feat(vault): separated vault binary install and service configuration; use provisioner artifacts directory to store HC vault setup information; set group level HC vault instance info
This commit is contained in:
parent
b6695cf49c
commit
c3305093e4
6 changed files with 69 additions and 62 deletions
|
@ -17,19 +17,19 @@
|
||||||
- name: set init data filename
|
- name: set init data filename
|
||||||
no_log: true
|
no_log: true
|
||||||
ansible.builtin.set_fact:
|
ansible.builtin.set_fact:
|
||||||
hc_vault_init_data_filename: "{{ hc_vault_init_data_filepath | default('/tmp', True) }}/vault_{{ ansible_facts['fqdn'] }}_init.yml"
|
hc_vault_init_data_filename: "{{ hc_vault_init_data_filepath | default(provisioner_facts.artifacts_dir, True) }}/hashicorp_vault_{{ ansible_facts['fqdn'] }}_init.yml"
|
||||||
|
|
||||||
- name: save initialization data
|
- name: save initialization data
|
||||||
connection: local
|
connection: local
|
||||||
no_log: true
|
no_log: true
|
||||||
block:
|
|
||||||
- name: save content to temp file
|
|
||||||
ansible.builtin.copy:
|
ansible.builtin.copy:
|
||||||
content: '{{ init_data.stdout }}'
|
content: '{{ init_data.stdout }}'
|
||||||
dest: '{{ hc_vault_init_data_filename }}'
|
dest: '{{ hc_vault_init_data_filename }}'
|
||||||
mode: '0600'
|
mode: '0600'
|
||||||
owner: "{{ ansible_facts['user_id'] }}"
|
owner: "{{ ansible_facts['user_id'] }}"
|
||||||
group: "{{ ansible_facts['user_id'] }}"
|
group: "{{ ansible_facts['user_id'] }}"
|
||||||
|
vars:
|
||||||
|
ansible_python_interpreter: /usr/bin/python3
|
||||||
|
|
||||||
- name: print init data file location
|
- name: print init data file location
|
||||||
no_log: true
|
no_log: true
|
||||||
|
|
|
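Review bot: The `save initialization data` task now writes `init_data.stdout` into `provisioner_facts.artifacts_dir` by default (the `hc_vault_init_data_filename` line), but nothing in this hunk ensures that directory exists or is private; `ansible.builtin.copy` errors if it is missing, and `mode: '0600'` on the file does not prevent other local users from seeing it listed if the directory is world-readable. Since the content is the raw init output (presumably unseal keys and the root token — confirm), add a preceding `ansible.builtin.file` task that creates the parent directory with `mode: '0700'` under the same `connection: local`, or hand the artifact to a secret store instead of a plain file. Note also that `default(provisioner_facts.artifacts_dir, True)` makes an explicitly empty `hc_vault_init_data_filepath` fall back silently, which deserves a comment on the `set_fact`. The surrounding task list continues outside the hunk.
```yaml
- name: ensure init data directory exists and is private
  connection: local
  no_log: true
  ansible.builtin.file:
    path: "{{ hc_vault_init_data_filename | dirname }}"
    state: directory
    mode: '0700'

- name: save initialization data
# … unchanged: copy of init_data.stdout to hc_vault_init_data_filename …
```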
@ -0,0 +1,40 @@
|
||||||
|
---
|
||||||
|
- name: install vault binary
|
||||||
|
when: not hc_vault_binary_installed or hc_vault_local_binary_version != hc_vault_version
|
||||||
|
notify:
|
||||||
|
- 'vault : restart vault service'
|
||||||
|
block:
|
||||||
|
- name: download archive
|
||||||
|
ansible.builtin.get_url:
|
||||||
|
url: 'https://releases.hashicorp.com/vault/{{ hc_vault_version }}/vault_{{ hc_vault_version }}_{{ hc_vault_architecture }}.zip'
|
||||||
|
dest: '{{ tmp_file.path }}/vault_{{ hc_vault_version }}_{{ hc_vault_architecture }}.zip'
|
||||||
|
mode: '0600'
|
||||||
|
- name: download SHASUMs file signature
|
||||||
|
ansible.builtin.get_url:
|
||||||
|
url: 'https://releases.hashicorp.com/vault/{{ hc_vault_version }}/vault_{{ hc_vault_version }}_SHA256SUMS.sig'
|
||||||
|
dest: '{{ tmp_file.path }}/shasums.sig'
|
||||||
|
mode: '0600'
|
||||||
|
- name: download SHASUMs files for vault releases
|
||||||
|
ansible.builtin.get_url:
|
||||||
|
url: 'https://releases.hashicorp.com/vault/{{ hc_vault_version }}/vault_{{ hc_vault_version }}_SHA256SUMS'
|
||||||
|
dest: '{{ tmp_file.path }}/shasums.txt'
|
||||||
|
mode: '0600'
|
||||||
|
- name: Verify downloaded files integrity
|
||||||
|
block:
|
||||||
|
- name: check SHASUMs file integrity
|
||||||
|
ansible.builtin.command: 'gpg --verify {{ tmp_file.path }}/shasums.sig {{ tmp_file.path }}/shasums.txt'
|
||||||
|
- name: check SHASUM of the downloaded archive
|
||||||
|
ansible.builtin.command:
|
||||||
|
cmd: 'sha256sum -c {{ tmp_file.path }}/shasums.txt'
|
||||||
|
chdir: '{{ tmp_file.path }}'
|
||||||
|
register: shasum_check
|
||||||
|
failed_when: 'search_string not in shasum_check.stdout'
|
||||||
|
vars:
|
||||||
|
search_string: 'vault_{{ hc_vault_version }}_{{ hc_vault_architecture }}.zip: OK'
|
||||||
|
- name: install vault package
|
||||||
|
become: true
|
||||||
|
ansible.builtin.shell: |
|
||||||
|
cd {{ tmp_file.path }}
|
||||||
|
unzip -o vault_{{ hc_vault_version }}_{{ hc_vault_architecture }}.zip
|
||||||
|
install -g {{ hc_vault_runas }} -o {{ hc_vault_runas }} -p -m 500 ./vault {{ hc_vault_binary_path }}
|
||||||
|
{{ hc_vault_binary_path }} -h > /dev/null || (echo "Unexpected return, binary might be invalid")
|
|
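Review bot: The `install vault package` shell task at the end of the hunk cannot fail: `{{ hc_vault_binary_path }} -h > /dev/null || (echo "Unexpected return, binary might be invalid")` turns a broken binary into rc 0, and without `set -e` a failed `unzip` or `install` is likewise masked because the task's rc is that of the last command. Start the script with `set -eu` and make the final check exit non-zero, e.g. `{{ hc_vault_binary_path }} -h > /dev/null || { echo "Unexpected return, binary might be invalid" >&2; exit 1; }`. Separately, `gpg --verify` in `check SHASUMs file integrity` exits 0 for a valid signature from any key present in the invoking user's keyring, so pin the expected signer by running with `--status-fd 1` and checking for a `VALIDSIG <EXPECTED_SIGNING_KEY_FINGERPRINT>` line (placeholder; the release key fingerprint is not on this page). `tmp_file` is registered outside this file, so the `block` depends on the caller having run that task first.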
@ -6,46 +6,7 @@
|
||||||
- default_ipv4
|
- default_ipv4
|
||||||
- dns
|
- dns
|
||||||
|
|
||||||
- name: install vault binary
|
- name: prepare directory layout
|
||||||
when: not hc_vault_binary_installed or hc_vault_local_binary_version != hc_vault_version
|
|
||||||
notify:
|
|
||||||
- 'vault : restart vault service'
|
|
||||||
block:
|
|
||||||
- name: download archive
|
|
||||||
ansible.builtin.get_url:
|
|
||||||
url: 'https://releases.hashicorp.com/vault/{{ hc_vault_version }}/vault_{{ hc_vault_version }}_{{ hc_vault_architecture }}.zip'
|
|
||||||
dest: '{{ tmp_file.path }}/vault_{{ hc_vault_version }}_{{ hc_vault_architecture }}.zip'
|
|
||||||
mode: '0600'
|
|
||||||
- name: download SHASUMs file signature
|
|
||||||
ansible.builtin.get_url:
|
|
||||||
url: 'https://releases.hashicorp.com/vault/{{ hc_vault_version }}/vault_{{ hc_vault_version }}_SHA256SUMS.sig'
|
|
||||||
dest: '{{ tmp_file.path }}/shasums.sig'
|
|
||||||
mode: '0600'
|
|
||||||
- name: download SHASUMs files for vault releases
|
|
||||||
ansible.builtin.get_url:
|
|
||||||
url: 'https://releases.hashicorp.com/vault/{{ hc_vault_version }}/vault_{{ hc_vault_version }}_SHA256SUMS'
|
|
||||||
dest: '{{ tmp_file.path }}/shasums.txt'
|
|
||||||
mode: '0600'
|
|
||||||
- name: Verify downloaded files integrity
|
|
||||||
block:
|
|
||||||
- name: check SHASUMs file integrity
|
|
||||||
ansible.builtin.command: 'gpg --verify {{ tmp_file.path }}/shasums.sig {{ tmp_file.path }}/shasums.txt'
|
|
||||||
- name: check SHASUM of the downloaded archive
|
|
||||||
ansible.builtin.command:
|
|
||||||
cmd: 'sha256sum -c {{ tmp_file.path }}/shasums.txt'
|
|
||||||
chdir: '{{ tmp_file.path }}'
|
|
||||||
register: shasum_check
|
|
||||||
failed_when: 'search_string not in shasum_check.stdout'
|
|
||||||
vars:
|
|
||||||
search_string: 'vault_{{ hc_vault_version }}_{{ hc_vault_architecture }}.zip: OK'
|
|
||||||
- name: install vault package
|
|
||||||
become: true
|
|
||||||
ansible.builtin.shell: |
|
|
||||||
cd {{ tmp_file.path }}
|
|
||||||
unzip -o vault_{{ hc_vault_version }}_{{ hc_vault_architecture }}.zip
|
|
||||||
install -g {{ hc_vault_runas }} -o {{ hc_vault_runas }} -p -m 500 ./vault {{ hc_vault_binary_path }}
|
|
||||||
{{ hc_vault_binary_path }} -h > /dev/null || (echo "Unexpected return, binary might be invalid")
|
|
||||||
- name: prepare directory layout
|
|
||||||
become: true
|
become: true
|
||||||
ansible.builtin.file:
|
ansible.builtin.file:
|
||||||
path: '{{ item }}'
|
path: '{{ item }}'
|
|
@ -30,8 +30,11 @@
|
||||||
- name: run prerequisite tasks
|
- name: run prerequisite tasks
|
||||||
ansible.builtin.import_tasks: prerequisites.yml
|
ansible.builtin.import_tasks: prerequisites.yml
|
||||||
|
|
||||||
- name: install vault
|
- name: install vault binary
|
||||||
ansible.builtin.import_tasks: install.yml
|
ansible.builtin.import_tasks: install_binary.yml
|
||||||
|
|
||||||
|
- name: install vault service
|
||||||
|
ansible.builtin.import_tasks: install_service.yml
|
||||||
|
|
||||||
- name: run security configuration
|
- name: run security configuration
|
||||||
ansible.builtin.import_tasks: security.yml
|
ansible.builtin.import_tasks: security.yml
|
||||||
|
|
|
@ -2,6 +2,8 @@
|
||||||
# global parameters
|
# global parameters
|
||||||
custom_base_user_account: "{{ vault_custom_base_user_account }}"
|
custom_base_user_account: "{{ vault_custom_base_user_account }}"
|
||||||
custom_github_token: "{{ vault_custom_github_token | default('') }}"
|
custom_github_token: "{{ vault_custom_github_token | default('') }}"
|
||||||
|
hc_vault_instance: "{{ vault_hc_vault_instance }}"
|
||||||
|
hc_vault_instance_options: "{{ vault_hc_vault_instance_options }}"
|
||||||
|
|
||||||
# security parameters
|
# security parameters
|
||||||
security_clamav_version: 1.3.1
|
security_clamav_version: 1.3.1
|
||||||
|
|
|
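Review bot: `hc_vault_instance_options: "{{ vault_hc_vault_instance_options }}"` has no `default()`, unlike `custom_github_token` two lines above, so any host or group that does not set `vault_hc_vault_instance_options` fails with an undefined-variable error the first time the role reads it. If the options map is optional, `hc_vault_instance_options: "{{ vault_hc_vault_instance_options | default({}) }}"` keeps the role usable without it; if both new values are required, a comment above them saying so would save the next reader a failed run. Whether `hc_vault_instance` may be left unset cannot be told from this hunk.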
@ -6,3 +6,4 @@ provisioner_kubeconfig_repository: /srv/ansible/kubeconfig
|
||||||
provisioner_kubectl_binary_path: /usr/local/bin/kubectl
|
provisioner_kubectl_binary_path: /usr/local/bin/kubectl
|
||||||
provisioner_k3sup_binary_path: /usr/local/bin/k3sup
|
provisioner_k3sup_binary_path: /usr/local/bin/k3sup
|
||||||
provisioner_tofu_binary_path: /usr/bin/tofu #do not change this, the path is decided by the .deb package
|
provisioner_tofu_binary_path: /usr/bin/tofu #do not change this, the path is decided by the .deb package
|
||||||
|
provisioner_vault_binary_path: /usr/local/bin/vault
|
||||||
|
|