jpp/ansible-roles
1
0
Fork 0
mirror of https://git.lapiole.org/dani/ansible-roles.git synced 2025-04-12 00:03:17 +02:00
Code Issues Packages Projects Releases Wiki Activity
ansible-roles/roles/vault_agent/defaults/main/main.yml
Daniel Berteaud d87c1bdc89 Update to 2023-07-08 16:00
2023-07-08 16:00:11 +02:00

93 lines
3.0 KiB
YAML
Raw Blame History

---
vault_agent_root_dir: /opt/vault_agent
# Address of the vault server
vault_agent_vault_address: https://vault.service.consul
# Type of authentication. Can be token or approle
vault_agent_auth: approle
# If auth is approle, you have to set vault_agent_approle_role_id and vault_agent_approle_secret_id
# vault_agent_approle_role_id: XXXXX
# vault_agent_approle_secret_id: XXXXXXX
# If auth is token, you have to set vault_agent_token
# vault_agent_token: XXXXX
# List of sinks where the token can be written
vault_agent_sinks: []
# vault_agent_sinks:
# - path: /tmp/vault.token
# wrap_ttl: 20s
# mode: 600
# List of templates
vault_agent_templates: []
# vault_agent_templates:
# # Use only one of source or contents
# - source: /srv/foo.tpl
# contents: "{{ with secret \"kv/bar\" }}{{.Data.data.baz}}{{ end }}"
# destination: /src/foo
# left_delimiter = "[["
# right_delimiter = "]]"
# perms: 0600
# exec:
# timeout: 30s
# command: systemctl restart foo.service
vault_agent_nomad_base:
# Should vault-agent fetch a vault token for use by Nomad
vault_token:
enabled: False
role: nomad-{{ nomad_conf.server.enabled | ternary('server', 'client') }}
# Should vault-agent fetch certificates from vault for use by Nomad agent
nomad_pki:
enabled: False
path: pki/nomad
role: nomad-{{ nomad_conf.server.enabled | ternary('server', 'client') }}
ttl: 72h
# Vault can get a client certificate for administrative tasks
cli:
enabled: "{{ nomad_conf.server.enabled | ternary(True, False) }}"
role: nomad-user
ttl: 72h
# When renewing this cert, vault-agent can update nomad secret (so vault can connect to the Nomad API to manage tokens)
# secret_path: nomad
# Should vault-agent fetch a certificate to connect on Consul. This is required when using Consul Connect
# Even if a Consul agent is available on localhost with no TLS
consul_pki:
enabled: False
path: pki/consul
role: nomad-client # Only Nomad clients will use Consul PKI
ttl: 72h
# Should vault-agent fetch a consul token. It'll be used to register services in Consul service catalog
consul_token:
enabled: False
# The path of the consul secret engine
path: consul
# The role used to get the token
role: nomad-{{ nomad_conf.server.enabled | ternary('server', 'client') }}
vault_agent_nomad_extra: {}
vault_agent_nomad_host: {}
vault_agent_nomad: "{{ vault_agent_nomad_base | combine(vault_agent_nomad_extra, recursive=True) | combine(vault_agent_nomad_host, recursive=True) }}"
vault_agent_consul_base:
# Should vault-agent fetch certificates for Consul agent
consul_pki:
enabled: False
path: pki/consul
role: consul-{{ consul_conf.server | ternary('server', 'client') }}
ttl: 72h
vault_agent_consul_extra: {}
vault_agent_consul_host: {}
vault_agent_consul: "{{ vault_agent_consul_base | combine(vault_agent_consul_extra, recursive=True) | combine(vault_agent_consul_host, recursive=True) }}"
Reference in New Issue View Git Blame Copy Permalink