Merge pull request #1223 from mattymo/vault_cert_skip

Skip vault cert task evaluation when using script certs

Merge pull request #1223 from mattymo/vault_cert_skip
e52aca48 · Matthew Mosesohn · GitHub · 5ec503bd · d7b8fb31 · e52aca48
Commit e52aca48 authored 8 years ago by Matthew Mosesohn Committed by GitHub 8 years ago
--- a/roles/etcd/tasks/gen_certs_vault.yml
+++ b/roles/etcd/tasks/gen_certs_vault.yml
 ---
+- include: sync_etcd_master_certs.yml
+  when: inventory_hostname in groups.etcd
+  tags: etcd-secrets
+
+- include: sync_etcd_node_certs.yml
+  when: inventory_hostname in etcd_node_cert_hosts
+  tags: etcd-secrets
+

 - name: gen_certs_vault | Read in the local credentials
  command: cat /etc/vault/roles/etcd/userpass
@@ -75,3 +83,5 @@
  with_items: "{{ etcd_node_certs_needed|d([]) }}"
  when: inventory_hostname in etcd_node_cert_hosts
  notify: set etcd_secret_changed
+
+
--- a/roles/etcd/tasks/main.yml
+++ b/roles/etcd/tasks/main.yml
@@ -7,20 +7,7 @@
  when: cert_management == "script"
  tags: [etcd-secrets, facts]

- include: gen_certs_script.yml
-  when: cert_management == "script"
-  tags: etcd-secrets
-
- include: sync_etcd_master_certs.yml
-  when: cert_management == "vault" and inventory_hostname in groups.etcd
-  tags: etcd-secrets
-
- include: sync_etcd_node_certs.yml
-  when: cert_management == "vault" and inventory_hostname in etcd_node_cert_hosts
-  tags: etcd-secrets
-
- include: gen_certs_vault.yml
-  when: cert_management == "vault" and (etcd_master_certs_needed|d() or etcd_node_certs_needed|d())
+- include: "gen_certs_{{ cert_management }}.yml"
  tags: etcd-secrets

 - include: "install_{{ etcd_deployment_type }}.yml"

--- a/roles/kubernetes/secrets/tasks/gen_certs_vault.yml
+++ b/roles/kubernetes/secrets/tasks/gen_certs_vault.yml
 ---
+- include: sync_kube_master_certs.yml
+  when: inventory_hostname in groups['kube-master']
+  tags: k8s-secrets
+
+- include: sync_kube_node_certs.yml
+  when: inventory_hostname in groups['k8s-cluster']
+  tags: k8s-secrets

 - name: gen_certs_vault | Read in the local credentials
  command: cat /etc/vault/roles/kube/userpass

--- a/roles/kubernetes/secrets/tasks/main.yml
+++ b/roles/kubernetes/secrets/tasks/main.yml
@@ -74,13 +74,5 @@
 - include: "gen_certs_{{ cert_management }}.yml"
  tags: k8s-secrets

- include: sync_kube_master_certs.yml
-  when: cert_management == "vault" and inventory_hostname in groups['kube-master']
-  tags: k8s-secrets
-
- include: sync_kube_node_certs.yml
-  when: cert_management == "vault" and inventory_hostname in groups['k8s-cluster']
-  tags: k8s-secrets
-
 - include: gen_tokens.yml
  tags: k8s-secrets
--- a/roles/vault/tasks/bootstrap/start_vault_temp.yml
+++ b/roles/vault/tasks/bootstrap/start_vault_temp.yml
@@ -13,6 +13,10 @@
           -v /etc/vault:/etc/vault
           {{ vault_image_repo }}:{{ vault_version }} server

+#FIXME(mattymo): Crashes on first start with aufs docker storage. See hashicorp/docker-vault#19
+- name: bootstrap/start_vault_temp | Start again single node Vault with file backend
+  command: docker start {{ vault_temp_container_name }}
+
 - name: bootstrap/start_vault_temp | Initialize vault-temp
  uri:
    url: "http://localhost:{{ vault_port }}/v1/sys/init"