richard
/
kubespray
mirror of https://github.com/kubernetes-sigs/kubespray.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1502 Commits
29 Branches
81 Tags
147 MiB
Tree: 6ae6b7cfcd
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '6ae6b7cfcd'
${ noResults }
kubespray/roles/etcd/tasks/gen_certs_vault.yml

77 lines
2.8 KiB
Raw Normal View History

Vault security hardening and role isolation
7 years ago
  1. ---
  3. - name: gen_certs_vault | Read in the local credentials
  4. command: cat /etc/vault/roles/etcd/userpass
  5. register: etcd_vault_creds_cat
  6. when: inventory_hostname == groups.etcd|first
  8. - name: gen_certs_vault | Set facts for read Vault Creds
  9. set_fact:
  10. etcd_vault_creds: "{{ hostvars[groups.etcd|first]['etcd_vault_creds_cat']['stdout']|from_json }}"
  11. when: inventory_hostname == groups.etcd|first
  13. - name: gen_certs_vault | Log into Vault and obtain an token
  14. uri:
  15. url: "{{ hostvars[groups.vault|first]['vault_leader_url'] }}/v1/auth/userpass/login/{{ etcd_vault_creds.username }}"
  16. headers:
  17. Accept: application/json
  18. Content-Type: application/json
  19. method: POST
  20. body_format: json
  21. body:
  22. password: "{{ etcd_vault_creds.password }}"
  23. register: etcd_vault_login_result
  24. when: inventory_hostname == groups.etcd|first
  26. - name: gen_certs_vault | Set fact for Vault API token
  27. set_fact:
  28. etcd_vault_headers:
  29. Accept: application/json
  30. Content-Type: application/json
  31. X-Vault-Token: "{{ hostvars[groups.etcd|first]['etcd_vault_login_result']['json']['auth']['client_token'] }}"
  33. # Issue master certs to Etcd nodes
  34. - include: ../../vault/tasks/shared/issue_cert.yml
  35. vars:
  36. issue_cert_alt_names: "{{ groups.etcd + ['localhost'] }}"
  37. issue_cert_copy_ca: "{{ item == etcd_master_certs_needed|first }}"
  38. issue_cert_file_group: "{{ etcd_cert_group }}"
  39. issue_cert_file_owner: kube
  40. issue_cert_headers: "{{ etcd_vault_headers }}"
  41. issue_cert_hosts: "{{ groups.etcd }}"
  42. issue_cert_ip_sans: >-
  43. [
  44. {%- for host in groups.etcd -%}
  45. "{{ hostvars[host]['ansible_default_ipv4']['address'] }}",
  46. {%- endfor -%}
  47. "127.0.0.1","::1"
  48. ]
  49. issue_cert_path: "{{ item }}"
  50. issue_cert_role: etcd
  51. issue_cert_url: "{{ hostvars[groups.vault|first]['vault_leader_url'] }}"
  52. with_items: "{{ etcd_master_certs_needed|d([]) }}"
  53. when: inventory_hostname in groups.etcd
  54. notify: set etcd_secret_changed
  56. # Issue node certs to everyone else
  57. - include: ../../vault/tasks/shared/issue_cert.yml
  58. vars:
  59. issue_cert_alt_names: "{{ etcd_node_cert_hosts }}"
  60. issue_cert_copy_ca: "{{ item == etcd_node_certs_needed|first }}"
  61. issue_cert_file_group: "{{ etcd_cert_group }}"
  62. issue_cert_file_owner: kube
  63. issue_cert_headers: "{{ etcd_vault_headers }}"
  64. issue_cert_hosts: "{{ etcd_node_cert_hosts }}"
  65. issue_cert_ip_sans: >-
  66. [
  67. {%- for host in etcd_node_cert_hosts -%}
  68. "{{ hostvars[host]['ansible_default_ipv4']['address'] }}",
  69. {%- endfor -%}
  70. "127.0.0.1","::1"
  71. ]
  72. issue_cert_path: "{{ item }}"
  73. issue_cert_role: etcd
  74. issue_cert_url: "{{ hostvars[groups.vault|first]['vault_leader_url'] }}"
  75. with_items: "{{ etcd_node_certs_needed|d([]) }}"
  76. when: inventory_hostname in etcd_node_cert_hosts
  77. notify: set etcd_secret_changed