From a5c72c969fd399689aab6ceea4a23a0c4b1a3889 Mon Sep 17 00:00:00 2001 From: Bertrand Lanson Date: Wed, 11 Sep 2024 22:20:28 +0200 Subject: [PATCH] feat: add ovveride options for vault variables --- playbooks/group_vars/all/vault.yml | 99 +++--------- playbooks/group_vars/all/vault_default.yml | 174 +++++++++++++++++++++ 2 files changed, 199 insertions(+), 74 deletions(-) create mode 100644 playbooks/group_vars/all/vault_default.yml diff --git a/playbooks/group_vars/all/vault.yml b/playbooks/group_vars/all/vault.yml index c5a0f17..77f6717 100644 --- a/playbooks/group_vars/all/vault.yml +++ b/playbooks/group_vars/all/vault.yml @@ -3,15 +3,12 @@ # Vault # ######### -vault_config_dir: "{{ hashistack_remote_config_dir }}/vault.d" -vault_data_dir: "/opt/vault" -vault_certs_dir: "{{ vault_config_dir }}/tls" -vault_logs_dir: "{{ hashistack_remote_log_dir }}/vault" - -vault_extra_files: true -# vault_extra_files_list: [] - -vault_env_variables: {} +# hashistack_vault_config_dir: +# hashistack_vault_data_dir: +# hashistack_vault_certs_dir: +# hashistack_vault_logs_dir: +# hashistack_vault_extra_files_list: +# hashistack_vault_env_variables: ####################### # extra configuration # @@ -22,103 +19,57 @@ vault_env_variables: {} # option should be used to add pieces of configuration not # available through standard variables. -# vault_extra_configuration: {} +# hashistack_vault_extra_configuration: ########### # general # ########### -# vault_cluster_name: vault -# vault_bind_addr: "0.0.0.0" -# vault_cluster_addr: "{{ api_interface_address }}" -# vault_enable_ui: true -# vault_disable_mlock: false -# vault_disable_cache: false +# hashistack_vault_cluster_name: +# hashistack_vault_bind_addr: +# hashistack_vault_cluster_addr: +# hashistack_vault_enable_ui: +# hashistack_vault_disable_mlock: +# hashistack_vault_disable_cache: ###################### # seal configuration # ###################### -vault_seal_configuration: - key_shares: 3 - key_threshold: 2 +# hashistack_vault_seal_configuration: ######################### # storage configuration # ######################### -vault_storage_configuration: - raft: - path: "{{ vault_data_dir }}" - node_id: "{{ ansible_hostname }}" - retry_join: >- - [ - {% for host in groups['vault_servers'] %} - { - 'leader_api_addr': '{{ "https" if vault_enable_tls else "http"}}://{{ hostvars[host].api_interface_address }}:8200' - }{% if not loop.last %},{% endif %} - {% endfor %} - ] +# hashistack_vault_storage_configuration: ########################## # listener configuration # ########################## -# vault_enable_tls: false -vault_listener_configuration: - - tcp: - address: "{{ vault_cluster_addr }}:8200" - tls_disable: true - -vault_tls_listener_configuration: - - tcp: - tls_disable: false - tls_cert_file: "{{ vault_certs_dir }}/fullchain.crt" - tls_key_file: "{{ vault_certs_dir }}/cert.key" - tls_disable_client_certs: true - -vault_certificates_extra_files_dir: > - {{ - [] if external_tls_externally_managed_certs | bool else - [{ - 'src': "{{ hashistack_sub_configuration_directories['certificates'] }}/vault/{{ inventory_hostname }}", - 'dest': "{{ vault_certs_dir }}" - }] - }} - -vault_extra_listener_configuration: [] +# hashistack_vault_enable_tls: +# hashistack_vault_listener_configuration: +# hashistack_vault_tls_listener_configuration: ######################## # service registration # ######################## -# vault_enable_service_registration: "{{ enable_consul | bool }}" -vault_service_registration_configuration: - consul: - address: >- - 127.0.0.1:{{ hostvars[groups['consul_servers'][0]].consul_api_port[hostvars[groups['consul_servers'][0]].consul_api_scheme] }} - scheme: "{{ hostvars[groups['consul_servers'][0]].consul_api_scheme }}" - token: "{{ _credentials.consul.tokens.vault.secret_id }}" - -vault_service_registration_policy: | - service "vault" { - policy = "write" - } +# hashistack_vault_enable_service_registration: +# hashistack_vault_service_registration_configuration: ######################### # plugins configuration # ######################### -# vault_enable_plugins: false -vault_plugins_directory: "{{ vault_config_dir }}/plugins" +# hashistack_vault_enable_plugins: +# hashistack_vault_plugins_directory: ################# # vault logging # ################# -# vault_log_level: info -vault_enable_log_to_file: "{{ enable_log_to_file | bool }}" -vault_log_to_file_configuration: - log_file: "{{ vault_logs_dir }}/vault.log" - log_rotate_duration: 24h - log_rotate_max_files: 30 +# hashistack_vault_log_level: +# hashistack_vault_enable_log_to_file: +# hashistack_vault_log_to_file_configuration: diff --git a/playbooks/group_vars/all/vault_default.yml b/playbooks/group_vars/all/vault_default.yml new file mode 100644 index 0000000..91d1fd5 --- /dev/null +++ b/playbooks/group_vars/all/vault_default.yml @@ -0,0 +1,174 @@ +--- +######### +# Vault # +######### + +hashistack_default_vault_config_dir: "{{ hashistack_remote_config_dir }}/vault.d" +vault_config_dir: "{{ hashistack_vault_config_dir | default(hashistack_default_vault_config_dir) }}" + +hashistack_default_vault_data_dir: "/opt/vault" +vault_data_dir: "{{ hashistack_vault_data_dir | default(hashistack_default_vault_data_dir) }}" + +hashistack_default_vault_certs_dir: "{{ vault_config_dir }}/tls" +vault_certs_dir: "{{ hashistack_vault_certs_dir | default(hashistack_default_vault_certs_dir) }}" + +hashistack_default_vault_logs_dir: "{{ hashistack_remote_log_dir }}/vault" +vault_logs_dir: "{{ hashistack_vault_logs_dir | default(hashistack_default_vault_logs_dir) }}" + +vault_extra_files: true + +hashistack_default_vault_extra_files_list: [] +vault_extra_files_list: "{{ hashistack_vault_extra_files_list | default(hashistack_default_vault_extra_files_list) }}" + +hashistack_default_vault_env_variables: {} +vault_env_variables: "{{ hashistack_vault_env_variables | default(hashistack_default_vault_env_variables) }}" + +####################### +# extra configuration # +####################### + +# You should prioritize adding configuration +# to the configuration entries below, this +# option should be used to add pieces of configuration not +# available through standard variables. + +hashistack_default_vault_extra_configuration: {} +vault_extra_configuration: >- + {{ + hashistack_default_vault_extra_configuration | + combine((hashistack_vault_extra_configuration | default({})), recursive=true) + }} + +########### +# general # +########### + +hashistack_default_vault_cluster_name: vault +vault_cluster_name: "{{ hashistack_vault_cluster_name | default(hashistack_default_vault_cluster_name) }}" + +hashistack_default_vault_bind_addr: "0.0.0.0" +vault_bind_addr: "{{ hashistack_vault_bind_addr | default(hashistack_default_vault_bind_addr) }}" + +hashistack_default_vault_cluster_addr: "{{ api_interface_address }}" +vault_cluster_addr: "{{ hashistack_vault_cluster_addr | default(hashistack_default_vault_cluster_addr) }}" + +hashistack_default_vault_enable_ui: true +vault_enable_ui: "{{ hashistack_vault_enable_ui | default(hashistack_default_vault_enable_ui) }}" + +hashistack_default_vault_disable_mlock: false +vault_disable_mlock: "{{ hashistack_vault_disable_mlock | default(hashistack_default_vault_disable_mlock) }}" + +hashistack_default_vault_disable_cache: false +vault_disable_cache: "{{ hashistack_vault_disable_cache | default(hashistack_default_vault_disable_cache) }}" + +###################### +# seal configuration # +###################### + +hashistack_default_vault_seal_configuration: + key_shares: 3 + key_threshold: 2 +vault_seal_configuration: >- + {{ + hashistack_default_vault_seal_configuration | + combine((hashistack_vault_seal_configuration | default({})), recursive=true) + }} + +######################### +# storage