playbooks/roles/vhosts/vault/tasks/main.yml


# Kubernetes path: pull in the role that prepares the Vault secrets for the
# cluster. Limited to hosts in the inventory group named by `group`; a
# missing group yields an empty list, so the task is simply skipped.
# NOTE(review): the role is spelled "secret-manger" — confirm that matches
# the role directory on disk and is not a typo of "secret-manager".
- name: Prepare Kubernetes Vault secrets
  ansible.builtin.include_role:
    name: secret-manger
  when: vault_deploy_mode == "kubernetes" and inventory_hostname in groups.get(group, [])
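# Kubernetes path: run the setup script once per TLS entry. Every argument
# goes through the `quote` filter because `script` hands the command line to
# the remote shell; an unquoted value containing whitespace or shell
# metacharacters would otherwise be re-split or interpreted there (the
# bootstrap task at the end of this file already quotes its arguments the
# same way).
# NOTE(review): assumes each `tls` item carries a `secret_name` key — confirm
# against the role's defaults/vars.
- name: Setup Vault Server on Kubernetes
  ansible.builtin.script: >-
    files/setup.sh
    {{ domain | quote }}
    {{ namespace | quote }}
    {{ item.secret_name | quote }}
    {{ vault_public_access | bool | lower | quote }}
  loop: "{{ tls }}"
  when:
    - vault_deploy_mode == "kubernetes"
    - inventory_hostname in groups.get(group, [])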
# Standalone path (Linux only): packages needed to fetch and unpack the Vault
# release; curl and jq are presumably used by the helper scripts under files/
# (not visible here).
- name: Install standalone Vault dependencies
  ansible.builtin.apt:
    state: present
    update_cache: true
    name:
      - ca-certificates  # TLS trust for the HashiCorp release download
      - curl
      - unzip
      - jq
  when:
    - vault_deploy_mode == "standalone"
    - ansible_os_family != 'Darwin'
# Probe the installed binary (if any) so the download step can be skipped
# when the requested version is already present. The probe never fails the
# play: a missing binary simply produces a non-zero rc, which the download
# condition inspects.
- name: Check standalone Vault binary
  ansible.builtin.command: "{{ vault_binary_path }} version"
  changed_when: false  # read-only probe
  failed_when: false   # "not installed yet" is an expected outcome
  register: vault_binary_check
  when:
    - vault_deploy_mode == "standalone"
    - ansible_os_family != 'Darwin'
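# Standalone path: fetch the release archive, verify it against HashiCorp's
# published SHA256SUMS for that version, then unpack the binary. The previous
# single unarchive-from-URL step installed whatever the download returned
# with no integrity check. Archive names follow HashiCorp's <os>_<arch>
# scheme, so ansible_architecture (x86_64/aarch64) is mapped to amd64/arm64;
# x86_64 hosts get the same file as before.
- name: Fetch and install standalone Vault release
  vars:
    vault_release_archive: "vault_{{ vault_version }}_linux_{{ 'arm64' if ansible_architecture in ['aarch64', 'arm64'] else 'amd64' }}.zip"
  when:
    - vault_deploy_mode == "standalone"
    - ansible_os_family != 'Darwin'
    # Skip when the probe already found the requested version. rc falls back
    # to 1 if the probe produced no rc at all; the version is regex-escaped so
    # the dots in "1.15.0" do not also match "1x15x0".
    - (vault_binary_check.rc | default(1)) != 0 or (vault_binary_check.stdout | default('')) is not search(vault_version | regex_escape)
  block:
    - name: Download standalone Vault release
      ansible.builtin.get_url:
        url: "https://releases.hashicorp.com/vault/{{ vault_version }}/{{ vault_release_archive }}"
        dest: "/usr/local/src/{{ vault_release_archive }}"
        # get_url looks up the destination file name in the checksum file and
        # fails the task on mismatch, before anything reaches /usr/local/bin
        checksum: "sha256:https://releases.hashicorp.com/vault/{{ vault_version }}/vault_{{ vault_version }}_SHA256SUMS"
        mode: "0644"

    - name: Install standalone Vault binary
      ansible.builtin.unarchive:
        src: "/usr/local/src/{{ vault_release_archive }}"
        dest: /usr/local/bin
        remote_src: true
        mode: "0755"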
# Standalone path: config and data directories, root-owned, world-readable.
# NOTE(review): unlike the sibling standalone tasks this one has no Darwin
# guard, so it also runs on macOS hosts where a group literally named "root"
# may not exist — confirm against macos.yml.
- name: Ensure standalone Vault directories exist
  ansible.builtin.file:
    state: directory
    path: "{{ item }}"
    owner: root
    group: root
    mode: "0755"
  loop:
    - "{{ vault_config_dir }}"
    - "{{ vault_data_dir }}"
  when: vault_deploy_mode == "standalone"
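# Standalone path: systemd unit for a `-dev` Vault server. The root token is
# no longer placed on the ExecStart line (visible to every local user in the
# process listing) nor in an Environment= directive (readable through the
# unit's D-Bus properties); it lives in a root-only (0600) EnvironmentFile
# that systemd reads as root. Vault treats VAULT_DEV_ROOT_TOKEN_ID as the
# equivalent of -dev-root-token-id, so the resulting token is unchanged.
# Output of both copies is suppressed because the rendered content carries
# the token.
# NOTE(review): `vault server -dev` keeps state in memory and starts
# unsealed; it is a development server and this unit does not reference
# vault_data_dir — confirm that is the intent for "standalone" deployments.
- name: Deploy standalone Vault systemd unit and token file
  no_log: true  # rendered content contains the root token
  when:
    - vault_deploy_mode == "standalone"
    - ansible_os_family != 'Darwin'
  block:
    - name: Write standalone Vault root token environment file
      ansible.builtin.copy:
        dest: "{{ vault_config_dir }}/{{ vault_service_name }}.env"
        owner: root
        group: root
        mode: "0600"  # only root (and therefore systemd) may read the token
        content: |
          VAULT_DEV_ROOT_TOKEN_ID={{ vault_server_root_access_token }}

    - name: Deploy standalone Vault systemd service
      ansible.builtin.copy:
        dest: "/etc/systemd/system/{{ vault_service_name }}.service"
        owner: root
        group: root
        mode: "0644"  # unit itself no longer embeds any secret
        content: |
          [Unit]
          Description=HashiCorp Vault standalone dev server
          Documentation=https://developer.hashicorp.com/vault/docs
          After=network-online.target
          Wants=network-online.target

          [Service]
          Type=simple
          EnvironmentFile={{ vault_config_dir }}/{{ vault_service_name }}.env
          ExecStart={{ vault_binary_path }} server -dev -dev-listen-address={{ vault_listen_addr }}
          Restart=always
          RestartSec=5
          LimitNOFILE=65536

          [Install]
          WantedBy=multi-user.target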
# Standalone path: reload unit definitions, enable the service and restart it
# so a freshly written unit file takes effect.
# NOTE(review): `state: restarted` bounces Vault on every play run, and a
# `-dev` server keeps its state in memory, so each run presumably starts from
# an empty Vault; a handler notified by the unit-file task would restart only
# when the unit actually changed.
- name: Start standalone Vault service
  ansible.builtin.systemd:
    daemon_reload: true
    name: "{{ vault_service_name }}"
    enabled: true
    state: restarted
  when:
    - vault_deploy_mode == "standalone"
    - ansible_os_family != 'Darwin'
# macOS hosts use a separate task file. import_tasks is static, so this
# condition is attached to every task inside macos.yml rather than gating
# the import itself.
- name: Import macOS specific Vault tasks
  ansible.builtin.import_tasks: macos.yml
  when:
    - ansible_os_family == 'Darwin'
# Standalone path: poll /v1/sys/health until the API answers at all. The
# accepted codes are the health endpoint's documented states (200 active,
# 429 standby, 472 DR secondary, 473 performance standby, 501 uninitialised,
# 503 sealed); connection errors fail the attempt and are retried by
# until/retries, roughly 60 s in total.
# NOTE(review): 501/503 count as "up" here although the bootstrap step below
# needs an unsealed server — a `-dev` server starts unsealed, so that is
# presumably fine; revisit if a non-dev unit is ever deployed.
- name: Wait for standalone Vault API
  ansible.builtin.uri:
    url: "{{ vault_admin_addr }}/v1/sys/health"
    return_content: true
    status_code: [200, 429, 472, 473, 501, 503]
  register: vault_health
  until: vault_health.status in [200, 429, 472, 473, 501, 503]
  retries: 12
  delay: 5
  changed_when: false  # read-only probe
  when: vault_deploy_mode == "standalone"
# Create the admin userpass login via the helper script, authenticating with
# the root token. Every argument is shell-quoted and task output is hidden
# because the command line carries credentials. Skipped in check mode since
# the script mutates Vault, and only run where Vault was actually deployed
# (standalone host, or a member of the Kubernetes group).
# NOTE(review): the password and root token still travel as process
# arguments on the target, so they are briefly visible in its process
# listing; files/init_vault_admin.sh is not in this file — if it can read
# them from the environment instead, pass them via `environment:`.
- name: Bootstrap Vault admin userpass auth
  no_log: true
  ansible.builtin.script: >-
    files/init_vault_admin.sh
    --username {{ vault_admin_username | quote }}
    --password {{ vault_admin_password | quote }}
    --vault-addr {{ vault_admin_addr | quote }}
    --root-token {{ vault_server_root_access_token | quote }}
    --output-dir {{ vault_admin_output_dir | quote }}
    --ui-url {{ vault_admin_ui_url | quote }}
  when:
    - not ansible_check_mode
    - vault_deploy_mode == "standalone" or inventory_hostname in groups.get(group, [])
    - vault_admin_init_enabled | bool