From add2a72c0a71393258a0ac1095209ea97392131a Mon Sep 17 00:00:00 2001
From: Asara
Date: Mon, 12 Oct 2020 21:59:24 -0400
Subject: [PATCH] Add ssl to vault

---
 ansible/roles/consul_server/tasks/Debian.yml | 4 +-
 ansible/roles/vault_server/handlers/main.yml | 5 ++
 ansible/roles/vault_server/tasks/main.yml | 49 +++++++++++++++++++
 .../roles/vault_server/templates/vault.hcl.j2 | 5 +-
 4 files changed, 58 insertions(+), 5 deletions(-)

diff --git a/ansible/roles/consul_server/tasks/Debian.yml b/ansible/roles/consul_server/tasks/Debian.yml
index 68e926e..98f4ee3 100644
--- a/ansible/roles/consul_server/tasks/Debian.yml
+++ b/ansible/roles/consul_server/tasks/Debian.yml
@@ -20,7 +20,7 @@
 group: consul
 mode: 0755
 
-- name: ensure consul config dir
+- name: ensure consul certs dir
 file:
 path: /etc/consul.d/certs/
 state: directory
@@ -42,7 +42,7 @@
 args:
 executable: /bin/bash
 environment:
- VAULT_ADDR: http://ivyking.minhas.io:8200
+ VAULT_ADDR: http://vault.service.masked.name:8200
 VAULT_TOKEN: "{{ lookup('file', lookup('env', 'HOME') + '/.vault-token') }}"
 VAULT_FORMAT: json
 register: cert_data
diff --git a/ansible/roles/vault_server/handlers/main.yml b/ansible/roles/vault_server/handlers/main.yml
index 0fd2b41..1c79b92 100644
--- a/ansible/roles/vault_server/handlers/main.yml
+++ b/ansible/roles/vault_server/handlers/main.yml
@@ -7,3 +7,8 @@
 systemd:
 name: vault
 state: restarted
+
+- name: reload_vault
+ systemd:
+ name: vault
+ state: reloaded
diff --git a/ansible/roles/vault_server/tasks/main.yml b/ansible/roles/vault_server/tasks/main.yml
index 7288fc3..98c3013 100644
--- a/ansible/roles/vault_server/tasks/main.yml
+++ b/ansible/roles/vault_server/tasks/main.yml
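Review bot: The new `VAULT_ADDR` still uses plain `http://` on port 8200, but this same commit removes `tls_disable` and sets `tls_cert_file`/`tls_key_file` in vault.hcl.j2, so once it lands the `vault` CLI here talks cleartext to a TLS-only listener and the request is rejected; until then the token taken from `~/.vault-token` also crosses the network unencrypted. Change it to `VAULT_ADDR: https://vault.service.masked.name:8200` and, because `pki_int` is a private CA, point the CLI at the CA bundle with `VAULT_CACERT: <path-to-ca-bundle>` (placeholder) rather than turning verification off. The identical `http://` URL is added in the `get cert` task of ansible/roles/vault_server/tasks/main.yml in this commit and needs the same change.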
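Review bot: `state: reloaded` on the new `reload_vault` handler only succeeds if the vault systemd unit defines `ExecReload`; the unit file is not part of this diff, so this cannot be confirmed here. Vault re-reads its listener certificate and key on SIGHUP, so the unit needs an entry such as `ExecReload=/bin/kill --signal HUP $MAINPID` — without it the handler fails at the end of the play and a renewed certificate is never picked up. A comment above the handler, `# SIGHUP makes vault re-read tls_cert_file/tls_key_file; requires ExecReload in the unit`, would record the dependency.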
@@ -29,6 +29,55 @@
 group: root
 notify: daemon_reload
 
+- name: ensure vault certs dir
+ file:
+ path: /etc/vault.d/certs/
+ state: directory
+ owner: vault
+ group: vault
+ mode: 0755
+
+- name: check if server cert is expiring in the next 5 days
+ shell: "openssl x509 -checkend 432000 -noout -in /etc/vault.d/certs/vault.pem"
+ args:
+ executable: /bin/bash
+ failed_when: False
+ check_mode: False
+ changed_when: False
+ register: exp
+
+- name: get cert
+ shell: "vault write pki_int/issue/{{ vault_pki_policy }} common_name=vault.service.{{ consul_domain }} alt_names=vault.service.{{ main_dc_name }}.{{ consul_domain }} ttl=43200m"
+ args:
+ executable: /bin/bash
+ environment:
+ VAULT_ADDR: http://vault.service.masked.name:8200
+ VAULT_TOKEN: "{{ lookup('file', lookup('env', 'HOME') + '/.vault-token') }}"
+ VAULT_FORMAT: json
+ register: cert_data
+ when: exp.rc != 0
+ notify: reload_vault
+
+- name: write cert data to server
+ copy:
+ content: "{{ item.content }}"
+ dest: "/etc/vault.d/certs/{{ item.path }}"
+ mode: '{{ item.mode }}'
+ owner: vault
+ group: vault
+ when: cert_data.changed
+ loop:
+ - {
+ content: "{{ (cert_data.stdout | from_json).data.certificate }}",
+ path: "vault.pem",
+ mode: "0755"
+ }
+ - {
+ content: "{{ (cert_data.stdout | from_json).data.private_key }}",
+ path: "vault.key",
+ mode: "0600"
+ }
+
 - name: template vault config
 template:
 src: templates/vault.hcl.j2
diff --git a/ansible/roles/vault_server/templates/vault.hcl.j2 b/ansible/roles/vault_server/templates/vault.hcl.j2
index 3d89bca..706a112 100644
--- a/ansible/roles/vault_server/templates/vault.hcl.j2
+++ b/ansible/roles/vault_server/templates/vault.hcl.j2
@@ -1,9 +1,8 @@
 ui = true
 listener "tcp" {
 address = "0.0.0.0:8200"
- tls_disable = true
-# tls_cert_file = "/path/to/fullchain.pem"
-# tls_key_file = "/path/to/privkey.pem"
+ tls_cert_file = "/etc/vault.d/certs/vault.pem"
+ tls_key_file = "/etc/vault.d/certs/vault.key"
 }
 storage "consul" {
 address = "localhost:8500"
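Review bot: The private key from `(cert_data.stdout | from_json).data.private_key` ends up in Ansible's own output: `get cert` registers the full JSON response (printed with `-v`), and `write cert data to server` loops over items whose `content` is the key, and Ansible echoes each loop item in the task result even at default verbosity, so the key lands on the controller's console and in any log. Add `no_log: true` to both tasks (and, if the loop output is wanted, `loop_control: label: "{{ item.path }}"` on the copy task). Separately, `mode: "0755"` on vault.pem grants execute for no reason — `"0644"` is sufficient — and the directory task's unquoted `mode: 0755` is read by YAML as the integer 493; quote it as the loop entries already do. The `notify: reload_vault` sits on `get cert` rather than on the task that actually writes the files; it works because handlers run at the end of the play, but moving the notify to the copy task ties the reload to the write that needs it.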
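Review bot: `tls_cert_file` now points at `/etc/vault.d/certs/vault.pem`, which the write task in ansible/roles/vault_server/tasks/main.yml fills with `data.certificate` alone; Vault expects this file to hold the leaf followed by its issuing chain, and since the leaf is issued by the `pki_int` intermediate, clients that trust only the root cannot build a path unless `data.issuing_ca` (or the entries of `data.ca_chain`) is appended after the certificate in that task. There is also a first-run ordering concern: the config is rendered after the cert tasks, but if `vault.service.masked.name` resolves to the host being configured, no cert exists yet and the listener cannot start — confirm the bootstrap path and note it in the template with `# vault.pem must contain leaf + issuing CA chain; written by tasks/main.yml`. Dropping `tls_disable` is the right change; consider adding `tls_min_version = "tls12"` so the intent is explicit rather than relying on the default.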