c12s-kubespray/roles/vault/tasks/shared/create_role.yml

76 lines
3 KiB
YAML

---
# The JSON inside JSON here is intentional (Vault API wants it)
- name: create_role | Create a policy for the new role allowing issuing
uri:
url: "{{ hostvars[groups.vault|first]['vault_leader_url'] }}/v1/sys/policy/{{ create_role_name }}"
headers: "{{ hostvars[groups.vault|first]['vault_headers'] }}"
method: PUT
body_format: json
body:
rules: >-
{%- if create_role_policy_rules|d("default") == "default" %}
{{
{ 'path': {
'pki/issue/' + create_role_name: {'policy': 'write'},
'pki/roles/' + create_role_name: {'policy': 'read'}
}} | to_json
}}
{%- else -%}
{{ create_role_policy_rules | to_json }}
{%- endif %}
status_code: 204
when: inventory_hostname == groups[create_role_group]|first
ignore_errors: "{{ ansible_check_mode }}"
- name: create_role | Create the new role in the pki mount
uri:
url: "{{ hostvars[groups.vault|first]['vault_leader_url'] }}/v1/pki/roles/{{ create_role_name }}"
headers: "{{ hostvars[groups.vault|first]['vault_headers'] }}"
method: POST
body_format: json
body: >-
{%- if create_role_options|d("default") == "default" -%}
{'allow_any_name': true}
{%- else -%}
{{ create_role_options }}
{%- endif -%}
status_code: 204
when: inventory_hostname == groups[create_role_group]|first
ignore_errors: "{{ ansible_check_mode }}"
## Cert based auth method
- include: gen_cert.yml
vars:
gen_cert_copy_ca: true
gen_cert_hosts: "{{ groups[create_role_group] }}"
gen_cert_mount: "auth-pki"
gen_cert_path: "{{ vault_roles_dir }}/{{ create_role_name }}/issuer.pem"
gen_cert_vault_headers: "{{ hostvars[groups.vault|first]['vault_headers'] }}"
gen_cert_vault_role: "dummy"
gen_cert_vault_url: "{{ hostvars[groups.vault|first]['vault_leader_url'] }}"
when: vault_role_auth_method == "cert" and inventory_hostname in groups[create_role_group]
- name: create_role | Insert the auth-pki CA as the authenticating CA for that role
uri:
url: "{{ hostvars[groups.vault|first]['vault_leader_url'] }}/v1/auth/cert/certs/{{ create_role_name }}"
headers: "{{ hostvars[groups.vault|first]['vault_headers'] }}"
method: POST
body_format: json
body:
certificate: "{{ hostvars[groups[create_role_group]|first]['gen_cert_result']['json']['data']['issuing_ca'] }}"
policies: "{{ create_role_name }}"
status_code: 204
when: vault_role_auth_method == "cert" and inventory_hostname == groups[create_role_group]|first
## Userpass based auth method
- include: gen_userpass.yml
vars:
gen_userpass_group: "{{ create_role_group }}"
gen_userpass_password: "{{ create_role_password|d(''|to_uuid) }}"
gen_userpass_policies: "{{ create_role_name }}"
gen_userpass_role: "{{ create_role_name }}"
gen_userpass_username: "{{ create_role_name }}"
when: vault_role_auth_method == "userpass" and inventory_hostname in groups[create_role_group]