kubespray/roles/vault/tasks/bootstrap/main.yml

---

- include: ../shared/check_vault.yml
  when: inventory_hostname in groups.vault

- include: sync_secrets.yml
  when: inventory_hostname in groups.vault

- include: ../shared/find_leader.yml
  when: inventory_hostname in groups.vault and vault_cluster_is_initialized|d()

## Sync Certs

- include: sync_vault_certs.yml
  when: inventory_hostname in groups.vault

- include: sync_etcd_certs.yml
  when: inventory_hostname in groups.etcd

## Generate Certs

# Start a temporary instance of Vault
- include: start_vault_temp.yml
  when: >-
        inventory_hostname == groups.vault|first and
        not vault_cluster_is_initialized

# Set vault_leader_url for all nodes based on above
- name: vault | bootstrap
  set_fact:
    vault_leader_url: "{{ hostvars[groups.vault|first]['vault_leader_url'] }}"
  when: not vault_cluster_is_initialized

# Ensure vault PKI mounts exists
- include: ../shared/create_mount.yml
  vars:
    create_mount_path: "{{ vault_ca_options.common_name }}"
    create_mount_default_lease_ttl: "{{ vault_default_lease_ttl }}"
    create_mount_max_lease_ttl: "{{ vault_max_lease_ttl }}"
    create_mount_description: "Vault Root CA"
    create_mount_cert_dir: "{{ vault_cert_dir }}"
    create_mount_config_ca_needed: "{{ not vault_ca_cert_needed }}"
  when: inventory_hostname == groups.vault|first

# Generate root CA certs for Vault if none exist
- include: ../shared/gen_ca.yml
  vars:
    gen_ca_cert_dir: "{{ vault_cert_dir }}"
    gen_ca_mount_path: "{{ vault_ca_options.common_name }}"
  when: >-
        inventory_hostname in groups.vault and
        not vault_cluster_is_initialized and
        vault_ca_cert_needed

# Generate Vault API certs
- include: gen_vault_certs.yml
  when: inventory_hostname in groups.vault and vault_api_cert_needed

# Ensure etcd PKI mounts exists
- include: ../shared/create_mount.yml
  vars:
    create_mount_path: "{{ vault_etcd_mount_path }}"
    create_mount_default_lease_ttl: "{{ vault_etcd_default_lease_ttl }}"
    create_mount_max_lease_ttl: "{{ vault_etcd_max_lease_ttl }}"
    create_mount_description: "Etcd Root CA"
    create_mount_cert_dir: "{{ vault_etcd_cert_dir }}"
    create_mount_config_ca_needed: "{{ not vault_etcd_ca_cert_needed }}"
  when: inventory_hostname == groups.vault|first

# Generate root CA certs for etcd if none exist
- include: ../shared/gen_ca.yml
  vars:
    gen_ca_cert_dir: "{{ vault_etcd_cert_dir }}"
    gen_ca_mount_path: "{{ vault_etcd_mount_path }}"
  when: inventory_hostname in groups.etcd and vault_etcd_ca_cert_needed

- include: create_etcd_role.yml

# Update all host's CA bundle, etcd CA will be added in etcd role
- include: ca_trust.yml