
b242037690928a36c4075907f036b2dc4eac6fc9 — Thorben Günther 2 years ago f83b9ac
keycloak: Move secrets to hc vault
6 files changed, 12 insertions(+), 27 deletions(-)

M group_vars/all/vars.yml
D group_vars/all/vault_keycloak.yml
M roles/keycloak/tasks/main.yml
M roles/keycloak/templates/standalone.xml.j2
M terraform_keycloak/keycloak.tf
M terraform_vault/secrets.tf
M group_vars/all/vars.yml => group_vars/all/vars.yml +0 -3
@@ 6,9 6,6 @@ ejabberd_xenrox_password: "{{ vault_ejabberd_xenrox_password }}"
email_noreply_mail: "{{ vault_email_noreply_mail }}"
email_noreply_password: "{{ vault_email_noreply_password }}"
faceit_bearer: "{{ vault_faceit_bearer }}"
keycloak_admin_password: "{{ vault_keycloak_admin_password }}"
keycloak_admin_username: "{{ vault_keycloak_admin_username }}"
keycloak_psql_password: "{{ vault_keycloak_psql_password }}"
minio_access_key: "{{ vault_minio_access_key }}"
minio_secret_key: "{{ vault_minio_secret_key }}"
nextcloud_instanceid: "{{ vault_nextcloud_instanceid }}"

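--- a/group_vars/all/vault_keycloak.yml
+++ /dev/null
@@ -1,15 +0,0 @@
-$ANSIBLE_VAULT;1.1;AES256
-38313064616364626636393963633236306364396163323934333664326661363830633431353766
-3138613238666232303130363564366333313661623834330a663530633037333035653463343861
-61336431636364653966346439313830633732666436356238366433313034343531303566366531
-3934396432333963320a616539666666326164363634306334323262663533646233646635346133
-36623333363766373562383834366133363634393563343438353735643932653663633837333564
-37366364633766616138393661656433643837626230323332356264343935356139366333623230
-65343264383266343032393163643761306238653135353962633663323239396162623262353366
-66646534333834373166613561633166323163323435663263616565623134306430393931643163
-38303231383966663231306461653965636435326163393732663861623134303734353434623864
-36616333613862636264626337343537643739666231356365616337376162363131383734616233
-38646537663763616339626131353536613061643061636130356565633536313566653061353832
-64373333613536643366633362393335646366653435323761636466306364376364386365656364
-37656232383463393761373764303064646132646463323933323735346135356664626236666135
-3166633466313461326535646230656562343439373337636462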
M roles/keycloak/tasks/main.yml => roles/keycloak/tasks/main.yml +6 -2
@@ 1,4 1,8 @@
---
- name: Get secrets
  ansible.builtin.set_fact:
    keycloak_secrets: "{{ lookup('community.hashi_vault.hashi_vault', 'ansible/data/keycloak') }}"

- name: Install
  community.general.pacman:
    name: keycloak


@@ 7,7 11,7 @@
- name: Create db user
  community.general.postgresql_user:
    name: keycloak
    password: "{{ keycloak_psql_password }}"
    password: "{{ keycloak_secrets['psql_password'] }}"
  become: true
  become_user: postgres
  no_log: true


@@ 30,7 34,7 @@
  notify: Restart keycloak

- name: Create admin user
  ansible.builtin.command: /opt/keycloak/bin/add-user-keycloak.sh -r master -u {{ keycloak_admin_username }} -p {{ keycloak_admin_password }}
  ansible.builtin.command: /opt/keycloak/bin/add-user-keycloak.sh -r master -u {{ keycloak_secrets['admin_username'] }} -p {{ keycloak_secrets['admin_password'] }}
  no_log: true
  when: keycloak_db.changed
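Review bot: The new `Get secrets` task sets `keycloak_secrets` via `set_fact` but carries no `no_log: true`, so a run with `-v` prints the returned mapping — `admin_password` and `psql_password` included — in the task result, even though every task that consumes the fact is marked `no_log`; add `no_log: true` beneath the `set_fact` block. The rewritten `Create admin user` command still interpolates the password unquoted into the command string, which `ansible.builtin.command` splits with shlex, so a value containing spaces or quotes is mangled; the `argv:` form avoids that: `argv: ["/opt/keycloak/bin/add-user-keycloak.sh", "-r", "master", "-u", "{{ keycloak_secrets['admin_username'] }}", "-p", "{{ keycloak_secrets['admin_password'] }}"]`. In either form the password is visible in the host's process list while the script runs, which predates this commit but deserves a comment on the task.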


M roles/keycloak/templates/standalone.xml.j2 => roles/keycloak/templates/standalone.xml.j2 +1 -1
@@ 134,7 134,7 @@
                    <driver>postgresql</driver>
                    <security>
                        <user-name>keycloak</user-name>
                        <password>{{ keycloak_psql_password }}</password>
                        <password>{{ keycloak_secrets['psql_password'] }}</password>
                    </security>
                </datasource>
                <drivers>
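Review bot: The new `<password>` value is interpolated into the XML datasource element without escaping, so a database password containing `&`, `<` or `>` produces an unparseable `standalone.xml`; a Vault-managed value can be rotated to anything, so the template should not assume a safe character set. Pipe it through Jinja's escape filter, which emits only entities valid in XML: `<password>{{ keycloak_secrets['psql_password'] | e }}</password>`. The enclosing `<datasource>` element starts and ends outside this hunk.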

M terraform_keycloak/keycloak.tf => terraform_keycloak/keycloak.tf +4 -5
@@ 4,9 4,8 @@ terraform {
  }
}

data "external" "vault_keycloak" {
  program = ["${path.module}/../misc/read-vault.py",
  "group_vars/all/vault_keycloak.yml"]
data "vault_generic_secret" "keycloak" {
  path = "ansible/keycloak"
}

data "vault_generic_secret" "nextcloud" {


@@ 28,8 27,8 @@ data "external" "vault_email" {

provider "keycloak" {
  client_id = "admin-cli"
  username  = data.external.vault_keycloak.result.vault_keycloak_admin_username
  password  = data.external.vault_keycloak.result.vault_keycloak_admin_password
  username  = data.vault_generic_secret.keycloak.data["admin_username"]
  password  = data.vault_generic_secret.keycloak.data["admin_password"]
  url       = "https://keycloak.xenrox.net"
}
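Review bot: The `vault_generic_secret` data source persists what it reads — here `admin_username` and `admin_password` — in the Terraform state in clear text, so the state for `terraform_keycloak` is now a copy of the Keycloak admin credential, just as the replaced `data "external"` result was; even where the provider marks the attribute sensitive, that only redacts plan output, not the state file. The backend configuration is not in this hunk, so I cannot tell whether the state is encrypted or access-restricted. A comment on the data block would make the trade-off explicit: `# NOTE: the Vault read is persisted in terraform state — keep the state backend encrypted and access-restricted.`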


M terraform_vault/secrets.tf => terraform_vault/secrets.tf +1 -1
@@ 1,6 1,6 @@
locals {
  users           = toset(["xenrox", "seeguen", "test"])
  ansible_secrets = toset(["nextcloud", "peertube", "vault"])
  ansible_secrets = toset(["keycloak", "nextcloud", "peertube", "vault"])
}

resource "vault_generic_secret" "ansible_secrets" {