vault#

Purpose

  • Install Vault.

  • Initialize the service

  • Unseal

  • Setup the needed policies for Consul, Nomad and telemetry integration.

Sensitive data

Stores unseal key shares on ansible controller at:

  • {{ hs_workspace_secrets_dir }}/root_vault.yml

Role defaults#

Internals#

  • Version of the vault package to install. Used to determine which archive to install according to the suffix like in the official release repository. For example, valid values are: ‘1.14.4’, ‘1.15.0+ent’, ‘1.14.3+ent.fips1402’, etc.

hs_vault_version: "1.15.4"
  • Domain under which vault will be published on the network.

hs_vault_domain: "{{ public_domain }}"
hs_vault_enable_cert_auth_for_join: true
  • Name of the vault cluster.

hs_vault_cluster_name: "{{ hs_workspace }}"
  • Path on the ansible controller where secrets are to be stored. Default value should be defined by the playbook’s group_vars/all.yml.

hs_vault_local_secret_dir: "{{ hs_workspace_secrets_dir }}"
  • ID of the vault node. MUST be different for every node in the cluster.

hs_vault_node_id: "{{ inventory_hostname | regex_replace('_', '-') }}"
  • FQDN of the node on the network. MUST be different for every node in the cluster. MUST be solvable by any of the other nodes in the cluster.

hs_vault_node_fqdn: "{{ hs_vault_node_id }}.{{ hs_vault_domain }}"
  • FQDN of the vault service on the network. Typically the FQDN of the load-balancer if any is set up.

hs_vault_service_fqdn: "{{ hs_vault_cluster_name }}.{{ hs_vault_domain }}"

Networking#

  • URL of the vault service. Used by Terraform from the ansible controller to contact vault for initial configuration.

hs_vault_external_url: "{{ __hs_vault_api_protocol }}://{{ hs_vault_service_fqdn }}"

  • Name of the ansible inventory group that contain all master nodes.

hs_vault_inventory_masters_group: "hashistack_masters"
  • API address.

hs_vault_api_address: "{{ hs_vault_node_fqdn }}"
  • IPv4 interface to listen on.

hs_vault_listen_ipv4: "0.0.0.0"
  • API port number.

hs_vault_api_port: "8200"
  • Cluster port number.

hs_vault_cluster_port: "8201"

Certificates#

  • Set this to true if you are using self-signed CA certificate.

hs_vault_use_custom_ca: false

  • Path of the certificate that are upload on the cluster nodes for Vault endpoints.

hs_vault_local_ca_cert: "{{ hs_vault_local_secret_dir }}/ca.cert.pem"
hs_vault_node_cert: "{{ hs_vault_local_secret_dir }}/self.cert.pem"
hs_vault_node_cert_private_key: "{{ hs_vault_local_secret_dir }}/self.cert.key"
hs_vault_node_cert_fullchain: "{{ hs_vault_local_secret_dir }}/self.fullchain.cert.pem"

Unseal method#

  • The only supported method so far is the in-place method which automates a manual unseal on the cluster and stores the generated secrets in your {{ hs_vault_local_unseal_file }} directory.

hs_vault_unseal_method: "in-place"
hs_vault_unseal_key_shares: 5
hs_vault_unseal_key_threshold: 3
hs_vault_local_unseal_file: "{{ hs_vault_local_secret_dir }}/root_vault.yml"

Terraform configuration modules#

  • If you like to inject a backend configuration into the generated terraform code. Supported values: ['s3']

hs_vault_terraform_backend_type: ''

  • This dict will be passed to each terraform module for backend configuration.

hs_vault_terraform_backend_config: {}

  • Ansible controller’s directory to copy the terraform module before apply.

hs_vault_terraform_work_dir: >-
  {{
    hs_workspace_tf_modules_dir
    | default(lookup('env', 'PWD') + '/terraform')
  }}

  • Local directory where Vault release archive will be downloaded.

hs_vault_local_cache_dir: "{{ hs_workspace_root }}"

  • Local path to a file that will be used as licence for Vault.

hs_vault_local_license_file: ""

  • Flag to let the role configure Vault with initial policies dedicated to Consul and Nomad integration.

hs_vault_enable_default_policies: true

Add-ons#

  • List of additional tested configuration modules. Any subset from: ['telemetry','consul_service_mesh_ca','nomad','auth_ldap']. See below for specific configuration variables

hs_vault_enabled_addons:
  - "telemetry"
  - "snapshot"
  - "consul_service_mesh_ca"
  - "nomad"

auth_ldap#

Purpose

Configure Vault instance auth engine backed by a third-party ldap service.

See also: Vault LDAP auth API

  • Mount point of the auth engine in vault.

hs_vault_addon_auth_ldap_path: 'ldap'

  • LDAP connection parameters

hs_vault_addon_auth_ldap_server_url: ''
hs_vault_addon_auth_ldap_starttls: ''    # MUST be 'true' or 'false' as string
hs_vault_addon_auth_ldap_bind_dn: ''
hs_vault_addon_auth_ldap_bind_pass: ''

  • LDAP query parameters

hs_vault_addon_auth_ldap_user_principal_domain: ''
hs_vault_addon_auth_ldap_discover_dn: ''   # MUST be 'true' or 'false' as string
hs_vault_addon_auth_ldap_user_dn: ''
hs_vault_addon_auth_ldap_user_attr: ''
hs_vault_addon_auth_ldap_group_dn: ''
hs_vault_addon_auth_ldap_group_filter: ''  # MUST escape Go template by using

snapshot#

Purpose

Configure Vault cluster hosts with a vault-snapshot user and a least-privilege policy token for taking snapshots from this user.

  • List of public keys values to authorize for the vault-snapshot user.

hs_vault_addon_snapshot_authorized_keys: []