fix: Remove unnecessary container registry step
54
roles/vault_setup/tasks/init.yml
Normal file
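--- /dev/null
+++ b/roles/vault_setup/tasks/init.yml
@@ -0,0 +1,54 @@
+---
+# Initialize Vault. Idempotent: skips if already initialized.
+# On success, displays root token and unseal keys for manual saving to 1Password.
+# After saving, rerun the playbook (default play) to complete configuration.
+
+- name: Check Vault initialization status
+  ansible.builtin.uri:
+    url: "{{ vault_url }}/v1/sys/init"
+    method: GET
+    validate_certs: "{{ vault_validate_certs }}"
+  register: __vault_init_status
+
+- name: Skip init (already initialized)
+  ansible.builtin.debug:
+    msg: "Vault is already initialized. Skipping init."
+  when: __vault_init_status.json.initialized | bool
+
+- name: Initialize Vault
+  ansible.builtin.uri:
+    url: "{{ vault_url }}/v1/sys/init"
+    method: POST
+    validate_certs: "{{ vault_validate_certs }}"
+    body_format: json
+    body:
+      secret_shares: "{{ vault_init_key_shares }}"
+      secret_threshold: "{{ vault_init_key_threshold }}"
+    status_code: 200
+  register: __vault_init_result
+  no_log: true
+  when: not __vault_init_status.json.initialized | bool
+
+- name: Display init output — SAVE TO 1PASSWORD NOW
+  ansible.builtin.debug:
+    msg:
+      - "*** VAULT INITIALIZED — SAVE THE FOLLOWING TO 1PASSWORD IMMEDIATELY ***"
+      - ""
+      - "Root Token:"
+      - " vault_vault_root_token: {{ __vault_init_result.json.root_token }}"
+      - ""
+      - "Unseal Keys (need {{ vault_init_key_threshold }} of {{ vault_init_key_shares }}):"
+      - "{% for key in __vault_init_result.json.keys_base64 %} unseal_key_{{ loop.index }}: {{ key }}{% endfor %}"
+      - ""
+      - "Save vault_unseal_keys as a list of {{ vault_init_key_threshold }} key strings in 1Password."
+      - "Save vault_vault_root_token to 1Password."
+  when: not __vault_init_status.json.initialized | bool
+
+- name: Fail after init — save credentials before continuing
+  ansible.builtin.fail:
+    msg: >-
+      Vault initialization complete.
+      SAVE the root token and unseal keys to 1Password before continuing.
+      Then run the default play to unseal and configure OIDC:
+      ansible-navigator run playbooks/deploy_vault.yml
+  when: not __vault_init_status.json.initialized | bool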
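Review bot: The `Display init output` task prints the root token and every unseal key in clear text, which undoes the `no_log: true` placed on the `Initialize Vault` task immediately before it: the values end up in terminal scrollback, in any CI job log, and, since the fail message directs the operator to ansible-navigator, most likely in the playbook artifact JSON that tool writes to disk by default. If an on-screen hand-off is really the intended workflow, consider passing `pgp_keys` / `root_token_pgp_key` in the init body so Vault returns each share already encrypted to its holder, or write the output to a mode-`0600` file on the controller under `no_log: true` and point the operator at that file instead of echoing the secrets. Whichever is chosen, a comment above the task such as `# Prints the root token and unseal keys in clear text: run interactively, never in CI, and purge logs/artifacts afterwards` would make the exposure explicit to the next maintainer. The whole file is within this hunk, so the fail task below would also need its message updated to name the file.
```yaml
- name: Write init output to the controller — SAVE TO 1PASSWORD NOW, THEN DELETE THIS FILE
  ansible.builtin.copy:
    content: |
      vault_vault_root_token: {{ __vault_init_result.json.root_token }}
      vault_unseal_keys:
      {% for key in __vault_init_result.json.keys_base64 %}
        - {{ key }}
      {% endfor %}
    dest: "{{ playbook_dir }}/vault-init-output.yml"
    mode: "0600"
  delegate_to: localhost
  no_log: true
  when: not __vault_init_status.json.initialized | bool
# … unchanged: fail task (message should reference vault-init-output.yml instead of the screen) …
```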