
  1. ---
  2. vault_bootstrap: false
  3. vault_deployment_type: docker
  4. vault_adduser_vars:
  5. comment: "Hashicorp Vault User"
  6. createhome: no
  7. name: vault
  8. shell: /sbin/nologin
  9. system: yes
  10. # This variables redefined in kubespray-defaults for using shared tasks
  11. # in etcd and kubernetes/secrets roles
  12. vault_base_dir: /etc/vault
  13. vault_cert_dir: "{{ vault_base_dir }}/ssl"
  14. vault_config_dir: "{{ vault_base_dir }}/config"
  15. vault_roles_dir: "{{ vault_base_dir }}/roles"
  16. vault_secrets_dir: "{{ vault_base_dir }}/secrets"
  17. vault_lib_dir: "/var/lib/vault"
  18. vault_log_dir: "/var/log/vault"
  19. vault_version: 0.10.1
  20. vault_binary_checksum: 66f0f1b0b221d664dd5913f8697409d7401df4bb2a19c7277e8fbad152063fae
  21. vault_download_url: "https://releases.hashicorp.com/vault/{{ vault_version }}/vault_{{ vault_version }}_linux_{{ image_arch }}.zip"
  22. # Arch of Docker images and needed packages
  23. image_arch: "{{host_architecture}}"
  24. vault_download_vars:
  25. container: "{{ vault_deployment_type != 'host' }}"
  26. dest: "vault/vault_{{ vault_version }}_linux_{{ image_arch }}.zip"
  27. enabled: true
  28. mode: "0755"
  29. owner: "vault"
  30. repo: "{{ vault_image_repo }}"
  31. sha256: "{{ vault_binary_checksum if vault_deployment_type == 'host' else vault_digest_checksum|d(none) }}"
  32. source_url: "{{ vault_download_url }}"
  33. tag: "{{ vault_image_tag }}"
  34. unarchive: true
  35. url: "{{ vault_download_url }}"
  36. version: "{{ vault_version }}"
  37. vault_container_name: kube-hashicorp-vault
  38. vault_temp_container_name: vault-temp
  39. vault_image_repo: "vault"
  40. vault_image_tag: "{{ vault_version }}"
  41. vault_bind_address: 0.0.0.0
  42. vault_port: 8200
  43. vault_etcd_url: "{{ etcd_access_addresses }}"
  44. # By default lease
  45. vault_default_lease_ttl: 70080h
  46. vault_max_lease_ttl: 87600h
  47. vault_temp_config:
  48. backend:
  49. file:
  50. path: /vault/file
  51. default_lease_ttl: "{{ vault_default_lease_ttl }}"
  52. listener:
  53. tcp:
  54. address: "{{ vault_bind_address }}:{{ vault_port }}"
  55. tls_disable: "true"
  56. max_lease_ttl: "{{ vault_max_lease_ttl }}"
  57. vault_config:
  58. backend:
  59. etcd:
  60. address: "{{ vault_etcd_url }}"
  61. ha_enabled: "true"
  62. redirect_addr: "https://{{ inventory_hostname }}:{{ vault_port }}"
  63. tls_ca_file: "{{ etcd_cert_dir }}/ca.pem"
  64. tls_cert_file: "{{ etcd_cert_dir}}/node-{{ inventory_hostname }}.pem"
  65. tls_key_file: "{{ etcd_cert_dir}}/node-{{ inventory_hostname }}-key.pem"
  66. cluster_name: "kubernetes-vault"
  67. default_lease_ttl: "{{ vault_default_lease_ttl }}"
  68. max_lease_ttl: "{{ vault_max_lease_ttl }}"
  69. ui: "true"
  70. listener:
  71. tcp:
  72. address: "{{ vault_bind_address }}:{{ vault_port }}"
  73. tls_cert_file: "{{ vault_cert_dir }}/api.pem"
  74. tls_key_file: "{{ vault_cert_dir }}/api-key.pem"
  75. vault_secret_shares: 1
  76. vault_secret_threshold: 1
  77. vault_successful_http_codes: ["200", "429", "500", "501", "503"]
  78. vault_ca_options:
  79. vault:
  80. common_name: vault
  81. format: pem
  82. ttl: "{{ vault_max_lease_ttl }}"
  83. exclude_cn_from_sans: true
  84. alt_names: "vault.kube-system.svc.{{ dns_domain }},vault.kube-system.svc,vault.kube-system,vault"
