175 lines
5.6 KiB
YAML
175 lines
5.6 KiB
YAML
---
|
|
vault_bootstrap: false
|
|
vault_deployment_type: docker
|
|
|
|
vault_adduser_vars:
|
|
comment: "Hashicorp Vault User"
|
|
createhome: no
|
|
name: vault
|
|
shell: /sbin/nologin
|
|
system: yes
|
|
|
|
# This variables redefined in kubespray-defaults for using shared tasks
|
|
# in etcd and kubernetes/secrets roles
|
|
vault_base_dir: /etc/vault
|
|
vault_cert_dir: "{{ vault_base_dir }}/ssl"
|
|
vault_config_dir: "{{ vault_base_dir }}/config"
|
|
vault_roles_dir: "{{ vault_base_dir }}/roles"
|
|
vault_secrets_dir: "{{ vault_base_dir }}/secrets"
|
|
vault_log_dir: "/var/log/vault"
|
|
|
|
vault_version: 0.8.1
|
|
vault_binary_checksum: 3c4d70ba71619a43229e65c67830e30e050eab7a81ac6b28325ff707e5914188
|
|
vault_download_url: "https://releases.hashicorp.com/vault/{{ vault_version }}/vault_{{ vault_version }}_linux_amd64.zip"
|
|
vault_download_vars:
|
|
container: "{{ vault_deployment_type != 'host' }}"
|
|
dest: "vault/vault_{{ vault_version }}_linux_amd64.zip"
|
|
enabled: true
|
|
mode: "0755"
|
|
owner: "vault"
|
|
repo: "{{ vault_image_repo }}"
|
|
sha256: "{{ vault_binary_checksum if vault_deployment_type == 'host' else vault_digest_checksum|d(none) }}"
|
|
source_url: "{{ vault_download_url }}"
|
|
tag: "{{ vault_image_tag }}"
|
|
unarchive: true
|
|
url: "{{ vault_download_url }}"
|
|
version: "{{ vault_version }}"
|
|
|
|
vault_container_name: kube-hashicorp-vault
|
|
vault_temp_container_name: vault-temp
|
|
vault_image_repo: "vault"
|
|
vault_image_tag: "{{ vault_version }}"
|
|
|
|
vault_bind_address: 0.0.0.0
|
|
vault_port: 8200
|
|
vault_etcd_url: "{{ etcd_access_addresses }}"
|
|
|
|
# 8y default lease
|
|
vault_default_lease_ttl: 70080h
|
|
vault_max_lease_ttl: 87600h
|
|
|
|
vault_temp_config:
|
|
backend:
|
|
file:
|
|
path: /vault/file
|
|
default_lease_ttl: "{{ vault_default_lease_ttl }}"
|
|
listener:
|
|
tcp:
|
|
address: "{{ vault_bind_address }}:{{ vault_port }}"
|
|
tls_disable: "true"
|
|
max_lease_ttl: "{{ vault_max_lease_ttl }}"
|
|
|
|
vault_config:
|
|
backend:
|
|
etcd:
|
|
address: "{{ vault_etcd_url }}"
|
|
ha_enabled: "true"
|
|
redirect_addr: "https://{{ ansible_default_ipv4.address }}:{{ vault_port }}"
|
|
tls_ca_file: "{{ vault_etcd_cert_dir }}/ca.pem"
|
|
tls_cert_file: "{{ vault_etcd_cert_dir}}/node-{{ inventory_hostname }}.pem"
|
|
tls_key_file: "{{ vault_etcd_cert_dir}}/node-{{ inventory_hostname }}-key.pem"
|
|
cluster_name: "kubernetes-vault"
|
|
default_lease_ttl: "{{ vault_default_lease_ttl }}"
|
|
max_lease_ttl: "{{ vault_max_lease_ttl }}"
|
|
listener:
|
|
tcp:
|
|
address: "{{ vault_bind_address }}:{{ vault_port }}"
|
|
tls_cert_file: "{{ vault_cert_dir }}/api.pem"
|
|
tls_key_file: "{{ vault_cert_dir }}/api-key.pem"
|
|
|
|
vault_secret_shares: 1
|
|
vault_secret_threshold: 1
|
|
|
|
vault_ca_options:
|
|
vault:
|
|
common_name: vault
|
|
format: pem
