c12s-kubespray/roles/vault/tasks/cluster/create_roles.yml

---
- include: ../shared/auth_backend.yml
  vars:
    auth_backend_description: A Username/Password Auth Backend primarily used for services needing to issue certificates
    auth_backend_path: userpass
    auth_backend_type: userpass
  when: inventory_hostname == groups.vault|first

- include: ../shared/create_role.yml
  vars:
    create_role_name: "{{ item.name }}"
    create_role_group: "{{ item.group }}"
    create_role_policy_rules: "{{ item.policy_rules }}"
    create_role_options: "{{ item.role_options }}"
    create_role_mount_path: "{{ item.mount_path }}"
  with_items:
    - "{{ vault_etcd_role }}"
    - "{{ vault_kube_role }}"
Vault security hardening and role isolation 2017-02-08 21:41:36 +00:00			`---`
Change single Vault pki mount to multi pki mounts paths for etcd and kube CA`s (#1552) * Added update CA trust step for etcd and kube/secrets roles * Added load_balancer_domain_name to certificate alt names if defined. Reset CA's in RedHat os. * Rename kube-cluster-ca.crt to vault-ca.crt, we need separated CA`s for vault, etcd and kube. * Vault role refactoring, remove optional cert vault auth because not not used and worked. Create separate CA`s fro vault and etcd. * Fixed different certificates set for vault cert_managment * Update doc/vault.md * Fixed condition create vault CA, wrong group * Fixed missing etcd_cert_path mount for rkt deployment type. Distribute vault roles for all vault hosts * Removed wrong when condition in create etcd role vault tasks. 2017-08-30 13:03:22 +00:00			`- include: ../shared/auth_backend.yml`
			`vars:`
			`auth_backend_description: A Username/Password Auth Backend primarily used for services needing to issue certificates`
			`auth_backend_path: userpass`
			`auth_backend_type: userpass`
			`when: inventory_hostname == groups.vault\|first`
Vault security hardening and role isolation 2017-02-08 21:41:36 +00:00
			`- include: ../shared/create_role.yml`
			`vars:`
			`create_role_name: "{{ item.name }}"`
			`create_role_group: "{{ item.group }}"`
			`create_role_policy_rules: "{{ item.policy_rules }}"`
			`create_role_options: "{{ item.role_options }}"`
Change single Vault pki mount to multi pki mounts paths for etcd and kube CA`s (#1552) * Added update CA trust step for etcd and kube/secrets roles * Added load_balancer_domain_name to certificate alt names if defined. Reset CA's in RedHat os. * Rename kube-cluster-ca.crt to vault-ca.crt, we need separated CA`s for vault, etcd and kube. * Vault role refactoring, remove optional cert vault auth because not not used and worked. Create separate CA`s fro vault and etcd. * Fixed different certificates set for vault cert_managment * Update doc/vault.md * Fixed condition create vault CA, wrong group * Fixed missing etcd_cert_path mount for rkt deployment type. Distribute vault roles for all vault hosts * Removed wrong when condition in create etcd role vault tasks. 2017-08-30 13:03:22 +00:00			`create_role_mount_path: "{{ item.mount_path }}"`
			`with_items:`
			`- "{{ vault_etcd_role }}"`
			`- "{{ vault_kube_role }}"`