Add TLS certificate auth for HashiCorp Vault (#14534)

* Add TLS certificate auth for HashiCorp Vault Add support for AWX to authenticate with HashiCorp Vault using TLS client certificates. Also updates the documentation for the HashiCorp Vault secret management plugins to include both the new TLS options and the missing Kubernetes auth method options. Signed-off-by: Andrew Austin <aaustin@redhat.com> * Refactor docker-compose vault for TLS cert auth Add TLS configuration to the docker-compose Vault configuration and use that method by default in vault plumbing. This ensures that the result of bringing up the docker-compose stack with vault enabled and running the plumb-vault playbook is a fully working credential retrieval setup using TLS client cert authentication. Signed-off-by: Andrew Austin <aaustin@redhat.com> * Remove incorrect trailing space Co-authored-by: Hao Liu <44379968+TheRealHaoLiu@users.noreply.github.com> * Make vault init idempotent - improve error handling for vault_initialization - ignore error if vault cert auth is already configured - removed unused register * Add VAULT_TLS option Make TLS for HashiCorp Vault optional and configurable via VAULT_TLS env var * Add retries for vault init Sometime it took longer for vault to fully come up and init will fail --------- Signed-off-by: Andrew Austin <aaustin@redhat.com> Co-authored-by: Hao Liu <44379968+TheRealHaoLiu@users.noreply.github.com> Co-authored-by: Hao Liu <haoli@redhat.com>
2026-01-11 01:57:35 -03:30 · 2023-12-06 13:12:15 -06:00 · 2023-12-06 13:12:15 -06:00 · 6aa2997dce
commit 6aa2997dce
parent dd00bbba42
14 changed files with 280 additions and 20 deletions
--- a/6
+++ b/6
@ -43,6 +43,8 @@ PROMETHEUS ?= false
 GRAFANA ?= false
 # If set to true docker-compose will also start a hashicorp vault instance
 VAULT ?= false
+# If set to true docker-compose will also start a hashicorp vault instance with TLS enabled
+VAULT_TLS ?= false
 # If set to true docker-compose will also start a tacacs+ instance
 TACACS ?= false

@ -528,13 +530,15 @@ docker-compose-sources: .git/hooks/pre-commit
 	    -e enable_prometheus=$(PROMETHEUS) \
 	    -e enable_grafana=$(GRAFANA) \
 	    -e enable_vault=$(VAULT) \
+	    -e vault_tls=$(VAULT_TLS) \
 	    -e enable_tacacs=$(TACACS) \
            $(EXTRA_SOURCES_ANSIBLE_OPTS)

 docker-compose: awx/projects docker-compose-sources
 	ansible-galaxy install --ignore-certs -r tools/docker-compose/ansible/requirements.yml;
 	ansible-playbook -i tools/docker-compose/inventory tools/docker-compose/ansible/initialize_containers.yml \
-	  -e enable_vault=$(VAULT);
+	    -e enable_vault=$(VAULT) \
+	    -e vault_tls=$(VAULT_TLS);
 	$(DOCKER_COMPOSE) -f tools/docker-compose/_sources/docker-compose.yml $(COMPOSE_OPTS) up $(COMPOSE_UP_OPTS) --remove-orphans

 docker-compose-credential-plugins: awx/projects docker-compose-sources
--- a/awx/main/credential_plugins/hashivault.py
+++ b/awx/main/credential_plugins/hashivault.py
@ -41,6 +41,34 @@ base_inputs = {
            'secret': True,
            'help_text': _('The Secret ID for AppRole Authentication'),
        },
+        {
+            'id': 'client_cert_public',
+            'label': _('Client Certificate'),
+            'type': 'string',
+            'multiline': True,
+            'help_text': _(
+                'The PEM-encoded client certificate used for TLS client authentication.'
+                ' This should include the certificate and any intermediate certififcates.'
+            ),
+        },
+        {
+            'id': 'client_cert_private',
+            'label': _('Client Certificate Key'),
+            'type': 'string',
+            'multiline': True,
+            'secret': True,
+            'help_text': _('The certificate private key used for TLS client authentication.'),
+        },
+        {
+            'id': 'client_cert_role',
+            'label': _('TLS Authentication Role'),
+            'type': 'string',
+            'multiline': False,
+            'help_text': _(
+                'The role configured in Hashicorp Vault for TLS client authentication.'
+                ' If not provided, Hashicorp Vault may assign roles based on the certificate used.'
+            ),
+        },
        {
            'id': 'namespace',
            'label': _('Namespace name (Vault Enterprise only)'),
@ -164,8 +192,10 @@ def handle_auth(**kwargs):
        token = method_auth(**kwargs, auth_param=approle_auth(**kwargs))
    elif kwargs.get('kubernetes_role'):
        token = method_auth(**kwargs, auth_param=kubernetes_auth(**kwargs))
+    elif kwargs.get('client_cert_public') and kwargs.get('client_cert_private'):
+        token = method_auth(**kwargs, auth_param=client_cert_auth(**kwargs))
    else:
-        raise Exception('Either token or AppRole/Kubernetes authentication parameters must be set')
+        raise Exception('Either a token or AppRole, Kubernetes, or TLS authentication parameters must be set')

