main.yml

---
vault_bootstrap: false
vault_deployment_type: docker

vault_adduser_vars:
  comment: "Hashicorp Vault User"
  createhome: no
  name: vault
  shell: /sbin/nologin
  system: yes

# This variables redefined in kubespray-defaults for using shared tasks
# in etcd and kubernetes/secrets roles
vault_base_dir: /etc/vault
vault_cert_dir: "{{ vault_base_dir }}/ssl"
vault_config_dir: "{{ vault_base_dir }}/config"
vault_roles_dir: "{{ vault_base_dir }}/roles"
vault_secrets_dir: "{{ vault_base_dir }}/secrets"
vault_log_dir: "/var/log/vault"

vault_version: 0.8.1
vault_binary_checksum: 3c4d70ba71619a43229e65c67830e30e050eab7a81ac6b28325ff707e5914188
vault_download_url: "https://releases.hashicorp.com/vault/{{ vault_version }}/vault_{{ vault_version }}_linux_amd64.zip"
vault_download_vars:
  container: "{{ vault_deployment_type != 'host' }}"
  dest: "vault/vault_{{ vault_version }}_linux_amd64.zip"
  enabled: true
  mode: "0755"
  owner: "vault"
  repo: "{{ vault_image_repo }}"
  sha256: "{{ vault_binary_checksum if vault_deployment_type == 'host' else vault_digest_checksum|d(none) }}"
  source_url: "{{ vault_download_url }}"
  tag: "{{ vault_image_tag }}"
  unarchive: true
  url: "{{ vault_download_url }}"
  version: "{{ vault_version }}"

vault_container_name: kube-hashicorp-vault
vault_temp_container_name: vault-temp
vault_image_repo: "vault"
vault_image_tag: "{{ vault_version }}"

vault_bind_address: 0.0.0.0
vault_port: 8200
vault_etcd_url: "{{ etcd_access_addresses }}"

# 8y default lease
vault_default_lease_ttl: 70080h
vault_max_lease_ttl: 87600h

vault_temp_config:
  backend:
    file:
      path: /vault/file
  default_lease_ttl: "{{ vault_default_lease_ttl }}"
  listener:
    tcp:
      address: "{{ vault_bind_address }}:{{ vault_port }}"
      tls_disable: "true"
  max_lease_ttl: "{{ vault_max_lease_ttl }}"

vault_config:
  backend:
    etcd:
      address: "{{ vault_etcd_url }}"
      ha_enabled: "true"
      redirect_addr: "https://{{ ansible_default_ipv4.address }}:{{ vault_port }}"
      tls_ca_file: "{{ vault_etcd_cert_dir }}/ca.pem"
      tls_cert_file: "{{ vault_etcd_cert_dir}}/node-{{ inventory_hostname }}.pem"
      tls_key_file: "{{ vault_etcd_cert_dir}}/node-{{ inventory_hostname }}-key.pem"
  cluster_name: "kubernetes-vault"
  default_lease_ttl: "{{ vault_default_lease_ttl }}"
  max_lease_ttl: "{{ vault_max_lease_ttl }}"
  listener:
    tcp:
      address: "{{ vault_bind_address }}:{{ vault_port }}"
      tls_cert_file: "{{ vault_cert_dir }}/api.pem"
      tls_key_file: "{{ vault_cert_dir }}/api-key.pem"

vault_secret_shares: 1
vault_secret_threshold: 1

vault_ca_options:
  vault:
    common_name: vault
    format: pem
    ttl: "{{ vault_max_lease_ttl }}"
    exclude_cn_from_sans: true
    alt_names: "vault.{{ system_namespace }}.svc.{{ dns_domain }},vault.{{ system_namespace }}.svc,vault.{{ system_namespace }},vault"
  etcd:
    common_name: etcd
    format: pem
    ttl: "{{ vault_max_lease_ttl }}"
    exclude_cn_from_sans: true
  kube:
    common_name: kube
    format: pem
    ttl: "{{ vault_max_lease_ttl }}"
    exclude_cn_from_sans: true

vault_client_headers:
  Accept: "application/json"
  Content-Type: "application/json"

vault_etcd_cert_dir: /etc/ssl/etcd/ssl
vault_kube_cert_dir: /etc/kubernetes/ssl

vault_pki_mounts:
  vault:
    name: vault
    default_lease_ttl: "{{ vault_default_lease_ttl }}"
    max_lease_ttl: "{{ vault_max_lease_ttl }}"
    description: "Vault Root CA"
    cert_dir: "{{ vault_cert_dir }}"
    roles:
      - name: vault
        group: vault
        password: "{{ lookup('password', 'credentials/vault/vault length=15') }}"
        policy_rules: default
        role_options: default
  etcd:
    name: etcd
    default_lease_ttl: "{{ vault_default_lease_ttl }}"
    max_lease_ttl: "{{ vault_max_lease_ttl }}"
    description: "Etcd Root CA"
    cert_dir: "{{ vault_etcd_cert_dir }}"
    roles:
      - name: etcd
        group: etcd
        password: "{{ lookup('password', 'credentials/vault/etcd length=15') }}"
        policy_rules: default
        role_options:
          allow_any_name: true
          enforce_hostnames: false
          organization: "kube:etcd"
  kube:
    name: kube
    default_lease_ttl: "{{ vault_default_lease_ttl }}"
    max_lease_ttl: "{{ vault_max_lease_ttl }}"
    description: "Kubernetes Root CA"
    cert_dir: "{{ vault_kube_cert_dir }}"
    roles:
      - name: kube-master
        group: kube-master
        password: "{{ lookup('password', 'credentials/vault/kube-master length=15') }}"
        policy_rules: default
        role_options:
          allow_any_name: true
          enforce_hostnames: false
          organization: "system:masters"
      - name: kube-node
        group: k8s-cluster
        password: "{{ lookup('password', 'credentials/vault/kube-node length=15') }}"
        policy_rules: default
        role_options:
          allow_any_name: true
          enforce_hostnames: false
          organization: "system:nodes"
      - name: kube-proxy
        group: k8s-cluster
        password: "{{ lookup('password', 'credentials/vault/kube-proxy length=15') }}"
        policy_rules: default
        role_options:
          allow_any_name: true
          enforce_hostnames: false
          organization: "system:node-proxier"