Merge pull request #33 from stackhpc/vault_ca_cert

mnasiadka · web-flow · commit a720537319c5 · 2022-12-06T16:19:40.000+01:00
Fix prechecks, add vault_ca_cert
diff --git a/roles/vault/README.md b/roles/vault/README.md
@@ -33,6 +33,7 @@ Role variables
     * `consul_container.etc_hosts`: Dict; `{<hostname>:<ip_address>}` to be added to container /etc/host
 s (default: Omitted)
     * `vault_extra_volumes`: List of `"<host_location>:<container_mountpoint>"`
+    * `vault_ca_cert`: Path to CA certificate used to verify Vault server TLS cert
     * `vault_tls_key`: Path to TLS key to use by Vault
     * `vault_tls_cert`: Path to TLS cert to use by Vault
     * `vault_log_keys`: Whether to log the root token and unseal keys in the Ansible output. Default `false`
diff --git a/roles/vault/tasks/vault.yml b/roles/vault/tasks/vault.yml
@@ -30,6 +30,7 @@
     - name: Initialize vault
       hashivault_init:
         url: "{{ vault_api_addr }}"
+        ca_cert: "{{ vault_ca_cert | default(omit) }}"
       no_log: true
       register: vault_keys_result
 
diff --git a/roles/vault_pki/tasks/create_cert.yml b/roles/vault_pki/tasks/create_cert.yml
@@ -3,6 +3,7 @@
   hashivault_pki_cert_issue:
     url: "{{ vault_api_addr }}"
     token: "{{ vault_token }}"
+    ca_cert: "{{ vault_ca_cert | default(omit) }}"
     mount_point: "{{ vault_pki_intermediate_ca_name }}"
     common_name: "{{ item.common_name }}"
     role: "{{ item.role }}"
diff --git a/roles/vault_pki/tasks/intermediate.yml b/roles/vault_pki/tasks/intermediate.yml
@@ -3,6 +3,7 @@
   hashivault_secret_engine:
     url: "{{ vault_api_addr }}"
     token: "{{ vault_token }}"
+    ca_cert: "{{ vault_ca_cert | default(omit) }}"
     name: "{{ vault_pki_intermediate_ca_name }}"
     description: "{{ vault_pki_intermediate_ca_name }} CA"
     backend: "pki"
@@ -16,6 +17,7 @@
       hashivault_pki_ca:
         url: "{{ vault_api_addr }}"
         token: "{{ vault_token }}"
+        ca_cert: "{{ vault_ca_cert | default(omit) }}"
         mount_point: "{{ vault_pki_intermediate_ca_name }}"
         type: "{% if vault_pki_intermediate_export | bool %}exported{% else %}internal{% endif %}"
         common_name: "{{ vault_pki_intermediate_ca_common_name }}"
@@ -29,6 +31,7 @@
       hashivault_pki_cert_sign:
         url: "{{ vault_api_addr }}"
         token: "{{ vault_token }}"
+        ca_cert: "{{ vault_ca_cert | default(omit) }}"
         mount_point: "{{ vault_pki_root_ca_name }}"
         csr: "{{ intermediate_ca_csr.data.csr }}"
         common_name: "{{ vault_pki_intermediate_ca_common_name }}"
@@ -39,6 +42,7 @@
       hashivault_pki_set_signed:
         url: "{{ vault_api_addr }}"
         token: "{{ vault_token }}"
+        ca_cert: "{{ vault_ca_cert | default(omit) }}"
         mount_point: "{{ vault_pki_intermediate_ca_name }}"
         certificate: |
           {{ intermediate_ca_csr_signed.data.certificate }}
@@ -50,6 +54,7 @@
       hashivault_pki_ca_set:
         url: "{{ vault_api_addr }}"
         token: "{{ vault_token }}"
+        ca_cert: "{{ vault_ca_cert | default(omit) }}"
         mount_point: "{{ vault_pki_intermediate_ca_name }}"
         pem_bundle: |
           {{ intermediate_ca_csr_signed.data.certificate }}
@@ -78,6 +83,7 @@
       hashivault_pki_ca_set:
         url: "{{ vault_api_addr }}"
         token: "{{ vault_token }}"
+        ca_cert: "{{ vault_ca_cert | default(omit) }}"
         mount_point: "{{ vault_pki_intermediate_ca_name }}"
         pem_bundle: "{{ vault_pki_intermediate_ca_bundle }}"
 
diff --git a/roles/vault_pki/tasks/prechecks.yml b/roles/vault_pki/tasks/prechecks.yml
@@ -1,12 +1,12 @@
 ---
 - name: "Fail if variables are not set"
   fail:
-    msg: "variable {{ item }} is not set"
+    msg: "variable {{ item.name }} is not set"
   when:
     - vars[item.name] | length == 0
     - item.when
   loop:
     - { "name": "vault_api_addr", "when": true }
     - { "name": "vault_token", when: true }
-    - { "name": "vault_pki_root_ca_name", "when": "vault_pki_root_create | bool" }
-    - { "name": "vault_pki_intermediate_ca_name", "when": "vault_pki_intermediate_create | bool" }
+    - { "name": "vault_pki_root_ca_name", "when": "{{ vault_pki_root_create | bool }}" }
+    - { "name": "vault_pki_intermediate_ca_name", "when": "{{ vault_pki_intermediate_create | bool }}" }
diff --git a/roles/vault_pki/tasks/roles.yml b/roles/vault_pki/tasks/roles.yml
@@ -3,6 +3,7 @@
   hashivault_pki_role:
     url: "{{ vault_api_addr }}"
     token: "{{ vault_token }}"
+    ca_cert: "{{ vault_ca_cert | default(omit) }}"
     mount_point: "{{ vault_pki_intermediate_ca_name }}"
     name: "{{ item.name }}"
     config: "{{ item.config }}"
diff --git a/roles/vault_pki/tasks/root.yml b/roles/vault_pki/tasks/root.yml
@@ -3,6 +3,7 @@
   hashivault_secret_engine:
     url: "{{ vault_api_addr }}"
     token: "{{ vault_token }}"
+    ca_cert: "{{ vault_ca_cert | default(omit) }}"
     name: "{{ vault_pki_root_ca_name }}"
     description: "{{ vault_pki_root_ca_name }} CA"
     backend: "pki"
@@ -14,6 +15,7 @@
   hashivault_pki_ca:
     url: "{{ vault_api_addr }}"
     token: "{{ vault_token }}"
+    ca_cert: "{{ vault_ca_cert | default(omit) }}"
     mount_point: "{{ vault_pki_root_ca_name }}"
     type: "internal"
     common_name: "{{ vault_pki_root_ca_common_name }}"