    return token

@ -181,6 +211,10 @@ def kubernetes_auth(**kwargs):
    return {'role': kwargs['kubernetes_role'], 'jwt': jwt}


+def client_cert_auth(**kwargs):
+    return {'name': kwargs.get('client_cert_role')}
+
+
 def method_auth(**kwargs):
    # get auth method specific params
    request_kwargs = {'json': kwargs['auth_param'], 'timeout': 30}
@ -193,13 +227,22 @@ def method_auth(**kwargs):
    cacert = kwargs.get('cacert', None)

    sess = requests.Session()
+
    # Namespace support
    if kwargs.get('namespace'):
        sess.headers['X-Vault-Namespace'] = kwargs['namespace']
    request_url = '/'.join([url, 'auth', auth_path, 'login']).rstrip('/')
    with CertFiles(cacert) as cert:
        request_kwargs['verify'] = cert
-        resp = sess.post(request_url, **request_kwargs)
+        # TLS client certificate support
+        if kwargs.get('client_cert_public') and kwargs.get('client_cert_private'):
+            # Add client cert to requests Session before making call
+            with CertFiles(kwargs['client_cert_public'], key=kwargs['client_cert_private']) as client_cert:
+                sess.cert = client_cert
+                resp = sess.post(request_url, **request_kwargs)
+        else:
+            # Make call without client certificate
+            resp = sess.post(request_url, **request_kwargs)
    resp.raise_for_status()
    token = resp.json()['auth']['client_token']
    return token
--- a/awx/main/tests/functional/test_credential_plugins.py
+++ b/awx/main/tests/functional/test_credential_plugins.py
@ -40,6 +40,26 @@ def test_hashivault_kubernetes_auth():
        assert res == expected_res


+def test_hashivault_client_cert_auth_explicit_role():
+    kwargs = {
+        'client_cert_role': 'test-cert-1',
+    }
+    expected_res = {
+        'name': 'test-cert-1',
+    }
+    res = hashivault.client_cert_auth(**kwargs)
+    assert res == expected_res
+
+
+def test_hashivault_client_cert_auth_no_role():
+    kwargs = {}
+    expected_res = {
+        'name': None,
+    }
+    res = hashivault.client_cert_auth(**kwargs)
+    assert res == expected_res
+
+
 def test_hashivault_handle_auth_token():
    kwargs = {
        'token': 'the_token',
@ -73,6 +93,22 @@ def test_hashivault_handle_auth_kubernetes():
            assert token == 'the_token'


+def test_hashivault_handle_auth_client_cert():
+    kwargs = {
+        'client_cert_public': "foo",
+        'client_cert_private': "bar",
+        'client_cert_role': 'test-cert-1',
+    }
+    auth_params = {
+        'name': 'test-cert-1',
+    }
+    with mock.patch.object(hashivault, 'method_auth') as method_mock:
+        method_mock.return_value = 'the_token'
+        token = hashivault.handle_auth(**kwargs)
+        method_mock.assert_called_with(**kwargs, auth_param=auth_params)
+        assert token == 'the_token'
+
+
 def test_hashivault_handle_auth_not_enough_args():
    with pytest.raises(Exception):
        hashivault.handle_auth()
--- a/docs/docsite/rst/userguide/credential_plugins.rst
+++ b/docs/docsite/rst/userguide/credential_plugins.rst
@ -265,10 +265,21 @@ When **HashiCorp Vault Secret Lookup** is selected for **Credential Type**, prov
 - **CA Certificate**: specify the CA certificate used to verify HashiCorp's server
 - **Approle Role_ID**: specify the ID for Approle authentication
 - **Approle Secret_ID**: specify the corresponding secret ID for Approle authentication
- **Path to Approle Auth**: specify a path if other than the default path of ``/approle``
+- **Client Certificate**: specify a PEM-encoded client certificate when using the TLS auth method including any required intermediate certificates expected by Vault
+- **Client Certificate Key**: specify a PEM-encoded certificate private key when using the TLS auth method
+- **TLS Authentication Role**: specify the role or certificate name in Vault that corresponds to your client certificate when using the TLS auth method. If it is not provided, Vault will attempt to match the certificate automatically
+- **Namespace name** specify the namespace name (Vault Enterprise only)
+- **Kubernetes role** specify the role name when using Kubernetes authentication
+- **Path to Auth**: specify a path if other than the default path of ``/approle``
 - **API Version** (required): select v1 for static lookups and v2 for versioned lookups

