Fix vault file owner issues and k8s apiserver cert creation (#2985)
apiserver cert should be created only once
pull/2947/head
Matthew Mosesohn
6 years ago
committed by
GitHub
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with
12 additions and
2 deletions
-
roles/etcd/tasks/sync_etcd_master_certs.yml
-
roles/kubernetes/secrets/tasks/gen_certs_vault.yml
-
roles/vault/tasks/bootstrap/main.yml
-
roles/vault/tasks/bootstrap/sync_vault_certs.yml
-
roles/vault/tasks/shared/issue_cert.yml
|
|
@ -13,6 +13,8 @@ |
|
|
|
sync_file: "{{ item }}" |
|
|
|
sync_file_dir: "{{ etcd_cert_dir }}" |
|
|
|
sync_file_hosts: [ "{{ inventory_hostname }}" ] |
|
|
|
sync_file_owner: kube |
|
|
|
sync_file_group: root |
|
|
|
sync_file_is_cert: true |
|
|
|
with_items: "{{ etcd_master_cert_list|d([]) }}" |
|
|
|
|
|
|
|
|
|
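Review bot: `sync_file_owner: kube` and `sync_file_group: root` fix who owns the etcd master certificates, but nothing in this hunk sets their permissions, so if the shared sync_file task does not enforce a mode of its own, whatever is listed in `etcd_master_cert_list` (private keys included) keeps the mode the copy produces. Worth confirming that the `sync_file_is_cert: true` path applies a key-appropriate restrictive mode, or that the synced files are not group/world readable after this task. As a style point, `sync_file_hosts: [ "{{ inventory_hostname }}" ]` pads the flow sequence; `sync_file_hosts: ["{{ inventory_hostname }}"]` matches the usual form. The enclosing task starts before this hunk.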
@ -44,6 +44,7 @@ |
|
|
|
issue_cert_file_group: "{{ kube_cert_group }}" |
|
|
|
issue_cert_file_owner: kube |
|
|
|
issue_cert_hosts: "{{ groups['kube-master'] }}" |
|
|
|
issue_cert_run_once: true |
|
|
|
issue_cert_ip_sans: >- |
|
|
|
[ |
|
|
|
{%- for host in groups['kube-master'] -%} |
|
|
|
|
|
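Review bot: `issue_cert_run_once: true` records nothing about why the apiserver certificate must be issued only once; a comment above it such as `# Issue once and copy to every master so they share a single apiserver key/cert` would keep the intent (stated only in the commit message) next to the code. Since Ansible's `run_once` executes on the first host of the play batch rather than on a member of `issue_cert_hosts`, it is worth confirming that the issuing task is delegated, or the play limited, so the key material is produced on a kube-master host and not on whichever host happens to be first. The enclosing vars block starts before this hunk.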
@ -43,7 +43,7 @@ |
|
|
|
- "{{ vault_pki_mounts.etcd }}" |
|
|
|
loop_control: |
|
|
|
loop_var: mount |
|
|
|
when: inventory_hostname in groups.vault and not vault_cluster_is_initialized |
|
|
|
when: inventory_hostname == groups.vault|first and not vault_cluster_is_initialized |
|
|
|
|
|
|
|
- include_tasks: ../shared/gen_ca.yml |
|
|
|
vars: |
|
|
|
|
|
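Review bot: The new `when: inventory_hostname == groups.vault|first and not vault_cluster_is_initialized` deliberately serialises the mount loop onto one vault host but leaves no comment saying why, so the next reader may "fix" it back to `in groups.vault`; a line like `# Configure the PKI mounts from a single vault host only (they are shared cluster state)` would preserve the reason, assuming that is indeed the motivation. Note that unlike `run_once`, this form skips the loop entirely if the first vault host is unreachable rather than moving it to another host. The task carrying this `when` starts before this hunk.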
@ -4,6 +4,8 @@ |
|
|
|
sync_file: "ca.pem" |
|
|
|
sync_file_dir: "{{ vault_cert_dir }}" |
|
|
|
sync_file_hosts: "{{ groups.vault }}" |
|
|
|
sync_file_owner: vault |
|
|
|
sync_file_group: root |
|
|
|
sync_file_is_cert: true |
|
|
|
|
|
|
|
- name: bootstrap/sync_vault_certs | Set facts for vault sync_file results |
|
|
@ -20,6 +22,8 @@ |
|
|
|
sync_file: "ca.pem" |
|
|
|
sync_file_dir: "{{ vault_cert_dir }}" |
|
|
|
sync_file_hosts: "{{ groups['kube-master'] }}" |
|
|
|
sync_file_owner: vault |
|
|
|
sync_file_group: root |
|
|
|
sync_file_is_cert: false |
|
|
|
|
|
|
|
- name: bootstrap/sync_vault_certs | Set facts for vault sync_file results |
|
|
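Review bot: `sync_file_owner: vault` in this hunk applies to `sync_file_hosts: "{{ groups['kube-master'] }}"`, and a kube-master node that is not also a vault node has no `vault` user unless something earlier creates one, so the ownership change in the shared sync_file task would fail there. Either confirm the vault user is provisioned on every master, or make the owner conditional, e.g. `sync_file_owner: "{{ 'vault' if inventory_hostname in groups.vault else 'root' }}"`. The same owner/group pair is repeated in the hunks at -4 and -36 of this file; a single default in the shared sync_file vars would keep the three copies from drifting. The enclosing task starts before this hunk.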
@ -36,6 +40,8 @@ |
|
|
|
sync_file: "api.pem" |
|
|
|
sync_file_dir: "{{ vault_cert_dir }}" |
|
|
|
sync_file_hosts: "{{ groups.vault }}" |
|
|
|
sync_file_owner: vault |
|
|
|
sync_file_group: root |
|
|
|
sync_file_is_cert: true |
|
|
|
|
|
|
|
- name: bootstrap/sync_vault_certs | Set fact if Vault's API cert is needed |
|
|
|
|
|
@ -45,7 +45,7 @@ |
|
|
|
state: directory |
|
|
|
recurse: yes |
|
|
|
owner: "vault" |
|
|
|
group: "vault" |
|
|
|
group: "root" |
|
|
|
mode: 0755 |
|
|
|
|
|
|
|
- name: gen_certs_vault | install hvac |
|
|
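Review bot: `group: "root"` is applied together with `recurse: yes` and `mode: 0755`, and the `file` module applies `mode` to directory contents when `recurse` is set, so any file already present under the cert directory — including a private key written by an earlier run — ends up 0755, i.e. world-readable. Unless this task is guaranteed to run before any key exists, drop `recurse` and set the mode on the directory alone, leaving key files to be written with their own restrictive mode. Separately, `mode: 0755` is an unquoted octal that YAML 1.1 parsers hand to Ansible as the integer 493 (which Ansible happens to reinterpret correctly, but a mode without the leading zero would silently be wrong); the documented forms are `mode: "0755"` and `recurse: true`. The enclosing task starts before this hunk.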
@ -87,6 +87,7 @@ |
|
|
|
format: "{{ issue_cert_format | d('pem') }}" |
|
|
|
ip_sans: "{{ issue_cert_ip_sans | default([]) | join(',') }}" |
|
|
|
register: issue_cert_result |
|
|
|
run_once: "{{ issue_cert_run_once | d(false) }}" |
|
|
|
|
|
|
|
- name: "issue_cert | Copy {{ issue_cert_path }} cert to all hosts" |
|
|
|
copy: |
|
|
|