Skip to content
Snippets Groups Projects
Normal view Permalink
run-hashi-vault.yml 2.68 KiB
Newer Older
Scott Solkhon's avatar
Support storing passwords in Hashicorp Vault
Scott Solkhon committed
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 
---
- hosts: all
  any_errors_fatal: true
  tasks:
    # NOTE(yoctozepto): setting vars as facts for all to have them around in all the plays
    - name: set facts for commonly used variables
      set_fact:
        kolla_ansible_src_dir: "{{ ansible_env.PWD }}/src/{{ zuul.project.canonical_hostname }}/openstack/kolla-ansible"
        upper_constraints_file: "{{ ansible_env.HOME }}/src/opendev.org/openstack/requirements/upper-constraints.txt"
        pip_user_path_env:
          PATH: "{{ ansible_env.HOME + '/.local/bin:' + ansible_env.PATH }}"

- hosts: primary
  any_errors_fatal: true
  environment: "{{ pip_user_path_env }}"
  tasks:
    - name: ensure /etc/kolla exists
      file:
        path: "/etc/kolla"
        state: "directory"
        mode: 0777
      become: true
Marcin Juszkiewicz's avatar
Add CentOS Stream 9 / Rocky Linux 9 host support  
Marcin Juszkiewicz committed
24 25 26 27 28 
    - name: ensure python3-pip exists
      package:
        name: python3-pip
      become: true
Scott Solkhon's avatar
Support storing passwords in Hashicorp Vault
Scott Solkhon committed
29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 
    # NOTE(mgoddard): We need a recent pip to install the latest cryptography
    # library. See https://github.com/pyca/cryptography/issues/5753
    - name: install pip 19.1.1+
      pip:
        name: "pip>=19.1.1"
        executable: "pip3"
        extra_args: "--user"

    - name: install kolla-ansible and dependencies
      pip:
        name:
          - "{{ kolla_ansible_src_dir }}"
        executable: "pip3"
        extra_args: "-c {{ upper_constraints_file }} --user"

    - name: copy passwords.yml file
      copy:
        src: "{{ kolla_ansible_src_dir }}/etc/kolla/passwords.yml"
        dest: /etc/kolla/passwords.yml
        remote_src: true

    - name: generate passwords
      command: kolla-genpwd

    # At this point we have generated all necessary configuration, and are
    # ready to test Hashicorp Vault.
    - name: Run test-hashicorp-vault-passwords.sh script
      script:
        cmd: test-hashicorp-vault-passwords.sh
        executable: /bin/bash
        chdir: "{{ kolla_ansible_src_dir }}"
      environment:
        BASE_DISTRO: "{{ base_distro }}"

    - name: Read template file
      slurp:
        src: "/etc/kolla/passwords.yml"
      register: template_file

    - name: Read generated file
      slurp:
        src: "/tmp/passwords-hashicorp-vault.yml"
      register: generated_file

    # This test will load in the original input file and the one that was
    # generated by Vault and ensure that the keys are the same in both files.
    # This ensures that we are not missing any passwords.
    - name: Check passwords that were written to Vault are as expected
      vars:
        input_passwords: "{{ template_file['content'] | b64decode | from_yaml | sort }}"
        output_passwords: "{{ generated_file['content'] | b64decode | from_yaml | sort }}"
      assert: { that: "input_passwords == output_passwords" }