hcp-ansible/playbooks/group_vars/all/vault.yml
Bertrand Lanson 83f9c9748e
All checks were successful
development / Check commit compliance (push) Successful in 11s
pull-requests-open / Check commit compliance (pull_request) Successful in 8s
feat(vault): enable consul service registration automatically if consul is also enabled
2024-05-07 19:23:48 +02:00

91 lines
3.2 KiB
YAML

---
#####################################################
# #
# Non-Editable #
# #
#####################################################
#########################
# vault haproxy backend #
#########################
vault_haproxy_frontend_options:
- acl is_vault hdr(host) -i {{ vault_fqdn }}
- use_backend vault_external if is_vault
vault_haproxy_backends:
- name: vault_external
options: "{{ vault_external_backend_options + vault_external_backend_servers }}"
vault_external_backend_options:
- description vault external http backend
- option forwardfor
- option httpchk GET /v1/sys/health?standbyok=true&sealedcode=200&standbycode=200&uninitcode=200
- http-check expect status 200
- default-server inter 2s fastinter 1s downinter 1s
vault_external_backend_servers: |
[
{% for host in groups['vault_servers'] %}
'server vault-{{ hostvars[host].api_interface_address }} {{ hostvars[host].api_interface_address }}:8200 check {{ 'ssl verify none ' if vault_enable_tls }}inter 5s'{% if not loop.last %},{% endif %}
{% endfor %}
]
######################
# vault internal tls #
######################
vault_certificates_directory: "{{ hashi_vault_config_dir }}/tls"
vault_certificates_extra_files_dir:
- src: "{{ sub_configuration_directories['certificates'] }}/vault/{{ inventory_hostname }}"
dest: "{{ vault_certificates_directory }}"
#################
# vault plugins #
#################
vault_plugin_directory: "{{ hashi_vault_config_dir }}/plugin"
vault_plugin_extra_files_dir:
- src: "{{ sub_configuration_directories['vault_servers'] }}/plugin"
dest: "{{ vault_plugin_directory }}"
##############################
# vault service registration #
##############################
vault_service_registration_policy: |
service "vault" {
policy = "write"
}
########################
# vault role variables #
########################
hashi_vault_start_service: true
hashi_vault_version: "{{ vault_versions[deployment_method] }}"
hashi_vault_deploy_method: "{{ deployment_method }}"
hashi_vault_env_variables: {}
hashi_vault_config_dir: "/etc/vault.d"
hashi_vault_data_dir: "/opt/vault"
hashi_vault_extra_files: true
hashi_vault_extra_files_list: "{{ ([] +
(vault_certificates_extra_files_dir if vault_enable_tls else []) +
(vault_plugin_extra_files_dir if vault_enable_plugins else []) +
vault_extra_files_list)
| unique
| sort
}}"
hashi_vault_extra_files_src: "{{ sub_configuration_directories.vault_servers }}/config"
hashi_vault_extra_files_dst: "{{ hashi_vault_config_dir }}/config"
hashi_vault_extra_container_volumes: "{{ default_container_extra_volumes | union(extra_vault_container_volumes) | unique | sort }}"
hashi_vault_configuration:
cluster_name: "{{ vault_cluster_name }}"
cluster_addr: "{{ 'https' if vault_enable_tls else 'http'}}://{{ api_interface_address }}:8201"
api_addr: "{{ 'https' if vault_enable_tls else 'http'}}://{{ api_interface_address }}:8200"
ui: "{{ vault_enable_ui }}"
disable_mlock: false
disable_cache: false
listener: "{{ vault_listener_configuration }}"
storage: "{{ vault_storage_configuration }}"