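---
# Configures a running, initialized HashiCorp Vault instance.
#
# Expects Vault to already be initialized (run --tags vault_init first).
# Unseals if sealed and vault_unseal_keys is defined.
# Then configures OIDC authentication with Keycloak.
#
# Security notes:
#   - vault_vault_root_token and vault_vault_oidc_client_secret are secrets;
#     supply them from a secret store (the fail_msg below points at 1Password)
#     rather than from plaintext inventory committed to version control.
#   - The root token is only needed for bootstrap configuration; revoke it once
#     a policy-scoped token exists rather than keeping it around indefinitely.
#   - vault_validate_certs defaults to true below. Only set it to false for a
#     throwaway test instance: with verification off, every request to Vault
#     (including the ones carrying the root token) can be intercepted.

- name: Validate required variables
  ansible.builtin.assert:
    that:
      - vault_url | default('') | length > 0
      - vault_vault_root_token | default('') | length > 0
      - vault_oidc_issuer | default('') | length > 0
      - vault_vault_oidc_client_secret | default('') | length > 0
    # On failure assert reports the assertion text, not the evaluated value,
    # so the secrets checked above are not echoed into the play output.
    fail_msg: >-
      vault_url, vault_vault_root_token, vault_oidc_issuer, and
      vault_vault_oidc_client_secret are required. Run --tags vault_init first,
      save credentials to 1Password, then run
      --tags vault_configure_keycloak,vault_configure_oidc or default play.

# /v1/sys/health needs no token and encodes Vault's state in the HTTP status:
#   200 initialized+unsealed+active, 429 standby, 472 DR secondary,
#   473 performance standby, 501 not initialized, 503 sealed.
# All of these are accepted here so the JSON body can be inspected; the asserts
# below decide which states are acceptable.
- name: Check Vault status
  ansible.builtin.uri:
    url: "{{ vault_url }}/v1/sys/health"
    method: GET
    # Secure default: verify TLS unless the caller explicitly opts out.
    validate_certs: "{{ vault_validate_certs | default(true) }}"
    status_code: [200, 429, 472, 473, 501, 503]
  register: __vault_health

- name: Assert Vault is initialized
  ansible.builtin.assert:
    that:
      - __vault_health.json.initialized | bool
    fail_msg: >-
      Vault is not initialized. Run:
      ansible-navigator run playbooks/deploy_vault.yml --tags vault_init

- name: Unseal Vault if sealed
  ansible.builtin.include_tasks: unseal.yml
  when:
    - __vault_health.json.sealed | bool
    - vault_unseal_keys | default([]) | length > 0

# Re-read the health endpoint after an unseal attempt instead of trusting a
# flag set by the included tasks, so the assertion below reflects what Vault
# actually reports. A separate register name is used on purpose: a skipped
# task still overwrites its registered variable, which would clobber
# __vault_health when no unseal was attempted.
- name: Re-check Vault status after unseal attempt
  ansible.builtin.uri:
    url: "{{ vault_url }}/v1/sys/health"
    method: GET
    validate_certs: "{{ vault_validate_certs | default(true) }}"
    status_code: [200, 429, 472, 473, 501, 503]
  register: __vault_health_after_unseal
  when:
    - __vault_health.json.sealed | bool
    - vault_unseal_keys | default([]) | length > 0

- name: Assert Vault is unsealed
  ansible.builtin.assert:
    that:
      # Prefer the post-unseal reading; fall back to the initial one when the
      # re-check was skipped (Vault was never sealed, or no keys were given).
      - not ((__vault_health_after_unseal.json | default(__vault_health.json)).sealed | bool)
    fail_msg: >-
      Vault is sealed. Provide vault_unseal_keys (list of unseal key strings) or
      unseal manually via the Vault UI, then rerun.

- name: Configure OIDC authentication
  ansible.builtin.include_tasks: configure_oidc.yml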