-For more detail about Approle and its fields, refer to the `Vault documentation for Approle Auth Method <https://www.vaultproject.io/docs/auth/approle>`_.  Below shows an example of a configured HashiCorp Vault Secret Lookup credential.
+For more detail about the Approle auth method and its fields, refer to the `Vault documentation for Approle Auth Method <https://www.vaultproject.io/docs/auth/approle>`_.
+
+For more detail about the Kubernetes auth method and its fields, refer to the `Vault documentation for Kubernetes auth method <https://developer.hashicorp.com/vault/docs/auth/kubernetes>` _.
+
+For more detail about the TLS certificate auth method and its fields, refer to the `Vault documentation for TLS certificates auth method <https://developer.hashicorp.com/vault/docs/auth/cert>` _.
+
+Below shows an example of a configured HashiCorp Vault Secret Lookup credential.

 .. image:: ../common/images/credentials-create-hashicorp-kv-credential.png 
   :alt: Example new HashiCorp Vault Secret lookup dialog
@ -288,9 +299,18 @@ When **HashiCorp Vault Signed SSH** is selected for **Credential Type**, provide
 - **CA Certificate**: specify the CA certificate used to verify HashiCorp's server
 - **Approle Role_ID**: specify the ID for Approle authentication
 - **Approle Secret_ID**: specify the corresponding secret ID for Approle authentication
- **Path to Approle Auth**: specify a path if other than the default path of ``/approle``
+- **Client Certificate**: specify a PEM-encoded client certificate when using the TLS auth method including any required intermediate certificates expected by Vault
+- **Client Certificate Key**: specify a PEM-encoded certificate private key when using the TLS auth method
+- **TLS Authentication Role**: specify the role or certificate name in Vault that corresponds to your client certificate when using the TLS auth method. If it is not provided, Vault will attempt to match the certificate automatically
+- **Namespace name** specify the namespace name (Vault Enterprise only)
+- **Kubernetes role** specify the role name when using Kubernetes authentication
+- **Path to Auth**: specify a path if other than the default path of ``/approle``

-For more detail about Approle and its fields, refer to the `Vault documentation for Approle Auth Method <https://www.vaultproject.io/docs/auth/approle>`_. 
+For more detail about the Approle auth method and its fields, refer to the `Vault documentation for Approle Auth Method <https://www.vaultproject.io/docs/auth/approle>`_.
+
+For more detail about the Kubernetes auth method and its fields, refer to the `Vault documentation for Kubernetes auth method <https://developer.hashicorp.com/vault/docs/auth/kubernetes>` _.
+
+For more detail about the TLS certificate auth method and its fields, refer to the `Vault documentation for TLS certificates auth method <https://developer.hashicorp.com/vault/docs/auth/cert>` _.

 Below shows an example of a configured HashiCorp SSH Secrets Engine credential.

--- a/tools/docker-compose/ansible/plumb_vault.yml
+++ b/tools/docker-compose/ansible/plumb_vault.yml
@ -2,6 +2,8 @@
 - name: Plumb AWX for Vault
  hosts: localhost
  gather_facts: False
+  vars:
+    awx_host: "https://127.0.0.1:8043"
  tasks:
    - include_role:
        name: vault
--- a/tools/docker-compose/ansible/roles/sources/defaults/main.yml
+++ b/tools/docker-compose/ansible/roles/sources/defaults/main.yml
@ -30,6 +30,24 @@ ldap_public_key_file: '{{ ldap_cert_dir }}/{{ ldap_public_key_file_name }}'
 ldap_private_key_file: '{{ ldap_cert_dir }}/{{ ldap_private_key_file_name }}'
 ldap_cert_subject: "/C=US/ST=NC/L=Durham/O=awx/CN="

