From dd769b19d49085f2ffe21b9560eb775d3d610bc6 Mon Sep 17 00:00:00 2001
From: Artem Goncharov
Date: Thu, 29 Jun 2023 16:06:41 +0200
Subject: [PATCH] improve the vault handling stuff
---
.../service/group_vars/vault-controller.yaml | 125 +++++-------------
playbooks/configure-vault.yaml | 9 ++
.../roles/configure_vault/tasks/auth.yaml | 4 +-
3 files changed, 41 insertions(+), 97 deletions(-)
diff --git a/inventory/service/group_vars/vault-controller.yaml b/inventory/service/group_vars/vault-controller.yaml
index 2678582..08b6591 100644
--- a/inventory/service/group_vars/vault-controller.yaml
+++ b/inventory/service/group_vars/vault-controller.yaml
@@ -34,93 +34,7 @@ vault_policies_main: definition: | path "auth/+/role/*" { capabilities = ["read", "list", "create", "update", "delete"] } - # Zuul checking whether requested approle exists - - name: "approle-zuul-roles-read" - definition: | - path "auth/approle/role/zuul_eco_opentelekomcloud-infra_otc-zuul-jobs" { capabilities = ["read"] } - path "auth/approle/role/zuul_eco_opentelekomcloud-infra_zuul-project-config" { capabilities = ["read"] } - path "auth/approle/role/zuul_eco_opentelekomcloud-infra_gitstyring" { capabilities = ["read"] } - path "auth/approle/role/zuul_eco_opentelekomcloud-docs_doc-exports" { capabilities = ["read"] } - path "auth/approle/role/zuul_gl_ecosystem_zuul-project-config" { capabilities = ["read"] } - path "auth/approle/role/zuul_gl_ecosystem_gitstyring" { capabilities = ["read"] } - - # Zuul create new secret for the approle - - name: "approle-zuul-secret-id-w" - definition: | - path "auth/approle/role/zuul_eco_opentelekomcloud-infra_otc-zuul-jobs/secret-id" { capabilities = ["update"] } - path "auth/approle/role/zuul_eco_opentelekomcloud-infra_zuul-project-config/secret-id" { capabilities = ["update"] } - path "auth/approle/role/zuul_eco_opentelekomcloud-infra_gitstyring/secret-id" { capabilities = ["update"] } - path "auth/approle/role/zuul_eco_opentelekomcloud-docs_doc-exports/secret-id" { capabilities = ["update"] } - path "auth/approle/role/zuul_gl_ecosystem_zuul-project-config/secret-id" { capabilities = ["update"] } - path "auth/approle/role/zuul_gl_ecosystem_gitstyring/secret-id" { capabilities = ["update"] } - - # Bridge access to inventory - - name: "cloud-users-all-ro" - definition: | - path "secret/data/cloud_users/*" { capabilities = ["read", "list"] } - path "secret/metadata/cloud_users/*" { capabilities = ["read", "list"] } - path "secret/data/clouds/*" { capabilities = ["read", "list"] } - path "secret/metadata/clouds/*" { capabilities = ["read", "list"] } - - # zuul deployment to know own credentials - - name: 
"cloud-users-zuul-ro" - definition: | - path "secret/data/cloud_users/448_nodepool" { capabilities = ["read"] } - path "secret/metadata/cloud_users/448_nodepool" { capabilities = ["read"] } - path "secret/data/clouds/otcci_nodepool*" { capabilities = ["read"] } - path "secret/metadata/clouds/otcci_nodepool*" { capabilities = ["read"] } - - # zuul itself - - name: "zuul-app-ro" - definition: | - path "secret/data/zuul/*" {capabilities = ["read"] } - path "secret/metadata/zuul/*" {capabilities = ["read"] } - - # database secret engine mgmt - - name: "database-rw" - definition: | - path "database/*" {capabilities = ["read", "list", "create", "update", "delete"] } - - # Get credentials for databases - - name: "database-ro" - definition: | - path "database/*" {capabilities = ["read", "list"] } - - # Temporary storage of the db users (in kv store) - - name: "tmp-db-ro" - definition: | - path "secret/data/db/*" { capabilities = ["read"] } - path "secret/metadata/db/*" { capabilities = ["read"] } - - # some ssh stuff, most likely zuul - - name: "ssh-ro" - definition: | - path "secret/data/ssh/*" { capabilities = ["read"] } - path "secret/metadata/ssh/*" { capabilities = ["read"] } - - # jobs want to open PRs - - name: "gitea-cicd" - definition: | - path "secret/data/gitea_cicd" { capabilities = ["read"] } - path "secret/metadata/gitea_cicd" { capabilities = ["read"] } - - # Swift configuration - - name: "swift-ro" - definition: | - path "secret/data/swift/*" { capabilities = ["read"] } - path "secret/metadata/swift/*" { capabilities = ["read"] } - - # Get credentials for openstack cloud - - name: "openstack-ro" - definition: | - path "openstack/*" {capabilities = ["read", "list"] } - - # Maintain openstack clouds/roles - - name: "openstack-rw" - definition: | - path "openstack/*" {capabilities = ["read", "list", "create", "update", "delete"] } - - # Get password policies + # Get password policies - name: "pwd-policy-ro" definition: | path "sys/policies/password/*" 
{capabilities = ["read", "list"] } @@ -130,16 +44,38 @@ vault_policies_main: definition: | path "sys/policies/password/*" {capabilities = ["read", "list", "create", "update", "delete"] } - # Gitea configuration - - name: "gitea-ro" + # Zuul checking whether requested approle exists + - name: "approle-zuul-roles-read" definition: | - path "secret/data/gitea" { capabilities = ["read"] } - path "secret/metadata/gitea" { capabilities = ["read"] } + path "auth/approle/role/zuul_scs_opentelekomcloud-scs_zuul-config" { capabilities = ["read"] } -vault_approles_main: [] + # Zuul create new secret for the approle + - name: "approle-zuul-secret-id-w" + definition: | + path "auth/approle/role/zuul_scs_opentelekomcloud-scs_zuul-config/secret-id" { capabilities = ["update"] } + + # zuul itself + - name: "zuul-app-ro" + definition: | + path "secret/data/zuul/*" {capabilities = ["read"] } + path "secret/metadata/zuul/*" {capabilities = ["read"] } + +vault_approles_main: + # This approle is used by bridge to provision systems + - name: "vault-config" + token_policies: + - "sys-mounts-cru" + - "sys-auth-ru" + - "policies-acl-rw" + - "approle-rw" + - "k8auth-rw" + - "k8role-rw" + - "sys-leases-revoke" + - "pwd-policy-rw" + token_ttl: "2h" vault_k8roles_main: - # Zuul otcci auth + # Zuul Kubernetes auth - name: "zuul" auth_path: "kubernetes_scs" policies: ["zuul-app-ro", "cloud-users-zuul-ro"] @@ -175,8 +111,7 @@ vault_instances: # main redundancy cluster main: vault_addr: "https://vault-lb.scs.otc-service.com:8200" - vault_token: "{{ ansible_hashi_vault_token }}" - # vault_token: "{{ lookup('community.hashi_vault.hashi_vault', 'auth/token/lookup-self').id }}" + vault_token: "{{ lookup('community.hashi_vault.hashi_vault', 'auth/token/lookup-self').id }}" policies: "{{ vault_policies_main }}" approle: roles: "{{ vault_approles_main }}" diff --git a/playbooks/configure-vault.yaml b/playbooks/configure-vault.yaml index 29235db..9e34141 100644 --- a/playbooks/configure-vault.yaml 
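Review bot: The `zuul` role in `vault_k8roles_main` still carries `policies: ["zuul-app-ro", "cloud-users-zuul-ro"]`, but the first hunk of this file deletes the `cloud-users-zuul-ro` policy and this hunk does not bring it back; as far as I know Vault does not validate that a policy named on an auth role exists, so the Kubernetes-auth token would silently reference a dead policy, and if the configure_vault role prunes policies that are no longer listed it also loses the cloud-user reads it had. Either drop the name from that list or restore the definition next to `zuul-app-ro`. The new `vault-config` approle combines `policies-acl-rw` with `approle-rw`, `k8auth-rw` and `k8role-rw`, which lets whoever holds its secret-id write an arbitrary policy and attach it to a role, i.e. it is root-equivalent in practice; a comment above it saying so, plus bounds beyond `token_ttl: "2h"` (`token_max_ttl`, `secret_id_ttl`, `secret_id_num_uses`, `secret_id_bound_cidrs` limited to the bridge host), would be worth adding if the role passes those AppRole fields through, which I cannot see from this hunk.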
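Review bot: `vault_token` now expands to `{{ lookup('community.hashi_vault.hashi_vault', 'auth/token/lookup-self').id }}`, and `lookup-self` returns the id of the very token the lookup authenticated with, so compared with the replaced `{{ ansible_hashi_vault_token }}` this only adds a liveness check while making every reference to `vault_token` an extra Vault round-trip, because Ansible evaluates lookups in vars lazily on each use. If validation is the goal, resolving it once with `set_fact` at the start of the play (or keeping the variable plain and letting the first uri task fail) is cheaper and gives a clearer error when the controller has no token configured for the lookup. The token still ends up in the `headers` argument of each uri task, where verbose output prints it unless those tasks are marked `no_log: true`; that is outside this hunk.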
+++ b/playbooks/configure-vault.yaml @@ -1,4 +1,13 @@ --- +# Manage Vault configuration (policies, roles, accesses, etc) +# +# vault_instances is a dictionary ({instance_name: config}) containing all the +# required information that is being passed one by one into the configure_vault +# role for the execution with the help of Vault API invocation. +# +# variable `vault_create_auth=true` will force presence of auth methods which +# are otherwise (default) not created +# - hosts: vault-controller:!disabled name: "Configure Vault instances" tasks: diff --git a/playbooks/roles/configure_vault/tasks/auth.yaml b/playbooks/roles/configure_vault/tasks/auth.yaml index 07ffcea..9984e55 100644 --- a/playbooks/roles/configure_vault/tasks/auth.yaml +++ b/playbooks/roles/configure_vault/tasks/auth.yaml @@ -1,7 +1,8 @@ +--- - name: Read Auth {{ auth.type }} at {{ auth.path }} check_mode: "no" ansible.builtin.uri: - url: "{{ vault_addr }}/v1/sys/auth/{{ auth.path }}/tune" + url: "{{ vault_addr }}/v1/sys/auth/{{ auth.path }}" headers: X-Vault-Token: "{{ vault_token }}" method: "GET" @@ -28,7 +29,6 @@ passthrough_request_headers: "{{ auth.passthrough_request_headers | default(omit) }}" allowed_response_headers: "{{ auth.allowed_response_headers | default(omit) }}" options: "{{ auth.options | default(omit) }}" - status_code: [200, 201, 202, 204] when: - "current_auth is not defined or current_auth.status != 200"
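Review bot: The task passes the token as `X-Vault-Token: "{{ vault_token }}"` in the module arguments and nothing in the hunk sets `no_log: true`, so a verbose run prints the header together with the token; unless it is set further down in the task, which is outside the hunk, add `no_log: true` next to `check_mode`. `check_mode: "no"` is a quoted string where a boolean is meant; `check_mode: false` is what yamllint's truthy rule and ansible-lint expect. With the URL now `{{ vault_addr }}/v1/sys/auth/{{ auth.path }}`, a not-yet-enabled auth method answers with an error status, and since the later `when` checks `current_auth.status != 200`, the task's `status_code` and `register` (outside the hunk) must accept that status or the module fails before the check runs.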