richard
/
kubespray
mirror of https://github.com/kubernetes-sigs/kubespray.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
3141 Commits
30 Branches
81 Tags
149 MiB
Tree: 728024e8ff
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '728024e8ff'
${ noResults }
kubespray/roles/vault/tasks/shared/check_vault.yml

49 lines
2.0 KiB
Raw Normal View History

Vault security hardening and role isolation
7 years ago
refactor vault role (#2733) * Move front-proxy-client certs back to kube mount We want the same CA for all k8s certs * Refactor vault to use a third party module The module adds idempotency and reduces some of the repetitive logic in the vault role Requires ansible-modules-hashivault on ansible node and hvac on the vault hosts themselves Add upgrade test scenario Remove bootstrap-os tags from tasks * fix upgrade issues * improve unseal logic * specify ca and fix etcd check * Fix initialization check bump machine size
6 years ago
Vault security hardening and role isolation
7 years ago
refactor vault role (#2733) * Move front-proxy-client certs back to kube mount We want the same CA for all k8s certs * Refactor vault to use a third party module The module adds idempotency and reduces some of the repetitive logic in the vault role Requires ansible-modules-hashivault on ansible node and hvac on the vault hosts themselves Add upgrade test scenario Remove bootstrap-os tags from tasks * fix upgrade issues * improve unseal logic * specify ca and fix etcd check * Fix initialization check bump machine size
6 years ago
Adding yamllinter to ci steps (#1556) * Adding yaml linter to ci check * Minor linting fixes from yamllint * Changing CI to install python pkgs from requirements.txt - adding in a secondary requirements.txt for tests - moving yamllint to tests requirements
7 years ago
Vault security hardening and role isolation
7 years ago
refactor vault role (#2733) * Move front-proxy-client certs back to kube mount We want the same CA for all k8s certs * Refactor vault to use a third party module The module adds idempotency and reduces some of the repetitive logic in the vault role Requires ansible-modules-hashivault on ansible node and hvac on the vault hosts themselves Add upgrade test scenario Remove bootstrap-os tags from tasks * fix upgrade issues * improve unseal logic * specify ca and fix etcd check * Fix initialization check bump machine size
6 years ago
Vault security hardening and role isolation
7 years ago
refactor vault role (#2733) * Move front-proxy-client certs back to kube mount We want the same CA for all k8s certs * Refactor vault to use a third party module The module adds idempotency and reduces some of the repetitive logic in the vault role Requires ansible-modules-hashivault on ansible node and hvac on the vault hosts themselves Add upgrade test scenario Remove bootstrap-os tags from tasks * fix upgrade issues * improve unseal logic * specify ca and fix etcd check * Fix initialization check bump machine size
6 years ago
Vault security hardening and role isolation
7 years ago
FIX: Unneded (extra) cycles in some tasks (#1393)
7 years ago
  1. ---
  2. # Stop temporary Vault if it's running (can linger if playbook fails out)
  3. - name: stop vault-temp container
  4. shell: docker stop {{ vault_temp_container_name }} || rkt stop {{ vault_temp_container_name }}
  5. failed_when: false
  6. register: vault_temp_stop
  7. changed_when: vault_temp_stop|succeeded
  9. # Check if vault is reachable on the localhost
  10. - name: check_vault | Attempt to pull local https Vault health
  11. command: /bin/true
  12. notify: wait for vault up nowait
  14. - meta: flush_handlers
  16. - name: check_vault | Set facts about local Vault health
  17. set_fact:
  18. vault_is_running: "{{ vault_health_check.get('status', '-1') in vault_successful_http_codes }}"
  20. - name: check_vault | Set facts about local Vault health
  21. set_fact:
  22. vault_is_initialized: "{{ vault_health_check.get('json', {}).get('initialized', false) }}"
  23. vault_is_sealed: "{{ vault_health_check.get('json', {}).get('sealed', true) }}"
  24. # vault_in_standby: "{{ vault_health_check.get('json', {}).get('standby', true) }}"
  25. # vault_run_version: "{{ vault_local_service_health.get('json', {}).get('version', '') }}"
  27. - name: check_vault | Check is vault is initialized in etcd if vault is not running
  28. command: |-
  29. curl \
  30. --cacert {{ etcd_cert_dir }}/ca.pem \
  31. --cert {{ etcd_cert_dir}}/node-{{ inventory_hostname }}.pem \
  32. --key {{ etcd_cert_dir }}/node-{{ inventory_hostname }}-key.pem \
  33. -X POST -d '{"key": "{{ "/vault/core/seal-config" | b64encode }}"}' \
  34. {{ etcd_access_addresses.split(',') | first }}/v3alpha/kv/range
  35. register: vault_etcd_exists
  36. retries: 4
  37. delay: "{{ retry_stagger | random + 3 }}"
  38. run_once: true
  39. when: not vault_is_running and vault_etcd_available
  40. changed_when: false
  42. - name: check_vault | Set fact about the Vault cluster's initialization state
  43. set_fact:
  44. vault_cluster_is_initialized: >-
  45. {{ vault_is_initialized or
  46. hostvars[item]['vault_is_initialized'] or
  47. 'Key not found' not in vault_etcd_exists.stdout|default('Key not found') }}
  48. with_items: "{{ groups.vault }}"
  49. run_once: true