add some default variable with iface dynamic

vincent 2024-01-30 18:22:36 +01:00
parent f47f085693
commit 60fb2b5cef
3 changed files with 23 additions and 18 deletions


@ -1,21 +1,14 @@
--- ---
vault_listener_address: 0.0.0.0 vault_listener_address: 0.0.0.0
vault_iface: "{{ lookup('env', 'VAULT_IFACE') | default(ansible_default_ipv4.interface, true) }}"
vault_port: 8200 vault_port: 8200
vault_protocol: "http" vault_protocol: "http"
vault_api_addr: "{{ vault_protocol }}://{{ ansible_default_ipv4.address }}:{{ vault_port }}" vault_address: "{{ hostvars[inventory_hostname]['ansible_' + vault_iface]['ipv4']['address'] }}"
vault_cluster_address: "{{ hostvars[inventory_hostname]['ansible_' + vault_iface]['ipv4']['address'] }}:{{ (vault_port | int) + 1 }}"
vault_cluster_addr: "{{ vault_protocol }}://{{ vault_cluster_address }}"
vault_api_addr: "{{ vault_protocol }}://{{ vault_redirect_address | default(hostvars[inventory_hostname]['ansible_' + vault_iface]['ipv4']['address']) }}:{{ vault_port }}"
vault_tls_disable: true vault_tls_disable: true
vault_raft_group_name: "vault_raft_servers"
vault_raft_cluster_members: |
[
{% for server in groups[vault_raft_group_name] %}
{
"peer": "{{ server }}",
"api_addr": "{{ hostvars[server]['vault_api_addr'] |
default(vault_protocol + '://' + hostvars[server]['ansible_' + hostvars[server]['ansible_default_ipv4']['interface']]['ipv4']['address'] + ':' + (vault_port|string)) }}"
},
{% endfor %}
]
# vault backup variable # vault backup variable
vault_snapshot: false vault_snapshot: false
vault_backup_location: /tmp vault_backup_location: /tmp
@ -26,3 +19,15 @@ vault_secretid: ''
vault_unseal_keys_dir_output: "~/vaultUnseal" vault_unseal_keys_dir_output: "~/vaultUnseal"
vault_unseal_token: "" vault_unseal_token: ""
vault_raft_group_name: "vault_raft_servers"
vault_raft_cluster_members: |
[
{% for server in groups[vault_raft_group_name] %}
{
"peer": "{{ server }}",
"api_addr": "{{ hostvars[server]['vault_api_addr'] |
default( vault_protocol + '://' + hostvars[server]['ansible_' + hostvars[server][vault_iface]]['ipv4']['address'] ) }}"
},
{% endfor %}
]
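Review bot: The new fallback in `vault_raft_cluster_members` indexes `hostvars[server][vault_iface]`, i.e. it looks up a host fact named after the interface (e.g. `eth0`) rather than the `vault_iface` variable, so the default branch will fail with an undefined-variable error whenever `hostvars[server]['vault_api_addr']` is not resolvable; the previous default (first hunk) also appended the port, which the rewrite drops, so a peer's `leader_api_addr` would come out as `http://IP` with no `:8200`. A working default would be `default(vault_protocol + '://' + hostvars[server]['ansible_' + hostvars[server]['vault_iface']]['ipv4']['address'] + ':' + (vault_port | string)) }}"`. Note also that `lookup('env', 'VAULT_IFACE')` is evaluated on the controller, not on the target host, which is worth a comment such as `# vault_iface: interface Vault binds to; VAULT_IFACE is read from the controller's environment, override per host in inventory if interfaces differ`. `vault_listener_address: 0.0.0.0` appears to no longer be referenced by the listener template after this commit and could be removed or documented as unused.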


@ -37,6 +37,6 @@
ansible.builtin.shell: | ansible.builtin.shell: |
vault operator unseal {{ item }} vault operator unseal {{ item }}
environment: environment:
VAULT_ADDR: "http://127.0.0.1:8200" VAULT_ADDR: "{{ vault_api_addr }}"
with_items: "{{vault_unseal_token}}" with_items: "{{vault_unseal_token}}"
when: check_result1.status == 503 when: check_result1.status == 503
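Review bot: `VAULT_ADDR: "{{ vault_api_addr }}"` can point the unseal at the wrong node: in the defaults `vault_api_addr` prefers `vault_redirect_address` when it is set, and if that is a load-balancer or VIP the unseal shares are submitted to whichever node the LB selects instead of the node this task runs on. Since the listener now binds to the node's own interface address rather than loopback, the local node should be targeted explicitly, e.g. `VAULT_ADDR: "{{ vault_protocol }}://{{ vault_address }}:{{ vault_port }}"`. The unseal share is also passed as a command-line argument, so it is visible in process listings and in the task output; at minimum add `no_log: true` to this task. `check_result1` is registered outside this hunk, so whether the 503 check hits the same node could not be confirmed here.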


@ -2,6 +2,7 @@
storage "raft" { storage "raft" {
path = "/opt/vault/raft/" path = "/opt/vault/raft/"
node_id = "{{ inventory_hostname }}" node_id = "{{ inventory_hostname }}"
{% for raft_peer in vault_raft_cluster_members | rejectattr('peer', 'equalto', inventory_hostname) %} {% for raft_peer in vault_raft_cluster_members | rejectattr('peer', 'equalto', inventory_hostname) %}
retry_join { retry_join {
leader_api_addr = "{{ raft_peer.api_addr }}" leader_api_addr = "{{ raft_peer.api_addr }}"
@ -10,17 +11,16 @@ storage "raft" {
} }
listener "tcp" { listener "tcp" {
address = "{{ vault_listener_address}}:{{vault_port}}" address = "{{ vault_address }}:{{vault_port}}"
cluster_address = "{{ vault_listener_address}}:8201" cluster_address = "{{ vault_cluster_address }}"
tls_disable = 1 tls_disable = 1
} }
api_addr = "http://{{ vault_listener_address}}:{{vault_port}}" api_addr = "{{ vault_api_addr }}"
cluster_addr = "http://{{ ansible_default_ipv4.address }}:8201" cluster_addr = "{{vault_cluster_addr}}"
ui= true ui= true
disable_mlock = true disable_mlock = true
service_registration "consul" { service_registration "consul" {
address = "127.0.0.1:8500" address = "127.0.0.1:8500"
service_address = "{{ ansible_default_ipv4.address }}"
} }
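Review bot: The newly added `service_address = "{{ ansible_default_ipv4.address }}"` in the Consul `service_registration` block advertises the default-interface address, while the `listener "tcp"` block in the same hunk now binds to `vault_address`, which is derived from `vault_iface`; when `VAULT_IFACE` selects a different interface Consul will advertise an address Vault is not listening on. Use the same variable: `service_address = "{{ vault_address }}"`. Separately, `tls_disable = 1` remains hardcoded even though the defaults expose `vault_tls_disable`, and with the listener now on a routable interface the unseal shares and tokens sent to `api_addr` cross the network in cleartext; driving it from the variable, `tls_disable = {{ 1 if (vault_tls_disable | bool) else 0 }}`, at least makes that an explicit choice.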