diff --git a/roles/consul/templates/pre-backup.j2 b/roles/consul/templates/pre-backup.j2
index 748d4f3..f54631d 100644
--- a/roles/consul/templates/pre-backup.j2
+++ b/roles/consul/templates/pre-backup.j2
@@ -10,6 +10,8 @@ if [ -e /etc/profile.d/consul.sh ]; then
 fi
 {% if consul_conf.acl.enabled and consul_backup_token is defined %}
 export CONSUL_HTTP_TOKEN={{ consul_backup_token }}
+# Give some time for the token to be replicated (if obtained from vault)
+sleep 0.1
 {% endif %}
 {% endif %}
 consul snapshot save -append-filename version,dc,node,status {{ consul_root_dir }}/backup/consul.snap
diff --git a/roles/nomad/templates/pre-backup.j2 b/roles/nomad/templates/pre-backup.j2
index 9668df1..35c107d 100644
--- a/roles/nomad/templates/pre-backup.j2
+++ b/roles/nomad/templates/pre-backup.j2
@@ -11,6 +11,8 @@ if [ -e /etc/profile.d/nomad.sh ]; then
 fi
 {% if nomad_conf.acl.enabled and nomad_backup_token is defined %}
 export NOMAD_TOKEN={{ nomad_backup_token }}
+# Give some time for the token to be replicated (if obtained from vault)
+sleep 0.1
 {% endif %}
 {% endif %}
 /usr/local/bin/nomad operator snapshot save {{ nomad_root_dir }}/backup/nomad.snap
diff --git a/roles/vault/tasks/install.yml b/roles/vault/tasks/install.yml
index 51bb656..ba8ece4 100644
--- a/roles/vault/tasks/install.yml
+++ b/roles/vault/tasks/install.yml
@@ -1,5 +1,11 @@
 ---
+- name: Install dependencies
+ package:
+ name:
+ - jq
+ tags: vault
+
 - name: Deploy systemd service unit
 template: src=vault.service.j2 dest=/etc/systemd/system/vault.service
 register: vault_unit
diff --git a/roles/vault/templates/pre-backup.j2 b/roles/vault/templates/pre-backup.j2
index 687b088..1218155 100644
--- a/roles/vault/templates/pre-backup.j2
+++ b/roles/vault/templates/pre-backup.j2
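Review bot: The added `sleep 0.1` before `{% endif %}` does not establish that the token is usable; it only delays the snapshot by a fixed 100 ms, so a slower replication still produces the same failure, just less often, and the identical `sleep 0.1` in roles/nomad/templates/pre-backup.j2 has the same problem. A bounded readiness probe is more robust than a fixed delay, e.g. `for _ in 1 2 3 4 5; do consul acl token read -self >/dev/null 2>&1 && break; sleep 1; done` in place of the sleep, with the equivalent `nomad acl token self` probe in the Nomad template. The comment should also say which mechanism the wait is for, since `(if obtained from vault)` leaves the reader guessing, e.g. `# The token may have been issued by Vault moments ago; wait until this server's ACL replication has it before taking the snapshot`. The surrounding shell `if` and the outer `{% if %}` both start above the hunk.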
@@ -7,5 +7,8 @@ if [ -e /etc/profile.d/vault.sh ]; then
 source /etc/profile.d/vault.sh
 fi
 export VAULT_TOKEN={{ vault_backup_token }}
+# Direct snapshot requ to the active leader, see
+# https://support.hashicorp.com/hc/en-us/articles/22097624571155-Vault-snapshot-save-fails-with-message-Error-taking-snapshot-incomplete-snapshot-unable-to-read-SHA256SUMS-sealed-file
+export VAULT_ADDR=$(vault status -format json | jq -r .leader_address)
 vault operator raft snapshot save {{ vault_root_dir }}/backup/vault.snap
 {% endif %}
diff --git a/roles/vault_agent/templates/nomad/nomad.hcl.j2 b/roles/vault_agent/templates/nomad/nomad.hcl.j2
index 77cdb72..be264e9 100644
--- a/roles/vault_agent/templates/nomad/nomad.hcl.j2
+++ b/roles/vault_agent/templates/nomad/nomad.hcl.j2
@@ -12,6 +12,16 @@ template {
 }
 {% endif %}
+{% if nomad_conf.server.enabled %}
+template {
+ source = "{{ vault_agent_root_dir }}/templates/nomad/vault.env.tpl"
+ destination = "/run/nomad/vault_config.env"
+ left_delimiter = "[["
+ right_delimiter = "]]"
+ perms = 0640
+}
+{% endif %}
+
 {% if vault_agent_nomad.nomad_pki.enabled %}
 template {
 source = "{{ vault_agent_root_dir }}/templates/nomad/agent_bundle.pem.tpl"
diff --git a/roles/vault_agent/templates/nomad/update_nomad_cert.sh.j2 b/roles/vault_agent/templates/nomad/update_nomad_cert.sh.j2
index a55abcc..f2f2e49 100644
--- a/roles/vault_agent/templates/nomad/update_nomad_cert.sh.j2
+++ b/roles/vault_agent/templates/nomad/update_nomad_cert.sh.j2
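Review bot: `export VAULT_ADDR=$(vault status -format json | jq -r .leader_address)` discards the outcome of the command substitution, so when the local node is sealed or unreachable VAULT_ADDR is silently set to an empty string (or to the literal `null` when the field is absent) and the following `vault operator raft snapshot save` runs against whatever address the CLI then falls back to instead of failing early. Assign, check and export in separate steps: `leader_addr=$(vault status -format json | jq -r '.leader_address // empty')`, `[ -n "${leader_addr}" ] || { echo "cannot determine Vault leader address" >&2; exit 1; }`, `export VAULT_ADDR="${leader_addr}"`. Without `set -o pipefail` the pipeline's status is jq's alone, so the non-empty check is what actually catches a failed `vault status`, and the `// empty` keeps `null` from ever reaching the export. The comment typo `requ` should read `request`. The enclosing `{% if %}` starts above the hunk.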
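Review bot: The new `template` block renders a Vault token that roles/vault_agent/templates/nomad/update_nomad_cert.sh.j2 later exports from `/run/nomad/vault_config.env`, and `perms = 0640` only protects it if the file's group is the one meant to read it; the stanza sets no owner, so the file is created with the Vault Agent process's identity, and if that differs from the consumer's the mode either denies the reader or has to be widened later. Either document the expected ownership next to `perms`, e.g. `# rendered with the agent's uid/gid; read by the Nomad server via update_nomad_cert.sh, keep it group-readable only`, or set owner parameters on the block where the agent version supports them. The `nomad_conf.server.enabled` guard presumably means client-only nodes never get this file and fall through to the existing `-e` check in the shell script, which is worth stating in the same comment.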
@@ -13,9 +13,9 @@ elif [ "$(echo ${VAULT_STATUS} | jq .initialized)" != "true" ]; then
 echo "Vault is not initialized yet, exiting"
 else
 echo Updating Vault certificate to access Nomad API
- if [ -z "${VAULT_TOKEN}" -a -e /run/nomad/vault.env ]; then
+ if [ -z "${VAULT_TOKEN}" -a -e /run/nomad/vault_config.env ]; then
 echo "Using VAULT_TOKEN from Nomad agent"
- export $(cat /run/nomad/vault.env)
+ export $(cat /run/nomad/vault_config.env)
 fi
 vault write {{ vault_agent_nomad.nomad_pki.cli.secret_path | default('nomad') }}/config/access \
 ca_cert="$(cat {{ nomad_root_dir }}/tls/ca.crt)" \
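Review bot: `export $(cat /run/nomad/vault_config.env)` on the new line keeps the unquoted command substitution, so the file's contents are word-split and glob-expanded before `export` sees them; a value containing whitespace or `*` is broken apart, and the rename the commit makes does not change that. Reading the file line by line keeps each KEY=VALUE intact: `while IFS= read -r kv; do [ -z "$kv" ] || export "$kv"; done < /run/nomad/vault_config.env`. The test on the rewritten `if` line still uses `-a`, which POSIX marks obsolescent; `[ -z "${VAULT_TOKEN}" ] && [ -e /run/nomad/vault_config.env ]` is the unambiguous form. The `if`/`elif`/`else` chain this sits in starts above the hunk and continues below it.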