ansible-collections/hcp-ansible
ansible-collections/hcp-ansible
4
0
Fork 0
Code Issues 3 Pull Requests Actions Packages Projects 1 Releases Wiki Activity
main
hcp-ansible/roles/vault/tasks/configure.yml
Bertrand Lanson 20344bdebe
All checks were successful
development / Check commit compliance (push) Successful in 25s
Details
pull-requests-open / Check commit compliance (pull_request) Successful in 8s
Details
test / Retrieve Credentials (pull_request) Successful in 32s
Details
test / end_to_end_consul (consul_default, debian11) (pull_request) Successful in 3m33s
Details
test / end_to_end_consul (consul_default, debian12) (pull_request) Successful in 3m32s
Details
test / end_to_end_consul (consul_default, ubuntu2004) (pull_request) Successful in 3m45s
Details
test / end_to_end_consul (consul_default, ubuntu2204) (pull_request) Successful in 1m35s
Details
test / end_to_end_consul (consul_default, ubuntu2404) (pull_request) Successful in 1m34s
Details
test / end_to_end_consul (consul_with_acl_enabled, debian11) (pull_request) Successful in 1m23s
Details
test / end_to_end_consul (consul_with_acl_enabled, debian12) (pull_request) Successful in 1m36s
Details
test / end_to_end_consul (consul_with_acl_enabled, ubuntu2204) (pull_request) Successful in 1m33s
Details
test / end_to_end_consul (consul_with_acl_enabled, ubuntu2004) (pull_request) Successful in 1m47s
Details
test / end_to_end_nomad (nomad_default, debian11) (pull_request) Successful in 1m6s
Details
test / end_to_end_nomad (nomad_default, debian12) (pull_request) Successful in 1m8s
Details
test / end_to_end_consul (consul_with_acl_enabled, ubuntu2404) (pull_request) Successful in 1m33s
Details
test / end_to_end_nomad (nomad_default, ubuntu2004) (pull_request) Successful in 1m13s
Details
test / end_to_end_nomad (nomad_default, ubuntu2404) (pull_request) Successful in 1m15s
Details
test / end_to_end_nomad (nomad_default, ubuntu2204) (pull_request) Successful in 1m31s
Details
test / end_to_end_nomad (nomad_with_acl_enabled, debian11) (pull_request) Successful in 1m7s
Details
test / end_to_end_nomad (nomad_with_acl_enabled, debian12) (pull_request) Successful in 1m9s
Details
test / end_to_end_nomad (nomad_with_acl_enabled, ubuntu2004) (pull_request) Successful in 1m15s
Details
test / end_to_end_nomad (nomad_with_acl_enabled, ubuntu2204) (pull_request) Successful in 1m12s
Details
test / end_to_end_nomad (nomad_with_acl_enabled, ubuntu2404) (pull_request) Successful in 1m17s
Details
test / end_to_end_vault (vault_default, debian11) (pull_request) Successful in 1m32s
Details
test / end_to_end_vault (vault_default, debian12) (pull_request) Successful in 1m39s
Details
test / end_to_end_vault (vault_default, ubuntu2004) (pull_request) Successful in 1m36s
Details
test / end_to_end_vault (vault_default, ubuntu2204) (pull_request) Successful in 1m24s
Details
test / end_to_end_vault (vault_default, ubuntu2404) (pull_request) Successful in 1m41s
Details
test / end_to_end_vault (vault_with_raft_enabled, debian11) (pull_request) Successful in 1m23s
Details
test / end_to_end_vault (vault_with_raft_enabled, debian12) (pull_request) Successful in 1m24s
Details
test / end_to_end_vault (vault_with_raft_enabled, ubuntu2004) (pull_request) Successful in 1m28s
Details
test / end_to_end_vault (vault_with_raft_enabled, ubuntu2204) (pull_request) Successful in 1m30s
Details
test / end_to_end_vault (vault_with_raft_enabled, ubuntu2404) (pull_request) Successful in 1m32s
Details
feat: add automatic reload of vault service for certificate reloading 
This feature adds logic to automatically reload the vault service if tls is
enbabled and the certificates have changed. This only tracks certificates copied
by the extra_files logic.
