{"id":18363430,"url":"https://github.com/stuttgart-things/install-configure-vault","last_synced_at":"2025-04-10T06:49:41.539Z","repository":{"id":162979074,"uuid":"623486787","full_name":"stuttgart-things/install-configure-vault","owner":"stuttgart-things","description":"setup, configure and use a hashicorp vault instance","archived":false,"fork":false,"pushed_at":"2024-12-17T06:17:39.000Z","size":241,"stargazers_count":1,"open_issues_count":2,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-02-15T19:38:31.418Z","etag":null,"topics":["ansible","podman","security","vault"],"latest_commit_sha":null,"homepage":"","language":"Jinja","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/stuttgart-things.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-04-04T13:20:16.000Z","updated_at":"2024-05-15T18:08:59.000Z","dependencies_parsed_at":"2024-05-12T09:26:30.970Z","dependency_job_id":"d51e1683-c544-4e56-8005-e4485653e33b","html_url":"https://github.com/stuttgart-things/install-configure-vault","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stuttgart-things%2Finstall-configure-vault","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stuttgart-things%2Finstall-configure-vault/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stuttgart-things%2Finstall-configure-vault/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stuttgart-things%2Finstall-configure-vault/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/stuttgart-things","download_url":"https://codeload.github.com/stuttgart-things/install-configure-vault/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248173850,"owners_count":21059595,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ansible","podman","security","vault"],"created_at":"2024-11-05T23:06:29.488Z","updated_at":"2025-04-10T06:49:41.514Z","avatar_url":"https://github.com/stuttgart-things.png","language":"Jinja","funding_links":[],"categories":[],"sub_categories":[],"readme":"stuttgart-things/install-configure-vault\n=========================================\n\nThis Ansible role can completely set up and configure a hashicorp vault. The entire ansible logic is based on api calls. No client binary is required.\nIn addition to the installation, this role can also be used to fill the vault with data and issue certificates and much more.\n\n### Role installation:\n\u003cdetails\u003e\u003csummary\u003e\u003cb\u003eInstall this role on your ansible host (click here)\u003c/b\u003e\u003c/summary\u003e\n\n```\ncat \u003c\u003cEOF \u003e /tmp/requirements.yaml\nroles:\n- src: https://github.com/stuttgart-things/install-configure-vault.git\n  scm: git\n- src: https://github.com/stuttgart-things/install-requirements.git\n  scm: git\n- src: https://github.com/stuttgart-things/deploy-podman-container.git\n  scm: git\n- src: https://github.com/stuttgart-things/generate-selfsigned-certs.git\n  scm: git\n- src: https://github.com/stuttgart-things/install-configure-podman.git\n  scm: git\n- src: https://github.com/stuttgart-things/deploy-helm-chart.git\n  scm: git\n\ncollections:\n- name: containers.podman\n  version: 1.9.1\n- name: community.general\n  version: 4.3.0\n- name: community.crypto\n  version: 1.9.9\n- name: ansible.posix\n  version: 1.3.0\n- name: community.kubernetes\n  version: 2.0.1\n\nEOF\nansible-galaxy install -r /tmp/requirements.yaml --force \u0026\u0026 ansible-galaxy collection install -r /tmp/requirements.yaml -f\n```\n\u003c/details\u003e\n\nFor more information about stuttgart-things role installation visit: [Stuttgart-Things howto install role](https://codehub.sva.de/Lab/stuttgart-things/meta/documentation/doc-as-code/-/blob/master/howtos/howto-install-role.md)\n\n## Howto install Vault Root CA in windows 10 OS Systems (BETA)\n\n- Download the powershell script located in /meta folder\n- Make sure your