SwanseaUniversityMedical / DARE-Teleport


`TASK [dare.common.vault_init_config : initialise vault with given number of key shares and threshold]` can fail if playbook is rerun #89

Closed mikej888 closed 1 year ago

mikej888 commented 1 year ago

Issue encountered while running DARE-SeRP-Dev-Deployment Version: 43f688f (Thu Sep 14 17:15:42 2023 +0100) main branch.

Running monolithic_mk8s_example/1-vm-setup-and-deploy.yaml failed at:

$ ansible-playbook -i vmware-host.yaml 1-vm-setup-and-deploy.yaml -v
...
TASK [dare.common.vault_init_config : include_tasks] ***********************************************
included: /home/mjj/.ansible/collections/ansible_collections/dare/common/roles/vault_init_config/tasks/init.yml for single_host

TASK [dare.common.vault_init_config : initialise vault with given number of key shares and threshold] ***
[DEPRECATION WARNING]: The 'return_code' return key is being renamed to 'rc'. Both keys are being returned for now to allow users to migrate their automation. This feature will be removed from kubernetes.core in version 4.0.0. Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.
fatal: [single_host]: FAILED! => {"changed": true, "rc": 2, "return_code": 2, "stderr": "Error initializing: Error making API request.\n\nURL: PUT http://127.0.0.1:8200/v1/sys/init\nCode: 400. Errors:\n\n* Vault is already initialized\n", "stderr_lines": ["Error initializing: Error making API request.", "", "URL: PUT http://127.0.0.1:8200/v1/sys/init", "Code: 400. Errors:", "", "* Vault is already initialized"], "stdout": "", "stdout_lines": []}

PLAY RECAP *****************************************************************************************
single_host                : ok=84   changed=24   unreachable=0    failed=1    skipped=36   rescued=0    ignored=1

The failure occurs within: ~/.ansible/collections/ansible_collections/dare/common/roles/vault_init_config/tasks/init.yml (file ansble/roles/vault_init_config/tasks/init.yml in this repository):

- name: initialise vault with given number of key shares and threshold
  kubernetes.core.k8s_exec:
    namespace: "{{ vault_namespace }}"
    pod: "{{ vault_pods[0] }}"
    command: "vault operator init -key-shares={{ vault_number_key_shares }} -key-threshold={{ vault_key_threshold }} -format=json"
  register: vault_init_result

Is there a way to check if the Vault has been initialised and, if so, to retrieve the root token again? It could be retrieved from the root-unseal.json file on the control VM via a task like the following (which could be made conditional on whether the Vault has already been initialised):

- set_fact:
    vault_init: "{{ lookup('file', vault_config_output_folder + '/root-unseal.json') | from_json }}"
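
One way to make the init step idempotent, written here as an added example rather than the DARE-Teleport role's own tasks: ask Vault whether it is initialised before calling `vault operator init`, and on a rerun load the root token from the JSON saved by the first run. `vault status` exits 0 when unsealed, 2 when sealed and 1 on a real error, so only exit code 1 is treated as failure. The variables `vault_namespace`, `vault_pods`, `vault_number_key_shares`, `vault_key_threshold` and `vault_config_output_folder` are the ones the role already uses; the registered result names and the `vault_already_initialised` fact are assumptions for this example.

```yaml
# Added example, not the role's own init.yml. Assumes the role variables
# vault_namespace, vault_pods, vault_number_key_shares, vault_key_threshold
# and vault_config_output_folder; vault_status_result, vault_init_result,
# vault_init and vault_already_initialised are names chosen for this example.

- name: query vault status (exit code 2 means sealed, not an error)
  kubernetes.core.k8s_exec:
    namespace: "{{ vault_namespace }}"
    pod: "{{ vault_pods[0] }}"
    command: vault status -format=json
  register: vault_status_result
  failed_when: vault_status_result.rc not in [0, 2]
  changed_when: false

- name: record whether vault is already initialised
  ansible.builtin.set_fact:
    vault_already_initialised: "{{ (vault_status_result.stdout | from_json).initialized | bool }}"

- name: initialise vault with given number of key shares and threshold
  kubernetes.core.k8s_exec:
    namespace: "{{ vault_namespace }}"
    pod: "{{ vault_pods[0] }}"
    command: "vault operator init -key-shares={{ vault_number_key_shares }} -key-threshold={{ vault_key_threshold }} -format=json"
  register: vault_init_result
  when: not vault_already_initialised

- name: keep the unseal keys and root token on the control host (first run only)
  ansible.builtin.copy:
    content: "{{ vault_init_result.stdout }}"
    dest: "{{ vault_config_output_folder }}/root-unseal.json"
    mode: "0600"
  delegate_to: localhost
  when: not vault_already_initialised

- name: use the fresh init output on a first run
  ansible.builtin.set_fact:
    vault_init: "{{ vault_init_result.stdout | from_json }}"
  when: not vault_already_initialised

- name: fail early if vault is initialised but the saved keys are missing
  ansible.builtin.stat:
    path: "{{ vault_config_output_folder }}/root-unseal.json"
  register: root_unseal_file
  delegate_to: localhost
  failed_when: not root_unseal_file.stat.exists
  when: vault_already_initialised

- name: reuse the root token saved by the first run on a rerun
  ansible.builtin.set_fact:
    vault_init: "{{ lookup('file', vault_config_output_folder + '/root-unseal.json') | from_json }}"
  when: vault_already_initialised

- name: expose the root token to the rest of the role either way
  ansible.builtin.set_fact:
    vault_root_token: "{{ vault_init.root_token }}"
```

The `lookup('file', ...)` runs on the control host, which is where the comment above says root-unseal.json lives, so the stat task is also delegated there. A Vault that is initialised but sealed still answers `vault status -format=json` with `"initialized": true`; unsealing it is a separate step and is not covered by this snippet.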

alee-x commented 1 year ago

Hi @mikej888

If you're re-running the playbook on a vault that's already initialised and when you already have the root token, you should set the following variables in your playbook:

vault_unseal_required: false

vault_root_token: <put your vault root token from the json file here>