From 97e0de7e29e32c4b0edd9a8743119568f949b9ab Mon Sep 17 00:00:00 2001
From: Matthew Mosesohn
Date: Wed, 11 Jul 2018 14:58:02 +0300
Subject: [PATCH] Fix vault file owner issues and k8s apiserver cert creation (#2985)

apiserver cert should be created only once
---
 roles/etcd/tasks/sync_etcd_master_certs.yml | 2 ++
 roles/kubernetes/secrets/tasks/gen_certs_vault.yml | 1 +
 roles/vault/tasks/bootstrap/main.yml | 2 +-
 roles/vault/tasks/bootstrap/sync_vault_certs.yml | 6 ++++++
 roles/vault/tasks/shared/issue_cert.yml | 3 ++-
 5 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/roles/etcd/tasks/sync_etcd_master_certs.yml b/roles/etcd/tasks/sync_etcd_master_certs.yml
index b810ff775..3990e569d 100644
--- a/roles/etcd/tasks/sync_etcd_master_certs.yml
+++ b/roles/etcd/tasks/sync_etcd_master_certs.yml
@@ -13,6 +13,8 @@
 sync_file: "{{ item }}"
 sync_file_dir: "{{ etcd_cert_dir }}"
 sync_file_hosts: [ "{{ inventory_hostname }}" ]
+ sync_file_owner: kube
+ sync_file_group: root
 sync_file_is_cert: true
 with_items: "{{ etcd_master_cert_list|d([]) }}"

diff --git a/roles/kubernetes/secrets/tasks/gen_certs_vault.yml b/roles/kubernetes/secrets/tasks/gen_certs_vault.yml
index 88db2f5a4..136ef3ffe 100644
--- a/roles/kubernetes/secrets/tasks/gen_certs_vault.yml
+++ b/roles/kubernetes/secrets/tasks/gen_certs_vault.yml
@@ -44,6 +44,7 @@
 issue_cert_file_group: "{{ kube_cert_group }}"
 issue_cert_file_owner: kube
 issue_cert_hosts: "{{ groups['kube-master'] }}"
+ issue_cert_run_once: true
 issue_cert_ip_sans: >-
 [
 {%- for host in groups['kube-master'] -%}
diff --git a/roles/vault/tasks/bootstrap/main.yml b/roles/vault/tasks/bootstrap/main.yml
index 18373ad9a..e4e67d11f 100644
--- a/roles/vault/tasks/bootstrap/main.yml
+++ b/roles/vault/tasks/bootstrap/main.yml
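Review bot: `sync_file_group: root` is hard-coded in the etcd hunk, whereas gen_certs_vault.yml in the same commit parameterizes the group as `{{ kube_cert_group }}`; consider `sync_file_group: "{{ kube_cert_group }}"` here, or a comment stating why etcd certificates deliberately use root. No file mode is passed alongside the new owner/group, so whether the private keys listed in `etcd_master_cert_list` end up group-readable depends on the sync_file role's defaults, which are outside this diff. The task these vars belong to starts before the hunk.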
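Review bot: `issue_cert_run_once: true` in the gen_certs_vault.yml hunk carries no explanation of why the apiserver certificate must be issued exactly once, which matters because the SAN list built directly below enumerates every kube-master host, so per-host issuance would yield several distinct keys for one identity. Suggest `# one shared apiserver cert (SANs cover all masters): issue it once; issue_cert.yml copies it to issue_cert_hosts` above the new line. Whether the certificate is re-issued on every playbook run is not visible here, and the vars block continues outside the hunk.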
@@ -43,7 +43,7 @@
 - "{{ vault_pki_mounts.etcd }}"
 loop_control:
 loop_var: mount
- when: inventory_hostname in groups.vault and not vault_cluster_is_initialized
+ when: inventory_hostname == groups.vault|first and not vault_cluster_is_initialized

 - include_tasks: ../shared/gen_ca.yml
 vars:
diff --git a/roles/vault/tasks/bootstrap/sync_vault_certs.yml b/roles/vault/tasks/bootstrap/sync_vault_certs.yml
index d6b2c6e91..cf499099a 100644
--- a/roles/vault/tasks/bootstrap/sync_vault_certs.yml
+++ b/roles/vault/tasks/bootstrap/sync_vault_certs.yml
@@ -4,6 +4,8 @@
 sync_file: "ca.pem"
 sync_file_dir: "{{ vault_cert_dir }}"
 sync_file_hosts: "{{ groups.vault }}"
+ sync_file_owner: vault
+ sync_file_group: root
 sync_file_is_cert: true

 - name: bootstrap/sync_vault_certs | Set facts for vault sync_file results
@@ -20,6 +22,8 @@
 sync_file: "ca.pem"
 sync_file_dir: "{{ vault_cert_dir }}"
 sync_file_hosts: "{{ groups['kube-master'] }}"
+ sync_file_owner: vault
+ sync_file_group: root
 sync_file_is_cert: false

 - name: bootstrap/sync_vault_certs | Set facts for vault sync_file results
@@ -36,6 +40,8 @@
 sync_file: "api.pem"
 sync_file_dir: "{{ vault_cert_dir }}"
 sync_file_hosts: "{{ groups.vault }}"
+ sync_file_owner: vault
+ sync_file_group: root
 sync_file_is_cert: true

 - name: bootstrap/sync_vault_certs | Set fact if Vault's API cert is needed
diff --git a/roles/vault/tasks/shared/issue_cert.yml b/roles/vault/tasks/shared/issue_cert.yml
index 89921b345..be49f375d 100644
--- a/roles/vault/tasks/shared/issue_cert.yml
+++ b/roles/vault/tasks/shared/issue_cert.yml
@@ -45,7 +45,7 @@
 state: directory
 recurse: yes
 owner: "vault"
- group: "vault"
+ group: "root"
 mode: 0755

 - name: gen_certs_vault | install hvac
@@ -87,6 +87,7 @@
 format: "{{ issue_cert_format | d('pem') }}"
 ip_sans: "{{ issue_cert_ip_sans | default([]) | join(',') }}"
 register: issue_cert_result
+ run_once: "{{ issue_cert_run_once | d(false) }}"

 - name: "issue_cert | Copy {{ issue_cert_path }} cert to all hosts"
 copy:
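Review bot: `inventory_hostname == groups.vault|first` in the main.yml hunk pins the PKI mount setup to the first host of the vault group by inventory order, so if that host is unreachable or excluded with `--limit` the condition is false on every remaining host and the mount is never created, whereas the old `in groups.vault` form ran on whichever vault hosts were present. The same commit uses `run_once` in issue_cert.yml for the same "do this once" intent, so two mechanisms now coexist; if the inventory-order dependency is intended, say so: `# only the first vault host creates the mount; the others pick it up after unseal`. The task this `when` belongs to starts before the hunk.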
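Review bot: the second sync_vault_certs.yml hunk (`@@ -20,6 +22,8 @@`) sets `sync_file_owner: vault` while `sync_file_hosts` is `groups['kube-master']`, so every kube-master host must already have a `vault` user or the ownership change in the sync_file role will fail; that holds only when the masters are also vault hosts, which this diff does not establish. Either add a comment such as `# assumes the vault user exists on kube-master hosts (created by the vault role)` or fall back to a user that certainly exists on non-vault masters. The first and third hunks in the file target `groups.vault` only and do not have this problem.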
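Review bot: `recurse: yes` together with `mode: 0755` in the first issue_cert.yml hunk applies 0755 to every file already under the directory, not just the directory itself, so any private key stored there becomes world-readable regardless of the `group: "root"` change this hunk makes; if key files live under this path, drop `mode` from the recursive task and let the copy task that installs each file set its own permissions. Writing `mode: "0755"` and `recurse: true` would also avoid the YAML 1.1 octal and truthy ambiguities. The `path:` of this task is above the hunk, so the affected directory is not visible here.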
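Review bot: the new `run_once` line in the second issue_cert.yml hunk has no note that, when it is true, the `issue_cert_result` registered on the line above is set on all hosts, which is what lets the following copy task install the single certificate on every host in `issue_cert_hosts`; suggest `# run_once: issue one shared cert; Ansible registers the result on every host so the copy below still runs everywhere` above it. The `d(false)` default keeps the previous per-host behaviour for callers that do not set `issue_cert_run_once`. The copy task begins at the end of the hunk and continues outside it.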