External-Mirrors/kubespray
2
0
Fork 0
mirror of https://github.com/kubernetes-sigs/kubespray.git synced 2026-02-22 05:30:51 -03:30
Code Issues Packages Projects Releases Wiki Activity

Change single Vault pki mount to multi pki mounts paths for etcd and kube CA`s (#1552)

Browse Source 
* Added update CA trust step for etcd and kube/secrets roles

* Added load_balancer_domain_name to certificate alt names if defined. Reset CA's in RedHat os.

* Rename kube-cluster-ca.crt to vault-ca.crt, we need separated CA`s for vault, etcd and kube.

* Vault role refactoring, remove optional cert vault auth because not not used and worked. Create separate CA`s fro vault and etcd.

* Fixed different certificates set for vault cert_managment

* Update doc/vault.md

* Fixed condition create vault CA, wrong group

* Fixed missing etcd_cert_path mount for rkt deployment type. Distribute vault roles for all vault hosts

* Removed wrong when condition in create etcd role vault tasks.
This commit is contained in:
Maxim Krasilnikov
2017-08-30 16:03:22 +03:00
committed by Matthew Mosesohn
parent 72a0d78b3c
commit 6eb22c5db2
36 changed files with 337 additions and 329 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
roles/vault/tasks/shared/cert_auth_mount.yml
View File

@@ -1,14 +1,13 @@
---
- include: ../shared/mount.yml
- include: ../shared/pki_mount.yml
vars:
mount_name: auth-pki
mount_options:
pki_mount_path: auth-pki
pki_mount_options:
description: PKI mount to generate certs for the Cert Auth Backend
config:
default_lease_ttl: "{{ vault_default_lease_ttl }}"
max_lease_ttl: "{{ vault_max_lease_ttl }}"
type: pki
- name: shared/auth_mount | Create a dummy role for issuing certs from auth-pki
uri:

9
roles/vault/tasks/shared/config_ca.yml
View File

@@ -1,12 +1,11 @@
---
- name: config_ca | Read root CA cert for Vault
command: "cat /etc/vault/ssl/{{ ca_name }}.pem"
command: "cat {{ config_ca_ca_pem }}"
register: vault_ca_cert_cat
- name: config_ca | Pull current CA cert from Vault
uri:
url: "{{ vault_leader_url }}/v1/{{ mount_name }}/ca/pem"
url: "{{ vault_leader_url }}/v1/{{ config_ca_mount_path }}/ca/pem"
headers: "{{ vault_headers }}"
return_content: true
status_code: 200,204
@@ -14,13 +13,13 @@
register: vault_pull_current_ca
- name: config_ca | Read root CA key for Vault
command: "cat /etc/vault/ssl/{{ ca_name }}-key.pem"
command: "cat {{ config_ca_ca_key }}"
register: vault_ca_key_cat
when: vault_ca_cert_cat.stdout.strip() != vault_pull_current_ca.content.strip()
- name: config_ca | Configure pki mount to use the found root CA cert and key
uri:
url: "{{ vault_leader_url }}/v1/{{ mount_name }}/config/ca"
url: "{{ vault_leader_url }}/v1/{{ config_ca_mount_path }}/config/ca"
headers: "{{ vault_headers }}"
method: POST
body_format: json

16
roles/vault/tasks/shared/create_mount.yml Normal file
View File

@@ -0,0 +1,16 @@
---
- include: ../shared/pki_mount.yml
vars:
pki_mount_path: "{{ create_mount_path }}"
pki_mount_options:
config:
default_lease_ttl: "{{ create_mount_default_lease_ttl }}"
max_lease_ttl: "{{ create_mount_max_lease_ttl }}"
description: "{{ create_mount_description }}"
- include: ../shared/config_ca.yml
vars:
config_ca_ca_pem: "{{ create_mount_cert_dir }}/ca.pem"
config_ca_ca_key: "{{ create_mount_cert_dir }}/ca-key.pem"
config_ca_mount_path: "{{ create_mount_path }}"
when: create_mount_config_ca_needed