|
|
ttl: "{{ vault_max_lease_ttl }}"
|
|
exclude_cn_from_sans: true
|
|
alt_names: "vault.{{ system_namespace }}.svc.{{ dns_domain }},vault.{{ system_namespace }}.svc,vault.{{ system_namespace }},vault"
|
|
etcd:
|
|
common_name: etcd
|
|
format: pem
|
|
ttl: "{{ vault_max_lease_ttl }}"
|
|
exclude_cn_from_sans: true
|
|
kube:
|
|
common_name: kube
|
|
format: pem
|
|
ttl: "{{ vault_max_lease_ttl }}"
|
|
exclude_cn_from_sans: true
|
|
|
|
vault_client_headers:
|
|
Accept: "application/json"
|
|
Content-Type: "application/json"
|
|
|
|
vault_etcd_cert_dir: /etc/ssl/etcd/ssl
|
|
vault_kube_cert_dir: /etc/kubernetes/ssl
|
|
|
|
vault_pki_mounts:
|
|
vault:
|
|
name: vault
|
|
default_lease_ttl: "{{ vault_default_lease_ttl }}"
|
|
max_lease_ttl: "{{ vault_max_lease_ttl }}"
|
|
description: "Vault Root CA"
|
|
cert_dir: "{{ vault_cert_dir }}"
|
|
roles:
|
|
- name: vault
|
|
group: vault
|
|
password: "{{ lookup('password', inventory_dir + '/credentials/vault/vault.creds length=15') }}"
|
|
policy_rules: default
|
|
role_options: default
|
|
etcd:
|
|
name: etcd
|
|
default_lease_ttl: "{{ vault_default_lease_ttl }}"
|
|
max_lease_ttl: "{{ vault_max_lease_ttl }}"
|
|
description: "Etcd Root CA"
|
|
cert_dir: "{{ vault_etcd_cert_dir }}"
|
|
roles:
|
|
- name: etcd
|
|
group: etcd
|
|
password: "{{ lookup('password', inventory_dir + '/credentials/vault/etcd.creds length=15') }}"
|
|
policy_rules: default
|
|
role_options:
|
|
allow_any_name: true
|
|
enforce_hostnames: false
|
|
organization: "kube:etcd"
|
|
kube:
|
|
name: kube
|
|
default_lease_ttl: "{{ vault_default_lease_ttl }}"
|
|
max_lease_ttl: "{{ vault_max_lease_ttl }}"
|
|
description: "Kubernetes Root CA"
|
|
cert_dir: "{{ vault_kube_cert_dir }}"
|
|
roles:
|
|
- name: kube-master
|
|
group: kube-master
|
|
password: "{{ lookup('password', inventory_dir + '/credentials/vault/kube-master.creds length=15') }}"
|
|
policy_rules: default
|
|
role_options:
|
|
allow_any_name: true
|
|
enforce_hostnames: false
|
|
organization: "system:masters"
|
|
- name: kube-node
|
|
group: k8s-cluster
|
|
password: "{{ lookup('password', inventory_dir + '/credentials/vault/kube-node.creds length=15') }}"
|
|
policy_rules: default
|
|
role_options:
|
|
allow_any_name: true
|
|
enforce_hostnames: false
|
|
organization: "system:nodes"
|
|
- name: kube-proxy
|
|
group: k8s-cluster
|
|
password: "{{ lookup('password', inventory_dir + '/credentials/vault/kube-proxy.creds length=15') }}"
|
|
policy_rules: default
|
|
role_options:
|
|
allow_any_name: true
|
|
enforce_hostnames: false
|
|
organization: "system:node-proxier"
|
|
- name: front-proxy-client
|
|
group: k8s-cluster
|
|
password: "{{ lookup('password', inventory_dir + '/credentials/vault/kube-proxy.creds length=15') }}"
|
|
policy_rules: default
|
|
role_options:
|
|
allow_any_name: true
|
|
enforce_hostnames: false
|
|
organization: "system:front-proxy"
|