diff options
| author | Andrew Austin <acaustin@summerpanic.com> | 2023-12-06 20:12:15 +0100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2023-12-06 20:12:15 +0100 |
| commit | 6aa2997dcec6516bbfab427fcbdb17474644d605 (patch) | |
| tree | 7569342eca7a0a29be06e2dc7e20449aee465605 | |
| parent | separate tox calls in readthedocs config (#14673) (diff) | |
| download | awx-6aa2997dcec6516bbfab427fcbdb17474644d605.tar.xz awx-6aa2997dcec6516bbfab427fcbdb17474644d605.zip | |
Add TLS certificate auth for HashiCorp Vault (#14534)
* Add TLS certificate auth for HashiCorp Vault
Add support for AWX to authenticate with HashiCorp Vault using
TLS client certificates.
Also updates the documentation for the HashiCorp Vault secret management
plugins to include both the new TLS options and the missing Kubernetes
auth method options.
Signed-off-by: Andrew Austin <aaustin@redhat.com>
* Refactor docker-compose vault for TLS cert auth
Add TLS configuration to the docker-compose Vault configuration and
use that method by default in vault plumbing.
This ensures that the result of bringing up the docker-compose stack
with vault enabled and running the plumb-vault playbook is a fully
working credential retrieval setup using TLS client cert authentication.
Signed-off-by: Andrew Austin <aaustin@redhat.com>
* Remove incorrect trailing space
Co-authored-by: Hao Liu <44379968+TheRealHaoLiu@users.noreply.github.com>
* Make vault init idempotent
- improve error handling for vault_initialization
- ignore error if vault cert auth is already configured
- removed unused register
* Add VAULT_TLS option
Make TLS for HashiCorp Vault optional and configurable via VAULT_TLS env var
* Add retries for vault init
Sometime it took longer for vault to fully come up and init will fail
---------
Signed-off-by: Andrew Austin <aaustin@redhat.com>
Co-authored-by: Hao Liu <44379968+TheRealHaoLiu@users.noreply.github.com>
Co-authored-by: Hao Liu <haoli@redhat.com>
14 files changed, 280 insertions, 20 deletions
@@ -43,6 +43,8 @@ PROMETHEUS ?= false GRAFANA ?= false # If set to true docker-compose will also start a hashicorp vault instance VAULT ?= false +# If set to true docker-compose will also start a hashicorp vault instance with TLS enabled +VAULT_TLS ?= false # If set to true docker-compose will also start a tacacs+ instance TACACS ?= false @@ -528,13 +530,15 @@ docker-compose-sources: .git/hooks/pre-commit -e enable_prometheus=$(PROMETHEUS) \ -e enable_grafana=$(GRAFANA) \ -e enable_vault=$(VAULT) \ + -e vault_tls=$(VAULT_TLS) \ -e enable_tacacs=$(TACACS) \ $(EXTRA_SOURCES_ANSIBLE_OPTS) docker-compose: awx/projects docker-compose-sources ansible-galaxy install --ignore-certs -r tools/docker-compose/ansible/requirements.yml; ansible-playbook -i tools/docker-compose/inventory tools/docker-compose/ansible/initialize_containers.yml \ - -e enable_vault=$(VAULT); + -e enable_vault=$(VAULT) \ + -e vault_tls=$(VAULT_TLS); $(DOCKER_COMPOSE) -f tools/docker-compose/_sources/docker-compose.yml $(COMPOSE_OPTS) up $(COMPOSE_UP_OPTS) --remove-orphans docker-compose-credential-plugins: awx/projects docker-compose-sources diff --git a/awx/main/credential_plugins/hashivault.py b/awx/main/credential_plugins/hashivault.py index ffd0de06fc..62aabade61 100644 --- a/awx/main/credential_plugins/hashivault.py +++ b/awx/main/credential_plugins/hashivault.py @@ -42,6 +42,34 @@ base_inputs = { 'help_text': _('The Secret ID for AppRole Authentication'), }, { + 'id': 'client_cert_public', + 'label': _('Client Certificate'), + 