Update to 2023-07-05 19:00

roles/consul/defaults/main.yml

@@ -76,6 +76,15 @@ consul_base_conf:
   connect:
     # Enable consul service mesh on servers
     enabled: "{{ (inventory_hostname in consul_servers | map('regex_replace', ':\\d+$', '')) | ternary(True, False) }}"
+    # ca_provider: vault
+    ca_config:
+      # address: https://active.vault.service.consul:8200
+      root_pki_path: pki/root
+      intermediate_pki_path: pki/connect
+      #auth_method:
+      #  approle:
+      #    role_id: XXXX
+      #    secret_id: YYYY
 
   acl:
     enabled: False
@@ -106,22 +115,6 @@ consul_extra_conf: {}
 consul_host_conf: {}
 consul_conf: "{{ consul_base_conf | combine(consul_extra_conf, recursive=True) | combine(consul_host_conf, recursive=True) }}"
 
-# TLS certs and token retrival from vault
-consul_base_vault_secrets:
-  # vault_address: https://active.vault.service.consul:8200
-  # vault_token: XXXXXX
-  pki:
-    enabled: False
-    path: /pki/consul
-    role: consul-{{ consul_conf.server | ternary('server', 'client') }}
-  tokens:
-    enabled: False
-    path: /consul
-    role: consul-agent
-consul_extra_vault_secrets: {}
-consul_host_vault_secrets: {}
-consul_vault_secrets: "{{ consul_base_vault_secrets | combine(consul_extra_vault_secrets, recursive=True) | combine(consul_host_vault_secrets, recursive=True) }}"
-
 # For example
 # consul_extra_conf:
 #   datacenter: my-dc
@@ -130,6 +123,23 @@ consul_vault_secrets: "{{ consul_base_vault_secrets | combine(consul_extra_vault
 #   ui_config:
 #     enabled: False
 
+consul_base_vault_agent:
+  # vault_address: https://active.vault.service.consul:8200
+  #
+  ## Only one of approle or token should be used
+  # auth:
+  #   approle:
+  #     role_id: XXXX
+  #     secret_id: YYYY
+  #   token: XXXXXXX
+  pki:
+    enabled: False
+    path: pki/consul
+    role: consul-{{ consul_conf.server | ternary('server', 'client') }}
+consul_extra_vault_agent: {}
+consul_host_vault_agent: {}
+consul_vault_agent: "{{ consul_base_vault_agent | combine(consul_extra_vault_agent, recursive=True) | combine(consul_host_vault_agent, recursive=True) }}"
+
 # List of services exposed by consul, the ports they use, and the list of IP
 # for which the service is accessible at the firewall level (if iptables_manage == True)
 consul_base_services:

roles/consul/handlers/main.yml

@@ -8,6 +8,5 @@
   service: name=consul state=reloaded
   when: consul_service_started is not defined or not consul_service_started.changed
 
-- name: restart consul-template-consul
-  service: name=consul-template-consul state=restarted
-
+- name: restart consul-vault-agent
+  service: name=consul-vault-agent state=restarted

roles/consul/meta/main.yml

@@ -2,4 +2,3 @@
 
 dependencies:
   - role: consul_bin
-  - role: consul_template

roles/consul/tasks/cleanup.yml

@@ -4,5 +4,6 @@
   file: path={{ item }} state=absent
   loop:
     - "{{ consul_root_dir }}/archives"
-    - "{{ consul_root_dir }}/bin"
+    - /etc/systemd/system/consul-template-consul.service
+    - "{{ consul_root_dir }}/consul-template"
   tags: consul

roles/consul/tasks/conf.yml

@@ -1,24 +1,27 @@
 ---
 
 # Ensure certificates exists. This is needed so first consul service starts doesn't fail
-# when consul-template hasn't populated the cert yet
+# when vault-agent hasn't populated the cert yet
 - name: Generate self-signed certificate
   import_tasks: ../includes/create_selfsigned_cert.yml
   vars:
     cert_path: "{{ consul_conf.tls.defaults.cert_file }}"
     cert_key_path: "{{ consul_conf.tls.defaults.key_file }}"
+    cert_key_user: "{{ consul_user }}"
     cert_key_group: "{{ consul_user }}"
-    cert_key_mode: 640
+    cert_key_mode: 660
+  when: consul_conf.tls.enabled
   tags: consul
 
