Update to 2022-08-01 16:00

roles/consul/defaults/main.yml

@@ -16,63 +16,43 @@ consul_root_dir: /opt/consul
 # List of consul servers name or IP
 consul_servers: []
 
-# List of services exposed by consul, the ports they use, and the list of IP
-# for which the service is accessible at the firewall level (if iptables_manage == True)
-consul_base_services:
-  dns:
-    port: "{{ consul_conf.ports.dns | default(8600) }}"
-    src_ip: []
-    proto: [tcp,udp]
-  http:
-    port: "{{ consul_conf.ports.http | default(8500) }}"
-    src_ip: []
-    proto: [tcp]
-  https:
-    port: "{{ consul_conf.ports.https | default(8501) }}"
-    src_ip: []
-    proto: [tcp]
-  grpc:
-    port: "{{ consul_conf.ports.groc | default(8502) }}"
-    src_ip: []
-    proto: [tcp]
-  serf_lan:
-    port: "{{ consul_conf.ports.serf_lan | default(8301) }}"
-    src_ip: []
-    proto: [tcp,udp]
-  serf_wan:
-    port: "{{ consul_conf.ports.serf_wan | default(8302) }}"
-    src_ip: []
-    proto: [tcp,udp]
-  server:
-    port: "{{ consul_conf.ports.server | default(8300) }}"
-    src_ip: []
-    proto: [tcp]
-  sidecar_proxy:
-    port: "{{ consul_conf.ports.sidecar_proxy_min | default(21000) }}:{{ consul_conf.ports.sidecar_proxy_max | default(21255) }}"
-    src_ip: []
-    proto: [tcp]
-consul_extra_services: {}
-consul_services: "{{ consul_base_services | combine(consul_extra_services, recursive=True) }}"
-
 # Consul configuration (which will be converted to JSON)
 # The configuration is splited in a base conf and an extra conf, so you can override part of the config easily
 consul_base_conf:
-  node_name: "{{ inventory_hostname }}"
-  data_dir: "{{ consul_root_dir }}/data"
   client_addr: 0.0.0.0
   log_level: INFO
   bind_addr: 0.0.0.0
+
+  # Address that is advertised to the other nodes
   advertise_addr: "{{ ansible_default_ipv4.address }}"
+  # You can also advertise the WAN addr
+  # advertise_addr_wan: x.x.x.x
+
+  # You can define the datacenter in which this agent is running. The default value is dc1
+  # datacenter: dc1
+
+  # Node name, which should be uniq in the region. Default is the hostname
+  # node_name: nomade-fr-zone-c
+
+  # Optional encryption key for the gossip protocol
+  # You can generate one with cinsul keygen. The key should be the same on all the members
+  # encrypt: WSnGbK30nI6K/xk9w+AAtk0Y3RMXKoAlsj4VEICqi0I=
+
   retry_join: "{{ consul_servers }}"
   bootstrap_expect: "{{ consul_servers | length }}"
+
   server: "{{ (inventory_hostname in consul_servers) | ternary(True, False) }}"
+
   ui_config:
     enabled: "{{ (inventory_hostname in consul_servers) | ternary(True, False) }}"
-  connect:
+
-    enabled: "{{ (inventory_hostname in consul_servers) | ternary(True, False) }}"
   performance:
     raft_multiplier: 1
 
+consul_extra_conf: {}
+consul_host_conf: {}
+consul_conf: "{{ consul_base_conf | combine(consul_extra_conf, recursive=True) | combine(consul_host_conf, recursive=True) }}"
+
 # For example
 # consul_extra_conf:
 #   datacenter: my-dc
@@ -81,9 +61,45 @@ consul_base_conf:
 #   ui_config:
 #     enabled: False
 
