
Commit 4f3b694

Add vault_unseal role
1 parent 1493f96 commit 4f3b694


5 files changed

+51
-17
lines changed


roles/vault/README.md

Lines changed: 0 additions & 17 deletions
@@ -126,21 +126,4 @@ Example post-config playbook to enable secrets engines:
126126
run_once: True
127127
```
128128

129-
Example vault unseal playbook based on Kayobe's secrets.yml
130-
```
131-
---
132-
- name: Unseal vault
133-
any_errors_fatal: True
134-
gather_facts: True
135-
hosts: vault
136-
tasks:
137-
- name: Unseal vault
138-
hashivault_unseal:
139-
url: "https://sparrow.cf.ac.uk:8200"
140-
keys: "{{ item }}"
141-
run_once: True
142-
with_items: "{{ secrets_vault_keys.unseal_keys_b64 }}"
143-
no_log: True
144-
```
145-
146129
NOTE: secrets_external_tls_cert/key are variables in Kayobe's secrets.yml
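Review bot: The removal leaves roles/vault/README.md with no pointer to where unsealing now lives; the hunk drops the whole "Example vault unseal playbook" section (lines 129-145) but adds nothing in its place, so a reader of this README no longer learns that unsealing is handled by the separate vault_unseal role. Suggest a one-line replacement such as "See roles/vault_unseal/README.md for unsealing." Also worth noting for the reviewer of the other hunks: the deleted example carried `no_log: True` on the unseal task, which the new role's task does not.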

roles/vault_unseal/README.md

Lines changed: 33 additions & 0 deletions
@@ -0,0 +1,33 @@
1+
This role unseals Hashicorp Vault.
2+
3+
Note that in a Vault cluster, each Vault server must be unsealed individually.
4+
5+
Requirements
6+
------------
7+
8+
``ansible-modules-hashivault`` PyPI package installed
9+
10+
Role variables
11+
--------------
12+
13+
* `vault_api_addr`: Vault [API addr](https://www.vaultproject.io/docs/configuration#api_addr) - Full URL including protocol and port (e.g. "http://127.0.0.1:8200"). In a Vault cluster, this should point to an individual Vault server, rather than a load balancer.
14+
* `vault_unseal_keys`: List of unseal key shards.
15+
16+
Example playbook
17+
----------------
18+
19+
Example vault unseal playbook:
20+
```
21+
---
22+
- name: Unseal vault
23+
any_errors_fatal: True
24+
gather_facts: True
25+
hosts: vault
26+
tasks:
27+
- name: Unseal vault
28+
import_role:
29+
name: stackhpc.vault_unseal
30+
vars:
31+
vault_api_addr: "https://vault.example.com"
32+
vault_keys: "{{ vault_keys.keys_base64 }}"
33+
```
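Review bot: The example playbook sets `vault_keys`, but the role variable documented just above it (and defined in defaults/main.yml in this same commit) is `vault_unseal_keys`; as written the role would run with the empty default list and unseal nothing. The value `"{{ vault_keys.keys_base64 }}"` is also self-referential, since the variable being assigned is named `vault_keys`. Suggest `vault_unseal_keys: "{{ vault_init_result.keys_base64 }}"` or similar, with the source variable named explicitly. Two smaller points: `vault_api_addr: "https://vault.example.com"` omits the port the variable description says is required (e.g. `:8200`), and the README does not mention the `vault_vip_url` / `vault_vip_address` backwards-compatibility variables that defaults/main.yml introduces.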

roles/vault_unseal/defaults/main.yml

Lines changed: 7 additions & 0 deletions
@@ -0,0 +1,7 @@
1+
---
2+
# Allow vault_vip_url and vault_vip_address for backwards compatibility.
3+
vault_vip_address: "{{ vault_vip_url | default('') }}"
4+
vault_api_addr: "{{ ('https://' ~ vault_vip_address ~ ':8200') if vault_vip_address else '' }}"
5+
6+
# List of unseal key shards.
7+
vault_unseal_keys: []
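Review bot: When neither `vault_vip_url`, `vault_vip_address` nor `vault_api_addr` is set, `vault_api_addr` resolves to the empty string and the unseal task will call the module with `url: ""`, producing an opaque connection error rather than a clear configuration error. Suggest either a `fail`/`assert` task at the top of tasks/main.yml checking that `vault_api_addr` is non-empty (and that `vault_unseal_keys` is non-empty), or dropping the `if ... else ''` so an unset value fails at template time. Note also that the compatibility path hardcodes `https://` and port `8200`; that matches the old behaviour, so a comment saying so would help anyone setting `vault_vip_address` for a non-default listener.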

roles/vault_unseal/tasks/main.yml

Lines changed: 5 additions & 0 deletions
@@ -0,0 +1,5 @@
1+
---
2+
- name: Unseal Vault
3+
hashivault_unseal:
4+
url: "{{ vault_api_addr }}"
5+
keys: "{{ vault_unseal_keys | join(' ') }}"
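Review bot: The task passes all unseal key shards in `keys` without `no_log: true`, so the shards will be written to Ansible output and logs whenever the task is run verbosely or fails; the README example this commit removes had `no_log: True` on the equivalent task, and the role should keep it. Suggest adding `no_log: true` directly under the `hashivault_unseal:` block. Separately, the old example looped over the shards with `with_items` while this task joins them with a space into a single `keys` string; if that change is intentional because the module splits on whitespace, a short comment saying so would save the next reader a trip to the module source.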

tests/test_vault.yml

Lines changed: 6 additions & 0 deletions
@@ -23,3 +23,9 @@
2323
# Idempotence test
2424
- include_role:
2525
name: vault
26+
27+
- name: Unseal vault
28+
import_role:
29+
name: vault_unseal
30+
vars:
31+
vault_keys: "{{ vault_keys.keys_base64 }}"
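Review bot: Same variable-name mismatch as the new README example: the test sets `vault_keys`, but the role reads `vault_unseal_keys`, so this test exercises the role with the empty default list and would pass without actually unsealing anything. It should set `vault_unseal_keys:` instead, and the source expression should not reference the same variable it is defining (`vault_keys.keys_base64` while assigning `vault_keys`). Since this is the idempotence test, consider also asserting afterwards that the server reports unsealed, so the test fails if the keys are wrong rather than silently succeeding.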
