ansible-community / ansible-vault

:key: Ansible role for Hashicorp Vault
BSD 2-Clause "Simplified" License

An error occurs on the task: Vault main configuration #333

Open vldanch opened 1 year ago

vldanch commented 1 year ago

playbook launch: ansible-playbook -i inventory/infrastructure/hosts playbooks/all.yml --limit vault --tags vault-community

TASK [ansible-role-vault-community : Vault main configuration] ****************************************************************************************************************************************************
fatal: [vault1-infrastructure]: FAILED! => {"changed": false, "msg": "AnsibleUndefinedVariable: [\n{% for server in groups[vault_raft_group_name] %}\n  {\n    \"peer\": \"{{ server }}\",\n    \"api_addr\": \"{{ hostvars[server]['vault_api_addr'] |\n    default(vault_protocol + '://' + hostvars[server]['ansible_' + hostvars[server]['ansible_default_ipv4']['interface']]['ipv4']['address'] + ':' + (vault_port|string)) }}\"\n  },\n{% endfor %}\n]\n: 'dict object' has no attribute 'vault_raft_servers'"}

How can this error be fixed?

FalcoSuessgott commented 1 year ago

Your playbook needs to run for the inventory group vault_raft_servers, unless you rename it by setting vault_raft_group_name.

vldanch commented 1 year ago

@FalcoSuessgott And why is it needed at all?

FalcoSuessgott commented 1 year ago

Because by default this role deploys a Vault cluster with raft / integrated storage. You can specify other backends such as etcd or mysql, but raft is the commonly used one.

vldanch commented 1 year ago

@FalcoSuessgott Should raft be hosted on the clustered Vault hosts?

[vault-infra]
vault1-infrastructure ansible_host=ip-address ansible_port=22
vault2-infrastructure ansible_host=ip-address ansible_port=22
vault3-infrastructure ansible_host=ip-address ansible_port=22

And, accordingly, vault_raft_group_name should point to a group in the hosts file? Or does it still have to be a separate host?

FalcoSuessgott commented 1 year ago

[vault-infra]
vault1-infrastructure ansible_host=ip-address ansible_port=22
vault2-infrastructure ansible_host=ip-address ansible_port=22
vault3-infrastructure ansible_host=ip-address ansible_port=22

[vault-infra:vars]
vault_raft_group_name=vault-infra

should do the trick :)
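To make the lookup behind the error concrete, here is an added example (not code from the ansible-vault role) that parses a minimal INI inventory and builds the raft peer list the way the "Vault main configuration" template does: it looks up `groups[vault_raft_group_name]`, which fails with the undefined-variable message from the issue when no group of that name exists, and succeeds once `[vault-infra:vars]` points `vault_raft_group_name` at the group the hosts are in. The inventory text is constructed, the IP addresses are placeholders, and `ansible_host` stands in for the `ansible_default_ipv4` fact the real template reads, because no facts are gathered offline; only `[group]` and `[group:vars]` sections are handled, not `[group:children]`.

```python
"""Simulation of the role's raft-peer lookup against an INI inventory.
Added example; not Ansible's inventory parser and not the role's template."""
import re
from dataclasses import dataclass, field


@dataclass
class Inventory:
    groups: dict = field(default_factory=dict)     # group -> [hostnames]
    hostvars: dict = field(default_factory=dict)   # host -> {var: value}
    groupvars: dict = field(default_factory=dict)  # group -> {var: value}


def parse_ini_inventory(text):
    """Parse [group] host lines and [group:vars] key=value lines."""
    inv = Inventory()
    section, is_vars = None, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"\[([^\]:]+)(?::(vars))?\]", line)
        if m:
            section, is_vars = m.group(1), m.group(2) == "vars"
            inv.groups.setdefault(section, [])
            inv.groupvars.setdefault(section, {})
            continue
        if is_vars:
            k, _, v = line.partition("=")
            inv.groupvars[section][k.strip()] = v.strip()
        else:
            host, *pairs = line.split()
            inv.groups[section].append(host)
            hv = inv.hostvars.setdefault(host, {})
            for p in pairs:
                k, _, v = p.partition("=")
                hv[k] = v
    # Group vars apply to each member host, below host-level vars in precedence.
    for g, members in inv.groups.items():
        for h in members:
            for k, v in inv.groupvars[g].items():
                inv.hostvars[h].setdefault(k, v)
    return inv


class UndefinedVariable(KeyError):
    """Stands in for AnsibleUndefinedVariable."""


def render_raft_servers(inv, host, protocol="http", port=8200):
    """Build the peer list for `host` as the role's template does."""
    # The role defaults vault_raft_group_name to 'vault_raft_servers'; a value
    # reaching the host (here via [group:vars]) overrides it.
    group = inv.hostvars.get(host, {}).get("vault_raft_group_name", "vault_raft_servers")
    if group not in inv.groups:
        raise UndefinedVariable(f"'dict object' has no attribute '{group}'")
    peers = []
    for server in inv.groups[group]:
        hv = inv.hostvars[server]
        # ASSUMPTION: ansible_host replaces the ansible_default_ipv4 fact here.
        addr = hv.get("vault_api_addr") or f"{protocol}://{hv['ansible_host']}:{port}"
        peers.append({"peer": server, "api_addr": addr})
    return peers


def raft_servers_or_error(inventory_text, host):
    """Return the peer list, or the error message the task would report."""
    try:
        return render_raft_servers(parse_ini_inventory(inventory_text), host)
    except UndefinedVariable as e:
        return f"AnsibleUndefinedVariable: {e.args[0]}"


# Constructed inventories; 10.0.0.x are placeholder addresses.
BROKEN_INVENTORY = """
[vault-infra]
vault1-infrastructure ansible_host=10.0.0.11 ansible_port=22
vault2-infrastructure ansible_host=10.0.0.12 ansible_port=22
vault3-infrastructure ansible_host=10.0.0.13 ansible_port=22
"""

FIXED_INVENTORY = BROKEN_INVENTORY + """
[vault-infra:vars]
vault_raft_group_name=vault-infra
"""

if __name__ == "__main__":
    print(raft_servers_or_error(BROKEN_INVENTORY, "vault1-infrastructure"))
    print(raft_servers_or_error(FIXED_INVENTORY, "vault1-infrastructure"))
```

Running it prints the undefined-variable error for the first inventory and three peers with `http://<ansible_host>:8200` addresses for the second, which is the difference the `[vault-infra:vars]` block makes.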

vldanch commented 1 year ago

@FalcoSuessgott The most interesting thing is that it rolled out and now I see the following error in the logs:

* Vault is sealed"
2023-07-20T12:46:12.365Z [INFO]  core: security barrier not initialized
2023-07-20T12:46:12.365Z [INFO]  core: attempting to join possible raft leader node: leader_addr=http://ip-address:8200
2023-07-20T12:46:12.366Z [INFO]  core: join attempt failed: error="error during raft bootstrap init call: Error making API request.

URL: PUT http://ip-address:8200/v1/sys/storage/raft/bootstrap/challenge
Code: 503. Errors:

* Vault is sealed"
2023-07-20T12:46:12.366Z [ERROR] core: failed to retry join raft cluster: retry=2s

And I can’t see the status on more than one host:

root@vault2-infrastructure:~# vault status
Error checking seal status: Get "https://127.0.0.1:8200/v1/sys/seal-status": dial tcp 127.0.0.1:8200: connect: connection refused

FalcoSuessgott commented 1 year ago

This is the normal behaviour: Vault is sealed, which means you have to unseal the node first using the UI, CLI or API. I suggest you read through https://developer.hashicorp.com/vault/docs/concepts/seal.

You will have to unseal one node and save the unseal keys and root token file. Go to every other node and unseal them using the keys from the first node. Of course you can automate that task or even use Vault's auto-unseal mechanism.
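The per-node unseal round described above, as an added example that is not part of the role or of HashiCorp's tooling: a client submits key shares to `POST /v1/sys/unseal` after checking `GET /v1/sys/seal-status`, stopping as soon as the node reports `sealed: false`, and repeats that for every node in the cluster. The endpoint paths and the `sealed`/`t`/`n`/`progress` fields are those of Vault's HTTP API; the node and transport classes are a constructed in-memory stand-in so the script runs offline, the key shares are constructed strings, and the third address is deliberately absent from the transport to reproduce the "connection refused" case from the thread (a node whose listener is not up yet).

```python
"""Unseal a set of Vault nodes with the same key shares (simulated transport).
Added example; the HTTP paths/fields follow Vault's API, the server side is fake."""


class FakeVaultNode:
    """One node's seal state: any t of n valid shares unseal it."""

    def __init__(self, valid_keys, threshold):
        self._valid = set(valid_keys)
        self.t, self.n = threshold, len(valid_keys)
        self.sealed, self._progress = True, set()
        self.calls = 0  # number of requests received, for inspection

    def request(self, method, path, body=None):
        self.calls += 1
        if (method, path) == ("GET", "/v1/sys/seal-status"):
            return 200, self._status()
        if (method, path) == ("POST", "/v1/sys/unseal"):
            key = (body or {}).get("key")
            if key not in self._valid:
                return 400, {"errors": ["invalid unseal key share"]}  # constructed wording
            self._progress.add(key)  # a repeated share does not advance progress
            if len(self._progress) >= self.t:
                self.sealed, self._progress = False, set()
            return 200, self._status()
        return 404, {"errors": []}

    def _status(self):
        return {"sealed": self.sealed, "t": self.t, "n": self.n,
                "progress": len(self._progress)}


class Transport:
    """Maps an api address to a node; unknown addresses refuse the connection."""

    def __init__(self, nodes):
        self.nodes = nodes

    def request(self, addr, method, path, body=None):
        if addr not in self.nodes:
            raise ConnectionRefusedError(f"dial tcp {addr}: connect: connection refused")
        return self.nodes[addr].request(method, path, body)


def unseal_node(transport, addr, keys):
    """Submit shares one at a time until the node reports unsealed.

    Only as many shares as the threshold requires are ever sent."""
    code, status = transport.request(addr, "GET", "/v1/sys/seal-status")
    if code != 200:
        raise RuntimeError(f"{addr}: seal-status returned {code}: {status}")
    if not status["sealed"]:
        return status  # already unsealed, nothing to submit
    for key in keys:
        code, status = transport.request(addr, "POST", "/v1/sys/unseal", {"key": key})
        if code != 200:
            raise RuntimeError(f"{addr}: unseal rejected: {status}")
        if not status["sealed"]:
            return status
    raise RuntimeError(f"{addr}: still sealed after {len(keys)} shares (t={status['t']})")


def unseal_cluster(transport, addrs, keys):
    """Unseal every node; returns {addr: 'unsealed' | 'connection refused'}."""
    results = {}
    for addr in addrs:
        try:
            status = unseal_node(transport, addr, keys)
            results[addr] = "unsealed" if not status["sealed"] else "sealed"
        except ConnectionRefusedError:
            results[addr] = "connection refused"
    return results


# Constructed shares and placeholder addresses; threshold 3 of 5.
KEYS = [f"constructed-share-{i}" for i in range(1, 6)]
THRESHOLD = 3
ADDRS = ["http://10.0.0.11:8200", "http://10.0.0.12:8200", "http://10.0.0.13:8200"]


def demo():
    """Two nodes listening, the third not started: mirrors the thread's symptoms."""
    transport = Transport({ADDRS[0]: FakeVaultNode(KEYS, THRESHOLD),
                           ADDRS[1]: FakeVaultNode(KEYS, THRESHOLD)})
    return unseal_cluster(transport, ADDRS, KEYS)


if __name__ == "__main__":
    for addr, result in demo().items():
        print(addr, result)
```

The loop sends shares individually and reads `sealed` after each one, so a node that is already unsealed receives no key material at all, and a node that cannot be reached is reported rather than retried against the wrong address.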