'type': 'string', + 'multiline': True, + 'help_text': _( + 'The PEM-encoded client certificate used for TLS client authentication.' + ' This should include the certificate and any intermediate certififcates.' + ), + }, + { + 'id': 'client_cert_private', + 'label': _('Client Certificate Key'), + 'type': 'string', + 'multiline': True, + 'secret': True, + 'help_text': _('The certificate private key used for TLS client authentication.'), + }, + { + 'id': 'client_cert_role', + 'label': _('TLS Authentication Role'), + 'type': 'string', + 'multiline': False, + 'help_text': _( + 'The role configured in Hashicorp Vault for TLS client authentication.' + ' If not provided, Hashicorp Vault may assign roles based on the certificate used.' + ), + }, + { 'id': 'namespace', 'label': _('Namespace name (Vault Enterprise only)'), 'type': 'string', @@ -164,8 +192,10 @@ def handle_auth(**kwargs): token = method_auth(**kwargs, auth_param=approle_auth(**kwargs)) elif kwargs.get('kubernetes_role'): token = method_auth(**kwargs, auth_param=kubernetes_auth(**kwargs)) + elif kwargs.get('client_cert_public') and kwargs.get('client_cert_private'): + token = method_auth(**kwargs, auth_param=client_cert_auth(**kwargs)) else: - raise Exception('Either token or AppRole/Kubernetes authentication parameters must be set') + raise Exception('Either a token or AppRole, Kubernetes, or TLS authentication parameters must be set') return token @@ -181,6 +211,10 @@ def kubernetes_auth(**kwargs): return {'role': kwargs['kubernetes_role'], 'jwt': jwt} +def client_cert_auth(**kwargs): + return {'name': kwargs.get('client_cert_role')} + + def method_auth(**kwargs): # get auth method specific params request_kwargs = {'json': kwargs['auth_param'], 'timeout': 30} @@ -193,13 +227,22 @@ def method_auth(**kwargs): cacert = kwargs.get('cacert', None) sess = requests.Session() + # Namespace support if kwargs.get('namespace'): sess.headers['X-Vault-Namespace'] = kwargs['namespace'] request_url = '/'.join([url, 'auth', auth_path, 'login']).rstrip('/') with CertFiles(cacert) as cert: request_kwargs['verify'] = cert - resp = sess.post(request_url, **request_kwargs) + # TLS client certificate support + if kwargs.get('client_cert_public') and kwargs.get('client_cert_private'): + # Add client cert to requests Session before making call + with CertFiles(kwargs['client_cert_public'], key=kwargs['client_cert_private']) as client_cert: + sess.cert = client_cert + resp = sess.post(request_url, **request_kwargs) + else: + # Make call without client certificate + resp = sess.post(request_url, **request_kwargs) resp.raise_for_status() token = resp.json()['auth']['client_token'] return token diff --git a/awx/main/tests/functional/test_credential_plugins.py b/awx/main/tests/functional/test_credential_plugins.py index 8cd2389255..9d199c31f5 100644 --- a/awx/main/tests/functional/test_credential_plugins.py +++ b/awx/main/tests/functional/test_credential_plugins.py @@ -40,6 +40,26 @@ def test_hashivault_kubernetes_auth(): assert res == expected_res +def test_hashivault_client_cert_auth_explicit_role(): + kwargs = { + 'client_cert_role': 'test-cert-1', + } + expected_res = { + 'name': 'test-cert-1', + } + res = hashivault.client_cert_auth(**kwargs) + assert res == expected_res + + +def test_hashivault_client_cert_auth_no_role(): + kwargs = {} + expected_res = { + 'name': None, + } + res = hashivault.client_cert_auth(**kwargs) + assert res == expected_res + + def test_hashivault_handle_auth_token(): kwargs = { 'token': 'the_token', @@ -73,6 +93,22 @@ def test_hashivault_handle_auth_kubernetes(): assert token == 'the_token' +def test_hashivault_handle_auth_client_cert(): + kwargs = { + 'client_cert_public': "foo", + 'client_cert_private': "bar", + 'client_cert_role': 'test-cert-1', + } + auth_params = { + 'name': 'test-cert-1', + } + with mock.patch.object(hashivault, 'method_auth') as method_mock: + method_mock.return_value = 'the_token' + token = hashivault.handle_auth(**kwargs) + method_mock.assert_called_with(**kwargs, auth_param=auth_params) + assert token == 'the_token' + + def test_hashivault_handle_auth_not_enough_args(): with pytest.raises(Exception): hashivault.handle_auth() diff --git a/docs/docsite/rst/userguide/credential_plugins.rst b/docs/docsite/rst/userguide/credential_plugins.rst index e222538746..9bd9655df8 100644 --- a/docs/docsite/rst/userguide/credential_plugins.rst +++ b/docs/docsite/rst/userguide/credential_plugins.rst @@ -265,10 +265,21 @@ When **HashiCorp Vault Secret Lookup** is selected for **Credential Type**, prov - **CA Certificate**: specify the CA certificate used to verify HashiCorp's server - **Approle Role_ID**: specify the ID for Approle authentication - **Approle Secret_ID**: specify the corresponding secret ID for Approle authentication -- **Path to Approle Auth**: specify a path if other than the default path of ``/approle`` +- **Client Certificate**: specify a PEM-encoded client certificate when using the TLS auth method including any required intermediate certificates expected by Vault +- **Client Certificate Key**: specify a PEM-encoded certificate private key when using the TLS auth method +- **TLS Authentication Role**: specify the role or certificate name in Vault that corresponds to your client certificate when using the TLS auth method. If it is not provided, Vault will attempt to match the certificate automatically +- **Namespace name** specify the namespace name (Vault Enterprise only) +- **Kubernetes role** specify the role name when using Kubernetes authentication +- **Path to Auth**: specify a path if other than the default path of ``/approle`` - **API Version** (required): select v1 for static lookups and v2 for versioned lookups -For more detail about Approle and its fields, refer to the `Vault documentation for Approle Auth Method <https://www.vaultproject.io/docs/auth/approle>`_. Below shows an example of a configured HashiCorp Vault Secret Lookup credential. +For more detail about the Approle auth method and its fields, refer to the `Vault documentation for Approle Auth Method <https://www.vaultproject.io/docs/auth/approle>`_. + +For more detail about the Kubernetes auth method and its fields, refer to the `Vault documentation for Kubernetes auth method <https://developer.hashicorp.com/vault/docs/auth/kubernetes>` _. + +For more detail about the TLS certificate auth method and its fields, refer to the `Vault documentation for TLS certificates auth method <https://developer.hashicorp.com/vault/docs/auth/cert>` _. + +Below shows an example of a configured HashiCorp Vault Secret Lookup credential. .. image:: ../common/images/credentials-create-hashicorp-kv-credential.png :alt: Example new HashiCorp Vault Secret lookup dialog @@ -288,9 +299,18 @@ When **HashiCorp Vault Signed SSH** is selected for **Credential Type**, provide - **CA Certificate**: specify the CA certificate used to verify HashiCorp's server - **Approle Role_ID**: specify the ID for Approle authentication - **Approle Secret_ID**: specify the corresponding secret ID for