From e16b57aa055a576c6572cf27dcaf535a70692429 Mon Sep 17 00:00:00 2001
From: Maxim Krasilnikov <mak.krasilnikov@gmail.com>
Date: Thu, 7 Sep 2017 23:30:16 +0300
Subject: [PATCH] Store vault users passwords to credentials dir. Create vault
 and etcd roles after start vault cluster (#1632)

---
 roles/kubernetes/secrets/tasks/main.yml     |  2 +-
 roles/vault/defaults/main.yml               | 10 +++++-----
 roles/vault/tasks/cluster/create_mounts.yml |  2 +-
 roles/vault/tasks/cluster/create_roles.yml  |  4 ++--
 roles/vault/tasks/cluster/main.yml          |  6 ++++++
 5 files changed, 15 insertions(+), 9 deletions(-)

diff --git a/roles/kubernetes/secrets/tasks/main.yml b/roles/kubernetes/secrets/tasks/main.yml
index 2a15591df..97987f706 100644
--- a/roles/kubernetes/secrets/tasks/main.yml
+++ b/roles/kubernetes/secrets/tasks/main.yml
@@ -31,7 +31,7 @@
     src: known_users.csv.j2
     dest: "{{ kube_users_dir }}/known_users.csv"
     backup: yes
-  when: inventory_hostname in "{{ groups['kube-master'] }}" and kube_basic_auth|default(true)
+  when: inventory_hostname in groups['kube-master'] and kube_basic_auth|default(true)
   notify: set secret_changed
 
 #
diff --git a/roles/vault/defaults/main.yml b/roles/vault/defaults/main.yml
index 2320ae862..8916d4b3a 100644
--- a/roles/vault/defaults/main.yml
+++ b/roles/vault/defaults/main.yml
@@ -111,7 +111,7 @@ vault_pki_mounts:
     roles:
       - name: vault
         group: vault
-        password: "{{ lookup('pipe','date +%Y%m%d%H%M%S' + cluster_name + 'vault') | to_uuid }}"
+        password: "{{ lookup('password', 'credentials/vault/vault length=15') }}"
         policy_rules: default
         role_options: default
   etcd:
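Review bot: The `lookup('password', 'credentials/vault/vault length=15')` on the `+` line uses a relative path, so the plaintext password file lands wherever Ansible resolves relative lookup paths for the run (typically beside the playbook), not with the inventory the cluster belongs to; the etcd, kube-master, kube-node and kube-proxy hunks below have the same shape. Anchoring it, e.g. `password: "{{ lookup('password', inventory_dir + '/credentials/vault/vault length=15') }}"`, keeps two inventories from silently sharing one file. These files now hold the live credential, so the `credentials/` directory needs to be excluded from version control — I cannot see from the patch whether an ignore entry exists. `length=15` is repeated in all five places; a single variable would keep that setting in one spot.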
@@ -123,7 +123,7 @@ vault_pki_mounts:
     roles:
       - name: etcd
         group: etcd
-        password: "{{ lookup('pipe','date +%Y%m%d%H%M%S' + cluster_name + 'etcd') | to_uuid }}"
+        password: "{{ lookup('password', 'credentials/vault/etcd length=15') }}"
         policy_rules: default
         role_options:
           allow_any_name: true
@@ -138,7 +138,7 @@ vault_pki_mounts:
     roles:
       - name: kube-master
         group: kube-master
-        password: "{{ lookup('pipe','date +%Y%m%d%H%M%S' + cluster_name + 'kube-master') | to_uuid }}"
+        password: "{{ lookup('password', 'credentials/vault/kube-master length=15') }}"
         policy_rules: default
         role_options:
           allow_any_name: true
@@ -146,7 +146,7 @@ vault_pki_mounts:
           organization: "system:masters"
       - name: kube-node
         group: k8s-cluster
-        password: "{{ lookup('pipe','date +%Y%m%d%H%M%S' + cluster_name + 'kube-node') | to_uuid }}"
+        password: "{{ lookup('password', 'credentials/vault/kube-node length=15') }}"
         policy_rules: default
         role_options:
           allow_any_name: true
@@ -154,7 +154,7 @@ vault_pki_mounts:
           organization: "system:nodes"
       - name: kube-proxy
         group: k8s-cluster
-        password: "{{ lookup('pipe', 'date +%Y%m%d%H%M%S' + cluster_name + 'kube-proxy') | to_uuid }}"
+        password: "{{ lookup('password', 'credentials/vault/kube-proxy length=15') }}"
         policy_rules: default
         role_options:
           allow_any_name: true
diff --git a/roles/vault/tasks/cluster/create_mounts.yml b/roles/vault/tasks/cluster/create_mounts.yml
index b1be8c9fe..d64fa0bae 100644
--- a/roles/vault/tasks/cluster/create_mounts.yml
+++ b/roles/vault/tasks/cluster/create_mounts.yml
@@ -6,7 +6,7 @@
     create_mount_max_lease_ttl: "{{ item.max_lease_ttl }}"
     create_mount_description: "{{ item.description }}"
     create_mount_cert_dir: "{{ item.cert_dir }}"
-    create_mount_config_ca_needed: "{{ item.name != vault_pki_mounts.kube.name }}"
+    create_mount_config_ca_needed: item.name != vault_pki_mounts.kube.name
   with_items:
     - "{{ vault_pki_mounts.vault }}"
     - "{{ vault_pki_mounts.etcd }}"
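Review bot: The `+` line removes the `{{ }}` around `item.name != vault_pki_mounts.kube.name`, so `create_mount_config_ca_needed` is now that literal string rather than the result of the comparison. Whether this still works depends on how the included file consumes it: a bare `when: create_mount_config_ca_needed` is re-evaluated as an expression by Ansible of this era, but anything that tests the value itself (`| bool`, a comparison, a `default`) sees a non-empty string and is always true — the consumer is not visible in the patch. If a boolean is intended, `create_mount_config_ca_needed: "{{ item.name != vault_pki_mounts.kube.name }}"` keeps the evaluation explicit; if the string form is deliberate, a comment such as `# kept as a plain expression; evaluated by the when: in the included task file` would stop the next reader from "fixing" it. The task these `vars:` belong to starts before the hunk.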
diff --git a/roles/vault/tasks/cluster/create_roles.yml b/roles/vault/tasks/cluster/create_roles.yml
index 9314bfa84..468229fd4 100644
--- a/roles/vault/tasks/cluster/create_roles.yml
+++ b/roles/vault/tasks/cluster/create_roles.yml
@@ -6,5 +6,5 @@
     create_role_password: "{{ item.password }}"
     create_role_policy_rules: "{{ item.policy_rules }}"
     create_role_options: "{{ item.role_options }}"
-    create_role_mount_path: "{{ vault_pki_mounts.kube.name }}"
-  with_items: "{{ vault_pki_mounts.kube.roles }}"
+    create_role_mount_path: "{{ mount.name }}"
+  with_items: "{{ mount.roles }}"
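Review bot: create_roles.yml now depends on a `mount` variable that nothing in the file defines; it only works when the including task sets `loop_control: loop_var: mount`, and a plain include fails at `mount.name`. A header comment at the top of the file, `# Expects `mount` (one vault_pki_mounts entry) to be set by the caller via loop_control`, would document that contract. The task these `vars:` belong to starts before the hunk.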
diff --git a/roles/vault/tasks/cluster/main.yml b/roles/vault/tasks/cluster/main.yml
index 9c7c83aaf..94af5e5dc 100644
--- a/roles/vault/tasks/cluster/main.yml
+++ b/roles/vault/tasks/cluster/main.yml
@@ -42,4 +42,10 @@
   when: inventory_hostname == groups.vault|first
 
 - include: create_roles.yml
+  with_items:
+    - "{{ vault_pki_mounts.vault }}"
+    - "{{ vault_pki_mounts.etcd }}"
+    - "{{ vault_pki_mounts.kube }}"
+  loop_control:
+    loop_var: mount
   when: inventory_hostname in groups.vault
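Review bot: The three-element list under the new `with_items` duplicates the one create_mounts.yml iterates over (`vault_pki_mounts.vault`, `.etcd`, `.kube`), so adding a mount means editing both files and forgetting one leaves roles without a mount or a mount without roles; a single shared list variable in defaults would keep them in step. The task above is limited to `groups.vault|first` while this include runs on every host in `groups.vault`, so each host repeats role creation — fine if the included role creation is idempotent against the Vault API, which I cannot confirm from here.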
-- 
GitLab