X-Git-Url: https://gerrit.fd.io/r/gitweb?a=blobdiff_plain;f=fdio.infra.ansible%2Froles%2Fvault%2Fdefaults%2Fmain.yaml;fp=fdio.infra.ansible%2Froles%2Fvault%2Fdefaults%2Fmain.yaml;h=232dc406943a85961c1e9aca50d900cafd69be8c;hb=b9d4313cc851be7c7e8657783723343e8bd14664;hp=0000000000000000000000000000000000000000;hpb=80989ff660f1acd635f6d004b15bc13a93240975;p=csit.git

diff --git a/fdio.infra.ansible/roles/vault/defaults/main.yaml b/fdio.infra.ansible/roles/vault/defaults/main.yaml
new file mode 100644
index 0000000000..232dc40694
--- /dev/null
+++ b/fdio.infra.ansible/roles/vault/defaults/main.yaml
@@ -0,0 +1,159 @@
+---
+# file: roles/vault/defaults/main.yaml
+
+# Inst - Prerequisites.
+packages: "{{ packages_base + packages_by_distro[ansible_distribution | lower] + packages_by_arch[ansible_machine] }}"
+packages_base:
+  - "curl"
+  - "unzip"
+packages_by_distro:
+  ubuntu:
+    - []
+packages_by_arch:
+  aarch64:
+    - []
+  x86_64:
+    - []
+
+# Inst - Vault Map.
+vault_version: "1.8.1"
+vault_architecture_map:
+  amd64: "amd64"
+  x86_64: "amd64"
+  armv7l: "arm"
+  aarch64: "arm64"
+  32-bit: "386"
+  64-bit: "amd64"
+vault_architecture: "{{ vault_architecture_map[ansible_architecture] }}"
+vault_os: "{{ ansible_system|lower }}"
+vault_pkg: "vault_{{ vault_version }}_{{ vault_os }}_{{ vault_architecture }}.zip"
+vault_zip_url: "https://releases.hashicorp.com/vault/{{ vault_version }}/{{ vault_pkg }}"
+
+# Conf - Service.
+vault_node_role: "server"
+vault_restart_handler_state: "restarted"
+vault_systemd_service_name: "vault"
+
+# Inst - System paths.
+vault_bin_dir: "/usr/local/bin"
+vault_config_dir: "/etc/vault.d"
+vault_data_dir: "/var/vault"
+vault_inst_dir: "/opt"
+vault_run_dir: "/var/run/vault"
+vault_ssl_dir: "/etc/vault.d/ssl"
+
+# Conf - User and group.
+vault_group: "vault"
+vault_group_state: "present"
+vault_user: "vault"
+vault_user_state: "present"
+
+# Conf - Main
+vault_group_name: "vault_instances"
+vault_cluster_name: "yul1"
+vault_datacenter: "yul1"
+vault_log_level: "{{ lookup('env','VAULT_LOG_LEVEL') | default('info', true) }}"
+vault_iface: "{{ lookup('env','VAULT_IFACE') | default(ansible_default_ipv4.interface, true) }}"
+vault_address: "{{ hostvars[inventory_hostname]['ansible_'+vault_iface]['ipv4']['address'] }}"
+vault_ui: "{{ lookup('env', 'VAULT_UI') | default(true, true) }}"
+vault_port: 8200
+vault_use_config_path: false
+vault_main_config: "{{ vault_config_dir }}/vault_main.hcl"
+vault_main_configuration_template: "vault_main_configuration.hcl.j2"
+vault_listener_localhost_enable: false
+vault_http_proxy: ""
+vault_https_proxy: ""
+vault_no_proxy: ""
+
+# Conf - Listeners
+vault_tcp_listeners:
+  - vault_address: "{{ vault_address }}"
+    vault_port: "{{ vault_port }}"
+    vault_cluster_address: "{{ vault_cluster_address }}"
+    vault_tls_disable: "{{ vault_tls_disable }}"
+    vault_tls_config_path: "{{ vault_tls_config_path }}"
+    vault_tls_cert_file: "{{ vault_tls_cert_file }}"
+    vault_tls_key_file: "{{ vault_tls_key_file }}"
+    vault_tls_ca_file: "{{ vault_tls_ca_file }}"
+    vault_tls_min_version: "{{ vault_tls_min_version }}"
+    vault_tls_cipher_suites: "{{ vault_tls_cipher_suites }}"
+    vault_tls_prefer_server_cipher_suites: "{{ vault_tls_prefer_server_cipher_suites }}"
+    vault_tls_require_and_verify_client_cert: "{{ vault_tls_require_and_verify_client_cert }}"
+    vault_tls_disable_client_certs: "{{ vault_tls_disable_client_certs }}"
+    vault_disable_mlock: true
+
+# Conf - Backend
+vault_backend_consul: "vault_backend_consul.j2"
