Own CA certificate for vault setup

2017-06-30 13:46:05 +02:00 · 2017-06-30 13:46:05 +02:00 · bd456651eb
commit bd456651eb
parent 8a8654c515
11 changed files with 94 additions and 9 deletions
--- a/inventory/group_vars/k8s-cluster.yml
+++ b/inventory/group_vars/k8s-cluster.yml
@ -132,3 +132,27 @@ efk_enabled: false

 # Helm deployment
 helm_enabled: false
+
+# Alt names for apiserver certificate
+#kube_apiserver_alt_name: ['*.apiserver.yourcompany.com']
+
+# Uncomment this or pass via variable to regenerate certificate by its file name
+#need_new_cert: "apiserver"
+
+# Variable for existent CA certificate
+# If you use Intermediate cert, put full chain with root CA here
+#vault_existent_crt: |
+# -----BEGIN CERTIFICATE-----
+# ...
+# -----END CERTIFICATE-----
+# -----BEGIN CERTIFICATE-----
+# ...
+# -----END CERTIFICATE-----
+
+# Correponding cert key for vault_existent_crt
+# !!! Normally this should be stored in ansible/hashicorp vault in encrypted format
+# !!! Never commit this to public repo
+#vault_existent_key: |
+# -----BEGIN RSA PRIVATE KEY-----
+# ...
+# -----END RSA PRIVATE KEY-----
--- a/roles/etcd/tasks/gen_certs_vault.yml
+++ b/roles/etcd/tasks/gen_certs_vault.yml
@ -4,7 +4,7 @@
  tags: etcd-secrets

 - include: sync_etcd_node_certs.yml
-  when: inventory_hostname in etcd_node_cert_hosts
+  when: inventory_hostname in etcd_node_cert_hosts|difference(groups.etcd)
  tags: etcd-secrets


--- a/roles/etcd/tasks/sync_etcd_master_certs.yml
+++ b/roles/etcd/tasks/sync_etcd_master_certs.yml
@ -6,7 +6,7 @@
        {{ etcd_master_cert_list|default([]) +  [
        "admin-" + item + ".pem",
        "member-" + item + ".pem"
-        ] }}
+        ] | unique }}
  with_items: "{{ groups.etcd }}"
  run_once: true

--- a/roles/etcd/tasks/sync_etcd_node_certs.yml
+++ b/roles/etcd/tasks/sync_etcd_node_certs.yml
@ -3,7 +3,7 @@
 - name: sync_etcd_node_certs | Create list of node certs needing creation
  set_fact: 
    etcd_node_cert_list: "{{ etcd_node_cert_list|default([]) +  ['node-' + item + '.pem'] }}"
-  with_items: "{{ etcd_node_cert_hosts }}"
+  with_items: "{{ etcd_node_cert_hosts | unique }}"
  run_once: true

 - include: ../../vault/tasks/shared/sync_file.yml
@ -30,7 +30,7 @@
  vars: 
    sync_file: ca.pem
    sync_file_dir: "{{ etcd_cert_dir }}"
-    sync_file_hosts: "{{ etcd_node_cert_hosts }}"
+    sync_file_hosts: "{{ etcd_node_cert_hosts | unique }}"
  run_once: true

 - name: sync_etcd_node_certs | Unset sync_file_results after ca.pem
--- a/roles/kubernetes/secrets/tasks/gen_certs_vault.yml
+++ b/roles/kubernetes/secrets/tasks/gen_certs_vault.yml
@ -55,6 +55,7 @@
  vars:
    issue_cert_alt_names: >-
        {{
+        kube_apiserver_alt_name|d([]) if item|search("apiserver") else omit +
        groups['kube-master'] +
        ['kubernetes.default.svc.cluster.local', 'kubernetes.default.svc', 'kubernetes.default', 'kubernetes'] +
        ['localhost']
--- a/roles/vault/tasks/bootstrap/ca_trust.yml
+++ b/roles/vault/tasks/bootstrap/ca_trust.yml
@ -4,6 +4,7 @@
  command: "cat {{ vault_cert_dir }}/ca.pem"
  register: vault_cert_file_cat
  delegate_to: "{{ groups['vault']|first }}"
+  ignore_errors: "{{ vault_existent_crt is defined and vault_existent_key is defined }}"

 # This part is mostly stolen from the etcd role
 - name: bootstrap/ca_trust | target ca-certificate store file
@ -17,9 +18,17 @@
      /etc/ssl/certs/kube-cluster-ca.pem
      {%- endif %}

+- set_fact:
+   ca_file_content: "{{ vault_cert_file_cat.get('stdout') }}"
+  when: not ( vault_existent_crt is defined and vault_existent_key is defined )
+
+- set_fact:
+   ca_file_content: "{{ vault_existent_crt }}"
+  when: vault_existent_crt is defined and vault_existent_key is defined
+
 - name: bootstrap/ca_trust | add CA to trusted CA dir
  copy:
-    content: "{{ vault_cert_file_cat.get('stdout') }}"
+    content: "{{ ca_file_content }}"
    dest: "{{ ca_cert_path }}"
  register: vault_ca_cert

