Update to 2023-07-08 16:00

roles/vault_agent/defaults/main/consul.yml

@@ -0,0 +1 @@
+../../../consul/defaults/main.yml

roles/vault_agent/defaults/main/main.yml

@@ -0,0 +1,92 @@
+---
+
+vault_agent_root_dir: /opt/vault_agent
+
+# Address of the vault server
+vault_agent_vault_address: https://vault.service.consul
+
+# Type of authentication. Can be token or approle
+vault_agent_auth: approle
+
+# If auth is approle, you have to set vault_agent_approle_role_id and vault_agent_approle_secret_id
+# vault_agent_approle_role_id: XXXXX
+# vault_agent_approle_secret_id: XXXXXXX
+
+# If auth is token, you have to set vault_agent_token
+# vault_agent_token: XXXXX
+
+# List of sinks where the token can be written
+vault_agent_sinks: []
+# vault_agent_sinks:
+#   - path: /tmp/vault.token
+#     wrap_ttl: 20s
+#     mode: 600
+
+
+# List of templates
+vault_agent_templates: []
+# vault_agent_templates:
+#     # Use only one of source or contents
+#   - source: /srv/foo.tpl
+#     contents: "{{ with secret \"kv/bar\" }}{{.Data.data.baz}}{{ end }}"
+#     destination: /src/foo
+#     left_delimiter = "[["
+#     right_delimiter = "]]"
+#     perms: 0600
+#     exec:
+#       timeout: 30s
+#       command: systemctl restart foo.service
+
+vault_agent_nomad_base:
+  # Should vault-agent fetch a vault token for use by Nomad
+  vault_token:
+    enabled: False
+    role: nomad-{{ nomad_conf.server.enabled | ternary('server', 'client') }}
+
+  # Should vault-agent fetch certificates from vault for use by Nomad agent
+  nomad_pki:
+    enabled: False
+    path: pki/nomad
+    role: nomad-{{ nomad_conf.server.enabled | ternary('server', 'client') }}
+    ttl: 72h
+    # Vault can get a client certificate for administrative tasks
+    cli:
+      enabled: "{{ nomad_conf.server.enabled | ternary(True, False) }}"
+      role: nomad-user
+      ttl: 72h
+      # When renewing this cert, vault-agent can update nomad secret (so vault can connect to the Nomad API to manage tokens)
+      # secret_path: nomad
+
+  # Should vault-agent fetch a certificate to connect on Consul. This is required when using Consul Connect
+  # Even if a Consul agent is available on localhost with no TLS
+  consul_pki:
+    enabled: False
+    path: pki/consul
+    role: nomad-client # Only Nomad clients will use Consul PKI
+    ttl: 72h
+
+  # Should vault-agent fetch a consul token. It'll be used to register services in Consul service catalog
+  consul_token:
+    enabled: False
+    # The path of the consul secret engine
+    path: consul
+    # The role used to get the token
+    role: nomad-{{ nomad_conf.server.enabled | ternary('server', 'client') }}
+
+vault_agent_nomad_extra: {}
+vault_agent_nomad_host: {}
+vault_agent_nomad: "{{ vault_agent_nomad_base | combine(vault_agent_nomad_extra, recursive=True) | combine(vault_agent_nomad_host, recursive=True) }}"
+
+
+vault_agent_consul_base:
+  # Should vault-agent fetch certificates for Consul agent
+  consul_pki:
+    enabled: False
+    path: pki/consul
+    role: consul-{{ consul_conf.server | ternary('server', 'client') }}
+    ttl: 72h
+
+vault_agent_consul_extra: {}
+vault_agent_consul_host: {}
+vault_agent_consul: "{{ vault_agent_consul_base | combine(vault_agent_consul_extra, recursive=True) | combine(vault_agent_consul_host, recursive=True) }}"
+

roles/vault_agent/defaults/main/nomad.yml

@@ -0,0 +1 @@
+../../../nomad/defaults/main.yml

roles/vault_agent/handlers/main.yml

@@ -0,0 +1,4 @@
+---
+
+- name: restart vault-agent
+  service: name=vault-agent state=restarted

