Operations grimoire/Eglide/Vault: Difference between revisions
(Created page with "Vault on the shellserver role is installed through HashiCorp repository package. States are located in {{Ops file|roles/shellserver/vault}} unit. This unit is needed as Eglide isn't connected to our private network and so doesn't have access to Complector directly. == Certificates == Vault certificates should be generated in /etc/certificates/vault If we use the Nasqueron Vault CA for this, Vault client should use certificate from <code>/usr/local/share/ca-certificate...") |
mNo edit summary |
||
Line 6: | Line 6: | ||
Vault certificates should be generated in /etc/certificates/vault | Vault certificates should be generated in /etc/certificates/vault | ||
If we use the Nasqueron Vault CA for this, Vault client should use certificate from <code>/usr/local/share/ca-certificates/nasqueron-vault-ca.crt</code> like on any other server. The certificates_update_store state in {{roles/core/certificates}} includes that certificate in /etc/ssl/certs as <code>debian:nasqueron-vault-ca.pem</code>. | If we use the Nasqueron Vault CA for this, Vault client should use certificate from <code>/usr/local/share/ca-certificates/nasqueron-vault-ca.crt</code> like on any other server. The certificates_update_store state in {{Ops file|roles/core/certificates}} includes that certificate in /etc/ssl/certs as <code>debian:nasqueron-vault-ca.pem</code>. | ||
Vault server wants two files to do TLS termination: | Vault server wants two files to do TLS termination: |
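Review bot: On the changed line, /etc/ssl/certs and the certificates_update_store state name stay as plain text while the two certificate file names on the same line are wrapped in <code>, and /etc/certificates/vault in the context line above is plain text too. Suggest wrapping these in <code> as well so every path and state name on the page renders the same way.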
Revision as of 10:08, 29 May 2023
Vault on the shellserver role is installed through the HashiCorp repository package.
States are located in the rOPS: roles/shellserver/vault unit. This unit is needed because Eglide isn't connected to our private network and so doesn't have direct access to Complector.
Certificates
Vault certificates should be generated in /etc/certificates/vault.
If we use the Nasqueron Vault CA for this, the Vault client should use the certificate from /usr/local/share/ca-certificates/nasqueron-vault-ca.crt, like on any other server. The certificates_update_store state in rOPS: roles/core/certificates includes that certificate in /etc/ssl/certs as debian:nasqueron-vault-ca.pem.
The Vault server needs two files to do TLS termination:
- /etc/certificates/vault/private.key
- /etc/certificates/vault/fullchain.pem
From Operations grimoire/Vault we can generate those elements from Complector Vault (working on Complector or WindRiver).
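One way to check the two generated files before Vault is started with them, as an added example that is not part of the rOPS states: it confirms that private.key belongs to the leaf certificate, that fullchain.pem verifies against the CA file, and that the key is not world-readable. The function names are hypothetical, the openssl CLI is assumed to be installed, and fullchain.pem is assumed to list the leaf certificate first.

```shell
#!/bin/sh
# Added example: pre-flight checks for the TLS files the Vault server reads.
# Function names are illustrative; default paths are the ones given on this page.

# Succeeds when the private key ($1) belongs to the first (leaf) certificate in $2.
key_matches_cert() {
    # "-passin pass:" makes an encrypted key fail instead of prompting.
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$1" -passin pass: -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Succeeds when the leaf in fullchain.pem ($1) verifies with the CA file ($2),
# using the remaining certificates in $1 as untrusted intermediates.
chain_verifies() {
    openssl verify -CAfile "$2" -untrusted "$1" "$1" >/dev/null 2>&1
}

# Succeeds when the key file exists and is not readable by "other".
key_not_world_readable() {
    [ -f "$1" ] && [ -z "$(find "$1" -prune -perm -004 2>/dev/null)" ]
}

# Runs all three checks; $1 = certificate directory, $2 = CA file.
check_vault_tls() {
    dir=${1:-/etc/certificates/vault}
    ca=${2:-/usr/local/share/ca-certificates/nasqueron-vault-ca.crt}
    rc=0
    key_matches_cert "$dir/private.key" "$dir/fullchain.pem" \
        || { echo "FAIL: private.key does not match the leaf certificate" >&2; rc=1; }
    chain_verifies "$dir/fullchain.pem" "$ca" \
        || { echo "FAIL: fullchain.pem does not verify against $ca" >&2; rc=1; }
    key_not_world_readable "$dir/private.key" \
        || { echo "FAIL: private.key is missing or world-readable" >&2; rc=1; }
    return $rc
}

# Run the checks only when asked to: pass "run" as the first argument.
if [ "${1:-}" = "run" ]; then
    check_vault_tls
fi
```

A non-zero exit status from check_vault_tls means at least one check failed; the failing checks are named on stderr.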