vault: migrating secrets

Signed-off-by: Alexis Pentori <alexis@status.im>
2024-09-05 11:55:18 +02:00 · 2024-09-05 11:55:18 +02:00 · 70b7c6dc72
parent d3ad781cfc
commit 70b7c6dc72
3 changed files with 16 additions and 18 deletions
--- a/ansible/group_vars/all.yml
+++ b/ansible/group_vars/all.yml
@ -1,19 +1,17 @@
 ---
 # Root password
-bootstrap__root_pass: '{{lookup("bitwarden", "root-pass")}}'
+bootstrap__root_pass:               '{{lookup("vault", "hosts/config",                field="root-pass")}}'
 # Migrated to NFTables from IPTables.
 # https://github.com/status-im/infra-misc/issues/301
 bootstrap__firewall_nftables: true
-# Consul
+  # Consul
-bootstrap__consul_encryption_key:   '{{lookup("bitwarden", "consul/cluster",    field="encryption-key")}}'
+bootstrap__consul_encryption_key:   '{{lookup("vault", "hosts/config",                field="consul-encryption-key")}}'
-bootstarp__consul_agent_acl_token:  '{{lookup("bitwarden", "consul/acl-tokens", field="agent-default")}}'
+bootstarp__consul_agent_acl_token:  '{{lookup("vault", "hosts/config",                field="agent-acl-token")}}'
-bootstrap__consul_certs_ca_crt:     '{{lookup("bitwarden", "consul/certs",      file="ca.pem")}}'
+bootstrap__consul_certs_ca_crt:     '{{lookup("vault", "hosts/consul/certs",          field="ca.pem")}}'
-bootstrap__consul_certs_client_crt: '{{lookup("bitwarden", "consul/certs",      file="client.pem")}}'
+bootstrap__consul_certs_client_crt: '{{lookup("vault", "hosts/consul/certs",          field="client.pem")}}'
-bootstrap__consul_certs_client_key: '{{lookup("bitwarden", "consul/certs",      file="client-key.pem")}}'
+bootstrap__consul_certs_client_key: '{{lookup("vault", "hosts/consul/certs",          field="client-key.pem")}}'
 # SSHGuard
-bootstrap__sshguard_whitelist_extra: ['{{lookup("bitwarden", "sshguard/whitelist", field="jakubgs-home")}}']
+bootstrap__sshguard_whitelist_extra: ['{{lookup("vault", "hosts/sshguard/whitelist",  field="jakubgs-home")}}']
 # Wireguard
-wireguard_consul_acl_token: '{{lookup("bitwarden", "consul/acl-tokens", field="wireguard")}}'
+wireguard_consul_acl_token:         '{{lookup("vault", "hosts/config",                field="wireguard-acl-token")}}'
 # Volume of Trace level logs is too high and fills up ES cluster.
 bootstrap__rsyslog_filter_rules: ['TRC']
@ -22,7 +20,7 @@ bootstrap__rsyslog_filter_rules: ['TRC']
 bootstrap__docker_registries:
  - url:      'https://harbor.status.im'
    username: 'robot$wakuorg+infra-waku'
-    password: '{{ lookup("bitwarden", "harbor-robot", field="robot$wakuorg+infra-waku") }}'
+    password: '{{ lookup("vault", "hosts/config/harbor-robot", field="robot$wakuorg+infra-waku") }}'
 # Custom SSH accounts for Nimbus fleet, should start from UID 8000.
 bootstrap__active_extra_users:
--- a/ansible/group_vars/node-db.yml
+++ b/ansible/group_vars/node-db.yml
@ -8,12 +8,12 @@ postgres_ha_replica_enabled: false
 postgres_ha_replica_allowed_addresses: []
 postgres_ha_admin_user: 'postgres'
-postgres_ha_admin_pass: '{{lookup("bitwarden", "fleets/waku/"+stage+"/db/admin")}}'
+postgres_ha_admin_pass: '{{lookup("vault", "waku/" + env + "-" + stage+"/config", field="db-admin-password")}}'
 postgres_ha_databases:
  - name: 'nim-waku'
    user: 'nim-waku'
-    pass: '{{lookup("bitwarden", "fleets/waku/"+stage+"/db/nim-waku")}}'
+    pass: '{{lookup("vault", "waku/"+ env + "-" +stage+"/config", field="db-password")}}'
 postgres_ha_backup: false
--- a/ansible/group_vars/node.yml
+++ b/ansible/group_vars/node.yml
@ -9,7 +9,7 @@ nim_waku_log_level: 'debug'
 nim_waku_protocols_enabled: ['relay', 'rln-relay', 'store', 'filter', 'lightpush', 'peer-exchange']
 nim_waku_disc_v5_enabled: true
 nim_waku_dns4_domain_name: '{{ dns_entry }}'
-nim_waku_node_key: '{{lookup("bitwarden", "fleets/"+env+"/"+stage+"/nodekeys", field=hostname)}}'
+nim_waku_node_key: '{{lookup("vault", "waku/"+env+"-"+stage+"/config", field=hostname)}}'
 nim_waku_cluster_id: 1
 nim_waku_relay_shard_manager: true
@ -39,7 +39,7 @@ nim_waku_max_relay_peers: '{{ nim_waku_p2p_max_connections - 100 }}'
 # Store
 nim_waku_store_message_db_name: 'nim-waku'
 nim_waku_store_message_db_user: 'nim-waku'
-nim_waku_store_message_db_pass: '{{lookup("bitwarden", "fleets/"+env+"/"+stage+"/db/nim-waku")}}'
+nim_waku_store_message_db_pass: '{{lookup("vault", "waku/"+env+"-"+stage+"/config", field="db-password")}}'
 nim_waku_store_message_db_url: 'postgres://{{ nim_waku_store_message_db_user}}:{{ nim_waku_store_message_db_pass}}@node-db-01.{{ ansible_domain }}.wg:5432/{{nim_waku_store_message_db_name}}'
 nim_waku_store_message_retention_policy: 'size:50GB'
 nim_waku_store_vacuum: true
@ -66,8 +66,8 @@ nim_waku_rln_relay_eth_contract_address: '0xCB33Aa5B38d79E3D9Fa8B10afF38AA201399
 nim_waku_rln_relay_eth_client_address: 'http://linux-01.ih-eu-mda1.nimbus.sepolia.wg:8556'
 nim_waku_rln_relay_tree_path: '/data/rln_relay_tree'
 nim_waku_rln_keystore_active: true 
-nim_waku_rln_cred_password: '{{ lookup("bitwarden", "fleets/" + env + "/" + stage + "/waku-rln",  field="keystore-password")}}'
+nim_waku_rln_cred_password: '{{ lookup("vault", "waku/" + env + "-" + stage + "/config",  field="keystore-password")}}'
-nim_waku_rln_account_key: '{{ lookup("bitwarden", "fleets/" + env + "/" + stage + "/waku-rln",  field="account-private-key")}}'
+nim_waku_rln_account_key: '{{ lookup("vault", "waku/" + env + "-" + stage + "/config",  field="account-private-key")}}'
 # Consul Service
 nim_waku_consul_success_before_passing: 5