diff --git a/defaults/main.yml b/defaults/main.yml
index d527b674..ab5432c8 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -348,6 +348,14 @@ vault_gkms_key_ring: 'vault'
 vault_gkms_crypto_key: 'vault_key'
 vault_gkms_copy_sa: true
+# ocikms seal
+vault_ocikms: false
+vault_ocikms_backend: vault_seal_ocikms.j2
+vault_ocikms_auth_type_api_key: false
+vault_ocikms_key_id: "{{ lookup('env','VAULT_OCIKMS_SEAL_KEY_ID') | default('', false) }}"
+vault_ocikms_crypto_endpoint: "{{ lookup('env','VAULT_OCIKMS_CRYPTO_ENDPOINT') | default('', false) }}"
+vault_ocikms_management_endpoint: "{{ lookup('env','VAULT_OCIKMS_MANAGEMENT_ENDPOINT') | default('', false) }}"
+
 # pkcs11 seal
 vault_enterprise_premium_hsm: false
 # WARNING: the following variable is deprecated as this section will become
diff --git a/templates/vault_main_configuration.hcl.j2 b/templates/vault_main_configuration.hcl.j2
index bf2670da..c68276c4 100644
--- a/templates/vault_main_configuration.hcl.j2
+++ b/templates/vault_main_configuration.hcl.j2
@@ -111,6 +111,10 @@ ui = {{ vault_ui | bool | lower }}
 {% include vault_backend_gkms with context %}
 {% endif %}
+{% if vault_ocikms | bool -%}
+ {% include vault_ocikms_backend with context %}
+{% endif %}
+
 {% if vault_telemetry_enabled | bool -%}
 telemetry {
 {% if vault_statsite_address is defined %}
diff --git a/templates/vault_seal_ocikms.j2 b/templates/vault_seal_ocikms.j2
new file mode 100644
index 00000000..9340d2f8
--- /dev/null
+++ b/templates/vault_seal_ocikms.j2
@@ -0,0 +1,10 @@
+seal "ocikms" {
+ key_id = "{{ vault_ocikms_key_id }}"
+ auth_type_api_key = "{{ vault_ocikms_auth_type_api_key }}"
+{% if vault_ocikms_crypto_endpoint is string and vault_ocikms_crypto_endpoint|length %}
+ crypto_endpoint = "{{ vault_ocikms_crypto_endpoint }}"
+{% endif %}
+{% if vault_ocikms_management_endpoint is string and vault_ocikms_management_endpoint|length %}
+ management_endpoint = "{{ vault_ocikms_management_endpoint }}"
+{% endif %}
+}
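Review bot: `vault_ocikms_key_id` falls back to an empty string, yet `key_id` is the one ocikms setting the new seal template emits unconditionally, so enabling `vault_ocikms` without `VAULT_OCIKMS_SEAL_KEY_ID` exported renders `key_id = ""` and the failure surfaces at Vault startup instead of at playbook time. A comment above the variable should make the requirement explicit: `# Required when vault_ocikms is true: OCID of the OCI KMS key used for auto-unseal (read from VAULT_OCIKMS_SEAL_KEY_ID).` It is also worth stating in that comment that `lookup('env', ...)` reads the environment of the Ansible controller, not of the Vault host, since operators setting this per-host are likely to get an empty value otherwise.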
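Review bot: The new include is indented one level (`+ {% include vault_ocikms_backend with context %}`) while the gkms include in the context line directly above sits flush with its `{% if %}`; Jinja block tags emit their leading whitespace, so `{% include vault_ocikms_backend with context %}` at column 0 keeps both the template and the rendered HCL consistent with the existing seal blocks. Nothing visible here prevents two seal toggles (for example the gkms one above and `vault_ocikms`) from being true at the same time, which would render two `seal` stanzas; if the role does not already assert mutual exclusivity elsewhere, an `assert` task over the seal flags would report that earlier and more clearly than Vault's startup error. The enclosing configuration template continues outside the hunk.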
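Review bot: `auth_type_api_key = "{{ vault_ocikms_auth_type_api_key }}"` renders the Python repr of the variable (`"False"` for the default) and passes a user-supplied `"yes"`/`"no"` through unchanged, whereas the main template normalises booleans with `| bool | lower` (see `ui = {{ vault_ui | bool | lower }}` in the preceding hunk's header context); `auth_type_api_key = "{{ vault_ocikms_auth_type_api_key | bool | lower }}"` matches that convention and hands Vault a canonical `true`/`false`. The two endpoints are guarded with `is string and |length` but `key_id` is not, so an unset key renders `key_id = ""`; rather than adding the same guard, which would only hide the missing value, an `assert` that `vault_ocikms_key_id` is non-empty when `vault_ocikms` is true is the better fix. A short header comment in this template would also help operators: when `auth_type_api_key` is false the seal relies on the Vault host's OCI instance identity, so the IAM policy granting it access to this key is part of the security boundary and should be scoped to that key only.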