Add multiple TCP listeners

This adds the variable vault_tcp_listeners. This variable holds the attributes for all Vault TCP listeners. Per default, the first listener is a fallback to the initially defined standard variables. Additional listeners can be added to the list as needed.
ansible-community · Mar 3, 2021 · 9c060a3 · 9c060a3
1 parent 8ea1a85
commit 9c060a3
Show file tree

Hide file tree

Showing 3 changed files with 82 additions and 26 deletions.
diff --git a/README.md b/README.md
@@ -187,6 +187,35 @@ The role defines variables in `defaults/main.yml`:
 - Enable vault web UI
 - Default value:  true
 
+## TCP Listener Variables
+
+### `vault_tcp_listeners`
+
+- A list of tcp listeners. Each listener can define any of the listener specific variables described in further detail below.
+- Default value:
+```yaml
+vault_tcp_listeners:
+  - vault_address: '{{ vault_address }}'
+    vault_port: '{{ vault_port }}'
+    vault_cluster_address: '{{ vault_cluster_address }}'
+    # vault_proxy_protocol_behavior: '{{ vault_proxy_protocol_behavior }}'
+    # vault_proxy_protocol_authorized_addrs: '{{ vault_proxy_protocol_authorized_addrs }}'
+    vault_tls_disable: '{{ vault_tls_disable }}'
+    vault_tls_config_path: '{{ vault_tls_config_path }}'
+    vault_tls_cert_file: '{{ vault_tls_cert_file }}'
+    vault_tls_key_file: '{{ vault_tls_key_file }}'
+    vault_tls_ca_file: '{{ vault_tls_ca_file }}'
+    vault_tls_min_version: '{{ vault_tls_min_version }}'
+    vault_tls_cipher_suites: '{{ vault_tls_cipher_suites }}'
+    vault_tls_prefer_server_cipher_suites: '{{ vault_tls_prefer_server_cipher_suites }}'
+    vault_tls_require_and_verify_client_cert: '{{ vault_tls_require_and_verify_client_cert }}'
+    vault_tls_disable_client_certs: '{{ vault_tls_disable_client_certs }}'
+    # vault_x_forwarded_for_authorized_addrs: '{{ vault_x_forwarded_for_authorized_addrs }}'
+    # vault_x_forwarded_for_hop_skips: '{{ vault_x_forwarded_for_hop_skips }}'
+    # vault_x_forwarded_for_reject_not_authorized: '{{ vault_x_forwarded_for_reject_not_authorized }}'
+    # vault_x_forwarded_for_reject_not_present: '{{ vault_x_forwarded_for_reject_not_present }}'
+```
+
 ## Storage Backend Variables
 
 ### `vault_backend`

diff --git a/defaults/main.yml b/defaults/main.yml
@@ -67,6 +67,31 @@ vault_http_proxy: ""
 vault_https_proxy: ""
 vault_no_proxy: ""
 
+# ---------------------------------------------------------------------------
+# TCP listeners
+# ---------------------------------------------------------------------------
+
+vault_tcp_listeners:
+  - vault_address: '{{ vault_address }}'
+    vault_port: '{{ vault_port }}'
+    vault_cluster_address: '{{ vault_cluster_address }}'
+    # vault_proxy_protocol_behavior: '{{ vault_proxy_protocol_behavior }}'
+    # vault_proxy_protocol_authorized_addrs: '{{ vault_proxy_protocol_authorized_addrs }}'
+    vault_tls_disable: '{{ vault_tls_disable }}'
+    vault_tls_config_path: '{{ vault_tls_config_path }}'
+    vault_tls_cert_file: '{{ vault_tls_cert_file }}'
+    vault_tls_key_file: '{{ vault_tls_key_file }}'
+    vault_tls_ca_file: '{{ vault_tls_ca_file }}'
+    vault_tls_min_version: '{{ vault_tls_min_version }}'
+    vault_tls_cipher_suites: '{{ vault_tls_cipher_suites }}'
+    vault_tls_prefer_server_cipher_suites: '{{ vault_tls_prefer_server_cipher_suites }}'
+    vault_tls_require_and_verify_client_cert: '{{ vault_tls_require_and_verify_client_cert }}'
+    vault_tls_disable_client_certs: '{{ vault_tls_disable_client_certs }}'
+    # vault_x_forwarded_for_authorized_addrs: '{{ vault_x_forwarded_for_authorized_addrs }}'
+    # vault_x_forwarded_for_hop_skips: '{{ vault_x_forwarded_for_hop_skips }}'
+    # vault_x_forwarded_for_reject_not_authorized: '{{ vault_x_forwarded_for_reject_not_authorized }}'
+    # vault_x_forwarded_for_reject_not_present: '{{ vault_x_forwarded_for_reject_not_present }}'
+
 # ---------------------------------------------------------------------------
 # Storage backend
 # ---------------------------------------------------------------------------

diff --git a/templates/vault_main_configuration.hcl.j2 b/templates/vault_main_configuration.hcl.j2
@@ -8,42 +8,43 @@ api_addr = "{{ vault_api_addr }}"
 
 plugin_directory = "{{ vault_plugin_path }}"
 
