diff --git a/defaults/main.yml b/defaults/main.yml
index a354eb4..2803d32 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -14,3 +14,6 @@ renew_vault_certificates_info:
   common_name: openstack01.ednz.fr
   ttl: 90d
   include_localhost: true
+  include_consul_service: false
+renew_vault_certificates_consul_service_name: vault.service.consul
+renew_vault_certificates_start_service: false
diff --git a/handlers/main.yml b/handlers/main.yml
index 0333991..1791821 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -1,2 +1,19 @@
 ---
 # handlers file for renew_vault_certificates
+- name: "Reload service file"
+  ansible.builtin.systemd:
+    daemon_reload: true
+  listen: "systemctl-daemon-reload"
+
+- name: "Enable vault-certs service"
+  ansible.builtin.service:
+    name: vault-certs
+    enabled: true
+  listen: "systemctl-enable-vault-certs"
+
+- name: "Start vault-certs service"
+  ansible.builtin.service:
+    name: vault-certs
+    state: restarted
+  listen: "systemctl-restart-vault-certs"
+  when: renew_vault_certificates_start_service
diff --git a/tasks/configure.yml b/tasks/configure.yml
index 52e3e40..ff613a3 100644
--- a/tasks/configure.yml
+++ b/tasks/configure.yml
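Review bot: The "Start vault-certs service" handler is gated on `renew_vault_certificates_start_service`, which the defaults hunk sets to `false`, so a default run enables the unit but never starts it and no renewal happens until the next reboot; if that is intended, say so in defaults with a comment such as `# set to true to (re)start consul-template after configuration changes`, otherwise default it to `true`. The handler also performs `state: restarted` while its name says "Start", so rename it to `"Restart vault-certs service"` to match the `systemctl-restart-vault-certs` listen topic. Note that the enable/restart handlers only work on first deployment because "Reload service file" is defined before them in this file and Ansible runs handlers in definition order; a short comment stating that ordering dependency would keep someone from reordering the list.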
@@ -1,12 +1,40 @@
 ---
 # task/configure file for renew_vault_certificates
-- name: "Copy vault_cert.pem.tpl template"
-  ansible.builtin.template:
-    src: vault_cert.tpl.j2
-    dest: "{{ renew_vault_certificates_config_dir }}/vault_cert.pem.tpl"
-    owner: "{{ renew_vault_certificates_vault_user }}"
-    group: "{{ renew_vault_certificates_vault_group }}"
-    mode: '0600'
+- name: "Configure files for vault certificate renewal"
+  block:
+    - name: "Copy vault_cert.pem.tpl template"
+      ansible.builtin.template:
+        src: vault_config.hcl.j2
+        dest: "{{ renew_vault_certificates_config_dir }}/vault_config.hcl"
+        owner: "{{ renew_vault_certificates_vault_user }}"
+        group: "{{ renew_vault_certificates_vault_group }}"
+        mode: '0600'
+
+    - name: "Copy vault_cert.pem.tpl template"
+      ansible.builtin.template:
+        src: vault_cert.tpl.j2
+        dest: "{{ renew_vault_certificates_config_dir }}/templates/vault_cert.pem.tpl"
+        owner: "{{ renew_vault_certificates_vault_user }}"
+        group: "{{ renew_vault_certificates_vault_group }}"
+        mode: '0600'
+
+    - name: "Copy vault_cert.key.tpl template"
+      ansible.builtin.template:
+        src: vault_key.pem.tpl.j2
+        dest: "{{ renew_vault_certificates_config_dir }}/templates/vault_key.pem.tpl"
+        owner: "{{ renew_vault_certificates_vault_user }}"
+        group: "{{ renew_vault_certificates_vault_group }}"
+        mode: '0600'
   notify:
-    - "systemctl-enable-vault-ctpl"
-    - "systemctl-restart-vault-ctpl"
\ No newline at end of file
+    - "systemctl-enable-vault-certs"
+    - "systemctl-restart-vault-certs"
+
+- name: "Configure vault-certs systemd service"
+  ansible.builtin.template:
+    src: vault-certs.service.j2
+    dest: /etc/systemd/system/vault-certs.service
+    owner: root
+    group: root
+    mode: '0644'
+  notify:
+    - "systemctl-daemon-reload"
diff --git a/tasks/install.yml b/tasks/install.yml
index 0c0891f..2473a0e 100644
--- a/tasks/install.yml
+++ b/tasks/install.yml
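Review bot: The second task in the block still uses `src: vault_cert.tpl.j2`, but this same commit deletes `templates/vault_cert.tpl.j2` and adds `templates/vault_cert.pem.tpl.j2`, so the template task will fail with a missing source; change it to `src: vault_cert.pem.tpl.j2` (the key task already uses the renamed `vault_key.pem.tpl.j2`). The first task in the block renders `vault_config.hcl` but is named "Copy vault_cert.pem.tpl template", a copy-paste leftover that makes run output misleading; name it `"Copy vault_config.hcl consul-template config"`. Nothing in this hunk creates `{{ renew_vault_certificates_config_dir }}/templates/`, and `templates/vault_config.hcl.j2` is not added by this diff, so unless prerequisites.yml or an earlier commit provides them the task will also fail there. The unit-file task only notifies `systemctl-daemon-reload`, so a change to the rendered unit (e.g. a new ExecStart) is reloaded but the running service is not restarted; adding `- "systemctl-restart-vault-certs"` to that notify list would close the gap.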
@@ -8,7 +8,7 @@ manage_repositories_enable_custom_repo: true manage_repositories_custom_repo: "{{ renew_vault_certificates_repository }}" -- name: "Install vault:{{ hashi_vault_version }}" +- name: "Install consul-template:{{ hashi_vault_version }}" ansible.builtin.include_role: name: ednxzu.manage_apt_packages vars: diff --git a/tasks/main.yml b/tasks/main.yml index 0e05a2f..b037c6c 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -4,4 +4,7 @@ ansible.builtin.include_tasks: prerequisites.yml - name: "Import install.yml" - ansible.builtin.include_tasks: install.yml \ No newline at end of file + ansible.builtin.include_tasks: install.yml + +- name: "Import configure.yml" + ansible.builtin.include_tasks: configure.yml diff --git a/templates/vault-certs.service.j2 b/templates/vault-certs.service.j2 new file mode 100644 index 0000000..65596c7 --- /dev/null +++ b/templates/vault-certs.service.j2 @@ -0,0 +1,12 @@ +[Unit] +Description=Automatic renewal of vault certificate using consul-template +Requires=network-online.target +After=network-online.target vault.service + +[Service] +Restart=on-failure +ExecStart=/usr/bin/consul-template $OPTIONS -config={{ renew_vault_certificates_config_dir }}/vault_config.hcl +KillSignal=SIGINT + +[Install] +WantedBy=multi-user.target \ No newline at end of file diff --git a/templates/vault_cert.pem.tpl.j2 b/templates/vault_cert.pem.tpl.j2 new file mode 100644 index 0000000..9c0a260 --- /dev/null +++ b/templates/vault_cert.pem.tpl.j2 
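Review bot: The new unit file sets no `User=`/`Group=`, so consul-template runs as root even though the config it reads (which holds the Vault token) and the templates are installed for `renew_vault_certificates_vault_user` with mode 0600 in tasks/configure.yml; a root process holding a Vault token and writing the TLS private key is more privilege than the job needs. Add `User={{ renew_vault_certificates_vault_user }}`, `Group={{ renew_vault_certificates_vault_group }}` and `NoNewPrivileges=true` under `[Service]`, assuming the output paths in vault_config.hcl (not visible here) are writable by that user. `$OPTIONS` in ExecStart is never defined, since there is no `Environment=` or `EnvironmentFile=` line, so systemd expands it to nothing; either drop it or add the `EnvironmentFile=` that is meant to populate it. `Requires=network-online.target` without a matching `Wants=` is unusual; `Wants=network-online.target` is the form systemd documents for this dependency.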
@@ -0,0 +1,3 @@
+{% raw %}{{ with secret {% endraw %}"{{ renew_vault_certificates_info['issuer_path'] }}" "common_name={{ renew_vault_certificates_info['common_name'] }}" "ttl={{ renew_vault_certificates_info['ttl'] }}"{% if renew_vault_certificates_info['include_consul_service'] %} "alt_names={{ renew_vault_certificates_consul_service_name }}" "alt_names=active.{{ renew_vault_certificates_consul_service_name }}" "alt_names=standby.{{ renew_vault_certificates_consul_service_name }}"{% endif %}{% if renew_vault_certificates_info['include_localhost'] %} "alt_names=localhost" "ip_sans=127.0.0.1"{% endif %}{% raw %} }}{% endraw %}
+{% raw %}{{ .Data.certificate }}{% endraw %}
+{% raw %}{{ end }}{% endraw %}
\ No newline at end of file
diff --git a/templates/vault_cert.tpl.j2 b/templates/vault_cert.tpl.j2
deleted file mode 100644
index aaab373..0000000
--- a/templates/vault_cert.tpl.j2
+++ /dev/null
@@ -1,3 +0,0 @@
-{% raw %}{{ with secret {% endraw %}"{{ renew_vault_certificates_info['issuer_path'] }}" "common_name={{ renew_vault_certificates_info['common_name'] }}" "ttl={{ renew_vault_certificates_info['ttl'] }}" {% if renew_vault_certificates_info['include_localhost'] %}"alt_names=localhost" "ip_sans=127.0.0.1" {% endif %}{% raw %}}}{% endraw %}
-{% raw %}{{ .Data.certificate }}{% endraw %}
-{% raw %}{{ end }}{% endraw %}
\ No newline at end of file
diff --git a/templates/vault_key.tpl.j2 b/templates/vault_key.pem.tpl.j2
similarity index 100%
rename from templates/vault_key.tpl.j2
rename to templates/vault_key.pem.tpl.j2
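Review bot: The new template passes `alt_names=` up to four separate times (the service name, `active.`, `standby.`, and `localhost`), but consul-template's `secret` function collects its trailing `key=value` arguments into a map, so each repetition overwrites the previous one and only the last SAN survives; with both options enabled the issued certificate would carry just `localhost`, and with only the consul option just `standby.vault.service.consul`, which breaks TLS validation for the other names. Vault's PKI `alt_names` parameter takes a comma-separated list, so build one value instead, e.g. `"alt_names={{ names | join(',') }}"` where `names` is a Jinja list assembled from the same conditionals before the `with secret` line. That is a handful of template lines rather than a one-liner, so it warrants a short comment in the template explaining why the SANs are joined.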