Commit b930b0ef authored by mkrasilnikov's avatar mkrasilnikov

Place vault role credentials only to vault group hosts

parent ad313c9d
......@@ -38,6 +38,7 @@
- "{{ vault_pki_mounts.etcd }}"
loop_control:
loop_var: mount
when: inventory_hostname in groups.vault
- include: ../shared/gen_ca.yml
vars:
......
......@@ -42,3 +42,4 @@
when: inventory_hostname == groups.vault|first
- include: create_roles.yml
when: inventory_hostname in groups.vault
......@@ -19,7 +19,8 @@
{{ create_role_policy_rules | to_json + '\n' }}
{%- endif -%}
status_code: 204
when: inventory_hostname == groups[create_role_group]|first
delegate_to: "{{ groups.vault|first }}"
run_once: true
- name: create_role | Create {{ create_role_name }} role in the {{ create_role_mount_path }} pki mount
uri:
......@@ -34,15 +35,14 @@
{{ create_role_options }}
{%- endif -%}
status_code: 204
when: inventory_hostname == groups[create_role_group]|first
delegate_to: "{{ groups.vault|first }}"
run_once: true
## Userpass based auth method
- include: gen_userpass.yml
vars:
gen_userpass_group: "{{ create_role_group }}"
gen_userpass_password: "{{ create_role_password }}"
gen_userpass_policies: "{{ create_role_name }}"
gen_userpass_role: "{{ create_role_name }}"
gen_userpass_username: "{{ create_role_name }}"
when: inventory_hostname in groups[create_role_group]
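Review bot: The new `run_once: true` on both uri tasks (lines 29-30 and 38-39 of the hunks) makes Ansible evaluate any remaining conditional on the task only for the first host of the play batch, so if a caller still gates this include with a host-specific `when` like the guards dropped at lines 28, 37 and 48, the role creation can be skipped for the whole play instead of running once. Since the work is now pinned to `delegate_to: "{{ groups.vault|first }}"`, state that contract where the next maintainer will see it, e.g. above the first uri task: `# runs once, delegated to the first vault host; do not gate this include on a per-host when`. Whether the include sites in create_roles.yml still carry such a guard is outside these hunks.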
......@@ -10,13 +10,13 @@
password: "{{ gen_userpass_password }}"
policies: "{{ gen_userpass_role }}"
status_code: 204
when: inventory_hostname == groups[gen_userpass_group]|first
delegate_to: "{{ groups.vault|first }}"
run_once: true
- name: shared/gen_userpass | Ensure destination directory exists
file:
path: "{{ vault_roles_dir }}/{{ gen_userpass_role }}"
state: directory
when: inventory_hostname in groups[gen_userpass_group]
- name: shared/gen_userpass | Copy credentials to all hosts in the group
copy:
......@@ -26,4 +26,3 @@
'password': gen_userpass_password} | to_nice_json(indent=4)
}}
dest: "{{ vault_roles_dir }}/{{ gen_userpass_role }}/userpass"
when: inventory_hostname in groups[gen_userpass_group]
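Review bot: With the per-host guard dropped at line 29, the copy task writes the plaintext username/password JSON to `{{ vault_roles_dir }}/{{ gen_userpass_role }}/userpass` on every host the play reaches, and no `mode:` is visible on that task in these hunks (its opening lines fall between the hunks, so this is inferred), so the file may land with whatever the default umask yields. Add `mode: "0600"` next to `dest:` so only the owner can read it. The userpass uri task above sends `password: "{{ gen_userpass_password }}"` in its body and the copy task carries the same value in `content`; both should get `no_log: true` so the credentials do not show up in task output on failure or with -v.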
......@@ -29,13 +29,13 @@
- name: "issue_cert | Read in the local credentials"
command: cat {{ vault_roles_dir }}/{{ issue_cert_role }}/userpass
register: vault_creds_cat
delegate_to: "{{ issue_cert_hosts|first }}"
delegate_to: "{{ groups.vault|first }}"
run_once: true
- name: gen_certs_vault | Set facts for read Vault Creds
set_fact:
user_vault_creds: "{{ vault_creds_cat.stdout|from_json }}"
delegate_to: "{{ issue_cert_hosts|first }}"
delegate_to: "{{ groups.vault|first }}"
run_once: true
- name: gen_certs_vault | Log into Vault and obtain an token
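Review bot: The `command: cat` task registers `vault_creds_cat`, whose stdout is the plaintext userpass JSON, and the following set_fact copies the password into `user_vault_creds`, but neither task has `no_log: true`, so the credentials are printed in verbose output; the login uri in the next hunk registers `vault_login_result` (the Vault token) with the same gap. Add `no_log: true` to those three tasks. Reading the file with `slurp:` / `src: "{{ vault_roles_dir }}/{{ issue_cert_role }}/userpass"` and `user_vault_creds: "{{ vault_creds_cat.content|b64decode|from_json }}"` would also avoid a command task that reports changed on every run; otherwise add `changed_when: false` to the cat task. The login task's body continues past the end of this hunk.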
......@@ -49,7 +49,7 @@
body:
password: "{{ user_vault_creds.password }}"
register: vault_login_result
delegate_to: "{{ issue_cert_hosts|first }}"
delegate_to: "{{ groups.vault|first }}"
run_once: true
- name: gen_certs_vault | Set fact for vault_client_token
......