secret-engine pki update

marcelvenema · Dec 4, 2023 · 1e43d42 · 1e43d42
1 parent f8139a6
commit 1e43d42
Show file tree

Hide file tree

Showing 14 changed files with 215 additions and 15 deletions.
diff --git a/BACKLOG.md b/BACKLOG.md
@@ -41,7 +41,6 @@
 - Vault service in podman start niet automatisch na reboot. 
 
 - Configuratie van update action.
-- Configuratie van destroy_secret_engine action.
 - Configuratie van destroy_secret action.
 - Configuratie van get_policy action.
 - Configuratie van destroy_policy action.

diff --git a/inventory/hosts.yml b/inventory/hosts.yml
@@ -6,6 +6,6 @@ ansible_host:
 lab_server:
   hosts:
     # 192.168.11.20 # 11 LAB
-    192.168.29.21 # 29 LAB
-    # 192.168.29.21 # 29 TST 
+    # 192.168.29.21 # 29 LAB
+     192.168.11.22 # 11 TST 
     # 192.168.178.107 # TFLab
diff --git a/roles/gogs/tasks/install.yml b/roles/gogs/tasks/install.yml
@@ -109,6 +109,11 @@
         repository_tag: "latest"
       when: repository_tag is not defined or repository_tag == "" or repository_tag == none
 
+    # Show information message
+    - name: Show information message
+      ansible.builtin.debug:
+        msg: "Download container image from registry, this may take a while..."
+
     # Pull image from repository to local image repository. If failed, lookup local image file.
     - name: Pull Gogs container image from repository
       containers.podman.podman_image:

diff --git a/roles/mysql/tasks/install.yml b/roles/mysql/tasks/install.yml
@@ -110,6 +110,11 @@
       when:
         - repository_tag is not defined or repository_tag == "" or repository_tag == none
 
+    # Show information message
+    - name: Show information message
+      ansible.builtin.debug:
+        msg: "Download container image from registry, this may take a while..."
+
     # Pull image from repository to local image repository. If failed, lookup local image file.
     - name: "Pull MySQL container image from repository {{ repository_url}}:{{ repository_tag }}"
       containers.podman.podman_image:

diff --git a/roles/nexus_repository/tasks/install.yml b/roles/nexus_repository/tasks/install.yml
@@ -108,6 +108,11 @@
         repository_tag: "latest"
       when: repository_tag is not defined or repository_tag == "" or repository_tag == none
 
+    # Show information message
+    - name: Show information message
+      ansible.builtin.debug:
+        msg: "Download container image from registry, this may take a while..."
+
     # Pull image from repository to local image repository. If failed, lookup local image file.
     - name: "Pull Nexus container image from repository {{ repository_url }}:{{ repository_tag }}"
       containers.podman.podman_image:

diff --git a/roles/semaphore/tasks/install.yml b/roles/semaphore/tasks/install.yml
@@ -123,6 +123,11 @@
         repository_tag: "latest"
       when: repository_tag is not defined or repository_tag == "" or repository_tag == none
 
+    # Show information message
+    - name: Show information message
+      ansible.builtin.debug:
+        msg: "Download container image from registry, this may take a while..."
+
     # Pull image from repository to local image repository. If failed, lookup local image file.
     - name: Pull Semaphore container image from repository
       containers.podman.podman_image:

diff --git a/roles/server_config_linux/tasks/auto_update.yml b/roles/server_config_linux/tasks/auto_update.yml
@@ -4,6 +4,11 @@
 ## Installation                                        ##
 #########################################################
 
+# Debug messg
+- name: Show message
+  ansible.builtin.debug:
+    msg: "Install auto update packages, this may take a while..."
+
 # Install cockpit packages
 - name: Install auto update package
   ansible.builtin.package:
@@ -13,7 +18,7 @@
 
 # Enable auto update service
 # https://access.redhat.com/solutions/2823901
-- name: Make sure a service unit is running
+- name: Enable auto-update service
   ansible.builtin.systemd:
     enabled: true
     state: started

diff --git a/roles/server_config_linux/tasks/configure_vault.yml b/roles/server_config_linux/tasks/configure_vault.yml
@@ -23,7 +23,7 @@
 
 
 #########################################################
-## Configuration                                       ##
+## Configuration Vault KV                              ##
 #########################################################
 
