richard
/
kubespray
mirror of https://github.com/kubernetes-sigs/kubespray.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
2975 Commits
29 Branches
81 Tags
150 MiB
Tree: 00db751646
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '00db751646'
${ noResults }
kubespray/roles/vault/defaults/main.yml

185 lines
5.9 KiB
Raw Normal View History

Adding the Vault role
7 years ago
Vault role updates: * using separated vault roles for generate certs with different `O` (Organization) subject field; * configure vault roles for issuing certificates with different `CN` (Common name) subject field; * set `CN` and `O` to `kubernetes` and `etcd` certificates; * vault/defaults vars definition was simplified; * vault dirs variables defined in kubernetes-defaults foles for using shared tasks in etcd and kubernetes/secrets roles; * upgrade vault to 0.8.1; * generate random vault user password for each role by default; * fix `serial` file name for vault certs; * move vault auth request to issue_cert tasks; * enable `RBAC` in vault CI;
7 years ago
Adding the Vault role
7 years ago
Vault security hardening and role isolation
7 years ago
Vault role updates: * using separated vault roles for generate certs with different `O` (Organization) subject field; * configure vault roles for issuing certificates with different `CN` (Common name) subject field; * set `CN` and `O` to `kubernetes` and `etcd` certificates; * vault/defaults vars definition was simplified; * vault dirs variables defined in kubernetes-defaults foles for using shared tasks in etcd and kubernetes/secrets roles; * upgrade vault to 0.8.1; * generate random vault user password for each role by default; * fix `serial` file name for vault certs; * move vault auth request to issue_cert tasks; * enable `RBAC` in vault CI;
7 years ago
Vault security hardening and role isolation
7 years ago
Vault role updates: * using separated vault roles for generate certs with different `O` (Organization) subject field; * configure vault roles for issuing certificates with different `CN` (Common name) subject field; * set `CN` and `O` to `kubernetes` and `etcd` certificates; * vault/defaults vars definition was simplified; * vault dirs variables defined in kubernetes-defaults foles for using shared tasks in etcd and kubernetes/secrets roles; * upgrade vault to 0.8.1; * generate random vault user password for each role by default; * fix `serial` file name for vault certs; * move vault auth request to issue_cert tasks; * enable `RBAC` in vault CI;
7 years ago
Vault security hardening and role isolation
7 years ago
Vault role updates: * using separated vault roles for generate certs with different `O` (Organization) subject field; * configure vault roles for issuing certificates with different `CN` (Common name) subject field; * set `CN` and `O` to `kubernetes` and `etcd` certificates; * vault/defaults vars definition was simplified; * vault dirs variables defined in kubernetes-defaults foles for using shared tasks in etcd and kubernetes/secrets roles; * upgrade vault to 0.8.1; * generate random vault user password for each role by default; * fix `serial` file name for vault certs; * move vault auth request to issue_cert tasks; * enable `RBAC` in vault CI;
7 years ago
Vault security hardening and role isolation
7 years ago
Vault role updates: * using separated vault roles for generate certs with different `O` (Organization) subject field; * configure vault roles for issuing certificates with different `CN` (Common name) subject field; * set `CN` and `O` to `kubernetes` and `etcd` certificates; * vault/defaults vars definition was simplified; * vault dirs variables defined in kubernetes-defaults foles for using shared tasks in etcd and kubernetes/secrets roles; * upgrade vault to 0.8.1; * generate random vault user password for each role by default; * fix `serial` file name for vault certs; * move vault auth request to issue_cert tasks; * enable `RBAC` in vault CI;
7 years ago
Rename vault_address to vault_bind_address
7 years ago
Adding the Vault role
7 years ago
Use etcd_access_addresses for vault_etcd_url
7 years ago
Vault role updates: * using separated vault roles for generate certs with different `O` (Organization) subject field; * configure vault roles for issuing certificates with different `CN` (Common name) subject field; * set `CN` and `O` to `kubernetes` and `etcd` certificates; * vault/defaults vars definition was simplified; * vault dirs variables defined in kubernetes-defaults foles for using shared tasks in etcd and kubernetes/secrets roles; * upgrade vault to 0.8.1; * generate random vault user password for each role by default; * fix `serial` file name for vault certs; * move vault auth request to issue_cert tasks; * enable `RBAC` in vault CI;
7 years ago
Change vault cert ttl to 8y (#2013)
7 years ago
Vault role updates: * using separated vault roles for generate certs with different `O` (Organization) subject field; * configure vault roles for issuing certificates with different `CN` (Common name) subject field; * set `CN` and `O` to `kubernetes` and `etcd` certificates; * vault/defaults vars definition was simplified; * vault dirs variables defined in kubernetes-defaults foles for using shared tasks in etcd and kubernetes/secrets roles; * upgrade vault to 0.8.1; * generate random vault user password for each role by default; * fix `serial` file name for vault certs; * move vault auth request to issue_cert tasks; * enable `RBAC` in vault CI;
