diff --git a/playbooks/tasks/nomad/nomad_control_plane.yml b/playbooks/tasks/nomad/nomad_control_plane.yml new file mode 100644 index 0000000..df7fdaf --- /dev/null +++ b/playbooks/tasks/nomad/nomad_control_plane.yml 
@@ -0,0 +1,82 @@
+---
+- name: "Nomad control plane"
+ block:
+ - name: "Create consul tokens for service registration"
+ when:
+ - nomad_init_server
+ - enable_consul
+ - nomad_enable_consul_integration
+ vars:
+ _consul_host: "{{ hostvars[groups['consul_servers'][0]].api_interface_address }}"
+ _consul_port: "{{ hostvars[groups['consul_servers'][0]].consul_api_port[hostvars[groups['consul_servers'][0]].consul_api_scheme] }}"
+ _consul_scheme: "{{ hostvars[groups['consul_servers'][0]].consul_api_scheme }}"
+ block:
+ - name: "Create server credentials"
+ block:
+ - name: "Create consul server policy"
+ community.general.consul_policy:
+ token: "{{ _credentials.consul.root_token.secret_id }}"
+ host: "{{ _consul_host }}"
+ port: "{{ _consul_port }}"
+ scheme: "{{ _consul_scheme }}"
+ validate_certs: false
+ state: present
+ name: nomad-server-policy
+ rules: "{{ nomad_consul_integration_server_policy }}"
+ register: _consul_nomad_server_policy
+
+ - name: "Create consul server token" # noqa: no-handler
+ community.general.consul_token:
+ token: "{{ _credentials.consul.root_token.secret_id }}"
+ host: "{{ _consul_host }}"
+ port: "{{ _consul_port }}"
+ scheme: "{{ _consul_scheme }}"
+ validate_certs: false
+ accessor_id: "{{ _credentials.consul.tokens.nomad.server.accessor_id }}"
+ secret_id: "{{ _credentials.consul.tokens.nomad.server.secret_id }}"
+ policies:
+ - id: "{{ _consul_nomad_server_policy.policy.ID }}"
+ state: present
+ when: _consul_nomad_server_policy.changed
+
+ - name: "Create client credentials"
+ block:
+ - name: "Create consul client policy"
+ community.general.consul_policy:
+ token: "{{ _credentials.consul.root_token.secret_id }}"
+ host: "{{ _consul_host }}"
+ port: "{{ _consul_port }}"
+ scheme: "{{ _consul_scheme }}"
+ validate_certs: false
+ state: present
+ name: nomad-client-policy
+ rules: "{{ nomad_consul_integration_client_policy }}"
+ register: _consul_nomad_client_policy
+
+ - name: "Create consul client token" # noqa: no-handler
+ community.general.consul_token:
+ token: "{{ _credentials.consul.root_token.secret_id }}"
+ host: "{{ _consul_host }}"
+ port: "{{ _consul_port }}"
+ scheme: "{{ _consul_scheme }}"
+ validate_certs: false
+ accessor_id: "{{ _credentials.consul.tokens.nomad.client.accessor_id }}"
+ secret_id: "{{ _credentials.consul.tokens.nomad.client.secret_id }}"
+ policies:
+ - id: "{{ _consul_nomad_client_policy.policy.ID }}"
+ state: present
+ when: _consul_nomad_client_policy.changed
+
+ - name: "Include ednz_cloud.hashicorp_nomad"
+ ansible.builtin.include_role:
+ name: ednz_cloud.hashicorp_nomad
+
+ - name: "Initialize nomad cluster" # noqa: run-once[task]
+ ednz_cloud.hashistack.nomad_acl_bootstrap:
+ bootstrap_secret: "{{ _credentials.nomad.root_token.secret_id }}"
+ api_url: "{{ nomad_api_addr }}"
+ tls_verify: false
+ register: _nomad_init_secret
+ when:
+ - nomad_init_server
+ - hashicorp_nomad_configuration.acl.enabled
diff --git a/playbooks/tasks/nomad/nomad_deploy.yml b/playbooks/tasks/nomad/nomad_deploy.yml
index dde9fa8..64dfd8b 100644
--- a/playbooks/tasks/nomad/nomad_deploy.yml
+++ b/playbooks/tasks/nomad/nomad_deploy.yml
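Review bot: Both `consul_token` tasks are gated on `when: _consul_nomad_server_policy.changed` / `when: _consul_nomad_client_policy.changed`, so a token is only created on the run that first creates its policy; if that run fails between the two tasks, or the token is later revoked, every later run sees an unchanged policy and skips the token for good, leaving Nomad without Consul credentials. The agent token in `consul_control_plane.yml` has no such guard, and `consul_token` with a fixed `accessor_id`/`secret_id` is idempotent, so drop both `when:` lines (and the `# noqa: no-handler` markers that exist only to excuse them). Also, `tls_verify: false` on `nomad_acl_bootstrap` is hard-coded while the Vault equivalent passes `{{ vault_tls_verify }}`; a `nomad_tls_verify` variable defaulting to `true` would stop the bootstrap secret from being sent to an unverified endpoint when `nomad_api_addr` is https.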
@@ -1,82 +1,19 @@ --- - name: "Nomad" block: - - name: "Create consul tokens for service registration" + - name: "Deploy Nomad Control Plane" + ansible.builtin.import_tasks: + file: nomad_control_plane.yml when: - - nomad_init_server - - enable_consul - - nomad_enable_consul_integration - vars: - _consul_host: "{{ hostvars[groups['consul_servers'][0]].api_interface_address }}" - _consul_port: "{{ hostvars[groups['consul_servers'][0]].consul_api_port[hostvars[groups['consul_servers'][0]].consul_api_scheme] }}" - _consul_scheme: "{{ hostvars[groups['consul_servers'][0]].consul_api_scheme }}" - block: - - name: "Create server credentials" - block: - - name: "Create consul server policy" - community.general.consul_policy: - token: "{{ _credentials.consul.root_token.secret_id }}" - host: "{{ _consul_host }}" - port: "{{ _consul_port }}" - scheme: "{{ _consul_scheme }}" - validate_certs: false - state: present - name: nomad-server-policy - rules: "{{ nomad_consul_integration_server_policy }}" - register: _consul_nomad_server_policy + - "'nomad_servers' in group_names" + tags: + - nomad_servers - - name: "Create consul server token" - community.general.consul_token: - token: "{{ _credentials.consul.root_token.secret_id }}" - host: "{{ _consul_host }}" - port: "{{ _consul_port }}" - scheme: "{{ _consul_scheme }}" - validate_certs: false - accessor_id: "{{ _credentials.consul.tokens.nomad.server.accessor_id }}" - secret_id: "{{ _credentials.consul.tokens.nomad.server.secret_id }}" - policies: - - id: "{{ _consul_nomad_server_policy.policy.ID }}" - state: present - when: _consul_nomad_server_policy.changed - - - name: "Create client credentials" - block: - - name: "Create consul client policy" - community.general.consul_policy: - token: "{{ _credentials.consul.root_token.secret_id }}" - host: "{{ _consul_host }}" - port: "{{ _consul_port }}" - scheme: "{{ _consul_scheme }}" - validate_certs: false - state: present - name: nomad-client-policy - rules: "{{ 
nomad_consul_integration_client_policy }}" - register: _consul_nomad_client_policy - - - name: "Create consul client token" - community.general.consul_token: - token: "{{ _credentials.consul.root_token.secret_id }}" - host: "{{ _consul_host }}" - port: "{{ _consul_port }}" - scheme: "{{ _consul_scheme }}" - validate_certs: false - accessor_id: "{{ _credentials.consul.tokens.nomad.client.accessor_id }}" - secret_id: "{{ _credentials.consul.tokens.nomad.client.secret_id }}" - policies: - - id: "{{ _consul_nomad_client_policy.policy.ID }}" - state: present - when: _consul_nomad_client_policy.changed - - - name: "Include ednz_cloud.hashicorp_nomad" - ansible.builtin.include_role: - name: ednz_cloud.hashicorp_nomad - - - name: "Initialize nomad cluster" # noqa: run-once[task] - ednz_cloud.hashistack.nomad_acl_bootstrap: - bootstrap_secret: "{{ _credentials.nomad.root_token.secret_id }}" - api_url: "{{ nomad_api_addr }}" - tls_verify: false - register: _nomad_init_secret + - name: "Deploy Nomad Clients" + ansible.builtin.import_tasks: + file: nomad_clients.yml when: - - nomad_init_server - - hashicorp_nomad_configuration.acl.enabled + - "'nomad_clients' in group_names" + - "'nomad_servers' not in group_names" + tags: + - nomad_clients diff --git a/playbooks/tasks/nomad/nomad_vars.yml b/playbooks/tasks/nomad/nomad_vars.yml index 97c6af2..522af01 100644 --- a/playbooks/tasks/nomad/nomad_vars.yml +++ b/playbooks/tasks/nomad/nomad_vars.yml @@ -123,7 +123,3 @@ combine(_config_to_merge, recursive=true) }}" when: nomad_extra_configuration is defined - -- name: "Print nomad configuration" - ansible.builtin.debug: - msg: "{{ hashicorp_nomad_configuration }}" diff --git a/playbooks/tasks/vault/vault_control_plane.yml b/playbooks/tasks/vault/vault_control_plane.yml new file mode 100644 index 0000000..5246405 --- /dev/null +++ b/playbooks/tasks/vault/vault_control_plane.yml 
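Review bot: A host that is in both `nomad_servers` and `nomad_clients` is routed to `nomad_control_plane.yml` only, and `nomad_clients.yml` — where the new "Install docker driver" task lives — is skipped by the `'nomad_servers' not in group_names` condition, so servers that also run a client never get the Docker driver. The exclusion is inherited from the old playbook, but the driver install is new in this commit and must run on every client, so hoist it into this file ahead of both imports and drop it from `nomad_clients.yml`:

```yaml
- name: "Nomad"
  block:
    - name: "Install docker driver"
      ansible.builtin.include_role:
        name: ednz_cloud.install_docker
      when:
        - "'nomad_clients' in group_names"
        - nomad_driver_enable_docker | bool
      tags:
        - nomad_clients

    # … unchanged: control-plane and client imports …
```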
@@ -0,0 +1,90 @@
+---
+- name: "Vault control plane"
+ block:
+ - name: "Create consul token for service registration"
+ when:
+ - vault_init_server
+ - enable_consul
+ - vault_enable_service_registration
+ vars:
+ _consul_vault_sr_host: "{{ hostvars[groups['consul_servers'][0]].api_interface_address }}"
+ _consul_vault_sr_port: "{{ hostvars[groups['consul_servers'][0]].consul_api_port[hostvars[groups['consul_servers'][0]].consul_api_scheme] }}"
+ _consul_vault_sr_scheme: "{{ hostvars[groups['consul_servers'][0]].consul_api_scheme }}"
+ block:
+ - name: "Create consul vault policy"
+ community.general.consul_policy:
+ token: "{{ _credentials.consul.root_token.secret_id }}"
+ host: "{{ _consul_vault_sr_host }}"
+ port: "{{ _consul_vault_sr_port }}"
+ scheme: "{{ _consul_vault_sr_scheme }}"
+ validate_certs: false
+ state: present
+ name: vault-policy
+ rules: "{{ vault_service_registration_policy }}"
+ register: _consul_vault_policy
+
+ - name: "Create consul vault token" # noqa: no-handler
+ community.general.consul_token:
+ token: "{{ _credentials.consul.root_token.secret_id }}"
+ host: "{{ _consul_vault_sr_host }}"
+ port: "{{ _consul_vault_sr_port }}"
+ scheme: "{{ _consul_vault_sr_scheme }}"
+ validate_certs: false
+ accessor_id: "{{ _credentials.consul.tokens.vault.accessor_id }}"
+ secret_id: "{{ _credentials.consul.tokens.vault.secret_id }}"
+ policies:
+ - id: "{{ _consul_vault_policy.policy.ID }}"
+ state: present
+ when: _consul_vault_policy.changed
+
+ - name: "Include ednz_cloud.hashicorp_consul"
+ ansible.builtin.include_role:
+ name: ednz_cloud.hashicorp_vault
+
+ - name: "Initialize vault cluster" # noqa: run-once[task]
+ ednz_cloud.hashistack.vault_init:
+ api_url: "{{ hashicorp_vault_configuration['api_addr'] }}"
+ tls_verify: "{{ vault_tls_verify }}"
+ key_shares: "{{ vault_seal_configuration['key_shares'] }}"
+ key_threshold: "{{ vault_seal_configuration['key_threshold'] }}"
+ retries: 5
+ delay: 5
+ register: _vault_init_secret
+ until: not _vault_init_secret.failed
+ when: vault_init_server
+
+ - name: "Write vault configuration to file" # noqa: run-once[task] no-handler
+ ansible.builtin.copy:
+ content: "{{ _vault_init_secret.state | to_nice_yaml(indent=2) }}"
+ dest: "{{ sub_configuration_directories.secrets }}/vault.yml"
+ owner: "{{ lookup('env', 'USER') }}"
+ group: "{{ lookup('env', 'USER') }}"
+ mode: "0644"
+ when:
+ - vault_init_server
+ - _vault_init_secret.changed
+ delegate_to: localhost
+
+ - name: "Load vault cluster variables necessary for unseal operation"
+ ansible.builtin.import_tasks:
+ file: ../misc/load_credentials_vars.yml
+
+ - name: "Unseal the bootstrap node" # noqa: run-once[task] no-handler
+ ednz_cloud.hashistack.vault_unseal:
+ api_url: "{{ hashicorp_vault_configuration['api_addr'] }}"
+ tls_verify: "{{ vault_tls_verify }}"
+ key_shares: "{{ _credentials.vault['keys'] }}"
+ when:
+ - vault_init_server
+ - _vault_init_secret.changed
+ register: _vault_unseal_secret
+
+ - name: "Unseal all vault nodes"
+ ednz_cloud.hashistack.vault_unseal:
+ api_url: "{{ hashicorp_vault_configuration['api_addr'] }}"
+ tls_verify: "{{ vault_tls_verify }}"
+ key_shares: "{{ _credentials.vault['keys'] }}"
+ retries: 5
+ delay: 5
+ until: _unseal_status.changed or not _unseal_status.failed
+ register: _unseal_status
diff --git a/playbooks/tasks/vault/vault_deploy.yml b/playbooks/tasks/vault/vault_deploy.yml
index dbbb348..21c1016 100644
--- a/playbooks/tasks/vault/vault_deploy.yml
+++ b/playbooks/tasks/vault/vault_deploy.yml
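Review bot: "Write vault configuration to file" persists `_vault_init_secret.state` — which the following unseal tasks read back as `_credentials.vault['keys']`, so it holds at least the unseal key shares and presumably the initial root token — to `{{ sub_configuration_directories.secrets }}/vault.yml` with `mode: "0644"`, i.e. readable by every local account on the controller. Change it to `mode: "0600"`; nothing in this file needs the secrets file to be group- or world-readable. Two smaller points: the gating variable is renamed from `vault_init_cluster` to `vault_init_server` in this file, so the inventory or defaults must define the new name or every `when:` here fails on an undefined variable; and the `consul_token` task is skipped unless the policy task reports `changed`, so a Vault service-registration token lost after the first run is never recreated (the same pattern as in `nomad_control_plane.yml`, and dropping the `when:` is the fix there too).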
@@ -1,90 +1,10 @@ --- - name: "Vault" block: - - name: "Create consul token for service registration" - when: - - vault_init_cluster - - enable_consul - - vault_enable_service_registration - vars: - _consul_vault_sr_host: "{{ hostvars[groups['consul_servers'][0]].api_interface_address }}" - _consul_vault_sr_port: "{{ hostvars[groups['consul_servers'][0]].consul_api_port[hostvars[groups['consul_servers'][0]].consul_api_scheme] }}" - _consul_vault_sr_scheme: "{{ hostvars[groups['consul_servers'][0]].consul_api_scheme }}" - block: - - name: "Create consul vault policy" - community.general.consul_policy: - token: "{{ _credentials.consul.root_token.secret_id }}" - host: "{{ _consul_vault_sr_host }}" - port: "{{ _consul_vault_sr_port }}" - scheme: "{{ _consul_vault_sr_scheme }}" - validate_certs: false - state: present - name: vault-policy - rules: "{{ vault_service_registration_policy }}" - register: _consul_vault_policy - - - name: "Create consul vault token" - community.general.consul_token: - token: "{{ _credentials.consul.root_token.secret_id }}" - host: "{{ _consul_vault_sr_host }}" - port: "{{ _consul_vault_sr_port }}" - scheme: "{{ _consul_vault_sr_scheme }}" - validate_certs: false - accessor_id: "{{ _credentials.consul.tokens.vault.accessor_id }}" - secret_id: "{{ _credentials.consul.tokens.vault.secret_id }}" - policies: - - id: "{{ _consul_vault_policy.policy.ID }}" - state: present - when: _consul_vault_policy.changed - - - name: "Include ednz_cloud.hashicorp_consul" - ansible.builtin.include_role: - name: ednz_cloud.hashicorp_vault - - - name: "Initialize vault cluster" # noqa: run-once[task] - ednz_cloud.hashistack.vault_init: - api_url: "{{ hashicorp_vault_configuration['api_addr'] }}" - tls_verify: "{{ vault_tls_verify }}" - key_shares: "{{ vault_seal_configuration['key_shares'] }}" - key_threshold: "{{ vault_seal_configuration['key_threshold'] }}" - retries: 5 - delay: 5 - register: _vault_init_secret - until: not _vault_init_secret.failed - when: 
vault_init_cluster - - - name: "Write vault configuration to file" # noqa: run-once[task] no-handler - ansible.builtin.copy: - content: "{{ _vault_init_secret.state | to_nice_yaml(indent=2) }}" - dest: "{{ sub_configuration_directories.secrets }}/vault.yml" - owner: "{{ lookup('env', 'USER') }}" - group: "{{ lookup('env', 'USER') }}" - mode: "0644" - when: - - vault_init_cluster - - _vault_init_secret.changed - delegate_to: localhost - - - name: "Load vault cluster variables necessary for unseal operation" + - name: "Deploy Vault Control Plane" ansible.builtin.import_tasks: - file: ../misc/load_credentials_vars.yml - - - name: "Unseal the bootstrap node" # noqa: run-once[task] no-handler - ednz_cloud.hashistack.vault_unseal: - api_url: "{{ hashicorp_vault_configuration['api_addr'] }}" - tls_verify: "{{ vault_tls_verify }}" - key_shares: "{{ _credentials.vault['keys'] }}" + file: vault_control_plane.yml when: - - vault_init_cluster - - _vault_init_secret.changed - register: _vault_unseal_secret - - - name: "Unseal all vault nodes" - ednz_cloud.hashistack.vault_unseal: - api_url: "{{ hashicorp_vault_configuration['api_addr'] }}" - tls_verify: "{{ vault_tls_verify }}" - key_shares: "{{ _credentials.vault['keys'] }}" - retries: 5 - delay: 5 - until: _unseal_status.changed or not _unseal_status.failed - register: _unseal_status + - "'vault_servers' in group_names" + tags: + - vault_servers