 - name: Check if CA exists
   stat: path={{ consul_conf.tls.defaults.ca_file }}
   register: consul_ca_file
+  when: consul_conf.tls.enabled
   tags: consul
 
 - name: Copy cert as CA
   copy: src={{ consul_conf.tls.defaults.cert_file }} dest={{ consul_conf.tls.defaults.ca_file }} remote_src=True
-  when: not consul_ca_file.stat.exists
+  when: consul_conf.tls.enabled and not consul_ca_file.stat.exists
   tags: consul
 
 - name: Deploy consul configuration
@@ -94,33 +97,38 @@
   loop: "{{ consul_backup_configs.stdout_lines }}"
   tags: consul
 
-- name: Deploy consul-template config
-  template: src=consul-template.hcl.j2 dest={{ consul_root_dir }}/consul-template/consul-template.hcl mode=600 owner=root group=root
-  notify: restart consul-template-consul
-  when: consul_vault_secrets.pki.enabled or consul_vault_secrets.tokens.enabled
+- name: Deploy vault agent configuration
+  template: src=vault/agent.hcl.j2 dest={{ consul_root_dir }}/vault/agent.hcl mode=640 owner=root group={{ consul_user }}
+  notify: restart consul-vault-agent
+  when: consul_vault_agent.pki.enabled
   tags: consul
 
-- name: Deploy agent bundle template
-  template: src=agent_bundle.pem.tpl.j2 dest={{ consul_root_dir }}/consul-template/agent_bundle.pem.tpl owner=root group=root
-  notify: restart consul-template-consul
-  when: consul_vault_secrets.pki.enabled
+- name: Deploy agent cert bundle template
+  template: src=vault/agent_bundle.pem.tpl.j2 dest={{ consul_root_dir }}/vault/templates/agent_bundle.pem.tpl owner=root group=root
+  notify: restart consul-vault-agent
+  when: consul_vault_agent.pki.enabled
   tags: consul
 
-- name: Deploy consul-template cli bundle template
-  template: src=cli_bundle.pem.tpl.j2 dest={{ consul_root_dir }}/consul-template/cli_bundle.pem.tpl owner=root group=root
-  notify: restart consul-template-consul
-  when: consul_vault_secrets.pki.enabled and consul_conf.server
-  tags: consul
-
-- name: Deploy the consul-template agent token template
-  template: src=agent.token.tpl.j2 dest={{ consul_root_dir }}/consul-template/agent.token.tpl owner=root group=root
-  notify: restart consul-template-consul
-  when: consul_vault_secrets.tokens.enabled
+- when:
+    - consul_vault_agent.auth is defined
+    - consul_vault_agent.auth.approle is defined
+    - consul_vault_agent.auth.approle.role_id is defined
+    - consul_vault_agent.auth.approle.secret_id is defined
+  name: Setup AppRole auth
+  block:
+    - copy: content={{ consul_vault_agent.auth.approle.role_id }} dest={{ consul_root_dir }}/vault/role_id owner=root group={{ consul_user }} mode=640
+    - copy: content={{ consul_vault_agent.auth.approle.secret_id }} dest={{ consul_root_dir }}/vault/secret_id owner=root group={{ consul_user }} mode=640
   tags: consul
 
