Ansible role to set up automatic renewal of Vault TLS certificates from the Vault PKI engine, using consul-template, on Debian-based systems. https://ednz.fr

renew_vault_certificates

This repository is only a mirror. Development and testing is done on a private gitea server.

This role installs consul-template and configures a service that automates renewal of the TLS certificates used by HashiCorp Vault on Debian-based distributions.

Requirements

This role assumes that a Vault server is already installed on the host; it only assists in automating the certificate renewal process.

Role Variables

Available variables are listed below, along with their default values. A sample file with the defaults is available in defaults/renew_vault_certificates.yml.sample in case you need it for group_vars or host_vars configuration.

renew_vault_certificates_config_dir: /etc/consul-template.d/vault # by default, set to /etc/consul-template.d/vault

This variable defines where the files for the role are stored (consul-template configuration and templates).

renew_vault_certificates_vault_user: vault # by default, set to vault

This variable defines the user the certificate renewal service runs as. Defaults to vault, and the user must exist on the host before this role is run (ideally created when installing Vault). Because this user holds the Vault token and writes the private key, keep it a dedicated, unprivileged account.

renew_vault_certificates_vault_group: vault # by default, set to vault

This variable defines the group the certificate renewal service runs as. Defaults to vault, and the group must exist on the host before this role is run (ideally created when installing Vault).

renew_vault_certificates_vault_addr: https://127.0.0.1:8200 # by default, set to https://127.0.0.1:8200

This variable defines the address consul-template queries to obtain new certificates. Defaults to localhost, but can be changed if Vault isn't reachable on localhost (for example because the current certificate lacks a matching SAN).

renew_vault_certificates_vault_token: mysupersecretvaulttokenthatyoushouldchange # by default, set to a dummy string

This variable defines the Vault token used to access Vault and renew the certificate. The default is a dummy string so that unit tests pass; set a real one, and keep it out of plaintext inventory (for example by encrypting the value with ansible-vault).

renew_vault_certificates_vault_token_unwrap: false # by default, set to false

Defines whether the supplied token is a response-wrapped token that consul-template must unwrap before use (consul-template's vault.unwrap_token setting).

renew_vault_certificates_vault_token_renew: true # by default, set to true

This variable defines whether consul-template should renew the Vault token (consul-template's vault.renew_token setting). It should almost always be true, and the token should be a periodic token: a periodic token has no max TTL, so renewal can extend it indefinitely, whereas an ordinary token stops renewing once it reaches its max TTL and the renewal service loses access to Vault.
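To make the periodic-token advice concrete, here is an added example (not part of the role) of the least-privilege Vault policy such a token needs, with the commands that load it and mint the token in comments. The policy name vault-tls, the 24h period and the display name are assumptions; the issuer path pki/issue/your-issuer is the role's default.

```hcl
# vault-tls.hcl: least-privilege policy for the renewal token (added example).
# Only the issue endpoint of one PKI role is needed. Renewing the token itself
# (auth/token/renew-self) and unwrapping a wrapped token (sys/wrapping/unwrap)
# are already granted by Vault's built-in "default" policy, which is attached
# to the token unless -no-default-policy is passed.
path "pki/issue/your-issuer" {
  capabilities = ["update"]
}

# Load the policy and create a periodic token bound to it (assumed names):
#
#   vault policy write vault-tls vault-tls.hcl
#   vault token create -policy=vault-tls -period=24h -orphan -display-name=vault-tls-renewal
#
# A periodic token stays renewable as long as it is renewed within each period,
# which is what renew_vault_certificates_vault_token_renew relies on. Hand the
# resulting token to renew_vault_certificates_vault_token.
```

The policy deliberately omits read access to the PKI mount and any other path: a host that is compromised gains at most the ability to request certificates for names the PKI role allows, not to read other secrets.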

renew_vault_certificates_cert_dest: /opt/vault/tls/cert.pem # by default, set to /opt/vault/tls/cert.pem

This variable defines where to write the certificate upon renewal. Defaults to /opt/vault/tls/cert.pem but should be changed to match the tls_cert_file setting of your Vault listener configuration.

renew_vault_certificates_key_dest: /opt/vault/tls/key.pem # by default, set to /opt/vault/tls/key.pem

This variable defines where to write the private key upon renewal. Defaults to /opt/vault/tls/key.pem but should be changed to match the tls_key_file setting of your Vault listener configuration. Make sure the destination is readable only by the Vault user.

renew_vault_certificates_info: # by default, set to:
  issuer_path: pki/issue/your-issuer
  common_name: vault01.example.com
  ip_addr: "192.168.1.1"
  ttl: 90d
  include_consul_service: false

This variable defines the PKI issue path on Vault (a pki/issue/<role> endpoint) to request the certificate from, as well as the common name, the IP SAN (ip_addr) and the TTL to use for it. The TTL must not exceed the max_ttl of the PKI role, and the role must allow the requested names (allowed_domains, allow_ip_sans). Setting include_consul_service to true also adds the Vault service aliases as alternative names, in case you have registered Vault in a Consul cluster (active.vault.service.consul, standby.vault.service.consul, vault.service.consul).
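For orientation, here is an added example of the consul-template configuration that these variables describe. It is written for this page and is not the role's own template. It assumes the role defaults above with include_consul_service set to true, a CA bundle at /opt/vault/tls/ca.pem, and a Vault systemd unit whose ExecReload sends SIGHUP (Vault reloads its listener certificates on SIGHUP), so that systemctl reload vault picks up the new files.

```hcl
# /etc/consul-template.d/vault/renew.hcl (added example, not the role's template)

vault {
  address = "https://127.0.0.1:8200"   # renew_vault_certificates_vault_addr
  # Supply the periodic token through the VAULT_TOKEN environment variable of
  # the service unit rather than writing it here (renew_vault_certificates_vault_token).
  unwrap_token = false                 # renew_vault_certificates_vault_token_unwrap
  renew_token  = true                  # renew_vault_certificates_vault_token_renew

  ssl {
    enabled = true
    verify  = true                     # never disable verification for a secrets endpoint
    ca_cert = "/opt/vault/tls/ca.pem"  # assumed location of the PKI CA certificate
  }
}

# Certificate, with the issuing CA appended so Vault serves the full chain.
# Both templates make the same secret call with identical arguments;
# consul-template deduplicates it, so one certificate/key pair is issued per
# renewal and the two files always belong together.
template {
  contents = <<EOT
{{ with secret "pki/issue/your-issuer" "common_name=vault01.example.com" "ip_sans=192.168.1.1" "alt_names=vault.service.consul,active.vault.service.consul,standby.vault.service.consul" "ttl=90d" -}}
{{ .Data.certificate }}
{{ .Data.issuing_ca }}
{{- end }}
EOT
  destination = "/opt/vault/tls/cert.pem"   # renew_vault_certificates_cert_dest
  perms       = 0644
  command     = "systemctl reload vault"    # assumes the unit's ExecReload sends SIGHUP
}

template {
  contents = <<EOT
{{ with secret "pki/issue/your-issuer" "common_name=vault01.example.com" "ip_sans=192.168.1.1" "alt_names=vault.service.consul,active.vault.service.consul,standby.vault.service.consul" "ttl=90d" -}}
{{ .Data.private_key }}
{{- end }}
EOT
  destination = "/opt/vault/tls/key.pem"    # renew_vault_certificates_key_dest
  perms       = 0600                        # only the service user may read the key
  command     = "systemctl reload vault"
}
```

consul-template re-requests the certificate as it approaches expiry, re-renders both files and then runs the command. After the first render, openssl x509 -in /opt/vault/tls/cert.pem -noout -enddate -ext subjectAltName shows the new expiry and confirms that the IP SAN and the Consul names were actually issued by the PKI role.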

renew_vault_certificates_consul_service_name: vault.service.consul # by default, set to vault.service.consul

This variable defines the Vault service name in Consul, used when include_consul_service is true. Defaults to vault.service.consul.

renew_vault_certificates_start_service: false

This variable defines whether to start the service after creating it. By default the service is only enabled, not started, so that you can build golden images without generating a certificate during the build (a certificate and private key baked into an image would be shared by every host built from it).

Dependencies

This role has a task that installs its own dependencies, located in tasks/prerequisites.yml, so that you don't need to manage them. It requires both ednxzu.manage_repositories and ednxzu.manage_apt_packages to install consul-template.

Example Playbook

Calling the role inside a playbook, with either the default values or values from group_vars/host_vars:

# calling the role inside a playbook with either the default or group_vars/host_vars
- hosts: servers
  roles:
    - ednxzu.renew_vault_certificates

License

MIT / BSD

Author Information

This role was created by Bertrand Lanson in 2023.