-consul_extra_conf: {}
+# List of services exposed by consul, the ports they use, and the list of IP
-# Host conf is just another level of configuration override
+# for which the service is accessible at the firewall level (if iptables_manage == True)
-consul_host_conf: {}
+consul_base_services:
-
+  dns:
-# Merge all the conf
+    port: 8600
-consul_conf: "{{ consul_base_conf | combine(consul_extra_conf, recursive=True) | combine(consul_host_conf, recursive=True) }}"
+    src_ip: []
+    proto: [tcp,udp]
+  http:
+    port: 8500
+    src_ip: []
+    proto: [tcp]
+  https:
+    port: 8501
+    src_ip: []
+    proto: [tcp]
+  grpc:
+    port: 8502
+    src_ip: []
+    proto: [tcp]
+  serf_lan:
+    port: 8301
+    src_ip: []
+    proto: [tcp,udp]
+  serf_wan:
+    port: 8302
+    src_ip: []
+    proto: [tcp,udp]
+  server:
+    port: 8300
+    src_ip: []
+    proto: [tcp]
+  sidecar:
+    port: 21000:21255
+    src_ip: []
+    proto: [tcp]
+  expose:
+    port: 21500:21755
+    src_ip: []
+    proto: [tcp]
+consul_extra_services: {}
+consul_host_services: {}
+consul_services: "{{ consul_base_services | combine(consul_extra_services, recursive=True) | combine(consul_host_services, recursive=True) }}"

roles/consul/tasks/conf.yml

@@ -2,11 +2,11 @@
 
 - name: Deploy consul configuration
   template:
-    src: consul.json.j2
+    src: consul.hcl.j2
-    dest: "{{ consul_root_dir }}/etc/consul.json"
+    dest: "{{ consul_root_dir }}/etc/consul.hcl"
     owner: root
     group: "{{ consul_user }}"
-    mode: 640
+    mode: 0640
-    validate: consul validate %s
+    #validate: consul validate %s
   notify: restart consul
   tags: consul

roles/consul/tasks/facts.yml

@@ -1,12 +1,26 @@
 ---
 
-- name: Detect installed version
+- set_fact: consul_install_mode='none'
-  block:
-    - import_tasks: ../includes/webapps_set_install_mode.yml
-      vars:
-        - root_dir: "{{ consul_root_dir }}"
-        - version: "{{ consul_version }}"
-    - set_fact: consul_install_mode={{ install_mode | default('none') }}
-    - set_fact: consul_current_version={{ current_version | default('') }}
   tags: consul
 
+- name: Detect if consul is installed
+  stat: path=/usr/local/bin/consul
+  register: consul_bin
+  tags: consul
+
+- when: not consul_bin.stat.exists
+  set_fact: consul_install_mode='install'
+  tags: consul
+
+- when: consul_bin.stat.exists
+  block:
+    - name: Detect installed version
+      shell: /usr/local/bin/consul version | head -1 | perl -pe 's/Consul v(\d+(\.\d+)*)/$1/'
+      changed_when: False
+      register: consul_current_version
+    - set_fact: consul_current_version={{ consul_current_version.stdout }}
+  tags: consul
+
+- when: consul_bin.stat.exists and consul_current_version != consul_version
+  set_fact: consul_install_mode='upgrade'
+

roles/consul/tasks/iptables.yml

@@ -6,10 +6,10 @@
     state: "{{ (('tcp' in consul_services[item].proto or 'udp' in consul_services[item].proto) and consul_services[item].src_ip | length > 0) | ternary('present', 'absent') }}"
     rules: |
       {% if 'tcp' in consul_services[item].proto %}
-      -A INPUT -m state --state NEW -p tcp --dport {{ consul_services[item].port }} -j ACCEPT
+      -A INPUT -m state --state NEW -p tcp --dport {{ consul_services[item].port }} -s {{ consul_services[item].src_ip | join(',') }} -j ACCEPT
       {% endif %}
       {% if 'udp' in consul_services[item].proto %}
-      -A INPUT -m state --state NEW -p udp --dport {{ consul_services[item].port }} -j ACCEPT
+      -A INPUT -m state --state NEW -p udp --dport {{ consul_services[item].port }} -s {{ consul_services[item].src_ip | join(',') }} -j ACCEPT
       {% endif %}
   loop: "{{ consul_services.keys() | list }}"
   tags: firewall,consul

roles/consul/tasks/main.yml

@@ -26,9 +26,6 @@
 - include_tasks: services.yml
   tags: always
 
-- include_tasks: write_version.yml
-  tags: always
-
 - include_tasks: archive_post.yml
   when: consul_install_mode | default('none') == 'upgrade'
   tags: always

