Change single Vault pki mount to multi pki mounts paths for etcd and kube CA`s (#1552)

* Added update CA trust step for etcd and kube/secrets roles * Added load_balancer_domain_name to certificate alt names if defined. Reset CA's in RedHat os. * Rename kube-cluster-ca.crt to vault-ca.crt, we need separated CA`s for vault, etcd and kube. * Vault role refactoring, remove optional cert vault auth because not not used and worked. Create separate CA`s fro vault and etcd. * Fixed different certificates set for vault cert_managment * Update doc/vault.md * Fixed condition create vault CA, wrong group * Fixed missing etcd_cert_path mount for rkt deployment type. Distribute vault roles for all vault hosts * Removed wrong when condition in create etcd role vault tasks.
2026-03-21 02:47:39 -02:30 · 2017-08-30 16:03:22 +03:00
parent 72a0d78b3c
commit 6eb22c5db2
36 changed files with 337 additions and 329 deletions
--- a/roles/vault/tasks/cluster/create_roles.yml
+++ b/roles/vault/tasks/cluster/create_roles.yml
@@ -1,4 +1,10 @@
 ---
+- include: ../shared/auth_backend.yml
+  vars:
+    auth_backend_description: A Username/Password Auth Backend primarily used for services needing to issue certificates
+    auth_backend_path: userpass
+    auth_backend_type: userpass
+  when: inventory_hostname == groups.vault|first

 - include: ../shared/create_role.yml
  vars:
@@ -6,4 +12,7 @@
    create_role_group: "{{ item.group }}"
    create_role_policy_rules: "{{ item.policy_rules }}"
    create_role_options: "{{ item.role_options }}"
-  with_items: "{{ vault_roles|d([]) }}"
+    create_role_mount_path: "{{ item.mount_path }}"
+  with_items:
+    - "{{ vault_etcd_role }}"
+    - "{{ vault_kube_role }}"
--- a/roles/vault/tasks/cluster/main.yml
+++ b/roles/vault/tasks/cluster/main.yml
@@ -25,19 +25,42 @@
 - include: ../shared/find_leader.yml
  when: inventory_hostname in groups.vault

- include: ../shared/pki_mount.yml
+- include: ../shared/create_mount.yml
+  vars:
+    create_mount_path: "{{ vault_ca_options.common_name }}"
+    create_mount_default_lease_ttl: "{{ vault_default_lease_ttl }}"
+    create_mount_max_lease_ttl: "{{ vault_max_lease_ttl }}"
+    create_mount_description: "Vault Root CA"
+    create_mount_cert_dir: "{{ vault_cert_dir }}"
+    create_mount_config_ca_needed: true
  when: inventory_hostname == groups.vault|first

- include: ../shared/config_ca.yml
+- include: ../shared/create_mount.yml
  vars:
-    ca_name: ca
-    mount_name: pki
+    create_mount_path: "{{ vault_etcd_mount_path }}"
+    create_mount_default_lease_ttl: "{{ vault_etcd_default_lease_ttl }}"
+    create_mount_max_lease_ttl: "{{ vault_etcd_max_lease_ttl }}"
+    create_mount_description: "Etcd Root CA"
+    create_mount_cert_dir: "{{ vault_etcd_cert_dir }}"
+    create_mount_config_ca_needed: true
  when: inventory_hostname == groups.vault|first

+- include: ../shared/create_mount.yml
+  vars:
+    create_mount_path: "{{ vault_kube_mount_path }}"
+    create_mount_default_lease_ttl: "{{ vault_kube_default_lease_ttl }}"
+    create_mount_max_lease_ttl: "{{ vault_kube_max_lease_ttl }}"
+    create_mount_description: "Kubernetes Root CA"
+    create_mount_cert_dir: "{{ vault_kube_cert_dir }}"
+    create_mount_config_ca_needed: false
+  when: inventory_hostname == groups.vault|first
+
+- include: ../shared/gen_ca.yml
+  vars:
+    gen_ca_cert_dir: "{{ vault_kube_cert_dir }}"
+    gen_ca_mount_path: "{{ vault_kube_mount_path }}"
+  when: inventory_hostname in groups.vault
+
 ## Vault Policies, Roles, and Auth Backends

- include: role_auth_cert.yml
-  when: vault_role_auth_method == "cert"
-
- include: role_auth_userpass.yml
-  when: vault_role_auth_method == "userpass"
+- include: create_roles.yml
--- a/roles/vault/tasks/cluster/role_auth_cert.yml
+++ b/roles/vault/tasks/cluster/role_auth_cert.yml
@@ -1,19 +0,0 @@
---
-
- include: ../shared/cert_auth_mount.yml
-  when: inventory_hostname == groups.vault|first
-
- include: ../shared/auth_backend.yml
-  vars:
-    auth_backend_description: A Cert-based Auth primarily for services needing to issue certificates
-    auth_backend_name: cert
-    auth_backend_type: cert
-  when: inventory_hostname == groups.vault|first
-
- include: ../shared/config_ca.yml
-  vars:
-    ca_name: auth-ca
-    mount_name: auth-pki
-  when: inventory_hostname == groups.vault|first
-
- include: create_roles.yml
--- a/roles/vault/tasks/cluster/role_auth_userpass.yml
+++ b/roles/vault/tasks/cluster/role_auth_userpass.yml
@@ -1,10 +0,0 @@
---
-
- include: ../shared/auth_backend.yml
-  vars:
-    auth_backend_description: A Username/Password Auth Backend primarily used for services needing to issue certificates
-    auth_backend_path: userpass
-    auth_backend_type: userpass
-  when: inventory_hostname == groups.vault|first
-
- include: create_roles.yml