Skip to content
Snippets Groups Projects
Commit e52aca48 authored by Matthew Mosesohn's avatar Matthew Mosesohn Committed by GitHub
Browse files

Merge pull request #1223 from mattymo/vault_cert_skip 

Skip vault cert task evaluation when using script certs
parents 5ec503bd d7b8fb31
No related branches found
No related tags found
No related merge requests found
Hide whitespace changes
Inline Side-by-side
roles/etcd/tasks/gen_certs_vault.yml
+ 13
3
View file @ e52aca48
--- ---
- include: sync_etcd_master_certs.yml
when: inventory_hostname in groups.etcd
tags: etcd-secrets
- include: sync_etcd_node_certs.yml
when: inventory_hostname in etcd_node_cert_hosts
tags: etcd-secrets
- name: gen_certs_vault | Read in the local credentials - name: gen_certs_vault | Read in the local credentials
command: cat /etc/vault/roles/etcd/userpass command: cat /etc/vault/roles/etcd/userpass
...@@ -15,7 +23,7 @@ ...@@ -15,7 +23,7 @@
url: "{{ hostvars[groups.vault|first]['vault_leader_url'] }}/v1/auth/userpass/login/{{ etcd_vault_creds.username }}" url: "{{ hostvars[groups.vault|first]['vault_leader_url'] }}/v1/auth/userpass/login/{{ etcd_vault_creds.username }}"
headers: headers:
Accept: application/json Accept: application/json
Content-Type: application/json Content-Type: application/json
method: POST method: POST
body_format: json body_format: json
body: body:
...@@ -37,7 +45,7 @@ ...@@ -37,7 +45,7 @@
issue_cert_copy_ca: "{{ item == etcd_master_certs_needed|first }}" issue_cert_copy_ca: "{{ item == etcd_master_certs_needed|first }}"
issue_cert_file_group: "{{ etcd_cert_group }}" issue_cert_file_group: "{{ etcd_cert_group }}"
issue_cert_file_owner: kube issue_cert_file_owner: kube
issue_cert_headers: "{{ etcd_vault_headers }}" issue_cert_headers: "{{ etcd_vault_headers }}"
issue_cert_hosts: "{{ groups.etcd }}" issue_cert_hosts: "{{ groups.etcd }}"
issue_cert_ip_sans: >- issue_cert_ip_sans: >-
[ [
...@@ -60,7 +68,7 @@ ...@@ -60,7 +68,7 @@
issue_cert_copy_ca: "{{ item == etcd_node_certs_needed|first }}" issue_cert_copy_ca: "{{ item == etcd_node_certs_needed|first }}"
issue_cert_file_group: "{{ etcd_cert_group }}" issue_cert_file_group: "{{ etcd_cert_group }}"
issue_cert_file_owner: kube issue_cert_file_owner: kube
issue_cert_headers: "{{ etcd_vault_headers }}" issue_cert_headers: "{{ etcd_vault_headers }}"
issue_cert_hosts: "{{ etcd_node_cert_hosts }}" issue_cert_hosts: "{{ etcd_node_cert_hosts }}"
issue_cert_ip_sans: >- issue_cert_ip_sans: >-
[ [
...@@ -75,3 +83,5 @@ ...@@ -75,3 +83,5 @@
with_items: "{{ etcd_node_certs_needed|d([]) }}" with_items: "{{ etcd_node_certs_needed|d([]) }}"
when: inventory_hostname in etcd_node_cert_hosts when: inventory_hostname in etcd_node_cert_hosts
notify: set etcd_secret_changed notify: set etcd_secret_changed
roles/etcd/tasks/main.yml
+ 1
14
View file @ e52aca48
...@@ -7,20 +7,7 @@ ...@@ -7,20 +7,7 @@
when: cert_management == "script" when: cert_management == "script"
tags: [etcd-secrets, facts] tags: [etcd-secrets, facts]
- include: gen_certs_script.yml - include: "gen_certs_{{ cert_management }}.yml"
when: cert_management == "script"
tags: etcd-secrets
- include: sync_etcd_master_certs.yml
when: cert_management == "vault" and inventory_hostname in groups.etcd
tags: etcd-secrets
- include: sync_etcd_node_certs.yml
when: cert_management == "vault" and inventory_hostname in etcd_node_cert_hosts
tags: etcd-secrets
- include: gen_certs_vault.yml
when: cert_management == "vault" and (etcd_master_certs_needed|d() or etcd_node_certs_needed|d())
tags: etcd-secrets tags: etcd-secrets
- include: "install_{{ etcd_deployment_type }}.yml" - include: "install_{{ etcd_deployment_type }}.yml"
......
