This Ansible role performs a basic Vault installation, including filesystem structure and example configuration.
It can also bootstrap a minimal development or evaluation server or HA Consul-backed cluster in a Vagrant and VirtualBox based environment. See README_VAGRANT.md and the associated Vagrantfile for more details about the developer mode setup.
This role requires FreeBSD, or a Debian or RHEL based Linux distribution. It might work with other software versions, but does work with the following specific software and versions:
- Ansible: 2.6.4
- Vault: 0.11.2
- Debian: 9
- FreeBSD 11
- Ubuntu 16.04
Sorry, there is no planned support at the moment for Windows.
The role defines variables in defaults/main.yml
:
-
version to install
- Can be overridden with
VAULT_VERSION
environment variable - Will include "+prem" if vault_enterprise_premium=True
- Will include ".hsm" if vault_enterprise_premium_hsm=True
- Can be overridden with
-
Default value: 0.11.2
- Set this to true when installing Vault Enterprise; this is not currently
possible as a "remote only" install method
- Can be overridden with
VAULT_ENTERPRISE
environment variable
- Can be overridden with
- Default value: false
- package filename
- Default value:
"vault_{{ vault_version }}_linux_amd64.zip"
- package filename
- Default value:
"vault-enterprise_{{ vault_version }}_{{ vault_os }}_{{ vault_architecture }}.zip"
- Package download URL
- Default value:
"https://releases.hashicorp.com/vault/{{ vault_version }}/vault_{{ vault_version }}_linux_amd64.zip"
- Override this var if you have your zip hosted internally
- Works for enterprise installs also
- SHA summaries URL
- Override this var if you have your sha file is hosted internally
- Default value:
"https://releases.hashicorp.com/vault/{{ vault_version }}/vault_{{ vault_version}}_SHA256SUMS"
- SHA summaries filename (included for convenience not for modification)
- Default value:
"vault_{{ vault_version }}_SHA256SUMS"
- SHA summaries filename (included for convenience not for modification)
- Will attempt to download from
vault_checksum_file_url
if not present in files/ - Default value:
"vault-enterprise_{{ vault_version }}_SHA256SUMS"
- Binary installation path
- Default value:
/usr/local/bin
- Configuration file path
- Default value:
/etc/vault.d
- Data path
- Default value:
/var/vault
- Log path - (not yet implemented)
- Default value:
/var/log/vault
- PID file location
- Default value:
/var/run/vault
- Should this role manage the vault user?
- Default value: true
- OS user name
- Default value: vault
- OS group name
- Default value: bin
- Inventory group name
- Default value:
vault_instances
- Cluster name label
- Default value: dc1
- Datacenter label
- Default value: dc1
- Enable vault web ui
- Default value: false
- host:port value for connecting to Consul HA backend
- Default value: 127.0.0.1:8500
- Scheme for Consul backend
- Supported values: http, https
- Default value: http
- Name of Vault's Consul K/V root path
- Default value: vault
- Name of the Vault service to register in Consul
- Default value: vault
- ACL token for accessing Consul
- Default value: none
- Log level
- Supported values: trace, debug, info, warn, err
- Default value: info
- Log to syslog (not yet impemented)
- Default value: true
- Network interface
- Can be overridden with
VAULT_IFACE
environment variable
- Can be overridden with
- Default value:
eth1
- Primary network interface address to use
- Default value:
"{{ hostvars[inventory_hostname]['ansible_'+vault_iface]['ipv4']['address'] }}"
- TCP port number to on which to listen
- Default value: 8200
- Short node name
- Default value:
"{{ inventory_hostname_short }}"
- Configures the maximum possible lease duration for tokens and secrets.
- Default value:
768h
(32 days)
- Configures the default lease duration for tokens and secrets.
- Default value:
768h
(32 days)
- Main configuration file name (full path)
- Default value:
"{{ vault_config_path }}/vault_main.hcl"
- Backend consul template filename
- Default value:
backend_consul.j2
- Address to bind to for cluster server-to-server requests
- Default value:
"{{ hostvars[inventory_hostname]['ansible_'+vault_iface]['ipv4']['address'] }}:{{ (vault_port | int) + 1}}"
- Address to advertise to other Vault servers in the cluster for request forwarding
- Default value:
"{{ vault_protocol }}://{{ vault_cluster_address }}"
- HA Client Redirect address
- Default value:
"{{ vault_protocol }}://{{ vault_redirect_address or hostvars[inventory_hostname]['ansible_'+vault_iface]['ipv4']['address'] }}:{{ vault_port }}"
- vault_redirect_address is kept for backward compatibility but is deprecated.
