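---
# Initialize a Vault cluster from a single node.
# Initialization must happen exactly once per cluster, so the play targets
# one host only; the remaining nodes are unsealed/joined separately.
- name: Initialize Vault Cluster
  hosts: ch4  # initialize on one node only
  become: true

  tasks:
    - name: Check if Vault is already initialized
      uri:
        url: "http://{{ ansible_host }}:8200/v1/sys/health"
        method: GET
        # sys/health reports state through the HTTP status code
        # (e.g. 501 = not initialized, 503 = sealed), so accept all of these
        # instead of failing the task on a non-200 response
        status_code: [200, 429, 472, 473, 501, 503]
      register: vault_health

    - name: Initialize Vault (only if not initialized)
      uri:
        url: "http://{{ ansible_host }}:8200/v1/sys/init"
        method: POST
        body_format: json
        body:
          secret_shares: 5
          secret_threshold: 3
        status_code: 200
      register: vault_init_result
      # The response body carries the root token and all unseal keys; keep it
      # out of task output and log files (the registered variable is unaffected)
      no_log: true
      when: not vault_health.json.initialized

    - name: Save initialization results to local file
      # In Jinja, `vault_init_result.json.keys` resolves to the dict's keys()
      # method, not the "keys" field of the response, so the field is indexed
      # with ['keys'] below. keys_base64 and root_token have no such clash.
      copy:
        content: |
          # Vault Cluster Initialization Results
          Generated on: {{ ansible_date_time.iso8601 }}
          Initialized by: {{ inventory_hostname }}

          ## Root Token
          {{ vault_init_result.json.root_token }}

          ## Unseal Keys
          {% for key in vault_init_result.json['keys'] %}
          Key {{ loop.index }}: {{ key }}
          {% endfor %}

          ## Base64 Unseal Keys
          {% for key in vault_init_result.json.keys_base64 %}
          Key {{ loop.index }} (base64): {{ key }}
          {% endfor %}

          ## Important Notes
          - Store these keys securely and separately
          - You need 3 out of 5 keys to unseal Vault
          - Root token provides full access to Vault
          - Consider revoking root token after initial setup
        dest: /tmp/vault-init-results.txt
        # The file holds the root token and unseal keys; restrict it to the owner
        mode: "0600"
      delegate_to: localhost
      # The rendered content (secrets) would otherwise appear in the task diff/output
      no_log: true
      when: vault_init_result is defined and vault_init_result.json is defined

    - name: Display initialization results
      # Do not echo the root token or unseal keys to the console/log;
      # they are available in the results file written above
      debug:
        msg: |
          Vault initialized successfully!
          Root token and unseal keys were written to /tmp/vault-init-results.txt on the control node.
      when: vault_init_result is defined and vault_init_result.json is defined

    - name: Display already initialized message
      debug:
        msg: "Vault is already initialized on {{ inventory_hostname }}"
      when: vault_health.json.initialized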