External-Mirrors/kubespray
2
0
Fork 0
mirror of https://github.com/kubernetes-sigs/kubespray.git synced 2026-05-07 01:17:39 -02:30
Code Issues Packages Projects Releases Wiki Activity

Vault role updates:

Browse Source 
* using separated vault roles for generate certs with different `O` (Organization) subject field;
  * configure vault roles for issuing certificates with different `CN` (Common name) subject field;
  * set `CN` and `O` to `kubernetes` and `etcd` certificates;
  * vault/defaults vars definition was simplified;
  * vault dirs variables defined in kubernetes-defaults foles for using
  shared tasks in etcd and kubernetes/secrets roles;
  * upgrade vault to 0.8.1;
  * generate random vault user password for each role by default;
  * fix `serial` file name for vault certs;
  * move vault auth request to issue_cert tasks;
  * enable `RBAC` in vault CI;
This commit is contained in:
mkrasilnikov
2017-09-01 22:51:37 +03:00
parent c77d11f1c7
commit bf0af1cd3d
18 changed files with 283 additions and 281 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
roles/vault/tasks/bootstrap/create_etcd_role.yml
View File

@@ -1,17 +0,0 @@
---
- include: ../shared/auth_backend.yml
vars:
auth_backend_description: A Username/Password Auth Backend primarily used for services needing to issue certificates
auth_backend_path: userpass
auth_backend_type: userpass
delegate_to: "{{ groups.vault|first }}"
run_once: true
- include: ../shared/create_role.yml
vars:
create_role_name: "{{ vault_etcd_role.name }}"
create_role_group: "{{ vault_etcd_role.group }}"
create_role_policy_rules: "{{ vault_etcd_role.policy_rules }}"
create_role_options: "{{ vault_etcd_role.role_options }}"
create_role_mount_path: "{{ vault_etcd_role.mount_path }}"
when: inventory_hostname in groups.etcd

12
roles/vault/tasks/bootstrap/create_mounts.yml Normal file
View File

@@ -0,0 +1,12 @@
---
- include: ../shared/create_mount.yml
vars:
create_mount_path: "{{ item.name }}"
create_mount_default_lease_ttl: "{{ item.default_lease_ttl }}"
create_mount_max_lease_ttl: "{{ item.max_lease_ttl }}"
create_mount_description: "{{ item.description }}"
create_mount_cert_dir: "{{ item.cert_dir }}"
create_mount_config_ca_needed: "{{ item.config_ca }}"
with_items:
- "{{ vault_pki_mounts.vault|combine({'config_ca': not vault_ca_cert_needed}) }}"
- "{{ vault_pki_mounts.etcd|combine({'config_ca': not vault_etcd_ca_cert_needed}) }}"

10
roles/vault/tasks/bootstrap/create_roles.yml Normal file
View File

@@ -0,0 +1,10 @@
---
- include: ../shared/create_role.yml
vars:
create_role_name: "{{ item.name }}"
create_role_group: "{{ item.group }}"
create_role_policy_rules: "{{ item.policy_rules }}"
create_role_password: "{{ item.password }}"
create_role_options: "{{ item.role_options }}"
create_role_mount_path: "{{ mount.name }}"
with_items: "{{ mount.roles }}"

20
roles/vault/tasks/bootstrap/gen_vault_certs.yml
View File

@@ -1,29 +1,21 @@
---
- name: boostrap/gen_vault_certs | Add the vault role
uri:
url: "{{ vault_leader_url }}/v1/{{ vault_ca_options.common_name }}/roles/vault"
headers: "{{ vault_headers }}"
method: POST
body_format: json
body: "{{ vault_default_role_permissions }}"
status_code: 204
when: inventory_hostname == groups.vault|first and vault_api_cert_needed
- include: ../shared/issue_cert.yml
vars:
issue_cert_common_name: "{{ vault_pki_mounts.vault.roles[0].name }}"
issue_cert_alt_names: "{{ groups.vault + ['localhost'] }}"
issue_cert_hosts: "{{ groups.vault }}"
issue_cert_ip_sans: >-
[
{%- for host in groups.vault -%}
"{{ hostvars[host]['ansible_default_ipv4']['address'] }}",
{%- if hostvars[host]['ip'] is defined -%}
"{{ hostvars[host]['ip'] }}",
{%- endif -%}
{%- endfor -%}
"127.0.0.1","::1"
]
issue_cert_mount_path: "{{ vault_ca_options.common_name }}"
issue_cert_mount_path: "{{ vault_pki_mounts.vault.name }}"
issue_cert_path: "{{ vault_cert_dir }}/api.pem"
issue_cert_headers: "{{ hostvars[groups.vault|first]['vault_headers'] }}"
issue_cert_role: vault
issue_cert_role: "{{ vault_pki_mounts.vault.roles[0].name }}"
issue_cert_url: "{{ vault_leader_url }}"
when: vault_api_cert_needed

