refactor vault role (#2733)

* Move front-proxy-client certs back to kube mount We want the same CA for all k8s certs * Refactor vault to use a third party module The module adds idempotency and reduces some of the repetitive logic in the vault role Requires ansible-modules-hashivault on ansible node and hvac on the vault hosts themselves Add upgrade test scenario Remove bootstrap-os tags from tasks * fix upgrade issues * improve unseal logic * specify ca and fix etcd check * Fix initialization check bump machine size
2026-03-06 10:08:37 +03:00 · 2018-05-11 19:11:38 +03:00
parent e23fd5ca44
commit 07cc981971
49 changed files with 437 additions and 375 deletions
--- a/roles/vault/defaults/main.yml
+++ b/roles/vault/defaults/main.yml
@@ -16,10 +16,11 @@ vault_cert_dir: "{{ vault_base_dir }}/ssl"
 vault_config_dir: "{{ vault_base_dir }}/config"
 vault_roles_dir: "{{ vault_base_dir }}/roles"
 vault_secrets_dir: "{{ vault_base_dir }}/secrets"
+vault_lib_dir: "/var/lib/vault"
 vault_log_dir: "/var/log/vault"

-vault_version: 0.8.1
-vault_binary_checksum: 3c4d70ba71619a43229e65c67830e30e050eab7a81ac6b28325ff707e5914188
+vault_version: 0.10.1
+vault_binary_checksum: 66f0f1b0b221d664dd5913f8697409d7401df4bb2a19c7277e8fbad152063fae
 vault_download_url: "https://releases.hashicorp.com/vault/{{ vault_version }}/vault_{{ vault_version }}_linux_amd64.zip"
 vault_download_vars:
  container: "{{ vault_deployment_type != 'host' }}"
@@ -64,10 +65,10 @@ vault_config:
    etcd:
      address: "{{ vault_etcd_url }}"
      ha_enabled: "true"
-      redirect_addr: "https://{{ ansible_default_ipv4.address }}:{{ vault_port }}"
-      tls_ca_file: "{{ vault_etcd_cert_dir }}/ca.pem"
-      tls_cert_file: "{{ vault_etcd_cert_dir}}/node-{{ inventory_hostname }}.pem"
-      tls_key_file: "{{ vault_etcd_cert_dir}}/node-{{ inventory_hostname }}-key.pem"
+      redirect_addr: "https://{{ inventory_hostname }}:{{ vault_port }}"
+      tls_ca_file: "{{ etcd_cert_dir }}/ca.pem"
+      tls_cert_file: "{{ etcd_cert_dir}}/node-{{ inventory_hostname }}.pem"
+      tls_key_file: "{{ etcd_cert_dir}}/node-{{ inventory_hostname }}-key.pem"
  cluster_name: "kubernetes-vault"
  default_lease_ttl: "{{ vault_default_lease_ttl }}"
  max_lease_ttl: "{{ vault_max_lease_ttl }}"
@@ -80,6 +81,8 @@ vault_config:
 vault_secret_shares: 1
 vault_secret_threshold: 1

+vault_successful_http_codes: ["200", "429", "500", "501", "503"]
+
 vault_ca_options:
  vault:
    common_name: vault
@@ -97,20 +100,29 @@ vault_ca_options:
    format: pem
    ttl: "{{ vault_max_lease_ttl }}"
    exclude_cn_from_sans: true
-  front_proxy:
-    common_name: front-proxy
-    format: pem
-    ttl: "{{ vault_max_lease_ttl }}"
-    exclude_cn_from_sans: true

 vault_client_headers:
  Accept: "application/json"
  Content-Type: "application/json"

-vault_etcd_cert_dir: /etc/ssl/etcd/ssl
-vault_kube_cert_dir: /etc/kubernetes/ssl
+etcd_cert_dir: /etc/ssl/etcd/ssl
+kube_cert_dir: /etc/kubernetes/ssl

 vault_pki_mounts:
+  userpass:
+    name: userpass
+    default_lease_ttl: "{{ vault_default_lease_ttl }}"
+    max_lease_ttl: "{{ vault_max_lease_ttl }}"
+    description: "Userpass"
+    cert_dir: "{{ vault_cert_dir }}"
+    roles:
+      - name: userpass
+        group: userpass
+        password: "{{ lookup('password', inventory_dir + '/credentials/vault/userpass.creds length=15') }}"
+        policy_rules: default
+        role_options:
+          allow_any_name: true
+
  vault:
    name: vault
    default_lease_ttl: "{{ vault_default_lease_ttl }}"
@@ -122,13 +134,14 @@ vault_pki_mounts:
        group: vault
        password: "{{ lookup('password', inventory_dir + '/credentials/vault/vault.creds length=15') }}"
        policy_rules: default
-        role_options: default
+        role_options:
+          allow_any_name: true
  etcd:
    name: etcd
    default_lease_ttl: "{{ vault_default_lease_ttl }}"
    max_lease_ttl: "{{ vault_max_lease_ttl }}"
    description: "Etcd Root CA"
-    cert_dir: "{{ vault_etcd_cert_dir }}"
+    cert_dir: "{{ etcd_cert_dir }}"
    roles:
      - name: etcd
        group: etcd
@@ -143,7 +156,7 @@ vault_pki_mounts:
    default_lease_ttl: "{{ vault_default_lease_ttl }}"
    max_lease_ttl: "{{ vault_max_lease_ttl }}"
    description: "Kubernetes Root CA"
-    cert_dir: "{{ vault_kube_cert_dir }}"
+    cert_dir: "{{ kube_cert_dir }}"
    roles:
      - name: kube-master
        group: kube-master
@@ -153,6 +166,14 @@ vault_pki_mounts:
          allow_any_name: true
          enforce_hostnames: false
          organization: "system:masters"
+      - name: front-proxy-client
+        group: kube-master
+        password: "{{ lookup('password', inventory_dir + '/credentials/vault/kube-proxy.creds length=15') }}"
+        policy_rules: default
+        role_options:
+          allow_any_name: true
+          enforce_hostnames: false
+          organization: "system:front-proxy-client"
      - name: kube-node
        group: k8s-cluster
        password: "{{ lookup('password', inventory_dir + '/credentials/vault/kube-node.creds length=15') }}"
@@ -169,18 +190,3 @@ vault_pki_mounts:
          allow_any_name: true
          enforce_hostnames: false
          organization: "system:node-proxier"
-  front_proxy:
-    name: front-proxy
-    default_lease_ttl: "{{ vault_default_lease_ttl }}"
-    max_lease_ttl: "{{ vault_max_lease_ttl }}"
-    description: "Kubernetes Front Proxy CA"
-    cert_dir: "{{ vault_kube_cert_dir }}"
-    roles:
-      - name: front-proxy-client
-        group: k8s-cluster
-        password: "{{ lookup('password', inventory_dir + '/credentials/vault/front-proxy-client.creds length=15') }}"
-        policy_rules: default
-        role_options:
-          allow_any_name: true
-          enforce_hostnames: false
-          organization: "system:front-proxy"