roles/vault_agent/meta/main.yml

@@ -0,0 +1,4 @@
+---
+
+dependencies:
+  - role: vault_bin

roles/vault_agent/tasks/conf.yml

@@ -0,0 +1,33 @@
+---
+
+- name: Deploy main configuration
+  template: src=vault-agent.hcl.j2 dest={{ vault_agent_root_dir }}/etc/vault-agent.hcl mode=0600
+  notify: restart vault-agent
+  tags: vault,consul,nomad
+
+- name: Deploy Nomad and Consul configuration
+  template: src={{ item }}/{{ item }}.hcl.j2 dest={{ vault_agent_root_dir }}/etc/{{ item }}.hcl
+  loop:
+    - nomad
+    - consul
+  notify: restart vault-agent
+  tags: vault,consul,nomad
+
+- name: Setup AppRole auth
+  block:
+    - copy: content={{ vault_agent_approle_role_id }} dest={{ vault_agent_root_dir }}/auth/role_id owner=root group=root mode=600
+    - copy: content={{ vault_agent_approle_secret_id }} dest={{ vault_agent_root_dir }}/auth/secret_id owner=root group=root mode=600
+    - file: path={{ vault_agent_root_dir }}/auth/token state=absent
+  when:
+    - vault_agent_auth == 'approle'
+  tags: nomad
+
+- name: Setup Token auth
+  block:
+    - copy: content={{ vault_agent_token }} dest={{ vault_agent_root_dir }}/auth/token owner=root group=root mode=640
+    - file: path={{ vault_agent_root_dir }}/auth/role_id state=absent
+    - file: path={{ vault_agent_root_dir }}/auth/secret_id state=absent
+  when:
+    - vault_agent_auth == 'token'
+  tags: nomad
+

roles/vault_agent/tasks/directories.yml

@@ -0,0 +1,18 @@
+---
+
+- name: Create needed directories
+  file: path={{ vault_agent_root_dir }}/{{ item.dir }} state=directory owner={{ item.owner | default(omit) }} group={{ item.group | default(omit) }} mode={{ item.mode | default(omit) }}
+  loop:
+    - dir: /
+      owner: root
+      group: root
+      mode: 755
+    - dir: etc
+      mode: 700
+    - dir: auth
+      mode: 700
+    - dir: bin
+    - dir: templates/nomad
+    - dir: templates/consul
+  tags: vault,consul,nomad
+

roles/vault_agent/tasks/install.yml

@@ -0,0 +1,47 @@
+---
+
+- name: Install systemd unit
+  template: src=vault-agent.service.j2 dest=/etc/systemd/system/vault-agent.service
+  register: vault_agent_unit
+  notify: restart vault-agent
+  tags: vault,consul,nomad
+
+- name: Install Nomad templates
+  template: src=nomad/{{ item }}.j2 dest={{ vault_agent_root_dir }}/templates/nomad/{{ item }}
+  loop:
+    - vault.env.tpl
+    - agent_bundle.pem.tpl
+    - cli_bundle.pem.tpl
+    - consul_bundle.pem.tpl
+    - consul.env.tpl
+  notify: restart vault-agent
+  tags: vault,consul,nomad
+
+- name: Install Consul templates
+  template: src=consul/{{ item }}.j2 dest={{ vault_agent_root_dir }}/templates/consul/{{ item }}
+  loop:
+    - agent_bundle.pem.tpl
+  notify: restart vault-agent
+  tags: vault,consul,nomad
+
+- name: Create tmpfile fragment
+  copy:
+    content: |
+      d /run/vault_agent 770 root root
+    dest: /etc/tmpfiles.d/vault-agent.conf
+  register: vault_tmpfiles
+  tags: vault,consul,nomad
+
+- name: Create tmpfiles
+  command: systemd-tmpfiles --create
+  when: vault_tmpfiles.changed
+  tags: vault,consul,nomad
+
+- name: Reload systemd
+  systemd: daemon_reload=True
+  when: vault_agent_unit.changed
+  tags: vault,consul,nomad
+
+- name: Install Nomad API access updater
+  template: src=nomad/update_nomad_cert.sh.j2 dest={{ vault_agent_root_dir }}/bin/update_nomad_cert.sh mode=755
+  tags: vault,consul,nomad

