richard
/
kubespray
mirror of https://github.com/kubernetes-sigs/kubespray.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
3431 Commits
29 Branches
80 Tags
156 MiB
Tree: 82a28d6bb3
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '82a28d6bb3'
${ noResults }
kubespray/roles/vault/tasks/main.yml

24 lines
895 B
Raw Normal View History

Adding the Vault role
7 years ago
Vault security hardening and role isolation
7 years ago
Adding the Vault role
7 years ago
refactor vault role (#2733) * Move front-proxy-client certs back to kube mount We want the same CA for all k8s certs * Refactor vault to use a third party module The module adds idempotency and reduces some of the repetitive logic in the vault role Requires ansible-modules-hashivault on ansible node and hvac on the vault hosts themselves Add upgrade test scenario Remove bootstrap-os tags from tasks * fix upgrade issues * improve unseal logic * specify ca and fix etcd check * Fix initialization check bump machine size
6 years ago
Vault security hardening and role isolation
7 years ago
Use include/import tasks (#2192) import_tasks will consume far less memory, so it should be used whenever it is compatible.
6 years ago
Disable vault role properly on ansible 2.2.0 when condition does not seem to work correctly at playbook level for ansible 2.2.0.
7 years ago
Adding the Vault role
7 years ago
Vault security hardening and role isolation
7 years ago
Use include/import tasks (#2192) import_tasks will consume far less memory, so it should be used whenever it is compatible.
6 years ago
Disable vault role properly on ansible 2.2.0 when condition does not seem to work correctly at playbook level for ansible 2.2.0.
7 years ago
  1. ---
  2. # The Vault role is typically a two step process:
  3. # 1. Bootstrap
  4. # This starts a temporary Vault to generate certs for Vault itself. This
  5. # includes a Root CA for the cluster, assuming one doesn't exist already.
  6. # The temporary instance will remain running after Bootstrap, to provide a
  7. # running Vault for the Etcd role to generate certs against.
  8. # 2. Cluster
  9. # Once Etcd is started, then the Cluster tasks can start up a long-term
  10. # Vault cluster using Etcd as the backend. The same Root CA is mounted as
  11. # used during step 1, allowing all certs to have the same chain of trust.
  13. - name: install hvac
  14. pip:
  15. name: "hvac"
  16. state: "present"
  18. ## Bootstrap
  19. - include_tasks: bootstrap/main.yml
  20. when: cert_management == 'vault' and vault_bootstrap | d()
  22. ## Cluster
  23. - include_tasks: cluster/main.yml
  24. when: cert_management == 'vault' and not vault_bootstrap | d()