Vault security hardening and role isolation

2026-03-07 02:27:43 +03:00 · 2017-02-08 21:41:36 +00:00
parent f4ec2d18e5
commit 245e05ce61
78 changed files with 1408 additions and 706 deletions
--- a/roles/vault/tasks/bootstrap/start_vault_temp.yml
+++ b/roles/vault/tasks/bootstrap/start_vault_temp.yml
@@ -1,21 +1,21 @@
 ---

- name: boostrap/start_vault_temp | Ensure vault-temp isn't already running
-  shell: if docker rm -f vault-temp 2>&1 1>/dev/null;then echo true;else echo false;fi
+- name: bootstrap/start_vault_temp | Ensure vault-temp isn't already running
+  shell: if docker rm -f {{ vault_temp_container_name }} 2>&1 1>/dev/null;then echo true;else echo false;fi
  register: vault_temp_stop_check
  changed_when: "{{ 'true' in vault_temp_stop_check.stdout }}"

 - name: bootstrap/start_vault_temp | Start single node Vault with file backend
  command: >
-           docker run -d --cap-add=IPC_LOCK --name vault-temp -p {{ vault_temp_port }}:{{ vault_temp_port }}
+           docker run -d --cap-add=IPC_LOCK --name {{ vault_temp_container_name }}
+           -p {{ vault_port }}:{{ vault_port }}
           -e 'VAULT_LOCAL_CONFIG={{ vault_temp_config|to_json }}'
           -v /etc/vault:/etc/vault
           {{ vault_image_repo }}:{{ vault_version }} server
-  register: vault_temp_start

 - name: bootstrap/start_vault_temp | Initialize vault-temp
  uri:
-    url: "http://localhost:{{ vault_temp_port }}/v1/sys/init"
+    url: "http://localhost:{{ vault_port }}/v1/sys/init"
    headers: "{{ vault_client_headers }}"
    method: PUT
    body_format: json
@@ -24,32 +24,20 @@
      secret_threshold: 1
  register: vault_temp_init

-# NOTE: vault_headers and vault_url are used by subsequent gen_cert calls
+# NOTE: vault_headers and vault_url are used by subsequent issue calls
 - name: bootstrap/start_vault_temp | Set needed vault facts
  set_fact:
+    vault_leader_url: "http://{{ inventory_hostname }}:{{ vault_port }}"
    vault_temp_unseal_keys: "{{ vault_temp_init.json['keys'] }}"
    vault_temp_root_token: "{{ vault_temp_init.json.root_token }}"
    vault_headers: "{{ vault_client_headers|combine({'X-Vault-Token': vault_temp_init.json.root_token}) }}"

 - name: bootstrap/start_vault_temp | Unseal vault-temp
  uri:
-    url: "http://localhost:{{ vault_temp_port }}/v1/sys/unseal"
+    url: "http://localhost:{{ vault_port }}/v1/sys/unseal"
    headers: "{{ vault_headers }}"
    method: POST
    body_format: json
    body:
      key: "{{ item }}"
  with_items: "{{ vault_temp_unseal_keys|default([]) }}"
-
- name: bootstrap/start_vault_temp | Create new PKI mount
-  uri:
-    url: "http://localhost:{{ vault_temp_port }}/v1/sys/mounts/pki"
-    headers: "{{ vault_headers }}"
-    method: POST
-    body_format: json
-    body:
-      config:
-        default_lease_ttl: "{{ vault_default_lease_ttl }}"
-        max_lease_ttl: "{{ vault_max_lease_ttl }}"
-      type: pki
-    status_code: 204