Adding the Vault role

This commit is contained in:
Josh Conant
2017-01-13 20:31:10 +00:00
parent 16674774c7
commit f4ec2d18e5
33 changed files with 1063 additions and 2 deletions


@@ -0,0 +1,32 @@
---
- name: trust_ca | pull CA from cert from groups.vault|first
command: "cat {{ vault_cert_dir }}/ca.pem"
register: vault_cert_file_cat
when: inventory_hostname == groups.vault|first
# This part is mostly stolen from the etcd role
- name: trust_ca | target ca-certificate store file
set_fact:
ca_cert_path: >-
{% if ansible_os_family == "Debian" -%}
/usr/local/share/ca-certificates/kube-cluster-ca.crt
{%- elif ansible_os_family == "RedHat" -%}
/etc/pki/ca-trust/source/anchors/kube-cluster-ca.crt
{%- elif ansible_os_family == "CoreOS" -%}
/etc/ssl/certs/kube-cluster-ca.pem
{%- endif %}
- name: trust_ca | add CA to trusted CA dir
copy:
content: "{{ hostvars[groups.vault|first]['vault_cert_file_cat']['stdout'] }}"
dest: "{{ ca_cert_path }}"
register: vault_ca_cert
- name: trust_ca | update ca-certificates (Debian/Ubuntu/CoreOS)
command: update-ca-certificates
when: vault_ca_cert.changed and ansible_os_family in ["Debian", "CoreOS"]
- name: trust_ca | update ca-certificates (RedHat)
command: update-ca-trust extract
when: vault_ca_cert.changed and ansible_os_family == "RedHat"
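Review bot: The `ca_cert_path` template in the `target ca-certificate store file` step has no branch for an `ansible_os_family` other than Debian, RedHat or CoreOS, so on any other family it renders as an empty string and the following `copy` fails on an empty `dest` with an error that does not point at the real cause; a guard before the copy such as `- fail: msg="unsupported ansible_os_family {{ ansible_os_family }}"` with `when: ca_cert_path == ""` makes the failure self-explanatory. Reading the CA through `command: "cat ..."` also reports changed on every run and depends on `cat` being present; the `slurp` module (`src: "{{ vault_cert_dir }}/ca.pem"`, then `content | b64decode` where the value is used) returns the file byte-for-byte and is idempotent. A one-line comment above the first task saying the CA is read on `groups.vault|first` only and fanned out via `hostvars` would also help, since the `when`/`hostvars` pairing is the whole mechanism here.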


@@ -0,0 +1,29 @@
---
- name: bootstrap/gen_etcd_certs | Add the etcd role
uri:
url: "http://{{ groups.vault|first }}:{{ vault_temp_port }}/v1/pki/roles/etcd"
headers: "{{ hostvars[groups.vault|first]['vault_headers'] }}"
method: POST
body_format: json
body:
allow_any_name: true
status_code: 204
when: inventory_hostname == groups.etcd|first
- include: ../gen_cert.yml
vars:
gen_cert_alt_names: "{{ groups.etcd | join(',') }},localhost"
gen_cert_copy_ca: "{{ true if item == vault_etcd_certs_needed|first else false }}"
gen_cert_hosts: "{{ groups.etcd }}"
gen_cert_ip_sans: >-
{%- for host in groups.etcd -%}
{{ hostvars[host]["ansible_default_ipv4"]["address"] }}
{%- if not loop.last -%},{%- endif -%}
{%- endfor -%}
,127.0.0.1,::1
gen_cert_path: "{{ item }}"
gen_cert_vault_headers: "{{ hostvars[groups.vault|first]['vault_headers'] }}"
gen_cert_vault_role: etcd
gen_cert_vault_url: "http://{{ groups.vault|first }}:{{ vault_temp_port }}"
with_items: "{{ vault_etcd_certs_needed|default([]) }}"
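Review bot: The `uri` call in this hunk sends `vault_headers`, which carries the vault-temp root token set in start_vault_temp.yml, to `http://{{ groups.vault|first }}:{{ vault_temp_port }}` from the first etcd host, so the root token crosses the network in cleartext whenever that host is not also the first vault host; the same URL and headers are used in the gen_etcd_node_certs and gen_vault_certs hunks. Since the instance only lives for the bootstrap, the practical mitigation is to restrict where it listens (the `-p` publish in start_vault_temp.yml) and to state the exposure in a comment on this task, e.g. `# vault-temp is plain HTTP; the root token in vault_headers transits the network until stop_vault_temp runs`. The `etcd` role is also created with nothing but `allow_any_name: true`, which the cluster-wide SAN lists below rely on; a comment saying the role is deliberately permissive because the instance is temporary and only ever driven with the root token would record that decision.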


@@ -0,0 +1,29 @@
---
- name: bootstrap/gen_etcd_node_certs | Add the etcd role
uri:
url: "http://{{ groups.vault|first }}:{{ vault_temp_port }}/v1/pki/roles/etcd"
headers: "{{ hostvars[groups.vault|first]['vault_headers'] }}"
method: POST
body_format: json
body:
allow_any_name: true
status_code: 204
when: inventory_hostname == groups["k8s-cluster"]|first
- include: ../gen_cert.yml
vars:
gen_cert_alt_names: "{{ groups['k8s-cluster'] | union(groups.etcd) | join(',') }},localhost"
gen_cert_copy_ca: "{{ true if item == vault_etcd_node_certs_needed|first else false }}"
gen_cert_hosts: "{{ groups['k8s-cluster'] | union(groups.etcd) }}"
gen_cert_ip_sans: >-
{%- for host in groups["k8s-cluster"] | union(groups.etcd) -%}
{{ hostvars[host]["ansible_default_ipv4"]["address"] }}
{%- if not loop.last -%},{%- endif -%}
{%- endfor -%}
,127.0.0.1,::1
gen_cert_path: "{{ item }}"
gen_cert_vault_headers: "{{ hostvars[groups.vault|first]['vault_headers'] }}"
gen_cert_vault_role: etcd
gen_cert_vault_url: "http://{{ groups.vault|first }}:{{ vault_temp_port }}"
with_items: "{{ vault_etcd_node_certs_needed|default([]) }}"
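Review bot: Every `node-<host>.pem` requested here is issued with `gen_cert_alt_names` and `gen_cert_ip_sans` covering all of `groups['k8s-cluster'] | union(groups.etcd)`, so if gen_cert.yml (not in this hunk) issues one certificate per `gen_cert_path` with exactly these SANs, a certificate held by one node is also valid for every other node's hostname and IP, and a compromised node could present itself as any peer. Scoping the SANs to the host the file is named after (the host part of `item`) would give each node a certificate that identifies only itself; the admin-/member- certs in the gen_etcd_certs hunk share the same all-hosts SAN list. Whether the broad list is acceptable depends on how etcd checks peer identity, which is outside this commit, so at minimum a comment stating that node certs are intentionally cluster-wide would help the next reader.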


@@ -0,0 +1,66 @@
---
- name: bootstrap/gen_vault_certs | Ensure vault_cert_dir exists
file:
path: "{{ vault_cert_dir }}"
state: directory
- name: bootstrap/gen_vault_certs | Generate Root CA in vault-temp
uri:
url: "http://localhost:{{ vault_temp_port }}/v1/pki/root/generate/exported"
headers: "{{ vault_headers }}"
method: POST
body_format: json
body: "{{ vault_ca_options }}"
register: vault_ca_gen
when: inventory_hostname == groups.vault|first and vault_ca_cert_needed
- name: bootstrap/gen_vault_certs | Set facts for ca cert and key
set_fact:
vault_ca_cert: "{{ vault_ca_gen.json.data.certificate }}"
vault_ca_key: "{{ vault_ca_gen.json.data.private_key }}"
when: inventory_hostname == groups.vault|first and vault_ca_cert_needed
- name: bootstrap/gen_vault_certs | Set cert and key facts for all hosts other than groups.vault|first
set_fact:
vault_ca_cert: "{{ hostvars[groups.vault|first]['vault_ca_cert'] }}"
vault_ca_key: "{{ hostvars[groups.vault|first]['vault_ca_key'] }}"
when: inventory_hostname != groups.vault|first and vault_ca_cert_needed
- name: bootstrap/gen_vault_certs | Copy root CA cert locally
copy:
content: "{{ vault_ca_cert }}"
dest: "{{ vault_cert_dir }}/ca.pem"
when: vault_ca_cert_needed
- name: bootstrap/gen_vault_certs | Copy root CA key locally
copy:
content: "{{vault_ca_key}}"
dest: "{{vault_cert_dir}}/ca-key.pem"
when: vault_ca_cert_needed
- name: boostrap/gen_vault_certs | Add the vault role
uri:
url: "http://localhost:{{ vault_temp_port }}/v1/pki/roles/vault"
headers: "{{ vault_headers }}"
method: POST
body_format: json
body: "{{ vault_default_role_permissions }}"
status_code: 204
when: inventory_hostname == groups.vault|first and vault_api_cert_needed
- include: ../gen_cert.yml
vars:
gen_cert_alt_names: "{{ groups.vault | join(',') }},localhost"
gen_cert_hosts: "{{ groups.vault }}"
gen_cert_ip_sans: >-
{%- for host in groups.vault -%}
{{ hostvars[host]["ansible_default_ipv4"]["address"] }}
{%- if not loop.last -%},{%- endif -%}
{%- endfor -%}
,127.0.0.1,::1
gen_cert_path: "{{ vault_cert_dir }}/api.pem"
gen_cert_vault_headers: "{{ hostvars[groups.vault|first]['vault_headers'] }}"
gen_cert_vault_role: vault
gen_cert_vault_url: "http://{{ groups.vault|first }}:{{ vault_temp_port }}"
when: vault_api_cert_needed
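Review bot: The `Copy root CA key locally` task writes `ca-key.pem` with no `mode`, so the CA private key lands with whatever default permissions `copy` applies (commonly 0644) and is readable by every local user; add `mode: "0600"` there, and `mode: "0644"` on the ca.pem copy for explicitness. The same key passes through `register: vault_ca_gen` and the two `set_fact` tasks, which print it in verbose output and may persist it in a fact cache; `no_log: true` on those three tasks keeps it out of logs. The `Add the vault role` task name reads `boostrap/`, a typo of `bootstrap/` that breaks grepping the role's task names.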


@@ -0,0 +1,60 @@
---
## Sync Certs
- include: bootstrap/sync_vault_certs.yml
when: inventory_hostname in groups.vault
- include: bootstrap/sync_etcd_certs.yml
when: inventory_hostname in groups.etcd
- include: bootstrap/sync_etcd_node_certs.yml
when: inventory_hostname in groups["k8s-cluster"] | union(groups.etcd)
## Generate Certs
# Start a temporary instance of Vault
- include: bootstrap/start_vault_temp.yml
when: >-
( hostvars[groups.etcd|first].get("vault_etcd_certs_needed", [])|length > 0 or
hostvars[groups.etcd|first].get("vault_etcd_node_certs_needed", [])|length > 0 or
hostvars[groups.vault|first]["vault_ca_cert_needed"] ) and
inventory_hostname == groups.vault|first
# Generate root CA certs for Vault if none exist
- include: bootstrap/gen_vault_certs.yml
when: >-
( hostvars[groups.vault|first]["vault_ca_cert_needed"] or
hostvars[groups.vault|first]["vault_api_cert_needed"] ) and
inventory_hostname in groups.vault
# Change vault-temp's issuing CA to use existing ca.pem/ca-key.pem
- include: config_ca.yml
vars:
vault_url: "http://{{ groups.vault|first }}:{{ vault_temp_port }}"
when: >-
( hostvars[groups.etcd|first].get("vault_etcd_certs_needed", [])|length > 0 or
hostvars[groups["k8s-cluster"]|first].get("vault_etcd_node_certs_needed", [])|length > 0 or
hostvars[groups.vault|first]["vault_api_cert_needed"] ) and
not hostvars[groups.vault|first]["vault_ca_cert_needed"] and
inventory_hostname == groups.vault|first
# Generate etcd certs for etcd cluster members
- include: bootstrap/gen_etcd_certs.yml
when: >-
hostvars[groups.etcd|first].get("vault_etcd_certs_needed", [])|length > 0 and
inventory_hostname in groups.etcd
# Generate etcd node certs for all k8s-cluster
- include: bootstrap/gen_etcd_node_certs.yml
when: >-
hostvars[groups["k8s-cluster"]|first].get("vault_etcd_node_certs_needed", [])|length > 0 and
inventory_hostname in groups["k8s-cluster"] | union(groups.etcd)
# Stop temporary vault
- include: bootstrap/stop_vault_temp.yml
when: >-
inventory_hostname == groups.vault|first and
hostvars[groups.vault|first]["vault_temp_start"]|succeeded
- include: ca_trust.yml
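Review bot: The start_vault_temp condition reads `vault_etcd_node_certs_needed` from `hostvars[groups.etcd|first]`, while the config_ca and gen_etcd_node_certs conditions read it from `hostvars[groups["k8s-cluster"]|first]`; that fact is set per host in sync_etcd_node_certs.yml, so when those two hosts differ the temporary Vault may never be started while gen_etcd_node_certs still runs and its `uri` calls fail. Using `hostvars[groups["k8s-cluster"]|first].get("vault_etcd_node_certs_needed", [])|length > 0` in the start condition as well closes that gap. Each include also keys off a single first host's needed-list; that is only safe if sync_file.yml yields the same `no_srcs` result on every host, which is not visible in this commit and is worth a comment above `## Generate Certs`.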


@@ -0,0 +1,55 @@
---
- name: boostrap/start_vault_temp | Ensure vault-temp isn't already running
shell: if docker rm -f vault-temp 2>&1 1>/dev/null;then echo true;else echo false;fi
register: vault_temp_stop_check
changed_when: "{{ 'true' in vault_temp_stop_check.stdout }}"
- name: bootstrap/start_vault_temp | Start single node Vault with file backend
command: >
docker run -d --cap-add=IPC_LOCK --name vault-temp -p {{ vault_temp_port }}:{{ vault_temp_port }}
-e 'VAULT_LOCAL_CONFIG={{ vault_temp_config|to_json }}'
-v /etc/vault:/etc/vault
{{ vault_image_repo }}:{{ vault_version }} server
register: vault_temp_start
- name: bootstrap/start_vault_temp | Initialize vault-temp
uri:
url: "http://localhost:{{ vault_temp_port }}/v1/sys/init"
headers: "{{ vault_client_headers }}"
method: PUT
body_format: json
body:
secret_shares: 1
secret_threshold: 1
register: vault_temp_init
# NOTE: vault_headers and vault_url are used by subsequent gen_cert calls
- name: bootstrap/start_vault_temp | Set needed vault facts
set_fact:
vault_temp_unseal_keys: "{{ vault_temp_init.json['keys'] }}"
vault_temp_root_token: "{{ vault_temp_init.json.root_token }}"
vault_headers: "{{ vault_client_headers|combine({'X-Vault-Token': vault_temp_init.json.root_token}) }}"
- name: bootstrap/start_vault_temp | Unseal vault-temp
uri:
url: "http://localhost:{{ vault_temp_port }}/v1/sys/unseal"
headers: "{{ vault_headers }}"
method: POST
body_format: json
body:
key: "{{ item }}"
with_items: "{{ vault_temp_unseal_keys|default([]) }}"
- name: bootstrap/start_vault_temp | Create new PKI mount
uri:
url: "http://localhost:{{ vault_temp_port }}/v1/sys/mounts/pki"
headers: "{{ vault_headers }}"
method: POST
body_format: json
body:
config:
default_lease_ttl: "{{ vault_default_lease_ttl }}"
max_lease_ttl: "{{ vault_max_lease_ttl }}"
type: pki
status_code: 204
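Review bot: The `Initialize vault-temp` task registers the init response, which holds the unseal key and root token, and `Set needed vault facts` re-templates both, so they appear in verbose output and any fact cache; `no_log: true` on those two tasks (and on the unseal loop, whose `item` is the key) keeps that material out of logs. The `docker run` publishes `-p {{ vault_temp_port }}:{{ vault_temp_port }}` on every interface of the host and the API is plain HTTP, so the root-token-authenticated API is reachable by any network peer for the duration of the bootstrap; binding the publish to a cluster-facing address (`-p <CLUSTER_IP>:{{ vault_temp_port }}:{{ vault_temp_port }}`, placeholder) or a host firewall rule narrows that. `changed_when: "{{ 'true' in vault_temp_stop_check.stdout }}"` wraps a condition in Jinja delimiters, which newer Ansible warns about; `changed_when: "'true' in vault_temp_stop_check.stdout"` is the plain form.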


@@ -0,0 +1,4 @@
---
- name: stop vault-temp container
command: docker stop vault-temp
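Review bot: `docker stop` leaves the stopped `vault-temp` container, and any state its file backend keeps inside the container filesystem, on the host until the next run's `docker rm -f`; using `command: docker rm -f vault-temp` here removes it as soon as certificate generation is done, and the start task already tolerates the container being absent. The task name also lacks the `bootstrap/stop_vault_temp |` prefix that every other task in this role carries.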


@@ -0,0 +1,38 @@
---
- name: bootstrap/sync_etcd_certs | Create list of certs needing creation
set_fact:
vault_etcd_cert_list: >-
{{ vault_etcd_cert_list|default([]) + [
"admin-" + item + ".pem",
"member-" + item + ".pem"
] }}
with_items: "{{ groups.etcd }}"
- include: ../sync_file.yml
vars:
sync_file: "{{ item }}"
sync_file_dir: "{{ etcd_cert_dir }}"
sync_file_hosts: "{{ groups.etcd }}"
sync_file_is_cert: true
with_items: "{{ vault_etcd_cert_list|default([]) }}"
- name: bootstrap/sync_etcd_certs | Set facts for etcd sync_file results
set_fact:
vault_etcd_certs_needed: "{{ vault_etcd_certs_needed|default([]) + [item.path] }}"
with_items: "{{ sync_file_results }}"
when: item.no_srcs|bool
- name: bootstrap/sync_etcd_certs | Unset sync_file_results after etcd certs sync
set_fact:
sync_file_results: []
- include: ../sync_file.yml
vars:
sync_file: ca.pem
sync_file_dir: "{{ etcd_cert_dir }}"
sync_file_hosts: "{{ groups.etcd }}"
- name: bootstrap/sync_etcd_certs | Unset sync_file_results after ca.pem sync
set_fact:
sync_file_results: []
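Review bot: The second `sync_file.yml` include, which syncs `ca.pem`, omits `sync_file_is_cert: true`, whereas the `ca.pem` sync in sync_vault_certs.yml sets it; if that flag selects certificate-specific handling inside sync_file.yml (not visible in this commit) the CA copy on etcd hosts is treated differently from the one on vault hosts, and the same omission is in sync_etcd_node_certs.yml. Either set it consistently or add a comment on the include explaining why the CA sync is not a cert sync. The `when: item.no_srcs|bool` step also assumes every `sync_file_results` entry carries `no_srcs`; `when: item.no_srcs|default(false)|bool` keeps an entry without it from aborting the fact build.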


@@ -0,0 +1,34 @@
---
- name: bootstrap/sync_etcd_node_certs | Create list of certs needing creation
set_fact:
vault_etcd_node_cert_list: "{{ vault_etcd_node_cert_list|default([]) + ['node-' + item + '.pem'] }}"
with_items: "{{ groups['k8s-cluster'] | union(groups.etcd) }}"
- include: ../sync_file.yml
vars:
sync_file: "{{ item }}"
sync_file_dir: "{{ etcd_cert_dir }}"
sync_file_hosts: "{{ groups['k8s-cluster'] | union(groups.etcd) }}"
sync_file_is_cert: true
with_items: "{{ vault_etcd_node_cert_list|default([]) }}"
- name: bootstrap/sync_etcd_node_certs | Set facts for etcd sync_file results
set_fact:
vault_etcd_node_certs_needed: "{{ vault_etcd_node_certs_needed|default([]) + [item.path] }}"
with_items: "{{ sync_file_results }}"
when: item.no_srcs|bool
- name: bootstrap/sync_etcd_node_certs | Unset sync_file_results after etcd node certs
set_fact:
sync_file_results: []
- include: ../sync_file.yml
vars:
sync_file: ca.pem
sync_file_dir: "{{ etcd_cert_dir }}"
sync_file_hosts: "{{ groups['k8s-cluster']| union(groups.etcd) }}"
- name: bootstrap/sync_etcd_node_certs | Unset sync_file_results after ca.pem
set_fact:
sync_file_results: []
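Review bot: The `sync_file_hosts` expression on the ca.pem include is written `groups['k8s-cluster']| union(groups.etcd)` while the two earlier uses in this file write `groups['k8s-cluster'] | union(groups.etcd)`; the filter chain is identical, so match the spacing, `sync_file_hosts: "{{ groups['k8s-cluster'] | union(groups.etcd) }}"`. This file is otherwise a near copy of sync_etcd_certs.yml differing only in the cert-name prefix and the host group, so a single task file taking those two as vars would remove the duplication and keep the `sync_file_is_cert` handling in one place.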


@@ -0,0 +1,32 @@
---
- include: ../sync_file.yml
vars:
sync_file: "ca.pem"
sync_file_dir: "{{ vault_cert_dir }}"
sync_file_hosts: "{{ groups.vault }}"
sync_file_is_cert: true
- name: "bootstrap/sync_vault_certs | Set facts for vault sync_file results"
set_fact:
vault_ca_cert_needed: "{{ true if sync_file_results|length > 0 else false }}"
- name: bootstrap/sync_vault_certs | Unset sync_file_results after ca.pem sync
set_fact:
sync_file_results: []
- include: ../sync_file.yml
vars:
sync_file: "api.pem"
sync_file_dir: "{{ vault_cert_dir }}"
sync_file_hosts: "{{ groups.vault }}"
sync_file_is_cert: true
- name: bootstrap/sync_vault_certs | Set fact if Vault's API cert is needed
set_fact:
vault_api_cert_needed: "{{ true if sync_file_results|length > 0 else false }}"
- name: bootstrap/sync_vault_certs | Unset sync_file_results after api.pem sync
set_fact:
sync_file_results: []