mirror of
https://github.com/kubernetes-sigs/kubespray.git
synced 2026-03-08 02:58:29 +03:00
Vault role updates:
* using separated vault roles for generate certs with different `O` (Organization) subject field; * configure vault roles for issuing certificates with different `CN` (Common name) subject field; * set `CN` and `O` to `kubernetes` and `etcd` certificates; * vault/defaults vars definition was simplified; * vault dirs variables defined in kubernetes-defaults foles for using shared tasks in etcd and kubernetes/secrets roles; * upgrade vault to 0.8.1; * generate random vault user password for each role by default; * fix `serial` file name for vault certs; * move vault auth request to issue_cert tasks; * enable `RBAC` in vault CI;
This commit is contained in:
mkrasilnikov
@@ -1,5 +1,4 @@
|
||||
---
|
||||
|
||||
- include: ../shared/check_vault.yml
|
||||
when: inventory_hostname in groups.vault
|
||||
|
||||
@@ -9,72 +8,57 @@
|
||||
- include: ../shared/find_leader.yml
|
||||
when: inventory_hostname in groups.vault and vault_cluster_is_initialized|d()
|
||||
|
||||
## Sync Certs
|
||||
|
||||
- include: sync_vault_certs.yml
|
||||
when: inventory_hostname in groups.vault
|
||||
|
||||
- include: sync_etcd_certs.yml
|
||||
when: inventory_hostname in groups.etcd
|
||||
|
||||
## Generate Certs
|
||||
|
||||
# Start a temporary instance of Vault
|
||||
- include: start_vault_temp.yml
|
||||
when: >-
|
||||
inventory_hostname == groups.vault|first and
|
||||
not vault_cluster_is_initialized
|
||||
when: inventory_hostname == groups.vault|first and not vault_cluster_is_initialized
|
||||
|
||||
# Set vault_leader_url for all nodes based on above
|
||||
- name: vault | bootstrap
|
||||
- name: vault | Set fact about vault leader url
|
||||
set_fact:
|
||||
vault_leader_url: "{{ hostvars[groups.vault|first]['vault_leader_url'] }}"
|
||||
when: not vault_cluster_is_initialized
|
||||
|
||||
# Ensure vault PKI mounts exists
|
||||
- include: ../shared/create_mount.yml
|
||||
vars:
|
||||
create_mount_path: "{{ vault_ca_options.common_name }}"
|
||||
create_mount_default_lease_ttl: "{{ vault_default_lease_ttl }}"
|
||||
create_mount_max_lease_ttl: "{{ vault_max_lease_ttl }}"
|
||||
create_mount_description: "Vault Root CA"
|
||||
create_mount_cert_dir: "{{ vault_cert_dir }}"
|
||||
create_mount_config_ca_needed: "{{ not vault_ca_cert_needed }}"
|
||||
- include: create_mounts.yml
|
||||
when: inventory_hostname == groups.vault|first
|
||||
|
||||
# Generate root CA certs for Vault if none exist
|
||||
- include: ../shared/auth_backend.yml
|
||||
vars:
|
||||
auth_backend_description: A Username/Password Auth Backend primarily used for services needing to issue certificates
|
||||
auth_backend_path: userpass
|
||||
auth_backend_type: userpass
|
||||
when: inventory_hostname == groups.vault|first
|
||||
|
||||
- include: create_roles.yml
|
||||
with_items:
|
||||
- "{{ vault_pki_mounts.vault }}"
|
||||
- "{{ vault_pki_mounts.etcd }}"
|
||||
loop_control:
|
||||
loop_var: mount
|
||||
|
||||
- include: ../shared/gen_ca.yml
|
||||
vars:
|
||||
gen_ca_cert_dir: "{{ vault_cert_dir }}"
|
||||
gen_ca_mount_path: "{{ vault_ca_options.common_name }}"
|
||||
gen_ca_cert_dir: "{{ vault_pki_mounts.vault.cert_dir }}"
|
||||
gen_ca_mount_path: "{{ vault_pki_mounts.vault.name }}"
|
||||
gen_ca_vault_headers: "{{ vault_headers }}"
|
||||
gen_ca_vault_options: "{{ vault_ca_options.vault }}"
|
||||
when: >-
|
||||
inventory_hostname in groups.vault and
|
||||
not vault_cluster_is_initialized and
|
||||
vault_ca_cert_needed
|
||||
inventory_hostname in groups.vault
|
||||
and not vault_cluster_is_initialized
|
||||
and vault_ca_cert_needed
|
||||
|
||||
- include: ../shared/gen_ca.yml
|
||||
vars:
|
||||
gen_ca_cert_dir: "{{ vault_pki_mounts.etcd.cert_dir }}"
|
||||
gen_ca_mount_path: "{{ vault_pki_mounts.etcd.name }}"
|
||||
gen_ca_vault_headers: "{{ vault_headers }}"
|
||||
gen_ca_vault_options: "{{ vault_ca_options.etcd }}"
|
||||
when: inventory_hostname in groups.etcd and vault_etcd_ca_cert_needed
|
||||
|
||||
# Generate Vault API certs
|
||||
- include: gen_vault_certs.yml
|
||||
when: inventory_hostname in groups.vault and vault_api_cert_needed
|
||||
|
||||
# Ensure etcd PKI mounts exists
|
||||
- include: ../shared/create_mount.yml
|
||||
vars:
|
||||
create_mount_path: "{{ vault_etcd_mount_path }}"
|
||||
create_mount_default_lease_ttl: "{{ vault_etcd_default_lease_ttl }}"
|
||||
create_mount_max_lease_ttl: "{{ vault_etcd_max_lease_ttl }}"
|
||||
create_mount_description: "Etcd Root CA"
|
||||
create_mount_cert_dir: "{{ vault_etcd_cert_dir }}"
|
||||
create_mount_config_ca_needed: "{{ not vault_etcd_ca_cert_needed }}"
|
||||
when: inventory_hostname == groups.vault|first
|
||||
|
||||
# Generate root CA certs for etcd if none exist
|
||||
- include: ../shared/gen_ca.yml
|
||||
vars:
|
||||
gen_ca_cert_dir: "{{ vault_etcd_cert_dir }}"
|
||||
gen_ca_mount_path: "{{ vault_etcd_mount_path }}"
|
||||
when: inventory_hostname in groups.etcd and vault_etcd_ca_cert_needed
|
||||
|
||||
- include: create_etcd_role.yml
|
||||
|
||||
# Update all host's CA bundle, etcd CA will be added in etcd role
|
||||
- include: ca_trust.yml
|
||||
|
||||
Reference in New Issue
Block a user