From e2a378bd4b2cf98cb894b6e7e701916bb77f7d26 Mon Sep 17 00:00:00 2001
From: ace
Date: Tue, 6 Sep 2022 15:59:08 +0300
Subject: [PATCH] add tls basic support
---
 defaults/main.yaml | 32 ++++++++++++++++++++++++++++++--
 handlers/main.yaml | 2 +-
 tasks/RedHat/main.yaml | 3 ++-
 tasks/config.yaml | 38 ++++++++++++++++++++++++++++++++++----
 tasks/main.yaml | 5 +++++
 5 files changed, 72 insertions(+), 8 deletions(-)
diff --git a/defaults/main.yaml b/defaults/main.yaml
index 6919c34..4d0cfdd 100644
--- a/defaults/main.yaml
+++ b/defaults/main.yaml
@@ -1,4 +1,4 @@
-consul_version: 1.12.2
+consul_version: 1.12.4
 consul_config_path: "/etc/consul.d"
 consul_data_path: "/opt/consul"
 consul_user: consul
@@ -9,7 +9,7 @@ consul_cluster_group: consul
 consul_server_group: consul_server
 consul_agent_group: consul_agent
-consul_config: []
+consul_config: {}
 consul_default_config:
 server: "{{ true if inventory_hostname in groups[consul_server_group] else false }}"
 ui_config:
@@ -27,4 +27,32 @@ consul_default_config:
 down_policy: extend-cache
 enable_token_persistence: true
+consul_ssl: no
+consul_ssl_path: "/etc/consul.d/ssl"
+consul_self_signed_cert: no
+consul_self_signed_cert_name: "consul-tls"
+consul_server_ssl_config: {}
+consul_server_ssl_default_config:
+ ports:
+ https: 8501
+ verify_incoming: true
+ verify_outgoing: true
+ verify_server_hostname: false
+ ca_file: "{{ consul_ssl_path }}/CA-{{ consul_self_signed_cert_name }}.crt"
+ cert_file: "{{ consul_ssl_path }}/{{ consul_self_signed_cert_name }}.crt"
+ key_file: "{{ consul_ssl_path }}/{{ consul_self_signed_cert_name }}.key"
+ auto_encrypt:
+ allow_tls: true
+
+consul_agent_ssl_config: {}
+consul_agent_ssl_default_config:
+ ports:
+ https: 8501
+ verify_incoming: true
+ verify_outgoing: true
+ verify_server_hostname: false
+ ca_file: "{{ consul_ssl_path }}/CA-{{ consul_self_signed_cert_name }}.crt"
+ cert_file: "{{ consul_ssl_path }}/{{ consul_self_signed_cert_name }}.crt"
+ key_file: "{{ consul_ssl_path }}/{{ consul_self_signed_cert_name }}.key"
+
 is_virtualenv: "{{ lookup('env','VIRTUAL_ENV') | default('') }}"
diff --git a/handlers/main.yaml b/handlers/main.yaml
index 45313be..dafc16a 100644
--- a/handlers/main.yaml
+++ b/handlers/main.yaml
@@ -5,4 +5,4 @@
 state: restarted
 name: consul
 daemon_reload: yes
- when: not consul_setup.changed
+ when: "not consul_setup.changed or not consul_enable_and_start.changed"
diff --git a/tasks/RedHat/main.yaml b/tasks/RedHat/main.yaml
index e8208a3..ce2f014 100644
--- a/tasks/RedHat/main.yaml
+++ b/tasks/RedHat/main.yaml
@@ -4,7 +4,7 @@
 description: Hashicorp Stable - $basearch
 file: hashicorp
 baseurl: https://rpm.releases.hashicorp.com/RHEL/$releasever/$basearch/stable
- enabled: no
+ enabled: yes
 gpgcheck: yes
 gpgkey: https://rpm.releases.hashicorp.com/gpg
 when: consul_install_repo
@@ -16,6 +16,7 @@
 disable_gpg_check: yes
 enablerepo: hashicorp
 update_cache: yes
+ disablerepo: '*'
 register: consul_setup
 when: consul_install_repo
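Review bot: `verify_server_hostname: false` in both `consul_server_ssl_default_config` and `consul_agent_ssl_default_config` turns off the check that a peer presenting a CA-signed certificate is really a Consul server, so any agent certificate issued by the same CA would be accepted as a server; Consul's hardening guidance is `verify_server_hostname: true`, which needs the server certificate to carry the `server.<datacenter>.<domain>` name, and since the generation step lives in `cacert.yaml` outside this diff it cannot be confirmed here that it does. Both blocks also point at the same `{{ consul_self_signed_cert_name }}.crt`/`.key`, so servers and agents appear to share one certificate by default; if that is intended, a comment such as `# servers and agents share one self-signed certificate by default; set consul_server_ssl_config / consul_agent_ssl_config to split them` should say so. `consul_ssl: no` and `consul_self_signed_cert: no` are YAML 1.1 truthy spellings next to the `true`/`false` used elsewhere in this file; `consul_ssl: false` and `consul_self_signed_cert: false` keep it consistent. `consul_ssl_path: "/etc/consul.d/ssl"` repeats the directory that `consul_config_path` already defines; `consul_ssl_path: "{{ consul_config_path }}/ssl"` keeps the two in step.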
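Review bot: The new condition `not consul_setup.changed or not consul_enable_and_start.changed` skips the restart only when both the install task and the enable-and-start task reported a change; if the intent, as the original `not consul_setup.changed` suggests, is to skip the restart whenever either task has just brought the service up with the current config, the operator has to be `and`: `when: "not consul_setup.changed and not consul_enable_and_start.changed"`. As written, a host whose package was unchanged but whose service was just started by the enable-and-start task still gets a second restart. `consul_setup` is registered only in the RedHat task path visible in this patch, so on other OS families the handler would reference an undefined variable unless they register it too, which cannot be checked here. The handler's name and module lines start above the hunk.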
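Review bot: `disablerepo: '*'` together with the existing `enablerepo: hashicorp` limits the install to the HashiCorp repository, so if the consul package needs any dependency from the base repositories the task fails with the package unavailable; a run on a minimal image would confirm it resolves. Given that scoping, flipping the repository definition to `enabled: yes` in the first hunk is not required by this task and leaves the third-party repo active for every later package operation on the host, whereas keeping `enabled: no` and relying on `enablerepo` keeps it opt-in; if `enabled: yes` turned out to be necessary for `enablerepo` to take effect, a comment saying so would stop the next reader from reverting it. The pre-existing `disable_gpg_check: yes` on this task, visible as context, bypasses the repository's `gpgcheck: yes`, so the signature verification the repo definition promises is not applied at install time. The install task's module line starts above the second hunk.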
diff --git a/tasks/config.yaml b/tasks/config.yaml
index d1dde2b..39152c7 100644
--- a/tasks/config.yaml
+++ b/tasks/config.yaml
@@ -5,12 +5,42 @@
 vars:
 consul_config_encrypt:
 encrypt: "{{ consul_raw_key }}"
- when:
+ when:
 - consul_config.encrypt is not defined
-- name: Merge config for Consul
- set_fact:
- consul_config_combined: "{{ consul_default_config | combine(consul_config, recursive=true) }}"
+- name: Merge config for Consul server
+ when: inventory_hostname in groups[consul_server_group]
+ block:
+ - name: Merge config for Consul server
+ set_fact:
+ consul_config_combined: "{{ consul_default_config | combine(consul_config, recursive=true) }}"
+
+ - name: Merge SSL options for Consul server
+ set_fact:
+ consul_server_ssl_config_combined: "{{ consul_server_ssl_default_config | combine(consul_server_ssl_config, recursive=true) }}"
+ when: consul_ssl
+
+ - name: Merge SSL options with config for Consul server
+ set_fact:
+ consul_config_combined: "{{ consul_config_combined | combine(consul_server_ssl_config_combined, recursive=true) }}"
+ when: consul_ssl
+
+- name: Merge config for Consul agent
+ when: inventory_hostname in groups[consul_agent_group]
+ block:
+ - name: Merge config for Consul agent
+ set_fact:
+ consul_config_combined: "{{ consul_default_config | combine(consul_config, recursive=true) }}"
+
+ - name: Merge SSL options for Consul agent
+ set_fact:
+ consul_agent_ssl_config_combined: "{{ consul_agent_ssl_default_config | combine(consul_agent_ssl_config, recursive=true) }}"
+ when: consul_ssl
+
+ - name: Merge SSL options with config for Consul agent
+ set_fact:
+ consul_config_combined: "{{ consul_config_combined | combine(consul_agent_ssl_config_combined, recursive=true) }}"
+ when: consul_ssl
 - name: Propagate consul config
 copy:
diff --git a/tasks/main.yaml b/tasks/main.yaml
index 2ff6585..8f082ce 100644
--- a/tasks/main.yaml
+++ b/tasks/main.yaml
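Review bot: Making the base merge conditional on group membership is a regression for a host that is in neither `consul_server_group` nor `consul_agent_group`: before this change `consul_config_combined` was always set, now such a host reaches `Propagate consul config` with it undefined (whether the inventory allows that depends on how the groups are built, which is not visible here). A host that is in both groups fares worse: the agent block's first `set_fact` rebuilds `consul_config_combined` from `consul_default_config` and silently drops the server SSL options merged just before it, `auto_encrypt.allow_tls` included. The two blocks also repeat the base merge and the SSL merge verbatim; one unconditional base merge followed by a single SSL merge that picks the server or agent defaults by group keeps one code path and avoids both cases, as sketched below. The `Propagate consul config` task continues past the end of the hunk.
```yaml
- name: Merge config for Consul
  set_fact:
    consul_config_combined: "{{ consul_default_config | combine(consul_config, recursive=true) }}"

- name: Merge SSL options with config for Consul
  vars:
    _ssl_defaults: "{{ consul_server_ssl_default_config if inventory_hostname in groups[consul_server_group] else consul_agent_ssl_default_config }}"
    _ssl_overrides: "{{ consul_server_ssl_config if inventory_hostname in groups[consul_server_group] else consul_agent_ssl_config }}"
  set_fact:
    consul_config_combined: "{{ consul_config_combined | combine(_ssl_defaults | combine(_ssl_overrides, recursive=true), recursive=true) }}"
  when: consul_ssl

# … unchanged: Propagate consul config …
```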
@@ -18,6 +18,10 @@
 - name: "Install Consul for {{ ansible_facts['os_family'] }}"
 include_tasks: "{{ ansible_facts['os_family'] }}/main.yaml"
+- name: SSL certificates generation
+ import_tasks: cacert.yaml
+ when: consul_ssl
+
 - name: Bootstrap Consul
 include_tasks: bootstrap.yaml
 when: inventory_hostname in groups[consul_server_group]
@@ -32,6 +36,7 @@
 enabled: true
 state: started
 masked: no
+ register: consul_enable_and_start
 tags: consul, consul_start
 - name: Join new server node to cluster
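Review bot: `import_tasks: cacert.yaml` references `tasks/cacert.yaml`, which this patch neither adds nor modifies (the diffstat lists five files and that is not one of them); unless it already exists in the repository the play fails at parse time, and because `import_tasks` is resolved statically the failure happens even with `consul_ssl: false`. The task is gated on `consul_ssl` alone while the defaults introduce a separate `consul_self_signed_cert` switch, so with operator-supplied certificates (`consul_ssl: true`, `consul_self_signed_cert: false`) the generation tasks are still imported; that is fine if `cacert.yaml` checks the switch itself, otherwise `when: consul_ssl and consul_self_signed_cert` belongs here. The enable-and-start task in the second hunk carries `tags: consul, consul_start` while the new task is untagged, so if the rest of this file is tagged `consul` a `--tags consul` run would start the service without generating certificates first; the tags of the other tasks are outside the hunk.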