c12s-kubespray/roles/vault/tasks/bootstrap/start_vault_temp.yml
2017-06-30 13:46:05 +02:00

65 lines
2.5 KiB
YAML

---
- name: bootstrap/start_vault_temp | Ensure vault-temp isn't already running
shell: if docker rm -f {{ vault_temp_container_name }} 2>&1 1>/dev/null;then echo true;else echo false;fi
register: vault_temp_stop_check
changed_when: "'true' in vault_temp_stop_check.stdout"
- name: bootstrap/start_vault_temp | Start single node Vault with file backend
command: >
docker run -d --cap-add=IPC_LOCK --name {{ vault_temp_container_name }}
-p {{ vault_port }}:{{ vault_port }}
-e 'VAULT_LOCAL_CONFIG={{ vault_temp_config|to_json }}'
-v /etc/vault:/etc/vault
{{ vault_image_repo }}:{{ vault_version }} server
#FIXME(mattymo): Crashes on first start with aufs docker storage. See hashicorp/docker-vault#19
- name: bootstrap/start_vault_temp | Start again single node Vault with file backend
command: docker start {{ vault_temp_container_name }}
- name: bootstrap/start_vault_temp | Initialize vault-temp
uri:
url: "http://localhost:{{ vault_port }}/v1/sys/init"
headers: "{{ vault_client_headers }}"
method: PUT
body_format: json
body:
secret_shares: 1
secret_threshold: 1
register: vault_temp_init
# NOTE: vault_headers and vault_url are used by subsequent issue calls
- name: bootstrap/start_vault_temp | Set needed vault facts
set_fact:
vault_leader_url: "http://{{ inventory_hostname }}:{{ vault_port }}"
vault_temp_unseal_keys: "{{ vault_temp_init.json['keys'] }}"
vault_temp_root_token: "{{ vault_temp_init.json.root_token }}"
vault_headers: "{{ vault_client_headers|combine({'X-Vault-Token': vault_temp_init.json.root_token}) }}"
ignore_errors: "{{ ansible_check_mode }}"
- name: "bootstrap/start_vault_temp | Check {{vault_leader_url}}"
uri:
url: "{{ vault_leader_url}}/v1/sys/health"
headers: "{{ vault_client_headers }}"
status_code: 200,429,500,501
timeout: 5
ignore_errors: true
register: vault_leader_url_check
- debug: var=vault_leader_url_check verbosity=2
- name: bootstrap/start_vault_temp | Tune vault_leader_url url
set_fact:
vault_leader_url: "http://localhost:{{ vault_port }}"
when: vault_leader_url_check|failed
ignore_errors: "{{ ansible_check_mode }}"
- name: bootstrap/start_vault_temp | Unseal vault-temp
uri:
url: "http://localhost:{{ vault_port }}/v1/sys/unseal"
headers: "{{ vault_headers }}"
method: POST
body_format: json
body:
key: "{{ item }}"
with_items: "{{ vault_temp_unseal_keys|default([]) }}"