Add playbook for updating Vault API TLS certificate

seunghun1ee · seunghun1ee · commit f7e458c3e29d · 2024-11-14T16:38:12.000Z
Unlike ``vault-deploy-seed.yml`` playbook, this playbook
only updates ``overcloud.crt`` and ``overcloud.key`` which
are used as Vault API TLS certificate.
diff --git a/etc/kayobe/ansible/vault-update-api-cert-overcloud.yml b/etc/kayobe/ansible/vault-update-api-cert-overcloud.yml
@@ -0,0 +1,89 @@
+---
+- name: Update Overcloud Vault API certificate
+  any_errors_fatal: true
+  gather_facts: true
+  hosts: seed
+  vars:
+    consul_bind_interface: "lo"
+    vault_bind_address: "{{ ansible_facts[consul_bind_interface].ipv4.address }}"
+    vault_api_addr: "http://{{ vault_bind_address }}:8200"
+  tasks:
+    - name: Set a fact about the virtualenv on the remote system
+      set_fact:
+        virtualenv: "{{ ansible_python_interpreter | dirname | dirname }}"
+      when:
+        - ansible_python_interpreter is defined
+        - not ansible_python_interpreter.startswith('/bin/')
+        - not ansible_python_interpreter.startswith('/usr/bin/')
+
+    - name: Ensure Python PyYAML and hvac modules are installed
+      pip:
+        name:
+          - PyYAML
+          - hvac
+        state: latest
+        extra_args: "{% if pip_upper_constraints_file %}-c {{ pip_upper_constraints_file }}{% endif %}"
+        virtualenv: "{{ virtualenv is defined | ternary(virtualenv, omit) }}"
+      become: "{{ virtualenv is not defined }}"
+
+    - name: Ensure vault directory exists in Kayobe configuration
+      file:
+        path: "{{ kayobe_env_config_path }}/vault/"
+        state: directory
+      delegate_to: localhost
+      run_once: true
+
+    - name: Include Vault keys
+      include_vars:
+        file: "{{ kayobe_env_config_path }}/vault/seed-vault-keys.json"
+        name: vault_keys
+
+    - import_role:
+        name: stackhpc.hashicorp.vault_pki
+      vars:
+        vault_token: "{{ vault_keys.root_token }}"
+        vault_pki_root_create: false
+        vault_pki_intermediate_create: false
+        vault_pki_certificates_directory: "{{ kayobe_env_config_path }}/vault"
+        vault_pki_generate_certificates: true
+        vault_pki_write_certificates: true
+        vault_pki_certificate_subject:
+          - common_name: "{% if kolla_internal_fqdn != kolla_internal_vip_address %}{{ kolla_internal_fqdn }}{% else %}overcloud{% endif %}"
+            role: "{{ seed_vault_pki_role_name }}"
+            extra_params:
+              ip_sans: "{% for host in groups['controllers'] %}{{ internal_net_name | net_ip(host) }}{% if not loop.last %},{% endif %}{% endfor %},{{ kolla_internal_vip_address }}"
+        vault_pki_write_certificate_files: true
+        vault_pki_overwrite_certificates: true
+        vault_pki_write_pem_bundle: false
+
+- name: Copy new certificate and key to hosts
+  any_errors_fatal: true
+  gather_facts: true
+  hosts: controllers
+  tasks:
+    - name: Template out TLS key and cert
+      copy:
+        # Within the Hashicorp Vault container these uids & gids map to the vault user
+        src: "{{ kayobe_env_config_path }}/vault/{{ item }}"
+        dest: "/opt/kayobe/vault/{{ item }}"
+        owner: 100
+        group: 1000
+        mode: 0600
+      loop:
+        - "{% if kolla_internal_fqdn != kolla_internal_vip_address %}{{ kolla_internal_fqdn }}{% else %}overcloud{% endif %}.crt"
+        - "{% if kolla_internal_fqdn != kolla_internal_vip_address %}{{ kolla_internal_fqdn }}{% else %}overcloud{% endif %}.key"
+      become: True
+
+- name: Restart Overcloud Vaults
+  any_errors_fatal: true
+  gather_facts: true
+  hosts: controllers
+  serial: 1
+  tasks:
+    community.docker.docker_container:
+      name: vault
+      state: started
+      restart: true
+
+- name: Unseal Overcloud Vaults
+  import_playbook: "{{ kayobe_config_path }}/ansible/vault-unseal-overcloud.yml"
