Remove Vault (#3684)

* Remove Vault * Remove reference to 'kargo' in the doc * change check order
2026-05-08 01:47:37 -02:30 · 2018-11-10 17:51:24 +01:00
parent b2b421840c
commit 3dcb914607
70 changed files with 93 additions and 166 deletions
--- a/roles/etcd/tasks/gen_certs_vault.yml
+++ b/roles/etcd/tasks/gen_certs_vault.yml
@@ -1,73 +0,0 @@
---
- include_tasks: sync_etcd_master_certs.yml
-  when: inventory_hostname in groups.etcd
-  tags:
-    - etcd-secrets
-
- include_tasks: sync_etcd_node_certs.yml
-  when: inventory_hostname in etcd_node_cert_hosts
-  tags:
-    - etcd-secrets
-
-# Issue master certs to Etcd nodes
- include_tasks: ../../vault/tasks/shared/issue_cert.yml
-  vars:
-    issue_cert_common_name: "etcd:master:{{ item.rsplit('/', 1)[1].rsplit('.', 1)[0] }}"
-    issue_cert_alt_names: "{{ groups['etcd'] + ['localhost'] + (etcd_cert_alt_names)|default() }}"
-    issue_cert_copy_ca: "{{ item == etcd_master_certs_needed|first }}"
-    issue_cert_file_group: "{{ etcd_cert_group }}"
-    issue_cert_file_owner: kube
-    issue_cert_hosts: "{{ groups.etcd }}"
-    issue_cert_ip_sans: >-
-        [
-        {%- for host in groups.etcd  -%}
-        "{{ hostvars[host]['ansible_default_ipv4']['address'] }}",
-        {%- if hostvars[host]['ip'] is defined -%}
-        "{{ hostvars[host]['ip'] }}",
-        {%- endif -%}
-        {%- endfor -%}
-        {%- for cert_alt_ip in etcd_cert_alt_ips -%}
-        "{{ cert_alt_ip }}",
-        {%- endfor -%}
-        "127.0.0.1","::1"
-        ]
-    issue_cert_path: "{{ item }}"
-    issue_cert_role: etcd
-    issue_cert_url: "{{ hostvars[groups.vault|first]['vault_leader_url'] }}"
-    issue_cert_mount_path: "{{ etcd_vault_mount_path }}"
-  with_items: "{{ etcd_master_certs_needed|d([]) }}"
-  when: inventory_hostname in groups.etcd
-  notify: set etcd_secret_changed
-
-# Issue node certs to everyone else
- include_tasks: ../../vault/tasks/shared/issue_cert.yml
-  vars:
-    issue_cert_common_name: "etcd:node:{{ item.rsplit('/', 1)[1].rsplit('.', 1)[0] }}"
-    issue_cert_alt_names: "{{ etcd_node_cert_hosts }}"
-    issue_cert_copy_ca: "{{ item == etcd_node_certs_needed|first }}"
-    issue_cert_file_group: "{{ etcd_cert_group }}"
-    issue_cert_file_owner: kube
-    issue_cert_hosts: "{{ etcd_node_cert_hosts }}"
-    issue_cert_ip_sans: >-
-        [
-        {%- for host in etcd_node_cert_hosts -%}
-        "{{ hostvars[host]['ansible_default_ipv4']['address'] }}",
-        {%- if hostvars[host]['ip'] is defined -%}
-        "{{ hostvars[host]['ip'] }}",
-        {%- endif -%}
-        {%- endfor -%}
-        "127.0.0.1","::1"
-        ]
-    issue_cert_path: "{{ item }}"
-    issue_cert_role: etcd
-    issue_cert_url: "{{ hostvars[groups.vault|first]['vault_leader_url'] }}"
-    issue_cert_mount_path: "{{ etcd_vault_mount_path }}"
-  with_items: "{{ etcd_node_certs_needed|d([]) }}"
-  when: inventory_hostname in etcd_node_cert_hosts
-  notify: set etcd_secret_changed
-
- name: gen_certs_vault | ensure file permissions
-  shell: >-
-    find {{etcd_cert_dir }} -type d -exec chmod 0755 {} \; &&
-    find {{etcd_cert_dir }} -type f -exec chmod 0640 {} \;
-  changed_when: false
--- a/roles/etcd/tasks/main.yml
+++ b/roles/etcd/tasks/main.yml
@@ -5,7 +5,9 @@
    - etcd-secrets
    - facts

- include_tasks: "gen_certs_{{ cert_management }}.yml"
+- include_tasks: "gen_certs_script.yml"
+  when:
+    - cert_management |d('script') == "script"
  tags:
    - etcd-secrets

--- a/roles/etcd/tasks/sync_etcd_master_certs.yml
+++ b/roles/etcd/tasks/sync_etcd_master_certs.yml
@@ -1,39 +0,0 @@
---
-
- name: sync_etcd_master_certs | Create list of master certs needing creation
-  set_fact:
-    etcd_master_cert_list: >-
-        {{ etcd_master_cert_list|default([]) +  [
-        "admin-" + inventory_hostname + ".pem",
-        "member-" + inventory_hostname + ".pem"
-        ] }}
-
- include_tasks: ../../vault/tasks/shared/sync_file.yml
-  vars:
-    sync_file: "{{ item }}"
-    sync_file_dir: "{{ etcd_cert_dir }}"
-    sync_file_hosts: [ "{{ inventory_hostname }}" ]
-    sync_file_owner: kube
-    sync_file_group: root
-    sync_file_is_cert: true
-  with_items: "{{ etcd_master_cert_list|d([]) }}"
-
- name: sync_etcd_certs | Set facts for etcd sync_file results
-  set_fact:
-    etcd_master_certs_needed: "{{ etcd_master_certs_needed|default([]) + [item.path] }}"
-  with_items: "{{ sync_file_results|d([]) }}"
-  when: item.no_srcs|bool
-
- name: sync_etcd_certs | Unset sync_file_results after etcd certs sync
-  set_fact:
-    sync_file_results: []
-
- include_tasks: ../../vault/tasks/shared/sync_file.yml
-  vars:
-    sync_file: ca.pem
-    sync_file_dir: "{{ etcd_cert_dir }}"
-    sync_file_hosts: [ "{{ inventory_hostname }}" ]
-
- name: sync_etcd_certs | Unset sync_file_results after ca.pem sync
-  set_fact:
-    sync_file_results: []
--- a/roles/etcd/tasks/sync_etcd_node_certs.yml
+++ b/roles/etcd/tasks/sync_etcd_node_certs.yml
@@ -1,33 +0,0 @@
---
-
- name: sync_etcd_node_certs | Create list of node certs needing creation
-  set_fact:
-    etcd_node_cert_list: "{{ etcd_node_cert_list|default([]) +  ['node-' + inventory_hostname + '.pem'] }}"
-
- include_tasks: ../../vault/tasks/shared/sync_file.yml
-  vars:
-    sync_file: "{{ item }}"
-    sync_file_dir: "{{ etcd_cert_dir }}"
-    sync_file_hosts: [ "{{ inventory_hostname }}" ]
-    sync_file_is_cert: true
-  with_items: "{{ etcd_node_cert_list|d([]) }}"
-
- name: sync_etcd_node_certs | Set facts for etcd sync_file results
-  set_fact:
-    etcd_node_certs_needed: "{{ etcd_node_certs_needed|default([]) + [item.path] }}"
-  with_items: "{{ sync_file_results|d([]) }}"
-  when: item.no_srcs|bool
-
- name: sync_etcd_node_certs | Unset sync_file_results after etcd node certs
-  set_fact:
-    sync_file_results: []
-
- include_tasks: ../../vault/tasks/shared/sync_file.yml
-  vars:
-    sync_file: ca.pem
-    sync_file_dir: "{{ etcd_cert_dir }}"
-    sync_file_hosts: "{{ groups['etcd'] }}"
-
- name: sync_etcd_node_certs | Unset sync_file_results after ca.pem
-  set_fact:
-    sync_file_results: []