35
roles/vault/tasks/shared/create_role.yml
View File

@@ -12,8 +12,8 @@
{%- if create_role_policy_rules|d("default") == "default" -%}
{{
{ 'path': {
'pki/issue/' + create_role_name: {'policy': 'write'},
'pki/roles/' + create_role_name: {'policy': 'read'}
create_role_mount_path + '/issue/' + create_role_name: {'policy': 'write'},
create_role_mount_path + '/roles/' + create_role_name: {'policy': 'read'}
}} | to_json + '\n'
}}
{%- else -%}
@@ -22,9 +22,9 @@
status_code: 204
when: inventory_hostname == groups[create_role_group]|first
- name: create_role | Create the new role in the pki mount
- name: create_role | Create the new role in the {{ create_role_mount_path }} pki mount
uri:
url: "{{ hostvars[groups.vault|first]['vault_leader_url'] }}/v1/pki/roles/{{ create_role_name }}"
url: "{{ hostvars[groups.vault|first]['vault_leader_url'] }}/v1/{{ create_role_mount_path }}/roles/{{ create_role_name }}"
headers: "{{ hostvars[groups.vault|first]['vault_headers'] }}"
method: POST
body_format: json
@@ -37,31 +37,6 @@
status_code: 204
when: inventory_hostname == groups[create_role_group]|first
## Cert based auth method
- include: gen_cert.yml
vars:
gen_cert_copy_ca: true
gen_cert_hosts: "{{ groups[create_role_group] }}"
gen_cert_mount: "auth-pki"
gen_cert_path: "{{ vault_roles_dir }}/{{ create_role_name }}/issuer.pem"
gen_cert_vault_headers: "{{ hostvars[groups.vault|first]['vault_headers'] }}"
gen_cert_vault_role: "dummy"
gen_cert_vault_url: "{{ hostvars[groups.vault|first]['vault_leader_url'] }}"
when: vault_role_auth_method == "cert" and inventory_hostname in groups[create_role_group]
- name: create_role | Insert the auth-pki CA as the authenticating CA for that role
uri:
url: "{{ hostvars[groups.vault|first]['vault_leader_url'] }}/v1/auth/cert/certs/{{ create_role_name }}"
headers: "{{ hostvars[groups.vault|first]['vault_headers'] }}"
method: POST
body_format: json
body:
certificate: "{{ hostvars[groups[create_role_group]|first]['gen_cert_result']['json']['data']['issuing_ca'] }}"
policies: "{{ create_role_name }}"
status_code: 204
when: vault_role_auth_method == "cert" and inventory_hostname == groups[create_role_group]|first
## Userpass based auth method
- include: gen_userpass.yml
@@ -71,4 +46,4 @@
gen_userpass_policies: "{{ create_role_name }}"
gen_userpass_role: "{{ create_role_name }}"
gen_userpass_username: "{{ create_role_name }}"
when: vault_role_auth_method == "userpass" and inventory_hostname in groups[create_role_group]
when: inventory_hostname in groups[create_role_group]

29
roles/vault/tasks/shared/gen_ca.yml Normal file
View File

@@ -0,0 +1,29 @@
---
- name: "bootstrap/gen_ca | Ensure cert_dir {{ gen_ca_cert_dir }} exists"
file:
mode: 0755
path: "{{ gen_ca_cert_dir }}"
state: directory
- name: "bootstrap/gen_ca | Generate {{ gen_ca_mount_path }} root CA"
uri:
url: "{{ vault_leader_url }}/v1/{{ gen_ca_mount_path }}/root/generate/exported"
headers: "{{ vault_headers }}"
method: POST
body_format: json
body: "{{ vault_ca_options }}"
register: vault_ca_gen
delegate_to: "{{ groups.vault|first }}"
run_once: true
- name: "bootstrap/gen_ca | Copy {{ gen_ca_mount_path }} root CA cert locally"
copy:
content: "{{ hostvars[groups.vault|first]['vault_ca_gen']['json']['data']['certificate'] }}"
dest: "{{ gen_ca_cert_dir }}/ca.pem"
mode: 0644
- name: "bootstrap/gen_ca | Copy {{ gen_ca_mount_path }} root CA key locally"
copy:
content: "{{ hostvars[groups.vault|first]['vault_ca_gen']['json']['data']['private_key'] }}"
dest: "{{ gen_ca_cert_dir }}/ca-key.pem"
mode: 0640

