From 6c02758759eba42fd1ed6a916319109f1fd0c4bf Mon Sep 17 00:00:00 2001 From: Daniel Berteaud Date: Sun, 4 Sep 2022 00:00:24 +0200 Subject: [PATCH] Update to 2022-09-04 00:00 --- roles/nomad/defaults/main.yml | 12 ++++++------ roles/nomad/tasks/conf.yml | 2 +- roles/nomad/tasks/services.yml | 2 +- roles/nomad/templates/agent.crt.tpl.j2 | 3 --- roles/nomad/templates/agent_cert.tpl.j2 | 2 +- roles/nomad/templates/cli_cert.tpl.j2 | 2 +- roles/nomad/templates/consul-template.hcl.j2 | 4 ++-- roles/nomad/templates/pre-backup.j2 | 2 +- roles/nomad/templates/profile.sh.j2 | 3 ++- 9 files changed, 15 insertions(+), 17 deletions(-) delete mode 100644 roles/nomad/templates/agent.crt.tpl.j2
diff --git a/roles/nomad/defaults/main.yml b/roles/nomad/defaults/main.yml
index b3ba5d8..6477882 100644
--- a/roles/nomad/defaults/main.yml
+++ b/roles/nomad/defaults/main.yml
@@ -56,7 +56,7 @@ nomad_base_conf:
 # TLS Settings
- # See the nomad_vault configuration if you want to integrate with vault to obtain and renew the certificates
+ # See the nomad_vault_tls configuration if you want to integrate with vault to obtain and renew the certificates
 tls:
 http: False
 rpc: False
@@ -223,7 +223,7 @@ nomad_host_services: {}
 nomad_services: "{{ nomad_base_services | combine(nomad_extra_services, recursive=True) | combine(nomad_host_services, recursive=True) }}"
 # When using vault to setup TLS for Nomad
-nomad_base_vault:
+nomad_base_vault_tls:
 enabled: False
 address: "{{ nomad_conf.vault.address | default(omit) }}"
 # Token to use to issue certificates
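Review bot: The rename that starts here with `nomad_base_vault_tls` and finishes in the @@ -231 hunk with `nomad_extra_vault_tls`/`nomad_host_vault_tls` has no fallback, so an inventory that enabled Vault-issued TLS through the old `nomad_extra_vault`/`nomad_host_vault` names silently drops back to `enabled: False` on the next run; the service task in services.yml then stops and disables consul-template-nomad, and the certificates issued with `ttl: 24h` are presumably no longer renewed. A backward-compatible default avoids that: `nomad_extra_vault_tls: "{{ nomad_extra_vault | default({}) }}"` and `nomad_host_vault_tls: "{{ nomad_host_vault | default({}) }}"`, with a deprecation remark in the comment above `nomad_base_vault_tls`. If the break is intended, state it in that same comment so operators know to rename their overrides before updating.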
@@ -231,9 +231,9 @@ nomad_base_vault:
 pki:
 # The path of the PKI secret where cert will be issued
 path: /pki/nomad
- role: nomad-cluster
+ role: nomad-{{ nomad_conf.server.enabled | ternary('server', 'client') }}
 ttl: 24h
-nomad_extra_vault: {}
-nomad_host_vault: {}
-nomad_vault: "{{ nomad_base_vault | combine(nomad_extra_vault, recursive=True) | combine(nomad_host_vault, recursive=True) }}"
+nomad_extra_vault_tls: {}
+nomad_host_vault_tls: {}
+nomad_vault_tls: "{{ nomad_base_vault_tls | combine(nomad_extra_vault_tls, recursive=True) | combine(nomad_host_vault_tls, recursive=True) }}"
diff --git a/roles/nomad/tasks/conf.yml b/roles/nomad/tasks/conf.yml
index 80ee548..722a266 100644
--- a/roles/nomad/tasks/conf.yml
+++ b/roles/nomad/tasks/conf.yml
@@ -92,7 +92,7 @@
 loop: "{{ nomad_backup_configs.stdout_lines }}"
 tags: nomad
-- when: nomad_vault.enabled
+- when: nomad_vault_tls.enabled
 block:
 - name: Deploy consul-template config
diff --git a/roles/nomad/tasks/services.yml b/roles/nomad/tasks/services.yml
index 6f3ceb7..c6d106b 100644
--- a/roles/nomad/tasks/services.yml
+++ b/roles/nomad/tasks/services.yml
@@ -6,5 +6,5 @@
 tags: nomad
 - name: Handle consul-template-nomad service
- service: name=consul-template-nomad state={{ nomad_vault.enabled | ternary('started', 'stopped') }} enabled={{ nomad_vault.enabled | ternary(True, False) }}
+ service: name=consul-template-nomad state={{ nomad_vault_tls.enabled | ternary('started', 'stopped') }} enabled={{ nomad_vault_tls.enabled | ternary(True, False) }}
 tags: nomad
diff --git a/roles/nomad/templates/agent.crt.tpl.j2 b/roles/nomad/templates/agent.crt.tpl.j2
deleted file mode 100644
index 316d502..0000000
--- a/roles/nomad/templates/agent.crt.tpl.j2
+++ /dev/null
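Review bot: `role: nomad-{{ nomad_conf.server.enabled | ternary('server', 'client') }}` only separates server from client issuance if the two Vault PKI roles are actually constrained on the Vault side: Nomad's server-hostname verification identifies a server by the `server.<region>.nomad` name that the agent template in this commit puts in `alt_names`, so a `nomad-client` role that may still issue that name (or any name, via `allow_any_name`) hands a server certificate to whoever holds a client node's token. The role defaults cannot enforce this, so record the expectation next to the value, e.g. `# nomad-client must only be allowed client.<region>.nomad and the node CN; keep allow_any_name off on both roles`. For consistency with `address:` in the previous hunk the templated value would also read better quoted: `role: "nomad-{{ nomad_conf.server.enabled | ternary('server', 'client') }}"`.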
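Review bot: The rewritten `service:` line in services.yml keeps the `key=value` argument string, which Ansible's own style guidance discourages in favour of block YAML, and `enabled={{ nomad_vault_tls.enabled | ternary(True, False) }}` is a verbose identity of the boolean. Block form makes the dependence of both `state` and `enabled` on `nomad_vault_tls.enabled` readable and lets yamllint/ansible-lint see the values; `| bool` yields the same result as the ternary.
```yaml
- name: Handle consul-template-nomad service
  service:
    name: consul-template-nomad
    state: "{{ nomad_vault_tls.enabled | ternary('started', 'stopped') }}"
    enabled: "{{ nomad_vault_tls.enabled | bool }}"
  tags: nomad
```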
@@ -1,3 +0,0 @@
-{{ with secret "[[ nomad_vault.pki.path ]]/issue/[[ nomad_vault.pki.role ]]" "common_name=[[ (nomad_conf.server.enabled) | ternary('server', 'client') ]].[[ nomad_conf.region | default('global') ]].nomad" "ttl=[[ nomad_vault.pki.ttl ]]" "alt_names=localhost,[[ inventory_hostname ]],{% if nomad_conf.server.enabled and nomad_conf.client.enabled %}client.[[ nomad_conf.region | default('global') ]].nomad{% endif %}" "ip_sans=127.0.0.1,[[ ansible_default_ipv4.address ]]"}}
-{{ .Data.certificate }}
-{{ end }}
diff --git a/roles/nomad/templates/agent_cert.tpl.j2 b/roles/nomad/templates/agent_cert.tpl.j2
index 9ec5ee5..9c2ef6c 100644
--- a/roles/nomad/templates/agent_cert.tpl.j2
+++ b/roles/nomad/templates/agent_cert.tpl.j2
@@ -1,3 +1,3 @@
-[[ with secret "{{ nomad_vault.pki.path }}/issue/{{ nomad_vault.pki.role }}" "common_name={{ (nomad_conf.server.enabled) | ternary('server', 'client') }}.{{ nomad_conf.region | default('global') }}.nomad" "ttl={{ nomad_vault.pki.ttl }}" "alt_names=localhost,{{ inventory_hostname }},{% if nomad_conf.server.enabled and nomad_conf.client.enabled %}client.{{ nomad_conf.region | default('global') }}.nomad{% endif %}" "ip_sans=127.0.0.1,{{ ansible_default_ipv4.address }}" ]]
+[[ with secret "{{ nomad_vault_tls.pki.path }}/issue/{{ nomad_vault_tls.pki.role }}" "common_name={{ (nomad_conf.server.enabled) | ternary('server', 'client') }}-{{ ansible_fqdn | regex_replace('\\.', '-') }}.{{ nomad_conf.region | default('global') }}.nomad" "ttl={{ nomad_vault_tls.pki.ttl }}" "alt_names=localhost,{{ (nomad_conf.server.enabled) | ternary('server', 'client') }}.{{ nomad_conf.region | default('global') }}.nomad{% if nomad_conf.server.enabled and nomad_conf.client.enabled %},client.{{ nomad_conf.region | default('global') }}.nomad{% endif %}" ]]
 [[ .Data.{{ item.what }} ]]
 [[ end ]]
diff --git a/roles/nomad/templates/cli_cert.tpl.j2 b/roles/nomad/templates/cli_cert.tpl.j2
index ee8368f..9bc7767 100644
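Review bot: The new `alt_names` in agent_cert.tpl.j2 drops both `{{ inventory_hostname }}` and the whole `ip_sans=127.0.0.1,{{ ansible_default_ipv4.address }}` argument, so the only names left to verify against are `localhost` and the `server`/`client.<region>.nomad` role names; the new `common_name=server-<fqdn-with-dashes>...` does not compensate, because Go TLS clients (which the Nomad CLI and agent are) ignore the CN once a SAN list is present. Any access to the HTTP API through the node's hostname or IP therefore fails hostname verification after the next renewal unless the caller sets NOMAD_TLS_SERVER_NAME. If restricting the API to localhost is intended, document it in the role defaults next to the `tls:` settings; otherwise keep `{{ inventory_hostname }}` in `alt_names` and restore `"ip_sans=127.0.0.1,{{ ansible_default_ipv4.address }}"`.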
--- a/roles/nomad/templates/cli_cert.tpl.j2
+++ b/roles/nomad/templates/cli_cert.tpl.j2
@@ -1,3 +1,3 @@
-[[ with secret "{{ nomad_vault.pki.path }}/issue/{{ nomad_vault.pki.role }}" "ttl={{ nomad_vault.pki.ttl }}" ]]
+[[ with secret "{{ nomad_vault_tls.pki.path }}/issue/{{ nomad_vault_tls.pki.role }}" "ttl={{ nomad_vault_tls.pki.ttl }}" "common_name=cli-{{ ansible_fqdn | regex_replace('\\.', '-') }}.{{ nomad_conf.region | default('global') }}.nomad" ]]
 [[ .Data.{{ item.what }} ]]
 [[ end ]]
diff --git a/roles/nomad/templates/consul-template.hcl.j2 b/roles/nomad/templates/consul-template.hcl.j2
index 19cc2d8..8bc033c 100644
--- a/roles/nomad/templates/consul-template.hcl.j2
+++ b/roles/nomad/templates/consul-template.hcl.j2
@@ -1,6 +1,6 @@
 vault {
- address = "{{ nomad_vault.address }}"
- token = "{{ nomad_vault.token }}"
+ address = "{{ nomad_vault_tls.address }}"
+ token = "{{ nomad_vault_tls.token }}"
 unwrap_token = false
 }
diff --git a/roles/nomad/templates/pre-backup.j2 b/roles/nomad/templates/pre-backup.j2
index 75cf88c..affc645 100644
--- a/roles/nomad/templates/pre-backup.j2
+++ b/roles/nomad/templates/pre-backup.j2
@@ -6,7 +6,7 @@ set -eo pipefail
 NOMAD_ADDR=https://localhost:{{ nomad_services.http.port }} \
 NOMAD_CACERT={{ nomad_conf.tls.ca_file }} \
 {% endif %}
-{% if nomad_vault.enabled %}
+{% if nomad_vault_tls.enabled %}
 NOMAD_CLIENT_CERT={{ nomad_root_dir }}/tls/cli.crt \
 NOMAD_CLIENT_KEY={{ nomad_root_dir }}/tls/cli.key \
 {% endif %}
diff --git a/roles/nomad/templates/profile.sh.j2 b/roles/nomad/templates/profile.sh.j2
index 545c66f..b4697bf 100644
--- a/roles/nomad/templates/profile.sh.j2
+++ b/roles/nomad/templates/profile.sh.j2
@@ -1,8 +1,9 @@
 {% if nomad_conf.tls.http %}
 export NOMAD_ADDR=https://localhost:{{ nomad_services.http.port }}
 export NOMAD_CACERT={{ nomad_conf.tls.ca_file }}
-{% if nomad_vault.enabled %}
+{% if nomad_vault_tls.enabled %}
 export NOMAD_CLIENT_CERT={{ nomad_root_dir }}/tls/cli.crt
 export NOMAD_CLIENT_KEY={{ nomad_root_dir }}/tls/cli.key
+export NOMAD_TLS_SERVER_NAME={{ nomad_conf.server.enabled | ternary('server', 'client') }}.global.nomad
 {% endif %}
 {% endif %}
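Review bot: `export NOMAD_TLS_SERVER_NAME={{ ... }}.global.nomad` hardcodes the region, while the agent certificate in this same commit carries `server.{{ nomad_conf.region | default('global') }}.nomad` as its SAN; on any region other than global the CLI is told to expect a name the certificate does not have and verification fails. Use the same expression as the templates: `export NOMAD_TLS_SERVER_NAME={{ nomad_conf.server.enabled | ternary('server', 'client') }}.{{ nomad_conf.region | default('global') }}.nomad`. pre-backup.j2 builds the same `https://localhost` connection with the same client certificate but does not get this variable; if the override is needed for verification there, the backup hook needs it too, and if it is not needed, a short comment above the export explaining why profile.sh requires it would help the next reader.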