 # Clear variable, be sure it is not used from a previous run.
@@ -59,3 +59,32 @@
     vault_name: "{{ ansible_fqdn | replace('.', '-') }}"
     secret_name: "{{ ansible_fqdn | replace('.', '-') }}"
     secret_keyvalue: "{ 'admin_username': '{{ admin_username }}', 'admin_password': '{{ admin_password }}', 'admin_email': '{{ admin_email }}' }"
+
+#########################################################
+## Configuration Vault PKI                             ##
+#########################################################
+
+# Clear variable, be sure it is not used from a previous run.
+- name: Clear variable vault_name
+  ansible.builtin.set_fact:
+    vault_name: ""
+  no_log: true
+
+# Clear variable, be sure it is not used from a previous run.
+- name: Clear variable vault_description
+  ansible.builtin.set_fact:
+    vault_description: ""
+  no_log: true
+
+# Create secret engine
+- name: Create secret engine
+  ansible.builtin.include_role:
+    name: vault
+    tasks_from: secret_engine.yml
+  vars:
+    action: create_secret_engine
+    vault_address: "http://192.168.11.22:8200"
+    vault_token: "hvs.5XYaP4XJwdV5FqeJpQalQRXr"
+    vault_name: "certificates"
+    vault_description: "Certificates secrets store"
+    vault_type: "pki"
diff --git a/roles/vault/tasks/install.yml b/roles/vault/tasks/install.yml
@@ -149,6 +149,11 @@
         repository_tag: "latest"
       when: repository_tag is not defined or repository_tag == "" or repository_tag == none
 
+    # Show information message
+    - name: Show information message
+      ansible.builtin.debug:
+        msg: "Download container image from registry, this may take a while..."
+
     # Pull image from repository to local image repository. If failed, lookup local image file.
     - name: "Pull Vault container image from repository {{ repository_url}}:{{ repository_tag }}"
       containers.podman.podman_image:

diff --git a/roles/vault/tasks/secret_engine.yml b/roles/vault/tasks/secret_engine.yml
@@ -31,3 +31,7 @@
   ansible.builtin.include_tasks: secret_engine_pki.yml
   when: vault_type == 'pki'
 
+# include task if vault_type is pki
+- name: Include SSH Secret Engine
+  ansible.builtin.include_tasks: secret_engine_ssh.yml
+  when: vault_type == 'ssh'
diff --git a/roles/vault/tasks/secret_engine_kv.yml b/roles/vault/tasks/secret_engine_kv.yml
@@ -72,7 +72,6 @@
       loop: 
         - vault_name
         - vault_description
-        - vault_type
 
     # Create Hashicorp secrets engine via api. Authenticate with vault_token.
     - name: Create Hashicorp secrets engine via api
@@ -109,6 +108,12 @@
       loop: 
         - vault_name
 
-    # Stop playbook
-    - name: Stop playbook
-      ansible.builtin.meta: end_play
+    # Destroy Hashicorp secrets engine via api. Authenticate with vault_token.
+    - name: "Destroy Hashicorp secrets engine {{ vault_name }}"
+      ansible.builtin.uri:
+        url: "{{ vault_address }}/v1/sys/mounts/{{ vault_name }}"
+        validate_certs: false
+        method: DELETE
+        status_code: 204
+        headers:
+          X-Vault-Token: "{{ vault_token }}"
diff --git a/roles/vault/tasks/secret_engine_pki.yml b/roles/vault/tasks/secret_engine_pki.yml
@@ -72,7 +72,6 @@
       loop: 
         - vault_name
         - vault_description
-        - vault_type
 
     # Create Hashicorp secrets engine via api. Authenticate with vault_token.
     - name: Create Hashicorp secrets engine via api
@@ -87,8 +86,9 @@
         body:
           type: pki
           description: "{{ vault_description }}"
-          options:
-            version: 2
+          config:
+            max_lease_ttl: "87600h"
+            default_lease_ttl: "87600h"
 
 #########################################################
 ## Destroy PKI Secrets engine                           ##
@@ -109,6 +109,12 @@
       loop: 
         - vault_name
 
