|
28 | 28 | command: vault auth enable jwt |
29 | 29 | when: not vault_auth_jwt |
30 | 30 |
|
31 | | -- name: Get router CA certificate |
32 | | - kubernetes.core.k8s_info: |
33 | | - kind: Secret |
34 | | - namespace: openshift-ingress-operator |
35 | | - name: router-ca |
36 | | - api_version: v1 |
37 | | - register: router_ca_cert |
| 31 | +- name: Split url into host and port |
| 32 | + ansible.builtin.set_fact: |
| 33 | + oidc_discovery_host: "{{ oidc_discovery_url | urlsplit('hostname') }}" |
| 34 | + oidc_discovery_port: "{{ oidc_discovery_url | urlsplit('port') | default('443', true) }}" |
| 35 | + |
| 36 | +- name: Check if OIDC endpoint is reachable |
| 37 | + kubernetes.core.k8s_exec: |
| 38 | + namespace: "{{ vault_ns }}" |
| 39 | + pod: "{{ vault_pod }}" |
| 40 | + command: > |
| 41 | + curl -fsk -o /dev/null -w "%{http_code}" {{ oidc_discovery_url }}/.well-known/openid-configuration |
| 42 | + register: oidc_discovery_reachable |
| 43 | + until: oidc_discovery_reachable.rc == 0 and oidc_discovery_reachable.stdout | int == 200 |
| 44 | + retries: 20 |
| 45 | + delay: 45 |
| 46 | + changed_when: false |
| 47 | + failed_when: oidc_discovery_reachable.rc != 0 or oidc_discovery_reachable.stdout | int != 200 |
| 48 | + |
| 49 | +- name: Get OIDC discovery certificate |
| 50 | + kubernetes.core.k8s_exec: |
| 51 | + namespace: "{{ vault_ns }}" |
| 52 | + pod: "{{ vault_pod }}" |
| 53 | + command: > |
| 54 | + bash -e -c |
| 55 | + "echo -n | openssl s_client -connect {{ oidc_discovery_host }}:{{ oidc_discovery_port }} -servername {{ oidc_discovery_host }} |
| 56 | + | openssl x509 -outform PEM > /tmp/oidc-discovery-certificate.pem" |
38 | 57 | when: not vault_auth_jwt |
39 | 58 |
|
40 | | -- name: Copy router CA certificate to vault |
41 | | - kubernetes.core.k8s_cp: |
| 59 | +- name: Check JWT discovery configuration |
| 60 | + kubernetes.core.k8s_exec: |
42 | 61 | namespace: "{{ vault_ns }}" |
43 | 62 | pod: "{{ vault_pod }}" |
44 | | - content: "{{ router_ca_cert.resources[0].data['tls.crt'] | b64decode }}" |
45 | | - remote_path: /tmp/router-ca.crt |
| 63 | + command: > |
| 64 | + vault read auth/jwt/config |
| 65 | + register: jwt_discovery_config_json |
| 66 | + changed_when: false |
| 67 | + failed_when: jwt_discovery_config_json.rc != 0 |
46 | 68 | when: not vault_auth_jwt |
47 | 69 |
|
| 70 | +- name: Set JWT discovery configuration fact |
| 71 | + ansible.builtin.set_fact: |
| 72 | + jwt_discovery_config: "{{ jwt_discovery_config_json.stdout | from_json }}" |
| 73 | + when: not vault_auth_jwt and jwt_discovery_config_json.stdout_lines | length > 0 |
| 74 | + |
| 75 | +- name: Set JWT discovery configuration facts |
| 76 | + ansible.builtin.set_fact: |
| 77 | + jwt_config_oidc_discovery_url: "{{ jwt_discovery_config.data.oidc_discovery_url }}" |
| 78 | + jwt_config_default_role: "{{ jwt_discovery_config.data.default_role }}" |
| 79 | + when: not vault_auth_jwt and jwt_discovery_config_json.stdout_lines | length > 0 |
| 80 | + |
48 | 81 | - name: Write JWT configuration |
49 | 82 | kubernetes.core.k8s_exec: |
50 | 83 | namespace: "{{ vault_ns }}" |
|
53 | 86 | vault write auth/jwt/config |
54 | 87 | oidc_discovery_url={{ oidc_discovery_url }} |
55 | 88 | default_role={{ default_role | default('default') }} |
56 | | - oidc_discovery_ca_pem=@/tmp/router-ca.crt |
| 89 | + oidc_discovery_ca_pem=@/tmp/oidc-discovery-certificate.pem |
| 90 | + when: not vault_auth_jwt or |
| 91 | + not jwt_config_oidc_discovery_url == oidc_discovery_url or |
| 92 | + not jwt_config_default_role == default_role | default('default') |
| 93 | + |
| 94 | +- name: Get JWT role configuration |
| 95 | + kubernetes.core.k8s_exec: |
| 96 | + namespace: "{{ vault_ns }}" |
| 97 | + pod: "{{ vault_pod }}" |
| 98 | + command: > |
| 99 | + vault read auth/jwt/role/{{ default_role | default('default') }} |
| 100 | + register: jwt_role_config_json |
| 101 | + changed_when: false |
| 102 | + failed_when: jwt_role_config_json.rc != 0 |
57 | 103 | when: not vault_auth_jwt |
58 | 104 |
|
| 105 | +- name: Set JWT role configuration fact |
| 106 | + ansible.builtin.set_fact: |
| 107 | + jwt_role_config: "{{ jwt_role_config_json.stdout | from_json }}" |
| 108 | + when: not vault_auth_jwt and jwt_role_config_json.stdout_lines | length > 0 |
| 109 | + |
| 110 | +- name: Set JWT role configuration facts |
| 111 | + ansible.builtin.set_fact: |
| 112 | + jwt_role_config_bound_audiences: "{{ jwt_role_config.data.bound_audiences[0] | default('') }}" |
| 113 | + jwt_role_config_bound_subject: "{{ jwt_role_config.data.bound_subject }}" |
| 114 | + jwt_role_config_token_ttl: "{{ jwt_role_config.data.token_ttl }}" |
| 115 | + jwt_role_config_token_policies: "{{ jwt_role_config.data.token_policies[0] | default('') }}" |
| 116 | + when: not vault_auth_jwt and jwt_role_config_json.stdout_lines | length > 0 |
| 117 | + |
59 | 118 | - name: Write JWT role |
60 | 119 | kubernetes.core.k8s_exec: |
61 | 120 | namespace: "{{ vault_ns }}" |
|
67 | 126 | bound_audiences={{ spiffe_audience }} |
68 | 127 | bound_subject={{ spiffe_subject }} |
69 | 128 | token_ttl={{ token_ttl | default('24h') }} |
70 | | - token_policies={{ vault_global_policy }}-secret |
71 | | - when: not vault_auth_jwt |
| 129 | + token_policies={{ role_policy | default('{}-secret'.format(vault_global_policy)) }} |
| 130 | + when: not vault_auth_jwt or |
| 131 | + not jwt_role_config_bound_audiences == spiffe_audience or |
| 132 | + not jwt_role_config_bound_subject == spiffe_subject or |
| 133 | + not jwt_role_config_token_ttl == token_ttl | default('24h') or |
| 134 | + not jwt_role_config_token_policies == role_policy | default('{}-secret'.format(vault_global_policy)) |
72 | 135 |
|
73 | 136 | - name: Delete router CA certificate |
74 | 137 | kubernetes.core.k8s_exec: |
75 | 138 | namespace: "{{ vault_ns }}" |
76 | 139 | pod: "{{ vault_pod }}" |
77 | | - command: rm -f /tmp/router-ca.crt |
| 140 | + command: rm -f /tmp/oidc-discovery-certificate.pem |
78 | 141 | when: not vault_auth_jwt |
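Review bot: The new "Get OIDC discovery certificate" task pins whatever certificate the endpoint presents at run time, obtained over an unverified handshake, as Vault's `oidc_discovery_ca_pem` — `openssl x509` keeps only the first PEM block `openssl s_client` prints, i.e. the server's leaf certificate, and nothing in the task (or the `curl -fsk` reachability check before it) validates it against a trust anchor, so a MITM at setup time gets its own certificate trusted for JWT discovery from then on. The previous version read the `router-ca` secret through the authenticated cluster API, which is a trusted source; if the issuer is external, the CA bundle should be supplied as a variable (or at least fetched with `-showcerts`, reduced to the issuing CA and verified against a known root) rather than learned from the network. Pinning the leaf also breaks at the next certificate rotation, and the idempotency condition on "Write JWT configuration" compares only the URL and default role, so a stale pin is never rewritten. Separately, that condition references `jwt_config_oidc_discovery_url` while the task that sets it is gated on `when: not vault_auth_jwt`, so on a run where `vault_auth_jwt` is true the conditional looks like it evaluates an undefined variable — worth confirming; the same pattern appears on "Write JWT role". The task list begins before this hunk (lines 1–27 are not shown).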