Vault agent role for ansible #10
Conversation
Co-authored-by: Thomas Gaudin <[email protected]>
roles/vault_agent/tasks/main.yml
Outdated
| - name: Copy retrieving_cert.tmpl | ||
| ansible.builtin.template: | ||
| src: retrieving_cert.tmpl.j2 | ||
| dest: /root/vault_agent_certificat/retrieving_cert.tmpl |
There was a problem hiding this comment.
It may be a good idea to change the template variable delimiters for this task so we don't have to escape all the {{ and }} in the retrieving_cert.tmpl file. This can be achieved by adding the following line : variable_start_string: << (see variable_start_string)
| @@ -0,0 +1,10 @@ | |||
| {{ '{{' }}with secret "secret/certificat-web"{{ '}}' }} | |||
| {{ '{{' }} index .Data.data "privkey.pem" | writeToFile "{{vault_agent_certificate_directory}}/privkey.pem" "" "" "0400"{{ '}}' }} | |||
There was a problem hiding this comment.
e.g. with the delimiters << and >>
| {{ '{{' }} index .Data.data "privkey.pem" | writeToFile "{{vault_agent_certificate_directory}}/privkey.pem" "" "" "0400"{{ '}}' }} | |
| {{ index .Data.data "privkey.pem" | writeToFile "<< vault_agent_certificate_directory>>/privkey.pem" "" "" "0400"}} |
| perms = "0600" | ||
|
|
||
| exec { | ||
| command = {{vault_agent_command | tojson}} |
There was a problem hiding this comment.
@nymous suggested renaming the variable vault_agent_command to something more descriptive, such as service_reload_command, to make its purpose clearer. Additionally, a comment could be added to explain the expected structure or functionality of the command.
Changign variables string in templates Clearer variable name and comments for reload command
|
|
||
| [Service] | ||
| Type=notify | ||
| WorkingDirectory=/root/vault_agent_certificat |
There was a problem hiding this comment.
| WorkingDirectory=/root/vault_agent_certificat | |
| WorkingDirectory=/root/vault_agent_certificates |
Just to be consistent ^^
And when you have a path that is repeated in many places (here and in tasks.yml), you can create a default variable (in roles/vault_agent/defaults/main.yml) and reuse it everywhere, e.g.
vault_agent_working_directory: /root/vault_agent_certificates| perms = "0600" | ||
|
|
||
| exec { | ||
| command = {{service_reload_command | tojson}} {# to reload the service after retrieving the certificate #} |
There was a problem hiding this comment.
| command = {{service_reload_command | tojson}} {# to reload the service after retrieving the certificate #} | |
| // command used to to reload the service after retrieving the certificate, in the form of ["binary", "arg1", "arg2"] | |
| command = {{ vault_agent_service_reload_command | tojson }} |
Also I found out that since we did this last year, the command is deprecated and replaced with exec 😅 https://developer.hashicorp.com/vault/docs/agent-and-proxy/agent/template#command
There was a problem hiding this comment.
If I am not mistaken the parameter command is not used directly but as a parameter of exec. Thus, I think this way of doing is not deprecated https://developer.hashicorp.com/vault/docs/agent-and-proxy/agent/template#exec
There was a problem hiding this comment.
Mondays are hard... You are right, sorry 😅
| - name: Intall Vault | ||
| ansible.builtin.apt: | ||
| update_cache: true | ||
| name: | ||
| - vault |
There was a problem hiding this comment.
Maybe not for this PR as our needs are simple and Vault-Agent should be mostly compatible with any version of Vault server (https://developer.hashicorp.com/vault/docs/agent-and-proxy/agent/versions), but at some point we might want to pin a specific version of packages, especially Vault since it's a critical part of our infrastructure and we should check changelogs and ensure backups before upgrades.
The Ansible docs hint at vault=1.18.2 for example, however this doesn't prevent someone on the server from running apt update && apt upgrade and installing a different version, as this does not pin it for apt itself.
The surefire way to pin a version is to create a /etc/apt/preferences.d/vault.pref:
Explanation: Ansible - Vault pinning
Package: vault
Pin: version 1.18.2-*
Pin-Priority: 1000Pinned Vault package Created working directory default variable
This Ansible role may be used to deploy automatic retrieving of SSL certificate on Vault. --------- Co-authored-by: Thomas Gaudin <[email protected]>
This Ansible role may be used to deploy automatic retrieving of SSL certificate on Vault.