roles/vault_agent/tasks/main.yml

@@ -0,0 +1,13 @@
+---
+
+- include_tasks: directories.yml
+  tags: always
+
+- include_tasks: install.yml
+  tags: always
+
+- include_tasks: conf.yml
+  tags: always
+
+- include_tasks: services.yml
+  tags: always

roles/vault_agent/tasks/services.yml

@@ -0,0 +1,5 @@
+---
+
+- name: Start and enable vault-agent
+  service: name=vault-agent state=started enabled=True
+  tags: vault,nomad,consul

roles/vault_agent/templates/consul/agent_bundle.pem.tpl.j2

@@ -0,0 +1,13 @@
+{% if consul_conf.server %}
+[[ with pkiCert "{{ vault_agent_consul.consul_pki.path }}/issue/{{ vault_agent_consul.consul_pki.role }}" "common_name=server-{{ ansible_fqdn | regex_replace('\\.', '-') }}.{{ consul_conf.datacenter | default('dc1') }}.{{ consul_conf.domain | default('consul') }}" "alt_names=consul.service.{{ consul_conf.domain | default('consul') }},server.{{ consul_conf.datacenter | default('dc1') }}.{{ consul_conf.domain | default('consul') }}{% if consul_conf.alt_domain is defined %},consul.service.{{ consul_conf.alt_domain }},server.{{ consul_conf.datacenter | default('dc1') }}.{{ consul_conf.alt_domain }}{% endif %}"{% if vault_agent_consul.consul_pki.ttl is defined %} "ttl={{ vault_agent_consul.consul_pki.ttl }}"{% endif %} ]]
+[[ .CA ]]
+[[ .Cert ]]
+[[ .Key ]]
+[[ .Cert | writeToFile "{{ consul_conf.tls.defaults.cert_file }}" "root" "{{ consul_user }}" "0644" ]]
+[[ .Key | writeToFile "{{ consul_conf.tls.defaults.key_file }}" "root" "{{ consul_user }}" "0640" ]]
+[[ end ]]
+{% else %}
+[[ with secret "{{ vault_agent_consul.consul_pki.path }}/cert/ca_chain" ]]
+[[ .Data.certificate | writeToFile "{{ consul_conf.tls.defaults.ca_file }}" "root" "{{ consul_user }}" "0644" ]]
+[[ end ]]
+{% endif %}

roles/vault_agent/templates/consul/consul.hcl.j2

@@ -0,0 +1,12 @@
+{% if vault_agent_consul.consul_pki.enabled %}
+template {
+  source = "{{ vault_agent_root_dir }}/templates/consul/agent_bundle.pem.tpl"
+  destination = "{{ consul_root_dir }}/tls/agent_bundle.pem"
+  left_delimiter  = "[["
+  right_delimiter = "]]"
+  perms           = 0640
+  exec {
+    command = ["systemctl", "reload", "consul"]
+  }
+}
+{% endif %}

