https://github.com/goldstrike77/ansible-role-linux-vault
Ansible role for install and configure Hashicorp Vault server on the Linux operating system.
https://github.com/goldstrike77/ansible-role-linux-vault
ansible ansible-role secrets vault
Last synced: over 1 year ago
JSON representation
Ansible role for install and configure Hashicorp Vault server on the Linux operating system.
- Host: GitHub
- URL: https://github.com/goldstrike77/ansible-role-linux-vault
- Owner: goldstrike77
- License: mit
- Created: 2020-07-20T07:55:29.000Z (almost 6 years ago)
- Default Branch: master
- Last Pushed: 2021-06-28T08:09:32.000Z (about 5 years ago)
- Last Synced: 2025-01-12T17:47:50.621Z (over 1 year ago)
- Topics: ansible, ansible-role, secrets, vault
- Language: Jinja
- Homepage:
- Size: 58.6 KB
- Stars: 1
- Watchers: 0
- Forks: 1
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
README

>__Please note that the original design goal of this role was more concerned with the initial installation and bootstrapping environment, which currently does not involve performing continuous maintenance, and therefore are only suitable for testing and development purposes, should not be used in production environments. The author does not guarantee the accuracy, completeness, reliability, and availability of the role content. Under no circumstances will the author be held responsible or liable in any way for any claims, damages, losses, expenses, costs or liabilities whatsoever, including, without limitation, any direct or indirect damages for loss of profits, business interruption or loss of information.__
>__请注意,此角色的最初设计目标更关注初始安装和引导环境,目前不涉及执行连续维护,因此仅适用于测试和开发目的,不应在生产环境中使用。作者不对角色内容之准确性、完整性、可靠性、可用性做保证。在任何情况下,作者均不对任何索赔,损害,损失,费用,成本或负债承担任何责任,包括但不限于因利润损失,业务中断或信息丢失而造成的任何直接或间接损害。__
___

__Table of Contents__
- [Overview](#overview)
- [Requirements](#requirements)
* [Operating systems](#operating-systems)
* [Versions](#versions)
- [ Role variables](#Role-variables)
* [Main Configuration](#Main-parameters)
* [Other Configuration](#Other-parameters)
- [Dependencies](#dependencies)
- [Example Playbook](#example-playbook)
* [Hosts inventory file](#Hosts-inventory-file)
* [Vars in role configuration](#vars-in-role-configuration)
* [Combination of group vars and playbook](#combination-of-group-vars-and-playbook)
- [License](#license)
- [Author Information](#author-information)
- [Donations](#Donations)
## Overview
Vault is a tool for securely accessing secrets. A secret is anything that you want to tightly control access to, such as API keys, passwords, certificates, and more. Vault provides a unified interface to any secret, while providing tight access control and recording a detailed audit log.
>__There is a file that records the root token in /tmp folder at the first leader node, Burn after reading!__
## Requirements
### Operating systems
This Ansible role installs vault on the Linux operating system, including establishing a filesystem structure and server configuration with some common operational features, Will works on the following operating systems:
* CentOS 7
### Versions
The following list of supported releases:
* Vault 1.5+
## Role variables
### Main parameters #
There are some variables in defaults/main.yml which can (Or needs to) be overridden:
##### General parameters
* `vault_version`: Specify the Vault version.
* `vault_path`: Specify the Consul data folder.
* `vault_tls`: A boolean value, whether Encrypting client and cluster communications.
##### Listen port
* `vault_port_arg`:Defines communication port.
##### Storage parameters
* `vault_storage_arg.stanza`: Specify the location for the durable storage of Vault's information.
##### Backup parameters
* `vault_backupset_arg.keep`: Backup retention cycle in days.
* `vault_backupset_arg.encryptkey`: BackupSet encryption key.
* `vault_backupset_arg.cloud_rsync`: Whether rsync for cloud storage.
* `vault_backupset_arg.cloud_drive`: Specify the cloud storage providers.
* `vault_backupset_arg.cloud_bwlimit`: Controls the bandwidth limit.
* `vault_backupset_arg.cloud_event`: Define transfer events.
* `vault_backupset_arg.cloud_config`: Specify the cloud storage configuration.
##### System Variables
* `vault_arg.log_level`: Specifies the log level to use.
* `vault_arg.log_format`: Specifies the log format to use.
* `vault_arg.max_request_duration`: Specifies the maximum request duration allowed before Vault cancels the request.
* `vault_arg.http_read_header_timeout`: Specifies the amount of time allowed to read request headers.
##### Service Mesh
* `environments`: Define the service environment.
* `datacenter`: Define the DataCenter.
* `domain`: Define the Domain.
* `customer`: Define the customer name.
* `tags`: Define the service custom label.
* `exporter_is_install`: Whether to install prometheus exporter.
* `consul_public_register`: Whether register a exporter service with public consul client.
* `consul_public_exporter_token`: Public Consul client ACL token.
* `consul_public_http_prot`: The consul Hypertext Transfer Protocol.
* `consul_public_clients`: List of public consul clients.
* `consul_public_http_port`: The consul HTTP API port.
### Other parameters
There are some variables in vars/main.yml:
## Dependencies
- Ansible versions >= 2.8
- Python >= 2.7.5
## Example
### Hosts inventory file
See tests/inventory for an example.
### Vars in role configuration
Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
```yaml
- hosts: all
roles:
- role: ansible-role-linux-vault
```
### Combination of group vars and playbook
You can also use the group_vars or the host_vars files for setting the variables needed for this role. File you should change: group_vars/all or host_vars/`group_name`.
```yaml
vault_version: '1.7.3'
vault_path: '/data'
vault_tls: true
vault_port_arg:
api: '8200'
cluster: '8201'
vault_storage_arg:
stanza: 'raft'
vault_backupset_arg:
keep: '30'
cloud_rsync: false
cloud_drive: 'azureblob'
cloud_bwlimit: '10M'
cloud_event: 'sync'
cloud_config:
account: 'blobuser'
key: 'base64encodedkey=='
endpoint: 'blob.core.chinacloudapi.cn'
vault_arg:
log_level: 'Info'
log_format: 'standard'
max_request_duration: '60s'
http_read_header_timeout: '30s'
environments: 'prd'
datacenter: 'dc01'
domain: 'local'
customer: 'demo'
tags:
subscription: 'default'
owner: 'nobody'
department: 'Infrastructure'
organization: 'The Company'
region: 'China'
exporter_is_install: false
consul_public_register: false
consul_public_exporter_token: '00000000-0000-0000-0000-000000000000'
consul_public_http_prot: 'https'
consul_public_http_port: '8500'
consul_public_clients:
- '127.0.0.1'
```
## License

## Author Information
Please send your suggestions to make this role better.
## Donations
Please donate to the following monero address.
46CHVMbb6wQV2PJYEbahb353SYGqXhcdFQVEWdCnHb6JaR5125h3kNQ6bcqLye5G7UF7qz6xL9qHLDSAY3baagfmLZABz75