vault migration

Signed-off-by: Alexis Pentori <alexis@status.im>
2024-05-10 17:46:53 +02:00 · 2024-05-10 17:46:53 +02:00 · 474bfa8052
parent c98d9d193c
commit 474bfa8052
4 changed files with 9 additions and 5 deletions
--- a/ansible.cfg
+++ b/ansible.cfg
@ -22,3 +22,7 @@ pipelining = True
 control_path = /tmp/ansible-ssh-%%h-%%p-%%r
 # necessary for cloning private git repos
 ssh_args = -o ControlMaster=auto -o ControlPersist=60s -o ForwardAgent=yes -o ConnectTimeout=360
+
+[hashi_vault_collection]
+auth_method = token
+url = https://vault.infra.status.im
--- a/ansible/group_vars/node-db.yml
+++ b/ansible/group_vars/node-db.yml
@ -8,12 +8,12 @@ postgres_ha_replica_enabled: false
 postgres_ha_replica_allowed_addresses: []

 postgres_ha_admin_user: 'postgres'
-postgres_ha_admin_pass: '{{lookup("bitwarden", "fleets/waku/"+stage+"/db/admin")}}'
+postgres_ha_admin_pass: '{{lookup("community.hashi_vault.hashi_vault", "secret/waku/fleets/waku/"+stage+"/db/admin:password")}}'

 postgres_ha_databases:
  - name: 'nim-waku'
    user: 'nim-waku'
-    pass: '{{lookup("bitwarden", "fleets/waku/"+stage+"/db/nim-waku")}}'
+    pass: '{{lookup("community.hashi_vault.hashi_vault", "secret/waku/fleets/waku/"+stage+"/db/nim-waku:password")}}'

 postgres_ha_backup: false

--- a/ansible/group_vars/node.yml
+++ b/ansible/group_vars/node.yml
@ -9,7 +9,7 @@ nim_waku_log_level: 'debug'
 nim_waku_protocols_enabled: ['relay', 'rln-relay', 'store', 'filter', 'lightpush', 'peer-exchange']
 nim_waku_disc_v5_enabled: true
 nim_waku_dns4_domain_name: '{{ dns_entry }}'
-nim_waku_node_key: '{{lookup("bitwarden", "fleets/"+env+"/"+stage+"/nodekeys", field=hostname)}}'
+nim_waku_node_key: '{{lookup("community.hashi_vault.hashi_vault", "secret/waku/fleets/"+env+"/"+stage+"/nodekeys:"+hostname)}}'
 nim_waku_cluster_id: 1
 nim_waku_relay_shard_manager: true

@ -37,7 +37,7 @@ nim_waku_p2p_max_connections: 300
 # Store
 nim_waku_store_message_db_name: 'nim-waku'
 nim_waku_store_message_db_user: 'nim-waku'
-nim_waku_store_message_db_pass: '{{lookup("bitwarden", "fleets/"+env+"/"+stage+"/db/nim-waku")}}'
+nim_waku_store_message_db_pass: '{{lookup("community.hashi_vault.hashi_vault", "secret/waku/fleets/"+env+"/"+stage+"/db:password")}}'
 nim_waku_store_message_db_url: 'postgres://{{ nim_waku_store_message_db_user}}:{{ nim_waku_store_message_db_pass}}@node-db-01.{{ ansible_domain }}.wg:5432/{{nim_waku_store_message_db_name}}'
 nim_waku_store_message_retention_policy: 'time:432000' # 5 days
 nim_waku_store_vacuum: true
--- a/ansible/requirements.yml
+++ b/ansible/requirements.yml
@ -25,7 +25,7 @@

 - name: infra-role-certbot
  src: git@github.com:status-im/infra-role-certbot.git
-  version: fdf310513b2dc731f30861ed8a5957b54b4422f7
+  version: 17986a809058ce17ef45300365b268f3ed33a00a
  scm: git

 - name: infra-role-nim-waku