From 090cec6a118080706c4140f2761fe545a7cc40b7 Mon Sep 17 00:00:00 2001
From: Daniel Berteaud
Date: Wed, 26 Jul 2023 19:00:19 +0200
Subject: [PATCH] Update to 2023-07-26 19:00

---
 roles/consul/defaults/main.yml | 8 +++++---
 roles/consul/tasks/install.yml | 2 +-
 roles/consul/templates/pre-backup.j2 | 11 +++++++++++
 roles/nomad/defaults/main.yml | 5 +++++
 roles/nomad/tasks/install.yml | 2 +-
 roles/nomad/templates/pre-backup.j2 | 17 +++++++++++------
 roles/vault/defaults/main.yml | 9 ++++++---
 roles/vault/tasks/install.yml | 7 +++++++
 roles/vault/templates/post-backup.j2 | 4 ++++
 roles/vault/templates/pre-backup.j2 | 11 +++++++++++
 roles/vault_agent/templates/vault-agent.hcl.j2 | 1 -
 roles/vault_bin/defaults/main.yml | 4 ++--
 12 files changed, 64 insertions(+), 17 deletions(-)
 create mode 100644 roles/vault/templates/post-backup.j2
 create mode 100644 roles/vault/templates/pre-backup.j2

diff --git a/roles/consul/defaults/main.yml b/roles/consul/defaults/main.yml
index a1b1f00..ef74b08 100644
--- a/roles/consul/defaults/main.yml
+++ b/roles/consul/defaults/main.yml
@@ -10,9 +10,11 @@ consul_root_dir: /opt/consul
 # Used for example to grant access to cli cert with ACL
 consul_admin_groups: "{{ system_admin_groups | default([]) }}"
 
-# If ACL are enabled, you need to set a management token for ansible
-# to be able to manage Consul (eg snapshot before upgrades)
-# consul_mgm_token: XXXXXXXXX
+# An optional CONSUL_HTTP_TOKEN to use to take a snapshot of raft logs during pre-backup
+# for example:
+# consul_backup_token: 1677848e-1fcd-b24a-6fb0-56b503d75651
+# or a more advanced use
+# # consul_backup_token: $(VAULT_TOKEN=$(cat /run/vault_agent/vault.token) vault read -field=secret_id consul/creds/admin ttl=1m)
 
 # List of consul servers name or IP
 consul_servers: []
diff --git a/roles/consul/tasks/install.yml b/roles/consul/tasks/install.yml
index 80679c8..0b3c286 100644
--- a/roles/consul/tasks/install.yml
+++ b/roles/consul/tasks/install.yml
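Review bot: The last example line of the new comment block carries a doubled comment prefix, `# # consul_backup_token: $(...)`, while the simple example above it and the matching nomad block use a single `#`; write it as `# consul_backup_token: $(VAULT_TOKEN=$(cat /run/vault_agent/vault.token) vault read -field=secret_id consul/creds/admin ttl=1m)`. Since the value is rendered verbatim into a shell script by the pre-backup template, the comment could also state that a `$(...)` value is evaluated on the host at backup time, not by Ansible, so readers know where the Vault lookup runs and that the rendered hook file will contain it.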
@@ -7,7 +7,7 @@
   tags: consul
 
 - name: Install backup hooks
-  template: src={{ item }}-backup.j2 dest=/etc/backup/{{ item }}.d/consul mode=755
+  template: src={{ item }}-backup.j2 dest=/etc/backup/{{ item }}.d/consul mode=700
   loop:
     - pre
     - post
diff --git a/roles/consul/templates/pre-backup.j2 b/roles/consul/templates/pre-backup.j2
index 7626f57..dd9a506 100644
--- a/roles/consul/templates/pre-backup.j2
+++ b/roles/consul/templates/pre-backup.j2
@@ -1,4 +1,15 @@
 #!/bin/sh
 
 set -eo pipefail
+{% if consul_conf.server %}
+if [ -e /etc/profile.d/vault.sh ]; then
+  source /etc/profile.d/vault.sh
+fi
+if [ -e /etc/profile.d/consul.sh ]; then
+  source /etc/profile.d/consul.sh
+fi
+{% if consul_conf.acl.enabled and consul_backup_token is defined %}
+export CONSUL_HTTP_TOKEN={{ consul_backup_token }}
+{% endif %}
+{% endif %}
 consul snapshot save {{ consul_root_dir }}/backup/consul.snap
diff --git a/roles/nomad/defaults/main.yml b/roles/nomad/defaults/main.yml
index 37beed0..6d1fd34 100644
--- a/roles/nomad/defaults/main.yml
+++ b/roles/nomad/defaults/main.yml
@@ -256,3 +256,8 @@ nomad_extra_services: {}
 
 nomad_host_services: {}
 nomad_services: "{{ nomad_base_services | combine(nomad_extra_services, recursive=True) | combine(nomad_host_services, recursive=True) }}"
+# An optional NOMAD_TOKEN to use to take a snapshot of raft logs during pre-backup
+# for example:
+# nomad_backup_token: 1677848e-1fcd-b24a-6fb0-56b503d75651
+# or a more advanced use
+# nomad_backup_token: $(VAULT_TOKEN=$(cat /run/vault_agent/vault.token) vault read -field=secret_id nomad/creds/admin ttl=1m)
diff --git a/roles/nomad/tasks/install.yml b/roles/nomad/tasks/install.yml
index baeb19b..6610a9a 100644
--- a/roles/nomad/tasks/install.yml
+++ b/roles/nomad/tasks/install.yml
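Review bot: `mode=700` is passed inside the free-form `key=value` argument string, so it reaches the module as the string `700` rather than an octal literal, while the task just above the new vault hook in `roles/vault/tasks/install.yml` uses block YAML with `mode: 0755`; the consistent form is `template:` with `src:`, `dest:` and `mode: "0700"` as separate keys. The same `key=value` line appears in `roles/nomad/tasks/install.yml` and in the new task in `roles/vault/tasks/install.yml`. Tightening from 755 to 700 is warranted because the rendered pre-backup hook now embeds an exported API token. The task's `tags:` line lies outside this hunk.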
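Review bot: The added `source /etc/profile.d/vault.sh` and `source /etc/profile.d/consul.sh` lines are a bashism in a script whose shebang is `#!/bin/sh`; where /bin/sh is dash, `source` is not a builtin and, with `set -e` already in force, the hook aborts before `consul snapshot save` runs. The portable form is `. /etc/profile.d/vault.sh` and `. /etc/profile.d/consul.sh`; the same `source` lines are in `roles/nomad/templates/pre-backup.j2` and the new `roles/vault/templates/pre-backup.j2`. Separately, `export CONSUL_HTTP_TOKEN={{ consul_backup_token }}` with a `$(...)` value like the one suggested in the defaults hides the substituted command's exit status behind `export`, so a failed token lookup does not trip `set -e` and the snapshot is attempted with an empty token; writing `CONSUL_HTTP_TOKEN={{ consul_backup_token }}` on one line and `export CONSUL_HTTP_TOKEN` on the next keeps the failure visible and works for literal values too, and the same applies to `NOMAD_TOKEN` and `VAULT_TOKEN` in the other two templates.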
@@ -78,7 +78,7 @@
   tags: nomad
 
 - name: Install backup hooks
-  template: src={{ item }}-backup.j2 dest=/etc/backup/{{ item }}.d/nomad mode=755
+  template: src={{ item }}-backup.j2 dest=/etc/backup/{{ item }}.d/nomad mode=700
   loop:
     - pre
     - post
diff --git a/roles/nomad/templates/pre-backup.j2 b/roles/nomad/templates/pre-backup.j2
index aa934a8..9668df1 100644
--- a/roles/nomad/templates/pre-backup.j2
+++ b/roles/nomad/templates/pre-backup.j2
@@ -2,10 +2,15 @@
 
 set -eo pipefail
 
-{% if nomad_conf.tls.http %}
-NOMAD_ADDR=https://localhost:{{ nomad_services.http.port }} \
-NOMAD_CACERT={{ nomad_conf.tls.ca_file }} \
-NOMAD_CLIENT_CERT={{ nomad_root_dir }}/tls/cli.crt \
-NOMAD_CLIENT_KEY={{ nomad_root_dir }}/tls/cli.key \
+{% if nomad_conf.server.enabled %}
+if [ -e /etc/profile.d/vault.sh ]; then
+  source /etc/profile.d/vault.sh
+fi
+if [ -e /etc/profile.d/nomad.sh ]; then
+  source /etc/profile.d/nomad.sh
+fi
+{% if nomad_conf.acl.enabled and nomad_backup_token is defined %}
+export NOMAD_TOKEN={{ nomad_backup_token }}
 {% endif %}
-{{ nomad_root_dir }}/bin/nomad operator snapshot save {{ nomad_root_dir }}/backup/nomad.snap
+{% endif %}
+/usr/local/bin/nomad operator snapshot save {{ nomad_root_dir }}/backup/nomad.snap
diff --git a/roles/vault/defaults/main.yml b/roles/vault/defaults/main.yml
index f65f117..bb2ad99 100644
--- a/roles/vault/defaults/main.yml
+++ b/roles/vault/defaults/main.yml
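Review bot: `/usr/local/bin/nomad operator snapshot save ...` sits after the closing `{% endif %}` of the new `{% if nomad_conf.server.enabled %}` block, so on a node rendered with the server disabled the hook still attempts a raft snapshot with no token or environment prepared, and under `set -e` that failure fails the whole pre-backup run. The new vault template keeps its snapshot command inside its conditional; moving the nomad command above the outer `{% endif %}` would match it, unless the role only installs this hook on server nodes, which is not visible here. The two `source` lines are also a bashism under `#!/bin/sh` and should be `. /etc/profile.d/vault.sh` and `. /etc/profile.d/nomad.sh`.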
@@ -12,9 +12,12 @@ vault_user: vault
 # expose your vault server on the public internet
 # vault_letsencrypt_cert: "{{ inventory_hostname }}"
 
-# A token having backup (raft snapshot) permission. If set, ansible will
-# take a snapshot of the data before upgrading vault
-# vault_bkp_token: XXXXX
+
+# A token having read access to sys/storage/raft/snapshot. If set, a snapshot will be taken
+# during pre-backup and removed in post-backup
+# vault_backup_token: XXXXX
+# You can also define a command to get the token, eg
+# vault_backup_token: $(cat /run/vault_agent/vault.token)
 
 # Ports used by vault, and the IP/CIDR for which the port will be opened on the local firewall
 vault_base_services:
diff --git a/roles/vault/tasks/install.yml b/roles/vault/tasks/install.yml
index 07a2158..bf592d3 100644
--- a/roles/vault/tasks/install.yml
+++ b/roles/vault/tasks/install.yml
@@ -29,3 +29,10 @@
     dest: /etc/profile.d/vault.sh
     mode: 0755
   tags: vault
+
+- name: Install backup hooks
+  template: src={{ item }}-backup.j2 dest=/etc/backup/{{ item }}.d/vault mode=700
+  loop:
+    - pre
+    - post
+  tags: vault
diff --git a/roles/vault/templates/post-backup.j2 b/roles/vault/templates/post-backup.j2
new file mode 100644
index 0000000..02f96e1
--- /dev/null
+++ b/roles/vault/templates/post-backup.j2
@@ -0,0 +1,4 @@
+#!/bin/sh
+
+set -eo pipefail
+rm -f {{ vault_root_dir }}/backup/vault.snap
diff --git a/roles/vault/templates/pre-backup.j2 b/roles/vault/templates/pre-backup.j2
new file mode 100644
index 0000000..687b088
--- /dev/null
+++ b/roles/vault/templates/pre-backup.j2
@@ -0,0 +1,11 @@
+#!/bin/sh
+
+set -eo pipefail
+
+{% if vault_backup_token is defined %}
+if [ -e /etc/profile.d/vault.sh ]; then
+  source /etc/profile.d/vault.sh
+fi
+export VAULT_TOKEN={{ vault_backup_token }}
+vault operator raft snapshot save {{ vault_root_dir }}/backup/vault.snap
+{% endif %}
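Review bot: The first added line is an empty line directly after an existing empty context line, leaving two consecutive blank lines between `vault_letsencrypt_cert` and the new token comment; yamllint's `empty-lines` rule flags this, so drop the added blank. The comment text itself is accurate against the pre/post-backup templates added in this commit, though `# vault_backup_token: XXXXX` would read better with an explicit placeholder such as `# vault_backup_token: <token with read on sys/storage/raft/snapshot>`.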
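Review bot: `set -eo pipefail` in a file created with the `#!/bin/sh` shebang is not accepted by older dash releases (`set: Illegal option -o pipefail`), and because that failing `set` is a special builtin the non-interactive shell exits before `rm -f` runs; whether the target hosts use bash or a recent dash as /bin/sh is not visible here. Neither this file nor the new `roles/vault/templates/pre-backup.j2` uses a pipe, so `set -e` alone is sufficient, or use `#!/bin/bash` if `pipefail` is wanted. The same combination already exists in the consul and nomad hooks, but both vault hooks are new in this commit, so this is the place to get it right.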
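Review bot: `vault operator raft snapshot save {{ vault_root_dir }}/backup/vault.snap` writes a full copy of Vault's storage with whatever umask the backup runner has, and nothing in this hunk or the new install task restricts the mode of the `backup` directory or the file; if that directory is not created with a restrictive mode elsewhere in the role, a `umask 077` line before the `vault` command keeps the snapshot owner-readable only while it waits for post-backup to delete it. `export VAULT_TOKEN={{ vault_backup_token }}` places the token in the rendered hook file, which is what justifies the 0700 mode on the install task; since no `VAULT_ADDR` or TLS variables are set here, the hook presumably relies on `/etc/profile.d/vault.sh` providing them, and that file is only sourced when present, so a missing profile silently falls back to the CLI defaults. The `source` line is also a bashism under `#!/bin/sh` and should be `. /etc/profile.d/vault.sh`.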
diff --git a/roles/vault_agent/templates/vault-agent.hcl.j2 b/roles/vault_agent/templates/vault-agent.hcl.j2
index 83100d4..cc22083 100644
--- a/roles/vault_agent/templates/vault-agent.hcl.j2
+++ b/roles/vault_agent/templates/vault-agent.hcl.j2
@@ -24,7 +24,6 @@ auto_auth {
   # Not used, but prevent service failing if there's not template yet
   sink {
     type = "file"
-    wrap_ttl = "1s"
     config = {
       path = "/run/vault_agent/vault.token"
       mode = 0600
diff --git a/roles/vault_bin/defaults/main.yml b/roles/vault_bin/defaults/main.yml
index 6def85a..46cbc77 100644
--- a/roles/vault_bin/defaults/main.yml
+++ b/roles/vault_bin/defaults/main.yml
@@ -1,7 +1,7 @@
 # Version of Vault to install
-vault_version: 1.14.0
+vault_version: 1.14.1
 # URL of the archive
 vault_archive_url: https://releases.hashicorp.com/vault/{{ vault_version }}/vault_{{ vault_version }}_linux_amd64.zip
 # Expected sha256 of the archive
-vault_archive_sha256: 3d5c27e35d8ed43d861e892fc7d8f888f2fda4319a36f344f8c09603fb184b50
+vault_archive_sha256: 6031432dfc3de07f6523d206c44fc018aa969d94c8e9125a77340af359f57ea3
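Review bot: With `wrap_ttl = "1s"` removed, the file sink at `/run/vault_agent/vault.token` now holds the agent's plain token rather than a response-wrapped one, and the defaults added in this commit (`$(cat /run/vault_agent/vault.token)`) read it directly, so the context comment `# Not used, but prevent service failing if there's not template yet` is stale; replace it with something like `# Plain agent token, consumed by local tooling such as the backup hooks; keep mode 0600`. Anyone who can read that path can act with the agent's identity, so the comment is also the right place to record that the 0600 mode is load-bearing. The enclosing `auto_auth` block starts and ends outside this hunk.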