Separate vault sidecar (#158)

* adding oracle linux to consul role support (#147)

* bumping terraform versions

* bumping github actions version

* linting

* linting

* fixing consul

* stuff

* hotfixes

* hotfixes

* hotfix hs_workspace injection in scaleway delegation playbook

* hotfix hs_workspace injection in scaleway delegation playbook

* hotfix public_domain

* feat(#155): Separate vault-sidecar from consul role

This Ansible role installs and configures the Vault-sidecar proxy to integrate Vault nodes into the Consul Service Mesh.

* feat(#155): Separate vault-sidecar from consul role

Removed  variable

---------

Co-authored-by: Aurélien Maury <aurelienmaury@users.noreply.github.com>
Co-authored-by: Aurélien Maury <amaury@wescale.fr>
Co-authored-by: Jamel ABASSOU <jamel.abassou@wescale.fr>

playbooks/21_consul_install.yml

@@ -7,3 +7,10 @@
   roles:
     - role: "envoy"
     - role: "consul"
+
+  tasks:
+    - name: Include vault-sidecar role if required
+      include_role:
+        name: vault-sidecar
+      when: hs_install_vault_sidecar | bool
+

playbooks/group_vars/all.yml

@@ -31,3 +31,4 @@ tf_module_dest: "{{ hs_workspace_tf_modules_dir }}/{{ tf_module_name }}"
 
 glxclans_host_service_user_name: "caretaker"
 
+hs_install_vault_sidecar : true

roles/consul/tasks/main.yml

@@ -62,12 +62,6 @@
     timeout: 60
   when: __hs_consul_is_minion
 
-- name: Execute os-specific _consul_masters tasks
-  include_tasks: "common/_consul_masters.yml"
-  when: __hs_consul_is_master
-  tags:
-    - hs_consul_masters
-
 - name: Execute os-specific _consul_minions tasks
   include_tasks: "common/_consul_minions.yml"
   when: __hs_consul_is_minion

roles/vault-sidecar/README.md

@@ -0,0 +1,17 @@
+# Ansible Role: vault-sidecar
+
+This Ansible role installs and configures the Vault-sidecar proxy to integrate Vault nodes into the Consul Service Mesh.
+
+## Operation
+
+This role automates the installation and configuration of the Vault-sidecar proxy to facilitate the integration of Vault nodes into the Consul Service Mesh. Here are the main operational steps:
+
+1. **Dependency Installation**: The role installs necessary dependencies to run the proxy, such as Consul and Vault.
+
+2. **Proxy Configuration**: Configuration files required for the proxy are generated using Jinja2 templates. These files include Consul service configuration for the proxy, system environment variables, and systemd service.
+
+3. **Service Activation**: Once the configuration is generated, the systemd service for the proxy is activated and started.
+
+## Usage
+
+To utilize this role in your Ansible playbooks, you need to define the variable `hs_install_vault_sidecar` as `true` or `false` in your `playbooks/group_vars/all.yml` file, depending on your requirements. Here's how you can include it in your playbook:

roles/vault-sidecar/defaults/main.yml

@@ -0,0 +1,3 @@
+---
+hs_consul_https_address: "0.0.0.0"
+hs_consul_api_port: "8501"

roles/vault-sidecar/handlers/main.yml

@@ -0,0 +1,7 @@
+---
+# handlers file for vault-sidecar
+- name: Reload consul
+  systemd:
+    name: consul
+    state: reloaded
+  become: yes

roles/vault-sidecar/meta/main.yml

@@ -0,0 +1,20 @@
+---
+galaxy_info:
+  role_name: "vault-sidecar"
+  author: "Team"
+  description: Hashistack Vault Sidecar
+  issue_tracker_url: https://github.com/wescale/hashistack/issues
+  min_ansible_version: "2.14"
+  license: MIT
+  standalone: false
+  platforms:
+    - name: Debian
+      versions:
+        - bullseye
+  galaxy_tags:
+    - hashicorp
+    - system
+    - vault
+    - sidecar
+
+dependencies: []

roles/vault-sidecar/tasks/main.yml

@@ -0,0 +1,47 @@
+---
+- name: Installer le proxy envoy pour Vault si install_envoy_proxy est vrai
+  block:
+    - name: Render vault-sidecar consul service
+      template:
+        src: "vault-sidecar.consul.j2"
+        dest: "/etc/consul.d/vault-sidecar.svc.hcl"
+        owner: consul
+        group: consul
+        mode: 0640
+      notify: Reload consul
+
+    - name: Force running of all notified handlers now
+      meta: flush_handlers
+
+    - name: Wait for consul api
+      wait_for:
+        host: "{{ hs_consul_https_address }}"
+        port: "{{ hs_consul_api_port }}"
+        timeout: 60
+
+    - name: Render vault-sidecar systemd env file
+      template:
+        src: "vault-sidecar.env.j2"
+        dest: "/etc/consul.d/vault-sidecar.env"
+        owner: consul
+        group: consul
+        mode: 0640
+      notify: Restart vault-sidecar
+
+    - name: Render vault-sidecar systemd service
+      template:
+        src: "vault-sidecar.service.j2"
+        dest: "/lib/systemd/system/vault-sidecar.service"
+        owner: consul
+        group: consul
+        mode: 0640
+      notify: Restart vault-sidecar
+
+    - name: Activate vault-sidecar service
+      systemd:
+        state: started
+        enabled: true
+        name: vault-sidecar
+  when: hs_install_vault_sidecar and __hs_consul_is_master
+  tags:
+    - hs_consul_is_masters

roles/vault-sidecar/vars/main.yml

@@ -0,0 +1,2 @@
+---
+# vars file for vault-sidecar