Store vault users passwords to credentials dir. Create vault and etcd roles after start vault cluster (#1632)
This commit is contained in:
parent
fb30f65951
commit
e16b57aa05
5 changed files with 15 additions and 9 deletions
|
@ -31,7 +31,7 @@
|
|||
src: known_users.csv.j2
|
||||
dest: "{{ kube_users_dir }}/known_users.csv"
|
||||
backup: yes
|
||||
when: inventory_hostname in "{{ groups['kube-master'] }}" and kube_basic_auth|default(true)
|
||||
when: inventory_hostname in groups['kube-master'] and kube_basic_auth|default(true)
|
||||
notify: set secret_changed
|
||||
|
||||
#
|
||||
|
|
|
@ -111,7 +111,7 @@ vault_pki_mounts:
|
|||
roles:
|
||||
- name: vault
|
||||
group: vault
|
||||
password: "{{ lookup('pipe','date +%Y%m%d%H%M%S' + cluster_name + 'vault') | to_uuid }}"
|
||||
password: "{{ lookup('password', 'credentials/vault/vault length=15') }}"
|
||||
policy_rules: default
|
||||
role_options: default
|
||||
etcd:
|
||||
|
@ -123,7 +123,7 @@ vault_pki_mounts:
|
|||
roles:
|
||||
- name: etcd
|
||||
group: etcd
|
||||
password: "{{ lookup('pipe','date +%Y%m%d%H%M%S' + cluster_name + 'etcd') | to_uuid }}"
|
||||
password: "{{ lookup('password', 'credentials/vault/etcd length=15') }}"
|
||||
policy_rules: default
|
||||
role_options:
|
||||
allow_any_name: true
|
||||
|
@ -138,7 +138,7 @@ vault_pki_mounts:
|
|||
roles:
|
||||
- name: kube-master
|
||||
group: kube-master
|
||||
password: "{{ lookup('pipe','date +%Y%m%d%H%M%S' + cluster_name + 'kube-master') | to_uuid }}"
|
||||
password: "{{ lookup('password', 'credentials/vault/kube-master length=15') }}"
|
||||
policy_rules: default
|
||||
role_options:
|
||||
allow_any_name: true
|
||||
|
@ -146,7 +146,7 @@ vault_pki_mounts:
|
|||
organization: "system:masters"
|
||||
- name: kube-node
|
||||
group: k8s-cluster
|
||||
password: "{{ lookup('pipe','date +%Y%m%d%H%M%S' + cluster_name + 'kube-node') | to_uuid }}"
|
||||
password: "{{ lookup('password', 'credentials/vault/kube-node length=15') }}"
|
||||
policy_rules: default
|
||||
role_options:
|
||||
allow_any_name: true
|
||||
|
@ -154,7 +154,7 @@ vault_pki_mounts:
|
|||
organization: "system:nodes"
|
||||
- name: kube-proxy
|
||||
group: k8s-cluster
|
||||
password: "{{ lookup('pipe', 'date +%Y%m%d%H%M%S' + cluster_name + 'kube-proxy') | to_uuid }}"
|
||||
password: "{{ lookup('password', 'credentials/vault/kube-proxy length=15') }}"
|
||||
policy_rules: default
|
||||
role_options:
|
||||
allow_any_name: true
|
||||
|
|
|
@ -6,7 +6,7 @@
|
|||
create_mount_max_lease_ttl: "{{ item.max_lease_ttl }}"
|
||||
create_mount_description: "{{ item.description }}"
|
||||
create_mount_cert_dir: "{{ item.cert_dir }}"
|
||||
create_mount_config_ca_needed: "{{ item.name != vault_pki_mounts.kube.name }}"
|
||||
create_mount_config_ca_needed: item.name != vault_pki_mounts.kube.name
|
||||
with_items:
|
||||
- "{{ vault_pki_mounts.vault }}"
|
||||
- "{{ vault_pki_mounts.etcd }}"
|
||||
|
|
|
@ -6,5 +6,5 @@
|
|||
create_role_password: "{{ item.password }}"
|
||||
create_role_policy_rules: "{{ item.policy_rules }}"
|
||||
create_role_options: "{{ item.role_options }}"
|
||||
create_role_mount_path: "{{ vault_pki_mounts.kube.name }}"
|
||||
with_items: "{{ vault_pki_mounts.kube.roles }}"
|
||||
create_role_mount_path: "{{ mount.name }}"
|
||||
with_items: "{{ mount.roles }}"
|
||||
|
|
|
@ -42,4 +42,10 @@
|
|||
when: inventory_hostname == groups.vault|first
|
||||
|
||||
- include: create_roles.yml
|
||||
with_items:
|
||||
- "{{ vault_pki_mounts.vault }}"
|
||||
- "{{ vault_pki_mounts.etcd }}"
|
||||
- "{{ vault_pki_mounts.kube }}"
|
||||
loop_control:
|
||||
loop_var: mount
|
||||
when: inventory_hostname in groups.vault
|
||||
|
|
Loading…
Reference in a new issue