roles/vault_agent/templates/nomad/agent_bundle.pem.tpl.j2

@@ -0,0 +1,10 @@
+[[ with pkiCert "{{ vault_agent_nomad.nomad_pki.path }}/issue/{{ vault_agent_nomad.nomad_pki.role }}" "common_name={{ (nomad_conf.server.enabled) | ternary('server', 'client') }}-{{ ansible_fqdn | regex_replace('\\.', '-') }}.{{ nomad_conf.region | default('global') }}.nomad" "alt_names=localhost,{{ (nomad_conf.server.enabled) | ternary('server', 'client') }}.{{ nomad_conf.region | default('global') }}.nomad{% if nomad_conf.server.enabled and nomad_conf.client.enabled %},client.{{ nomad_conf.region | default('global') }}.nomad{% endif %}{% if consul_conf is defined %},nomad{{ nomad_conf.server.enabled | ternary('', '-client') }}.service.{{ consul_conf.domain | default('consul') }}{% if consul_conf is defined and consul_conf.alt_domain is defined %},nomad{{ nomad_conf.server.enabled | ternary('', '-client') }}.service.{{ consul_conf.alt_domain }}{% endif %}{% endif %}"{% if nomad_vault_secrets.pki.ttl is defined %} "ttl={{ vault_agent_nomad.nomad_pki.ttl }}"{% endif %} ]]
+[[ .CA ]]
+[[ .Cert ]]
+[[ .Key ]]
+[[ .Cert | writeToFile "{{ nomad_conf.tls.cert_file }}" "{{ nomad_user }}" "{{ nomad_user }}" "0644" ]]
+[[ .Key | writeToFile "{{ nomad_conf.tls.key_file }}" "{{ nomad_user }}" "{{ nomad_user }}" "0640" ]]
+[[ end ]]
+[[ with secret "{{ vault_agent_nomad.nomad_pki.path }}/cert/ca_chain" ]]
+[[ .Data.certificate | writeToFile "{{ nomad_conf.tls.ca_file }}" "{{ nomad_user }}" "{{ nomad_user }}" "0644" ]]
+[[ end ]]

roles/vault_agent/templates/nomad/cli_bundle.pem.tpl.j2

@@ -0,0 +1,6 @@
+[[ with pkiCert "{{ vault_agent_nomad.nomad_pki.path }}/issue/{{ vault_agent_nomad.nomad_pki.role }}" "common_name=cli-{{ ansible_fqdn | regex_replace('\\.', '-') }}.{{ nomad_conf.region | default('global') }}.nomad" ]]
+[[ .Cert ]]
+[[ .Key ]]
+[[ .Cert | writeToFile "{{ nomad_root_dir }}/tls/cli.crt" "{{ nomad_user }}" "{{ nomad_user }}" "0644" ]]
+[[ .Key | writeToFile "{{ nomad_root_dir }}/tls/cli.key" "{{ nomad_user }}" "{{ nomad_user }}" "0640" ]]
+[[ end ]]

roles/vault_agent/templates/nomad/consul.env.tpl.j2

@@ -0,0 +1,3 @@
+[[- with secret "{{ vault_agent_nomad.consul_token.path }}/creds/{{ vault_agent_nomad.consul_token.role }}" -]]
+CONSUL_HTTP_TOKEN=[[ .Data.token ]]
+[[- end -]]

roles/vault_agent/templates/nomad/consul_bundle.pem.tpl.j2

@@ -0,0 +1,10 @@
+[[ with pkiCert "{{ vault_agent_nomad.consul_pki.path }}/issue/{{ vault_agent_nomad.consul_pki.role }}" "common_name={{ ansible_fqdn | regex_replace('\\.', '-') }}.{{ (consul_conf is defined and consul_conf.domain is defined) | ternary(consul_conf.domain, 'consul') }}"{% if vault_agent_nomad.consul_pki.ttl is defined %} "ttl={{ vault_agent_nomad.consul_pki.ttl }}"{% endif %} ]]
+[[ .CA ]]
+[[ .Cert ]]
+[[ .Key ]]
+[[ .Cert | writeToFile "{{ nomad_conf.consul.cert_file }}" "{{ nomad_user }}" "{{ nomad_user }}" "0644" ]]
+[[ .Key | writeToFile "{{ nomad_conf.consul.key_file }}" "{{ nomad_user }}" "{{ nomad_user }}" "0640" ]]
+[[ end ]]
+[[ with secret "{{ vault_agent_nomad.consul_pki.path }}/cert/ca_chain" ]]
+[[ .Data.certificate | writeToFile "{{ nomad_conf.consul.ca_file }}" "{{ nomad_user }}" "{{ nomad_user }}" "0644" ]]
+[[ end ]]

