2 23 vault configuration
Bertrand Lanson edited this page 2024-08-29 20:02:05 +02:00

Vault Configuration Documentation 🔐

This section provides comprehensive documentation for setting up HashiCorp Vault using Ansible. It details the available configuration options, enabling you to customize and deploy Vault in your environment.


🔧 Basic Configuration

To deploy Vault, start by enabling it and specifying the version:

enable_vault: "yes"
vault_version: "1.16.2"

Define the fully qualified domain name (FQDN) for Vault and specify the cluster name:

vault_fqdn: vault.ednz.lab
vault_cluster_name: vault

Set the bind address and cluster address:

vault_bind_addr: "0.0.0.0"
vault_cluster_addr: "{{ api_interface_address }}"

Enable or disable the Vault UI:

vault_enable_ui: true

Control mlock (which prevents Vault's memory from being swapped to disk) and the in-memory cache:

vault_disable_mlock: false
vault_disable_cache: false

🌐 TLS Configuration

Enable TLS for Vault's listener and other communications:

vault_enable_tls: "{{ enable_tls_internal }}"

Specify the TLS settings for the listener:

vault_tls_listener_configuration:
  - tcp:
      tls_disable: false
      tls_cert_file: "{{ vault_certs_dir }}/fullchain.crt"
      tls_key_file: "{{ vault_certs_dir }}/cert.key"
      tls_disable_client_certs: true

Note: Set tls_disable_client_certs to true if you do not require client certificates for mutual TLS.


📂 Directory Paths

Configure paths for Vault's configuration, data, certificates, and logs:

vault_config_dir: "{{ hashistack_remote_config_dir }}/vault.d"
vault_data_dir: "/opt/vault"
vault_certs_dir: "{{ vault_config_dir }}/tls"
vault_logs_dir: "{{ hashistack_remote_log_dir }}/vault"

🔐 Seal Configuration

Vault uses a seal/unseal mechanism to protect the master key: the key is split into key_shares unseal keys, and any key_threshold of them must be supplied to unseal. Configure the key shares and threshold:

vault_seal_configuration:
  key_shares: 3
  key_threshold: 2

Note: Adjust these values according to your security requirements; the threshold must not exceed the number of shares.
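To make the key_shares / key_threshold setting concrete, here is an added illustration (not code from hashistack-ansible or Vault) of the Shamir secret-sharing idea behind it: a textbook scheme over a prime field, whereas Vault itself shares the root key byte-wise over GF(2^8); the key being split is constructed for the demo.

```python
import secrets

# A 521-bit Mersenne prime: large enough that a 32-byte key is a field element.
PRIME = 2**521 - 1


def split_secret(secret: int, shares: int, threshold: int) -> list[tuple[int, int]]:
    """Split `secret` into `shares` points; any `threshold` of them recover it."""
    if not 1 <= threshold <= shares:
        raise ValueError("key_threshold must be between 1 and key_shares")
    if not 0 <= secret < PRIME:
        raise ValueError("secret does not fit in the field")
    # Random polynomial of degree threshold-1 whose constant term is the secret.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]

    def poly(x: int) -> int:
        return sum(c * pow(x, i, PRIME) for i, c in enumerate(coeffs)) % PRIME

    return [(x, poly(x)) for x in range(1, shares + 1)]


def recover_secret(points: list[tuple[int, int]]) -> int:
    """Lagrange-interpolate the polynomial at x=0 from the given points."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def demo(shares: int = 3, threshold: int = 2) -> dict:
    """Split a constructed 32-byte key with the page's 3/2 setting and check both properties."""
    key = int.from_bytes(secrets.token_bytes(32), "big")
    pts = split_secret(key, shares, threshold)
    return {
        # every window of `threshold` consecutive shares rebuilds the key
        "any_quorum_recovers": all(
            recover_secret(pts[i:i + threshold]) == key
            for i in range(shares - threshold + 1)),
        # one share short of the threshold yields an unrelated value
        "below_threshold_fails": recover_secret(pts[:threshold - 1]) != key,
    }
```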


🗃️ Storage Configuration

Configure Vault's storage backend, such as Raft, for integrated storage:

vault_storage_configuration:
  raft:
    path: "{{ vault_data_dir }}"
    node_id: "{{ ansible_hostname }}"
    retry_join: >-
      [
      {% for host in groups['vault_servers'] %}
        {
          'leader_api_addr': '{{ "https" if vault_enable_tls else "http"}}://{{ hostvars[host].api_interface_address }}:8200'
        }{% if not loop.last %},{% endif %}
      {% endfor %}
      ]      

Note: The retry_join block is critical for cluster formation in Raft-based storage.

While Raft is the recommended way to configure storage for Vault, you can edit this variable to enable any supported storage backend. Refer to the Vault documentation for compatibility and syntax details about this variable.

Example:

# MySQL storage configuration
# (the credentials below are placeholders; keep real ones in an encrypted
#  source such as Ansible Vault, as done for the Consul token further down)
vault_storage_configuration:
  mysql:
    address: "10.1.10.10:3006"
    username: "vault"
    password: "vault"
    database: "vault"

📶 Listener Configuration

Configure Vault's listener to bind on a specific address and port:

vault_listener_configuration:
  - tcp:
      address: "{{ vault_cluster_addr }}:8200"
      tls_disable: true
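As an added example (my own, not part of the hashistack-ansible role), a small consistency check over the TLS, listener, seal and storage variables documented on this page. The variable names match the page; the checks, their messages and the embedded sample values are constructed, and the role's own merging of the two listener variables is not modelled.

```python
def check_vault_vars(v: dict) -> list[str]:
    """Return findings for inconsistent or weak settings; [] means none found."""
    findings = []
    tls_on = bool(v.get("vault_enable_tls", False))
    for listener in v.get("vault_listener_configuration", []):
        tcp = listener.get("tcp", {})
        # TLS requested globally, but this listener would still serve cleartext
        if tls_on and tcp.get("tls_disable", False):
            findings.append("vault_enable_tls is true but the listener sets tls_disable: true")
        if not tls_on and tcp.get("address", "").startswith("0.0.0.0"):
            findings.append("listener on 0.0.0.0 without TLS serves the API in cleartext")
    if tls_on:
        for listener in v.get("vault_tls_listener_configuration", []):
            tcp = listener.get("tcp", {})
            missing = [k for k in ("tls_cert_file", "tls_key_file") if not tcp.get(k)]
            if missing:
                findings.append("TLS listener lacks " + ", ".join(missing))
    seal = v.get("vault_seal_configuration", {})
    shares, threshold = seal.get("key_shares", 0), seal.get("key_threshold", 0)
    if not 1 <= threshold <= shares:
        findings.append(f"key_threshold {threshold} must be between 1 and key_shares {shares}")
    # Vault recommends disabling mlock only with integrated (Raft) storage
    if v.get("vault_disable_mlock") and "raft" not in v.get("vault_storage_configuration", {}):
        findings.append("mlock disabled on a non-Raft backend: key material may be swapped to disk")
    return findings


# Constructed variables mirroring this page's defaults with TLS enabled.
PAGE_DEFAULTS = {
    "vault_enable_tls": True,
    "vault_listener_configuration": [{"tcp": {"address": "10.0.0.5:8200", "tls_disable": True}}],
    "vault_tls_listener_configuration": [{"tcp": {
        "tls_disable": False,
        "tls_cert_file": "/etc/vault.d/tls/fullchain.crt",   # constructed path
        "tls_key_file": "/etc/vault.d/tls/cert.key"}}],
    "vault_seal_configuration": {"key_shares": 3, "key_threshold": 2},
    "vault_storage_configuration": {"raft": {"path": "/opt/vault"}},
    "vault_disable_mlock": False,
}

# The same variables with the listener's tls_disable corrected.
HARDENED = {**PAGE_DEFAULTS,
            "vault_listener_configuration": [{"tcp": {"address": "10.0.0.5:8200", "tls_disable": False}}]}
```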

🛠️ Service Registration

Enable and configure service registration with Consul:

vault_enable_service_registration: "{{ enable_consul | bool }}"
vault_service_registration_configuration:
  consul:
    address: >-
      127.0.0.1:{{ hostvars[groups['consul_servers'][0]].consul_api_port[hostvars[groups['consul_servers'][0]].consul_api_scheme] }}      
    scheme: "{{ hostvars[groups['consul_servers'][0]].consul_api_scheme }}"
    token: "{{ _credentials.consul.tokens.vault.secret_id }}"

Define the Consul service registration policy:

vault_service_registration_policy: |
  service "vault" {
    policy = "write"
  }  

🔌 Plugin Configuration

If plugins are required, specify the directory where plugins are stored:

vault_plugins_directory: "{{ vault_config_dir }}/plugins"

Note: Plugin management is typically disabled by default. Set vault_enable_plugins to true if needed.


📝 Logging Configuration

Configure Vault's logging level and log file settings:

vault_log_level: info
vault_enable_log_to_file: "{{ enable_log_to_file | bool }}"
vault_log_to_file_configuration:
  log_file: "{{ vault_logs_dir }}/vault.log"
  log_rotate_duration: 24h
  log_rotate_max_files: 30

Note: Logging to a file can be useful for auditing and troubleshooting.


🌐 Extra Configuration

In case additional configuration is required that isn't covered by standard variables, you can use:

vault_extra_configuration: {}

This allows you to extend Vault's configuration as needed.


📁 Extra Files

If additional files need to be deployed to the Vault configuration directory, enable this option and provide a list of files:

vault_extra_files: true
vault_extra_files_list: []

This documentation covers the key aspects of configuring Vault with Ansible using hashistack-ansible. Adjust the settings to suit your specific environment and operational requirements, and refer to the official Vault documentation for further details.