richard
/
kubespray
mirror of https://github.com/kubernetes-sigs/kubespray.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1404 Commits
29 Branches
81 Tags
150 MiB
Tree: 732ae69d22
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '732ae69d22'
${ noResults }
kubespray/roles/vault/defaults/main.yml

90 lines
2.9 KiB
Raw Normal View History

Adding the Vault role
7 years ago
Vault security hardening and role isolation
7 years ago
Adding the Vault role
7 years ago
Vault security hardening and role isolation
7 years ago
Adding the Vault role
7 years ago
Vault security hardening and role isolation
7 years ago
Adding the Vault role
7 years ago
Vault security hardening and role isolation
7 years ago
Adding the Vault role
7 years ago
Vault security hardening and role isolation
7 years ago
Adding the Vault role
7 years ago
Vault security hardening and role isolation
7 years ago
Adding the Vault role
7 years ago
Vault security hardening and role isolation
7 years ago
Adding the Vault role
7 years ago
Vault security hardening and role isolation
7 years ago
Adding the Vault role
7 years ago
Vault security hardening and role isolation
7 years ago
Adding the Vault role
7 years ago
Vault security hardening and role isolation
7 years ago
  1. ---
  3. vault_adduser_vars:
  4. comment: "Hashicorp Vault User"
  5. createhome: no
  6. name: vault
  7. shell: /sbin/nologin
  8. system: yes
  9. vault_base_dir: /etc/vault
  10. # https://releases.hashicorp.com/vault/0.6.4/vault_0.6.4_SHA256SUMS
  11. vault_binary_checksum: 04d87dd553aed59f3fe316222217a8d8777f40115a115dac4d88fac1611c51a6
  12. vault_bootstrap: false
  13. vault_ca_options:
  14. common_name: kube-cluster-ca
  15. format: pem
  16. ttl: 87600h
  17. vault_cert_dir: "{{ vault_base_dir }}/ssl"
  18. vault_client_headers:
  19. Accept: "application/json"
  20. Content-Type: "application/json"
  21. vault_config:
  22. backend:
  23. etcd:
  24. address: "{{ vault_etcd_url }}"
  25. ha_enabled: "true"
  26. redirect_addr: "https://{{ ansible_default_ipv4.address }}:{{ vault_port }}"
  27. tls_ca_file: "{{ vault_cert_dir }}/ca.pem"
  28. cluster_name: "kubernetes-vault"
  29. default_lease_ttl: "{{ vault_default_lease_ttl }}"
  30. listener:
  31. tcp:
  32. address: "0.0.0.0:{{ vault_port }}"
  33. tls_cert_file: "{{ vault_cert_dir }}/api.pem"
  34. tls_key_file: "{{ vault_cert_dir }}/api-key.pem"
  35. max_lease_ttl: "{{ vault_max_lease_ttl }}"
  36. vault_config_dir: "{{ vault_base_dir }}/config"
  37. vault_container_name: kube-hashicorp-vault
  38. # This variable is meant to match the GID of vault inside Hashicorp's official Vault Container
  39. vault_default_lease_ttl: 720h
  40. vault_default_role_permissions:
  41. allow_any_name: true
  42. vault_deployment_type: docker
  43. vault_download_url: "https://releases.hashicorp.com/vault/{{ vault_version }}/vault_{{ vault_version }}_linux_amd64.zip"
  44. vault_download_vars:
  45. container: "{{ vault_deployment_type != 'host' }}"
  46. dest: "vault/vault_{{ vault_version }}_linux_amd64.zip"
  47. enabled: true
  48. mode: "0755"
  49. owner: "vault"
  50. repo: "{{ vault_image_repo }}"
  51. sha256: "{{ vault_binary_checksum if vault_deployment_type == 'host' else vault_digest_checksum|d(none) }}"
  52. source_url: "{{ vault_download_url }}"
  53. tag: "{{ vault_image_tag }}"
  54. unarchive: true
  55. url: "{{ vault_download_url }}"
  56. version: "{{ vault_version }}"
  57. vault_etcd_url: "https://{{ hostvars[groups.etcd[0]]['ansible_default_ipv4']['address'] }}:2379"
  58. vault_image_repo: "vault"
  59. vault_image_tag: "{{ vault_version }}"
  60. vault_log_dir: "/var/log/vault"
  61. vault_max_lease_ttl: 87600h
  62. vault_needs_gen: false
  63. vault_port: 8200
  64. # Although "cert" is an option, ansible has no way to auth via cert until
  65. # upstream merges: https://github.com/ansible/ansible/pull/18141
  66. vault_role_auth_method: userpass
  67. vault_roles:
  68. - name: etcd
  69. group: etcd
  70. policy_rules: default
  71. role_options: default
  72. - name: kube
  73. group: k8s-cluster
  74. policy_rules: default
  75. role_options: default
  76. vault_roles_dir: "{{ vault_base_dir }}/roles"
  77. vault_secret_shares: 1
  78. vault_secret_threshold: 1
  79. vault_secrets_dir: "{{ vault_base_dir }}/secrets"
  80. vault_temp_config:
  81. default_lease_ttl: "{{ vault_default_lease_ttl }}"
  82. backend:
  83. file:
  84. path: /vault/file
  85. listener:
  86. tcp:
  87. address: "0.0.0.0:{{ vault_port }}"
  88. tls_disable: "true"
  89. vault_temp_container_name: vault-temp
  90. vault_version: 0.6.4