6bf74aa20d
This commit adds two new cli commands to allow an operator to read and write passwords into a configured Hashicorp Vault KV. Change-Id: Icf0eaf7544fcbdf7b83f697cc711446f47118a4d
76 lines
2.6 KiB
YAML
76 lines
2.6 KiB
YAML
---
|
|
- hosts: all
|
|
any_errors_fatal: true
|
|
tasks:
|
|
# NOTE(yoctozepto): setting vars as facts for all to have them around in all the plays
|
|
- name: set facts for commonly used variables
|
|
set_fact:
|
|
kolla_ansible_src_dir: "{{ ansible_env.PWD }}/src/{{ zuul.project.canonical_hostname }}/openstack/kolla-ansible"
|
|
upper_constraints_file: "{{ ansible_env.HOME }}/src/opendev.org/openstack/requirements/upper-constraints.txt"
|
|
pip_user_path_env:
|
|
PATH: "{{ ansible_env.HOME + '/.local/bin:' + ansible_env.PATH }}"
|
|
|
|
- hosts: primary
|
|
any_errors_fatal: true
|
|
environment: "{{ pip_user_path_env }}"
|
|
tasks:
|
|
- name: ensure /etc/kolla exists
|
|
file:
|
|
path: "/etc/kolla"
|
|
state: "directory"
|
|
mode: 0777
|
|
become: true
|
|
|
|
# NOTE(mgoddard): We need a recent pip to install the latest cryptography
|
|
# library. See https://github.com/pyca/cryptography/issues/5753
|
|
- name: install pip 19.1.1+
|
|
pip:
|
|
name: "pip>=19.1.1"
|
|
executable: "pip3"
|
|
extra_args: "--user"
|
|
|
|
- name: install kolla-ansible and dependencies
|
|
pip:
|
|
name:
|
|
- "{{ kolla_ansible_src_dir }}"
|
|
executable: "pip3"
|
|
extra_args: "-c {{ upper_constraints_file }} --user"
|
|
|
|
- name: copy passwords.yml file
|
|
copy:
|
|
src: "{{ kolla_ansible_src_dir }}/etc/kolla/passwords.yml"
|
|
dest: /etc/kolla/passwords.yml
|
|
remote_src: true
|
|
|
|
- name: generate passwords
|
|
command: kolla-genpwd
|
|
|
|
# At this point we have generated all necessary configuration, and are
|
|
# ready to test Hashicorp Vault.
|
|
- name: Run test-hashicorp-vault-passwords.sh script
|
|
script:
|
|
cmd: test-hashicorp-vault-passwords.sh
|
|
executable: /bin/bash
|
|
chdir: "{{ kolla_ansible_src_dir }}"
|
|
environment:
|
|
BASE_DISTRO: "{{ base_distro }}"
|
|
|
|
- name: Read template file
|
|
slurp:
|
|
src: "/etc/kolla/passwords.yml"
|
|
register: template_file
|
|
|
|
- name: Read generated file
|
|
slurp:
|
|
src: "/tmp/passwords-hashicorp-vault.yml"
|
|
register: generated_file
|
|
|
|
# This test will load in the original input file and the one that was
|
|
# generated by Vault and ensure that the keys are the same in both files.
|
|
# This ensures that we are not missing any passwords.
|
|
- name: Check passwords that were written to Vault are as expected
|
|
vars:
|
|
input_passwords: "{{ template_file['content'] | b64decode | from_yaml | sort }}"
|
|
output_passwords: "{{ generated_file['content'] | b64decode | from_yaml | sort }}"
|
|
assert: { that: "input_passwords == output_passwords" }
|