+{% for l in vault_tcp_listeners %}
 listener "tcp" {
-  address = "{{ vault_address }}:{{ vault_port }}"
-  cluster_address = "{{ vault_cluster_address }}"
-  {% if (vault_proxy_protocol_behavior is defined and vault_proxy_protocol_behavior) -%}
-  proxy_protocol_behavior = "{{ vault_proxy_protocol_behavior }}"
-  {% if (vault_proxy_protocol_authorized_addrs is defined) -%}
-  proxy_protocol_authorized_addrs = "{{ vault_proxy_protocol_authorized_addrs }}"
+  address = "{{ l.vault_address }}:{{ l.vault_port }}"
+  cluster_address = "{{ l.vault_cluster_address }}"
+  {% if (l.vault_proxy_protocol_behavior is defined and l.vault_proxy_protocol_behavior) -%}
+  proxy_protocol_behavior = "{{ l.vault_proxy_protocol_behavior }}"
+  {% if (l.vault_proxy_protocol_authorized_addrs is defined) -%}
+  proxy_protocol_authorized_addrs = "{{ l.vault_proxy_protocol_authorized_addrs }}"
   {% endif -%}
   {% endif -%}
-  {% if not (vault_tls_disable | bool) -%}
-  tls_cert_file = "{{ vault_tls_config_path }}/{{ vault_tls_cert_file }}"
-  tls_key_file = "{{ vault_tls_config_path }}/{{ vault_tls_key_file }}"
-  tls_client_ca_file="{{ vault_tls_config_path }}/{{ vault_tls_ca_file }}"
-  tls_min_version  = "{{ vault_tls_min_version }}"
+  {% if not (l.vault_tls_disable | bool) -%}
+  tls_cert_file = "{{ l.vault_tls_config_path }}/{{ l.vault_tls_cert_file }}"
+  tls_key_file = "{{ l.vault_tls_config_path }}/{{ l.vault_tls_key_file }}"
+  tls_client_ca_file="{{ l.vault_tls_config_path }}/{{ l.vault_tls_ca_file }}"
+  tls_min_version  = "{{ l.vault_tls_min_version }}"
   {% if vault_tls_cipher_suites is defined and vault_tls_cipher_suites -%}
-  tls_cipher_suites = "{{ vault_tls_cipher_suites}}"
+  tls_cipher_suites = "{{ l.vault_tls_cipher_suites}}"
   {% endif -%}
-  tls_prefer_server_cipher_suites = "{{ vault_tls_prefer_server_cipher_suites }}"
-  {% if (vault_tls_require_and_verify_client_cert | bool) -%}
-  tls_require_and_verify_client_cert = "{{ vault_tls_require_and_verify_client_cert | bool | lower}}"
+  tls_prefer_server_cipher_suites = "{{ l.vault_tls_prefer_server_cipher_suites }}"
+  {% if (l.vault_tls_require_and_verify_client_cert | bool) -%}
+  tls_require_and_verify_client_cert = "{{ l.vault_tls_require_and_verify_client_cert | bool | lower}}"
   {% endif -%}
-  {% if (vault_tls_disable_client_certs | bool) -%}
-  tls_disable_client_certs = "{{ vault_tls_disable_client_certs | bool | lower}}"
+  {% if (l.vault_tls_disable_client_certs | bool) -%}
+  tls_disable_client_certs = "{{ l.vault_tls_disable_client_certs | bool | lower}}"
   {% endif -%}
   {% endif -%}
-  tls_disable = "{{ vault_tls_disable | bool | lower }}"
-  {% if (vault_x_forwarded_for_authorized_addrs is defined and vault_x_forwarded_for_authorized_addrs) -%}
-  x_forwarded_for_authorized_addrs = "{{ vault_x_forwarded_for_authorized_addrs }}"
-  {% if (vault_x_forwarded_for_hop_skips is defined) -%}
-  x_forwarded_for_hop_skips = "{{ vault_x_forwarded_for_hop_skips }}"
+  tls_disable = "{{ l.vault_tls_disable | bool | lower }}"
+  {% if (l.vault_x_forwarded_for_authorized_addrs is defined and l.vault_x_forwarded_for_authorized_addrs) -%}
+  x_forwarded_for_authorized_addrs = "{{ l.vault_x_forwarded_for_authorized_addrs }}"
+  {% if (l.vault_x_forwarded_for_hop_skips is defined) -%}
+  x_forwarded_for_hop_skips = "{{ l.vault_x_forwarded_for_hop_skips }}"
   {% endif -%}
-  {% if (vault_x_forwarded_for_reject_not_authorized is defined) -%}
-  x_forwarded_for_reject_not_authorized = "{{ vault_x_forwarded_for_reject_not_authorized | bool | lower }}"
+  {% if (l.vault_x_forwarded_for_reject_not_authorized is defined) -%}
+  x_forwarded_for_reject_not_authorized = "{{ l.vault_x_forwarded_for_reject_not_authorized | bool | lower }}"
   {% endif -%}
-  {% if (vault_x_forwarded_for_reject_not_present is defined) -%}
-  x_forwarded_for_reject_not_present = "{{ vault_x_forwarded_for_reject_not_present | bool | lower }}"
+  {% if (l.vault_x_forwarded_for_reject_not_present is defined) -%}
+  x_forwarded_for_reject_not_present = "{{ l.vault_x_forwarded_for_reject_not_present | bool | lower }}"
   {% endif -%}
   {% endif -%}
   {% if (vault_unauthenticated_metrics_access | bool) -%}
@@ -52,6 +53,7 @@ listener "tcp" {
   }
   {% endif %}
 }
+{% endfor %}
 
 {% if (vault_listener_localhost_enable | bool) -%}
 listener "tcp" {