Use include/import tasks (#2192)
import_tasks will consume far less memory, so it should be used whenever it is compatible.
This commit is contained in:
parent
f4180503c8
commit
dc6a17e092
43 changed files with 117 additions and 117 deletions
|
@ -1,17 +1,17 @@
|
||||||
---
|
---
|
||||||
- include: bootstrap-ubuntu.yml
|
- import_tasks: bootstrap-ubuntu.yml
|
||||||
when: bootstrap_os == "ubuntu"
|
when: bootstrap_os == "ubuntu"
|
||||||
|
|
||||||
- include: bootstrap-debian.yml
|
- import_tasks: bootstrap-debian.yml
|
||||||
when: bootstrap_os == "debian"
|
when: bootstrap_os == "debian"
|
||||||
|
|
||||||
- include: bootstrap-coreos.yml
|
- import_tasks: bootstrap-coreos.yml
|
||||||
when: bootstrap_os == "coreos"
|
when: bootstrap_os == "coreos"
|
||||||
|
|
||||||
- include: bootstrap-centos.yml
|
- import_tasks: bootstrap-centos.yml
|
||||||
when: bootstrap_os == "centos"
|
when: bootstrap_os == "centos"
|
||||||
|
|
||||||
- include: setup-pipelining.yml
|
- import_tasks: setup-pipelining.yml
|
||||||
|
|
||||||
- name: check if atomic host
|
- name: check if atomic host
|
||||||
stat:
|
stat:
|
||||||
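Review bot: Nothing in this role's main.yml records why the bootstrap includes became `import_tasks` while other files in the same commit use `include_tasks`, and the difference is observable: a static import attaches `when: bootstrap_os == "ubuntu"` to every task in bootstrap-ubuntu.yml and evaluates it per task, whereas a dynamic include evaluates it once for the include. A one-line comment at the top of the task list would keep the next contributor from flipping them back, e.g. `# import_tasks (static) is used for fixed file names without loops; include_tasks (dynamic) only where the path is templated or the include is looped.` The file path is not visible on this page, so the role name is inferred from the bootstrap-* file names.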
|
|
|
@ -15,7 +15,7 @@
|
||||||
tags:
|
tags:
|
||||||
- facts
|
- facts
|
||||||
|
|
||||||
- include: set_facts_dns.yml
|
- include_tasks: set_facts_dns.yml
|
||||||
when: dns_mode != 'none' and resolvconf_mode == 'docker_dns'
|
when: dns_mode != 'none' and resolvconf_mode == 'docker_dns'
|
||||||
tags:
|
tags:
|
||||||
- facts
|
- facts
|
||||||
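Review bot: Tags on a dynamic `include_tasks: set_facts_dns.yml` apply to the include task only, so after this change a `--tags facts` run executes the include and then skips every task inside set_facts_dns.yml unless those tasks carry `facts` themselves; as far as I recall the old dynamic `include` propagated its tags to the included tasks, which would make this a behaviour change for partial runs rather than a no-op (worth confirming on the pinned Ansible version). The path is fixed and there is no loop, so the commit's own rule applies: `import_tasks: set_facts_dns.yml`, which attaches both the `when:` and the `facts` tag to each imported task. If it must stay dynamic for some other reason, the tasks in set_facts_dns.yml need `tags: [facts]` explicitly.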
|
@ -88,7 +88,7 @@
|
||||||
installed_docker_version.stdout|version_compare('1.12', '<')
|
installed_docker_version.stdout|version_compare('1.12', '<')
|
||||||
|
|
||||||
- name: Set docker systemd config
|
- name: Set docker systemd config
|
||||||
include: systemd.yml
|
import_tasks: systemd.yml
|
||||||
|
|
||||||
- name: ensure docker service is started and enabled
|
- name: ensure docker service is started and enabled
|
||||||
service:
|
service:
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
---
|
---
|
||||||
- name: container_download | Make download decision if pull is required by tag or sha256
|
- name: container_download | Make download decision if pull is required by tag or sha256
|
||||||
include: set_docker_image_facts.yml
|
include_tasks: set_docker_image_facts.yml
|
||||||
delegate_to: "{{ download_delegate if download_run_once or omit }}"
|
delegate_to: "{{ download_delegate if download_run_once or omit }}"
|
||||||
delegate_facts: no
|
delegate_facts: no
|
||||||
run_once: "{{ download_run_once }}"
|
run_once: "{{ download_run_once }}"
|
||||||
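Review bot: The `delegate_to` expression on this include reads as `download_delegate if (download_run_once or omit)`: the inline `if` has no `else`, so Jinja parses `or omit` as part of the condition, and since `omit` is a non-empty placeholder string the condition is always true, which would delegate the include to `download_delegate` even when `download_run_once` is false. This is a pre-existing context line and I am reading it from the page only, so please confirm with `-vvv` before changing it; the intended form is presumably `delegate_to: "{{ download_delegate if download_run_once else omit }}"`. Separately, whether `delegate_to` and `run_once` on an `include_tasks` propagate to the tasks inside set_docker_image_facts.yml depends on the Ansible version in use; if they do not, those keywords belong on the inner tasks.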
|
|
|
@ -1,10 +1,10 @@
|
||||||
---
|
---
|
||||||
- include: download_prep.yml
|
- include_tasks: download_prep.yml
|
||||||
when:
|
when:
|
||||||
- not skip_downloads|default(false)
|
- not skip_downloads|default(false)
|
||||||
|
|
||||||
- name: "Download items"
|
- name: "Download items"
|
||||||
include: "download_{% if download.container %}container{% else %}file{% endif %}.yml"
|
include_tasks: "download_{% if download.container %}container{% else %}file{% endif %}.yml"
|
||||||
vars:
|
vars:
|
||||||
download: "{{ download_defaults | combine(item.value) }}"
|
download: "{{ download_defaults | combine(item.value) }}"
|
||||||
with_dict: "{{ downloads }}"
|
with_dict: "{{ downloads }}"
|
||||||
|
@ -13,7 +13,7 @@
|
||||||
- item.value.enabled
|
- item.value.enabled
|
||||||
|
|
||||||
- name: "Sync container"
|
- name: "Sync container"
|
||||||
include: sync_container.yml
|
include_tasks: sync_container.yml
|
||||||
vars:
|
vars:
|
||||||
download: "{{ download_defaults | combine(item.value) }}"
|
download: "{{ download_defaults | combine(item.value) }}"
|
||||||
with_dict: "{{ downloads }}"
|
with_dict: "{{ downloads }}"
|
||||||
|
|
|
@ -7,7 +7,7 @@
|
||||||
- reload etcd
|
- reload etcd
|
||||||
- wait for etcd up
|
- wait for etcd up
|
||||||
|
|
||||||
- include: backup.yml
|
- import_tasks: backup.yml
|
||||||
|
|
||||||
- name: etcd | reload systemd
|
- name: etcd | reload systemd
|
||||||
command: systemctl daemon-reload
|
command: systemctl daemon-reload
|
||||||
|
|
|
@ -30,7 +30,7 @@
|
||||||
notify: restart etcd
|
notify: restart etcd
|
||||||
|
|
||||||
- name: Configure | Join member(s) to cluster one at a time
|
- name: Configure | Join member(s) to cluster one at a time
|
||||||
include: join_member.yml
|
include_tasks: join_member.yml
|
||||||
vars:
|
vars:
|
||||||
target_node: "{{ item }}"
|
target_node: "{{ item }}"
|
||||||
loop_control:
|
loop_control:
|
||||||
|
|
|
@ -1,16 +1,16 @@
|
||||||
---
|
---
|
||||||
- include: sync_etcd_master_certs.yml
|
- include_tasks: sync_etcd_master_certs.yml
|
||||||
when: inventory_hostname in groups.etcd
|
when: inventory_hostname in groups.etcd
|
||||||
tags:
|
tags:
|
||||||
- etcd-secrets
|
- etcd-secrets
|
||||||
|
|
||||||
- include: sync_etcd_node_certs.yml
|
- include_tasks: sync_etcd_node_certs.yml
|
||||||
when: inventory_hostname in etcd_node_cert_hosts
|
when: inventory_hostname in etcd_node_cert_hosts
|
||||||
tags:
|
tags:
|
||||||
- etcd-secrets
|
- etcd-secrets
|
||||||
|
|
||||||
# Issue master certs to Etcd nodes
|
# Issue master certs to Etcd nodes
|
||||||
- include: ../../vault/tasks/shared/issue_cert.yml
|
- include_tasks: ../../vault/tasks/shared/issue_cert.yml
|
||||||
vars:
|
vars:
|
||||||
issue_cert_common_name: "etcd:master:{{ item.rsplit('/', 1)[1].rsplit('.', 1)[0] }}"
|
issue_cert_common_name: "etcd:master:{{ item.rsplit('/', 1)[1].rsplit('.', 1)[0] }}"
|
||||||
issue_cert_alt_names: "{{ groups['etcd'] + ['localhost'] + (etcd_cert_alt_names)|default() }}"
|
issue_cert_alt_names: "{{ groups['etcd'] + ['localhost'] + (etcd_cert_alt_names)|default() }}"
|
||||||
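Review bot: In `issue_cert_alt_names` on the master-cert include, `|default()` binds only to `(etcd_cert_alt_names)`, and with no argument it substitutes an empty string, so if `etcd_cert_alt_names` is ever undefined the expression becomes `list + ''` and fails with a Jinja TypeError instead of falling back; the `default()` is effectively dead. Because this value becomes the SAN list of the etcd master certificates, a wrong fallback is a TLS-hostname problem rather than a cosmetic one. `issue_cert_alt_names: "{{ groups['etcd'] + ['localhost'] + (etcd_cert_alt_names | default([])) }}"` yields a list in both cases; presumably a role default already defines the variable, in which case this is only a robustness fix. The `with_items` loop that supplies `item` sits below the hunk.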
|
@ -37,7 +37,7 @@
|
||||||
notify: set etcd_secret_changed
|
notify: set etcd_secret_changed
|
||||||
|
|
||||||
# Issue node certs to everyone else
|
# Issue node certs to everyone else
|
||||||
- include: ../../vault/tasks/shared/issue_cert.yml
|
- include_tasks: ../../vault/tasks/shared/issue_cert.yml
|
||||||
vars:
|
vars:
|
||||||
issue_cert_common_name: "etcd:node:{{ item.rsplit('/', 1)[1].rsplit('.', 1)[0] }}"
|
issue_cert_common_name: "etcd:node:{{ item.rsplit('/', 1)[1].rsplit('.', 1)[0] }}"
|
||||||
issue_cert_alt_names: "{{ etcd_node_cert_hosts }}"
|
issue_cert_alt_names: "{{ etcd_node_cert_hosts }}"
|
||||||
|
|
|
@ -10,7 +10,7 @@
|
||||||
ETCDCTL_CERT_FILE: "{{ etcd_cert_dir }}/node-{{ inventory_hostname }}.pem"
|
ETCDCTL_CERT_FILE: "{{ etcd_cert_dir }}/node-{{ inventory_hostname }}.pem"
|
||||||
ETCDCTL_KEY_FILE: "{{ etcd_cert_dir }}/node-{{ inventory_hostname }}-key.pem"
|
ETCDCTL_KEY_FILE: "{{ etcd_cert_dir }}/node-{{ inventory_hostname }}-key.pem"
|
||||||
|
|
||||||
- include: refresh_config.yml
|
- include_tasks: refresh_config.yml
|
||||||
vars:
|
vars:
|
||||||
etcd_peer_addresses: >-
|
etcd_peer_addresses: >-
|
||||||
{% for host in groups['etcd'] -%}
|
{% for host in groups['etcd'] -%}
|
||||||
|
|
|
@ -1,15 +1,15 @@
|
||||||
---
|
---
|
||||||
- include: check_certs.yml
|
- include_tasks: check_certs.yml
|
||||||
when: cert_management == "script"
|
when: cert_management == "script"
|
||||||
tags:
|
tags:
|
||||||
- etcd-secrets
|
- etcd-secrets
|
||||||
- facts
|
- facts
|
||||||
|
|
||||||
- include: "gen_certs_{{ cert_management }}.yml"
|
- include_tasks: "gen_certs_{{ cert_management }}.yml"
|
||||||
tags:
|
tags:
|
||||||
- etcd-secrets
|
- etcd-secrets
|
||||||
|
|
||||||
- include: upd_ca_trust.yml
|
- include_tasks: upd_ca_trust.yml
|
||||||
tags:
|
tags:
|
||||||
- etcd-secrets
|
- etcd-secrets
|
||||||
|
|
||||||
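Review bot: `include_tasks: check_certs.yml` carries `tags: [etcd-secrets, facts]`, but tags on a dynamic include are not inherited by the tasks in the included file, so a `--tags facts` or `--tags etcd-secrets` run will enter check_certs.yml and then skip its tasks unless they are tagged individually; the old `include` propagated tags, so this hunk changes what partial runs do. check_certs.yml has a fixed name and no loop on the include, so `import_tasks: check_certs.yml` (with `when: cert_management == "script"` applied per imported task) preserves the tag behaviour, and `include_tasks: upd_ca_trust.yml` can likewise be `import_tasks: upd_ca_trust.yml`, which is what the kubernetes/secrets counterpart in this same commit does. `include_tasks: "gen_certs_{{ cert_management }}.yml"` must stay dynamic because the name is templated, so its tasks need the `etcd-secrets` tag inside the file. Worth confirming on the pinned Ansible version before merging.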
|
@ -24,18 +24,18 @@
|
||||||
etcd_client_cert_serial: "{{ etcd_client_cert_serial_result.stdout }}"
|
etcd_client_cert_serial: "{{ etcd_client_cert_serial_result.stdout }}"
|
||||||
when: inventory_hostname in groups['k8s-cluster']|union(groups['etcd'])|union(groups['calico-rr']|default([]))|unique|sort
|
when: inventory_hostname in groups['k8s-cluster']|union(groups['etcd'])|union(groups['calico-rr']|default([]))|unique|sort
|
||||||
|
|
||||||
- include: "install_{{ etcd_deployment_type }}.yml"
|
- include_tasks: "install_{{ etcd_deployment_type }}.yml"
|
||||||
when: is_etcd_master
|
when: is_etcd_master
|
||||||
tags:
|
tags:
|
||||||
- upgrade
|
- upgrade
|
||||||
|
|
||||||
- include: set_cluster_health.yml
|
- import_tasks: set_cluster_health.yml
|
||||||
when: is_etcd_master and etcd_cluster_setup
|
when: is_etcd_master and etcd_cluster_setup
|
||||||
|
|
||||||
- include: configure.yml
|
- import_tasks: configure.yml
|
||||||
when: is_etcd_master and etcd_cluster_setup
|
when: is_etcd_master and etcd_cluster_setup
|
||||||
|
|
||||||
- include: refresh_config.yml
|
- import_tasks: refresh_config.yml
|
||||||
when: is_etcd_master and etcd_cluster_setup
|
when: is_etcd_master and etcd_cluster_setup
|
||||||
|
|
||||||
- name: Restart etcd if certs changed
|
- name: Restart etcd if certs changed
|
||||||
|
@ -56,8 +56,8 @@
|
||||||
# After etcd cluster is assembled, make sure that
|
# After etcd cluster is assembled, make sure that
|
||||||
# initial state of the cluster is in `existing`
|
# initial state of the cluster is in `existing`
|
||||||
# state insted of `new`.
|
# state insted of `new`.
|
||||||
- include: set_cluster_health.yml
|
- import_tasks: set_cluster_health.yml
|
||||||
when: is_etcd_master and etcd_cluster_setup
|
when: is_etcd_master and etcd_cluster_setup
|
||||||
|
|
||||||
- include: refresh_config.yml
|
- import_tasks: refresh_config.yml
|
||||||
when: is_etcd_master and etcd_cluster_setup
|
when: is_etcd_master and etcd_cluster_setup
|
||||||
|
|
|
@ -8,7 +8,7 @@
|
||||||
"member-" + inventory_hostname + ".pem"
|
"member-" + inventory_hostname + ".pem"
|
||||||
] }}
|
] }}
|
||||||
|
|
||||||
- include: ../../vault/tasks/shared/sync_file.yml
|
- include_tasks: ../../vault/tasks/shared/sync_file.yml
|
||||||
vars:
|
vars:
|
||||||
sync_file: "{{ item }}"
|
sync_file: "{{ item }}"
|
||||||
sync_file_dir: "{{ etcd_cert_dir }}"
|
sync_file_dir: "{{ etcd_cert_dir }}"
|
||||||
|
@ -26,7 +26,7 @@
|
||||||
set_fact:
|
set_fact:
|
||||||
sync_file_results: []
|
sync_file_results: []
|
||||||
|
|
||||||
- include: ../../vault/tasks/shared/sync_file.yml
|
- include_tasks: ../../vault/tasks/shared/sync_file.yml
|
||||||
vars:
|
vars:
|
||||||
sync_file: ca.pem
|
sync_file: ca.pem
|
||||||
sync_file_dir: "{{ etcd_cert_dir }}"
|
sync_file_dir: "{{ etcd_cert_dir }}"
|
||||||
|
|
|
@ -4,7 +4,7 @@
|
||||||
set_fact:
|
set_fact:
|
||||||
etcd_node_cert_list: "{{ etcd_node_cert_list|default([]) + ['node-' + inventory_hostname + '.pem'] }}"
|
etcd_node_cert_list: "{{ etcd_node_cert_list|default([]) + ['node-' + inventory_hostname + '.pem'] }}"
|
||||||
|
|
||||||
- include: ../../vault/tasks/shared/sync_file.yml
|
- include_tasks: ../../vault/tasks/shared/sync_file.yml
|
||||||
vars:
|
vars:
|
||||||
sync_file: "{{ item }}"
|
sync_file: "{{ item }}"
|
||||||
sync_file_dir: "{{ etcd_cert_dir }}"
|
sync_file_dir: "{{ etcd_cert_dir }}"
|
||||||
|
@ -22,7 +22,7 @@
|
||||||
set_fact:
|
set_fact:
|
||||||
sync_file_results: []
|
sync_file_results: []
|
||||||
|
|
||||||
- include: ../../vault/tasks/shared/sync_file.yml
|
- include_tasks: ../../vault/tasks/shared/sync_file.yml
|
||||||
vars:
|
vars:
|
||||||
sync_file: ca.pem
|
sync_file: ca.pem
|
||||||
sync_file_dir: "{{ etcd_cert_dir }}"
|
sync_file_dir: "{{ etcd_cert_dir }}"
|
||||||
|
|
|
@ -91,13 +91,13 @@
|
||||||
- dnsmasq
|
- dnsmasq
|
||||||
|
|
||||||
- name: Kubernetes Apps | Netchecker
|
- name: Kubernetes Apps | Netchecker
|
||||||
include: tasks/netchecker.yml
|
import_tasks: tasks/netchecker.yml
|
||||||
when: deploy_netchecker
|
when: deploy_netchecker
|
||||||
tags:
|
tags:
|
||||||
- netchecker
|
- netchecker
|
||||||
|
|
||||||
- name: Kubernetes Apps | Dashboard
|
- name: Kubernetes Apps | Dashboard
|
||||||
include: tasks/dashboard.yml
|
import_tasks: tasks/dashboard.yml
|
||||||
when: dashboard_enabled
|
when: dashboard_enabled
|
||||||
tags:
|
tags:
|
||||||
- dashboard
|
- dashboard
|
||||||
|
|
|
@ -3,7 +3,7 @@
|
||||||
file: path={{ helm_home_dir }} state=directory
|
file: path={{ helm_home_dir }} state=directory
|
||||||
|
|
||||||
- name: Helm | Set up helm launcher
|
- name: Helm | Set up helm launcher
|
||||||
include: "install_{{ helm_deployment_type }}.yml"
|
include_tasks: "install_{{ helm_deployment_type }}.yml"
|
||||||
|
|
||||||
- name: Helm | Lay Down Helm Manifests (RBAC)
|
- name: Helm | Lay Down Helm Manifests (RBAC)
|
||||||
template:
|
template:
|
||||||
|
|
|
@ -12,4 +12,4 @@
|
||||||
delegate_to: "{{ groups['kube-master'][0] }}"
|
delegate_to: "{{ groups['kube-master'][0] }}"
|
||||||
run_once: true
|
run_once: true
|
||||||
|
|
||||||
- include: configure.yml
|
- import_tasks: configure.yml
|
||||||
|
|
|
@ -168,5 +168,5 @@
|
||||||
when: sa_key_before.stat.checksum|default("") != sa_key_after.stat.checksum
|
when: sa_key_before.stat.checksum|default("") != sa_key_after.stat.checksum
|
||||||
|
|
||||||
- name: kubeadm | cleanup old certs if necessary
|
- name: kubeadm | cleanup old certs if necessary
|
||||||
include: kubeadm-cleanup-old-certs.yml
|
import_tasks: kubeadm-cleanup-old-certs.yml
|
||||||
when: old_apiserver_cert.stat.exists
|
when: old_apiserver_cert.stat.exists
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
---
|
---
|
||||||
- include: pre-upgrade.yml
|
- import_tasks: pre-upgrade.yml
|
||||||
tags:
|
tags:
|
||||||
- k8s-pre-upgrade
|
- k8s-pre-upgrade
|
||||||
|
|
||||||
|
@ -9,7 +9,7 @@
|
||||||
kube_basic_auth: false
|
kube_basic_auth: false
|
||||||
when: kubeadm_enabled|bool|default(false)
|
when: kubeadm_enabled|bool|default(false)
|
||||||
|
|
||||||
- include: users-file.yml
|
- import_tasks: users-file.yml
|
||||||
when: kube_basic_auth|default(true)
|
when: kube_basic_auth|default(true)
|
||||||
|
|
||||||
- name: Compare host kubectl with hyperkube container
|
- name: Compare host kubectl with hyperkube container
|
||||||
|
@ -56,9 +56,9 @@
|
||||||
- upgrade
|
- upgrade
|
||||||
|
|
||||||
- name: Include kubeadm setup if enabled
|
- name: Include kubeadm setup if enabled
|
||||||
include: kubeadm-setup.yml
|
import_tasks: kubeadm-setup.yml
|
||||||
when: kubeadm_enabled|bool|default(false)
|
when: kubeadm_enabled|bool|default(false)
|
||||||
|
|
||||||
- name: Include static pod setup if not using kubeadm
|
- name: Include static pod setup if not using kubeadm
|
||||||
include: static-pod-setup.yml
|
import_tasks: static-pod-setup.yml
|
||||||
when: not kubeadm_enabled|bool|default(false)
|
when: not kubeadm_enabled|bool|default(false)
|
||||||
|
|
|
@ -37,7 +37,7 @@
|
||||||
tags:
|
tags:
|
||||||
- kubeadm
|
- kubeadm
|
||||||
|
|
||||||
- include: "install_{{ kubelet_deployment_type }}.yml"
|
- include_tasks: "install_{{ kubelet_deployment_type }}.yml"
|
||||||
|
|
||||||
- name: install | Write kubelet systemd init file
|
- name: install | Write kubelet systemd init file
|
||||||
template:
|
template:
|
||||||
|
|
|
@ -1,9 +1,9 @@
|
||||||
---
|
---
|
||||||
- include: facts.yml
|
- import_tasks: facts.yml
|
||||||
tags:
|
tags:
|
||||||
- facts
|
- facts
|
||||||
|
|
||||||
- include: pre_upgrade.yml
|
- import_tasks: pre_upgrade.yml
|
||||||
tags:
|
tags:
|
||||||
- kubelet
|
- kubelet
|
||||||
|
|
||||||
|
@ -13,11 +13,11 @@
|
||||||
state: directory
|
state: directory
|
||||||
mode: 0755
|
mode: 0755
|
||||||
|
|
||||||
- include: install.yml
|
- import_tasks: install.yml
|
||||||
tags:
|
tags:
|
||||||
- kubelet
|
- kubelet
|
||||||
|
|
||||||
- include: nginx-proxy.yml
|
- import_tasks: nginx-proxy.yml
|
||||||
when: is_kube_master == false and loadbalancer_apiserver_localhost
|
when: is_kube_master == false and loadbalancer_apiserver_localhost
|
||||||
tags:
|
tags:
|
||||||
- nginx
|
- nginx
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
---
|
---
|
||||||
- include: verify-settings.yml
|
- import_tasks: verify-settings.yml
|
||||||
tags:
|
tags:
|
||||||
- asserts
|
- asserts
|
||||||
|
|
||||||
|
@ -19,7 +19,7 @@
|
||||||
tags:
|
tags:
|
||||||
- bootstrap-os
|
- bootstrap-os
|
||||||
|
|
||||||
- include: set_facts.yml
|
- import_tasks: set_facts.yml
|
||||||
tags:
|
tags:
|
||||||
- facts
|
- facts
|
||||||
|
|
||||||
|
@ -72,7 +72,7 @@
|
||||||
- cloud-provider
|
- cloud-provider
|
||||||
- facts
|
- facts
|
||||||
|
|
||||||
- include: "{{ cloud_provider }}-credential-check.yml"
|
- include_tasks: "{{ cloud_provider }}-credential-check.yml"
|
||||||
when:
|
when:
|
||||||
- cloud_provider is defined
|
- cloud_provider is defined
|
||||||
- cloud_provider in [ 'openstack', 'azure', 'vsphere' ]
|
- cloud_provider in [ 'openstack', 'azure', 'vsphere' ]
|
||||||
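Review bot: The `when:` allow-list is what keeps `include_tasks: "{{ cloud_provider }}-credential-check.yml"` from resolving to an arbitrary file when `cloud_provider` holds an unexpected value, because a dynamic include evaluates `when` before the file name is templated; that coupling is not stated anywhere and is easy to break by relaxing the condition. Suggest a comment above the include: `# when: is evaluated before the file name is templated; the allow-list below bounds which *-credential-check.yml can be included, keep it in sync with the files present.` The include can only be dynamic here, since the file name is templated, so `include_tasks` is the right choice.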
|
@ -99,7 +99,7 @@
|
||||||
- contiv
|
- contiv
|
||||||
- bootstrap-os
|
- bootstrap-os
|
||||||
|
|
||||||
- include: resolvconf.yml
|
- import_tasks: resolvconf.yml
|
||||||
when:
|
when:
|
||||||
- dns_mode != 'none'
|
- dns_mode != 'none'
|
||||||
- resolvconf_mode == 'host_resolvconf'
|
- resolvconf_mode == 'host_resolvconf'
|
||||||
|
@ -276,12 +276,12 @@
|
||||||
tags:
|
tags:
|
||||||
- cloud-provider
|
- cloud-provider
|
||||||
|
|
||||||
- include: etchosts.yml
|
- import_tasks: etchosts.yml
|
||||||
tags:
|
tags:
|
||||||
- bootstrap-os
|
- bootstrap-os
|
||||||
- etchosts
|
- etchosts
|
||||||
|
|
||||||
- include: dhclient-hooks.yml
|
- import_tasks: dhclient-hooks.yml
|
||||||
when:
|
when:
|
||||||
- dns_mode != 'none'
|
- dns_mode != 'none'
|
||||||
- resolvconf_mode == 'host_resolvconf'
|
- resolvconf_mode == 'host_resolvconf'
|
||||||
|
@ -290,7 +290,7 @@
|
||||||
- bootstrap-os
|
- bootstrap-os
|
||||||
- resolvconf
|
- resolvconf
|
||||||
|
|
||||||
- include: dhclient-hooks-undo.yml
|
- import_tasks: dhclient-hooks-undo.yml
|
||||||
when:
|
when:
|
||||||
- dns_mode != 'none'
|
- dns_mode != 'none'
|
||||||
- resolvconf_mode != 'host_resolvconf'
|
- resolvconf_mode != 'host_resolvconf'
|
||||||
|
@ -306,7 +306,7 @@
|
||||||
tags:
|
tags:
|
||||||
- bootstrap-os
|
- bootstrap-os
|
||||||
|
|
||||||
- include: growpart-azure-centos-7.yml
|
- import_tasks: growpart-azure-centos-7.yml
|
||||||
when:
|
when:
|
||||||
- azure_check.stat.exists
|
- azure_check.stat.exists
|
||||||
- ansible_distribution in ["CentOS","RedHat"]
|
- ansible_distribution in ["CentOS","RedHat"]
|
||||||
|
|
|
@ -11,7 +11,7 @@
|
||||||
kube_cert_group: "kube"
|
kube_cert_group: "kube"
|
||||||
when: is_atomic
|
when: is_atomic
|
||||||
|
|
||||||
- include: set_resolv_facts.yml
|
- import_tasks: set_resolv_facts.yml
|
||||||
tags:
|
tags:
|
||||||
- bootstrap-os
|
- bootstrap-os
|
||||||
- resolvconf
|
- resolvconf
|
||||||
|
|
|
@ -1,12 +1,12 @@
|
||||||
---
|
---
|
||||||
- include: sync_kube_master_certs.yml
|
- import_tasks: sync_kube_master_certs.yml
|
||||||
when: inventory_hostname in groups['kube-master']
|
when: inventory_hostname in groups['kube-master']
|
||||||
|
|
||||||
- include: sync_kube_node_certs.yml
|
- import_tasks: sync_kube_node_certs.yml
|
||||||
when: inventory_hostname in groups['k8s-cluster']
|
when: inventory_hostname in groups['k8s-cluster']
|
||||||
|
|
||||||
# Issue admin certs to kube-master hosts
|
# Issue admin certs to kube-master hosts
|
||||||
- include: ../../../vault/tasks/shared/issue_cert.yml
|
- include_tasks: ../../../vault/tasks/shared/issue_cert.yml
|
||||||
vars:
|
vars:
|
||||||
issue_cert_common_name: "admin"
|
issue_cert_common_name: "admin"
|
||||||
issue_cert_copy_ca: "{{ item == kube_admin_certs_needed|first }}"
|
issue_cert_copy_ca: "{{ item == kube_admin_certs_needed|first }}"
|
||||||
|
@ -37,7 +37,7 @@
|
||||||
run_once: true
|
run_once: true
|
||||||
|
|
||||||
# Issue master components certs to kube-master hosts
|
# Issue master components certs to kube-master hosts
|
||||||
- include: ../../../vault/tasks/shared/issue_cert.yml
|
- include_tasks: ../../../vault/tasks/shared/issue_cert.yml
|
||||||
vars:
|
vars:
|
||||||
issue_cert_common_name: "kubernetes"
|
issue_cert_common_name: "kubernetes"
|
||||||
issue_cert_alt_names: "{{ kube_cert_alt_names }}"
|
issue_cert_alt_names: "{{ kube_cert_alt_names }}"
|
||||||
|
@ -63,7 +63,7 @@
|
||||||
notify: set secret_changed
|
notify: set secret_changed
|
||||||
|
|
||||||
# Issue node certs to k8s-cluster nodes
|
# Issue node certs to k8s-cluster nodes
|
||||||
- include: ../../../vault/tasks/shared/issue_cert.yml
|
- include_tasks: ../../../vault/tasks/shared/issue_cert.yml
|
||||||
vars:
|
vars:
|
||||||
# Need to strip out the 'node-' prefix from the cert name so it can be used
|
# Need to strip out the 'node-' prefix from the cert name so it can be used
|
||||||
# with the node authorization plugin ( CN matches kubelet node name )
|
# with the node authorization plugin ( CN matches kubelet node name )
|
||||||
|
@ -80,7 +80,7 @@
|
||||||
when: inventory_hostname in groups['k8s-cluster']
|
when: inventory_hostname in groups['k8s-cluster']
|
||||||
|
|
||||||
# Issue proxy certs to k8s-cluster nodes
|
# Issue proxy certs to k8s-cluster nodes
|
||||||
- include: ../../../vault/tasks/shared/issue_cert.yml
|
- include_tasks: ../../../vault/tasks/shared/issue_cert.yml
|
||||||
vars:
|
vars:
|
||||||
issue_cert_common_name: "system:kube-proxy"
|
issue_cert_common_name: "system:kube-proxy"
|
||||||
issue_cert_copy_ca: "{{ item == kube_proxy_certs_needed|first }}"
|
issue_cert_copy_ca: "{{ item == kube_proxy_certs_needed|first }}"
|
||||||
|
|
|
@ -1,10 +1,10 @@
|
||||||
---
|
---
|
||||||
- include: check-certs.yml
|
- import_tasks: check-certs.yml
|
||||||
tags:
|
tags:
|
||||||
- k8s-secrets
|
- k8s-secrets
|
||||||
- facts
|
- facts
|
||||||
|
|
||||||
- include: check-tokens.yml
|
- import_tasks: check-tokens.yml
|
||||||
tags:
|
tags:
|
||||||
- k8s-secrets
|
- k8s-secrets
|
||||||
- facts
|
- facts
|
||||||
|
@ -69,11 +69,11 @@
|
||||||
delegate_to: "{{groups['kube-master'][0]}}"
|
delegate_to: "{{groups['kube-master'][0]}}"
|
||||||
when: gen_tokens|default(false)
|
when: gen_tokens|default(false)
|
||||||
|
|
||||||
- include: "gen_certs_{{ cert_management }}.yml"
|
- include_tasks: "gen_certs_{{ cert_management }}.yml"
|
||||||
tags:
|
tags:
|
||||||
- k8s-secrets
|
- k8s-secrets
|
||||||
|
|
||||||
- include: upd_ca_trust.yml
|
- import_tasks: upd_ca_trust.yml
|
||||||
tags:
|
tags:
|
||||||
- k8s-secrets
|
- k8s-secrets
|
||||||
|
|
||||||
|
@ -111,6 +111,6 @@
|
||||||
kube_proxy_cert_serial: "{{ node_certificate_serials.results[1].stdout|default() }}"
|
kube_proxy_cert_serial: "{{ node_certificate_serials.results[1].stdout|default() }}"
|
||||||
when: inventory_hostname in groups['k8s-cluster']
|
when: inventory_hostname in groups['k8s-cluster']
|
||||||
|
|
||||||
- include: gen_tokens.yml
|
- import_tasks: gen_tokens.yml
|
||||||
tags:
|
tags:
|
||||||
- k8s-secrets
|
- k8s-secrets
|
||||||
|
|
|
@ -4,7 +4,7 @@
|
||||||
set_fact:
|
set_fact:
|
||||||
kube_admin_cert_list: "{{ kube_admin_cert_list|d([]) + ['admin-' + inventory_hostname + '.pem'] }}"
|
kube_admin_cert_list: "{{ kube_admin_cert_list|d([]) + ['admin-' + inventory_hostname + '.pem'] }}"
|
||||||
|
|
||||||
- include: ../../../vault/tasks/shared/sync_file.yml
|
- include_tasks: ../../../vault/tasks/shared/sync_file.yml
|
||||||
vars:
|
vars:
|
||||||
sync_file: "{{ item }}"
|
sync_file: "{{ item }}"
|
||||||
sync_file_dir: "{{ kube_cert_dir }}"
|
sync_file_dir: "{{ kube_cert_dir }}"
|
||||||
|
@ -24,7 +24,7 @@
|
||||||
set_fact:
|
set_fact:
|
||||||
sync_file_results: []
|
sync_file_results: []
|
||||||
|
|
||||||
- include: ../../../vault/tasks/shared/sync_file.yml
|
- include_tasks: ../../../vault/tasks/shared/sync_file.yml
|
||||||
vars:
|
vars:
|
||||||
sync_file: "{{ item }}"
|
sync_file: "{{ item }}"
|
||||||
sync_file_dir: "{{ kube_cert_dir }}"
|
sync_file_dir: "{{ kube_cert_dir }}"
|
||||||
|
@ -44,7 +44,7 @@
|
||||||
set_fact:
|
set_fact:
|
||||||
sync_file_results: []
|
sync_file_results: []
|
||||||
|
|
||||||
- include: ../../../vault/tasks/shared/sync_file.yml
|
- include_tasks: ../../../vault/tasks/shared/sync_file.yml
|
||||||
vars:
|
vars:
|
||||||
sync_file: ca.pem
|
sync_file: ca.pem
|
||||||
sync_file_dir: "{{ kube_cert_dir }}"
|
sync_file_dir: "{{ kube_cert_dir }}"
|
||||||
|
|
|
@ -4,7 +4,7 @@
|
||||||
set_fact:
|
set_fact:
|
||||||
kube_node_cert_list: "{{ kube_node_cert_list|default([]) + ['node-' + inventory_hostname + '.pem'] }}"
|
kube_node_cert_list: "{{ kube_node_cert_list|default([]) + ['node-' + inventory_hostname + '.pem'] }}"
|
||||||
|
|
||||||
- include: ../../../vault/tasks/shared/sync_file.yml
|
- include_tasks: ../../../vault/tasks/shared/sync_file.yml
|
||||||
vars:
|
vars:
|
||||||
sync_file: "{{ item }}"
|
sync_file: "{{ item }}"
|
||||||
sync_file_dir: "{{ kube_cert_dir }}"
|
sync_file_dir: "{{ kube_cert_dir }}"
|
||||||
|
@ -24,7 +24,7 @@
|
||||||
set_fact:
|
set_fact:
|
||||||
sync_file_results: []
|
sync_file_results: []
|
||||||
|
|
||||||
- include: ../../../vault/tasks/shared/sync_file.yml
|
- include_tasks: ../../../vault/tasks/shared/sync_file.yml
|
||||||
vars:
|
vars:
|
||||||
sync_file: ca.pem
|
sync_file: ca.pem
|
||||||
sync_file_dir: "{{ kube_cert_dir }}"
|
sync_file_dir: "{{ kube_cert_dir }}"
|
||||||
|
@ -40,7 +40,7 @@
|
||||||
set_fact:
|
set_fact:
|
||||||
kube_proxy_cert_list: "{{ kube_proxy_cert_list|default([]) + ['kube-proxy-' + inventory_hostname + '.pem'] }}"
|
kube_proxy_cert_list: "{{ kube_proxy_cert_list|default([]) + ['kube-proxy-' + inventory_hostname + '.pem'] }}"
|
||||||
|
|
||||||
- include: ../../../vault/tasks/shared/sync_file.yml
|
- include_tasks: ../../../vault/tasks/shared/sync_file.yml
|
||||||
vars:
|
vars:
|
||||||
sync_file: "{{ item }}"
|
sync_file: "{{ item }}"
|
||||||
sync_file_dir: "{{ kube_cert_dir }}"
|
sync_file_dir: "{{ kube_cert_dir }}"
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
---
|
---
|
||||||
- include: pre-upgrade.yml
|
- import_tasks: pre-upgrade.yml
|
||||||
|
|
||||||
- name: Flannel | Create Flannel manifests
|
- name: Flannel | Create Flannel manifests
|
||||||
template:
|
template:
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
---
|
---
|
||||||
- include: seed.yml
|
- import_tasks: seed.yml
|
||||||
when: weave_mode_seed
|
when: weave_mode_seed
|
||||||
|
|
||||||
- name: Weave | Copy cni plugins from hyperkube
|
- name: Weave | Copy cni plugins from hyperkube
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
- name: Install rkt
|
- name: Install rkt
|
||||||
include: install.yml
|
import_tasks: install.yml
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
---
|
---
|
||||||
- include: ../shared/create_mount.yml
|
- include_tasks: ../shared/create_mount.yml
|
||||||
vars:
|
vars:
|
||||||
create_mount_path: "{{ item.name }}"
|
create_mount_path: "{{ item.name }}"
|
||||||
create_mount_default_lease_ttl: "{{ item.default_lease_ttl }}"
|
create_mount_default_lease_ttl: "{{ item.default_lease_ttl }}"
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
---
|
---
|
||||||
- include: ../shared/create_role.yml
|
- include_tasks: ../shared/create_role.yml
|
||||||
vars:
|
vars:
|
||||||
create_role_name: "{{ item.name }}"
|
create_role_name: "{{ item.name }}"
|
||||||
create_role_group: "{{ item.group }}"
|
create_role_group: "{{ item.group }}"
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
---
|
---
|
||||||
- include: ../shared/issue_cert.yml
|
- import_tasks: ../shared/issue_cert.yml
|
||||||
vars:
|
vars:
|
||||||
issue_cert_common_name: "{{ vault_pki_mounts.vault.roles[0].name }}"
|
issue_cert_common_name: "{{ vault_pki_mounts.vault.roles[0].name }}"
|
||||||
issue_cert_alt_names: "{{ groups['vault'] + ['localhost'] + (vault_ca_options['vault']['alt_names'].split(','))|default() }}"
|
issue_cert_alt_names: "{{ groups['vault'] + ['localhost'] + (vault_ca_options['vault']['alt_names'].split(','))|default() }}"
|
||||||
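Review bot: `(vault_ca_options['vault']['alt_names'].split(','))|default()` cannot fall back: if `alt_names` is missing, `.split` is called on an undefined value and Ansible's strict undefined raises before `default()` sees anything, and even if it did fall back the result would be `''`, which cannot be added to the host list. `(vault_ca_options['vault']['alt_names'] | default('')).split(',') | select | list` yields a list in both cases and drops the empty entry. Since this is the SAN list of the Vault API certificate, a silent wrong fallback matters more than elsewhere. `import_tasks` with `vars:` attaches these values to every task in issue_cert.yml; the `when:` that presumably scopes this import is below the hunk.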
|
|
|
@ -1,20 +1,20 @@
|
||||||
---
|
---
|
||||||
- include: ../shared/check_vault.yml
|
- import_tasks: ../shared/check_vault.yml
|
||||||
when: inventory_hostname in groups.vault
|
when: inventory_hostname in groups.vault
|
||||||
|
|
||||||
- include: sync_secrets.yml
|
- import_tasks: sync_secrets.yml
|
||||||
when: inventory_hostname in groups.vault
|
when: inventory_hostname in groups.vault
|
||||||
|
|
||||||
- include: ../shared/find_leader.yml
|
- import_tasks: ../shared/find_leader.yml
|
||||||
when: inventory_hostname in groups.vault and vault_cluster_is_initialized
|
when: inventory_hostname in groups.vault and vault_cluster_is_initialized
|
||||||
|
|
||||||
- include: sync_vault_certs.yml
|
- import_tasks: sync_vault_certs.yml
|
||||||
when: inventory_hostname in groups.vault
|
when: inventory_hostname in groups.vault
|
||||||
|
|
||||||
- include: sync_etcd_certs.yml
|
- import_tasks: sync_etcd_certs.yml
|
||||||
when: inventory_hostname in groups.etcd
|
when: inventory_hostname in groups.etcd
|
||||||
|
|
||||||
- include: start_vault_temp.yml
|
- import_tasks: start_vault_temp.yml
|
||||||
when: inventory_hostname == groups.vault|first and not vault_cluster_is_initialized
|
when: inventory_hostname == groups.vault|first and not vault_cluster_is_initialized
|
||||||
|
|
||||||
- name: vault | Set fact about vault leader url
|
- name: vault | Set fact about vault leader url
|
||||||
|
@ -22,17 +22,17 @@
|
||||||
vault_leader_url: "{{ hostvars[groups.vault|first]['vault_leader_url'] }}"
|
vault_leader_url: "{{ hostvars[groups.vault|first]['vault_leader_url'] }}"
|
||||||
when: not vault_cluster_is_initialized
|
when: not vault_cluster_is_initialized
|
||||||
|
|
||||||
- include: create_mounts.yml
|
- import_tasks: create_mounts.yml
|
||||||
when: inventory_hostname == groups.vault|first
|
when: inventory_hostname == groups.vault|first
|
||||||
|
|
||||||
- include: ../shared/auth_backend.yml
|
- include_tasks: ../shared/auth_backend.yml
|
||||||
vars:
|
vars:
|
||||||
auth_backend_description: A Username/Password Auth Backend primarily used for services needing to issue certificates
|
auth_backend_description: A Username/Password Auth Backend primarily used for services needing to issue certificates
|
||||||
auth_backend_path: userpass
|
auth_backend_path: userpass
|
||||||
auth_backend_type: userpass
|
auth_backend_type: userpass
|
||||||
when: inventory_hostname == groups.vault|first
|
when: inventory_hostname == groups.vault|first
|
||||||
|
|
||||||
- include: create_roles.yml
|
- include_tasks: create_roles.yml
|
||||||
with_items:
|
with_items:
|
||||||
- "{{ vault_pki_mounts.vault }}"
|
- "{{ vault_pki_mounts.vault }}"
|
||||||
- "{{ vault_pki_mounts.etcd }}"
|
- "{{ vault_pki_mounts.etcd }}"
|
||||||
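Review bot: `include_tasks: ../shared/auth_backend.yml` has a fixed path, a `vars:` block and a single `when:` but no loop, so by the rule in the commit message it should be `import_tasks: ../shared/auth_backend.yml` like the neighbouring `create_mounts.yml` line; keeping it dynamic forgoes the memory saving and means the `when:` is evaluated once for the include rather than per task. The same applies to the two `include_tasks: ../shared/gen_ca.yml` entries further down this file, whose `when:` blocks also carry no loop. The `create_roles.yml` include is correct as `include_tasks` because of `with_items`. If there is a reason these must stay dynamic, a short comment saying so would stop the next cleanup from changing them.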
|
@ -40,7 +40,7 @@
|
||||||
loop_var: mount
|
loop_var: mount
|
||||||
when: inventory_hostname in groups.vault
|
when: inventory_hostname in groups.vault
|
||||||
|
|
||||||
- include: ../shared/gen_ca.yml
|
- include_tasks: ../shared/gen_ca.yml
|
||||||
vars:
|
vars:
|
||||||
gen_ca_cert_dir: "{{ vault_pki_mounts.vault.cert_dir }}"
|
gen_ca_cert_dir: "{{ vault_pki_mounts.vault.cert_dir }}"
|
||||||
gen_ca_mount_path: "{{ vault_pki_mounts.vault.name }}"
|
gen_ca_mount_path: "{{ vault_pki_mounts.vault.name }}"
|
||||||
|
@ -51,7 +51,7 @@
|
||||||
and not vault_cluster_is_initialized
|
and not vault_cluster_is_initialized
|
||||||
and vault_ca_cert_needed
|
and vault_ca_cert_needed
|
||||||
|
|
||||||
- include: ../shared/gen_ca.yml
|
- include_tasks: ../shared/gen_ca.yml
|
||||||
vars:
|
vars:
|
||||||
gen_ca_cert_dir: "{{ vault_pki_mounts.etcd.cert_dir }}"
|
gen_ca_cert_dir: "{{ vault_pki_mounts.etcd.cert_dir }}"
|
||||||
gen_ca_mount_path: "{{ vault_pki_mounts.etcd.name }}"
|
gen_ca_mount_path: "{{ vault_pki_mounts.etcd.name }}"
|
||||||
|
@ -59,7 +59,7 @@
|
||||||
gen_ca_vault_options: "{{ vault_ca_options.etcd }}"
|
gen_ca_vault_options: "{{ vault_ca_options.etcd }}"
|
||||||
when: inventory_hostname in groups.etcd and vault_etcd_ca_cert_needed
|
when: inventory_hostname in groups.etcd and vault_etcd_ca_cert_needed
|
||||||
|
|
||||||
- include: gen_vault_certs.yml
|
- import_tasks: gen_vault_certs.yml
|
||||||
when: inventory_hostname in groups.vault and vault_api_cert_needed
|
when: inventory_hostname in groups.vault and vault_api_cert_needed
|
||||||
|
|
||||||
- include: ca_trust.yml
|
- import_tasks: ca_trust.yml
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
- include: ../shared/sync_file.yml
|
- include_tasks: ../shared/sync_file.yml
|
||||||
vars:
|
vars:
|
||||||
sync_file: "ca.pem"
|
sync_file: "ca.pem"
|
||||||
sync_file_dir: "{{ vault_etcd_cert_dir }}"
|
sync_file_dir: "{{ vault_etcd_cert_dir }}"
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
- include: ../shared/sync_file.yml
|
- include_tasks: ../shared/sync_file.yml
|
||||||
vars:
|
vars:
|
||||||
sync_file: "{{ item }}"
|
sync_file: "{{ item }}"
|
||||||
sync_file_dir: "{{ vault_secrets_dir }}"
|
sync_file_dir: "{{ vault_secrets_dir }}"
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
---
|
---
|
||||||
- include: ../shared/sync_file.yml
|
- include_tasks: ../shared/sync_file.yml
|
||||||
vars:
|
vars:
|
||||||
sync_file: "ca.pem"
|
sync_file: "ca.pem"
|
||||||
sync_file_dir: "{{ vault_cert_dir }}"
|
sync_file_dir: "{{ vault_cert_dir }}"
|
||||||
|
@ -14,7 +14,7 @@
|
||||||
set_fact:
|
set_fact:
|
||||||
sync_file_results: []
|
sync_file_results: []
|
||||||
|
|
||||||
- include: ../shared/sync_file.yml
|
- include_tasks: ../shared/sync_file.yml
|
||||||
vars:
|
vars:
|
||||||
sync_file: "api.pem"
|
sync_file: "api.pem"
|
||||||
sync_file_dir: "{{ vault_cert_dir }}"
|
sync_file_dir: "{{ vault_cert_dir }}"
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
---
|
---
|
||||||
- include: ../shared/create_mount.yml
|
- include_tasks: ../shared/create_mount.yml
|
||||||
vars:
|
vars:
|
||||||
create_mount_path: "{{ item.name }}"
|
create_mount_path: "{{ item.name }}"
|
||||||
create_mount_default_lease_ttl: "{{ item.default_lease_ttl }}"
|
create_mount_default_lease_ttl: "{{ item.default_lease_ttl }}"
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
---
|
---
|
||||||
- include: ../shared/create_role.yml
|
- include_tasks: ../shared/create_role.yml
|
||||||
vars:
|
vars:
|
||||||
create_role_name: "{{ item.name }}"
|
create_role_name: "{{ item.name }}"
|
||||||
create_role_group: "{{ item.group }}"
|
create_role_group: "{{ item.group }}"
|
||||||
|
|
|
@ -1,32 +1,32 @@
|
||||||
---
|
---
|
||||||
- include: ../shared/check_vault.yml
|
- import_tasks: ../shared/check_vault.yml
|
||||||
when: inventory_hostname in groups.vault
|
when: inventory_hostname in groups.vault
|
||||||
|
|
||||||
- include: ../shared/check_etcd.yml
|
- import_tasks: ../shared/check_etcd.yml
|
||||||
when: inventory_hostname in groups.vault
|
when: inventory_hostname in groups.vault
|
||||||
|
|
||||||
- include: configure.yml
|
- import_tasks: configure.yml
|
||||||
when: inventory_hostname in groups.vault
|
when: inventory_hostname in groups.vault
|
||||||
|
|
||||||
- include: binary.yml
|
- import_tasks: binary.yml
|
||||||
when: inventory_hostname in groups.vault and vault_deployment_type == "host"
|
when: inventory_hostname in groups.vault and vault_deployment_type == "host"
|
||||||
|
|
||||||
- include: systemd.yml
|
- import_tasks: systemd.yml
|
||||||
when: inventory_hostname in groups.vault
|
when: inventory_hostname in groups.vault
|
||||||
|
|
||||||
- include: init.yml
|
- import_tasks: init.yml
|
||||||
when: inventory_hostname in groups.vault
|
when: inventory_hostname in groups.vault
|
||||||
|
|
||||||
- include: unseal.yml
|
- import_tasks: unseal.yml
|
||||||
when: inventory_hostname in groups.vault
|
when: inventory_hostname in groups.vault
|
||||||
|
|
||||||
- include: ../shared/find_leader.yml
|
- import_tasks: ../shared/find_leader.yml
|
||||||
when: inventory_hostname in groups.vault
|
when: inventory_hostname in groups.vault
|
||||||
|
|
||||||
- include: create_mounts.yml
|
- import_tasks: create_mounts.yml
|
||||||
when: inventory_hostname == groups.vault|first
|
when: inventory_hostname == groups.vault|first
|
||||||
|
|
||||||
- include: ../shared/gen_ca.yml
|
- include_tasks: ../shared/gen_ca.yml
|
||||||
vars:
|
vars:
|
||||||
gen_ca_cert_dir: "{{ vault_pki_mounts.kube.cert_dir }}"
|
gen_ca_cert_dir: "{{ vault_pki_mounts.kube.cert_dir }}"
|
||||||
gen_ca_mount_path: "{{ vault_pki_mounts.kube.name }}"
|
gen_ca_mount_path: "{{ vault_pki_mounts.kube.name }}"
|
||||||
|
@ -34,14 +34,14 @@
|
||||||
gen_ca_vault_options: "{{ vault_ca_options.kube }}"
|
gen_ca_vault_options: "{{ vault_ca_options.kube }}"
|
||||||
when: inventory_hostname in groups.vault
|
when: inventory_hostname in groups.vault
|
||||||
|
|
||||||
- include: ../shared/auth_backend.yml
|
- include_tasks: ../shared/auth_backend.yml
|
||||||
vars:
|
vars:
|
||||||
auth_backend_description: A Username/Password Auth Backend primarily used for services needing to issue certificates
|
auth_backend_description: A Username/Password Auth Backend primarily used for services needing to issue certificates
|
||||||
auth_backend_path: userpass
|
auth_backend_path: userpass
|
||||||
auth_backend_type: userpass
|
auth_backend_type: userpass
|
||||||
when: inventory_hostname == groups.vault|first
|
when: inventory_hostname == groups.vault|first
|
||||||
|
|
||||||
- include: create_roles.yml
|
- include_tasks: create_roles.yml
|
||||||
with_items:
|
with_items:
|
||||||
- "{{ vault_pki_mounts.vault }}"
|
- "{{ vault_pki_mounts.vault }}"
|
||||||
- "{{ vault_pki_mounts.etcd }}"
|
- "{{ vault_pki_mounts.etcd }}"
|
||||||
|
|
|
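Review bot: The shared files with a `vars:` block (`../shared/gen_ca.yml`, `../shared/auth_backend.yml`) are switched to `include_tasks` while the neighbouring entries become `import_tasks`, yet they have literal paths, no loop and a constant `when:`, and `import_tasks` accepts `vars:` as well, so by the commit's own rationale they look like candidates for `- import_tasks: ../shared/gen_ca.yml`; if the dynamic include is needed for a reason outside this hunk, a short comment saying why would stop the next cleanup from "fixing" it. Note also that with `import_tasks` the `when: inventory_hostname in groups.vault` is copied onto every task in the imported file, so each of them is evaluated and reported as skipped on non-vault hosts, which changes the play output but not the result. The looped `include_tasks: create_roles.yml` hands the default `item` down into create_roles.yml, which in turn reads `item.name`; that only works as long as nothing in the included chain loops with the default loop variable, so a `loop_control: loop_var:` here would make the nesting explicit. None of the includes carry a `name:`, which leaves the play output showing only the module name for a long list of conditional steps.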
@ -11,9 +11,9 @@
|
||||||
# used during step 1, allowing all certs to have the same chain of trust.
|
# used during step 1, allowing all certs to have the same chain of trust.
|
||||||
|
|
||||||
## Bootstrap
|
## Bootstrap
|
||||||
- include: bootstrap/main.yml
|
- include_tasks: bootstrap/main.yml
|
||||||
when: cert_management == 'vault' and vault_bootstrap | d()
|
when: cert_management == 'vault' and vault_bootstrap | d()
|
||||||
|
|
||||||
## Cluster
|
## Cluster
|
||||||
- include: cluster/main.yml
|
- include_tasks: cluster/main.yml
|
||||||
when: cert_management == 'vault' and not vault_bootstrap | d()
|
when: cert_management == 'vault' and not vault_bootstrap | d()
|
||||||
|
|
|
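Review bot: Turning the two top-level entries into `include_tasks` changes how tags reach the tasks inside bootstrap/main.yml and cluster/main.yml: a dynamic include is only executed when the include task itself matches the selected tags and does not pass those tags on to the tasks it loads, whereas the old `include` with only a `when:` was resolved statically and let tags through. Since neither entry is looped and both paths are literal, `- import_tasks: bootstrap/main.yml` and `- import_tasks: cluster/main.yml` would preserve the tag behaviour and also match the memory argument given in the commit message. If the dynamic include is wanted for another reason, each of these two tasks should carry a `tags:` entry so a tagged run still reaches the vault tasks. The task list continues outside the hunk.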
@ -1,6 +1,6 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
- include: ../shared/pki_mount.yml
|
- include_tasks: ../shared/pki_mount.yml
|
||||||
vars:
|
vars:
|
||||||
pki_mount_path: auth-pki
|
pki_mount_path: auth-pki
|
||||||
pki_mount_options:
|
pki_mount_options:
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
---
|
---
|
||||||
- include: ../shared/pki_mount.yml
|
- include_tasks: ../shared/pki_mount.yml
|
||||||
vars:
|
vars:
|
||||||
pki_mount_path: "{{ create_mount_path }}"
|
pki_mount_path: "{{ create_mount_path }}"
|
||||||
pki_mount_options:
|
pki_mount_options:
|
||||||
|
@ -8,7 +8,7 @@
|
||||||
max_lease_ttl: "{{ create_mount_max_lease_ttl }}"
|
max_lease_ttl: "{{ create_mount_max_lease_ttl }}"
|
||||||
description: "{{ create_mount_description }}"
|
description: "{{ create_mount_description }}"
|
||||||
|
|
||||||
- include: ../shared/config_ca.yml
|
- include_tasks: ../shared/config_ca.yml
|
||||||
vars:
|
vars:
|
||||||
config_ca_ca_pem: "{{ create_mount_cert_dir }}/ca.pem"
|
config_ca_ca_pem: "{{ create_mount_cert_dir }}/ca.pem"
|
||||||
config_ca_ca_key: "{{ create_mount_cert_dir }}/ca-key.pem"
|
config_ca_ca_key: "{{ create_mount_cert_dir }}/ca-key.pem"
|
||||||
|
|
|
@ -40,7 +40,7 @@
|
||||||
|
|
||||||
## Userpass based auth method
|
## Userpass based auth method
|
||||||
|
|
||||||
- include: gen_userpass.yml
|
- include_tasks: gen_userpass.yml
|
||||||
vars:
|
vars:
|
||||||
gen_userpass_password: "{{ create_role_password }}"
|
gen_userpass_password: "{{ create_role_password }}"
|
||||||
gen_userpass_policies: "{{ create_role_name }}"
|
gen_userpass_policies: "{{ create_role_name }}"
|
||||||
|
|
|
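Review bot: `gen_userpass_password: "{{ create_role_password }}"` passes a credential into gen_userpass.yml, so the task in that file that submits it to the auth backend should run with `no_log: true` to keep the password out of task output and callback logs; gen_userpass.yml is outside this hunk, so that is worth confirming rather than assuming. The include also has no `name:`; something like `- name: Create userpass login for role` above the `include_tasks` line would make the play output show what is happening at this step. The enclosing task list continues outside the hunk.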
@ -1,6 +1,6 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
- include: sync_file.yml
|
- include_tasks: sync_file.yml
|
||||||
vars:
|
vars:
|
||||||
sync_file: "auth-ca.pem"
|
sync_file: "auth-ca.pem"
|
||||||
sync_file_dir: "{{ vault_cert_dir }}"
|
sync_file_dir: "{{ vault_cert_dir }}"
|
||||||
|
|
|
@ -80,7 +80,7 @@
|
||||||
set_fact:
|
set_fact:
|
||||||
sync_file_results: "{{ sync_file_results|default([]) + [sync_file_result] }}"
|
sync_file_results: "{{ sync_file_results|default([]) + [sync_file_result] }}"
|
||||||
|
|
||||||
- include: sync.yml
|
- include_tasks: sync.yml
|
||||||
when: not (sync_file_no_srcs or sync_file_unneeded)
|
when: not (sync_file_no_srcs or sync_file_unneeded)
|
||||||
|
|
||||||
- name: "Unset local vars to avoid variable bleed into next iteration"
|
- name: "Unset local vars to avoid variable bleed into next iteration"