 - name: Set ACL on the TLS dir
   shell: |
     setfacl -R -b -k {{ consul_root_dir }}/tls
+    chown -R {{ consul_user }}:{{ consul_user }} {{ consul_root_dir }}/tls
+    chmod 775 {{ consul_root_dir }}/tls
+    chmod 660 {{ consul_root_dir }}/tls/*
+    setfacl -m u:{{ consul_user }}:rwx {{ consul_root_dir }}/tls
+    setfacl -m d:u:{{ consul_user }}:rw {{ consul_root_dir }}/tls
+    setfacl -m u:{{ consul_user }}:rw {{ consul_root_dir }}/tls/*
     {% if consul_admin_groups | length > 0 %}
     setfacl -m {% for group in consul_admin_groups %}g:{{ group }}:rx{{ ',' if not loop.last }}{% endfor %} {{ consul_root_dir }}/tls
     setfacl -m {% for group in consul_admin_groups %}d:g:{{ group }}:r{{ ',' if not loop.last }}{% endfor %} {{ consul_root_dir }}/tls

roles/consul/tasks/directories.yml

@@ -28,9 +28,10 @@
       group: "{{ consul_user }}"
       mode: 750
     - dir: tls
+    - dir: vault
+      mode: 750
       owner: root
-      group: root
-      mode: 755
-    - dir: consul-template
-      mode: 755
+      group: "{{ consul_user }}"
+    - dir: vault/templates
+    - dir: bin
   tags: consul

roles/consul/tasks/facts.yml

@@ -8,3 +8,7 @@
     - set_fact: consul_current_version={{ consul_current_version.stdout }}
   tags: consul
 
+- name: Check if the consul-template service still exists
+  stat: path=/etc/systemd/system/consul-template
+  register: consul_ct_service
+  tags: consul

roles/consul/tasks/install.yml

@@ -6,15 +6,9 @@
   notify: restart consul
   tags: consul
 
-- name: Install consul-template unit
-  template: src=consul-template-consul.service.j2 dest=/etc/systemd/system/consul-template-consul.service
-  register: consul_template_tpl_unit
-  notify: restart consul-template-consul
-  tags: consul
-
-- name: Reload systemd
-  systemd: daemon_reload=True
-  when: consul_unit.changed or consul_template_tpl_unit.changed
+- name: Deploy consul service wrapper
+  template: src=consul.sh.j2 dest={{ consul_root_dir }}/bin/consul mode=755
+  notify: restart consul
   tags: consul
 
 - name: Install backup hooks
@@ -27,9 +21,8 @@
 - name: Create tmpfiles fragment
   copy:
     content: |
-      d /run/nomad 770 root {{ consul_user }}
+      d /run/consul 770 root {{ consul_user }}
     dest: /etc/tmpfiles.d/consul.conf
-  notify: systemd-tmpfiles
   register: consul_tmpfiles
   tags: consul
 
@@ -37,3 +30,15 @@
   command: systemd-tmpfiles --create
   when: consul_tmpfiles.changed
   tags: consul
+
+- name: Install vault agent unit file
+  template: src=vault/agent.service.j2 dest=/etc/systemd/system/consul-vault-agent.service
+  register: consul_vault_agent_unit
+  notify: restart consul-vault-agent
+  tags: consul
+
+- name: Reload systemd
+  systemd: daemon_reload=True
+  when: consul_unit.changed or consul_vault_agent_unit.changed
+  tags: consul
+

roles/consul/tasks/services.yml

@@ -5,10 +5,18 @@
   register: consul_service_started
   tags: consul
 
-- name: Handle consul-template-consul service
+- name: Stop consul-template-consul service
   service:
     name: consul-template-consul
-    state: "{{ (consul_vault_secrets.pki.enabled or consul_vault_secrets.tokens.enabled) | ternary('started', 'stopped') }}"
-    enabled: "{{ (consul_vault_secrets.pki.enabled or consul_vault_secrets.tokens.enabled) | ternary(True, False) }}"
+    state: stopped
+    enabled: False
+  when: consul_ct_service.stat.exists
+  tags: consul
+
+- name: Handle consul-vault-agent service
+  service:
+    name: consul-vault-agent
+    state: "{{ (consul_vault_agent.pki.enabled) | ternary('started', 'stopped') }}"
+    enabled: "{{ (consul_vault_agent.pki.enabled) | ternary(True, False) }}"
   tags: consul
 