windows version have the version 2004 or greater\n- Run on a powershell commandline with admin privileges \"Set-ExecutionPolicy RemoteSigned\" to make sure scripts are allowed on your system\n- Run the downloaded script and follow the wizard\n\n## Example playbooks to use this role\n\n\u003cdetails\u003e\u003csummary\u003eInstall and initializing a vault server within a podman container (click here)\u003c/summary\u003e\n\n### Ansible command:\n```\nansible-playbook -i inventory.ini playbook.yml\n```\n\n### Playbook: playbook.yml\n```\n---\n- hosts: \"vault\"\n  gather_facts: true\n  become: true\n  vars:\n    # default configuration\n    vault_url: https://example.com:8200\n\n    # Install vault server\n    install_vault_podman: true\n    install_vault_init_secret_shares: 1\n    install_vault_init_secret_threshold: 1\n\n    # Output install config\n    vault_install_save_conf_path: /tmp/vault_config.txt #optional comment out if not needed\n\n  roles:\n    - install-configure-vault\n```\n\n### Playbook: inventory.ini\n```\n[vault]\nexample.com\n```\n\u003c/details\u003e\n\n\u003cdetails\u003e\u003csummary\u003eCreate new local users (click here)\u003c/summary\u003e\n\n### Ansible command:\n```\nansible-playbook -i inventory.ini playbook.yml\n```\n\n### Playbook: playbook.yml\n```\n---\n- hosts: \"localhost\"\n  gather_facts: true\n  become: true\n  vars:\n    # default configuration\n    vault_url: https://example.com:8200\n    #vault_username: username\n    #vault_password: password\n    vault_token: \u003croot_token\u003e # or uncomment vault user+pw and use a admin user account\n\n    # Create new local userpass user\n    vault_create_user: true\n    vault_crate_user_data:\n      - name: bob\n        password: secret\n        policies: admins\n      - name: alice\n        password: supersecret\n        policies: admins\n\n  roles:\n    - install-configure-vault\n```\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\u003csummary\u003eCreate certification authority (click here)\u003c/summary\u003e\n\n### Ansible command:\n```\nansible-playbook playbook.yml\n```\n\n### Playbook: playbook.yml\n```\n---\n- hosts: \"localhost\"\n  gather_facts: true\n  become: true\n  vars:\n    # default configuration\n    vault_url: https://example.com:8200\n    #vault_username: username\n    #vault_password: password\n    vault_token: \u003croot_token\u003e # or uncomment vault user+pw and use a admin user account\n\n    # CA root certificate default configuration\n    vault_create_ca: true\n    vault_ca_cert_common_name: mydomain.com # Best pratice the name of the domain managed by vault CA\n    vault_ca_cert_key_bits: 4096\n    vault_ca_cert_organization: company\n    vault_ca_cert_ou: my-ou\n\n    # CA root role\n    vault_ca_cert_role_name: mydomain.com\n    vault_ca_role_allow_subdomains: true\n    vault_ca_role_allowed_domains: mydomain.com\n\n  roles:\n    - install-configure-vault\n```\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\u003csummary\u003eInstall the vault certification authority ca certificate on remote system (click here)\u003c/summary\u003e\n\n### Ansible command:\n```\nansible-playbook -i inventory.ini playbook.yml\n```\n\n### Playbook: playbook.yml\n```\n---\n- hosts: \"all\"\n  gather_facts: true\n  become: true\n  vars:\n    # default configuration\n    vault_url: https://example.com:8200\n\n    # Install ca on system\n    vault_install_ca_cert: true\n\n  roles:\n    - install-configure-vault\n```\n\n### Playbook: inventory.ini\n```\nall:\n  children:\n    ungrouped: {}\n    vault:\n      hosts:\n        example.com: {}\n```\n\u003c/details\u003e\n\n\u003cdetails\u003e\u003csummary\u003eRequest a certificate from the vault server to sign on remote system with installation (click here) \u003c/summary\u003e\n\n### Ansible