Merge pull request #37 from stackhpc/fix_defaults

Add default values for critical variables

Author: mnasiadka

roles/vault/README.md

@@ -13,9 +13,8 @@ Role variables
 --------------
 
 * Consul
-  * Mandatory
-    * `consul_bind_interface`: Which interface should be used for Consul
   * Optional
+    * `consul_bind_interface`: Which interface should be used for Consul (default: "lo")
     * `consul_docker_name`: Docker - under which name to run the Consul image (default: "consul")
     * `consul_docker_image`: Docker image for Consul (default: "consul")
     * `consul_docker_tag`: Docker image tag for Consul (default: "latest")
@@ -26,10 +25,10 @@ Role variables
 * Vault
   * Mandatory
     * `vault_cluster_name`: Vault cluster name (e.g. "prod_cluster")
-    * `vault_api_addr`: Vault [API addr](https://www.vaultproject.io/docs/configuration#api_addr) - Full URL including protocol and port (e.g. "http://127.0.0.1:8200")
-    * `vault_bind_address`: Which IP address should Vault bind to
     * `vault_config_dir`: Directory into which to bind mount Vault configuration
   * Optional
+    * `vault_bind_address`: Which IP address should Vault bind to (default: "127.0.0.1")
+    * `vault_api_addr`: Vault [API addr](https://www.vaultproject.io/docs/configuration#api_addr) - Full URL including protocol and port (default: "http://127.0.0.1:8200")
     * `consul_container.etc_hosts`: Dict; `{<hostname>:<ip_address>}` to be added to container /etc/host
 s (default: Omitted)
     * `vault_extra_volumes`: List of `"<host_location>:<container_mountpoint>"`

roles/vault/defaults/main.yml

@@ -9,10 +9,11 @@ vault_docker_image: "vault"
 vault_docker_tag: "latest"
 
 vault_cluster_name: ""
+vault_protocol: "{{ 'https' if vault_tls_key and vault_tls_cert else 'http' }}"
 # Allow vault_vip_url and vault_vip_address for backwards compatibility.
-vault_vip_address: "{{ vault_vip_url | default('') }}"
-vault_api_addr: "{{ ('https://' ~ vault_vip_address ~ ':8200') if vault_vip_address else '' }}"
-vault_bind_address: ""
+vault_vip_address: "{{ vault_vip_url | default(vault_bind_address) }}"
+vault_api_addr: "{{ vault_protocol ~ '://' ~ vault_vip_address ~ ':8200' }}"
+vault_bind_address: "127.0.0.1"
 vault_tls_key: ""
 vault_tls_cert: ""
 
@@ -54,7 +55,7 @@ vault_config: >
     }
   }
 
-consul_bind_interface: ""
+consul_bind_interface: "lo"
 consul_bind_ip: "{{ hostvars[inventory_hostname].ansible_facts[consul_bind_interface].ipv4.address }}"
 
 # Docker options

roles/vault_unseal/defaults/main.yml

@@ -1,7 +1,9 @@
 ---
 # Allow vault_vip_url and vault_vip_address for backwards compatibility.
-vault_vip_address: "{{ vault_vip_url | default('') }}"
-vault_api_addr: "{{ ('https://' ~ vault_vip_address ~ ':8200') if vault_vip_address else '' }}"
+vault_protocol: "https"
+vault_vip_address: "{{ vault_vip_url | default(vault_bind_address) }}"
+vault_api_addr: "{{ vault_protocol ~ '://' ~ vault_vip_address ~ ':8200' }}"
+vault_bind_address: "127.0.0.1"
 
 # List of unseal key shards.
 vault_unseal_keys: []

roles/vault_unseal/tasks/main.yml

@@ -21,8 +21,12 @@
     username: "{{ vault_unseal_username | default(omit) }}"
     verify: "{{ vault_unseal_verify | default(omit) }}"
 
-- name: Fail if vault is sealed (something went wrong)
+- name: Check if vault is sealed
   uri:
     url: "{{ vault_api_addr }}/v1/sys/seal-status"
   register: vault_seal_status
-  failed_when: vault_seal_status.json.sealed
+
+- name: Fail when vault is still sealed
+  assert:
+    that: not vault_seal_status.json.sealed
+    fail_msg: "Vault is sealed - something went wrong"

tests/test_vault.yml

@@ -3,9 +3,6 @@
   gather_facts: true
   hosts: consul
   vars:
-    consul_bind_interface: lo
-    vault_bind_address: 127.0.0.1
-    vault_api_addr: http://127.0.0.1:8200
     vault_config_dir: "/etc/vault"
     vault_log_keys: true
     vault_set_keys_fact: true
@@ -29,6 +26,7 @@
         name: vault_unseal
       vars:
         vault_unseal_keys: "{{ vault_keys.keys_base64 }}"
+        vault_protocol: "http"
 
     - name: Configure PKI
       import_role: