--- vault_bootstrap: false vault_deployment_type: docker vault_adduser_vars: comment: "Hashicorp Vault User" createhome: no name: vault shell: /sbin/nologin system: yes # This variables redefined in kubespray-defaults for using shared tasks # in etcd and kubernetes/secrets roles vault_base_dir: /etc/vault vault_cert_dir: "{{ vault_base_dir }}/ssl" vault_config_dir: "{{ vault_base_dir }}/config" vault_roles_dir: "{{ vault_base_dir }}/roles" vault_secrets_dir: "{{ vault_base_dir }}/secrets" vault_lib_dir: "/var/lib/vault" vault_log_dir: "/var/log/vault" vault_version: 0.10.1 vault_binary_checksum: 66f0f1b0b221d664dd5913f8697409d7401df4bb2a19c7277e8fbad152063fae vault_download_url: "https://releases.hashicorp.com/vault/{{ vault_version }}/vault_{{ vault_version }}_linux_{{ image_arch }}.zip" # Arch of Docker images and needed packages image_arch: amd64 vault_download_vars: container: "{{ vault_deployment_type != 'host' }}" dest: "vault/vault_{{ vault_version }}_linux_{{ image_arch }}.zip" enabled: true mode: "0755" owner: "vault" repo: "{{ vault_image_repo }}" sha256: "{{ vault_binary_checksum if vault_deployment_type == 'host' else vault_digest_checksum|d(none) }}" source_url: "{{ vault_download_url }}" tag: "{{ vault_image_tag }}" unarchive: true url: "{{ vault_download_url }}" version: "{{ vault_version }}" vault_container_name: kube-hashicorp-vault vault_temp_container_name: vault-temp vault_image_repo: "vault" vault_image_tag: "{{ vault_version }}" vault_bind_address: 0.0.0.0 vault_port: 8200 vault_etcd_url: "{{ etcd_access_addresses }}" # 8y default lease vault_default_lease_ttl: 70080h vault_max_lease_ttl: 87600h vault_temp_config: backend: file: path: /vault/file default_lease_ttl: "{{ vault_default_lease_ttl }}" listener: tcp: address: "{{ vault_bind_address }}:{{ vault_port }}" tls_disable: "true" max_lease_ttl: "{{ vault_max_lease_ttl }}" vault_config: backend: etcd: address: "{{ vault_etcd_url }}" ha_enabled: "true" redirect_addr: "https://{{ inventory_hostname }}:{{ vault_port }}" tls_ca_file: "{{ etcd_cert_dir }}/ca.pem" tls_cert_file: "{{ etcd_cert_dir}}/node-{{ inventory_hostname }}.pem" tls_key_file: "{{ etcd_cert_dir}}/node-{{ inventory_hostname }}-key.pem" cluster_name: "kubernetes-vault" default_lease_ttl: "{{ vault_default_lease_ttl }}" max_lease_ttl: "{{ vault_max_lease_ttl }}" listener: tcp: address: "{{ vault_bind_address }}:{{ vault_port }}" tls_cert_file: "{{ vault_cert_dir }}/api.pem" tls_key_file: "{{ vault_cert_dir }}/api-key.pem" vault_secret_shares: 1 vault_secret_threshold: 1 vault_successful_http_codes: ["200", "429", "500", "501", "503"] vault_ca_options: vault: common_name: vault format: pem ttl: "{{ vault_max_lease_ttl }}" exclude_cn_from_sans: true alt_names: "vault.kube-system.svc.{{ dns_domain }},vault.kube-system.svc,vault.kube-system,vault" etcd: common_name: etcd format: pem ttl: "{{ vault_max_lease_ttl }}" exclude_cn_from_sans: true kube: common_name: kube format: pem ttl: "{{ vault_max_lease_ttl }}" exclude_cn_from_sans: true vault_client_headers: Accept: "application/json" Content-Type: "application/json" etcd_cert_dir: /etc/ssl/etcd/ssl kube_cert_dir: /etc/kubernetes/ssl vault_pki_mounts: userpass: name: userpass default_lease_ttl: "{{ vault_default_lease_ttl }}" max_lease_ttl: "{{ vault_max_lease_ttl }}" description: "Userpass" cert_dir: "{{ vault_cert_dir }}" roles: - name: userpass group: userpass password: "{{ lookup('password', inventory_dir + '/credentials/vault/userpass.creds length=15') }}" policy_rules: default role_options: allow_any_name: true vault: name: vault default_lease_ttl: "{{ vault_default_lease_ttl }}" max_lease_ttl: "{{ vault_max_lease_ttl }}" description: "Vault Root CA" cert_dir: "{{ vault_cert_dir }}" roles: - name: vault group: vault password: "{{ lookup('password', inventory_dir + '/credentials/vault/vault.creds length=15') }}" policy_rules: default role_options: allow_any_name: true etcd: name: etcd default_lease_ttl: "{{ vault_default_lease_ttl }}" max_lease_ttl: "{{ vault_max_lease_ttl }}" description: "Etcd Root CA" cert_dir: "{{ etcd_cert_dir }}" roles: - name: etcd group: etcd password: "{{ lookup('password', inventory_dir + '/credentials/vault/etcd.creds length=15') }}" policy_rules: default role_options: allow_any_name: true enforce_hostnames: false organization: "kube:etcd" kube: name: kube default_lease_ttl: "{{ vault_default_lease_ttl }}" max_lease_ttl: "{{ vault_max_lease_ttl }}" description: "Kubernetes Root CA" cert_dir: "{{ kube_cert_dir }}" roles: - name: kube-master group: kube-master password: "{{ lookup('password', inventory_dir + '/credentials/vault/kube-master.creds length=15') }}" policy_rules: default role_options: allow_any_name: true enforce_hostnames: false organization: "system:masters" - name: front-proxy-client group: kube-master password: "{{ lookup('password', inventory_dir + '/credentials/vault/kube-proxy.creds length=15') }}" policy_rules: default role_options: allow_any_name: true enforce_hostnames: false organization: "system:front-proxy-client" - name: kube-node group: k8s-cluster password: "{{ lookup('password', inventory_dir + '/credentials/vault/kube-node.creds length=15') }}" policy_rules: default role_options: allow_any_name: true enforce_hostnames: false organization: "system:nodes" - name: kube-proxy group: k8s-cluster password: "{{ lookup('password', inventory_dir + '/credentials/vault/kube-proxy.creds length=15') }}" policy_rules: default role_options: allow_any_name: true enforce_hostnames: false organization: "system:node-proxier"