Add vault_pki role

Install ansible-modules-hashivault from stackhpc fork

Author: mnasiadka

.github/workflows/pull_request.yml

@@ -65,7 +65,7 @@ jobs:
           else
               ansible_package=ansible-core
           fi
-          python3 -m pip install $ansible_package==$ansible_version.* docker ansible-modules-hashivault
+          python3 -m pip install $ansible_package==$ansible_version.* docker git+https://github.com/stackhpc/ansible-modules-hashivault@stackhpc
           ansible-galaxy collection build
           ansible-galaxy collection install *.tar.gz
 

roles/vault_pki/defaults/main.yml

@@ -0,0 +1,12 @@
+---
+vault_pki_root_create: True
+vault_pki_root_ca_name: ""
+vault_pki_root_ca_common_name: "{{ vault_pki_root_ca_name }}"
+
+vault_pki_intermediate_create: True
+vault_pki_intermediate_import: False
+vault_pki_intermediate_ca_name: ""
+vault_pki_intermediate_ca_common_name: "{{ vault_pki_intermediate_ca_name }}"
+vault_pki_intermediate_ca_type: "internal"
+
+vault_pki_intermediate_roles: {}

roles/vault_pki/tasks/intermediate.yml

@@ -0,0 +1,53 @@
+---
+- name: "Ensure Vault Intermediate PKI backend exists"
+  hashivault_secret_engine:
+    url: "{{ vault_api_addr }}"
+    token: "{{ vault_token }}"
+    name: "{{ vault_pki_intermediate_ca_name }}"
+    description: "{{ vault_pki_intermediate_ca_name }} CA"
+    backend: "pki"
+
+- name: "Generate Intermediate CA cert, key and sign CSR"
+  block:
+    - name: "Generate Vault Intermediate CA cert and key"
+      hashivault_pki_ca:
+        url: "{{ vault_api_addr }}"
+        token: "{{ vault_token }}"
+        mount_point: "{{ vault_pki_intermediate_ca_name }}"
+        type: "{{ vault_pki_intermediate_ca_type }}"
+        common_name: "{{ vault_pki_intermediate_ca_common_name }}"
+        kind: "intermediate"
+        config:
+          key_bits: 4096
+          max_lease_ttl: "43830h"
+      register: intermediate_ca_csr
+
+    - name: "Sign Intermediate CSR"
+      hashivault_pki_cert_sign:
+        url: "{{ vault_api_addr }}"
+        token: "{{ vault_token }}"
+        mount_point: "{{ vault_pki_root_ca_name }}"
+        csr: "{{ intermediate_ca_csr.data.csr }}"
+        common_name: "{{ vault_pki_intermediate_ca_common_name }}"
+        type: intermediate
+      register: intermediate_ca_csr_signed
+
+    - name: "Set Intermediate as signed"
+      hashivault_pki_set_signed:
+        url: "{{ vault_api_addr }}"
+        token: "{{ vault_token }}"
+        mount_point: "{{ vault_pki_intermediate_ca_name }}"
+        certificate: "{{ intermediate_ca_csr_signed.data.certificate }}\n{{ intermediate_ca_csr_signed.data.issuing_ca }}"
+
+  when: not vault_pki_intermediate_import | bool
+
+- name: "Import Intermediate CA cert and key"
+  block:
+    - name: "Import Intermediate CA cert and key"
+      hashivault_pki_ca_set:
+        url: "{{ vault_api_addr }}"
+        token: "{{ vault_token }}"
+        mount_point: "{{ vault_pki_intermediate_ca_name }}"
+        pem_bundle: "{{ vault_pki_intermediate_ca_bundle }}"
+ 
+  when: vault_pki_intermediate_import | bool

roles/vault_pki/tasks/main.yml

@@ -0,0 +1,10 @@
+---
+- include_tasks: "prechecks.yml"
+- include_tasks: "root.yml"
+  when: vault_pki_root_create | bool
+
+- include_tasks: "intermediate.yml"
+  when: vault_pki_intermediate_create | bool
+
+- include_tasks: "roles.yml"
+  when: vault_pki_intermediate_roles | length > 0

