c12s-kubespray/roles/vault/tasks/shared/create_role.yml

---

# The JSON inside JSON here is intentional (Vault API wants it)
- name: create_role | Create a policy for the new role allowing issuing
  uri:
    url: "{{ hostvars[groups.vault|first]['vault_leader_url'] }}/v1/sys/policy/{{ create_role_name }}"
    headers: "{{ hostvars[groups.vault|first]['vault_headers'] }}"
    method: PUT
    body_format: json
    body:
      rules: >-
             {%- if create_role_policy_rules|d("default") == "default" -%}
             {{
             { 'path': {
                 create_role_mount_path + '/issue/' + create_role_name: {'policy': 'write'},
                 create_role_mount_path + '/roles/' + create_role_name: {'policy': 'read'}
             }} | to_json + '\n'
             }}
             {%- else -%}
             {{ create_role_policy_rules | to_json + '\n' }}
             {%- endif -%}
    status_code: 204
  when: inventory_hostname == groups[create_role_group]|first

- name: create_role | Create the new role in the {{ create_role_mount_path }} pki mount
  uri:
    url: "{{ hostvars[groups.vault|first]['vault_leader_url'] }}/v1/{{ create_role_mount_path }}/roles/{{ create_role_name }}"
    headers: "{{ hostvars[groups.vault|first]['vault_headers'] }}"
    method: POST
    body_format: json
    body: >-
          {%- if create_role_options|d("default") == "default" -%}
          {'allow_any_name': true}
          {%- else -%}
          {{ create_role_options }}
          {%- endif -%}
    status_code: 204
  when: inventory_hostname == groups[create_role_group]|first

## Userpass based auth method

- include: gen_userpass.yml
  vars:
    gen_userpass_group: "{{ create_role_group }}"
    gen_userpass_password: "{{ create_role_password|d(''|to_uuid) }}"
    gen_userpass_policies: "{{ create_role_name }}"
    gen_userpass_role: "{{ create_role_name }}"
    gen_userpass_username: "{{ create_role_name }}"
  when: inventory_hostname in groups[create_role_group]
Vault security hardening and role isolation 2017-02-08 21:41:36 +00:00			`---`

			`# The JSON inside JSON here is intentional (Vault API wants it)`
			`- name: create_role \| Create a policy for the new role allowing issuing`
			`uri:`
			`url: "{{ hostvars[groups.vault\|first]['vault_leader_url'] }}/v1/sys/policy/{{ create_role_name }}"`
			`headers: "{{ hostvars[groups.vault\|first]['vault_headers'] }}"`
			`method: PUT`
			`body_format: json`
			`body:`
			`rules: >-`
			`{%- if create_role_policy_rules\|d("default") == "default" -%}`
			`{{`
			`{ 'path': {`
Change single Vault pki mount to multi pki mounts paths for etcd and kube CA`s (#1552) * Added update CA trust step for etcd and kube/secrets roles * Added load_balancer_domain_name to certificate alt names if defined. Reset CA's in RedHat os. * Rename kube-cluster-ca.crt to vault-ca.crt, we need separated CA`s for vault, etcd and kube. * Vault role refactoring, remove optional cert vault auth because not not used and worked. Create separate CA`s fro vault and etcd. * Fixed different certificates set for vault cert_managment * Update doc/vault.md * Fixed condition create vault CA, wrong group * Fixed missing etcd_cert_path mount for rkt deployment type. Distribute vault roles for all vault hosts * Removed wrong when condition in create etcd role vault tasks. 2017-08-30 13:03:22 +00:00			`create_role_mount_path + '/issue/' + create_role_name: {'policy': 'write'},`
			`create_role_mount_path + '/roles/' + create_role_name: {'policy': 'read'}`
Vault security hardening and role isolation 2017-02-08 21:41:36 +00:00			`}} \| to_json + '\n'`
			`}}`
			`{%- else -%}`
			`{{ create_role_policy_rules \| to_json + '\n' }}`
			`{%- endif -%}`
			`status_code: 204`
			`when: inventory_hostname == groups[create_role_group]\|first`

Change single Vault pki mount to multi pki mounts paths for etcd and kube CA`s (#1552) * Added update CA trust step for etcd and kube/secrets roles * Added load_balancer_domain_name to certificate alt names if defined. Reset CA's in RedHat os. * Rename kube-cluster-ca.crt to vault-ca.crt, we need separated CA`s for vault, etcd and kube. * Vault role refactoring, remove optional cert vault auth because not not used and worked. Create separate CA`s fro vault and etcd. * Fixed different certificates set for vault cert_managment * Update doc/vault.md * Fixed condition create vault CA, wrong group * Fixed missing etcd_cert_path mount for rkt deployment type. Distribute vault roles for all vault hosts * Removed wrong when condition in create etcd role vault tasks. 2017-08-30 13:03:22 +00:00			`- name: create_role \| Create the new role in the {{ create_role_mount_path }} pki mount`
Vault security hardening and role isolation 2017-02-08 21:41:36 +00:00			`uri:`
Change single Vault pki mount to multi pki mounts paths for etcd and kube CA`s (#1552) * Added update CA trust step for etcd and kube/secrets roles * Added load_balancer_domain_name to certificate alt names if defined. Reset CA's in RedHat os. * Rename kube-cluster-ca.crt to vault-ca.crt, we need separated CA`s for vault, etcd and kube. * Vault role refactoring, remove optional cert vault auth because not not used and worked. Create separate CA`s fro vault and etcd. * Fixed different certificates set for vault cert_managment * Update doc/vault.md * Fixed condition create vault CA, wrong group * Fixed missing etcd_cert_path mount for rkt deployment type. Distribute vault roles for all vault hosts * Removed wrong when condition in create etcd role vault tasks. 2017-08-30 13:03:22 +00:00			`url: "{{ hostvars[groups.vault\|first]['vault_leader_url'] }}/v1/{{ create_role_mount_path }}/roles/{{ create_role_name }}"`
Vault security hardening and role isolation 2017-02-08 21:41:36 +00:00			`headers: "{{ hostvars[groups.vault\|first]['vault_headers'] }}"`
			`method: POST`
			`body_format: json`
			`body: >-`
			`{%- if create_role_options\|d("default") == "default" -%}`
			`{'allow_any_name': true}`
			`{%- else -%}`
			`{{ create_role_options }}`
			`{%- endif -%}`
			`status_code: 204`
			`when: inventory_hostname == groups[create_role_group]\|first`

			`## Userpass based auth method`

			`- include: gen_userpass.yml`
			`vars:`
			`gen_userpass_group: "{{ create_role_group }}"`
			`gen_userpass_password: "{{ create_role_password\|d(''\|to_uuid) }}"`
			`gen_userpass_policies: "{{ create_role_name }}"`
			`gen_userpass_role: "{{ create_role_name }}"`
			`gen_userpass_username: "{{ create_role_name }}"`
Change single Vault pki mount to multi pki mounts paths for etcd and kube CA`s (#1552) * Added update CA trust step for etcd and kube/secrets roles * Added load_balancer_domain_name to certificate alt names if defined. Reset CA's in RedHat os. * Rename kube-cluster-ca.crt to vault-ca.crt, we need separated CA`s for vault, etcd and kube. * Vault role refactoring, remove optional cert vault auth because not not used and worked. Create separate CA`s fro vault and etcd. * Fixed different certificates set for vault cert_managment * Update doc/vault.md * Fixed condition create vault CA, wrong group * Fixed missing etcd_cert_path mount for rkt deployment type. Distribute vault roles for all vault hosts * Removed wrong when condition in create etcd role vault tasks. 2017-08-30 13:03:22 +00:00			`when: inventory_hostname in groups[create_role_group]`