7 years ago
Adding the Vault role
7 years ago
Adding ability to override max ttl (#1559) Prior this would fail because we didnt set max ttl for vault temp
7 years ago
Adding the Vault role
7 years ago
Rename vault_address to vault_bind_address
7 years ago
Adding the Vault role
7 years ago
Adding ability to override max ttl (#1559) Prior this would fail because we didnt set max ttl for vault temp
7 years ago
Vault role updates: * using separated vault roles for generate certs with different `O` (Organization) subject field; * configure vault roles for issuing certificates with different `CN` (Common name) subject field; * set `CN` and `O` to `kubernetes` and `etcd` certificates; * vault/defaults vars definition was simplified; * vault dirs variables defined in kubernetes-defaults foles for using shared tasks in etcd and kubernetes/secrets roles; * upgrade vault to 0.8.1; * generate random vault user password for each role by default; * fix `serial` file name for vault certs; * move vault auth request to issue_cert tasks; * enable `RBAC` in vault CI;
7 years ago
Vault should use cert auth for etcd
6 years ago
Vault role updates: * using separated vault roles for generate certs with different `O` (Organization) subject field; * configure vault roles for issuing certificates with different `CN` (Common name) subject field; * set `CN` and `O` to `kubernetes` and `etcd` certificates; * vault/defaults vars definition was simplified; * vault dirs variables defined in kubernetes-defaults foles for using shared tasks in etcd and kubernetes/secrets roles; * upgrade vault to 0.8.1; * generate random vault user password for each role by default; * fix `serial` file name for vault certs; * move vault auth request to issue_cert tasks; * enable `RBAC` in vault CI;
7 years ago
Rename vault_address to vault_bind_address
7 years ago
Vault role updates: * using separated vault roles for generate certs with different `O` (Organization) subject field; * configure vault roles for issuing certificates with different `CN` (Common name) subject field; * set `CN` and `O` to `kubernetes` and `etcd` certificates; * vault/defaults vars definition was simplified; * vault dirs variables defined in kubernetes-defaults foles for using shared tasks in etcd and kubernetes/secrets roles; * upgrade vault to 0.8.1; * generate random vault user password for each role by default; * fix `serial` file name for vault certs; * move vault auth request to issue_cert tasks; * enable `RBAC` in vault CI;
7 years ago
Stop templating kube-system namespace and creating it (#2545) Kubernetes makes this namespace automatically, so there is no need for kubespray to manage it.
6 years ago
Vault role updates: * using separated vault roles for generate certs with different `O` (Organization) subject field; * configure vault roles for issuing certificates with different `CN` (Common name) subject field; * set `CN` and `O` to `kubernetes` and `etcd` certificates; * vault/defaults vars definition was simplified; * vault dirs variables defined in kubernetes-defaults foles for using shared tasks in etcd and kubernetes/secrets roles; * upgrade vault to 0.8.1; * generate random vault user password for each role by default; * fix `serial` file name for vault certs; * move vault auth request to issue_cert tasks; * enable `RBAC` in vault CI;
7 years ago
Use dedicated front-proxy-ca for front-proxy-client
6 years ago
Vault role updates: * using separated vault roles for generate certs with different `O` (Organization) subject field; * configure vault roles for issuing certificates with different `CN` (Common name) subject field; * set `CN` and `O` to `kubernetes` and `etcd` certificates; * vault/defaults vars definition was simplified; * vault dirs variables defined in kubernetes-defaults foles for using shared tasks in etcd and kubernetes/secrets roles; * upgrade vault to 0.8.1; * generate random vault user password for each role by default; * fix `serial` file name for vault certs; * move vault auth request to issue_cert tasks; * enable `RBAC` in vault CI;
7 years ago
Change single Vault pki mount to multi pki mounts paths for etcd and kube CA`s (#1552) * Added update CA trust step for etcd and kube/secrets roles * Added load_balancer_domain_name to certificate alt names if defined. Reset CA's in RedHat os. * Rename kube-cluster-ca.crt to vault-ca.crt, we need separated CA`s for vault, etcd and kube. * Vault role refactoring, remove optional cert vault auth because not not used and worked. Create separate CA`s fro vault and etcd. * Fixed different certificates set for vault cert_managment * Update doc/vault.md * Fixed condition create vault CA, wrong group * Fixed missing etcd_cert_path mount for rkt deployment type. Distribute vault roles for all vault hosts * Removed wrong when condition in create etcd role vault tasks.
