Place vault role credentials only to vault group hosts
mkrasilnikov
parent
ad313c9d49
commit
b930b0ef5a
|
|
@ -38,6 +38,7 @@
|
||||||
- "{{ vault_pki_mounts.etcd }}"
|
- "{{ vault_pki_mounts.etcd }}"
|
||||||
loop_control:
|
loop_control:
|
||||||
loop_var: mount
|
loop_var: mount
|
||||||
|
when: inventory_hostname in groups.vault
|
||||||
|
|
||||||
- include: ../shared/gen_ca.yml
|
- include: ../shared/gen_ca.yml
|
||||||
vars:
|
vars:
|
||||||
|
|
|
||||||
|
|
@ -42,3 +42,4 @@
|
||||||
when: inventory_hostname == groups.vault|first
|
when: inventory_hostname == groups.vault|first
|
||||||
|
|
||||||
- include: create_roles.yml
|
- include: create_roles.yml
|
||||||
|
when: inventory_hostname in groups.vault
|
||||||
|
|
|
||||||
|
|
@ -19,7 +19,8 @@
|
||||||
{{ create_role_policy_rules | to_json + '\n' }}
|
{{ create_role_policy_rules | to_json + '\n' }}
|
||||||
{%- endif -%}
|
{%- endif -%}
|
||||||
status_code: 204
|
status_code: 204
|
||||||
when: inventory_hostname == groups[create_role_group]|first
|
delegate_to: "{{ groups.vault|first }}"
|
||||||
|
run_once: true
|
||||||
|
|
||||||
- name: create_role | Create {{ create_role_name }} role in the {{ create_role_mount_path }} pki mount
|
- name: create_role | Create {{ create_role_name }} role in the {{ create_role_mount_path }} pki mount
|
||||||
uri:
|
uri:
|
||||||
|
|
@ -34,15 +35,14 @@
|
||||||
{{ create_role_options }}
|
{{ create_role_options }}
|
||||||
{%- endif -%}
|
{%- endif -%}
|
||||||
status_code: 204
|
status_code: 204
|
||||||
when: inventory_hostname == groups[create_role_group]|first
|
delegate_to: "{{ groups.vault|first }}"
|
||||||
|
run_once: true
|
||||||
|
|
||||||
## Userpass based auth method
|
## Userpass based auth method
|
||||||
|
|
||||||
- include: gen_userpass.yml
|
- include: gen_userpass.yml
|
||||||
vars:
|
vars:
|
||||||
gen_userpass_group: "{{ create_role_group }}"
|
|
||||||
gen_userpass_password: "{{ create_role_password }}"
|
gen_userpass_password: "{{ create_role_password }}"
|
||||||
gen_userpass_policies: "{{ create_role_name }}"
|
gen_userpass_policies: "{{ create_role_name }}"
|
||||||
gen_userpass_role: "{{ create_role_name }}"
|
gen_userpass_role: "{{ create_role_name }}"
|
||||||
gen_userpass_username: "{{ create_role_name }}"
|
gen_userpass_username: "{{ create_role_name }}"
|
||||||
when: inventory_hostname in groups[create_role_group]
|
|
||||||
|
|
|
||||||
|
|
@ -10,13 +10,13 @@
|
||||||
password: "{{ gen_userpass_password }}"
|
password: "{{ gen_userpass_password }}"
|
||||||
policies: "{{ gen_userpass_role }}"
|
policies: "{{ gen_userpass_role }}"
|
||||||
status_code: 204
|
status_code: 204
|
||||||
when: inventory_hostname == groups[gen_userpass_group]|first
|
delegate_to: "{{ groups.vault|first }}"
|
||||||
|
run_once: true
|
||||||
|
|
||||||
- name: shared/gen_userpass | Ensure destination directory exists
|
- name: shared/gen_userpass | Ensure destination directory exists
|
||||||
file:
|
file:
|
||||||
path: "{{ vault_roles_dir }}/{{ gen_userpass_role }}"
|
path: "{{ vault_roles_dir }}/{{ gen_userpass_role }}"
|
||||||
state: directory
|
state: directory
|
||||||
when: inventory_hostname in groups[gen_userpass_group]
|
|
||||||
|
|
||||||
- name: shared/gen_userpass | Copy credentials to all hosts in the group
|
- name: shared/gen_userpass | Copy credentials to all hosts in the group
|
||||||
copy:
|
copy:
|
||||||
|
|
@ -26,4 +26,3 @@
|
||||||
'password': gen_userpass_password} | to_nice_json(indent=4)
|
'password': gen_userpass_password} | to_nice_json(indent=4)
|
||||||
}}
|
}}
|
||||||
dest: "{{ vault_roles_dir }}/{{ gen_userpass_role }}/userpass"
|
dest: "{{ vault_roles_dir }}/{{ gen_userpass_role }}/userpass"
|
||||||
when: inventory_hostname in groups[gen_userpass_group]
|
|
||||||
|
|
|
||||||
|
|
@ -29,13 +29,13 @@
|
||||||
- name: "issue_cert | Read in the local credentials"
|
- name: "issue_cert | Read in the local credentials"
|
||||||
command: cat {{ vault_roles_dir }}/{{ issue_cert_role }}/userpass
|
command: cat {{ vault_roles_dir }}/{{ issue_cert_role }}/userpass
|
||||||
register: vault_creds_cat
|
register: vault_creds_cat
|
||||||
delegate_to: "{{ issue_cert_hosts|first }}"
|
delegate_to: "{{ groups.vault|first }}"
|
||||||
run_once: true
|
run_once: true
|
||||||
|
|
||||||
- name: gen_certs_vault | Set facts for read Vault Creds
|
- name: gen_certs_vault | Set facts for read Vault Creds
|
||||||
set_fact:
|
set_fact:
|
||||||
user_vault_creds: "{{ vault_creds_cat.stdout|from_json }}"
|
user_vault_creds: "{{ vault_creds_cat.stdout|from_json }}"
|
||||||
delegate_to: "{{ issue_cert_hosts|first }}"
|
delegate_to: "{{ groups.vault|first }}"
|
||||||
run_once: true
|
run_once: true
|
||||||
|
|
||||||
- name: gen_certs_vault | Log into Vault and obtain an token
|
- name: gen_certs_vault | Log into Vault and obtain an token
|
||||||
|
|
@ -49,7 +49,7 @@
|
||||||
body:
|
body:
|
||||||
password: "{{ user_vault_creds.password }}"
|
password: "{{ user_vault_creds.password }}"
|
||||||
register: vault_login_result
|
register: vault_login_result
|
||||||
delegate_to: "{{ issue_cert_hosts|first }}"
|
delegate_to: "{{ groups.vault|first }}"
|
||||||
run_once: true
|
run_once: true
|
||||||
|
|
||||||
- name: gen_certs_vault | Set fact for vault_client_token
|
- name: gen_certs_vault | Set fact for vault_client_token
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue