ricsanfre.vault
Ansible Role: Hashicorp Vault server installation and configuration

This role installs and configures Hashicorp Vault on a Linux server.
Requirements

None

Role Variables

The available variables are listed below; their default values are in defaults/main.yaml.
Vault server installation details

Vault UNIX user/group

```yaml
vault_group: vault
vault_user: vault
```

Vault package version to install

```yaml
vault_version: 1.12.2
```

Vault installation paths

```yaml
vault_bin_path: /usr/local/bin
vault_config_path: /etc/vault
vault_tls_path: /etc/vault/tls
vault_plugin_path: /usr/local/lib/vault/plugins
vault_data_path: /var/lib/vault
vault_log_path: /var/log/vault
```

Vault TLS configuration

```yaml
vault_enable_tls: false
vault_key: ""
vault_cert: ""
custom_ca: false
vault_ca: ""
# Vault service DNS name
vault_dns: ""
```
To enable TLS, set `vault_enable_tls` to true and load the contents of the private key and of the public certificate into the `vault_key` and `vault_cert` variables. If the TLS certificate is signed by a custom CA, set `custom_ca` to true and load the CA certificate into the `vault_ca` variable. Set `vault_dns` to the fully qualified domain name (FQDN) of the Vault service for which the certificate was issued. The variables can also be loaded from files with an Ansible task:

```yaml
# The file names are built by string concatenation rather than by nesting
# "{{ }}" inside the lookup, which Ansible discourages.
- name: Load TLS key and certificate from files
  set_fact:
    vault_key: "{{ lookup('file', 'certificates/' + inventory_hostname + '_private.key') }}"
    vault_cert: "{{ lookup('file', 'certificates/' + inventory_hostname + '_public.crt') }}"
    vault_ca: "{{ lookup('file', 'certificates/ca.crt') }}"
```
Vault initialization

```yaml
vault_init: false
vault_key_shares: 1
vault_key_threshold: 1
vault_keys_output: "{{ vault_config_path }}/unseal.json"
```

To initialize Vault automatically, set `vault_init` to true and use `vault_key_shares` and `vault_key_threshold` to set how many unseal key shares are generated and how many of them are required to unseal. Initialization writes a JSON file, `vault_keys_output`, containing the unseal keys and the root token. That file holds the unseal keys and the root token in clear text on the Vault host itself; with the defaults (one share, threshold one) anyone who can read it can unseal Vault and act as root, so restrict its permissions and revoke the initial root token once other auth methods are configured.

Vault unseal and unseal service

```yaml
vault_unseal: false
vault_unseal_service: false
```
To unseal Vault automatically, set `vault_unseal` to true. The unseal process uses the keys stored in the `vault_keys_output` file. A systemd service can also be created so that Vault is unsealed automatically every time the Vault service starts or restarts; to enable it, set `vault_unseal_service` to true. This creates a oneshot service, `vault-unseal`, which also reads the keys from the `vault_keys_output` file.
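How the unseal step works, as an added example (this is not code from the ricsanfre.vault role): a small Python client that reads the init JSON, refuses a file other users could read, picks `unseal_threshold` shares and submits them to Vault's `/v1/sys/unseal` endpoint until the server reports `sealed: false`. It assumes `vault_keys_output` has the layout written by `vault operator init -format=json` (`unseal_keys_b64`, `unseal_threshold`, `root_token`); the sample data, the `VAULT_ADDR` default and the helper names are this example's own.

```python
"""Unseal a Vault server from the JSON file written at initialization.

Added example, not part of the ricsanfre.vault role. Assumes the init file has
the layout of `vault operator init -format=json` and that the Vault HTTP API
is reachable at VAULT_ADDR (default below is an assumption).
"""
import json
import os
import ssl
import stat
import sys
import urllib.request

# Constructed sample in the shape of `vault operator init -format=json`
# output (3 shares, threshold 2). The key strings are placeholders, not
# real Shamir shares.
SAMPLE_INIT = {
    "unseal_keys_b64": ["share-one", "share-two", "share-three"],
    "unseal_keys_hex": [],
    "unseal_shares": 3,
    "unseal_threshold": 2,
    "root_token": "hvs.placeholder",
}


def mode_is_private(mode):
    """True when no group/other permission bits are set (0600 or stricter)."""
    return stat.S_IMODE(mode) & 0o077 == 0


def load_init_file(path):
    """Parse the init JSON, refusing a file that other users could read."""
    st = os.stat(path)
    if not mode_is_private(st.st_mode):
        raise PermissionError(
            f"{path} is mode {stat.S_IMODE(st.st_mode):04o}; it contains the "
            "unseal keys and the root token, restrict it to 0600")
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def select_unseal_keys(init_data):
    """Return exactly `unseal_threshold` shares; any threshold-sized subset unseals."""
    keys = list(init_data["unseal_keys_b64"])
    threshold = int(init_data["unseal_threshold"])
    if threshold < 1 or threshold > len(keys):
        raise ValueError(f"threshold {threshold} not satisfiable with {len(keys)} shares")
    return keys[:threshold]


def http_post_json(url, body, ca_file=None):
    """POST JSON to Vault; verify the server against the custom CA when one is given."""
    ctx = ssl.create_default_context(cafile=ca_file) if ca_file else None
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="POST",
        headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.load(resp)


def unseal(vault_addr, keys, post=http_post_json, ca_file=None):
    """Submit shares to /v1/sys/unseal one at a time until sealed == false.

    Each call returns Vault's seal status ({"sealed", "t", "n", "progress", ...});
    `post` is injectable so the exchange can be exercised without a server.
    """
    status = None
    for key in keys:
        status = post(f"{vault_addr.rstrip('/')}/v1/sys/unseal", {"key": key}, ca_file)
        if not status["sealed"]:
            return status
    raise RuntimeError(
        f"still sealed after {len(keys)} shares "
        f"(progress {status['progress']}/{status['t']})")


if __name__ == "__main__":
    # Usage: python unseal.py /etc/vault/unseal.json [/etc/vault/tls/ca.crt]
    init = load_init_file(sys.argv[1])
    ca = sys.argv[2] if len(sys.argv) > 2 else None
    result = unseal(os.environ.get("VAULT_ADDR", "https://127.0.0.1:8200"),
                    select_unseal_keys(init), ca_file=ca)
    print(f"unsealed: t={result['t']} n={result['n']}")
```

Against a real server the script needs the Vault address and, when the certificate is signed by a custom CA, the CA file, so that the unseal shares are never sent over an unverified connection. Submitting more shares than the threshold is harmless but pointless, which is why only `unseal_threshold` of them are selected.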
KV Secrets Engine

The KV version 2 secrets engine can be enabled automatically by providing the following variable:

```yaml
vault_kv_secrets:
  path: secret
```
KV version 2 will be enabled at the `secret` path.

Policies

ACL policies can be configured automatically by providing their name and HCL content:

```yaml
policies:
  - name: write
    hcl: |
      path "secret/*" {
        capabilities = [ "create", "read", "update", "delete", "list", "patch" ]
      }
  - name: read
    hcl: |
      path "secret/*" {
        capabilities = [ "read" ]
      }
```

Note that KV version 2 exposes secret data under `secret/data/<name>` and version metadata under `secret/metadata/<name>` (plus the `delete/`, `undelete/` and `destroy/` endpoints), so a `secret/*` rule covers all of them; a policy meant to grant access to the secret data only should be scoped to `secret/data/*`.
Dependencies

None

Example Playbook

The following playbook installs and configures Vault, enabling TLS with an SSL certificate signed by a custom CA.
It initializes and unseals Vault, enables KV version 2 at the `secret` path, and creates two policies (`read` and `write`).
```yaml
---
- name: Install and configure Vault server
  hosts: vault-server
  become: true
  gather_facts: true
  vars:
    server_hostname: vault.ricsanfre.com
    ssl_key_size: 4096
    key_type: RSA
    country_name: ES
    email_address: [email protected]
    organization_name: Ricsanfre
    ansible_user: root
  pre_tasks:
    - name: Generate custom CA
      include_tasks: tasks/generate_custom_ca.yml
      args:
        apply:
          delegate_to: localhost
          become: false
    - name: Generate custom CA signed SSL certificate for Vault
      include_tasks: tasks/generate_ca_signed_cert.yml
      args:
        apply:
          delegate_to: localhost
          become: false
    - name: Load TLS key and certificate
      set_fact:
        vault_key: "{{ lookup('file', 'certificates/' + server_hostname + '.key') }}"
        vault_cert: "{{ lookup('file', 'certificates/' + server_hostname + '.pem') }}"
        vault_ca: "{{ lookup('file', 'certificates/CA.pem') }}"
  roles:
    - role: ricsanfre.vault
      vault_enable_tls: true
      custom_ca: true
      vault_init: true
      vault_unseal: true
      vault_unseal_service: true
      tls_skip_verify: true
      display_init_response: true
      # KV configuration
      vault_kv_secrets:
        path: secret
      # Policies
      policies:
        - name: write
          hcl: |
            path "secret/*" {
              capabilities = [ "create", "read", "update", "delete", "list", "patch" ]
            }
        - name: read
          hcl: |
            path "secret/*" {
              capabilities = [ "read" ]
            }
```
The `pre_tasks` section generates the custom CA and Vault's private key and certificate, and loads them into the `vault_key`, `vault_cert` and `vault_ca` variables.
`generate_custom_ca.yml` contains the tasks that generate the custom CA:

```yaml
---
- name: Create CA key
  openssl_privatekey:
    path: certificates/CA.key
    size: "{{ ssl_key_size | int }}"
    mode: '0600'  # private key: never leave it readable by other users
  register: ca_key

- name: Create CA CSR
  openssl_csr:
    privatekey_path: certificates/CA.key
    common_name: Ricsanfre CA
    use_common_name_for_san: false  # no SAN is specified, so do not use the CN as a SAN
    basic_constraints:
      - 'CA:TRUE'
    basic_constraints_critical: true
    key_usage:
      - keyCertSign
    key_usage_critical: true
    path: certificates/CA.csr
  register: ca_csr

- name: Sign CA CSR
  openssl_certificate:
    path: certificates/CA.pem
    csr_path: certificates/CA.csr
    privatekey_path: certificates/CA.key
    provider: selfsigned
  register: ca_crt
```
`generate_ca_signed_cert.yml` contains the tasks that generate Vault's private key and the certificate signed by the custom CA:

```yaml
---
- name: Create private key
  openssl_privatekey:
    path: "certificates/{{ server_hostname }}.key"
    size: "{{ ssl_key_size | int }}"
    type: "{{ key_type }}"
    mode: '0600'  # private key: never leave it readable by other users

- name: Create CSR
  openssl_csr:
    path: "certificates/{{ server_hostname }}.csr"
    privatekey_path: "certificates/{{ server_hostname }}.key"
    country_name: "{{ country_name }}"
    organization_name: "{{ organization_name }}"
    email_address: "{{ email_address }}"
    common_name: "{{ server_hostname }}"
    subject_alt_name: "DNS:{{ server_hostname }},IP:{{ ansible_default_ipv4.address }},IP:127.0.0.1"

- name: Sign CSR with the CA
  openssl_certificate:
    csr_path: "certificates/{{ server_hostname }}.csr"
    path: "certificates/{{ server_hostname }}.pem"
    provider: ownca
    ownca_path: certificates/CA.pem
    ownca_privatekey_path: certificates/CA.key
```
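Before the generated files are loaded into `vault_cert` and `vault_ca` (the TLS variables described above), it is worth checking that the certificate actually chains to the custom CA, is usable as a TLS server certificate, and carries `vault_dns` in its SANs. The following Python script is an added example, not part of the ricsanfre.vault role: it shells out to the `openssl` command-line tool (assumed installed) and, so that it runs on its own, first builds a throw-away CA and server certificate with the same properties as the tasks above (CA:TRUE and keyCertSign on the CA; DNS and IP SANs on the leaf). The names vault.ricsanfre.com and 10.0.0.10 are placeholders.

```python
"""Check a Vault server certificate against its custom CA before deploying it.

Added example, not part of the ricsanfre.vault role. Requires the `openssl`
binary; the test PKI it generates is constructed material for the demo.
"""
import os
import re
import subprocess
import tempfile

# Minimal OpenSSL config mirroring the role's tasks: CA:TRUE + keyCertSign
# on the CA, server usage plus DNS/IP SANs on the leaf (placeholders filled in).
OPENSSL_CNF = """
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign
subjectKeyIdentifier = hash
[v3_server]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:{dns},IP:{ip},IP:127.0.0.1
"""


def run(*args):
    """Run an openssl subcommand and return its stdout (raises on failure)."""
    return subprocess.run(["openssl", *args], check=True,
                          capture_output=True, text=True).stdout


def make_test_pki(workdir, dns, ip):
    """Create CA.pem/CA.key and <dns>.pem/<dns>.key in workdir (constructed test material)."""
    os.makedirs(workdir, exist_ok=True)
    cnf = os.path.join(workdir, "openssl.cnf")
    with open(cnf, "w") as fh:
        fh.write(OPENSSL_CNF.format(dns=dns, ip=ip))
    ca_key, ca_pem = os.path.join(workdir, "CA.key"), os.path.join(workdir, "CA.pem")
    key, csr, pem = (os.path.join(workdir, f"{dns}.{ext}") for ext in ("key", "csr", "pem"))
    # Self-signed CA, as the selfsigned provider does in generate_custom_ca.yml.
    run("req", "-x509", "-new", "-newkey", "rsa:2048", "-nodes", "-keyout", ca_key,
        "-out", ca_pem, "-days", "1", "-subj", "/CN=Ricsanfre CA",
        "-config", cnf, "-extensions", "v3_ca")
    # Server key + CSR, then CA-signed certificate, as the ownca provider does.
    run("req", "-new", "-newkey", "rsa:2048", "-nodes", "-keyout", key, "-out", csr,
        "-subj", f"/CN={dns}", "-config", cnf)
    run("x509", "-req", "-in", csr, "-CA", ca_pem, "-CAkey", ca_key, "-CAcreateserial",
        "-out", pem, "-days", "1", "-extfile", cnf, "-extensions", "v3_server")
    return ca_pem, pem


def chain_verifies(ca_pem, cert_pem):
    """True when cert_pem chains to ca_pem and is valid for a TLS server."""
    res = subprocess.run(["openssl", "verify", "-CAfile", ca_pem,
                          "-purpose", "sslserver", cert_pem],
                         capture_output=True, text=True)
    return res.returncode == 0


def subject_alt_names(cert_pem):
    """Return the SAN entries in the page's notation, e.g. {'DNS:host', 'IP:127.0.0.1'}."""
    text = run("x509", "-in", cert_pem, "-noout", "-text")
    m = re.search(r"Subject Alternative Name:[ \t]*\n[ \t]*(.+)", text)
    if not m:
        return set()
    return {e.strip().replace("IP Address:", "IP:") for e in m.group(1).split(",")}


def check_vault_cert(ca_pem, cert_pem, vault_dns):
    """The checks a practitioner wants before setting vault_cert/vault_ca/vault_dns."""
    sans = subject_alt_names(cert_pem)
    return {"chain_ok": chain_verifies(ca_pem, cert_pem),
            "dns_ok": f"DNS:{vault_dns}" in sans,
            "sans": sorted(sans)}


def demo(dns="vault.ricsanfre.com", ip="10.0.0.10"):
    """Build a good PKI and an unrelated CA, then run the checks in a temp dir."""
    with tempfile.TemporaryDirectory() as d:
        ca, cert = make_test_pki(os.path.join(d, "good"), dns, ip)
        other_ca, _ = make_test_pki(os.path.join(d, "other"), dns, ip)
        return {"good": check_vault_cert(ca, cert, dns),
                "wrong_ca": check_vault_cert(other_ca, cert, dns),
                "wrong_name": check_vault_cert(ca, cert, "other.example.com")}


if __name__ == "__main__":
    print(demo())
```

`openssl verify -purpose sslserver` is used rather than a plain `openssl verify` so that a certificate whose key usage or extended key usage would make Vault's listener unusable for clients is rejected as well; the SAN check catches the common mistake of issuing the certificate for a name other than the one set in `vault_dns`.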
License

MIT

Author Information

Created by Ricardo Sanchez (ricsanfre)