Merge branch 'master' into multi-arch-support

2026-05-20 15:27:56 -02:30 · 2018-08-17 16:35:50 +02:00
parent 1081f620d2 7e37aa4aca
commit 26bf719a02
191 changed files with 2050 additions and 2634 deletions
--- a/roles/vault/handlers/main.yml
+++ b/roles/vault/handlers/main.yml
@@ -3,7 +3,7 @@
  command: /bin/true
  notify:
    - restart vault service
-    - set facts about local Vault health
+    - wait for vault up
    - unseal vault

 - name: wait for vault up
--- a/roles/vault/tasks/bootstrap/main.yml
+++ b/roles/vault/tasks/bootstrap/main.yml
@@ -43,7 +43,7 @@
    - "{{ vault_pki_mounts.etcd }}"
  loop_control:
    loop_var: mount
-  when: inventory_hostname in groups.vault and not vault_cluster_is_initialized
+  when: inventory_hostname == groups.vault|first and not vault_cluster_is_initialized

 - include_tasks: ../shared/gen_ca.yml
  vars:
--- a/roles/vault/tasks/bootstrap/sync_vault_certs.yml
+++ b/roles/vault/tasks/bootstrap/sync_vault_certs.yml
@@ -4,6 +4,8 @@
    sync_file: "ca.pem"
    sync_file_dir: "{{ vault_cert_dir }}"
    sync_file_hosts: "{{ groups.vault }}"
+    sync_file_owner: vault
+    sync_file_group: root
    sync_file_is_cert: true

 - name: bootstrap/sync_vault_certs | Set facts for vault sync_file results
@@ -20,6 +22,8 @@
    sync_file: "ca.pem"
    sync_file_dir: "{{ vault_cert_dir }}"
    sync_file_hosts: "{{ groups['kube-master'] }}"
+    sync_file_owner: vault
+    sync_file_group: root
    sync_file_is_cert: false

 - name: bootstrap/sync_vault_certs | Set facts for vault sync_file results
@@ -36,6 +40,8 @@
    sync_file: "api.pem"
    sync_file_dir: "{{ vault_cert_dir }}"
    sync_file_hosts: "{{ groups.vault }}"
+    sync_file_owner: vault
+    sync_file_group: root
    sync_file_is_cert: true

 - name: bootstrap/sync_vault_certs | Set fact if Vault's API cert is needed
--- a/roles/vault/tasks/cluster/init.yml
+++ b/roles/vault/tasks/cluster/init.yml
@@ -1,5 +1,4 @@
 ---
-
 - name: cluster/init | wait for vault
  command: /bin/true
  notify: wait for vault up
--- a/roles/vault/tasks/shared/check_etcd.yml
+++ b/roles/vault/tasks/shared/check_etcd.yml
@@ -2,7 +2,7 @@

 - name: check_etcd | Check if etcd is up and reachable
  uri:
-    url: "{{ vault_etcd_url }}/health"
+    url: "{{ vault_etcd_url.split(',') | first }}/health"
    validate_certs: no
    client_cert: "{{ etcd_cert_dir }}/node-{{ inventory_hostname }}.pem"
    client_key: "{{ etcd_cert_dir }}/node-{{ inventory_hostname }}-key.pem"
@@ -26,5 +26,5 @@
  fail:
    msg: >
         Unable to start Vault cluster! Etcd is not available at
-         {{ vault_etcd_url }} however it is needed by Vault as a backend.
+         {{ vault_etcd_url.split(',') | first }} however it is needed by Vault as a backend.
  when: vault_etcd_needed|d() and not vault_etcd_available
--- a/roles/vault/tasks/shared/check_vault.yml
+++ b/roles/vault/tasks/shared/check_vault.yml
@@ -9,7 +9,9 @@
 # Check if vault is reachable on the localhost
 - name: check_vault | Attempt to pull local https Vault health
  command: /bin/true
-  notify: wait for vault up nowait
+  notify:
+    - wait for vault up nowait
+    - set facts about local Vault health

 - meta: flush_handlers

@@ -44,6 +46,6 @@
    vault_cluster_is_initialized: >-
      {{ vault_is_initialized or
         hostvars[item]['vault_is_initialized'] or
-         'Key not found' not in vault_etcd_exists.stdout|default('Key not found') }}
+         ('value' in vault_etcd_exists.stdout|default('')) }}
  with_items: "{{ groups.vault }}"
  run_once: true
--- a/roles/vault/tasks/shared/issue_cert.yml
+++ b/roles/vault/tasks/shared/issue_cert.yml
@@ -45,7 +45,7 @@
    state: directory
    recurse: yes
    owner: "vault"
-    group: "vault"
+    group: "root"
    mode: 0755

