2017-01-13 20:31:10 +00:00
|
|
|
---
|
|
|
|
|
2017-02-08 21:41:36 +00:00
|
|
|
- include: ../shared/check_vault.yml
|
|
|
|
when: inventory_hostname in groups.vault
|
2017-02-17 21:22:34 +00:00
|
|
|
|
2017-02-08 21:41:36 +00:00
|
|
|
- include: sync_secrets.yml
|
2017-01-13 20:31:10 +00:00
|
|
|
when: inventory_hostname in groups.vault
|
2017-02-17 21:22:34 +00:00
|
|
|
|
2017-02-08 21:41:36 +00:00
|
|
|
- include: ../shared/find_leader.yml
|
|
|
|
when: inventory_hostname in groups.vault and vault_cluster_is_initialized|d()
|
2017-01-13 20:31:10 +00:00
|
|
|
|
2017-02-08 21:41:36 +00:00
|
|
|
## Sync Certs
|
2017-01-13 20:31:10 +00:00
|
|
|
|
2017-02-08 21:41:36 +00:00
|
|
|
- include: sync_vault_certs.yml
|
|
|
|
when: inventory_hostname in groups.vault
|
2017-01-13 20:31:10 +00:00
|
|
|
|
|
|
|
## Generate Certs
|
|
|
|
|
|
|
|
# Start a temporary instance of Vault
|
2017-02-08 21:41:36 +00:00
|
|
|
- include: start_vault_temp.yml
|
2017-01-13 20:31:10 +00:00
|
|
|
when: >-
|
2017-02-08 21:41:36 +00:00
|
|
|
inventory_hostname == groups.vault|first and
|
|
|
|
not vault_cluster_is_initialized
|
2017-08-24 20:21:39 +00:00
|
|
|
|
|
|
|
# Set vault_leader_url for all nodes based on above
|
|
|
|
- name: vault | bootstrap
|
|
|
|
set_fact:
|
|
|
|
vault_leader_url: "{{ hostvars[groups.vault|first]['vault_leader_url'] }}"
|
|
|
|
when: not vault_cluster_is_initialized
|
2017-01-13 20:31:10 +00:00
|
|
|
|
2017-02-08 21:41:36 +00:00
|
|
|
# NOTE: The next 2 steps run against temp Vault and long-term Vault
|
2017-01-13 20:31:10 +00:00
|
|
|
|
2017-02-08 21:41:36 +00:00
|
|
|
# Ensure PKI mount exists
|
|
|
|
- include: ../shared/pki_mount.yml
|
2017-01-13 20:31:10 +00:00
|
|
|
when: >-
|
|
|
|
inventory_hostname == groups.vault|first
|
|
|
|
|
2017-02-08 21:41:36 +00:00
|
|
|
# If the Root CA already exists, ensure Vault's PKI is using it
|
|
|
|
- include: ../shared/config_ca.yml
|
|
|
|
vars:
|
|
|
|
ca_name: ca
|
|
|
|
mount_name: pki
|
2017-01-13 20:31:10 +00:00
|
|
|
when: >-
|
2017-02-08 21:41:36 +00:00
|
|
|
inventory_hostname == groups.vault|first and
|
|
|
|
not vault_ca_cert_needed
|
2017-01-13 20:31:10 +00:00
|
|
|
|
2017-02-08 21:41:36 +00:00
|
|
|
# Generate root CA certs for Vault if none exist
|
|
|
|
- include: gen_ca.yml
|
2017-01-13 20:31:10 +00:00
|
|
|
when: >-
|
2017-02-08 21:41:36 +00:00
|
|
|
inventory_hostname in groups.vault and
|
|
|
|
not vault_cluster_is_initialized and
|
|
|
|
vault_ca_cert_needed
|
|
|
|
|
|
|
|
# Generate Vault API certs
|
|
|
|
- include: gen_vault_certs.yml
|
|
|
|
when: inventory_hostname in groups.vault and vault_api_cert_needed
|
2017-01-13 20:31:10 +00:00
|
|
|
|
2017-02-08 21:41:36 +00:00
|
|
|
# Update all host's CA bundle
|
2017-01-13 20:31:10 +00:00
|
|
|
- include: ca_trust.yml
|
2017-02-08 21:41:36 +00:00
|
|
|
|
|
|
|
## Add Etcd Role to Vault (if needed)
|
|
|
|
|
|
|
|
- include: role_auth_cert.yml
|
|
|
|
when: vault_role_auth_method == "cert"
|
2017-02-17 21:22:34 +00:00
|
|
|
|
2017-02-08 21:41:36 +00:00
|
|
|
- include: role_auth_userpass.yml
|
|
|
|
when: vault_role_auth_method == "userpass"
|