External-Mirrors/kubespray
2
0
Fork 0
mirror of https://github.com/kubernetes-sigs/kubespray.git synced 2026-05-12 03:47:38 -02:30
Code Issues Packages Projects Releases Wiki Activity

Vault security hardening and role isolation

Browse Source
This commit is contained in:
Josh Conant
2017-02-08 21:41:36 +00:00
parent f4ec2d18e5
commit 245e05ce61
78 changed files with 1408 additions and 706 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
roles/vault/tasks/cluster/binary.yml Normal file
View File

@@ -0,0 +1,9 @@
---
- name: cluster/binary | Copy vault binary from downloaddir
copy:
src: "{{ local_release_dir }}/vault/vault"
dest: "/usr/bin/vault"
remote_src: true
mode: "0755"
owner: vault

14
roles/vault/tasks/cluster/configure.yml Normal file
View File

@@ -0,0 +1,14 @@
---
- name: cluster/configure | Ensure the vault/config directory exists
file:
dest: "{{ vault_config_dir }}"
mode: 0750
state: directory
- name: cluster/configure | Lay down the configuration file
copy:
content: "{{ vault_config | to_nice_json(indent=4) }}"
dest: "{{ vault_config_dir }}/config.json"
mode: 0640
register: vault_config_change

9
roles/vault/tasks/cluster/create_roles.yml Normal file
View File

@@ -0,0 +1,9 @@
---
- include: ../shared/create_role.yml
vars:
create_role_name: "{{ item.name }}"
create_role_group: "{{ item.group }}"
create_role_policy_rules: "{{ item.policy_rules }}"
create_role_options: "{{ item.role_options }}"
with_items: "{{ vault_roles|d([]) }}"

25
roles/vault/tasks/cluster/docker.yml
View File

@@ -1,25 +0,0 @@
---
- name: docker | Check on state of docker instance
command: "docker inspect {{ vault_container_name }}"
ignore_errors: true
register: vault_container_inspect
- name: docker | Set fact on container status
set_fact:
vault_container_inspect_json: "{{ vault_container_inspect.stdout|from_json }}"
when: vault_container_inspect|succeeded
# Not sure if State.Running is the best check here...
- name: docker | Remove old container if it's not currently running
command: "docker rm {{ vault_container_name }}"
when: vault_container_inspect|succeeded and not vault_container_inspect_json[0]["State"]["Running"]|bool
- name: docker | Start a new Vault instance
command: >
docker run -d --cap-add=IPC_LOCK --name {{vault_container_name}} -p {{vault_port}}:{{vault_port}}
-e 'VAULT_LOCAL_CONFIG={{ vault_config|to_json }}'
-v /etc/vault:/etc/vault
{{vault_image_repo}}:{{vault_version}} server
register: vault_docker_start
when: vault_container_inspect|failed or not vault_container_inspect_json[0]["State"]["Running"]|bool

33
roles/vault/tasks/cluster/gen_kube_master_certs.yml
View File

@@ -1,33 +0,0 @@
---
- name: "cluster/gen_kube_node_certs | Ensure kube_cert_dir exists"
file:
path: "{{ kube_cert_dir }}"
state: directory
- name: gen_kube_master_certs | Add the kube role
uri:
url: "https://{{ hostvars[groups.vault|first]['vault_leader'] }}:{{ vault_port }}/v1/pki/roles/kubernetes"
headers: "{{ hostvars[groups.vault|first]['vault_headers'] }}"
method: POST
body_format: json
body: "{{ vault_default_role_permissions }}"
status_code: 204
when: inventory_hostname == groups["kube-master"]|first
- include: ../gen_cert.yml
vars:
gen_cert_alt_names: "{{ groups['kube-master'] | join(',') }},localhost"
gen_cert_copy_ca: "{{ true if item == vault_kube_master_certs_needed|first else false }}"
gen_cert_hosts: "{{ groups['kube-master'] }}"
gen_cert_ip_sans: >-
{%- for host in groups["kube-master"] -%}
{{ hostvars[host]["ansible_default_ipv4"]["address"] }}
{%- if not loop.last -%},{%- endif -%}
{%- endfor -%}
,127.0.0.1,::1
gen_cert_path: "{{ item }}"
gen_cert_vault_headers: "{{ hostvars[groups.vault|first]['vault_headers'] }}"
gen_cert_vault_role: kubernetes
gen_cert_vault_url: "https://{{ hostvars[groups.vault|first]['vault_leader'] }}:{{ vault_port }}"
with_items: "{{ vault_kube_master_certs_needed|default([]) }}"