7 years ago
Vault role updates: * using separated vault roles for generate certs with different `O` (Organization) subject field; * configure vault roles for issuing certificates with different `CN` (Common name) subject field; * set `CN` and `O` to `kubernetes` and `etcd` certificates; * vault/defaults vars definition was simplified; * vault dirs variables defined in kubernetes-defaults foles for using shared tasks in etcd and kubernetes/secrets roles; * upgrade vault to 0.8.1; * generate random vault user password for each role by default; * fix `serial` file name for vault certs; * move vault auth request to issue_cert tasks; * enable `RBAC` in vault CI;
7 years ago
Addition of the .creds extension to the credentials files generated by password lookup in order for Ansible not to consider them as inventory files with inventory_ignore_extensions set accordingly (#2446)
6 years ago
Vault role updates: * using separated vault roles for generate certs with different `O` (Organization) subject field; * configure vault roles for issuing certificates with different `CN` (Common name) subject field; * set `CN` and `O` to `kubernetes` and `etcd` certificates; * vault/defaults vars definition was simplified; * vault dirs variables defined in kubernetes-defaults foles for using shared tasks in etcd and kubernetes/secrets roles; * upgrade vault to 0.8.1; * generate random vault user password for each role by default; * fix `serial` file name for vault certs; * move vault auth request to issue_cert tasks; * enable `RBAC` in vault CI;
7 years ago
Addition of the .creds extension to the credentials files generated by password lookup in order for Ansible not to consider them as inventory files with inventory_ignore_extensions set accordingly (#2446)
6 years ago
Vault role updates: * using separated vault roles for generate certs with different `O` (Organization) subject field; * configure vault roles for issuing certificates with different `CN` (Common name) subject field; * set `CN` and `O` to `kubernetes` and `etcd` certificates; * vault/defaults vars definition was simplified; * vault dirs variables defined in kubernetes-defaults foles for using shared tasks in etcd and kubernetes/secrets roles; * upgrade vault to 0.8.1; * generate random vault user password for each role by default; * fix `serial` file name for vault certs; * move vault auth request to issue_cert tasks; * enable `RBAC` in vault CI;
7 years ago
Addition of the .creds extension to the credentials files generated by password lookup in order for Ansible not to consider them as inventory files with inventory_ignore_extensions set accordingly (#2446)
6 years ago
Vault role updates: * using separated vault roles for generate certs with different `O` (Organization) subject field; * configure vault roles for issuing certificates with different `CN` (Common name) subject field; * set `CN` and `O` to `kubernetes` and `etcd` certificates; * vault/defaults vars definition was simplified; * vault dirs variables defined in kubernetes-defaults foles for using shared tasks in etcd and kubernetes/secrets roles; * upgrade vault to 0.8.1; * generate random vault user password for each role by default; * fix `serial` file name for vault certs; * move vault auth request to issue_cert tasks; * enable `RBAC` in vault CI;
7 years ago
Addition of the .creds extension to the credentials files generated by password lookup in order for Ansible not to consider them as inventory files with inventory_ignore_extensions set accordingly (#2446)
6 years ago
Vault role updates: * using separated vault roles for generate certs with different `O` (Organization) subject field; * configure vault roles for issuing certificates with different `CN` (Common name) subject field; * set `CN` and `O` to `kubernetes` and `etcd` certificates; * vault/defaults vars definition was simplified; * vault dirs variables defined in kubernetes-defaults foles for using shared tasks in etcd and kubernetes/secrets roles; * upgrade vault to 0.8.1; * generate random vault user password for each role by default; * fix `serial` file name for vault certs; * move vault auth request to issue_cert tasks; * enable `RBAC` in vault CI;
