c12s-kubespray/roles/vault/tasks/bootstrap/start_vault_temp.yml
2017-02-08 21:31:28 +00:00

55 lines
2 KiB
YAML

---
- name: boostrap/start_vault_temp | Ensure vault-temp isn't already running
shell: if docker rm -f vault-temp 2>&1 1>/dev/null;then echo true;else echo false;fi
register: vault_temp_stop_check
changed_when: "{{ 'true' in vault_temp_stop_check.stdout }}"
- name: bootstrap/start_vault_temp | Start single node Vault with file backend
command: >
docker run -d --cap-add=IPC_LOCK --name vault-temp -p {{ vault_temp_port }}:{{ vault_temp_port }}
-e 'VAULT_LOCAL_CONFIG={{ vault_temp_config|to_json }}'
-v /etc/vault:/etc/vault
{{ vault_image_repo }}:{{ vault_version }} server
register: vault_temp_start
- name: bootstrap/start_vault_temp | Initialize vault-temp
uri:
url: "http://localhost:{{ vault_temp_port }}/v1/sys/init"
headers: "{{ vault_client_headers }}"
method: PUT
body_format: json
body:
secret_shares: 1
secret_threshold: 1
register: vault_temp_init
# NOTE: vault_headers and vault_url are used by subsequent gen_cert calls
- name: bootstrap/start_vault_temp | Set needed vault facts
set_fact:
vault_temp_unseal_keys: "{{ vault_temp_init.json['keys'] }}"
vault_temp_root_token: "{{ vault_temp_init.json.root_token }}"
vault_headers: "{{ vault_client_headers|combine({'X-Vault-Token': vault_temp_init.json.root_token}) }}"
- name: bootstrap/start_vault_temp | Unseal vault-temp
uri:
url: "http://localhost:{{ vault_temp_port }}/v1/sys/unseal"
headers: "{{ vault_headers }}"
method: POST
body_format: json
body:
key: "{{ item }}"
with_items: "{{ vault_temp_unseal_keys|default([]) }}"
- name: bootstrap/start_vault_temp | Create new PKI mount
uri:
url: "http://localhost:{{ vault_temp_port }}/v1/sys/mounts/pki"
headers: "{{ vault_headers }}"
method: POST
body_format: json
body:
config:
default_lease_ttl: "{{ vault_default_lease_ttl }}"
max_lease_ttl: "{{ vault_max_lease_ttl }}"
type: pki
status_code: 204