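# Establish the Consul gossip encryption key (consul_raw_key) for the play:
# reuse the key found in an existing consul.json on a cluster node, otherwise
# generate a new one, and publish it as a fact on every host in the play.
#
# NOTE(review): the nesting below was reconstructed from a flattened listing.
# Block-level placement of no_log / run_once / when is assumed - confirm
# against the original file.
#
# Security: every task here reads, decodes or stores the gossip key, so
# no_log is true at each level (the original set it to false, which prints
# the key in task output and logs). A no_log set on an inner block or task
# overrides the enclosing one, hence it is repeated rather than set once.
- name: Bootstrap encrypt
  block:
    - name: Get gossip encryption key on previously bootstrapped server
      block:
        # The slurp result holds the whole config file base64-encoded,
        # including the encrypt value - it must never reach the logs.
        # A missing file is expected on a fresh node, so errors are ignored.
        - name: Check for gossip encryption key on previously bootstrapped server
          slurp:
            src: "{{ consul_config_path }}/consul.json"
          register: consul_config_b64
          ignore_errors: true

        - name: Deserialize existing configuration
          set_fact:
            consul_config_local: "{{ consul_config_b64.content | b64decode | from_json }}"
          when: consul_config_b64.content is defined

        # delegate_to + delegate_facts over ansible_play_hosts_all sets the
        # fact on every host in the play, not only on the host that had it.
        - name: Save gossip encryption key from existing configuration
          set_fact:
            consul_raw_key: "{{ consul_config_local.encrypt }}"
          delegate_to: "{{ item }}"
          delegate_facts: true
          run_once: true
          loop: "{{ ansible_play_hosts_all }}"
          when:
            - consul_config_local.encrypt is defined
            - consul_config_local.encrypt | length != 0
      no_log: true
      when:
        # Only look for an existing key when none was supplied in consul_config.
        - consul_config.encrypt is not defined or consul_config.encrypt | length == 0
        # NOTE(review): compares the variable itself with 0; if
        # cluster_node_list is a list this is always true and
        # `cluster_node_list | length != 0` was probably intended - confirm.
        - cluster_node_list != 0
        # Run only on hosts whose address appears in cluster_node_list.
        - >-
          (hostvars[inventory_hostname]['ansible_host'] is defined
          and hostvars[inventory_hostname]['ansible_host'] in cluster_node_list)
          or hostvars[inventory_hostname]['ansible_default_ipv4']['address'] in cluster_node_list

    - name: Generate new key if none was found
      block:
        # command instead of shell: no shell features are used, so the
        # argument is not passed through a shell. stdout is the new key.
        - name: Generate gossip encryption key
          command: consul keygen
          register: consul_keygen
          # Generating a key does not modify the host.
          changed_when: false
          when:
            - consul_raw_key is not defined

        - name: Save gossip encryption key as fact
          set_fact:
            consul_raw_key: "{{ consul_keygen.stdout }}"
          delegate_to: "{{ item }}"
          delegate_facts: true
          loop: "{{ ansible_play_hosts_all }}"
          when:
            - hostvars[inventory_hostname]['consul_raw_key'] is not defined
      no_log: true
      # One key for the whole cluster: generate once, then fan out as a fact.
      run_once: true
      when:
        - consul_config.encrypt is not defined or consul_config.encrypt | length == 0
  no_log: true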