Bertrand Lanson
20344bdebe
All checks were successful
development / Check commit compliance (push) Successful in 25s
pull-requests-open / Check commit compliance (pull_request) Successful in 8s
test / Retrieve Credentials (pull_request) Successful in 32s
test / end_to_end_consul (consul_default, debian11) (pull_request) Successful in 3m33s
test / end_to_end_consul (consul_default, debian12) (pull_request) Successful in 3m32s
test / end_to_end_consul (consul_default, ubuntu2004) (pull_request) Successful in 3m45s
test / end_to_end_consul (consul_default, ubuntu2204) (pull_request) Successful in 1m35s
test / end_to_end_consul (consul_default, ubuntu2404) (pull_request) Successful in 1m34s
test / end_to_end_consul (consul_with_acl_enabled, debian11) (pull_request) Successful in 1m23s
test / end_to_end_consul (consul_with_acl_enabled, debian12) (pull_request) Successful in 1m36s
test / end_to_end_consul (consul_with_acl_enabled, ubuntu2204) (pull_request) Successful in 1m33s
test / end_to_end_consul (consul_with_acl_enabled, ubuntu2004) (pull_request) Successful in 1m47s
test / end_to_end_nomad (nomad_default, debian11) (pull_request) Successful in 1m6s
test / end_to_end_nomad (nomad_default, debian12) (pull_request) Successful in 1m8s
test / end_to_end_consul (consul_with_acl_enabled, ubuntu2404) (pull_request) Successful in 1m33s
test / end_to_end_nomad (nomad_default, ubuntu2004) (pull_request) Successful in 1m13s
test / end_to_end_nomad (nomad_default, ubuntu2404) (pull_request) Successful in 1m15s
test / end_to_end_nomad (nomad_default, ubuntu2204) (pull_request) Successful in 1m31s
test / end_to_end_nomad (nomad_with_acl_enabled, debian11) (pull_request) Successful in 1m7s
test / end_to_end_nomad (nomad_with_acl_enabled, debian12) (pull_request) Successful in 1m9s
test / end_to_end_nomad (nomad_with_acl_enabled, ubuntu2004) (pull_request) Successful in 1m15s
test / end_to_end_nomad (nomad_with_acl_enabled, ubuntu2204) (pull_request) Successful in 1m12s
test / end_to_end_nomad (nomad_with_acl_enabled, ubuntu2404) (pull_request) Successful in 1m17s
test / end_to_end_vault (vault_default, debian11) (pull_request) Successful in 1m32s
test / end_to_end_vault (vault_default, debian12) (pull_request) Successful in 1m39s
test / end_to_end_vault (vault_default, ubuntu2004) (pull_request) Successful in 1m36s
test / end_to_end_vault (vault_default, ubuntu2204) (pull_request) Successful in 1m24s
test / end_to_end_vault (vault_default, ubuntu2404) (pull_request) Successful in 1m41s
test / end_to_end_vault (vault_with_raft_enabled, debian11) (pull_request) Successful in 1m23s
test / end_to_end_vault (vault_with_raft_enabled, debian12) (pull_request) Successful in 1m24s
test / end_to_end_vault (vault_with_raft_enabled, ubuntu2004) (pull_request) Successful in 1m28s
test / end_to_end_vault (vault_with_raft_enabled, ubuntu2204) (pull_request) Successful in 1m30s
test / end_to_end_vault (vault_with_raft_enabled, ubuntu2404) (pull_request) Successful in 1m32s
This feature adds logic to automatically reload the vault service if tls is enbabled and the certificates have changed. This only tracks certificates copied by the extra_files logic.
153 lines
5.0 KiB
YAML
153 lines
5.0 KiB
YAML
---
|
|
# task/install file for vault
|
|
- name: "Vault | Get latest release of vault"
|
|
when: vault_version == 'latest'
|
|
block:
|
|
- name: "Vault | Get latest vault release from github api"
|
|
ansible.builtin.uri:
|
|
url: "{{ vault_github_api }}/hashicorp/vault/releases/latest"
|
|
return_content: true
|
|
register: _vault_latest_release
|
|
|
|
- name: "Vault | Set wanted vault version to latest tag"
|
|
ansible.builtin.set_fact:
|
|
_vault_wanted_version: "{{ _vault_latest_release.json['tag_name']|regex_replace('v', '') }}"
|
|
|
|
- name: "Vault | Set wanted vault version to {{ vault_version }}"
|
|
ansible.builtin.set_fact:
|
|
_vault_wanted_version: "{{ vault_version|regex_replace('v', '') }}"
|
|
when: vault_version != 'latest'
|
|
|
|
- name: "Vault | Get current vault version"
|
|
block:
|
|
- name: "Vault | Stat vault version file"
|
|
ansible.builtin.stat:
