---
# Ansible role argument specification (meta/argument_specs.yml).
# Ansible validates the variables passed to the role against this spec
# before the role's tasks run; the option names below are the role's
# public interface and must not be renamed.
argument_specs:
  # Spec for the default entry point (tasks/main.yml).
  main:
    short_description: Configure a running HashiCorp Vault instance
    description:
      - Unseals Vault if sealed and unseal keys are provided.
      - Enables and configures OIDC authentication using Keycloak.
      - Creates an admin policy and maps a Keycloak group to it.
      - Requires Vault to already be initialized (use vault_init tag first).
    options:
      vault_url:
        description: Base URL of the Vault API.
        type: str
        # NOTE(review): the default is a plain-http URL, so the root token
        # and OIDC client secret below would travel unencrypted to this
        # endpoint; override with an https URL outside a trusted lab network.
        default: "http://nas.lan.toal.ca:8200"
      vault_validate_certs:
        description: Whether to validate TLS certificates for Vault API calls.
        type: bool
        # Default disables certificate verification (matches the http
        # default above). Set to true wherever the Vault endpoint presents
        # a trusted certificate.
        default: false
      # Sensitive: grants full Vault access. Supply it from an encrypted
      # source (ansible-vault, a lookup) rather than plain-text vars, and
      # keep it out of task output.
      # NOTE(review): the doubled `vault_vault_` prefix differs from the
      # other option names; renaming would break existing callers, so
      # confirm whether it is intended before touching it.
      vault_vault_root_token:
        description: Vault root token for API authentication. Required.
        type: str
        required: true
      vault_oidc_issuer:
        description: OIDC discovery URL base (Keycloak realm URL). Required.
        type: str
        required: true
      # Sensitive: same handling as the root token. Carries the same
      # doubled `vault_vault_` prefix — see the note above.
      vault_vault_oidc_client_secret:
        description: OIDC client secret from Keycloak. Required.
        type: str
        required: true
      vault_oidc_client_id:
        description: OIDC client ID registered in Keycloak.
        type: str
        default: vault
      vault_oidc_admin_group:
        description: Keycloak group name to map to the Vault admin policy.
        type: str
        default: vault-admins
      # TTLs are Vault duration strings (e.g. "1h"), hence type str, not int.
      vault_oidc_default_ttl:
        description: Default token TTL for OIDC-authenticated tokens.
        type: str
        default: 1h
      vault_oidc_max_ttl:
        description: Maximum token TTL for OIDC-authenticated tokens.
        type: str
        default: 8h
      # Sensitive: unseal key shares reconstruct the master key. Treat the
      # list like the root token (encrypted source, never logged). The empty
      # default means "do not attempt to unseal".
      vault_unseal_keys:
        description: >-
          List of unseal key strings. If provided and Vault is sealed,
          the role will attempt to unseal using these keys.
        type: list
        elements: str
        default: []
      # NOTE(review): the description above says Vault must already be
      # initialized (vault_init tag); the two init options below presumably
      # apply only under that tag — confirm against the task files.
      vault_init_key_shares:
        description: Number of key shares for vault operator init.
        type: int
        default: 5
      vault_init_key_threshold:
        description: Number of key shares required to unseal.
        type: int
        # Must be <= vault_init_key_shares for `vault operator init` to
        # accept it; the spec cannot express that cross-field constraint.
        default: 3