-    # Stop playbook
-    - name: Stop playbook
-      ansible.builtin.meta: end_play
+    # Destroy Hashicorp secrets engine via api. Authenticate with vault_token.
+    - name: "Destroy Hashicorp secrets engine {{ vault_name }}"
+      ansible.builtin.uri:
+        url: "{{ vault_address }}/v1/sys/mounts/{{ vault_name }}"
+        validate_certs: false
+        method: DELETE
+        status_code: 204
+        headers:
+          X-Vault-Token: "{{ vault_token }}"
diff --git a/roles/vault/tasks/secret_engine_ssh.yml b/roles/vault/tasks/secret_engine_ssh.yml
@@ -0,0 +1,76 @@
+---
+
+#########################################################
+## Hashicorp Vault SSH Secret Engine module            ##
+#########################################################
+
+#########################################################
+## Get SSH Secrets engine                              ##
+#########################################################
+
+
+#########################################################
+## Create SSH Secrets engine                           ##
+#########################################################
+
+- name: Create Vault KV secret engine
+  when: action == 'create_secret_engine'
+  block:
+
+  # Validate variables
+    - name: Validate variables for Vault create_secret_engine action.
+      ansible.builtin.assert:
+        that: "{{ varitem }} is defined"
+        fail_msg: "Required variable '{{ varitem }}' has not been provided."
+        quiet: true
+      loop_control:
+        loop_var: varitem
+      loop: 
+        - vault_name
+        - vault_description
+
+    # Create Hashicorp secrets engine via api. Authenticate with vault_token.
+    - name: Create Hashicorp secrets engine via api
+      ansible.builtin.uri:
+        url: "{{ vault_address }}/v1/sys/mounts/{{ vault_name }}"
+        validate_certs: false
+        method: POST
+        status_code: 204
+        headers:
+          X-Vault-Token: "{{ vault_token }}"
+        body_format: json
+        body:
+          type: ssh
+          description: "{{ vault_description }}"
+
+
+
+
+#########################################################
+## Destroy KV Secrets engine                           ##
+#########################################################
+
+- name: Destroy Vault SSH secret engine
+  when: action == 'destroy_secret_engine'
+  block:
+
+  # Validate local variables
+    - name: Validate variables for Vault destroy_secret_engine action.
+      ansible.builtin.assert:
+        that: "{{ varitem }} is defined"
+        fail_msg: "Required variable '{{ varitem }}' has not been provided."
+        quiet: true
+      loop_control:
+        loop_var: varitem
+      loop: 
+        - vault_name
+
+    # Destroy Hashicorp secrets engine via api. Authenticate with vault_token.
+    - name: "Destroy Hashicorp secrets engine {{ vault_name }}"
+      ansible.builtin.uri:
+        url: "{{ vault_address }}/v1/sys/mounts/{{ vault_name }}"
+        validate_certs: false
+        method: DELETE
+        status_code: 204
+        headers:
+          X-Vault-Token: "{{ vault_token }}"
diff --git a/test.yml b/test.yml
@@ -0,0 +1,51 @@
+---
+
+- name: Playbook to test development
+  hosts: lab_server
+  tasks:
+
+
+
+
+  #########################################################
+  ## Configuration Vault PKI                             ##
+  #########################################################
+
+  # Clear variable, be sure it is not used from a previous run.
+  - name: Clear variable vault_name
+    ansible.builtin.set_fact:
+      vault_name: ""
+    no_log: true
+
+  # Clear variable, be sure it is not used from a previous run.
+  - name: Clear variable vault_description
+    ansible.builtin.set_fact:
+      vault_description: ""
+    no_log: true
+
+  # Create secret engine
+  - name: Create secret engine
+    ansible.builtin.include_role:
+      name: vault
+      tasks_from: secret_engine.yml
+    vars:
+      action: create_secret_engine
+      vault_address: "http://192.168.11.22:8200"
+      vault_token: "hvs.5XYaP4XJwdV5FqeJpQalQRXr"
+      vault_name: "certificates"
+      vault_description: "Certificates secrets store"
+      vault_type: "pki"
+
+  # Delete secret engine
+  - name: Delete secret engine
+    ansible.builtin.include_role:
+      name: vault
+      tasks_from: secret_engine.yml
+    vars:
+      action: destroy_secret_engine
+      vault_address: "http://192.168.11.22:8200"
+      vault_token: "hvs.5XYaP4XJwdV5FqeJpQalQRXr"
+      vault_name: "lab-marcelvenema-com"
+      vault_type: "kv"
+
+