Update to 2023-07-05 19:00

2025-07-27 16:25:56 +02:00 · 2023-07-05 19:00:07 +02:00
parent 0cc589ae4b
commit 8471af248b
25 changed files with 254 additions and 161 deletions
--- a/roles/consul/defaults/main.yml
+++ b/roles/consul/defaults/main.yml
@@ -76,6 +76,15 @@ consul_base_conf:
  connect:
    # Enable consul service mesh on servers
    enabled: "{{ (inventory_hostname in consul_servers | map('regex_replace', ':\\d+$', '')) | ternary(True, False) }}"
+    # ca_provider: vault
+    ca_config:
+      # address: https://active.vault.service.consul:8200
+      root_pki_path: pki/root
+      intermediate_pki_path: pki/connect
+      #auth_method:
+      #  approle:
+      #    role_id: XXXX
+      #    secret_id: YYYY

  acl:
    enabled: False
@@ -106,22 +115,6 @@ consul_extra_conf: {}
 consul_host_conf: {}
 consul_conf: "{{ consul_base_conf | combine(consul_extra_conf, recursive=True) | combine(consul_host_conf, recursive=True) }}"

-# TLS certs and token retrival from vault
-consul_base_vault_secrets:
-  # vault_address: https://active.vault.service.consul:8200
-  # vault_token: XXXXXX
-  pki:
-    enabled: False
-    path: /pki/consul
-    role: consul-{{ consul_conf.server | ternary('server', 'client') }}
-  tokens:
-    enabled: False
-    path: /consul
-    role: consul-agent
-consul_extra_vault_secrets: {}
-consul_host_vault_secrets: {}
-consul_vault_secrets: "{{ consul_base_vault_secrets | combine(consul_extra_vault_secrets, recursive=True) | combine(consul_host_vault_secrets, recursive=True) }}"
-
 # For example
 # consul_extra_conf:
 #   datacenter: my-dc
@@ -130,6 +123,23 @@ consul_vault_secrets: "{{ consul_base_vault_secrets | combine(consul_extra_vault
 #   ui_config:
 #     enabled: False

+consul_base_vault_agent:
+  # vault_address: https://active.vault.service.consul:8200
+  #
+  ## Only one of approle or token should be used
+  # auth:
+  #   approle:
+  #     role_id: XXXX
+  #     secret_id: YYYY
+  #   token: XXXXXXX
+  pki:
+    enabled: False
+    path: pki/consul
+    role: consul-{{ consul_conf.server | ternary('server', 'client') }}
+consul_extra_vault_agent: {}
+consul_host_vault_agent: {}
+consul_vault_agent: "{{ consul_base_vault_agent | combine(consul_extra_vault_agent, recursive=True) | combine(consul_host_vault_agent, recursive=True) }}"
+
 # List of services exposed by consul, the ports they use, and the list of IP
 # for which the service is accessible at the firewall level (if iptables_manage == True)
 consul_base_services: