Added customer engine name (#94)

* 23.2 RHEL and Rocky 8 now install node 20 instead of 18 * Added ability to customize vault secret engine name in inventory file * lint updates --------- Co-authored-by: $GITHUB_ACTOR <github-action@users.noreply.github.com>
itential · Nov 12, 2024 · 5aed28b · 5aed28b
1 parent c8e2166
commit 5aed28b
Show file tree

Hide file tree

Showing 8 changed files with 12 additions and 8 deletions.
diff --git a/docs/vault_guide.md b/docs/vault_guide.md
@@ -51,6 +51,7 @@ The following table lists the default variables that are shared between the Vaul
 | `vault_group` | `all` | String | The Vault Linux group. | `vault`
 | `vault_port` | `all` | Integer | The Vault listen port. | `8200`
 | `vault_root_key_dir` | `all` | String | The Vault root key directory. | `/opt/vault/keys/root_key`
+| `vault_name` | `all` | String | The name of the secret engine used to configure vault and IAP | `itential`
 
 ## Vault Role Variables
 

diff --git a/roles/common_vars/defaults/main/vault.yml b/roles/common_vars/defaults/main/vault.yml
@@ -12,3 +12,6 @@ vault_root_key_dir: /opt/vault/keys/root_key
 
 # Flag to manage how secret data is written to Vault with IAP version 2021.2 and later.
 vault_read_only: false
+
+# default vault name
+vault_name: itential
diff --git a/roles/platform/templates/2021.1-properties.j2 b/roles/platform/templates/2021.1-properties.j2
@@ -16,7 +16,7 @@
 {# Build Vault props #}
 {% set vaultProps = None %}
 {% if configure_vault | bool %}
-  {% set vaultProps = dict(url = "http://" ~ hostvars[groups['vault'][0]].inventory_hostname ~ ":" ~ vault_port, token = iap_vault_token_dir ~ "/token.txt", endpoint = "kv-v2/data" ) %}
+  {% set vaultProps = dict(url = "http://" ~ hostvars[groups['vault'][0]].inventory_hostname ~ ":" ~ vault_port, token = iap_vault_token_dir ~ "/token.txt", endpoint = vault_name ~ "/data", readOnly = "false" | bool) %}
 {% endif %}
 {# Build SSL props #}
 {% set acceptInvalidCerts = True %}

diff --git a/roles/platform/templates/2021.2-properties.j2 b/roles/platform/templates/2021.2-properties.j2
@@ -16,7 +16,7 @@
 {# Build Vault props #}
 {% set vaultProps = None %}
 {% if configure_vault | bool %}
-  {% set vaultProps = dict(url = "http://" ~ hostvars[groups['vault'][0]].inventory_hostname ~ ":" ~ vault_port, token = iap_vault_token_dir ~ "/token.txt", endpoint = "kv-v2/data", readOnly = "false" | bool) %}
+  {% set vaultProps = dict(url = "http://" ~ hostvars[groups['vault'][0]].inventory_hostname ~ ":" ~ vault_port, token = iap_vault_token_dir ~ "/token.txt", endpoint = vault_name ~ "/data", readOnly = "false" | bool) %}
   {% if vault_read_only | bool %}
     {% set vaultProps = dict(vaultProps, **{'readOnly': vault_read_only}) %}
   {% endif %}

diff --git a/roles/platform/templates/2022.1-properties.j2 b/roles/platform/templates/2022.1-properties.j2
@@ -16,7 +16,7 @@
 {# Build Vault props #}
 {% set vaultProps = None %}
 {% if configure_vault | bool %}
-  {% set vaultProps = dict(url = "http://" ~ hostvars[groups['vault'][0]].inventory_hostname ~ ":" ~ vault_port, token = iap_vault_token_dir ~ "/token.txt", endpoint = "kv-v2/data", readOnly = "false" | bool) %}
+  {% set vaultProps = dict(url = "http://" ~ hostvars[groups['vault'][0]].inventory_hostname ~ ":" ~ vault_port, token = iap_vault_token_dir ~ "/token.txt", endpoint = vault_name ~ "/data", readOnly = "false" | bool) %}
   {% if vault_read_only | bool %}
     {% set vaultProps = dict(vaultProps, **{'readOnly': vault_read_only}) %}
   {% endif %}

diff --git a/roles/platform/templates/2023.1-properties.j2 b/roles/platform/templates/2023.1-properties.j2
@@ -43,7 +43,7 @@ defined in the host file.
 {# Build Vault props #}
 {% set vaultProps = None %}
 {% if configure_vault | bool %}
-  {% set vaultProps = dict(url = "http://" ~ hostvars[groups['vault'][0]].inventory_hostname ~ ":" ~ vault_port, token = iap_vault_token_dir ~ "/token.txt", endpoint = "kv-v2/data", readOnly = "false" | bool) %}
+  {% set vaultProps = dict(url = "http://" ~ hostvars[groups['vault'][0]].inventory_hostname ~ ":" ~ vault_port, token = iap_vault_token_dir ~ "/token.txt", endpoint = vault_name ~ "/data", readOnly = "false" | bool) %}
   {% if vault_read_only | bool %}
     {% set vaultProps = dict(vaultProps, **{'readOnly': vault_read_only}) %}
   {% endif %}

diff --git a/roles/platform/templates/2023.2-properties.j2 b/roles/platform/templates/2023.2-properties.j2
@@ -43,7 +43,7 @@ defined in the host file.
 {# Build Vault props #}
 {% set vaultProps = None %}
 {% if configure_vault | bool %}
-  {% set vaultProps = dict(url = "http://" ~ hostvars[groups['vault'][0]].inventory_hostname ~ ":" ~ vault_port, token = iap_vault_token_dir ~ "/token.txt", endpoint = "kv-v2/data", readOnly = "false" | bool) %}
+  {% set vaultProps = dict(url = "http://" ~ hostvars[groups['vault'][0]].inventory_hostname ~ ":" ~ vault_port, token = iap_vault_token_dir ~ "/token.txt", endpoint = vault_name ~ "/data", readOnly = "false" | bool) %}
   {% if vault_read_only | bool %}
     {% set vaultProps = dict(vaultProps, **{'readOnly': vault_read_only}) %}
   {% endif %}

diff --git a/roles/vault_unseal/tasks/main.yml b/roles/vault_unseal/tasks/main.yml
@@ -96,7 +96,7 @@
   register: root_key
 
 # Check if kv-v2 engine exists
-- name: Check for kv-v2 secrets engine
+- name: Check for secrets engine
   ansible.builtin.command: vault secrets list
   environment:
     VAULT_ADDR: "http://{{ inventory_hostname }}:{{ vault_port }}"
@@ -105,10 +105,10 @@
   changed_when: false
 
 - name: Enable KV Secrets Engine
-  ansible.builtin.command: vault secrets enable kv-v2
+  ansible.builtin.command: vault secrets enable -path={{ vault_name }} -version=2 kv
   environment:
     VAULT_ADDR: "http://{{ inventory_hostname }}:{{ vault_port }}"
     VAULT_TOKEN: "{{ root_key.content | b64decode }}"
   register: vault_secrets_enable_result
   changed_when: vault_secrets_enable_result.changed
-  when: '"kv-v2" not in secrets.stdout'
+  when: 'vault_name not in secrets.stdout'