Update to 2024-10-24 12:00

roles/consul/templates/pre-backup.j2

@@ -10,6 +10,8 @@ if [ -e /etc/profile.d/consul.sh ]; then
 fi
 {% if consul_conf.acl.enabled and consul_backup_token is defined %}
 export CONSUL_HTTP_TOKEN={{ consul_backup_token }}
+# Give some time for the token to be replicated (if obtained from vault)
+sleep 0.1
 {% endif %}
 {% endif %}
 consul snapshot save -append-filename version,dc,node,status {{ consul_root_dir }}/backup/consul.snap

roles/nomad/templates/pre-backup.j2

@@ -11,6 +11,8 @@ if [ -e /etc/profile.d/nomad.sh ]; then
 fi
 {% if nomad_conf.acl.enabled and nomad_backup_token is defined %}
 export NOMAD_TOKEN={{ nomad_backup_token }}
+# Give some time for the token to be replicated (if obtained from vault)
+sleep 0.1
 {% endif %}
 {% endif %}
 /usr/local/bin/nomad operator snapshot save {{ nomad_root_dir }}/backup/nomad.snap

roles/vault/tasks/install.yml

@@ -1,5 +1,11 @@
 ---
 
+- name: Install dependencies
+  package:
+    name:
+      - jq
+  tags: vault
+
 - name: Deploy systemd service unit
   template: src=vault.service.j2 dest=/etc/systemd/system/vault.service
   register: vault_unit

roles/vault/templates/pre-backup.j2

@@ -7,5 +7,8 @@ if [ -e /etc/profile.d/vault.sh ]; then
   source /etc/profile.d/vault.sh
 fi
 export VAULT_TOKEN={{ vault_backup_token }}
+# Direct snapshot requ to the active leader, see
+# https://support.hashicorp.com/hc/en-us/articles/22097624571155-Vault-snapshot-save-fails-with-message-Error-taking-snapshot-incomplete-snapshot-unable-to-read-SHA256SUMS-sealed-file
+export VAULT_ADDR=$(vault status -format json | jq -r .leader_address)
 vault operator raft snapshot save {{ vault_root_dir }}/backup/vault.snap
 {% endif %}

roles/vault_agent/templates/nomad/nomad.hcl.j2

@@ -12,6 +12,16 @@ template {
 }
 {% endif %}
 
+{% if nomad_conf.server.enabled %}
+template {
+  source          = "{{ vault_agent_root_dir }}/templates/nomad/vault.env.tpl"
+  destination     = "/run/nomad/vault_config.env"
+  left_delimiter  = "[["
+  right_delimiter = "]]"
+  perms           = 0640
+}
+{% endif %}
+
 {% if vault_agent_nomad.nomad_pki.enabled %}
 template {
   source          = "{{ vault_agent_root_dir }}/templates/nomad/agent_bundle.pem.tpl"

roles/vault_agent/templates/nomad/update_nomad_cert.sh.j2

@@ -13,9 +13,9 @@ elif [ "$(echo ${VAULT_STATUS} | jq .initialized)" != "true" ]; then
   echo "Vault is not initialized yet, exiting"
 else
   echo Updating Vault certificate to access Nomad API
-  if [ -z "${VAULT_TOKEN}" -a -e /run/nomad/vault.env ]; then
+  if [ -z "${VAULT_TOKEN}" -a -e /run/nomad/vault_config.env ]; then
     echo "Using VAULT_TOKEN from Nomad agent"
-    export $(cat /run/nomad/vault.env)
+    export $(cat /run/nomad/vault_config.env)
   fi
   vault write {{ vault_agent_nomad.nomad_pki.cli.secret_path | default('nomad') }}/config/access \
     ca_cert="$(cat {{ nomad_root_dir }}/tls/ca.crt)" \