Add ca_cert to hashi_vault lookups
parent
6225653c56
commit
9c0b211db2
8 changed files with 16 additions and 17 deletions
@ -20,12 +20,11 @@
|
||||||
- git
|
- git
|
||||||
- htop
|
- htop
|
||||||
- inxi
|
- inxi
|
||||||
|
- kitty-terminfo
|
||||||
- make
|
- make
|
||||||
- ncdu
|
- ncdu
|
||||||
- netcat-traditional
|
|
||||||
- netcat-openbsd
|
- netcat-openbsd
|
||||||
- ntp
|
- ntp
|
||||||
- rxvt-unicode
|
|
||||||
- screen
|
- screen
|
||||||
- strace
|
- strace
|
||||||
- sysstat
|
- sysstat
|
||||||
|
|
|
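Review bot: The package-list change in this section (kitty-terminfo added, netcat-traditional and rxvt-unicode removed) is unrelated to the commit title "Add ca_cert to hashi_vault lookups" and is not mentioned anywhere in the commit record. Splitting it into its own commit, or at least naming it in the message, would keep the history searchable. netcat-openbsd stays in the list, so the netcat-traditional removal looks deliberate, but that is inferred; the file path of this section is not shown on the page.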
@ -3,7 +3,7 @@ primary_datacenter = "{{ main_dc_name }}"
|
||||||
domain = "{{ consul_domain }}"
|
domain = "{{ consul_domain }}"
|
||||||
node_name = "{{ inventory_hostname_short }}"
|
node_name = "{{ inventory_hostname_short }}"
|
||||||
|
|
||||||
encrypt = "{{ lookup('hashi_vault', 'secret=kv/data/consul:data')['gossip'] }}"
|
encrypt = "{{ lookup('hashi_vault', 'secret=kv/data/consul:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['gossip'] }}"
|
||||||
|
|
||||||
verify_incoming = false
|
verify_incoming = false
|
||||||
verify_outgoing = true
|
verify_outgoing = true
|
||||||
|
@ -32,6 +32,6 @@ acl {
|
||||||
default_policy = "deny"
|
default_policy = "deny"
|
||||||
enable_token_persistence = true
|
enable_token_persistence = true
|
||||||
tokens {
|
tokens {
|
||||||
default = "{{ lookup('hashi_vault', 'secret=kv/data/consul:data')['server-acl-token'] }}"
|
default = "{{ lookup('hashi_vault', 'secret=kv/data/consul:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['server-acl-token'] }}"
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
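Review bot: The CA path added to each lookup is hard-coded as `ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt`, while the nomad sections of this same commit reference the CA through a variable (`ca_file = "/etc/pki/certs/{{ vault_ca_cert_name }}"`), so two spellings of one file now have to be kept in sync. The lookup term can use the variable as well, e.g. `lookup('hashi_vault', 'secret=kv/data/consul:data ca_cert=/etc/pki/certs/' ~ vault_ca_cert_name)`. Note also that `lookup()` runs on the Ansible control node, so this path must exist on the controller rather than on the managed host; if the controller's CA lives elsewhere, supplying the option once through the plugin's `ANSIBLE_HASHI_VAULT_CA_CERT` environment variable avoids repeating it in every template. The same point applies to the second hunk of this section and to the consul-server, acme, namecheap/aws env, nomad client, nomad server and vault storage sections below.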
@ -6,7 +6,7 @@ server = true
|
||||||
bootstrap_expect = 3
|
bootstrap_expect = 3
|
||||||
ui = true
|
ui = true
|
||||||
|
|
||||||
encrypt = "{{ lookup('hashi_vault', 'secret=kv/data/consul:data')['gossip'] }}"
|
encrypt = "{{ lookup('hashi_vault', 'secret=kv/data/consul:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['gossip'] }}"
|
||||||
|
|
||||||
verify_outgoing = true
|
verify_outgoing = true
|
||||||
verify_server_hostname = true
|
verify_server_hostname = true
|
||||||
|
@ -49,6 +49,6 @@ acl {
|
||||||
default_policy = "deny"
|
default_policy = "deny"
|
||||||
enable_token_persistence = true
|
enable_token_persistence = true
|
||||||
tokens {
|
tokens {
|
||||||
default = "{{ lookup('hashi_vault', 'secret=kv/data/consul:data')['server-acl-token'] }}"
|
default = "{{ lookup('hashi_vault', 'secret=kv/data/consul:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['server-acl-token'] }}"
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -1 +1 @@
|
||||||
{{ lookup('hashi_vault', 'secret=kv/data/acme:data')['private_key'] }}
|
{{ lookup('hashi_vault', 'secret=kv/data/acme:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['private_key'] }}
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
export NAMECHEAP_API_USER={{ lookup('hashi_vault', 'secret=kv/data/namecheap:data')['api_user'] }}
|
export NAMECHEAP_API_USER={{ lookup('hashi_vault', 'secret=kv/data/namecheap:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['api_user'] }}
|
||||||
export NAMECHEAP_API_KEY={{ lookup('hashi_vault', 'secret=kv/data/namecheap:data')['api_key'] }}
|
export NAMECHEAP_API_KEY={{ lookup('hashi_vault', 'secret=kv/data/namecheap:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['api_key'] }}
|
||||||
export AWS_ACCESS_KEY_ID={{ lookup('hashi_vault', 'secret=kv/data/aws:data')['access_key'] }}
|
export AWS_ACCESS_KEY_ID={{ lookup('hashi_vault', 'secret=kv/data/aws:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['access_key'] }}
|
||||||
export AWS_SECRET_ACCESS_KEY={{ lookup('hashi_vault', 'secret=kv/data/aws:data')['secret_key'] }}
|
export AWS_SECRET_ACCESS_KEY={{ lookup('hashi_vault', 'secret=kv/data/aws:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['secret_key'] }}
|
||||||
export AWS_HOSTED_ZONE_ID={{ lookup('hashi_vault', 'secret=kv/data/aws:data')['hosted_zone_id'] }}
|
export AWS_HOSTED_ZONE_ID={{ lookup('hashi_vault', 'secret=kv/data/aws:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['hosted_zone_id'] }}
|
||||||
|
|
|
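Review bot: The exported values are unquoted, so a secret containing whitespace or shell metacharacters (`$`, `;`, `&`, `#`) would be word-split or interpreted when this file is sourced. Passing each value through Ansible's `quote` filter keeps it literal, e.g. `export NAMECHEAP_API_KEY={{ lookup('hashi_vault', 'secret=kv/data/namecheap:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['api_key'] | quote }}`, and the same for the other four lines. AWS access and secret keys are usually safe, but the Namecheap values are not constrained here. The task that renders this file, and the mode it sets, is outside the hunk; since the file holds live credentials it is worth confirming it is owner-readable only.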
@ -14,13 +14,13 @@ client {
|
||||||
}
|
}
|
||||||
|
|
||||||
consul {
|
consul {
|
||||||
token = "{{ lookup('hashi_vault', 'secret=kv/data/nomad:data')['consul-acl-client'] }}"
|
token = "{{ lookup('hashi_vault', 'secret=kv/data/nomad:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['consul-acl-client'] }}"
|
||||||
}
|
}
|
||||||
|
|
||||||
vault {
|
vault {
|
||||||
enabled = true
|
enabled = true
|
||||||
ca_file = "/etc/pki/certs/{{ vault_ca_cert_name }}"
|
ca_file = "/etc/pki/certs/{{ vault_ca_cert_name }}"
|
||||||
token = "{{ lookup('hashi_vault', 'secret=kv/data/nomad:data')['vault-token'] }}"
|
token = "{{ lookup('hashi_vault', 'secret=kv/data/nomad:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['vault-token'] }}"
|
||||||
address = "https://vault.service.{{ consul_domain }}:8200"
|
address = "https://vault.service.{{ consul_domain }}:8200"
|
||||||
create_from_role = "nomad-cluster"
|
create_from_role = "nomad-cluster"
|
||||||
unwrap_token = true
|
unwrap_token = true
|
||||||
|
|
|
@ -9,14 +9,14 @@ server {
|
||||||
vault {
|
vault {
|
||||||
enabled = true
|
enabled = true
|
||||||
ca_file = "/etc/pki/certs/{{ vault_ca_cert_name }}"
|
ca_file = "/etc/pki/certs/{{ vault_ca_cert_name }}"
|
||||||
token = "{{ lookup('hashi_vault', 'secret=kv/data/nomad:data')['vault-token'] }}"
|
token = "{{ lookup('hashi_vault', 'secret=kv/data/nomad:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['vault-token'] }}"
|
||||||
address = "https://vault.service.{{ consul_domain }}:8200"
|
address = "https://vault.service.{{ consul_domain }}:8200"
|
||||||
create_from_role = "nomad-cluster"
|
create_from_role = "nomad-cluster"
|
||||||
unwrap_token = true
|
unwrap_token = true
|
||||||
}
|
}
|
||||||
|
|
||||||
consul {
|
consul {
|
||||||
token = "{{ lookup('hashi_vault', 'secret=kv/data/nomad:data')['consul-acl-server'] }}"
|
token = "{{ lookup('hashi_vault', 'secret=kv/data/nomad:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['consul-acl-server'] }}"
|
||||||
}
|
}
|
||||||
|
|
||||||
tls {
|
tls {
|
||||||
|
|
|
@ -18,5 +18,5 @@ cluster_addr = "https://{{ ansible_default_ipv4.address }}:8201"
|
||||||
storage "consul" {
|
storage "consul" {
|
||||||
address = "localhost:8500"
|
address = "localhost:8500"
|
||||||
path = "vault/"
|
path = "vault/"
|
||||||
token = "{{ lookup('hashi_vault', 'secret=kv/data/vault:data')['consul-acl'] }}"
|
token = "{{ lookup('hashi_vault', 'secret=kv/data/vault:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['consul-acl'] }}"
|
||||||
}
|
}
|
||||||
|
|