roles/consul/templates/agent.token.tpl.j2

@@ -1,3 +0,0 @@
-[[ with secret "{{ consul_vault_secrets.tokens.path }}/creds/{{ consul_vault_secrets.tokens.role }}" ]]
-[[ .Data.token ]]
-[[ end ]]

roles/consul/templates/agent_bundle.pem.tpl.j2

@@ -1,18 +0,0 @@
-{% if consul_conf.server %}
-[[ with pkiCert "{{ consul_vault_secrets.pki.path }}/issue/{{ consul_vault_secrets.pki.role }}" "common_name=server-{{ ansible_fqdn | regex_replace('\\.', '-') }}.{{ consul_conf.datacenter | default('dc1') }}.{{ consul_conf.domain | default('consul') }}" "alt_names=localhost,consul.service.{{ consul_conf.domain | default('consul') }},server.{{ consul_conf.datacenter | default('dc1') }}.{{ consul_conf.domain | default('consul') }}{% if consul_conf.alt_domain is defined %}consul.service.{{ consul_conf.alt_domain }},server.{{ consul_conf.datacenter | default('dc1') }}.{{ consul_conf.alt_domain }}{% endif %}" ]]
-[[ .CA ]]
-[[ .Cert ]]
-[[ .Key ]]
-[[ .CA | writeToFile "{{ consul_conf.tls.defaults.ca_file }}" "root" "root" "0644" ]]
-[[ .Cert | writeToFile "{{ consul_conf.tls.defaults.cert_file }}" "root" "root" "0644" ]]
-[[ .Key | writeToFile "{{ consul_conf.tls.defaults.key_file }}" "root" "{{ consul_user }}" "0640" ]]
-[[ end ]]
-[[ with secret "{{ consul_vault_secrets.pki.path }}/cert/ca" ]]
-[[ .Data.certificate | writeToFile "{{ consul_conf.tls.defaults.cert_file }}" "root" "root" "0644" "append,newline" ]]
-[[ end ]]
-{% else %}
-[[ with secret "{{ consul_vault_secrets.pki.path }}/cert/ca" ]]
-[[ .Data.certificate | writeToFile "{{ consul_conf.tls.defaults.ca_file }}" "root" "root" "0644" ]]
-[[ end ]]
-{% endif %}
-

roles/consul/templates/agent_token.tpl.j2

@@ -0,0 +1,3 @@
+[[ with secret "{{ consul_vault_agent.tokens.path }}/creds/{{ consul_vault_agent.tokens.role }}" ]]
+[[ .Data.token ]]
+[[ end ]]

roles/consul/templates/cli_bundle.pem.tpl.j2

@@ -1,7 +0,0 @@
-[[ with pkiCert "{{ consul_vault_secrets.pki.path }}/issue/{{ consul_vault_secrets.pki.role }}" "common_name=cli-{{ ansible_fqdn | regex_replace('\\.', '-') }}.{{ consul_conf.datacenter | default('dc1') }}.{{ consul_conf.domain | default('consul') }}" ]]
-[[ .CA ]]
-[[ .Cert ]]
-[[ .Key ]]
-[[ .Cert | writeToFile "{{ consul_root_dir }}/tls/cli.crt" "root" "root" "0644" ]]
-[[ .Key | writeToFile "{{ consul_root_dir }}/tls/cli.key" "root" "root" "0640" ]]
-[[ end ]]

roles/consul/templates/consul-template-consul.service.j2

@@ -1,18 +0,0 @@
-[Unit]
-Description="HashiCorp consul-template"
-Documentation=https://github.com/hashicorp/consul-template
-Requires=network-online.target
-After=network-online.target
-ConditionFileNotEmpty={{ consul_root_dir }}/consul-template/consul-template.hcl
-
-[Service]
-Type=simple
-ExecStart=/usr/local/bin/consul-template -config={{ consul_root_dir }}/consul-template/consul-template.hcl
-SuccessExitStatus=12
-ExecReload=/bin/kill --signal HUP $MAINPID
-KillSignal=SIGINT
-Restart=on-failure
-RestartSec=2
-
-[Install]
-WantedBy=multi-user.target

