jacobmammoliti / ansible-role-vault
Ansible role to deploy HashiCorp Vault.
License: Mozilla Public License 2.0
If Vault's home and data directories are below /usr, the systemd unit file cannot include these two parameters.
# Sandboxing settings to improve the security of the host by restricting vault privileges and access
ProtectSystem=true
ProtectSystem=full
Explanation:
Takes a boolean argument or the special values "full" or "strict". If true, mounts the /usr/ and the boot loader directories (/boot and /efi) read-only for processes invoked by this unit. If set to "full", the /etc/ directory is mounted read-only, too. If set to "strict" the entire file system hierarchy is mounted read-only, except for the API file system subtrees /dev/, /proc/ and /sys/ (protect these directories using PrivateDevices=, ProtectKernelTunables=, ProtectControlGroups=). This setting ensures that any modification of the vendor-supplied operating system (and optionally its configuration, and local mounts) is prohibited for the service. It is recommended to enable this setting for all long-running services, unless they are involved with system updates or need to modify the operating system in other ways. If this option is used, ReadWritePaths= may be used to exclude specific directories from being made read-only. This setting is implied if DynamicUser= is set. This setting cannot ensure protection in all cases. In general it has the same limitations as ReadOnlyPaths=, see below. Defaults to off.
ref: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
Launching the Vault service results in an error message claiming it is a read-only filesystem when using the above two parameters.
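The man page excerpt quoted above already names the usual way out: keep ProtectSystem= and carve the directories Vault must write out of the read-only view with ReadWritePaths=, instead of dropping the sandboxing entirely. Note also that ProtectSystem= is a single-value setting, so listing it twice as in the unit above just lets the last assignment (full) win. The following is an added example, not code from the role: it models the read-only roots each ProtectSystem= value imposes, as described in systemd.exec(5), and emits the [Service] lines a Vault unit needs so its writable directories survive. The directory layout under /usr/local is an illustrative assumption, not the role's defaults.

```python
# Added example (not code from the role): model which paths ProtectSystem=
# makes read-only, per systemd.exec(5), and emit the [Service] lines a Vault
# unit needs so its writable directories survive the sandbox.
from pathlib import PurePosixPath

# Read-only roots for each ProtectSystem= value, per systemd.exec(5).
# "strict" covers the whole hierarchy except the API filesystems below.
READ_ONLY_ROOTS = {
    "true":   ["/usr", "/boot", "/efi"],
    "full":   ["/usr", "/boot", "/efi", "/etc"],
    "strict": ["/"],
}
API_FILESYSTEMS = ["/dev", "/proc", "/sys"]


def _is_under(path, root):
    """True if `path` equals `root` or lies anywhere beneath it."""
    p, r = PurePosixPath(path), PurePosixPath(root)
    return p == r or r in p.parents


def read_only_under(mode, path):
    """Would ProtectSystem=<mode> mount `path` read-only for the service?"""
    if mode not in READ_ONLY_ROOTS:
        raise ValueError(f"unknown ProtectSystem value: {mode}")
    if mode == "strict" and any(_is_under(path, fs) for fs in API_FILESYSTEMS):
        return False
    return any(_is_under(path, root) for root in READ_ONLY_ROOTS[mode])


def sandbox_lines(mode, writable_paths):
    """[Service] lines: the ProtectSystem= setting plus a ReadWritePaths= that
    re-exposes every writable path the chosen mode would otherwise clobber.
    Paths outside the protected roots need no exception and are left out."""
    clobbered = [p for p in writable_paths if read_only_under(mode, p)]
    lines = [f"ProtectSystem={mode}"]
    if clobbered:
        lines.append("ReadWritePaths=" + " ".join(clobbered))
    return lines


if __name__ == "__main__":
    # Illustrative layout (an assumption, not the role's defaults): Vault's
    # data directory under /usr/local, config under /etc/vault.d. The config
    # directory is only read, so it is not listed as writable.
    vault_data = "/usr/local/vault/data"
    for mode in ("true", "full", "strict"):
        print(f"# ProtectSystem={mode}")
        print("\n".join(sandbox_lines(mode, [vault_data])))
```

With the data directory under /usr, even ProtectSystem=true needs a ReadWritePaths= exception; with ProtectSystem=strict every writable directory needs one, wherever it lives. Paths that Vault only reads (the config directory, the binary) can stay read-only, which is the point of the setting.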
Suggest adding a conditional on a new Boolean var (maybe vault_tls_disable_client_certs) for tls_disable_client_certs.
Currently it is not present at all, which makes Vault request client certificates from everyone. This is likely not required in most use-cases and can be problematic for LB health checks against Vault when the LB doesn't send Vault a proper cert.
tls_disable_client_certs = "false"
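As an added example (not the role's template and not Vault's code), here is how such a variable would drive the rendered listener stanza. `vault_tls_disable_client_certs` is the name the issue suggests; the companion `vault_tls_require_and_verify_client_cert` variable, the address and the certificate paths are assumptions for illustration. The conflict check reflects Vault's own behaviour: a tcp listener that sets both tls_disable_client_certs and tls_require_and_verify_client_cert is rejected as mutually exclusive, so the role is better off refusing to render that combination than handing Vault a config it will not start with.

```python
# Added example, not the role's template: render the `listener "tcp"` stanza
# with the proposed vault_tls_disable_client_certs switch. The second variable
# name, the address and the file paths are illustrative assumptions.

def client_cert_settings_conflict(disable_client_certs, require_and_verify):
    """Vault rejects a listener that sets both tls_disable_client_certs and
    tls_require_and_verify_client_cert, so flag that combination up front."""
    return bool(disable_client_certs and require_and_verify)


def _hcl_bool(value):
    # Quoted string form, matching the `tls_disable_client_certs = "false"`
    # line shown in the issue; Vault accepts it alongside bare true/false.
    return '"true"' if value else '"false"'


def render_tcp_listener(address, cert_file, key_file,
                        vault_tls_disable_client_certs=False,
                        vault_tls_require_and_verify_client_cert=False):
    """Return the HCL `listener "tcp"` block for Vault's server config.

    tls_disable_client_certs = "false" (Vault's default) makes the listener
    request a client certificate during the TLS handshake; "true" stops it
    asking, which is what an LB health check without a client cert wants.
    """
    if client_cert_settings_conflict(vault_tls_disable_client_certs,
                                     vault_tls_require_and_verify_client_cert):
        raise ValueError("tls_disable_client_certs and "
                         "tls_require_and_verify_client_cert are mutually exclusive")
    lines = [
        'listener "tcp" {',
        f'  address                  = "{address}"',
        f'  tls_cert_file            = "{cert_file}"',
        f'  tls_key_file             = "{key_file}"',
        f'  tls_disable_client_certs = {_hcl_bool(vault_tls_disable_client_certs)}',
    ]
    if vault_tls_require_and_verify_client_cert:
        lines.append('  tls_require_and_verify_client_cert = "true"')
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Illustrative values; the LB-friendly variant stops requesting client certs.
    print(render_tcp_listener("0.0.0.0:8200",
                              "/etc/vault.d/tls/vault.crt",
                              "/etc/vault.d/tls/vault.key",
                              vault_tls_disable_client_certs=True))
```

Leaving the variable at false reproduces what the role renders today (Vault's default of requesting a certificate), so the change is backwards compatible; operators whose LB health checks choke on the certificate request flip it to true.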
If you apply the role with vault_local_binary_location: /home/test/download/vault_oss, then the service will not start.
The role installs the binary retaining the local filename, but the rest of the settings still expect the binary to be named vault.
It should probably be changed to
dest: '{{ vault_install_directory }}/vault'
Everything is on the same indentation level and fails.
The command to create instances returns an error, as the gcloud syntax might have changed. The --scopes flag is the problem, and I found that this works instead:
for i in 0 1; do
  gcloud compute instances create vault-${i} \
    --async \
    --no-address \
    --boot-disk-size 100GB \
    --image-family ubuntu-1804-lts \
    --image-project ubuntu-os-cloud \
    --machine-type n1-standard-1 \
    --scopes=https://www.googleapis.com/auth/cloudkms \
    --scopes=compute-ro \
    --tags vault
done
Facing the following issue using Ubuntu 21.10:
Should L79 in repository_install.yml simply be vault-enterprise, without ={{ vault_version }}+ent appended?