Merge pull request #30 from stackhpc/vault_pki

Add vault_pki role

Author: mnasiadka

.github/workflows/pull_request.yml

@@ -65,7 +65,7 @@ jobs:
           else
               ansible_package=ansible-core
           fi
-          python3 -m pip install $ansible_package==$ansible_version.* docker ansible-modules-hashivault
+          python3 -m pip install $ansible_package==$ansible_version.* docker git+https://github.com/stackhpc/ansible-modules-hashivault@stackhpc
           ansible-galaxy collection build
           ansible-galaxy collection install *.tar.gz
 

roles/vault/defaults/main.yml

@@ -33,7 +33,14 @@ vault_config: >
         {% else %}
         "tls_disable": "true"
         {% endif %}
+      }{% if vault_bind_address != '127.0.0.1' %},
+    },
+    {
+      "tcp": {
+        "address": "127.0.0.1:8200",
+        "tls_disable": "true"
       }
+    {% endif %}
     }],
     "storage": {
     "consul": {

roles/vault/tasks/consul.yml

@@ -23,4 +23,4 @@
       -retry-join "{{ hostvars[host].ansible_facts[consul_bind_interface].ipv4.address }}"
       {% endif %}
       {% endfor %}
-  become: True
+  become: true

roles/vault/tasks/main.yml

@@ -1,4 +1,9 @@
 ---
-- import_tasks: prechecks.yml
-- import_tasks: consul.yml
-- import_tasks: vault.yml
+- name: "Vault Prechecks"
+  import_tasks: prechecks.yml
+
+- name: "Deploy Consul"
+  import_tasks: consul.yml
+
+- name: "Deploy Vault"
+  import_tasks: vault.yml

roles/vault/tasks/vault.yml

@@ -14,7 +14,7 @@
       VAULT_LOCAL_CONFIG: "{{ vault_config | to_json }}"
     command: >
       server
-  become: True
+  become: true
 
 - name: Check if vault is initialized
   uri:
@@ -25,7 +25,8 @@
   run_once: true
   until: vault_init_status.status == 200
 
-- block:
+- name: "Initialize vault"
+  block:
     - name: Initialize vault
       hashivault_init:
         url: "{{ vault_api_addr }}"

roles/vault_pki/README.md

@@ -0,0 +1,50 @@
+This role Generates a Root and Intermediate certificate and generates leaf certificates
+
+Requirements
+------------
+
+`ansible-modules-hashivault` Python package installed on the Ansible control host
+`hvac` Python package installed on the remote hosts
+
+Note that since version `4.6.4`, `ansible-modules-hashivault` requires
+`ansible>4`.
+
+There is a fork under https://github.com/stackhpc/ansible-modules-hashivault
+that doesn't have this requirement (and is needed for the role to operate
+correctly on ansible<4).
+
+Role variables
+--------------
+
+* Vault Create Root
+    * `vault_pki_root_create`: whether to create a RootCA certificate or not (default: `true`)
+    * Mandatory if `vault_pki_root_create` equals `true`
+        * `vault_pki_root_ca_name`: The name of the RootCA to create (string)
+        * `vault_pki_root_ca_common_name`: The common name of the RootCA (default: vault_pki_root_ca_name)
+    * `vault_pki_write_root_ca_to_file`: whether to write the root CA certificate to a file for importing into a systems trust store (default: `false`)
+    * `vault_pki_root_default_lease_ttl`: The default time in hours before expiry of the root CA certificate (default: "43830h")
+    * `vault_pki_root_max_lease_ttl`: The max time in hours that is allowed before expiry of the root CA certificate (default: "43830h")
+    * `vault_pki_root_ttl`: The time in hours before the root CA certificate expires (default: "43830h")
+    * `vault_pki_root_key_bits`: The key bits for the root RSA private key (default: "4096")
+---
+* Vault Create Intermediate
+    * `vault_pki_intermediate_create`: whether to create an intermediate CA or not (default: `true`)
+    * `vault_pki_intermediate_import`: whether to import a pre-existing intermediate pem bundle (default: `false`)
+    * `vault_pki_intermediate_export`: whether to export the generated intermediate pem bundle (default: `false`)
+        * Mandatory if `vault_pki_intermediate_create` equals `true`
+            * `vault_pki_intermediate_ca_name`: The name of the Intermediate CA to create
+            * `vault_pki_intermediate_ca_common_name`:  The common name of the RootCA (default: `vault_pki_intermediate_ca_name`)
+        * Mandatory if `vault_pki_intermediate_import`: equals `true`
+            * `vault_pki_intermediate_ca_bundle`: Concatenated certificate, intermediate and private key
+    * `vault_pki_intermediate_default_lease_ttl`: The default time in hours before expiry of the intermediate CA certificate (default: "43830h")
+    * `vault_pki_intermediate_max_lease_ttl`: The max time in hours that is allowed before expiry of the intermediate CA certificate (default: "43830h")
+    * `vault_pki_intermediate_ttl`: The time in hours before the intermediate CA certificate expires (default: "43830h")
+    * `vault_pki_intermediate_key_bits`: The key bits for the intermediate RSA private key (default: "4096")
+    * `vault_pki_intermediate_roles`: Certificate Roles to create for the intermediate CA. List of Dicts containing `{name: <role_name>, config: { <pki_option>: <value> ...}`
+---
+* Certificate Output
+    * `vault_pki_generate_certificates`: whether to generate leaf certificates or not (default: `false`)
+    * `vault_pki_write_certificates_host:` The host on which certificates will be written to. (default: "localhost")
+    * `vault_pki_certificates_directory`: directory to output certificate files to.
+    * `vault_pki_write_certificates`: whether to write generated certificates to a file or not (default: `false`)
+    * `vault_pki_certificate_subject`: The certificate subject parameters e.g. `ttl` `ip_sans`. List of Dicts containing `{role: <name of Certificate role>, common_name: <common name of certificate>, extra_params: {ttl: <value>, alt_sans: <value>, ip_sans: <value> }}`