80
roles/vault/tasks/bootstrap/main.yml
View File

@@ -1,5 +1,4 @@
---
- include: ../shared/check_vault.yml
when: inventory_hostname in groups.vault
@@ -9,72 +8,57 @@
- include: ../shared/find_leader.yml
when: inventory_hostname in groups.vault and vault_cluster_is_initialized|d()
## Sync Certs
- include: sync_vault_certs.yml
when: inventory_hostname in groups.vault
- include: sync_etcd_certs.yml
when: inventory_hostname in groups.etcd
## Generate Certs
# Start a temporary instance of Vault
- include: start_vault_temp.yml
when: >-
inventory_hostname == groups.vault|first and
not vault_cluster_is_initialized
when: inventory_hostname == groups.vault|first and not vault_cluster_is_initialized
# Set vault_leader_url for all nodes based on above
- name: vault | bootstrap
- name: vault | Set fact about vault leader url
set_fact:
vault_leader_url: "{{ hostvars[groups.vault|first]['vault_leader_url'] }}"
when: not vault_cluster_is_initialized
# Ensure vault PKI mounts exists
- include: ../shared/create_mount.yml
vars:
create_mount_path: "{{ vault_ca_options.common_name }}"
create_mount_default_lease_ttl: "{{ vault_default_lease_ttl }}"
create_mount_max_lease_ttl: "{{ vault_max_lease_ttl }}"
create_mount_description: "Vault Root CA"
create_mount_cert_dir: "{{ vault_cert_dir }}"
create_mount_config_ca_needed: "{{ not vault_ca_cert_needed }}"
- include: create_mounts.yml
when: inventory_hostname == groups.vault|first
# Generate root CA certs for Vault if none exist
- include: ../shared/auth_backend.yml
vars:
auth_backend_description: A Username/Password Auth Backend primarily used for services needing to issue certificates
auth_backend_path: userpass
auth_backend_type: userpass
when: inventory_hostname == groups.vault|first
- include: create_roles.yml
with_items:
- "{{ vault_pki_mounts.vault }}"
- "{{ vault_pki_mounts.etcd }}"
loop_control:
loop_var: mount
- include: ../shared/gen_ca.yml
vars:
gen_ca_cert_dir: "{{ vault_cert_dir }}"
gen_ca_mount_path: "{{ vault_ca_options.common_name }}"
gen_ca_cert_dir: "{{ vault_pki_mounts.vault.cert_dir }}"
gen_ca_mount_path: "{{ vault_pki_mounts.vault.name }}"
gen_ca_vault_headers: "{{ vault_headers }}"
gen_ca_vault_options: "{{ vault_ca_options.vault }}"
when: >-
inventory_hostname in groups.vault and
not vault_cluster_is_initialized and
vault_ca_cert_needed
inventory_hostname in groups.vault
and not vault_cluster_is_initialized
and vault_ca_cert_needed
- include: ../shared/gen_ca.yml
vars:
gen_ca_cert_dir: "{{ vault_pki_mounts.etcd.cert_dir }}"
gen_ca_mount_path: "{{ vault_pki_mounts.etcd.name }}"
gen_ca_vault_headers: "{{ vault_headers }}"
gen_ca_vault_options: "{{ vault_ca_options.etcd }}"
when: inventory_hostname in groups.etcd and vault_etcd_ca_cert_needed
# Generate Vault API certs
- include: gen_vault_certs.yml
when: inventory_hostname in groups.vault and vault_api_cert_needed
# Ensure etcd PKI mounts exists
- include: ../shared/create_mount.yml
vars:
create_mount_path: "{{ vault_etcd_mount_path }}"
create_mount_default_lease_ttl: "{{ vault_etcd_default_lease_ttl }}"
create_mount_max_lease_ttl: "{{ vault_etcd_max_lease_ttl }}"
create_mount_description: "Etcd Root CA"
create_mount_cert_dir: "{{ vault_etcd_cert_dir }}"
create_mount_config_ca_needed: "{{ not vault_etcd_ca_cert_needed }}"
when: inventory_hostname == groups.vault|first
# Generate root CA certs for etcd if none exist
- include: ../shared/gen_ca.yml
vars:
gen_ca_cert_dir: "{{ vault_etcd_cert_dir }}"
gen_ca_mount_path: "{{ vault_etcd_mount_path }}"
when: inventory_hostname in groups.etcd and vault_etcd_ca_cert_needed
- include: create_etcd_role.yml
# Update all host's CA bundle, etcd CA will be added in etcd role
- include: ca_trust.yml

