Vault security hardening and role isolation

2026-05-19 14:57:43 -02:30 · 2017-02-08 21:41:36 +00:00
parent f4ec2d18e5
commit 245e05ce61
78 changed files with 1408 additions and 706 deletions
--- a/roles/vault/tasks/main.yml
+++ b/roles/vault/tasks/main.yml
@@ -1,13 +1,19 @@
 ---
+# The Vault role is typically a two step process:
+# 1. Bootstrap
+#    This starts a temporary Vault to generate certs for Vault itself. This
+#    includes a Root CA for the cluster, assuming one doesn't exist already.
+#    The temporary instance will remain running after Bootstrap, to provide a
+#    running Vault for the Etcd role to generate certs against.
+# 2. Cluster
+#    Once Etcd is started, then the Cluster tasks can start up a long-term
+#    Vault cluster using Etcd as the backend. The same Root CA is mounted as
+#    used during step 1, allowing all certs to have the same chain of trust.

- include: check_vault.yml
-  when: inventory_hostname in groups.vault
-
-# bootstrap.yml's sole purpose is to ensure certs exist for Vault and Etcd
-# prior to startup, so TLS can be enabled.
+## Bootstrap
 - include: bootstrap/main.yml
-  when: vault_bootstrap|bool
+  when: vault_bootstrap | d()

-# cluster.yml should only run after the backend service is ready (default etcd)
+## Cluster
 - include: cluster/main.yml
-  when: not vault_bootstrap|bool
+  when: not vault_bootstrap | d()