command:\n```\nansible-playbook playbook.yml\n```\n\n### Playbook: playbook.yml\n```\n---\n- hosts: \"all\"\n  gather_facts: true\n  become: false\n  vars:\n    # default configuration\n    vault_url: https://example.com:8200\n    #vault_username: username\n    #vault_password: password\n    vault_token: \u003croot_token\u003e # or uncomment vault user+pw and use a admin user account\n\n    # CA root role\n    vault_ca_cert_role_name: example.com\n\n    # Generate cert\n    vault_gen_cert: true\n    vault_gen_cert_fqdn: hostname.example.com\n    #vault_gen_cert_ip_sans: 192.168.1.1 #Only set if access via the ip should be permitted or if there is an alternative\n    vault_gen_cert_install: true # true for installing cert directly to the path \n    vault_gen_cert_install_pub_path: /tmp/public_key.pem\n    vault_gen_cert_install_priv_path: /tmp/private_key.pem\n    vault_gen_cert_install_ca_path: /tmp/ca_key.crt\n\n  roles:\n    - install-configure-vault\n```\n\n### Playbook: inventory.ini\n```\nall:\n  children:\n    ungrouped: {}\n    vault:\n      hosts:\n        example.com: {}\n```\n\u003c/details\u003e\n\n\u003cdetails\u003e\u003csummary\u003eUpload file from remote machine to vault (click here)\u003c/summary\u003e\n\n### Ansible command:\n```\nansible-playbook -i inventory.ini playbook.yml\n```\n\n### Playbook: playbook.yml\n```\n---\n- hosts: \"all\"\n  gather_facts: true\n  become: false\n  vars:\n    # default configuration\n    vault_url: https://example.com:8200\n    #vault_username: username\n    #vault_password: password\n    vault_token: \u003croot_token\u003e # or uncomment vault user+pw and use a admin user account\n\n    vault_kv_write: true\n    vault_kv_write_file_data:\n      - secret_name: test\n        secret_engine: labul\n        path: /tmp/test.txt\n        filename: test # The key on vault server, needed for extracting \n\n  roles:\n    - install-configure-vault\n```\n\n### Playbook: inventory.ini\n```\nall:\n  children:\n    ungrouped: {}\n    vault:\n      hosts:\n        example.com: {}\n```\n\u003c/details\u003e\n\n\u003cdetails\u003e\u003csummary\u003eWrite key value secrets (kv)\u003c/summary\u003e\n\n### Ansible command:\n```\nansible-playbook -i inventory.ini playbook.yml\n```\n\n### Playbook: playbook.yml\n```\n---\n- hosts: \"all\"\n  gather_facts: true\n  become: false\n  vars:\n    # default configuration\n    vault_url: https://example.com:8200\n    #vault_username: username\n    #vault_password: password\n    vault_token: \u003croot_token\u003e # or uncomment vault user+pw and use a admin user account\n\n    # Write data to KV database\n    vault_kv_write: true\n    vault_kv_write_data:\n      - secret_name: awx_server\n        secret_engine: labul\n        kv:\n          ip: 1.2.3.4\n          username: user\n          password: secret\n      - secret_name: vcenter\n        secret_engine: labda\n        kv:\n          ip: 1.2.3.4\n          username: user\n          password: secret\n\n  roles:\n    - install-configure-vault\n```\n\u003c/details\u003e\n\n\u003cdetails\u003e\u003csummary\u003eGenerate bashrc config add alias for inject vault secrets to environment vars\u003c/summary\u003e\n\n### Ansible command:\n```\nansible-playbook -i inventory.ini playbook.yml\n```\n\n### Playbook: playbook.yml\n```\n---\n- hosts: \"all\"\n  gather_facts: true\n  become: false\n  vars:\n    # default configuration\n    vault_url: https://example.com:8200\n    #vault_username: username\n    #vault_password: password\n    vault_token: \u003croot_token\u003e # or uncomment vault user+pw and use a admin user account\n\n    # Generate bashrc\n    vault_bashrc: true\n    vault_bashrc_mod:\n    labul_vault:              # \u003c- alias command\n      labul:                  # \u003c- secret engine\n        - awx                 # \u003c- secret name\n        - vcenter             # \u003c- another secret name\n      ocp4:                   # \u003c- secret engine\n        - pull_secret         # \u003c- secret name\n    labda_vault:              # \u003c- alias command\n      labda:                  # \u003c- secret engine\n        - awx                 # \u003c- secret name\n        - vcenter             # \u003c- another secret name\n      ocp4:                   # \u003c- secret engine\n        - pull_secret         # \u003c- secret name\n\n  roles:\n    - install-configure-vault\n```\n\u003c/details\u003e\n\n\u003cdetails\u003e\u003csummary\u003eHave your own public key signed by vault to access machines (click here)\u003c/summary\u003e\n\n### Ansible command:\n```\nansible-playbook playbook.yml\n```\n\n### Playbook: playbook.yml\n```\n---\n- name: Manage client\n  gather_facts: true\n  hosts: localhost\n  become: false\n\n  vars:\n    vault_url: \"{{ lookup('env','VAULT_ADDR') }}\"\n    vault_secret_id: \"{{ lookup('env','VAULT_SECRET_ID') }}\"\n    vault_role_id: \"{{ lookup('env','VAULT_ROLE_ID') }}\"\n    vault_namespace: \"{{ lookup('env','VAULT_NAMESPACE') }}\"\n    vault_ssh_sign_public_key: true\n\n  roles:\n    - vault-ssh-manager\n\n```\n\u003c/details\u003e\n\n\u003cdetails\u003e\u003csummary\u003ePrepare the server for access via the vault ssh ca (click here)\u003c/summary\u003e\n\n### Ansible command:\n```\nansible-playbook -i inventory playbook.yml\n```\n\n### Playbook: playbook.yml\n```\n---\n- name: Manage server\n  gather_facts: true\n  hosts: yourhost\n  become: true\n\n  vars:\n    vault_url: \"{{ lookup('env','VAULT_ADDR') }}\"\n    vault_secret_id: \"{{ lookup('env','VAULT_SECRET_ID') }}\"\n    vault_role_id: \"{{ lookup('env','VAULT_ROLE_ID') }}\"\n    vault_namespace: \"{{ lookup('env','VAULT_NAMESPACE') }}\"\n    vault_ssh_conf_server: true\n\n  roles:\n    - vault-ssh-manager\n\n```\n\n### Playbook: inventory.yaml\n```\nall:\n  children:\n    ungrouped: {}\n    vault:\n      hosts:\n        example.com: {}\n```\n\u003c/details\u003e\n\n\u003cdetails\u003e\u003csummary\u003eUpgrade Vault Server to specific version (click here)\u003c/summary\u003e\n\n### Ansible command:\n```\nansible-playbook -i inventory playbook.yml\n```\n\n### Playbook: playbook.yml\n```\n---\n- name: Manage server\n  gather_facts: true\n  hosts: vault\n  become: true\n\n  vars:\n    # default configuration\n    vault_url: https://vault.example.com:8200\n    vault_token: \u003csecret\u003e # or uncomment vault user+pw and use a admin user account\n\n    vault_version: 1.8.0 #hub.docker.com/_/vault?\n\n    #add_registry_mirrors: true\n    #registry_mirrors:\n    #  - http://rancher-things-dev-w.tiab.labda.sva.de:30869\n\n  roles:\n    - install-configure-vault\n\n```\n\n### Playbook: inventory.yaml\n```\nall:\n  children:\n    ungrouped: {}\n    vault:\n      hosts:\n        example.com: {}\n```\n\u003c/details\u003e\n\n\u003cdetails\u003e\u003csummary\u003eCreate AppRole (click here)\u003c/summary\u003e\n\n### Ansible command:\n```\nansible-playbook -i inventory playbook.yml\n```\n\n### Playbook: playbook.yml\n```\n---\n- name: Manage server\n  gather_facts: true\n  hosts: vault\n  become: true\n\n  vars:\n    # default configuration\n    vault_url: https://vault.example.com:8200\n    vault_token: \u003csecret\u003e # or uncomment vault user+pw and use a admin user account\n\n    create_approle: true\n\n    vault_approle:\n      - name: argo-ci\n        approle_endpoint_name: approle\n        approle_secret_id_ttl: 8760h\n        approle_token_num_uses: 2000\n        approle_token_ttl: 20m\n        approle_token_max_ttl: 30m\n        approle_secret_id_num_uses: 2000\n        approle_token_policies: admin\n      - name: sthings\n        approle_endpoint_name: approle\n        approle_secret_id_ttl: 