13
roles/vault/tasks/cluster/create_mounts.yml Normal file
View File

@@ -0,0 +1,13 @@
---
- include: ../shared/create_mount.yml
vars:
create_mount_path: "{{ item.name }}"
create_mount_default_lease_ttl: "{{ item.default_lease_ttl }}"
create_mount_max_lease_ttl: "{{ item.max_lease_ttl }}"
create_mount_description: "{{ item.description }}"
create_mount_cert_dir: "{{ item.cert_dir }}"
create_mount_config_ca_needed: "{{ item.name != vault_pki_mounts.kube.name }}"
with_items:
- "{{ vault_pki_mounts.vault }}"
- "{{ vault_pki_mounts.etcd }}"
- "{{ vault_pki_mounts.kube }}"

14
roles/vault/tasks/cluster/create_roles.yml
View File

@@ -1,18 +1,10 @@
---
- include: ../shared/auth_backend.yml
vars:
auth_backend_description: A Username/Password Auth Backend primarily used for services needing to issue certificates
auth_backend_path: userpass
auth_backend_type: userpass
when: inventory_hostname == groups.vault|first
- include: ../shared/create_role.yml
vars:
create_role_name: "{{ item.name }}"
create_role_group: "{{ item.group }}"
create_role_password: "{{ item.password }}"
create_role_policy_rules: "{{ item.policy_rules }}"
create_role_options: "{{ item.role_options }}"
create_role_mount_path: "{{ item.mount_path }}"
with_items:
- "{{ vault_etcd_role }}"
- "{{ vault_kube_role }}"
create_role_mount_path: "{{ vault_pki_mounts.kube.name }}"
with_items: "{{ vault_pki_mounts.kube.roles }}"

44
roles/vault/tasks/cluster/main.yml
View File

@@ -5,8 +5,6 @@
- include: ../shared/check_etcd.yml
when: inventory_hostname in groups.vault
## Vault Cluster Setup
- include: configure.yml
when: inventory_hostname in groups.vault
@@ -25,42 +23,22 @@
- include: ../shared/find_leader.yml
when: inventory_hostname in groups.vault
- include: ../shared/create_mount.yml
vars:
create_mount_path: "{{ vault_ca_options.common_name }}"
create_mount_default_lease_ttl: "{{ vault_default_lease_ttl }}"
create_mount_max_lease_ttl: "{{ vault_max_lease_ttl }}"
create_mount_description: "Vault Root CA"
create_mount_cert_dir: "{{ vault_cert_dir }}"
create_mount_config_ca_needed: true
when: inventory_hostname == groups.vault|first
- include: ../shared/create_mount.yml
vars:
create_mount_path: "{{ vault_etcd_mount_path }}"
create_mount_default_lease_ttl: "{{ vault_etcd_default_lease_ttl }}"
create_mount_max_lease_ttl: "{{ vault_etcd_max_lease_ttl }}"
create_mount_description: "Etcd Root CA"
create_mount_cert_dir: "{{ vault_etcd_cert_dir }}"
create_mount_config_ca_needed: true
when: inventory_hostname == groups.vault|first
- include: ../shared/create_mount.yml
vars:
create_mount_path: "{{ vault_kube_mount_path }}"
create_mount_default_lease_ttl: "{{ vault_kube_default_lease_ttl }}"
create_mount_max_lease_ttl: "{{ vault_kube_max_lease_ttl }}"
create_mount_description: "Kubernetes Root CA"
create_mount_cert_dir: "{{ vault_kube_cert_dir }}"
create_mount_config_ca_needed: false
- include: create_mounts.yml
when: inventory_hostname == groups.vault|first
- include: ../shared/gen_ca.yml
vars:
gen_ca_cert_dir: "{{ vault_kube_cert_dir }}"
gen_ca_mount_path: "{{ vault_kube_mount_path }}"
gen_ca_cert_dir: "{{ vault_pki_mounts.kube.cert_dir }}"
gen_ca_mount_path: "{{ vault_pki_mounts.kube.name }}"
gen_ca_vault_headers: "{{ vault_headers }}"
gen_ca_vault_options: "{{ vault_ca_options.kube }}"
when: inventory_hostname in groups.vault
## Vault Policies, Roles, and Auth Backends
- include: ../shared/auth_backend.yml
vars:
auth_backend_description: A Username/Password Auth Backend primarily used for services needing to issue certificates
auth_backend_path: userpass
auth_backend_type: userpass
when: inventory_hostname == groups.vault|first
- include: create_roles.yml

