diff --git a/README.md b/README.md new file mode 100644 index 0000000..f3f19a6 --- /dev/null +++ b/README.md @@ -0,0 +1,4 @@ +Consul role +Tested with OS: + - AlmaLinux 8 + - Debian 11 diff --git a/tasks/Debian/main.yaml b/tasks/Debian/main.yaml index 5f05f23..0f77e73 100644 --- a/tasks/Debian/main.yaml +++ b/tasks/Debian/main.yaml @@ -29,9 +29,9 @@ masked: yes when: is_consul.rc != 0 -- name: "Install {{ consul_package_name }}-{{ consul_version }}" +- name: "Install {{ consul_package_name }}-{{ consul_version }}-{{ consul_version_build }}" apt: - name: "{{ consul_package }}" + name: "{{ consul_package }}-{{ consul_version_build }}" update_cache: yes register: consul_setup when: is_consul.rc != 0 diff --git a/tasks/bootstrap.yaml b/tasks/bootstrap.yaml index 4e4426f..0c13bf5 100644 --- a/tasks/bootstrap.yaml +++ b/tasks/bootstrap.yaml @@ -26,7 +26,7 @@ when: - consul_config.encrypt is not defined or consul_config.encrypt | length == 0 - cluster_node_list != 0 - - hostvars[inventory_hostname]['ansible_host'] in cluster_node_list + - (hostvars[inventory_hostname]['ansible_host'] is defined and hostvars[inventory_hostname]['ansible_host'] in cluster_node_list) or hostvars[inventory_hostname]['ansible_default_ipv4']['address'] in cluster_node_list - name: Generate new key if none was found block: diff --git a/tasks/cacert.yaml b/tasks/cacert.yaml index 649a6d7..855cccf 100644 --- a/tasks/cacert.yaml +++ b/tasks/cacert.yaml 
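Review bot: The changed `name:` line of the apt task builds the package spec as `{{ consul_package }}-{{ consul_version_build }}`, but apt pins a version with `=` (`<package>=<version>-<revision>`), whereas the only definition of `consul_package` visible here is the yum-style `consul_package_name-consul_version` in vars/RedHat.yaml; whether the Debian definition already uses `=` is not visible in this diff, so it should be checked before relying on the dash-joined spec. If it does not, the form apt resolves is `name: "{{ consul_package_name }}={{ consul_version }}-{{ consul_version_build }}"`. A one-line comment on the task, such as `# pin the Debian packaging revision as well as the upstream version so installs are reproducible`, would also tell the next reader why the build suffix exists only on the Debian path.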
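Review bot: The rewritten `when` condition is not an "ansible_host if defined, otherwise default IPv4" fallback: when `ansible_host` is defined but not in `cluster_node_list`, the left operand is false and the `or` still evaluates `hostvars[inventory_hostname]['ansible_default_ipv4']['address']`, which errors when facts were not gathered and otherwise tests a second, possibly different address in the same condition. The same shape is introduced in tasks/main.yaml, where the negated form has a worse consequence. Resolving one address keeps the intent explicit: `- (hostvars[inventory_hostname]['ansible_host'] | default(hostvars[inventory_hostname]['ansible_default_ipv4']['address'])) in cluster_node_list`, or better, a `set_fact` of a single `consul_node_address` using that expression before these tasks so every later condition tests one value. The task owning these conditions starts before the hunk.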
@@ -61,17 +61,29 @@ when: consul_cert is not defined register: consul_key_gen - - name: Generate consul server subject_alt_ips + - name: Generate consul server subject_alt_ips from ansible_host set_fact: - consul_server_subject_alt_ips: "{{ groups[consul_server_group] | default([]) | map('extract', hostvars, ['ansible_host']) | map('regex_replace', '^', 'IP:') | list }}" + consul_server_subject_alt_ips_from_ansible_host: "{{ groups[consul_server_group] | default([]) | map('extract', hostvars, ['ansible_host']) | map('regex_replace', '^', 'IP:') | list }}" + when: hostvars[inventory_hostname]['ansible_host'] is defined + + - name: Generate consul server subject_alt_ips from default ipv4 address + set_fact: + consul_server_subject_alt_ips: "{{ groups[consul_server_group] | default([]) | map('extract', hostvars, ['ansible_default_ipv4', 'address']) | map('regex_replace', '^', 'IP:') | list }}" + when: hostvars[inventory_hostname]['ansible_default_ipv4']['address'] is defined - name: Generate consul server subject_alt_names set_fact: consul_server_subject_alt_names: "{{ groups[consul_server_group] | default([]) | map('extract', hostvars, ['inventory_hostname']) | map('regex_replace', '^', 'DNS:') | list }}" - - name: Generate consul agent subject_alt_ips + - name: Generate consul agent subject_alt_ips from ansible_host set_fact: - consul_agent_subject_alt_ips: "{{ groups[consul_agent_group] | default([]) | map('extract', hostvars, ['ansible_host']) | map('regex_replace', '^', 'IP:') | list }}" + consul_agent_subject_alt_ips_from_ansible_host: "{{ groups[consul_agent_group] | default([]) | map('extract', hostvars, ['ansible_host']) | map('regex_replace', '^', 'IP:') | list }}" + when: hostvars[inventory_hostname]['ansible_host'] is defined + + - name: Generate consul agent subject_alt_ips from default ipv4 address + set_fact: + consul_agent_subject_alt_ips: "{{ groups[consul_agent_group] | default([]) | map('extract', hostvars, ['ansible_default_ipv4', 'address']) | 
map('regex_replace', '^', 'IP:') | list }}" + when: hostvars[inventory_hostname]['ansible_default_ipv4']['address'] is defined - name: Generate consul agent subject_alt_names set_fact: @@ -82,7 +94,7 @@ path: "{{ consul_ssl_path }}/{{ consul_self_signed_cert_name }}.csr" privatekey_path: "{{ consul_ssl_path }}/{{ consul_self_signed_cert_name }}.key" common_name: "{{ consul_self_signed_cert_name }}" - subject_alt_name: "{{ consul_server_subject_alt_ips + consul_server_subject_alt_names + consul_agent_subject_alt_ips + consul_agent_subject_alt_names }}" + subject_alt_name: "{{ consul_server_subject_alt_ips | default([]) + consul_server_subject_alt_names | default([]) + consul_agent_subject_alt_ips | default([]) + consul_agent_subject_alt_names | default([]) + consul_server_subject_alt_ips_from_ansible_host | default([]) + consul_agent_subject_alt_ips_from_ansible_host | default([]) }}" owner: consul group: consul register: consul_csr @@ -151,13 +163,13 @@ - name: Put Consul CA OpenSSL cert to PKI copy: content: "{{ consul_ca_cert }}" - dest: "/etc/pki/ca-trust/source/anchors/CA-{{ consul_self_signed_cert_name }}.crt" - register: consul_ca_trust_anchors + dest: "{{ consul_ssl_ca_trust_dir }}/CA-{{ consul_self_signed_cert_name }}.crt" + register: consul_ca_trust notify: Restart consul - name: Update CA trust - shell: update-ca-trust extract - when: consul_ca_trust_anchors.changed + shell: "{{ consul_ssl_update_ca_command }}" + when: consul_ca_trust.changed - name: Put Consul OpenSSL key copy: diff --git a/tasks/main.yaml b/tasks/main.yaml index 8f082ce..31207b1 100644 --- a/tasks/main.yaml +++ b/tasks/main.yaml 
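Review bot: The new `when` guards on the four `subject_alt_ips` tasks check only the current host, yet each `map('extract', hostvars, [...])` reads the attribute from every member of the group, so a group in which some hosts lack `ansible_host` (or have no gathered facts) is still likely to fail or to yield an `IP:` entry wrapping an undefined value. Dropping undefined entries at the source makes the list robust for mixed inventories and removes the need for the per-host guard, e.g. on the server task `consul_server_subject_alt_ips_from_ansible_host: "{{ groups[consul_server_group] | default([]) | map('extract', hostvars, ['ansible_host']) | select('defined') | map('regex_replace', '^', 'IP:') | list }}"`, with the same `| select('defined')` on the other three tasks. Because the two result facts per group have different names, both lists are later concatenated into the SAN rather than one acting as a fallback, which a comment on the first task should state (`# both address sources are added to the certificate SAN below; they are not alternatives`). The enclosing `block` starts before this hunk.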
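Review bot: With every operand now wrapped in `default([])`, the `subject_alt_name` line silently produces a CSR with no SANs when none of the six facts is set, where the previous line would have stopped the play on an undefined variable, and it produces duplicate entries when a host's `ansible_host` equals its default IPv4 address. Wrapping the concatenation in parentheses and appending `| unique` handles the duplicates, and an `assert` task before the CSR task checking that the combined list has `length > 0` keeps an empty SAN from yielding a certificate that peers verifying addresses would reject. The expression has grown long enough that building it once with `set_fact` (for example `consul_subject_alt_name`) and referencing that fact here would read better and give the assert a single variable to test.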
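Review bot: The `Update CA trust` task runs the new `consul_ssl_update_ca_command` variable through `shell:`, but neither value added in vars/Debian.yaml and vars/RedHat.yaml uses shell features, so `command: "{{ consul_ssl_update_ca_command }}"` avoids handing the value to a shell and is the module ansible-lint expects for a plain executable. The `copy` task writing to `{{ consul_ssl_ca_trust_dir }}/CA-{{ consul_self_signed_cert_name }}.crt` sets no `mode:`, so the anchor's permissions depend on the default umask; `mode: "0644"` makes the intended world-readable CA file explicit. A comment on that task noting that Debian's `update-ca-certificates` only picks up files under its directory that carry the `.crt` suffix would explain why the filename must keep that extension on both platforms.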
@@ -42,6 +42,6 @@ - name: Join new server node to cluster import_tasks: join.yaml when: - - hostvars[inventory_hostname]['ansible_host'] not in cluster_node_list + - (hostvars[inventory_hostname]['ansible_host'] is defined and hostvars[inventory_hostname]['ansible_host'] not in cluster_node_list) or hostvars[inventory_hostname]['ansible_default_ipv4']['address'] not in cluster_node_list - cluster_node_list | length != 0 - inventory_hostname in groups[consul_server_group] diff --git a/vars/Debian.yaml b/vars/Debian.yaml index 70b07e0..3f995d7 100644 --- a/vars/Debian.yaml +++ b/vars/Debian.yaml @@ -6,3 +6,6 @@ consul_apt_key: consul_apt_repository: - repo: deb [arch=amd64] https://apt.releases.hashicorp.com {{ ansible_distribution_release }} main filename: hashicorp +consul_version_build: "1" +consul_ssl_update_ca_command: "update-ca-certificates --fresh" +consul_ssl_ca_trust_dir: "/usr/local/share/ca-certificates" diff --git a/vars/RedHat.yaml b/vars/RedHat.yaml index c5d8e98..ddbfb2c 100644 --- a/vars/RedHat.yaml +++ b/vars/RedHat.yaml @@ -1 +1,3 @@ consul_package: "{{ consul_package_name }}-{{ consul_version }}" +consul_ssl_update_ca_command: "update-ca-trust extract" +consul_ssl_ca_trust_dir: "/etc/pki/ca-trust/source/anchors"
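Review bot: The negated form on the new `when` line re-joins a node that is already in the cluster: when `ansible_host` is defined and present in `cluster_node_list`, the left operand is false, so the `or` falls through to `ansible_default_ipv4.address not in cluster_node_list`, which is true whenever Consul knows the node by its `ansible_host` rather than its default IPv4 (a NAT or multi-homed server), and `join.yaml` is then imported on every run. Negate a single resolved address instead: `- (hostvars[inventory_hostname]['ansible_host'] | default(hostvars[inventory_hostname]['ansible_default_ipv4']['address'])) not in cluster_node_list`. The same address-selection pattern appears in tasks/bootstrap.yaml, so a shared `set_fact` resolved once would keep the two conditions from drifting.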
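Review bot: `consul_version_build: "1"` is placed in the role's `vars/` tree, which, whether loaded as role vars or (presumably, given the OS-named files) via `include_vars`, ranks above inventory and play vars, so a user who needs a different packaging revision cannot override it without `-e`. The two `consul_ssl_*` values here and in vars/RedHat.yaml are genuinely OS-specific and belong in `vars/`, but the version pin would be better in `defaults/main.yaml` with its Debian-only meaning stated, e.g. `# Debian packaging revision appended to the apt version pin; unused on RedHat`. Quoting `"1"` is correct and should stay when the value moves, since an unquoted `1` would be read as an integer.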