```{include} ../../../../roles/vault/README.md
```

## Role defaults

### Internals

* Version of the vault package to install. Used to determine which archive to install according to the suffix, as [in the official release repository](https://releases.hashicorp.com/vault/). For example, valid values are: '1.14.4', '1.15.0+ent', '1.14.3+ent.fips1402', etc.

  ```
  hs_vault_version: "1.15.4"
  ```

* Domain under which vault will be published on the network.

  ```
  hs_vault_domain: "{{ public_domain }}"
  hs_vault_enable_cert_auth_for_join: true
  ```

* Name of the vault cluster.

  ```
  hs_vault_cluster_name: "{{ hs_workspace }}"
  ```

* Path on the ansible controller where secrets are to be stored. The default value should be defined by the __playbook's__ `group_vars/all.yml`.

  ```
  hs_vault_local_secret_dir: "{{ hs_workspace_secrets_dir }}"
  ```

* ID of the vault node. MUST be different for every node in the cluster.

  ```
  hs_vault_node_id: "{{ inventory_hostname | regex_replace('_', '-') }}"
  ```

* FQDN of the node on the network. MUST be different for every node in the cluster. MUST be resolvable by every other node in the cluster.

  ```
  hs_vault_node_fqdn: "{{ hs_vault_node_id }}.{{ hs_vault_domain }}"
  ```

* FQDN of the vault service on the network. Typically the FQDN of the load-balancer, if one is set up.

  ```
  hs_vault_service_fqdn: "{{ hs_vault_cluster_name }}.{{ hs_vault_domain }}"
  ```

### Networking

* URL of the vault service. Used by Terraform from the ansible controller to contact vault for initial configuration.

  ```
  hs_vault_external_url: "{{ __hs_vault_api_protocol }}://{{ hs_vault_service_fqdn }}"
  ```

* Name of the ansible inventory group that contains all master nodes.

  ```
  hs_vault_inventory_masters_group: "hashistack_masters"
  ```

* API address.

  ```
  hs_vault_api_address: "{{ hs_vault_node_fqdn }}"
  ```

* IPv4 interface to listen on.

  ```
  hs_vault_listen_ipv4: "0.0.0.0"
  ```

* API port number.

  ```
  hs_vault_api_port: "8200"
  ```

* Cluster port number.

  ```
  hs_vault_cluster_port: "8201"
  ```

### Certificates

* Set this to `true` if you are using a self-signed CA certificate.

  ```
  hs_vault_use_custom_ca: false
  ```

* Paths of the certificates that are uploaded to the cluster nodes for the Vault endpoints.

  ```
  hs_vault_local_ca_cert: "{{ hs_vault_local_secret_dir }}/ca.cert.pem"
  hs_vault_node_cert: "{{ hs_vault_local_secret_dir }}/self.cert.pem"
  hs_vault_node_cert_private_key: "{{ hs_vault_local_secret_dir }}/self.cert.key"
  hs_vault_node_cert_fullchain: "{{ hs_vault_local_secret_dir }}/self.fullchain.cert.pem"
  ```

### Unseal method

* The only supported method so far is the `in-place` method, which automates a manual unseal of the cluster and stores the generated secrets in your `{{ hs_vault_local_unseal_file }}` file.

  ```
  hs_vault_unseal_method: "in-place"
  hs_vault_unseal_key_shares: 5
  hs_vault_unseal_key_threshold: 3
  hs_vault_local_unseal_file: "{{ hs_vault_local_secret_dir }}/root_vault.yml"
  ```

### Terraform configuration modules

* Set this if you would like to inject a backend configuration into the generated terraform code. Supported values: [`'s3'`]

  ```
  hs_vault_terraform_backend_type: ''
  ```

* This dict will be passed to each terraform module for backend configuration.

  ```
  hs_vault_terraform_backend_config: {}
  ```

* Directory on the ansible controller into which the terraform module is copied before apply.

  ```
  hs_vault_terraform_work_dir: >-
    {{ hs_workspace_tf_modules_dir | default(lookup('env', 'PWD') + '/terraform') }}
  ```

* Local directory where the Vault release archive will be downloaded.

  ```
  hs_vault_local_cache_dir: "{{ hs_workspace_root }}"
  ```

* Local path to a file that will be used as the licence for Vault.

  ```
  hs_vault_local_license_file: ""
  ```

* Flag to let the role configure Vault with initial policies dedicated to Consul and Nomad integration.

  ```
  hs_vault_enable_default_policies: true
  ```

### Add-ons

* List of additional tested configuration modules. Any subset from: `['telemetry','consul_service_mesh_ca','nomad','auth_ldap']`. See below for the specific configuration variables of each add-on.

  ```
  hs_vault_enabled_addons:
    - "telemetry"
    - "snapshot"
    - "consul_service_mesh_ca"
    - "nomad"
  ```

#### auth_ldap

```{admonition} Purpose
:class: note
Configure the Vault auth engine backed by a third-party LDAP service.
See also: [Vault LDAP auth API](https://developer.hashicorp.com/vault/api-docs/auth/ldap)
```

* Mount point of the auth engine in vault.

  ```
  hs_vault_addon_auth_ldap_path: 'ldap'
  ```

* LDAP connection parameters.

  ```
  hs_vault_addon_auth_ldap_server_url: ''
  hs_vault_addon_auth_ldap_starttls: ''  # MUST be 'true' or 'false' as string
  hs_vault_addon_auth_ldap_bind_dn: ''
  hs_vault_addon_auth_ldap_bind_pass: ''
  ```

* LDAP query parameters.

  ```
  hs_vault_addon_auth_ldap_user_principal_domain: ''
  hs_vault_addon_auth_ldap_discover_dn: ''  # MUST be 'true' or 'false' as string
  hs_vault_addon_auth_ldap_user_dn: ''
  hs_vault_addon_auth_ldap_user_attr: ''
  hs_vault_addon_auth_ldap_group_dn: ''
  hs_vault_addon_auth_ldap_group_filter: ''  # MUST escape Go template by using
  ```

```{admonition} See also
:class: note
* [Vault LDAP auth API](https://developer.hashicorp.com/vault/api-docs/auth/ldap)
```

#### snapshot

```{admonition} Purpose
:class: note
Configure Vault cluster hosts with a `vault-snapshot` user and a least-privilege policy token for taking snapshots from this user.
```

* List of public key values to authorize for the `vault-snapshot` user.

  ```
  hs_vault_addon_snapshot_authorized_keys: []
  ```
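Several of the variables above carry constraints that Ansible will not enforce for you: `hs_vault_node_id` and `hs_vault_node_fqdn` MUST be unique per node (and the default `_` to `-` rewrite can silently merge two inventory names), the Shamir threshold cannot exceed the number of key shares, and the LDAP booleans MUST be the strings `'true'`/`'false'` rather than YAML booleans. The following script is an added example, not part of the role or its README: it runs these checks offline over a constructed `hostvars`-shaped dict (the host names, domain and values are all made up here) and mirrors the role's default expressions for the node ID and FQDN.

```python
"""Offline sanity checks for the hs_vault_* variables documented above.

Added example; not the role's own code. `hostvars` is a constructed dict of
inventory_hostname -> merged variables, shaped like Ansible's `hostvars`
after group_vars/host_vars are applied.
"""
import re

# Add-ons documented on this page (the defaults list plus the add-on sections).
KNOWN_ADDONS = {"telemetry", "snapshot", "consul_service_mesh_ca", "nomad", "auth_ldap"}
# Supported terraform backend types: '' (none) or 's3'.
KNOWN_BACKENDS = {"", "s3"}
# LDAP keys the page marks as "MUST be 'true' or 'false' as string".
LDAP_STRING_BOOLS = ("hs_vault_addon_auth_ldap_starttls", "hs_vault_addon_auth_ldap_discover_dn")


def default_node_id(inventory_hostname: str) -> str:
    """Mirror the role default: inventory_hostname | regex_replace('_', '-')."""
    return re.sub("_", "-", inventory_hostname)


def node_fqdn(inventory_hostname: str, hv: dict) -> str:
    """Mirror the role default: '{{ hs_vault_node_id }}.{{ hs_vault_domain }}'."""
    node_id = hv.get("hs_vault_node_id") or default_node_id(inventory_hostname)
    return f"{node_id}.{hv['hs_vault_domain']}"


def check_hostvars(hostvars: dict) -> list:
    """Return human-readable findings; an empty list means the documented constraints hold."""
    findings = []
    owners = {}  # (kind, value) -> first host that claimed it
    for host, hv in hostvars.items():
        node_id = hv.get("hs_vault_node_id") or default_node_id(host)
        fqdn = node_fqdn(host, hv)
        # Node ID and FQDN MUST be unique per node in the cluster.
        for kind, value in (("node_id", node_id), ("node_fqdn", fqdn)):
            if (kind, value) in owners:
                findings.append(f"{host}: {kind} '{value}' already used by {owners[(kind, value)]}")
            else:
                owners[(kind, value)] = host
        # Shamir unseal: the threshold can never exceed the number of shares.
        shares = int(hv.get("hs_vault_unseal_key_shares", 5))
        threshold = int(hv.get("hs_vault_unseal_key_threshold", 3))
        if not 1 <= threshold <= shares:
            findings.append(f"{host}: unseal threshold {threshold} must be within 1..{shares}")
        addons = set(hv.get("hs_vault_enabled_addons", []))
        for addon in sorted(addons - KNOWN_ADDONS):
            findings.append(f"{host}: unknown add-on '{addon}'")
        # The LDAP booleans are passed through as strings, so a YAML `true` is a bug.
        if "auth_ldap" in addons:
            for key in LDAP_STRING_BOOLS:
                if hv.get(key) not in ("true", "false"):
                    findings.append(f"{host}: {key} must be the string 'true' or 'false'")
        backend = hv.get("hs_vault_terraform_backend_type", "")
        if backend not in KNOWN_BACKENDS:
            findings.append(f"{host}: unsupported terraform backend '{backend}'")
    return findings


# Constructed sample: three hosts sharing one group_vars set, with deliberate mistakes.
COMMON = {
    "hs_vault_domain": "example.internal",
    "hs_vault_unseal_key_shares": 5,
    "hs_vault_unseal_key_threshold": 3,
    "hs_vault_enabled_addons": ["telemetry", "snapshot", "auth_ldap"],
    "hs_vault_addon_auth_ldap_starttls": "true",
    "hs_vault_addon_auth_ldap_discover_dn": "false",
}
SAMPLE_HOSTVARS = {
    "vault_1": dict(COMMON),
    "vault-1": dict(COMMON),  # collides with vault_1 once '_' is rewritten to '-'
    "vault_2": {
        **COMMON,
        "hs_vault_unseal_key_threshold": 6,       # threshold > shares
        "hs_vault_addon_auth_ldap_starttls": True,  # YAML bool, not the string 'true'
    },
}

if __name__ == "__main__":
    for line in check_hostvars(SAMPLE_HOSTVARS) or ["OK"]:
        print(line)
```

Run it against your own merged variables (for example a JSON dump of `hostvars` from a debug task) before the first `terraform apply`; a clean run prints `OK`, otherwise each violated constraint is listed with the host it was found on.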