Add ca_cert to hashi_vault lookups

2022-11-01 16:02:59 -04:00 · 2022-11-01 16:02:59 -04:00 · 9c0b211db2
commit 9c0b211db2
parent 6225653c56
8 changed files with 16 additions and 17 deletions
--- a/ansible/roles/common/tasks/Debian.yml
+++ b/ansible/roles/common/tasks/Debian.yml
@ -20,12 +20,11 @@
      - git
      - htop
      - inxi
+      - kitty-terminfo
      - make
      - ncdu
-      - netcat-traditional
      - netcat-openbsd
      - ntp
-      - rxvt-unicode
      - screen
      - strace
      - sysstat
--- a/ansible/roles/consul/templates/consul.hcl.j2
+++ b/ansible/roles/consul/templates/consul.hcl.j2
@ -3,7 +3,7 @@ primary_datacenter  = "{{ main_dc_name }}"
 domain              = "{{ consul_domain }}"
 node_name           = "{{ inventory_hostname_short }}"

-encrypt             = "{{ lookup('hashi_vault', 'secret=kv/data/consul:data')['gossip'] }}"
+encrypt             = "{{ lookup('hashi_vault', 'secret=kv/data/consul:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['gossip'] }}"

 verify_incoming         = false
 verify_outgoing         = true
@ -32,6 +32,6 @@ acl {
  default_policy = "deny"
  enable_token_persistence = true
  tokens {
-    default = "{{ lookup('hashi_vault', 'secret=kv/data/consul:data')['server-acl-token'] }}"
+    default = "{{ lookup('hashi_vault', 'secret=kv/data/consul:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['server-acl-token'] }}"
  }
 }
--- a/ansible/roles/consul_server/templates/consul.hcl.j2
+++ b/ansible/roles/consul_server/templates/consul.hcl.j2
@ -6,7 +6,7 @@ server              = true
 bootstrap_expect    = 3
 ui                  = true

-encrypt             = "{{ lookup('hashi_vault', 'secret=kv/data/consul:data')['gossip'] }}"
+encrypt             = "{{ lookup('hashi_vault', 'secret=kv/data/consul:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['gossip'] }}"

 verify_outgoing         = true
 verify_server_hostname  = true
@ -49,6 +49,6 @@ acl {
  default_policy = "deny"
  enable_token_persistence = true
  tokens {
-    default = "{{ lookup('hashi_vault', 'secret=kv/data/consul:data')['server-acl-token'] }}"
+    default = "{{ lookup('hashi_vault', 'secret=kv/data/consul:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['server-acl-token'] }}"
  }
 }
--- a/ansible/roles/lego/templates/amarpreet@minhas.io.key.j2
+++ b/ansible/roles/lego/templates/amarpreet@minhas.io.key.j2
@ -1 +1 @@
-{{ lookup('hashi_vault', 'secret=kv/data/acme:data')['private_key'] }}
+{{ lookup('hashi_vault', 'secret=kv/data/acme:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['private_key'] }}
--- a/ansible/roles/lego/templates/defaults
+++ b/ansible/roles/lego/templates/defaults
@ -1,5 +1,5 @@
-export NAMECHEAP_API_USER={{ lookup('hashi_vault', 'secret=kv/data/namecheap:data')['api_user'] }}
-export NAMECHEAP_API_KEY={{ lookup('hashi_vault', 'secret=kv/data/namecheap:data')['api_key'] }}
-export AWS_ACCESS_KEY_ID={{ lookup('hashi_vault', 'secret=kv/data/aws:data')['access_key'] }}
-export AWS_SECRET_ACCESS_KEY={{ lookup('hashi_vault', 'secret=kv/data/aws:data')['secret_key'] }}
-export AWS_HOSTED_ZONE_ID={{ lookup('hashi_vault', 'secret=kv/data/aws:data')['hosted_zone_id'] }}
+export NAMECHEAP_API_USER={{ lookup('hashi_vault', 'secret=kv/data/namecheap:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['api_user'] }}
+export NAMECHEAP_API_KEY={{ lookup('hashi_vault', 'secret=kv/data/namecheap:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['api_key'] }}
+export AWS_ACCESS_KEY_ID={{ lookup('hashi_vault', 'secret=kv/data/aws:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['access_key'] }}
+export AWS_SECRET_ACCESS_KEY={{ lookup('hashi_vault', 'secret=kv/data/aws:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['secret_key'] }}
+export AWS_HOSTED_ZONE_ID={{ lookup('hashi_vault', 'secret=kv/data/aws:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['hosted_zone_id'] }}
--- a/ansible/roles/nomad_client/templates/nomad.hcl.j2
+++ b/ansible/roles/nomad_client/templates/nomad.hcl.j2
@ -14,13 +14,13 @@ client {
 }

 consul {
-  token     = "{{ lookup('hashi_vault', 'secret=kv/data/nomad:data')['consul-acl-client'] }}"
+  token     = "{{ lookup('hashi_vault', 'secret=kv/data/nomad:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['consul-acl-client'] }}"
 }

 vault {
  enabled           = true
  ca_file           = "/etc/pki/certs/{{ vault_ca_cert_name }}"
-  token             = "{{ lookup('hashi_vault', 'secret=kv/data/nomad:data')['vault-token'] }}"
+  token             = "{{ lookup('hashi_vault', 'secret=kv/data/nomad:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['vault-token'] }}"
  address           = "https://vault.service.{{ consul_domain }}:8200"
  create_from_role  = "nomad-cluster"
  unwrap_token      = true
--- a/ansible/roles/nomad_server/templates/nomad.hcl.j2
+++ b/ansible/roles/nomad_server/templates/nomad.hcl.j2
@ -9,14 +9,14 @@ server {
 vault {
  enabled           = true
  ca_file           = "/etc/pki/certs/{{ vault_ca_cert_name }}"
-  token             = "{{ lookup('hashi_vault', 'secret=kv/data/nomad:data')['vault-token'] }}"
+  token             = "{{ lookup('hashi_vault', 'secret=kv/data/nomad:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['vault-token'] }}"
  address           = "https://vault.service.{{ consul_domain }}:8200"
  create_from_role  = "nomad-cluster"
  unwrap_token      = true
 }

 consul {
-  token     = "{{ lookup('hashi_vault', 'secret=kv/data/nomad:data')['consul-acl-server'] }}"
+  token     = "{{ lookup('hashi_vault', 'secret=kv/data/nomad:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['consul-acl-server'] }}"
 }

 tls {
--- a/ansible/roles/vault_server/templates/vault.hcl.j2
+++ b/ansible/roles/vault_server/templates/vault.hcl.j2
@ -18,5 +18,5 @@ cluster_addr      = "https://{{ ansible_default_ipv4.address }}:8201"
 storage "consul" {
  address   = "localhost:8500"
  path      = "vault/"
-  token     = "{{ lookup('hashi_vault', 'secret=kv/data/vault:data')['consul-acl'] }}"
+  token     = "{{ lookup('hashi_vault', 'secret=kv/data/vault:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['consul-acl'] }}"
 }