Fixing up vault variables

2017-04-19 15:52:51 +00:00 · 2017-04-19 15:52:51 +00:00 · db3e8edacd
parent 780308c194
commit db3e8edacd
5 changed files with 17 additions and 11 deletions
--- a/roles/etcd/tasks/gen_certs_vault.yml
+++ b/roles/etcd/tasks/gen_certs_vault.yml
@ -31,12 +31,18 @@
  register: etcd_vault_login_result
  when: inventory_hostname == groups.etcd|first

+- name: gen_certs_vault | Set fact for vault_client_token
+  set_fact:
+    vault_client_token:  "{{ etcd_vault_login_result.get('json', {}).get('auth', {}).get('client_token') }}"
+  delegate_to: "{{ groups['etcd'][0] }}"
+
 - name: gen_certs_vault | Set fact for Vault API token
  set_fact:
    etcd_vault_headers:
        Accept: application/json
        Content-Type: application/json
-        X-Vault-Token: "{{ hostvars[groups.etcd|first]['etcd_vault_login_result']['json']['auth']['client_token'] }}"
+        X-Vault-Token: "{{ vault_client_token }}"
+  when: vault_client_token != ""

 # Issue master certs to Etcd nodes
 - include: ../../vault/tasks/shared/issue_cert.yml
--- a/roles/kubernetes/secrets/tasks/sync_kube_node_certs.yml
+++ b/roles/kubernetes/secrets/tasks/sync_kube_node_certs.yml
@ -9,7 +9,7 @@
  vars: 
    sync_file: "{{ item }}"
    sync_file_dir: "{{ kube_cert_dir }}"
-    sync_file_group: "{{ kuber_cert_group }}"
+    sync_file_group: "{{ kube_cert_group }}"
    sync_file_hosts: "{{ groups['k8s-cluster'] }}"
    sync_file_is_cert: true
    sync_file_owner: kube
@ -29,7 +29,7 @@
  vars: 
    sync_file: ca.pem
    sync_file_dir: "{{ kube_cert_dir }}"
-    sync_file_group: "{{ kuber_cert_group }}"
+    sync_file_group: "{{ kube_cert_group }}"
    sync_file_hosts: "{{ groups['k8s-cluster'] }}"
    sync_file_owner: kube

--- a/roles/vault/tasks/bootstrap/ca_trust.yml
+++ b/roles/vault/tasks/bootstrap/ca_trust.yml
@ -3,7 +3,7 @@
 - name: bootstrap/ca_trust | pull CA from cert from groups.vault|first
  command: "cat {{ vault_cert_dir }}/ca.pem"
  register: vault_cert_file_cat
-  when: inventory_hostname == groups.vault|first
+  delegate_to: "{{ groups['vault']|first }}"

 # This part is mostly stolen from the etcd role
 - name: bootstrap/ca_trust | target ca-certificate store file
@ -19,7 +19,7 @@

 - name: bootstrap/ca_trust | add CA to trusted CA dir
  copy:
-    content: "{{ hostvars[groups.vault|first]['vault_cert_file_cat']['stdout'] }}"
+    content: "{{ vault_cert_file_cat.get('stdout') }}"
    dest: "{{ ca_cert_path }}"
  register: vault_ca_cert

--- a/roles/vault/tasks/shared/sync.yml
+++ b/roles/vault/tasks/shared/sync.yml
@ -12,11 +12,11 @@

 - name: "sync_file | Set facts for file contents"
  set_fact:
-    sync_file_contents: "{{ hostvars[sync_file_srcs|first]['sync_file_cat']['stdout'] }}"
+    sync_file_contents: "{{ hostvars[sync_file_srcs|first].get('sync_file_cat', {}).get('stdout') }}"

 - name: "sync_file | Set fact for key contents"
  set_fact:
-    sync_file_key_contents: "{{ hostvars[sync_file_srcs|first]['sync_file_key_cat']['stdout'] }}"
+    sync_file_key_contents: "{{ hostvars[sync_file_srcs|first].get('sync_file_key_cat', {}).get('stdout') }}"
  when: sync_file_is_cert|d()

 - name: "sync_file | Ensure the directory exists"
--- a/roles/vault/tasks/shared/sync_file.yml
+++ b/roles/vault/tasks/shared/sync_file.yml
@ -36,7 +36,7 @@
  with_items: "{{ sync_file_hosts | unique }}"
  loop_control:
    loop_var: host_item
-  when: hostvars[host_item]["sync_file_stat"]["stat"]["exists"]|bool
+  when: hostvars[host_item].get("sync_file_stat", {}).get("stat", {}).get("exists")

 - name: "sync_file | Combine all possible key file sync sources"
  set_fact:
@ -44,7 +44,7 @@
  with_items: "{{ sync_file_hosts | unique }}"
  loop_control:
    loop_var: host_item
-  when: sync_file_is_cert|d() and hostvars[host_item]["sync_file_key_stat"]["stat"]["exists"]|bool
+  when: sync_file_is_cert|d() and hostvars[host_item].get("sync_file_key_stat", {}).get("stat", {}).get("exists")

 - name: "sync_file | Remove sync sources with files that do not match sync_file_srcs|first"
  set_fact:
@ -52,7 +52,7 @@
  when: >-
        sync_file_srcs|d([])|length > 1 and
        inventory_hostname != sync_file_srcs|first and
-        sync_file_stat.stat.get("checksum") != hostvars[sync_file_srcs|first]["sync_file_stat"]["stat"]["checksum"]
+        sync_file_stat.stat.get("checksum") != hostvars[sync_file_srcs|first].get("sync_file_stat", {}).get("stat", {}).get("checksum")

 - name: "sync_file | Remove sync sources with keys that do not match sync_file_srcs|first"
  set_fact:
@ -61,7 +61,7 @@
        sync_file_is_cert|d() and
        sync_file_key_srcs|d([])|length > 1 and
        inventory_hostname != sync_file_key_srcs|first and
-        sync_file_key_stat.stat.checksum != hostvars[sync_file_srcs|first]["sync_file_key_stat"]["stat"]["checksum"]
+        sync_file_key_stat.stat.get("checksum") != hostvars[sync_file_srcs|first].get("sync_file_key_stat", {}).get("stat", {}).get("checksum")

 - name: "sync_file | Consolidate file and key sources"
  set_fact: