Adding the Vault role

2026-03-07 10:37:38 +03:00 · 2017-01-13 20:31:10 +00:00
parent 16674774c7
commit f4ec2d18e5
33 changed files with 1063 additions and 2 deletions
--- a/roles/vault/tasks/bootstrap/main.yml
+++ b/roles/vault/tasks/bootstrap/main.yml
@@ -0,0 +1,60 @@
+---
+
+## Sync Certs
+
+- include: bootstrap/sync_vault_certs.yml
+  when: inventory_hostname in groups.vault
+
+- include: bootstrap/sync_etcd_certs.yml
+  when: inventory_hostname in groups.etcd
+
+- include: bootstrap/sync_etcd_node_certs.yml
+  when: inventory_hostname in groups["k8s-cluster"] | union(groups.etcd)
+
+## Generate Certs
+
+# Start a temporary instance of Vault
+- include: bootstrap/start_vault_temp.yml
+  when: >-
+        ( hostvars[groups.etcd|first].get("vault_etcd_certs_needed", [])|length > 0 or
+        hostvars[groups.etcd|first].get("vault_etcd_node_certs_needed", [])|length > 0 or
+        hostvars[groups.vault|first]["vault_ca_cert_needed"] ) and
+        inventory_hostname == groups.vault|first
+
+# Generate root CA certs for Vault if none exist
+- include: bootstrap/gen_vault_certs.yml
+  when: >-
+        ( hostvars[groups.vault|first]["vault_ca_cert_needed"] or
+        hostvars[groups.vault|first]["vault_api_cert_needed"] ) and
+        inventory_hostname in groups.vault
+
+# Change vault-temp's issuing CA to use existing ca.pem/ca-key.pem
+- include: config_ca.yml
+  vars:
+    vault_url: "http://{{ groups.vault|first }}:{{ vault_temp_port }}"
+  when: >-
+        ( hostvars[groups.etcd|first].get("vault_etcd_certs_needed", [])|length > 0 or
+        hostvars[groups["k8s-cluster"]|first].get("vault_etcd_node_certs_needed", [])|length > 0 or
+        hostvars[groups.vault|first]["vault_api_cert_needed"] ) and
+        not hostvars[groups.vault|first]["vault_ca_cert_needed"] and
+        inventory_hostname == groups.vault|first
+
+# Generate etcd certs for etcd cluster members
+- include: bootstrap/gen_etcd_certs.yml
+  when: >- 
+        hostvars[groups.etcd|first].get("vault_etcd_certs_needed", [])|length > 0 and
+        inventory_hostname in groups.etcd
+
+# Generate etcd node certs for all k8s-cluster
+- include: bootstrap/gen_etcd_node_certs.yml
+  when: >-
+        hostvars[groups["k8s-cluster"]|first].get("vault_etcd_node_certs_needed", [])|length > 0 and
+        inventory_hostname in groups["k8s-cluster"] | union(groups.etcd)
+
+# Stop temporary vault
+- include: bootstrap/stop_vault_temp.yml
+  when: >-
+        inventory_hostname == groups.vault|first and
+        hostvars[groups.vault|first]["vault_temp_start"]|succeeded
+
+- include: ca_trust.yml