C12s/c12s-kubespray
3
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
c12s-kubespray/roles/vault/defaults/main.yml
mkrasilnikov bf0af1cd3d Vault role updates: 
* using separated vault roles for generate certs with different `O` (Organization) subject field;
  * configure vault roles for issuing certificates with different `CN` (Common name) subject field;
  * set `CN` and `O` to `kubernetes` and `etcd` certificates;
  * vault/defaults vars definition was simplified;
  * vault dirs variables defined in kubernetes-defaults foles for using
  shared tasks in etcd and kubernetes/secrets roles;
  * upgrade vault to 0.8.1;
  * generate random vault user password for each role by default;
  * fix `serial` file name for vault certs;
  * move vault auth request to issue_cert tasks;
  * enable `RBAC` in vault CI;
2017-09-05 09:07:35 +03:00

162 lines
5 KiB
YAML
Raw Blame History

---
vault_bootstrap: false
vault_deployment_type: docker
vault_adduser_vars:
comment: "Hashicorp Vault User"
createhome: no
name: vault
shell: /sbin/nologin
system: yes
# This variables redefined in kubespray-defaults for using shared tasks
# in etcd and kubernetes/secrets roles
vault_base_dir: /etc/vault
vault_cert_dir: "{{ vault_base_dir }}/ssl"
vault_config_dir: "{{ vault_base_dir }}/config"
vault_roles_dir: "{{ vault_base_dir }}/roles"
vault_secrets_dir: "{{ vault_base_dir }}/secrets"
vault_log_dir: "/var/log/vault"
vault_version: 0.8.1
vault_binary_checksum: 3c4d70ba71619a43229e65c67830e30e050eab7a81ac6b28325ff707e5914188
vault_download_url: "https://releases.hashicorp.com/vault/{{ vault_version }}/vault_{{ vault_version }}_linux_amd64.zip"
vault_download_vars:
container: "{{ vault_deployment_type != 'host' }}"
dest: "vault/vault_{{ vault_version }}_linux_amd64.zip"
enabled: true
mode: "0755"
owner: "vault"
repo: "{{ vault_image_repo }}"
sha256: "{{ vault_binary_checksum if vault_deployment_type == 'host' else vault_digest_checksum|d(none) }}"
source_url: "{{ vault_download_url }}"
tag: "{{ vault_image_tag }}"
unarchive: true
url: "{{ vault_download_url }}"
version: "{{ vault_version }}"
vault_container_name: kube-hashicorp-vault
vault_temp_container_name: vault-temp
vault_image_repo: "vault"
vault_image_tag: "{{ vault_version }}"
vault_address: 0.0.0.0
vault_port: 8200
vault_etcd_url: "https://{{ hostvars[groups.etcd[0]]['ip']|d(hostvars[groups.etcd[0]]['ansible_default_ipv4']['address']) }}:2379"
vault_default_lease_ttl: 720h
vault_max_lease_ttl: 87600h
vault_temp_config:
backend:
file:
path: /vault/file
default_lease_ttl: "{{ vault_default_lease_ttl }}"
listener:
tcp:
address: "{{ vault_address }}:{{ vault_port }}"
tls_disable: "true"
max_lease_ttl: "{{ vault_max_lease_ttl }}"
vault_config:
backend:
etcd:
address: "{{ vault_etcd_url }}"
ha_enabled: "true"
redirect_addr: "https://{{ ansible_default_ipv4.address }}:{{ vault_port }}"
tls_ca_file: "{{ vault_etcd_cert_dir }}/ca.pem"
cluster_name: "kubernetes-vault"
default_lease_ttl: "{{ vault_default_lease_ttl }}"
max_lease_ttl: "{{ vault_max_lease_ttl }}"
listener:
tcp:
address: "{{ vault_address }}:{{ vault_port }}"
tls_cert_file: "{{ vault_cert_dir }}/api.pem"
tls_key_file: "{{ vault_cert_dir }}/api-key.pem"
vault_secret_shares: 1
vault_secret_threshold: 1
vault_ca_options:
vault:
common_name: vault
format: pem
ttl: "{{ vault_max_lease_ttl }}"
exclude_cn_from_sans: true
etcd:
common_name: etcd
format: pem
ttl: "{{ vault_max_lease_ttl }}"
exclude_cn_from_sans: true
kube:
common_name: kube
format: pem
ttl: "{{ vault_max_lease_ttl }}"
exclude_cn_from_sans: true
vault_client_headers:
Accept: "application/json"
Content-Type: "application/json"
vault_etcd_cert_dir: /etc/ssl/etcd/ssl
vault_kube_cert_dir: /etc/kubernetes/ssl
vault_pki_mounts:
vault:
name: vault
default_lease_ttl: "{{ vault_default_lease_ttl }}"
max_lease_ttl: "{{ vault_max_lease_ttl }}"
description: "Vault Root CA"
cert_dir: "{{ vault_cert_dir }}"
roles:
- name: vault
group: vault
password: "{{ lookup('pipe','date +%Y%m%d%H%M%S' + cluster_name + 'vault') | to_uuid }}"
policy_rules: default
role_options: default
etcd:
name: etcd
default_lease_ttl: "{{ vault_default_lease_ttl }}"
max_lease_ttl: "{{ vault_max_lease_ttl }}"
description: "Etcd Root CA"
cert_dir: "{{ vault_etcd_cert_dir }}"
roles:
- name: etcd
group: etcd
password: "{{ lookup('pipe','date +%Y%m%d%H%M%S' + cluster_name + 'etcd') | to_uuid }}"
policy_rules: default
role_options:
allow_any_name: true
enforce_hostnames: false
organization: "kube:etcd"
kube:
name: kube
default_lease_ttl: "{{ vault_default_lease_ttl }}"
max_lease_ttl: "{{ vault_max_lease_ttl }}"
description: "Kubernetes Root CA"
cert_dir: "{{ vault_kube_cert_dir }}"
roles:
- name: kube-master
group: kube-master
password: "{{ lookup('pipe','date +%Y%m%d%H%M%S' + cluster_name + 'kube-master') | to_uuid }}"
policy_rules: default
role_options:
allow_any_name: true
enforce_hostnames: false
organization: "system:masters"
- name: kube-node
group: k8s-cluster
password: "{{ lookup('pipe','date +%Y%m%d%H%M%S' + cluster_name + 'kube-node') | to_uuid }}"
policy_rules: default
role_options:
allow_any_name: true
enforce_hostnames: false
organization: "system:nodes"
- name: kube-proxy
group: k8s-cluster
password: "{{ lookup('pipe', 'date +%Y%m%d%H%M%S' + cluster_name + 'kube-proxy') | to_uuid }}"
policy_rules: default
role_options:
allow_any_name: true
enforce_hostnames: false
organization: "system:node-proxier"
Reference in a new issue View git blame Copy permalink