From 6b664761afc1f9838273617f175831610b44c95c Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Aur=C3=A9lien=20Maury?= Date: Wed, 3 Jul 2024 14:48:11 +0200 Subject: [PATCH] doc refactoring --- docs/source/conf.py | 10 +- docs/source/reference/_playbooks.md | 6 +- docs/source/reference/_roles.md | 38 ++--- docs/source/reference/playbooks/_ops_vault.md | 12 ++ docs/source/reference/role_common.md | 20 --- docs/source/reference/role_envoy.md | 8 - docs/source/reference/role_vault_sidecar.md | 3 - .../reference/{ => roles}/role_alloy.md | 9 +- docs/source/reference/roles/role_common.md | 57 +++++++ .../reference/{ => roles}/role_consul.md | 12 +- .../reference/{ => roles}/role_custom_ca.md | 12 +- docs/source/reference/roles/role_envoy.md | 8 + .../reference/{ => roles}/role_grafana.md | 14 +- .../reference/{ => roles}/role_infra.md | 15 +- .../source/reference/{ => roles}/role_loki.md | 4 +- .../reference/{ => roles}/role_nomad.md | 4 +- .../reference/{ => roles}/role_prometheus.md | 4 +- .../reference/{ => roles}/role_stage0.md | 7 +- .../{ => roles}/role_stage0_offline.md | 7 +- .../{ => roles}/role_stage1_bootstrap.md | 2 +- .../reference/{ => roles}/role_stage1_dns.md | 2 +- .../reference/{ => roles}/role_stage1_pip.md | 2 +- .../{ => roles}/role_stage1_rproxy.md | 2 +- .../reference/{ => roles}/role_vault.md | 2 +- .../reference/roles/role_vault_sidecar.md | 9 + playbooks/vault_pki_bootstrap.yml | 17 ++ playbooks/vault_pki_enroll.yml | 0 playbooks/vault_pki_trust_root.yml | 17 ++ roles/alloy/defaults/main.yml | 9 +- roles/common_vars/defaults/main.yml | 8 +- roles/consul/defaults/main.yml | 14 +- roles/custom_ca/defaults/main.yml | 14 +- roles/envoy/defaults/main.yml | 6 +- roles/grafana/defaults/main.yml | 14 +- roles/infra/defaults/main.yml | 4 +- roles/loki/defaults/main.yml | 6 +- roles/nomad/defaults/main.yml | 6 +- roles/prometheus/defaults/main.yml | 6 +- roles/stage0/defaults/main.yml | 9 +- roles/stage0_offline/defaults/main.yml | 7 +- roles/stage1_bootstrap/defaults/main.yml | 2 +- roles/stage1_dns/defaults/main.yml | 2 +- 
roles/stage1_pip/defaults/main.yml | 2 +- roles/stage1_rproxy/defaults/main.yml | 2 +- roles/vault/files/auth_ldap/providers.tf | 2 +- .../files/consul_service_mesh_ca/providers.tf | 2 +- roles/vault/files/nomad/providers.tf | 2 +- roles/vault/files/pki/main.tf | 154 ++++++++++++++++++ roles/vault/files/pki/output.tf | 13 ++ roles/vault/files/pki/policies/pki.tpl | 28 ++++ roles/vault/files/pki/providers.tf | 10 ++ roles/vault/files/pki/variables.tf | 8 + roles/vault/files/telemetry/providers.tf | 2 +- roles/vault/tasks/__bootstrap_pki.yml | 81 +++++++++ roles/vault/tasks/__trust_pki_root.yml | 35 ++++ .../vault/templates/_addon_pki_output.yml.j2 | 10 ++ roles/vault_sidecar/defaults/main.yml | 6 + roles/vault_vars/defaults/main.yml | 2 +- roles/vault_vars/vars/main.yml | 5 +- 59 files changed, 594 insertions(+), 180 deletions(-) create mode 100644 docs/source/reference/playbooks/_ops_vault.md delete mode 100644 docs/source/reference/role_common.md delete mode 100644 docs/source/reference/role_envoy.md delete mode 100644 docs/source/reference/role_vault_sidecar.md rename docs/source/reference/{ => roles}/role_alloy.md (53%) create mode 100644 docs/source/reference/roles/role_common.md rename docs/source/reference/{ => roles}/role_consul.md (90%) rename docs/source/reference/{ => roles}/role_custom_ca.md (92%) create mode 100644 docs/source/reference/roles/role_envoy.md rename docs/source/reference/{ => roles}/role_grafana.md (50%) rename docs/source/reference/{ => roles}/role_infra.md (80%) rename docs/source/reference/{ => roles}/role_loki.md (89%) rename docs/source/reference/{ => roles}/role_nomad.md (97%) rename docs/source/reference/{ => roles}/role_prometheus.md (62%) rename docs/source/reference/{ => roles}/role_stage0.md (79%) rename docs/source/reference/{ => roles}/role_stage0_offline.md (68%) rename docs/source/reference/{ => roles}/role_stage1_bootstrap.md (86%) rename docs/source/reference/{ => roles}/role_stage1_dns.md (58%) rename 
docs/source/reference/{ => roles}/role_stage1_pip.md (79%) rename docs/source/reference/{ => roles}/role_stage1_rproxy.md (63%) rename docs/source/reference/{ => roles}/role_vault.md (99%) create mode 100644 docs/source/reference/roles/role_vault_sidecar.md create mode 100644 playbooks/vault_pki_bootstrap.yml create mode 100644 playbooks/vault_pki_enroll.yml create mode 100644 playbooks/vault_pki_trust_root.yml create mode 100644 roles/vault/files/pki/main.tf create mode 100644 roles/vault/files/pki/output.tf create mode 100644 roles/vault/files/pki/policies/pki.tpl create mode 100644 roles/vault/files/pki/providers.tf create mode 100644 roles/vault/files/pki/variables.tf create mode 100644 roles/vault/tasks/__bootstrap_pki.yml create mode 100644 roles/vault/tasks/__trust_pki_root.yml create mode 100644 roles/vault/templates/_addon_pki_output.yml.j2 diff --git a/docs/source/conf.py b/docs/source/conf.py index 0ae5d60e..171089f5 100644 --- a/docs/source/conf.py +++ b/docs/source/conf.py @@ -60,9 +60,15 @@ # import os, sys, yaml2md -ignore_role_list = ['cloudalchemy.grafana', 'cloudalchemy.node_exporter', 'cloudalchemy.prometheus', 'vault'] +ignore_role_list = [ + 'cloudalchemy.grafana', + 'cloudalchemy.node_exporter', + 'cloudalchemy.prometheus', + 'wescale.hashistack.common_vars', + 'vault' +] roles_src_path = "../../roles" -roles_doc_path = "reference/role" +roles_doc_path = "reference/roles/role" for element in os.listdir(roles_src_path): if not os.path.isdir(roles_src_path + "/" + element + "/defaults") or element in ignore_role_list: diff --git a/docs/source/reference/_playbooks.md b/docs/source/reference/_playbooks.md index 5982b5b6..943963d1 100644 --- a/docs/source/reference/_playbooks.md +++ b/docs/source/reference/_playbooks.md 
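Review bot: The new ignore entry `'wescale.hashistack.common_vars'` does not look like it can match anything, because `element` comes from `os.listdir(roles_src_path)` and is a bare directory name; the diffstat shows the role living at `roles/common_vars/`, so the loop sees `common_vars`, and the role would still be auto-generated beside the hand-written `reference/roles/role_common.md` this commit adds (unless a later rewrite of names, outside the hunk, handles it). The other entries such as `'vault'` are bare names, so `'common_vars'` would be the consistent form. The `for element in os.listdir(roles_src_path):` loop continues past the hunk; its `isdir` test would read better as `os.path.join(roles_src_path, element, "defaults")`, but that line is pre-existing.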
@@ -4,11 +4,7 @@ :maxdepth: 1 playbooks/init playbooks/observability -playbooks/vault_pt_manage -playbooks/vault_dr_secondary -playbooks/vault_kv_get -playbooks/vault_kv_put -playbooks/vault_tf_policies_samples +playbooks/_ops_vault ``` diff --git a/docs/source/reference/_roles.md b/docs/source/reference/_roles.md index 762d67ac..5d0efe22 100644 --- a/docs/source/reference/_roles.md +++ b/docs/source/reference/_roles.md @@ -1,25 +1,25 @@ -# Ansible roles +# Roles ```{toctree} :maxdepth: 1 -role_infra.md -role_vault.md -role_consul.md -role_nomad.md -role_envoy.md -role_alloy.md -role_loki.md -role_prometheus.md -role_grafana.md -role_prometheus.md -role_loki.md -role_custom_ca.md -role_stage0.md -role_stage0_offline.md -role_stage1_bootstrap.md -role_stage1_dns.md -role_stage1_rproxy.md -role_stage1_pip.md +roles/role_infra.md +roles/role_vault.md +roles/role_consul.md +roles/role_nomad.md +roles/role_envoy.md +roles/role_alloy.md +roles/role_loki.md +roles/role_prometheus.md +roles/role_grafana.md +roles/role_prometheus.md +roles/role_loki.md +roles/role_custom_ca.md +roles/role_stage0.md +roles/role_stage0_offline.md +roles/role_stage1_bootstrap.md +roles/role_stage1_dns.md +roles/role_stage1_rproxy.md +roles/role_stage1_pip.md ``` diff --git a/docs/source/reference/playbooks/_ops_vault.md b/docs/source/reference/playbooks/_ops_vault.md new file mode 100644 index 00000000..403c7b2c --- /dev/null +++ b/docs/source/reference/playbooks/_ops_vault.md @@ -0,0 +1,12 @@ +# Vault operations + +```{toctree} +:maxdepth: 1 + +vault_dr_secondary +vault_kv_get +vault_kv_put +vault_pt_manage +vault_tf_policies_samples +``` + diff --git a/docs/source/reference/role_common.md b/docs/source/reference/role_common.md deleted file mode 100644 index 45387ab9..00000000 --- a/docs/source/reference/role_common.md +++ /dev/null 
@@ -1,20 +0,0 @@ -``` -tf_action: apply - -hs_public_domain: >- - {{ hs_workspace | regex_replace('_', '-') }}.{{ hs_parent_domain }} - -``` -ID of the vault node. MUST be different for every node in the cluster. -``` -hs_node_id: >- - {{ inventory_hostname | regex_replace('_', '-') }} - -``` -* FQDN of the node on the network. MUST be different for every node in the cluster. MUST -be solvable by any of the other nodes in the cluster. - -``` -hs_node_fqdn: >- - {{ hs_node_id }}.{{ hs_public_domain }} - diff --git a/docs/source/reference/role_envoy.md b/docs/source/reference/role_envoy.md deleted file mode 100644 index d2bf5903..00000000 --- a/docs/source/reference/role_envoy.md +++ /dev/null @@ -1,8 +0,0 @@ - -```{include} ../../../roles/envoy/README.md -``` - -## Defaults - -``` -envoy_version: "1.27.2" diff --git a/docs/source/reference/role_vault_sidecar.md b/docs/source/reference/role_vault_sidecar.md deleted file mode 100644 index 1108605e..00000000 --- a/docs/source/reference/role_vault_sidecar.md +++ /dev/null @@ -1,3 +0,0 @@ -``` -hs_consul_https_address: "0.0.0.0" -hs_consul_api_port: "8501" diff --git a/docs/source/reference/role_alloy.md b/docs/source/reference/roles/role_alloy.md similarity index 53% rename from docs/source/reference/role_alloy.md rename to docs/source/reference/roles/role_alloy.md index 3908b2a5..444be738 100644 --- a/docs/source/reference/role_alloy.md +++ b/docs/source/reference/roles/role_alloy.md @@ -1,16 +1,15 @@ -```{include} ../../../roles/alloy/README.md +```{include} ../../../../roles/alloy/README.md ``` -## Defaults +## Role defaults - -Loki endpoint to forward metrics to. +* Loki endpoint to forward metrics to. ``` hs_alloy_loki_write_url: "http://grafana.{{ hs_public_domain }}:3100" ``` -Prometheus endpoint to forward metrics to. +* Prometheus endpoint to forward metrics to. ``` hs_alloy_prometheus_write_url: "http://grafana.{{ hs_public_domain }}:9090" 
diff --git a/docs/source/reference/roles/role_common.md b/docs/source/reference/roles/role_common.md new file mode 100644 index 00000000..a2133666 --- /dev/null +++ b/docs/source/reference/roles/role_common.md 
@@ -0,0 +1,57 @@ + +```{include} ../../../../roles/common_vars/README.md +``` + +## Role defaults + +``` +tf_action: apply + +hs_public_domain: >- + {{ hs_workspace | regex_replace('_', '-') }}.{{ hs_parent_domain }} + +``` +* ID of the vault node. MUST be different for every node in the cluster. +``` +hs_node_id: >- + {{ inventory_hostname | regex_replace('_', '-') }} + +``` +* FQDN of the node on the network. MUST be different for every node in the cluster. MUST +be solvable by any of the other nodes in the cluster. + +``` +hs_node_fqdn: >- + {{ hs_node_id }}.{{ hs_public_domain }} + +collection_root: "{{ (playbook_dir + '/../') | realpath }}" +collection_tf_modules_dir: "{{ collection_root }}/terraform" + +hs_workspace_root: "{{ lookup('env', 'PWD') }}" +hs_workspace_group_vars_root_dir: "{{ hs_workspace_root }}/group_vars" +hs_workspace_host_vars_dir: "{{ hs_workspace_root }}/host_vars" +hs_workspace_group_vars_dir: "{{ hs_workspace_root }}/group_vars/hashistack" +hs_workspace_group_vars_dir_relative_dir: "./group_vars/hashistack" +hs_workspace_sre_group_vars_dir: "{{ hs_workspace_root }}/group_vars/hashistack_sre" +hs_workspace_tf_modules_dir: "{{ hs_workspace_root }}/terraform" +hs_workspace_secrets_dir: "{{ hs_workspace_group_vars_dir }}/secrets" +hs_workspace_secrets_dir_relative_dir: "{{ hs_workspace_group_vars_dir_relative_dir }}/secrets" +hs_workspace_ssh_private_key_file: "{{ hs_workspace_secrets_dir }}/default.key" +hs_workspace_ssh_private_key_file_relative_path: "{{ hs_workspace_secrets_dir_relative_dir }}/default.key" +hs_workspace_ssh_public_key_file: "{{ hs_workspace_ssh_private_key_file }}.pub" +hs_workspace_ssh_public_key_file_relative_path: "{{ hs_workspace_ssh_private_key_file_relative_path }}.pub" + +hs_workspace_group: "hashistack" +hs_workspace_cluster_group: "hashistack_cluster" +hs_workspace_masters_group: "hashistack_masters" +hs_workspace_minions_group: "hashistack_minions" + +host_vars_dir: "{{ hs_workspace_host_vars_dir }}/{{ 
inventory_hostname }}" +host_secrets_dir: "{{ host_vars_dir }}/secrets" + +tf_module_src: "{{ collection_tf_modules_dir }}/{{ tf_module_name }}/" +tf_module_dest: "{{ hs_workspace_tf_modules_dir }}/{{ tf_module_name }}" + +glxclans_host_service_user_name: "caretaker" + +hs_install_vault_sidecar: true diff --git a/docs/source/reference/role_consul.md b/docs/source/reference/roles/role_consul.md similarity index 90% rename from docs/source/reference/role_consul.md rename to docs/source/reference/roles/role_consul.md index 7123692e..62aa4502 100644 --- a/docs/source/reference/role_consul.md +++ b/docs/source/reference/roles/role_consul.md @@ -1,18 +1,16 @@ -```{include} ../../../roles/consul/README.md +```{include} ../../../../roles/consul/README.md ``` -## Defaults +## Role defaults -* Version of the consul package to install. -* Used to determine which archive to install according to the suffix like -[in the official release repository](https://releases.hashicorp.com/consul/). For example, +* Version of the consul package to install. Used to determine which archive to +install according to the suffix like [in the official release repository](https://releases.hashicorp.com/consul/). For example, valid values are: '1.16.4', '1.17.0+ent', '1.17.2+ent.fips1402', etc. - ``` hs_consul_version: "1.17.2" -``` +``` ### Local paths * Path to local directory containing secrets to be uploaded to nodes. diff --git a/docs/source/reference/role_custom_ca.md b/docs/source/reference/roles/role_custom_ca.md similarity index 92% rename from docs/source/reference/role_custom_ca.md rename to docs/source/reference/roles/role_custom_ca.md index 7f5d0632..64c31b46 100644 --- a/docs/source/reference/role_custom_ca.md +++ b/docs/source/reference/roles/role_custom_ca.md 
@@ -1,29 +1,25 @@ -```{include} ../../../roles/custom_ca/README.md +```{include} ../../../../roles/custom_ca/README.md ``` ## Role defaults * Local path where the ca certificate should be generated. - ``` hs_custom_ca_certificate: "{{ hs_workspace_secrets_dir }}/ca.cert.pem" -``` +``` * Local path where each node private key should be generated. - ``` hs_custom_ca_host_private_key: "{{ hs_workspace_secrets_dir }}/self.cert.key" -``` +``` * Local path where each node certificate should be generated. - ``` hs_custom_ca_host_certificate: "{{ hs_workspace_secrets_dir }}/self.cert.pem" -``` +``` * Local path where each node fullchain certificate should be generated. - ``` hs_custom_ca_host_fullchain_certificate: "{{ hs_workspace_secrets_dir }}/self.fullchain.cert.pem" diff --git a/docs/source/reference/roles/role_envoy.md b/docs/source/reference/roles/role_envoy.md new file mode 100644 index 00000000..dbc1987d --- /dev/null +++ b/docs/source/reference/roles/role_envoy.md @@ -0,0 +1,8 @@ + +```{include} ../../../../roles/envoy/README.md +``` + +## Role defaults + +``` +envoy_version: "1.27.2" diff --git a/docs/source/reference/role_grafana.md b/docs/source/reference/roles/role_grafana.md similarity index 50% rename from docs/source/reference/role_grafana.md rename to docs/source/reference/roles/role_grafana.md index a7e6850b..85771ab9 100644 --- a/docs/source/reference/role_grafana.md +++ b/docs/source/reference/roles/role_grafana.md 
@@ -1,31 +1,31 @@ -```{include} ../../../roles/grafana/README.md +```{include} ../../../../roles/grafana/README.md ``` -## defaults/main.yml +## Role defaults -Grafana API endpoint exposure. Will be used from ansible controller to configure +* Grafana API endpoint exposure. Will be used from ansible controller to configure via API. ``` hs_grafana_url: "https://{{ grafana_public_cluster_address }}" ``` -Enable/disable usage of custom CA file for Grafana API certificate validation. +* Enable/disable usage of custom CA file for Grafana API certificate validation. ``` hs_grafana_use_custom_ca: false ``` -Ansible controler path to custom CA file for API certificate validation. +* Ansible controler path to custom CA file for API certificate validation. ``` hs_grafana_custom_ca_cert: "{{ hs_workspace_secrets_dir }}/ca.cert.pem" ``` -Expected Grafana version to install. +* Expected Grafana version to install. ``` hs_grafana_version: "10.2.1" ``` -Ansible controler directory path where the role should +* Ansible controler directory path where the role should copy terraform modules for configuration. ``` hs_grafana_tf_work_dir: >- diff --git a/docs/source/reference/role_infra.md b/docs/source/reference/roles/role_infra.md similarity index 80% rename from docs/source/reference/role_infra.md rename to docs/source/reference/roles/role_infra.md index 46f3d8fc..b2f7ddc8 100644 --- a/docs/source/reference/role_infra.md +++ b/docs/source/reference/roles/role_infra.md 
@@ -1,29 +1,32 @@ -```{include} ../../../roles/infra/README.md +```{include} ../../../../roles/infra/README.md ``` ## Role defaults -Name of the hashistack instance. +* Name of the hashistack instance. ``` hs_infra_workspace: "{{ hs_workspace }}" ``` -The only provider supported so far is the default. +* The only provider supported so far is the default. ``` hs_infra_flavor: "scw_one" ``` -Directory in which the role will copy its terraform module sources. +* Directory in which the role will copy its terraform module sources. ``` hs_infra_tf_modules_dir: "{{ hs_workspace_tf_modules_dir }}" +``` +* Local directory for secrets storage +``` +hs_infra_local_secrets_dir: "{{ hs_workspace_secrets_dir }}" + ``` ## Terraform variables -Atomic configuration variables for all flavors. ``` hs_infra_private_key_file: "{{ hs_workspace_ssh_private_key_file }}" -hs_infra_local_secrets_dir: "{{ hs_workspace_secrets_dir }}" hs_infra_local_hs_group_vars_dir: "{{ hs_workspace_group_vars_dir }}" hs_infra_local_hs_sre_group_vars_dir: "{{ hs_workspace_sre_group_vars_dir }}" hs_infra_local_expected_dirs: diff --git a/docs/source/reference/role_loki.md b/docs/source/reference/roles/role_loki.md similarity index 89% rename from docs/source/reference/role_loki.md rename to docs/source/reference/roles/role_loki.md index ffc1a25e..89d99f05 100644 --- a/docs/source/reference/role_loki.md +++ b/docs/source/reference/roles/role_loki.md @@ -1,8 +1,8 @@ -```{include} ../../../roles/loki/README.md +```{include} ../../../../roles/loki/README.md ``` -## Defaults +## Role defaults ``` loki_cluster_address: localhost diff --git a/docs/source/reference/role_nomad.md b/docs/source/reference/roles/role_nomad.md similarity index 97% rename from docs/source/reference/role_nomad.md rename to docs/source/reference/roles/role_nomad.md index d864fc32..c84c82ad 100644 --- a/docs/source/reference/role_nomad.md +++ b/docs/source/reference/roles/role_nomad.md 
@@ -1,8 +1,8 @@ -```{include} ../../../roles/nomad/README.md +```{include} ../../../../roles/nomad/README.md ``` -## Defaults +## Role defaults ``` hs_nomad_datacenter_name: "{{ hs_workspace }}" diff --git a/docs/source/reference/role_prometheus.md b/docs/source/reference/roles/role_prometheus.md similarity index 62% rename from docs/source/reference/role_prometheus.md rename to docs/source/reference/roles/role_prometheus.md index ef66dda6..b782779b 100644 --- a/docs/source/reference/role_prometheus.md +++ b/docs/source/reference/roles/role_prometheus.md @@ -1,8 +1,8 @@ -```{include} ../../../roles/prometheus/README.md +```{include} ../../../../roles/prometheus/README.md ``` -## Defaults +## Role defaults ``` hs_prometheus_scrape_configs: [] diff --git a/docs/source/reference/role_stage0.md b/docs/source/reference/roles/role_stage0.md similarity index 79% rename from docs/source/reference/role_stage0.md rename to docs/source/reference/roles/role_stage0.md index d0a8f4de..eaeef75c 100644 --- a/docs/source/reference/role_stage0.md +++ b/docs/source/reference/roles/role_stage0.md @@ -1,12 +1,7 @@ -```{include} ../../../roles/stage0/README.md +```{include} ../../../../roles/stage0/README.md ``` -## External variables dependencies - -* `hs_workspace_root` defined in `{{ playbook_dir }}/group_vars/all.yml` -* `tf_action` defined in `{{ playbook_dir }}/group_vars/all.yml` - ## Role defaults Name of the hashistack instance. Defaults to a variable: diff --git a/docs/source/reference/role_stage0_offline.md b/docs/source/reference/roles/role_stage0_offline.md similarity index 68% rename from docs/source/reference/role_stage0_offline.md rename to docs/source/reference/roles/role_stage0_offline.md index 1e9ff85c..05edfdae 100644 --- a/docs/source/reference/role_stage0_offline.md +++ b/docs/source/reference/roles/role_stage0_offline.md 
@@ -1,12 +1,7 @@ -```{include} ../../../roles/stage0_offline/README.md +```{include} ../../../../roles/stage0_offline/README.md ``` -## External variables dependencies - -* `hs_workspace_root` defined in `{{ playbook_dir }}/group_vars/all.yml` -* `tf_action` defined in `{{ playbook_dir }}/group_vars/all.yml` - ## Role defaults Name of the hashistack instance. Defaults to a variable: diff --git a/docs/source/reference/role_stage1_bootstrap.md b/docs/source/reference/roles/role_stage1_bootstrap.md similarity index 86% rename from docs/source/reference/role_stage1_bootstrap.md rename to docs/source/reference/roles/role_stage1_bootstrap.md index a06ef76f..034399bd 100644 --- a/docs/source/reference/role_stage1_bootstrap.md +++ b/docs/source/reference/roles/role_stage1_bootstrap.md @@ -1,5 +1,5 @@ -```{include} ../../../roles/stage1_bootstrap/README.md +```{include} ../../../../roles/stage1_bootstrap/README.md ``` ## Role defaults diff --git a/docs/source/reference/role_stage1_dns.md b/docs/source/reference/roles/role_stage1_dns.md similarity index 58% rename from docs/source/reference/role_stage1_dns.md rename to docs/source/reference/roles/role_stage1_dns.md index 6bdbe9a3..356192b9 100644 --- a/docs/source/reference/role_stage1_dns.md +++ b/docs/source/reference/roles/role_stage1_dns.md @@ -1,5 +1,5 @@ -```{include} ../../../roles/stage1_dns/README.md +```{include} ../../../../roles/stage1_dns/README.md ``` ## Role defaults diff --git a/docs/source/reference/role_stage1_pip.md b/docs/source/reference/roles/role_stage1_pip.md similarity index 79% rename from docs/source/reference/role_stage1_pip.md rename to docs/source/reference/roles/role_stage1_pip.md index 4a138f98..08e7925f 100644 --- a/docs/source/reference/role_stage1_pip.md +++ b/docs/source/reference/roles/role_stage1_pip.md @@ -1,5 +1,5 @@ -```{include} ../../../roles/stage1_pip/README.md +```{include} ../../../../roles/stage1_pip/README.md ``` ## Role defaults 
diff --git a/docs/source/reference/role_stage1_rproxy.md b/docs/source/reference/roles/role_stage1_rproxy.md similarity index 63% rename from docs/source/reference/role_stage1_rproxy.md rename to docs/source/reference/roles/role_stage1_rproxy.md index 66c35906..d92f10c8 100644 --- a/docs/source/reference/role_stage1_rproxy.md +++ b/docs/source/reference/roles/role_stage1_rproxy.md @@ -1,5 +1,5 @@ -```{include} ../../../roles/stage1_rproxy/README.md +```{include} ../../../../roles/stage1_rproxy/README.md ``` ## Role defaults diff --git a/docs/source/reference/role_vault.md b/docs/source/reference/roles/role_vault.md similarity index 99% rename from docs/source/reference/role_vault.md rename to docs/source/reference/roles/role_vault.md index f1fc8cb5..d68e7d67 100644 --- a/docs/source/reference/role_vault.md +++ b/docs/source/reference/roles/role_vault.md @@ -1,5 +1,5 @@ -```{include} ../../../roles/vault/README.md +```{include} ../../../../roles/vault/README.md ``` ## Role defaults diff --git a/docs/source/reference/roles/role_vault_sidecar.md b/docs/source/reference/roles/role_vault_sidecar.md new file mode 100644 index 00000000..eb983a8d --- /dev/null +++ b/docs/source/reference/roles/role_vault_sidecar.md @@ -0,0 +1,9 @@ + +```{include} ../../../../roles/vault_sidecar/README.md +``` + +## Role defaults + +``` +hs_consul_https_address: "0.0.0.0" +hs_consul_api_port: "8501" diff --git a/playbooks/vault_pki_bootstrap.yml b/playbooks/vault_pki_bootstrap.yml new file mode 100644 index 00000000..09a3b4c1 --- /dev/null +++ b/playbooks/vault_pki_bootstrap.yml @@ -0,0 +1,17 @@ +--- +- name: "[VAULT] Bootstrap pki engine" + hosts: hashistack + become: true + gather_facts: true + + tasks: + - name: "Vault" + include_role: + name: "vault" + tasks_from: "__bootstrap_pki.yml" + apply: + tags: + - vault + tags: + - vault + diff --git a/playbooks/vault_pki_enroll.yml b/playbooks/vault_pki_enroll.yml new file mode 100644 index 00000000..e69de29b 
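Review bot: The play targets every host in `hashistack` with `become: true` and `gather_facts: true` only to include `__bootstrap_pki.yml`, whose contents are outside this hunk; the diffstat pairs it with Terraform under `roles/vault/files/pki/`, so if the task file only drives the Vault API, root on every node is more privilege than a PKI bootstrap needs — confirm escalation is required, and consider `run_once: true` if the bootstrap should happen once per cluster rather than once per host. `playbooks/vault_pki_trust_root.yml` in the next hunk has the same shape; by its name it installs the root into the host trust store, where escalation is plausible, so the question applies mainly here. `playbooks/vault_pki_enroll.yml` is committed as an empty file (blob `e69de29b`, no hunk), which `ansible-playbook` will reject as an empty playbook; either give it content or leave it out of this commit. Style: the collection-qualified `ansible.builtin.include_role:` avoids the short-name resolution warning.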
diff --git a/playbooks/vault_pki_trust_root.yml b/playbooks/vault_pki_trust_root.yml new file mode 100644 index 00000000..302b29c2 --- /dev/null +++ b/playbooks/vault_pki_trust_root.yml @@ -0,0 +1,17 @@ +--- +- name: "[VAULT] Trust pki root" + hosts: hashistack + become: true + gather_facts: true + + tasks: + - name: "Vault" + include_role: + name: "vault" + tasks_from: "__trust_pki_root.yml" + apply: + tags: + - vault + tags: + - vault + diff --git a/roles/alloy/defaults/main.yml b/roles/alloy/defaults/main.yml index 2489b829..f7e1b0c0 100644 --- a/roles/alloy/defaults/main.yml +++ b/roles/alloy/defaults/main.yml @@ -1,14 +1,13 @@ --- # -# ```{include} ../../../roles/alloy/README.md +# ```{include} ../../../../roles/alloy/README.md # ``` # -# ## Defaults -# +# ## Role defaults -# Loki endpoint to forward metrics to. +# * Loki endpoint to forward metrics to. hs_alloy_loki_write_url: "http://grafana.{{ hs_public_domain }}:3100" -# Prometheus endpoint to forward metrics to. +# * Prometheus endpoint to forward metrics to. hs_alloy_prometheus_write_url: "http://grafana.{{ hs_public_domain }}:9090" diff --git a/roles/common_vars/defaults/main.yml b/roles/common_vars/defaults/main.yml index 6bdab67d..4dd65f55 100644 --- a/roles/common_vars/defaults/main.yml +++ b/roles/common_vars/defaults/main.yml @@ -1,10 +1,16 @@ --- +# +# ```{include} ../../../../roles/common_vars/README.md +# ``` +# +# ## Role defaults + tf_action: apply hs_public_domain: >- {{ hs_workspace | regex_replace('_', '-') }}.{{ hs_parent_domain }} -# ID of the vault node. MUST be different for every node in the cluster. +# * ID of the vault node. MUST be different for every node in the cluster. hs_node_id: >- {{ inventory_hostname | regex_replace('_', '-') }} diff --git a/roles/consul/defaults/main.yml b/roles/consul/defaults/main.yml index 00ea63a3..76d45ac0 100644 --- a/roles/consul/defaults/main.yml +++ b/roles/consul/defaults/main.yml 
@@ -1,17 +1,15 @@ --- # -# ```{include} ../../../roles/consul/README.md +# ```{include} ../../../../roles/consul/README.md # ``` # -# ## Defaults -# -# * Version of the consul package to install. -# * Used to determine which archive to install according to the suffix like -# [in the official release repository](https://releases.hashicorp.com/consul/). For example, +# ## Role defaults + +# * Version of the consul package to install. Used to determine which archive to +# install according to the suffix like [in the official release repository](https://releases.hashicorp.com/consul/). For example, # valid values are: '1.16.4', '1.17.0+ent', '1.17.2+ent.fips1402', etc. -# hs_consul_version: "1.17.2" -# + # ### Local paths # # * Path to local directory containing secrets to be uploaded to nodes. diff --git a/roles/custom_ca/defaults/main.yml b/roles/custom_ca/defaults/main.yml index aec8c625..f9f17aab 100644 --- a/roles/custom_ca/defaults/main.yml +++ b/roles/custom_ca/defaults/main.yml @@ -1,23 +1,19 @@ --- # -# ```{include} ../../../roles/custom_ca/README.md +# ```{include} ../../../../roles/custom_ca/README.md # ``` # # ## Role defaults -# + # * Local path where the ca certificate should be generated. -# hs_custom_ca_certificate: "{{ hs_workspace_secrets_dir }}/ca.cert.pem" -# + # * Local path where each node private key should be generated. -# hs_custom_ca_host_private_key: "{{ hs_workspace_secrets_dir }}/self.cert.key" -# + # * Local path where each node certificate should be generated. -# hs_custom_ca_host_certificate: "{{ hs_workspace_secrets_dir }}/self.cert.pem" -# + # * Local path where each node fullchain certificate should be generated. -# hs_custom_ca_host_fullchain_certificate: "{{ hs_workspace_secrets_dir }}/self.fullchain.cert.pem" diff --git a/roles/envoy/defaults/main.yml b/roles/envoy/defaults/main.yml index 5ee7b6b6..10945d93 100644 --- a/roles/envoy/defaults/main.yml +++ b/roles/envoy/defaults/main.yml 
@@ -1,8 +1,8 @@ --- # -# ```{include} ../../../roles/envoy/README.md +# ```{include} ../../../../roles/envoy/README.md # ``` # -# ## Defaults -# +# ## Role defaults + envoy_version: "1.27.2" diff --git a/roles/grafana/defaults/main.yml b/roles/grafana/defaults/main.yml index 2bf3693c..51e5c432 100644 --- a/roles/grafana/defaults/main.yml +++ b/roles/grafana/defaults/main.yml @@ -1,24 +1,24 @@ --- # -# ```{include} ../../../roles/grafana/README.md +# ```{include} ../../../../roles/grafana/README.md # ``` # -# ## defaults/main.yml +# ## Role defaults -# Grafana API endpoint exposure. Will be used from ansible controller to configure +# * Grafana API endpoint exposure. Will be used from ansible controller to configure # via API. hs_grafana_url: "https://{{ grafana_public_cluster_address }}" -# Enable/disable usage of custom CA file for Grafana API certificate validation. +# * Enable/disable usage of custom CA file for Grafana API certificate validation. hs_grafana_use_custom_ca: false -# Ansible controler path to custom CA file for API certificate validation. +# * Ansible controler path to custom CA file for API certificate validation. hs_grafana_custom_ca_cert: "{{ hs_workspace_secrets_dir }}/ca.cert.pem" -# Expected Grafana version to install. +# * Expected Grafana version to install. hs_grafana_version: "10.2.1" -# Ansible controler directory path where the role should +# * Ansible controler directory path where the role should # copy terraform modules for configuration. hs_grafana_tf_work_dir: >- {{ diff --git a/roles/infra/defaults/main.yml b/roles/infra/defaults/main.yml index 92c82269..fe10bcd2 100644 --- a/roles/infra/defaults/main.yml +++ b/roles/infra/defaults/main.yml @@ -1,7 +1,7 @@ --- -# ```{include} ../../../roles/infra/README.md +# ```{include} ../../../../roles/infra/README.md # ``` - +# # ## Role defaults # * Name of the hashistack instance. diff --git a/roles/loki/defaults/main.yml b/roles/loki/defaults/main.yml index 607d2ba3..522e326c 100644 
--- a/roles/loki/defaults/main.yml +++ b/roles/loki/defaults/main.yml @@ -1,10 +1,10 @@ --- # -# ```{include} ../../../roles/loki/README.md +# ```{include} ../../../../roles/loki/README.md # ``` # -# ## Defaults -# +# ## Role defaults + loki_cluster_address: localhost loki_url: 'http://{{ loki_cluster_address }}:3100' loki_config_file: 'loki_config.yml.j2' diff --git a/roles/nomad/defaults/main.yml b/roles/nomad/defaults/main.yml index dfc2f3c8..2730128e 100644 --- a/roles/nomad/defaults/main.yml +++ b/roles/nomad/defaults/main.yml @@ -1,10 +1,10 @@ --- # -# ```{include} ../../../roles/nomad/README.md +# ```{include} ../../../../roles/nomad/README.md # ``` # -# ## Defaults -# +# ## Role defaults + hs_nomad_datacenter_name: "{{ hs_workspace }}" hs_nomad_version: "1.4.7-1" diff --git a/roles/prometheus/defaults/main.yml b/roles/prometheus/defaults/main.yml index 45bcc8a4..fda9da34 100644 --- a/roles/prometheus/defaults/main.yml +++ b/roles/prometheus/defaults/main.yml @@ -1,10 +1,10 @@ --- # -# ```{include} ../../../roles/prometheus/README.md +# ```{include} ../../../../roles/prometheus/README.md # ``` # -# ## Defaults -# +# ## Role defaults + hs_prometheus_scrape_configs: [] hs_prometheus_cli_args: >- diff --git a/roles/stage0/defaults/main.yml b/roles/stage0/defaults/main.yml index 2e65ea47..3798eebc 100644 --- a/roles/stage0/defaults/main.yml +++ b/roles/stage0/defaults/main.yml @@ -1,15 +1,10 @@ --- # -# ```{include} ../../../roles/stage0/README.md +# ```{include} ../../../../roles/stage0/README.md # ``` # -# ## External variables dependencies -# -# * `hs_workspace_root` defined in `{{ playbook_dir }}/group_vars/all.yml` -# * `tf_action` defined in `{{ playbook_dir }}/group_vars/all.yml` -# # ## Role defaults -# + # Name of the hashistack instance. Defaults to a variable: # * defined in: `{{ instance_dir }}/group_vars/hashistack/main.yml` # * generated by the playbook: `init.yml` 
diff --git a/roles/stage0_offline/defaults/main.yml b/roles/stage0_offline/defaults/main.yml index df8da6c8..602f4088 100644 --- a/roles/stage0_offline/defaults/main.yml +++ b/roles/stage0_offline/defaults/main.yml @@ -1,13 +1,8 @@ --- # -# ```{include} ../../../roles/stage0_offline/README.md +# ```{include} ../../../../roles/stage0_offline/README.md # ``` # -# ## External variables dependencies -# -# * `hs_workspace_root` defined in `{{ playbook_dir }}/group_vars/all.yml` -# * `tf_action` defined in `{{ playbook_dir }}/group_vars/all.yml` -# # ## Role defaults # # Name of the hashistack instance. Defaults to a variable: diff --git a/roles/stage1_bootstrap/defaults/main.yml b/roles/stage1_bootstrap/defaults/main.yml index 4d76a4e0..d076b41e 100644 --- a/roles/stage1_bootstrap/defaults/main.yml +++ b/roles/stage1_bootstrap/defaults/main.yml @@ -1,6 +1,6 @@ --- # -# ```{include} ../../../roles/stage1_bootstrap/README.md +# ```{include} ../../../../roles/stage1_bootstrap/README.md # ``` # # ## Role defaults diff --git a/roles/stage1_dns/defaults/main.yml b/roles/stage1_dns/defaults/main.yml index 892c738d..f8e94a6c 100644 --- a/roles/stage1_dns/defaults/main.yml +++ b/roles/stage1_dns/defaults/main.yml @@ -1,6 +1,6 @@ --- # -# ```{include} ../../../roles/stage1_dns/README.md +# ```{include} ../../../../roles/stage1_dns/README.md # ``` # # ## Role defaults diff --git a/roles/stage1_pip/defaults/main.yml b/roles/stage1_pip/defaults/main.yml index af1a62c7..772f7ea0 100644 --- a/roles/stage1_pip/defaults/main.yml +++ b/roles/stage1_pip/defaults/main.yml @@ -1,6 +1,6 @@ --- # -# ```{include} ../../../roles/stage1_pip/README.md +# ```{include} ../../../../roles/stage1_pip/README.md # ``` # # ## Role defaults diff --git a/roles/stage1_rproxy/defaults/main.yml b/roles/stage1_rproxy/defaults/main.yml index f5b8adc3..6657f353 100644 --- a/roles/stage1_rproxy/defaults/main.yml +++ b/roles/stage1_rproxy/defaults/main.yml 
@@ -1,6 +1,6 @@ --- # -# ```{include} ../../../roles/stage1_rproxy/README.md +# ```{include} ../../../../roles/stage1_rproxy/README.md # ``` # # ## Role defaults diff --git a/roles/vault/files/auth_ldap/providers.tf b/roles/vault/files/auth_ldap/providers.tf index 7bc158d0..e267761b 100644 --- a/roles/vault/files/auth_ldap/providers.tf +++ b/roles/vault/files/auth_ldap/providers.tf @@ -2,7 +2,7 @@ terraform { required_providers { vault = { source = "hashicorp/vault" - version = "3.21.0" + version = "4.3.0" } } } diff --git a/roles/vault/files/consul_service_mesh_ca/providers.tf b/roles/vault/files/consul_service_mesh_ca/providers.tf index 7bc158d0..e267761b 100644 --- a/roles/vault/files/consul_service_mesh_ca/providers.tf +++ b/roles/vault/files/consul_service_mesh_ca/providers.tf @@ -2,7 +2,7 @@ terraform { required_providers { vault = { source = "hashicorp/vault" - version = "3.21.0" + version = "4.3.0" } } } diff --git a/roles/vault/files/nomad/providers.tf b/roles/vault/files/nomad/providers.tf index d4c7872f..bf019807 100644 --- a/roles/vault/files/nomad/providers.tf +++ b/roles/vault/files/nomad/providers.tf @@ -2,7 +2,7 @@ terraform { required_providers { vault = { source = "hashicorp/vault" - version = "3.21.0" + version = "4.3.0" } } } diff --git a/roles/vault/files/pki/main.tf b/roles/vault/files/pki/main.tf new file mode 100644 index 00000000..3e0f9567 --- /dev/null +++ b/roles/vault/files/pki/main.tf 
@@ -0,0 +1,154 @@ +locals { + root_pki_path = "pki/${var.name}/root" + intermediate_pki_path = "pki/${var.name}/inter" + pki_role_name = "pki_${var.name}_role" + cn_root = "${terraform.workspace}/${var.name} Root CA" + cn_intermediate = "${terraform.workspace}/${var.name} Intermediate CA" + allowed_domain = var.allowed_domain + + pki_root_issuing_server = var.root_pki_issuing_server + pki_root_crl_distribution_point = var.root_pki_crl_distribution_point + + pki_inter_issuing_server = var.intermediate_pki_issuing_server + pki_inter_crl_distribution_point = var.intermediate_pki_crl_distribution_point + token_name = "${terraform.workspace}_pki_${var.name}" + token_ttl = "15d" + token_renew_min_lease = 7 * 24 * 60 * 60 + token_renew_increment = 15 * 24 * 60 * 60 +} + +resource "vault_policy" "pki" { + name = local.token_name + + policy = templatefile("${path.module}/policies/pki.tpl", + { + root_pki_path = local.root_pki_path, + intermediate_pki_path = local.intermediate_pki_path + } + ) +} + +resource "vault_token" "pki" { + no_parent = true + renewable = true + + policies = [ + vault_policy.pki.name + ] + + ttl = local.token_ttl + renew_min_lease = local.token_renew_min_lease + renew_increment = local.token_renew_increment +} + +resource "vault_pki_secret_backend_role" "role" { + backend = vault_mount.pki_inter.path + name = local.pki_role_name + ttl = 60 * 60 * 24 + allow_ip_sans = true + key_type = "rsa" + key_bits = 4096 + allowed_domains = [local.allowed_domain] + allow_subdomains = true + allow_glob_domains = true +} + +# ======= +# Root CA +# ======= +resource "vault_mount" "pki_root" { + path = local.root_pki_path + type = "pki" + + # 1 day + default_lease_ttl_seconds = 60 * 60 * 24 + + # 10 years + max_lease_ttl_seconds = 60 * 60 * 24 * 365 * 10 +} + +resource "vault_pki_secret_backend_config_urls" "pki_root_config_urls" { + backend = vault_mount.pki_root.path + issuing_certificates = [ + "${local.pki_root_issuing_server}/v1/${vault_mount.pki_root.path}/ca" + 
] + crl_distribution_points = [ + "${local.pki_inter_crl_distribution_point}/v1/${vault_mount.pki_root.path}/crl" + ] +} + +# =============== +# Intermediary CA +# =============== +resource "vault_mount" "pki_inter" { + path = local.intermediate_pki_path + type = "pki" + + # 1 day + # default_lease_ttl_seconds = 60 * 60 * 24 + default_lease_ttl_seconds = 60 + + # 1 year + max_lease_ttl_seconds = 60 * 60 * 24 * 365 +} + +resource "vault_pki_secret_backend_config_urls" "pki_inter_config_urls" { + backend = vault_mount.pki_inter.path + issuing_certificates = [ + "${local.pki_inter_issuing_server}/v1/${vault_mount.pki_inter.path}/ca" + ] + crl_distribution_points = [ + "${local.pki_inter_crl_distribution_point}/v1/${vault_mount.pki_inter.path}/crl" + ] +} + +# ================ +# Generate Root CA +# ================ +resource "vault_pki_secret_backend_root_cert" "pki_root_cert" { + depends_on = [vault_mount.pki_root] + + backend = vault_mount.pki_root.path + + type = "internal" + common_name = local.cn_root + ttl = 60 * 60 * 24 * 365 * 10 +} + + +# ================== +# Generate Inter CSR +# ================== +resource "vault_pki_secret_backend_intermediate_cert_request" "pki_inter" { + depends_on = [vault_mount.pki_inter] + + backend = vault_mount.pki_inter.path + + type = "internal" + common_name = local.cn_intermediate +} + + + +# ================ +# Root signs Inter +# ================ +resource "vault_pki_secret_backend_root_sign_intermediate" "pki_root_inter" { + depends_on = [vault_pki_secret_backend_intermediate_cert_request.pki_inter] + + backend = vault_mount.pki_root.path + + csr = vault_pki_secret_backend_intermediate_cert_request.pki_inter.csr + common_name = local.cn_intermediate + format = "pem_bundle" + ttl = 60 * 60 * 24 * 365 +} + +# ============ +# Set Inter CA +# ============ +resource "vault_pki_secret_backend_intermediate_set_signed" "pki_inter" { + backend = vault_mount.pki_inter.path + certificate = 
vault_pki_secret_backend_root_sign_intermediate.pki_root_inter.certificate +} + diff --git a/roles/vault/files/pki/output.tf b/roles/vault/files/pki/output.tf new file mode 100644 index 00000000..2439a0d6 --- /dev/null +++ b/roles/vault/files/pki/output.tf @@ -0,0 +1,13 @@ +output "pki_token" { + sensitive = true + value = vault_token.pki.client_token +} + +output "pki_root_ca_cert" { + sensitive = true + value = vault_pki_secret_backend_root_cert.pki_root_cert.certificate +} + +output "pki_intermediate_path" { + value = vault_mount.pki_inter.path +} diff --git a/roles/vault/files/pki/policies/pki.tpl b/roles/vault/files/pki/policies/pki.tpl new file mode 100644 index 00000000..d400af9f --- /dev/null +++ b/roles/vault/files/pki/policies/pki.tpl @@ -0,0 +1,28 @@ +path "auth/token/lookup-self" { + capabilities = ["read"] +} + +path "auth/token/renew-self" { + capabilities = ["update"] +} + +path "/sys/mounts" { + capabilities = [ "read" ] +} + +path "/sys/mounts/${root_pki_path}" { + capabilities = [ "create", "read", "update", "delete", "list" ] +} + +path "/${root_pki_path}/*" { + capabilities = [ "create", "read", "update", "delete", "list" ] +} + +path "/sys/mounts/${intermediate_pki_path}" { + capabilities = [ "create", "read", "update", "delete", "list" ] +} + +path "/${intermediate_pki_path}/*" { + capabilities = [ "create", "read", "update", "delete", "list" ] +} + diff --git a/roles/vault/files/pki/providers.tf b/roles/vault/files/pki/providers.tf new file mode 100644 index 00000000..e267761b --- /dev/null +++ b/roles/vault/files/pki/providers.tf @@ -0,0 +1,10 @@ +terraform { + required_providers { + vault = { + source = "hashicorp/vault" + version = "4.3.0" + } + } +} + +provider "vault" {} diff --git a/roles/vault/files/pki/variables.tf b/roles/vault/files/pki/variables.tf new file mode 100644 index 00000000..4719b7ce --- /dev/null +++ b/roles/vault/files/pki/variables.tf 
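Review bot: The root CA's CRL URL in `vault_pki_secret_backend_config_urls.pki_root_config_urls` is built from `local.pki_inter_crl_distribution_point`, while `local.pki_root_crl_distribution_point` (and the `root_pki_crl_distribution_point` variable it comes from) is never used, so a root-specific CRL endpoint would be silently ignored; the line should read `"${local.pki_root_crl_distribution_point}/v1/${vault_mount.pki_root.path}/crl"`. This is masked today only because the bootstrap task passes the same `hs_vault_external_url` for all four URL inputs. The intermediate mount also keeps a commented-out `default_lease_ttl_seconds = 60 * 60 * 24` above a live `60`; either drop the leftover or add a comment saying why one minute is intended (the role sets `ttl = 60 * 60 * 24` explicitly, so the mount default only applies to requests that do not go through that role). A one-line comment on the role noting that `allow_glob_domains` is inert unless `allowed_domain` itself contains `*` would save the next reader a lookup.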
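Review bot: `sensitive = true` on `pki_token` only redacts the value from plan/apply output; the client token is still stored in clear in the Terraform state, so the backend this module is applied with (an S3 backend is rendered by the bootstrap task when `hs_vault_terraform_backend_type` is `s3`, otherwise presumably a local state file in the work dir) must be treated as holding a Vault token with the PKI policy's full rights. A comment on the output would make that expectation explicit, e.g. `# Plaintext in state: protect the state backend as you would the token itself.` Marking `pki_root_ca_cert` sensitive is harmless but unnecessary since a CA certificate is public material; it mainly hides the certificate from plan diffs, which is worth a short comment if that is deliberate.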
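Review bot: The policy attached to the token exported by this module grants create/update/delete on `/sys/mounts/${root_pki_path}` and on `/${root_pki_path}/*`, so the holder of `hs_vault_pki_<name>_token` can disable the root mount, rotate or tidy the root, issue end-entity certificates directly from the root, or sign a rogue intermediate via `root/sign-intermediate`. The CA setup itself is driven by Terraform with the Vault root token (see the `VAULT_TOKEN` in the bootstrap task), so this token is not the one building the hierarchy; if it is meant for workloads requesting leaf certificates, it only needs `update` on the intermediate's `issue/*` (and possibly `sign/*`) paths, plus the two `auth/token/*-self` stanzas. The `/sys/mounts` read stanza also lists every mount in the cluster and does not appear to be needed for issuance. Proposed minimal policy body (the self-lookup/renew stanzas unchanged):

```hcl
# … unchanged: auth/token/lookup-self and auth/token/renew-self stanzas …

path "${intermediate_pki_path}/issue/*" {
  capabilities = ["update"]
}

path "${intermediate_pki_path}/sign/*" {
  capabilities = ["update"]
}
```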
@@ -0,0 +1,8 @@ +variable "name" {} +variable "allowed_domain" {} + +variable "root_pki_issuing_server" {} +variable "root_pki_crl_distribution_point" {} +variable "intermediate_pki_issuing_server" {} +variable "intermediate_pki_crl_distribution_point" {} + diff --git a/roles/vault/files/telemetry/providers.tf b/roles/vault/files/telemetry/providers.tf index 7bc158d0..e267761b 100644 --- a/roles/vault/files/telemetry/providers.tf +++ b/roles/vault/files/telemetry/providers.tf @@ -2,7 +2,7 @@ terraform { required_providers { vault = { source = "hashicorp/vault" - version = "3.21.0" + version = "4.3.0" } } } diff --git a/roles/vault/tasks/__bootstrap_pki.yml b/roles/vault/tasks/__bootstrap_pki.yml new file mode 100644 index 00000000..3886a172 --- /dev/null +++ b/roles/vault/tasks/__bootstrap_pki.yml 
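Review bot: All seven variables are declared without `type` or `description`, so a list or map passed by mistake is only caught deep inside string interpolation rather than at plan time; declaring them as `variable "allowed_domain" { type = string }` (and likewise for the others) gives a clear validation error, and a `description` stating that the four URL inputs are the externally reachable Vault base URL, which is what the bootstrap task passes as `hs_vault_external_url`, documents the contract. Note that `root_pki_crl_distribution_point` is accepted here but, in the `main.tf` added by the same commit, is only copied into a local that nothing references, so it appears to be dead input; worth either wiring it up or dropping it.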
@@ -0,0 +1,81 @@ +--- +- name: "Load collection common vars" + import_role: + name: "vault_vars" + tags: + - always + +- name: "Assert inputs" + assert: + that: + - hs_vault_addon_pki_name is match('^[a-z0-9A-Z_-]+$') + - hs_vault_addon_pki_domain is match('^[a-z0-9A-Z.-]+$') + run_once: true + +- name: "Set terraform work dir" + set_fact: + _hs_vault_current_tf_work_dir: >- + {{ hs_vault_terraform_work_dir }}/vault_addon_pki_{{ hs_vault_addon_pki_name }} + +- name: "[LOCAL] Render pki addon" # noqa risky-file-permissions name[template] + copy: + src: "{{ role_path }}/files/pki/" + dest: "{{ _hs_vault_current_tf_work_dir }}/" + delegate_to: localhost + become: false + when: + - __hs_vault_is_first_master + +- name: "[LOCAL] Render backend tf file" + template: + src: "tf_backend_{{ hs_vault_terraform_backend_type }}.tf.j2" + dest: "{{ _hs_vault_current_tf_work_dir }}/backend.tf" + mode: 0644 + delegate_to: localhost + become: false + when: + - __hs_vault_is_first_master + - hs_vault_terraform_backend_type in ['s3'] + +- name: "[LOCAL] Apply pki addon" # noqa name[template] + cloud.terraform.terraform: + project_path: "{{ _hs_vault_current_tf_work_dir }}" + state: "present" # noqa args + force_init: true + backend_config: "{{ hs_vault_terraform_backend_config }}" + init_reconfigure: true + provider_upgrade: "{{ hs_tf_provider_upgrade | default(true) }}" + workspace: "{{ hs_vault_cluster_name }}" + variables: + name: "{{ hs_vault_addon_pki_name }}" + allowed_domain: "{{ hs_vault_addon_pki_domain }}" + root_pki_issuing_server: "{{ hs_vault_external_url }}" + root_pki_crl_distribution_point: "{{ hs_vault_external_url }}" + intermediate_pki_issuing_server: "{{ hs_vault_external_url }}" + intermediate_pki_crl_distribution_point: "{{ hs_vault_external_url }}" + environment: + VAULT_ADDR: "{{ hs_vault_external_url }}" + VAULT_TOKEN: "{{ vault_init_content.root_token }}" + VAULT_CACERT: "{{ hs_vault_use_custom_ca | ternary(hs_vault_local_ca_cert, '') }}" + TF_CLI_ARGS: "" + 
TF_CLI_ARGS_init: "" + TF_CLI_ARGS_plan: "" + TF_CLI_ARGS_apply: "" + TF_CLI_ARGS_destroy: "" + register: tf_result + throttle: 1 + delegate_to: localhost + become: false + when: + - __hs_vault_is_first_master + +- name: "[LOCAL] Render pki addon outputs" # noqa name[template] + template: + src: "_addon_pki_output.yml.j2" + dest: "{{ hs_vault_local_secret_dir }}/vault_addon_pki.{{ hs_vault_addon_pki_name }}.yml" + mode: 0600 + delegate_to: localhost + become: false + when: + - __hs_vault_is_first_master + diff --git a/roles/vault/tasks/__trust_pki_root.yml b/roles/vault/tasks/__trust_pki_root.yml new file mode 100644 index 00000000..5a1855c2 --- /dev/null +++ b/roles/vault/tasks/__trust_pki_root.yml @@ -0,0 +1,35 @@ +--- +- name: "Load collection common vars" + import_role: + name: "vault_vars" + tags: + - always + +- debug: + msg: >- + {{ hostvars[__hs_vault_first_master]['hs_vault_pki_'+ hs_vault_addon_pki_name +'_root_certificate_b64'] }} +- name: "Assert inputs" + assert: + that: + - hs_vault_addon_pki_name is match('^[a-z0-9A-Z_-]+$') + - hostvars[__hs_vault_first_master]['hs_vault_pki_'+ hs_vault_addon_pki_name +'_root_certificate_b64'] is defined + run_once: true + +- name: Upload CA certificate + copy: + dest: >- + {{ __hs_vault_certs_truststore_dir }}/pki_{{ hs_vault_addon_pki_name }}.ca.crt + + content: |- + {{ + hostvars[__hs_vault_first_master]['hs_vault_pki_'+ hs_vault_addon_pki_name +'_root_certificate_b64'] + | b64decode + }} + owner: root + group: "{{ __hs_vault_ssl_cert_group }}" + mode: 0644 + notify: "Update ca trust" + +- name: "Vault end-role flush" + meta: flush_handlers + tags: always diff --git a/roles/vault/templates/_addon_pki_output.yml.j2 b/roles/vault/templates/_addon_pki_output.yml.j2 new file mode 100644 index 00000000..dd313f86 --- /dev/null +++ b/roles/vault/templates/_addon_pki_output.yml.j2 
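Review bot: The `[LOCAL] Apply pki addon` task registers `tf_result`, whose `outputs` includes the `pki_token` value in clear, but the task has no `no_log`, so a `-v` run prints the freshly minted Vault token to the console and any log collector; adding `no_log: true` on that task (the outputs are still written to the 0600 file by the following template task) closes that. The apply also runs with `VAULT_TOKEN: "{{ vault_init_content.root_token }}"`, which means the initial root token has to stay retrievable on the controller for every addon run; if that is intentional a comment saying so would help, since the usual practice is to revoke the root token after bootstrap and drive day-2 automation with a scoped token or auth method. When `hs_vault_terraform_backend_type` is not `s3` no `backend.tf` is rendered, so Terraform presumably falls back to a local state file in `_hs_vault_current_tf_work_dir`, a directory created by the preceding `copy` task without an explicit `mode` (the `risky-file-permissions` noqa) and which would then contain the token in plaintext; a comment or an explicit `mode` on that copy would make the exposure visible.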
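Review bot: The unnamed `debug` task before "Assert inputs" looks like a leftover: it prints the base64 root certificate on every run and, when the hostvar is missing, aborts with a raw undefined-variable error before the assert can report its clearer message. Dropping it (or at least naming it and guarding it with `when: hostvars[__hs_vault_first_master]['hs_vault_pki_' ~ hs_vault_addon_pki_name ~ '_root_certificate_b64'] is defined`) keeps the assert as the single entry check. A short comment above "Upload CA certificate" noting that the variable is expected to come from the `vault_addon_pki.<name>.yml` file written by the bootstrap task would help, since that link is not visible in this file.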
@@ -0,0 +1,10 @@ +--- +hs_vault_pki_{{ hs_vault_addon_pki_name }}_token: >- + {{ tf_result.outputs.pki_token.value }} + +hs_vault_pki_{{ hs_vault_addon_pki_name }}_intermediate_path: >- + {{ tf_result.outputs.pki_intermediate_path.value }} + +hs_vault_pki_{{ hs_vault_addon_pki_name }}_root_certificate_b64: >- + {{ tf_result.outputs.pki_root_ca_cert.value | b64encode }} + diff --git a/roles/vault_sidecar/defaults/main.yml b/roles/vault_sidecar/defaults/main.yml index b54f01e8..b57ccecf 100644 --- a/roles/vault_sidecar/defaults/main.yml +++ b/roles/vault_sidecar/defaults/main.yml @@ -1,3 +1,9 @@ --- +# +# ```{include} ../../../../roles/vault_sidecar/README.md +# ``` +# +# ## Role defaults + hs_consul_https_address: "0.0.0.0" hs_consul_api_port: "8501" diff --git a/roles/vault_vars/defaults/main.yml b/roles/vault_vars/defaults/main.yml index 23d070f5..040cb75b 100644 --- a/roles/vault_vars/defaults/main.yml +++ b/roles/vault_vars/defaults/main.yml @@ -1,6 +1,6 @@ --- # -# ```{include} ../../../roles/vault/README.md +# ```{include} ../../../../roles/vault/README.md # ``` # # ## Role defaults diff --git a/roles/vault_vars/vars/main.yml b/roles/vault_vars/vars/main.yml index 9f494cac..db43ee50 100644 --- a/roles/vault_vars/vars/main.yml +++ b/roles/vault_vars/vars/main.yml @@ -44,8 +44,11 @@ __hs_vault_is_master: >- }} __hs_vault_is_minion: "{{ not __hs_vault_is_master }}" +__hs_vault_first_master: >- + {{ groups[hs_vault_inventory_masters_group][0] }} + __hs_vault_is_first_master: >- - {{ inventory_hostname == groups[hs_vault_inventory_masters_group][0] }} + {{ inventory_hostname == __hs_vault_first_master }} __hs_vault_master_partners: >- {{
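Review bot: The three values are emitted as bare folded scalars, so any output containing a YAML-significant sequence (`: `, ` #`, a leading quote) would change how the generated file parses; piping each through `to_json` yields a safely quoted string, e.g. `hs_vault_pki_{{ hs_vault_addon_pki_name }}_token: {{ tf_result.outputs.pki_token.value | to_json }}`. The file holds a renewable 15-day token in cleartext, protected only by the 0600 mode set by the rendering task; if `hs_vault_local_secret_dir` is ever committed or shared, encrypting the file with ansible-vault is the usual safeguard, and a header comment in the template stating that this file is a secret would make that expectation explicit.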