Add vault setup: Not secured

This commit is contained in:
IamTheFij 2022-03-15 11:57:00 -07:00
parent b8fc4016cb
commit 968b7ddb72
4 changed files with 58 additions and 6 deletions


@ -61,7 +61,9 @@ venv/bin/ansible:
.PHONY: ansible-cluster .PHONY: ansible-cluster
ansible-cluster: venv/bin/ansible ansible-cluster: venv/bin/ansible
./venv/bin/ansible-galaxy install -p roles -r roles/requirements.yml ./venv/bin/ansible-galaxy install -p roles -r roles/requirements.yml
./venv/bin/ansible-playbook -K -vv -i ansible_hosts.yml -M ./roles ./setup-cluster.yml ./venv/bin/ansible-playbook -K -vv \
-e "@vault-keys.json" \
-i ansible_hosts.yml -M ./roles ./setup-cluster.yml
.PHONY: plan .PHONY: plan
plan: plan:
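Review bot: The added `-e "@vault-keys.json"` makes that file mandatory for this target, while the playbook's unseal task is gated on `when: vault_keys is defined`, so a checkout without the file now fails inside ansible-playbook instead of with a clear make error. Declaring it as a prerequisite, `ansible-cluster: venv/bin/ansible vault-keys.json`, surfaces the missing file up front; if the key file is meant to be optional, the flag should be conditional on its presence instead. Because the file carries unseal key shares in cleartext, it should also be confirmed as excluded from version control, which this diff does not show.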


@ -28,3 +28,6 @@ all:
nomad_instances: nomad_instances:
children: children:
servers: {} servers: {}
vault_instances:
children:
servers: {}


@ -59,6 +59,34 @@
delegate_to: localhost delegate_to: localhost
run_once: true run_once: true
- name: Setup Vault cluster
hosts: vault_instances
roles:
- name: ansible-vault
vars:
# Doesn't support multi-arch installs
vault_install_hashi_repo: true
vault_bin_path: /usr/bin
vault_harden_file_perms: true
vault_address: 0.0.0.0
vault_backend: consul
become: true
tasks:
- name: Unseal vault
command:
argv:
- "vault"
- "operator"
- "unseal"
- "-address=http://127.0.0.1:8200/"
- "{{ item }}"
loop: "{{ vault_keys }}"
# no_log: true
when: vault_keys is defined
# Not on Ubuntu 20.04 # Not on Ubuntu 20.04
# - name: Install Podman # - name: Install Podman
# hosts: nomad_instances # hosts: nomad_instances
@ -144,11 +172,16 @@
interface: lo interface: lo
reserved_ports: "22" reserved_ports: "22"
# Enable vault integration
# nomad_vault_enabled: true
nomad_config_custom: nomad_config_custom:
ui: ui:
enabled: true enabled: true
consul: consul:
ui_url: "http://{{ ansible_hostname }}:8500/ui" ui_url: "http://{{ ansible_hostname }}:8500/ui"
vault:
ui_url: "http://{{ ansible_hostname }}:8200/ui"
tasks: tasks:
- name: Start Nomad - name: Start Nomad
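Review bot: With `# no_log: true` left commented out on the "Unseal vault" task, each loop iteration prints its item, so every key share from `vault_keys` ends up in the `-vv` playbook output and in any terminal or CI log that captures it; enabling `no_log: true` (optionally with a `loop_control` label that names the index rather than the value) should happen before real keys are used. The task also targets `http://127.0.0.1:8200/`, which together with `vault_address: 0.0.0.0` suggests the listener is plaintext on all interfaces; the commit title acknowledges this, but a `# TODO: enable listener TLS before exposing beyond localhost` comment on `vault_address` would keep the follow-up visible. The play-level `become: true` is broader than `vault operator unseal` needs, though harmless as written.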


@ -133,26 +133,40 @@ job "traefik" {
[http] [http]
[http.routers] [http.routers]
[http.routers.nomad] [http.routers.nomad]
entryPoints = ["web", "websecure"] entryPoints = ["websecure"]
# middlewares = [] # middlewares = []
service = "nomad" service = "nomad"
rule = "Host(`nomad.${var.base_hostname}`)" rule = "Host(`nomad.${var.base_hostname}`)"
[http.routers.consul] [http.routers.consul]
entryPoints = ["web", "websecure"] entryPoints = ["websecure"]
# middlewares = [] # middlewares = []
service = "consul" service = "consul"
rule = "Host(`consul.${var.base_hostname}`)" rule = "Host(`consul.${var.base_hostname}`)"
[http.routers.vault]
entryPoints = ["websecure"]
# middlewares = []
service = "vault"
rule = "Host(`vault.${var.base_hostname}`)"
[http.services] [http.services]
[http.services.nomad] [http.services.nomad]
[http.services.nomad.loadBalancer] [http.services.nomad.loadBalancer]
<< range service "nomad-client" >>
[[http.services.nomad.loadBalancer.servers]] [[http.services.nomad.loadBalancer.servers]]
url = "http://<< env "NOMAD_IP_web" >>:4646" url = "http://<< .Address >>:<< .Port >>"
<< end >>
[http.services.consul] [http.services.consul]
[http.services.consul.loadBalancer] [http.services.consul.loadBalancer]
<< range service "consul" >>
[[http.services.consul.loadBalancer.servers]] [[http.services.consul.loadBalancer.servers]]
url = "http://<< env "NOMAD_IP_web" >>:8500" url = "http://<< .Address >>:<< .Port >>"
<< end >>
[http.services.vault]
[http.services.vault.loadBalancer]
<< range service "vault" >>
[[http.services.vault.loadBalancer.servers]]
url = "http://<< .Address >>:<< .Port >>"
<< end >>
EOH EOH
destination = "/config/conf/route-hashi.toml" destination = "/config/conf/route-hashi.toml"
change_mode = "noop" change_mode = "noop"
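Review bot: The new `http.services.vault` load balancer points at `http://<< .Address >>:<< .Port >>`, so tokens and credentials accepted on the TLS-only `vault` router are re-sent in cleartext between Traefik and the Vault nodes; the nomad and consul backends, now discovered through Consul instead of `NOMAD_IP_web`, have the same property. A comment such as `# backend is plaintext until the Vault listener has TLS; switch to https:// then` above the vault `url` line would record the intended follow-up. The `<< range service "vault" >>` block presumably includes only instances Consul reports as passing, so whether sealed or standby nodes can be handed requests depends on the Vault service registration's health checks, which are not visible here and are worth confirming.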