Fix vault file owner issues and k8s apiserver cert creation (#2985)

apiserver cert should be created only once

Fix vault file owner issues and k8s apiserver cert creation (#2985)
97e0de7e · Matthew Mosesohn · GitHub · 83d1486a · 97e0de7e · 97e0de7e
Unverified Commit 97e0de7e authored 6 years ago by Matthew Mosesohn Committed by GitHub 6 years ago
--- a/roles/etcd/tasks/sync_etcd_master_certs.yml
+++ b/roles/etcd/tasks/sync_etcd_master_certs.yml
@@ -13,6 +13,8 @@
    sync_file: "{{ item }}"
    sync_file_dir: "{{ etcd_cert_dir }}"
    sync_file_hosts: [ "{{ inventory_hostname }}" ]
+    sync_file_owner: kube
+    sync_file_group: root
    sync_file_is_cert: true
  with_items: "{{ etcd_master_cert_list|d([]) }}"


--- a/roles/kubernetes/secrets/tasks/gen_certs_vault.yml
+++ b/roles/kubernetes/secrets/tasks/gen_certs_vault.yml
@@ -44,6 +44,7 @@
    issue_cert_file_group: "{{ kube_cert_group }}"
    issue_cert_file_owner: kube
    issue_cert_hosts: "{{ groups['kube-master'] }}"
+    issue_cert_run_once: true
    issue_cert_ip_sans: >-
        [
        {%- for host in groups['kube-master']  -%}

--- a/roles/vault/tasks/bootstrap/main.yml
+++ b/roles/vault/tasks/bootstrap/main.yml
@@ -43,7 +43,7 @@
    - "{{ vault_pki_mounts.etcd }}"
  loop_control:
    loop_var: mount
-  when: inventory_hostname in groups.vault and not vault_cluster_is_initialized
+  when: inventory_hostname == groups.vault|first and not vault_cluster_is_initialized

 - include_tasks: ../shared/gen_ca.yml
  vars:

--- a/roles/vault/tasks/bootstrap/sync_vault_certs.yml
+++ b/roles/vault/tasks/bootstrap/sync_vault_certs.yml
@@ -4,6 +4,8 @@
    sync_file: "ca.pem"
    sync_file_dir: "{{ vault_cert_dir }}"
    sync_file_hosts: "{{ groups.vault }}"
+    sync_file_owner: vault
+    sync_file_group: root
    sync_file_is_cert: true

 - name: bootstrap/sync_vault_certs | Set facts for vault sync_file results
@@ -20,6 +22,8 @@
    sync_file: "ca.pem"
    sync_file_dir: "{{ vault_cert_dir }}"
    sync_file_hosts: "{{ groups['kube-master'] }}"
+    sync_file_owner: vault
+    sync_file_group: root
    sync_file_is_cert: false

 - name: bootstrap/sync_vault_certs | Set facts for vault sync_file results
@@ -36,6 +40,8 @@
    sync_file: "api.pem"
    sync_file_dir: "{{ vault_cert_dir }}"
    sync_file_hosts: "{{ groups.vault }}"
+    sync_file_owner: vault
+    sync_file_group: root
    sync_file_is_cert: true

 - name: bootstrap/sync_vault_certs | Set fact if Vault's API cert is needed

--- a/roles/vault/tasks/shared/issue_cert.yml
+++ b/roles/vault/tasks/shared/issue_cert.yml
@@ -45,7 +45,7 @@
    state: directory
    recurse: yes
    owner: "vault"
-    group: "vault"
+    group: "root"
    mode: 0755

 - name: gen_certs_vault | install hvac
@@ -87,6 +87,7 @@
      format: "{{ issue_cert_format | d('pem') }}"
      ip_sans: "{{ issue_cert_ip_sans | default([]) | join(',') }}"
  register: issue_cert_result
+  run_once: "{{ issue_cert_run_once | d(false) }}"

 - name: "issue_cert | Copy {{ issue_cert_path }} cert to all hosts"
  copy: