diff --git a/CHANGELOG.md b/CHANGELOG.md
index 11bbc2ac..f9d2953f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -148,3 +148,10 @@
 ## v1.3.5
 - Remove explicit cluster_addr and let Vault default the value for now
+
+## v1.3.6
+
+- Handle cluster_addre differently
+- Cleanup tasks
+- Consistent variable style
+- Cleanup meta
diff --git a/defaults/main.yml b/defaults/main.yml
index 652b9a3d..1210cd05 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -4,35 +4,37 @@
 vault_version: "{{ lookup('env','VAULT_VERSION') | default('0.7.0', true) }}"
 vault_pkg: "vault_{{ vault_version }}_linux_amd64.zip"
 vault_zip_url: "https://releases.hashicorp.com/vault/{{ vault_version }}/{{ vault_pkg }}"
-vault_zip_sha256: "91432c812b1264306f8d1ecf7dd237c3d7a8b2b6aebf4f887e487c4e7f69338c"
 vault_checksum_file_url: "https://releases.hashicorp.com/vault/{{ vault_version }}/vault_{{ vault_version}}_SHA256SUMS"
-vault_bin_path: "/usr/local/bin"
-vault_config_path: "/etc/vault.d"
-vault_data_path: "/var/vault"
-vault_log_path: "/var/log/vault"
-vault_user: "vault"
-vault_group: "bin"
-vault_group_name: "cluster_nodes"
-vault_cluster_name: "sutakku"
-vault_datacenter: "dc1"
-vault_consul: "127.0.0.1:8500"
-vault_consul_path: "vault"
-vault_log_level: "info"
-vault_syslog_enable: "true"
-vault_iface: "eth1"
+vault_bin_path: /usr/local/bin
+vault_config_path: /etc/vault.d
+vault_data_path: /var/vault
+vault_log_path: /var/log/vault
+vault_run_path: /var/run/vault
+vault_user: vault
+vault_group: bin
+vault_group_name: cluster_nodes
+vault_cluster_name: sutakku
+vault_datacenter: dc1
+vault_consul: 127.0.0.1:8500
+vault_consul_path: vault
+vault_log_level: info
+vault_syslog_enable: true
+vault_iface: eth1
 vault_address: "0.0.0.0"
 vault_redirect_addr: "{{ hostvars[inventory_hostname]['ansible_'+vault_iface]['ipv4']['address'] }}"
-vault_port: "8200"
+vault_port: 8200
 vault_node_name: "{{ inventory_hostname_short }}"
 vault_main_config: "{{ vault_config_path }}/vault_main.hcl"
 vault_primary_node: "{{hostvars[groups['primary'][0]]['ansible_fqdn']}}"
 vault_backend: vault_backend_consul.j2
+vault_cluster_address: "{{hostvars[groups['primary'][0]]['ansible_default_ipv4']['address']}}"
+vault_cluster_disable: false
+vault_cluster_address: "{{ hostvars[inventory_hostname]['ansible_'+vault_iface]['ipv4']['address'] }}"
 vault_tls_disable: 1
-vault_cluster_address:
 vault_tls_cert_file:
-vault_tls_cert_file_dest: "{{ vault_config_path }}/vault.crt" # "/etc/pki/tls/certs/vault.crt"
+vault_tls_cert_file_dest: "{{ vault_config_path }}/vault.crt" # /etc/pki/tls/certs/vault.crt
 vault_tls_key_file:
 vault_tls_key_file_dest: "{{ vault_config_path }}/vault.key" # "/etc/pki/tls/private/vault.key"
-vault_tls_min_version: "tls12"
+vault_tls_min_version: tls12
 vault_tls_cipher_suites:
-vault_tls_prefer_server_cipher_suites: "false"
+vault_tls_prefer_server_cipher_suites: false
diff --git a/meta/main.yml b/meta/main.yml
index d5ddce98..809ab25a 100644
--- a/meta/main.yml
+++ b/meta/main.yml
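Review bot: `vault_cluster_address` is added twice in the defaults/main.yml hunk — first as the primary node's `ansible_default_ipv4` address, then as the current host's `vault_iface` address — and PyYAML silently keeps the last value, so the first assignment is dead code and yamllint's `key-duplicates` rule will reject the file. Keeping only the per-host definition is the right outcome, since every node must advertise its own address for request forwarding rather than the primary's (and the primary's `default_ipv4` may not even be the `vault_iface` network), so delete the line `vault_cluster_address: "{{hostvars[groups['primary'][0]]['ansible_default_ipv4']['address']}}"`. Separately, removing `vault_zip_sha256` leaves the integrity of the downloaded zip resting entirely on `vault_checksum_file_url`, which is fetched from the same origin as the artifact; the tasks that consume it are outside this diff, but consider also verifying HashiCorp's detached signature `vault_{{ vault_version }}_SHA256SUMS.sig` or keeping an operator-settable pinned digest (`vault_zip_sha256: ""`, honored when non-empty). Finally, turning `vault_syslog_enable` and `vault_tls_prefer_server_cipher_suites` into real booleans makes them render as `True`/`False` in Jinja, so any template or `when:` outside this diff that compares them to the string `"true"` needs a truthiness test or `| lower`.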
@@ -3,132 +3,28 @@ galaxy_info: author: Brian Shumate description: Vault server role company: your company (optional) - # If the issue tracker for your role is not on github, uncomment the - # next line and provide a value - # issue_tracker_url: http://example.com/issue/tracker - # Some suggested licenses: - # - BSD (default) - # - MIT - # - GPLv2 - # - GPLv3 - # - Apache - # - CC-BY license: license BSD - min_ansible_version: 2.0 - # - # Below are all platforms currently available. Just uncomment - # the ones that apply to your role. If you don't see your - # platform on this list, let us know and we'll get it added! - # + min_ansible_version: 2.1.0.0 platforms: - name: EL versions: - # - all - # - 5 - 6 - 7 - #- name: GenericUNIX - # versions: - # - all - # - any - #- name: Fedora - # versions: - # - all - # - 16 - # - 17 - # - 18 - # - 19 - # - 20 - # - 21 - # - 22 #- name: SmartOS # versions: # - all # - any - #- name: opensuse - # versions: - # - all - # - 12.1 - # - 12.2 - # - 12.3 - # - 13.1 - # - 13.2 - #- name: Amazon - # versions: - # - all - # - 2013.03 - # - 2013.09 - #- name: GenericBSD - # versions: - # - all - # - any #- name: FreeBSD # versions: - # - all - # - 8.0 - # - 8.1 - # - 8.2 - # - 8.3 - # - 8.4 - # - 9.0 - # - 9.1 - # - 9.1 - # - 9.2 + # - 11.0 - name: Ubuntu versions: - # - all - # - lucid - # - maverick - # - natty - # - oneiric - # - precise - # - quantal - # - raring - # - saucy - - trusty - # - utopic - - vivid - #- name: SLES - # versions: - # - all - # - 10SP3 - # - 10SP4 - # - 11 - # - 11SP1 - # - 11SP2 - # - 11SP3 - #- name: GenericLinux - # versions: - # - all - # - any + - xenial - name: Debian versions: - # - all - # - etch - jessie - # - lenny - # - squeeze - # - wheezy - # - # Below are all categories currently available. Just as with - # the platforms above, uncomment those that apply to your role. 
- # galaxy_tags: - #- cloud - #- cloud:ec2 - #- cloud:gce - #- cloud:rax - #- clustering - #- database - #- database:nosql - #- database:sql - #- development - #- monitoring - networking - #- packaging + - security - system - #- web dependencies: [] - # List your role dependencies here, one per line. - # Be sure to remove the '[]' above if you add dependencies - # to this list. diff --git a/tasks/main.yml b/tasks/main.yml index 08f044d8..5ef484bc 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -29,7 +29,7 @@ group_by: key: "{{ vault_node_role }}" -- name: "Add Vault user" +- name: "Add Vault user user: name: "{{ vault_user }}" comment: "Vault user" @@ -52,10 +52,10 @@ owner: "{{ vault_user }}" group: "{{ vault_group}}" with_items: + - "{{ vault_config_path }}" - "{{ vault_data_path }}" - "{{ vault_log_path }}" - - /var/run/vault - - "{{ vault_config_path }}" + - "{{ vault_run_path }}" - name: Vault SSL Certificate and Key copy: @@ -67,13 +67,13 @@ with_items: - src: "{{ vault_tls_cert_file }}" dest: "{{ vault_tls_cert_file_dest }}" - mode: "0644" + mode: 0644 - src: "{{ vault_tls_key_file }}" dest: "{{ vault_tls_key_file_dest }}" - mode: "0600" + mode: 0600 when: vault_tls_cert_file is defined and vault_tls_key_file is defined -- name: Vault listener configuration section +- name: Vault listener configuration template: src: vault_listener.hcl.j2 dest: "{{ vault_main_config }}" @@ -96,7 +96,7 @@ mode: 0755 when: ansible_distribution == "Debian" and ansible_distribution_major_version|int <= 7 -- name: systemd script +- name: systemd unit template: src: vault_systemd.service.j2 dest: /lib/systemd/system/vault.service @@ -111,7 +111,7 @@ state: started enabled: yes -- name: Vault running? +- name: Vault API reachable? wait_for: host: "{{ vault_address}}" port: "{{ vault_port }}" diff --git a/templates/vault_backend_consul.j2 b/templates/vault_backend_consul.j2 index c74596d4..f10d830d 100644 --- a/templates/vault_backend_consul.j2 
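Review bot: The renamed task line `- name: "Add Vault user` on the new side of the first tasks/main.yml hunk has lost its closing double quote, so the YAML parser treats the following `user:` line as a continuation of the quoted scalar and the role fails to load. The removed line shows the intended text; restore it as `- name: "Add Vault user"`. The rest of the task body (the `user:` module arguments) continues outside the hunk.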
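Review bot: `vault_run_path` now defaults to `/var/run/vault`, and on systemd hosts `/var/run` is a tmpfs cleared at boot, so the directory this loop creates with `owner: "{{ vault_user }}"` will not survive a reboot; whether the service re-creates it depends on the systemd unit template, which is outside this diff. If the unit needs the directory, add `RuntimeDirectory=vault` to the unit (or a tmpfiles.d entry) and keep this task for the non-systemd Debian 7 path. The enclosing `file:` task starts before the hunk, so its `state`/`mode` arguments are not visible here.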
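Review bot: Unquoting the modes in the TLS copy loop (`mode: 0644`, `mode: 0600`) works only because PyYAML parses the leading-zero literal as octal, which is the YAML 1.1 behaviour the language tips warn about; a later edit to `mode: 600` would silently yield mode 01130 on the private key. Ansible's own guidance is to keep file modes as quoted strings, so revert these two lines to `mode: "0644"` and `mode: "0600"`. The `copy:` task's header is above the hunk.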
+++ b/templates/vault_backend_consul.j2
@@ -1,5 +1,9 @@
+{% set _vault_plus_one_port = vault_port | int + 1 | abs %}
+
 backend "consul" {
 address = "{{ vault_consul }}"
- redirect_addr = "http://{{ vault_redirect_addr }}:{{ vault_port }}"
 path = "vault"
+ redirect_addr = "http://{{ vault_redirect_addr }}:{{ vault_port }}"
+ cluster_addr = "http://{{ vault_cluster_address }}:{{ _vault_plus_one_port }}"
+ disable_clustering = "{{ vault_cluster_disable }}"
 }
diff --git a/version.txt b/version.txt
index 3252f641..dd2cf2f2 100644
--- a/version.txt
+++ b/version.txt
@@ -1 +1 @@
-v1.3.5
+v1.3.6
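Review bot: In `{% set _vault_plus_one_port = vault_port | int + 1 | abs %}` Jinja filters bind tighter than `+`, so `| abs` is applied to the literal `1` and never to the sum; the expression evaluates to `int(vault_port) + 1`, which is what you want, but the filter is misleading — write `{% set _vault_plus_one_port = (vault_port | int) + 1 %}` and drop `abs`, which cannot help with a port anyway. `cluster_addr` is rendered with an `http://` scheme; per the Vault configuration docs the scheme of `cluster_addr` is ignored because cluster (request-forwarding) traffic always uses TLS with Vault-managed certificates, so rendering `https://{{ vault_cluster_address }}:{{ _vault_plus_one_port }}` regardless of `vault_tls_disable` avoids implying a plaintext cluster port to whoever reads the generated HCL. `disable_clustering = "{{ vault_cluster_disable }}"` renders the Python boolean as `"False"`, which Go's `strconv.ParseBool` accepts, but `{{ vault_cluster_disable | lower }}` keeps the emitted HCL canonical and robust to a future stricter parser.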