5
roles/vault/tasks/shared/create_role.yml
View File

@@ -1,5 +1,4 @@
---
# The JSON inside JSON here is intentional (Vault API wants it)
- name: create_role | Create a policy for the new role allowing issuing
uri:
@@ -22,7 +21,7 @@
status_code: 204
when: inventory_hostname == groups[create_role_group]|first
- name: create_role | Create the new role in the {{ create_role_mount_path }} pki mount
- name: create_role | Create {{ create_role_name }} role in the {{ create_role_mount_path }} pki mount
uri:
url: "{{ hostvars[groups.vault|first]['vault_leader_url'] }}/v1/{{ create_role_mount_path }}/roles/{{ create_role_name }}"
headers: "{{ hostvars[groups.vault|first]['vault_headers'] }}"
@@ -42,7 +41,7 @@
- include: gen_userpass.yml
vars:
gen_userpass_group: "{{ create_role_group }}"
gen_userpass_password: "{{ create_role_password|d(''|to_uuid) }}"
gen_userpass_password: "{{ create_role_password }}"
gen_userpass_policies: "{{ create_role_name }}"
gen_userpass_role: "{{ create_role_name }}"
gen_userpass_username: "{{ create_role_name }}"

4
roles/vault/tasks/shared/gen_ca.yml
View File

@@ -8,10 +8,10 @@
- name: "bootstrap/gen_ca | Generate {{ gen_ca_mount_path }} root CA"
uri:
url: "{{ vault_leader_url }}/v1/{{ gen_ca_mount_path }}/root/generate/exported"
headers: "{{ vault_headers }}"
headers: "{{ gen_ca_vault_headers }}"
method: POST
body_format: json
body: "{{ vault_ca_options }}"
body: "{{ gen_ca_vault_options }}"
register: vault_ca_gen
delegate_to: "{{ groups.vault|first }}"
run_once: true

1
roles/vault/tasks/shared/gen_userpass.yml
View File

@@ -1,5 +1,4 @@
---
- name: shared/gen_userpass | Create the Username/Password combo for the role
uri:
url: "{{ hostvars[groups.vault|first]['vault_leader_url'] }}/v1/auth/userpass/users/{{ gen_userpass_username }}"

45
roles/vault/tasks/shared/issue_cert.yml
View File

@@ -11,7 +11,6 @@
# issue_cert_file_mode: Mode of the placed cert file
# issue_cert_file_owner: Owner of the placed cert file and directory
# issue_cert_format: Format for returned data. Can be pem, der, or pem_bundle
# issue_cert_headers: Headers passed into the issue request
# issue_cert_hosts: List of hosts to distribute the cert to
# issue_cert_ip_sans: Requested IP Subject Alternative Names, in a list
# issue_cert_mount_path: Mount point in Vault to make the request to
@@ -27,7 +26,47 @@
mode: "{{ issue_cert_dir_mode | d('0755') }}"
owner: "{{ issue_cert_file_owner | d('root') }}"
- name: "issue_cert | Generate the cert for {{ issue_cert_role }}"
- name: "issue_cert | Read in the local credentials"
command: cat {{ vault_roles_dir }}/{{ issue_cert_role }}/userpass
register: vault_creds_cat
delegate_to: "{{ issue_cert_hosts|first }}"
run_once: true
- name: gen_certs_vault | Set facts for read Vault Creds
set_fact:
user_vault_creds: "{{ vault_creds_cat.stdout|from_json }}"
delegate_to: "{{ issue_cert_hosts|first }}"
run_once: true
- name: gen_certs_vault | Log into Vault and obtain an token
uri:
url: "{{ hostvars[groups.vault|first]['vault_leader_url'] }}/v1/auth/userpass/login/{{ user_vault_creds.username }}"
headers:
Accept: application/json
Content-Type: application/json
method: POST
body_format: json
body:
password: "{{ user_vault_creds.password }}"
register: vault_login_result
delegate_to: "{{ issue_cert_hosts|first }}"
run_once: true
- name: gen_certs_vault | Set fact for vault_client_token
set_fact:
vault_client_token: "{{ vault_login_result.get('json', {}).get('auth', {}).get('client_token') }}"
run_once: true
- name: gen_certs_vault | Set fact for Vault API token
set_fact:
issue_cert_headers:
Accept: application/json
Content-Type: application/json
X-Vault-Token: "{{ vault_client_token }}"
run_once: true
when: vault_client_token != ""
- name: "issue_cert | Generate {{ issue_cert_path }} for {{ issue_cert_role }} role"
uri:
url: "{{ issue_cert_url }}/v1/{{ issue_cert_mount_path|d('pki') }}/issue/{{ issue_cert_role }}"
headers: "{{ issue_cert_headers }}"
@@ -70,7 +109,7 @@
- name: issue_cert | Copy certificate serial to all hosts
copy:
content: "{{ hostvars[issue_cert_hosts|first]['issue_cert_result']['json']['data']['serial_number'] }}"
dest: "{{ issue_cert_path.rsplit('.', 1)|first }}.serial }}"
dest: "{{ issue_cert_path.rsplit('.', 1)|first }}.serial"
group: "{{ issue_cert_file_group | d('root' )}}"
mode: "{{ issue_cert_file_mode | d('0640') }}"
owner: "{{ issue_cert_file_owner | d('root') }}"