bf0af1cd3d
* using separated vault roles for generate certs with different `O` (Organization) subject field; * configure vault roles for issuing certificates with different `CN` (Common name) subject field; * set `CN` and `O` to `kubernetes` and `etcd` certificates; * vault/defaults vars definition was simplified; * vault dirs variables defined in kubernetes-defaults foles for using shared tasks in etcd and kubernetes/secrets roles; * upgrade vault to 0.8.1; * generate random vault user password for each role by default; * fix `serial` file name for vault certs; * move vault auth request to issue_cert tasks; * enable `RBAC` in vault CI;
49 lines
1.9 KiB
YAML
49 lines
1.9 KiB
YAML
---
|
|
# The JSON inside JSON here is intentional (Vault API wants it)
|
|
- name: create_role | Create a policy for the new role allowing issuing
|
|
uri:
|
|
url: "{{ hostvars[groups.vault|first]['vault_leader_url'] }}/v1/sys/policy/{{ create_role_name }}"
|
|
headers: "{{ hostvars[groups.vault|first]['vault_headers'] }}"
|
|
method: PUT
|
|
body_format: json
|
|
body:
|
|
rules: >-
|
|
{%- if create_role_policy_rules|d("default") == "default" -%}
|
|
{{
|
|
{ 'path': {
|
|
create_role_mount_path + '/issue/' + create_role_name: {'policy': 'write'},
|
|
create_role_mount_path + '/roles/' + create_role_name: {'policy': 'read'}
|
|
}} | to_json + '\n'
|
|
}}
|
|
{%- else -%}
|
|
{{ create_role_policy_rules | to_json + '\n' }}
|
|
{%- endif -%}
|
|
status_code: 204
|
|
when: inventory_hostname == groups[create_role_group]|first
|
|
|
|
- name: create_role | Create {{ create_role_name }} role in the {{ create_role_mount_path }} pki mount
|
|
uri:
|
|
url: "{{ hostvars[groups.vault|first]['vault_leader_url'] }}/v1/{{ create_role_mount_path }}/roles/{{ create_role_name }}"
|
|
headers: "{{ hostvars[groups.vault|first]['vault_headers'] }}"
|
|
method: POST
|
|
body_format: json
|
|
body: >-
|
|
{%- if create_role_options|d("default") == "default" -%}
|
|
{'allow_any_name': true}
|
|
{%- else -%}
|
|
{{ create_role_options }}
|
|
{%- endif -%}
|
|
status_code: 204
|
|
when: inventory_hostname == groups[create_role_group]|first
|
|
|
|
## Userpass based auth method
|
|
|
|
- include: gen_userpass.yml
|
|
vars:
|
|
gen_userpass_group: "{{ create_role_group }}"
|
|
gen_userpass_password: "{{ create_role_password }}"
|
|
gen_userpass_policies: "{{ create_role_name }}"
|
|
gen_userpass_role: "{{ create_role_name }}"
|
|
gen_userpass_username: "{{ create_role_name }}"
|
|
when: inventory_hostname in groups[create_role_group]
|