diff options
author | pmikus <pmikus@cisco.com> | 2021-05-18 13:30:08 +0000 |
---|---|---|
committer | Peter Mikus <pmikus@cisco.com> | 2021-08-09 11:51:31 +0000 |
commit | 73440ab332c51eb11405767d320bc496d9ebdbe7 (patch) | |
tree | 003e06b7ab75c311009516a9872e77fdb00e47a8 /fdio.infra.ansible | |
parent | bbfe9b5ba82a3998687909a833c2646bccbb6aa6 (diff) |
Infra: Vault
Signed-off-by: pmikus <pmikus@cisco.com>
Change-Id: Ia6e728f98d20144c3771405b32933a77fe15b19b
Diffstat (limited to 'fdio.infra.ansible')
9 files changed, 489 insertions, 0 deletions
diff --git a/fdio.infra.ansible/roles/vault/defaults/main.yaml b/fdio.infra.ansible/roles/vault/defaults/main.yaml new file mode 100644 index 0000000000..232dc40694 --- /dev/null +++ b/fdio.infra.ansible/roles/vault/defaults/main.yaml @@ -0,0 +1,159 @@ +--- +# file: roles/vault/defaults/main.yaml + +# Inst - Prerequisites. +packages: "{{ packages_base + packages_by_distro[ansible_distribution | lower] + packages_by_arch[ansible_machine] }}" +packages_base: + - "curl" + - "unzip" +packages_by_distro: + ubuntu: + - [] +packages_by_arch: + aarch64: + - [] + x86_64: + - [] + +# Inst - Vault Map. +vault_version: "1.8.1" +vault_architecture_map: + amd64: "amd64" + x86_64: "amd64" + armv7l: "arm" + aarch64: "arm64" + 32-bit: "386" + 64-bit: "amd64" +vault_architecture: "{{ vault_architecture_map[ansible_architecture] }}" +vault_os: "{{ ansible_system|lower }}" +vault_pkg: "vault_{{ vault_version }}_{{ vault_os }}_{{ vault_architecture }}.zip" +vault_zip_url: "https://releases.hashicorp.com/vault/{{ vault_version }}/{{ vault_pkg }}" + +# Conf - Service. +vault_node_role: "server" +vault_restart_handler_state: "restarted" +vault_systemd_service_name: "vault" + +# Inst - System paths. +vault_bin_dir: "/usr/local/bin" +vault_config_dir: "/etc/vault.d" +vault_data_dir: "/var/vault" +vault_inst_dir: "/opt" +vault_run_dir: "/var/run/vault" +vault_ssl_dir: "/etc/vault.d/ssl" + +# Conf - User and group. +vault_group: "vault" +vault_group_state: "present" +vault_user: "vault" +vault_user_state: "present" + +# Conf - Main +vault_group_name: "vault_instances" +vault_cluster_name: "yul1" +vault_datacenter: "yul1" +vault_log_level: "{{ lookup('env','VAULT_LOG_LEVEL') | default('info', true) }}" +vault_iface: "{{ lookup('env','VAULT_IFACE') | default(ansible_default_ipv4.interface, true) }}" +vault_address: "{{ hostvars[inventory_hostname]['ansible_'+vault_iface]['ipv4']['address'] }}" +vault_ui: "{{ lookup('env', 'VAULT_UI') | default(true, true) }}" +vault_port: 8200 +vault_use_config_path: false +vault_main_config: "{{ vault_config_dir }}/vault_main.hcl" +vault_main_configuration_template: "vault_main_configuration.hcl.j2" +vault_listener_localhost_enable: false +vault_http_proxy: "" +vault_https_proxy: "" +vault_no_proxy: "" + +# Conf - Listeners +vault_tcp_listeners: + - vault_address: "{{ vault_address }}" + vault_port: "{{ vault_port }}" + vault_cluster_address: "{{ vault_cluster_address }}" + vault_tls_disable: "{{ vault_tls_disable }}" + vault_tls_config_path: "{{ vault_tls_config_path }}" + vault_tls_cert_file: "{{ vault_tls_cert_file }}" + vault_tls_key_file: "{{ vault_tls_key_file }}" + vault_tls_ca_file: "{{ vault_tls_ca_file }}" + vault_tls_min_version: "{{ vault_tls_min_version }}" + vault_tls_cipher_suites: "{{ vault_tls_cipher_suites }}" + vault_tls_prefer_server_cipher_suites: "{{ vault_tls_prefer_server_cipher_suites }}" + vault_tls_require_and_verify_client_cert: "{{ vault_tls_require_and_verify_client_cert }}" + vault_tls_disable_client_certs: "{{ vault_tls_disable_client_certs }}" + vault_disable_mlock: true + +# Conf - Backend +vault_backend_consul: "vault_backend_consul.j2" +vault_backend_file: "vault_backend_file.j2" +vault_backend_raft: "vault_backend_raft.j2" +vault_backend_etcd: "vault_backend_etcd.j2" +vault_backend_s3: "vault_backend_s3.j2" +vault_backend_dynamodb: "vault_backend_dynamodb.j2" +vault_backend_mysql: "vault_backend_mysql.j2" +vault_backend_gcs: "vault_backend_gcs.j2" + +vault_cluster_disable: false +vault_cluster_address: "{{ hostvars[inventory_hostname]['ansible_'+vault_iface]['ipv4']['address'] }}:{{ (vault_port | int) + 1}}" +vault_cluster_addr: "{{ vault_protocol }}://{{ vault_cluster_address }}" +vault_api_addr: "{{ vault_protocol }}://{{ vault_redirect_address | default(hostvars[inventory_hostname]['ansible_'+vault_iface]['ipv4']['address']) }}:{{ vault_port }}" + +vault_max_lease_ttl: "768h" +vault_default_lease_ttl: "768h" + +vault_backend_tls_src_files: "{{ vault_tls_src_files }}" +vault_backend_tls_config_path: "{{ vault_tls_config_path }}" +vault_backend_tls_cert_file: "{{ vault_tls_cert_file }}" +vault_backend_tls_key_file: "{{ vault_tls_key_file }}" +vault_backend_tls_ca_file: "{{ vault_tls_ca_file }}" + +vault_consul: "127.0.0.1:8500" +vault_consul_path: "vault" +vault_consul_service: "vault" +vault_consul_scheme: "http" + +vault_backend: "consul" + +# Conf - Service registration +vault_service_registration_consul_enable: true +vault_service_registration_consul_template: "vault_service_registration_consul.hcl.j2" +vault_service_registration_consul_check_timeout: "5s" +vault_service_registration_consul_address: "127.0.0.1:8500" +vault_service_registration_consul_service: "vault" +vault_service_registration_consul_service_tags: "" +vault_service_registration_consul_service_address: +vault_service_registration_consul_disable_registration: false +vault_service_registration_consul_scheme: "http" + +vault_service_registration_consul_tls_config_path: "{{ vault_tls_config_path }}" +vault_service_registration_consul_tls_cert_file: "{{ vault_tls_cert_file }}" +vault_service_registration_consul_tls_key_file: "{{ vault_tls_key_file }}" +vault_service_registration_consul_tls_ca_file: "{{ vault_tls_ca_file }}" +vault_service_registration_consul_tls_min_version: "{{ vault_tls_min_version }}" +vault_service_registration_consul_tls_skip_verify: false + +# Conf - Telemetry +vault_telemetry_enabled: true +vault_telemetry_disable_hostname: false +vault_prometheus_retention_time: 30s + +# Conf - TLS +validate_certs_during_api_reachable_check: true + +vault_tls_config_path: "{{ lookup('env','VAULT_TLS_DIR') | default('/etc/vault/tls', true) }}" +vault_tls_src_files: "{{ lookup('env','VAULT_TLS_SRC_FILES') | default(role_path+'/files', true) }}" + +vault_tls_disable: "{{ lookup('env','VAULT_TLS_DISABLE') | default(1, true) }}" +vault_tls_gossip: "{{ lookup('env','VAULT_TLS_GOSSIP') | default(0, true) }}" + +vault_tls_copy_keys: true +vault_protocol: "{% if