I'm trying to come up with some roles for configuring the HashiCorp Vault
agent. In the end I'd like to build up the agent's config file to pull
different secrets from a vault and then call scripts in response.
I have a role, for example, that creates a Perforce authentication token
using a vault secret and has a cron job to keep it up to date every hour.
I might have another role that pulls down a password and updates a Kerberos
keytab on a system.
So far I've broken this up into something like these roles:
- vault-agent-init
  - clears the fragments assemble directory
  - makes misc directories
- vault-agent-perforce-auth
  - parms: user, secret path, ...
  - drops a fragment into the fragments directory to add to config
  - adds a cron job that creates and keeps up to date a Perforce
    ticket/token file for a specific user
- vault-agent-keytab-auth
  - parms: user, secret path, ...
  - drops a fragment into the fragments directory to add to config
  - adds a cron job that updates the keytab for a specific user
- vault-agent
  - assembles fragments, finishes configuring the agent.
Right now I put these together within a machine's role by placing these in
order using include_role -- not using dependency roles. Roles that depend
on the init role cause the fragments dir to be cleared for each parent
role because init runs more than once.
Here's an example of what is included in a machine/service's role:
- include_role:
    name: vault_agent_init
- include_role:
    name: vault_agent_keytab_auth
  vars:
    vault_approle: "xxx"
    vault_agent_keytab_user: "yyy"
    vault_agent_secret_path: "secret/user/yyy"
- include_role:
    name: vault_agent_perforce_auth
  vars:
    vault_approle: "xxxx"
    [...]
    vault_agent_secret_path: "yyyy"
- include_role: # assemble final config
    name: vault_agent
The idea is that I can build up the fragments, and then when done, include
the final role to build up the fragments.
Is there a better way to pattern this? I could try parameterizing
everything into a single vault agent role, but I'd like other roles to
be able to add other fragments without having to keep parameterizing the
agent's role. It feels like keeping these as smaller components would be
better -- more maintainable.
One of the challenges I'm having with this now is that I would like to apply
a role to all machines that is dependent on one of these secrets -- the
vault-agent-perforce-auth role. This role would use the Perforce
authentication to pull down a repository and sync it every hour. But now
I've designed myself into a corner where I have to add these includes
manually to every machine's role list and can't just apply it to my list of
common roles applied to all machines.
I learned Puppet first long ago, but have been using Ansible now for quite
a few years -- but I fear that I am only seeing this design problem through
a Puppet "lens."
Thanks!
Rich
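An added illustration of one way to structure this (example code, not Rich's roles and not anything from the Vault or Ansible projects): the init role guards its destructive "clear the fragment directory" step behind a per-host fact so it can safely be a meta dependency of every fragment-dropping role, and the final assembly is a handler, so however many roles notify it during a play it runs once, after all fragments are in place. That lets a common role such as a Perforce sync role simply declare vault_agent_perforce_auth as a dependency and go into the list applied to every machine. All paths, role names, variable names, the template file and the refresh script are assumptions; fragments and the assembled config are kept root-only because they name secret paths.

```yaml
# Added example (not the original poster's code). Role/variable names,
# paths, the template and the refresh script are assumptions.

# --- roles/vault_agent_init/tasks/main.yml ---
# The destructive step runs only on the first pass through this role in a
# play, whether the role arrives via include_role or as a meta dependency.
- name: Clear vault agent fragment directory (first run in this play only)
  ansible.builtin.file:
    path: /etc/vault-agent.d
    state: absent
  when: not (vault_agent_initialized | default(false))

- name: Create vault agent directories
  ansible.builtin.file:
    path: "{{ item }}"
    state: directory
    owner: root
    group: root
    mode: "0750"
  loop:
    - /etc/vault-agent.d
    - /var/lib/vault-agent

- name: Remember that init has run on this host for the rest of the play
  ansible.builtin.set_fact:
    vault_agent_initialized: true

# --- roles/vault_agent_init/handlers/main.yml ---
# Handlers live in the init role because every fragment role depends on it,
# so the handler is always loaded before anything notifies it.
- name: Assemble vault agent config
  listen: assemble vault agent config
  ansible.builtin.assemble:
    src: /etc/vault-agent.d
    dest: /etc/vault-agent.hcl
    regexp: '\.hcl$'
    owner: root
    group: root
    mode: "0600"
  notify: restart vault agent

- name: Restart vault agent
  listen: restart vault agent
  ansible.builtin.service:
    name: vault-agent
    state: restarted

# --- roles/vault_agent_perforce_auth/meta/main.yml ---
dependencies:
  - role: vault_agent_init

# --- roles/vault_agent_perforce_auth/tasks/main.yml ---
- name: Drop Perforce auth template fragment
  ansible.builtin.template:
    src: perforce_auth.hcl.j2            # assumed template
    dest: "/etc/vault-agent.d/20-perforce-{{ vault_agent_perforce_user }}.hcl"
    owner: root
    group: root
    mode: "0600"                          # fragment names a secret path
  notify: assemble vault agent config

- name: Cron job to refresh the Perforce ticket hourly
  ansible.builtin.cron:
    name: "vault perforce ticket for {{ vault_agent_perforce_user }}"
    minute: "0"
    job: "/usr/local/bin/p4-ticket-refresh {{ vault_agent_perforce_user }}"  # assumed script

# --- roles/perforce_sync/meta/main.yml ---
# A role that is applied to every machine just depends on the auth role.
dependencies:
  - role: vault_agent_perforce_auth
    vars:
      vault_agent_perforce_user: "{{ perforce_sync_user }}"
      vault_agent_secret_path: "secret/user/{{ perforce_sync_user }}"

# --- roles/perforce_sync/tasks/main.yml ---
# If this role needs the assembled config right now rather than at play end,
# flush the handlers before continuing.
- name: Assemble the agent config before using the ticket
  ansible.builtin.meta: flush_handlers

- name: Cron job to sync the repository hourly
  ansible.builtin.cron:
    name: "perforce sync for {{ perforce_sync_user }}"
    minute: "15"
    job: "/usr/local/bin/p4-sync-repo {{ perforce_sync_user }}"  # assumed script

# --- site.yml ---
- hosts: all
  roles:
    - role: vault_agent_keytab_auth
      vars:
        vault_agent_keytab_user: yyy
        vault_agent_secret_path: secret/user/yyy
    - role: perforce_sync
      vars:
        perforce_sync_user: builduser
```

The `vault_agent_initialized` fact is set per host and persists for the rest of the play, so a second parent role pulling in vault_agent_init no longer wipes fragments that earlier roles already dropped. Because assembly is a handler rather than a final role, the play no longer needs a trailing "assemble" include, and any new fragment-dropping role only has to depend on vault_agent_init and notify the handler.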
--
You received this message because you are subscribed to the Google Groups
"Ansible Project" group.
To view this discussion on the web visit
https://groups.google.com/d/msgid/ansible-project/f783c756-5736-4312-b4ba-e04eac92a0cbn%40googlegroups.com.