Fix vault setup partially (#1531)

This does not address per-node certs and scheduler/proxy/controller-manager component certs which are now required. This should be handled in a follow-up patch.
2026-02-28 09:39:12 +03:00 · 2017-08-18 15:09:45 +03:00
parent 8373129588
commit 2645e88b0c
7 changed files with 37 additions and 16 deletions
--- a/roles/etcd/tasks/gen_certs_vault.yml
+++ b/roles/etcd/tasks/gen_certs_vault.yml
@@ -11,12 +11,12 @@
 - name: gen_certs_vault | Read in the local credentials
  command: cat /etc/vault/roles/etcd/userpass
  register: etcd_vault_creds_cat
-  when: inventory_hostname == groups.etcd|first
+  delegate_to: "{{ groups['vault'][0] }}"

 - name: gen_certs_vault | Set facts for read Vault Creds
  set_fact:
-    etcd_vault_creds: "{{ hostvars[groups.etcd|first]['etcd_vault_creds_cat']['stdout']|from_json }}"
-  when: inventory_hostname == groups.etcd|first
+    etcd_vault_creds: "{{ etcd_vault_creds_cat.stdout|from_json }}"
+  delegate_to: "{{ groups['vault'][0] }}"

 - name: gen_certs_vault | Log into Vault and obtain an token
  uri:
@@ -29,12 +29,12 @@
    body:
      password: "{{ etcd_vault_creds.password }}"
  register: etcd_vault_login_result
-  when: inventory_hostname == groups.etcd|first
+  delegate_to: "{{ groups['vault'][0] }}"

 - name: gen_certs_vault | Set fact for vault_client_token
  set_fact:
    vault_client_token:  "{{ etcd_vault_login_result.get('json', {}).get('auth', {}).get('client_token') }}"
-  delegate_to: "{{ groups['etcd'][0] }}"
+  run_once: true

 - name: gen_certs_vault | Set fact for Vault API token
  set_fact:
@@ -42,6 +42,7 @@
        Accept: application/json
        Content-Type: application/json
        X-Vault-Token: "{{ vault_client_token }}"
+  run_once: true
  when: vault_client_token != ""

 # Issue master certs to Etcd nodes