roles/vault_pki/defaults/main.yml

@@ -0,0 +1,31 @@
+---
+vault_pki_root_create: true
+vault_pki_root_ca_name: ""
+vault_pki_root_ca_common_name: "{{ vault_pki_root_ca_name }}"
+vault_pki_write_root_ca_to_file: false
+vault_pki_root_default_lease_ttl: "43830h"
+vault_pki_root_max_lease_ttl: "43830h"
+vault_pki_root_ttl: "43830h"
+vault_pki_root_key_bits: 4096
+
+
+vault_pki_intermediate_create: true
+vault_pki_intermediate_import: false
+vault_pki_intermediate_export: false
+vault_pki_intermediate_ca_name: ""
+vault_pki_intermediate_ca_common_name: "{{ vault_pki_intermediate_ca_name }}"
+vault_pki_intermediate_ca_bundle: ""
+vault_pki_intermediate_default_lease_ttl: "43830h"
+vault_pki_intermediate_max_lease_ttl: "43830h"
+vault_pki_intermediate_ttl: "43830h"
+vault_pki_intermediate_key_bits: 4096
+
+vault_pki_intermediate_roles: {}
+
+vault_pki_generate_certificates: false
+
+vault_pki_write_certificates_host: "localhost"
+vault_pki_write_certificates_directory: ""
+vault_pki_write_certificate_files: false
+
+vault_pki_certificate_subject: []

roles/vault_pki/tasks/create_cert.yml

@@ -0,0 +1,23 @@
+---
+- name: "Generate Certificate"
+  hashivault_pki_cert_issue:
+    url: "{{ vault_api_addr }}"
+    token: "{{ vault_token }}"
+    mount_point: "{{ vault_pki_intermediate_ca_name }}"
+    common_name: "{{ item.common_name }}"
+    role: "{{ item.role }}"
+    extra_params: "{{ item.extra_params }}"
+  loop: "{{ vault_pki_certificate_subject }}"
+  register: certificate_data
+
+- name: "Write out certificate pem_bundle"
+  copy:
+    content: |
+      {{ item.data.certificate }}
+      {{ item.data.issuing_ca }}
+      {{ item.data.private_key }}
+    dest: "{{ vault_pki_certificates_directory }}/{{ item.item.common_name | replace(' ', '-') }}.pem"
+    mode: 0600
+  delegate_to: "{{ vault_pki_certificates_host }}"
+  loop: "{{ certificate_data.results }}"
+  when: vault_pki_write_certificate_files | bool

