Passing PostgreSQL Users and Passwords to Ansible via Hashicorp Vault in a Kubernetes Pod
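#!/usr/bin/env bash
# +------------------------------------------------------------------------------------------+
# + FILE: ansible-wrapper                                                                    +
# +                                                                                          +
# + AUTHOR: Saad Ali (https://github.com/NIXKnight)                                          +
# + To be used with https://github.com/NIXKnight/Docker-Kube-Utils.git                       +
# +------------------------------------------------------------------------------------------+
#
# Logs the pod's projected service-account identity in to Vault's kubernetes
# auth backend, exports the returned client token for Ansible's hashi_vault
# lookups, and runs the playbook. Needs the projected token file, network
# reachability to Vault, and curl, jq and ansible-playbook on PATH.
set -euo pipefail

readonly VAULT_ROLE="postgresql-db-manager"
readonly PLAYBOOK_DIR="/postgresql-db-manager/"

export K8S_SERVICEACCOUNT_DIR="/var/run/secrets/kubernetes.io/serviceaccount"
# NOTE(review): plain HTTP — the JWT and the Vault client token cross the
# cluster network unencrypted unless a mesh or network policy protects the
# hop; confirm before relying on this outside a trusted cluster network.
export VAULT_ADDR="http://vault.vault.svc.cluster.local:8200"
export ANSIBLE_STDOUT_CALLBACK="debug"
export ANSIBLE_CALLBACKS_ENABLED="profile_tasks"

# Declaration and assignment are split so a failed read is not masked by
# `export` (SC2155); the path is quoted so the token directory is one word.
K8S_AUTH_TOKEN="$(cat -- "${K8S_SERVICEACCOUNT_DIR}/token")" || exit 1
[[ -n "$K8S_AUTH_TOKEN" ]] || { printf 'error: empty service account token\n' >&2; exit 1; }
# Exported to keep parity with the original wrapper; nothing in the playbook
# shown here reads it, so the export can likely be dropped — TODO confirm.
export K8S_AUTH_TOKEN

# The login body is built with jq (so the JWT is JSON-escaped) and streamed to
# curl on stdin instead of being written to a predictable, umask-dependent
# /tmp file that outlived the script. `curl -f` turns an HTTP error into a
# non-zero exit; `jq -e` with `// empty` fails when the response carries no
# client_token (the old `jq -r` silently produced the string "null"), and
# pipefail surfaces either failure through the assignment.
VAULT_TOKEN="$(
  jq -n --arg role "$VAULT_ROLE" --arg jwt "$K8S_AUTH_TOKEN" '{role: $role, jwt: $jwt}' \
    | curl -fsS --data @- "${VAULT_ADDR}/v1/auth/kubernetes/login" \
    | jq -re '.auth.client_token // empty'
)" || { printf 'error: Vault kubernetes login failed\n' >&2; exit 1; }
export VAULT_TOKEN

cd -- "$PLAYBOOK_DIR" || exit 1
# NOTE(review): -vv with the debug callback prints task results to the pod
# log; confirm the role's password-bearing tasks set no_log so the
# Vault-sourced credentials are not echoed.
ansible-playbook playbook.yaml -vv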
# To be used with Ansible role https://github.com/NIXKnight/Ansible-PgSQL-DB-User.git
postgresql_login_host: "{{ lookup('ansible.builtin.env', 'POSTGRESQL_SERVICE_HOST') }}"
postgresql_login_username: "{{ lookup('community.hashi_vault.hashi_vault', 'kv_secrets/data/apps/postgresql:admin_username') }}"
postgresql_login_password: "{{ lookup('community.hashi_vault.hashi_vault', 'kv_secrets/data/apps/postgresql:admin_password') }}"
postgresql_db_users:
  # Database for Keycloak
  - db_name: "{{ lookup('community.hashi_vault.hashi_vault', 'kv_secrets/data/apps/keycloak:postgresql_database') }}"
    username: "{{ lookup('community.hashi_vault.hashi_vault', 'kv_secrets/data/apps/keycloak:postgresql_username') }}"
    password: "{{ lookup('community.hashi_vault.hashi_vault', 'kv_secrets/data/apps/keycloak:postgresql_password') }}"
    encoding: "UTF-8"
    lc_collate: "en_US.UTF-8"
    lc_ctype: "en_US.UTF-8"
    privileges: "ALL"
    db_objects: "ALL_DEFAULT"
    db_object_type: "default_privs"
  # Database for Terraform state
  - db_name: "{{ lookup('community.hashi_vault.hashi_vault', 'kv_secrets/data/apps/terraform:state_db_name') }}"
    username: "{{ lookup('community.hashi_vault.hashi_vault', 'kv_secrets/data/apps/terraform:state_db_username') }}"
    password: "{{ lookup('community.hashi_vault.hashi_vault', 'kv_secrets/data/apps/terraform:state_db_password') }}"
    encoding: "UTF-8"
    lc_collate: "en_US.UTF-8"
    lc_ctype: "en_US.UTF-8"
    privileges: "ALL"
    db_objects: "ALL_DEFAULT"
    db_object_type: "default_privs"
- name: Ensure Databases and Users Exist in PostgreSQL
  connection: local
  hosts: localhost
  gather_facts: yes
  become: False
  vars_files:
    - "{{ playbook_dir }}/extravars.yaml"
  roles:
    - Ansible-PgSQL-DB-User