2024-11-10 17:07:14 +01:00

141 lines
4.5 KiB
YAML
Raw Permalink Blame History

---
# task/configure file for vault
- name: "Vault | Create vault.env"
ansible.builtin.template:
src: vault.env.j2
dest: "{{ vault_config_dir }}/vault.env"
owner: "{{ vault_user }}"
group: "{{ vault_group }}"
mode: "0600"
register: _vault_env_file
- name: "Vault | Copy vault.json template"
ansible.builtin.template:
src: vault.json.j2
dest: "{{ vault_config_dir }}/vault.json"
owner: "{{ vault_user }}"
group: "{{ vault_group }}"
mode: "0600"
register: _vault_config_file
- name: "Vault | Set restart-check variable"
ansible.builtin.set_fact:
_vault_service_need_restart: true
when: _vault_env_file.changed or
_vault_config_file.changed
- name: "Vault | Gather initial checksums for certificate files"
ansible.builtin.stat:
path: "{{ item }}"
checksum_algorithm: sha1
loop: "{{ vault_certificates_reload_watchlist }}"
when: vault_enable_tls
register: _vault_initial_cert_checksums
- name: "Vault | Normalize initial checksums"
ansible.builtin.set_fact:
# This needs to be optimized, but I have spent so much time on it not
# working that I will keep it as is for now, and we'll see later.
_vault_initial_checksums_normalized: >-
{% filter trim %}
{% set checksums = [] %}
{% for item in _vault_initial_cert_checksums.results %}
{% set _ = checksums.append({
'item': item.item,
'initial_checksum': (item.stat.checksum | default('absent'))
}) %}
{% endfor %}
{{ checksums }}
{% endfilter %}
when: vault_enable_tls
- name: "Vault | Copy extra configuration files"
when: vault_extra_files
block:
- name: "Vault | Get extra file types"
ansible.builtin.stat:
path: "{{ item.src }}"
loop: "{{ vault_extra_files_list }}"
register: vault_extra_file_stat
delegate_to: localhost
- name: "Vault | Set list for file sources"
vars:
_vault_file_sources: []
ansible.builtin.set_fact:
_vault_file_sources: "{{ _vault_file_sources + [item.item] }}"
when: item.stat.isreg
loop: "{{ vault_extra_file_stat.results }}"
loop_control:
loop_var: item
delegate_to: localhost
- name: "Vault | Set list for directory sources"
vars:
_vault_dir_sources: []
ansible.builtin.set_fact:
_vault_dir_sources: "{{ _vault_dir_sources + [item.item] }}"
when: item.stat.isdir
loop: "{{ vault_extra_file_stat.results }}"
loop_control:
loop_var: item
delegate_to: localhost
- name: "Vault | Template extra file sources"
ansible.builtin.template:
src: "{{ item.src }}"
dest: "{{ item.dest | regex_replace('\\.j2$', '') }}"
owner: "{{ vault_user }}"
group: "{{ vault_group }}"
mode: "0700"
loop: "{{ _vault_file_sources }}"
when: _vault_file_sources is defined
- name: "Vault | Template extra directory sources"
ansible.builtin.include_tasks: recursive_copy_extra_dirs.yml
loop: "{{ _vault_dir_sources }}"
loop_control:
loop_var: dir_source_item
when: _vault_dir_sources is defined
- name: "Vault | Gather final checksums for certificate files"
ansible.builtin.stat:
path: "{{ item }}"
checksum_algorithm: sha1
loop: "{{ vault_certificates_reload_watchlist }}"
when: vault_enable_tls
register: _vault_final_cert_checksums
- name: "Vault | Normalize final checksums"
ansible.builtin.set_fact:
# This needs to be optimized, but I have spent so much time on it not
# working that I will keep it as is for now, and we'll see later.
_vault_final_checksums_normalized: >-
{% filter trim %}
{% set checksums = [] %}
{% for item in _vault_final_cert_checksums.results %}
{% set _ = checksums.append({
'item': item.item,
'final_checksum': (item.stat.checksum | default('absent'))
}) %}
{% endfor %}
{{ checksums }}
{% endfilter %}
when: vault_enable_tls
- name: "Vault | Merge initial and final checksum lists"
ansible.builtin.set_fact:
_vault_checksums_list: >-
{{
_vault_initial_checksums_normalized |
community.general.lists_mergeby(_vault_final_checksums_normalized, 'item')
}}
when: vault_enable_tls
- name: "Vault | Determine if certificates have changed or were newly added"
ansible.builtin.set_fact:
_vault_service_need_reload: true
when:
- vault_enable_tls
- _vault_checksums_list | json_query('[?initial_checksum!=final_checksum]') | list| length > 0
Reference in New Issue View Git Blame Copy Permalink