+vault_backend_file: "vault_backend_file.j2"
+vault_backend_raft: "vault_backend_raft.j2"
+vault_backend_etcd: "vault_backend_etcd.j2"
+vault_backend_s3: "vault_backend_s3.j2"
+vault_backend_dynamodb: "vault_backend_dynamodb.j2"
+vault_backend_mysql: "vault_backend_mysql.j2"
+vault_backend_gcs: "vault_backend_gcs.j2"
+
+vault_cluster_disable: false
+vault_cluster_address: "{{ hostvars[inventory_hostname]['ansible_'+vault_iface]['ipv4']['address'] }}:{{ (vault_port | int) + 1}}"
+vault_cluster_addr: "{{ vault_protocol }}://{{ vault_cluster_address }}"
+vault_api_addr: "{{ vault_protocol }}://{{ vault_redirect_address | default(hostvars[inventory_hostname]['ansible_'+vault_iface]['ipv4']['address']) }}:{{ vault_port }}"
+
+vault_max_lease_ttl: "768h"
+vault_default_lease_ttl: "768h"
+
+vault_backend_tls_src_files: "{{ vault_tls_src_files }}"
+vault_backend_tls_config_path: "{{ vault_tls_config_path }}"
+vault_backend_tls_cert_file: "{{ vault_tls_cert_file }}"
+vault_backend_tls_key_file: "{{ vault_tls_key_file }}"
+vault_backend_tls_ca_file: "{{ vault_tls_ca_file }}"
+
+vault_consul: "127.0.0.1:8500"
+vault_consul_path: "vault"
+vault_consul_service: "vault"
+vault_consul_scheme: "http"
+
+vault_backend: "consul"
+
+# Conf - Service registration
+vault_service_registration_consul_enable: true
+vault_service_registration_consul_template: "vault_service_registration_consul.hcl.j2"
+vault_service_registration_consul_check_timeout: "5s"
+vault_service_registration_consul_address: "127.0.0.1:8500"
+vault_service_registration_consul_service: "vault"
+vault_service_registration_consul_service_tags: ""
+vault_service_registration_consul_service_address:
+vault_service_registration_consul_disable_registration: false
+vault_service_registration_consul_scheme: "http"
+
+vault_service_registration_consul_tls_config_path: "{{ vault_tls_config_path }}"
+vault_service_registration_consul_tls_cert_file: "{{ vault_tls_cert_file }}"
+vault_service_registration_consul_tls_key_file: "{{ vault_tls_key_file }}"
+vault_service_registration_consul_tls_ca_file: "{{ vault_tls_ca_file }}"
+vault_service_registration_consul_tls_min_version: "{{ vault_tls_min_version }}"
+vault_service_registration_consul_tls_skip_verify: false
+
+# Conf - Telemetry
+vault_telemetry_enabled: true
+vault_telemetry_disable_hostname: false
+vault_prometheus_retention_time: 30s
+
+# Conf - TLS
+validate_certs_during_api_reachable_check: true
+
+vault_tls_config_path: "{{ lookup('env','VAULT_TLS_DIR') | default('/etc/vault/tls', true) }}"
+vault_tls_src_files: "{{ lookup('env','VAULT_TLS_SRC_FILES') | default(role_path+'/files', true) }}"
+
+vault_tls_disable: "{{ lookup('env','VAULT_TLS_DISABLE') | default(1, true) }}"
+vault_tls_gossip: "{{ lookup('env','VAULT_TLS_GOSSIP') | default(0, true) }}"
+
+vault_tls_copy_keys: true
+vault_protocol: "{% if vault_tls_disable %}http{% else %}https{% endif %}"
+vault_tls_cert_file: "{{ lookup('env','VAULT_TLS_CERT_FILE') | default('server.crt', true) }}"
+vault_tls_key_file: "{{ lookup('env','VAULT_TLS_KEY_FILE') | default('server.key', true) }}"
+vault_tls_ca_file: "{{ lookup('env','VAULT_TLS_CA_CRT') | default('ca.crt', true) }}"
+
+vault_tls_min_version: "{{ lookup('env','VAULT_TLS_MIN_VERSION') | default('tls12', true) }}"
+vault_tls_cipher_suites: ""
+vault_tls_prefer_server_cipher_suites: "{{ lookup('env','VAULT_TLS_PREFER_SERVER_CIPHER_SUITES') | default('false', true) }}"
+vault_tls_files_remote_src: false
+vault_tls_require_and_verify_client_cert: false
+vault_tls_disable_client_certs: false
\ No newline at end of file