You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

196 lines
6.2 KiB

  1. ---
  2. vault_bootstrap: false
  3. vault_deployment_type: docker
  4. vault_adduser_vars:
  5. comment: "Hashicorp Vault User"
  6. createhome: no
  7. name: vault
  8. shell: /sbin/nologin
  9. system: yes
  10. # This variables redefined in kubespray-defaults for using shared tasks
  11. # in etcd and kubernetes/secrets roles
  12. vault_base_dir: /etc/vault
  13. vault_cert_dir: "{{ vault_base_dir }}/ssl"
  14. vault_config_dir: "{{ vault_base_dir }}/config"
  15. vault_roles_dir: "{{ vault_base_dir }}/roles"
  16. vault_secrets_dir: "{{ vault_base_dir }}/secrets"
  17. vault_lib_dir: "/var/lib/vault"
  18. vault_log_dir: "/var/log/vault"
  19. vault_version: 0.10.1
  20. vault_binary_checksum: 66f0f1b0b221d664dd5913f8697409d7401df4bb2a19c7277e8fbad152063fae
  21. vault_download_url: "https://releases.hashicorp.com/vault/{{ vault_version }}/vault_{{ vault_version }}_linux_{{ image_arch }}.zip"
  22. # Arch of Docker images and needed packages
  23. image_arch: "{{host_architecture}}"
  24. vault_download_vars:
  25. container: "{{ vault_deployment_type != 'host' }}"
  26. dest: "vault/vault_{{ vault_version }}_linux_{{ image_arch }}.zip"
  27. enabled: true
  28. mode: "0755"
  29. owner: "vault"
  30. repo: "{{ vault_image_repo }}"
  31. sha256: "{{ vault_binary_checksum if vault_deployment_type == 'host' else vault_digest_checksum|d(none) }}"
  32. source_url: "{{ vault_download_url }}"
  33. tag: "{{ vault_image_tag }}"
  34. unarchive: true
  35. url: "{{ vault_download_url }}"
  36. version: "{{ vault_version }}"
  37. vault_container_name: kube-hashicorp-vault
  38. vault_temp_container_name: vault-temp
  39. vault_image_repo: "vault"
  40. vault_image_tag: "{{ vault_version }}"
  41. vault_bind_address: 0.0.0.0
  42. vault_port: 8200
  43. vault_etcd_url: "{{ etcd_access_addresses }}"
  44. # 8y default lease
  45. vault_default_lease_ttl: 70080h
  46. vault_max_lease_ttl: 87600h
  47. vault_temp_config:
  48. backend:
  49. file:
  50. path: /vault/file
  51. default_lease_ttl: "{{ vault_default_lease_ttl }}"
  52. listener:
  53. tcp:
  54. address: "{{ vault_bind_address }}:{{ vault_port }}"
  55. tls_disable: "true"
  56. max_lease_ttl: "{{ vault_max_lease_ttl }}"
  57. vault_config:
  58. backend:
  59. etcd:
  60. address: "{{ vault_etcd_url }}"
  61. ha_enabled: "true"
  62. redirect_addr: "https://{{ inventory_hostname }}:{{ vault_port }}"
  63. tls_ca_file: "{{ etcd_cert_dir }}/ca.pem"
  64. tls_cert_file: "{{ etcd_cert_dir}}/node-{{ inventory_hostname }}.pem"
  65. tls_key_file: "{{ etcd_cert_dir}}/node-{{ inventory_hostname }}-key.pem"
  66. cluster_name: "kubernetes-vault"
  67. default_lease_ttl: "{{ vault_default_lease_ttl }}"
  68. max_lease_ttl: "{{ vault_max_lease_ttl }}"
  69. listener:
  70. tcp:
  71. address: "{{ vault_bind_address }}:{{ vault_port }}"
  72. tls_cert_file: "{{ vault_cert_dir }}/api.pem"
  73. tls_key_file: "{{ vault_cert_dir }}/api-key.pem"
  74. vault_secret_shares: 1
  75. vault_secret_threshold: 1
  76. vault_successful_http_codes: ["200", "429", "500", "501", "503"]
  77. vault_ca_options:
  78. vault:
  79. common_name: vault
  80. format: pem
  81. ttl: "{{ vault_max_lease_ttl }}"
  82. exclude_cn_from_sans: true
  83. alt_names: "vault.kube-system.svc.{{ dns_domain }},vault.kube-system.svc,vault.kube-system,vault"
