diff options
author | pmikus <pmikus@cisco.com> | 2021-05-18 13:30:08 +0000 |
---|---|---|
committer | Peter Mikus <pmikus@cisco.com> | 2021-08-09 11:52:06 +0000 |
commit | b9d4313cc851be7c7e8657783723343e8bd14664 (patch) | |
tree | 245393deb0753a63ed48f324f801f6b3c786e774 /fdio.infra.ansible/roles/vault/defaults | |
parent | 80989ff660f1acd635f6d004b15bc13a93240975 (diff) |
Infra: Vault
Signed-off-by: pmikus <pmikus@cisco.com>
Change-Id: Ia6e728f98d20144c3771405b32933a77fe15b19b
(cherry picked from commit 73440ab332c51eb11405767d320bc496d9ebdbe7)
(cherry picked from commit bb2af29c186f681dcbbc3c26a5f091af6c7415d3)
Diffstat (limited to 'fdio.infra.ansible/roles/vault/defaults')
-rw-r--r-- | fdio.infra.ansible/roles/vault/defaults/main.yaml | 159 |
1 files changed, 159 insertions, 0 deletions
diff --git a/fdio.infra.ansible/roles/vault/defaults/main.yaml b/fdio.infra.ansible/roles/vault/defaults/main.yaml new file mode 100644 index 0000000000..232dc40694 --- /dev/null +++ b/fdio.infra.ansible/roles/vault/defaults/main.yaml @@ -0,0 +1,159 @@ +--- +# file: roles/vault/defaults/main.yaml + +# Inst - Prerequisites. +packages: "{{ packages_base + packages_by_distro[ansible_distribution | lower] + packages_by_arch[ansible_machine] }}" +packages_base: + - "curl" + - "unzip" +packages_by_distro: + ubuntu: + - [] +packages_by_arch: + aarch64: + - [] + x86_64: + - [] + +# Inst - Vault Map. +vault_version: "1.8.1" +vault_architecture_map: + amd64: "amd64" + x86_64: "amd64" + armv7l: "arm" + aarch64: "arm64" + 32-bit: "386" + 64-bit: "amd64" +vault_architecture: "{{ vault_architecture_map[ansible_architecture] }}" +vault_os: "{{ ansible_system|lower }}" +vault_pkg: "vault_{{ vault_version }}_{{ vault_os }}_{{ vault_architecture }}.zip" +vault_zip_url: "https://releases.hashicorp.com/vault/{{ vault_version }}/{{ vault_pkg }}" + +# Conf - Service. +vault_node_role: "server" +vault_restart_handler_state: "restarted" +vault_systemd_service_name: "vault" + +# Inst - System paths. +vault_bin_dir: "/usr/local/bin" +vault_config_dir: "/etc/vault.d" +vault_data_dir: "/var/vault" +vault_inst_dir: "/opt" +vault_run_dir: "/var/run/vault" +vault_ssl_dir: "/etc/vault.d/ssl" + +# Conf - User and group. +vault_group: "vault" +vault_group_state: "present" +vault_user: "vault" +vault_user_state: "present" + +# Conf - Main +vault_group_name: "vault_instances" +vault_cluster_name: "yul1" +vault_datacenter: "yul1" +vault_log_level: "{{ lookup('env','VAULT_LOG_LEVEL') | default('info', true) }}" +vault_iface: "{{ lookup('env','VAULT_IFACE') | default(ansible_default_ipv4.interface, true) }}" +vault_address: "{{ hostvars[inventory_hostname]['ansible_'+vault_iface]['ipv4']['address'] }}" +vault_ui: "{{ lookup('env', 'VAULT_UI') | default(true, true) }}" +vault_port: 8200 +vault_use_config_path: false +vault_main_config: "{{ vault_config_dir }}/vault_main.hcl" +vault_main_configuration_template: "vault_main_configuration.hcl.j2" +vault_listener_localhost_enable: false +vault_http_proxy: "" +vault_https_proxy: "" +vault_no_proxy: "" + +# Conf - Listeners +vault_tcp_listeners: + - vault_address: "{{ vault_address }}" + vault_port: "{{ vault_port }}" + vault_cluster_address: "{{ vault_cluster_address }}" + vault_tls_disable: "{{ vault_tls_disable }}" + vault_tls_config_path: "{{ vault_tls_config_path }}" + vault_tls_cert_file: "{{ vault_tls_cert_file }}" + vault_tls_key_file: "{{ vault_tls_key_file }}" + vault_tls_ca_file: "{{ vault_tls_ca_file }}" + vault_tls_min_version: "{{ vault_tls_min_version }}" + vault_tls_cipher_suites: "{{ vault_tls_cipher_suites }}" + vault_tls_prefer_server_cipher_suites: "{{ vault_tls_prefer_server_cipher_suites }}" + vault_tls_require_and_verify_client_cert: "{{ vault_tls_require_and_verify_client_cert }}" + vault_tls_disable_client_certs: "{{ vault_tls_disable_client_certs }}" + vault_disable_mlock: true + +# Conf - Backend +vault_backend_consul: "vault_backend_consul.j2" +vault_backend_file: "vault_backend_file.j2" +vault_backend_raft: "vault_backend_raft.j2" +vault_backend_etcd: "vault_backend_etcd.j2" +vault_backend_s3: "vault_backend_s3.j2" +vault_backend_dynamodb: "vault_backend_dynamodb.j2" +vault_backend_mysql: "vault_backend_mysql.j2" +vault_backend_gcs: "vault_backend_gcs.j2" + +vault_cluster_disable: false +vault_cluster_address: "{{ hostvars[inventory_hostname]['ansible_'+vault_iface]['ipv4']['address'] }}:{{ (vault_port | int) + 1}}" +vault_cluster_addr: "{{ vault_protocol }}://{{ vault_cluster_address }}" +vault_api_addr: "{{ vault_protocol }}://{{ vault_redirect_address | default(hostvars[inventory_hostname]['ansible_'+vault_iface]['ipv4']['address']) }}:{{ vault_port }}" + +vault_max_lease_ttl: "768h" +vault_default_lease_ttl: "768h" + +vault_backend_tls_src_files: "{{ vault_tls_src_files }}" +vault_backend_tls_config_path: "{{ vault_tls_config_path }}" +vault_backend_tls_cert_file: "{{ vault_tls_cert_file }}" +vault_backend_tls_key_file: "{{ vault_tls_key_file }}" +vault_backend_tls_ca_file: "{{ vault_tls_ca_file }}" + +vault_consul: "127.0.0.1:8500" +vault_consul_path: "vault" +vault_consul_service: "vault" +vault_consul_scheme: "http" + +vault_backend: "consul" + +# Conf - Service registration +vault_service_registration_consul_enable: true +vault_service_registration_consul_template: "vault_service_registration_consul.hcl.j2" +vault_service_registration_consul_check_timeout: "5s" +vault_service_registration_consul_address: "127.0.0.1:8500" +vault_service_registration_consul_service: "vault" +vault_service_registration_consul_service_tags: "" +vault_service_registration_consul_service_address: +vault_service_registration_consul_disable_registration: false +vault_service_registration_consul_scheme: "http" + +vault_service_registration_consul_tls_config_path: "{{ vault_tls_config_path }}" +vault_service_registration_consul_tls_cert_file: "{{ vault_tls_cert_file }}" +vault_service_registration_consul_tls_key_file: "{{ vault_tls_key_file }}" +vault_service_registration_consul_tls_ca_file: "{{ vault_tls_ca_file }}" +vault_service_registration_consul_tls_min_version: "{{ vault_tls_min_version }}" +vault_service_registration_consul_tls_skip_verify: false + +# Conf - Telemetry +vault_telemetry_enabled: true +vault_telemetry_disable_hostname: false +vault_prometheus_retention_time: 30s + +# Conf - TLS +validate_certs_during_api_reachable_check: true + +vault_tls_config_path: "{{ lookup('env','VAULT_TLS_DIR') | default('/etc/vault/tls', true) }}" +vault_tls_src_files: "{{ lookup('env','VAULT_TLS_SRC_FILES') | default(role_path+'/files', true) }}" + +vault_tls_disable: "{{ lookup('env','VAULT_TLS_DISABLE') | default(1, true) }}" +vault_tls_gossip: "{{ lookup('env','VAULT_TLS_GOSSIP') | default(0, true) }}" + +vault_tls_copy_keys: true +vault_protocol: "{% if vault_tls_disable %}http{% else %}https{% endif %}" +vault_tls_cert_file: "{{ lookup('env','VAULT_TLS_CERT_FILE') | default('server.crt', true) }}" +vault_tls_key_file: "{{ lookup('env','VAULT_TLS_KEY_FILE') | default('server.key', true) }}" +vault_tls_ca_file: "{{ lookup('env','VAULT_TLS_CA_CRT') | default('ca.crt', true) }}" + +vault_tls_min_version: "{{ lookup('env','VAULT_TLS_MIN_VERSION') | default('tls12', true) }}" +vault_tls_cipher_suites: "" +vault_tls_prefer_server_cipher_suites: "{{ lookup('env','VAULT_TLS_PREFER_SERVER_CIPHER_SUITES') | default('false', true) }}" +vault_tls_files_remote_src: false +vault_tls_require_and_verify_client_cert: false +vault_tls_disable_client_certs: false
\ No newline at end of file |