Change single Vault pki mount to multi pki mounts paths for etcd and kube CA`s (#1552)

* Added update CA trust step for etcd and kube/secrets roles * Added load_balancer_domain_name to certificate alt names if defined. Reset CA's in RedHat os. * Rename kube-cluster-ca.crt to vault-ca.crt, we need separated CA`s for vault, etcd and kube. * Vault role refactoring, remove optional cert vault auth because not not used and worked. Create separate CA`s fro vault and etcd. * Fixed different certificates set for vault cert_managment * Update doc/vault.md * Fixed condition create vault CA, wrong group * Fixed missing etcd_cert_path mount for rkt deployment type. Distribute vault roles for all vault hosts * Removed wrong when condition in create etcd role vault tasks.
2026-03-18 09:27:34 -02:30 · 2017-08-30 16:03:22 +03:00
parent 72a0d78b3c
commit 6eb22c5db2
36 changed files with 337 additions and 329 deletions
--- a/roles/vault/tasks/shared/create_role.yml
+++ b/roles/vault/tasks/shared/create_role.yml
@@ -12,8 +12,8 @@
             {%- if create_role_policy_rules|d("default") == "default" -%}
             {{
             { 'path': {
-                 'pki/issue/' + create_role_name: {'policy': 'write'},
-                 'pki/roles/' + create_role_name: {'policy': 'read'}
+                 create_role_mount_path + '/issue/' + create_role_name: {'policy': 'write'},
+                 create_role_mount_path + '/roles/' + create_role_name: {'policy': 'read'}
             }} | to_json + '\n'
             }}
             {%- else -%}
@@ -22,9 +22,9 @@
    status_code: 204
  when: inventory_hostname == groups[create_role_group]|first

- name: create_role | Create the new role in the pki mount
+- name: create_role | Create the new role in the {{ create_role_mount_path }} pki mount
  uri:
-    url: "{{ hostvars[groups.vault|first]['vault_leader_url'] }}/v1/pki/roles/{{ create_role_name }}"
+    url: "{{ hostvars[groups.vault|first]['vault_leader_url'] }}/v1/{{ create_role_mount_path }}/roles/{{ create_role_name }}"
    headers: "{{ hostvars[groups.vault|first]['vault_headers'] }}"
    method: POST
    body_format: json
@@ -37,31 +37,6 @@
    status_code: 204
  when: inventory_hostname == groups[create_role_group]|first

-## Cert based auth method
-
- include: gen_cert.yml
-  vars:
-    gen_cert_copy_ca: true
-    gen_cert_hosts: "{{ groups[create_role_group] }}"
-    gen_cert_mount: "auth-pki"
-    gen_cert_path: "{{ vault_roles_dir }}/{{ create_role_name }}/issuer.pem"
-    gen_cert_vault_headers: "{{ hostvars[groups.vault|first]['vault_headers'] }}"
-    gen_cert_vault_role: "dummy"
-    gen_cert_vault_url: "{{ hostvars[groups.vault|first]['vault_leader_url'] }}"
-  when: vault_role_auth_method == "cert" and inventory_hostname in groups[create_role_group]
-
- name: create_role | Insert the auth-pki CA as the authenticating CA for that role
-  uri:
-    url: "{{ hostvars[groups.vault|first]['vault_leader_url'] }}/v1/auth/cert/certs/{{ create_role_name }}"
-    headers: "{{ hostvars[groups.vault|first]['vault_headers'] }}"
-    method: POST
-    body_format: json
-    body:
-      certificate: "{{ hostvars[groups[create_role_group]|first]['gen_cert_result']['json']['data']['issuing_ca'] }}"
-      policies: "{{ create_role_name }}"
-    status_code: 204
-  when: vault_role_auth_method == "cert" and inventory_hostname == groups[create_role_group]|first
-
 ## Userpass based auth method

 - include: gen_userpass.yml
@@ -71,4 +46,4 @@
    gen_userpass_policies: "{{ create_role_name }}"
    gen_userpass_role: "{{ create_role_name }}"
    gen_userpass_username: "{{ create_role_name }}"
-  when: vault_role_auth_method == "userpass" and inventory_hostname in groups[create_role_group]
+  when: inventory_hostname in groups[create_role_group]