Initial commit

Author: mnasiadka

README.md

@@ -0,0 +1,37 @@
+# StackHPC pulp collection
+
+This repo contains `stackhpc.hashicorp` Ansible Collection. The collection includes roles supported by StackHPC for Hashicorp Vault/Consul deployment and configuration.
+
+## Tested with Ansible
+
+Tested with the current Ansible 2.9-2.10 releases.
+
+## Included content
+
+* `vault` role
+
+## Using this collection
+
+Before using the collection, you need to install the collection with the `ansible-galaxy` CLI:
+
+    ansible-galaxy collection install stackhpc.hashicorp
+
+You can also include it in a `requirements.yml` file and install it via ansible-galaxy collection install -r requirements.yml` using format:
+
+```yaml
+collections:
+- name: stackhpc.hashicorp
+```
+
+See [Ansible Using collections](https://docs.ansible.com/ansible/latest/user_guide/collections_using.html) for more details.
+
+## More information
+
+- [Ansible Collection overview](https://github.com/ansible-collections/overview)
+- [Ansible User guide](https://docs.ansible.com/ansible/latest/user_guide/index.html)
+- [Ansible Developer guide](https://docs.ansible.com/ansible/latest/dev_guide/index.html)
+- [Ansible Community code of conduct](https://docs.ansible.com/ansible/latest/community/code_of_conduct.html)
+
+## Licensing
+
+Apache License Version 2.0

galaxy.yml

@@ -0,0 +1,13 @@
+namespace: "stackhpc"
+name: "hashicorp"
+version: "1.0.0"
+readme: "README.md"
+authors:
+  - "Michał Nasiadka"
+license:
+  - "Apache-2.0"
+tags:
+  - hashicorp
+  - vault
+  - consul
+repository: "https://github.com/stackhpc/ansible-collection-hashicorp"

roles/vault/README.md

@@ -0,0 +1,103 @@
+This role deploys and initializes Hashicorp Vault with Consul backend
+
+Role variables
+--------------
+
+* Consul
+  * Mandatory
+    * `consul_bind_interface`: Which interface should be used for Consul
+    * `consul_vip_address`: Under which IP address consul should be available (this role does not deploy keepalived)
+  * Optional
+    * `consul_docker_name`: Docker - under which name to run the Consul image (default: "consul")
+    * `consul_docker_image`: Docker image for Consul (default: "consul")
+    * `consul_docker_tag`: Docker image tag for Consul (default: "latest")
+    * `consul_docker_volume`: Docker volume name for Consul data (default: "consul_data")
+* Vault
+  * Mandatory
+    * `vault_cluster_name`: Vault cluster name (e.g. "prod_cluster")
+    * `vault_tls_key`: Path to TLS key to use by Vault
+    * `vault_tls_cert`: Path to TLS cert to use by Vault
+
+
+Example playbook (used with OpenStack Kayobe)
+---------------------------------------------
+
+```
+---
+- name: Prepare for hashicorp-vault role
+  any_errors_fatal: True
+  gather_facts: True
+  hosts: consul
+  tasks:
+    - name: Ensure /opt/kayobe/vault exists
+      file:
+        state: present
+        path: /opt/kayobe/vault
+        state: directory
+
+    - name: Template out tls key and cert
+      vars:
+        tls_files:
+          - content: "{{ secrets_external_tls_cert }}"
+            dest: "tls.cert"
+          - content: "{{ secrets_external_tls_key }}"
+            dest: "tls.key"
+      copy:
+        content: "{{ item.content }}"
+        dest: "/opt/kayobe/vault/{{ item.dest }}"
+        owner: 100
+        group: 1001
+        mode: 0600
+      loop: "{{ tls_files }}"
+      no_log: True
+      become: true
+
+- name: Run hashicorp-vault role
+  any_errors_fatal: True
+  gather_facts: True
+  hosts: consul
+  roles:
+    - role: stackhpc.hashicorp.vault
+      consul_bind_interface: "{{ internal_net_interface }}"
+      consul_bind_ip: "{{ internal_net_ips[ansible_hostnanme] }}"
+      consul_vip_address: "{{ internal_net_vip_address }}"
+      vault_bind_address: "{{ external_net_ips[ansible_hostname] }}"
+      vault_vip_url: "{{ external_net_fqdn }}"
+      vault_config_dir: "/opt/kayobe/vault"
+```
+
+Example post-config playbook to enable secrets engines:
+```
+---
+- name: Vault post deployment config
+  any_errors_fatal: True
+  gather_facts: True
+  hosts: vault
+  tasks:
+    - name: Enable vault secrets engines
+      hashivault_secret_engine:
+        url: "https://sparrow.cf.ac.uk:8200"
+        token: "{{ secrets_vault_keys.root_token }}"
+        name: pki
+        backend: pki
+      run_once: True
+```
+
+Example vault unseal playbook based on Kayobe's secrets.yml
+```
+---
+- name: Unseal vault
+  any_errors_fatal: True
+  gather_facts: True
+  hosts: vault
+  tasks:
+    - name: Unseal vault
+      hashivault_unseal:
+        url: "https://sparrow.cf.ac.uk:8200"
+        keys: "{{ item }}"
+      run_once: True
+      with_items: "{{ secrets_vault_keys.unseal_keys_b64 }}"
+      no_log: True
+```
+
+NOTE: secrets_external_tls_cert/key are variables in Kayobe's secrets.yml