33
roles/vault/tasks/cluster/gen_kube_node_certs.yml
View File

@@ -1,33 +0,0 @@
---
- name: "cluster/gen_kube_node_certs | Ensure kube_cert_dir exists"
file:
path: "{{ kube_cert_dir }}"
state: directory
- name: "cluster/gen_kube_node_certs | Add the kubernetes role"
uri:
url: "https://{{ hostvars[groups.vault|first]['vault_leader'] }}:{{ vault_port }}/v1/pki/roles/kubernetes"
headers: "{{ hostvars[groups.vault|first]['vault_headers'] }}"
method: POST
body_format: json
body: "{{ vault_default_role_permissions }}"
status_code: 204
when: inventory_hostname == groups["k8s-cluster"]|first
- include: ../gen_cert.yml
vars:
gen_cert_alt_names: "{{ groups['k8s-cluster'] | join(',') }},localhost"
gen_cert_copy_ca: "{{ true if item == vault_kube_node_certs_needed|first else false }}"
gen_cert_hosts: "{{ groups['k8s-cluster'] }}"
gen_cert_ip_sans: >-
{%- for host in groups["k8s-cluster"] -%}
{{ hostvars[host]["ansible_default_ipv4"]["address"] }}
{%- if not loop.last -%},{%- endif -%}
{%- endfor -%}
,127.0.0.1,::1
gen_cert_path: "{{ item }}"
gen_cert_vault_headers: "{{ hostvars[groups.vault|first]['vault_headers'] }}"
gen_cert_vault_role: kubernetes
gen_cert_vault_url: "https://{{ hostvars[groups.vault|first]['vault_leader'] }}:{{ vault_port }}"
with_items: "{{ vault_kube_node_certs_needed|default([]) }}"

3
roles/vault/tasks/cluster/init.yml
View File

@@ -28,6 +28,7 @@
- name: cluster/init | Ensure the vault_secrets_dir exists
file:
mode: 0750
path: "{{ vault_secrets_dir }}"
state: directory
@@ -35,12 +36,14 @@
copy:
content: "{{ vault_unseal_keys|join('\n') }}"
dest: "{{ vault_secrets_dir }}/unseal_keys"
mode: 0640
when: not vault_cluster_is_initialized
- name: cluster/init | Ensure all in groups.vault have the root_token locally
copy:
content: "{{ vault_root_token }}"
dest: "{{ vault_secrets_dir }}/root_token"
mode: 0640
when: not vault_cluster_is_initialized
- name: cluster/init | Ensure vault_headers and vault statuses are updated

