diff --git a/roles/kubernetes/secrets/tasks/main.yml b/roles/kubernetes/secrets/tasks/main.yml
index 2a15591df..97987f706 100644
--- a/roles/kubernetes/secrets/tasks/main.yml
+++ b/roles/kubernetes/secrets/tasks/main.yml
@@ -31,7 +31,7 @@
 src: known_users.csv.j2
 dest: "{{ kube_users_dir }}/known_users.csv"
 backup: yes
- when: inventory_hostname in "{{ groups['kube-master'] }}" and kube_basic_auth|default(true)
+ when: inventory_hostname in groups['kube-master'] and kube_basic_auth|default(true)
 notify: set secret_changed
 #
diff --git a/roles/vault/defaults/main.yml b/roles/vault/defaults/main.yml
index 2320ae862..8916d4b3a 100644
--- a/roles/vault/defaults/main.yml
+++ b/roles/vault/defaults/main.yml
@@ -111,7 +111,7 @@ vault_pki_mounts:
 roles:
 - name: vault
 group: vault
- password: "{{ lookup('pipe','date +%Y%m%d%H%M%S' + cluster_name + 'vault') | to_uuid }}"
+ password: "{{ lookup('password', 'credentials/vault/vault length=15') }}"
 policy_rules: default
 role_options: default
 etcd:
@@ -123,7 +123,7 @@ vault_pki_mounts:
 roles:
 - name: etcd
 group: etcd
- password: "{{ lookup('pipe','date +%Y%m%d%H%M%S' + cluster_name + 'etcd') | to_uuid }}"
+ password: "{{ lookup('password', 'credentials/vault/etcd length=15') }}"
 policy_rules: default
 role_options:
 allow_any_name: true
@@ -138,7 +138,7 @@ vault_pki_mounts:
 roles:
 - name: kube-master
 group: kube-master
- password: "{{ lookup('pipe','date +%Y%m%d%H%M%S' + cluster_name + 'kube-master') | to_uuid }}"
+ password: "{{ lookup('password', 'credentials/vault/kube-master length=15') }}"
 policy_rules: default
 role_options:
 allow_any_name: true
@@ -146,7 +146,7 @@ vault_pki_mounts:
 organization: "system:masters"
 - name: kube-node
 group: k8s-cluster
- password: "{{ lookup('pipe','date +%Y%m%d%H%M%S' + cluster_name + 'kube-node') | to_uuid }}"
+ password: "{{ lookup('password', 'credentials/vault/kube-node length=15') }}"
 policy_rules: default
 role_options:
 allow_any_name: true
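Review bot: The new `password: "{{ lookup('password', 'credentials/vault/vault length=15') }}"` on the vault role stores the generated secret in plaintext at `credentials/vault/vault` on the Ansible controller, resolved relative to the playbook directory, and the same holds for the etcd, kube-master and kube-node hunks in this file and the kube-proxy hunk that follows. Unless `credentials/` is already ignored by the repository (not visible here), the first run leaves files behind that the next commit will pick up, so an ignore rule and restrictive permissions on that directory belong with this change. These are machine credentials nobody types, so the cap can also be raised, e.g. `length=32`. The lookup reads the stored file back on later evaluations, which keeps the value stable across runs, but if several hosts evaluate it in parallel on the first run the file creation has historically been racy in this lookup; worth confirming on the Ansible version in use or forcing the first creation from a single host.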
@@ -154,7 +154,7 @@ vault_pki_mounts:
 organization: "system:nodes"
 - name: kube-proxy
 group: k8s-cluster
- password: "{{ lookup('pipe', 'date +%Y%m%d%H%M%S' + cluster_name + 'kube-proxy') | to_uuid }}"
+ password: "{{ lookup('password', 'credentials/vault/kube-proxy length=15') }}"
 policy_rules: default
 role_options:
 allow_any_name: true
diff --git a/roles/vault/tasks/cluster/create_mounts.yml b/roles/vault/tasks/cluster/create_mounts.yml
index b1be8c9fe..d64fa0bae 100644
--- a/roles/vault/tasks/cluster/create_mounts.yml
+++ b/roles/vault/tasks/cluster/create_mounts.yml
@@ -6,7 +6,7 @@
 create_mount_max_lease_ttl: "{{ item.max_lease_ttl }}"
 create_mount_description: "{{ item.description }}"
 create_mount_cert_dir: "{{ item.cert_dir }}"
- create_mount_config_ca_needed: "{{ item.name != vault_pki_mounts.kube.name }}"
+ create_mount_config_ca_needed: item.name != vault_pki_mounts.kube.name
 with_items:
 - "{{ vault_pki_mounts.vault }}"
 - "{{ vault_pki_mounts.etcd }}"
diff --git a/roles/vault/tasks/cluster/create_roles.yml b/roles/vault/tasks/cluster/create_roles.yml
index 9314bfa84..468229fd4 100644
--- a/roles/vault/tasks/cluster/create_roles.yml
+++ b/roles/vault/tasks/cluster/create_roles.yml
@@ -6,5 +6,5 @@
 create_role_password: "{{ item.password }}"
 create_role_policy_rules: "{{ item.policy_rules }}"
 create_role_options: "{{ item.role_options }}"
- create_role_mount_path: "{{ vault_pki_mounts.kube.name }}"
- with_items: "{{ vault_pki_mounts.kube.roles }}"
+ create_role_mount_path: "{{ mount.name }}"
+ with_items: "{{ mount.roles }}"
diff --git a/roles/vault/tasks/cluster/main.yml b/roles/vault/tasks/cluster/main.yml
index 9c7c83aaf..94af5e5dc 100644
--- a/roles/vault/tasks/cluster/main.yml
+++ b/roles/vault/tasks/cluster/main.yml
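Review bot: Dropping the braces on `create_mount_config_ca_needed: item.name != vault_pki_mounts.kube.name` in create_mounts.yml makes the value the literal string `item.name != vault_pki_mounts.kube.name`, not a boolean; it only acts as a comparison if the consumer (presumably a `when:`) re-templates a bare string variable, an implicit second evaluation that later Ansible releases warn about. If the motivation is that `item` is shadowed by a loop inside the included file, the pattern this same commit applies to create_roles.yml in cluster/main.yml fits here too: add `loop_control:` / `loop_var: mount` to this include's `with_items` and write `create_mount_config_ca_needed: "{{ mount.name != vault_pki_mounts.kube.name }}"`. The include task this hunk belongs to starts above the hunk.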
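Review bot: create_roles.yml now depends on a `mount` variable that only exists because the caller sets `loop_control: loop_var: mount` (see `create_role_mount_path: "{{ mount.name }}"` and `with_items: "{{ mount.roles }}"`), a contract a reader of this file cannot see and one that fails with an undefined-variable error when the file is included without it. A header comment at the top of the file should state it, e.g. `# Requires `mount`: one entry of vault_pki_mounts (name, roles), supplied via loop_control.loop_var by cluster/main.yml`. The enclosing include task starts above the hunk.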
@@ -42,4 +42,10 @@
 when: inventory_hostname == groups.vault|first
 - include: create_roles.yml
+ with_items:
+ - "{{ vault_pki_mounts.vault }}"
+ - "{{ vault_pki_mounts.etcd }}"
+ - "{{ vault_pki_mounts.kube }}"
+ loop_control:
+ loop_var: mount
 when: inventory_hostname in groups.vault
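Review bot: The added `with_items` list (`vault_pki_mounts.vault`, `.etcd`, `.kube`) duplicates the mount list the create_mounts.yml include already spells out (its hunk shows the first two entries; the third is presumably `.kube`), so adding a mount means editing both places and a missed edit creates roles for a mount that was never set up, or the reverse. A single list variable in defaults, e.g. `vault_pki_mounts_list` (constructed name), iterated by both includes would keep them in step. Also, with the guard `when: inventory_hostname in groups.vault` every vault host now runs create_roles.yml once per mount; if that file talks to the Vault API rather than to the local node, the `groups.vault|first` guard used on the task above would run it once.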