hcp-ansible/playbooks/group_vars/all/vault.yml

---
#####################################################
#                                                   #
#                Non-Editable                       #
#                                                   #
#####################################################

#########################
# vault haproxy backend #
#########################

vault_haproxy_frontend_options:
  - acl is_vault hdr(host) -i {{ vault_fqdn }}
  - use_backend vault_external if is_vault

vault_haproxy_backends:
  - name: vault_external
    options: "{{ vault_external_backend_options + vault_external_backend_servers }}"

vault_external_backend_options:
  - description vault external http backend
  - option forwardfor
  - option httpchk GET /v1/sys/health?standbyok=true&sealedcode=200&standbycode=200&uninitcode=200
  - http-check expect status 200
  - default-server inter 2s fastinter 1s downinter 1s

vault_external_backend_servers: |
  [
    {% for host in groups['vault_servers'] %}
      'server vault-{{ hostvars[host].api_interface_address }} {{ hostvars[host].api_interface_address }}:8200 check {{ 'ssl verify none ' if vault_enable_tls }}inter 5s'{% if not loop.last %},{% endif %}
    {% endfor %}
  ]

######################
# vault internal tls #
######################

vault_certificates_directory: "{{ hashi_vault_config_dir }}/tls"
vault_certificates_extra_files_dir:
  - src: "{{ sub_configuration_directories['certificates'] }}/vault/{{ inventory_hostname }}"
    dest: "{{ hashi_vault_config_dir }}/tls"

#################
# vault plugins #
#################

vault_plugin_directory: "{{ hashi_vault_config_dir }}/plugin"
vault_plugin_extra_files_dir:
  - src: "{{ sub_configuration_directories['vault_servers'] }}/plugin"
    dest: "{{ hashi_vault_config_dir }}/plugin"

########################
# vault role variables #
########################

hashi_vault_start_service: true
hashi_vault_version: "{{ vault_versions[deployment_method] }}"
hashi_vault_deploy_method: "{{ deployment_method }}"
hashi_vault_env_variables: {}
hashi_vault_config_dir: "/etc/vault.d"
hashi_vault_data_dir: "/opt/vault"
hashi_vault_extra_files: true
hashi_vault_extra_files_set:
  "{{ (vault_certificates_extra_files_dir if vault_enable_tls else []) |
  union(vault_plugin_extra_files_dir if vault_enable_plugins else []) |
  union(vault_extra_files_list) |
  list }}"
hashi_vault_extra_files_src: "{{ sub_configuration_directories.vault_servers }}/config"
hashi_vault_extra_files_dst: "{{ hashi_vault_config_dir }}/config"
hashi_vault_extra_container_volumes: "{{ default_container_extra_volumes | union(extra_vault_container_volumes) | unique }}"
hashi_vault_configuration:
  cluster_name: "{{ vault_cluster_name }}"
  cluster_addr: "{{ 'https' if vault_enable_tls else 'http'}}://{{ api_interface_address }}:8201"
  api_addr: "{{ 'https' if vault_enable_tls else 'http'}}://{{ api_interface_address }}:8200"
  ui: "{{ vault_enable_ui }}"
  disable_mlock: false
  disable_cache: false
  listener: "{{ vault_listener_configuration }}"
  storage: "{{ vault_storage_configuration }}"
feat(deploy): add haproxy deployment, integrate with consul 2024-03-17 09:57:02 +00:00			`---`
			`#####################################################`
			`# #`
feat(haproxy): add a lot to haproxy, and generate_certs playbook + docs 2024-04-01 21:59:48 +00:00			`# Non-Editable #`
feat(deploy): add haproxy deployment, integrate with consul 2024-03-17 09:57:02 +00:00			`# #`
			`#####################################################`

			`#########################`
feat(haproxy): add a lot to haproxy, and generate_certs playbook + docs 2024-04-01 21:59:48 +00:00			`# vault haproxy backend #`
feat(deploy): add haproxy deployment, integrate with consul 2024-03-17 09:57:02 +00:00			`#########################`

feat(haproxy): add a lot to haproxy, and generate_certs playbook + docs 2024-04-01 21:59:48 +00:00			`vault_haproxy_frontend_options:`
			`- acl is_vault hdr(host) -i {{ vault_fqdn }}`
			`- use_backend vault_external if is_vault`

			`vault_haproxy_backends:`
			`- name: vault_external`
			`options: "{{ vault_external_backend_options + vault_external_backend_servers }}"`