roles/kubernetes/secrets/tasks/gen_certs_vault.yml
+ 10
3
View file @ e52aca48
--- ---
- include: sync_kube_master_certs.yml
when: inventory_hostname in groups['kube-master']
tags: k8s-secrets
- include: sync_kube_node_certs.yml
when: inventory_hostname in groups['k8s-cluster']
tags: k8s-secrets
- name: gen_certs_vault | Read in the local credentials - name: gen_certs_vault | Read in the local credentials
command: cat /etc/vault/roles/kube/userpass command: cat /etc/vault/roles/kube/userpass
...@@ -15,7 +22,7 @@ ...@@ -15,7 +22,7 @@
url: "{{ hostvars[groups.vault|first]['vault_leader_url'] }}/v1/auth/userpass/login/{{ kube_vault_creds.username }}" url: "{{ hostvars[groups.vault|first]['vault_leader_url'] }}/v1/auth/userpass/login/{{ kube_vault_creds.username }}"
headers: headers:
Accept: application/json Accept: application/json
Content-Type: application/json Content-Type: application/json
method: POST method: POST
body_format: json body_format: json
body: body:
...@@ -54,7 +61,7 @@ ...@@ -54,7 +61,7 @@
}} }}
issue_cert_file_group: "{{ kube_cert_group }}" issue_cert_file_group: "{{ kube_cert_group }}"
issue_cert_file_owner: kube issue_cert_file_owner: kube
issue_cert_headers: "{{ kube_vault_headers }}" issue_cert_headers: "{{ kube_vault_headers }}"
issue_cert_hosts: "{{ groups['kube-master'] }}" issue_cert_hosts: "{{ groups['kube-master'] }}"
issue_cert_ip_sans: >- issue_cert_ip_sans: >-
[ [
...@@ -75,7 +82,7 @@ ...@@ -75,7 +82,7 @@
issue_cert_copy_ca: "{{ item == kube_node_certs_needed|first }}" issue_cert_copy_ca: "{{ item == kube_node_certs_needed|first }}"
issue_cert_file_group: "{{ kube_cert_group }}" issue_cert_file_group: "{{ kube_cert_group }}"
issue_cert_file_owner: kube issue_cert_file_owner: kube
issue_cert_headers: "{{ kube_vault_headers }}" issue_cert_headers: "{{ kube_vault_headers }}"
issue_cert_hosts: "{{ groups['k8s-cluster'] }}" issue_cert_hosts: "{{ groups['k8s-cluster'] }}"
issue_cert_path: "{{ item }}" issue_cert_path: "{{ item }}"
issue_cert_role: kube issue_cert_role: kube
......
roles/kubernetes/secrets/tasks/main.yml
+ 0
8
View file @ e52aca48
...@@ -74,13 +74,5 @@ ...@@ -74,13 +74,5 @@
- include: "gen_certs_{{ cert_management }}.yml" - include: "gen_certs_{{ cert_management }}.yml"
tags: k8s-secrets tags: k8s-secrets
- include: sync_kube_master_certs.yml
when: cert_management == "vault" and inventory_hostname in groups['kube-master']
tags: k8s-secrets
- include: sync_kube_node_certs.yml
when: cert_management == "vault" and inventory_hostname in groups['k8s-cluster']
tags: k8s-secrets
- include: gen_tokens.yml - include: gen_tokens.yml
tags: k8s-secrets tags: k8s-secrets
roles/vault/tasks/bootstrap/start_vault_temp.yml
+ 4
0
View file @ e52aca48
...@@ -13,6 +13,10 @@ ...@@ -13,6 +13,10 @@
-v /etc/vault:/etc/vault -v /etc/vault:/etc/vault
{{ vault_image_repo }}:{{ vault_version }} server {{ vault_image_repo }}:{{ vault_version }} server
#FIXME(mattymo): Crashes on first start with aufs docker storage. See hashicorp/docker-vault#19
- name: bootstrap/start_vault_temp | Start again single node Vault with file backend
command: docker start {{ vault_temp_container_name }}
- name: bootstrap/start_vault_temp | Initialize vault-temp - name: bootstrap/start_vault_temp | Initialize vault-temp
uri: uri:
url: "http://localhost:{{ vault_port }}/v1/sys/init" url: "http://localhost:{{ vault_port }}/v1/sys/init"
......
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment