
An error occurs on the task: Vault main configuration

Open vldanch opened this issue 1 year ago • 7 comments

playbook launch: ansible-playbook -i inventory/infrastructure/hosts playbooks/all.yml --limit vault --tags vault-community

TASK [ansible-role-vault-community : Vault main configuration] ****************************************************************************************************************************************************
fatal: [vault1-infrastructure]: FAILED! => {"changed": false, "msg": "AnsibleUndefinedVariable: [\n{% for server in groups[vault_raft_group_name] %}\n  {\n    \"peer\": \"{{ server }}\",\n    \"api_addr\": \"{{ hostvars[server]['vault_api_addr'] |\n    default(vault_protocol + '://' + hostvars[server]['ansible_' + hostvars[server]['ansible_default_ipv4']['interface']]['ipv4']['address'] + ':' + (vault_port|string)) }}\"\n  },\n{% endfor %}\n]\n: 'dict object' has no attribute 'vault_raft_servers'"}

How can this error be fixed?

vldanch avatar Jul 20 '23 05:07 vldanch

Your playbook needs to run for the inventory group vault_raft_servers, unless you rename it by setting vault_raft_group_name.

FalcoSuessgott avatar Jul 20 '23 06:07 FalcoSuessgott

@FalcoSuessgott And why is it needed at all?

vldanch avatar Jul 20 '23 06:07 vldanch

Because by default this role deploys a Vault cluster with Raft / integrated storage. You can specify other backends such as etcd or MySQL, but Raft is the commonly used one.

FalcoSuessgott avatar Jul 20 '23 06:07 FalcoSuessgott

@FalcoSuessgott Should Raft be hosted on the clustered Vault hosts?

[vault-infra]
vault1-infrastructure ansible_host=ip-address ansible_port=22
vault2-infrastructure ansible_host=ip-address ansible_port=22
vault3-infrastructure ansible_host=ip-address ansible_port=22

And, accordingly, vault_raft_group_name should point to a group in the hosts file? Or does it still have to be a separate host?

vldanch avatar Jul 20 '23 12:07 vldanch

[vault-infra]
vault1-infrastructure ansible_host=ip-address ansible_port=22
vault2-infrastructure ansible_host=ip-address ansible_port=22
vault3-infrastructure ansible_host=ip-address ansible_port=22

[vault-infra:vars]
vault_raft_group_name=vault-infra

should do the trick :)

FalcoSuessgott avatar Jul 20 '23 12:07 FalcoSuessgott

@FalcoSuessgott The most interesting thing is that it rolled out and now I see the following error in the logs:

* Vault is sealed"
2023-07-20T12:46:12.365Z [INFO]  core: security barrier not initialized
2023-07-20T12:46:12.365Z [INFO]  core: attempting to join possible raft leader node: leader_addr=http://ip-address:8200
2023-07-20T12:46:12.366Z [INFO]  core: join attempt failed: error="error during raft bootstrap init call: Error making API request.

URL: PUT http://ip-address:8200/v1/sys/storage/raft/bootstrap/challenge
Code: 503. Errors:

* Vault is sealed"
2023-07-20T12:46:12.366Z [ERROR] core: failed to retry join raft cluster: retry=2s

And I can’t see the status on more than one host:

root@vault2-infrastructure:~# vault status
Error checking seal status: Get "https://127.0.0.1:8200/v1/sys/seal-status": dial tcp 127.0.0.1:8200: connect: connection refused

vldanch avatar Jul 20 '23 12:07 vldanch

This is the normal behaviour: Vault is sealed, which means you have to unseal the node first using the UI, CLI or API. I suggest you read through https://developer.hashicorp.com/vault/docs/concepts/seal.

You will have to unseal one node and save the unseal keys and root token file. Go to every other node and unseal them using the keys from the first node. Of course you can automate that task, or even use Vault's auto-unseal mechanism.

FalcoSuessgott avatar Jul 20 '23 12:07 FalcoSuessgott
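The init-then-unseal procedure described in the last reply, written as an added Ansible playbook. This is example code, not part of ansible-role-vault-community and not posted by anyone in this issue. It assumes the inventory group is vault-infra as in the thread, that each node serves its API over plain http on port 8200 at its ansible_host (matching the leader_addr in the posted log), and that the cluster uses the default Shamir seal rather than auto-unseal; the share count, threshold and output path are this example's own choices. The play runs one host at a time on purpose: the 503 "Vault is sealed" on /v1/sys/storage/raft/bootstrap/challenge in the log is a follower trying to join a leader that is initialised but still sealed, so the first host must be initialised and unsealed before the others can join, and each follower only reports initialized after its join succeeds.

```yaml
# Added example: initialise the first Raft node, persist the unseal material,
# then unseal every node. Not the role's own code; assumptions noted above.
- name: Initialise the first Raft node and unseal every node in order
  hosts: vault-infra
  gather_facts: false
  serial: 1   # leader must be unsealed before followers can join the Raft cluster
  vars:
    vault_addr: "http://{{ ansible_host }}:8200"       # assumed listener, see log's leader_addr
    vault_secret_shares: 5
    vault_secret_threshold: 3
    vault_init_file: "{{ playbook_dir }}/vault-init.json"   # unseal keys + root token: keep out of git
  tasks:
    - name: Read seal status
      ansible.builtin.uri:
        url: "{{ vault_addr }}/v1/sys/seal-status"
        method: GET
      register: seal

    - name: Initialise the cluster on the first host only, and only once
      ansible.builtin.uri:
        url: "{{ vault_addr }}/v1/sys/init"
        method: PUT
        body_format: json
        body:
          secret_shares: "{{ vault_secret_shares | int }}"
          secret_threshold: "{{ vault_secret_threshold | int }}"
      register: init
      when:
        - inventory_hostname == groups['vault-infra'][0]
        - not seal.json.initialized

    - name: Save unseal keys and root token on the controller, readable only by the owner
      ansible.builtin.copy:
        content: "{{ init.json | to_nice_json }}"
        dest: "{{ vault_init_file }}"
        mode: "0600"
      delegate_to: localhost
      when: init is not skipped

    - name: Load the saved init material (file lookup runs on the controller)
      ansible.builtin.set_fact:
        vault_init: "{{ lookup('file', vault_init_file) | from_json }}"

    - name: Wait until this node reports initialized (followers do so only after the Raft join succeeds)
      ansible.builtin.uri:
        url: "{{ vault_addr }}/v1/sys/seal-status"
        method: GET
      register: seal
      until: seal.json.initialized | default(false)
      retries: 30
      delay: 5

    - name: Submit threshold unseal keys (same keys on every node of the cluster)
      ansible.builtin.uri:
        url: "{{ vault_addr }}/v1/sys/unseal"
        method: PUT
        body_format: json
        body:
          key: "{{ item }}"
      loop: "{{ vault_init.keys_base64[:vault_secret_threshold] }}"
      no_log: true   # never print unseal keys in task output
      when: seal.json.sealed

    - name: Confirm the node is unsealed
      ansible.builtin.uri:
        url: "{{ vault_addr }}/v1/sys/seal-status"
        method: GET
      register: seal
      failed_when: seal.json.sealed
```

Two practical notes. The connection refused from `vault status` above is the CLI talking to its default address, https://127.0.0.1:8200, while the server in the log answers on http at the host address; export VAULT_ADDR=http://<host-ip>:8200 (or set it in the role's environment) before running the CLI on a node. And a JSON file of unseal keys plus the root token on the controller is only acceptable for a lab: for anything persistent, distribute the shares to separate holders or move to auto-unseal, and revoke the initial root token once you have configured another auth method.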