c12s-kubespray/roles/vault/tasks/bootstrap/main.yml

68 lines
1.7 KiB
YAML
Raw Normal View History

2017-01-13 20:31:10 +00:00
---
- include: ../shared/check_vault.yml
when: inventory_hostname in groups.vault
- include: sync_secrets.yml
2017-01-13 20:31:10 +00:00
when: inventory_hostname in groups.vault
- include: ../shared/find_leader.yml
when: inventory_hostname in groups.vault and vault_cluster_is_initialized|d()
2017-01-13 20:31:10 +00:00
## Sync Certs
2017-01-13 20:31:10 +00:00
- include: sync_vault_certs.yml
when: inventory_hostname in groups.vault
2017-01-13 20:31:10 +00:00
## Generate Certs
# Start a temporary instance of Vault
- include: start_vault_temp.yml
2017-01-13 20:31:10 +00:00
when: >-
inventory_hostname == groups.vault|first and
not vault_cluster_is_initialized
# Set vault_leader_url for all nodes based on above
- name: vault | bootstrap
set_fact:
vault_leader_url: "{{ hostvars[groups.vault|first]['vault_leader_url'] }}"
when: not vault_cluster_is_initialized
2017-01-13 20:31:10 +00:00
# NOTE: The next 2 steps run against temp Vault and long-term Vault
2017-01-13 20:31:10 +00:00
# Ensure PKI mount exists
- include: ../shared/pki_mount.yml
2017-01-13 20:31:10 +00:00
when: >-
inventory_hostname == groups.vault|first
# If the Root CA already exists, ensure Vault's PKI is using it
- include: ../shared/config_ca.yml
vars:
ca_name: ca
mount_name: pki
2017-01-13 20:31:10 +00:00
when: >-
inventory_hostname == groups.vault|first and
not vault_ca_cert_needed
2017-01-13 20:31:10 +00:00
# Generate root CA certs for Vault if none exist
- include: gen_ca.yml
2017-01-13 20:31:10 +00:00
when: >-
inventory_hostname in groups.vault and
not vault_cluster_is_initialized and
vault_ca_cert_needed
# Generate Vault API certs
- include: gen_vault_certs.yml
when: inventory_hostname in groups.vault and vault_api_cert_needed
2017-01-13 20:31:10 +00:00
# Update all host's CA bundle
2017-01-13 20:31:10 +00:00
- include: ca_trust.yml
## Add Etcd Role to Vault (if needed)
- include: role_auth_cert.yml
when: vault_role_auth_method == "cert"
- include: role_auth_userpass.yml
when: vault_role_auth_method == "userpass"