roles/vault_pki/tasks/intermediate.yml

@@ -0,0 +1,84 @@
+---
+- name: "Ensure Vault Intermediate PKI backend exists"
+  hashivault_secret_engine:
+    url: "{{ vault_api_addr }}"
+    token: "{{ vault_token }}"
+    name: "{{ vault_pki_intermediate_ca_name }}"
+    description: "{{ vault_pki_intermediate_ca_name }} CA"
+    backend: "pki"
+    config:
+      default_lease_ttl: "{{ vault_pki_intermediate_default_lease_ttl }}"
+      max_lease_ttl: "{{ vault_pki_intermediate_max_lease_ttl }}"
+
+- name: "Generate Intermediate CA cert, key and sign CSR"
+  block:
+    - name: "Generate Vault Intermediate CA cert and key"
+      hashivault_pki_ca:
+        url: "{{ vault_api_addr }}"
+        token: "{{ vault_token }}"
+        mount_point: "{{ vault_pki_intermediate_ca_name }}"
+        type: "{% if vault_pki_intermediate_export | bool %}exported{% else %}internal{% endif %}"
+        common_name: "{{ vault_pki_intermediate_ca_common_name }}"
+        kind: "intermediate"
+        config:
+          ttl: "{{ vault_pki_intermediate_ttl }}"
+          key_bits: "{{ vault_pki_intermediate_key_bits }}"
+      register: intermediate_ca_csr
+
+    - name: "Sign Intermediate CSR"
+      hashivault_pki_cert_sign:
+        url: "{{ vault_api_addr }}"
+        token: "{{ vault_token }}"
+        mount_point: "{{ vault_pki_root_ca_name }}"
+        csr: "{{ intermediate_ca_csr.data.csr }}"
+        common_name: "{{ vault_pki_intermediate_ca_common_name }}"
+        type: intermediate
+      register: intermediate_ca_csr_signed
+
+    - name: "Set Intermediate as signed"
+      hashivault_pki_set_signed:
+        url: "{{ vault_api_addr }}"
+        token: "{{ vault_token }}"
+        mount_point: "{{ vault_pki_intermediate_ca_name }}"
+        certificate: |
+          {{ intermediate_ca_csr_signed.data.certificate }}
+          {{ intermediate_ca_csr_signed.data.issuing_ca }}
+      when:
+        - not vault_pki_intermediate_export | bool
+
+    - name: "Set Exported Intermediate as signed"
+      hashivault_pki_ca_set:
+        url: "{{ vault_api_addr }}"
+        token: "{{ vault_token }}"
+        mount_point: "{{ vault_pki_intermediate_ca_name }}"
+        pem_bundle: |
+          {{ intermediate_ca_csr_signed.data.certificate }}
+          {{ intermediate_ca_csr_signed.data.issuing_ca }}
+          {{ intermediate_ca_csr.data.private_key }}
+      when:
+        - vault_pki_intermediate_export | bool
+
+    - name: "Write out Intermediate Certs and keys to file"
+      copy:
+        content: |
+          {{ intermediate_ca_csr_signed.data.certificate }}
+          {{ intermediate_ca_csr_signed.data.issuing_ca }}
+          {{ intermediate_ca_csr.data.private_key }}
+        dest: "{{ vault_pki_certificates_directory }}/{{ vault_pki_intermediate_ca_name |replace(' ', '-') }}.pem"
+        mode: 0600
+      delegate_to: "{{ vault_pki_certificates_host }}"
+      when:
+        - vault_pki_intermediate_export | bool
+
+  when: not vault_pki_intermediate_import | bool
+
+- name: "Import Intermediate CA cert and key"
+  block:
+    - name: "Import Intermediate CA cert and key"
+      hashivault_pki_ca_set:
+        url: "{{ vault_api_addr }}"
+        token: "{{ vault_token }}"
+        mount_point: "{{ vault_pki_intermediate_ca_name }}"
+        pem_bundle: "{{ vault_pki_intermediate_ca_bundle }}"
+
+  when: vault_pki_intermediate_import | bool

roles/vault_pki/tasks/main.yml

@@ -0,0 +1,21 @@
+---
+- name: "Prechecks"
+  include_tasks: "prechecks.yml"
+
+- name: "Generate Root"
+  include_tasks: "root.yml"
+  when: vault_pki_root_create | bool
+
+- name: "Generate Intermediate"
+  include_tasks: "intermediate.yml"
+  when: vault_pki_intermediate_create | bool
+
+- name: "Define Roles"
+  include_tasks: "roles.yml"
+  when: vault_pki_intermediate_roles | length > 0
+
+- name: "Generate Certificates"
+  include_tasks: "create_cert.yml"
+  when:
+    - vault_pki_generate_certificates | bool
+    - vault_pki_certificate_subject | length > 0