Approle authentication -- **Path to Approle Auth**: specify a path if other than the default path of ``/approle`` +- **Client Certificate**: specify a PEM-encoded client certificate when using the TLS auth method including any required intermediate certificates expected by Vault +- **Client Certificate Key**: specify a PEM-encoded certificate private key when using the TLS auth method +- **TLS Authentication Role**: specify the role or certificate name in Vault that corresponds to your client certificate when using the TLS auth method. If it is not provided, Vault will attempt to match the certificate automatically +- **Namespace name** specify the namespace name (Vault Enterprise only) +- **Kubernetes role** specify the role name when using Kubernetes authentication +- **Path to Auth**: specify a path if other than the default path of ``/approle`` + +For more detail about the Approle auth method and its fields, refer to the `Vault documentation for Approle Auth Method <https://www.vaultproject.io/docs/auth/approle>`_. + +For more detail about the Kubernetes auth method and its fields, refer to the `Vault documentation for Kubernetes auth method <https://developer.hashicorp.com/vault/docs/auth/kubernetes>` _. -For more detail about Approle and its fields, refer to the `Vault documentation for Approle Auth Method <https://www.vaultproject.io/docs/auth/approle>`_. +For more detail about the TLS certificate auth method and its fields, refer to the `Vault documentation for TLS certificates auth method <https://developer.hashicorp.com/vault/docs/auth/cert>` _. Below shows an example of a configured HashiCorp SSH Secrets Engine credential. diff --git a/tools/docker-compose/ansible/plumb_vault.yml b/tools/docker-compose/ansible/plumb_vault.yml index a9cadf1554..b6db6aaeaa 100644 --- a/tools/docker-compose/ansible/plumb_vault.yml +++ b/tools/docker-compose/ansible/plumb_vault.yml @@ -2,6 +2,8 @@ - name: Plumb AWX for Vault hosts: localhost gather_facts: False + vars: + awx_host: "https://127.0.0.1:8043" tasks: - include_role: name: vault diff --git a/tools/docker-compose/ansible/roles/sources/defaults/main.yml b/tools/docker-compose/ansible/roles/sources/defaults/main.yml index b918104c6a..94e0a8f31d 100644 --- a/tools/docker-compose/ansible/roles/sources/defaults/main.yml +++ b/tools/docker-compose/ansible/roles/sources/defaults/main.yml @@ -30,6 +30,24 @@ ldap_public_key_file: '{{ ldap_cert_dir }}/{{ ldap_public_key_file_name }}' ldap_private_key_file: '{{ ldap_cert_dir }}/{{ ldap_private_key_file_name }}' ldap_cert_subject: "/C=US/ST=NC/L=Durham/O=awx/CN=" +# Hashicorp Vault +enable_vault: false +vault_tls: false +hashivault_cert_dir: '{{ sources_dest }}/vault_certs' +hashivault_server_cert_subject: "/C=US/ST=NC/L=Durham/O=awx/CN=tools-vault-1" +hashivault_server_cert_extensions: + - "subjectAltName = DNS:tools_vault_1, DNS:localhost" + - "keyUsage = digitalSignature, nonRepudiation" + - "extendedKeyUsage = serverAuth" +hashivault_client_cert_extensions: + - "subjectAltName = DNS:awx-vault-client" + - "keyUsage = digitalSignature, nonRepudiation" + - "extendedKeyUsage = serverAuth, clientAuth" +hashivault_client_cert_subject: "/C=US/ST=NC/L=Durham/O=awx/CN=awx-vault-client" +hashivault_server_public_keyfile: '{{ hashivault_cert_dir }}/server.crt' +hashivault_server_private_keyfile: '{{ hashivault_cert_dir }}/server.key' +hashivault_client_public_keyfile: '{{ hashivault_cert_dir }}/client.crt' +hashivault_client_private_keyfile: '{{ hashivault_cert_dir }}/client.key' # Metrics