add some default variable with iface dynamic

2024-01-30 18:22:36 +01:00 · 2024-01-30 18:22:36 +01:00 · 60fb2b5cef
commit 60fb2b5cef
parent f47f085693
3 changed files with 23 additions and 18 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -1,21 +1,14 @@
 ---
 vault_listener_address: 0.0.0.0
+vault_iface: "{{ lookup('env', 'VAULT_IFACE') | default(ansible_default_ipv4.interface, true) }}"
 vault_port: 8200
 vault_protocol: "http"
-vault_api_addr: "{{ vault_protocol }}://{{ ansible_default_ipv4.address }}:{{ vault_port }}"
+vault_address: "{{ hostvars[inventory_hostname]['ansible_' + vault_iface]['ipv4']['address'] }}"
+vault_cluster_address: "{{ hostvars[inventory_hostname]['ansible_' + vault_iface]['ipv4']['address'] }}:{{ (vault_port | int) + 1 }}"
+vault_cluster_addr: "{{ vault_protocol }}://{{ vault_cluster_address }}"
+vault_api_addr: "{{ vault_protocol }}://{{ vault_redirect_address | default(hostvars[inventory_hostname]['ansible_' + vault_iface]['ipv4']['address']) }}:{{ vault_port }}"
 vault_tls_disable: true

-vault_raft_group_name: "vault_raft_servers"
-vault_raft_cluster_members: |
-  [
-  {% for server in groups[vault_raft_group_name] %}
-    {
-      "peer": "{{ server }}",
-      "api_addr": "{{ hostvars[server]['vault_api_addr'] |
-      default(vault_protocol + '://' + hostvars[server]['ansible_' + hostvars[server]['ansible_default_ipv4']['interface']]['ipv4']['address'] + ':' + (vault_port|string)) }}"
-    },
-  {% endfor %}
-  ]
 # vault backup variable
 vault_snapshot: false
 vault_backup_location: /tmp
@ -26,3 +19,15 @@ vault_secretid: ''

 vault_unseal_keys_dir_output: "~/vaultUnseal"
 vault_unseal_token: ""
+
+vault_raft_group_name: "vault_raft_servers"
+vault_raft_cluster_members: |
+  [
+  {% for server in groups[vault_raft_group_name] %}
+    {
+      "peer": "{{ server }}",
+      "api_addr": "{{ hostvars[server]['vault_api_addr'] |
+  default( vault_protocol + '://' + hostvars[server]['ansible_' + hostvars[server][vault_iface]]['ipv4']['address'] ) }}"
+    },
+  {% endfor %}
+  ]
--- a/tasks/unseal.yml
+++ b/tasks/unseal.yml
@ -37,6 +37,6 @@
  ansible.builtin.shell: |
    vault operator unseal {{ item }}
  environment:
-    VAULT_ADDR: "http://127.0.0.1:8200"
+    VAULT_ADDR: "{{ vault_api_addr }}"
  with_items: "{{vault_unseal_token}}"
  when: check_result1.status == 503
--- a/templates/config.hcl.j2
+++ b/templates/config.hcl.j2
@ -2,6 +2,7 @@
 storage "raft" {
  path = "/opt/vault/raft/"
  node_id = "{{ inventory_hostname }}"
+
 {% for raft_peer in vault_raft_cluster_members | rejectattr('peer', 'equalto', inventory_hostname) %}
  retry_join {
        leader_api_addr =  "{{ raft_peer.api_addr }}"
@ -10,17 +11,16 @@ storage "raft" {
 }

 listener "tcp" {
-  address     = "{{ vault_listener_address}}:{{vault_port}}"
-  cluster_address = "{{ vault_listener_address}}:8201"
+  address     = "{{ vault_address }}:{{vault_port}}"
+  cluster_address = "{{ vault_cluster_address }}"
  tls_disable = 1
 }
-api_addr =  "http://{{ vault_listener_address}}:{{vault_port}}"
-cluster_addr =  "http://{{ ansible_default_ipv4.address }}:8201"
+api_addr =  "{{ vault_api_addr }}"
+cluster_addr =  "{{vault_cluster_addr}}"
 ui= true
 disable_mlock = true

 service_registration "consul" {
  address      = "127.0.0.1:8500"
-  service_address = "{{ ansible_default_ipv4.address }}"
 }