Add vault setup: Not secured
This commit is contained in:
parent
a46d3d8807
commit
4d4bf36d3c
4
Makefile
4
Makefile
@ -61,7 +61,9 @@ venv/bin/ansible:
|
|||||||
.PHONY: ansible-cluster
|
.PHONY: ansible-cluster
|
||||||
ansible-cluster: venv/bin/ansible
|
ansible-cluster: venv/bin/ansible
|
||||||
./venv/bin/ansible-galaxy install -p roles -r roles/requirements.yml
|
./venv/bin/ansible-galaxy install -p roles -r roles/requirements.yml
|
||||||
./venv/bin/ansible-playbook -K -vv -i ansible_hosts.yml -M ./roles ./setup-cluster.yml
|
./venv/bin/ansible-playbook -K -vv \
|
||||||
|
-e "@vault-keys.json" \
|
||||||
|
-i ansible_hosts.yml -M ./roles ./setup-cluster.yml
|
||||||
|
|
||||||
.PHONY: plan
|
.PHONY: plan
|
||||||
plan:
|
plan:
|
||||||
|
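Review bot: The new `-e "@vault-keys.json"` argument feeds the Vault unseal key shares into the play from a plaintext JSON file in the working tree, and it sits next to `-vv`, which makes Ansible print task arguments — so the shares end up both unencrypted on disk and in console/log output. Encrypt the file with `ansible-vault encrypt vault-keys.json` and pass the vault password on this line, e.g. `./venv/bin/ansible-playbook -K -vv --ask-vault-pass \`, and make sure `vault-keys.json` is gitignored (not visible in this commit). Since this invocation is shared with the rest of the cluster setup, consider dropping `-vv` for the target or relying on `no_log` in the unseal task so the shares are never echoed.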
@ -28,3 +28,6 @@ all:
|
|||||||
nomad_instances:
|
nomad_instances:
|
||||||
children:
|
children:
|
||||||
servers: {}
|
servers: {}
|
||||||
|
vault_instances:
|
||||||
|
children:
|
||||||
|
servers: {}
|
||||||
|
@ -59,6 +59,34 @@
|
|||||||
delegate_to: localhost
|
delegate_to: localhost
|
||||||
run_once: true
|
run_once: true
|
||||||
|
|
||||||
|
- name: Setup Vault cluster
|
||||||
|
hosts: vault_instances
|
||||||
|
|
||||||
|
roles:
|
||||||
|
- name: ansible-vault
|
||||||
|
vars:
|
||||||
|
# Doesn't support multi-arch installs
|
||||||
|
vault_install_hashi_repo: true
|
||||||
|
vault_bin_path: /usr/bin
|
||||||
|
vault_harden_file_perms: true
|
||||||
|
vault_address: 0.0.0.0
|
||||||
|
|
||||||
|
vault_backend: consul
|
||||||
|
become: true
|
||||||
|
|
||||||
|
tasks:
|
||||||
|
- name: Unseal vault
|
||||||
|
command:
|
||||||
|
argv:
|
||||||
|
- "vault"
|
||||||
|
- "operator"
|
||||||
|
- "unseal"
|
||||||
|
- "-address=http://127.0.0.1:8200/"
|
||||||
|
- "{{ item }}"
|
||||||
|
loop: "{{ vault_keys }}"
|
||||||
|
# no_log: true
|
||||||
|
when: vault_keys is defined
|
||||||
|
|
||||||
# Not on Ubuntu 20.04
|
# Not on Ubuntu 20.04
|
||||||
# - name: Install Podman
|
# - name: Install Podman
|
||||||
# hosts: nomad_instances
|
# hosts: nomad_instances
|
||||||
@ -144,11 +172,16 @@
|
|||||||
interface: lo
|
interface: lo
|
||||||
reserved_ports: "22"
|
reserved_ports: "22"
|
||||||
|
|
||||||
|
# Enable vault integration
|
||||||
|
# nomad_vault_enabled: true
|
||||||
|
|
||||||
nomad_config_custom:
|
nomad_config_custom:
|
||||||
ui:
|
ui:
|
||||||
enabled: true
|
enabled: true
|
||||||
consul:
|
consul:
|
||||||
ui_url: "http://{{ ansible_hostname }}:8500/ui"
|
ui_url: "http://{{ ansible_hostname }}:8500/ui"
|
||||||
|
vault:
|
||||||
|
ui_url: "http://{{ ansible_hostname }}:8200/ui"
|
||||||
|
|
||||||
tasks:
|
tasks:
|
||||||
- name: Start Nomad
|
- name: Start Nomad
|
||||||
|
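Review bot: In the `Unseal vault` task of the first hunk, `# no_log: true` is left commented out while each key share is passed as a `command` argv element, so with the `-vv` the Makefile uses every share is echoed in the play output and any log aggregation; uncomment it: `no_log: true`. The task is also not idempotent — it feeds every share on every run regardless of seal state; guarding it with a registered `vault status -format=json` and running the loop only when `sealed` is true would avoid re-unsealing and the spurious "changed". Loading all shares from one file on the control host means one operator holds the full quorum, which removes the separation Shamir splitting is meant to give — auto-unseal or distributing shares may be preferable, though the commit title ("Not secured") suggests this is known. Finally `vault_address: 0.0.0.0` binds the listener on all interfaces, and the `http://127.0.0.1:8200/` address used for unseal suggests it is plain HTTP; restrict the bind address or enable TLS before exposing it.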
@ -133,26 +133,40 @@ job "traefik" {
|
|||||||
[http]
|
[http]
|
||||||
[http.routers]
|
[http.routers]
|
||||||
[http.routers.nomad]
|
[http.routers.nomad]
|
||||||
entryPoints = ["web", "websecure"]
|
entryPoints = ["websecure"]
|
||||||
# middlewares = []
|
# middlewares = []
|
||||||
service = "nomad"
|
service = "nomad"
|
||||||
rule = "Host(`nomad.${var.base_hostname}`)"
|
rule = "Host(`nomad.${var.base_hostname}`)"
|
||||||
[http.routers.consul]
|
[http.routers.consul]
|
||||||
entryPoints = ["web", "websecure"]
|
entryPoints = ["websecure"]
|
||||||
# middlewares = []
|
# middlewares = []
|
||||||
service = "consul"
|
service = "consul"
|
||||||
rule = "Host(`consul.${var.base_hostname}`)"
|
rule = "Host(`consul.${var.base_hostname}`)"
|
||||||
|
[http.routers.vault]
|
||||||
|
entryPoints = ["websecure"]
|
||||||
|
# middlewares = []
|
||||||
|
service = "vault"
|
||||||
|
rule = "Host(`vault.${var.base_hostname}`)"
|
||||||
|
|
||||||
[http.services]
|
[http.services]
|
||||||
[http.services.nomad]
|
[http.services.nomad]
|
||||||
[http.services.nomad.loadBalancer]
|
[http.services.nomad.loadBalancer]
|
||||||
|
<< range service "nomad-client" >>
|
||||||
[[http.services.nomad.loadBalancer.servers]]
|
[[http.services.nomad.loadBalancer.servers]]
|
||||||
url = "http://<< env "NOMAD_IP_web" >>:4646"
|
url = "http://<< .Address >>:<< .Port >>"
|
||||||
|
<< end >>
|
||||||
[http.services.consul]
|
[http.services.consul]
|
||||||
[http.services.consul.loadBalancer]
|
[http.services.consul.loadBalancer]
|
||||||
|
<< range service "consul" >>
|
||||||
[[http.services.consul.loadBalancer.servers]]
|
[[http.services.consul.loadBalancer.servers]]
|
||||||
url = "http://<< env "NOMAD_IP_web" >>:8500"
|
url = "http://<< .Address >>:<< .Port >>"
|
||||||
|
<< end >>
|
||||||
|
[http.services.vault]
|
||||||
|
[http.services.vault.loadBalancer]
|
||||||
|
<< range service "vault" >>
|
||||||
|
[[http.services.vault.loadBalancer.servers]]
|
||||||
|
url = "http://<< .Address >>:<< .Port >>"
|
||||||
|
<< end >>
|
||||||
EOH
|
EOH
|
||||||
destination = "/config/conf/route-hashi.toml"
|
destination = "/config/conf/route-hashi.toml"
|
||||||
change_mode = "noop"
|
change_mode = "noop"
|
||||||
|
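Review bot: The new `vault` router terminates TLS at Traefik (`websecure` only) but the `http.services.vault` backend URL is `http://<< .Address >>:<< .Port >>`, so Vault tokens and secrets travel in cleartext between Traefik and the Vault nodes; enable TLS on the Vault listener and change the URL to `https://...` with a `serversTransport` that trusts the Vault CA. `# middlewares = []` on all three routers means nothing sits in front of the Nomad and Consul UIs beyond their own ACLs, which are not visible in this diff — confirm ACLs are enabled before exposing them on `websecure`. The `range service "vault"` block also balances across every registered Vault node; if Vault registers with `active`/`standby` tags in Consul (its default Consul registration), `service "active.vault"` would route only to the active node — unconfirmed from what is visible here. The commit title acknowledges the setup is "Not secured", so these may be intentional follow-ups.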