From 968b7ddb72776c7a709c2f0c0893b16e7ad87ab0 Mon Sep 17 00:00:00 2001 From: Ian Fijolek Date: Tue, 15 Mar 2022 11:57:00 -0700 Subject: [PATCH] Add vault setup: Not secured --- nomad/Makefile | 4 +++- nomad/ansible_hosts.yml | 3 +++ nomad/setup-cluster.yml | 33 +++++++++++++++++++++++++++++++++ nomad/traefik/traefik.nomad | 24 +++++++++++++++++++----- 4 files changed, 58 insertions(+), 6 deletions(-) diff --git a/nomad/Makefile b/nomad/Makefile index 7ede4e2..d10cdc8 100644 --- a/nomad/Makefile +++ b/nomad/Makefile @@ -61,7 +61,9 @@ venv/bin/ansible: .PHONY: ansible-cluster ansible-cluster: venv/bin/ansible ./venv/bin/ansible-galaxy install -p roles -r roles/requirements.yml - ./venv/bin/ansible-playbook -K -vv -i ansible_hosts.yml -M ./roles ./setup-cluster.yml + ./venv/bin/ansible-playbook -K -vv \ + -e "@vault-keys.json" \ + -i ansible_hosts.yml -M ./roles ./setup-cluster.yml .PHONY: plan plan: diff --git a/nomad/ansible_hosts.yml b/nomad/ansible_hosts.yml index 83081a5..3935b21 100644 --- a/nomad/ansible_hosts.yml +++ b/nomad/ansible_hosts.yml @@ -28,3 +28,6 @@ all: nomad_instances: children: servers: {} + vault_instances: + children: + servers: {} diff --git a/nomad/setup-cluster.yml b/nomad/setup-cluster.yml index 1c1d1df..12f924a 100644 --- a/nomad/setup-cluster.yml +++ b/nomad/setup-cluster.yml @@ -59,6 +59,34 @@ delegate_to: localhost run_once: true +- name: Setup Vault cluster + hosts: vault_instances + + roles: + - name: ansible-vault + vars: + # Doesn't support multi-arch installs + vault_install_hashi_repo: true + vault_bin_path: /usr/bin + vault_harden_file_perms: true + vault_address: 0.0.0.0 + + vault_backend: consul + become: true + + tasks: + - name: Unseal vault + command: + argv: + - "vault" + - "operator" + - "unseal" + - "-address=http://127.0.0.1:8200/" + - "{{ item }}" + loop: "{{ vault_keys }}" + # no_log: true + when: vault_keys is defined + # Not on Ubuntu 20.04 # - name: Install Podman # hosts: nomad_instances 
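Review bot: `-e "@vault-keys.json"` makes ansible-playbook abort when that file is absent, so `make ansible-cluster` can no longer run against a fresh cluster before Vault has been initialized, even though the same playbook is what installs Vault; make the argument conditional, `$(if $(wildcard vault-keys.json),-e "@vault-keys.json") \`. The file holds the unseal keys and sits in the working tree next to the Makefile; nothing in this patch shows it excluded from version control, so a `.gitignore` entry (or a comment above the target naming where the file must come from) is worth confirming.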
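Review bot: In the `Unseal vault` task, `loop: "{{ vault_keys }}"` is expanded before the per-item `when: vault_keys is defined` guard runs, so a play without the keys file fails on an undefined variable rather than skipping; use `loop: "{{ vault_keys | default([]) }}"` so the guard is reachable. With `# no_log: true` commented out, each unseal key is printed in the task output (the loop `item` label and the recorded `cmd`), and the Makefile target runs this playbook at `-vv`; `no_log: true` should be active on this task. The listener is bound on all interfaces without TLS (`vault_address: 0.0.0.0`, unseal over `http://127.0.0.1:8200/`), which the subject line acknowledges as not secured; a `# TODO: TLS listener before exposing beyond localhost` comment next to `vault_address` would keep that state visible in the file. The surrounding playbook continues outside the hunk.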
@@ -144,11 +172,16 @@ interface: lo reserved_ports: "22" + # Enable vault integration + # nomad_vault_enabled: true + nomad_config_custom: ui: enabled: true consul: ui_url: "http://{{ ansible_hostname }}:8500/ui" + vault: + ui_url: "http://{{ ansible_hostname }}:8200/ui" tasks: - name: Start Nomad diff --git a/nomad/traefik/traefik.nomad b/nomad/traefik/traefik.nomad index 728f847..3ab082e 100644 --- a/nomad/traefik/traefik.nomad +++ b/nomad/traefik/traefik.nomad @@ -133,26 +133,40 @@ job "traefik" { [http] [http.routers] [http.routers.nomad] - entryPoints = ["web", "websecure"] + entryPoints = ["websecure"] # middlewares = [] service = "nomad" rule = "Host(`nomad.${var.base_hostname}`)" [http.routers.consul] - entryPoints = ["web", "websecure"] + entryPoints = ["websecure"] # middlewares = [] service = "consul" rule = "Host(`consul.${var.base_hostname}`)" + [http.routers.vault] + entryPoints = ["websecure"] + # middlewares = [] + service = "vault" + rule = "Host(`vault.${var.base_hostname}`)" [http.services] [http.services.nomad] [http.services.nomad.loadBalancer] + << range service "nomad-client" >> [[http.services.nomad.loadBalancer.servers]] - url = "http://<< env "NOMAD_IP_web" >>:4646" + url = "http://<< .Address >>:<< .Port >>" + << end >> [http.services.consul] [http.services.consul.loadBalancer] + << range service "consul" >> [[http.services.consul.loadBalancer.servers]] - url = "http://<< env "NOMAD_IP_web" >>:8500" - + url = "http://<< .Address >>:<< .Port >>" + << end >> + [http.services.vault] + [http.services.vault.loadBalancer] + << range service "vault" >> + [[http.services.vault.loadBalancer.servers]] + url = "http://<< .Address >>:<< .Port >>" + << end >> EOH destination = "/config/conf/route-hashi.toml" change_mode = "noop"
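Review bot: The consul service now takes its upstream port from `<< range service "consul" >>` / `<< .Port >>`, but the catalog's built-in `consul` service is registered by the servers with the RPC port (8300 by default), not the HTTP API/UI port 8500 that the removed `url` line used, so the consul router would proxy to a port that does not speak HTTP; keep the port fixed inside the range, `url = "http://<< .Address >>:8500"`. The `nomad-client` and `vault` registrations carry their HTTP ports, so `<< .Port >>` looks right there, but confirm against the catalog rather than assuming. All three upstreams stay plain `http://`, which for the new vault service means Vault tokens cross the Traefik-to-Vault hop in cleartext; that matches the commit's "Not secured" scope, so a `# TODO: https upstream once Vault has TLS` comment above `[http.services.vault]` would record it. The enclosing `job "traefik"` block starts before this hunk.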