Vault Configuration Documentation 🔐
This section provides comprehensive documentation for setting up HashiCorp Vault using Ansible. It details the available configuration options, enabling you to customize and deploy Vault in your environment.
🔧 Basic Configuration
To deploy Vault, start by enabling it and specifying the version:
```yaml
enable_vault: "yes"
vault_version: "1.16.2"
```
Define the fully qualified domain name (FQDN) for Vault and specify the cluster name:
```yaml
vault_fqdn: vault.ednz.lab
vault_cluster_name: vault
```
Set the bind address (the interface the API listener binds to) and the cluster address (the address advertised to the other cluster members for Vault's cluster traffic):
```yaml
vault_bind_addr: "0.0.0.0"
vault_cluster_addr: "{{ api_interface_address }}"
```
Enable or disable the Vault UI:
```yaml
vault_enable_ui: true
```
Control mlock (which prevents Vault's memory, including unsealed key material, from being swapped to disk) and the in-memory cache:
```yaml
vault_disable_mlock: false
vault_disable_cache: false
```
Keep mlock enabled unless you run the Raft integrated storage backend described below: for Integrated Storage, Vault's documentation recommends setting `disable_mlock` to `true` and disabling swap on the host instead.
🌐 TLS Configuration
Enable TLS for Vault's listener and other communications:
```yaml
vault_enable_tls: "{{ enable_tls_internal }}"
```
Specify the TLS settings for the listener:
```yaml
vault_tls_listener_configuration:
  - tcp:
      tls_disable: false
      tls_cert_file: "{{ vault_certs_dir }}/fullchain.crt"
      tls_key_file: "{{ vault_certs_dir }}/cert.key"
      tls_disable_client_certs: true
```
Note: Set `tls_disable_client_certs` to `true` if you do not require client certificates for mutual TLS. If you do want to require them, set it to `false` and add Vault's `tls_client_ca_file` listener option to the same `tcp` block so the listener has a CA to validate client certificates against.
📂 Directory Paths
Configure paths for Vault's configuration, data, certificates, and logs:
```yaml
vault_config_dir: "{{ hashistack_remote_config_dir }}/vault.d"
vault_data_dir: "/opt/vault"
vault_certs_dir: "{{ vault_config_dir }}/tls"
vault_logs_dir: "{{ hashistack_remote_log_dir }}/vault"
```
🔐 Seal Configuration
Vault uses a seal/unseal mechanism to protect the root key (formerly called the master key). With the default Shamir seal, initialization splits the unseal key into `key_shares` pieces, and `key_threshold` of them must be presented to unseal Vault. Configure the key shares and threshold:
```yaml
vault_seal_configuration:
  key_shares: 3
  key_threshold: 2
```
Note: Adjust these values according to your security requirements. The threshold cannot exceed the number of shares, and a threshold of 1 means any single key holder can unseal Vault on their own; distribute the shares to different people so that unsealing requires more than one of them.
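To make the `key_shares` / `key_threshold` semantics concrete, here is an added illustration of Shamir secret sharing; it is example code written for this page, not Vault's own implementation (Vault splits the key over GF(2^8) byte by byte, whereas this demo uses one large prime field, and the root key below is a constructed random value). It shows the property the seal relies on: any `key_threshold` shares rebuild the secret, and fewer yield a value unrelated to it.

```python
"""Shamir secret sharing over a prime field, illustrating key_shares/key_threshold.

Added example, not Vault's code. The field modulus is a constructed choice (the
Mersenne prime 2^127 - 1); any prime larger than the secret works for the demo.
"""
import secrets

PRIME = 2**127 - 1


def _eval_poly(coeffs, x):
    """Horner evaluation of sum(coeffs[i] * x**i) modulo PRIME."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % PRIME
    return result


def split_secret(secret, key_shares, key_threshold):
    """Split `secret` into key_shares points; key_threshold of them rebuild it.

    Same sanity rules as `vault operator init`: the threshold must be at least 1
    and no larger than the number of shares.
    """
    if not 1 <= key_threshold <= key_shares:
        raise ValueError("key_threshold must satisfy 1 <= threshold <= key_shares")
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be an integer in [0, PRIME)")
    # Random polynomial of degree threshold-1 whose constant term is the secret.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(key_threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, key_shares + 1)]


def recover_secret(shares):
    """Lagrange-interpolate the polynomial at x = 0 from (x, y) shares.

    With fewer than key_threshold shares this still returns a value, but one
    that is independent of the secret: a holder of one of two required unseal
    keys learns nothing about the root key.
    """
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total


def demo_two_of_three():
    """Run the key_shares: 3 / key_threshold: 2 configuration from this page."""
    root_key = int.from_bytes(secrets.token_bytes(15), "big")  # constructed root key
    shares = split_secret(root_key, key_shares=3, key_threshold=2)
    any_two_work = all(
        recover_secret([shares[a], shares[b]]) == root_key
        for a, b in ((0, 1), (0, 2), (1, 2))
    )
    one_alone_fails = recover_secret(shares[:1]) != root_key
    return any_two_work and one_alone_fails


if __name__ == "__main__":
    print("2-of-3 unseal demo ok:", demo_two_of_three())
```

The degree of the polynomial is what enforces the threshold: with `key_threshold: 2` the polynomial is a line, so two points determine it and one point is consistent with every possible secret. Raising `key_shares` only adds more points on the same curve; it never weakens the threshold.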
🗃️ Storage Configuration
Configure Vault's storage backend, such as Raft, for integrated storage:
```yaml
vault_storage_configuration:
  raft:
    path: "{{ vault_data_dir }}"
    node_id: "{{ ansible_hostname }}"
    retry_join: >-
      [
      {% for host in groups['vault_servers'] %}
      {
      'leader_api_addr': '{{ "https" if vault_enable_tls else "http" }}://{{ hostvars[host].api_interface_address }}:8200'
      }{% if not loop.last %},{% endif %}
      {% endfor %}
      ]
```
Note: The `retry_join` block is critical for cluster formation in Raft-based storage. The template above renders one entry per host in the `vault_servers` group, and the scheme of each `leader_api_addr` follows `vault_enable_tls`, so it must stay consistent with the listener configuration or the nodes will fail to join each other.
While this is the recommended way to configure storage for Vault, you can edit this variable to enable any storage backend Vault supports. Refer to the Vault documentation for compatibility and syntax details.
Example:
```yaml
# MySQL storage configuration
vault_storage_configuration:
  mysql:
    address: "10.1.10.10:3306"
    username: "vault"
    password: "vault"
    database: "vault"
```
The `password` value here is a placeholder: in a real inventory, supply it from an Ansible Vault-encrypted variable rather than a plaintext string, as it ends up in Vault's configuration file on the server.
📶 Listener Configuration
Configure Vault's listener to bind on a specific address and port:
```yaml
vault_listener_configuration:
  - tcp:
      address: "{{ vault_cluster_addr }}:8200"
      tls_disable: true
```
Note: This block defines a plaintext listener (`tls_disable: true`). Vault tokens and secrets travel over this port, so keep `vault_enable_tls` enabled, together with the `vault_tls_listener_configuration` block above, wherever the API is reachable from beyond the host itself.
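As an added example, not part of hashistack-ansible or of Vault, the following check reviews a rendered Vault server configuration for the settings discussed in the TLS, storage and listener sections above: a plaintext listener on a non-loopback address, a TLS listener without certificate files, Raft storage with mlock still enabled, `retry_join` peers whose scheme disagrees with the listener, and storage backends carrying an inline password. It works on the JSON form of the config (the `listener`, `storage` and `disable_mlock` keys map one to one onto the HCL), and the two sample configs are constructed for the demo.

```python
"""Static review of a rendered Vault server config for the weak settings on this page.

Added example; not hashistack-ansible or Vault code. Input is the JSON form of
the config as a dict. WEAK_CONFIG and HARDENED_CONFIG are constructed samples.
"""
import json


def _as_list(value):
    """Vault accepts a single block or a list of blocks; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _truthy(value):
    return value in (True, 1, "true", "1")


def _tcp_listeners(cfg):
    for block in _as_list(cfg.get("listener", [])):
        if isinstance(block, dict) and isinstance(block.get("tcp"), dict):
            yield block["tcp"]


def check_vault_config(cfg):
    """Return a list of finding strings; an empty list means nothing was flagged."""
    findings = []
    tls_listener_present = False

    for tcp in _tcp_listeners(cfg):
        address = str(tcp.get("address", "127.0.0.1:8200"))
        host = address.rsplit(":", 1)[0].strip("[]")
        if _truthy(tcp.get("tls_disable")):
            # Cleartext API traffic carries Vault tokens and secrets.
            if host not in ("127.0.0.1", "localhost", "::1"):
                findings.append(f"listener {address}: tls_disable=true on a non-loopback address")
        else:
            tls_listener_present = True
            if not (tcp.get("tls_cert_file") and tcp.get("tls_key_file")):
                findings.append(f"listener {address}: TLS enabled but tls_cert_file/tls_key_file missing")

    storage = cfg.get("storage", {})
    if not isinstance(storage, dict):
        storage = {}

    if isinstance(storage.get("raft"), dict):
        # Vault's Integrated Storage docs recommend disable_mlock=true (and no swap).
        if not _truthy(cfg.get("disable_mlock", False)):
            findings.append("storage raft: disable_mlock is false; Vault recommends true for Integrated Storage")
        for peer in _as_list(storage["raft"].get("retry_join", [])):
            url = str(peer.get("leader_api_addr", "")) if isinstance(peer, dict) else ""
            if tls_listener_present and url.startswith("http://"):
                findings.append(f"retry_join {url}: http scheme but the API listener serves TLS")

    for backend, options in storage.items():
        if isinstance(options, dict) and options.get("password"):
            findings.append(f"storage {backend}: inline password; supply it from an encrypted variable instead")

    return findings


def check_vault_config_json(text):
    """Same check over the JSON text of a config file."""
    return check_vault_config(json.loads(text))


# Constructed sample: plaintext listener on all interfaces, Raft with mlock on.
WEAK_CONFIG = {
    "listener": [{"tcp": {"address": "0.0.0.0:8200", "tls_disable": True}}],
    "storage": {"raft": {"path": "/opt/vault", "node_id": "vault-1",
                         "retry_join": [{"leader_api_addr": "http://10.1.10.11:8200"}]}},
    "disable_mlock": False,
}

# Constructed sample: TLS listener with certs, https peers, mlock disabled for Raft.
HARDENED_CONFIG = {
    "listener": [{"tcp": {"address": "10.1.10.10:8200", "tls_disable": False,
                          "tls_cert_file": "/etc/vault.d/tls/fullchain.crt",
                          "tls_key_file": "/etc/vault.d/tls/cert.key",
                          "tls_disable_client_certs": True}}],
    "storage": {"raft": {"path": "/opt/vault", "node_id": "vault-1",
                         "retry_join": [{"leader_api_addr": "https://10.1.10.11:8200"}]}},
    "disable_mlock": True,
}


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, check_vault_config(cfg))
```

Run it against the JSON that Ansible renders into `vault_config_dir` (or convert the HCL with Vault's own tooling first) as a pre-deploy gate; the scheme check in particular catches the common case where `vault_enable_tls` and the listener's `tls_disable` drift apart and the Raft nodes never form a cluster.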
🛠️ Service Registration
Enable and configure service registration with Consul:
```yaml
vault_enable_service_registration: "{{ enable_consul | bool }}"
vault_service_registration_configuration:
  consul:
    address: >-
      127.0.0.1:{{ hostvars[groups['consul_servers'][0]].consul_api_port[hostvars[groups['consul_servers'][0]].consul_api_scheme] }}
    scheme: "{{ hostvars[groups['consul_servers'][0]].consul_api_scheme }}"
    token: "{{ _credentials.consul.tokens.vault.secret_id }}"
```
Define the Consul ACL policy attached to the token Vault uses for service registration. Write access to the `vault` service is what Vault needs to register itself and its health checks; do not widen it to other services or key prefixes:
```yaml
vault_service_registration_policy: |
  service "vault" {
    policy = "write"
  }
```
🔌 Plugin Configuration
If plugins are required, specify the directory where plugins are stored:
```yaml
vault_plugins_directory: "{{ vault_config_dir }}/plugins"
```
Note: Plugin management is disabled by default. Set `vault_enable_plugins` to `true` if needed. Vault only executes plugins that have been registered in its catalog with their SHA-256 checksum, but the binaries in this directory run with Vault's privileges, so control write access to it as strictly as to the Vault binary itself.
📝 Logging Configuration
Configure Vault's logging level and log file settings:
```yaml
vault_log_level: info
vault_enable_log_to_file: "{{ enable_log_to_file | bool }}"
vault_log_to_file_configuration:
  log_file: "{{ vault_logs_dir }}/vault.log"
  log_rotate_duration: 24h
  log_rotate_max_files: 30
```
Note: Logging to a file is useful for troubleshooting. This is Vault's server log, not its audit log: a record of who accessed which secret requires an audit device to be enabled separately on the running Vault.
🌐 Extra Configuration
In case additional configuration is required that isn't covered by standard variables, you can use:
```yaml
vault_extra_configuration: {}
```
This allows you to extend Vault's configuration as needed.
📁 Extra Files
If additional files need to be deployed to the Vault configuration directory, enable this option and provide a list of files:
```yaml
vault_extra_files: true
vault_extra_files_list: []
```
This documentation covers the key aspects of configuring Vault with Ansible using hashistack-ansible. Adjust the settings to suit your specific environment and operational requirements, and refer to the official Vault documentation for further details.