Fix Vault installation for setup without K8s (hitachienergy#1766)

* Install Vault on first master * Update changelog
rafzei · Nov 26, 2020 · 5cb8ff4 · 5cb8ff4
1 parent e889aee
commit 5cb8ff4
Show file tree

Hide file tree

Showing 5 changed files with 19 additions and 10 deletions.
diff --git a/CHANGELOG-0.8.md b/CHANGELOG-0.8.md
@@ -1,5 +1,11 @@
 # Changelog 0.8
 
+## [0.8.0] 2020-10-XX
+
+### Fixed
+
+- [#1754](https://github.com/epiphany-platform/epiphany/issues/1754) - Fix Vault installation for setup without K8s
+
 ## [0.8.0rc1] 2020-10-08
 
 ### Added

diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/vault/tasks/main.yml b/core/src/epicli/data/common/ansible/playbooks/roles/vault/tasks/main.yml
@@ -34,12 +34,7 @@
     dest: /tmp/vault_helm_chart_values.yaml
   when: vault_helm_chart_values_bool
 
-- name: Install and configure Hashicorp Vault if enabled and no cloud service is used
-  when:
-    - specification.vault_enabled
-    - k8s_as_cloud_service is defined
-    - not k8s_as_cloud_service
-    - groups.kubernetes_master | length == 1
+- name: Install and configure Hashicorp Vault
   block:
     - name: Create Vault system group
       group:

diff --git a/...ata/common/ansible/playbooks/roles/vault/templates/kubernetes/vault-default-policy.yml.j2 b/...ata/common/ansible/playbooks/roles/vault/templates/kubernetes/vault-default-policy.yml.j2
@@ -11,7 +11,7 @@ spec:
   - Egress
   egress:
   - to:
-    {% for server in groups['vault'] %}- ipBlock:
+    {% for server in ansible_play_hosts_all %}- ipBlock:
         cidr: {{ hostvars[server]['ansible_default_ipv4']['address'] }}/32
     {% endfor %}ports:
     - protocol: TCP

diff --git a/core/src/epicli/data/common/ansible/playbooks/vault.yml b/core/src/epicli/data/common/ansible/playbooks/vault.yml
@@ -1,7 +1,15 @@
 ---
 # Ansible playbook that installs Hashicorp Vault
-- hosts: vault
+# Installing Vault on multi-master K8s is not supported so install only on the first host
+- hosts: >-
+    {{ 'vault[0]' if (groups.kubernetes_master is defined and
+                      groups.vault is defined and
+                      groups.vault | intersect(groups.kubernetes_master)) else
+      'vault' }}
   become: true
   become_method: sudo
   roles:
-    - vault
+    - role: vault
+      when:
+        - specification.vault_enabled
+        - k8s_as_cloud_service is undefined or not k8s_as_cloud_service
diff --git a/docs/home/howto/SECURITY.md b/docs/home/howto/SECURITY.md
@@ -379,7 +379,7 @@ that right now can be configured manually according to Hashicorp Vault [document
 
 At the moment only installation on Kubernetes Master is supported, but we are also planning separate installation with no
 other components. Also at this moment we are not providing clustered option for Vault deployment, but this will be part
-of the future releases. For multi-master (HA) Kubernetes, Vault is not installed.
+of the future releases. For multi-master (HA) Kubernetes, Vault is installed only on the first master defined in Ansible inventory.
 
 Below you can find sample configuration for Vault with description of all options.