  84. etcd:
  85. common_name: etcd
  86. format: pem
  87. ttl: "{{ vault_max_lease_ttl }}"
  88. exclude_cn_from_sans: true
  89. kube:
  90. common_name: kube
  91. format: pem
  92. ttl: "{{ vault_max_lease_ttl }}"
  93. exclude_cn_from_sans: true
  94. vault_client_headers:
  95. Accept: "application/json"
  96. Content-Type: "application/json"
  97. etcd_cert_dir: /etc/ssl/etcd/ssl
  98. kube_cert_dir: /etc/kubernetes/ssl
  99. vault_pki_mounts:
  100. userpass:
  101. name: userpass
  102. default_lease_ttl: "{{ vault_default_lease_ttl }}"
  103. max_lease_ttl: "{{ vault_max_lease_ttl }}"
  104. description: "Userpass"
  105. cert_dir: "{{ vault_cert_dir }}"
  106. roles:
  107. - name: userpass
  108. group: userpass
  109. password: "{{ lookup('password', inventory_dir + '/credentials/vault/userpass.creds length=15') }}"
  110. policy_rules: default
  111. role_options:
  112. allow_any_name: true
  113. vault:
  114. name: vault
  115. default_lease_ttl: "{{ vault_default_lease_ttl }}"
  116. max_lease_ttl: "{{ vault_max_lease_ttl }}"
  117. description: "Vault Root CA"
  118. cert_dir: "{{ vault_cert_dir }}"
  119. roles:
  120. - name: vault
  121. group: vault
  122. password: "{{ lookup('password', inventory_dir + '/credentials/vault/vault.creds length=15') }}"
  123. policy_rules: default
  124. role_options:
  125. allow_any_name: true
  126. etcd:
  127. name: etcd
  128. default_lease_ttl: "{{ vault_default_lease_ttl }}"
  129. max_lease_ttl: "{{ vault_max_lease_ttl }}"
  130. description: "Etcd Root CA"
  131. cert_dir: "{{ etcd_cert_dir }}"
  132. roles:
  133. - name: etcd
  134. group: etcd
  135. password: "{{ lookup('password', inventory_dir + '/credentials/vault/etcd.creds length=15') }}"
  136. policy_rules: default
  137. role_options:
  138. allow_any_name: true
  139. enforce_hostnames: false
  140. organization: "kube:etcd"
  141. kube:
  142. name: kube
  143. default_lease_ttl: "{{ vault_default_lease_ttl }}"
  144. max_lease_ttl: "{{ vault_max_lease_ttl }}"
  145. description: "Kubernetes Root CA"
  146. cert_dir: "{{ kube_cert_dir }}"
  147. roles:
  148. - name: kube-master
  149. group: kube-master
  150. password: "{{ lookup('password', inventory_dir + '/credentials/vault/kube-master.creds length=15') }}"
  151. policy_rules: default
  152. role_options:
  153. allow_any_name: true
  154. enforce_hostnames: false
  155. organization: "system:masters"
  156. - name: front-proxy-client
  157. group: kube-master
  158. password: "{{ lookup('password', inventory_dir + '/credentials/vault/kube-proxy.creds length=15') }}"
  159. policy_rules: default
  160. role_options:
  161. allow_any_name: true
  162. enforce_hostnames: false
  163. organization: "system:front-proxy-client"
  164. - name: kube-node
  165. group: k8s-cluster
  166. password: "{{ lookup('password', inventory_dir + '/credentials/vault/kube-node.creds length=15') }}"
  167. policy_rules: default
  168. role_options:
  169. allow_any_name: true
  170. enforce_hostnames: false
  171. organization: "system:nodes"
  172. - name: kube-proxy
  173. group: k8s-cluster
  174. password: "{{ lookup('password', inventory_dir + '/credentials/vault/kube-proxy.creds length=15') }}"
  175. policy_rules: default
  176. role_options:
  177. allow_any_name: true
  178. enforce_hostnames: false
  179. organization: "system:node-proxier"