ansible-roles/renew_vault_certificates
ansible-roles/renew_vault_certificates
4
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases Wiki Activity

added the start of service file, added option for consul service altnames

Browse Source
This commit is contained in:
Bertrand Lanson 2023-04-17 22:45:59 +02:00
parent 124c4cf5b2
commit ac1b63fe6a
9 changed files with 77 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
defaults/main.yml
View File

@ -14,3 +14,6 @@ renew_vault_certificates_info:
common_name: openstack01.ednz.fr common_name: openstack01.ednz.fr
ttl: 90d ttl: 90d
include_localhost: true include_localhost: true
include_consul_service: false
renew_vault_certificates_consul_service_name: vault.service.consul
renew_vault_certificates_start_service: false

17
handlers/main.yml
View File

@ -1,2 +1,19 @@
--- ---
# handlers file for renew_vault_certificates # handlers file for renew_vault_certificates
- name: "Reload service file"
ansible.builtin.systemd:
daemon_reload: true
listen: "systemctl-daemon-reload"
- name: "Enable vault-certs service"
ansible.builtin.service:
name: vault-certs
enabled: true
listen: "systemctl-enable-vault-certs"
- name: "Start vault-certs service"
ansible.builtin.service:
name: vault-certs
state: restarted
listen: "systemctl-restart-vault-certs"
when: renew_vault_certificates_start_service

34
tasks/configure.yml
View File

@ -1,12 +1,40 @@
--- ---
# task/configure file for renew_vault_certificates # task/configure file for renew_vault_certificates
- name: "Configure files for vault certificate renewal"
block:
- name: "Copy vault_cert.pem.tpl template"
ansible.builtin.template:
src: vault_config.hcl.j2
dest: "{{ renew_vault_certificates_config_dir }}/vault_config.hcl"
owner: "{{ renew_vault_certificates_vault_user }}"
group: "{{ renew_vault_certificates_vault_group }}"
mode: '0600'
- name: "Copy vault_cert.pem.tpl template" - name: "Copy vault_cert.pem.tpl template"
ansible.builtin.template: ansible.builtin.template:
src: vault_cert.tpl.j2 src: vault_cert.tpl.j2
dest: "{{ renew_vault_certificates_config_dir }}/vault_cert.pem.tpl" dest: "{{ renew_vault_certificates_config_dir }}/templates/vault_cert.pem.tpl"
owner: "{{ renew_vault_certificates_vault_user }}"
group: "{{ renew_vault_certificates_vault_group }}"
mode: '0600'
- name: "Copy vault_cert.key.tpl template"
ansible.builtin.template:
src: vault_key.pem.tpl.j2
dest: "{{ renew_vault_certificates_config_dir }}/templates/vault_key.pem.tpl"
owner: "{{ renew_vault_certificates_vault_user }}" owner: "{{ renew_vault_certificates_vault_user }}"
group: "{{ renew_vault_certificates_vault_group }}" group: "{{ renew_vault_certificates_vault_group }}"
mode: '0600' mode: '0600'
notify: notify:
- "systemctl-enable-vault-ctpl" - "systemctl-enable-vault-certs"
- "systemctl-restart-vault-ctpl" - "systemctl-restart-vault-certs"
- name: "Configure vault-certs systemd service"
ansible.builtin.template:
src: vault-certs.service.j2
dest: /etc/systemd/system/vault-certs.service
owner: root
group: root
mode: '0644'
notify:
- "systemctl-daemon-reload"

2
tasks/install.yml
View File

@ -8,7 +8,7 @@
manage_repositories_enable_custom_repo: true manage_repositories_enable_custom_repo: true
manage_repositories_custom_repo: "{{ renew_vault_certificates_repository }}" manage_repositories_custom_repo: "{{ renew_vault_certificates_repository }}"
- name: "Install vault:{{ hashi_vault_version }}" - name: "Install consul-template:{{ hashi_vault_version }}"
ansible.builtin.include_role: ansible.builtin.include_role:
name: ednxzu.manage_apt_packages name: ednxzu.manage_apt_packages
vars: vars:

3
tasks/main.yml
View File

@ -5,3 +5,6 @@
- name: "Import install.yml" - name: "Import install.yml"
ansible.builtin.include_tasks: install.yml ansible.builtin.include_tasks: install.yml
- name: "Import configure.yml"
ansible.builtin.include_tasks: configure.yml

12
templates/vault-certs.service.j2 Normal file
View File

@ -0,0 +1,12 @@
[Unit]
Description=Automatic renewal of vault certificate using consul-template
Requires=network-online.target
After=network-online.target vault.service
[Service]
Restart=on-failure
ExecStart=/usr/bin/consul-template $OPTIONS -config={{ renew_vault_certificates_config_dir }}/vault_config.hcl
KillSignal=SIGINT
[Install]
WantedBy=multi-user.target

3
templates/vault_cert.pem.tpl.j2 Normal file
View File

@ -0,0 +1,3 @@
{% raw %}{{ with secret {% endraw %}"{{ renew_vault_certificates_info['issuer_path'] }}" "common_name={{ renew_vault_certificates_info['common_name'] }}" "ttl={{ renew_vault_certificates_info['ttl'] }}"{% if renew_vault_certificates_info['include_consul_service'] %} "alt_names={{ renew_vault_certificates_consul_service_name }}" "alt_names=active.{{ renew_vault_certificates_consul_service_name }}" "alt_names=standby.{{ renew_vault_certificates_consul_service_name }}"{% endif %}{% if renew_vault_certificates_info['include_localhost'] %} "alt_names=localhost" "ip_sans=127.0.0.1"{% endif %}{% raw %} }}{% endraw %}
{% raw %}{{ .Data.certificate }}{% endraw %}
{% raw %}{{ end }}{% endraw %}

3
templates/vault_cert.tpl.j2
View File

@ -1,3 +0,0 @@
{% raw %}{{ with secret {% endraw %}"{{ renew_vault_certificates_info['issuer_path'] }}" "common_name={{ renew_vault_certificates_info['common_name'] }}" "ttl={{ renew_vault_certificates_info['ttl'] }}" {% if renew_vault_certificates_info['include_localhost'] %}"alt_names=localhost" "ip_sans=127.0.0.1" {% endif %}{% raw %}}}{% endraw %}
{% raw %}{{ .Data.certificate }}{% endraw %}
{% raw %}{{ end }}{% endraw %}

0
templates/vault_key.tpl.j2 → templates/vault_key.pem.tpl.j2
View File