diff --git a/CHANGELOG-0.8.md b/CHANGELOG-0.8.md
index 04abbb7532..755858d9f9 100644
--- a/CHANGELOG-0.8.md
+++ b/CHANGELOG-0.8.md
@@ -1,5 +1,11 @@
 # Changelog 0.8
 
+## [0.8.0] 2020-10-XX
+
+### Fixed
+
+- [#1754](https://github.com/epiphany-platform/epiphany/issues/1754) - Fix Vault installation for setup without K8s
+
 ## [0.8.0rc1] 2020-10-08
 
 ### Added
diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/vault/tasks/main.yml b/core/src/epicli/data/common/ansible/playbooks/roles/vault/tasks/main.yml
index 427f84ddb4..eb87ae6a7a 100644
--- a/core/src/epicli/data/common/ansible/playbooks/roles/vault/tasks/main.yml
+++ b/core/src/epicli/data/common/ansible/playbooks/roles/vault/tasks/main.yml
@@ -34,12 +34,7 @@
     dest: /tmp/vault_helm_chart_values.yaml
   when: vault_helm_chart_values_bool
 
-- name: Install and configure Hashicorp Vault if enabled and no cloud service is used
-  when:
-    - specification.vault_enabled
-    - k8s_as_cloud_service is defined
-    - not k8s_as_cloud_service
-    - groups.kubernetes_master | length == 1
+- name: Install and configure Hashicorp Vault
   block:
     - name: Create Vault system group
       group:
diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/vault/templates/kubernetes/vault-default-policy.yml.j2 b/core/src/epicli/data/common/ansible/playbooks/roles/vault/templates/kubernetes/vault-default-policy.yml.j2
index dffe057e15..0242cb6eaf 100644
--- a/core/src/epicli/data/common/ansible/playbooks/roles/vault/templates/kubernetes/vault-default-policy.yml.j2
+++ b/core/src/epicli/data/common/ansible/playbooks/roles/vault/templates/kubernetes/vault-default-policy.yml.j2
@@ -11,7 +11,7 @@ spec:
     - Egress
   egress:
     - to:
-      {% for server in groups['vault'] %}- ipBlock:
+      {% for server in ansible_play_hosts_all %}- ipBlock:
           cidr: {{ hostvars[server]['ansible_default_ipv4']['address'] }}/32
       {% endfor %}ports:
         - protocol: TCP
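Review bot: With the `when:` list removed from the `Install and configure Hashicorp Vault` block, nothing in this task file still gates the install; the role now relies entirely on the play-level `when:` in playbooks/vault.yml, which is not visible from the role and is easy to lose if the role is ever included from another play. Add a comment above the block recording that dependency, e.g. `# Gating (specification.vault_enabled, k8s_as_cloud_service) is applied at play level in playbooks/vault.yml`. The dropped `groups.kubernetes_master | length == 1` guard is presumably replaced by the host selection in that same playbook; stating that in the same comment documents the multi-master behaviour where the tasks live. The block's body continues outside the hunk.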
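Review bot: The egress allow-list in `vault-default-policy.yml.j2` now follows `ansible_play_hosts_all`, which also contains hosts that failed or were unreachable earlier in the play, so a host on which Vault was never configured can still end up in the policy's permitted `ipBlock` list. `ansible_play_hosts` excludes such hosts and is the narrower choice: `{% for server in ansible_play_hosts %}- ipBlock:`. Either way the rendered policy now depends on which hosts the play was run against (including any `--limit`) rather than on the inventory `vault` group, which is worth a one-line template comment above the loop so the next reader does not assume group membership. The enclosing `egress` mapping starts and ends outside the hunk.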
diff --git a/core/src/epicli/data/common/ansible/playbooks/vault.yml b/core/src/epicli/data/common/ansible/playbooks/vault.yml
index aceb9a9008..c9ebd12fae 100644
--- a/core/src/epicli/data/common/ansible/playbooks/vault.yml
+++ b/core/src/epicli/data/common/ansible/playbooks/vault.yml
@@ -1,7 +1,15 @@
 ---
 # Ansible playbook that installs Hashicorp Vault
-- hosts: vault
+# Installing Vault on multi-master K8s is not supported so install only on the first host
+- hosts: >-
+    {{ 'vault[0]' if (groups.kubernetes_master is defined and
+                      groups.vault is defined and
+                      groups.vault | intersect(groups.kubernetes_master)) else
+       'vault' }}
   become: true
   become_method: sudo
   roles:
-    - vault
+    - role: vault
+      when:
+        - specification.vault_enabled
+        - k8s_as_cloud_service is undefined or not k8s_as_cloud_service
diff --git a/docs/home/howto/SECURITY.md b/docs/home/howto/SECURITY.md
index 16097108ea..e7eebbdfee 100644
--- a/docs/home/howto/SECURITY.md
+++ b/docs/home/howto/SECURITY.md
@@ -379,7 +379,7 @@ that right now can be configured manually according to Hashicorp Vault [document
 At the moment only installation on Kubernetes Master is supported, but we are also planning separate installation with no other components. Also at this moment we are not providing clustered option for Vault deployment, but this will be part
-of the future releases. For multi-master (HA) Kubernetes, Vault is not installed.
+of the future releases. For multi-master (HA) Kubernetes, Vault is installed only on the first master defined in Ansible inventory.
 
 Below you can find sample configuration for Vault with description of all options.
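Review bot: The new role-level condition `k8s_as_cloud_service is undefined or not k8s_as_cloud_service` widens the old gate — an absent variable previously skipped Vault, now it installs — which matches the issue being fixed, but the two-clause form hides that an undefined value is being treated as "not a cloud service"; `- not (k8s_as_cloud_service | default(false))` says the same thing with the default explicit. The `hosts:` expression picks `vault[0]` whenever the `vault` group overlaps `kubernetes_master`, not when there is more than one master as the comment above it says; if an inventory mixes master and non-master hosts in `vault`, the first entry is chosen whether or not it is a master, which seems worth a sentence in that comment. `vault[0]` is also inventory order, so reordering the group moves the host that receives Vault and its data; the comment should say that the first inventory entry is the one used.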