Vault role updates:

* using separated vault roles for generate certs with different `O` (Organization) subject field; * configure vault roles for issuing certificates with different `CN` (Common name) subject field; * set `CN` and `O` to `kubernetes` and `etcd` certificates; * vault/defaults vars definition was simplified; * vault dirs variables defined in kubernetes-defaults foles for using shared tasks in etcd and kubernetes/secrets roles; * upgrade vault to 0.8.1; * generate random vault user password for each role by default; * fix `serial` file name for vault certs; * move vault auth request to issue_cert tasks; * enable `RBAC` in vault CI;
2026-02-28 09:39:12 +03:00 · 2017-09-01 22:51:37 +03:00
parent c77d11f1c7
commit bf0af1cd3d
18 changed files with 283 additions and 281 deletions
--- a/roles/etcd/tasks/gen_certs_vault.yml
+++ b/roles/etcd/tasks/gen_certs_vault.yml
@@ -7,51 +7,14 @@
  when: inventory_hostname in etcd_node_cert_hosts
  tags: etcd-secrets

- name: gen_certs_vault | Read in the local credentials
-  command: cat /etc/vault/roles/etcd/userpass
-  register: etcd_vault_creds_cat
-  delegate_to: "{{ groups['vault'][0] }}"
-
- name: gen_certs_vault | Set facts for read Vault Creds
-  set_fact:
-    etcd_vault_creds: "{{ etcd_vault_creds_cat.stdout|from_json }}"
-  delegate_to: "{{ groups['vault'][0] }}"
-
- name: gen_certs_vault | Log into Vault and obtain an token
-  uri:
-    url: "{{ hostvars[groups.vault|first]['vault_leader_url'] }}/v1/auth/userpass/login/{{ etcd_vault_creds.username }}"
-    headers:
-      Accept: application/json
-      Content-Type: application/json
-    method: POST
-    body_format: json
-    body:
-      password: "{{ etcd_vault_creds.password }}"
-  register: etcd_vault_login_result
-  delegate_to: "{{ groups['vault'][0] }}"
-
- name: gen_certs_vault | Set fact for vault_client_token
-  set_fact:
-    vault_client_token: "{{ etcd_vault_login_result.get('json', {}).get('auth', {}).get('client_token') }}"
-  run_once: true
-
- name: gen_certs_vault | Set fact for Vault API token
-  set_fact:
-    etcd_vault_headers:
-      Accept: application/json
-      Content-Type: application/json
-      X-Vault-Token: "{{ vault_client_token }}"
-  run_once: true
-  when: vault_client_token != ""
-
 # Issue master certs to Etcd nodes
 - include: ../../vault/tasks/shared/issue_cert.yml
  vars:
+    issue_cert_common_name: "etcd:master:{{ item.rsplit('/', 1)[1].rsplit('.', 1)[0] }}"
    issue_cert_alt_names: "{{ groups.etcd + ['localhost'] }}"
    issue_cert_copy_ca: "{{ item == etcd_master_certs_needed|first }}"
    issue_cert_file_group: "{{ etcd_cert_group }}"
    issue_cert_file_owner: kube
-    issue_cert_headers: "{{ etcd_vault_headers }}"
    issue_cert_hosts: "{{ groups.etcd }}"
    issue_cert_ip_sans: >-
        [
@@ -74,11 +37,11 @@
 # Issue node certs to everyone else
 - include: ../../vault/tasks/shared/issue_cert.yml
  vars:
+    issue_cert_common_name: "etcd:node:{{ item.rsplit('/', 1)[1].rsplit('.', 1)[0] }}"
    issue_cert_alt_names: "{{ etcd_node_cert_hosts }}"
    issue_cert_copy_ca: "{{ item == etcd_node_certs_needed|first }}"
    issue_cert_file_group: "{{ etcd_cert_group }}"
    issue_cert_file_owner: kube
-    issue_cert_headers: "{{ etcd_vault_headers }}"
    issue_cert_hosts: "{{ etcd_node_cert_hosts }}"
    issue_cert_ip_sans: >-
        [