---
#
# Not tested and finished yet.
#
# Register the HashiCorp Helm repository on the host that runs helm/kubectl.
- name: Helm add Hashicorp repo
  delegate_to: "{{ kubectl_host }}"
  # Repo state is local to the delegate host, so one run per play is enough.
  run_once: true
  kubernetes.core.helm_repository:
    name: hashicorp
    repo_url: 'https://helm.releases.hashicorp.com'
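# Install/upgrade the Vault Secrets Operator (VSO) chart into its own namespace.
- name: Helm deploy Hashicorp Vault Secrets Operator
  delegate_to: "{{ kubectl_host }}"
  # NOTE(review): the repo task above is run_once but this one is not; if
  # `kubeconfig` resolves to the same cluster for every host in the play the
  # install is repeated per host — confirm before adding run_once here.
  kubernetes.core.helm:
    kubeconfig: "{{ kubeconfig }}"
    chart_ref: hashicorp/vault-secrets-operator
    # NOTE(review): no chart_version is pinned, so each run resolves whatever
    # the repo currently publishes; pin one (chart_version: "<pinned version>")
    # so upgrades are deliberate and reviewable.
    release_name: vault-secrets-operator
    release_namespace: vault-secrets-operator-system
    create_namespace: true
    wait: true
    # https://github.com/hashicorp/vault-secrets-operator/blob/main/chart/values.yaml
    values:
      defaultVaultConnection:
        enabled: true
        # Vault endpoint used by VaultAuth objects that do not name their own
        # connection. Overridable per inventory/group via `vault_address`; the
        # default keeps the previously hard-coded value.
        address: "{{ vault_address | default('https://zabbix.snel.com:8200') }}"
        # Keep TLS verification on: with it off the operator would accept any
        # certificate presented for the Vault endpoint.
        skipTLSVerify: false
      # NOTE(review): `spec.template.spec.containers` is not a key in the chart's
      # values.yaml linked above, so Helm will most likely ignore this stanza and
      # the manager argument will not be applied — verify; the chart appears to
      # expose this under controller.manager.clientCache (persistenceModel).
      spec:
        template:
          spec:
            containers:
              - name: manager
                args:
                  - "--client-cache-persistence-model=direct-encrypted"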
# VaultAuth: tells VSO how workloads in namespace `app` authenticate to Vault.
- name: VaultAuth
  delegate_to: "{{ kubectl_host }}"
  kubernetes.core.k8s:
    kubeconfig: "{{ kubeconfig }}"
    # present is the module default; spelled out for readers.
    state: present
    # `definition` is the canonical option name; `resource_definition` is its alias.
    definition:
      apiVersion: secrets.hashicorp.com/v1beta1
      kind: VaultAuth
      metadata:
        name: static-auth
        namespace: app
      spec:
        # Kubernetes auth method and the mount it is enabled at in Vault.
        method: kubernetes
        mount: demo-auth-mount
        kubernetes:
          role: role1
          # NOTE(review): binding the namespace's `default` service account means
          # every pod in `app` that uses that SA inherits this Vault role; a
          # dedicated service account is the least-privilege choice.
          serviceAccount: default
          audiences:
            - vault
# VaultStaticSecret: syncs one KV secret from Vault into a Kubernetes Secret.
- name: VaultStaticSecret
  delegate_to: "{{ kubectl_host }}"
  kubernetes.core.k8s:
    kubeconfig: "{{ kubeconfig }}"
    # present is the module default; spelled out for readers.
    state: present
    # `definition` is the canonical option name; `resource_definition` is its alias.
    definition:
      apiVersion: secrets.hashicorp.com/v1beta1
      kind: VaultStaticSecret
      metadata:
        name: vault-kv-app
        namespace: app
      spec:
        # KV v2 engine mounted at `kvv2`; the secret is read from `webapp/config`.
        type: kv-v2
        mount: kvv2
        path: webapp/config
        # Kubernetes Secret the data is written into; created if it does not exist.
        destination:
          name: secretkv
          create: true
        # How often the operator re-reads the secret from Vault.
        refreshAfter: 30s
        # Name of the VaultAuth object (same namespace) used to log in to Vault;
        # it references the resource named `static-auth`, not a CRD.
        vaultAuthRef: static-auth