refactor vault role (#2733)

* Move front-proxy-client certs back to kube mount We want the same CA for all k8s certs * Refactor vault to use a third party module The module adds idempotency and reduces some of the repetitive logic in the vault role Requires ansible-modules-hashivault on ansible node and hvac on the vault hosts themselves Add upgrade test scenario Remove bootstrap-os tags from tasks * fix upgrade issues * improve unseal logic * specify ca and fix etcd check * Fix initialization check bump machine size
2026-05-15 05:17:38 -02:30 · 2018-05-11 19:11:38 +03:00
parent e23fd5ca44
commit 07cc981971
49 changed files with 437 additions and 375 deletions
--- a/roles/vault/tasks/cluster/init.yml
+++ b/roles/vault/tasks/cluster/init.yml
@@ -1,36 +1,28 @@
 ---

+- name: cluster/init | wait for vault
+  command: /bin/true
+  notify: wait for vault up
+
+- meta: flush_handlers
+
 - name: cluster/init | Initialize Vault
-  uri:
-    url: "https://{{ groups.vault|first }}:{{ vault_port }}/v1/sys/init"
-    headers: "{{ vault_client_headers }}"
-    method: POST
-    body_format: json
-    body:
-      secret_shares: "{{ vault_secret_shares }}"
-      secret_threshold: "{{ vault_secret_threshold }}"
-    validate_certs: false
+  hashivault_init:
+    url: "https://localhost:{{ vault_port }}/"
+    ca_cert: "{{ vault_cert_dir }}/ca.pem"
+    secret_shares: "{{ vault_secret_shares }}"
+    secret_threshold: "{{ vault_secret_threshold }}"
+  run_once: true
  register: vault_init_result
-  when: not vault_cluster_is_initialized and inventory_hostname == groups.vault|first
+  when: not vault_cluster_is_initialized

 - name: cluster/init | Set facts on the results of the initialization
  set_fact:
-    vault_unseal_keys: "{{ vault_init_result.json['keys'] }}"
-    vault_root_token: "{{ vault_init_result.json.root_token }}"
-    vault_headers: "{{ vault_client_headers|combine({'X-Vault-Token': vault_init_result.json.root_token}) }}"
-  when: not vault_cluster_is_initialized and inventory_hostname == groups.vault|first
-
- name: cluster/init | Ensure all hosts have these facts
-  set_fact:
-    vault_unseal_keys: "{{ hostvars[groups.vault|first]['vault_unseal_keys'] }}"
-    vault_root_token: "{{ hostvars[groups.vault|first]['vault_root_token'] }}"
-  when: not vault_cluster_is_initialized and inventory_hostname != groups.vault|first
-
- name: cluster/init | Ensure the vault_secrets_dir exists
-  file:
-    mode: 0750
-    path: "{{ vault_secrets_dir }}"
-    state: directory
+    vault_unseal_keys: "{{ vault_init_result.keys_base64 }}"
+    vault_root_token: "{{ vault_init_result.root_token }}"
+    vault_headers: "{{ vault_client_headers|combine({'X-Vault-Token': vault_init_result.root_token}) }}"
+  run_once: true
+  when: not vault_cluster_is_initialized

 - name: cluster/init | Ensure all in groups.vault have the unseal_keys locally
  copy:
@@ -48,5 +40,5 @@

 - name: cluster/init | Ensure vault_headers and vault statuses are updated
  set_fact:
-    vault_headers: "{{ vault_client_headers | combine({'X-Vault-Token': vault_root_token})}}"
    vault_cluster_is_initialized: true
+  run_once: true