richard
/
kubespray
mirror of https://github.com/kubernetes-sigs/kubespray.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
3127 Commits
33 Branches
82 Tags
153 MiB
Tree: 2a279e30b0
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '2a279e30b0'
${ noResults }
kubespray/roles/vault/tasks/cluster/init.yml

44 lines
1.4 KiB
Raw Normal View History

Adding the Vault role
8 years ago
refactor vault role (#2733) * Move front-proxy-client certs back to kube mount We want the same CA for all k8s certs * Refactor vault to use a third party module The module adds idempotency and reduces some of the repetitive logic in the vault role Requires ansible-modules-hashivault on ansible node and hvac on the vault hosts themselves Add upgrade test scenario Remove bootstrap-os tags from tasks * fix upgrade issues * improve unseal logic * specify ca and fix etcd check * Fix initialization check bump machine size
6 years ago
Adding the Vault role
8 years ago
refactor vault role (#2733) * Move front-proxy-client certs back to kube mount We want the same CA for all k8s certs * Refactor vault to use a third party module The module adds idempotency and reduces some of the repetitive logic in the vault role Requires ansible-modules-hashivault on ansible node and hvac on the vault hosts themselves Add upgrade test scenario Remove bootstrap-os tags from tasks * fix upgrade issues * improve unseal logic * specify ca and fix etcd check * Fix initialization check bump machine size
6 years ago
Adding the Vault role
8 years ago
refactor vault role (#2733) * Move front-proxy-client certs back to kube mount We want the same CA for all k8s certs * Refactor vault to use a third party module The module adds idempotency and reduces some of the repetitive logic in the vault role Requires ansible-modules-hashivault on ansible node and hvac on the vault hosts themselves Add upgrade test scenario Remove bootstrap-os tags from tasks * fix upgrade issues * improve unseal logic * specify ca and fix etcd check * Fix initialization check bump machine size
6 years ago
Adding the Vault role
8 years ago
refactor vault role (#2733) * Move front-proxy-client certs back to kube mount We want the same CA for all k8s certs * Refactor vault to use a third party module The module adds idempotency and reduces some of the repetitive logic in the vault role Requires ansible-modules-hashivault on ansible node and hvac on the vault hosts themselves Add upgrade test scenario Remove bootstrap-os tags from tasks * fix upgrade issues * improve unseal logic * specify ca and fix etcd check * Fix initialization check bump machine size
6 years ago
Adding the Vault role
8 years ago
Vault security hardening and role isolation
8 years ago
Adding the Vault role
8 years ago
Vault security hardening and role isolation
8 years ago
Adding the Vault role
8 years ago
refactor vault role (#2733) * Move front-proxy-client certs back to kube mount We want the same CA for all k8s certs * Refactor vault to use a third party module The module adds idempotency and reduces some of the repetitive logic in the vault role Requires ansible-modules-hashivault on ansible node and hvac on the vault hosts themselves Add upgrade test scenario Remove bootstrap-os tags from tasks * fix upgrade issues * improve unseal logic * specify ca and fix etcd check * Fix initialization check bump machine size
6 years ago
  1. ---
  3. - name: cluster/init | wait for vault
  4. command: /bin/true
  5. notify: wait for vault up
  7. - meta: flush_handlers
  9. - name: cluster/init | Initialize Vault
  10. hashivault_init:
  11. url: "https://localhost:{{ vault_port }}/"
  12. ca_cert: "{{ vault_cert_dir }}/ca.pem"
  13. secret_shares: "{{ vault_secret_shares }}"
  14. secret_threshold: "{{ vault_secret_threshold }}"
  15. run_once: true
  16. register: vault_init_result
  17. when: not vault_cluster_is_initialized
  19. - name: cluster/init | Set facts on the results of the initialization
  20. set_fact:
  21. vault_unseal_keys: "{{ vault_init_result.keys_base64 }}"
  22. vault_root_token: "{{ vault_init_result.root_token }}"
  23. vault_headers: "{{ vault_client_headers|combine({'X-Vault-Token': vault_init_result.root_token}) }}"
  24. run_once: true
  25. when: not vault_cluster_is_initialized
  27. - name: cluster/init | Ensure all in groups.vault have the unseal_keys locally
  28. copy:
  29. content: "{{ vault_unseal_keys|join('\n') }}"
  30. dest: "{{ vault_secrets_dir }}/unseal_keys"
  31. mode: 0640
  32. when: not vault_cluster_is_initialized
  34. - name: cluster/init | Ensure all in groups.vault have the root_token locally
  35. copy:
  36. content: "{{ vault_root_token }}"
  37. dest: "{{ vault_secrets_dir }}/root_token"
  38. mode: 0640
  39. when: not vault_cluster_is_initialized
  41. - name: cluster/init | Ensure vault_headers and vault statuses are updated
  42. set_fact:
  43. vault_cluster_is_initialized: true
  44. run_once: true