Update to 2022-09-06 18:00

2025-07-27 00:05:44 +02:00 · 2022-09-06 18:00:22 +02:00
parent ac46e06fb3
commit 382804b568
33 changed files with 311 additions and 113 deletions
--- a/roles/vault/tasks/conf.yml
+++ b/roles/vault/tasks/conf.yml
@@ -22,3 +22,20 @@
 - name: Setup logrotate
  template: src=logrotate.conf.j2 dest=/etc/logrotate.d/vault
  tags: vault
+
+- when: vault_secrets.nomad.enabled
+  block:
+
+    - name: Deploy the consul-template conf
+      template: src=consul-template.hcl.j2 dest={{ vault_root_dir }}/consul-template/consul-template.hcl
+      notify: restart consul-template-vault
+
+    - name: Deploy Nomad certificate bundle template for consul-template
+      template: src=nomad_client_bundle.json.tpl.j2 dest={{ vault_root_dir }}/consul-template/nomad_client_bundle.json.tpl
+      notify: restart consul-template-vault
+
+    - name: Deploy the update cert hook
+      template: src=update_nomad_cert.j2 dest={{ vault_root_dir }}/bin/update_nomad_cert mode=755
+      notify: restart consul-template-vault
+
+  tags: vault
--- a/roles/vault/tasks/directories.yml
+++ b/roles/vault/tasks/directories.yml
@@ -44,4 +44,5 @@
      owner: root
      group: "{{ vault_user }}"
      mode: 750
+    - dir: consul-template
  tags: vault
--- a/roles/vault/tasks/install.yml
+++ b/roles/vault/tasks/install.yml
@@ -6,6 +6,7 @@
      - tar
      - zstd
      - unzip
+      - jq
  tags: vault

 - when: vault_install_mode != 'none'
@@ -48,9 +49,16 @@
  notify: restart vault
  tags: vault

+- name: Install consul-template unit
+  template: src=consul-template-vault.service.j2 dest=/etc/systemd/system/consul-template-vault.service
+  notify: restart consul-template-vault
+  when: vault_secrets.nomad.enabled
+  register: vault_secrets_nomad_unit
+  tags: vault
+
 - name: Reload systemd
  systemd: daemon_reload=True
-  when: vault_unit.changed
+  when: vault_unit.changed or (vault_secrets_nomad_unit is defined and vault_secrets_nomad_unit.changed)
  tags: vault

 - name: Install dehydrated hook
@@ -65,3 +73,4 @@
    dest: /etc/profile.d/vault.sh
    mode: 0755
  tags: vault
+
--- a/roles/vault/tasks/services.yml
+++ b/roles/vault/tasks/services.yml
@@ -4,3 +4,10 @@
  service: name=vault state=started enabled=True
  register: vault_service_started
  tags: vault
+
+- name: Handle consul-template-vault service
+  service:
+    name: consul-template-vault
+    state: "{{ vault_secrets.nomad.enabled | ternary('started', 'stopped') }}"
+    enabled: "{{ vault_secrets.nomad.enabled | ternary(True, False) }}"
+  tags: vault