improve the vault handling stuff

2023-06-29 16:06:41 +02:00 · 2023-06-29 16:06:41 +02:00 · dd769b19d4
commit dd769b19d4
parent 65e4c10460
3 changed files with 41 additions and 97 deletions
--- a/inventory/service/group_vars/vault-controller.yaml
+++ b/inventory/service/group_vars/vault-controller.yaml
--- a/playbooks/configure-vault.yaml
+++ b/playbooks/configure-vault.yaml
@ -1,4 +1,13 @@
 ---
+# Manage Vault configuration (policies, roles, accesses, etc)
+#
+# vault_instances is a dictionary ({instance_name: config}) containing all the
+# required information that is being passed one by one into the configure_vault
+# role for the execution with the help of Vault API invocation.
+#
+# variable `vault_create_auth=true` will force presence of auth methods which
+# are otherwise (default) not created
+#
 - hosts: vault-controller:!disabled
  name: "Configure Vault instances"
  tasks:
--- a/playbooks/roles/configure_vault/tasks/auth.yaml
+++ b/playbooks/roles/configure_vault/tasks/auth.yaml
@ -1,7 +1,8 @@
+---
 - name: Read Auth {{ auth.type }} at {{ auth.path }}
  check_mode: "no"
  ansible.builtin.uri:
-    url: "{{ vault_addr }}/v1/sys/auth/{{ auth.path }}/tune"
+    url: "{{ vault_addr }}/v1/sys/auth/{{ auth.path }}"
    headers:
      X-Vault-Token: "{{ vault_token }}"
    method: "GET"
@ -28,7 +29,6 @@
        passthrough_request_headers: "{{ auth.passthrough_request_headers | default(omit) }}"
        allowed_response_headers: "{{ auth.allowed_response_headers | default(omit) }}"
      options: "{{ auth.options | default(omit) }}"
-
    status_code: [200, 201, 202, 204]
  when:
    - "current_auth is not defined or current_auth.status != 200"