  85. etcd:
  86. common_name: etcd
  87. format: pem
  88. ttl: "{{ vault_max_lease_ttl }}"
  89. exclude_cn_from_sans: true
  90. kube:
  91. common_name: kube
  92. format: pem
  93. ttl: "{{ vault_max_lease_ttl }}"
  94. exclude_cn_from_sans: true
  95. vault_client_headers:
  96. Accept: "application/json"
  97. Content-Type: "application/json"
  98. etcd_cert_dir: /etc/ssl/etcd/ssl
  99. kube_cert_dir: /etc/kubernetes/ssl
  100. vault_pki_mounts:
  101. userpass:
  102. name: userpass
  103. default_lease_ttl: "{{ vault_default_lease_ttl }}"
  104. max_lease_ttl: "{{ vault_max_lease_ttl }}"
  105. description: "Userpass"
  106. cert_dir: "{{ vault_cert_dir }}"
  107. roles:
  108. - name: userpass
  109. group: userpass
  110. password: "{{ lookup('password', credentials_dir + '/vault/userpass.creds length=15') }}"
  111. policy_rules: default
  112. role_options:
  113. allow_any_name: true
  114. vault:
  115. name: vault
  116. default_lease_ttl: "{{ vault_default_lease_ttl }}"
  117. max_lease_ttl: "{{ vault_max_lease_ttl }}"
  118. description: "Vault Root CA"
  119. cert_dir: "{{ vault_cert_dir }}"
  120. roles:
  121. - name: vault
  122. group: vault
  123. password: "{{ lookup('password', credentials_dir + '/vault/vault.creds length=15') }}"
  124. policy_rules: default
  125. role_options:
  126. allow_any_name: true
  127. etcd:
  128. name: etcd
  129. default_lease_ttl: "{{ vault_default_lease_ttl }}"
  130. max_lease_ttl: "{{ vault_max_lease_ttl }}"
  131. description: "Etcd Root CA"
  132. cert_dir: "{{ etcd_cert_dir }}"
  133. roles:
  134. - name: etcd
  135. group: etcd
  136. password: "{{ lookup('password', credentials_dir + '/vault/etcd.creds length=15') }}"
  137. policy_rules: default
  138. role_options:
  139. allow_any_name: true
  140. enforce_hostnames: false
  141. organization: "kube:etcd"
  142. kube:
  143. name: kube
  144. default_lease_ttl: "{{ vault_default_lease_ttl }}"
  145. max_lease_ttl: "{{ vault_max_lease_ttl }}"
  146. description: "Kubernetes Root CA"
  147. cert_dir: "{{ kube_cert_dir }}"
  148. roles:
  149. - name: kube-master
  150. group: kube-master
  151. password: "{{ lookup('password', credentials_dir + '/vault/kube-master.creds length=15') }}"
  152. policy_rules: default
  153. role_options:
  154. allow_any_name: true
  155. enforce_hostnames: false
  156. organization: "system:masters"
  157. - name: front-proxy-client
  158. group: kube-master
  159. password: "{{ lookup('password', credentials_dir + '/vault/kube-proxy.creds length=15') }}"
  160. policy_rules: default
  161. role_options:
  162. allow_any_name: true
  163. enforce_hostnames: false
  164. organization: "system:front-proxy-client"
  165. - name: kube-node
  166. group: k8s-cluster
  167. password: "{{ lookup('password', credentials_dir + '/vault/kube-node.creds length=15') }}"
  168. policy_rules: default
  169. role_options:
  170. allow_any_name: true
  171. enforce_hostnames: false
  172. organization: "system:nodes"
  173. - name: kube-proxy
  174. group: k8s-cluster
  175. password: "{{ lookup('password', credentials_dir + '/vault/kube-proxy.creds length=15') }}"
  176. policy_rules: default
  177. role_options:
  178. allow_any_name: true
  179. enforce_hostnames: false
  180. organization: "system:node-proxier"