configuration # +######################### + +hashistack_default_vault_storage_configuration: + raft: + path: "{{ vault_data_dir }}" + node_id: "{{ ansible_hostname }}" + retry_join: >- + [ + {% for host in groups['vault_servers'] %} + { + 'leader_api_addr': '{{ "https" if vault_enable_tls else "http"}}://{{ hostvars[host].api_interface_address }}:8200' + }{% if not loop.last %},{% endif %} + {% endfor %} + ] +vault_storage_configuration: "{{ hashistack_vault_storage_configuration | default(hashistack_default_vault_storage_configuration) }}" +########################## +# listener configuration # +########################## + +hashistack_default_vault_enable_tls: false +vault_enable_tls: "{{ hashistack_vault_enable_tls | default(hashistack_default_vault_enable_tls) }}" + +hashistack_default_vault_listener_configuration: + - tcp: + address: "{{ vault_cluster_addr }}:8200" + tls_disable: true +vault_listener_configuration: "{{ hashistack_vault_listener_configuration | default(hashistack_default_vault_listener_configuration) }}" + +hashistack_default_vault_tls_listener_configuration: + - tcp: + tls_disable: false + tls_cert_file: "{{ vault_certs_dir }}/fullchain.crt" + tls_key_file: "{{ vault_certs_dir }}/cert.key" + tls_disable_client_certs: true +vault_tls_listener_configuration: "{{ hashistack_vault_tls_listener_configuration | default(hashistack_default_vault_tls_listener_configuration) }}" + +vault_certificates_extra_files_dir: > + {{ + [] if external_tls_externally_managed_certs | bool else + [{ + 'src': "{{ hashistack_sub_configuration_directories['certificates'] }}/vault/{{ inventory_hostname }}", + 'dest': "{{ vault_certs_dir }}" + }] + }} + +vault_extra_listener_configuration: [] + +######################## +# service registration # +######################## + +hashistack_default_vault_enable_service_registration: "{{ enable_consul | bool }}" +vault_enable_service_registration: "{{ hashistack_vault_enable_service_registration | default(hashistack_default_vault_enable_service_registration) }}" + +hashistack_default_vault_service_registration_configuration: + consul: + address: >- + 127.0.0.1:{{ hostvars[groups['consul_servers'][0]].consul_api_port[hostvars[groups['consul_servers'][0]].consul_api_scheme] }} + scheme: "{{ hostvars[groups['consul_servers'][0]].consul_api_scheme }}" + token: "{{ _credentials.consul.tokens.vault.secret_id }}" +vault_service_registration_configuration: "{{ hashistack_vault_service_registration_configuration | default(hashistack_default_vault_service_registration_configuration) }}" + +vault_service_registration_policy: | + service "vault" { + policy = "write" + } + +######################### +# plugins configuration # +######################### + +hashistack_default_vault_enable_plugins: false +vault_enable_plugins: "{{ hashistack_vault_enable_plugins | default(hashistack_default_vault_enable_plugins) }}" + +hashistack_default_vault_plugins_directory: "{{ vault_config_dir }}/plugins" +vault_plugins_directory: "{{ hashistack_vault_plugins_directory | default(hashistack_default_vault_plugins_directory) }}" + +################# +# vault logging # +################# + +hashistack_default_vault_log_level: info +vault_log_level: "{{ hashistack_vault_log_level | default(hashistack_default_vault_log_level) }}" + +hashistack_default_vault_enable_log_to_file: "{{ enable_log_to_file | bool }}" +vault_enable_log_to_file: "{{ hashistack_vault_enable_log_to_file | default(hashistack_default_vault_enable_log_to_file) }}" + +hashistack_default_vault_log_to_file_configuration: + log_file: "{{ vault_logs_dir }}/vault.log" + log_rotate_duration: 24h + log_rotate_max_files: 30 +vault_log_to_file_configuration: >- + {{ + hashistack_default_vault_log_to_file_configuration | + combine((hashistack_vault_log_to_file_configuration | default({})), recursive=true) + }}