93 lines
3.0 KiB
YAML
93 lines
3.0 KiB
YAML
---
|
|
|
|
vault_agent_root_dir: /opt/vault_agent
|
|
|
|
# Address of the vault server
|
|
vault_agent_vault_address: https://vault.service.consul
|
|
|
|
# Type of authentication. Can be token or approle
|
|
vault_agent_auth: approle
|
|
|
|
# If auth is approle, you have to set vault_agent_approle_role_id and vault_agent_approle_secret_id
|
|
# vault_agent_approle_role_id: XXXXX
|
|
# vault_agent_approle_secret_id: XXXXXXX
|
|
|
|
# If auth is token, you have to set vault_agent_token
|
|
# vault_agent_token: XXXXX
|
|
|
|
# List of sinks where the token can be written
|
|
vault_agent_sinks: []
|
|
# vault_agent_sinks:
|
|
# - path: /tmp/vault.token
|
|
# wrap_ttl: 20s
|
|
# mode: 600
|
|
|
|
|
|
# List of templates
|
|
vault_agent_templates: []
|
|
# vault_agent_templates:
|
|
# # Use only one of source or contents
|
|
# - source: /srv/foo.tpl
|
|
# contents: "{{ with secret \"kv/bar\" }}{{.Data.data.baz}}{{ end }}"
|
|
# destination: /src/foo
|
|
# left_delimiter = "[["
|
|
# right_delimiter = "]]"
|
|
# perms: 0600
|
|
# exec:
|
|
# timeout: 30s
|
|
# command: systemctl restart foo.service
|
|
|
|
vault_agent_nomad_base:
|
|
# Should vault-agent fetch a vault token for use by Nomad
|
|
vault_token:
|
|
enabled: False
|
|
role: nomad-{{ nomad_conf.server.enabled | ternary('server', 'client') }}
|
|
|
|
# Should vault-agent fetch certificates from vault for use by Nomad agent
|
|
nomad_pki:
|
|
enabled: False
|
|
path: pki/nomad
|
|
role: nomad-{{ nomad_conf.server.enabled | ternary('server', 'client') }}
|
|
ttl: 72h
|
|
# Vault can get a client certificate for administrative tasks
|
|
cli:
|
|
enabled: "{{ nomad_conf.server.enabled | ternary(True, False) }}"
|
|
role: nomad-user
|
|
ttl: 72h
|
|
# When renewing this cert, vault-agent can update nomad secret (so vault can connect to the Nomad API to manage tokens)
|
|
# secret_path: nomad
|
|
|
|
# Should vault-agent fetch a certificate to connect on Consul. This is required when using Consul Connect
|
|
# Even if a Consul agent is available on localhost with no TLS
|
|
consul_pki:
|
|
enabled: False
|
|
path: pki/consul
|
|
role: nomad-client # Only Nomad clients will use Consul PKI
|
|
ttl: 72h
|
|
|
|
# Should vault-agent fetch a consul token. It'll be used to register services in Consul service catalog
|
|
consul_token:
|
|
enabled: False
|
|
# The path of the consul secret engine
|
|
path: consul
|
|
# The role used to get the token
|
|
role: nomad-{{ nomad_conf.server.enabled | ternary('server', 'client') }}
|
|
|
|
vault_agent_nomad_extra: {}
|
|
vault_agent_nomad_host: {}
|
|
vault_agent_nomad: "{{ vault_agent_nomad_base | combine(vault_agent_nomad_extra, recursive=True) | combine(vault_agent_nomad_host, recursive=True) }}"
|
|
|
|
|
|
vault_agent_consul_base:
|
|
# Should vault-agent fetch certificates for Consul agent
|
|
consul_pki:
|
|
enabled: False
|
|
path: pki/consul
|
|
role: consul-{{ consul_conf.server | ternary('server', 'client') }}
|
|
ttl: 72h
|
|
|
|
vault_agent_consul_extra: {}
|
|
vault_agent_consul_host: {}
|
|
vault_agent_consul: "{{ vault_agent_consul_base | combine(vault_agent_consul_extra, recursive=True) | combine(vault_agent_consul_host, recursive=True) }}"
|
|
|