authorTristan Weil2019-03-28 14:59:13 +0100
committerTristan Weil2019-04-18 15:10:01 +0200
commit0032a5e5622fe3b43e624bcf37723021698240f3 (patch)
tree60483c6e9197b6b2d76160111f0e8fe73151aced
parent74e803f348bd7236090ef8da5ca21590263c60cf (diff)
Remove the hashi_vault lookup and use Ansible roles to retrieve secrets
-rw-r--r--Project_Install.yml34
-rw-r--r--inventories/t18s.fr/group_vars/all/caddy.yml2
-rw-r--r--inventories/t18s.fr/group_vars/all/hashi_vault.yml5
-rw-r--r--inventories/t18s.fr/group_vars/all/vault.yml15
-rw-r--r--inventories/t18s.fr/group_vars/repository/ssl_caa.yml2
-rw-r--r--requirements_galaxy.yml20
-rw-r--r--requirements_pip.txt3
7 files changed, 72 insertions, 9 deletions
diff --git a/Project_Install.yml b/Project_Install.yml
index 584a07a..b2aed7c 100644
--- a/Project_Install.yml
+++ b/Project_Install.yml
@@ -5,6 +5,23 @@
#
###################################################
+# Vault
+###################################################
+- hosts: 127.0.0.1
+ name: '!!!!!!!!!! Get Vault Token !!!!!!!!!!'
+ connection: local
+ become: False
+
+ roles:
+ - role: t18s.fr_vault_auth_userpass
+
+ - role: t18s.fr_vault_secret_kv1
+
+ tags:
+ - always
+ - Project::repository::vault
+
+###################################################
# repository
###################################################
- hosts: repository
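Review bot: `become: False` in the new "Get Vault Token" play uses a capitalised boolean; `become: false` is the canonical YAML 1.2 form and is what yamllint's `truthy` rule expects, and the same spelling appears in the revoke play at the end of the file. This play is also the only source of `_vault_data` for every later play (via `hostvars['127.0.0.1']`), and the `always` tag does not protect it from a host limit, so a run with `--limit repository` — if that is ever used here — would skip it and leave `_vault_data` undefined at the first secret reference. A comment above the play would make that dependency visible: `# Must not be excluded by --limit: later plays read secrets from hostvars['127.0.0.1'].` The `hosts: repository` play that follows continues outside this hunk.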
@@ -39,3 +56,20 @@
tags:
- Project::repository::ssh_keygen
+
+###################################################
+# Vault
+###################################################
+- hosts: 127.0.0.1
+ name: '!!!!!!!!!! Revoke Vault Token !!!!!!!!!!'
+ connection: local
+ become: False
+
+ roles:
+ - role: t18s.fr_vault_auth_token
+ vault_auth_token_step: revoke
+ vault_auth_token_vault_token: "{{ vault_auth_current_token }}"
+
+ tags:
+ - always
+ - Project::repository::vault
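Review bot: The "Revoke Vault Token" play only executes when every play before it succeeds, so any failure in the repository play leaves the userpass-issued token valid until its own TTL expires; Ansible has no cross-play `finally`, and the `always` tag does not change this. The practical mitigations are to request a short TTL at login if the userpass role exposes that setting (I cannot see the role here), and to record the gap in a comment above the play: `# Not reached if an earlier play fails; revoke the token manually (or rely on its TTL) after a failed run.` `become: False` should be `become: false`, as in the first play.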
diff --git a/inventories/t18s.fr/group_vars/all/caddy.yml b/inventories/t18s.fr/group_vars/all/caddy.yml
index 8722dff..e63504e 100644
--- a/inventories/t18s.fr/group_vars/all/caddy.yml
+++ b/inventories/t18s.fr/group_vars/all/caddy.yml
@@ -4,7 +4,7 @@ caddy_dns_provider: gandiv5
caddy_main_instance_envs:
- name: GANDIV5_API_KEY
- value: "{{ lookup('hashi_vault', 'url={{ hashi_vault_url }} {{ hashi_vault_cx }} secret=secret/v1/common/gandi')['v5_api_key'] }}"
+ value: "{{ _vault_data['v1/common/gandi']['v5_api_key'] }}"
caddy_artifact_options:
os: linux
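Review bot: `_vault_data['v1/common/gandi']['v5_api_key']` is resolved lazily, so a missing `v5_api_key` field in the Vault document surfaces as a templating error at the first use inside the caddy role rather than at fetch time, and the same applies to the identical expression in the `ssl_caa.yml` hunk. If the secret-reading play can host a check, an `assert` on the presence of that key right after the `t18s.fr_vault_secret_kv1` role would fail early with a clear message; presumably the caddy role turns this list into a service environment, so it is also worth confirming that the task rendering it runs with `no_log` so the key does not land in play output.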
diff --git a/inventories/t18s.fr/group_vars/all/hashi_vault.yml b/inventories/t18s.fr/group_vars/all/hashi_vault.yml
deleted file mode 100644
index d35352b..0000000
--- a/inventories/t18s.fr/group_vars/all/hashi_vault.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-
-hashi_vault_url: "http://127.0.0.1:8200"
-# hashi_vault_cx: "auth_method=userpass username={{ hashi_vault_username }} password={{ hashi_vault_password }}"
-hashi_vault_cx: "mount_point=secret token={{ hashi_vault_token }}"
diff --git a/inventories/t18s.fr/group_vars/all/vault.yml b/inventories/t18s.fr/group_vars/all/vault.yml
new file mode 100644
index 0000000..129934d
--- /dev/null
+++ b/inventories/t18s.fr/group_vars/all/vault.yml
@@ -0,0 +1,15 @@
+---
+
+vault_auth_userpass_vault_url: http://127.0.0.1:8200
+vault_auth_userpass_vault_path: userpass
+vault_auth_userpass_username: "{{ my_vault_username }}"
+vault_auth_userpass_password: "{{ my_vault_password }}"
+
+vault_secret_kv1_vault_url: http://127.0.0.1:8200
+vault_secret_kv1_vault_path: secret
+vault_secret_kv1_vault_token: "{{ vault_auth_current_token }}"
+vault_secret_kv1_secrets:
+ - v1/common/gandi
+vault_secret_kv1_step: read
+
+_vault_data: "{{ hostvars['127.0.0.1']['vault_secret_kv1_current_data'] }}"
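Review bot: The Vault address `http://127.0.0.1:8200` is written twice, once for `vault_auth_userpass_vault_url` and once for `vault_secret_kv1_vault_url`; defining it once, e.g. `my_vault_url: 'http://127.0.0.1:8200'`, and using `"{{ my_vault_url }}"` in both keys keeps the login and the secret read from drifting to different servers. Because both plays use `connection: local`, this loopback address means the Vault agent or server on the controller, which a comment on the first key should say. If the address is ever changed from loopback to a network host, the userpass password and the token in this file would travel in cleartext unless the scheme becomes `https`, so the comment could also note that a non-loopback URL must use TLS.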
diff --git a/inventories/t18s.fr/group_vars/repository/ssl_caa.yml b/inventories/t18s.fr/group_vars/repository/ssl_caa.yml
index 3ea234f..4d5844e 100644
--- a/inventories/t18s.fr/group_vars/repository/ssl_caa.yml
+++ b/inventories/t18s.fr/group_vars/repository/ssl_caa.yml
@@ -2,7 +2,7 @@
ssl_caa_dns_provider: gandi
ssl_caa_dns_provider_api_protocol: rest
-ssl_caa_dns_provider_auth_token: "{{ lookup('hashi_vault', 'url={{ hashi_vault_url }} {{ hashi_vault_cx }} secret=secret/v1/common/gandi')['v5_api_key'] }}"
+ssl_caa_dns_provider_auth_token: "{{ _vault_data['v1/common/gandi']['v5_api_key'] }}"
ssl_caa_domains:
- "{{ inventory_hostname }}"
diff --git a/requirements_galaxy.yml b/requirements_galaxy.yml
index c709689..bd45ced 100644
--- a/requirements_galaxy.yml
+++ b/requirements_galaxy.yml
@@ -59,3 +59,23 @@
version: master
scm: git
name: t18s.fr_ssl_caa
+
+- src: https://git.t18s.fr/ansible/syslog.git
+ version: master
+ scm: git
+ name: t18s.fr_syslog
+
+- src: https://git.t18s.fr/ansible/vault_auth_token.git
+ version: master
+ scm: git
+ name: t18s.fr_vault_auth_token
+
+- src: https://git.t18s.fr/ansible/vault_auth_userpass.git
+ version: master
+ scm: git
+ name: t18s.fr_vault_auth_userpass
+
+- src: https://git.t18s.fr/ansible/vault_secret_kv1.git
+ version: master
+ scm: git
+ name: t18s.fr_vault_secret_kv1 \ No newline at end of file
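Review bot: All four new roles are pinned to `version: master`, so each `ansible-galaxy install` pulls whatever that branch currently contains, and a later push to any of those repositories silently changes code that handles Vault credentials on the controller; pinning to a tag or commit, `version: <PINNED_TAG_OR_SHA>` (placeholder), makes the install reproducible and reviewable. The existing entries above use the same moving pin, so this is a file-wide concern rather than one introduced here. The `t18s.fr_syslog` role is added although the commit title mentions only the Vault change — presumably intentional, but it deserves a line in the message. The file now also ends without a trailing newline.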
diff --git a/requirements_pip.txt b/requirements_pip.txt
index 702e6d2..c30ddaa 100644
--- a/requirements_pip.txt
+++ b/requirements_pip.txt
@@ -1,3 +1,2 @@
ansible
-jmespath
-hvac \ No newline at end of file
+jmespath \ No newline at end of file