2023-07-30 21:08:31 +00:00
---
title: vault
type: docs
---

[![Source Code](https://img.shields.io/badge/gitea-source%20code-blue?logo=gitea&logoColor=white)](https://gitea.rknet.org/ansible/xoxys.vault)
[![Build Status](https://img.shields.io/drone/build/ansible/xoxys.vault?logo=drone&server=https%3A%2F%2Fdrone.rknet.org)](https://drone.rknet.org/ansible/xoxys.vault)
[![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg?label=license)](https://gitea.rknet.org/ansible/xoxys.vault/src/branch/main/LICENSE)

Setup HashiCorp Vault secrets manager.

<!--more-->

- [Requirements](#requirements)
- [Default Variables](#default-variables)
  - [vault_auto_unseal](#vault_auto_unseal)
  - [vault_cap_add](#vault_cap_add)
  - [vault_cap_drop](#vault_cap_drop)
  - [vault_config_volume](#vault_config_volume)
  - [vault_data_volume](#vault_data_volume)
  - [vault_default_lease_ttl](#vault_default_lease_ttl)
  - [vault_disable_clustering](#vault_disable_clustering)
  - [vault_exposed_ports](#vault_exposed_ports)
  - [vault_image](#vault_image)
  - [vault_log_level](#vault_log_level)
  - [vault_max_lease_ttl](#vault_max_lease_ttl)
  - [vault_network](#vault_network)
  - [vault_network_ipv4_gateway](#vault_network_ipv4_gateway)
  - [vault_network_ipv4_subnet](#vault_network_ipv4_subnet)
  - [vault_network_ipv6_enabled](#vault_network_ipv6_enabled)
  - [vault_network_ipv6_gateway](#vault_network_ipv6_gateway)
  - [vault_network_ipv6_subnet](#vault_network_ipv6_subnet)
  - [vault_podman_args](#vault_podman_args)
  - [vault_ui](#vault_ui)
  - [vault_unseal_keys](#vault_unseal_keys)
  - [vault_url](#vault_url)
  - [vault_volumes](#vault_volumes)
- [Dependencies](#dependencies)

---

## Requirements

- Minimum Ansible version: `2.10`

## Default Variables

### vault_auto_unseal

#### Default value

```YAML
vault_auto_unseal: false
```

### vault_cap_add

Vault locks its memory with `mlock` so that secrets are never swapped to disk; inside a container this requires the `IPC_LOCK` capability, which is why it is added by default.

#### Default value

```YAML
vault_cap_add:
  - ipc_lock
```

### vault_cap_drop

#### Default value

```YAML
vault_cap_drop: []
```

### vault_config_volume

#### Default value

```YAML
vault_config_volume: vault-config
```

### vault_data_volume

#### Default value

```YAML
vault_data_volume: vault-data
```

### vault_default_lease_ttl

#### Default value

```YAML
vault_default_lease_ttl: 24h
```

### vault_disable_clustering

#### Default value

```YAML
vault_disable_clustering: true
```

### vault_exposed_ports

Ports you want to publish outside of the container. Vault is listening on `8200` inside the container.

#### Default value

```YAML
vault_exposed_ports: []
```

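The following is an added example, not taken from the role's own documentation, showing the weak and the hardened form of this setting side by side. It assumes the role hands each entry to Podman's `--publish` option in `[host-ip:]host-port:container-port` form, which is an assumption about the role. The listener inside the container is plain HTTP (the health check and the default `vault_url` both use `http://localhost:8200`), so binding the published port to loopback keeps an unencrypted API off the host's external interfaces; containers attached to the same network still reach port `8200` directly.

```yaml
# Added example, not part of the role. Assumes each entry is passed to
# podman --publish as [host-ip:]host-port:container-port.

# Weak: the plain-HTTP API is published on every host interface.
# vault_exposed_ports:
#   - 8200:8200

# Hardened: reachable only from the host itself, which matches the
# default vault_url of http://localhost:8200. Put a TLS-terminating
# reverse proxy or a host firewall rule in front for remote clients.
vault_exposed_ports:
  - 127.0.0.1:8200:8200
```
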
### vault_image

#### Default value

```YAML
vault_image: docker.io/hashicorp/vault:latest
```

### vault_log_level

#### Default value

```YAML
vault_log_level: warn
```

### vault_max_lease_ttl

#### Default value

```YAML
vault_max_lease_ttl: 240h
```

### vault_network

Name of the container network. If the name ends with `.network`, the network will be created with the specified configuration. Otherwise, the network must already exist and the container will be attached to it.

#### Default value

```YAML
vault_network: vault.network
```

### vault_network_ipv4_gateway

#### Default value

```YAML
vault_network_ipv4_gateway: _unset_
```

### vault_network_ipv4_subnet

#### Default value

```YAML
vault_network_ipv4_subnet: _unset_
```

### vault_network_ipv6_enabled

#### Default value

```YAML
vault_network_ipv6_enabled: false
```

### vault_network_ipv6_gateway

#### Default value

```YAML
vault_network_ipv6_gateway: _unset_
```

#### Example usage

```YAML
vault_network_ipv6_gateway: fd00:0:0:2::1
```

### vault_network_ipv6_subnet

#### Default value

```YAML
vault_network_ipv6_subnet: _unset_
```

#### Example usage

```YAML
vault_network_ipv6_subnet: fd00:0:0:2::/64
```

### vault_podman_args

Additional arguments for the Podman container. The defaults remove the PID limit (`--pids-limit=-1`), run the container in the host user namespace (`--userns=host`) and define a health check that polls Vault's HTTP API every 5 seconds and kills the container once six consecutive checks have failed (`--health-on-failure=kill`). `__vault_health_path` is an internal variable of the role.

#### Default value

```YAML
vault_podman_args:
  - --pids-limit=-1
  - --userns=host
  - --health-cmd='["wget", "--spider", "--proxy", "off", "http://localhost:8200/{{ __vault_health_path }}"]'
  - --health-interval=5s
  - --health-timeout=5s
  - --health-retries=6
  - --health-on-failure=kill
```

### vault_ui

#### Default value

```YAML
vault_ui: true
```

### vault_unseal_keys

#### Default value

```YAML
vault_unseal_keys: []
```

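An added example playbook, not part of the role's documentation, that ties the unseal variables to the network and port settings described above. It assumes that with `vault_auto_unseal: true` the role submits the shares listed in `vault_unseal_keys` to the API at `vault_url` after the container starts, and that `group_vars/vault/secrets.yml` is a file you encrypted with `ansible-vault encrypt`; both the behaviour and the file name are assumptions. The point of the example is that the key shares never sit in plaintext inventory.

```yaml
# site.yml - added example, not from the role. The unseal behaviour noted
# in the comments is assumed, not documented on this page.
- name: Deploy a single-node Vault with Podman
  hosts: vault
  vars_files:
    # Encrypted with: ansible-vault encrypt group_vars/vault/secrets.yml
    # Plaintext layout of that file (assumed name):
    #   vault_unseal_keys:
    #     - "<key share 1>"
    #     - "<key share 2>"
    #     - "<key share 3>"
    - group_vars/vault/secrets.yml
  vars:
    # Assumption: the role unseals Vault with vault_unseal_keys via vault_url.
    vault_auto_unseal: true
    vault_url: http://localhost:8200
    # Loopback only; the listener inside the container is plain HTTP.
    vault_exposed_ports:
      - 127.0.0.1:8200:8200
    # Name ends in .network, so the role creates it with this addressing.
    vault_network: vault.network
    vault_network_ipv4_subnet: 10.89.1.0/24
    vault_network_ipv4_gateway: 10.89.1.1
  roles:
    - role: xoxys.vault
```

Run it with `ansible-playbook --ask-vault-pass site.yml` (or `--vault-password-file`). `vault operator init` splits the root key into shares with a threshold (five shares, threshold three by default); a file that holds enough shares to meet the threshold is effectively the root key, so the Ansible vault password needs the same protection as the shares themselves. Vault's own auto-unseal through a KMS or Transit seal avoids storing shares at all, but that is Vault server configuration outside the scope of this page.
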
### vault_url

#### Default value

```YAML
vault_url: http://localhost:8200
```

### vault_volumes

> Define required container volumes.

#### Default value

```YAML
vault_volumes:
  - name: '{{ vault_config_volume }}'
    dest: /vault/config
    # SELinux: private, unshared relabel of the volume content
    opts: Z
  - name: '{{ vault_data_volume }}'
    dest: /vault/file
    opts: Z
```

#### Example usage

```YAML
vault_volumes:
  - name: data
    # target location inside the container
    dest: /var/www/app/data
    type: volume
```

## Dependencies

None.