roles/consul/templates/consul-template.hcl.j2

@@ -1,42 +0,0 @@
-vault {
-  address      = "{{ consul_vault_secrets.vault_address }}"
-  token        = "{{ consul_vault_secrets.vault_token }}"
-  unwrap_token = false
-}
-
-template {
-  source          = "{{ consul_root_dir }}/consul-template/agent_bundle.pem.tpl"
-  left_delimiter  = "[["
-  right_delimiter = "]]"
-  destination     = "{{ consul_root_dir }}/tls/agent_bundle.pem"
-  perms           = 0640
-  exec {
-    command = "sh -c 'systemctl reload consul || true'"
-  }
-}
-
-{% if consul_conf.server %}
-template {
-  source          = "{{ consul_root_dir }}/consul-template/cli_bundle.pem.tpl"
-  left_delimiter  = "[["
-  right_delimiter = "]]"
-  destination     = "{{ consul_root_dir }}/tls/cli_bundle.pem"
-  perms           = 0640
-  exec {
-    command = "sh -c 'systemctl reload consul || true'"
-  }
-}
-{% endif %}
-
-{% if consul_vault_secrets.tokens.enabled %}
-template {
-  source          = "{{ consul_root_dir }}/consul-template/agent.token.tpl"
-  left_delimiter  = "[["
-  right_delimiter = "]]"
-  destination     = "{{ consul_root_dir }}/tmp/agent.token"
-  perms           = 0600
-  exec {
-    command = "sh -c 'consul acl set-agent-token default $(grep -P \'^[^\s]\' {{ consul_root_dir }}/tmp/agent.token)'"
-  }
-}
-{% endif %}

roles/consul/templates/consul.hcl.j2

@@ -69,6 +69,28 @@ telemetry {
 {% if consul_conf.connect.enabled %}
 connect {
   enabled = true
+{% if consul_conf.connect.ca_provider is defined %}
+  ca_provider = "{{ consul_conf.connect.ca_provider }}"
+  ca_config {
+{% for key in ['address', 'token', 'root_pki_path', 'intermediate_pki_path'] %}
+{% if consul_conf.connect.ca_config[key] is defined %}
+    {{ key }} = "{{ consul_conf.connect.ca_config[key] }}"
+{% endif %}
+{% endfor %}
+{% if consul_conf.connect.ca_config.auth_method is defined %}
+    auth_method {
+{% if consul_conf.connect.ca_config.auth_method.approle is defined %}
+      type = "approle"
+      params {
+{% for key in ['role_id', 'secret_id'] %}
+        {{ key }} = "{{ consul_conf.connect.ca_config.auth_method.approle[key] }}"
+{% endfor %}
+      }
+{% endif %}
+    }
+{% endif %}
+  }
+{% endif %}
 }
 {% endif %}
 

roles/consul/templates/consul.service.j2

@@ -3,6 +3,10 @@ Description="HashiCorp Consul - A service mesh solution"
 Documentation=https://www.consul.io/
 Requires=network-online.target
 After=network-online.target
+After=consul-vault-agent.service
+{% if consul_vault_agent.vault_address is defined and consul_vault_agent.pki.enabled %}
+Requires=consul-vault-agent.service
+{% endif %}
 ConditionFileNotEmpty={{ consul_root_dir }}/etc/consul.hcl
 
 # Consul version {{ consul_current_version }}
@@ -11,7 +15,7 @@ Type=notify
 EnvironmentFile=-{{ consul_root_dir }}/etc/consul.env
 User={{ consul_user }}
 Group={{ consul_user }}
-ExecStart=/usr/local/bin/consul agent -config-dir={{ consul_root_dir }}/etc/
+ExecStart={{ consul_root_dir }}/bin/consul
 ExecReload=/bin/kill --signal HUP $MAINPID
 SuccessExitStatus=1
 Restart=on-failure

roles/consul/templates/consul.sh.j2

@@ -0,0 +1,19 @@
+#!/bin/sh
+
+{% if consul_vault_agent.vault_address is defined and consul_vault_agent.pki.enabled %}
+if [ -f /run/consul/vault_token ]; then
+  exec env VAULT_TOKEN=$(vault unwrap -field=token $(jq -r '.token' /run/consul/vault_token)) \
+    /usr/local/bin/consul \
+      agent \
+      -config-dir={{ consul_root_dir }}/etc/ \
+      -pid-file /run/consul/consul_agent.pid
+else
+  echo "Consul service failed due to missing Vault token"
+  exit 1
+fi
+{% else %}
+exec /usr/local/bin/consul \
+  agent \
+  -config-dir={{ consul_root_dir }}/etc/ \
+  -pid-file /run/consul/consul_agent.pid
+{% endif %}

roles/consul/templates/profile.sh.j2

@@ -1,12 +1,5 @@
-{% if consul_conf.tls.enabled and consul_conf.server %}
-export CONSUL_HTTP_ADDR=https://localhost:{{ consul_services.https.port }}
-export CONSUL_HTTP_SSL=true
-export CONSUL_CACERT={{ consul_conf.tls.defaults.ca_file }}
-{% if consul_vault_secrets.pki.enabled %}
-export CONSUL_CLIENT_CERT={{ consul_root_dir }}/tls/cli.crt
-export CONSUL_CLIENT_KEY={{ consul_root_dir }}/tls/cli.key
-export CONSUL_TLS_SERVER_NAME=server.{{ consul_conf.datacenter | default('dc1') }}.{{ consul_conf.domain | default('consul') }}
-{% endif %}
+{% if consul_conf.server %}
+export CONSUL_HTTP_ADDR=http://localhost:{{ consul_services.http.port }}
 {% else %}
-# TLS not enabled or not running in server mode
+# not running in server mode
 {% endif %}

roles/consul/templates/vault/agent.hcl.j2

@@ -0,0 +1,44 @@
+vault {
+  address = "{{ consul_vault_agent.vault_address }}"
+}
+
+auto_auth {
+{% if  consul_vault_agent.auth.approle is defined %}
+  method {
+    type = "approle"
+    config {
+      role_id_file_path   = "{{ consul_root_dir }}/vault/role_id"
+      secret_id_file_path = "{{ consul_root_dir }}/vault/secret_id"
+      remove_secret_id_file_after_reading = false
+    }
+  }
+{% elif consul_vault_agent.auth.token is defined %}
+  method {
+    type = "token_file"
+    config {
+      token_file_path = "{{ consul_root_dir }}/vault/token"
+    }
+  }
+{% endif %}
+
+  sink {
+    type = "file"
+    wrap_ttl = "30s"
+    config = {
+      path = "/run/consul/vault_token"
+      mode = 640
+    }
+  }
+}
+
+template {
+  source = "{{ consul_root_dir }}/vault/templates/agent_bundle.pem.tpl"
+  destination = "{{ consul_root_dir }}/tls/agent_bundle.pem"
+  left_delimiter  = "[["
+  right_delimiter = "]]"
+  perms           = 0640
+  exec {
+    command = ["sh", "-c", "kill -USR1 $(cat /run/consul/consul_agent.pid)"]
+  }
+}
+

