Add task for installing Hashicorp Vault (#397)

* Add task for installing Hashicorp Vault Signed-off-by: Jakub Stejskal <xstejs24@gmail.com> * Revert changes to main.yaml Signed-off-by: Jakub Stejskal <xstejs24@gmail.com> * Yamllint fix Signed-off-by: Jakub Stejskal <xstejs24@gmail.com> --------- Signed-off-by: Jakub Stejskal <xstejs24@gmail.com>
skodjob · Feb 26, 2025 · a2605ef · a2605ef
1 parent 58254f2
commit a2605ef
Show file tree

Hide file tree

Showing 6 changed files with 73 additions and 3 deletions.
diff --git a/...etup/install/hive/00-prepare_secrets.yaml → ...ion-hub/tasks/common/prepare_secrets.yaml b/...etup/install/hive/00-prepare_secrets.yaml → ...ion-hub/tasks/common/prepare_secrets.yaml
diff --git a/install/roles/automation-hub/tasks/common/set_facts.yaml b/install/roles/automation-hub/tasks/common/set_facts.yaml
@@ -30,3 +30,6 @@
 - name: Show generated cluster dict
   debug:
     msg: "{{ clusters_dict }}"
+
+- include_tasks:
+    file: prepare_secrets.yaml
diff --git a/install/roles/automation-hub/tasks/infra-setup/install/create_clusters_hive.yaml b/install/roles/automation-hub/tasks/infra-setup/install/create_clusters_hive.yaml
@@ -1,7 +1,4 @@
 ---
-- include_tasks:
-    file: hive/00-prepare_secrets.yaml
-
 - include_tasks:
     file: hive/02-deploy_cluster.yaml
   loop: "{{ clusters_dict.values() }}"

diff --git a/install/roles/automation-hub/tasks/infra-setup/install/vault/install_vault.yaml b/install/roles/automation-hub/tasks/infra-setup/install/vault/install_vault.yaml
@@ -0,0 +1,67 @@
+---
+- name: Create {{ vault_namespace }} namespace on Infra cluster
+  kubernetes.core.k8s:
+    kubeconfig: "{{ kubeconfig_path }}/{{ infra_context_name }}"
+    verify_ssl: no
+    state: present
+    definition:
+      apiVersion: v1
+      kind: Namespace
+      metadata:
+        name: "{{ vault_namespace }}"
+        labels:
+          project: "skodjob"
+          secret: "vault"
+
+- name: Clean helm releases for Vault
+  shell: "oc delete secret -l owner=helm -n {{ vault_namespace }} || true"
+  environment:
+    KUBECONFIG: "{{ kubeconfig_path }}/{{ infra_context_name }}"
+
+- name: Make default SA admin in {{ vault_namespace }} namespace
+  shell: "oc adm policy add-role-to-user admin system:serviceaccount:{{ vault_namespace }}:default -n {{ vault_namespace }}"
+  environment:
+    KUBECONFIG: "{{ kubeconfig_path }}/{{ infra_context_name }}"
+
+- name: Add Vault Helm Repo
+  kubernetes.core.helm_repository:
+    name: hashicorp
+    url: https://helm.releases.hashicorp.com
+
+- name: Install Vault
+  kubernetes.core.helm:
+    name: "{{ vault_namespace }}"
+    kubeconfig: "{{ kubeconfig_path }}/{{ infra_context_name }}"
+    chart_ref: hashicorp/vault
+    release_namespace: "{{ vault_namespace }}"
+    create_namespace: True
+    force: True
+    wait: True
+    replace: True
+    update_repo_cache: True
+    values:
+      commonLabels:
+        app: vault
+        project: skodjob
+      global:
+        openshift: true
+      server:
+        ha:
+          enabled: true
+          replicas: 3
+          raft:
+            enabled: true
+        # Configure AWS KMS for unsealing
+        extraEnvironmentVars:
+          AWS_ACCESS_KEY_ID: "{{ aws_secret['aws_access_key_id'] }}"
+          AWS_SECRET_ACCESS_KEY: "{{ aws_secret['aws_secret_access_key'] }}"
+          AWS_REGION: "us-east-2"
+          VAULT_SEAL_TYPE: "awskms"
+          VAULT_AWSKMS_SEAL_KEY_ID: "{{ vault_auto_unseal_key_id }}"
+        route:
+          enabled: true
+          host: "{{ vault_namespace }}-{{ vault_namespace }}.apps.{{ infra_context_name }}.{{ cluster_domain }}"
+          tls:
+            termination: edge
+        ui:
+          enabled: true
diff --git a/install/roles/automation-hub/tasks/main.yml b/install/roles/automation-hub/tasks/main.yml
@@ -88,6 +88,9 @@
 - import_tasks: infra-setup/install/orchestrate_cert_manager.yaml
   tags: [cert-manager, cm, infra, never]
 
+- import_tasks: infra-setup/install/vault/install_vault.yaml
+  tags: [vault, infra, never]
+
 - import_tasks: infra-setup/install/orchestrate_logging.yaml
   tags: [logging, infra, monitoring, never]
 

diff --git a/install/secrets/clusters.yaml b/install/secrets/clusters.yaml