Adding the Vault role

This commit is contained in:
Josh Conant
2017-01-13 20:31:10 +00:00
parent 16674774c7
commit f4ec2d18e5
33 changed files with 1063 additions and 2 deletions


@@ -0,0 +1,25 @@
---
- name: docker | Check on state of docker instance
command: "docker inspect {{ vault_container_name }}"
ignore_errors: true
register: vault_container_inspect
- name: docker | Set fact on container status
set_fact:
vault_container_inspect_json: "{{ vault_container_inspect.stdout|from_json }}"
when: vault_container_inspect|succeeded
# Not sure if State.Running is the best check here...
- name: docker | Remove old container if it's not currently running
command: "docker rm {{ vault_container_name }}"
when: vault_container_inspect|succeeded and not vault_container_inspect_json[0]["State"]["Running"]|bool
- name: docker | Start a new Vault instance
command: >
docker run -d --cap-add=IPC_LOCK --name {{vault_container_name}} -p {{vault_port}}:{{vault_port}}
-e 'VAULT_LOCAL_CONFIG={{ vault_config|to_json }}'
-v /etc/vault:/etc/vault
{{vault_image_repo}}:{{vault_version}} server
register: vault_docker_start
when: vault_container_inspect|failed or not vault_container_inspect_json[0]["State"]["Running"]|bool
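Review bot: Nothing after the `docker run -d` on L28 waits for Vault to be listening, so the `/v1/sys/init` POST in the init tasks that main.yml includes right after this file can race container startup and fail on a fresh host; a `wait_for` on `vault_port` after the start task would close that gap (unless a wait already lives in a file not shown on this page). The rendered config is also handed in as the `VAULT_LOCAL_CONFIG` environment variable on L29, which makes it part of the container metadata that the `docker inspect` on L15 captures into `vault_container_inspect` — if `vault_config` (not shown) ever carries credentials or key material, they would surface in Ansible's registered output, so `no_log: true` on that task is cheap insurance.
```yaml
- name: docker | Wait for Vault to accept connections
  wait_for:
    port: "{{ vault_port }}"
    timeout: 60
```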


@@ -0,0 +1,33 @@
---
- name: "cluster/gen_kube_node_certs | Ensure kube_cert_dir exists"
file:
path: "{{ kube_cert_dir }}"
state: directory
- name: gen_kube_master_certs | Add the kube role
uri:
url: "https://{{ hostvars[groups.vault|first]['vault_leader'] }}:{{ vault_port }}/v1/pki/roles/kubernetes"
headers: "{{ hostvars[groups.vault|first]['vault_headers'] }}"
method: POST
body_format: json
body: "{{ vault_default_role_permissions }}"
status_code: 204
when: inventory_hostname == groups["kube-master"]|first
- include: ../gen_cert.yml
vars:
gen_cert_alt_names: "{{ groups['kube-master'] | join(',') }},localhost"
gen_cert_copy_ca: "{{ true if item == vault_kube_master_certs_needed|first else false }}"
gen_cert_hosts: "{{ groups['kube-master'] }}"
gen_cert_ip_sans: >-
{%- for host in groups["kube-master"] -%}
{{ hostvars[host]["ansible_default_ipv4"]["address"] }}
{%- if not loop.last -%},{%- endif -%}
{%- endfor -%}
,127.0.0.1,::1
gen_cert_path: "{{ item }}"
gen_cert_vault_headers: "{{ hostvars[groups.vault|first]['vault_headers'] }}"
gen_cert_vault_role: kubernetes
gen_cert_vault_url: "https://{{ hostvars[groups.vault|first]['vault_leader'] }}:{{ vault_port }}"
with_items: "{{ vault_kube_master_certs_needed|default([]) }}"
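Review bot: The task names in this file are copy-pasted from the node variant — L39 reads `cluster/gen_kube_node_certs | Ensure kube_cert_dir exists` inside the master file, and L43 drops the `cluster/` prefix every other task in the role uses; `- name: "cluster/gen_kube_master_certs | Ensure kube_cert_dir exists"` and `- name: cluster/gen_kube_master_certs | Add the kubernetes role` keep the log output greppable. The role POST on L44-L50 carries no `validate_certs` setting while the equivalent call in init.yml passes `validate_certs: false`; whichever is intended, the two should match, preferably by trusting the Vault CA on the hosts so validation can stay on here. `gen_cert_ip_sans` on L57-L62 also assumes every master reports `ansible_default_ipv4`, which is not guaranteed on hosts without a default route — worth a comment or an explicit fact check before the include.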


@@ -0,0 +1,33 @@
---
- name: "cluster/gen_kube_node_certs | Ensure kube_cert_dir exists"
file:
path: "{{ kube_cert_dir }}"
state: directory
- name: "cluster/gen_kube_node_certs | Add the kubernetes role"
uri:
url: "https://{{ hostvars[groups.vault|first]['vault_leader'] }}:{{ vault_port }}/v1/pki/roles/kubernetes"
headers: "{{ hostvars[groups.vault|first]['vault_headers'] }}"
method: POST
body_format: json
body: "{{ vault_default_role_permissions }}"
status_code: 204
when: inventory_hostname == groups["k8s-cluster"]|first
- include: ../gen_cert.yml
vars:
gen_cert_alt_names: "{{ groups['k8s-cluster'] | join(',') }},localhost"
gen_cert_copy_ca: "{{ true if item == vault_kube_node_certs_needed|first else false }}"
gen_cert_hosts: "{{ groups['k8s-cluster'] }}"
gen_cert_ip_sans: >-
{%- for host in groups["k8s-cluster"] -%}
{{ hostvars[host]["ansible_default_ipv4"]["address"] }}
{%- if not loop.last -%},{%- endif -%}
{%- endfor -%}
,127.0.0.1,::1
gen_cert_path: "{{ item }}"
gen_cert_vault_headers: "{{ hostvars[groups.vault|first]['vault_headers'] }}"
gen_cert_vault_role: kubernetes
gen_cert_vault_url: "https://{{ hostvars[groups.vault|first]['vault_leader'] }}:{{ vault_port }}"
with_items: "{{ vault_kube_node_certs_needed|default([]) }}"
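Review bot: Every node certificate issued through this include carries the same SAN set — `gen_cert_alt_names` on L88 lists every host in `k8s-cluster` and `gen_cert_ip_sans` on L91-L96 every host's default IPv4 plus loopback — so the key behind one node's `node-<host>.pem` is also valid for every other node's name and address, and a single compromised node can present itself as any peer (including the masters, if they are members of `k8s-cluster`). Unless gen_cert.yml (not on this page) narrows the SANs per item, derive `gen_cert_alt_names` and `gen_cert_ip_sans` from the host the item belongs to rather than from the whole group. The POST on L78-L84 also re-creates the same `kubernetes` PKI role that the master tasks already write with the same body; harmless as written, but a comment stating which include is authoritative for that role would prevent the two drifting apart.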


@@ -0,0 +1,49 @@
---
- name: cluster/init | Initialize Vault
uri:
url: "https://{{ groups.vault|first }}:{{ vault_port }}/v1/sys/init"
headers: "{{ vault_client_headers }}"
method: POST
body_format: json
body:
secret_shares: "{{ vault_secret_shares }}"
secret_threshold: "{{ vault_secret_threshold }}"
validate_certs: false
register: vault_init_result
when: not vault_cluster_is_initialized and inventory_hostname == groups.vault|first
- name: cluster/init | Set facts on the results of the initialization
set_fact:
vault_unseal_keys: "{{ vault_init_result.json['keys'] }}"
vault_root_token: "{{ vault_init_result.json.root_token }}"
vault_headers: "{{ vault_client_headers|combine({'X-Vault-Token': vault_init_result.json.root_token}) }}"
when: not vault_cluster_is_initialized and inventory_hostname == groups.vault|first
- name: cluster/init | Ensure all hosts have these facts
set_fact:
vault_unseal_keys: "{{ hostvars[groups.vault|first]['vault_unseal_keys'] }}"
vault_root_token: "{{ hostvars[groups.vault|first]['vault_root_token'] }}"
when: not vault_cluster_is_initialized and inventory_hostname != groups.vault|first
- name: cluster/init | Ensure the vault_secrets_dir exists
file:
path: "{{ vault_secrets_dir }}"
state: directory
- name: cluster/init | Ensure all in groups.vault have the unseal_keys locally
copy:
content: "{{ vault_unseal_keys|join('\n') }}"
dest: "{{ vault_secrets_dir }}/unseal_keys"
when: not vault_cluster_is_initialized
- name: cluster/init | Ensure all in groups.vault have the root_token locally
copy:
content: "{{ vault_root_token }}"
dest: "{{ vault_secrets_dir }}/root_token"
when: not vault_cluster_is_initialized
- name: cluster/init | Ensure vault_headers and vault statuses are updated
set_fact:
vault_headers: "{{ vault_client_headers | combine({'X-Vault-Token': vault_root_token})}}"
vault_cluster_is_initialized: true
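Review bot: The unseal key shares and the root token are written to `{{ vault_secrets_dir }}/unseal_keys` and `{{ vault_secrets_dir }}/root_token` on L134-L143 with no `mode`, so they land with the remote umask default and are typically world-readable, and the directory created on L130-L133 has no mode either. Add `mode: "0600"` to both copy tasks and `mode: "0700"` to the file task. The set_fact tasks on L119-L129 and both copy tasks also expose the shares and token in Ansible's output at higher verbosity; `no_log: true` on each keeps them out of logs and callback plugins. The init POST on L108-L116 runs with `validate_certs: false`, so the one call that hands back the root token does not verify the server — acceptable only while the Vault CA is not yet trusted on the host, and worth a comment saying exactly that so it is not copied elsewhere.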


@@ -0,0 +1,30 @@
---
## Vault Cluster Setup
- include: docker.yml
when: inventory_hostname in groups.vault and vault_deployment_type == "docker"
- include: init.yml
when: inventory_hostname in groups.vault
- include: unseal.yml
when: inventory_hostname in groups.vault
- include: pki_mount.yml
when: 'inventory_hostname == hostvars[groups.vault|first]["vault_leader"]'
- include: config_ca.yml
vars:
vault_url: "https://{{ vault_leader }}:{{ vault_port }}"
when: 'inventory_hostname == hostvars[groups.vault|first]["vault_leader"]'
## Sync Kubernetes Certs
- include: sync_kube_master_certs.yml
when: inventory_hostname in groups["kube-master"]
- include: sync_kube_node_certs.yml
when: inventory_hostname in groups["k8s-cluster"]
## Generate Kubernetes Certs
- include: gen_kube_master_certs.yml
when: inventory_hostname in groups["kube-master"]
- include: gen_kube_node_certs.yml
when: inventory_hostname in groups["k8s-cluster"]
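Review bot: The includes here are gated on facts that nothing in this file sets — `vault_cluster_is_initialized` (tested by init.yml), `vault_is_sealed` (tested by unseal.yml) and `vault_leader` (used on L164 and set by unseal.yml) — and the gate on L155 means a `vault_deployment_type` other than `docker` skips container setup but still runs init and unseal against whatever is listening. A header comment naming where those facts come from and which deployment types are supported would save the next reader a search across the other 30-odd files in this commit, e.g. `# Expects vault_cluster_is_initialized and vault_is_sealed to be set by an earlier include; vault_leader is set by unseal.yml.`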


@@ -0,0 +1,23 @@
---
- name: cluster/pki_mount | Test if default PKI mount exists
uri:
url: "https://localhost:{{ vault_port }}/v1/sys/mounts/pki/tune"
headers: "{{ vault_headers }}"
validate_certs: false
ignore_errors: true
register: vault_pki_mount_check
- name: cluster/pki_mount | Mount default PKI mount if needed
uri:
url: "https://localhost:{{ vault_port }}/v1/sys/mounts/pki"
headers: "{{ vault_headers }}"
method: POST
body_format: json
body:
config:
default_lease_ttl: "{{ vault_default_lease_ttl }}"
max_lease_ttl: "{{ vault_max_lease_ttl }}"
type: pki
status_code: 204
when: vault_pki_mount_check | failed
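Review bot: The mount task on L189-L199 has no `validate_certs` while the check on L182-L187 against the same `https://localhost` endpoint sets `validate_certs: false`, so on a host that does not yet trust Vault's certificate the check reports the mount as missing and the POST then fails on TLS instead. Make the two consistent, and preferably keep validation on by trusting the Vault CA on the host rather than copying the `false` down. Because the check uses `ignore_errors`, any failure at all (TLS, auth, connection refused) also reads as "mount missing" through `| failed` on L200; registering the status and testing for the specific not-found response would separate "no mount yet" from "Vault unreachable".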


@@ -0,0 +1,38 @@
---
- name: cluster/sync_kube_master_certs | Create list of needed certs
set_fact:
vault_kube_master_cert_list: >-
{{ vault_kube_master_cert_list|default([]) + [
"admin-" + item + ".pem",
"apiserver-" + item + ".pem"
] }}
with_items: "{{ groups['kube-master'] }}"
- include: ../sync_file.yml
vars:
sync_file: "{{ item }}"
sync_file_dir: "{{ kube_cert_dir }}"
sync_file_hosts: "{{ groups['kube-master'] }}"
sync_file_is_cert: true
with_items: "{{ vault_kube_master_cert_list|default([]) }}"
- name: cluster/sync_kube_master_certs | Set facts for kube-master sync_file results
set_fact:
vault_kube_master_certs_needed: "{{ vault_kube_master_certs_needed|default([]) + [item.path] }}"
with_items: "{{ sync_file_results }}"
when: item.no_srcs|bool
- name: cluster/sync_kube_master_certs | Unset sync_file_results after kube master certs
set_fact:
sync_file_results: []
- include: ../sync_file.yml
vars:
sync_file: ca.pem
sync_file_dir: "{{ kube_cert_dir }}"
sync_file_hosts: "{{ groups['kube-master'] }}"
- name: cluster/sync_kube_master_certs | Unset sync_file_results after ca.pem
set_fact:
sync_file_results: []
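Review bot: `with_items: "{{ sync_file_results }}"` on L224 has no `|default([])` while the loop on L220 does, so if `vault_kube_master_cert_list` is empty, or sync_file.yml (not shown) does not set `sync_file_results` when nothing was synced, this task errors on an undefined variable rather than skipping; `with_items: "{{ sync_file_results|default([]) }}"` matches the rest of the file. The same line appears in sync_kube_node_certs.yml at L256. The accumulation on L208-L213 also never resets `vault_kube_master_cert_list`, so a second include of this file in the same play would append a duplicate set — worth a comment if single inclusion is a deliberate assumption.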


@@ -0,0 +1,34 @@
---
- name: cluster/sync_kube_node_certs | Create list of needed certs
set_fact:
vault_kube_node_cert_list: "{{ vault_kube_node_cert_list|default([]) + ['node-' + item + '.pem'] }}"
with_items: "{{ groups['k8s-cluster'] }}"
- include: ../sync_file.yml
vars:
sync_file: "{{ item }}"
sync_file_dir: "{{ kube_cert_dir }}"
sync_file_hosts: "{{ groups['k8s-cluster'] }}"
sync_file_is_cert: true
with_items: "{{ vault_kube_node_cert_list|default([]) }}"
- name: cluster/sync_kube_node_certs | Set facts for kube-master sync_file results
set_fact:
vault_kube_node_certs_needed: "{{ vault_kube_node_certs_needed|default([]) + [item.path] }}"
with_items: "{{ sync_file_results }}"
when: item.no_srcs|bool
- name: cluster/sync_kube_node_certs | Unset sync_file_results after kube node certs
set_fact:
sync_file_results: []
- include: ../sync_file.yml
vars:
sync_file: ca.pem
sync_file_dir: "{{ kube_cert_dir }}"
sync_file_hosts: "{{ groups['k8s-cluster'] }}"
- name: cluster/sync_kube_node_certs | Unset sync_file_results after ca.pem
set_fact:
sync_file_results: []
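Review bot: The task name on L253 still says `kube-master` inside the node file, a leftover from the master variant it was copied from; `- name: cluster/sync_kube_node_certs | Set facts for kube-node sync_file results` keeps the two files distinguishable in play output. Otherwise this file mirrors sync_kube_master_certs.yml line for line with only the group name and cert prefix changed, so a short comment pointing at that file as the reference copy would help keep future fixes applied to both.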


@@ -0,0 +1,26 @@
---
- name: cluster/unseal | Unseal Vault
uri:
url: "https://localhost:{{ vault_port }}/v1/sys/unseal"
headers: "{{ vault_headers }}"
method: POST
body_format: json
body:
key: "{{ item }}"
with_items: "{{ vault_unseal_keys|default([]) }}"
when: vault_is_sealed
- name: cluster/unseal | Find the current leader
uri:
url: "https://localhost:{{ vault_port }}/v1/sys/health"
headers: "{{ vault_headers }}"
method: HEAD
status_code: 200,429
register: vault_leader_check
- name: cluster/unseal | Set fact for current leader
set_fact:
vault_leader: "{{ item }}"
with_items: "{{ groups.vault }}"
when: 'hostvars[item]["vault_leader_check"]["status"] == 200'
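Review bot: The unseal task on L274-L283 loops over `vault_unseal_keys` with `with_items`, and each key share is echoed as the item label in Ansible's task output; add `no_log: true` to that task so the shares stay out of logs. Like the other `https://localhost` calls in this role the POST carries no `validate_certs` setting, which is the safer default but differs from init.yml — a comment stating that the Vault CA is expected to be trusted by this point would make the difference deliberate rather than accidental.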