Compare commits
No commits in common. "1559206ae42c7fb83927efbef8c932d8573bc141" and "4c4134dcdb7425f57dc9acbbcf926a693e5b23bb" have entirely different histories.
1559206ae4
...
4c4134dcdb
17 changed files with 13 additions and 106 deletions
|
@ -56,7 +56,7 @@ vault_ca_cert_payload: |
|
|||
-----END CERTIFICATE-----
|
||||
|
||||
# nomad
|
||||
nomad_version: 0.12.5
|
||||
nomad_version: 0.12.3
|
||||
nomad_podman_driver_version: 0.1.0
|
||||
|
||||
# podman
|
||||
|
|
|
@ -1,6 +1,5 @@
|
|||
---
|
||||
- hosts: consul_server
|
||||
serial: 1
|
||||
roles:
|
||||
- role: consul_server
|
||||
...
|
||||
|
|
|
@ -1,6 +1,5 @@
|
|||
---
|
||||
- hosts: nomad_server
|
||||
serial: 1
|
||||
roles:
|
||||
- role: nomad_server
|
||||
...
|
||||
|
|
|
@ -1,6 +1,5 @@
|
|||
---
|
||||
- hosts: vault_server
|
||||
serial: 1
|
||||
roles:
|
||||
- role: vault_server
|
||||
...
|
||||
|
|
|
@ -72,7 +72,7 @@
|
|||
args:
|
||||
executable: /bin/bash
|
||||
environment:
|
||||
VAULT_ADDR: http://vault.service.masked.name:8200
|
||||
VAULT_ADDR: http://ivyking.minhas.io:8200
|
||||
VAULT_TOKEN: "{{ lookup('file', lookup('env', 'HOME') + '/.vault-token') }}"
|
||||
VAULT_FORMAT: json
|
||||
register: cert_data
|
||||
|
|
|
@ -82,7 +82,7 @@
|
|||
args:
|
||||
executable: /usr/local/bin/bash
|
||||
environment:
|
||||
VAULT_ADDR: http://vault.service.masked.name:8200
|
||||
VAULT_ADDR: http://ivyking.minhas.io:8200
|
||||
VAULT_TOKEN: "{{ lookup('file', lookup('env', 'HOME') + '/.vault-token') }}"
|
||||
VAULT_FORMAT: json
|
||||
register: cert_data
|
||||
|
|
|
@ -20,7 +20,7 @@
|
|||
group: consul
|
||||
mode: 0755
|
||||
|
||||
- name: ensure consul certs dir
|
||||
- name: ensure consul config dir
|
||||
file:
|
||||
path: /etc/consul.d/certs/
|
||||
state: directory
|
||||
|
@ -42,7 +42,7 @@
|
|||
args:
|
||||
executable: /bin/bash
|
||||
environment:
|
||||
VAULT_ADDR: http://vault.service.masked.name:8200
|
||||
VAULT_ADDR: http://ivyking.minhas.io:8200
|
||||
VAULT_TOKEN: "{{ lookup('file', lookup('env', 'HOME') + '/.vault-token') }}"
|
||||
VAULT_FORMAT: json
|
||||
register: cert_data
|
||||
|
|
|
@ -42,7 +42,7 @@
|
|||
args:
|
||||
executable: /usr/local/bin/bash
|
||||
environment:
|
||||
VAULT_ADDR: http://vault.service.masked.name:8200
|
||||
VAULT_ADDR: http://ivyking.minhas.io:8200
|
||||
VAULT_TOKEN: "{{ lookup('file', lookup('env', 'HOME') + '/.vault-token') }}"
|
||||
VAULT_FORMAT: json
|
||||
register: cert_data
|
||||
|
|
|
@ -30,13 +30,11 @@ raft_protocol = 3
|
|||
enable_local_script_checks = true
|
||||
|
||||
addresses {
|
||||
http = "127.0.0.1"
|
||||
https = "0.0.0.0"
|
||||
dns = "0.0.0.0"
|
||||
}
|
||||
|
||||
ports {
|
||||
http = 8500
|
||||
https = 8501
|
||||
}
|
||||
|
||||
|
|
|
@ -18,7 +18,7 @@
|
|||
args:
|
||||
executable: /bin/bash
|
||||
environment:
|
||||
VAULT_ADDR: http://vault.service.masked.name:8200
|
||||
VAULT_ADDR: http://ivyking.minhas.io:8200
|
||||
VAULT_TOKEN: "{{ lookup('file', lookup('env', 'HOME') + '/.vault-token') }}"
|
||||
VAULT_FORMAT: json
|
||||
register: cert_data
|
||||
|
|
|
@ -107,7 +107,7 @@
|
|||
args:
|
||||
executable: /bin/bash
|
||||
environment:
|
||||
VAULT_ADDR: http://vault.service.masked.name:8200
|
||||
VAULT_ADDR: http://ivyking.minhas.io:8200
|
||||
VAULT_TOKEN: "{{ lookup('file', lookup('env', 'HOME') + '/.vault-token') }}"
|
||||
VAULT_FORMAT: json
|
||||
register: cert_data
|
||||
|
|
|
@ -17,15 +17,6 @@ consul {
|
|||
token = "{{ lookup('hashi_vault', 'secret=kv/data/nomad:data')['consul-acl-client'] }}"
|
||||
}
|
||||
|
||||
vault {
|
||||
enabled = true
|
||||
ca_file = "/etc/pki/certs/{{ vault_ca_cert_name }}"
|
||||
token = "{{ lookup('hashi_vault', 'secret=kv/data/nomad:data')['vault-token'] }}"
|
||||
address = "https://vault.service.{{ consul_domain }}:8200"
|
||||
create_from_role = "nomad-cluster"
|
||||
unwrap_token = true
|
||||
}
|
||||
|
||||
tls {
|
||||
http = true
|
||||
rpc = true
|
||||
