feat: add ovveride options for vault variables
This commit is contained in:
parent
0e89312874
commit
a5c72c969f
@ -3,15 +3,12 @@
|
||||
# Vault #
|
||||
#########
|
||||
|
||||
vault_config_dir: "{{ hashistack_remote_config_dir }}/vault.d"
|
||||
vault_data_dir: "/opt/vault"
|
||||
vault_certs_dir: "{{ vault_config_dir }}/tls"
|
||||
vault_logs_dir: "{{ hashistack_remote_log_dir }}/vault"
|
||||
|
||||
vault_extra_files: true
|
||||
# vault_extra_files_list: []
|
||||
|
||||
vault_env_variables: {}
|
||||
# hashistack_vault_config_dir:
|
||||
# hashistack_vault_data_dir:
|
||||
# hashistack_vault_certs_dir:
|
||||
# hashistack_vault_logs_dir:
|
||||
# hashistack_vault_extra_files_list:
|
||||
# hashistack_vault_env_variables:
|
||||
|
||||
#######################
|
||||
# extra configuration #
|
||||
@ -22,103 +19,57 @@ vault_env_variables: {}
|
||||
# option should be used to add pieces of configuration not
|
||||
# available through standard variables.
|
||||
|
||||
# vault_extra_configuration: {}
|
||||
# hashistack_vault_extra_configuration:
|
||||
|
||||
###########
|
||||
# general #
|
||||
###########
|
||||
|
||||
# vault_cluster_name: vault
|
||||
# vault_bind_addr: "0.0.0.0"
|
||||
# vault_cluster_addr: "{{ api_interface_address }}"
|
||||
# vault_enable_ui: true
|
||||
# vault_disable_mlock: false
|
||||
# vault_disable_cache: false
|
||||
# hashistack_vault_cluster_name:
|
||||
# hashistack_vault_bind_addr:
|
||||
# hashistack_vault_cluster_addr:
|
||||
# hashistack_vault_enable_ui:
|
||||
# hashistack_vault_disable_mlock:
|
||||
# hashistack_vault_disable_cache:
|
||||
|
||||
######################
|
||||
# seal configuration #
|
||||
######################
|
||||
|
||||
vault_seal_configuration:
|
||||
key_shares: 3
|
||||
key_threshold: 2
|
||||
# hashistack_vault_seal_configuration:
|
||||
|
||||
#########################
|
||||
# storage configuration #
|
||||
#########################
|
||||
|
||||
vault_storage_configuration:
|
||||
raft:
|
||||
path: "{{ vault_data_dir }}"
|
||||
node_id: "{{ ansible_hostname }}"
|
||||
retry_join: >-
|
||||
[
|
||||
{% for host in groups['vault_servers'] %}
|
||||
{
|
||||
'leader_api_addr': '{{ "https" if vault_enable_tls else "http"}}://{{ hostvars[host].api_interface_address }}:8200'
|
||||
}{% if not loop.last %},{% endif %}
|
||||
{% endfor %}
|
||||
]
|
||||
# hashistack_vault_storage_configuration:
|
||||
|
||||
##########################
|
||||
# listener configuration #
|
||||
##########################
|
||||
|
||||
# vault_enable_tls: false
|
||||
vault_listener_configuration:
|
||||
- tcp:
|
||||
address: "{{ vault_cluster_addr }}:8200"
|
||||
tls_disable: true
|
||||
|
||||
vault_tls_listener_configuration:
|
||||
- tcp:
|
||||
tls_disable: false
|
||||
tls_cert_file: "{{ vault_certs_dir }}/fullchain.crt"
|
||||
tls_key_file: "{{ vault_certs_dir }}/cert.key"
|
||||
tls_disable_client_certs: true
|
||||
|
||||
vault_certificates_extra_files_dir: >
|
||||
{{
|
||||
[] if external_tls_externally_managed_certs | bool else
|
||||
[{
|
||||
'src': "{{ hashistack_sub_configuration_directories['certificates'] }}/vault/{{ inventory_hostname }}",
|
||||
'dest': "{{ vault_certs_dir }}"
|
||||
}]
|
||||
}}
|
||||
|
||||
vault_extra_listener_configuration: []
|
||||
# hashistack_vault_enable_tls:
|
||||
# hashistack_vault_listener_configuration:
|
||||
# hashistack_vault_tls_listener_configuration:
|
||||
|
||||
########################
|
||||
# service registration #
|
||||
########################
|
||||
|
||||
# vault_enable_service_registration: "{{ enable_consul | bool }}"
|
||||
vault_service_registration_configuration:
|
||||
consul:
|
||||
address: >-
|
||||
127.0.0.1:{{ hostvars[groups['consul_servers'][0]].consul_api_port[hostvars[groups['consul_servers'][0]].consul_api_scheme] }}
|
||||
scheme: "{{ hostvars[groups['consul_servers'][0]].consul_api_scheme }}"
|
||||
token: "{{ _credentials.consul.tokens.vault.secret_id }}"
|
||||
|
||||
vault_service_registration_policy: |
|
||||
service "vault" {
|
||||
policy = "write"
|
||||
}
|
||||
# hashistack_vault_enable_service_registration:
|
||||
# hashistack_vault_service_registration_configuration:
|
||||
|
||||
#########################
|
||||
# plugins configuration #
|
||||
#########################
|
||||
|
||||
# vault_enable_plugins: false
|
||||
vault_plugins_directory: "{{ vault_config_dir }}/plugins"
|
||||
# hashistack_vault_enable_plugins:
|
||||
# hashistack_vault_plugins_directory:
|
||||
|
||||
#################
|
||||
# vault logging #
|
||||
#################
|
||||
|
||||
# vault_log_level: info
|
||||
vault_enable_log_to_file: "{{ enable_log_to_file | bool }}"
|
||||
vault_log_to_file_configuration:
|
||||
log_file: "{{ vault_logs_dir }}/vault.log"
|
||||
log_rotate_duration: 24h
|
||||
log_rotate_max_files: 30
|
||||
# hashistack_vault_log_level:
|
||||
# hashistack_vault_enable_log_to_file:
|
||||
# hashistack_vault_log_to_file_configuration:
|
||||
|
174
playbooks/group_vars/all/vault_default.yml
Normal file
174
playbooks/group_vars/all/vault_default.yml
Normal file
@ -0,0 +1,174 @@
|
||||
---
|
||||
#########
|
||||
# Vault #
|
||||
#########
|
||||
|
||||
hashistack_default_vault_config_dir: "{{ hashistack_remote_config_dir }}/vault.d"
|
||||
vault_config_dir: "{{ hashistack_vault_config_dir | default(hashistack_default_vault_config_dir) }}"
|
||||
|
||||
hashistack_default_vault_data_dir: "/opt/vault"
|
||||
vault_data_dir: "{{ hashistack_vault_data_dir | default(hashistack_default_vault_data_dir) }}"
|
||||
|
||||
hashistack_default_vault_certs_dir: "{{ vault_config_dir }}/tls"
|
||||
vault_certs_dir: "{{ hashistack_vault_certs_dir | default(hashistack_default_vault_certs_dir) }}"
|
||||
|
||||
hashistack_default_vault_logs_dir: "{{ hashistack_remote_log_dir }}/vault"
|
||||
vault_logs_dir: "{{ hashistack_vault_logs_dir | default(hashistack_default_vault_logs_dir) }}"
|
||||
|
||||
vault_extra_files: true
|
||||
|
||||
hashistack_default_vault_extra_files_list: []
|
||||
vault_extra_files_list: "{{ hashistack_vault_extra_files_list | default(hashistack_default_vault_extra_files_list) }}"
|
||||
|
||||
hashistack_default_vault_env_variables: {}
|
||||
vault_env_variables: "{{ hashistack_vault_env_variables | default(hashistack_default_vault_env_variables) }}"
|
||||
|
||||
#######################
|
||||
# extra configuration #
|
||||
#######################
|
||||
|
||||
# You should prioritize adding configuration
|
||||
# to the configuration entries below, this
|
||||
# option should be used to add pieces of configuration not
|
||||
# available through standard variables.
|
||||
|
||||
hashistack_default_vault_extra_configuration: {}
|
||||
vault_extra_configuration: >-
|
||||
{{
|
||||
hashistack_default_vault_extra_configuration |
|
||||
combine((hashistack_vault_extra_configuration | default({})), recursive=true)
|
||||
}}
|
||||
|
||||
###########
|
||||
# general #
|
||||
###########
|
||||
|
||||
hashistack_default_vault_cluster_name: vault
|
||||
vault_cluster_name: "{{ hashistack_vault_cluster_name | default(hashistack_default_vault_cluster_name) }}"
|
||||
|
||||
hashistack_default_vault_bind_addr: "0.0.0.0"
|
||||
vault_bind_addr: "{{ hashistack_vault_bind_addr | default(hashistack_default_vault_bind_addr) }}"
|
||||
|
||||
hashistack_default_vault_cluster_addr: "{{ api_interface_address }}"
|
||||
vault_cluster_addr: "{{ hashistack_vault_cluster_addr | default(hashistack_default_vault_cluster_addr) }}"
|
||||
|
||||
hashistack_default_vault_enable_ui: true
|
||||
vault_enable_ui: "{{ hashistack_vault_enable_ui | default(hashistack_default_vault_enable_ui) }}"
|
||||
|
||||
hashistack_default_vault_disable_mlock: false
|
||||
vault_disable_mlock: "{{ hashistack_vault_disable_mlock | default(hashistack_default_vault_disable_mlock) }}"
|
||||
|
||||
hashistack_default_vault_disable_cache: false
|
||||
vault_disable_cache: "{{ hashistack_vault_disable_cache | default(hashistack_default_vault_disable_cache) }}"
|
||||
|
||||
######################
|
||||
# seal configuration #
|
||||
######################
|
||||
|
||||
hashistack_default_vault_seal_configuration:
|
||||
key_shares: 3
|
||||
key_threshold: 2
|
||||
vault_seal_configuration: >-
|
||||
{{
|
||||
hashistack_default_vault_seal_configuration |
|
||||
combine((hashistack_vault_seal_configuration | default({})), recursive=true)
|
||||
}}
|
||||
|
||||
#########################
|
||||
# storage configuration #
|
||||
#########################
|
||||
|
||||
hashistack_default_vault_storage_configuration:
|
||||
raft:
|
||||
path: "{{ vault_data_dir }}"
|
||||
node_id: "{{ ansible_hostname }}"
|
||||
retry_join: >-
|
||||
[
|
||||
{% for host in groups['vault_servers'] %}
|
||||
{
|
||||
'leader_api_addr': '{{ "https" if vault_enable_tls else "http"}}://{{ hostvars[host].api_interface_address }}:8200'
|
||||
}{% if not loop.last %},{% endif %}
|
||||
{% endfor %}
|
||||
]
|
||||
vault_storage_configuration: "{{ hashistack_vault_storage_configuration | default(hashistack_default_vault_storage_configuration) }}"
|
||||
##########################
|
||||
# listener configuration #
|
||||
##########################
|
||||
|
||||
hashistack_default_vault_enable_tls: false
|
||||
vault_enable_tls: "{{ hashistack_vault_enable_tls | default(hashistack_default_vault_enable_tls) }}"
|
||||
|
||||
hashistack_default_vault_listener_configuration:
|
||||
- tcp:
|
||||
address: "{{ vault_cluster_addr }}:8200"
|
||||
tls_disable: true
|
||||
vault_listener_configuration: "{{ hashistack_vault_listener_configuration | default(hashistack_default_vault_listener_configuration) }}"
|
||||
|
||||
hashistack_default_vault_tls_listener_configuration:
|
||||
- tcp:
|
||||
tls_disable: false
|
||||
tls_cert_file: "{{ vault_certs_dir }}/fullchain.crt"
|
||||
tls_key_file: "{{ vault_certs_dir }}/cert.key"
|
||||
tls_disable_client_certs: true
|
||||
vault_tls_listener_configuration: "{{ hashistack_vault_tls_listener_configuration | default(hashistack_default_vault_tls_listener_configuration) }}"
|
||||
|
||||
vault_certificates_extra_files_dir: >
|
||||
{{
|
||||
[] if external_tls_externally_managed_certs | bool else
|
||||
[{
|
||||
'src': "{{ hashistack_sub_configuration_directories['certificates'] }}/vault/{{ inventory_hostname }}",
|
||||
'dest': "{{ vault_certs_dir }}"
|
||||
}]
|
||||
}}
|
||||
|
||||
vault_extra_listener_configuration: []
|
||||
|
||||
########################
|
||||
# service registration #
|
||||
########################
|
||||
|
||||
hashistack_default_vault_enable_service_registration: "{{ enable_consul | bool }}"
|
||||
vault_enable_service_registration: "{{ hashistack_vault_enable_service_registration | default(hashistack_default_vault_enable_service_registration) }}"
|
||||
|
||||
hashistack_default_vault_service_registration_configuration:
|
||||
consul:
|
||||
address: >-
|
||||
127.0.0.1:{{ hostvars[groups['consul_servers'][0]].consul_api_port[hostvars[groups['consul_servers'][0]].consul_api_scheme] }}
|
||||
scheme: "{{ hostvars[groups['consul_servers'][0]].consul_api_scheme }}"
|
||||
token: "{{ _credentials.consul.tokens.vault.secret_id }}"
|
||||
vault_service_registration_configuration: "{{ hashistack_vault_service_registration_configuration | default(hashistack_default_vault_service_registration_configuration) }}"
|
||||
|
||||
vault_service_registration_policy: |
|
||||
service "vault" {
|
||||
policy = "write"
|
||||
}
|
||||
|
||||
#########################
|
||||
# plugins configuration #
|
||||
#########################
|
||||
|
||||
hashistack_default_vault_enable_plugins: false
|
||||
vault_enable_plugins: "{{ hashistack_vault_enable_plugins | default(hashistack_default_vault_enable_plugins) }}"
|
||||
|
||||
hashistack_default_vault_plugins_directory: "{{ vault_config_dir }}/plugins"
|
||||
vault_plugins_directory: "{{ hashistack_vault_plugins_directory | default(hashistack_default_vault_plugins_directory) }}"
|
||||
|
||||
#################
|
||||
# vault logging #
|
||||
#################
|
||||
|
||||
hashistack_default_vault_log_level: info
|
||||
vault_log_level: "{{ hashistack_vault_log_level | default(hashistack_default_vault_log_level) }}"
|
||||
|
||||
hashistack_default_vault_enable_log_to_file: "{{ enable_log_to_file | bool }}"
|
||||
vault_enable_log_to_file: "{{ hashistack_vault_enable_log_to_file | default(hashistack_default_vault_enable_log_to_file) }}"
|
||||
|
||||
hashistack_default_vault_log_to_file_configuration:
|
||||
log_file: "{{ vault_logs_dir }}/vault.log"
|
||||
log_rotate_duration: 24h
|
||||
log_rotate_max_files: 30
|
||||
vault_log_to_file_configuration: >-
|
||||
{{
|
||||
hashistack_default_vault_log_to_file_configuration |
|
||||
combine((hashistack_vault_log_to_file_configuration | default({})), recursive=true)
|
||||
}}
|
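Review bot: The override semantics in this new file differ between variables without that being documented: `vault_storage_configuration`, `vault_listener_configuration`, `vault_tls_listener_configuration` and `vault_service_registration_configuration` are replaced wholesale through `default()`, whereas `vault_extra_configuration`, `vault_seal_configuration` and `vault_log_to_file_configuration` are deep-merged with `combine(..., recursive=true)`. An operator who sets only `hashistack_vault_storage_configuration: {raft: {path: ...}}` presumably loses `node_id` and `retry_join` silently, while a partial `hashistack_vault_seal_configuration` keeps `key_shares`/`key_threshold` from the default even when a different seal is intended, so the two behaviours are easy to confuse from the bare `# hashistack_vault_*:` comment lines in the sibling vault.yml hunk. If the mapping-typed storage and service-registration defaults are meant to be merged too, apply the same `combine` pattern to them; otherwise add a header comment under the `# Vault #` banner such as `# hashistack_vault_* overrides replace the default value entirely, except *_extra_configuration, *_seal_configuration and *_log_to_file_configuration, which are merged recursively into the defaults.` Note also that `default()` only applies when the override is undefined, so a `hashistack_vault_*` key set to an empty value is used as-is rather than falling back, which is worth stating in the same comment.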