bf0af1cd3d
* using separated vault roles for generate certs with different `O` (Organization) subject field; * configure vault roles for issuing certificates with different `CN` (Common name) subject field; * set `CN` and `O` to `kubernetes` and `etcd` certificates; * vault/defaults vars definition was simplified; * vault dirs variables defined in kubernetes-defaults foles for using shared tasks in etcd and kubernetes/secrets roles; * upgrade vault to 0.8.1; * generate random vault user password for each role by default; * fix `serial` file name for vault certs; * move vault auth request to issue_cert tasks; * enable `RBAC` in vault CI;
29 lines
1.1 KiB
YAML
29 lines
1.1 KiB
YAML
---
|
|
- name: shared/gen_userpass | Create the Username/Password combo for the role
|
|
uri:
|
|
url: "{{ hostvars[groups.vault|first]['vault_leader_url'] }}/v1/auth/userpass/users/{{ gen_userpass_username }}"
|
|
headers: "{{ hostvars[groups.vault|first]['vault_headers'] }}"
|
|
method: POST
|
|
body_format: json
|
|
body:
|
|
username: "{{ gen_userpass_username }}"
|
|
password: "{{ gen_userpass_password }}"
|
|
policies: "{{ gen_userpass_role }}"
|
|
status_code: 204
|
|
when: inventory_hostname == groups[gen_userpass_group]|first
|
|
|
|
- name: shared/gen_userpass | Ensure destination directory exists
|
|
file:
|
|
path: "{{ vault_roles_dir }}/{{ gen_userpass_role }}"
|
|
state: directory
|
|
when: inventory_hostname in groups[gen_userpass_group]
|
|
|
|
- name: shared/gen_userpass | Copy credentials to all hosts in the group
|
|
copy:
|
|
content: >
|
|
{{
|
|
{'username': gen_userpass_username,
|
|
'password': gen_userpass_password} | to_nice_json(indent=4)
|
|
}}
|
|
dest: "{{ vault_roles_dir }}/{{ gen_userpass_role }}/userpass"
|
|
when: inventory_hostname in groups[gen_userpass_group]
|