Merge pull request #1931 from hashicorp/rename-vault-config
Rename vault config
commit
15f085a4d7
|
@ -115,10 +115,10 @@ vault {
|
|||
task_token_ttl = "1s"
|
||||
enabled = false
|
||||
token = "12345"
|
||||
tls_ca_file = "/path/to/ca/file"
|
||||
tls_ca_path = "/path/to/ca"
|
||||
tls_cert_file = "/path/to/cert/file"
|
||||
tls_key_file = "/path/to/key/file"
|
||||
ca_file = "/path/to/ca/file"
|
||||
ca_path = "/path/to/ca"
|
||||
cert_file = "/path/to/cert/file"
|
||||
key_file = "/path/to/key/file"
|
||||
tls_server_name = "foobar"
|
||||
tls_skip_verify = true
|
||||
}
|
||||
|
|
|
@ -704,10 +704,10 @@ func parseVaultConfig(result **config.VaultConfig, list *ast.ObjectList) error {
|
|||
"allow_unauthenticated",
|
||||
"enabled",
|
||||
"task_token_ttl",
|
||||
"tls_ca_file",
|
||||
"tls_ca_path",
|
||||
"tls_cert_file",
|
||||
"tls_key_file",
|
||||
"ca_file",
|
||||
"ca_path",
|
||||
"cert_file",
|
||||
"key_file",
|
||||
"tls_server_name",
|
||||
"tls_skip_verify",
|
||||
"token",
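Review bot: The four old key names (`tls_ca_file`, `tls_ca_path`, `tls_cert_file`, `tls_key_file`) are dropped from the valid-key list with no alias, so an existing agent configuration that still uses them changes behaviour on upgrade. The key check itself is outside this hunk (parseVaultConfig starts and ends beyond it); if it rejects unknown keys the agent fails loudly, but if any path ignores them, the CA and client-certificate settings would be dropped silently and, per the option documentation in this commit, verification would fall back to the system CA bundle. I would either keep the old names accepted for a deprecation period or make the error name the replacement key, and add a comment such as `// ca_file, ca_path, cert_file, key_file replace the tls_-prefixed names`. The documentation hunk of this commit still tells readers to set `tls_key_file` and `tls_cert_file` alongside the renamed options; those references should become `key_file` and `cert_file`.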
|
||||
|
|
|
@ -50,17 +50,17 @@ type VaultConfig struct {
|
|||
|
||||
// TLSCaFile is the path to a PEM-encoded CA cert file to use to verify the
|
||||
// Vault server SSL certificate.
|
||||
TLSCaFile string `mapstructure:"tls_ca_file"`
|
||||
TLSCaFile string `mapstructure:"ca_file"`
|
||||
|
||||
// TLSCaFile is the path to a directory of PEM-encoded CA cert files to
|
||||
// verify the Vault server SSL certificate.
|
||||
TLSCaPath string `mapstructure:"tls_ca_path"`
|
||||
TLSCaPath string `mapstructure:"ca_path"`
|
||||
|
||||
// TLSCertFile is the path to the certificate for Vault communication
|
||||
TLSCertFile string `mapstructure:"tls_cert_file"`
|
||||
TLSCertFile string `mapstructure:"cert_file"`
|
||||
|
||||
// TLSKeyFile is the path to the private key for Vault communication
|
||||
TLSKeyFile string `mapstructure:"tls_key_file"`
|
||||
TLSKeyFile string `mapstructure:"key_file"`
|
||||
|
||||
// TLSSkipVerify enables or disables SSL verification
|
||||
TLSSkipVerify *bool `mapstructure:"tls_skip_verify"`
|
||||
|
@ -75,6 +75,9 @@ func DefaultVaultConfig() *VaultConfig {
|
|||
return &VaultConfig{
|
||||
Addr: "https://vault.service.consul:8200",
|
||||
ConnectionRetryIntv: DefaultVaultConnectRetryIntv,
|
||||
AllowUnauthenticated: func(b bool) *bool {
|
||||
return &b
|
||||
}(true),
|
||||
}
|
||||
}
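Review bot: `DefaultVaultConfig` now sets `AllowUnauthenticated` to true, so, going by the option's description in the documentation hunk, a server that enables the Vault integration without setting this option does not require job submitters to present a Vault token for the policies they request. The same documentation hunk drops the earlier sentence that users could escalate privilege in a job, so the risk of the permissive default is no longer stated anywhere visible. I would prefer the restrictive default, `AllowUnauthenticated: func(b bool) *bool { return &b }(false),`, or, if the permissive default is intentional for compatibility, a comment on the field saying it must be set to false wherever job submitters are not fully trusted. Separately, the comment above `TLSCaPath` in the struct hunk still begins `// TLSCaFile is the path to a directory`; it should name `TLSCaPath`. The struct continues outside its hunk.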
|
||||
|
||||
|
|
|
@ -39,11 +39,10 @@ vault {
|
|||
given in the format `protocol://host:port`. If your Vault installation is
|
||||
behind a load balancer, this should be the address of the load balancer.
|
||||
|
||||
- `allow_unauthenticated` `(bool: false)` - Specifies if users submitting jobs
|
||||
to the Nomad server should be required to provide their own Vault token,
|
||||
proving they have access to the policies listed in the job. This option should
|
||||
only ever be enabled in a trusted environment, because, if enabled, users
|
||||
could escalate privilege in a job.
|
||||
- `allow_unauthenticated` `(bool: true)` - Specifies if users submitting jobs to
|
||||
the Nomad server should be required to provide their own Vault token, proving
|
||||
they have access to the policies listed in the job. This option should be
|
||||
disabled in an untrusted environment.
|
||||
|
||||
- `enabled` `(bool: false)` - Specifies if the Vault integration should be
|
||||
activated.
|
||||
|
@ -51,20 +50,20 @@ vault {
|
|||
- `task_token_ttl` `(string: "")` - Specifies the TTL of created tokens when
|
||||
using a root token. This is specified using a label suffix like "30s" or "1h".
|
||||
|
||||
- `tls_ca_file` `(string: "")` - Specifies an optional path to the CA
|
||||
- `ca_file` `(string: "")` - Specifies an optional path to the CA
|
||||
certificate used for Vault communication. If unspecified, this will fallback
|
||||
to the default system CA bundle, which varies by OS and version.
|
||||
|
||||
- `tls_ca_path` `(string: "")` - Specifies an optional path to a folder
|
||||
- `ca_path` `(string: "")` - Specifies an optional path to a folder
|
||||
containing CA certificates to be used for Vault communication. If unspecified,
|
||||
this will fallback to the default system CA bundle, which varies by OS and
|
||||
version.
|
||||
|
||||
- `tls_cert_file` `(string: "")` - Specifies the path to the certificate used
|
||||
- `cert_file` `(string: "")` - Specifies the path to the certificate used
|
||||
for Vault communication. If this is set then you need to also set
|
||||
`tls_key_file`.
|
||||
|
||||
- `tls_key_file` `(string: "")` - Specifies the path to the private key used for
|
||||
- `key_file` `(string: "")` - Specifies the path to the private key used for
|
||||
Vault communication. If this is set then you need to also set `tls_cert_file`.
|
||||
|
||||
- `tls_server_name` `(string: "")` - Specifies an optional string used to set
|
||||
|
@ -112,9 +111,9 @@ Nomad and Vault:
|
|||
```hcl
|
||||
vault {
|
||||
enabled = true
|
||||
tls_ca_path = "/etc/certs/ca"
|
||||
tls_cert_file = "/var/certs/vault.crt"
|
||||
tls_key_file = "/var/certs/vault.key"
|
||||
ca_path = "/etc/certs/ca"
|
||||
cert_file = "/var/certs/vault.crt"
|
||||
key_file = "/var/certs/vault.key"
|
||||
tls_server_name = "nomad.service.consul"
|
||||
}
|
||||
```
|
||||
|
|