add tls basic support

2025-04-29 15:02:01 +00:00 · 2022-09-06 15:59:08 +03:00 · 2022-09-06 15:59:08 +03:00 · e2a378bd4b
commit e2a378bd4b
parent 0acba68443
5 changed files with 72 additions and 8 deletions
--- a/defaults/main.yaml
+++ b/defaults/main.yaml
@ -1,4 +1,4 @@
-consul_version: 1.12.2
+consul_version: 1.12.4
 consul_config_path: "/etc/consul.d"
 consul_data_path: "/opt/consul"
 consul_user: consul
@ -9,7 +9,7 @@ consul_cluster_group: consul
 consul_server_group: consul_server
 consul_agent_group: consul_agent

-consul_config: []
+consul_config: {}
 consul_default_config:
  server: "{{ true if inventory_hostname in groups[consul_server_group] else false }}"
  ui_config: 
@ -27,4 +27,32 @@ consul_default_config:
    down_policy: extend-cache
    enable_token_persistence: true

+consul_ssl: no
+consul_ssl_path: "/etc/consul.d/ssl"
+consul_self_signed_cert: no
+consul_self_signed_cert_name: "consul-tls"
+consul_server_ssl_config: {}
+consul_server_ssl_default_config:
+  ports:
+    https: 8501
+  verify_incoming: true
+  verify_outgoing: true
+  verify_server_hostname: false
+  ca_file: "{{ consul_ssl_path }}/CA-{{ consul_self_signed_cert_name }}.crt"
+  cert_file: "{{ consul_ssl_path }}/{{ consul_self_signed_cert_name }}.crt"
+  key_file: "{{ consul_ssl_path }}/{{ consul_self_signed_cert_name }}.key"
+  auto_encrypt:
+   allow_tls: true
+
+consul_agent_ssl_config: {}
+consul_agent_ssl_default_config:
+  ports:
+    https: 8501
+  verify_incoming: true
+  verify_outgoing: true
+  verify_server_hostname: false
+  ca_file: "{{ consul_ssl_path }}/CA-{{ consul_self_signed_cert_name }}.crt"
+  cert_file: "{{ consul_ssl_path }}/{{ consul_self_signed_cert_name }}.crt"
+  key_file: "{{ consul_ssl_path }}/{{ consul_self_signed_cert_name }}.key"
+
 is_virtualenv: "{{ lookup('env','VIRTUAL_ENV') | default('') }}"
--- a/handlers/main.yaml
+++ b/handlers/main.yaml
@ -5,4 +5,4 @@
      state: restarted
      name: consul
      daemon_reload: yes
-    when: not consul_setup.changed
+    when: "not consul_setup.changed or not consul_enable_and_start.changed"
--- a/tasks/RedHat/main.yaml
+++ b/tasks/RedHat/main.yaml
@ -4,7 +4,7 @@
    description: Hashicorp Stable - $basearch
    file: hashicorp
    baseurl: https://rpm.releases.hashicorp.com/RHEL/$releasever/$basearch/stable
-    enabled: no
+    enabled: yes
    gpgcheck: yes
    gpgkey: https://rpm.releases.hashicorp.com/gpg
  when: consul_install_repo
@ -16,6 +16,7 @@
    disable_gpg_check: yes
    enablerepo: hashicorp
    update_cache: yes
+    disablerepo: '*'
  register: consul_setup
  when: consul_install_repo

--- a/tasks/config.yaml
+++ b/tasks/config.yaml
@ -5,12 +5,42 @@
  vars:
     consul_config_encrypt:
       encrypt: "{{ consul_raw_key }}"
-  when: 
+  when:
    - consul_config.encrypt is not defined

- name: Merge config for Consul
-  set_fact:
-    consul_config_combined: "{{ consul_default_config | combine(consul_config, recursive=true) }}"
+- name: Merge config for Consul server
+  when: inventory_hostname in groups[consul_server_group]
+  block:
+    - name: Merge config for Consul server
+      set_fact:
+        consul_config_combined: "{{ consul_default_config | combine(consul_config, recursive=true) }}"
+
+    - name: Merge SSL options for Consul server
+      set_fact:
+        consul_server_ssl_config_combined: "{{ consul_server_ssl_default_config | combine(consul_server_ssl_config, recursive=true) }}"
+      when: consul_ssl
+
+    - name: Merge SSL options with config for Consul server
+      set_fact:
+        consul_config_combined: "{{ consul_config_combined | combine(consul_server_ssl_config_combined, recursive=true) }}"
+      when: consul_ssl
+
+- name: Merge config for Consul agent
+  when: inventory_hostname in groups[consul_agent_group]
+  block:
+    - name: Merge config for Consul agent
+      set_fact:
+        consul_config_combined: "{{ consul_default_config | combine(consul_config, recursive=true) }}"
+
+    - name: Merge SSL options for Consul agent
+      set_fact:
+        consul_agent_ssl_config_combined: "{{ consul_agent_ssl_default_config | combine(consul_agent_ssl_config, recursive=true) }}"
+      when: consul_ssl
+
+    - name: Merge SSL options with config for Consul agent
+      set_fact:
+        consul_config_combined: "{{ consul_config_combined | combine(consul_agent_ssl_config_combined, recursive=true) }}"
+      when: consul_ssl

 - name: Propagate consul config
  copy:
--- a/tasks/main.yaml
+++ b/tasks/main.yaml
@ -18,6 +18,10 @@
 - name: "Install Consul for {{ ansible_facts['os_family'] }}"
  include_tasks: "{{ ansible_facts['os_family'] }}/main.yaml"

+- name: SSL certificates generation
+  import_tasks: cacert.yaml
+  when: consul_ssl
+
 - name: Bootstrap Consul
  include_tasks: bootstrap.yaml
  when: inventory_hostname in groups[consul_server_group]
@ -32,6 +36,7 @@
    enabled: true
    state: started
    masked: no
+  register: consul_enable_and_start
  tags: consul, consul_start

 - name: Join new server node to cluster