roles/consul/tasks/write_version.yml

@@ -1,5 +0,0 @@
----
-
-- name: Write installed version
-  copy: content={{ consul_version }} dest={{ consul_root_dir }}/meta/ansible_version
-  tags: consul

roles/consul/templates/consul.hcl.j2

@@ -0,0 +1,47 @@
+data_dir = "{{ consul_root_dir }}/data"
+log_level = "{{ consul_conf.log_level }}"
+bind_addr = "0.0.0.0"
+client_addr = "0.0.0.0"
+
+advertise_addr = "{{ consul_conf.advertise_addr }}"
+
+{% if consul_conf.datacenter is defined %}
+datacenter = "{{ consul_conf.datacenter }}"
+{% endif %}
+
+{% if consul_conf.node_name is defined %}
+node_name = {{ consul_conf.node_name }}
+{% endif %}
+
+ports {
+{% for service in consul_services.keys() | list %}
+{% if service not in ['sidecar', 'expose'] and consul_services[service].port is defined %}
+  {{ service }} = {{ consul_services[service].port }}
+{% elif service in ['sidecar', 'expose'] %}
+  {{ service }}_min_port = {{ consul_services[service].port | split(':') | first }}
+  {{ service }}_max_port = {{ consul_services[service].port | split(':') | last }}
+{% endif %}
+{% endfor %}
+}
+
+bootstrap_expect = {{ consul_conf.bootstrap_expect }}
+
+performance {
+  raft_multiplier = {{ consul_conf.performance.raft_multiplier }}
+}
+
+retry_join = [
+{% for server in consul_servers %}
+  "{{ server }}",
+{% endfor %}
+]
+
+server = {{ consul_conf.server | ternary('true', 'false') }}
+
+{% if consul_conf.encrypt is defined %}
+encrypt = "{{ consul_conf.encrypt }}"
+{% endif %}
+
+ui_config {
+  enabled = {{ consul_conf.ui_config.enabled | ternary('true', 'false') }}
+}

roles/consul/templates/consul.json.j2

@@ -1 +0,0 @@
-{{ consul_conf | to_nice_json(indent=2) }}

roles/consul/templates/consul.service.j2

@@ -3,17 +3,18 @@ Description="HashiCorp Consul - A service mesh solution"
 Documentation=https://www.consul.io/
 Requires=network-online.target
 After=network-online.target
-ConditionFileNotEmpty={{ consul_root_dir }}/etc/consul.json
+ConditionFileNotEmpty={{ consul_root_dir }}/etc/consul.hcl
 
 [Service]
 EnvironmentFile=-{{ consul_root_dir }}/etc/consul.env
 User={{ consul_user }}
 Group={{ consul_user }}
-ExecStart={{ consul_root_dir }}/bin/consul agent -config-dir={{ consul_root_dir }}/etc/
+ExecStart={{ consul_root_dir }}/bin/consul agent -config-file={{ consul_root_dir }}/etc/consul.hcl
 ExecReload=/bin/kill --signal HUP $MAINPID
 KillMode=process
 KillSignal=SIGTERM
 Restart=on-failure
+RestartSec=2
 LimitNOFILE=65536
 
 [Install]

roles/nomad/defaults/main.yml

@@ -20,6 +20,13 @@ nomad_servers: []
 # Nomad configuration
 nomad_base_conf:
   log_level: INFO
+
+  # You can define the datacenter in which this agent is running. The default value is dc1
+  # datacenter: dc1
+
+  # Node name, which should be uniq in the region. Default is the hostname
+  # name: nomade-fr-zone-c
+
   # Client related settings
   # The default is to act as a client if the hostname is not listed in nomad servers
   client:

roles/nomad/templates/nomad.hcl.j2

@@ -2,6 +2,16 @@ data_dir = "{{ nomad_root_dir }}/data"
 log_level = "{{ nomad_conf.log_level }}"
 bind_addr = "0.0.0.0"
 
+{% if nomad_conf.datacenter is defined %}
+datacenter = "{{ nomad_conf.datacenter }}"
+{% endif %}
+
+{% if nomad_conf.name is defined %}
+name = {{ nomad_conf.name }}
+{% endif %}
+
+disable_update_check = true
+
 advertise {
 {% for service in nomad_services.keys() | list %}
 {% if nomad_services[service].advertise is defined %}