vault_tls_disable %}http{% else %}https{% endif %}" +vault_tls_cert_file: "{{ lookup('env','VAULT_TLS_CERT_FILE') | default('server.crt', true) }}" +vault_tls_key_file: "{{ lookup('env','VAULT_TLS_KEY_FILE') | default('server.key', true) }}" +vault_tls_ca_file: "{{ lookup('env','VAULT_TLS_CA_CRT') | default('ca.crt', true) }}" + +vault_tls_min_version: "{{ lookup('env','VAULT_TLS_MIN_VERSION') | default('tls12', true) }}" +vault_tls_cipher_suites: "" +vault_tls_prefer_server_cipher_suites: "{{ lookup('env','VAULT_TLS_PREFER_SERVER_CIPHER_SUITES') | default('false', true) }}" +vault_tls_files_remote_src: false +vault_tls_require_and_verify_client_cert: false +vault_tls_disable_client_certs: false
\ No newline at end of file diff --git a/fdio.infra.ansible/roles/vault/handlers/main.yaml b/fdio.infra.ansible/roles/vault/handlers/main.yaml new file mode 100644 index 0000000000..35841c7bc3 --- /dev/null +++ b/fdio.infra.ansible/roles/vault/handlers/main.yaml @@ -0,0 +1,9 @@ +--- +# file roles/vault/handlers/main.yaml + +- name: Restart Vault + systemd: + daemon_reload: true + enabled: true + name: "{{ vault_systemd_service_name }}" + state: "{{ vault_restart_handler_state }}" diff --git a/fdio.infra.ansible/roles/vault/meta/main.yaml b/fdio.infra.ansible/roles/vault/meta/main.yaml new file mode 100644 index 0000000000..b97486a6e7 --- /dev/null +++ b/fdio.infra.ansible/roles/vault/meta/main.yaml @@ -0,0 +1,23 @@ +--- +# file: roles/vault/meta/main.yaml + +# desc: Install vault from repo and configure service. +# inst: Vault +# conf: ? +# info: 1.0 - added role + +dependencies: [ ] + +galaxy_info: + role_name: vault + author: fd.io + description: Hashicorp Vault. + company: none + license: "license (Apache)" + min_ansible_version: 2.9 + platforms: + - name: Ubuntu + versions: + - focal + galaxy_tags: + - vault diff --git a/fdio.infra.ansible/roles/vault/tasks/main.yaml b/fdio.infra.ansible/roles/vault/tasks/main.yaml new file mode 100644 index 0000000000..8b9e3bf76f --- /dev/null +++ b/fdio.infra.ansible/roles/vault/tasks/main.yaml @@ -0,0 +1,133 @@ +--- +# file: roles/vault/tasks/main.yaml + +- name: Inst - Update Package Cache (APT) + apt: + update_cache: true + cache_valid_time: 3600 + when: + - ansible_distribution|lower == 'ubuntu' + tags: + - vault-inst-prerequisites + +- name: Inst - Prerequisites + package: + name: "{{ packages | flatten(levels=1) }}" + state: latest + tags: + - vault-inst-prerequisites + +- name: Conf - Add Vault Group + group: + name: "{{ vault_group }}" + state: "{{ vault_user_state }}" + tags: + - vault-conf-user + +- name: Conf - Add Vault user + user: + name: "{{ vault_user }}" + group: "{{ vault_group }}" + state: "{{ vault_group_state }}" + system: true + tags: + - vault-conf-user + +- name: Inst - Clean Vault + file: + path: "{{ vault_inst_dir }}/vault" + state: "absent" + tags: + - vault-inst-package + +- name: Inst - Download Vault + get_url: + url: "{{ vault_zip_url }}" + dest: "{{ vault_inst_dir }}/{{ vault_pkg }}" + tags: + - vault-inst-package + +- name: Inst - Unarchive Vault + unarchive: + src: "{{ vault_inst_dir }}/{{ vault_pkg }}" + dest: "{{ vault_inst_dir }}/" + creates: "{{ vault_inst_dir }}/vault" + remote_src: true + tags: + - vault-inst-package + +- name: Inst - Vault + copy: + src: "{{ vault_inst_dir }}/vault" + dest: "{{ vault_bin_dir }}" + owner: "{{ vault_user }}" + group: "{{ vault_group }}" + force: true + mode: 0755 + remote_src: true + tags: + - vault-inst-package + +- name: Inst - Check Vault mlock capability + command: "setcap cap_ipc_lock=+ep {{ vault_bin_dir }}/vault" + changed_when: false # read-only task + ignore_errors: true + register: vault_mlock_capability + tags: + - vault-inst-package + +- name: Inst - Enable non root mlock capability + command: "setcap cap_ipc_lock=+ep {{ vault_bin_dir }}/vault" + when: vault_mlock_capability is failed + tags: + - vault-inst-package + +- name: Conf - Create directories + file: + dest: "{{ item }}" + state: directory + owner: "{{ vault_user }}" + group: "{{ vault_group }}" + mode: 0750 + with_items: + - "{{ vault_data_dir }}" + - "{{ vault_config_dir }}" + - "{{ vault_ssl_dir }}" + tags: + - vault-conf + +- name: Conf - Vault main configuration + template: + src: "{{ vault_main_configuration_template }}" + dest: "{{ vault_main_config }}" + owner: "{{ vault_user }}" + group: "{{ vault_group }}" + mode: 0400 + tags: + - vault-conf + +#- name: Conf - Copy Certificates And Keys +# copy: +# content: "{{ item.src }}" +# dest: "{{ item.dest }}" +# owner: "{{ vault_user }}" +# group: "{{ vault_group }}" +# mode: 0600 +# no_log: true +# loop: "{{ vault_certificates | flatten(levels=1) }}" +# tags: +# - vault-conf + +- name: Conf - System.d Script + template: + src: "vault_systemd.service.j2" + dest: "/lib/systemd/system/vault.service" + owner: "root" + group: "root" + mode: 0644 + notify: + - "Restart Vault" + tags: + - vault-conf + +- meta: flush_handlers diff --git a/fdio.infra.ansible/roles/vault/templates/vault_backend_consul.j2 b/fdio.infra.ansible/roles/vault/templates/vault_backend_consul.j2 new file mode 100644 index 0000000000..c45498af90 --- /dev/null +++ b/fdio.infra.ansible/roles/vault/templates/vault_backend_consul.j2 @@ -0,0 +1,15 @@ +backend "consul" { + address = "{{ vault_consul }}" + path = "{{ vault_consul_path }}" + service = "{{ vault_consul_service }}" + {% if vault_consul_token is defined and vault_consul_token -%} + token = "{{ vault_consul_token }}" + {% endif -%} + scheme = "{{ vault_consul_scheme }}" + {% if vault_tls_gossip | bool -%} + tls_cert_file = "{{ vault_backend_tls_config_path }}/{{ vault_backend_tls_cert_file }}" + tls_key_file = "{{ vault_backend_tls_config_path }}/{{ vault_backend_tls_key_file }}" + tls_ca_file="{{ vault_backend_tls_config_path }}/{{ vault_backend_tls_ca_file }}" + {% endif %} + +}
\ No newline at end of file diff --git a/fdio.infra.ansible/roles/vault/templates/vault_main_configuration.hcl.j2 b/fdio.infra.ansible/roles/vault/templates/vault_main_configuration.hcl.j2 new file mode 100644 index 0000000000..dec4fff8d9 --- /dev/null +++ b/fdio.infra.ansible/roles/vault/templates/vault_main_configuration.hcl.j2 @@ -0,0 +1,93 @@ +cluster_name = "{{ vault_cluster_name }}" +max_lease_ttl = "{{ vault_max_lease_ttl }}" +default_lease_ttl = "{{ vault_default_lease_ttl }}" + +disable_clustering = "{{ vault_cluster_disable | bool | lower }}" +cluster_addr = "{{ vault_cluster_addr }}" +api_addr = "{{ vault_api_addr }}" + +{% for l in vault_tcp_listeners %} +listener "tcp" { + address = "{{ l.vault_address }}:{{ l.vault_port }}" + cluster_address = "{{ l.vault_cluster_address }}" + {% if (l.vault_proxy_protocol_behavior is defined and l.vault_proxy_protocol_behavior) -%} + proxy_protocol_behavior = "{{ l.vault_proxy_protocol_behavior }}" + {% if (l.vault_proxy_protocol_authorized_addrs is defined) -%} + proxy_protocol_authorized_addrs = "{{ l.vault_proxy_protocol_authorized_addrs }}" + {% endif -%} + {% endif -%} + {% if not (l.vault_tls_disable | bool) -%} + tls_cert_file = "{{ l.vault_tls_config_path }}/{{ l.vault_tls_cert_file }}" + tls_key_file = "{{ l.vault_tls_config_path }}/{{ l.vault_tls_key_file }}" + tls_client_ca_file="{{ l.vault_tls_config_path }}/{{ l.vault_tls_ca_file }}" + tls_min_version = "{{ l.vault_tls_min_version }}" + {% if vault_tls_cipher_suites is defined and vault_tls_cipher_suites -%} + tls_cipher_suites = "{{ l.vault_tls_cipher_suites}}" + {% endif -%} + tls_prefer_server_cipher_suites = "{{ l.vault_tls_prefer_server_cipher_suites }}" + {% if (l.vault_tls_require_and_verify_client_cert | bool) -%} + tls_require_and_verify_client_cert = "{{ l.vault_tls_require_and_verify_client_cert | bool | lower}}" + {% endif -%} + {% if (l.vault_tls_disable_client_certs | bool) -%} + tls_disable_client_certs = "{{ l.vault_tls_disable_client_certs | bool | lower}}" + {% endif -%} + {% endif -%} + tls_disable = "{{ l.vault_tls_disable | bool | lower }}" +} +{% endfor %} + +{% if (vault_listener_localhost_enable | bool) -%} +listener "tcp" { + address = "127.0.0.1:{{ vault_port }}" + cluster_address = "127.0.0.1:8201" + tls_disable = "true" +} +{% endif -%} + +{# + Select which storage backend you want generated and placed + in the vault configuration file. +#} +{%- if vault_backend == 'consul' -%} + {% include vault_backend_consul with context %} +{% elif vault_backend == 'etcd' -%} + {% include vault_backend_etcd with context %} +{% elif vault_backend == 'file' -%} + {% include vault_backend_file with context %} +{% elif vault_backend == 's3' -%} + {% include vault_backend_s3 with context %} +{% elif vault_backend == 'dynamodb' -%} + {% include vault_backend_dynamodb with context %} +{% elif vault_backend == 'mysql' -%} + {% include vault_backend_mysql with context %} +{% elif vault_backend == 'gcs' -%} + {% include vault_backend_gcs with context %} +{% elif vault_backend == 'raft' -%} + {% include vault_backend_raft with context %} +{% endif %} + +{% if vault_service_registration_consul_enable -%} + {% include vault_service_registration_consul_template with context %} +{% endif %} + +{% if vault_ui %} +ui = {{ vault_ui | bool | lower }} +{% endif %} + +{% if vault_telemetry_enabled | bool -%} +telemetry { + {% if vault_statsite_address is defined -%} + statsite_address = "{{vault_statsite_address}}" + {% endif -%} + {% if vault_statsd_address is defined -%} + statsd_address = "{{vault_statsd_address}}" + {% endif -%} + {% if vault_prometheus_retention_time is defined -%} + prometheus_retention_time = "{{ vault_prometheus_retention_time }}" + {% endif -%} + {% if vault_telemetry_disable_hostname is defined -%} + disable_hostname = {{vault_telemetry_disable_hostname | bool | lower }} + {% endif %} + +} +{% endif %}