+# Hashicorp Vault
+enable_vault: false
+vault_tls: false
+hashivault_cert_dir: '{{ sources_dest }}/vault_certs'
+hashivault_server_cert_subject: "/C=US/ST=NC/L=Durham/O=awx/CN=tools-vault-1"
+hashivault_server_cert_extensions:
+  - "subjectAltName = DNS:tools_vault_1, DNS:localhost"
+  - "keyUsage = digitalSignature, nonRepudiation"
+  - "extendedKeyUsage = serverAuth"
+hashivault_client_cert_extensions:
+  - "subjectAltName = DNS:awx-vault-client"
+  - "keyUsage = digitalSignature, nonRepudiation"
+  - "extendedKeyUsage = serverAuth, clientAuth"
+hashivault_client_cert_subject: "/C=US/ST=NC/L=Durham/O=awx/CN=awx-vault-client"
+hashivault_server_public_keyfile: '{{ hashivault_cert_dir }}/server.crt'
+hashivault_server_private_keyfile: '{{ hashivault_cert_dir }}/server.key'
+hashivault_client_public_keyfile: '{{ hashivault_cert_dir }}/client.crt'
+hashivault_client_private_keyfile: '{{ hashivault_cert_dir }}/client.key'
 # Metrics
 enable_splunk: false
 enable_grafana: false
--- a/tools/docker-compose/ansible/roles/sources/tasks/main.yml
+++ b/tools/docker-compose/ansible/roles/sources/tasks/main.yml
@ -101,6 +101,10 @@
  include_tasks: ldap.yml
  when: enable_ldap | bool

+- name: Include vault TLS tasks if enabled
+  include_tasks: vault_tls.yml
+  when: enable_vault | bool
+
 - name: Render Docker-Compose
  template:
    src: docker-compose.yml.j2
--- a/tools/docker-compose/ansible/roles/sources/tasks/vault_tls.yml
+++ b/tools/docker-compose/ansible/roles/sources/tasks/vault_tls.yml
@ -0,0 +1,31 @@
+---
+- name: Create Certificates for HashiCorp Vault
+  block:
+    - name: Create Hashicorp Vault cert directory
+      file:
+        path: "{{ hashivault_cert_dir }}"
+        state: directory
+
+    - name: Generate vault server certificate
+      command: 'openssl req -new -newkey rsa:2048 -x509 -days 365 -nodes -out {{ hashivault_server_public_keyfile }} -keyout {{ hashivault_server_private_keyfile }} -subj "{{ hashivault_server_cert_subject }}"{% for ext in hashivault_server_cert_extensions %} -addext "{{ ext }}"{% endfor %}'
+      args:
+        creates: "{{ hashivault_server_public_keyfile }}"
+
+    - name: Generate vault test client certificate
+      command: 'openssl req -new -newkey rsa:2048 -x509 -days 365 -nodes -out {{ hashivault_client_public_keyfile }} -keyout {{ hashivault_client_private_keyfile }} -subj "{{ hashivault_client_cert_subject }}"{% for ext in hashivault_client_cert_extensions %} -addext "{{ ext }}"{% endfor %}'
+      args:
+        creates: "{{ hashivault_client_public_keyfile }}"
+
+    - name: Set mode for vault certificates
+      ansible.builtin.file:
+        path: "{{ hashivault_cert_dir }}"
+        recurse: true
+        state: directory
+        mode: 0777
+  when: vault_tls | bool
+
+- name: Delete Certificates for HashiCorp Vault
+  file:
+    path: "{{ hashivault_cert_dir }}"
+    state: absent
+  when: vault_tls | bool == false
--- a/tools/docker-compose/ansible/roles/sources/templates/docker-compose.yml.j2
+++ b/tools/docker-compose/ansible/roles/sources/templates/docker-compose.yml.j2
@ -252,7 +252,7 @@ services:
    privileged: true
  {% endfor %}
 {% endif %}
-{% if enable_vault|bool %}
+{% if enable_vault | bool %}
  vault:
    image: hashicorp/vault:1.14
    container_name: tools_vault_1
@ -261,10 +261,17 @@ services:
    ports:
      - "1234:1234"
    environment:
+{% if vault_tls | bool %}
+      VAULT_LOCAL_CONFIG: '{"storage": {"file": {"path": "/vault/file"}}, "listener": [{"tcp": { "address": "0.0.0.0:1234", "tls_disable": false, "tls_cert_file": "/vault/tls/server.crt", "tls_key_file": "/vault/tls/server.key"}}], "default_lease_ttl": "168h", "max_lease_ttl": "720h", "ui": true}'
+{% else %}
      VAULT_LOCAL_CONFIG: '{"storage": {"file": {"path": "/vault/file"}}, "listener": [{"tcp": { "address": "0.0.0.0:1234", "tls_disable": true}}], "default_lease_ttl": "168h", "max_lease_ttl": "720h", "ui": true}'
+{% endif %}
    cap_add:
      - IPC_LOCK
    volumes:
+{% if vault_tls | bool %}
+      - '../../docker-compose/_sources/vault_certs:/vault/tls'
+{% endif %}
      - 'hashicorp_vault_data:/vault/file'
 {% endif %}

