Bertrand Lanson
51605ab239
All checks were successful
development / Check commit compliance (push) Successful in 6s
101 lines
3.3 KiB
YAML
101 lines
3.3 KiB
YAML
---
|
|
#####################################################
|
|
# #
|
|
# Non-Editable #
|
|
# #
|
|
#####################################################
|
|
|
|
vault_init_server: "{{ (inventory_hostname == groups['vault_servers'][0]) | bool }}"
|
|
|
|
#########################
|
|
# vault haproxy backend #
|
|
#########################
|
|
|
|
vault_haproxy_frontend_options:
|
|
- acl is_vault hdr(host) -i {{ vault_fqdn }}
|
|
- use_backend vault_external if is_vault
|
|
|
|
vault_haproxy_backends:
|
|
- name: vault_external
|
|
options: "{{ vault_external_backend_options + vault_external_backend_servers }}"
|
|
|
|
vault_external_backend_options:
|
|
- description vault external http backend
|
|
- option forwardfor
|
|
- option httpchk GET /v1/sys/health?standbyok=true&sealedcode=200&standbycode=200&uninitcode=200
|
|
- http-check expect status 200
|
|
- default-server inter 2s fastinter 1s downinter 1s
|
|
|
|
vault_external_backend_servers: |
|
|
[
|
|
{% for host in groups['vault_servers'] %}
|
|
'server vault-{{ hostvars[host].api_interface_address }} {{ hostvars[host].api_interface_address }}:8200 check {{ 'ssl verify none ' if vault_enable_tls }}inter 5s'{% if not loop.last %},{% endif %}
|
|
{% endfor %}
|
|
]
|
|
|
|
######################
|
|
# vault internal tls #
|
|
######################
|
|
|
|
vault_certificates_directory: "{{ hashicorp_vault_config_dir }}/tls"
|
|
vault_certificates_extra_files_dir:
|
|
- src: "{{ sub_configuration_directories['certificates'] }}/vault/{{ inventory_hostname }}"
|
|
dest: "{{ vault_certificates_directory }}"
|
|
|
|
#################
|
|
# vault plugins #
|
|
#################
|
|
|
|
vault_plugin_directory: "{{ hashicorp_vault_config_dir }}/plugin"
|
|
vault_plugin_extra_files_dir:
|
|
- src: "{{ sub_configuration_directories['vault_servers'] }}/plugin"
|
|
dest: "{{ vault_plugin_directory }}"
|
|
|
|
##############################
|
|
# vault service registration #
|
|
##############################
|
|
|
|
vault_service_registration_policy: |
|
|
service "vault" {
|
|
policy = "write"
|
|
}
|
|
|
|
#################
|
|
# vault logging #
|
|
#################
|
|
|
|
vault_enable_log_to_file: "{{ enable_log_to_file | bool }}"
|
|
vault_logging_configuration:
|
|
log_file: "{{ hashistack_remote_log_dir }}/vault/vault.log"
|
|
log_level: info
|
|
log_rotate_duration: 24h
|
|
log_rotate_max_files: 30
|
|
|
|
########################
|
|
# vault role variables #
|
|
########################
|
|
|
|
hashicorp_vault_start_service: true
|
|
hashicorp_vault_service_name: "vault"
|
|
hashicorp_vault_version: "{{ vault_version }}"
|
|
hashicorp_vault_env_variables: {}
|
|
hashicorp_vault_config_dir: "{{ hashistack_remote_config_dir }}/vault.d"
|
|
hashicorp_vault_data_dir: "{{ hashistack_remote_data_dir }}/vault"
|
|
hashicorp_vault_extra_files: true
|
|
hashicorp_vault_extra_files_list: "{{ ([] +
|
|
(vault_certificates_extra_files_dir if vault_enable_tls else []) +
|
|
(vault_plugin_extra_files_dir if vault_enable_plugins else []) +
|
|
vault_extra_files_list)
|
|
| unique
|
|
| sort
|
|
}}"
|
|
hashicorp_vault_configuration:
|
|
cluster_name: "{{ vault_cluster_name }}"
|
|
cluster_addr: "{{ 'https' if vault_enable_tls else 'http'}}://{{ api_interface_address }}:8201"
|
|
api_addr: "{{ 'https' if vault_enable_tls else 'http'}}://{{ api_interface_address }}:8200"
|
|
ui: "{{ vault_enable_ui }}"
|
|
disable_mlock: false
|
|
disable_cache: false
|
|
listener: "{{ vault_listener_configuration }}"
|
|
storage: "{{ vault_storage_configuration }}"
|