|
|
|
@ -87,7 +87,7 @@
|
|||
args:
|
||||
executable: /bin/bash
|
||||
environment:
|
||||
VAULT_ADDR: http://vault.service.masked.name:8200
|
||||
VAULT_ADDR: http://ivyking.minhas.io:8200
|
||||
VAULT_TOKEN: "{{ lookup('file', lookup('env', 'HOME') + '/.vault-token') }}"
|
||||
VAULT_FORMAT: json
|
||||
register: cert_data
|
||||
|
@ -114,12 +114,6 @@
|
|||
mode: "0600"
|
||||
}
|
||||
|
||||
- name: append cacert to vault cert
|
||||
blockinfile:
|
||||
path: /etc/nomad.d/certs/nomad.pem
|
||||
block: |
|
||||
{{ vault_ca_cert_payload }}
|
||||
|
||||
- name: ensure nomad is started and enabled
|
||||
systemd:
|
||||
name: nomad
|
||||
|
|
|
@ -6,15 +6,6 @@ server {
|
|||
bootstrap_expect = 1
|
||||
}
|
||||
|
||||
vault {
|
||||
enabled = true
|
||||
ca_file = "/etc/pki/certs/{{ vault_ca_cert_name }}"
|
||||
token = "{{ lookup('hashi_vault', 'secret=kv/data/nomad:data')['vault-token'] }}"
|
||||
address = "https://vault.service.{{ consul_domain }}:8200"
|
||||
create_from_role = "nomad-cluster"
|
||||
unwrap_token = true
|
||||
}
|
||||
|
||||
consul {
|
||||
token = "{{ lookup('hashi_vault', 'secret=kv/data/nomad:data')['consul-acl-server'] }}"
|
||||
}
|
||||
|
|
|
@ -7,8 +7,3 @@
|
|||
systemd:
|
||||
name: vault
|
||||
state: restarted
|
||||
|
||||
- name: reload_vault
|
||||
systemd:
|
||||
name: vault
|
||||
state: reloaded
|
||||
|
|
|
@ -29,55 +29,6 @@
|
|||
group: root
|
||||
notify: daemon_reload
|
||||
|
||||
- name: ensure vault certs dir
|
||||
file:
|
||||
path: /etc/vault.d/certs/
|
||||
state: directory
|
||||
owner: vault
|
||||
group: vault
|
||||
mode: 0755
|
||||
|
||||
- name: check if server cert is expiring in the next 5 days
|
||||
shell: "openssl x509 -checkend 432000 -noout -in /etc/vault.d/certs/vault.pem"
|
||||
args:
|
||||
executable: /bin/bash
|
||||
failed_when: False
|
||||
check_mode: False
|
||||
changed_when: False
|
||||
register: exp
|
||||
|
||||
- name: get cert
|
||||
shell: "vault write pki_int/issue/{{ vault_pki_policy }} common_name=vault.service.{{ consul_domain }} alt_names=vault.service.{{ main_dc_name }}.{{ consul_domain }} ttl=43200m"
|
||||
args:
|
||||
executable: /bin/bash
|
||||
environment:
|
||||
VAULT_ADDR: http://vault.service.masked.name:8200
|
||||
VAULT_TOKEN: "{{ lookup('file', lookup('env', 'HOME') + '/.vault-token') }}"
|
||||
VAULT_FORMAT: json
|
||||
register: cert_data
|
||||
when: exp.rc != 0
|
||||
notify: reload_vault
|
||||
|
||||
- name: write cert data to server
|
||||
copy:
|
||||
content: "{{ item.content }}"
|
||||
dest: "/etc/vault.d/certs/{{ item.path }}"
|
||||
mode: '{{ item.mode }}'
|
||||
owner: vault
|
||||
group: vault
|
||||
when: cert_data.changed
|
||||
loop:
|
||||
- {
|
||||
content: "{{ (cert_data.stdout | from_json).data.certificate }}",
|
||||
path: "vault.pem",
|
||||
mode: "0755"
|
||||
}
|
||||
- {
|
||||
content: "{{ (cert_data.stdout | from_json).data.private_key }}",
|
||||
path: "vault.key",
|
||||
mode: "0600"
|
||||
}
|
||||
|
||||
- name: template vault config
|
||||
template:
|
||||
src: templates/vault.hcl.j2
|
||||
|
|
|
@ -1,20 +1,10 @@
|
|||
ui = true
|
||||
|
||||
listener "tcp" {
|
||||
address = "127.0.0.1:8200"
|
||||
tls_cert_file = "/etc/vault.d/certs/vault.pem"
|
||||
tls_key_file = "/etc/vault.d/certs/vault.key"
|
||||
address = "0.0.0.0:8200"
|
||||
tls_disable = true
|
||||
# tls_cert_file = "/path/to/fullchain.pem"
|
||||
# tls_key_file = "/path/to/privkey.pem"
|
||||
}
|
||||
|
||||
listener "tcp" {
|
||||
address = "{{ ansible_default_ipv4.address }}:8200"
|
||||
tls_cert_file = "/etc/vault.d/certs/vault.pem"
|
||||
tls_key_file = "/etc/vault.d/certs/vault.key"
|
||||
}
|
||||
|
||||
api_addr = "https://{{ ansible_default_ipv4.address }}:8200"
|
||||
cluster_addr = "https://{{ ansible_default_ipv4.address }}:8201"
|
||||
|
||||
storage "consul" {
|
||||
address = "localhost:8500"
|
||||
path = "vault/"
|
||||
|
|
Loading…
Reference in a new issue