7 years ago
Addition of the .creds extension to the credentials files generated by password lookup in order for Ansible not to consider them as inventory files with inventory_ignore_extensions set accordingly (#2446)
6 years ago
Vault role updates: * using separated vault roles for generate certs with different `O` (Organization) subject field; * configure vault roles for issuing certificates with different `CN` (Common name) subject field; * set `CN` and `O` to `kubernetes` and `etcd` certificates; * vault/defaults vars definition was simplified; * vault dirs variables defined in kubernetes-defaults foles for using shared tasks in etcd and kubernetes/secrets roles; * upgrade vault to 0.8.1; * generate random vault user password for each role by default; * fix `serial` file name for vault certs; * move vault auth request to issue_cert tasks; * enable `RBAC` in vault CI;
7 years ago
Use dedicated front-proxy-ca for front-proxy-client
6 years ago
Issue front proxy certs for vault
6 years ago
Use dedicated front-proxy-ca for front-proxy-client
6 years ago
Issue front proxy certs for vault
6 years ago
Use dedicated front-proxy-ca for front-proxy-client
6 years ago
  1. ---
  2. vault_bootstrap: false
  3. vault_deployment_type: docker
  5. vault_adduser_vars:
  6. comment: "Hashicorp Vault User"
  7. createhome: no
  8. name: vault
  9. shell: /sbin/nologin
  10. system: yes
  12. # This variables redefined in kubespray-defaults for using shared tasks
  13. # in etcd and kubernetes/secrets roles
  14. vault_base_dir: /etc/vault
  15. vault_cert_dir: "{{ vault_base_dir }}/ssl"
  16. vault_config_dir: "{{ vault_base_dir }}/config"
  17. vault_roles_dir: "{{ vault_base_dir }}/roles"
  18. vault_secrets_dir: "{{ vault_base_dir }}/secrets"
  19. vault_log_dir: "/var/log/vault"
  21. vault_version: 0.8.1
  22. vault_binary_checksum: 3c4d70ba71619a43229e65c67830e30e050eab7a81ac6b28325ff707e5914188
  23. vault_download_url: "https://releases.hashicorp.com/vault/{{ vault_version }}/vault_{{ vault_version }}_linux_amd64.zip"
  24. vault_download_vars:
  25. container: "{{ vault_deployment_type != 'host' }}"
  26. dest: "vault/vault_{{ vault_version }}_linux_amd64.zip"
  27. enabled: true
  28. mode: "0755"
  29. owner: "vault"
  30. repo: "{{ vault_image_repo }}"
  31. sha256: "{{ vault_binary_checksum if vault_deployment_type == 'host' else vault_digest_checksum|d(none) }}"
  32. source_url: "{{ vault_download_url }}"
  33. tag: "{{ vault_image_tag }}"
  34. unarchive: true
  35. url: "{{ vault_download_url }}"
  36. version: "{{ vault_version }}"
  38. vault_container_name: kube-hashicorp-vault
  39. vault_temp_container_name: vault-temp
  40. vault_image_repo: "vault"
  41. vault_image_tag: "{{ vault_version }}"
  43. vault_bind_address: 0.0.0.0
  44. vault_port: 8200
  45. vault_etcd_url: "{{ etcd_access_addresses }}"
  47. # 8y default lease
  48. vault_default_lease_ttl: 70080h
  49. vault_max_lease_ttl: 87600h
  51. vault_temp_config:
  52. backend:
  53. file:
  54. path: /vault/file
  55. default_lease_ttl: "{{ vault_default_lease_ttl }}"
  56. listener:
  57. tcp:
  58. address: "{{ vault_bind_address }}:{{ vault_port }}"
  59. tls_disable: "true"
  60. max_lease_ttl: "{{ vault_max_lease_ttl }}"
  62. vault_config:
  63. backend:
  64. etcd:
  65. address: "{{ vault_etcd_url }}"
  66. ha_enabled: "true"
  67. redirect_addr: "https://{{ ansible_default_ipv4.address }}:{{ vault_port }}"
  68. tls_ca_file: "{{ vault_etcd_cert_dir }}/ca.pem"
  69. tls_cert_file: "{{ vault_etcd_cert_dir}}/node-{{ inventory_hostname }}.pem"
  70. tls_key_file: "{{ vault_etcd_cert_dir}}/node-{{ inventory_hostname }}-key.pem"
  71. cluster_name: "kubernetes-vault"