roles/vault/defaults/main.yml

@@ -0,0 +1,42 @@
+---
+consul_docker_name: "consul"
+consul_docker_image: "consul"
+consul_docker_tag: "latest"
+consul_docker_volume: "consul_data"
+
+vault_docker_name: "vault"
+vault_docker_image: "vault"
+vault_docker_tag: "latest"
+
+vault_cluster_name: ""
+vault_tls_key: ""
+vault_tls_cert: ""
+
+vault_config: >
+  {
+    "cluster_name": "{{ vault_cluster_name }}",
+    "ui": true,
+    "api_addr": "https://{{ vault_vip_url }}:8200",
+    "listener": [{
+      "tcp": {
+        "address": "{{ vault_bind_address }}:8200",
+        "tls_min_version": "tls12",
+        "tls_key_file": "/vault/config/tls.key",
+        "tls_cert_file": "/vault/config/tls.cert"
+      }
+    }],
+    "storage": {
+    "consul": {
+       "address": "127.0.0.1:8500",
+       "path": "vault/"
+      }
+    },
+    "telemetry": {
+      "prometheus_retention_time": "30s",
+      "disable_hostname": true
+    }
+  }
+
+consul_bind_interface: ""
+consul_bind_ip: "{{ hostvars[inventory_hostname]['ansible_'~consul_bind_interface].ipv4.address }}"
+consul_vip_address: ""

roles/vault/tasks/consul.yml

@@ -0,0 +1,25 @@
+---
+- name: Ensure consul_server container is running
+  docker_container:
+    name: "{{ consul_docker_name }}"
+    image: "{{ consul_docker_image }}:{{ consul_docker_tag }}"
+    network_mode: host
+    volumes:
+      - "{{ consul_docker_volume }}:/consul/data"
+    comparisons:
+      '*': strict
+    env:
+      CONSUL_BIND_INTERFACE: "{{ consul_bind_interface }}"
+      CONSUL_CLIENT_INTERFACE: "{{ consul_bind_interface }}"
+    command: >
+      consul agent
+      -bind "{{  hostvars[inventory_hostname]['ansible_'~consul_bind_interface].ipv4.address }}"
+      -data-dir /consul/data
+      -server
+      -bootstrap-expect "{{ groups['consul'] | length }}"
+      {% for host in groups['consul'] %}
+      {% if host != inventory_hostname %}
+      -retry-join "{{ hostvars[host]['ansible_'~consul_bind_interface].ipv4.address }}"
+      {% endif %}
+      {% endfor %}
+  become: True

roles/vault/tasks/main.yml

@@ -0,0 +1,4 @@
+---
+- import_tasks: prechecks.yml
+- import_tasks: consul.yml
+- import_tasks: vault.yml

roles/vault/tasks/prechecks.yml

@@ -0,0 +1,5 @@
+---
+- name: Check if consul_bind_interface is defined
+  fail:
+    msg: "ERROR: consul_bind_interface must be defined"
+  when: not consul_bind_interface

roles/vault/tasks/vault.yml

@@ -0,0 +1,36 @@
+---
+- name: Ensure vault container is running
+  docker_container:
+    name: "{{ vault_docker_name }}"
+    image: "{{ vault_docker_image }}:{{ vault_docker_tag }}"
+    network_mode: host
+    capabilities: IPC_LOCK
+    volumes:
+      - "{{ vault_config_dir }}:/vault/config"
+    comparisons:
+      '*': strict
+    env:
+      VAULT_LOCAL_CONFIG: "{{ vault_config | to_json }}"
+    command: >
+      server
+  become: True
+
+- name: Check if vault is initialized
+  uri:
+    url: "https://{{ vault_vip_url }}:8200/v1/sys/init"
+  register: vault_init_status
+  retries: 10
+
+- name: Initialize vault
+  command: "docker exec -e 'VAULT_ADDR=https://{{ vault_vip_url }}:8200' {{ vault_docker_name }} vault operator init -format yaml"
+  when: not vault_init_status.json.initialized
+  run_once: True
+  register: vault_init_output
+
+- name: Set fact
+  set_fact:
+    vault_keys: "{{ vault_init_output.stdout | from_yaml }}"
+
+- name: Print vault keys
+  debug:
+    var: vault_keys