From 80f6eb3d023ba8ea45a9dde93c176b52d62cf18e Mon Sep 17 00:00:00 2001
From: Jack Hodgkiss
Date: Mon, 9 Jun 2025 14:06:16 +0100
Subject: [PATCH 1/4] feat: update `galaxy.yml` version to `2.7.1`
---
 galaxy.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/galaxy.yml b/galaxy.yml
index 78f6a77..ec5c55a 100644
--- a/galaxy.yml
+++ b/galaxy.yml
@@ -2,7 +2,7 @@ namespace: stackhpc
 name: hashicorp
 description: >
 Hashicorp Vault/Consul deployment and configuration
-version: "2.7.0"
+version: "2.7.1"
 readme: "README.md"
 authors:
 - "Michał Nasiadka"
From c2ce6bde2e3891600d308227221170203a815fc5 Mon Sep 17 00:00:00 2001
From: Jack Hodgkiss
Date: Wed, 14 May 2025 10:18:38 +0100
Subject: [PATCH 2/4] feat: update `galaxy.yml` version to `2.7.0`
---
 galaxy.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/galaxy.yml b/galaxy.yml
index e3c56aa..78f6a77 100644
--- a/galaxy.yml
+++ b/galaxy.yml
@@ -2,7 +2,7 @@ namespace: stackhpc
 name: hashicorp
 description: >
 Hashicorp Vault/Consul deployment and configuration
-version: "2.6.1"
+version: "2.7.0"
 readme: "README.md"
 authors:
 - "Michał Nasiadka"
From df621920ced4fa615fc8bcbc37b9a39611aba7ef Mon Sep 17 00:00:00 2001
From: Jack Hodgkiss
Date: Sat, 7 Jun 2025 18:56:40 +0100
Subject: [PATCH 3/4] feat: add additional `TCP` localhost listener
Ensure that the `bao` client can communicate with `bao` server via `127.0.0.1` in situations where the `bind_addr` it not listening on localhost.
---
 roles/openbao/defaults/main.yml | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/roles/openbao/defaults/main.yml b/roles/openbao/defaults/main.yml
index 982358b..0ad128c 100644
--- a/roles/openbao/defaults/main.yml
+++ b/roles/openbao/defaults/main.yml
@@ -44,7 +44,14 @@ openbao_config: >
 {% else %}
 "tls_disable": "true"
 {% endif %}
+ }{% if not openbao_bind_addr.startswith('127.') %},
+ },
+ {
+ "tcp": {
+ "address": "127.0.0.1:8200",
+ "tls_disable": "true"
 }
+ {% endif %}
 }],
 "storage": {
 "raft": {
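Review bot: The loopback listener is added whenever `openbao_bind_addr` does not start with `127.`, so a wildcard bind such as `0.0.0.0` (which already serves loopback) will most likely make the second bind of port 8200 fail with an address-in-use error and the server will not start; the condition on the first added line should also exclude wildcard addresses, e.g. `{% if openbao_bind_addr not in ['0.0.0.0', '::'] and not openbao_bind_addr.startswith('127.') %}`. The fifth added line hard-codes `8200` while the retry_join block of the same `openbao_config` template uses `{{ openbao_api_port }}`; `"address": "127.0.0.1:{{ openbao_api_port }}",` keeps the `bao` client and the listener in agreement if the port is changed. This listener is also unconditionally `tls_disable`, so a node whose main listener uses TLS now additionally serves the API in cleartext to every local process — worth stating in the role README or a template comment so operators know the local API endpoint is not TLS-protected. Note too that when the condition is true the first listener object renders as `},` followed by `},`, i.e. a trailing comma inside the object; confirm the config parser tolerates that, since strict JSON does not.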
From 9377fd7314b7c179543c6ebf8c3956b3d90bad0a Mon Sep 17 00:00:00 2001
From: Jack Hodgkiss
Date: Sat, 7 Jun 2025 22:01:12 +0100
Subject: [PATCH 4/4] feat: add support for setting `leader_ca_cert_file`
If `TLS` is used on the `OpenBao` API then raft peers will need to configured with a `CA` certificate to verify the certificates being used by the leader otherwise then could not join.
---
 roles/openbao/README.md | 1 +
 roles/openbao/defaults/main.yml | 5 ++++-
 2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/roles/openbao/README.md b/roles/openbao/README.md
index 5e1505f..026c171 100644
--- a/roles/openbao/README.md
+++ b/roles/openbao/README.md
@@ -33,6 +33,7 @@ Role variables
 * `openbao_ca_cert`: Path to CA certificate used to verify OpenBao server TLS cert
 * `openbao_tls_key`: Path to TLS key to use by OpenBao
 * `openbao_tls_cert`: Path to TLS cert to use by OpenBao
+ * `openbao_tls_ca`: Path to TLS CA certificate that can be used by peers to validate the leaders TLS
 * `openbao_log_keys`: Whether to log the root token and unseal keys in the Ansible output. Default `false`
 * `openbao_set_keys_fact`: Whether to set a `openbao_keys` fact containing the root token and unseal keys. Default `false`
 * `openbao_write_keys_file`: Whether to write the root token and unseal keys to a file. Default `false`
diff --git a/roles/openbao/defaults/main.yml b/roles/openbao/defaults/main.yml
index 0ad128c..f12bf51 100644
--- a/roles/openbao/defaults/main.yml
+++ b/roles/openbao/defaults/main.yml
@@ -13,6 +13,7 @@ openbao_cluster_name: ""
 openbao_tls_key: ""
 openbao_tls_cert: ""
+openbao_tls_ca: ""
 openbao_protocol: "{{ 'https' if openbao_tls_key and openbao_tls_cert else 'http' }}"
@@ -59,7 +60,9 @@ openbao_config: >
 "path": "/openbao/file",
 {% if openbao_raft_leaders | length > 0 %}
 "retry_join": {
- "leader_api_addr": "{{ openbao_protocol }}://{{ openbao_raft_leaders | first }}:{{ openbao_api_port }}"
+ "leader_api_addr": "{{ openbao_protocol }}://{{ openbao_raft_leaders | first }}:{{ openbao_api_port }}"{% if openbao_tls_ca %},
+ "leader_ca_cert_file": "/openbao/config/{{ openbao_tls_ca }}"
+ {% endif %}
 }
 {% endif %}
 }
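Review bot: `openbao_tls_ca` is rendered on the second added line as `/openbao/config/{{ openbao_tls_ca }}`, so it is a file name relative to the config directory, while the README hunk in this same patch documents it as "Path to TLS CA certificate"; an absolute path would render as `/openbao/config//etc/...` and the peer would never find the CA. Either document it as the file name (the hunk does not show whether the role copies that file into `/openbao/config`, so the README should also say who is responsible for placing it there) or pass the value through unchanged with `"leader_ca_cert_file": "{{ openbao_tls_ca }}"`. The README entry could then read `openbao_tls_ca: Name of the CA certificate file under /openbao/config that raft peers use to verify the leader's TLS certificate; needed when TLS is enabled and the leader's certificate is not otherwise trusted by the peers`, which also fixes "leaders TLS". The `openbao_config` scalar starts before this hunk.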