			`vault_external_backend_options:`
			`- description vault external http backend`
			`- option forwardfor`
			`- option httpchk GET /v1/sys/health?standbyok=true&sealedcode=200&standbycode=200&uninitcode=200`
			`- http-check expect status 200`
			`- default-server inter 2s fastinter 1s downinter 1s`

			`vault_external_backend_servers: \|`
			`[`
			`{% for host in groups['vault_servers'] %}`
feat(TLS): add tls features to vault and trust hosts store on containers 2024-04-06 21:47:35 +00:00			`'server vault-{{ hostvars[host].api_interface_address }} {{ hostvars[host].api_interface_address }}:8200 check {{ 'ssl verify none ' if vault_enable_tls }}inter 5s'{% if not loop.last %},{% endif %}`
feat(haproxy): add a lot to haproxy, and generate_certs playbook + docs 2024-04-01 21:59:48 +00:00			`{% endfor %}`
			`]`

feat(certs): generate_certs playbook now generate internal CA for vault 2024-04-03 21:55:01 +00:00			`######################`
			`# vault internal tls #`
			`######################`

			`vault_certificates_directory: "{{ hashi_vault_config_dir }}/tls"`
			`vault_certificates_extra_files_dir:`
			`- src: "{{ sub_configuration_directories['certificates'] }}/vault/{{ inventory_hostname }}"`
feat(TLS): add tls features to vault and trust hosts store on containers 2024-04-06 21:47:35 +00:00			`dest: "{{ hashi_vault_config_dir }}/tls"`
feat(certs): generate_certs playbook now generate internal CA for vault 2024-04-03 21:55:01 +00:00
			`#################`
			`# vault plugins #`
			`#################`

			`vault_plugin_directory: "{{ hashi_vault_config_dir }}/plugin"`
			`vault_plugin_extra_files_dir:`
			`- src: "{{ sub_configuration_directories['vault_servers'] }}/plugin"`
			`dest: "{{ hashi_vault_config_dir }}/plugin"`

feat(haproxy): add a lot to haproxy, and generate_certs playbook + docs 2024-04-01 21:59:48 +00:00			`########################`
			`# vault role variables #`
			`########################`
feat(deploy): add haproxy deployment, integrate with consul 2024-03-17 09:57:02 +00:00
			`hashi_vault_start_service: true`
feat(consul): start configuring and deploying agents 2024-03-17 18:05:02 +00:00			`hashi_vault_version: "{{ vault_versions[deployment_method] }}"`
feat(deploy): add haproxy deployment, integrate with consul 2024-03-17 09:57:02 +00:00			`hashi_vault_deploy_method: "{{ deployment_method }}"`
			`hashi_vault_env_variables: {}`
			`hashi_vault_config_dir: "/etc/vault.d"`
			`hashi_vault_data_dir: "/opt/vault"`
			`hashi_vault_extra_files: true`
fix: various inconsistencies and idempotence issues related to variable computing 2024-05-03 20:25:03 +00:00			`hashi_vault_extra_files_set:`
			`"{{ (vault_certificates_extra_files_dir if vault_enable_tls else []) \|`
			`union(vault_plugin_extra_files_dir if vault_enable_plugins else []) \|`
			`union(vault_extra_files_list) \|`
			`list }}"`
feat(deploy): add haproxy deployment, integrate with consul 2024-03-17 09:57:02 +00:00			`hashi_vault_extra_files_src: "{{ sub_configuration_directories.vault_servers }}/config"`
			`hashi_vault_extra_files_dst: "{{ hashi_vault_config_dir }}/config"`
			`hashi_vault_extra_container_volumes: "{{ default_container_extra_volumes \| union(extra_vault_container_volumes) \| unique }}"`
			`hashi_vault_configuration:`
			`cluster_name: "{{ vault_cluster_name }}"`
feat(TLS): add tls features to vault and trust hosts store on containers 2024-04-06 21:47:35 +00:00			`cluster_addr: "{{ 'https' if vault_enable_tls else 'http'}}://{{ api_interface_address }}:8201"`
			`api_addr: "{{ 'https' if vault_enable_tls else 'http'}}://{{ api_interface_address }}:8200"`
feat(deploy): add haproxy deployment, integrate with consul 2024-03-17 09:57:02 +00:00			`ui: "{{ vault_enable_ui }}"`
			`disable_mlock: false`
			`disable_cache: false`
			`listener: "{{ vault_listener_configuration }}"`
			`storage: "{{ vault_storage_configuration }}"`