Add vault setup: Not secured
This commit is contained in:
parent
a46d3d8807
commit
4d4bf36d3c
4
Makefile
4
Makefile
@ -61,7 +61,9 @@ venv/bin/ansible:
|
||||
.PHONY: ansible-cluster
|
||||
ansible-cluster: venv/bin/ansible
|
||||
./venv/bin/ansible-galaxy install -p roles -r roles/requirements.yml
|
||||
./venv/bin/ansible-playbook -K -vv -i ansible_hosts.yml -M ./roles ./setup-cluster.yml
|
||||
./venv/bin/ansible-playbook -K -vv \
|
||||
-e "@vault-keys.json" \
|
||||
-i ansible_hosts.yml -M ./roles ./setup-cluster.yml
|
||||
|
||||
.PHONY: plan
|
||||
plan:
|
||||
|
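Review bot: The new `-e "@vault-keys.json"` argument in the ansible-cluster recipe loads the Vault unseal keys from a plaintext file at the repository root, and nothing in the hunk records what that file holds or that it must stay out of version control. The same recipe keeps `-vv`, so any task that echoes those variables will print them to the terminal and to any CI log that captures it. A comment above the recipe would make the expectation explicit, e.g. `# vault-keys.json holds the Vault unseal keys consumed by setup-cluster.yml; never commit it`. Whether the file is already git-ignored cannot be seen from this page.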
@ -28,3 +28,6 @@ all:
|
||||
nomad_instances:
|
||||
children:
|
||||
servers: {}
|
||||
vault_instances:
|
||||
children:
|
||||
servers: {}
|
||||
|
@ -59,6 +59,34 @@
|
||||
delegate_to: localhost
|
||||
run_once: true
|
||||
|
||||
- name: Setup Vault cluster
|
||||
hosts: vault_instances
|
||||
|
||||
roles:
|
||||
- name: ansible-vault
|
||||
vars:
|
||||
# Doesn't support multi-arch installs
|
||||
vault_install_hashi_repo: true
|
||||
vault_bin_path: /usr/bin
|
||||
vault_harden_file_perms: true
|
||||
vault_address: 0.0.0.0
|
||||
|
||||
vault_backend: consul
|
||||
become: true
|
||||
|
||||
tasks:
|
||||
- name: Unseal vault
|
||||
command:
|
||||
argv:
|
||||
- "vault"
|
||||
- "operator"
|
||||
- "unseal"
|
||||
- "-address=http://127.0.0.1:8200/"
|
||||
- "{{ item }}"
|
||||
loop: "{{ vault_keys }}"
|
||||
# no_log: true
|
||||
when: vault_keys is defined
|
||||
|
||||
# Not on Ubuntu 20.04
|
||||
# - name: Install Podman
|
||||
# hosts: nomad_instances
|
||||
@ -144,11 +172,16 @@
|
||||
interface: lo
|
||||
reserved_ports: "22"
|
||||
|
||||
# Enable vault integration
|
||||
# nomad_vault_enabled: true
|
||||
|
||||
nomad_config_custom:
|
||||
ui:
|
||||
enabled: true
|
||||
consul:
|
||||
ui_url: "http://{{ ansible_hostname }}:8500/ui"
|
||||
vault:
|
||||
ui_url: "http://{{ ansible_hostname }}:8200/ui"
|
||||
|
||||
tasks:
|
||||
- name: Start Nomad
|
||||
|
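Review bot: The `Unseal vault` task in the first hunk loops over `{{ vault_keys }}` with `no_log` left commented out, so each unseal key is printed as the loop item, and the Makefile in this same commit runs the playbook with `-vv`, which widens that output further. Unseal keys are the recovery root of the whole cluster, so the line `# no_log: true` should be `no_log: true` before this is run anywhere output is retained. The listener the task talks to is plain HTTP (`-address=http://127.0.0.1:8200/`) while `vault_address: 0.0.0.0` binds it on every interface, so tokens would cross the network unencrypted; a comment on `vault_address` marking TLS as the follow-up the commit title promises would be useful. The second hunk only adds UI links and raises nothing; the play it belongs to starts outside the hunk.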
@ -133,26 +133,40 @@ job "traefik" {
|
||||
[http]
|
||||
[http.routers]
|
||||
[http.routers.nomad]
|
||||
entryPoints = ["web", "websecure"]
|
||||
entryPoints = ["websecure"]
|
||||
# middlewares = []
|
||||
service = "nomad"
|
||||
rule = "Host(`nomad.${var.base_hostname}`)"
|
||||
[http.routers.consul]
|
||||
entryPoints = ["web", "websecure"]
|
||||
entryPoints = ["websecure"]
|
||||
# middlewares = []
|
||||
service = "consul"
|
||||
rule = "Host(`consul.${var.base_hostname}`)"
|
||||
[http.routers.vault]
|
||||
entryPoints = ["websecure"]
|
||||
# middlewares = []
|
||||
service = "vault"
|
||||
rule = "Host(`vault.${var.base_hostname}`)"
|
||||
|
||||
[http.services]
|
||||
[http.services.nomad]
|
||||
[http.services.nomad.loadBalancer]
|
||||
<< range service "nomad-client" >>
|
||||
[[http.services.nomad.loadBalancer.servers]]
|
||||
url = "http://<< env "NOMAD_IP_web" >>:4646"
|
||||
url = "http://<< .Address >>:<< .Port >>"
|
||||
<< end >>
|
||||
[http.services.consul]
|
||||
[http.services.consul.loadBalancer]
|
||||
<< range service "consul" >>
|
||||
[[http.services.consul.loadBalancer.servers]]
|
||||
url = "http://<< env "NOMAD_IP_web" >>:8500"
|
||||
|
||||
url = "http://<< .Address >>:<< .Port >>"
|
||||
<< end >>
|
||||
[http.services.vault]
|
||||
[http.services.vault.loadBalancer]
|
||||
<< range service "vault" >>
|
||||
[[http.services.vault.loadBalancer.servers]]
|
||||
url = "http://<< .Address >>:<< .Port >>"
|
||||
<< end >>
|
||||
EOH
|
||||
destination = "/config/conf/route-hashi.toml"
|
||||
change_mode = "noop"
|
||||
|
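Review bot: The new `[http.services.vault]` block forwards to `http://<< .Address >>:<< .Port >>`, so Vault tokens carried by client requests are decrypted at Traefik and re-sent in plaintext to whichever address Consul returns; the playbook hunk in this commit shows the same plain-HTTP listener (`http://127.0.0.1:8200/`). Restricting the nomad and consul routers to `websecure` only hardens the public-facing leg. A comment on the service would make the gap the commit title admits concrete, e.g. `# TODO: backend stays plain HTTP until the Vault listener gets TLS`. Consul's `vault` service also registers standby nodes alongside the active one; if the UI should only reach the active node, ranging over `service "active.vault"` is worth confirming against the registration tags. The enclosing `job "traefik"` block and the `template` stanza both start outside this hunk.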