\ No newline at end of file diff --git a/fdio.infra.ansible/roles/vault/templates/vault_service_registration_consul.hcl.j2 b/fdio.infra.ansible/roles/vault/templates/vault_service_registration_consul.hcl.j2 new file mode 100644 index 0000000000..cd5da1ffb6 --- /dev/null +++ b/fdio.infra.ansible/roles/vault/templates/vault_service_registration_consul.hcl.j2 @@ -0,0 +1,22 @@ +service_registration "consul" { + address = "{{ vault_service_registration_consul_address }}" + check_timeout = "{{ vault_service_registration_consul_check_timeout }}" + disable_registration = "{{ vault_service_registration_consul_disable_registration | bool | lower }}" + scheme = "{{ vault_service_registration_consul_scheme }}" + service = "{{ vault_service_registration_consul_service }}" + service_tags = "{{ vault_service_registration_consul_service_tags }}" + {% if vault_service_registration_consul_service_address is defined and vault_service_registration_consul_service_address -%} + service_address = "{{ vault_service_registration_consul_service_address }}" + {% endif -%} + {% if vault_service_registration_consul_token is defined and vault_service_registration_consul_token -%} + token = "{{ vault_service_registration_consul_token }}" + {% endif -%} + {% if vault_service_registration_consul_scheme == "https" -%} + tls_ca_file="{{ vault_service_registration_consul_tls_config_path }}/{{ vault_service_registration_consul_tls_ca_file }}" + tls_cert_file = "{{ vault_service_registration_consul_tls_config_path }}/{{ vault_service_registration_consul_tls_cert_file }}" + tls_key_file = "{{ vault_service_registration_consul_tls_config_path }}/{{ vault_service_registration_consul_tls_key_file }}" + tls_min_version = "{{ vault_service_registration_consul_tls_min_version }}" + tls_skip_verify = "{{ vault_service_registration_consul_tls_skip_verify }}" + {% endif %} + +}
\ No newline at end of file diff --git a/fdio.infra.ansible/roles/vault/templates/vault_systemd.service.j2 b/fdio.infra.ansible/roles/vault/templates/vault_systemd.service.j2 new file mode 100644 index 0000000000..5d2ca78b2e --- /dev/null +++ b/fdio.infra.ansible/roles/vault/templates/vault_systemd.service.j2 @@ -0,0 +1,30 @@ +[Unit] +Description=Vault +Documentation=https://www.vaultproject.io/docs/ +Requires=network-online.target +After=network-online.target + +[Service] +User={{ vault_user }} +Group={{ vault_group }} +ProtectSystem=full +ProtectHome=read-only +PrivateTmp=yes +PrivateDevices=yes +NoNewPrivileges=yes +ExecReload=/bin/kill -HUP $MAINPID +ExecStart={{ vault_bin_dir }}/vault {{ vault_node_role }} -config={{ vault_config_dir }} +KillMode=process +KillSignal=SIGINT +Restart=on-failure +RestartSec=5 +TimeoutStopSec=30 +StartLimitInterval=60 +StartLimitBurst=3 +LimitNOFILE=524288 +LimitNPROC=524288 +LimitMEMLOCK=infinity +LimitCORE=0 + +[Install] +WantedBy=multi-user.target
\ No newline at end of file diff --git a/fdio.infra.ansible/roles/vault/vars/main.yaml b/fdio.infra.ansible/roles/vault/vars/main.yaml new file mode 100644 index 0000000000..2b16a63fdf --- /dev/null +++ b/fdio.infra.ansible/roles/vault/vars/main.yaml @@ -0,0 +1,5 @@ +--- +# file: roles/vault/vars/main.yaml + +vault_node_client: "{{ (vault_node_role == 'client') or (vault_node_role == 'both') }}" +vault_node_server: "{{ (vault_node_role == 'server') or (vault_node_role == 'both') }}" |