Vault security hardening and role isolation

2026-02-28 09:39:12 +03:00 · 2017-02-08 21:41:36 +00:00
parent f4ec2d18e5
commit 245e05ce61
78 changed files with 1408 additions and 706 deletions
--- a/roles/etcd/tasks/main.yml
+++ b/roles/etcd/tasks/main.yml
@@ -1,10 +1,24 @@
 ---
 - include: pre_upgrade.yml
  tags: etcd-pre-upgrade
+
 - include: check_certs.yml
+  when: cert_management == "script"
  tags: [etcd-secrets, facts]
- include: gen_certs.yml
+- include: gen_certs_script.yml
+  when: cert_management == "script"
  tags: etcd-secrets
+
+- include: sync_etcd_master_certs.yml
+  when: cert_management == "vault" and inventory_hostname in groups.etcd
+  tags: etcd-secrets
+- include: sync_etcd_node_certs.yml
+  when: cert_management == "vault" and inventory_hostname in etcd_node_cert_hosts 
+  tags: etcd-secrets
+- include: gen_certs_vault.yml
+  when: cert_management == "vault" and (etcd_master_certs_needed|d() or etcd_node_certs_needed|d())
+  tags: etcd-secrets
+
 - include: "install_{{ etcd_deployment_type }}.yml"
  when: is_etcd_master
  tags: upgrade