roles/vault_agent/templates/nomad/nomad.hcl.j2

@@ -0,0 +1,69 @@
+{% if vault_agent_nomad.vault_token.enabled %}
+template {
+  source          = "{{ vault_agent_root_dir }}/templates/nomad/vault.env.tpl"
+  destination     = "/run/nomad/vault.env"
+  left_delimiter  = "[["
+  right_delimiter = "]]"
+  perms           = 0640
+  exec {
+    # Wait a few sec before reloading Nomad as it fails if reloaded while not fully initialized yet
+    command = ["chown", ":{{ nomad_user }}", "/run/nomad/vault.env"]
+  }
+}
+{% endif %}
+
+{% if vault_agent_nomad.nomad_pki.enabled %}
+template {
+  source          = "{{ vault_agent_root_dir }}/templates/nomad/agent_bundle.pem.tpl"
+  destination     = "{{ nomad_root_dir }}/tls/agent_bundle.pem"
+  left_delimiter  = "[["
+  right_delimiter = "]]"
+  perms           = 0640
+  exec {
+    # Wait a few sec before reloading Nomad as it fails if reloaded while not fully initialized yet
+    command = ["sh", "-c", "sleep 15 && systemctl reload nomad || true"]
+  }
+}
+
+{% if nomad_conf.server.enabled %}
+template {
+  source          = "{{ vault_agent_root_dir }}/templates/nomad/cli_bundle.pem.tpl"
+  destination     = "{{ nomad_root_dir }}/tls/cli_bundle.pem"
+  left_delimiter  = "[["
+  right_delimiter = "]]"
+  perms           = 0640
+{% if vault_agent_nomad.nomad_pki.cli.enabled and vault_agent_nomad.nomad_pki.cli.secret_path is defined %}
+  exec {
+    command = "{{ vault_agent_root_dir }}/bin/update_nomad_cert.sh"
+  }
+{% endif %}
+}
+{% endif %}
+{% endif %}
+
+
+{% if vault_agent_nomad.consul_pki.enabled and nomad_conf.consul.ssl %}
+template {
+  source          = "{{ vault_agent_root_dir }}/templates/nomad/consul_bundle.pem.tpl"
+  destination     = "{{ nomad_root_dir }}/tls/consul_bundle.pem"
+  left_delimiter  = "[["
+  right_delimiter = "]]"
+  perms           = 0640
+  exec {
+    command = ["sh", "-c", "chown :{{ nomad_user }} && sleep 15 && systemctl reload nomad || true"]
+  }
+}
+{% endif %}
+
+{% if vault_agent_nomad.consul_token.enabled %}
+template {
+  source          = "{{ vault_agent_root_dir }}/templates/nomad/consul.env.tpl"
+  destination     = "/run/nomad/consul.env"
+  left_delimiter  = "[["
+  right_delimiter = "]]"
+  perms           = 0640
+  exec {
+    command = ["chown", ":{{ nomad_user}}", "/run/nomad/consul.env"]
+  }
+}
+{% endif %}

roles/vault_agent/templates/nomad/update_nomad_cert.sh.j2

@@ -0,0 +1,20 @@
+#!/bin/sh
+  
+set -eo pipefail
+
+VAULT_ADDR={{ vault_agent_vault_address }}
+VAULT_STATUS=$(vault status -format=json)
+
+if [ "$(echo ${VAULT_STATUS} | jq .is_self)" != "true" ]; then
+  echo "We're not the active vault, exiting"
+elif [ "$(echo ${VAULT_STATUS} | jq .sealed)" != "false" ]; then
+  echo "Vault is sealed, exiting"
+elif [ "$(echo ${VAULT_STATUS} | jq .initialized)" != "true" ]; then
+  echo "Vault is not initialized yet, exiting"
+else
+  echo Updating Vault certificate to access Nomad API
+  vault write {{ vault_agent_nomad.nomad_pki.cli.secret_path }}/config/access \
+    ca_cert="$(cat {{ nomad_root_dir }}/tls/ca.crt)" \
+    client_cert="$(cat {{ nomad_root_dir }}/tls/cli.crt)" \
+    client_key="$(cat {{ nomad_root_dir }}/tls/cli.key)"
+fi

roles/vault_agent/templates/nomad/vault.env.tpl.j2

@@ -0,0 +1,3 @@
+[[- with secret "auth/token/create/{{ vault_agent_nomad.vault_token.role }}" "no_parent=true" -]]
+VAULT_TOKEN=[[ .Auth.ClientToken ]]
+[[- end -]]

