From 9417437715133d94c278dd30e4b61e96177a73f8 Mon Sep 17 00:00:00 2001
From: Bertrand Lanson
Date: Wed, 3 Jul 2024 22:17:57 +0200
Subject: [PATCH] feat: add docs on generating credentials
---
docs/quick_start.md | 16 ++++++++++++++++
playbooks/generate_credentials.yml | 8 ++++++++
2 files changed, 24 insertions(+)
diff --git a/docs/quick_start.md b/docs/quick_start.md
index 3e1c54b..8c26845 100644
--- a/docs/quick_start.md
+++ b/docs/quick_start.md
@@ -113,3 +113,19 @@ This will install roles that are not packaged with the collection, but are still
 You should now have some roles inside `./roles/`.
 
 ## Generate Credentials
+
+Before deploying your infrastructure with hashistack-ansible, you need to generate credentials that will be used to bootstrap the various clusters.
+
+This can be done by running the `generate_credentials.yml` playbook.
+
+```bash
+ansible-playbook -i inventory/inventory.ini ednz_cloud.hashistack.generate_credentials.yml
+```
+
+This will create and populate `etc/hashistack/secrets/credentials.yml`
+
+> :warning: This file is VERY SENSITIVE, as it holds the root tokens and other credentials for consul and nomad clusters.
+
+This does not generate vault credentials, as it is not possible to generate those in advance. These credentials will be generated, if you enable the vault deployment, during the bootstrap process of the vault cluster, and stored in `etc/hashistack/secrets/vault.yml`
+
+> :warning: It is HIGHLY recommended to encrypt these two files before enventually commiting them to source control. You can do so using tools like [ansible-vault](https://docs.ansible.com/ansible/latest/cli/ansible-vault.html) or [sops](https://github.com/getsops/sops).
diff --git a/playbooks/generate_credentials.yml b/playbooks/generate_credentials.yml
index 98ea991..c6133ff 100644
--- a/playbooks/generate_credentials.yml
+++ b/playbooks/generate_credentials.yml
@@ -46,6 +46,14 @@ ansible.builtin.set_fact: _nomad_root_token: "{{ lookup('ansible.builtin.password', '/dev/null', chars=['ascii_letters','digits']) | to_uuid }}" + - name: "Ensure secrets directory is created" + ansible.builtin.file: + path: "{{ sub_configuration_directories['secrets'] }}" + state: directory + owner: "{{ lookup('env', 'USER') }}" + group: "{{ lookup('env', 'USER') }}" + mode: '0755' + - name: "Write credentials file" ansible.builtin.template: src: templates/credentials.yml.j2
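Review bot: The new "Ensure secrets directory is created" task sets `mode: '0755'` on the secrets directory, which leaves it readable and traversable by every other local user even though this same commit documents `credentials.yml` as holding the Consul and Nomad root tokens; a directory that exists only to hold secrets should be owner-only, `mode: '0700'`. The `owner`/`group` values come from `lookup('env', 'USER')`, which is presumably empty in some non-interactive contexts (cron, containers, some CI runners) and would then make the `file` task fail or set an unintended owner — consider omitting both so the module defaults to the invoking user, or using `ansible_user_id` if facts are gathered. The "Write credentials file" task continues past the end of the hunk, so I cannot tell whether the `template` call sets a restrictive `mode: '0600'` on the file itself; the directory mode alone does not protect a file written with the default umask.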