diff --git a/.gitignore b/.gitignore
index e6c493b8..e6e99227 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,8 +1,8 @@
 .DS_Store
 .vagrant
-.tm_properties
+*.crt
+*.key
 *.retry
+*.zip
 examples/hosts
-files/*.zip
 files/vault
-
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 8aabe878..0e28e884 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -185,4 +185,15 @@
 ## v1.3.12
 
-- Made CONSUL_IFACE environment variable override
+- Made VAULT_IFACE environment variable override
+
+## v1.4.0
+
+- Updated many variables with environment variable overrides
+- Add `vault_tls_config_path` variable with reasonable default value
+- Set currently/reasonably secure `vault_tls_cipher_suites` defaults
+- Update listener template to finally close #3
+- Improve cleanup task
+- Update versions
+- Update documentation
+- Update ignores
 
diff --git a/README.md b/README.md
index 62a8a8d5..ce30c21e 100644
--- a/README.md
+++ b/README.md
@@ -18,7 +18,7 @@
 This role requires a Debian or RHEL based Linux distribution. It might work
 with other software versions, but does work with the following specific
 software and versions:
 
-* Ansible: 2.2.1.0
+* Ansible: 2.2.2.0
 * Vault: 0.7.0
 * Debian: 8
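Review bot: Ignoring `*.crt` and `*.key` repository-wide stops node certificates and private keys from being committed by accident, but an ignore rule does nothing for material already in history; the previous defaults pointed at `../files/dummy.crt` and `../files/dummy.key`, so if those were ever committed they should be purged from history and, if they were ever used on a real host, rotated. A comment such as `# per-node TLS material lives in files/ but must never be committed` above the two patterns would make the intent explicit for the next contributor.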
@@ -26,71 +26,281 @@ software and versions: The role defines variables in `defaults/main.yml`: -| Name | Default Value | Description | -| -------------- | ------------- | -----------------------------------| -| `vault_version` | *0.7.0* | Version to install - can also be specified or overridden with `VAULT_VERSION` environment variable | -| `vault_pkg` | `"vault_{{ vault_version }}_linux_amd64.zip"` | Package filename | -| `vault_zip_url` | `"https://releases.hashicorp.com/vault/{{ vault_version }}/vault_{{ vault_version }}_linux_amd64.zip"` | Download URL | -| `vault_checksum_file_url` | `"https://releases.hashicorp.com/vault/{{ vault_version }}/vault_{{ vault_version}}_SHA256SUMS"` | URL to SHA summaries | -| `vault_bin_path` | `/usr/local/bin` | Binary installation path | -| `vault_config_path` | `/etc/vault.d` | Configuration file path | -| `vault_data_path` | `/var/vault` | Data path | -| `vault_log_path` | `/var/log/vault` | Log path - Not impemented | -| `vault_run_path`| `/var/run/vault` | PID file location | -| `vault_user` | *vault* | OS user | -| `vault_group` | *bin* | OS group | -| `vault_group_name` | `cluster_nodes` | Inventory group name | -| `vault_cluster_name` | *sutakku* | Cluster name label | -| `vault_datacenter` | *dc1* | Datacenter label - Not impemented | -| `vault_consul` | *127.0.0.1:8500* | host:port for Consul HA backend | - `vault_consul_path` | *vault* | Name of Vault's Consul K/V root path | -| `vault_log_level` | *info* | [Log level](https://github.com/hashicorp/vault/blob/b1ed578f3da3263ca1973d16dcb33490125486b8/command/server.go#L1003-L1005) - Supported values: [trace, debug, info, warn, err](https://github.com/hashicorp/vault/blob/b1ed578f3da3263ca1973d16dcb33490125486b8/command/server.go#L87-L103) | -| `vault_syslog_enable` | *true* | Log to syslog - Not impemented | -| `vault_iface` | `eth1` | Network interface can be overridden with `VAULT_IFACE` environment variable | -| `vault_address` | `"{{ 
hostvars[inventory_hostname]['ansible_eth1']['ipv4']['address'] }}"` | Primary interface address | -| `vault_redirect_addr` | `"{{ hostvars[inventory_hostname]['ansible_'+vault_iface]['ipv4']['address'] }}"` | [HA Client Redirect address](https://www.vaultproject.io/docs/concepts/ha.html#client-redirection) | -| `vault_port` | *8200* | TCP port number to use | -| `vault_node_name` | `"{{ inventory_hostname_short }}"` | Short node name | -| `vault_main_config` | `"{{ vault_config_path }}/vault_main.hcl"` | Main configuration file path | -| `vault_primary_node` | `"{{hostvars[groups['primary'][0]]['ansible_fqdn']}}"` | Active node FQDN | -| `vault_backend` | `backend_consul.j2` | Backend template filename | -| `vault_cluster_address` | `"{{ hostvars[inventory_hostname]['ansible_'+vault_iface]['ipv4']['address'] }}"` | Address for intra-cluster communication | -| `vault_cluster_disable` | *false* | Disable HA clustering | -| `vault_tls_disable` | *1* | [Disable TLS](https://www.vaultproject.io/docs/configuration/listener/tcp.html#tls_disable) | -| `vault_tls_cert_file` | None | [Vault TLS certificate file path](https://www.vaultproject.io/docs/configuration/listener/tcp.html#tls_cert_file) | -| `vault_tls_cert_file_dest` | `"{{ vault_config_path }}/vault.crt" # /etc/pki/tls/certs/vault.crt` | Destination path for Vault TLS certificate | -| `vault_tls_key_file` | None | [Vault TLS key file path](https://www.vaultproject.io/docs/configuration/listener/tcp.html#tls_key_file) | -| `vault_tls_key_file_dest` | `"{{ vault_config_path }}/vault.key"` | Destination path for Vault TLS key | -| `vault_tls_min_version` | *tls12* | [Minimum acceptable TLS version](https://www.vaultproject.io/docs/configuration/listener/tcp.html#tls_min_version) | -| `vault_tls_cipher_suites` | None | [comma-separated list of supported ciphersuites](https://www.vaultproject.io/docs/configuration/listener/tcp.html#tls_cipher_suites) | -| `vault_tls_prefer_server_cipher_suites` | false | [prefer the 
server's ciphersuite over the client ciphersuites](https://www.vaultproject.io/docs/configuration/listener/tcp.html#tls_prefer_server_cipher_suites) | - -### OS Distribution Variables + +### `vault_version` + +- version to install - can be overridden with `VAULT_VERSION` environment variable +- Default value: *0.7.0* + +### `vault_pkg` + +- package filename +- Default value: `"vault_{{ vault_version }}_linux_amd64.zip"` + +### `vault_zip_url` + +- Package download URL +- Default value: `"https://releases.hashicorp.com/vault/{{ vault_version }}/vault_{{ vault_version }}_linux_amd64.zip"` + +### `vault_checksum_file_url` + +- SHA summaries URL +- Default value: `"https://releases.hashicorp.com/vault/{{ vault_version }}/vault_{{ vault_version}}_SHA256SUMS"` + +### `vault_bin_path` + +- Binary installation path +- Default value: `/usr/local/bin` + +### `vault_config_path` + +- Configuration file path +- Default value: `/etc/vault.d` + +### `vault_data_path` + +- Data path +- Default value: `/var/vault` + +### `vault_log_path` + +- Log path - (not yet implemented) +- Default value: `/var/log/vault` + +### `vault_run_path` + +- PID file location +- Default value: `/var/run/vault` + +### `vault_user` + +- OS user name +- Default value: *vault* + +### `vault_group` + +- OS group name +- Default value: *bin* + +### `vault_group_name` + +- Inventory group name +- Default value: `cluster_nodes` + +### `vault_cluster_name` + +- Cluster name label +- Default value: *dc1* + +### `vault_datacenter` + +- Datacenter label +- Default value: *dc1* + +### `vault_consul` + +- host:port value for connecting to Consul HA backend +- Default value: *127.0.0.1:8500* + +### `vault_consul_path` + +- Name of Vault's Consul K/V root path +- Default value: *vault* + +### `vault_log_level` + +- [Log level](https://www.consul.io/docs/agent/options.html#_log_level) + - Supported values: trace, debug, info, warn, err +- Default value: *info* + +### `vault_syslog_enable` + +- Log to syslog (not yet 
impemented) +- Default value: *true* + +### `vault_iface` + +- Network interface can be overridden with `VAULT_IFACE` environment variable +- Default value: `eth1` + +### `vault_address` + +- Primary network interface address to use +- Default value: `"{{ hostvars[inventory_hostname]['ansible_eth1']['ipv4']['address'] }}"` + +### `vault_redirect_addr` + +- [HA Client Redirect address](https://www.vaultproject.io/docs/concepts/ha.html#client-redirection) +- Default value: `"{{ hostvars[inventory_hostname]['ansible_'+vault_iface]['ipv4']['address'] }}"` + +### `vault_port` + +- TCP port number to on which to listen +- Default value: *8200* + +### `vault_node_name` + +- Short node name +- Default value: `"{{ inventory_hostname_short }}"` + +### `vault_main_config` + +- Main configuration file name (full path) +- Default value: `"{{ vault_config_path }}/vault_main.hcl"` + +### `vault_primary_node` + +- Active node FQDN +- Default value: `"{{hostvars[groups['primary'][0]]['ansible_fqdn']}}"` + +### `vault_backend` + +- Backend template filename +- Default value: `backend_consul.j2` + +### `vault_cluster_address` + +- Address for intra-cluster communication +- Default value: `"{{ hostvars[inventory_hostname]['ansible_'+vault_iface]['ipv4']['address'] }}"` + +### `vault_cluster_disable` + +- Disable HA clustering +- Default value: *false* + +### `vault_tls_config_path` + +- Path to TLS certificate and key +- Default value `/etc/vault/tls` + +### `vault_tls_disable` + +- [Disable TLS](https://www.vaultproject.io/docs/configuration/listener/tcp.html#tls_disable) +- Default value: *1* + +### `vault_tls_cert_file` + +- [Vault TLS certificate file path](https://www.vaultproject.io/docs/configuration/listener/tcp.html#tls_cert_file) +- Default value: None + +### `vault_tls_cert_file_dest` + +- Vault TLS certificate destination (full path) +- Default value: `"{{ vault_config_path }}/vault.crt" # /etc/pki/tls/certs/vault.crt` + +### `vault_tls_key_file` + +- [Vault TLS key file 
path](https://www.vaultproject.io/docs/configuration/listener/tcp.html#tls_key_file) +- Default value: None + +### `vault_tls_key_file_dest` + +- Vault TLS key destination (full path) +- Default value: `"{{ vault_config_path }}/vault.key"` + +### `vault_tls_min_version` + +- [Minimum acceptable TLS version](https://www.vaultproject.io/docs/configuration/listener/tcp.html#tls_min_version) can be overridden with `VAULT_TLS_MIN_VERSION` environment variable +- Default value: *tls12* + +### `vault_tls_cipher_suites` + +- [Comma-separated list of supported ciphersuites](https://www.vaultproject.io/docs/configuration/listener/tcp.html#tls_cipher_suites) +- Default value: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA" + +### `vault_tls_prefer_server_cipher_suites` + +- [Prefer server's cipher suite over client cipher suite](https://www.vaultproject.io/docs/configuration/listener/tcp.html#tls_prefer_server_cipher_suites) can be overridden by `VAULT_TLS_PREFER_SERVER_CIPHER_SUITES` environment variable +- Default value: *false* + +## OS Distribution Variables The `consul` binary works on most Linux platforms and is not distribution specific. 
However, some distributions require installation of specific OS packages with different naming, so this role was built with support for popular Linux distributions and defines these variables to deal with the -differences acros distros: - -| Name | Default Value | Description | -| -------------- | ------------- | -----------------------------------| -| `vault_pkg` | `{{ vault_version }}_linux_amd64.zip` | Vault package filename | -| `vault_centos_url` | `{{ vault_zip_url }}` | Vault package download URL | -| `vault_sha256` | SHA256 SUM | Vault download SHA256 summary | -| `vault_centos_os_packages` | list | List of OS packages to install | -| `vault_pkg` | `{{ vault_version }}_linux_amd64.zip` | Vault package filename | -| `vault_debian_url` | `{{ vault_zip_url }}` | Vault package download URL | -| `vault_sha256` | SHA256 SUM | Vault download SHA256 summary | -| `vault_debian_os_packages` | list | List of OS packages to install | -| `vault_pkg` | `{{ vault_version }}_linux_amd64.zip` | Vault package filename | -| `vault_redhat_url` | `{{ vault_zip_url }}` | Vault package download URL | -| `vault_sha256` | SHA256 SUM | Vault download SHA256 summary | -| `vault_redhat_os_packages` | list | List of OS packages to install | -| `vault_pkg` | `{{ vault_version }}_linux_amd64.zip` | Vault package filename | -| `vault_ubuntu_url` | `{{ vault_zip_url }}` | Vault package download URL | -| `vault_sha256` | SHA256 SUM | Vault download SHA256 summary | -| `vault_ubuntu_os_packages` | list | List of OS packages to install | +differences across distributions: + + +### `vault_pkg` + +- Vault package filename +- Default value: `{{ vault_version }}_linux_amd64.zip` + +### `vault_centos_url` + +- Vault package download URL +- Default value: `{{ vault_zip_url }}` + +### `vault_sha256` + +- Vault download SHA256 summary +- Default value: SHA256 SUM + +### `vault_centos_os_packages` + +- List of OS packages to install +- Default value: list + +### `vault_pkg` + +- Vault package filename 
+- Default value: `"{{ vault_version }}_linux_amd64.zip"`
+
+### `vault_debian_url`
+
+- Vault package download URL
+- Default value: `"{{ vault_zip_url }}"`
+
+### `vault_sha256`
+
+- Vault download SHA256 summary
+- Default value: SHA256 SUM
+
+### `vault_debian_os_packages`
+
+- List of OS packages to install
+- Default value: list
+
+### `vault_pkg`
+
+- Vault package filename
+- Default value: `"{{ vault_version }}_linux_amd64.zip"`
+
+### `vault_redhat_url`
+
+- Vault package download URL
+- Default value: `"{{ vault_zip_url }}"`
+
+### `vault_sha256`
+
+- Vault package SHA256 summary
+- Default value: SHA256 SUM
+
+### `vault_redhat_os_packages`
+
+- List of OS packages to install
+- Default value: list
+
+### `vault_pkg`
+
+- Vault package filename
+- Default value: `"{{ vault_version }}_linux_amd64.zip"`
+
+### `vault_ubuntu_url`
+
+- Vault package download URL
+- Default value: `"{{ vault_zip_url }}"`
+
+### `vault_sha256`
+
+- Vault package SHA256 summary
+- Default value: SHA256 SUM
+
+### `vault_ubuntu_os_packages`
+
+- List of OS packages to install
+- Default value: list
 
 ## Dependencies
diff --git a/defaults/main.yml b/defaults/main.yml
index 07123c21..3b52c942 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -13,7 +13,7 @@ vault_run_path: /var/run/vault
 vault_user: vault
 vault_group: bin
 vault_group_name: cluster_nodes
-vault_cluster_name: sutakku
+vault_cluster_name: dc1
 vault_datacenter: dc1
 vault_consul: 127.0.0.1:8500
 vault_consul_path: vault
@@ -29,11 +29,19 @@ vault_primary_node: "{{hostvars[groups['primary'][0]]['ansible_fqdn']}}"
 vault_backend: vault_backend_consul.j2
 vault_cluster_disable: false
 vault_cluster_address: "{{ hostvars[inventory_hostname]['ansible_'+vault_iface]['ipv4']['address'] }}"
-vault_tls_disable: 1
-vault_tls_cert_file: "../files/dummy.crt"
-vault_tls_cert_file_dest: "{{ vault_config_path }}/vault.crt" # /etc/pki/tls/certs/vault.crt
-vault_tls_key_file: "../files/dummy.key"
-vault_tls_key_file_dest: "{{ vault_config_path }}/vault.key" # "/etc/pki/tls/private/vault.key"
-vault_tls_min_version: tls12
-vault_tls_cipher_suites:
-vault_tls_prefer_server_cipher_suites: false
+
+## TLS
+
+vault_tls_config_path: /etc/vault/tls
+vault_tls_disable: "{{ lookup('env','VAULT_TLS_DISABLE') | default(1, true) }}"
+vault_tls_cert_file: "../files/{{ vault_node_name.crt }}"
+# /etc/pki/tls/certs/vault.crt is distribution-specific/not a good default
+# a distribution-specific play to link into expected destination is preferred
+vault_tls_cert_file_dest: "{{ vault_tls_config_path }}/vault.crt"
+vault_tls_key_file: "../files/{{ vault_node_name.key }}"
+# "/etc/pki/tls/private/vault.key" is distribution-specific/not a good default
+# a distribution-specific play to link into expected destination is preferred
+vault_tls_key_file_dest: "{{ vault_tls_config_path }}/vault.key"
+vault_tls_min_version: "{{ lookup('env','VAULT_TLS_MIN_VERSION') | default("tls12") }}"
+vault_tls_cipher_suites: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA"
+vault_tls_prefer_server_cipher_suites: "{{ lookup('env','VAULT_TLS_PREFER_SERVER_CIPHER_SUITES') | default("false") }}"
diff --git a/examples/README_VAGRANT.md b/examples/README_VAGRANT.md
index 43cae70e..5db21a01 100644
--- a/examples/README_VAGRANT.md
+++ b/examples/README_VAGRANT.md
@@ -89,7 +89,7 @@ BOX_NAME="centos/7" vagrant up
 1. This project functions with the following software versions:
 
   * Vault version 0.7.0
-  * Ansible: 2.2.1.0
+  * Ansible: 2.2.2.0
   * VirtualBox version 5.1.18
   * Vagrant version 1.9.3
   * Vagrant Hosts version 2.8.0
diff --git a/tasks/install.yml b/tasks/install.yml
index 23fd7e8e..93c76de5 100644
--- a/tasks/install.yml
+++ b/tasks/install.yml
@@ -77,7 +77,8 @@
   become: no
   connection: local
   file:
-    dest: "{{ role_path }}/files/vault*"
+    path: "{{ item }}"
     state: absent
+  with_fileglob: "{{ role_path }}/files/vault"
   run_once: true
   tags: installation
diff --git a/tasks/main.yml b/tasks/main.yml
index 74cf9a0d..ed1ae68f 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -21,7 +21,7 @@
     msg: "{{ ansible_distribution_version }} is not an acceptable version of {{ ansible_distribution }} for this role"
   when: ansible_distribution == "Ubuntu" and ansible_distribution_version|version_compare(13.04, '<')
 
-- name: Create cluster groupings
+- name: Create cluster grouping
   group_by:
     key: "os_{{ ansible_os_family }}"
 
@@ -36,7 +36,7 @@
     group: "{{ vault_group }}"
     system: yes
 
-- name: Include OS-specific variables.
+- name: Include OS-specific variables
   include_vars: "{{ ansible_os_family }}.yml"
 
 - name: Install OS packages
@@ -61,7 +61,7 @@
   include: ../tasks/tls.yml
   when: vault_tls_disable == 0
 
-- name: Vault listener configuration
+- name: Listener configuration
   template:
     src: vault_listener.hcl.j2
     dest: "{{ vault_main_config }}"
@@ -87,7 +87,7 @@
     mode: 0755
   when: not ansible_service_mgr == "systemd" and ansible_os_family == "Debian" and not ansible_os_family == "FreeBSD" and not ansible_os_family == "Solaris"
 
-- name: systemd script
+- name: systemd unit
   template:
     src: vault_systemd.service.j2
     dest: /lib/systemd/system/vault.service
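Review bot: Two of the new TLS defaults cannot be parsed and two more do not expand as intended. `vault_tls_min_version` and `vault_tls_prefer_server_cipher_suites` wrap `default("tls12")` / `default("false")` inside a double-quoted YAML scalar, so the inner quotes terminate the scalar and the whole defaults file fails to load; they also omit the `true` second argument that `vault_tls_disable` correctly uses, so with the env var unset `lookup('env', …)` yields an empty string that `default` leaves alone and the listener would get `tls_min_version = ""`. `vault_tls_cert_file` / `vault_tls_key_file` write `{{ vault_node_name.crt }}`, which is attribute access on a string rather than concatenation, so the source path renders as `../files/` (or fails on an undefined attribute) instead of `../files/<node>.crt`. I would also confirm that `when: vault_tls_disable == 0` in tasks/main.yml still matches now that the value arrives through a template and an env lookup rather than as the literal `1`.
```yaml
vault_tls_cert_file: "../files/{{ vault_node_name }}.crt"
# … unchanged: vault_tls_cert_file_dest and its comments …
vault_tls_key_file: "../files/{{ vault_node_name }}.key"
# … unchanged: vault_tls_key_file_dest and its comments …
vault_tls_min_version: "{{ lookup('env', 'VAULT_TLS_MIN_VERSION') | default('tls12', true) }}"
# … unchanged: vault_tls_cipher_suites …
vault_tls_prefer_server_cipher_suites: "{{ lookup('env', 'VAULT_TLS_PREFER_SERVER_CIPHER_SUITES') | default('false', true) }}"
```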
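Review bot: The new `with_fileglob` pattern `{{ role_path }}/files/vault` has no wildcard, so it matches only a file literally named `vault`; the downloaded `vault_<version>_linux_amd64.zip` and `vault_<version>_SHA256SUMS` that the old `files/vault*` path was meant to remove are left on the control host. Restore the wildcard: `with_fileglob: "{{ role_path }}/files/vault*"`. The task's `name` line and anything above `become: no` sit outside the hunk, so I could not check whether `run_once` together with `connection: local` is guarded the way the cleanup expects.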
diff --git a/tasks/tls.yml b/tasks/tls.yml
index a1ee14f8..bf8bed0d 100644
--- a/tasks/tls.yml
+++ b/tasks/tls.yml
@@ -15,5 +15,3 @@
     - src: "{{ vault_tls_key_file }}"
       dest: "{{ vault_tls_key_file_dest }}"
       mode: "0600"
-  # These checks fail even though there are no values for the vars
-  when: vault_tls_cert_file is defined and vault_tls_key_file is defined
diff --git a/templates/vault_backend_consul.j2 b/templates/vault_backend_consul.j2
index f10d830d..8c871a4f 100644
--- a/templates/vault_backend_consul.j2
+++ b/templates/vault_backend_consul.j2
@@ -2,6 +2,7 @@ backend "consul" {
   address = "{{ vault_consul }}"
+  datacenter = "{{ vault_datacenter }}"
   path = "vault"
   redirect_addr = "http://{{ vault_redirect_addr }}:{{ vault_port }}"
   cluster_addr = "http://{{ vault_cluster_address }}:{{ _vault_plus_one_port }}"
diff --git a/templates/vault_listener.hcl.j2 b/templates/vault_listener.hcl.j2
index 40c3b91d..029a2e35 100644
--- a/templates/vault_listener.hcl.j2
+++ b/templates/vault_listener.hcl.j2
@@ -11,11 +11,11 @@ listener "tcp" {
 ) %}
   tls_cert_file = "{{ vault_tls_cert_file_dest }}"
   tls_key_file = "{{ vault_tls_key_file_dest }}"
-  tls_min_version = "{{ vault_tls_min_version | default("tls12") }}" # default "tls12"
+  tls_min_version = "{{ vault_tls_min_version }}"
 {% if vault_tls_cipher_suites is defined and vault_tls_cipher_suites %}
   tls_cipher_suites = "{{ vault_tls_cipher_suites}}"
 {% endif %}
-  tls_prefer_server_cipher_suites = "{{ vault_tls_prefer_server_cipher_suites | default("false") }}" # default "false"
+  tls_prefer_server_cipher_suites = "{{ vault_tls_prefer_server_cipher_suites }}"
 {% else %}
   tls_disable = "true"
 {% endif %}
diff --git a/version.txt b/version.txt
index 65c670ff..ec7b9678 100644
--- a/version.txt
+++ b/version.txt
@@ -1 +1 @@
-v1.3.12
+v1.4.0
\ No newline at end of file
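Review bot: Dropping the `when` guard makes the certificate and key copy unconditional whenever TLS is enabled, which is acceptable fail-fast behaviour, but the key item only sets `mode: "0600"` and no `owner`/`group` is visible in this hunk; the `copy` task's header is outside the hunk, so if it does not set `owner: "{{ vault_user }}"` the key ends up root-owned and unreadable by the account the Vault service runs as. If the old guard was meant to skip when the variables are empty strings rather than undefined (the removed comment suggests that was the failure mode), `when: vault_tls_cert_file | length > 0 and vault_tls_key_file | length > 0` expresses that without silently skipping a misconfigured node. Either way, a short comment on the task saying that a missing source file is an intentional hard failure would save the next reader from re-adding the guard.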
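Review bot: `redirect_addr` and `cluster_addr`, the context lines directly below the added `datacenter`, are hard-coded to `http://`, so once `vault_tls_disable` is 0 the standby nodes advertise a plaintext redirect address to clients of a listener that only speaks TLS. Derive the scheme from the same variable, e.g. `redirect_addr = "{{ 'http' if vault_tls_disable | int == 1 else 'https' }}://{{ vault_redirect_addr }}:{{ vault_port }}"`, and do the same for `cluster_addr` for consistency (I believe Vault forces TLS on the cluster port regardless, but the template should not suggest otherwise). Separately, `path = "vault"` ignores the documented `vault_consul_path` variable; `path = "{{ vault_consul_path }}"` would honour it.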
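Review bot: With `| default("false")` gone, `tls_prefer_server_cipher_suites` is rendered verbatim from `vault_tls_prefer_server_cipher_suites`, whose shipped default in this change is `false`; combined with the default `vault_tls_cipher_suites` list, which still ends in `TLS_RSA_*_CBC_SHA` suites (no forward secrecy, SHA-1 MAC), the client's ordering decides the suite and can settle on the weakest entry. Either default the variable to `true` or trim the list to the ECDHE/GCM entries, and add a template comment such as `{# server preference matters: the default suite list keeps legacy TLS_RSA/CBC suites for old clients #}`. The same removal means an empty `vault_tls_min_version` (which the new env lookup yields when the variable is unset) renders as `tls_min_version = ""`, which I would expect Vault to reject at startup rather than fall back to tls12. Minor: `{{ vault_tls_cipher_suites}}` is missing the space before the closing braces.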