From 1dad4d22a1c693e817c5771e61350443ca766430 Mon Sep 17 00:00:00 2001
From: Ian Fijolek
Date: Tue, 28 Jun 2022 12:09:07 -0700
Subject: [PATCH] Bootstrap vault secrets
---
Makefile | 2 ++
collections/requirements.yml | 4 ++++
roles/requirements.yml | 33 +++++++++++++++++----------------
setup-cluster.yml | 22 ++++++++++++++++++++++
4 files changed, 45 insertions(+), 16 deletions(-)
create mode 100644 collections/requirements.yml
diff --git a/Makefile b/Makefile
index 76689b4..0c07f62 100644
--- a/Makefile
+++ b/Makefile
@@ -57,10 +57,12 @@ venv/bin/ansible:
 python3 -m venv venv
 ./venv/bin/pip install ansible
 ./venv/bin/pip install python-consul
+ ./venv/bin/pip install hvac
 .PHONY: ansible-cluster
 ansible-cluster: venv/bin/ansible
 ./venv/bin/ansible-galaxy install -p roles -r roles/requirements.yml
+ ./venv/bin/ansible-galaxy collection install -r collections/requirements.yml
 env VIRTUAL_ENV=/Users/ifij/workspace/iamthefij/orchestration-tests/nomad/venv ./venv/bin/ansible-playbook -K -vv \
 $(shell test -f vault-keys.json && echo '-e "@vault-keys.json"') \
 -i ansible_hosts.yml -M ./roles ./setup-cluster.yml
diff --git a/collections/requirements.yml b/collections/requirements.yml
new file mode 100644
index 0000000..c9f27c4
--- /dev/null
+++ b/collections/requirements.yml
@@ -0,0 +1,4 @@
+---
+collections:
+ - name: community.hashi_vault
+ version: 3.0.0
diff --git a/roles/requirements.yml b/roles/requirements.yml
index eaf1652..a33ec80 100644
--- a/roles/requirements.yml
+++ b/roles/requirements.yml
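Review bot: The new `./venv/bin/pip install hvac` line installs an unpinned package, so the client library that will carry the Vault root token can change underneath you between runs, whereas the same commit pins `community.hashi_vault` to `3.0.0` in collections/requirements.yml; pin it too, e.g. `./venv/bin/pip install 'hvac==<tested version>'`, or move the venv packages into a `requirements.txt` installed with `--require-hashes`. The playbook's own `pip: name: hvac` task in setup-cluster.yml is equally unpinned, so a pin here alone will not hold the version; both places should agree. The `venv/bin/ansible` target whose recipe opens this hunk starts above it, outside the hunk.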
@@ -1,17 +1,18 @@ --- -- src: https://github.com/IamTheFij/ansible-consul.git - name: ansible-consul - scm: git - version: my-main -- src: https://github.com/ansible-community/ansible-nomad.git - name: ansible-nomad - scm: git - version: master -- src: https://github.com/ansible-community/ansible-vault.git - name: ansible-vault - scm: git - version: master -# - src: maxhoesel.smallstep -# version: 0.4.10 -- src: geerlingguy.docker - version: 4.2.2 +roles: + - src: https://github.com/IamTheFij/ansible-consul.git + name: ansible-consul + scm: git + version: my-main + - src: https://github.com/ansible-community/ansible-nomad.git + name: ansible-nomad + scm: git + version: master + - src: https://github.com/ansible-community/ansible-vault.git + name: ansible-vault + scm: git + version: master + # - src: maxhoesel.smallstep + # version: 0.4.10 + - src: geerlingguy.docker + version: 4.2.2 diff --git a/setup-cluster.yml b/setup-cluster.yml index a44aab2..6069168 100644 --- a/setup-cluster.yml +++ b/setup-cluster.yml @@ -78,6 +78,9 @@ - name: Setup Vault cluster hosts: vault_instances + vars_files: + - ./vault_hashi_vault_values.yml + roles: - name: ansible-vault vars: @@ -149,6 +152,25 @@ loop: "{{ unseal_keys_hex }}" when: unseal_keys_hex is defined + - name: Bootstrap Vault secrets + delegate_to: localhost + run_once: true + block: + - name: Install hvac + pip: + name: hvac + extra_args: --index-url https://pypi.org/simple + + - name: Write values + community.hashi_vault.vault_write: + url: "http://{{ inventory_hostname }}:8200" + token: "{{ root_token }}" + path: "kv/data/{{ item.key }}" + data: + data: + "{{ item.value }}" + loop: "{{ hashi_vault_values | default({}) | dict2items }}" + # Not on Ubuntu 20.04 # - name: Install Podman # hosts: nomad_instances
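Review bot: The git-sourced roles keep floating refs on the new side — `version: master` for ansible-nomad and ansible-vault and `version: my-main` for the consul fork — so every `make ansible-cluster` pulls whatever those branches hold at that moment, an unpinned supply-chain input for code that handles Vault unseal keys and the root token; this commit only re-nests the entries under `roles:` and leaves that as it was. Pin each `version:` to a commit SHA or a release tag, as `geerlingguy.docker` already is at `4.2.2`, and bump deliberately. If a SHA happens to be all digits, quote it so YAML does not read it as an integer.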
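Review bot: `./vault_hashi_vault_values.yml` is loaded as a plain `vars_files` entry and, per the later hunk, its contents are written into Vault as secret data, so this file holds plaintext secrets on disk wherever the playbook is checked out; either encrypt it in place with `ansible-vault encrypt vault_hashi_vault_values.yml` (the `vars_files` line stays the same and the run adds `--ask-vault-pass` or `--vault-password-file`) or keep it out of version control, and state which in a comment beside the entry, e.g. `# encrypted with ansible-vault; never commit plaintext values`. Whether the file is currently committed cannot be told from this diff. The `Setup Vault cluster` play continues outside the hunk.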
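Review bot: The `Write values` task has no `no_log: true`, so with the `-vv` the Makefile passes to ansible-playbook, the module arguments — the `root_token` and every `item.value` secret — are echoed into the play output and into each loop item's result; add `no_log: true` next to `run_once: true` on the block, or at least on the `vault_write` task. The request also targets `http://{{ inventory_hostname }}:8200` from the delegating localhost, which carries the root token and the secret payloads in cleartext over the network unless the Vault listener is TLS-only, which this diff does not show; if the role enables TLS, switch to `https://` and set `validate_certs`/`ca_cert` on the module. Using `root_token` for routine writes is broader than needed — a token bound to a policy scoped to `kv/data/*` would limit the damage if the run output or vault-keys.json leaks. The enclosing play and the tasks preceding `loop: "{{ unseal_keys_hex }}"` lie outside this hunk.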