richard
/
kubespray
mirror of https://github.com/kubernetes-sigs/kubespray.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
3832 Commits
29 Branches
81 Tags
150 MiB
Tree: 22c234040e
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '22c234040e'
${ noResults }
kubespray/roles/vault/handlers/main.yml

50 lines
1.6 KiB
Raw Normal View History

refactor vault role (#2733) * Move front-proxy-client certs back to kube mount We want the same CA for all k8s certs * Refactor vault to use a third party module The module adds idempotency and reduces some of the repetitive logic in the vault role Requires ansible-modules-hashivault on ansible node and hvac on the vault hosts themselves Add upgrade test scenario Remove bootstrap-os tags from tasks * fix upgrade issues * improve unseal logic * specify ca and fix etcd check * Fix initialization check bump machine size
6 years ago
Adding wait for vault up handler in service restart
6 years ago
refactor vault role (#2733) * Move front-proxy-client certs back to kube mount We want the same CA for all k8s certs * Refactor vault to use a third party module The module adds idempotency and reduces some of the repetitive logic in the vault role Requires ansible-modules-hashivault on ansible node and hvac on the vault hosts themselves Add upgrade test scenario Remove bootstrap-os tags from tasks * fix upgrade issues * improve unseal logic * specify ca and fix etcd check * Fix initialization check bump machine size
6 years ago
Fix ansible syntax to avoid ansible deprecation warnings (#3512) * failed * version_compare * succeeded * skipped * success * version_compare becomes version since ansible 2.5 * ansible minimal version updated in doc and spec * last version_compare
6 years ago
refactor vault role (#2733) * Move front-proxy-client certs back to kube mount We want the same CA for all k8s certs * Refactor vault to use a third party module The module adds idempotency and reduces some of the repetitive logic in the vault role Requires ansible-modules-hashivault on ansible node and hvac on the vault hosts themselves Add upgrade test scenario Remove bootstrap-os tags from tasks * fix upgrade issues * improve unseal logic * specify ca and fix etcd check * Fix initialization check bump machine size
6 years ago
  1. ---
  2. - name: restart vault
  3. command: /bin/true
  4. notify:
  5. - restart vault service
  6. - wait for vault up
  7. - unseal vault
  9. - name: wait for vault up
  10. uri:
  11. url: "{{ vault_leader_url | default('https://localhost:8200') }}/v1/sys/health"
  12. headers: "{{ vault_client_headers }}"
  13. status_code: "{{ vault_successful_http_codes | join(',') }}"
  14. register: vault_health_check
  15. until: vault_health_check is succeeded
  16. retries: 10
  17. delay: "{{ retry_stagger | random + 3 }}"
  18. run_once: yes
  19. notify: set facts about local Vault health
  21. - name: wait for vault up nowait
  22. uri:
  23. url: "{{ vault_leader_url | default('https://localhost:8200') }}/v1/sys/health"
  24. headers: "{{ vault_client_headers }}"
  25. status_code: "{{ vault_successful_http_codes | join(',') }}"
  26. register: vault_health_check
  27. run_once: yes
  28. failed_when: false
  29. notify: set facts about local Vault health
  31. - name: set facts about local Vault health
  32. set_fact:
  33. vault_is_running: "{{ vault_health_check.get('status', '-1') in vault_successful_http_codes }}"
  34. vault_cluster_is_initialized: "{{ vault_health_check.get('json', {}).get('initialized', false) }}"
  35. vault_is_sealed: "{{ vault_health_check.get('json', {}).get('sealed', true) }}"
  37. - name: restart vault service
  38. systemd:
  39. daemon_reload: true
  40. enabled: yes
  41. name: vault
  42. state: restarted
  44. - name: unseal vault
  45. hashivault_unseal:
  46. url: "{{ vault_leader_url | default('https://localhost:8200') }}"
  47. token: "{{ vault_root_token }}"
  48. ca_cert: "{{ vault_cert_dir }}/ca.pem"
  49. keys: "{{ item }}"
  50. with_items: "{{ vault_unseal_keys|default([]) }}"