system-config/inventory/service/group_vars/vault-controller.yaml


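---
# Vault ACL policies maintained on the "main" cluster (see vault_instances).
# Each "definition" is an HCL snippet that the configure-vault playbook pushes
# verbatim to sys/policies/acl/<name>.
vault_policies_main:
  # configure-vault playbook of the bridge: enable and tune secret engines.
  # "create" on sys/mounts/* lets the holder enable new engines at any path;
  # it also covers the sys/mounts/auth/+/tune path granted separately below.
  - name: "sys-mounts-cru"
    definition: |
      path "sys/mounts/*" { capabilities = ["read", "list", "create", "update"] }
  # configure-vault playbook of the bridge: tune auth methods
  - name: "sys-auth-ru"
    definition: |
      path "sys/mounts/auth/+/tune" { capabilities = ["read", "update"] }
  # configure-vault playbook of the bridge: revoke leases
  - name: "sys-leases-revoke"
    definition: |
      path "sys/leases/revoke" { capabilities = ["update"] }
  # configure-vault playbook of the bridge: maintain ACL policies.
  # Root-equivalent: write access to every ACL policy (this one included)
  # lets the holder grant itself any capability. Attach only to the token
  # the configure-vault run uses.
  - name: "policies-acl-rw"
    definition: |
      path "sys/policies/acl/*" { capabilities = ["read", "list", "create", "update", "delete"] }
  # configure-vault playbook of the bridge: maintain AppRoles
  - name: "approle-rw"
    definition: |
      path "auth/approle/role/*" { capabilities = ["read", "list", "create", "update", "delete"] }
  # configure-vault playbook of the bridge: maintain auth-method configuration.
  # auth/+/config matches the config endpoint of every auth mount, not only
  # the Kubernetes ones the name suggests.
  - name: "k8auth-rw"
    definition: |
      path "auth/+/config" { capabilities = ["read", "list", "create", "update", "delete"] }
  # configure-vault playbook of the bridge: maintain auth-method roles.
  # auth/+/role/* also matches auth/approle/role/*, so this is a superset of
  # approle-rw and can create or modify the Zuul AppRoles listed below.
  - name: "k8role-rw"
    definition: |
      path "auth/+/role/*" { capabilities = ["read", "list", "create", "update", "delete"] }
  # Zuul: check whether a requested AppRole exists.
  # Deliberately an explicit allow-list instead of a zuul_* glob; extend it
  # together with approle-zuul-secret-id-w when a new Zuul project is onboarded.
  - name: "approle-zuul-roles-read"
    definition: |
      path "auth/approle/role/zuul_eco_opentelekomcloud-infra_otc-zuul-jobs" { capabilities = ["read"] }
      path "auth/approle/role/zuul_eco_opentelekomcloud-infra_zuul-project-config" { capabilities = ["read"] }
      path "auth/approle/role/zuul_eco_opentelekomcloud-infra_gitstyring" { capabilities = ["read"] }
      path "auth/approle/role/zuul_eco_opentelekomcloud-docs_doc-exports" { capabilities = ["read"] }
      path "auth/approle/role/zuul_gl_ecosystem_zuul-project-config" { capabilities = ["read"] }
      path "auth/approle/role/zuul_gl_ecosystem_gitstyring" { capabilities = ["read"] }
  # Zuul: create a new SecretID for its AppRoles.
  # "update" on .../secret-id issues login credentials for the role, so this
  # policy must only be attached to Zuul itself. Same allow-list as above.
  - name: "approle-zuul-secret-id-w"
    definition: |
      path "auth/approle/role/zuul_eco_opentelekomcloud-infra_otc-zuul-jobs/secret-id" { capabilities = ["update"] }
      path "auth/approle/role/zuul_eco_opentelekomcloud-infra_zuul-project-config/secret-id" { capabilities = ["update"] }
      path "auth/approle/role/zuul_eco_opentelekomcloud-infra_gitstyring/secret-id" { capabilities = ["update"] }
      path "auth/approle/role/zuul_eco_opentelekomcloud-docs_doc-exports/secret-id" { capabilities = ["update"] }
      path "auth/approle/role/zuul_gl_ecosystem_zuul-project-config/secret-id" { capabilities = ["update"] }
      path "auth/approle/role/zuul_gl_ecosystem_gitstyring/secret-id" { capabilities = ["update"] }
  # Bridge access to inventory: every cloud user and cloud definition.
  # In KV v2 "list" applies to the metadata/ path; on data/ it is a no-op.
  - name: "cloud-users-all-ro"
    definition: |
      path "secret/data/cloud_users/*" { capabilities = ["read", "list"] }
      path "secret/metadata/cloud_users/*" { capabilities = ["read", "list"] }
      path "secret/data/clouds/*" { capabilities = ["read", "list"] }
      path "secret/metadata/clouds/*" { capabilities = ["read", "list"] }
  # zuul deployment: read only its own nodepool credentials (no list)
  - name: "cloud-users-zuul-ro"
    definition: |
      path "secret/data/cloud_users/448_nodepool" { capabilities = ["read"] }
      path "secret/metadata/cloud_users/448_nodepool" { capabilities = ["read"] }
      path "secret/data/clouds/otcci_nodepool*" { capabilities = ["read"] }
      path "secret/metadata/clouds/otcci_nodepool*" { capabilities = ["read"] }
  # zuul itself: its own application secrets
  - name: "zuul-app-ro"
    definition: |
      path "secret/data/zuul/*" { capabilities = ["read"] }
      path "secret/metadata/zuul/*" { capabilities = ["read"] }
  # database secret engine management: full access to the engine, including
  # database/config/* (connection credentials) and database/roles/*
  - name: "database-rw"
    definition: |
      path "database/*" { capabilities = ["read", "list", "create", "update", "delete"] }
  # Get credentials for databases.
  # NOTE(review): read on database/* also covers database/config/* and
  # database/roles/*; if consumers only issue credentials, database/creds/*
  # (and database/static-creds/*) would be tighter -- confirm with callers.
  - name: "database-ro"
    definition: |
      path "database/*" { capabilities = ["read", "list"] }
  # Temporary storage of the db users (in kv store).
  # NOTE(review): retire this path once callers are served by the database
  # engine (database-ro) -- confirm nothing still reads secret/db.
  - name: "tmp-db-ro"
    definition: |
      path "secret/data/db/*" { capabilities = ["read"] }
      path "secret/metadata/db/*" { capabilities = ["read"] }
  # some ssh stuff, most likely zuul
  - name: "ssh-ro"
    definition: |
      path "secret/data/ssh/*" { capabilities = ["read"] }
      path "secret/metadata/ssh/*" { capabilities = ["read"] }
  # jobs want to open PRs: single Gitea CI/CD credential
  - name: "gitea-cicd"
    definition: |
      path "secret/data/gitea_cicd" { capabilities = ["read"] }
      path "secret/metadata/gitea_cicd" { capabilities = ["read"] }
  # Swift configuration
  - name: "swift-ro"
    definition: |
      path "secret/data/swift/*" { capabilities = ["read"] }
      path "secret/metadata/swift/*" { capabilities = ["read"] }
  # Get credentials for openstack cloud (OpenStack secrets engine)
  - name: "openstack-ro"
    definition: |
      path "openstack/*" { capabilities = ["read", "list"] }
  # Maintain openstack clouds/roles
  - name: "openstack-rw"
    definition: |
      path "openstack/*" { capabilities = ["read", "list", "create", "update", "delete"] }
  # Get password policies
  - name: "pwd-policy-ro"
    definition: |
      path "sys/policies/password/*" { capabilities = ["read", "list"] }
  # Maintain password policies
  - name: "pwd-policy-rw"
    definition: |
      path "sys/policies/password/*" { capabilities = ["read", "list", "create", "update", "delete"] }
  # Gitea configuration
  - name: "gitea-ro"
    definition: |
      path "secret/data/gitea" { capabilities = ["read"] }
      path "secret/metadata/gitea" { capabilities = ["read"] }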
# AppRoles managed by the playbook on the main cluster; none at the moment
# (the Zuul AppRoles referenced in the policies above are not created here).
vault_approles_main: []
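# Kubernetes auth roles managed on the main cluster.
vault_k8roles_main:
  # Zuul otcci auth: role on the kubernetes_scs auth mount for the Zuul
  # service account. Bound to exactly one SA in one namespace and granted
  # read-only policies only.
  - name: "zuul"
    auth_path: "kubernetes_scs"
    policies: ["zuul-app-ro", "cloud-users-zuul-ro"]
    bound_service_account_names: ["zuul"]
    bound_service_account_namespaces: ["zuul-ci"]
    # issued tokens expire after 3h
    token_ttl: "3h"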
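# Vault password policies (HCL) pushed to sys/policies/password/<name>.
vault_pwd_policies_main:
  # Generated passwords are exactly 20 characters with at least one lower-case,
  # one upper-case, one digit and one symbol from the listed set.
  # (Name suggests it is used for OpenStack users -- see os_* settings.)
  - name: "os-policy"
    policy: |
      length = 20
      rule "charset" {
        charset = "abcdefghijklmnopqrstuvwxyz"
        min-chars = 1
      }
      rule "charset" {
        charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
        min-chars = 1
      }
      rule "charset" {
        charset = "0123456789"
        min-chars = 1
      }
      rule "charset" {
        charset = "!@#$%^&*"
        min-chars = 1
      }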
# OpenStack secrets engine objects (clouds, dynamic roles, static roles);
# nothing is managed on the main cluster yet.
vault_os_clouds_main: []
vault_os_roles_main: []
vault_os_static_roles_main: []
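# Vault clusters the configure-vault playbook manages, keyed by instance name.
vault_instances:
  # main redundancy cluster
  main:
    vault_addr: "https://vault-lb.scs.otc-service.com:8200"
    # Token the playbook authenticates with. It needs the admin policies above
    # (policies-acl-rw is root-equivalent), so it must be supplied at run time
    # (environment / ansible-vault) and never committed in clear text.
    vault_token: "{{ ansible_hashi_vault_token }}"
    # Alternative: reuse the token the controller is already logged in with.
    # vault_token: "{{ lookup('community.hashi_vault.hashi_vault', 'auth/token/lookup-self').id }}"
    policies: "{{ vault_policies_main }}"
    approle:
      roles: "{{ vault_approles_main }}"
    kubernetes:
      # Kubernetes auth mounts to configure (auth/<path>/config)
      auths:
        - path: "kubernetes_scs"
          kubernetes_host: "{{ scs_k8s.server }}"
          kubernetes_ca_cert: "{{ scs_k8s.secrets['ca.crt'] }}"
      # Roles carry their own auth_path, so they are listed once per instance.
      # NOTE(review): nesting recovered from a flattened copy -- confirm against
      # the role's expected schema.
      roles: "{{ vault_k8roles_main }}"
    # No PKI engine is configured on this instance.
    pki: null
    # Admin settings
    # Secret engines
    secret_engines:
      - path: "secret"
        type: "kv"
        description: "KV Secrets Engine"
        options:
          version: "2"
      - path: "database"
        type: "database"
        description: "Database secrets Engine"
    # Auth methods to enable; kubernetes_scs is configured under kubernetes.auths
    auths:
      - path: "approle"
        type: "approle"
        description: "AppRole authorization"
      - path: "kubernetes_scs"
        type: "kubernetes"
        description: "OTC CI K8 cluster authorization"
    pwd_policies: "{{ vault_pwd_policies_main }}"
    # OpenStack cloud/role definitions
    os_clouds: "{{ vault_os_clouds_main }}"
    os_roles: "{{ vault_os_roles_main }}"
    os_static_roles: "{{ vault_os_static_roles_main }}"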