hcp-ansible/docs/vault_clusters.md
Bertrand Lanson fd9a0e3c55
All checks were successful
development / Check commit compliance (push) Successful in 30s
fix: implement longer wait to stabilize consul cluster before bootstrapping to avoid timeout errors
2024-07-03 21:43:14 +02:00

4.3 KiB

Deploying a Vault cluster

This documentation explains each steps necessary to successfully deploy a Vault cluster using the ednz_cloud.hashistack ansible collection.

Prerequisites

You should, before attempting any deployment, have read through the Quick Start Guide. These steps are necessary in order to ensure smooth operations going forward.

Variables

Basics

First, in order to deploy a Vault cluster, you need to enable it.

enable_vault: "yes"

Selecting the vault version to install is done with the vault_version variable.

vault_version: latest

The vault version can either be latest or X.Y.Z.

For production deployment, it is recommended to use the X.Y.Z syntax.

General settings

First, you can change some general settings for vault.

vault_cluster_name: vault
vault_enable_ui: true
vault_seal_configuration:
  key_shares: 3
  key_threshold: 2

Storage settings

The storage configuration for vault can be edited as well. By default, vault will be configured to setup raft storage between all declared vault servers (in the vault_servers group).

vault_storage_configuration:
  raft:
    path: "{{ hashicorp_vault_data_dir }}/data"
    node_id: "{{ ansible_hostname }}"
    retry_join: |
      [
      {% for host in groups['vault_servers'] %}
        {
          'leader_api_addr': 'http://{{ hostvars[host].api_interface_address }}:8200'
        }{% if not loop.last %},{% endif %}
      {% endfor %}
      ]      

While this is the recommended way to configure storage for vault, you can edit this variable to enable any storage you want. Refer to the vault documentation for compatibility and syntax details about this variable.

Example:

# MySQL storage configuration
vault_storage_configuration:
  mysql:
    address: "10.1.10.10:3006"
    username: "vault"
    password: "vault"
    database: "vault"

Listener settings

TCP listeners

By default, TLS is disabled for vault. This goes against the Hashicorp recommendations on the matter, but there is no simple way to force the use of TLS (yet), without adding a lot of complexity to the deployment.

The listener configuration settings can be modified in vault_listener_configuration variable.

vault_listener_configuration:
  tcp:
    address: "0.0.0.0:8200"
    tls_disable: true

By default, vault will listen on all interfaces, on port 8200. you can change it by modifying the tcp.address property, and adding you own listener preferences.

Enabling TLS for Vault

In order to enable TLS for Vault, you simply need to set the vault_enable_tls variable to true.

At the moment, hashistack-Ansible does nothing to help you generate the certificates and renew them. All it does is look inside the etc/hashistack/vault_servers/tls directory on the deployment node, and copy the files to the destination hosts in /etc/vault.d/config/tls. The listener expect 2 files by default, a cert.pem, and a key.pem file.

Please refer to the vault documentation for details bout enabling TLS on vault listeners.

In case you want to add more configuration to the vault listeners, you can add it to the vault_extra_listener_configuration variable, which by default is empty. This variable will be merge with the rest ofthe listener configuration variables, and takes precedence over all the others.

Waring At the moment, hashistack-ansible does not support setting up multiple TCP listeners. Only one can be set.

Plugins for Vault

To enable plugin support for Vault, you can set the vault_enable_plugins variable to true. This variable will add the necessary configuration options in the vault.json file to enable support. Once enabled, you can simply place your compiled plugin files into the etc/hashistack/vault_servers/plugin directory. They will be copied over to the /etc/vault.d/config/plugin directory on the target nodes.

Refer to the vault documentation for details about enabling and using plugins.