enable_splunk: false enable_grafana: false diff --git a/tools/docker-compose/ansible/roles/sources/tasks/main.yml b/tools/docker-compose/ansible/roles/sources/tasks/main.yml index c684a9f10c..def04456ed 100644 --- a/tools/docker-compose/ansible/roles/sources/tasks/main.yml +++ b/tools/docker-compose/ansible/roles/sources/tasks/main.yml @@ -101,6 +101,10 @@ include_tasks: ldap.yml when: enable_ldap | bool +- name: Include vault TLS tasks if enabled + include_tasks: vault_tls.yml + when: enable_vault | bool + - name: Render Docker-Compose template: src: docker-compose.yml.j2 diff --git a/tools/docker-compose/ansible/roles/sources/tasks/vault_tls.yml b/tools/docker-compose/ansible/roles/sources/tasks/vault_tls.yml new file mode 100644 index 0000000000..5b669afbf3 --- /dev/null +++ b/tools/docker-compose/ansible/roles/sources/tasks/vault_tls.yml @@ -0,0 +1,31 @@ +--- +- name: Create Certificates for HashiCorp Vault + block: + - name: Create Hashicorp Vault cert directory + file: + path: "{{ hashivault_cert_dir }}" + state: directory + + - name: Generate vault server certificate + command: 'openssl req -new -newkey rsa:2048 -x509 -days 365 -nodes -out {{ hashivault_server_public_keyfile }} -keyout {{ hashivault_server_private_keyfile }} -subj "{{ hashivault_server_cert_subject }}"{% for ext in hashivault_server_cert_extensions %} -addext "{{ ext }}"{% endfor %}' + args: + creates: "{{ hashivault_server_public_keyfile }}" + + - name: Generate vault test client certificate + command: 'openssl req -new -newkey rsa:2048 -x509 -days 365 -nodes -out {{ hashivault_client_public_keyfile }} -keyout {{ hashivault_client_private_keyfile }} -subj "{{ hashivault_client_cert_subject }}"{% for ext in hashivault_client_cert_extensions %} -addext "{{ ext }}"{% endfor %}' + args: + creates: "{{ hashivault_client_public_keyfile }}" + + - name: Set mode for vault certificates + ansible.builtin.file: + path: "{{ hashivault_cert_dir }}" + recurse: true + state: directory + mode: 0777 + when: vault_tls | bool + +- name: Delete Certificates for HashiCorp Vault + file: + path: "{{ hashivault_cert_dir }}" + state: absent + when: vault_tls | bool == false diff --git a/tools/docker-compose/ansible/roles/sources/templates/docker-compose.yml.j2 b/tools/docker-compose/ansible/roles/sources/templates/docker-compose.yml.j2 index e1942d0d37..1ffb052f8a 100644 --- a/tools/docker-compose/ansible/roles/sources/templates/docker-compose.yml.j2 +++ b/tools/docker-compose/ansible/roles/sources/templates/docker-compose.yml.j2 @@ -252,7 +252,7 @@ services: privileged: true {% endfor %} {% endif %} -{% if enable_vault|bool %} +{% if enable_vault | bool %} vault: image: hashicorp/vault:1.14 container_name: tools_vault_1 @@ -261,10 +261,17 @@ services: ports: - "1234:1234" environment: +{% if vault_tls | bool %} + VAULT_LOCAL_CONFIG: '{"storage": {"file": {"path": "/vault/file"}}, "listener": [{"tcp": { "address": "0.0.0.0:1234", "tls_disable": false, "tls_cert_file": "/vault/tls/server.crt", "tls_key_file": "/vault/tls/server.key"}}], "default_lease_ttl": "168h", "max_lease_ttl": "720h", "ui": true}' +{% else %} VAULT_LOCAL_CONFIG: '{"storage": {"file": {"path": "/vault/file"}}, "listener": [{"tcp": { "address": "0.0.0.0:1234", "tls_disable": true}}], "default_lease_ttl": "168h", "max_lease_ttl": "720h", "ui": true}' +{% endif %} cap_add: - IPC_LOCK volumes: +{% if vault_tls | bool %} + - '../../docker-compose/_sources/vault_certs:/vault/tls' +{% endif %} - 'hashicorp_vault_data:/vault/file' {% endif %} diff --git a/tools/docker-compose/ansible/roles/vault/defaults/main.yml b/tools/docker-compose/ansible/roles/vault/defaults/main.yml index 7aac7ecf60..f535e16ad6 100644 --- a/tools/docker-compose/ansible/roles/vault/defaults/main.yml +++ b/tools/docker-compose/ansible/roles/vault/defaults/main.yml @@ -1,2 +1,7 @@ --- vault_file: "{{ sources_dest }}/secrets/vault_init.yml" +admin_password_file: "{{ sources_dest }}/secrets/admin_password.yml" +vault_cert_dir: '{{ sources_dest }}/vault_certs' +vault_server_cert: "{{ vault_cert_dir }}/server.crt" +vault_client_cert: "{{ vault_cert_dir }}/client.crt" +vault_client_key: "{{ vault_cert_dir }}/client.key" diff --git a/tools/docker-compose/ansible/roles/vault/tasks/initialize.yml b/tools/docker-compose/ansible/roles/vault/tasks/initialize.yml index 2576376133..0d4ab8e3d3 100644 --- a/tools/docker-compose/ansible/roles/vault/tasks/initialize.yml +++ b/tools/docker-compose/ansible/roles/vault/tasks/initialize.yml @@ -1,4 +1,7 @@ --- +- name: Set vault_addr + include_tasks: set_vault_addr.yml + - block: - name: Start the vault community.docker.docker_compose: @@ -12,9 +15,16 @@ command: vault operator init container: tools_vault_1 env: - VAULT_ADDR: "http://127.0.0.1:1234" + VAULT_ADDR: "{{ vault_addr }}" + VAULT_SKIP_VERIFY: "true" register: vault_initialization - ignore_errors: true + failed_when: + - vault_initialization.rc != 0 + - vault_initialization.stderr.find("Vault is already initialized") == -1 + changed_when: + - vault_initialization.rc == 0 + retries: 5 + delay: 5 - name: Write out initialization file copy: @@ -34,21 +44,52 @@ name: vault tasks_from: unseal.yml + - name: Configure the vault with cert auth + block: + - name: Create a cert auth mount + flowerysong.hvault.write: + path: "sys/auth/cert" + vault_addr: "{{ vault_addr_from_host }}" + validate_certs: false + token: "{{ Initial_Root_Token }}" + data: + type: "cert" + register: vault_auth_cert + failed_when: + - vault_auth_cert.result.errors | default([]) | length > 0 + - "'path is already in use at cert/' not in vault_auth_cert.result.errors | default([])" + changed_when: + - vault_auth_cert.result.errors | default([]) | length == 0 + + - name: Configure client certificate + flowerysong.hvault.write: + path: "auth/cert/certs/awx-client" + vault_addr: "{{ vault_addr_from_host }}" + validate_certs: false + token: "{{ Initial_Root_Token }}" + data: + name: awx-client + certificate: "{{ lookup('ansible.builtin.file', '{{ vault_client_cert }}') }}" + policies: + - root + when: vault_tls | bool + - name: Create an engine flowerysong.hvault.engine: path: "my_engine" type: "kv" - vault_addr: "http://localhost:1234" + vault_addr: "{{ vault_addr_from_host }}" + validate_certs: false token: "{{ Initial_Root_Token }}" - register: engine - - name: Create a secret + - name: Create a demo secret flowerysong.hvault.kv: mount_point: "my_engine/my_root" key: "my_folder" value: my_key: "this_is_the_secret_value" - vault_addr: "http://localhost:1234" + vault_addr: "{{ vault_addr_from_host }}" + validate_certs: false token: "{{ Initial_Root_Token }}" always: diff --git a/tools/docker-compose/ansible/roles/vault/tasks/plumb.yml b/tools/docker-compose/ansible/roles/vault/tasks/plumb.yml index 8690050f74..1e804fb672 100644 --- a/tools/docker-compose/ansible/roles/vault/tasks/plumb.yml +++ b/tools/docker-compose/ansible/roles/vault/tasks/plumb.yml @@ -1,29 +1,45 @@ --- +- name: Set vault_addr + include_tasks: set_vault_addr.yml + - name: Load vault keys include_vars: file: "{{ vault_file }}" +- name: Get AWX admin password + include_vars: + file: "{{ admin_password_file }}" + - name: Create a HashiCorp Vault Credential awx.awx.credential: credential_type: HashiCorp Vault Secret Lookup name: Vault Lookup Cred organization: Default + controller_host: "{{ awx_host }}" + controller_username: admin + controller_password: "{{ admin_password }}" + validate_certs: false inputs: api_version: "v1" - cacert: "" - default_auth_path: "approle" + cacert: "{{ lookup('ansible.builtin.file', '{{ vault_server_cert }}', errors='ignore') }}" + default_auth_path: "cert" kubernetes_role: "" namespace: "" - role_id: "" - secret_id: "" + client_cert_public: "{{ lookup('ansible.builtin.file', '{{ vault_client_cert }}', errors='ignore') }}" + client_cert_private: "{{ lookup('ansible.builtin.file', '{{ vault_client_key }}', errors='ignore') }}" token: "{{ Initial_Root_Token }}" - url: "http://tools_vault_1:1234" + url: "{{ vault_addr_from_container }}" register: vault_cred - name: Create a custom credential type awx.awx.credential_type: name: Vault Custom Cred Type kind: cloud + controller_host: "{{ awx_host }}" + controller_username: admin + controller_password: "{{ admin_password }}" + + validate_certs: false injectors: extra_vars: the_secret_from_vault: "{{ '{{' }} password {{ '}}' }}" @@ -38,6 +54,11 @@ - name: Create a credential of the custom type awx.awx.credential: credential_type: "{{ custom_vault_cred_type.id }}" + controller_host: "{{ awx_host }}" + controller_username: admin + controller_password: "{{ admin_password }}" + + validate_certs: false name: Credential From Vault inputs: {} organization: Default @@ -48,6 +69,11 @@ input_field_name: password target_credential: "{{ custom_credential.id }}" source_credential: "{{ vault_cred.id }}" + controller_host: "{{ awx_host }}" + controller_username: admin + controller_password: "{{ admin_password }}" + + validate_certs: false metadata: auth_path: "" secret_backend: "my_engine" diff --git a/tools/docker-compose/ansible/roles/vault/tasks/set_vault_addr.yml b/tools/docker-compose/ansible/roles/vault/tasks/set_vault_addr.yml new file mode 100644 index 0000000000..88910db40a --- /dev/null +++ b/tools/docker-compose/ansible/roles/vault/tasks/set_vault_addr.yml @@ -0,0 +1,19 @@ +--- +- name: Detect if vault cert directory exist + stat: + path: "{{ vault_cert_dir }}" + register: vault_cert_dir_stat + +- name: Set vault_addr for http + set_fact: + vault_addr: "http://127.0.0.1:1234" + vault_addr_from_host: "http://localhost:1234" + vault_addr_from_container: "http://tools_vault_1:1234" + when: vault_cert_dir_stat.stat.exists == false + +- name: Set vault_addr for https + set_fact: + vault_addr: "https://127.0.0.1:1234" + vault_addr_from_host: "https://localhost:1234" + vault_addr_from_container: "https://tools_vault_1:1234" + when: vault_cert_dir_stat.stat.exists == true diff --git a/tools/docker-compose/ansible/roles/vault/tasks/unseal.yml b/tools/docker-compose/ansible/roles/vault/tasks/unseal.yml index e0cb3c4a2a..e34ca632bc 100644 --- a/tools/docker-compose/ansible/roles/vault/tasks/unseal.yml +++ b/tools/docker-compose/ansible/roles/vault/tasks/unseal.yml @@ -1,11 +1,15 @@ --- +- name: Set vault_addr + include_tasks: set_vault_addr.yml + - name: Load vault keys include_vars: file: "{{ vault_file }}" - name: Unseal the vault flowerysong.hvault.seal: - vault_addr: "http://localhost:1234" + vault_addr: "{{ vault_addr_from_host }}" + validate_certs: false state: unsealed key: "{{ item }}" loop: |