hcp-ansible/playbooks/group_vars/all/vault.yml
Bertrand Lanson 51605ab239
fix: update various variables and bring some of them back out of globals.yml
2024-07-14 16:18:45 +02:00


---
#####################################################
# #
# Non-Editable #
# #
#####################################################
# True on exactly one node: the first entry of the vault_servers group. The
# group order in the inventory therefore decides which host the init-only
# tasks run on (presumably the one that ends up holding the bootstrap
# material — confirm in the role tasks).
vault_init_server: "{{ (groups['vault_servers'] | first == inventory_hostname) | bool }}"
#########################
# vault haproxy backend #
#########################
# Frontend rules: requests whose Host header matches vault_fqdn are routed to
# the vault_external backend.
vault_haproxy_frontend_options:
  - "acl is_vault hdr(host) -i {{ vault_fqdn }}"
  - "use_backend vault_external if is_vault"

# Backend definition handed to the haproxy role: the static options below
# followed by one generated server line per vault_servers host.
vault_haproxy_backends:
  - name: "vault_external"
    options: "{{ vault_external_backend_options + vault_external_backend_servers }}"

# Static backend options.
# NOTE(review): the httpchk query asks Vault to answer 200 for standby, sealed
# and uninitialised nodes as well, so HAProxy keeps routing to a sealed node;
# this check only detects a Vault process that is down.
vault_external_backend_options:
  - "description vault external http backend"
  - "option forwardfor"
  - "option httpchk GET /v1/sys/health?standbyok=true&sealedcode=200&standbycode=200&uninitcode=200"
  - "http-check expect status 200"
  - "default-server inter 2s fastinter 1s downinter 1s"

# One 'server' line per vault_servers host, rendered as a list literal that
# Ansible turns back into a list when the value is templated.
# NOTE(review): 'ssl verify none' makes HAProxy skip validation of the Vault
# node's certificate when TLS is on, so a spoofed backend would be accepted;
# 'ssl verify required ca-file <path-to-vault-ca>' is the hardened form once
# the CA certificate is distributed to the proxy hosts.
vault_external_backend_servers: |
  [
  {% for host in groups['vault_servers'] %}
  'server vault-{{ hostvars[host].api_interface_address }} {{ hostvars[host].api_interface_address }}:8200 check {{ 'ssl verify none ' if vault_enable_tls }}inter 5s'{% if not loop.last %},{% endif %}
  {% endfor %}
  ]
######################
# vault internal tls #
######################
# Location of the Vault TLS material on the node, and where it is copied from.
# The source path is keyed by inventory_hostname, so each node presumably
# receives only its own key/certificate pair — confirm against the
# certificates directory layout.
vault_certificates_directory: "{{ hashicorp_vault_config_dir }}/tls"
vault_certificates_extra_files_dir:
  - src: "{{ sub_configuration_directories['certificates'] }}/vault/{{ inventory_hostname }}"
    dest: "{{ vault_certificates_directory }}"
#################
# vault plugins #
#################
# Plugin directory on the node (Vault's plugin_directory setting lives
# elsewhere; this only places the files). Unlike the TLS material, the source
# is keyed by the group name, so every vault_servers host gets the same set.
vault_plugin_directory: "{{ hashicorp_vault_config_dir }}/plugin"
vault_plugin_extra_files_dir:
  - src: "{{ sub_configuration_directories['vault_servers'] }}/plugin"
    dest: "{{ vault_plugin_directory }}"
##############################
# vault service registration #
##############################
# HCL policy body granting write access to a service named "vault" (Consul-
# style ACL policy, presumably used for Vault's service registration — confirm
# where the role applies it). The trailing newline is kept on purpose.
vault_service_registration_policy: |
  service "vault" {
    policy = "write"
  }
#################
# vault logging #
#################
# File logging follows the global enable_log_to_file switch; the settings
# below map onto Vault's log_file / log_level / log_rotate_* options.
vault_enable_log_to_file: "{{ enable_log_to_file | bool }}"
vault_logging_configuration:
  log_file: "{{ hashistack_remote_log_dir }}/vault/vault.log"
  log_level: "info"
  log_rotate_duration: "24h"
  log_rotate_max_files: 30
########################
# vault role variables #
########################
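# Inputs to the hashicorp_vault role.
hashicorp_vault_start_service: true
hashicorp_vault_service_name: "vault"
hashicorp_vault_version: "{{ vault_version }}"
hashicorp_vault_env_variables: {}
hashicorp_vault_config_dir: "{{ hashistack_remote_config_dir }}/vault.d"
hashicorp_vault_data_dir: "{{ hashistack_remote_data_dir }}/vault"
hashicorp_vault_extra_files: true

# Files shipped to the node: the TLS material only when TLS is enabled, the
# plugin directory only when plugins are enabled, plus the user-supplied
# vault_extra_files_list. Every entry is a src/dest mapping, so the list is
# sorted on 'src'; a bare `sort` compares whole mappings, which Python 3
# rejects with a TypeError as soon as two entries are present.
# NOTE(review): vault_extra_files_list is expected to use the same src/dest
# shape — confirm, since an entry without 'src' would fail the sort.
hashicorp_vault_extra_files_list: "{{ (
    (vault_certificates_extra_files_dir if vault_enable_tls else [])
    + (vault_plugin_extra_files_dir if vault_enable_plugins else [])
    + vault_extra_files_list
  ) | unique | sort(attribute='src') }}"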
hashicorp_vault_configuration:
cluster_name: "{{ vault_cluster_name }}"
cluster_addr: "{{ 'https' if vault_enable_tls else 'http'}}://{{ api_interface_address }}:8201"
api_addr: "{{ 'https' if vault_enable_tls else 'http'}}://{{ api_interface_address }}:8200"
ui: "{{ vault_enable_ui }}"
disable_mlock: false
disable_cache: false
listener: "{{ vault_listener_configuration }}"
storage: "{{ vault_storage_configuration }}"