15
roles/vault/tasks/shared/issue_cert.yml
View File

@@ -14,16 +14,11 @@
# issue_cert_headers: Headers passed into the issue request
# issue_cert_hosts: List of hosts to distribute the cert to
# issue_cert_ip_sans: Requested IP Subject Alternative Names, in a list
# issue_cert_mount: Mount point in Vault to make the request to
# issue_cert_mount_path: Mount point in Vault to make the request to
# issue_cert_path: Full path to the cert, include its name
# issue_cert_role: The Vault role to issue the cert with
# issue_cert_url: Url to reach Vault, including protocol and port
- name: issue_cert | debug who issues certs
debug:
msg: "{{ issue_cert_hosts }} issues certs"
- name: issue_cert | Ensure target directory exists
file:
path: "{{ issue_cert_path | dirname }}"
@@ -34,7 +29,7 @@
- name: "issue_cert | Generate the cert for {{ issue_cert_role }}"
uri:
url: "{{ issue_cert_url }}/v1/{{ issue_cert_mount|d('pki') }}/issue/{{ issue_cert_role }}"
url: "{{ issue_cert_url }}/v1/{{ issue_cert_mount_path|d('pki') }}/issue/{{ issue_cert_role }}"
headers: "{{ issue_cert_headers }}"
method: POST
body_format: json
@@ -45,11 +40,7 @@
ip_sans: "{{ issue_cert_ip_sans | default([]) | join(',') }}"
register: issue_cert_result
delegate_to: "{{ issue_cert_hosts|first }}"
- name: issue_cert | results
debug:
msg: "{{ issue_cert_result }}"
run_once: true
- name: "issue_cert | Copy {{ issue_cert_path }} cert to all hosts"
copy:

18
roles/vault/tasks/shared/mount.yml
View File

@@ -1,18 +0,0 @@
---
- name: shared/mount | Test if PKI mount exists
uri:
url: "{{ vault_leader_url }}/v1/sys/mounts/{{ mount_name }}/tune"
headers: "{{ vault_headers }}"
ignore_errors: true
register: vault_pki_mount_check
- name: shared/mount | Mount PKI mount if needed
uri:
url: "{{ vault_leader_url }}/v1/sys/mounts/{{ mount_name }}"
headers: "{{ vault_headers }}"
method: POST
body_format: json
body: "{{ mount_options|d() }}"
status_code: 204
when: vault_pki_mount_check|failed

34
roles/vault/tasks/shared/pki_mount.yml
View File

@@ -1,11 +1,27 @@
---
- name: "shared/mount | Test if {{ pki_mount_path }} PKI mount exists"
uri:
url: "{{ vault_leader_url }}/v1/sys/mounts/{{ pki_mount_path }}/tune"
headers: "{{ vault_headers }}"
ignore_errors: true
register: vault_pki_mount_check
- include: mount.yml
vars:
mount_name: pki
mount_options:
config:
default_lease_ttl: "{{ vault_default_lease_ttl }}"
max_lease_ttl: "{{ vault_max_lease_ttl }}"
description: The default PKI mount for Kubernetes
type: pki
- name: shared/mount | Set pki mount type
set_fact:
mount_options: "{{ pki_mount_options | combine({'type': 'pki'}) }}"
when: vault_pki_mount_check|failed
- name: shared/mount | Mount {{ pki_mount_path }} PKI mount if needed
uri:
url: "{{ vault_leader_url }}/v1/sys/mounts/{{ pki_mount_path }}"
headers: "{{ vault_headers }}"
method: POST
body_format: json
body: "{{ mount_options|d() }}"
status_code: 204
when: vault_pki_mount_check|failed
- name: shared/mount | Unset mount options
set_fact:
mount_options: {}
when: vault_pki_mount_check|failed