[[TOC]]
This collection is about services provided by HashiCorp. More precisely about:
Using this collection, you will have access to the following roles:
### vault_install

This role will allow you to install Vault with the following features (rows whose Tag and Branch show `---` are not yet available):

Features | Tag | Branch |
---|---|---|
Vault - Install | 0.1.0 | roles/vault_install |
Vault - Configure HCL | 0.1.0 | roles/vault_install |
Vault - Configure systemd service | 0.1.0 | roles/vault_install |
Vault K8s - Install | --- | --- |

Please refer to the role `vault_install/README.md` for more information.
### vault_config

This role will allow you to configure your Vault after the installation with the following features (rows whose Tag and Branch show `---` are not yet available):

Features | Tag | Branch |
---|---|---|
Vault - Operator init | 0.2.0 | roles/vault_config |
Vault - Operator unseal | 0.2.0 | roles/vault_config |
Vault - Login CLI | 0.2.0 | roles/vault_config |
Vault - Operator seal | 0.2.0 | roles/vault_config |
Vault - Logout CLI | 0.2.0 | roles/vault_config |
Vault - Login API | --- | --- |
Vault - Operator generate-root | --- | --- |
Vault - Auth enable | --- | --- |
Vault - Auth disable | --- | --- |
Vault - Raft join | --- | --- |
Vault - Raft remove-peer | --- | --- |
Vault - Raft snapshot save | --- | --- |
Vault - Raft snapshot restore | --- | --- |

Please refer to the role `vault_config/README.md` for more information.
### vault_pki

This role will allow you to manage the Vault PKI Secrets Engine with the following features (rows whose Tag and Branch show `---` are not yet available):

Features | Tag | Branch |
---|---|---|
Vault - Engine enable PKI | 0.3.0 | roles/vault_pki |
Vault - Policies creation | 0.3.0 | roles/vault_pki |
Vault - PKI Role creation | 0.3.0 | roles/vault_pki |
Vault - PKI Root CA creation | 0.3.0 | roles/vault_pki |
Vault - PKI Endpoints configuration | 0.3.0 | roles/vault_pki |
Vault - PKI Intermediate CA creation | 0.3.0 | roles/vault_pki |
Vault - PKI Intermediate CA import | 0.3.0 | roles/vault_pki |
Vault - PKI Leaf certificate creation | 0.3.0 | roles/vault_pki |
Vault - PKI Leaf certificate revocation | 0.3.0 | roles/vault_pki |
Vault - Policy read | --- | --- |
Vault - Policy update | --- | --- |
Vault - Policy delete | --- | --- |
Vault - Policy list | --- | --- |
Vault - Role read | --- | --- |
Vault - Role update | --- | --- |
Vault - Role delete | --- | --- |
Vault - Role list | --- | --- |
Vault - PKI Root CA sunset | --- | --- |
Vault - PKI Root CA rotate | --- | --- |
Vault - PKI Intermediate CA cross-sign | --- | --- |
Vault - PKI Leaf certificate remove expired and revoked | --- | --- |

Please refer to the role `vault_pki/README.md` for more information.
## Requirements

- Ansible 2.12 or higher

## Usage

A complete example can be found in `molecule/default/converge.yml`.
First, you need to install HashiCorp Vault:

```yaml
- name: "Install Hashicorp Vault"
  hosts: vault
  collections:
    - kakudou.hashicorp
  tasks:
    - name: "Install the vault"
      ansible.builtin.include_role:
        name: vault_install
```
Then you want to configure the vault:

```yaml
- name: "Configure Hashicorp Vault"
  hosts: vault
  collections:
    - kakudou.hashicorp
  tasks:
    - name: "Configure the vault"
      ansible.builtin.include_role:
        name: vault_config
```
At this point the vault is initialized and sealed: 5 key shares were generated and 3 of them are needed to unseal it. You have two options:

- Retrieve the keys (by default in `/tmp/vault_keys`) and type them when prompted:

```yaml
- name: "Unseal Hashicorp Vault"
  hosts: vault
  collections:
    - kakudou.hashicorp
  tasks:
    - name: "Unseal the vault"
      ansible.builtin.include_role:
        name: vault_config
        tasks_from: vault_operator_unseal
      vars:
        vault_operator_unseal: true
```

- Use this little trick to make Ansible gather and use them for you, useful for the first install:

```yaml
- name: "Unseal Hashicorp Vault"
  hosts: vault
  collections:
    - kakudou.hashicorp
  tasks:
    - name: "Configure vars to unseal the vault"
      block:
        - name: "Retrieve keys from the /tmp/vault_keys"
          ansible.builtin.slurp:
            src: "/tmp/vault_keys"
          register: __keys
        - name: "Override the <vault_config_keys> var, since we can't set it before"
          ansible.builtin.set_fact:
            vault_config_keys: "{{ __keys['content'] | b64decode }}"
    - name: "Unseal the vault"
      ansible.builtin.include_role:
        name: vault_config
        tasks_from: vault_operator_unseal
      vars:
        vault_operator_unseal: true
        vault_config_prompt_keys: false
```
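What the unseal step above boils down to, as an added example that is not part of the kakudou.hashicorp collection: feeding key shares to Vault's `sys/unseal` endpoint one at a time and stopping at the threshold, so that with the 5 generated shares only 3 ever leave the controller. `FakeVault` is a constructed stand-in for offline use; `http_transport` targets a real node at an address you supply.

```python
"""Unseal a Vault node over its HTTP API with only as many key shares as the
threshold needs (5 generated, 3 needed, as on this page). Added example, not code
from the kakudou.hashicorp collection; FakeVault is a constructed offline stand-in."""
import json
import urllib.request
from typing import Callable, Dict, List

Transport = Callable[[str, dict], dict]  # post(api_path, body) -> decoded JSON


class UnsealError(RuntimeError):
    """The given shares did not bring the node to sealed=false."""


def http_transport(addr: str) -> Transport:
    """Real transport: POST JSON to <addr>/v1/<path>, e.g. http://127.0.0.1:8200."""
    def post(path: str, body: dict) -> dict:
        req = urllib.request.Request(
            f"{addr.rstrip('/')}/v1/{path}", data=json.dumps(body).encode(),
            headers={"Content-Type": "application/json"}, method="POST")
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)
    return post


def unseal(shares: List[str], post: Transport) -> Dict[str, int]:
    """Feed shares to sys/unseal one at a time and stop at sealed=false.

    Shares beyond the threshold are never transmitted and none is logged;
    'sealed', 't' (threshold) and 'n' (total shares) are Vault's response fields.
    """
    for used, share in enumerate(shares, start=1):
        status = post("sys/unseal", {"key": share})
        if not status["sealed"]:
            return {"shares_used": used, "threshold": status["t"], "total": status["n"]}
    raise UnsealError(f"still sealed after {len(shares)} share(s)")


class FakeVault:
    """Constructed stand-in for sys/unseal: a progress counter with a threshold."""
    def __init__(self, threshold: int = 3, total: int = 5) -> None:
        self.t, self.n, self.progress = threshold, total, 0

    def post(self, path: str, body: dict) -> dict:
        assert path == "sys/unseal" and body["key"]
        self.progress += 1
        sealed = self.progress < self.t
        if not sealed:
            self.progress = 0  # Vault clears the counter once unsealed
        return {"sealed": sealed, "t": self.t, "n": self.n, "progress": self.progress}
```

Against a real node, replace `FakeVault().post` with `http_transport("http://127.0.0.1:8200")` and pass the shares read from `/tmp/vault_keys`.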
Then you will probably want to configure the PKI engine and generate a root and an intermediate CA. You also have two options:

- Get the token in `/tmp/vault_token` and configure `vault_pki_api_token` accordingly.
- Make that a little more autonomous for the first install:

```yaml
- name: "Configure Hashicorp Vault PKI Engine, generate a root and an intermediate CA"
  hosts: vault-root
  vars:
    vault_pki_roles_creation: true
    vault_pki_policies_creation: true
    vault_policies:
      - policy_name: "admin-policy"
        policy_file: "admin-policy.hcl"
    vault_pki_endpoints_configuration: true
    vault_pki_engine_path: "pki"
    vault_pki_roles:
      - role_name: "root_ca"
        role_file: "payload-role.json"
    vault_pki_root_ca_creation: true
    vault_pki_root_ca_attribute_file: "payload-root-ca.json"
    vault_pki_intermediate_ca_creation: true
    vault_pki_intermediate_ca_attribute_file: "payload-intermediate-ca.json"
  collections:
    - kakudou.hashicorp
  tasks:
    - name: "Retrieve token from the /tmp/vault_token"
      ansible.builtin.slurp:
        src: "/tmp/vault_token"
      register: __token
    - name: "Override the <vault_config_login_token> var"
      ansible.builtin.set_fact:
        vault_pki_api_token: "{{ __token['content'] | b64decode }}"
    - name: "Configure the PKI engine, generate root and intermediate CA"
      ansible.builtin.include_role:
        name: vault_pki
```

For this to work, you need to have `payload-role.json`, `payload-root-ca.json` and `payload-intermediate-ca.json` configured for your needs (examples in the molecule `files` folder).
Then you will probably want to configure the PKI engine and import the intermediate CA. You also have two options:

- Get the token in `/tmp/vault_token` and configure `vault_pki_api_token` accordingly, then get the intermediate CA PEM from the vault root server and point `vault_pki_intermediate_ca_import_pem_file` at that file.
- Make that a little more autonomous for the first install:

```yaml
- name: "Configure the Vault PKI to import and configure the Intermediate CA"
  hosts: vault-intermediate
  vars:
    vault_pki_roles_creation: true
    vault_pki_policies_creation: true
    vault_policies:
      - policy_name: "admin-policy"
        policy_file: "admin-policy.hcl"
    vault_pki_endpoints_configuration: true
    vault_pki_engine_path: "pki_int"
    vault_pki_roles:
      - role_name: "intermediate_ca"
        role_file: "payload-role.json"
    vault_pki_intermediate_ca_import: true
  collections:
    - kakudou.hashicorp
  tasks:
    - name: "Retrieve token from the /tmp/vault_token"
      ansible.builtin.slurp:
        src: "/tmp/vault_token"
      register: __token
    - name: "Override the <vault_config_login_token> var, since we can't set it before"
      ansible.builtin.set_fact:
        vault_pki_api_token: "{{ __token['content'] | b64decode }}"
    - name: "Get the certificate from vault-root"
      block:
        - name: "Retrieve key from the /tmp/intermediate_ca.key"
          ansible.builtin.slurp:
            src: "/tmp/intermediate_ca.key"
          register: __key
        - name: "Retrieve crt from the /tmp/intermediate_ca.crt"
          ansible.builtin.slurp:
            src: "/tmp/intermediate_ca.crt"
          register: __crt
      delegate_to: vault-root
    - name: "Make pem bundle from key and crt"
      ansible.builtin.copy:
        content: "{{ __crt['content'] | b64decode }}\n{{ __key['content'] | b64decode }}"
        dest: "/tmp/intermediate_ca.pem"
        # the bundle contains the intermediate CA private key; 0644 makes it
        # world-readable, so tighten it if the user running the import allows
        mode: "0644"
    - name: "Configure the PKI engine, import the intermediate CA"
      ansible.builtin.include_role:
        name: vault_pki
```

For this to work, you need to have `payload-role.json` configured for your needs (example in the molecule `files` folder).
To generate a leaf certificate, you simply need to call the feature:

```yaml
- name: "Generate a leaf certificate"
  hosts: vault-intermediate
  collections:
    - kakudou.hashicorp
  tasks:
    - name: "Generate leaf certificate"
      ansible.builtin.include_role:
        name: vault_pki
        tasks_from: vault_pki_leaf_certificate_creation
      vars:
        vault_pki_leaf_certificate_creation: true
        vault_pki_leaf_certificate_common_name: "test.example.com"
        vault_pki_leaf_certificate_issuer_role: "intermediate_ca"
```