epostnikof/kubespray
1
0
Fork 0
mirror of https://github.com/kubernetes-sigs/kubespray.git synced 2026-03-06 10:08:37 +03:00
Code Issues Packages Projects Releases Wiki Activity

Use dedicated front-proxy-ca for front-proxy-client

Browse Source
This commit is contained in:
Chad Swenson
2018-04-05 14:32:12 -05:00
parent a6a47dbc96
commit d87b6fd9f3
12 changed files with 73 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
roles/vault/defaults/main.yml
View File

@@ -97,6 +97,11 @@ vault_ca_options:
format: pem
ttl: "{{ vault_max_lease_ttl }}"
exclude_cn_from_sans: true
front_proxy:
common_name: front-proxy
format: pem
ttl: "{{ vault_max_lease_ttl }}"
exclude_cn_from_sans: true
vault_client_headers:
Accept: "application/json"
@@ -164,11 +169,18 @@ vault_pki_mounts:
allow_any_name: true
enforce_hostnames: false
organization: "system:node-proxier"
front_proxy:
name: front-proxy
default_lease_ttl: "{{ vault_default_lease_ttl }}"
max_lease_ttl: "{{ vault_max_lease_ttl }}"
description: "Kubernetes Front Proxy CA"
cert_dir: "{{ vault_kube_cert_dir }}"
roles:
- name: front-proxy-client
group: k8s-cluster
password: "{{ lookup('password', inventory_dir + '/credentials/vault/kube-proxy.creds length=15') }}"
password: "{{ lookup('password', inventory_dir + '/credentials/vault/front-proxy-client.creds length=15') }}"
policy_rules: default
role_options:
allow_any_name: true
enforce_hostnames: false
organization: "system:front-proxy"
organization: "system:front-proxy"