Place vault role credentials only to vault group hosts
parent
ad313c9d49
commit
b930b0ef5a
|
@ -38,6 +38,7 @@
|
|||
- "{{ vault_pki_mounts.etcd }}"
|
||||
loop_control:
|
||||
loop_var: mount
|
||||
when: inventory_hostname in groups.vault
|
||||
|
||||
- include: ../shared/gen_ca.yml
|
||||
vars:
|
||||
|
|
|
@ -42,3 +42,4 @@
|
|||
when: inventory_hostname == groups.vault|first
|
||||
|
||||
- include: create_roles.yml
|
||||
when: inventory_hostname in groups.vault
|
||||
|
|
|
@ -19,7 +19,8 @@
|
|||
{{ create_role_policy_rules | to_json + '\n' }}
|
||||
{%- endif -%}
|
||||
status_code: 204
|
||||
when: inventory_hostname == groups[create_role_group]|first
|
||||
delegate_to: "{{ groups.vault|first }}"
|
||||
run_once: true
|
||||
|
||||
- name: create_role | Create {{ create_role_name }} role in the {{ create_role_mount_path }} pki mount
|
||||
uri:
|
||||
|
@ -34,15 +35,14 @@
|
|||
{{ create_role_options }}
|
||||
{%- endif -%}
|
||||
status_code: 204
|
||||
when: inventory_hostname == groups[create_role_group]|first
|
||||
delegate_to: "{{ groups.vault|first }}"
|
||||
run_once: true
|
||||
|
||||
## Userpass based auth method
|
||||
|
||||
- include: gen_userpass.yml
|
||||
vars:
|
||||
gen_userpass_group: "{{ create_role_group }}"
|
||||
gen_userpass_password: "{{ create_role_password }}"
|
||||
gen_userpass_policies: "{{ create_role_name }}"
|
||||
gen_userpass_role: "{{ create_role_name }}"
|
||||
gen_userpass_username: "{{ create_role_name }}"
|
||||
when: inventory_hostname in groups[create_role_group]
|
||||
|
|
|
@ -10,13 +10,13 @@
|
|||
password: "{{ gen_userpass_password }}"
|
||||
policies: "{{ gen_userpass_role }}"
|
||||
status_code: 204
|
||||
when: inventory_hostname == groups[gen_userpass_group]|first
|
||||
delegate_to: "{{ groups.vault|first }}"
|
||||
run_once: true
|
||||
|
||||
- name: shared/gen_userpass | Ensure destination directory exists
|
||||
file:
|
||||
path: "{{ vault_roles_dir }}/{{ gen_userpass_role }}"
|
||||
state: directory
|
||||
when: inventory_hostname in groups[gen_userpass_group]
|
||||
|
||||
- name: shared/gen_userpass | Copy credentials to all hosts in the group
|
||||
copy:
|
||||
|
@ -26,4 +26,3 @@
|
|||
'password': gen_userpass_password} | to_nice_json(indent=4)
|
||||
}}
|
||||
dest: "{{ vault_roles_dir }}/{{ gen_userpass_role }}/userpass"
|
||||
when: inventory_hostname in groups[gen_userpass_group]
|
||||
|
|
|
@ -29,13 +29,13 @@
|
|||
- name: "issue_cert | Read in the local credentials"
|
||||
command: cat {{ vault_roles_dir }}/{{ issue_cert_role }}/userpass
|
||||
register: vault_creds_cat
|
||||
delegate_to: "{{ issue_cert_hosts|first }}"
|
||||
delegate_to: "{{ groups.vault|first }}"
|
||||
run_once: true
|
||||
|
||||
- name: gen_certs_vault | Set facts for read Vault Creds
|
||||
set_fact:
|
||||
user_vault_creds: "{{ vault_creds_cat.stdout|from_json }}"
|
||||
delegate_to: "{{ issue_cert_hosts|first }}"
|
||||
delegate_to: "{{ groups.vault|first }}"
|
||||
run_once: true
|
||||
|
||||
- name: gen_certs_vault | Log into Vault and obtain an token
|
||||
|
@ -49,7 +49,7 @@
|
|||
body:
|
||||
password: "{{ user_vault_creds.password }}"
|
||||
register: vault_login_result
|
||||
delegate_to: "{{ issue_cert_hosts|first }}"
|
||||
delegate_to: "{{ groups.vault|first }}"
|
||||
run_once: true
|
||||
|
||||
- name: gen_certs_vault | Set fact for vault_client_token
|
||||
|
|
Loading…
Reference in New Issue