--- a/roles/vault/tasks/bootstrap/gen_ca.yml
+++ b/roles/vault/tasks/bootstrap/gen_ca.yml
@ -14,18 +14,45 @@
    body_format: json
    body: "{{ vault_ca_options }}"
  register: vault_ca_gen
-  when: inventory_hostname == groups.vault|first and vault_ca_cert_needed
+  when: inventory_hostname == groups.vault|first and vault_ca_cert_needed and
+        not ( vault_existent_crt is defined and vault_existent_key is defined )
+
+- name: bootstrap/gen_ca | Configure pki mount to use the found root CA cert and key
+  uri:
+    url: "{{ vault_leader_url }}/v1/pki/config/ca"
+    headers: "{{ vault_headers }}"
+    method: POST
+    body_format: json
+    body:
+      pem_bundle: "{{ vault_existent_crt + vault_existent_key }}"
+    status_code: 204
+  when: inventory_hostname == groups.vault|first and vault_ca_cert_needed and
+        vault_existent_crt is defined and vault_existent_key is defined
+
+- name: config_ca | Copy existent certificate data
+  copy:
+    content: "{{ item.content }}"
+    dest: "{{ item.dest }}"
+    owner: root
+    group: root
+    mode: "{{ item.mode }}"
+  when: item.content != ''
+  with_items:
+    - { content: "{{ vault_existent_crt|default() }}", dest: "{{ vault_cert_dir }}/ca.pem", mode: 644 }
+    - { content: "{{ vault_existent_key|default() }}", dest: "{{ vault_cert_dir }}/ca-key.pem", mode: 400 }

 - name: bootstrap/gen_ca | Copy root CA cert locally
  copy:
    content: "{{ hostvars[groups.vault|first]['vault_ca_gen']['json']['data']['certificate'] }}"
    dest: "{{ vault_cert_dir }}/ca.pem"
    mode: 0644
-  when: vault_ca_cert_needed
+  when: vault_ca_cert_needed and
+        not ( vault_existent_crt is defined and vault_existent_key is defined )

 - name: bootstrap/gen_ca | Copy root CA key locally
  copy:
    content: "{{ hostvars[groups.vault|first]['vault_ca_gen']['json']['data']['private_key'] }}"
    dest: "{{ vault_cert_dir }}/ca-key.pem"
    mode: 0640
-  when: vault_ca_cert_needed
+  when: vault_ca_cert_needed and
+        not ( vault_existent_crt is defined and vault_existent_key is defined )
--- a/roles/vault/tasks/bootstrap/start_vault_temp.yml
+++ b/roles/vault/tasks/bootstrap/start_vault_temp.yml
@ -37,6 +37,23 @@
    vault_headers: "{{ vault_client_headers|combine({'X-Vault-Token': vault_temp_init.json.root_token}) }}"
  ignore_errors: "{{ ansible_check_mode }}"

+- name: "bootstrap/start_vault_temp | Check {{vault_leader_url}}"
+  uri:
+    url: "{{ vault_leader_url}}/v1/sys/health"
+    headers: "{{ vault_client_headers }}"
+    status_code: 200,429,500,501
+    timeout: 5
+  ignore_errors: true
+  register: vault_leader_url_check
+
+- debug: var=vault_leader_url_check verbosity=2
+
+- name: bootstrap/start_vault_temp | Tune vault_leader_url url
+  set_fact:
+    vault_leader_url: "http://localhost:{{ vault_port }}"
+  when: vault_leader_url_check|failed
+  ignore_errors: "{{ ansible_check_mode }}"
+
 - name: bootstrap/start_vault_temp | Unseal vault-temp
  uri:
    url: "http://localhost:{{ vault_port }}/v1/sys/unseal"
--- a/roles/vault/tasks/cluster/init.yml
+++ b/roles/vault/tasks/cluster/init.yml
@ -2,7 +2,7 @@

 - name: cluster/init | Initialize Vault
  uri:
-    url: "https://{{ groups.vault|first }}:{{ vault_port }}/v1/sys/init"
+    url: "https://localhost:{{ vault_port }}/v1/sys/init"
    headers: "{{ vault_client_headers }}"
    method: POST
    body_format: json
--- a/roles/vault/tasks/shared/issue_cert.yml
+++ b/roles/vault/tasks/shared/issue_cert.yml
@ -58,6 +58,7 @@
    mode: "{{ issue_cert_file_mode | d('0640') }}"
    owner: "{{ issue_cert_file_owner | d('root') }}"
  ignore_errors: "{{ ansible_check_mode }}"
+  no_log: "{{ not ansible_check_mode }}"

 - name: issue_cert | Copy issuing CA cert
  copy:
--- a/roles/vault/tasks/shared/sync_file.yml
+++ b/roles/vault/tasks/shared/sync_file.yml
@ -73,6 +73,12 @@
    sync_file_no_srcs: "{{ true if sync_file_srcs|d([])|length == 0 else false }}"
    sync_file_unneeded: "{{ true if sync_file_srcs|d([])|length == sync_file_hosts|length else false }}"

+- name: "sync_file | Set fact to regenirate certificate {{sync_file_path}}"
+  set_fact:
+    sync_file_no_srcs: true
+  when: need_new_cert|d() is defined and
+        sync_file_path|search(need_new_cert|d('!'))
+
 - name: "sync_file | Set sync_file_result fact"
  set_fact:
    sync_file_result: