
asmtal / consul-vault


This project forked from adamgoldsmith/consul-vault


HashiCorp Vault service running on Consul cluster backend with HAProxy frontend

License: MIT License

Shell 46.64% HCL 53.36%

consul-vault's Introduction

HashiCorp Vault & Consul cluster

License: MIT

Installs & configures HashiCorp's Consul & Vault + HAProxy to run as an HA cluster

Note: Please see this repo for a similar project that uses the integrated (Raft) storage backend introduced in the Vault 1.4 release, which removes the need for a Consul-based backend storage deployment.

[Image: symbolic representation overview of the deployment]

[Image: Consul UI dashboard]

Although the vault installation creates an OpenSSL TLS private key, CSR and resulting certificate, the uri module tasks in these roles currently use "validate_certs: no", so the playbooks never verify the certificate of the Vault API they talk to. It is up to you to complete the TLS configuration.
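One way to close that gap, shown here as an added example rather than code taken from the consul-vault roles: put the CA (or the self-signed server certificate) that the vault role generates into the OS trust store of whichever host runs the uri tasks, then turn validation on. The file names under files/ and /etc/vault.d/, and the seal-status call used as the illustrative request, are assumptions.

```yaml
# Added example; not taken from the consul-vault roles. The paths under
# files/ and /etc/vault.d/ are assumptions for illustration only.

# Before: the request succeeds against any certificate, including one
# presented by a host impersonating the Vault node.
- name: Check Vault seal status (no certificate validation)
  uri:
    url: "https://{{ inventory_hostname }}:8200/v1/sys/seal-status"
    validate_certs: no
  register: seal_status

# After: trust the CA (or self-signed cert) the vault role produced, on
# whichever host executes the uri task, and validate against it.
- name: Install the Vault CA into the OS trust store (Debian family)
  copy:
    src: files/vault-ca.pem                               # assumed: CA or self-signed server cert
    dest: /usr/local/share/ca-certificates/vault-ca.crt   # update-ca-certificates only picks up .crt
    mode: "0644"
  become: yes
  when: ansible_os_family == "Debian"

- name: Install the Vault CA into the OS trust store (RedHat family, incl. Oracle Linux/CentOS)
  copy:
    src: files/vault-ca.pem
    dest: /etc/pki/ca-trust/source/anchors/vault-ca.pem
    mode: "0644"
  become: yes
  when: ansible_os_family == "RedHat"

- name: Rebuild the trust store so Ansible's urllib sees the new CA
  command: "{{ 'update-ca-certificates' if ansible_os_family == 'Debian' else 'update-ca-trust extract' }}"
  become: yes

- name: Check Vault seal status (certificate validated against that CA)
  uri:
    url: "https://{{ inventory_hostname }}:8200/v1/sys/seal-status"
    validate_certs: yes
  register: seal_status
```

With validate_certs: yes the uri module also checks that the host in url matches the certificate's CN/SAN, so the CSR the role generates must carry the node's FQDN (or IP) as a subject alternative name, and url must use that name rather than an address the certificate does not cover. Later Ansible releases also add a ca_path option to uri, which avoids touching the system trust store.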

WARNING - When Vault is initialized, the unseal key shards (the master key shares) and the root token are stored in plain text in the ansible user's HOME directory on the Ansible control machine. This is NOT good practice, but was used to get things running. I am considering various future options that won't break the non-interactive execution of the playbooks, such as encrypting the file with Ansible Vault using a pre-defined vault password file, but that is really no more secure than the current setup, since the password file would sit on the same machine. HashiCorp Vault can encrypt the key shards (and the root token) to PGP, GPG or Keybase public keys at initialization time. This is the ideal solution, but it might prove too difficult to implement while maintaining non-interactive playbook execution.
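What the PGP option looks like as Ansible tasks, as an added example that is not part of this project's playbooks: vault operator init is given one operator public key per share, so the JSON it returns already holds encrypted shares and an encrypted root token, and nothing in plain text is ever written to the control machine. The key file names under files/pgp/ and /etc/vault.d/, the listener address and the CA path are assumptions.

```yaml
# Added example; not part of the consul-vault playbooks. Assumes the operators'
# ASCII-armoured PGP public keys sit in files/pgp/ on the control machine and
# that Vault on the target listens on https://127.0.0.1:8200 (both assumed).
- name: Copy operator PGP public keys to the Vault node
  copy:
    src: files/pgp/
    dest: /etc/vault.d/pgp/
    mode: "0644"

- name: Initialise Vault, encrypting each key share to one operator's PGP key
  command: >
    vault operator init -format=json
    -key-shares=5 -key-threshold=3
    -pgp-keys={{ vault_pgp_keys | join(',') }}
    -root-token-pgp-key={{ vault_pgp_keys[0] }}
  vars:
    vault_pgp_keys:            # one key per share; the count must equal -key-shares
      - /etc/vault.d/pgp/alice.asc
      - /etc/vault.d/pgp/bob.asc
      - /etc/vault.d/pgp/carol.asc
      - /etc/vault.d/pgp/dave.asc
      - /etc/vault.d/pgp/erin.asc
  environment:
    VAULT_ADDR: https://127.0.0.1:8200
    VAULT_CACERT: /etc/vault.d/tls/vault-ca.pem   # assumed location of the CA cert
  register: vault_init
  run_once: true             # only one node of the cluster initialises the backend
  no_log: true               # keep even the encrypted blobs out of the Ansible log

- name: Keep the init output; every share and the root token in it is PGP-encrypted
  copy:
    content: "{{ vault_init.stdout }}"
    dest: "{{ lookup('env', 'HOME') }}/vault_init.json"
    mode: "0600"
  delegate_to: localhost
  become: no
```

Each operator recovers their own share by base64-decoding their entry in unseal_keys_b64 and piping it through gpg --decrypt; the root token is recovered the same way from root_token. The cost is exactly the one the warning anticipates: unsealing now needs three operators to decrypt and submit their shares, so the unseal step of the playbook can no longer run fully non-interactively.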

Heavily based on the documentation supplied by HashiCorp at https://www.vaultproject.io/guides/operations/vault-ha-consul.html

Currently tested on these Operating Systems

  • Oracle Linux/RHEL/CentOS 7 (Note: Enables EPEL repo using Jeff Geerling's EPEL role)
  • Debian/Stretch64

Requirements

  • Hashicorp Vagrant
  • Ansible 2.5 or higher

Dependencies

  • Requires elevated root privileges
  • Copy Ansible control machine user's public SSH key (usually called id_rsa.pub) into the vagrant working directory

Getting the code

git clone https://github.com/AdamGoldsmith/consul-vault.git --recurse-submodules

Running the deployment

cd vagrant
export BOX_NAME="centos/7"     # Optional (defaults to debian/stretch64)
vagrant up

On the Ansible Control Machine

To deploy

./deploy.sh

or

ansible-playbook playbooks/site.yml

To remove

./deploy.sh -t remove

or

ansible-playbook playbooks/site.yml --tags 'remove'


Known Issues

  • deploy.sh

The deploy.sh script has been updated to use a /bin/bash shebang, which might not be available on every system, so you may need to change it to the shell of your choice.

  • PyOpenSSL

If you get the message "You need to have PyOpenSSL>=0.15 to generate CSRs", it is most likely an issue with which OpenSSL package Python has imported. When pyOpenSSL is installed or upgraded via the pip Ansible module in this playbook, the package is installed under /usr/lib/pythonx.x/site-packages; however, another (older) OpenSSL Python package may be installed under /usr/lib64/pythonx.x/site-packages, and because that directory typically comes first on the import path it is loaded in preference to the newer package.
To prevent this, temporarily move the directory "/usr/lib64/pythonx.x/site-packages/OpenSSL" out of the way while running this playbook.
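A pre-flight check that surfaces this shadowing before the CSR task fails, as an added example that is not part of the project's playbooks: it runs a probe with the same interpreter the Ansible modules use, reports which OpenSSL module that interpreter actually loads, and fails the run if the version is too old. The interpreter fallback of /usr/bin/python is an assumption.

```yaml
# Added example; not part of the consul-vault playbooks. Runs the probe with
# the interpreter Ansible's modules use (falls back to /usr/bin/python, an
# assumption) so the result matches what the openssl_csr task will see.
- name: Report which OpenSSL module the target's Python actually loads
  command: >
    {{ ansible_python_interpreter | default('/usr/bin/python') }} -c
    "import OpenSSL, sys; sys.stdout.write(OpenSSL.__file__ + ' ' + OpenSSL.__version__ + '\n')"
  register: pyopenssl_probe
  changed_when: false

- name: Fail early if a shadowing or too-old pyOpenSSL is first on the import path
  assert:
    that:
      - pyopenssl_probe.stdout.split()[1] is version('0.15', '>=')
    msg: >-
      {{ pyopenssl_probe.stdout.split()[0] }} is pyOpenSSL
      {{ pyopenssl_probe.stdout.split()[1] }}, which is older than 0.15.
      If this path is under /usr/lib64, that copy shadows the one pip
      installed; move it out of the way or upgrade it, then re-run.
```

The reported path is the useful part: if it points into /usr/lib64/pythonx.x/site-packages while pip installed pyOpenSSL under /usr/lib/pythonx.x/site-packages, the shadowing described above is confirmed without having to wait for the CSR task to fail.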

License

MIT License

Author Information

Adam Goldsmith

Contributors

  • adamgoldsmith