 - name: gen_certs_vault | install hvac
@@ -76,8 +76,7 @@
  run_once: true

 - name: "issue_cert | Generate {{ issue_cert_path }} for {{ issue_cert_role }} role"
-  #hashivault_write:
-  vault_cert_issue:
+  hashivault_write:
    url: "{{ issue_cert_url }}"
    token: "{{ vault_client_token }}"
    ca_cert: "{% if 'https' in issue_cert_url %}{{ vault_cert_dir }}/ca.pem{% endif %}"
@@ -88,6 +87,7 @@
      format: "{{ issue_cert_format | d('pem') }}"
      ip_sans: "{{ issue_cert_ip_sans | default([]) | join(',') }}"
  register: issue_cert_result
+  run_once: "{{ issue_cert_run_once | d(false) }}"

 - name: "issue_cert | Copy {{ issue_cert_path }} cert to all hosts"
  copy:
--- a/roles/vault/templates/host.service.j2
+++ b/roles/vault/templates/host.service.j2
@@ -4,7 +4,7 @@ After=network.target

 [Service]
 AmbientCapabilities=CAP_IPC_LOCK
-ExecStart=/usr/bin/vault server --config={{ vault_config_dir }}/config.json
+ExecStart={{ bin_dir }}/vault server --config={{ vault_config_dir }}/config.json
 LimitNOFILE=40000
 NotifyAccess=all
 Restart=always
--- a/roles/vault/templates/rkt.service.j2
+++ b/roles/vault/templates/rkt.service.j2
@@ -12,26 +12,34 @@ LimitNOFILE=40000
 # Container has the following internal mount points:
 #   /vault/file/    # File backend storage location
 #   /vault/logs/    # Log files
+ExecStartPre=-/usr/bin/rkt rm --uuid-file=/var/run/vault.uuid
+
 ExecStart=/usr/bin/rkt run \
--insecure-options=image \
--volume hosts,kind=host,source=/etc/hosts,readOnly=true \
--mount volume=hosts,target=/etc/hosts \
--volume=volume-vault-file,kind=host,source=/var/lib/vault \
--volume=volume-vault-logs,kind=host,source={{ vault_log_dir }} \
--volume=vault-cert-dir,kind=host,source={{ vault_cert_dir }} \
--mount=volume=vault-cert-dir,target={{ vault_cert_dir }} \
--volume=vault-conf-dir,kind=host,source={{ vault_config_dir }} \
--mount=volume=vault-conf-dir,target={{ vault_config_dir }} \
--volume=vault-secrets-dir,kind=host,source={{ vault_secrets_dir }} \
--mount=volume=vault-secrets-dir,target={{ vault_secrets_dir }} \
--volume=vault-roles-dir,kind=host,source={{ vault_roles_dir }} \
--mount=volume=vault-roles-dir,target={{ vault_roles_dir }} \
--volume=etcd-cert-dir,kind=host,source={{ etcd_cert_dir }} \
--mount=volume=etcd-cert-dir,target={{ etcd_cert_dir }} \
-docker://{{ vault_image_repo }}:{{ vault_image_tag }} \
--name={{ vault_container_name }} --net=host \
--caps-retain=CAP_IPC_LOCK \
--exec vault -- server --config={{ vault_config_dir }}/config.json
+        --insecure-options=image \
+        --volume hosts,kind=host,source=/etc/hosts,readOnly=true \
+        --mount volume=hosts,target=/etc/hosts \
+        --volume=volume-vault-file,kind=host,source=/var/lib/vault \
+        --volume=volume-vault-logs,kind=host,source={{ vault_log_dir }} \
+        --volume=vault-cert-dir,kind=host,source={{ vault_cert_dir }} \
+        --mount=volume=vault-cert-dir,target={{ vault_cert_dir }} \
+        --volume=vault-conf-dir,kind=host,source={{ vault_config_dir }} \
+        --mount=volume=vault-conf-dir,target={{ vault_config_dir }} \
+        --volume=vault-secrets-dir,kind=host,source={{ vault_secrets_dir }} \
+        --mount=volume=vault-secrets-dir,target={{ vault_secrets_dir }} \
+        --volume=vault-roles-dir,kind=host,source={{ vault_roles_dir }} \
+        --mount=volume=vault-roles-dir,target={{ vault_roles_dir }} \
+        --volume=etcd-cert-dir,kind=host,source={{ etcd_cert_dir }} \
+        --mount=volume=etcd-cert-dir,target={{ etcd_cert_dir }} \
+        docker://{{ vault_image_repo }}:{{ vault_image_tag }} \
+        --uuid-file-save=/var/run/vault.uuid \
+        --name={{ vault_container_name }} \
+        --net=host \
+        --caps-retain=CAP_IPC_LOCK \
+        --exec vault -- \
+                server \
+                --config={{ vault_config_dir }}/config.json
+
+ExecStop=-/usr/bin/rkt stop --uuid-file=/var/run/vault.uuid

 [Install]
 WantedBy=multi-user.target