- Disable HA clustering
- Default value: false
- Disable Certificate Validation for API reachability check
- Default value: false
- Path to TLS certificate and key
- Default value
/etc/vault/tls
- Disable TLS
- Can be overridden with
VAULT_TLS_DISABLE
environment variable
- Can be overridden with
- Default value: 1
- Enable TLS Gossip to Consul Backend
- Default value: 0
- User-specified source directory for TLS files
- Override with
VAULT_TLS_SRC_FILES
environment variable
- Override with
- Default value:
{{ role_path }}/files
- Path to TLS certificate and key
- Default value
/etc/vault/tls
- CA certificate filename
- Override with
VAULT_TLS_CA_CRT
environment variable
- Override with
- Default value:
ca.crt
- Server certificate
- Override with
VAULT_TLS_CERT_FILE
environment variable
- Override with
- Default value:
server.crt
- Server key
- Override with
VAULT_TLS_KEY_FILE
environment variable
- Override with
- Default value:
server.key
- Minimum acceptable TLS version
- Can be overridden with
VAULT_TLS_MIN_VERSION
environment variable
- Can be overridden with
- Default value: tls12
- Comma-separated list of supported ciphersuites
- Default value: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA"
- Prefer server's cipher suite over client cipher suite
- Can be overridden with
VAULT_TLS_PREFER_SERVER_CIPHER_SUITES
environment variable
- Can be overridden with
- Default value: false
- Require clients to present a valid client certificate
- Default value: false
- Disable requesting for client certificates
- Default value: false
- Copy from remote source if TLS files are already on host
- Default value: no
The consul
binary works on most Linux platforms and is not distribution
specific. However, some distributions require installation of specific OS
packages with different naming, so this role was built with support for
popular Linux distributions and defines these variables to deal with the
differences across distributions:
- Vault package filename
- Default value:
{{ vault_version }}_linux_amd64.zip
- Vault package download URL
- Default value:
{{ vault_zip_url }}
- List of OS packages to install
- Default value: list
- Vault package filename
- Default value:
"{{ vault_version }}_linux_amd64.zip"
- Vault package download URL
- Default value:
"{{ vault_zip_url }}"
- Vault download SHA256 summary
- Default value: SHA256 SUM
- List of OS packages to install
- Default value: list
- Vault package filename
- Default value:
"{{ vault_version }}_linux_amd64.zip"
- Vault package download URL
- Default value:
"{{ vault_zip_url }}"
- Vault package SHA256 summary
- Default value: SHA256 SUM
- List of OS packages to install
- Default value: list
- Vault package filename
- Default value:
"{{ vault_version }}_linux_amd64.zip"
- Vault package download URL
- Default value:
"{{ vault_zip_url }}"
- Vault package SHA256 summary
- Default value: SHA256 SUM
- Enable logrotation for systemd based systems
- Default value: false
- Determines how frequently to rotate vault logs
- Default value: 7
- List of OS packages to install
- Default value: list
NOTE: Read these before executing the role to avoid certain frequently encountered issues which are resolved by installing the correct dependencies.
Ansible requires GNU tar and this role performs some local use of the
unarchive module, so ensure that your system has gtar
installed.
The role depends on python-netaddr
so:
pip install netaddr
on the Ansible control host prior to executing the role.
Basic installation is possible using the included site.yml
playbook:
ansible-playbook -i hosts site.yml
You can also pass variables in using the --extra-vars
option to the
ansible-playbook
command:
ansible-playbook -i hosts site.yml --extra-vars "vault_datacenter=maui"
Specify a template file with a different backend definition
(see templates/backend_consul.j2
):
ansible-playbook -i hosts site.yml --extra-vars "vault_backed=backend_file.j2"
You need to make sure that the template file backend_file.j2
is in the
role directory for this to work.
See examples/README_VAGRANT.md
for details on quick Vagrant deployments
under VirtualBox for testing, etc.
The role can install Vault Enterprise based instances.
Place the Vault Enterprise zip archive into {{ role_path }}/files
and set
vault_enterprise: true
or use the VAULT_ENTERPRISE="true"
environment
variable. Attempts to download the package from vault_zip_url
if zip is not found in files/.
- Set to True if using premium binary. Basically just includes "+prem" in "vault_version" var
- Default value: False
The role can configure HSM based instances. Make sure to reference the HSM support page and take notice of the behavior changes after HSM is installed.
- Set to True if using premium hsm binary. Basically just includes ".hsm" in "vault_version" var
- Default value: False
- Set which cryptography app to use.
- Default value: pkcs11
- Backend seal template filename
- Default value: vault_backend_seal.j2
- Set to the absolute path of the HSM library vault will call
- Default value: /lib64/hsmlibrary.so
- The PIN for login. May also be specified by the VAULT_HSM_PIN environment variable. If set via the environment variable, Vault will obfuscate the environment variable after reading it, and it will need to be re-set if Vault is restarted.
- Default value: 12345
- The label of the key to use. If the key does not exist and generation is enabled, this is the label that will be given to the generated key. May also be specified by the VAULT_HSM_KEY_LABEL environment variable.
- Default value: vault-hsm-key
- If no existing key with the label specified by key_label can be found at Vault initialization time, instructs Vault to generate a key. This is a boolean expressed as a string (e.g. "true"). May also be specified by the VAULT_HSM_GENERATE_KEY environment variable. Vault may not be able to successfully generate keys in all circumstances, such as if proprietary vendor extensions are required to create keys of a suitable type.
- Default value: false
- Do not change this unles you know you need to. The encryption/decryption mechanism to use, specified as a decimal or hexadecimal (prefixed by 0x) string. May also be specified by the VAULT_HSM_MECHANISM environment variable.
- Default value: ''
- Example for RSA: 0x0009
- The slot token label to use. May also be specified by the VAULT_HSM_TOKEN_LABEL environment variable. This label will only be applied when
vault_softcard_enable
is true. - Default value: ''
- Enable if you plan to use a softcard on your HSM.
- Default value: false
- The slot number to use, specified as a string (e.g. "0"). May also be specified by the VAULT_HSM_SLOT environment variable. This label will only be applied when
vault_softcard_enable
is false (default). - Default value: 0
BSD
Special thanks to the folks listed in CONTRIBUTORS.md for their contributions to this project.