kubespray/roles/vault/tasks/shared/check_etcd.yml

---

- name: check_etcd | Check if etcd is up and reachable
  uri:
    url: "{{ vault_etcd_url.split(',') | first }}/health"
    validate_certs: no
    client_cert: "{{ etcd_cert_dir }}/node-{{ inventory_hostname }}.pem"
    client_key: "{{ etcd_cert_dir }}/node-{{ inventory_hostname }}-key.pem"

    return_content: yes
  until: vault_etcd_health_check.status == 200 or vault_etcd_health_check.status == 401
  retries: 3
  delay: 2
  delegate_to: "{{groups['etcd'][0]}}"
  run_once: true
  failed_when: false
  register: vault_etcd_health_check

- name: check_etcd | Set fact based off the etcd_health_check response
  set_fact:
    vault_etcd_available: "{{ vault_etcd_health_check.content  }}"
- set_fact:
    vault_etcd_available: "{{ vault_etcd_available.health|d()|bool }}"

- name: check_etcd | Fail if etcd is not available and needed
  fail:
    msg: >
         Unable to start Vault cluster! Etcd is not available at
         {{ vault_etcd_url.split(',') | first }} however it is needed by Vault as a backend.
  when: vault_etcd_needed|d() and not vault_etcd_available
Vault security hardening and role isolation 2017-02-09 05:41:36 +08:00			`---`

Fix vault setup partially (#1531) This does not address per-node certs and scheduler/proxy/controller-manager component certs which are now required. This should be handled in a follow-up patch. 2017-08-18 20:09:45 +08:00			`- name: check_etcd \| Check if etcd is up and reachable`
Vault security hardening and role isolation 2017-02-09 05:41:36 +08:00			`uri:`
Fixup vault etcd check (#2938) * Fixup vault etcd * Update main.yml 2018-07-02 20:37:37 +08:00			`url: "{{ vault_etcd_url.split(',') \| first }}/health"`
Vault security hardening and role isolation 2017-02-09 05:41:36 +08:00			`validate_certs: no`
refactor vault role (#2733) * Move front-proxy-client certs back to kube mount We want the same CA for all k8s certs * Refactor vault to use a third party module The module adds idempotency and reduces some of the repetitive logic in the vault role Requires ansible-modules-hashivault on ansible node and hvac on the vault hosts themselves Add upgrade test scenario Remove bootstrap-os tags from tasks * fix upgrade issues * improve unseal logic * specify ca and fix etcd check * Fix initialization check bump machine size 2018-05-12 00:11:38 +08:00			`client_cert: "{{ etcd_cert_dir }}/node-{{ inventory_hostname }}.pem"`
			`client_key: "{{ etcd_cert_dir }}/node-{{ inventory_hostname }}-key.pem"`

fix etcd health check bug (#1480) 2017-10-24 23:10:56 +08:00			`return_content: yes`
Fix vault setup partially (#1531) This does not address per-node certs and scheduler/proxy/controller-manager component certs which are now required. This should be handled in a follow-up patch. 2017-08-18 20:09:45 +08:00			`until: vault_etcd_health_check.status == 200 or vault_etcd_health_check.status == 401`
refactor vault role (#2733) * Move front-proxy-client certs back to kube mount We want the same CA for all k8s certs * Refactor vault to use a third party module The module adds idempotency and reduces some of the repetitive logic in the vault role Requires ansible-modules-hashivault on ansible node and hvac on the vault hosts themselves Add upgrade test scenario Remove bootstrap-os tags from tasks * fix upgrade issues * improve unseal logic * specify ca and fix etcd check * Fix initialization check bump machine size 2018-05-12 00:11:38 +08:00			`retries: 3`
Fix vault setup partially (#1531) This does not address per-node certs and scheduler/proxy/controller-manager component certs which are now required. This should be handled in a follow-up patch. 2017-08-18 20:09:45 +08:00			`delay: 2`
			`delegate_to: "{{groups['etcd'][0]}}"`
			`run_once: true`
Vault security hardening and role isolation 2017-02-09 05:41:36 +08:00			`failed_when: false`
			`register: vault_etcd_health_check`

			`- name: check_etcd \| Set fact based off the etcd_health_check response`
			`set_fact:`
fix etcd health check bug (#1480) 2017-10-24 23:10:56 +08:00			`vault_etcd_available: "{{ vault_etcd_health_check.content }}"`
			`- set_fact:`
			`vault_etcd_available: "{{ vault_etcd_available.health\|d()\|bool }}"`
Vault security hardening and role isolation 2017-02-09 05:41:36 +08:00
			`- name: check_etcd \| Fail if etcd is not available and needed`
			`fail:`
			`msg: >`
			`Unable to start Vault cluster! Etcd is not available at`
Fixup vault etcd check (#2938) * Fixup vault etcd * Update main.yml 2018-07-02 20:37:37 +08:00			`{{ vault_etcd_url.split(',') \| first }} however it is needed by Vault as a backend.`
Vault security hardening and role isolation 2017-02-09 05:41:36 +08:00			`when: vault_etcd_needed\|d() and not vault_etcd_available`