richard
/
kubespray
mirror of https://github.com/kubernetes-sigs/kubespray.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
2228 Commits
29 Branches
81 Tags
147 MiB
Tree: 6e949bf951
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '6e949bf951'
${ noResults }
kubespray/roles/vault/tasks/shared/create_role.yml

48 lines
1.8 KiB
Raw Normal View History

Vault security hardening and role isolation
7 years ago
Change single Vault pki mount to multi pki mounts paths for etcd and kube CA`s (#1552) * Added update CA trust step for etcd and kube/secrets roles * Added load_balancer_domain_name to certificate alt names if defined. Reset CA's in RedHat os. * Rename kube-cluster-ca.crt to vault-ca.crt, we need separated CA`s for vault, etcd and kube. * Vault role refactoring, remove optional cert vault auth because not not used and worked. Create separate CA`s fro vault and etcd. * Fixed different certificates set for vault cert_managment * Update doc/vault.md * Fixed condition create vault CA, wrong group * Fixed missing etcd_cert_path mount for rkt deployment type. Distribute vault roles for all vault hosts * Removed wrong when condition in create etcd role vault tasks.
7 years ago
Vault security hardening and role isolation
7 years ago
Place vault role credentials only to vault group hosts
7 years ago
Vault security hardening and role isolation
7 years ago
Vault role updates: * using separated vault roles for generate certs with different `O` (Organization) subject field; * configure vault roles for issuing certificates with different `CN` (Common name) subject field; * set `CN` and `O` to `kubernetes` and `etcd` certificates; * vault/defaults vars definition was simplified; * vault dirs variables defined in kubernetes-defaults foles for using shared tasks in etcd and kubernetes/secrets roles; * upgrade vault to 0.8.1; * generate random vault user password for each role by default; * fix `serial` file name for vault certs; * move vault auth request to issue_cert tasks; * enable `RBAC` in vault CI;
7 years ago
Vault security hardening and role isolation
7 years ago
Change single Vault pki mount to multi pki mounts paths for etcd and kube CA`s (#1552) * Added update CA trust step for etcd and kube/secrets roles * Added load_balancer_domain_name to certificate alt names if defined. Reset CA's in RedHat os. * Rename kube-cluster-ca.crt to vault-ca.crt, we need separated CA`s for vault, etcd and kube. * Vault role refactoring, remove optional cert vault auth because not not used and worked. Create separate CA`s fro vault and etcd. * Fixed different certificates set for vault cert_managment * Update doc/vault.md * Fixed condition create vault CA, wrong group * Fixed missing etcd_cert_path mount for rkt deployment type. Distribute vault roles for all vault hosts * Removed wrong when condition in create etcd role vault tasks.
7 years ago
Vault security hardening and role isolation
7 years ago
Place vault role credentials only to vault group hosts
7 years ago
Vault security hardening and role isolation
7 years ago
Vault role updates: * using separated vault roles for generate certs with different `O` (Organization) subject field; * configure vault roles for issuing certificates with different `CN` (Common name) subject field; * set `CN` and `O` to `kubernetes` and `etcd` certificates; * vault/defaults vars definition was simplified; * vault dirs variables defined in kubernetes-defaults foles for using shared tasks in etcd and kubernetes/secrets roles; * upgrade vault to 0.8.1; * generate random vault user password for each role by default; * fix `serial` file name for vault certs; * move vault auth request to issue_cert tasks; * enable `RBAC` in vault CI;
7 years ago
Vault security hardening and role isolation
7 years ago
  1. ---
  2. # The JSON inside JSON here is intentional (Vault API wants it)
  3. - name: create_role | Create a policy for the new role allowing issuing
  4. uri:
  5. url: "{{ hostvars[groups.vault|first]['vault_leader_url'] }}/v1/sys/policy/{{ create_role_name }}"
  6. headers: "{{ hostvars[groups.vault|first]['vault_headers'] }}"
  7. method: PUT
  8. body_format: json
  9. body:
  10. rules: >-
  11. {%- if create_role_policy_rules|d("default") == "default" -%}
  12. {{
  13. { 'path': {
  14. create_role_mount_path + '/issue/' + create_role_name: {'policy': 'write'},
  15. create_role_mount_path + '/roles/' + create_role_name: {'policy': 'read'}
  16. }} | to_json + '\n'
  17. }}
  18. {%- else -%}
  19. {{ create_role_policy_rules | to_json + '\n' }}
  20. {%- endif -%}
  21. status_code: 204
  22. delegate_to: "{{ groups.vault|first }}"
  23. run_once: true
  25. - name: create_role | Create {{ create_role_name }} role in the {{ create_role_mount_path }} pki mount
  26. uri:
  27. url: "{{ hostvars[groups.vault|first]['vault_leader_url'] }}/v1/{{ create_role_mount_path }}/roles/{{ create_role_name }}"
  28. headers: "{{ hostvars[groups.vault|first]['vault_headers'] }}"
  29. method: POST
  30. body_format: json
  31. body: >-
  32. {%- if create_role_options|d("default") == "default" -%}
  33. {'allow_any_name': true}
  34. {%- else -%}
  35. {{ create_role_options }}
  36. {%- endif -%}
  37. status_code: 204
  38. delegate_to: "{{ groups.vault|first }}"
  39. run_once: true
  41. ## Userpass based auth method
  43. - include: gen_userpass.yml
  44. vars:
  45. gen_userpass_password: "{{ create_role_password }}"
  46. gen_userpass_policies: "{{ create_role_name }}"
  47. gen_userpass_role: "{{ create_role_name }}"
  48. gen_userpass_username: "{{ create_role_name }}"