From f9df692056e6222ab6908ea1e1f26eb3ff8d75a0 Mon Sep 17 00:00:00 2001
From: woopstar <andreas@kruger.nu>
Date: Wed, 7 Feb 2018 11:03:07 +0100
Subject: [PATCH] Issue front proxy certs for vault

---
 .../secrets/tasks/gen_certs_vault.yml         | 26 +++++++++++++++++++
 roles/vault/defaults/main.yml                 |  8 ++++++
 2 files changed, 34 insertions(+)

diff --git a/roles/kubernetes/secrets/tasks/gen_certs_vault.yml b/roles/kubernetes/secrets/tasks/gen_certs_vault.yml
index ca28b537f..5b3b46edc 100644
--- a/roles/kubernetes/secrets/tasks/gen_certs_vault.yml
+++ b/roles/kubernetes/secrets/tasks/gen_certs_vault.yml
@@ -93,3 +93,29 @@
     issue_cert_mount_path: "{{ kube_vault_mount_path }}"
   with_items: "{{ kube_proxy_certs_needed|d([]) }}"
   when: inventory_hostname in groups['k8s-cluster']
+
+# Issue front proxy cert to kube-master hosts
+- include_tasks: ../../../vault/tasks/shared/issue_cert.yml
+  vars:
+    issue_cert_common_name: "front-proxy-client"
+    issue_cert_alt_names: "{{ kube_cert_alt_names }}"
+    issue_cert_file_group: "{{ kube_cert_group }}"
+    issue_cert_file_owner: kube
+    issue_cert_hosts: "{{ groups['kube-master'] }}"
+    issue_cert_ip_sans: >-
+        [
+        {%- for host in groups['kube-master']  -%}
+        "{{ hostvars[host]['ansible_default_ipv4']['address'] }}",
+        {%- if hostvars[host]['ip'] is defined -%}
+        "{{ hostvars[host]['ip'] }}",
+        {%- endif -%}
+        {%- endfor -%}
+        "127.0.0.1","::1","{{ kube_apiserver_ip }}"
+        ]
+    issue_cert_path: "{{ item }}"
+    issue_cert_role: front-proxy-client
+    issue_cert_url: "{{ hostvars[groups.vault|first]['vault_leader_url'] }}"
+    issue_cert_mount_path: "{{ kube_vault_mount_path }}"
+  with_items: "{{ kube_master_components_certs_needed|d([]) }}"
+  when: inventory_hostname in groups['kube-master']
+  notify: set secret_changed
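Review bot: The new task issues one certificate with a fixed common name (`issue_cert_common_name: "front-proxy-client"`) but writes it to `issue_cert_path: "{{ item }}"` for every entry of `kube_master_components_certs_needed`, so each path in that list ends up holding the same front-proxy-client cert; if that list is the one the existing master-component tasks also consume, their certs are silently overwritten on the next run. Presumably the front-proxy cert needs its own list, e.g. `with_items: "{{ kube_front_proxy_clients_certs_needed|d([]) }}"` populated with only the front-proxy-client path — the set_fact that builds these lists is outside this hunk, so this is inferred. Secondly, this is a client certificate (role `front-proxy-client`), yet it inherits `kube_cert_alt_names` and the full apiserver IP SAN list; that is not wrong but is broader than the cert needs, and a comment such as `# SANs copied from the apiserver cert; a client cert only needs the CN` above `issue_cert_alt_names` would at least record the intent.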
diff --git a/roles/vault/defaults/main.yml b/roles/vault/defaults/main.yml
index 3e41cb00c..5c44dd80b 100644
--- a/roles/vault/defaults/main.yml
+++ b/roles/vault/defaults/main.yml
@@ -162,3 +162,11 @@ vault_pki_mounts:
           allow_any_name: true
           enforce_hostnames: false
           organization: "system:node-proxier"
+      - name: front-proxy-client
+        group: k8s-cluster
+        password: "{{ lookup('password', 'credentials/vault/kube-proxy length=15') }}"
+        policy_rules: default
+        role_options:
+          allow_any_name: true
+          enforce_hostnames: false
+          organization: "system:front-proxy"
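Review bot: The new `front-proxy-client` mount role reuses the password lookup path of the kube-proxy role, `credentials/vault/kube-proxy`, so the same generated secret authenticates to both Vault roles; whoever holds the kube-proxy credential can then issue certificates in organization `system:front-proxy`, which the API server trusts for aggregated API requests. Give the role its own credential, `password: "{{ lookup('password', 'credentials/vault/front-proxy-client length=15') }}"`, matching the one-credential-per-role pattern the file otherwise appears to follow (the sibling entries' password lines are outside this hunk, so this is inferred from the entry above it using a different organization). Since the common name is fixed by the issuing task, `allow_any_name: true` is also wider than needed, though it mirrors the existing entries. The enclosing `vault_pki_mounts` mapping starts outside the hunk.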
-- 
GitLab