diff --git a/mojaloop/iac/playbooks/argok3s_cluster_deploy.yaml b/mojaloop/iac/playbooks/argok3s_cluster_deploy.yaml index 7be89a88..3437749a 100644 --- a/mojaloop/iac/playbooks/argok3s_cluster_deploy.yaml +++ b/mojaloop/iac/playbooks/argok3s_cluster_deploy.yaml @@ -3,6 +3,7 @@ roles: - mojaloop.iac.bastion_common - mojaloop.iac.netclient + - mojaloop.iac.haproxy - hosts: master become: true diff --git a/mojaloop/iac/playbooks/control_center_netmaker_deploy.yaml b/mojaloop/iac/playbooks/control_center_post_deploy.yaml similarity index 59% rename from mojaloop/iac/playbooks/control_center_netmaker_deploy.yaml rename to mojaloop/iac/playbooks/control_center_post_deploy.yaml index 8eb00bb9..c7ceb2b6 100644 --- a/mojaloop/iac/playbooks/control_center_netmaker_deploy.yaml +++ b/mojaloop/iac/playbooks/control_center_post_deploy.yaml @@ -7,4 +7,9 @@ - hosts: bastion become: true roles: - - mojaloop.iac.netclient \ No newline at end of file + - mojaloop.iac.netclient + +- hosts: docker + become: true + roles: + - mojaloop.iac.vault \ No newline at end of file diff --git a/mojaloop/iac/roles/argocd/defaults/main.yaml b/mojaloop/iac/roles/argocd/defaults/main.yaml index 2eb19076..18bd18e0 100644 --- a/mojaloop/iac/roles/argocd/defaults/main.yaml +++ b/mojaloop/iac/roles/argocd/defaults/main.yaml @@ -3,7 +3,11 @@ argocd_lovely_plugin_version: "0.18.0" repo_url: "https://localhost/repo.git" repo_password: mypassword repo_username: user -external_secrets_version: "0.8.2" +external_secrets_version: "0.9.0" external_secrets_namespace: "external-secrets" +tenant_vault_token: token +tenant_vault_server_url: "https://tenantvault" kubeconfig_location: "/etc/rancher/k3s/k3s.yaml" -root_app_path: "infra/app-yamls" \ No newline at end of file +root_app_path: "infra/app-yamls" +netmaker_image_version: "0.18.7" +wireguard_node_port: "31821" \ No newline at end of file 
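Review bot: `tenant_vault_token: token` in the argocd defaults is a real-looking placeholder, so a run that forgets to override it still renders the `vault-secret` Secret and a `ClusterSecretStore` that only fails at first ExternalSecret sync, long after the play reported success. Leave it undefined (or `null`) in defaults and guard the role with `assert: that: tenant_vault_token is defined and tenant_vault_token` so the play stops before anything is applied; `repo_password: mypassword` already here has the same problem. Quoting `netmaker_image_version: "0.18.7"` and `wireguard_node_port: "31821"` is correct and avoids the float/int retyping traps.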
diff --git a/mojaloop/iac/roles/argocd/tasks/main.yaml b/mojaloop/iac/roles/argocd/tasks/main.yaml index d891452a..78084a58 100644 --- a/mojaloop/iac/roles/argocd/tasks/main.yaml +++ b/mojaloop/iac/roles/argocd/tasks/main.yaml @@ -16,7 +16,7 @@ src: "templates/{{ item }}.yaml.j2" dest: "{{ extsectmpvalues.path }}/{{ item }}.yaml" with_items: - - external-secretstore-gitlab + - external-secretstore - name: Upload argo bootstrap files template: @@ -40,7 +40,7 @@ helm --kubeconfig {{ kubeconfig_location }} upgrade --install external-secrets external-secrets/external-secrets --version {{ external_secrets_version }} -n {{ external_secrets_namespace }} --create-namespace --set installCRDs=true - name: Try clustersecretstore create until successful - shell: kubectl --kubeconfig {{ kubeconfig_location }} apply -n {{ external_secrets_namespace }} -f {{ extsectmpvalues.path }}/external-secretstore-gitlab.yaml + shell: kubectl --kubeconfig {{ kubeconfig_location }} apply -n {{ external_secrets_namespace }} -f {{ extsectmpvalues.path }}/external-secretstore.yaml register: clustersecretstore until: clustersecretstore is not failed retries: 12 diff --git a/mojaloop/iac/roles/argocd/templates/external-secretstore-gitlab.yaml.j2 b/mojaloop/iac/roles/argocd/templates/external-secretstore-gitlab.yaml.j2 deleted file mode 100644 index c625ef36..00000000 --- a/mojaloop/iac/roles/argocd/templates/external-secretstore-gitlab.yaml.j2 +++ /dev/null 
@@ -1,29 +0,0 @@
----
-apiVersion: v1
-kind: Secret
-metadata:
- name: gitlab-secret
- namespace: {{ external_secrets_namespace }}
- labels:
- type: gitlab
-type: Opaque
-stringData:
- token: "{{ repo_password }}"
----
-apiVersion: external-secrets.io/v1beta1
-kind: ClusterSecretStore
-metadata:
- name: gitlab-secret-store
-spec:
- provider:
- # provider type: gitlab
- gitlab:
- url: {{ gitlab_server_url }}
- auth:
- SecretRef:
- accessToken:
- name: gitlab-secret
- namespace: {{ external_secrets_namespace }}
- key: token
- projectID: "{{ gitlab_project_id }}"
- inheritFromGroups: true
diff --git a/mojaloop/iac/roles/argocd/templates/external-secretstore.yaml.j2 b/mojaloop/iac/roles/argocd/templates/external-secretstore.yaml.j2
new file mode 100644
index 00000000..29b6fdcf
--- /dev/null
+++ b/mojaloop/iac/roles/argocd/templates/external-secretstore.yaml.j2
@@ -0,0 +1,63 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: gitlab-secret
+ namespace: {{ external_secrets_namespace }}
+ labels:
+ type: gitlab
+type: Opaque
+stringData:
+ token: "{{ repo_password }}"
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: vault-secret
+ namespace: {{ external_secrets_namespace }}
+ labels:
+ type: vault
+type: Opaque
+stringData:
+ token: "{{ tenant_vault_token }}"
+
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ClusterSecretStore
+metadata:
+ name: gitlab-secret-store
+spec:
+ provider:
+ # provider type: gitlab
+ gitlab:
+ url: {{ gitlab_server_url }}
+ auth:
+ SecretRef:
+ accessToken:
+ name: gitlab-secret
+ namespace: {{ external_secrets_namespace }}
+ key: token
+ projectID: "{{ gitlab_project_id }}"
+ inheritFromGroups: true
+
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ClusterSecretStore
+metadata:
+ name: tenant-vault-secret-store
+spec:
+ provider:
+ vault:
+ server: {{ tenant_vault_server_url }}
+ path: "secret"
+ # Version is the Vault KV secret engine version.
+ # This can be either "v1" or "v2", defaults to "v2"
+ version: "v2"
+ auth:
+ # points to a secret that contains a vault token
+ # https://www.vaultproject.io/docs/auth/token
+ tokenSecretRef:
+ name: vault-secret
+ namespace: {{ external_secrets_namespace }}
+ key: token
diff --git a/mojaloop/iac/roles/argocd/templates/netclient.yaml.j2 b/mojaloop/iac/roles/argocd/templates/netclient.yaml.j2
index e35902e0..38464b9d 100644
--- a/mojaloop/iac/roles/argocd/templates/netclient.yaml.j2
+++ b/mojaloop/iac/roles/argocd/templates/netclient.yaml.j2
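Review bot: `tenant-vault-secret-store` authenticates with a static token from `vault-secret` and, being a `ClusterSecretStore`, can be referenced by an ExternalSecret in any namespace, so every workload on the cluster can read whatever the `secret/` mount lets that token see. Scope it down: add `spec.conditions` with a `namespaceSelector` (present in the external-secrets 0.9.x CRD as far as I recall — verify), give the token a minimal read-only policy and a TTL, and prefer Vault's Kubernetes auth (`auth.kubernetes` bound to the ESO service account) over a long-lived token that now also lives in a cluster Secret. `server: {{ tenant_vault_server_url }}` is the only templated scalar here left unquoted — quote it like `projectID`. There is no `caBundle`/`caProvider`, so TLS trust for the tenant Vault silently depends on the ESO pod's system CA store; either pin the CA or add a comment stating that assumption.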
@@ -1,33 +1,24 @@
+---
 apiVersion: apps/v1
 kind: DaemonSet
 metadata:
- name: netclient
+ name: netclient-gateway
 labels:
- app: netclient
+ app: netclient-gateway
 spec:
 selector:
 matchLabels:
- app: netclient
+ app: netclient-gateway
 template:
 metadata:
 labels:
- app: netclient
+ app: netclient-gateway
 spec:
 hostNetwork: true
 containers:
 - name: netclient
- image: gravitl/netclient:v0.18.7
+ image: gravitl/netclient:v{{ netmaker_image_version }}
 env:
- - name: NETCLIENT_ROAMING
- value: "no"
- - name: NETCLIENT_PORT
- value: "51821"
- - name: NETCLIENT_IS_STATIC
- value: "yes"
- - name: NETCLIENT_ENDPOINT
- valueFrom:
- fieldRef:
- fieldPath: status.hostIP
 - name: TOKEN
 valueFrom:
 secretKeyRef:
@@ -36,8 +27,6 @@ spec:
 volumeMounts:
 - mountPath: /etc/netclient
 name: etc-netclient
- - mountPath: /usr/bin/wg
- name: wg
 securityContext:
 privileged: true
 volumes:
@@ -45,10 +34,6 @@ spec:
 path: /etc/netclient
 type: DirectoryOrCreate
 name: etc-netclient
- - hostPath:
- path: /usr/bin/wg
- type: File
- name: wg
 ---
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
@@ -68,4 +53,4 @@ spec:
 data:
 - secretKey: TOKEN # Key given to the secret to be created on the cluster
 remoteRef:
- key: NETMAKER_TOKEN
\ No newline at end of file
+ key: NETMAKER_OPS_TOKEN
\ No newline at end of file
diff --git a/mojaloop/iac/roles/haproxy/defaults/main.yaml b/mojaloop/iac/roles/haproxy/defaults/main.yaml
new file mode 100644
index 00000000..172fb4b0
--- /dev/null
+++ b/mojaloop/iac/roles/haproxy/defaults/main.yaml
@@ -0,0 +1,8 @@
+haproxy_version: 2.8
+seaweedfs_s3_listening_port: 8333
+nexus_docker_repo_listening_port: 8082
+local_vault_listening_port: 8200
+vault_listening_port: 443
+nexus_fqdn: private_ip
+seaweedfs_fqdn: private_ip
+vault_fqdn: private_ip
\ No newline at end of file
diff --git a/mojaloop/iac/roles/haproxy/handlers/main.yaml b/mojaloop/iac/roles/haproxy/handlers/main.yaml
new file mode 100644
index 00000000..52cedeea
--- /dev/null
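Review bot: The pod template keeps `privileged: true` together with `hostNetwork: true` for the renamed netclient-gateway container even though this commit removes the `/usr/bin/wg` hostPath and the static endpoint/port environment, so the only host access still visible is `/etc/netclient` and the host network stack. If the image no longer needs the host's wg binary, as the dropped mount suggests, replace `privileged: true` with `capabilities: add: ["NET_ADMIN", "SYS_MODULE"]` and confirm against netclient's documented requirements for the kernel WireGuard path. The `NETMAKER_TOKEN` → `NETMAKER_OPS_TOKEN` rename changes which remote key the ExternalSecret fetches; whichever store it references (the `secretStoreRef` is outside this hunk) must carry the new key before Argo syncs, or the DaemonSet rolls out with no TOKEN. The DaemonSet's `spec` block continues outside the hunk.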
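Review bot: `haproxy_version: 2.8` is an unquoted float that is later interpolated into `ppa:vbernat/haproxy-{{ haproxy_version }}`; it renders correctly today, but a `2.10` value would parse as `2.1` and select the wrong PPA, so quote it: `haproxy_version: "2.8"`. The three `*_fqdn: private_ip` defaults are literal strings, not references to a variable, so an un-overridden run makes HAProxy try to resolve a host named `private_ip`; a `null` default plus an `assert` in the role would fail earlier and more clearly. A one-line comment that `vault_listening_port: 443` is the remote Vault's TLS port while `local_vault_listening_port: 8200` is the bastion-side plaintext listener would save the next reader a trip to the template.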
+++ b/mojaloop/iac/roles/haproxy/handlers/main.yaml
@@ -0,0 +1,5 @@
+- name: "restart haproxy"
+ systemd:
+ name: "haproxy"
+ state: restarted
+ force: true
\ No newline at end of file
diff --git a/mojaloop/iac/roles/haproxy/tasks/install.yaml b/mojaloop/iac/roles/haproxy/tasks/install.yaml
new file mode 100644
index 00000000..284c4b90
--- /dev/null
+++ b/mojaloop/iac/roles/haproxy/tasks/install.yaml
@@ -0,0 +1,38 @@
+- name: Install software-properties-common
+ package:
+ name:
+ - software-properties-common
+ state: present
+
+- name: Update apt cache
+ shell: apt update
+
+- apt_repository:
+ repo: "ppa:vbernat/haproxy-{{ haproxy_version }}"
+ state: present
+
+- name: Update apt cache
+ shell: apt update
+
+- name: Install haproxy
+ package:
+ name:
+ - haproxy
+ state: present
+
+- name: copy haproxy conf
+ template:
+ src: haproxy.cfg.j2
+ dest: /etc/haproxy/haproxy.cfg
+ owner: root
+ group: root
+ mode: '0640'
+ notify: restart haproxy
+
+- name: "set haproxy to auto restart"
+ systemd:
+ enabled: true
+ daemon_reload: true
+ name: "haproxy"
+ state: started
+ force: true
\ No newline at end of file
diff --git a/mojaloop/iac/roles/haproxy/tasks/main.yaml b/mojaloop/iac/roles/haproxy/tasks/main.yaml
new file mode 100644
index 00000000..d3912fc9
--- /dev/null
+++ b/mojaloop/iac/roles/haproxy/tasks/main.yaml
@@ -0,0 +1 @@
+- include_tasks: install.yaml
\ No newline at end of file
diff --git a/mojaloop/iac/roles/haproxy/templates/haproxy.cfg.j2 b/mojaloop/iac/roles/haproxy/templates/haproxy.cfg.j2
new file mode 100644
index 00000000..b18b0042
--- /dev/null
+++ b/mojaloop/iac/roles/haproxy/templates/haproxy.cfg.j2
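Review bot: The two `shell: apt update` tasks in install.yaml are not idempotent (they report `changed` on every run) and bypass Ansible's package handling; `apt_repository` accepts `update_cache: true`, and the final install can be `apt: name: haproxy update_cache: true`, which removes both shell tasks and keeps the play's change reporting honest. The `apt_repository` task is the only one without a `name:`; give it one for readable play output. `mode: '0640'` on the rendered config is appropriate, since the file carries internal host names and the Vault backend address — worth a short comment saying that is why it is not world-readable.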
@@ -0,0 +1,26 @@
+defaults
+ timeout connect 5000
+ timeout client 50000
+ timeout server 50000
+frontend seaweed
+ bind :{{ seaweedfs_s3_listening_port }}
+ default_backend seaweed
+
+frontend nexus
+ bind :{{ nexus_docker_repo_listening_port }}
+ default_backend nexus
+
+frontend vault
+ mode tcp
+ bind :{{ local_vault_listening_port }}
+ default_backend vault
+
+backend seaweed
+ server seaweed {{ seaweedfs_fqdn }}:{{ seaweedfs_s3_listening_port }}
+
+backend nexus
+ server nexus {{ nexus_fqdn }}:{{ nexus_docker_repo_listening_port }}
+
+backend vault
+ mode tcp
+ server vault {{ vault_fqdn }}:{{ vault_listening_port }} ssl verify none
diff --git a/mojaloop/iac/roles/netclient/defaults/main.yaml b/mojaloop/iac/roles/netclient/defaults/main.yaml
index d4de26a9..b5d33bf5 100644
--- a/mojaloop/iac/roles/netclient/defaults/main.yaml
+++ b/mojaloop/iac/roles/netclient/defaults/main.yaml
@@ -1,5 +1,5 @@
 netmaker_root_dir: /root/netmaker-compose
 netmaker_image_version: 0.18.7
-netclient_enrollment_key: cntrlctr-bastion
-netmaker_join_token: null
-enrollment_key_list_file_location: /tmp/keylist.json
\ No newline at end of file
+netclient_enrollment_keys: ["cntrlctr-ops"]
+netmaker_join_tokens: []
+netmaker_enrollment_key_list_file_location: /tmp/keylist.json
\ No newline at end of file
diff --git a/mojaloop/iac/roles/netclient/tasks/install.yaml b/mojaloop/iac/roles/netclient/tasks/install.yaml
index 272c51a8..7862b089 100644
--- a/mojaloop/iac/roles/netclient/tasks/install.yaml
+++ b/mojaloop/iac/roles/netclient/tasks/install.yaml
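Review bot: `server vault {{ vault_fqdn }}:{{ vault_listening_port }} ssl verify none` in the `backend vault` block disables certificate validation on the path to Vault, so every token that passes through this proxy — including whatever the Vault role later stores as the root token — is exposed to anyone who can redirect or spoof `vault_fqdn`, and the `frontend vault` that feeds it binds `:{{ local_vault_listening_port }}` on all interfaces with no ACL. Change it to `server vault {{ vault_fqdn }}:{{ vault_listening_port }} ssl verify required ca-file /etc/ssl/certs/ca-certificates.crt sni str({{ vault_fqdn }})` (or a pinned CA file shipped by the role), and bind the three frontends to the WireGuard/internal address instead of the wildcard unless the bastion's host firewall already restricts them — that is not visible here. The `defaults` block sets no `mode`, so the seaweed and nexus frontends silently run in HAProxy's default TCP mode; state `mode tcp` explicitly (or `mode http` if that was the intent) so the behaviour is not an accident of defaults.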
@@ -22,13 +22,15 @@ - name: set token from local file vars: - query: "[?tags[0]=='{{ netclient_enrollment_key }}'].token" + query: "[?tags[0]=='{{ item }}'].token" set_fact: - netmaker_join_token: "{{ lookup('file', enrollment_key_list_file_location) | from_json | json_query(query) | first }}" - when: "netmaker_join_token is none" + netmaker_join_tokens: "{{ netmaker_join_tokens + [lookup('file', netmaker_enrollment_key_list_file_location) | from_json | json_query(query) | first] }}" + when: "not netmaker_join_tokens" + loop: "{{ netclient_enrollment_keys }}" - name: join netmaker network - command: "netclient join -t {{ netmaker_join_token }}" + command: "netclient join -t {{ item }}" + loop: "{{ netmaker_join_tokens }}" - name: iptable accept on forward iptables: diff --git a/mojaloop/iac/roles/netmaker/defaults/main.yaml b/mojaloop/iac/roles/netmaker/defaults/main.yaml index 1c148876..c61b1986 100644 --- a/mojaloop/iac/roles/netmaker/defaults/main.yaml +++ b/mojaloop/iac/roles/netmaker/defaults/main.yaml @@ -6,13 +6,19 @@ netmaker_caddy_image_version: 2.6.2 netmaker_acme_email: cicd.automation@modusbox.com netmaker_mq_pw: crazypassword netmaker_master_key: crazypassword -netmaker_control_network_name: cntrlctr netmaker_admin_password: crazypassword netmaker_admin_username: nmaker-admin -netmaker_control_network_address_range: 10.20.30.0/24 enable_oauth: false netmaker_oidc_issuer: https://gitlab.com netmaker_oidc_client_id: clientid netmaker_oidc_client_secret: crazysecret -enrollment_key_list: ["bastion"] -enrollment_key_list_file_location: /tmp/keylist.json \ No newline at end of file +netmaker_enrollment_key_list_file_location: /tmp/keylist.json +netmaker_control_network_address_cidr_start: 10.20.30.0/24 +netmaker_networks: + - network_name: cntrlctr + node_keys: + - ops + - network_name: dev + node_keys: + - k8s + - cc-svcs \ No newline at end of file 
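Review bot: The `set token from local file` task only ever resolves the first enrollment key: `when: "not netmaker_join_tokens"` is re-evaluated on every loop iteration, and once the first `set_fact` appends a token the list is non-empty, so every later item in `netclient_enrollment_keys` is skipped and `netclient join` runs once. Gate on the index instead — add `loop_control: index_var: key_idx` and use `when: netmaker_join_tokens | length <= key_idx` — which still honours a caller-supplied `netmaker_join_tokens` list. Both tasks also print the join tokens in play output (`netclient join -t {{ item }}` appears verbatim in the command line); add `no_log: true` to the `set_fact` and the `command` task. `json_query(query) | first` raises on an unknown tag, which is the right failure mode, but a `failed_when` with a message naming the missing tag would make the failure self-explanatory.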
diff --git a/mojaloop/iac/roles/netmaker/tasks/configure.yaml b/mojaloop/iac/roles/netmaker/tasks/configure.yaml index f35131e8..4bbca07a 100644 --- a/mojaloop/iac/roles/netmaker/tasks/configure.yaml +++ b/mojaloop/iac/roles/netmaker/tasks/configure.yaml @@ -9,27 +9,30 @@ retries: 30 delay: 10 # Every 10 seconds -- name: Add local control network if not exists +- name: Add admin user uri: - url: https://api.{{ netmaker_base_domain }}/api/networks + url: https://api.{{ netmaker_base_domain }}/api/users/{{ netmaker_admin_username }} method: POST headers: Content-Type: application/json Authorization: Bearer {{ netmaker_master_key }} - body: "{{ lookup('template', 'createnetwork.json.j2') }}" + body: "{{ lookup('template', 'createadminuser.json.j2') }}" body_format: json status_code: [200, 400] -- name: Add admin user +- name: Add networks if don't exist uri: - url: https://api.{{ netmaker_base_domain }}/api/users/{{ netmaker_admin_username }} + url: https://api.{{ netmaker_base_domain }}/api/networks method: POST headers: Content-Type: application/json Authorization: Bearer {{ netmaker_master_key }} - body: "{{ lookup('template', 'createadminuser.json.j2') }}" + body: "{{ lookup('template', 'createnetwork.json.j2') }}" body_format: json status_code: [200, 400] + loop: "{{ netmaker_networks }}" + loop_control: + index_var: ipindex - name: Get keys uri: @@ -53,9 +56,9 @@ body_format: json status_code: [200, 400] vars: - keytag: "{{ netmaker_control_network_name }}-{{ item }}" + keytag: "{{ item.0.network_name }}-{{ item.1 }}" when: "keytag not in key_response.content" - with_items: "{{ enrollment_key_list }}" + loop: "{{ netmaker_networks | subelements('node_keys') }}" - name: Get keys again uri: @@ -71,7 +74,7 @@ - name: copy keys copy: content: "{{ key_response2.content }}" - dest: "{{ enrollment_key_list_file_location }}" + dest: "{{ netmaker_enrollment_key_list_file_location }}" delegate_to: localhost # - name: Save access token for bastion netclient 
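Review bot: The `copy keys` task writes the full enrollment-key listing (`key_response2.content`, which includes every join token) to `{{ netmaker_enrollment_key_list_file_location }}` — `/tmp/keylist.json` by default — on the controller with the default umask, so it is typically world-readable and outlives the run. Add `mode: "0600"` and `no_log: true` to that task and remove the file once the netclient role has consumed it, or hand the tokens over as a fact instead of a file. `when: "keytag not in key_response.content"` is a substring test on the raw response body, so a tag that is a prefix of an existing one (for example `dev-k8s` against a later `dev-k8s-ops`) would be wrongly skipped; compare against the parsed tag list, e.g. `keytag not in (key_response.json | map(attribute='tags') | flatten)` if the uri response is JSON. Accepting HTTP 400 as success on the create calls also masks real validation failures behind the intended "already exists" case; the create-network loop is the only new user of that pattern here, but it inherits the same blind spot.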
diff --git a/mojaloop/iac/roles/netmaker/templates/createkey.json.j2 b/mojaloop/iac/roles/netmaker/templates/createkey.json.j2
index 23ec87b8..23c828fd 100644
--- a/mojaloop/iac/roles/netmaker/templates/createkey.json.j2
+++ b/mojaloop/iac/roles/netmaker/templates/createkey.json.j2
@@ -1,6 +1,6 @@
 {
- "tags":["{{ netmaker_control_network_name }}-{{ item }}"],
- "networks":["{{ netmaker_control_network_name }}"],
+ "tags":["{{ item.0.network_name }}-{{ item.1 }}"],
+ "networks":["{{ item.0.network_name }}"],
 "expiration":0,
 "unlimited":true,
 "uses_remaining":0
diff --git a/mojaloop/iac/roles/netmaker/templates/createnetwork.json.j2 b/mojaloop/iac/roles/netmaker/templates/createnetwork.json.j2
index 6a8fd31f..47a17251 100644
--- a/mojaloop/iac/roles/netmaker/templates/createnetwork.json.j2
+++ b/mojaloop/iac/roles/netmaker/templates/createnetwork.json.j2
@@ -1,9 +1,9 @@
 {
- "addressrange": "{{ netmaker_control_network_address_range }}",
+ "addressrange": "{{ netmaker_control_network_address_cidr_start | ansible.utils.ipaddr('net') | ansible.utils.ipmath(ipindex * 256)}}/{{ netmaker_control_network_address_cidr_start | ansible.utils.ipaddr('prefix') }}",
 "addressrange6": "",
 "defaultacl": "yes",
 "defaultudpholepunch": "yes",
 "isipv4": "yes",
 "isipv6": "no",
- "netid": "{{ netmaker_control_network_name }}"
+ "netid": "{{ item.network_name }}"
 }
diff --git a/mojaloop/iac/roles/vault/defaults/main.yaml b/mojaloop/iac/roles/vault/defaults/main.yaml
new file mode 100644
index 00000000..78b0f39a
--- /dev/null
+++ b/mojaloop/iac/roles/vault/defaults/main.yaml
@@ -0,0 +1,7 @@
+vault_image_version: 1.13
+vault_root_dir: /root/vault-compose
+vault_listening_port: 8200
+vault_fqdn: vault.domain.null
+vault_gitlab_url: http://gitlab.url
+vault_gitlab_token: "#crazytoken$"
+vault_root_token_key: VAULT_ROOT_TOKEN
\ No newline at end of file
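Review bot: The new `addressrange` expression steps each network by `ipindex * 256` addresses, which is only right when `netmaker_control_network_address_cidr_start` is a /24; a /23 or /25 start produces overlapping or misaligned ranges. Derive the step from the prefix instead: `ansible.utils.ipmath(ipindex * (2 ** (32 - (netmaker_control_network_address_cidr_start | ansible.utils.ipaddr('prefix')))))`. This also introduces a hard dependency on the `ansible.utils` collection (and the `netaddr` Python package it needs) that is not declared anywhere visible in this diff — add it to the collection's requirements. The template still emits `"defaultacl": "yes"` for every network, so all nodes joining `dev` can reach each other by default; confirm that is intended for a network shared by `k8s` and `cc-svcs` keys, and say so in a comment if it is.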
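Review bot: `vault_image_version: 1.13` is an unquoted float that is interpolated into both the image tag `hashicorp/vault:{{ vault_image_version }}` and the apt pin `vault={{ vault_image_version }}.0-1`; it renders as `1.13` today, but a `1.10` or `1.20` release would silently become `1.1`/`1.2`, so quote it: `vault_image_version: "1.13"`. `vault_gitlab_token: "#crazytoken$"` is a look-alike placeholder that a forgotten override will happily send to the GitLab API; a `null` default with an early `assert` fails faster and more clearly. `vault_fqdn: vault.domain.null` is fine as an obviously invalid sentinel — a one-line comment that every value here is expected to be overridden per tenant would make the intent explicit.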
diff --git a/mojaloop/iac/roles/vault/handlers/main.yaml b/mojaloop/iac/roles/vault/handlers/main.yaml
new file mode 100644
index 00000000..ec056cf8
--- /dev/null
+++ b/mojaloop/iac/roles/vault/handlers/main.yaml
@@ -0,0 +1,4 @@
+- name: Restart Vault
+ systemd:
+ name: "vault"
+ state: restarted
\ No newline at end of file
diff --git a/mojaloop/iac/roles/vault/tasks/install.yaml b/mojaloop/iac/roles/vault/tasks/install.yaml
new file mode 100644
index 00000000..4b2ee4eb
--- /dev/null
+++ b/mojaloop/iac/roles/vault/tasks/install.yaml
@@ -0,0 +1,43 @@
+- name: "create directory for project"
+ file:
+ path: "{{ vault_root_dir }}/vaultbuild"
+ state: directory
+ recurse: yes
+
+- name: "deploy vault Dockerfile"
+ template:
+ src: "../templates/Dockerfile.j2"
+ dest: "{{ vault_root_dir }}/vaultbuild/Dockerfile"
+ notify: Restart Vault
+
+- name: "deploy systemd service"
+ template:
+ src: "../templates/vault.service.j2"
+ dest: "/etc/systemd/system/vault.service"
+ notify: Restart Vault
+
+- name: "deploy init script"
+ template:
+ src: "../templates/init.sh.j2"
+ dest: "{{ vault_root_dir }}/vaultbuild/init.sh"
+ mode: 0755
+ notify: Restart Vault
+
+- name: "deploy vault-config.hcl"
+ template:
+ src: "../templates/vault-config.hcl.j2"
+ dest: "{{ vault_root_dir }}/vault-config.hcl"
+ notify: Restart Vault
+
+- name: "deploy docker compose file"
+ template:
+ src: "../templates/vault.docker-compose.yml.j2"
+ dest: "{{ vault_root_dir }}/docker-compose.yml"
+ notify: Restart Vault
+
+- name: "set to auto restart"
+ systemd:
+ enabled: true
+ daemon_reload: true
+ name: "vault"
+ state: started
diff --git a/mojaloop/iac/roles/vault/tasks/main.yaml b/mojaloop/iac/roles/vault/tasks/main.yaml
new file mode 100644
index 00000000..d3912fc9
--- /dev/null
+++ b/mojaloop/iac/roles/vault/tasks/main.yaml
@@ -0,0 +1 @@
+- include_tasks: install.yaml
\ No newline at end of file
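Review bot: The `deploy docker compose file` task renders `vault_gitlab_token` into `{{ vault_root_dir }}/docker-compose.yml` but sets no `mode`, so the file takes the target's umask (commonly 0644) and the GitLab token is readable by any local user on the docker host. Add `mode: "0600"` with `owner: root` and `group: root` to that task, and give the `create directory` task `mode: "0700"` so the whole compose tree is private; `init.sh` carries no secret, so its 0755 is fine. `mode: 0755` on the init-script task is an unquoted octal literal, which PyYAML reads as the integer 493 and Ansible only tolerates by accident — write `mode: "0755"`, and use `recurse: true` rather than `yes` to match the `true` booleans used further down.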
diff --git a/mojaloop/iac/roles/vault/templates/Dockerfile.j2 b/mojaloop/iac/roles/vault/templates/Dockerfile.j2
new file mode 100644
index 00000000..6e0fb846
--- /dev/null
+++ b/mojaloop/iac/roles/vault/templates/Dockerfile.j2
@@ -0,0 +1,9 @@
+FROM ubuntu:20.04
+RUN apt-get update && apt-get install -y software-properties-common curl gnupg2 && \
+ curl -fsSL https://apt.releases.hashicorp.com/gpg | apt-key add - && \
+ apt-add-repository "deb [arch=amd64] https://apt.releases.hashicorp.com $(lsb_release -cs) main" && \
+ apt-get update && apt-get install -y \
+ vault={{ vault_image_version }}.0-1 jq curl && \
+ setcap cap_ipc_lock= /usr/bin/vault
+COPY init.sh ./
+CMD ./init.sh
\ No newline at end of file
diff --git a/mojaloop/iac/roles/vault/templates/init.sh.j2 b/mojaloop/iac/roles/vault/templates/init.sh.j2
new file mode 100644
index 00000000..4ab84a60
--- /dev/null
+++ b/mojaloop/iac/roles/vault/templates/init.sh.j2
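Review bot: The `RUN` layer trusts whatever `https://apt.releases.hashicorp.com/gpg` returns and installs it with the deprecated `apt-key add -`, which also makes that key valid for every apt source on the image, not just HashiCorp's. Import it into a dedicated keyring referenced via `signed-by=` and check its fingerprint against the one HashiCorp publishes (passed in as a build arg so the value is not hard-coded here) so a tampered download fails the build. Writing the source list directly also drops `software-properties-common` and the `lsb_release` call; `ubuntu:20.04` is focal, so the suite can be named. `setcap cap_ipc_lock= /usr/bin/vault` strips the capability the package grants, which is sensible for a client-only image — add a comment saying that is intentional.
```dockerfile
FROM ubuntu:20.04
ARG HASHICORP_KEY_FPR
RUN apt-get update && apt-get install -y --no-install-recommends curl gnupg2 ca-certificates jq && \
    curl -fsSL https://apt.releases.hashicorp.com/gpg | gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg && \
    gpg --no-default-keyring --keyring /usr/share/keyrings/hashicorp-archive-keyring.gpg --fingerprint | grep -q "${HASHICORP_KEY_FPR}" && \
    echo "deb [arch=amd64 signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com focal main" > /etc/apt/sources.list.d/hashicorp.list && \
    apt-get update && apt-get install -y vault={{ vault_image_version }}.0-1 && \
    # client-only image: drop the mlock capability the package sets
    setcap cap_ipc_lock= /usr/bin/vault
# … unchanged: COPY init.sh ./ and CMD …
```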
@@ -0,0 +1,37 @@
+#!/bin/bash
+set -e
+
+export VAULT_SKIP_VERIFY=true
+if [ $(vault status -format=json | jq .initialized) == "false" ]
+then
+ vault operator init -key-shares=1 -key-threshold=1 -format=json > /tmp/output.json
+ vault operator unseal $(cat /tmp/output.json | jq .unseal_keys_b64[0] | tr -d '"')
+ export VAULT_ROOT_TOKEN=$(cat /tmp/output.json | jq .root_token | tr -d '"')
+ if [ $VAULT_ROOT_TOKEN != "" ]
+ then
+ export VAULT_ROOT_TOKEN_FOUND=$(curl -sw '%{http_code}' --request GET "${GITLAB_URL}/{{ vault_root_token_key }}" --header "Authorization: Bearer $GITLAB_TOKEN" -o /dev/null)
+ if [ $VAULT_ROOT_TOKEN_FOUND == "404" ]
+ then
+ curl -s --request POST "$GITLAB_URL" --header "Authorization: Bearer $GITLAB_TOKEN" --form "key={{ vault_root_token_key }}" --form "value=$VAULT_ROOT_TOKEN" --form "raw=true" --form "masked=true" -o /dev/null
+ else
+ echo "vault root token already present, updating code"
+ curl -s --request PUT "${GITLAB_URL}/{{ vault_root_token_key }}" --header "Authorization: Bearer $GITLAB_TOKEN" --form "value=$VAULT_ROOT_TOKEN" -o /dev/null
+ fi
+ else
+ echo "VAULT_ROOT_TOKEN not parsed correctly, exiting"
+ exit 1
+ fi
+
+ export UNSEAL_KEY=$(cat /tmp/output.json | jq .unseal_keys_b64[0] | tr -d '"')
+ export UNSEAL_KEY_FOUND=$(curl -sw '%{http_code}' --request GET "${GITLAB_URL}/UNSEAL_KEY" --header "Authorization: Bearer $GITLAB_TOKEN" -o /dev/null)
+ if [ $UNSEAL_KEY_FOUND == "404" ]
+ then
+ curl -s --request POST "$GITLAB_URL" --header "Authorization: Bearer $GITLAB_TOKEN" --form "key=UNSEAL_KEY" --form "value=$UNSEAL_KEY" --form "raw=true" --form "masked=true" -o /dev/null
+ else
+ echo "unseal key already present, updating code"
+ curl -s --request PUT "${GITLAB_URL}/UNSEAL_KEY" --header "Authorization: Bearer $GITLAB_TOKEN" --form "value=$UNSEAL_KEY" -o /dev/null
+ fi
+
+else
+ echo "vault already initialized"
+fi
\ No newline at end of file
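Review bot: Nothing unseals Vault on the already-initialized path: after any container restart `vault status` reports `initialized: true`, the script prints `vault already initialized` and exits, leaving the server sealed until someone intervenes — and the systemd unit in this commit re-runs the stack on every boot. The `else` branch should fetch `UNSEAL_KEY` back from GitLab and run `vault operator unseal` when `.sealed` is true, or the role must document that unseal is manual. `/tmp/output.json`, holding both the root token and the unseal key, is never removed from the container filesystem — `rm -f /tmp/output.json` once both uploads succeed. `[ $VAULT_ROOT_TOKEN != "" ]` is unquoted and `jq .root_token` prints the literal `null` rather than an empty string when the key is absent, so the guard cannot fire as written; use `jq -r` and `[ -n "$VAULT_ROOT_TOKEN" ] && [ "$VAULT_ROOT_TOKEN" != "null" ]`. A single share with threshold 1 and a root token kept permanently in GitLab are defensible for a throw-away tenant but should be stated as such in a header comment, along with the fact that `VAULT_SKIP_VERIFY=true` is only acceptable because the listener is plaintext on a private network.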
diff --git a/mojaloop/iac/roles/vault/templates/vault-config.hcl.j2 b/mojaloop/iac/roles/vault/templates/vault-config.hcl.j2
new file mode 100644
index 00000000..71fcc07b
--- /dev/null
+++ b/mojaloop/iac/roles/vault/templates/vault-config.hcl.j2
@@ -0,0 +1,12 @@
+ui = true
+api_addr = "http://0.0.0.0:{{ vault_listening_port }}"
+// Filesystem storage
+storage "file" {
+ path = "/vault/file"
+}
+
+// TCP Listener
+listener "tcp" {
+ address = "0.0.0.0:{{ vault_listening_port }}"
+ tls_disable = "true"
+}
\ No newline at end of file
diff --git a/mojaloop/iac/roles/vault/templates/vault.docker-compose.yml.j2 b/mojaloop/iac/roles/vault/templates/vault.docker-compose.yml.j2
new file mode 100644
index 00000000..962ffbd5
--- /dev/null
+++ b/mojaloop/iac/roles/vault/templates/vault.docker-compose.yml.j2
@@ -0,0 +1,42 @@
+version: '3.6'
+
+services:
+ vault:
+ image: hashicorp/vault:{{ vault_image_version }}
+ container_name: vault
+ restart: on-failure:10
+ ports:
+ - "{{ vault_listening_port }}:{{ vault_listening_port }}"
+ cap_add:
+ - IPC_LOCK
+ environment:
+ VAULT_ADDR: "http://0.0.0.0:{{ vault_listening_port }}"
+ volumes:
+ - vault-volume:/vault/file
+ - {{ vault_root_dir}}/vault-config.hcl:/vault/config/vault-config.hcl
+ networks:
+ vault-network:
+ ipv4_address: 172.21.0.10
+ aliases:
+ - vault-server
+ command: server
+ vault-client:
+ build: ./vaultbuild
+ depends_on:
+ - vault
+ environment:
+ VAULT_ADDR: "http://vault-server:{{ vault_listening_port }}"
+ GITLAB_URL: "{{ vault_gitlab_url }}"
+ GITLAB_TOKEN: "{{ vault_gitlab_token }}"
+ networks:
+ vault-network:
+ ipv4_address: 172.21.0.20
+ aliases:
+ - vault-client
+networks:
+ vault-network:
+ ipam:
+ config:
+ - subnet: 172.21.0.0/24
+volumes:
+ vault-volume: {} # runtime data for vault
\ No newline at end of file
diff --git a/mojaloop/iac/roles/vault/templates/vault.service.j2 b/mojaloop/iac/roles/vault/templates/vault.service.j2
new file mode 100644
index 00000000..8b3091c6
--- /dev/null
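Review bot: `api_addr = "http://0.0.0.0:{{ vault_listening_port }}"` is an advertise address, not a bind address — Vault hands it to clients for redirects and to the UI, and `0.0.0.0` is reachable from nowhere — so set it to the URL clients actually use, e.g. `api_addr = "http://{{ vault_fqdn }}:{{ vault_listening_port }}"`. With `tls_disable = "true"` on a listener bound to `0.0.0.0`, every token, including the root token `init.sh` creates, crosses the wire in clear text wherever the compose file publishes the port; either give this listener `tls_cert_file`/`tls_key_file`, or bind it to the loopback or WireGuard address and let the HAProxy role front it. `storage "file"` is single-node and has no HA or snapshot story; acceptable for a dev tenant, but a comment saying so stops it being promoted by accident.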
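Review bot: `- "{{ vault_listening_port }}:{{ vault_listening_port }}"` under `ports:` publishes the plaintext Vault listener on every host interface (the hcl in this same commit disables TLS), so bind it to the interface that should reach it: `- "127.0.0.1:{{ vault_listening_port }}:{{ vault_listening_port }}"` or the WireGuard address. `GITLAB_TOKEN` is injected via `environment:`, which `docker inspect` and `/proc/<pid>/environ` expose to any member of the docker group; move it to an `env_file` with mode 0600 or a compose secret. `VAULT_ADDR: "http://0.0.0.0:…"` on the `vault` service is ignored by the server and only misleads readers — drop it. `vault-client` intentionally has no `restart:` policy because `init.sh` is one-shot; a comment saying so prevents someone adding `restart: always` later and looping the init/upload path.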
+++ b/mojaloop/iac/roles/vault/templates/vault.service.j2
@@ -0,0 +1,10 @@
+[Unit]
+Description=vault docker-compose unit
+After=docker.service
+
+[Service]
+ExecStart=/usr/bin/docker-compose -f {{ vault_root_dir }}/docker-compose.yml up
+ExecStop=/usr/bin/docker-compose -f {{ vault_root_dir }}/docker-compose.yml down
+
+[Install]
+WantedBy=docker.service
\ No newline at end of file
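Review bot: The unit orders itself with `After=docker.service` but never declares `Requires=docker.service`, so if Docker fails to start the `docker-compose up` still runs and dies, and with no `Restart=` line a crashed compose process is never relaunched while the containers it started keep running detached from the unit. Add `Requires=docker.service` under `[Unit]` and `Restart=on-failure` under `[Service]`, and prefer `WantedBy=multi-user.target` over `WantedBy=docker.service`, which ties enablement to an implementation detail of the Docker unit. `ExecStop` running `down` removes the `vault-client` build container on every stop, which is fine, but `vault-volume` persists across stops — a comment beside `ExecStop` saying the data volume is deliberately kept would save the next reader a surprise.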