61 lines
2.2 KiB
YAML
61 lines
2.2 KiB
YAML
---
|
|
|
|
## Sync Certs
|
|
|
|
- include: bootstrap/sync_vault_certs.yml
|
|
when: inventory_hostname in groups.vault
|
|
|
|
- include: bootstrap/sync_etcd_certs.yml
|
|
when: inventory_hostname in groups.etcd
|
|
|
|
- include: bootstrap/sync_etcd_node_certs.yml
|
|
when: inventory_hostname in groups["k8s-cluster"] | union(groups.etcd)
|
|
|
|
## Generate Certs
|
|
|
|
# Start a temporary instance of Vault
|
|
- include: bootstrap/start_vault_temp.yml
|
|
when: >-
|
|
( hostvars[groups.etcd|first].get("vault_etcd_certs_needed", [])|length > 0 or
|
|
hostvars[groups.etcd|first].get("vault_etcd_node_certs_needed", [])|length > 0 or
|
|
hostvars[groups.vault|first]["vault_ca_cert_needed"] ) and
|
|
inventory_hostname == groups.vault|first
|
|
|
|
# Generate root CA certs for Vault if none exist
|
|
- include: bootstrap/gen_vault_certs.yml
|
|
when: >-
|
|
( hostvars[groups.vault|first]["vault_ca_cert_needed"] or
|
|
hostvars[groups.vault|first]["vault_api_cert_needed"] ) and
|
|
inventory_hostname in groups.vault
|
|
|
|
# Change vault-temp's issuing CA to use existing ca.pem/ca-key.pem
|
|
- include: config_ca.yml
|
|
vars:
|
|
vault_url: "http://{{ groups.vault|first }}:{{ vault_temp_port }}"
|
|
when: >-
|
|
( hostvars[groups.etcd|first].get("vault_etcd_certs_needed", [])|length > 0 or
|
|
hostvars[groups["k8s-cluster"]|first].get("vault_etcd_node_certs_needed", [])|length > 0 or
|
|
hostvars[groups.vault|first]["vault_api_cert_needed"] ) and
|
|
not hostvars[groups.vault|first]["vault_ca_cert_needed"] and
|
|
inventory_hostname == groups.vault|first
|
|
|
|
# Generate etcd certs for etcd cluster members
|
|
- include: bootstrap/gen_etcd_certs.yml
|
|
when: >-
|
|
hostvars[groups.etcd|first].get("vault_etcd_certs_needed", [])|length > 0 and
|
|
inventory_hostname in groups.etcd
|
|
|
|
# Generate etcd node certs for all k8s-cluster
|
|
- include: bootstrap/gen_etcd_node_certs.yml
|
|
when: >-
|
|
hostvars[groups["k8s-cluster"]|first].get("vault_etcd_node_certs_needed", [])|length > 0 and
|
|
inventory_hostname in groups["k8s-cluster"] | union(groups.etcd)
|
|
|
|
# Stop temporary vault
|
|
- include: bootstrap/stop_vault_temp.yml
|
|
when: >-
|
|
inventory_hostname == groups.vault|first and
|
|
hostvars[groups.vault|first]["vault_temp_start"]|succeeded
|
|
|
|
- include: ca_trust.yml
|