43
roles/vault/tasks/cluster/main.yml
View File

@@ -1,30 +1,35 @@
---
- include: ../shared/check_vault.yml
when: inventory_hostname in groups.vault
- include: ../shared/check_etcd.yml
when: inventory_hostname in groups.vault
## Vault Cluster Setup
- include: docker.yml
when: inventory_hostname in groups.vault and vault_deployment_type == "docker"
- include: configure.yml
when: inventory_hostname in groups.vault
- include: binary.yml
when: inventory_hostname in groups.vault and vault_deployment_type == "host"
- include: systemd.yml
when: inventory_hostname in groups.vault
- include: init.yml
when: inventory_hostname in groups.vault
- include: unseal.yml
when: inventory_hostname in groups.vault
- include: pki_mount.yml
when: 'inventory_hostname == hostvars[groups.vault|first]["vault_leader"]'
- include: config_ca.yml
- include: ../shared/find_leader.yml
when: inventory_hostname in groups.vault
- include: ../shared/pki_mount.yml
when: inventory_hostname == groups.vault|first
- include: ../shared/config_ca.yml
vars:
vault_url: "https://{{ vault_leader }}:{{ vault_port }}"
when: 'inventory_hostname == hostvars[groups.vault|first]["vault_leader"]'
ca_name: ca
mount_name: pki
when: inventory_hostname == groups.vault|first
## Sync Kubernetes Certs
## Vault Policies, Roles, and Auth Backends
- include: sync_kube_master_certs.yml
when: inventory_hostname in groups["kube-master"]
- include: sync_kube_node_certs.yml
when: inventory_hostname in groups["k8s-cluster"]
## Generate Kubernetes Certs
- include: gen_kube_master_certs.yml
when: inventory_hostname in groups["kube-master"]
- include: gen_kube_node_certs.yml
when: inventory_hostname in groups["k8s-cluster"]
- include: role_auth_cert.yml
when: vault_role_auth_method == "cert"
- include: role_auth_userpass.yml
when: vault_role_auth_method == "userpass"

23
roles/vault/tasks/cluster/pki_mount.yml
View File

@@ -1,23 +0,0 @@
---
- name: cluster/pki_mount | Test if default PKI mount exists
uri:
url: "https://localhost:{{ vault_port }}/v1/sys/mounts/pki/tune"
headers: "{{ vault_headers }}"
validate_certs: false
ignore_errors: true
register: vault_pki_mount_check
- name: cluster/pki_mount | Mount default PKI mount if needed
uri:
url: "https://localhost:{{ vault_port }}/v1/sys/mounts/pki"
headers: "{{ vault_headers }}"
method: POST
body_format: json
body:
config:
default_lease_ttl: "{{ vault_default_lease_ttl }}"
max_lease_ttl: "{{ vault_max_lease_ttl }}"
type: pki
status_code: 204
when: vault_pki_mount_check | failed

19
roles/vault/tasks/cluster/role_auth_cert.yml Normal file
View File

@@ -0,0 +1,19 @@
---
- include: ../shared/cert_auth_mount.yml
when: inventory_hostname == groups.vault|first
- include: ../shared/auth_backend.yml
vars:
auth_backend_description: A Cert-based Auth primarily for services needing to issue certificates
auth_backend_name: cert
auth_backend_type: cert
when: inventory_hostname == groups.vault|first
- include: ../shared/config_ca.yml
vars:
ca_name: auth-ca
mount_name: auth-pki
when: inventory_hostname == groups.vault|first
- include: create_roles.yml

10
roles/vault/tasks/cluster/role_auth_userpass.yml Normal file
View File

@@ -0,0 +1,10 @@
---
- include: ../shared/auth_backend.yml
vars:
auth_backend_description: A Username/Password Auth Backend primarily used for services needing to issue certificates
auth_backend_path: userpass
auth_backend_type: userpass
when: inventory_hostname == groups.vault|first
- include: create_roles.yml

38
roles/vault/tasks/cluster/sync_kube_master_certs.yml
View File

@@ -1,38 +0,0 @@
---
- name: cluster/sync_kube_master_certs | Create list of needed certs
set_fact:
vault_kube_master_cert_list: >-
{{ vault_kube_master_cert_list|default([]) + [
"admin-" + item + ".pem",
"apiserver-" + item + ".pem"
] }}
with_items: "{{ groups['kube-master'] }}"
- include: ../sync_file.yml
vars:
sync_file: "{{ item }}"
sync_file_dir: "{{ kube_cert_dir }}"
sync_file_hosts: "{{ groups['kube-master'] }}"
sync_file_is_cert: true
with_items: "{{ vault_kube_master_cert_list|default([]) }}"
- name: cluster/sync_kube_master_certs | Set facts for kube-master sync_file results
set_fact:
vault_kube_master_certs_needed: "{{ vault_kube_master_certs_needed|default([]) + [item.path] }}"
with_items: "{{ sync_file_results }}"
when: item.no_srcs|bool
- name: cluster/sync_kube_master_certs | Unset sync_file_results after kube master certs
set_fact:
sync_file_results: []
- include: ../sync_file.yml
vars:
sync_file: ca.pem
sync_file_dir: "{{ kube_cert_dir }}"
sync_file_hosts: "{{ groups['kube-master'] }}"
- name: cluster/sync_kube_master_certs | Unset sync_file_results after ca.pem
set_fact:
sync_file_results: []