roles/vault_pki/tasks/prechecks.yml

@@ -0,0 +1,10 @@
+---
+- name: "Fail if variables are not set"
+  fail:
+    msg: "variable {{ item }} is not set"
+  when:
+    - vars[item.name] | length == 0
+    - item.when 
+  loop:
+    - { "name": "vault_pki_root_ca_name", "when": "vault_pki_root_create | bool" }
+    - { "name": "vault_pki_intermediate_ca_name", "when": "vault_pki_intermediate_create | bool" }

roles/vault_pki/tasks/roles.yml

@@ -0,0 +1,9 @@
+---
+- name: "Create PKI role(s)"
+  hashivault_pki_role:
+    url: "{{ vault_api_addr }}"
+    token: "{{ vault_token }}"
+    mount_point: "{{ vault_pki_intermediate_ca_name }}"
+    name: "{{ item.name }}"
+    config: "{{ item.config }}" 
+  loop: "{{ vault_pki_intermediate_roles }}"

roles/vault_pki/tasks/root.yml

@@ -0,0 +1,20 @@
+---
+- name: "Ensure Vault RootCA PKI backend exists"
+  hashivault_secret_engine:
+    url: "{{ vault_api_addr }}"
+    token: "{{ vault_token }}"
+    name: "{{ vault_pki_root_ca_name }}"
+    description: "{{ vault_pki_root_ca_name }} CA"
+    backend: "pki"
+
+- name: "Generate Vault Root CA cert and key"
+  hashivault_pki_ca:
+    url: "{{ vault_api_addr }}"
+    token: "{{ vault_token }}"
+    mount_point: "{{ vault_pki_root_ca_name }}"
+    type: "internal"
+    common_name: "{{ vault_pki_root_ca_common_name }}"
+    kind: "root"
+    config:
+      key_bits: 4096
+      ttl: "43830h"

roles/vault_unseal/tasks/main.yml

@@ -1,4 +1,9 @@
 ---
+- name: Fail when vault_unseal_keys are empty
+  fail:
+    msg: "vault_unseal_keys are empty"
+  when: not (vault_unseal_keys | length > 0)
+
 - name: Unseal Vault
   hashivault_unseal:
     authtype: "{{ vault_unseal_authtype | default(omit) }}"
@@ -15,3 +20,10 @@
     url: "{{ vault_api_addr }}"
     username: "{{ vault_unseal_username | default(omit) }}"
     verify: "{{ vault_unseal_verify | default(omit) }}"
+  register: vault_unseal_status
+
+- name: Fail if vault is sealed (something went wrong)
+  uri:
+    url: "{{ vault_api_addr }}/v1/sys/seal-status"
+  register: vault_seal_status
+  failed_when: vault_seal_status.json.sealed

tests/test_vault.yml

@@ -28,4 +28,26 @@
       import_role:
         name: vault_unseal
       vars:
-        vault_keys: "{{ vault_keys.keys_base64 }}"
+        vault_unseal_keys: "{{ vault_keys.keys_base64 }}"
+
+    - name: Configure PKI
+      import_role:
+        name: vault_pki  
+      vars:
+        vault_token: "{{ vault_keys.root_token }}"
+        vault_pki_root_ca_name: "OS-TLS-ROOT"
+        vault_pki_intermediate_ca_name: "OS-TLS-INT" 
+        vault_pki_intermediate_roles:
+          - name: "ServerCert"
+            config:
+              max_ttl: 8760h
+              ttl: 8760h
+              allow_ip_sans: true
+              require_cn: false
+              server_flag: true
+              key_type: rsa
+              key_bits: 4096
+              country: "UK"
+              locality: "Bristol"
+              organization: "StackHPC"
+              ou: "HPC"