  72. default_lease_ttl: "{{ vault_default_lease_ttl }}"
  73. max_lease_ttl: "{{ vault_max_lease_ttl }}"
  74. listener:
  75. tcp:
  76. address: "{{ vault_bind_address }}:{{ vault_port }}"
  77. tls_cert_file: "{{ vault_cert_dir }}/api.pem"
  78. tls_key_file: "{{ vault_cert_dir }}/api-key.pem"
  80. vault_secret_shares: 1
  81. vault_secret_threshold: 1
  83. vault_ca_options:
  84. vault:
  85. common_name: vault
  86. format: pem
  87. ttl: "{{ vault_max_lease_ttl }}"
  88. exclude_cn_from_sans: true
  89. alt_names: "vault.kube-system.svc.{{ dns_domain }},vault.kube-system.svc,vault.kube-system,vault"
  90. etcd:
  91. common_name: etcd
  92. format: pem
  93. ttl: "{{ vault_max_lease_ttl }}"
  94. exclude_cn_from_sans: true
  95. kube:
  96. common_name: kube
  97. format: pem
  98. ttl: "{{ vault_max_lease_ttl }}"
  99. exclude_cn_from_sans: true
  100. front_proxy:
  101. common_name: front-proxy
  102. format: pem
  103. ttl: "{{ vault_max_lease_ttl }}"
  104. exclude_cn_from_sans: true
  106. vault_client_headers:
  107. Accept: "application/json"
  108. Content-Type: "application/json"
  110. vault_etcd_cert_dir: /etc/ssl/etcd/ssl
  111. vault_kube_cert_dir: /etc/kubernetes/ssl
  113. vault_pki_mounts:
  114. vault:
  115. name: vault
  116. default_lease_ttl: "{{ vault_default_lease_ttl }}"
  117. max_lease_ttl: "{{ vault_max_lease_ttl }}"
  118. description: "Vault Root CA"
  119. cert_dir: "{{ vault_cert_dir }}"
  120. roles:
  121. - name: vault
  122. group: vault
  123. password: "{{ lookup('password', inventory_dir + '/credentials/vault/vault.creds length=15') }}"
  124. policy_rules: default
  125. role_options: default
  126. etcd:
  127. name: etcd
  128. default_lease_ttl: "{{ vault_default_lease_ttl }}"
  129. max_lease_ttl: "{{ vault_max_lease_ttl }}"
  130. description: "Etcd Root CA"
  131. cert_dir: "{{ vault_etcd_cert_dir }}"
  132. roles:
  133. - name: etcd
  134. group: etcd
  135. password: "{{ lookup('password', inventory_dir + '/credentials/vault/etcd.creds length=15') }}"
  136. policy_rules: default
  137. role_options:
  138. allow_any_name: true
  139. enforce_hostnames: false
  140. organization: "kube:etcd"
  141. kube:
  142. name: kube
  143. default_lease_ttl: "{{ vault_default_lease_ttl }}"
  144. max_lease_ttl: "{{ vault_max_lease_ttl }}"
  145. description: "Kubernetes Root CA"
  146. cert_dir: "{{ vault_kube_cert_dir }}"
  147. roles:
  148. - name: kube-master
  149. group: kube-master
  150. password: "{{ lookup('password', inventory_dir + '/credentials/vault/kube-master.creds length=15') }}"
  151. policy_rules: default
  152. role_options:
  153. allow_any_name: true
  154. enforce_hostnames: false
  155. organization: "system:masters"
  156. - name: kube-node
  157. group: k8s-cluster
  158. password: "{{ lookup('password', inventory_dir + '/credentials/vault/kube-node.creds length=15') }}"
  159. policy_rules: default
  160. role_options:
  161. allow_any_name: true
  162. enforce_hostnames: false
  163. organization: "system:nodes"
  164. - name: kube-proxy
  165. group: k8s-cluster
  166. password: "{{ lookup('password', inventory_dir + '/credentials/vault/kube-proxy.creds length=15') }}"
  167. policy_rules: default
  168. role_options:
  169. allow_any_name: true
  170. enforce_hostnames: false
  171. organization: "system:node-proxier"
  172. front_proxy:
  173. name: front-proxy
  174. default_lease_ttl: "{{ vault_default_lease_ttl }}"
  175. max_lease_ttl: "{{ vault_max_lease_ttl }}"
  176. description: "Kubernetes Front Proxy CA"
  177. cert_dir: "{{ vault_kube_cert_dir }}"
  178. roles:
  179. - name: front-proxy-client
  180. group: k8s-cluster
  181. password: "{{ lookup('password', inventory_dir + '/credentials/vault/front-proxy-client.creds length=15') }}"
  182. policy_rules: default
  183. role_options:
  184. allow_any_name: true
  185. enforce_hostnames: false
  186. organization: "system:front-proxy"