34
roles/vault/tasks/cluster/sync_kube_node_certs.yml
View File

@@ -1,34 +0,0 @@
---
- name: cluster/sync_kube_node_certs | Create list of needed certs
set_fact:
vault_kube_node_cert_list: "{{ vault_kube_node_cert_list|default([]) + ['node-' + item + '.pem'] }}"
with_items: "{{ groups['k8s-cluster'] }}"
- include: ../sync_file.yml
vars:
sync_file: "{{ item }}"
sync_file_dir: "{{ kube_cert_dir }}"
sync_file_hosts: "{{ groups['k8s-cluster'] }}"
sync_file_is_cert: true
with_items: "{{ vault_kube_node_cert_list|default([]) }}"
- name: cluster/sync_kube_node_certs | Set facts for kube-master sync_file results
set_fact:
vault_kube_node_certs_needed: "{{ vault_kube_node_certs_needed|default([]) + [item.path] }}"
with_items: "{{ sync_file_results }}"
when: item.no_srcs|bool
- name: cluster/sync_kube_node_certs | Unset sync_file_results after kube node certs
set_fact:
sync_file_results: []
- include: ../sync_file.yml
vars:
sync_file: ca.pem
sync_file_dir: "{{ kube_cert_dir }}"
sync_file_hosts: "{{ groups['k8s-cluster'] }}"
- name: cluster/sync_kube_node_certs | Unset sync_file_results after ca.pem
set_fact:
sync_file_results: []

45
roles/vault/tasks/cluster/systemd.yml Normal file
View File

@@ -0,0 +1,45 @@
---
- name: cluster/systemd | Ensure mount points exist prior to vault.service startup
file:
mode: 0750
path: "{{ item }}"
state: directory
with_items:
- "{{ vault_config_dir }}"
- "{{ vault_log_dir }}"
- "{{ vault_secrets_dir }}"
- /var/lib/vault/
- name: cluster/systemd | Ensure the vault user has access to needed directories
file:
owner: vault
path: "{{ item }}"
recurse: true
with_items:
- "{{ vault_base_dir }}"
- "{{ vault_log_dir }}"
- /var/lib/vault
- name: cluster/systemd | Copy down vault.service systemd file
template:
src: "{{ vault_deployment_type }}.service.j2"
dest: /etc/systemd/system/vault.service
backup: yes
register: vault_systemd_placement
- name: cluster/systemd | Enable vault.service
systemd:
daemon_reload: true
enabled: yes
name: vault
state: started
- name: cluster/systemd | Query local vault until service is up
uri:
url: "{{ vault_config.listener.tcp.tls_disable|d()|ternary('http', 'https') }}://localhost:{{ vault_port }}/v1/sys/health"
headers: "{{ vault_client_headers }}"
status_code: 200,429,500,501
register: vault_health_check
until: vault_health_check|succeeded
retries: 10

14
roles/vault/tasks/cluster/unseal.yml
View File

@@ -11,16 +11,12 @@
with_items: "{{ vault_unseal_keys|default([]) }}"
when: vault_is_sealed
- name: cluster/unseal | Find the current leader
- name: cluster/unseal | Wait until server is ready
uri:
url: "https://localhost:{{ vault_port }}/v1/sys/health"
headers: "{{ vault_headers }}"
method: HEAD
status_code: 200,429
register: vault_leader_check
- name: cluster/unseal | Set fact for current leader
set_fact:
vault_leader: "{{ item }}"
with_items: "{{ groups.vault }}"
when: 'hostvars[item]["vault_leader_check"]["status"] == 200'
status_code: 200, 429
register: vault_node_ready
until: vault_node_ready|succeeded
retries: 5