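---
# Vault configuration data: ACL policies, auth roles, password policies and the
# per-instance wiring that references them. The inline comments mention the
# bridge's "configure-vault" playbook as the consumer; the playbook itself is
# not in this file, so the exact schema it expects is not visible here.
#
# Policy bodies are Vault HCL kept as literal block scalars (`|`), so they reach
# Vault byte-for-byte. Review notes on the broader grants are marked NOTE(review).

vault_policies_main:
  # configure-vault playbook of the bridge to tune secret engines
  # NOTE(review): create/update on "sys/mounts/*" lets the holder enable or
  # reconfigure any secrets engine; only "delete" (unmount) is withheld.
  - name: "sys-mounts-cru"
    definition: |
      path "sys/mounts/*" {
        capabilities = ["read", "list", "create", "update"]
      }

  # configure-vault playbook of the bridge to tune auth methods
  - name: "sys-auth-ru"
    definition: |
      path "sys/mounts/auth/+/tune" {
        capabilities = ["read", "update"]
      }

  # configure-vault playbook of the bridge to revoke leases
  # (the copy-pasted "tune secret engines" wording did not match the path)
  - name: "sys-leases-revoke"
    definition: |
      path "sys/leases/revoke" {
        capabilities = ["update"]
      }

  # configure-vault playbook of the bridge to maintain policies
  # NOTE(review): full control over every ACL policy means a holder of this
  # policy can widen any other policy in this file, including its own grants.
  - name: "policies-acl-rw"
    definition: |
      path "sys/policies/acl/*" {
        capabilities = ["read", "list", "create", "update", "delete"]
      }

  # configure-vault playbook of the bridge to maintain approles
  - name: "approle-rw"
    definition: |
      path "auth/approle/role/*" {
        capabilities = ["read", "list", "create", "update", "delete"]
      }

  # configure-vault playbook of the bridge to maintain k8 authorizations
  # NOTE(review): "+" matches any single path segment, so "auth/+/config"
  # covers the config of every auth mount (approle and kubernetes_scs alike),
  # not only the kubernetes one the comment names — confirm this is intended.
  - name: "k8auth-rw"
    definition: |
      path "auth/+/config" {
        capabilities = ["read", "list", "create", "update", "delete"]
      }

  # configure-vault playbook of the bridge to maintain k8 auth roles
  # NOTE(review): same "+" wildcard as above — "auth/+/role/*" also matches
  # "auth/approle/role/*", so this overlaps with "approle-rw".
  - name: "k8role-rw"
    definition: |
      path "auth/+/role/*" {
        capabilities = ["read", "list", "create", "update", "delete"]
      }

  # Zuul checking whether requested approle exists
  - name: "approle-zuul-roles-read"
    definition: |
      path "auth/approle/role/zuul_eco_opentelekomcloud-infra_otc-zuul-jobs" {
        capabilities = ["read"]
      }
      path "auth/approle/role/zuul_eco_opentelekomcloud-infra_zuul-project-config" {
        capabilities = ["read"]
      }
      path "auth/approle/role/zuul_eco_opentelekomcloud-infra_gitstyring" {
        capabilities = ["read"]
      }
      path "auth/approle/role/zuul_eco_opentelekomcloud-docs_doc-exports" {
        capabilities = ["read"]
      }
      path "auth/approle/role/zuul_gl_ecosystem_zuul-project-config" {
        capabilities = ["read"]
      }
      path "auth/approle/role/zuul_gl_ecosystem_gitstyring" {
        capabilities = ["read"]
      }

  # Zuul create new secret for the approle
  # NOTE(review): "update" on ".../secret-id" issues fresh secret-ids for these
  # roles; the role list here must stay in sync with the read policy above.
  - name: "approle-zuul-secret-id-w"
    definition: |
      path "auth/approle/role/zuul_eco_opentelekomcloud-infra_otc-zuul-jobs/secret-id" {
        capabilities = ["update"]
      }
      path "auth/approle/role/zuul_eco_opentelekomcloud-infra_zuul-project-config/secret-id" {
        capabilities = ["update"]
      }
      path "auth/approle/role/zuul_eco_opentelekomcloud-infra_gitstyring/secret-id" {
        capabilities = ["update"]
      }
      path "auth/approle/role/zuul_eco_opentelekomcloud-docs_doc-exports/secret-id" {
        capabilities = ["update"]
      }
      path "auth/approle/role/zuul_gl_ecosystem_zuul-project-config/secret-id" {
        capabilities = ["update"]
      }
      path "auth/approle/role/zuul_gl_ecosystem_gitstyring/secret-id" {
        capabilities = ["update"]
      }

  # Bridge access to inventory
  # KV v2 exposes "data/" and "metadata/" as separate paths, so both are listed.
  - name: "cloud-users-all-ro"
    definition: |
      path "secret/data/cloud_users/*" {
        capabilities = ["read", "list"]
      }
      path "secret/metadata/cloud_users/*" {
        capabilities = ["read", "list"]
      }
      path "secret/data/clouds/*" {
        capabilities = ["read", "list"]
      }
      path "secret/metadata/clouds/*" {
        capabilities = ["read", "list"]
      }

  # zuul deployment to know own credentials
  - name: "cloud-users-zuul-ro"
    definition: |
      path "secret/data/cloud_users/448_nodepool" {
        capabilities = ["read"]
      }
      path "secret/metadata/cloud_users/448_nodepool" {
        capabilities = ["read"]
      }
      path "secret/data/clouds/otcci_nodepool*" {
        capabilities = ["read"]
      }
      path "secret/metadata/clouds/otcci_nodepool*" {
        capabilities = ["read"]
      }

  # zuul itself
  - name: "zuul-app-ro"
    definition: |
      path "secret/data/zuul/*" {
        capabilities = ["read"]
      }
      path "secret/metadata/zuul/*" {
        capabilities = ["read"]
      }

  # database secret engine mgmt
  - name: "database-rw"
    definition: |
      path "database/*" {
        capabilities = ["read", "list", "create", "update", "delete"]
      }

  # Get credentials for databases
  - name: "database-ro"
    definition: |
      path "database/*" {
        capabilities = ["read", "list"]
      }

  # Temporary storage of the db users (in kv store)
  - name: "tmp-db-ro"
    definition: |
      path "secret/data/db/*" {
        capabilities = ["read"]
      }
      path "secret/metadata/db/*" {
        capabilities = ["read"]
      }

  # some ssh stuff, most likely zuul
  - name: "ssh-ro"
    definition: |
      path "secret/data/ssh/*" {
        capabilities = ["read"]
      }
      path "secret/metadata/ssh/*" {
        capabilities = ["read"]
      }

  # jobs want to open PRs
  - name: "gitea-cicd"
    definition: |
      path "secret/data/gitea_cicd" {
        capabilities = ["read"]
      }
      path "secret/metadata/gitea_cicd" {
        capabilities = ["read"]
      }

  # Swift configuration
  - name: "swift-ro"
    definition: |
      path "secret/data/swift/*" {
        capabilities = ["read"]
      }
      path "secret/metadata/swift/*" {
        capabilities = ["read"]
      }

  # Get credentials for openstack cloud
  - name: "openstack-ro"
    definition: |
      path "openstack/*" {
        capabilities = ["read", "list"]
      }

  # Maintain openstack clouds/roles
  - name: "openstack-rw"
    definition: |
      path "openstack/*" {
        capabilities = ["read", "list", "create", "update", "delete"]
      }

  # Get password policies
  - name: "pwd-policy-ro"
    definition: |
      path "sys/policies/password/*" {
        capabilities = ["read", "list"]
      }

  # Maintain password policies
  - name: "pwd-policy-rw"
    definition: |
      path "sys/policies/password/*" {
        capabilities = ["read", "list", "create", "update", "delete"]
      }

  # Gitea configuration
  - name: "gitea-ro"
    definition: |
      path "secret/data/gitea" {
        capabilities = ["read"]
      }
      path "secret/metadata/gitea" {
        capabilities = ["read"]
      }

# No AppRoles are managed from this file; explicit empty list, not null.
vault_approles_main: []

vault_k8roles_main:
  # Zuul otcci auth
  # Binds the Vault role to one service account in one namespace; the token
  # it issues carries only the two read-only policies listed.
  - name: "zuul"
    auth_path: "kubernetes_scs"
    policies: ["zuul-app-ro", "cloud-users-zuul-ro"]
    bound_service_account_names: ["zuul"]
    bound_service_account_namespaces: ["zuul-ci"]
    token_ttl: "3h"

vault_pwd_policies_main:
  # Generated passwords: 20 chars with at least one lower, upper, digit and
  # symbol from the listed sets.
  - name: "os-policy"
    policy: |
      length = 20
      rule "charset" {
        charset = "abcdefghijklmnopqrstuvwxyz"
        min-chars = 1
      }
      rule "charset" {
        charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
        min-chars = 1
      }
      rule "charset" {
        charset = "0123456789"
        min-chars = 1
      }
      rule "charset" {
        charset = "!@#$%^&*"
        min-chars = 1
      }

vault_os_clouds_main: []
vault_os_roles_main: []
vault_os_static_roles_main: []

vault_instances:
  # main redundancy cluster
  main:
    vault_addr: "https://vault-lb.scs.otc-service.com:8200"
    # Token is supplied by the caller as an Ansible variable, so it is never
    # stored in this file.
    vault_token: "{{ ansible_hashi_vault_token }}"
    # vault_token: "{{ lookup('community.hashi_vault.hashi_vault', 'auth/token/lookup-self').id }}"
    policies: "{{ vault_policies_main }}"
    approle:
      roles: "{{ vault_approles_main }}"
    kubernetes:
      auths:
        - path: "kubernetes_scs"
          kubernetes_host: "{{ scs_k8s.server }}"
          kubernetes_ca_cert: "{{ scs_k8s.secrets['ca.crt'] }}"
          roles: "{{ vault_k8roles_main }}"
    # NOTE(review): a bare key parses as null, not as an empty mapping — confirm
    # the consuming playbook tolerates `pki` being null before relying on it.
    pki:
    # Admin settings
    # Secret engines
    secret_engines:
      - path: "secret"
        type: "kv"
        description: "KV Secrets Engine"
        options:
          version: "2"  # quoted so it stays a string, not an int
      - path: "database"
        type: "database"
        description: "Database secrets Engine"
    auths:
      - path: "approle"
        type: "approle"
        description: "AppRole authorization"
      - path: "kubernetes_scs"
        type: "kubernetes"
        description: "OTC CI K8 cluster authorization"
    pwd_policies: "{{ vault_pwd_policies_main }}"
    # Openstack cloud/role definition
    os_clouds: "{{ vault_os_clouds_main }}"
    os_roles: "{{ vault_os_roles_main }}"
    os_static_roles: "{{ vault_os_static_roles_main }}"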