fix: Remove unnecessary container registry step

2026-03-20 16:17:10 -04:00
parent d31b14cd72
commit 1862f20074
13 changed files with 642 additions and 7 deletions
--- a/roles/vault_setup/meta/argument_specs.yml
+++ b/roles/vault_setup/meta/argument_specs.yml
@@ -0,0 +1,61 @@
+---
+argument_specs:
+  main:
+    short_description: Configure a running HashiCorp Vault instance
+    description:
+      - Unseals Vault if sealed and unseal keys are provided.
+      - Enables and configures OIDC authentication using Keycloak.
+      - Creates an admin policy and maps a Keycloak group to it.
+      - Requires Vault to already be initialized (use vault_init tag first).
+    options:
+      vault_url:
+        description: Base URL of the Vault API.
+        type: str
+        default: "http://nas.lan.toal.ca:8200"
+      vault_validate_certs:
+        description: Whether to validate TLS certificates for Vault API calls.
+        type: bool
+        default: false
+      vault_vault_root_token:
+        description: Vault root token for API authentication. Required.
+        type: str
+        required: true
+      vault_oidc_issuer:
+        description: OIDC discovery URL base (Keycloak realm URL). Required.
+        type: str
+        required: true
+      vault_vault_oidc_client_secret:
+        description: OIDC client secret from Keycloak. Required.
+        type: str
+        required: true
+      vault_oidc_client_id:
+        description: OIDC client ID registered in Keycloak.
+        type: str
+        default: vault
+      vault_oidc_admin_group:
+        description: Keycloak group name to map to the Vault admin policy.
+        type: str
+        default: vault-admins
+      vault_oidc_default_ttl:
+        description: Default token TTL for OIDC-authenticated tokens.
+        type: str
+        default: 1h
+      vault_oidc_max_ttl:
+        description: Maximum token TTL for OIDC-authenticated tokens.
+        type: str
+        default: 8h
+      vault_unseal_keys:
+        description: >-
+          List of unseal key strings. If provided and Vault is sealed,
+          the role will attempt to unseal using these keys.
+        type: list
+        elements: str
+        default: []
+      vault_init_key_shares:
+        description: Number of key shares for vault operator init.
+        type: int
+        default: 5
+      vault_init_key_threshold:
+        description: Number of key shares required to unseal.
+        type: int
+        default: 3