--- ######### # Vault # ######### hashistack_default_vault_config_dir: "{{ hashistack_remote_config_dir }}/vault.d" vault_config_dir: "{{ hashistack_vault_config_dir | default(hashistack_default_vault_config_dir) }}" hashistack_default_vault_data_dir: "/opt/vault" vault_data_dir: "{{ hashistack_vault_data_dir | default(hashistack_default_vault_data_dir) }}" hashistack_default_vault_certs_dir: "{{ vault_config_dir }}/tls" vault_certs_dir: "{{ hashistack_vault_certs_dir | default(hashistack_default_vault_certs_dir) }}" hashistack_default_vault_logs_dir: "{{ hashistack_remote_log_dir }}/vault" vault_logs_dir: "{{ hashistack_vault_logs_dir | default(hashistack_default_vault_logs_dir) }}" vault_extra_files: true hashistack_default_vault_extra_files_list: [] vault_extra_files_list: "{{ hashistack_vault_extra_files_list | default(hashistack_default_vault_extra_files_list) }}" hashistack_default_vault_env_variables: {} vault_env_variables: "{{ hashistack_vault_env_variables | default(hashistack_default_vault_env_variables) }}" ####################### # extra configuration # ####################### # You should prioritize adding configuration # to the configuration entries below, this # option should be used to add pieces of configuration not # available through standard variables. hashistack_default_vault_extra_configuration: {} vault_extra_configuration: >- {{ hashistack_default_vault_extra_configuration | combine((hashistack_vault_extra_configuration | default({})), recursive=true) }} ########### # general # ########### hashistack_default_vault_cluster_name: vault vault_cluster_name: "{{ hashistack_vault_cluster_name | default(hashistack_default_vault_cluster_name) }}" hashistack_default_vault_bind_addr: "0.0.0.0" vault_bind_addr: "{{ hashistack_vault_bind_addr | default(hashistack_default_vault_bind_addr) }}" hashistack_default_vault_cluster_addr: "{{ api_interface_address }}" vault_cluster_addr: "{{ hashistack_vault_cluster_addr | default(hashistack_default_vault_cluster_addr) }}" hashistack_default_vault_enable_ui: true vault_enable_ui: "{{ hashistack_vault_enable_ui | default(hashistack_default_vault_enable_ui) }}" hashistack_default_vault_disable_mlock: false vault_disable_mlock: "{{ hashistack_vault_disable_mlock | default(hashistack_default_vault_disable_mlock) }}" hashistack_default_vault_disable_cache: false vault_disable_cache: "{{ hashistack_vault_disable_cache | default(hashistack_default_vault_disable_cache) }}" ###################### # seal configuration # ###################### hashistack_default_vault_seal_configuration: key_shares: 3 key_threshold: 2 vault_seal_configuration: >- {{ hashistack_default_vault_seal_configuration | combine((hashistack_vault_seal_configuration | default({})), recursive=true) }} ######################### # storage configuration # ######################### hashistack_default_vault_storage_configuration: raft: path: "{{ vault_data_dir }}" node_id: "{{ ansible_hostname }}" retry_join: >- [ {% for host in groups['vault_servers'] %} { 'leader_api_addr': '{{ "https" if vault_enable_tls else "http"}}://{{ hostvars[host].api_interface_address }}:8200' }{% if not loop.last %},{% endif %} {% endfor %} ] vault_storage_configuration: "{{ hashistack_vault_storage_configuration | default(hashistack_default_vault_storage_configuration) }}" ########################## # listener configuration # ########################## hashistack_default_vault_enable_tls: "{{ enable_tls_internal }}" vault_enable_tls: "{{ hashistack_vault_enable_tls | default(hashistack_default_vault_enable_tls) }}" hashistack_default_vault_listener_configuration: - tcp: address: "{{ vault_cluster_addr }}:8200" tls_disable: true vault_listener_configuration: "{{ hashistack_vault_listener_configuration | default(hashistack_default_vault_listener_configuration) }}" hashistack_default_vault_tls_listener_configuration: - tcp: tls_disable: false tls_cert_file: "{{ vault_certs_dir }}/fullchain.crt" tls_key_file: "{{ vault_certs_dir }}/cert.key" tls_disable_client_certs: true vault_tls_listener_configuration: "{{ hashistack_vault_tls_listener_configuration | default(hashistack_default_vault_tls_listener_configuration) }}" vault_certificates_extra_files_dir: > {{ [] if internal_tls_externally_managed_certs | bool else [{ 'src': "{{ hashistack_sub_configuration_directories['certificates'] }}/vault/{{ inventory_hostname }}", 'dest': "{{ vault_certs_dir }}" }] }} vault_extra_listener_configuration: [] ######################## # service registration # ######################## hashistack_default_vault_enable_service_registration: "{{ enable_consul | bool }}" vault_enable_service_registration: "{{ hashistack_vault_enable_service_registration | default(hashistack_default_vault_enable_service_registration) }}" hashistack_default_vault_service_registration_configuration: consul: address: >- 127.0.0.1:{{ hostvars[groups['consul_servers'][0]].consul_api_port[hostvars[groups['consul_servers'][0]].consul_api_scheme] }} scheme: "{{ hostvars[groups['consul_servers'][0]].consul_api_scheme }}" token: "{{ _credentials.consul.tokens.vault.secret_id }}" vault_service_registration_configuration: "{{ hashistack_vault_service_registration_configuration | default(hashistack_default_vault_service_registration_configuration) }}" vault_service_registration_policy: | service "vault" { policy = "write" } ######################### # plugins configuration # ######################### hashistack_default_vault_enable_plugins: false vault_enable_plugins: "{{ hashistack_vault_enable_plugins | default(hashistack_default_vault_enable_plugins) }}" hashistack_default_vault_plugins_directory: "{{ vault_config_dir }}/plugins" vault_plugins_directory: "{{ hashistack_vault_plugins_directory | default(hashistack_default_vault_plugins_directory) }}" ################# # vault logging # ################# hashistack_default_vault_log_level: info vault_log_level: "{{ hashistack_vault_log_level | default(hashistack_default_vault_log_level) }}" hashistack_default_vault_enable_log_to_file: "{{ enable_log_to_file | bool }}" vault_enable_log_to_file: "{{ hashistack_vault_enable_log_to_file | default(hashistack_default_vault_enable_log_to_file) }}" hashistack_default_vault_log_to_file_configuration: log_file: "{{ vault_logs_dir }}/vault.log" log_rotate_duration: 24h log_rotate_max_files: 30 vault_log_to_file_configuration: >- {{ hashistack_default_vault_log_to_file_configuration | combine((hashistack_vault_log_to_file_configuration | default({})), recursive=true) }}