2017-01-14 04:31:10 +08:00
|
|
|
---
|
2017-02-09 05:41:36 +08:00
|
|
|
# The Vault role is typically a two step process:
|
|
|
|
# 1. Bootstrap
|
|
|
|
# This starts a temporary Vault to generate certs for Vault itself. This
|
|
|
|
# includes a Root CA for the cluster, assuming one doesn't exist already.
|
|
|
|
# The temporary instance will remain running after Bootstrap, to provide a
|
|
|
|
# running Vault for the Etcd role to generate certs against.
|
|
|
|
# 2. Cluster
|
|
|
|
# Once Etcd is started, then the Cluster tasks can start up a long-term
|
|
|
|
# Vault cluster using Etcd as the backend. The same Root CA is mounted as
|
|
|
|
# used during step 1, allowing all certs to have the same chain of trust.
|
2017-01-14 04:31:10 +08:00
|
|
|
|
2017-02-09 05:41:36 +08:00
|
|
|
## Bootstrap
|
2017-01-14 04:31:10 +08:00
|
|
|
- include: bootstrap/main.yml
|
2017-03-03 21:33:00 +08:00
|
|
|
when: cert_management == 'vault' and vault_bootstrap | d()
|
2017-01-14 04:31:10 +08:00
|
|
|
|
2017-02-09 05:41:36 +08:00
|
|
|
## Cluster
|
2017-01-14 04:31:10 +08:00
|
|
|
- include: cluster/main.yml
|
2017-03-03 21:33:00 +08:00
|
|
|
when: cert_management == 'vault' and not vault_bootstrap | d()
|