roles/vault_agent/templates/vault-agent.hcl.j2

@@ -0,0 +1,58 @@
+vault {
+  address = "{{ vault_agent_vault_address }}"
+}
+
+auto_auth {
+{% if vault_agent_auth == 'approle' %}
+  method {
+    type = "approle"
+    config {
+      role_id_file_path   = "{{ vault_agent_root_dir }}/auth/role_id"
+      secret_id_file_path = "{{ vault_agent_root_dir }}/auth/secret_id"
+      remove_secret_id_file_after_reading = false
+    }
+  }
+{% elif vault_agent_auth == 'token' %}
+  method {
+    type = "token_file"
+    config {
+      token_file_path = "{{ vault_agent_root_dir }}/auth/token"
+    }
+  }
+{% endif %}
+
+  # Not used, but prevent service failing if there's not template yet
+  sink {
+    type = "file"
+    wrap_ttl = "1s"
+    config = {
+      path = "/run/vault_agent/vault.token"
+      mode = 600
+    }
+  }
+}
+
+{% for template in vault_agent_templates %}
+template {
+{% if template.source is defined %}
+  source = "{{ template.source }}"
+{% elif template.contents is defined %}
+  contents = "{{ template.contents }}"
+{% endif %}
+  destination = "{{ template.destination }}"
+{% for prop in ['left_delimiter', 'right_delimiter', 'perms'] %}
+{% if template[prop] is defined %}
+  {{ prop }} = "{{ template[prop] }}"
+{% endif %}
+{% endfor %}
+
+{% if template.exec is defined and template.exec.command is defined %}
+  exec {
+{% if template.exec.timeout is defined %}
+    timeout = "{{ template.exec.timeout }}"
+{% endif %}
+    command = "template.exec.command"
+  }
+{% endif %}
+}
+{% endfor %}

roles/vault_agent/templates/vault-agent.service.j2

@@ -0,0 +1,49 @@
+[Unit]
+Description="HashiCorp Vault Agent"
+Documentation=https://www.vaultproject.io/docs/
+Requires=network-online.target
+After=network-online.target
+ConditionFileNotEmpty={{ vault_agent_root_dir }}/etc/vault-agent.hcl
+StartLimitIntervalSec=60
+StartLimitBurst=6
+Before=consul.service
+Before=nomad.service
+{% if vault_agent_nomad.nomad_pki.enabled or vault_agent_nomad.vault_token.enabled or vault_agent_nomad.consul_pki.enabled or vault_agent_nomad.consul_token.enabled %}
+PartOf=nomad.service
+{% endif %}
+{% if vault_agent_consul.consul_pki.enabled %}
+PartOf=consul.service
+{% endif %}
+
+[Service]
+Type=notify
+User=root
+Group=root
+SyslogIdentifier=vault-agent
+ProtectSystem=full
+ProtectHome=read-only
+PrivateTmp=yes
+PrivateDevices=yes
+SecureBits=keep-caps
+AmbientCapabilities=CAP_IPC_LOCK
+CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK CAP_CHOWN CAP_FOWNER CAP_DAC_OVERRIDE
+NoNewPrivileges=yes
+ExecStart=/usr/local/bin/vault agent -config={{ vault_agent_root_dir }}/etc/
+ExecReload=/bin/kill --signal HUP $MAINPID
+KillMode=process
+KillSignal=SIGINT
+Restart=on-failure
+RestartSec=5
+TimeoutStopSec=30
+LimitNOFILE=65536
+LimitMEMLOCK=infinity
+
+[Install]
+WantedBy=multi-user.target
+{% if vault_agent_nomad.nomad_pki.enabled or vault_agent_nomad.vault_token.enabled or vault_agent_nomad.consul_pki.enabled or vault_agent_nomad.consul_token.enabled %}
+RequiredBy=nomad.service
+{% endif %}
+{% if vault_agent_consul.consul_pki.enabled %}
+RequiredBy=consul.service
+{% endif %}
+