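---
# Vault configuration consumed by the configure-vault playbook of the bridge.
# Layout: the *_main variables define policies, AppRoles, Kubernetes auth roles
# and password policies; vault_instances.main wires them to one Vault cluster.
# NOTE(review): the source copy of this file had lost its indentation; the
# nesting below was reconstructed from the key names — confirm against the
# schema the playbook expects, in particular the placement of `kubernetes.roles`.

vault_policies_main:
  # configure-vault playbook of the bridge to tune secret engines
  # (no "delete" here — unmounting an engine is deliberately not granted)
  - name: "sys-mounts-cru"
    definition: |
      path "sys/mounts/*" {
        capabilities = ["read", "list", "create", "update"]
      }

  # configure-vault playbook of the bridge to tune auth methods
  # "+" matches exactly one path segment, i.e. any auth mount name
  - name: "sys-auth-ru"
    definition: |
      path "sys/mounts/auth/+/tune" {
        capabilities = ["read", "update"]
      }

  # configure-vault playbook of the bridge to revoke leases
  - name: "sys-leases-revoke"
    definition: |
      path "sys/leases/revoke" {
        capabilities = ["update"]
      }

  # configure-vault playbook of the bridge to maintain policies
  # Write access to sys/policies/acl/* allows editing any policy, including the
  # holder's own, so this policy is effectively admin-level: the AppRole that
  # carries it (vault-config below) must have its secret-id handled accordingly.
  - name: "policies-acl-rw"
    definition: |
      path "sys/policies/acl/*" {
        capabilities = ["read", "list", "create", "update", "delete"]
      }

  # configure-vault playbook of the bridge to maintain approles
  - name: "approle-rw"
    definition: |
      path "auth/approle/role/*" {
        capabilities = ["read", "list", "create", "update", "delete"]
      }

  # configure-vault playbook of the bridge to maintain k8 authorizations
  # "auth/+/config" covers the config endpoint of every auth mount, not only
  # the kubernetes ones; narrow "+" to the mount name if that is not intended.
  - name: "k8auth-rw"
    definition: |
      path "auth/+/config" {
        capabilities = ["read", "list", "create", "update", "delete"]
      }

  # configure-vault playbook of the bridge to maintain k8 auth roles
  # "auth/+/role/*" also matches auth/approle/role/*, overlapping approle-rw.
  - name: "k8role-rw"
    definition: |
      path "auth/+/role/*" {
        capabilities = ["read", "list", "create", "update", "delete"]
      }

  # Get password policies
  - name: "pwd-policy-ro"
    definition: |
      path "sys/policies/password/*" {
        capabilities = ["read", "list"]
      }

  # Maintain password policies
  - name: "pwd-policy-rw"
    definition: |
      path "sys/policies/password/*" {
        capabilities = ["read", "list", "create", "update", "delete"]
      }

  # Zuul checking whether requested approle exists
  - name: "approle-zuul-roles-read"
    definition: |
      path "auth/approle/role/zuul_scs_opentelekomcloud-scs_zuul-config" {
        capabilities = ["read"]
      }

  # Zuul create new secret for the approle
  # "update" on .../secret-id mints new secret-ids for this one role only.
  - name: "approle-zuul-secret-id-w"
    definition: |
      path "auth/approle/role/zuul_scs_opentelekomcloud-scs_zuul-config/secret-id" {
        capabilities = ["update"]
      }

  # zuul itself (KV v2: data and metadata are separate paths)
  - name: "zuul-app-ro"
    definition: |
      path "secret/data/zuul/*" {
        capabilities = ["read"]
      }
      path "secret/metadata/zuul/*" {
        capabilities = ["read"]
      }

vault_approles_main:
  # This approle is used by bridge to provision systems.
  # Together these policies can mount engines, tune auth and rewrite ACLs, so
  # tokens issued from it are highly privileged; token_ttl bounds their life.
  - name: "vault-config"
    token_policies:
      - "sys-mounts-cru"
      - "sys-auth-ru"
      - "policies-acl-rw"
      - "approle-rw"
      - "k8auth-rw"
      - "k8role-rw"
      - "sys-leases-revoke"
      - "pwd-policy-rw"
    token_ttl: "2h"

vault_k8roles_main:
  # Zuul Kubernetes auth
  # "cloud-users-zuul-ro" is not defined in vault_policies_main above;
  # presumably it comes from another vars file — verify it exists in Vault.
  - name: "zuul"
    auth_path: "kubernetes_scs"
    policies: ["zuul-app-ro", "cloud-users-zuul-ro"]
    bound_service_account_names: ["zuul"]
    bound_service_account_namespaces: ["zuul-ci"]
    token_ttl: "3h"

vault_pwd_policies_main:
  # Vault password policy: 20 chars, at least one from each charset below
  - name: "os-policy"
    policy: |
      length = 20
      rule "charset" {
        charset = "abcdefghijklmnopqrstuvwxyz"
        min-chars = 1
      }
      rule "charset" {
        charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
        min-chars = 1
      }
      rule "charset" {
        charset = "0123456789"
        min-chars = 1
      }
      rule "charset" {
        charset = "!@#$%^&*"
        min-chars = 1
      }

# Explicit empty lists: a bare key would parse as null, not an empty list
vault_os_clouds_main: []
vault_os_roles_main: []
vault_os_static_roles_main: []

vault_instances:
  # main redundancy cluster
  main:
    vault_addr: "https://vault-lb.scs.otc-service.com:8200"
    # Reuses the token the playbook is already running with (lookup-self);
    # no token material is stored in this file.
    vault_token: "{{ lookup('community.hashi_vault.hashi_vault', 'auth/token/lookup-self').id }}"
    policies: "{{ vault_policies_main }}"
    approle:
      roles: "{{ vault_approles_main }}"
    kubernetes:
      auths:
        - path: "kubernetes_scs"
          kubernetes_host: "{{ scs_k8s.server }}"
          kubernetes_ca_cert: "{{ scs_k8s.secrets['ca.crt'] }}"
      # each role names its auth mount via auth_path
      roles: "{{ vault_k8roles_main }}"
    # Left empty in the source; explicit null has the same value as a bare key
    pki: null
    # Admin settings
    # Secret engines
    secret_engines:
      - path: "secret"
        type: "kv"
        description: "KV Secrets Engine"
        options:
          version: "2"
      - path: "database"
        type: "database"
        description: "Database secrets Engine"
    auths:
      - path: "approle"
        type: "approle"
        description: "AppRole authorization"
      - path: "kubernetes_scs"
        type: "kubernetes"
        description: "OTC CI K8 cluster authorization"
    pwd_policies: "{{ vault_pwd_policies_main }}"
    # Openstack cloud/role definition
    os_clouds: "{{ vault_os_clouds_main }}"
    os_roles: "{{ vault_os_roles_main }}"
    os_static_roles: "{{ vault_os_static_roles_main }}"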