Place vault role credentials only to vault group hosts

pull/1607/head
mkrasilnikov 2017-09-05 11:05:06 +03:00
parent ad313c9d49
commit b930b0ef5a
5 changed files with 11 additions and 10 deletions

View File

@ -38,6 +38,7 @@
- "{{ vault_pki_mounts.etcd }}"
loop_control:
loop_var: mount
when: inventory_hostname in groups.vault
- include: ../shared/gen_ca.yml
vars:

View File

@ -42,3 +42,4 @@
when: inventory_hostname == groups.vault|first
- include: create_roles.yml
when: inventory_hostname in groups.vault

View File

@ -19,7 +19,8 @@
{{ create_role_policy_rules | to_json + '\n' }}
{%- endif -%}
status_code: 204
when: inventory_hostname == groups[create_role_group]|first
delegate_to: "{{ groups.vault|first }}"
run_once: true
- name: create_role | Create {{ create_role_name }} role in the {{ create_role_mount_path }} pki mount
uri:
@ -34,15 +35,14 @@
{{ create_role_options }}
{%- endif -%}
status_code: 204
when: inventory_hostname == groups[create_role_group]|first
delegate_to: "{{ groups.vault|first }}"
run_once: true
## Userpass based auth method
- include: gen_userpass.yml
vars:
gen_userpass_group: "{{ create_role_group }}"
gen_userpass_password: "{{ create_role_password }}"
gen_userpass_policies: "{{ create_role_name }}"
gen_userpass_role: "{{ create_role_name }}"
gen_userpass_username: "{{ create_role_name }}"
when: inventory_hostname in groups[create_role_group]

View File

@ -10,13 +10,13 @@
password: "{{ gen_userpass_password }}"
policies: "{{ gen_userpass_role }}"
status_code: 204
when: inventory_hostname == groups[gen_userpass_group]|first
delegate_to: "{{ groups.vault|first }}"
run_once: true
- name: shared/gen_userpass | Ensure destination directory exists
file:
path: "{{ vault_roles_dir }}/{{ gen_userpass_role }}"
state: directory
when: inventory_hostname in groups[gen_userpass_group]
- name: shared/gen_userpass | Copy credentials to all hosts in the group
copy:
@ -26,4 +26,3 @@
'password': gen_userpass_password} | to_nice_json(indent=4)
}}
dest: "{{ vault_roles_dir }}/{{ gen_userpass_role }}/userpass"
when: inventory_hostname in groups[gen_userpass_group]

View File

@ -29,13 +29,13 @@
- name: "issue_cert | Read in the local credentials"
command: cat {{ vault_roles_dir }}/{{ issue_cert_role }}/userpass
register: vault_creds_cat
delegate_to: "{{ issue_cert_hosts|first }}"
delegate_to: "{{ groups.vault|first }}"
run_once: true
- name: gen_certs_vault | Set facts for read Vault Creds
set_fact:
user_vault_creds: "{{ vault_creds_cat.stdout|from_json }}"
delegate_to: "{{ issue_cert_hosts|first }}"
delegate_to: "{{ groups.vault|first }}"
run_once: true
- name: gen_certs_vault | Log into Vault and obtain an token
@ -49,7 +49,7 @@
body:
password: "{{ user_vault_creds.password }}"
register: vault_login_result
delegate_to: "{{ issue_cert_hosts|first }}"
delegate_to: "{{ groups.vault|first }}"
run_once: true
- name: gen_certs_vault | Set fact for vault_client_token