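---
# deploy-all.yaml — bootstraps the hpcs stack on the local cluster:
#   1. add the HashiCorp Helm repo, install Vault and wait for its pod
#   2. initialise Vault (one unseal key, threshold one), unseal it, enable
#      JWT auth and KV v2
#   3. install the hpcs-stack chart and make Vault trust the spire-oidc CA
#   4. write the hpcs-server ACL policy and JWT role into Vault
#   5. register the hpcs-server workload entry in spire-server
# Every Vault-side task is gated on `vault_init.rc == 0`: when
# `vault operator init` fails (e.g. Vault is already initialised) all of
# those tasks are skipped instead of being re-run against a live Vault.
- hosts: localhost
  vars:
    # Vault ACL policy bound to the hpcs-server JWT role below.
    # NOTE(review): create/update/sudo on sys/policies/acl/* lets the token
    # holder rewrite any ACL policy, including this one, so the grant is
    # effectively admin-equivalent. Confirm hpcs-server needs more than read
    # on these paths before using this outside a test cluster.
    hpcs_server_policy: |
      path "auth/jwt/role/*" {
        capabilities = ["sudo","read","create","delete","update"]
      }
      path "sys/policies/acl/*" {
        capabilities = ["sudo","read","create","delete","update"]
      }

  tasks:
    # Certificates used by the charts below live in a separate task file.
    - include_tasks: create-certs.yaml

    - name: Add hashicorp to helm repositories
      kubernetes.core.helm_repository:
        # The chart is referenced as `hashicorp/vault` below, so the repo
        # must be registered under the alias `hashicorp` (the original file
        # registered it as `stable`, which only worked if a `hashicorp`
        # alias already existed on the operator's machine).
        name: hashicorp
        repo_url: "https://helm.releases.hashicorp.com"

    - name: Deploy hashicorp vault
      kubernetes.core.helm:
        release_name: vault
        chart_ref: hashicorp/vault
        release_namespace: hpcs
        create_namespace: true
        # Quoted so the version string is never re-typed by the YAML parser.
        chart_version: "0.27.0"

    - name: Wait for vault to be created
      # Polls until the pod status carries containerStatuses, i.e. the pod
      # object exists and its containers have started being reported.
      shell: "kubectl get --namespace hpcs pod/vault-0 --output=jsonpath='{.status}'"
      register: pod_ready_for_init
      until: (pod_ready_for_init.stdout | from_json)['containerStatuses'] is defined
      retries: 10
      delay: 2

    - name: Initialize vault
      # `-n 1 -t 1`: a single unseal key with threshold one (bootstrap setup).
      # NOTE(review): vault_init.stdout holds the root token and the unseal
      # key, and several tasks below interpolate them into command lines; at
      # higher verbosity they may be echoed in Ansible output/logs. Consider
      # `no_log: true` on those tasks once the interactive "Showing tokens"
      # step is no longer needed.
      kubernetes.core.k8s_exec:
        namespace: hpcs
        pod: vault-0
        command: vault operator init -n 1 -t 1 -format json
      register: vault_init
      # A non-zero rc is the skip signal for every `when: vault_init.rc == 0`
      # task below, not a play failure.
      ignore_errors: true

    - name: Showing tokens
      # Intentionally prints both secrets so the operator can record them.
      ansible.builtin.debug:
        msg:
          - "Please note the unseal token : {{ (vault_init.stdout | from_json)['unseal_keys_b64'][0] }}"
          - "Please note the root-token : '{{ (vault_init.stdout | from_json)['root_token' ] }}'"
      when: vault_init.rc == 0

    - name: Unseal vault
      kubernetes.core.k8s_exec:
        namespace: hpcs
        pod: vault-0
        command: vault operator unseal {{ (vault_init.stdout | from_json)['unseal_keys_b64'][0] }}
      when: vault_init.rc == 0
      ignore_errors: true

    - name: Enable jwt authentication in vault
      # VAULT_TOKEN is exported inside `sh -c` because k8s_exec has no env
      # parameter; the root token is therefore part of the command line.
      kubernetes.core.k8s_exec:
        namespace: hpcs
        pod: vault-0
        command: sh -c "export VAULT_TOKEN={{ (vault_init.stdout | from_json)['root_token' ] }} ; vault auth enable jwt"
      when: vault_init.rc == 0

    - name: Enable kv secrets in vault
      kubernetes.core.k8s_exec:
        namespace: hpcs
        pod: vault-0
        command: sh -c "export VAULT_TOKEN={{ (vault_init.stdout | from_json)['root_token' ] }} ; vault secrets enable -version=2 kv"
      when: vault_init.rc == 0

    - name: Create hpcs-server vault policy file
      # Written locally first; k8s_cp ships it into the Vault pod later.
      copy:
        content: "{{ hpcs_server_policy }}"
        dest: /tmp/policy
      when: vault_init.rc == 0

    - name: Deploy hpcs-stack
      kubernetes.core.helm:
        release_name: hpcs-stack
        chart_ref: hpcs-stack
        release_namespace: hpcs
        create_namespace: true

    - name: Wait for spire-oidc to be ready
      # spire-server-0 runs three containers; the JSONPath prints one
      # `ready` flag per container, so "true true true" means all are ready.
      shell: "kubectl get --namespace hpcs pod/spire-server-0 --output=jsonpath='{.status.containerStatuses[*].ready}'"
      register: pod_spire_oidc
      until: pod_spire_oidc.stdout == "true true true"
      # until: (pod_spire_oidc.stdout | from_json)['containerStatuses'][?name==spire-oidc]['ready']
      retries: 10
      delay: 2

    - name: Copy oidc cert to vault's pod
      # The CA that signed the spire-oidc serving cert; Vault needs it to
      # fetch the OIDC discovery document over HTTPS.
      kubernetes.core.k8s_cp:
        namespace: hpcs
        pod: vault-0
        remote_path: /tmp/cert
        local_path: hpcs-stack/charts/spire/files/spire-oidc.crt
      when: vault_init.rc == 0

    - name: Write oidc config to vault
      kubernetes.core.k8s_exec:
        namespace: hpcs
        pod: vault-0
        command: sh -c "export VAULT_TOKEN={{ (vault_init.stdout | from_json)['root_token'] }} ; vault write auth/jwt/config oidc_discovery_url=https://spire-oidc oidc_discovery_ca_pem=\"$(cat /tmp/cert)\""
      when: vault_init.rc == 0

    - name: Copy policy file to vault's pod
      kubernetes.core.k8s_cp:
        namespace: hpcs
        pod: vault-0
        remote_path: /tmp/policy
        local_path: /tmp/policy
      when: vault_init.rc == 0

    - name: Write hpcs-server vault policy
      kubernetes.core.k8s_exec:
        namespace: hpcs
        pod: vault-0
        command: sh -c "export VAULT_TOKEN={{ (vault_init.stdout | from_json)['root_token'] }} ; vault policy write hpcs-server /tmp/policy"
      when: vault_init.rc == 0

    - name: Write hpcs-server vault role
      # Binds the role to the exact SPIFFE ID registered with spire-server
      # below; `sub` of the JWT-SVID must match bound_subject.
      # NOTE(review): bound_audiences is hard-coded to TESTING — confirm it
      # matches the audience hpcs-server requests when it fetches its JWT-SVID.
      kubernetes.core.k8s_exec:
        namespace: hpcs
        pod: vault-0
        command: sh -c "export VAULT_TOKEN={{ (vault_init.stdout | from_json)['root_token'] }} ; vault write auth/jwt/role/hpcs-server role_type=jwt user_claim=sub bound_audiences=TESTING bound_subject=spiffe://hpcs/hpcs-server/workload token_ttl=24h token_policies=hpcs-server"
      when: vault_init.rc == 0

    - name: Check cgroups version
      # grep exits 0 when cgroup2 is listed and 1 when it is not; that rc
      # selects which SPIRE workload selector is registered below.
      kubernetes.core.k8s_exec:
        namespace: hpcs
        pod: vault-0
        command: sh -c "cat /proc/filesystems | grep cgroup2"
      register: cgroups_check

    - name: Register node uid and nodename
      # Only the first node's uid is used for the SPIRE parent ID below;
      # multi-node clusters would need one entry per node — TODO confirm.
      shell: "kubectl get nodes -o json"
      register: kubectl_node_info

    - name: Register hpcs-server identity (cgroup v2 node, unix uid selector)
      kubernetes.core.k8s_exec:
        namespace: hpcs
        pod: spire-server-0
        container: spire-server
        command: ./bin/spire-server entry create -parentID spiffe://hpcs/spire/agent/k8s_psat/hpcs/{{ (kubectl_node_info.stdout | from_json)['items'][0]['metadata']['uid'] }} -spiffeID spiffe://hpcs/hpcs-server/workload -selector unix:uid:0
      # Registered under its own name: the original reused `cgroups_check`
      # here, which overwrote the cgroup probe result (or replaced it with a
      # `skipped` result carrying no rc) before the next task evaluated it.
      register: spire_entry_uid_selector
      when: cgroups_check.rc == 0
      ignore_errors: true

    - name: Register hpcs-server identity (cgroup v1 node, pod-name selector)
      # NOTE(review): presumably the k8s workload attestor is only usable on
      # cgroup v1 here, hence the pod-name selector on rc == 1 — confirm.
      kubernetes.core.k8s_exec:
        namespace: hpcs
        pod: spire-server-0
        container: spire-server
        command: ./bin/spire-server entry create -parentID spiffe://hpcs/spire/agent/k8s_psat/hpcs/{{ (kubectl_node_info.stdout | from_json)['items'][0]['metadata']['uid'] }} -spiffeID spiffe://hpcs/hpcs-server/workload -selector k8s:pod-name:hpcs-server
      register: spire_entry_podname_selector
      when: cgroups_check.rc == 1
      ignore_errors: true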