--- a/tools/docker-compose/ansible/roles/vault/defaults/main.yml
+++ b/tools/docker-compose/ansible/roles/vault/defaults/main.yml
@ -1,2 +1,7 @@
 ---
 vault_file: "{{ sources_dest }}/secrets/vault_init.yml"
+admin_password_file: "{{ sources_dest }}/secrets/admin_password.yml"
+vault_cert_dir: '{{ sources_dest }}/vault_certs'
+vault_server_cert: "{{ vault_cert_dir }}/server.crt"
+vault_client_cert: "{{ vault_cert_dir }}/client.crt"
+vault_client_key: "{{ vault_cert_dir }}/client.key"
--- a/tools/docker-compose/ansible/roles/vault/tasks/initialize.yml
+++ b/tools/docker-compose/ansible/roles/vault/tasks/initialize.yml
@ -1,4 +1,7 @@
 ---
+- name: Set vault_addr
+  include_tasks: set_vault_addr.yml
+
 - block:
    - name: Start the vault
      community.docker.docker_compose:
@ -12,9 +15,16 @@
        command: vault operator init
        container: tools_vault_1
        env:
-          VAULT_ADDR: "http://127.0.0.1:1234"
+          VAULT_ADDR: "{{ vault_addr }}"
+          VAULT_SKIP_VERIFY: "true"
      register: vault_initialization
-      ignore_errors: true
+      failed_when:
+        - vault_initialization.rc != 0
+        - vault_initialization.stderr.find("Vault is already initialized") == -1
+      changed_when:
+        - vault_initialization.rc == 0
+      retries: 5
+      delay: 5

    - name: Write out initialization file
      copy:
@ -34,21 +44,52 @@
        name: vault
        tasks_from: unseal.yml

+    - name: Configure the vault with cert auth
+      block:
+        - name: Create a cert auth mount
+          flowerysong.hvault.write:
+            path: "sys/auth/cert"
+            vault_addr: "{{ vault_addr_from_host }}"
+            validate_certs: false
+            token: "{{ Initial_Root_Token }}"
+            data:
+              type: "cert"
+          register: vault_auth_cert
+          failed_when:
+            - vault_auth_cert.result.errors | default([]) | length > 0
+            - "'path is already in use at cert/' not in vault_auth_cert.result.errors | default([])"
+          changed_when:
+            - vault_auth_cert.result.errors | default([]) | length == 0
+
+        - name: Configure client certificate
+          flowerysong.hvault.write:
+            path: "auth/cert/certs/awx-client"
+            vault_addr: "{{ vault_addr_from_host }}"
+            validate_certs: false
+            token: "{{ Initial_Root_Token }}"
+            data:
+              name: awx-client
+              certificate: "{{ lookup('ansible.builtin.file', '{{ vault_client_cert }}') }}"
+              policies:
+                - root
+      when: vault_tls | bool
+
    - name: Create an engine
      flowerysong.hvault.engine:
        path: "my_engine"
        type: "kv"
-        vault_addr: "http://localhost:1234"
+        vault_addr: "{{ vault_addr_from_host }}"
+        validate_certs: false
        token: "{{ Initial_Root_Token }}"
-      register: engine

-    - name: Create a secret
+    - name: Create a demo secret
      flowerysong.hvault.kv:
        mount_point: "my_engine/my_root"
        key: "my_folder"
        value:
          my_key: "this_is_the_secret_value"
-        vault_addr: "http://localhost:1234"
+        vault_addr: "{{ vault_addr_from_host }}"
+        validate_certs: false
        token: "{{ Initial_Root_Token }}"

  always:
--- a/tools/docker-compose/ansible/roles/vault/tasks/plumb.yml
+++ b/tools/docker-compose/ansible/roles/vault/tasks/plumb.yml
@ -1,29 +1,45 @@
 ---
+- name: Set vault_addr
+  include_tasks: set_vault_addr.yml
+
 - name: Load vault keys
  include_vars:
    file: "{{ vault_file }}"

+- name: Get AWX admin password
+  include_vars:
+    file: "{{ admin_password_file }}"
+
 - name: Create a HashiCorp Vault Credential
  awx.awx.credential:
    credential_type: HashiCorp Vault Secret Lookup
    name: Vault Lookup Cred
    organization: Default
+    controller_host: "{{ awx_host }}"
+    controller_username: admin
+    controller_password: "{{ admin_password }}"
+    validate_certs: false
    inputs:
      api_version: "v1"
-      cacert: ""
-      default_auth_path: "approle"
+      cacert: "{{ lookup('ansible.builtin.file', '{{ vault_server_cert }}', errors='ignore') }}"
+      default_auth_path: "cert"
      kubernetes_role: ""
      namespace: ""
-      role_id: ""
-      secret_id: ""
+      client_cert_public: "{{ lookup('ansible.builtin.file', '{{ vault_client_cert }}', errors='ignore') }}"
+      client_cert_private: "{{ lookup('ansible.builtin.file', '{{ vault_client_key }}', errors='ignore') }}"
      token: "{{ Initial_Root_Token }}"
-      url: "http://tools_vault_1:1234"
+      url: "{{ vault_addr_from_container }}"
  register: vault_cred

 - name: Create a custom credential type
  awx.awx.credential_type:
    name: Vault Custom Cred Type
    kind: cloud
+    controller_host: "{{ awx_host }}"
+    controller_username: admin
+    controller_password: "{{ admin_password }}"
+
+    validate_certs: false
    injectors:
      extra_vars:
        the_secret_from_vault: "{{ '{{' }} password {{ '}}' }}"
@ -38,6 +54,11 @@
 - name: Create a credential of the custom type
  awx.awx.credential:
    credential_type: "{{ custom_vault_cred_type.id }}"
+    controller_host: "{{ awx_host }}"
+    controller_username: admin
+    controller_password: "{{ admin_password }}"
+
+    validate_certs: false
    name: Credential From Vault
    inputs: {}
    organization: Default
@ -48,6 +69,11 @@
    input_field_name: password
    target_credential: "{{ custom_credential.id }}"
    source_credential: "{{ vault_cred.id }}"
+    controller_host: "{{ awx_host }}"
+    controller_username: admin
+    controller_password: "{{ admin_password }}"
+
+    validate_certs: false
    metadata:
      auth_path: ""
      secret_backend: "my_engine"
--- a/tools/docker-compose/ansible/roles/vault/tasks/set_vault_addr.yml
+++ b/tools/docker-compose/ansible/roles/vault/tasks/set_vault_addr.yml
@ -0,0 +1,19 @@
+---
+- name: Detect if vault cert directory exist
+  stat:
+    path: "{{ vault_cert_dir }}"
+  register: vault_cert_dir_stat
+
+- name: Set vault_addr for http
+  set_fact:
+    vault_addr: "http://127.0.0.1:1234"
+    vault_addr_from_host: "http://localhost:1234"
+    vault_addr_from_container: "http://tools_vault_1:1234"
+  when: vault_cert_dir_stat.stat.exists == false
+
+- name: Set vault_addr for https
+  set_fact:
+    vault_addr: "https://127.0.0.1:1234"
+    vault_addr_from_host: "https://localhost:1234"
+    vault_addr_from_container: "https://tools_vault_1:1234"
+  when: vault_cert_dir_stat.stat.exists == true
--- a/tools/docker-compose/ansible/roles/vault/tasks/unseal.yml
+++ b/tools/docker-compose/ansible/roles/vault/tasks/unseal.yml
@ -1,11 +1,15 @@
 ---
+- name: Set vault_addr
+  include_tasks: set_vault_addr.yml
+
 - name: Load vault keys
  include_vars:
    file: "{{ vault_file }}"

 - name: Unseal the vault
  flowerysong.hvault.seal:
-    vault_addr: "http://localhost:1234"
+    vault_addr: "{{ vault_addr_from_host }}"
+    validate_certs: false
    state: unsealed
    key: "{{ item }}"
  loop: