ricsanfre.vault
Ansible Role: Installing and Configuring Hashicorp Vault Server
This guide explains how to install and set up Hashicorp Vault on a Linux server using Ansible.
Requirements
No special requirements.
Role Variables
Here are the variables you can customize, along with their default values (see defaults/main.yaml for the full list):
Vault server settings:
Vault user and group:
```yaml
vault_group: vault
vault_user: vault
```

Vault package version:

```yaml
vault_version: 1.12.2
```

Vault installation paths:

```yaml
vault_bin_path: /usr/local/bin
vault_config_path: /etc/vault
vault_tls_path: /etc/vault/tls
vault_plugin_path: /usr/local/lib/vault/plugins
vault_data_path: /var/lib/vault
vault_log_path: /var/log/vault
```

Vault TLS settings:

```yaml
vault_enable_tls: false
vault_key: ""
vault_cert: ""
custom_ca: false
vault_ca: ""
vault_dns: ""
```

To enable TLS, set `vault_enable_tls` to true and put your private key and public certificate in `vault_key` and `vault_cert`. If the certificate is signed by a custom CA, set `custom_ca` to true and put the CA certificate in `vault_ca`. Set `vault_dns` to the Fully Qualified Domain Name of your Vault service.

You can load keys and certificates from files like this:

```yaml
- name: Load TLS key and cert
  set_fact:
    # Build the file names with string concatenation: a "{{ }}" nested inside
    # another template expression is not valid Jinja.
    vault_key: "{{ lookup('file', 'certificates/' + inventory_hostname + '_private.key') }}"
    vault_cert: "{{ lookup('file', 'certificates/' + inventory_hostname + '_public.crt') }}"
    vault_ca: "{{ lookup('file', 'certificates/ca.crt') }}"
```

Vault initialization:

```yaml
vault_init: false
vault_key_shares: 1
vault_key_threshold: 1
vault_keys_output: "{{ vault_config_path }}/unseal.json"
```

To initialize Vault automatically, set `vault_init` to true and set `vault_key_shares` (number of unseal keys to create) and `vault_key_threshold` (number of keys needed to unseal). Initialization saves a JSON file containing the keys at `vault_keys_output`.

Vault unseal settings:

```yaml
vault_unseal: false
vault_unseal_service: false
```

For automatic unsealing, set `vault_unseal` to true; the keys are read from the `vault_keys_output` file. Setting `vault_unseal_service` to true creates a service that unseals Vault automatically whenever it starts.

KV secrets engine:

You can enable the KV version 2 secrets engine with:

```yaml
vault_kv_secrets:
  path: secret
```

This enables KV version 2 at the path `secret`.

Policies:

You can create ACL policies by specifying the name and HCL content:

```yaml
policies:
  - name: write
    hcl: |
      path "secret/*" {
        capabilities = [ "create", "read", "update", "delete", "list", "patch" ]
      }
  - name: read
    hcl: |
      path "secret/*" {
        capabilities = [ "read" ]
      }
```
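As an added example (not part of the role), here is a small stdlib-only Python check for the file that `vault_init` writes to `vault_keys_output` and that `vault_unseal` reads back: it flags loose file permissions, a share/threshold mismatch with the role variables, and the root token that initialization stores next to the keys. The JSON layout is assumed to follow `vault operator init -format=json`; the key material is a constructed placeholder.

```python
import base64
import json
import os
import stat
import tempfile
from pathlib import Path

# Constructed sample in the shape of `vault operator init -format=json` output
# (fake 33-byte shares and a placeholder token, not real material).
SAMPLE_INIT_JSON = {
    "unseal_keys_b64": [base64.b64encode(bytes([i]) * 33).decode() for i in (1, 2, 3)],
    "unseal_shares": 3,
    "unseal_threshold": 2,
    "root_token": "hvs.PLACEHOLDER",
}

def check_unseal_file(path, expected_shares, expected_threshold):
    """Return a list of findings for the file at path; an empty list means it looks sane."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:  # unseal keys must not be readable by group or others
        findings.append(f"mode {mode:04o} exposes the file to group/others; expected 0600")
    data = json.loads(Path(path).read_text())
    shares, threshold = data.get("unseal_shares"), data.get("unseal_threshold")
    keys = data.get("unseal_keys_b64", [])
    if (shares, threshold) != (expected_shares, expected_threshold):
        findings.append(f"file says {shares} shares / threshold {threshold}, "
                        f"role vars say {expected_shares} / {expected_threshold}")
    if not (isinstance(shares, int) and isinstance(threshold, int) and 1 <= threshold <= shares):
        findings.append("threshold must be an integer between 1 and the number of shares")
    if len(keys) != shares:
        findings.append(f"{len(keys)} keys present but {shares} shares declared")
    if data.get("root_token"):  # the initial root token is written next to the keys
        findings.append("root token stored with the unseal keys; revoke it once other auth is set up")
    return findings

def demo(mode, expected_shares, expected_threshold):
    # Write the constructed sample with the given file mode and return the findings.
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "unseal.json")
        Path(path).write_text(json.dumps(SAMPLE_INIT_JSON))
        os.chmod(path, mode)
        return check_unseal_file(path, expected_shares, expected_threshold)

if __name__ == "__main__":
    for finding in demo(0o644, 3, 2):  # deliberately world-readable: expect two findings
        print(finding)
```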
Dependencies
No dependencies.
Example Playbook
The following playbook installs and configures Vault, enabling TLS and generating SSL certificates.
```yaml
---
- name: Install and configure Vault Server
  hosts: vault-server
  become: true
  gather_facts: true
  vars:
    server_hostname: vault.ricsanfre.com
    ssl_key_size: 4096
    key_type: RSA
    country_name: ES
    email_address: [email protected]
    organization_name: Ricsanfre
    ansible_user: root
  pre_tasks:
    - name: Generate custom CA
      include_tasks: tasks/generate_custom_ca.yml
      args:
        apply:
          delegate_to: localhost
          become: false
    - name: Generate SSL certificates signed by custom CA
      include_tasks: tasks/generate_ca_signed_cert.yml
      args:
        apply:
          delegate_to: localhost
          become: false
    - name: Load TLS key and cert
      set_fact:
        vault_key: "{{ lookup('file', 'certificates/' + server_hostname + '.key') }}"
        vault_cert: "{{ lookup('file', 'certificates/' + server_hostname + '.pem') }}"
        vault_ca: "{{ lookup('file', 'certificates/CA.pem') }}"
  roles:
    - role: ricsanfre.vault
      vault_enable_tls: true
      custom_ca: true
      vault_init: true
      vault_unseal: true
      vault_unseal_service: true
      tls_skip_verify: true
      display_init_response: true
      vault_kv_secrets:
        path: secret
      policies:
        - name: write
          hcl: |
            path "secret/*" {
              capabilities = [ "create", "read", "update", "delete", "list", "patch" ]
            }
        - name: read
          hcl: |
            path "secret/*" {
              capabilities = [ "read" ]
            }
```
The pre_tasks section generates a custom CA, generates Vault's private key and a certificate signed by that CA, and loads them into `vault_key`, `vault_cert`, and `vault_ca`.
The task files (tasks/generate_custom_ca.yml and tasks/generate_ca_signed_cert.yml) contain the commands that create the custom CA and generate Vault's certificate signed by it.
License
MIT License.
Author Information
Created by Ricardo Sanchez (ricsanfre)
Vault hashicorp installation and configuration role. Install it from Ansible Galaxy with:

```shell
ansible-galaxy install ricsanfre.vault
```