Add vault playbooks

Author: k-s-dean

etc/kayobe/ansible/overcloud-update-trust-store.yml

@@ -0,0 +1,15 @@
+---
+- name: Install CA into system trust store
+  hosts: seed:overcloud
+  tasks:
+    - name: Copy the rootCA
+      copy:
+        content: |
+          {{ secrets_vault_root_cert }}
+        dest: "{{ '/etc/pki/ca-trust/source/anchors/rootCA.crt' if ansible_os_family == 'RedHat' else '/usr/local/share/ca-certificates/rootCA.crt' }}"
+        mode: 0600
+      become: true
+
+    - name: update system CA
+      become: true
+      shell: "{{ 'update-ca-trust' if ansible_os_family == 'RedHat' else 'update-ca-certificates' }}"

etc/kayobe/ansible/vault-seed-deploy.yml

@@ -0,0 +1,78 @@
+---
+- name: Run hashicorp-vault role seed
+  any_errors_fatal: true
+  gather_facts: true
+  hosts: seed
+  vars:
+    # Consul and Vault Server Options
+    consul_bind_interface: "{{ ansible_default_ipv4.interface }}"
+    consul_bind_ip: "{{ admin_oc_net_ips[ansible_hostname] }}"
+    consul_vip_address: "{{ admin_oc_net_ips[ansible_hostname] }}"
+    vault_bind_address: "{{ admin_oc_net_ips[ansible_hostname] }}"
+    vault_api_addr: "http://{{ admin_oc_net_ips[ansible_hostname] }}:8200"
+    vault_config_dir: "/opt/kayobe/vault"
+    vault_cluster_name: "vault_{{ lookup('env', 'KAYOBE_ENVIRONMENT') }}"
+    vault_vip_url: "{{ admin_oc_net_ips[ansible_hostname] }}"
+    # Vault initalise keys
+    vault_write_keys_file: true
+    vault_write_keys_file_host: localhost
+    vault_write_keys_file_path: "{{ lookup('env', 'KAYOBE_CONFIG_PATH') }}/environments/{{ lookup('env', 'KAYOBE_ENVIRONMENT') }}/keys.json"
+
+  tasks:
+    - name: Set a fact about the virtualenv on the remote system
+      set_fact:
+        virtualenv: "{{ ansible_python_interpreter | dirname | dirname }}"
+      when:
+        - ansible_python_interpreter is defined
+        - not ansible_python_interpreter.startswith('/bin/')
+        - not ansible_python_interpreter.startswith('/usr/bin/')
+
+    - name: Ensure Python hvac module is installed
+      pip:
+        name: hvac
+        state: latest
+        virtualenv: "{{ virtualenv is defined | ternary(virtualenv, omit) }}"
+      become: "{{ virtualenv is not defined }}"
+
+    - import_role:
+        name: stackhpc.hashicorp.vault
+
+    - name: "Collect the vault keys"
+      slurp:
+        src: "{{ vault_write_keys_file_path }}"
+      delegate_to: localhost
+      register: vault_keys
+      when:
+        - secrets_vault_keys is not defined
+
+    - name: "Delete the vault keys from the file system"
+      file:
+        path: "{{ vault_write_keys_file_path }}"
+        state: absent
+      delegate_to: localhost
+      when: not vault_keys.skipped | default('false') | bool
+
+    - name: Set Vault keys
+      set_fact:
+        new_secrets:
+          secrets_vault_keys: "{{ vault_keys.content| b64decode | from_json | to_nice_json(indent=2) }}"
+      when:
+        - secrets_vault_keys is not defined
+
+    - name: Touch vault-secrets.yml
+      file:
+        path: "{{ lookup('env', 'KAYOBE_CONFIG_PATH') }}/environments/staging/vault-secrets.yml"
+        state: touch
+        mode: 0660
+      delegate_to: localhost
+      when:
+        - new_secrets is defined
+
+    - name: "Store vault keys securely"
+      copy:
+        content: |
+          {{ new_secrets | to_nice_yaml(default_style='|', explicit_start=True) }}
+        dest: "{{ lookup('env', 'KAYOBE_CONFIG_PATH') }}/environments/staging/vault-secrets.yml"
+      delegate_to: localhost
+      when:
+        - new_secrets is defined