|
|
path: "{{ vault_config_dir }}/.version"
|
|
changed_when: false
|
|
check_mode: false
|
|
register: _vault_version_file
|
|
|
|
- name: "Vault | Get current vault version"
|
|
ansible.builtin.slurp:
|
|
src: "{{ _vault_version_file.stat.path }}"
|
|
when:
|
|
- _vault_version_file.stat.exists
|
|
- _vault_version_file.stat.isreg
|
|
register: _vault_current_version
|
|
|
|
- name: "Vault | Download and install vault binary"
|
|
when:
|
|
- _vault_current_version is not defined
|
|
or _vault_wanted_version != (_vault_current_version.content|default('')|b64decode)
|
|
- not ansible_check_mode
|
|
block:
|
|
- name: "Vault | Set vault package name to download"
|
|
ansible.builtin.set_fact:
|
|
_vault_package_name: >-
|
|
vault_{{ _vault_wanted_version }}_linux_{{ vault_deb_architecture_map[ansible_architecture] }}.zip
|
|
_vault_shasum_file_name: >-
|
|
vault_{{ _vault_wanted_version }}_SHA256SUMS
|
|
|
|
- name: "Vault | Download checksum file for vault archive"
|
|
ansible.builtin.get_url:
|
|
url: "{{ vault_repository_url }}/{{ _vault_wanted_version }}/{{ _vault_shasum_file_name }}"
|
|
dest: "/tmp/{{ _vault_shasum_file_name }}"
|
|
mode: "0644"
|
|
register: _vault_checksum_file
|
|
until: _vault_checksum_file is succeeded
|
|
retries: 5
|
|
delay: 2
|
|
check_mode: false
|
|
|
|
- name: "Vault | Extract correct checksum from checksum file"
|
|
ansible.builtin.command:
|
|
cmd: 'grep "{{ _vault_package_name }}" /tmp/{{ _vault_shasum_file_name }}'
|
|
changed_when: false
|
|
register: _vault_expected_checksum_line
|
|
|
|
- name: "Vault | Parse the expected checksum"
|
|
ansible.builtin.set_fact:
|
|
_vault_expected_checksum: "{{ _vault_expected_checksum_line.stdout.split()[0] }}"
|
|
|
|
- name: "Vault | Download vault binary archive"
|
|
ansible.builtin.get_url:
|
|
url: "{{ vault_repository_url }}/{{ _vault_wanted_version }}/{{ _vault_package_name }}"
|
|
dest: "/tmp/{{ _vault_package_name }}"
|
|
mode: "0644"
|
|
checksum: "sha256:{{ _vault_expected_checksum }}"
|
|
register: _vault_binary_archive
|
|
until: _vault_binary_archive is succeeded
|
|
retries: 5
|
|
delay: 2
|
|
|
|
- name: "Vault | Create temporary directory for archive decompression"
|
|
ansible.builtin.file:
|
|
path: /tmp/vault
|
|
state: directory
|
|
mode: "0755"
|
|
|
|
- name: "Vault | Unpack vault archive"
|
|
ansible.builtin.unarchive:
|
|
src: "/tmp/{{ _vault_package_name }}"
|
|
dest: "/tmp/vault"
|
|
owner: "{{ vault_user }}"
|
|
group: "{{ vault_group }}"
|
|
mode: "0755"
|
|
remote_src: true
|
|
|
|
- name: "Vault | Copy vault binary to {{ vault_binary_path }}"
|
|
ansible.builtin.copy:
|
|
src: /tmp/vault/vault
|
|
dest: "{{ vault_binary_path }}"
|
|
owner: root
|
|
group: root
|
|
mode: "0755"
|
|
remote_src: true
|
|
force: true
|
|
|
|
- name: "Vault | Update vault version file"
|
|
ansible.builtin.copy:
|
|
content: "{{ _vault_wanted_version }}"
|
|
dest: "{{ vault_config_dir }}/.version"
|
|
owner: "{{ vault_user }}"
|
|
group: "{{ vault_group }}"
|
|
mode: "0600"
|
|
|
|
- name: "Vault | Set restart-check variable"
|
|
ansible.builtin.set_fact:
|
|
_vault_service_need_restart: true
|
|
|
|
- name: "Vault | Cleanup temporary directory"
|
|
ansible.builtin.file:
|
|
path: "{{ item }}"
|
|
state: absent
|
|
loop:
|
|
- /tmp/vault
|
|
- /tmp/{{ _vault_package_name }}
|
|
- /tmp/{{ _vault_shasum_file_name }}
|
|
|
|
- name: "Vault | Copy systemd service file for vault"
|
|
ansible.builtin.template:
|
|
src: "vault.service.j2"
|
|
dest: "/etc/systemd/system/{{ vault_service_name }}.service"
|
|
owner: root
|
|
group: root
|
|
mode: "0644"
|
|
register: _vault_unit_file
|
|
|
|
- name: "Vault | Set reload-check & restart-check variable"
|
|
ansible.builtin.set_fact:
|
|
_vault_service_need_daemon_reload: true
|
|
_vault_service_need_restart: true
|
|
when: _vault_unit_file.changed # noqa: no-handler
|
|
|
|
- name: "Vault | Copy systemd service file for vault"
|
|
ansible.builtin.template:
|
|
src: "vault.service.j2"
|
|
dest: "/etc/systemd/system/vault.service"
|
|
owner: root
|
|
group: root
|
|
mode: "0644"
|
|
notify:
|
|
- "systemctl-daemon-reload"
|