roles/consul/templates/vault/agent.service.j2

@@ -0,0 +1,34 @@
+[Unit]
+Description="HashiCorp Vault Agent for Consul"
+Documentation=https://www.vaultproject.io/docs/
+Requires=network-online.target
+After=network-online.target
+ConditionFileNotEmpty={{ consul_root_dir }}/vault/agent.hcl
+StartLimitIntervalSec=60
+StartLimitBurst=3
+PartOf=consul.service
+
+[Service]
+Type=notify
+User={{ consul_user }}
+Group={{ consul_user }}
+ProtectSystem=full
+ProtectHome=read-only
+PrivateTmp=yes
+PrivateDevices=yes
+SecureBits=keep-caps
+AmbientCapabilities=CAP_IPC_LOCK
+CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK
+NoNewPrivileges=yes
+ExecStart=/usr/local/bin/vault agent -config={{ consul_root_dir }}/vault/agent.hcl
+ExecReload=/bin/kill --signal HUP $MAINPID
+KillMode=process
+KillSignal=SIGINT
+Restart=on-failure
+RestartSec=5
+TimeoutStopSec=30
+LimitNOFILE=65536
+LimitMEMLOCK=infinity
+
+[Install]
+WantedBy=multi-user.target

roles/consul/templates/vault/agent_bundle.pem.tpl.j2

@@ -0,0 +1,17 @@
+{% if consul_conf.server %}
+[[ with pkiCert "{{ consul_vault_agent.pki.path }}/issue/{{ consul_vault_agent.pki.role }}" "common_name=server-{{ ansible_fqdn | regex_replace('\\.', '-') }}.{{ consul_conf.datacenter | default('dc1') }}.{{ consul_conf.domain | default('consul') }}" "alt_names=consul.service.{{ consul_conf.domain | default('consul') }},server.{{ consul_conf.datacenter | default('dc1') }}.{{ consul_conf.domain | default('consul') }}{% if consul_conf.alt_domain is defined %},consul.service.{{ consul_conf.alt_domain }},server.{{ consul_conf.datacenter | default('dc1') }}.{{ consul_conf.alt_domain }}{% endif %}" "ttl=72h" ]]
+[[ .CA ]]
+[[ .Cert ]]
+[[ .Key ]]
+[[ .CA | writeToFile "{{ consul_conf.tls.defaults.ca_file }}" "{{ consul_user }}" "{{ consul_user }}" "0644" ]]
+[[ .Cert | writeToFile "{{ consul_conf.tls.defaults.cert_file }}" "{{ consul_user }}" "{{ consul_user }}" "0644" ]]
+[[ .Key | writeToFile "{{ consul_conf.tls.defaults.key_file }}" "{{ consul_user }}" "{{ consul_user }}" "0640" ]]
+[[ end ]]
+[[ with secret "{{ consul_vault_agent.pki.path }}/cert/ca" ]]
+[[ .Data.certificate | writeToFile "{{ consul_conf.tls.defaults.cert_file }}" "{{ consul_user }}" "{{ consul_user }}" "0644" "append,newline" ]]
+[[ end ]]
+{% else %}
+[[ with secret "{{ consul_vault_agent.pki.path }}/cert/ca" ]]
+[[ .Data.certificate | writeToFile "{{ consul_conf.tls.defaults.ca_file }}" "{{ consul_user }}" "{{ consul_user }}" "0644" ]]
+[[ end ]]
+{% endif %}

roles/consul/templates/vault/agent_token.tpl.j2

@@ -0,0 +1,3 @@
+[[ with secret "{{ consul_vault_agent.tokens.path }}/creds/{{ consul_vault_agent.tokens.role }}" ]]
+[[ .Data.token ]]
+[[ end ]]

roles/consul/templates/vault/cli_bundle.pem.tpl.j2

@@ -0,0 +1,7 @@
+[[ with pkiCert "{{ consul_vault_agent.pki.path }}/issue/{{ consul_vault_agent.pki.role }}" "common_name=cli-{{ ansible_fqdn | regex_replace('\\.', '-') }}.{{ consul_conf.datacenter | default('dc1') }}.{{ consul_conf.domain | default('consul') }}" ]]
+[[ .CA ]]
+[[ .Cert ]]
+[[ .Key ]]
+[[ .Cert | writeToFile "{{ consul_root_dir }}/tls/cli.crt" "{{ consul_user }}" "{{ consul_user }}" "0644" ]]
+[[ .Key | writeToFile "{{ consul_root_dir }}/tls/cli.key" "{{ consul_user }}" "{{ consul_user }}" "0640" ]]
+[[ end ]]