c12s-kubespray/roles/vault/tasks/shared/create_role.yml

---
- name: create_role | Create a policy for the new role
  hashivault_policy_set:
    url: "{{ vault_leader_url }}"
    token: "{{ vault_root_token }}"
    ca_cert: "{{ vault_cert_dir }}/ca.pem"
    name: "{{ create_role_name }}"
    rules: >-
           {%- if create_role_policy_rules|d("default") == "default" -%}
           {{
           { 'path': {
                create_role_mount_path + '/issue/' + create_role_name: {'policy': 'write'},
                create_role_mount_path + '/roles/' + create_role_name: {'policy': 'read'}
            }} | to_json + '\n'
            }}
            {%- else -%}
            {{ create_role_policy_rules | to_json + '\n' }}
            {%- endif -%}

- name: create_role | Create {{ create_role_name }} role in the {{ create_role_mount_path }} pki mount
  hashivault_write:
    url: "{{ vault_leader_url }}"
    token: "{{ vault_root_token }}"
    ca_cert: "{{ vault_cert_dir }}/ca.pem"
    secret: "{{ create_role_mount_path }}/roles/{{ create_role_name }}"
    data: |
     {%- if create_role_options|d("default") == "default" -%}
     {
     allow_any_name: true
     }
     {%- else -%}
     {{ create_role_options | to_json }}
     {%- endif -%}

## Userpass based auth method

- include_tasks: gen_userpass.yml
  vars:
    gen_userpass_password: "{{ create_role_password }}"
    gen_userpass_policies: "{{ create_role_name }}"
    gen_userpass_role: "{{ create_role_name }}"
    gen_userpass_username: "{{ create_role_name }}"
Vault security hardening and role isolation 2017-02-08 21:41:36 +00:00			`---`
refactor vault role (#2733) * Move front-proxy-client certs back to kube mount We want the same CA for all k8s certs * Refactor vault to use a third party module The module adds idempotency and reduces some of the repetitive logic in the vault role Requires ansible-modules-hashivault on ansible node and hvac on the vault hosts themselves Add upgrade test scenario Remove bootstrap-os tags from tasks * fix upgrade issues * improve unseal logic * specify ca and fix etcd check * Fix initialization check bump machine size 2018-05-11 16:11:38 +00:00			`- name: create_role \| Create a policy for the new role`
			`hashivault_policy_set:`
			`url: "{{ vault_leader_url }}"`
			`token: "{{ vault_root_token }}"`
			`ca_cert: "{{ vault_cert_dir }}/ca.pem"`
			`name: "{{ create_role_name }}"`
			`rules: >-`
			`{%- if create_role_policy_rules\|d("default") == "default" -%}`
			`{{`
			`{ 'path': {`
			`create_role_mount_path + '/issue/' + create_role_name: {'policy': 'write'},`
			`create_role_mount_path + '/roles/' + create_role_name: {'policy': 'read'}`
			`}} \| to_json + '\n'`
			`}}`
			`{%- else -%}`
			`{{ create_role_policy_rules \| to_json + '\n' }}`
			`{%- endif -%}`
Vault security hardening and role isolation 2017-02-08 21:41:36 +00:00
Vault role updates: * using separated vault roles for generate certs with different `O` (Organization) subject field; * configure vault roles for issuing certificates with different `CN` (Common name) subject field; * set `CN` and `O` to `kubernetes` and `etcd` certificates; * vault/defaults vars definition was simplified; * vault dirs variables defined in kubernetes-defaults foles for using shared tasks in etcd and kubernetes/secrets roles; * upgrade vault to 0.8.1; * generate random vault user password for each role by default; * fix `serial` file name for vault certs; * move vault auth request to issue_cert tasks; * enable `RBAC` in vault CI; 2017-09-01 19:51:37 +00:00			`- name: create_role \| Create {{ create_role_name }} role in the {{ create_role_mount_path }} pki mount`
refactor vault role (#2733) * Move front-proxy-client certs back to kube mount We want the same CA for all k8s certs * Refactor vault to use a third party module The module adds idempotency and reduces some of the repetitive logic in the vault role Requires ansible-modules-hashivault on ansible node and hvac on the vault hosts themselves Add upgrade test scenario Remove bootstrap-os tags from tasks * fix upgrade issues * improve unseal logic * specify ca and fix etcd check * Fix initialization check bump machine size 2018-05-11 16:11:38 +00:00			`hashivault_write:`
			`url: "{{ vault_leader_url }}"`
			`token: "{{ vault_root_token }}"`
			`ca_cert: "{{ vault_cert_dir }}/ca.pem"`
			`secret: "{{ create_role_mount_path }}/roles/{{ create_role_name }}"`
			`data: \|`
			`{%- if create_role_options\|d("default") == "default" -%}`
			`{`
			`allow_any_name: true`
			`}`
			`{%- else -%}`
			`{{ create_role_options \| to_json }}`
			`{%- endif -%}`
Vault security hardening and role isolation 2017-02-08 21:41:36 +00:00
			`## Userpass based auth method`

Use include/import tasks (#2192) import_tasks will consume far less memory, so it should be used whenever it is compatible. 2018-01-29 11:37:48 +00:00			`- include_tasks: gen_userpass.yml`
Vault security hardening and role isolation 2017-02-08 21:41:36 +00:00			`vars:`
Vault role updates: * using separated vault roles for generate certs with different `O` (Organization) subject field; * configure vault roles for issuing certificates with different `CN` (Common name) subject field; * set `CN` and `O` to `kubernetes` and `etcd` certificates; * vault/defaults vars definition was simplified; * vault dirs variables defined in kubernetes-defaults foles for using shared tasks in etcd and kubernetes/secrets roles; * upgrade vault to 0.8.1; * generate random vault user password for each role by default; * fix `serial` file name for vault certs; * move vault auth request to issue_cert tasks; * enable `RBAC` in vault CI; 2017-09-01 19:51:37 +00:00			`gen_userpass_password: "{{ create_role_password }}"`
Vault security hardening and role isolation 2017-02-08 21:41:36 +00:00			`gen_userpass_policies: "{{ create_role_name }}"`
			`gen_userpass_role: "{{ create_role_name }}"`
			`gen_userpass_username: "{{ create_role_name }}"`