8760h\n        approle_token_num_uses: 2000\n        approle_token_ttl: 20m\n        approle_token_max_ttl: 30m\n        approle_secret_id_num_uses: 2000\n        approle_token_policies: admin\n\n  roles:\n    - install-configure-vault\n\n```\n\n### Playbook: inventory.yaml\n```\nall:\n  children:\n    ungrouped: {}\n    vault:\n      hosts:\n        example.com: {}\n```\n\u003c/details\u003e\n\n## Requirements and Dependencies:\n- Ubuntu 20.04\n- Fedora 34\n- CentOS 8\n- CentOS 7\n\n### Features:\n- Vault token is automatically obtained from userpass or approle if not given\n- Install vault (within a podman container)\n- Initialize new vault installation\n- Create a vault root certification authority\n- Provide and issue trusted certificates for services such as letsencrypt\n- Create local users\n- Create key value databases\n- Add key value data\n- Upload local files to vault secret store\n- Generate .bashrc file for fully automated environment handling\n- Automated certificate installation\n- Sign your own SSH public keys via vault and then return them to the system\n- Register the server via vault and configure sshd to enable vault ssh logins\n- Support for update Vault Server\n- Support for upgrade CA \n- Create AppRoles based on profiles\n\n## Version:\n```\nDATE            WHO            WHAT\n2022-01-25      Marcel Zapf    Added kubernetes support\n2021-12-21      Marcel Zapf    Added namespace support\n2021-12-08      Marcel Zapf    Improved webinterface cert issuing process, fixed bug replace cert in webinterface on upgrade\n2021-10-08      Marcel Zapf    Added support for creating AppRole based on profiles\n2021-07-30      Marcel Zapf    Readme update\n2021-07-29      Marcel Zapf    Added support for upgrade SSH CA and Vault version\n2021-06-15      Marcel Zapf    Added support for automated SSH CA handling\n2021-06-04      Marcel Zapf    Added support for storage backend filesystem (default), S3, RAFT Cluster\n2021-02-05      Marcel Zapf    Added feature to delete a secret\n2021-01-27      Marcel Zapf    ID for the CA certificate added to support more Vault CAs\n2021-01-20      Marcel Zapf    Move container vars to defaults for better freze collections version\n2021-01-13      Marcel Zapf    Readme update\n2020-11-17      Marcel Zapf    Fix some known bugs and add aditional default vars for vault specific certificate\n2020-11-12      Marcel Zapf    Add windows root ca installing process to readme\n2020-11-03      Marcel Zapf    Add feature for saving config after vault installation\n2020-10-28      Marcel Zapf    Add bashrc generator add kv upload\n2020-10-26      Marcel Zapf    Fixed ip_san error while running error handler\n2020-10-23      Marcel Zapf    Add missing task for installing issuing ca key\n2020-10-22      Marcel Zapf    Move error handler to own file, fix json override bug, add ip_sans to ca installation\n2020-10-21      Marcel Zapf    Added support for additionally ip address with domain name (Vault CA)\n2020-10-20      Marcel Zapf    Better logic vault creates his own cert for webinterface and api, api awx bugfix move execution host from localhost to vars\n2020-10-19      Marcel Zapf    Logic added that allows further vault tasks to be linked directly after installation\n2020-10-15      Marcel Zapf    Bug fixing\n2020-10-14      Marcel Zapf    Implementet new Features\n2020-10-13      Marcel Zapf    Init readme, role wip\n```\n\nLicense\n-------\n\nBSD\n\nAuthor Information\n------------------\n\nMarcel Zapf; 02/2021; Stuttgart-Things\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fstuttgart-things%2Finstall-configure-vault","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fstuttgart-things%2Finstall-configure-vault","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fstuttgart-things%2Finstall-configure-vault/lists"}