etc/kayobe/ansible/vault-seed-gen-certs.yml

@@ -0,0 +1,103 @@
+- name: Run hashicorp-vault role seed
+  any_errors_fatal: true
+  gather_facts: true
+  hosts: seed
+  vars:
+    # Consul and Vault Server Options
+    vault_api_addr: "http://{{ admin_oc_net_ips[ansible_hostname] }}:8200"
+    vault_vip_url: "{{ admin_oc_net_ips[ansible_hostname] }}"
+    vault_keys: "{{ secrets_vault_keys | from_json }}"
+
+    # Root CA Options
+    vault_pki_root_create: false
+    vault_pki_root_ca_name: "arcus-{{ lookup('env', 'KAYOBE_ENVIRONMENT') }}-internal-tls-root"
+
+    # Intermediate CA Options
+    vault_pki_intermediate_create: false
+    vault_pki_intermediate_ca_name: "arcus-{{ lookup('env', 'KAYOBE_ENVIRONMENT') }}-internal-tls-int"
+
+    # Certificate options
+    vault_pki_generate_certificates: True
+    vault_pki_write_certificate_files: True
+    vault_pki_certificates_directory: "{{ lookup('env', 'KAYOBE_CONFIG_PATH') }}/environments/{{ lookup('env', 'KAYOBE_ENVIRONMENT') }}/"
+    vault_pki_generate_pulp_cert: true
+    # Certificates to create
+    # Add additional certificates here
+    # e.g.
+    #vault_pki_certificate_subject:
+    #  - role: 'ClientServer'
+    #    common_name: "seed-tls-cert-test"
+    #    extra_params:
+    #      ttl: "8760h"
+    #      ip_sans: "{{ admin_oc_net_ips[ansible_hostname] }}"
+    #      alt_sans: "{{ admin_oc_net_ips[ansible_hostname] }}"
+
+
+  tasks:
+    - name: Set a fact about the virtualenv on the remote system
+      set_fact:
+        virtualenv: "{{ ansible_python_interpreter | dirname | dirname }}"
+      when:
+        - ansible_python_interpreter is defined
+        - not ansible_python_interpreter.startswith('/bin/')
+        - not ansible_python_interpreter.startswith('/usr/bin/')
+
+    - name: Unseal vault
+      vars:
+        vault_unseal_keys: "{{ vault_keys.keys_base64 }}"
+      import_role:
+        name: stackhpc.hashicorp.vault_unseal
+      when:
+        - vault_keys is defined
+
+    - name: Add the Pulp certificate attributes
+      vars:
+        pulp_cert:
+          - role: 'ClientServer'
+            common_name: "seed-tls-cert"
+            extra_params:
+              ttl: "8760h"
+              ip_sans: "{{ admin_oc_net_ips[ansible_hostname] }}"
+              alt_sans: "{{ admin_oc_net_ips[ansible_hostname] }}"
+      set_fact:
+        vault_pki_certificate_subject: "{{ vault_pki_certificate_subject | d([]) + [vault_pki_certificate_subject|combine(item)] }}"
+      loop:
+        - "{{ pulp_cert }}"
+      when:
+        - vault_pki_generate_pulp_cert | bool and secrets_pulp_tls_cert is not defined
+
+    - name: Create Certificates
+      vars:
+        vault_token: "{{ vault_keys.root_token }}"
+      import_role:
+        name: stackhpc.hashicorp.vault_pki
+      when:
+        - vault_pki_certificate_subject != none
+
+    - name: Set facts about pulp certificate and key
+      vars:
+        cert_name: "{{ item.item.common_name if item.item.common_name | length > 0 else item.item.extra_params.ip_sans }}"
+      set_fact:
+        new_secrets:
+          secrets_pulp_tls_cert: |
+            {{ item.data.certificate }}
+            {{ item.data.issuing_ca }}
+          secrets_pulp_tls_key: |
+            {{ item.data.private_key }}
+      loop: "{{ certificate_data.results }}"
+      when:
+        - vault_pki_generate_pulp_cert | bool and secrets_pulp_tls_cert is not defined
+        - item.item.common_name == 'seed-tls-cert'
+
+    - name: "Add to vault secrets"
+      blockinfile:
+        content: |
+          {{ new_secrets | to_nice_yaml(default_style='|') }}
+        dest: "{{ vault_pki_certificates_directory }}vault-secrets.yml"
+        marker: ""
+        marker_begin: ""
+        marker_end: ""
+        insertafter: "EOF"
+        mode: 0660
+      delegate_to: localhost
+      when: vault_pki_generate_pulp_cert | bool and secrets_pulp_tls_cert is not defined

etc/kayobe/ansible/vault-seed-gen-roots.yml

@@ -0,0 +1,108 @@
+---
+- name: Run hashicorp-vault role seed
+  any_errors_fatal: true
+  gather_facts: true
+  hosts: seed
+  vars:
+    # Consul and Vault Server Options
+    vault_api_addr: "http://{{ admin_oc_net_ips[ansible_hostname] }}:8200"
+    vault_vip_url: "{{ admin_oc_net_ips[ansible_hostname] }}"
+    vault_keys: "{{ secrets_vault_keys | from_json }}"
+
+    # Root CA Options
+    vault_pki_root_create: true
+    vault_pki_root_ca_name: "arcus-{{ lookup('env', 'KAYOBE_ENVIRONMENT') }}-internal-tls-root"
+    vault_pki_root_ca_common_name: "{{ vault_pki_root_ca_name }}"
+    vault_pki_write_root_ca_to_file: true
+    vault_pki_certificates_directory: "{{ lookup('env', 'KAYOBE_CONFIG_PATH') }}/environments/{{ lookup('env', 'KAYOBE_ENVIRONMENT') }}/"
+    vault_pki_root_default_lease_ttl: "43830h"
+    vault_pki_root_max_lease_ttl: "43830h"
+    vault_pki_root_ttl: "43830h"
+    vault_pki_root_key_bits: 4096
+
+    # Intermediate CA Options
+    vault_pki_intermediate_create: true
+    vault_pki_intermediate_import: false
+    vault_pki_intermediate_export: false
+    vault_pki_intermediate_ca_name: "arcus-{{ lookup('env', 'KAYOBE_ENVIRONMENT') }}-internal-tls-int"
+    vault_pki_intermediate_ca_common_name: "{{ vault_pki_intermediate_ca_name }}"
+    vault_pki_intermediate_default_lease_ttl: "43830h"
+    vault_pki_intermediate_max_lease_ttl: "43830h"
+    vault_pki_intermediate_ttl: "43830h"
+    vault_pki_intermediate_key_bits: 4096
+
+    # Certificate Roles to Create
+    vault_pki_intermediate_roles:
+      - name: 'ClientServer'
+        config:
+          max_ttl: "8760h"
+          ttl: "8760h"
+          require_cn: false
+          allow_localhost: true
+          allow_any_name: true
+          allow_ip_sans: true
+          server_flag: true
+          client_flag: true
+          key_type: rsa
+          key_bits: 4096
+          country: ["GB"]
+          locality: ["England"]
+          organization: ["arcus"]
+          ou: ["ops"]
+
+  tasks:
+    - name: Set a fact about the virtualenv on the remote system
+      set_fact:
+        virtualenv: "{{ ansible_python_interpreter | dirname | dirname }}"
+      when:
+        - ansible_python_interpreter is defined
+        - not ansible_python_interpreter.startswith('/bin/')
+        - not ansible_python_interpreter.startswith('/usr/bin/')
+
+    - name: Unseal vault
+      vars:
+        vault_unseal_keys: "{{ vault_keys.keys_base64 }}"
+      import_role:
+        name: stackhpc.hashicorp.vault_unseal
+
+    - name: Generate Roots
+      vars:
+        vault_token: "{{ vault_keys.root_token }}"
+      import_role:
+        name: stackhpc.hashicorp.vault_pki
+
+    - name: "Collect the root Cert"
+      slurp:
+        src: "{{vault_pki_certificates_directory}}{{vault_pki_root_ca_name}}.pem"
+      delegate_to: localhost
+      register: vault_root
+      when:
+        - secrets_vault_root_cert is not defined
+
+    - name: "Delete the root cert from the file system"
+      file:
+        path: "{{ vault_pki_certificates_directory }}{{vault_pki_root_ca_name}}.pem"
+        state: absent
+      delegate_to: localhost
+      when: not vault_root.skipped | default('false') | bool
+
+    - name: Set root cert
+      set_fact:
+        new_secrets:
+          secrets_vault_root_cert: "{{ vault_root.content| b64decode }}"
+      when:
+        - secrets_vault_root_cert is not defined
+
+    - name: add vault secrets
+      blockinfile:
+        content: |
+          {{ new_secrets | to_nice_yaml(default_style='|') }}
+        dest: "{{vault_pki_certificates_directory}}vault-secrets.yml"
+        marker: ""
+        marker_begin: ""
+        marker_end: ""
+        insertafter: "EOF"
+        mode: 0660
+      delegate_to: localhost
+      when:
+        - new_secrets is defined

requirements.txt

@@ -1 +1,3 @@
 kayobe@git+https://github.com/stackhpc/kayobe@stackhpc/yoga
+ansible-modules-hashivault==4.7.1
+hvac