diff --git a/roles/consul/tasks/conf.yml b/roles/consul/tasks/conf.yml index 851b639..1970605 100644 --- a/roles/consul/tasks/conf.yml +++ b/roles/consul/tasks/conf.yml @@ -100,26 +100,14 @@ when: consul_vault_secrets.pki.enabled or consul_vault_secrets.tokens.enabled tags: consul -- name: Deploy consul-template agent cert template - template: src=agent_cert.tpl.j2 dest={{ consul_root_dir }}/consul-template/{{ item.where }} owner=root group=root - loop: - - what: certificate - where: agent.crt.tpl - - what: private_key - where: agent.key.tpl - - what: issuing_ca - where: ca.crt.tpl +- name: Deploy agent bundle template + template: src=agent_bundle.pem.tpl.j2 dest={{ consul_root_dir }}/consul-template/agent_bundle.pem.tpl owner=root group=root notify: restart consul-template-consul when: consul_vault_secrets.pki.enabled tags: consul -- name: Deploy consul-template cli cert template - template: src=cli_cert.tpl.j2 dest={{ consul_root_dir }}/consul-template/{{ item.where }} owner=root group=root - loop: - - what: certificate - where: cli.crt.tpl - - what: private_key - where: cli.key.tpl +- name: Deploy consul-template cli bundle template + template: src=cli_bundle.pem.tpl.j2 dest={{ consul_root_dir }}/consul-template/cli_bundle.pem.tpl owner=root group=root notify: restart consul-template-consul when: consul_vault_secrets.pki.enabled and consul_conf.server tags: consul 
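Review bot: The two rewritten `Deploy ... bundle template` tasks keep the free-form `key=value` argument string, so they still set no `mode` and the `{{ consul_root_dir }}` expansion inside `dest=` depends on the module's own word-splitting of that string. Since these lines are being rewritten anyway, native YAML module arguments read more clearly and make the file mode explicit; the same form is used by the rewritten tasks in the roles/nomad/tasks/conf.yml hunk.
```yaml
- name: Deploy agent bundle template
  template:
    src: agent_bundle.pem.tpl.j2
    dest: "{{ consul_root_dir }}/consul-template/agent_bundle.pem.tpl"
    owner: root
    group: root
    mode: "0644"
  # … unchanged: notify / when / tags …
# … unchanged: cli bundle task, same argument form …
```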
@@ -132,10 +120,11 @@ - name: Set ACL on the TLS dir shell: | - setfacl -R -b -x {{ consul_root_dir }}/tls + setfacl -R -b -k {{ consul_root_dir }}/tls {% if consul_admin_groups | length > 0 %} - setfacl -R -m {% for group in consul_admin_groups %}g:{{ group }}:rX{{ ',' if not loop.last }}{% endfor %} {{ consul_root_dir }}/tls - setfacl -R -m {% for group in consul_admin_groups %}d:g:{{ group }}:rX{{ ',' if not loop.last }}{% endfor %} {{ consul_root_dir }}/tls + setfacl -m {% for group in consul_admin_groups %}g:{{ group }}:rx{{ ',' if not loop.last }}{% endfor %} {{ consul_root_dir }}/tls + setfacl -m {% for group in consul_admin_groups %}d:g:{{ group }}:r{{ ',' if not loop.last }}{% endfor %} {{ consul_root_dir }}/tls + setfacl -m {% for group in consul_admin_groups %}g:{{ group }}:r{{ ',' if not loop.last }}{% endfor %} {{ consul_root_dir }}/tls/* {% endif %} changed_when: False failed_when: False # Do not fail if eg, the FS doesn't support ACL diff --git a/roles/consul/templates/agent_bundle.pem.tpl.j2 b/roles/consul/templates/agent_bundle.pem.tpl.j2 new file mode 100644 index 0000000..b18edee --- /dev/null +++ b/roles/consul/templates/agent_bundle.pem.tpl.j2 
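Review bot: `failed_when: False` on the rewritten `setfacl` task masks every failure, not only the unsupported-filesystem case the trailing comment names, so a bad ACL spec or a literal `*` (when `tls/` is still empty on the first run) leaves the directory with only the base ACL after `-b` has stripped the extended entries, and nothing reports it. Narrow it to the intended case: `register: tls_acl` and `failed_when: tls_acl.rc != 0 and 'Operation not supported' not in tls_acl.stderr`. The `tls/*` glob also skips dot-files and subdirectories, which the previous `-R` form covered; if nothing else is expected there, a comment saying so would help. The same task in the roles/nomad/tasks/conf.yml hunk has the same shape. Note that the matched files now include `agent_bundle.pem` and `cli_bundle.pem`, which embed the private keys, so the admin groups' read access is to key material — the same exposure the old recursive `rX` gave, but worth stating above the task: `# Admin groups get read access to every file in tls/, including the key bundles`.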
@@ -0,0 +1,18 @@ +{% if consul_conf.server %} +[[ with pkiCert "{{ consul_vault_secrets.pki.path }}/issue/{{ consul_vault_secrets.pki.role }}" "common_name=server-{{ ansible_fqdn | regex_replace('\\.', '-') }}.{{ consul_conf.datacenter | default('dc1') }}.{{ consul_conf.domain | default('consul') }}" "alt_names=localhost,consul.service.{{ consul_conf.domain | default('consul') }},server.{{ consul_conf.datacenter | default('dc1') }}.{{ consul_conf.domain | default('consul') }}" ]] +[[ .CA ]] +[[ .Cert ]] +[[ .Key ]] +[[ .CA | writeToFile "{{ consul_conf.tls.defaults.ca_file }}" "root" "root" "0644" ]] +[[ .Cert | writeToFile "{{ consul_conf.tls.defaults.cert_file }}" "root" "root" "0644" ]] +[[ .Key | writeToFile "{{ consul_conf.tls.defaults.key_file }}" "root" "{{ consul_user }}" "0640" ]] +[[ end ]] +[[ with secret "{{ consul_vault_secrets.pki.path }}/cert/ca" ]] +[[ .Data.certificate | writeToFile "{{ consul_conf.tls.defaults.cert_file }}" "root" "root" "0644" "append,newline" ]] +[[ end ]] +{% else %} +[[ with secret "{{ consul_vault_secrets.pki.path }}/cert/ca" ]] +[[ .Data.certificate | writeToFile "{{ consul_conf.tls.defaults.ca_file }}" "root" "root" "0644" ]] +[[ end ]] +{% endif %} + diff --git a/roles/consul/templates/agent_cert.tpl.j2 b/roles/consul/templates/agent_cert.tpl.j2 deleted file mode 100644 index cb3bc9d..0000000 --- a/roles/consul/templates/agent_cert.tpl.j2 +++ /dev/null 
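Review bot: In the server branch the root CA from `/cert/ca` is appended to `cert_file` while `ca_file` receives only the issuing CA (`.CA`), and the client branch trusts only the root CA; unless the issuing role signs directly under the root, the two sides use different trust anchors and the chain a server presents (leaf plus root) lacks the intermediate a root-only client needs. The consul_bundle template in roles/nomad/templates appends the root to the CA file instead, which keeps the trust store self-contained; mirroring that here changes only the append target: `[[ .Data.certificate | writeToFile "{{ consul_conf.tls.defaults.ca_file }}" "root" "root" "0644" "append,newline" ]]`. The agent bundle in roles/nomad/templates/agent_bundle.pem.tpl.j2 has the same layout. This reproduces what the deleted agent_cert template did, so confirm how the Vault PKI mount is chained before changing it.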
@@ -1,14 +0,0 @@ -{% if consul_conf.server %} -[[ with secret "{{ consul_vault_secrets.pki.path }}/issue/{{ consul_vault_secrets.pki.role }}" "common_name=server-{{ ansible_fqdn | regex_replace('\\.', '-') }}.{{ consul_conf.datacenter | default('dc1') }}.{{ consul_conf.domain | default('consul') }}" "alt_names=localhost,consul.service.{{ consul_conf.domain | default('consul') }},server.{{ consul_conf.datacenter | default('dc1') }}.{{ consul_conf.domain | default('consul') }}" ]] -[[ .Data.{{ item.what }} ]] -[[ end ]] -{% if item.what == 'certificate' %} -[[ with secret "{{ consul_vault_secrets.pki.path }}/cert/ca" ]] -[[ .Data.certificate ]] -[[ end ]] -{% endif %} -{% else %} -[[ with secret "{{ consul_vault_secrets.pki.path }}/cert/ca" ]] -[[ .Data.certificate ]] -[[ end ]] -{% endif %} diff --git a/roles/consul/templates/cli_bundle.pem.tpl.j2 b/roles/consul/templates/cli_bundle.pem.tpl.j2 new file mode 100644 index 0000000..355fa39 --- /dev/null +++ b/roles/consul/templates/cli_bundle.pem.tpl.j2 @@ -0,0 +1,7 @@ +[[ with pkiCert "{{ consul_vault_secrets.pki.path }}/issue/{{ consul_vault_secrets.pki.role }}" "common_name=cli-{{ ansible_fqdn | regex_replace('\\.', '-') }}.{{ consul_conf.datacenter | default('dc1') }}.{{ consul_conf.domain | default('consul') }}" ]] +[[ .CA ]] +[[ .Cert ]] +[[ .Key ]] +[[ .Cert | writeToFile "{{ consul_root_dir }}/tls/cli.crt" "root" "root" "0644" ]] +[[ .Key | writeToFile "{{ consul_root_dir }}/tls/cli.key" "root" "root" "0640" ]] +[[ end ]] diff --git a/roles/consul/templates/cli_cert.tpl.j2 b/roles/consul/templates/cli_cert.tpl.j2 deleted file mode 100644 index d1f4a4c..0000000 --- a/roles/consul/templates/cli_cert.tpl.j2 +++ /dev/null 
@@ -1,3 +0,0 @@ -[[ with secret "{{ consul_vault_secrets.pki.path }}/issue/{{ consul_vault_secrets.pki.role }}" "common_name=cli-{{ ansible_fqdn | regex_replace('\\.', '-') }}.{{ consul_conf.datacenter | default('dc1') }}.{{ consul_conf.domain | default('consul') }}" ]] -[[ .Data.{{ item.what }} ]] -[[ end ]] diff --git a/roles/consul/templates/consul-template.hcl.j2 b/roles/consul/templates/consul-template.hcl.j2 index a0419d5..7fcf36b 100644 --- a/roles/consul/templates/consul-template.hcl.j2 +++ b/roles/consul/templates/consul-template.hcl.j2 
@@ -5,55 +5,27 @@ vault { } template { - source = "{{ consul_root_dir }}/consul-template/ca.crt.tpl" + source = "{{ consul_root_dir }}/consul-template/agent_bundle.pem.tpl" left_delimiter = "[[" right_delimiter = "]]" - destination = "{{ consul_conf.tls.defaults.ca_file }}" - perms = 0644 + destination = "{{ consul_root_dir }}/tls/agent_bundle.pem" + perms = 0640 exec { command = "sh -c 'systemctl reload consul || true'" } } -{% if consul_vault_secrets.pki.enabled %} {% if consul_conf.server %} template { - source = "{{ consul_root_dir }}/consul-template/agent.crt.tpl" + source = "{{ consul_root_dir }}/consul-template/cli_bundle.pem.tpl" left_delimiter = "[[" right_delimiter = "]]" - destination = "{{ consul_conf.tls.defaults.cert_file }}" - perms = 0644 + destination = "{{ consul_root_dir }}/tls/cli_bundle.pem" + perms = 0640 exec { command = "sh -c 'systemctl reload consul || true'" } } - -template { - source = "{{ consul_root_dir }}/consul-template/agent.key.tpl" - left_delimiter = "[[" - right_delimiter = "]]" - destination = "{{ consul_conf.tls.defaults.key_file }}" - perms = 0640 - exec { - command = "sh -c 'chgrp {{ consul_user }} {{ consul_conf.tls.defaults.key_file }} && systemctl reload consul || true'" - } -} - -template { - source = "{{ consul_root_dir }}/consul-template/cli.crt.tpl" - left_delimiter = "[[" - right_delimiter = "]]" - destination = "{{ consul_root_dir }}/tls/cli.crt" -} - -template { - source = "{{ consul_root_dir }}/consul-template/cli.key.tpl" - left_delimiter = "[[" - right_delimiter = "]]" - destination = "{{ consul_root_dir }}/tls/cli.key" - perms = 0640 -} -{% endif %} {% endif %} {% if consul_vault_secrets.tokens.enabled %} diff --git a/roles/consul/templates/consul.hcl.j2 b/roles/consul/templates/consul.hcl.j2 index c74135b..80e97ac 100644 --- a/roles/consul/templates/consul.hcl.j2 +++ b/roles/consul/templates/consul.hcl.j2 
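Review bot: The `{% if consul_vault_secrets.pki.enabled %}` guard is dropped here, so the agent_bundle stanza is rendered even when only tokens are enabled, while the task in roles/consul/tasks/conf.yml deploys `agent_bundle.pem.tpl` only `when: consul_vault_secrets.pki.enabled`; consul-template would then start with a missing template source, unless an enclosing guard exists above line 5 of the file, which is outside the hunk. The nomad variant of this file keeps that guard. Re-adding `{% if consul_vault_secrets.pki.enabled %}` before the first `template {` and a matching `{% endif %}` after the server block keeps the two files in step. The `exec {}` on the cli bundle also reloads consul although `cli.crt` is written under `tls/` rather than to the agent's `consul_conf.tls.*` paths, so it appears not to be read by the agent; if so, dropping that exec avoids a needless reload on every CLI renewal.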
@@ -89,6 +89,7 @@ acl { } {% if consul_conf.tls.enabled %} +{% if consul_conf.server %} # TLS settings tls { {% for section in ['defaults', 'grpc', 'https', 'internal_rpc'] %} @@ -110,7 +111,6 @@ tls { } # auto_encrypt, to distribute certificates from servers to clients -{% if consul_conf.server %} auto_encrypt { allow_tls = true } diff --git a/roles/consul/templates/consul.service.j2 b/roles/consul/templates/consul.service.j2 index 79ac42f..dd2052e 100644 --- a/roles/consul/templates/consul.service.j2 +++ b/roles/consul/templates/consul.service.j2 @@ -6,7 +6,6 @@ After=network-online.target ConditionFileNotEmpty={{ consul_root_dir }}/etc/consul.hcl [Service] -Type=notify EnvironmentFile=-{{ consul_root_dir }}/etc/consul.env User={{ consul_user }} Group={{ consul_user }} diff --git a/roles/nomad/defaults/main.yml b/roles/nomad/defaults/main.yml index ec078bc..db5982f 100644 --- a/roles/nomad/defaults/main.yml +++ b/roles/nomad/defaults/main.yml @@ -229,7 +229,7 @@ nomad_services: "{{ nomad_base_services | combine(nomad_extra_services, recursiv # When using vault to setup TLS for Nomad nomad_base_vault_secrets: - vault_address: "{{ nomad_conf.vault.address | default(omit) }}" + vault_address: "{{ nomad_conf.vault.address | default('https://active.vault.service.consul:8200') }}" # Token to use to issue certificates # token: XXXXXXXXX pki: diff --git a/roles/nomad/tasks/conf.yml b/roles/nomad/tasks/conf.yml index 257f621..542533d 100644 --- a/roles/nomad/tasks/conf.yml +++ b/roles/nomad/tasks/conf.yml 
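Review bot: The `tls { ... }` stanza is now emitted only `{% if consul_conf.server %}`, so a client with `consul_conf.tls.enabled` gets no `tls.defaults` settings (ca_file, verify_*) from this block at all, even though the agent bundle template still writes `consul_conf.tls.defaults.ca_file` on clients. A client using auto_encrypt still needs a CA file and `verify_outgoing` in `tls.defaults` together with `auto_encrypt { tls = true }`; if those are rendered elsewhere in the file, a short comment above the new `{% if %}` saying where would help. The rest of the stanza and both `{% endif %}` lines are outside the hunk.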
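Review bot: The new default `https://active.vault.service.consul:8200` hard-codes the `consul` domain, whereas the templates in this commit derive it from `consul_conf.domain | default('consul')`, so a cluster with a custom Consul domain gets a name that does not resolve instead of the previous `omit`. Building it the same way, guarded as the agent bundle does with `consul_conf is defined`, keeps the default consistent: `vault_address: "{{ nomad_conf.vault.address | default('https://active.vault.service.' ~ ((consul_conf.domain | default('consul')) if consul_conf is defined else 'consul') ~ ':8200') }}"`. Since this points Nomad at a service-discovery name over TLS, the Vault certificate must carry that name as a SAN, which is worth a line in the comment above the key.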
@@ -119,36 +119,25 @@ when: nomad_vault_secrets.pki.enabled or nomad_vault_secrets.tokens.enabled tags: nomad -- name: Deploy consul-template agent cert template - template: src=agent_cert.tpl.j2 dest={{ nomad_root_dir }}/consul-template/{{ item.where }} owner=root group=root - loop: - - what: certificate - where: agent.crt.tpl - - what: private_key - where: agent.key.tpl - - what: issuing_ca - where: ca.crt.tpl +- name: Deploy consul-template agent bundle template + template: src=agent_bundle.pem.tpl.j2 dest={{ nomad_root_dir }}/consul-template/agent_bundle.pem.tpl owner=root group=root notify: restart consul-template-nomad when: nomad_vault_secrets.pki.enabled tags: nomad -- name: Deploy consul-template cli cert template - template: src=cli_cert.tpl.j2 dest={{ nomad_root_dir }}/consul-template/{{ item.where }} owner=root group=root - loop: - - what: certificate - where: cli.crt.tpl - - what: private_key - where: cli.key.tpl +- name: Deploy consul-template cli bundle template + template: src=cli_bundle.pem.tpl.j2 dest={{ nomad_root_dir }}/consul-template/cli_bundle.pem.tpl owner=root group=root notify: restart consul-template-nomad when: nomad_vault_secrets.pki.enabled and nomad_conf.server.enabled tags: nomad - name: Set ACL on the TLS dir shell: | - setfacl -R -b -x {{ nomad_root_dir }}/tls + setfacl -R -b -k {{ nomad_root_dir }}/tls {% if nomad_admin_groups | length > 0 %} - setfacl -R -m {% for group in nomad_admin_groups %}g:{{ group }}:rX{{ ',' if not loop.last }}{% endfor %} {{ nomad_root_dir }}/tls - setfacl -R -m {% for group in nomad_admin_groups %}d:g:{{ group }}:rX{{ ',' if not loop.last }}{% endfor %} {{ nomad_root_dir }}/tls + setfacl -m {% for group in nomad_admin_groups %}g:{{ group }}:rx{{ ',' if not loop.last }}{% endfor %} {{ nomad_root_dir }}/tls + setfacl -m {% for group in nomad_admin_groups %}d:g:{{ group }}:r{{ ',' if not loop.last }}{% endfor %} {{ nomad_root_dir }}/tls + setfacl -m {% for group in nomad_admin_groups %}g:{{ group }}:r{{ 
',' if not loop.last }}{% endfor %} {{ nomad_root_dir }}/tls/* {% endif %} changed_when: False failed_when: False # Do not fail if eg, the FS doesn't support ACL @@ -159,14 +148,7 @@ tags: nomad - name: Deploy consul-template consul cert templates - template: src=consul_cert.tpl.j2 dest={{ nomad_root_dir }}/consul-template/{{ item.where }} owner=root group=root - loop: - - what: certificate - where: consul.crt.tpl - - what: private_key - where: consul.key.tpl - - what: issuing_ca - where: consul_ca.crt.tpl + template: src=consul_bundle.pem.tpl.j2 dest={{ nomad_root_dir }}/consul-template/consul_bundle.pem.tpl owner=root group=root notify: restart consul-template-nomad when: nomad_vault_secrets.consul_pki.enabled and nomad_conf.consul.ssl tags: nomad diff --git a/roles/nomad/templates/agent_bundle.pem.tpl.j2 b/roles/nomad/templates/agent_bundle.pem.tpl.j2 new file mode 100644 index 0000000..683d8d5 --- /dev/null +++ b/roles/nomad/templates/agent_bundle.pem.tpl.j2 
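Review bot: The task name `Deploy consul-template consul cert templates` in the second hunk is now plural for a single `consul_bundle.pem.tpl` deployment; `Deploy consul-template consul bundle template` would match the two renamed tasks above it. That task's `when:` (`nomad_vault_secrets.consul_pki.enabled and nomad_conf.consul.ssl`) does not require `nomad_vault_secrets.pki.enabled`, so the rendered consul-template.hcl must keep the consul_pki stanza outside the Nomad PKI guard for the deployed file to be referenced.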
@@ -0,0 +1,11 @@ +[[ with pkiCert "{{ nomad_vault_secrets.pki.path }}/issue/{{ nomad_vault_secrets.pki.role }}" "common_name={{ (nomad_conf.server.enabled) | ternary('server', 'client') }}-{{ ansible_fqdn | regex_replace('\\.', '-') }}.{{ nomad_conf.region | default('global') }}.nomad" "alt_names=localhost,{{ (nomad_conf.server.enabled) | ternary('server', 'client') }}.{{ nomad_conf.region | default('global') }}.nomad{% if nomad_conf.server.enabled and nomad_conf.client.enabled %},client.{{ nomad_conf.region | default('global') }}.nomad{% endif %}{% if consul_conf is defined %},nomad{{ nomad_conf.server.enabled | ternary('', '-client') }}.service.{{ consul_conf.domain | default('consul') }}{% endif %}"{% if nomad_vault_secrets.pki.ttl is defined %} "ttl={{ nomad_vault_secrets.pki.ttl }}"{% endif %} ]] +[[ .CA ]] +[[ .Cert ]] +[[ .Key ]] +[[ .CA | writeToFile "{{ nomad_conf.tls.ca_file }}" "root" "root" "0644" ]] +[[ .Cert | writeToFile "{{ nomad_conf.tls.cert_file }}" "root" "root" "0644" ]] +[[ .Key | writeToFile "{{ nomad_conf.tls.key_file }}" "root" "{{ nomad_user }}" "0640" ]] +[[ end ]] +[[ with secret "{{ nomad_vault_secrets.pki.path }}/cert/ca" ]] +[[ .Data.certificate | writeToFile "{{ nomad_conf.tls.cert_file }}" "" "" "0644" "append,newline" ]] +[[ end ]] diff --git a/roles/nomad/templates/agent_cert.tpl.j2 b/roles/nomad/templates/agent_cert.tpl.j2 deleted file mode 100644 index 43fa8a9..0000000 --- a/roles/nomad/templates/agent_cert.tpl.j2 +++ /dev/null 
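Review bot: The last `writeToFile` passes an empty user and group (`"" ""`) while every other call in this file, and the consul role's bundle, uses `"root" "root"`; the file it appends to was created as root:root 0644 three lines earlier, so whatever consul-template does with an empty owner the inconsistency is at best confusing. Use `[[ .Data.certificate | writeToFile "{{ nomad_conf.tls.cert_file }}" "root" "root" "0644" "append,newline" ]]`. Whether the root CA belongs in `cert_file` or in `ca_file` (as this role's consul_bundle template does) is the same question as for the consul role's agent bundle.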
@@ -1,8 +0,0 @@ -[[ with secret "{{ nomad_vault_secrets.pki.path }}/issue/{{ nomad_vault_secrets.pki.role }}" "common_name={{ (nomad_conf.server.enabled) | ternary('server', 'client') }}-{{ ansible_fqdn | regex_replace('\\.', '-') }}.{{ nomad_conf.region | default('global') }}.nomad" "alt_names=localhost,{{ (nomad_conf.server.enabled) | ternary('server', 'client') }}.{{ nomad_conf.region | default('global') }}.nomad{% if nomad_conf.server.enabled and nomad_conf.client.enabled %},client.{{ nomad_conf.region | default('global') }}.nomad{% endif %}{% if consul_conf is defined %},nomad{{ nomad_conf.server.enabled | ternary('', '-client') }}.service.{{ consul_conf.domain | default('consul') }}{% endif %}"{% if nomad_vault_secrets.pki.ttl is defined %} "ttl={{ nomad_vault_secrets.pki.ttl }}"{% endif %} ]] -[[ .Data.{{ item.what }} ]] -[[ end ]] -{% if item.what == 'certificate' %} -[[ with secret "{{ nomad_vault_secrets.pki.path }}/cert/ca" ]] -[[ .Data.certificate ]] -[[ end ]] -{% endif %} diff --git a/roles/nomad/templates/cli_bundle.pem.tpl.j2 b/roles/nomad/templates/cli_bundle.pem.tpl.j2 new file mode 100644 index 0000000..eaa778a --- /dev/null +++ b/roles/nomad/templates/cli_bundle.pem.tpl.j2 @@ -0,0 +1,7 @@ +[[ with pkiCert "{{ nomad_vault_secrets.pki.path }}/issue/{{ nomad_vault_secrets.pki.role }}" "common_name=cli-{{ ansible_fqdn | regex_replace('\\.', '-') }}.{{ nomad_conf.region | default('global') }}.nomad" ]] +[[ .CA ]] +[[ .Cert ]] +[[ .Key ]] +[[ .Cert | writeToFile "{{ nomad_root_dir }}/tls/cli.crt" "root" "root" "0644" ]] +[[ .Key | writeToFile "{{ nomad_root_dir }}/tls/cli.key" "root" "root" "0640" ]] +[[ end ]] diff --git a/roles/nomad/templates/cli_cert.tpl.j2 b/roles/nomad/templates/cli_cert.tpl.j2 deleted file mode 100644 index b5b6369..0000000 --- a/roles/nomad/templates/cli_cert.tpl.j2 +++ /dev/null 
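Review bot: The `pkiCert` call in the new cli bundle omits the optional `ttl` argument that the agent bundle in this role passes via `{% if nomad_vault_secrets.pki.ttl is defined %} "ttl={{ nomad_vault_secrets.pki.ttl }}"{% endif %}`, so CLI certificates fall back to the Vault role's default TTL even when the playbook sets one. Appending the same conditional before the closing `]]` keeps both bundles on the configured lifetime. If a different lifetime for CLI certificates is intended, a comment saying so would avoid the question.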
@@ -1,3 +0,0 @@ -[[ with secret "{{ nomad_vault_secrets.pki.path }}/issue/{{ nomad_vault_secrets.pki.role }}" "common_name=cli-{{ ansible_fqdn | regex_replace('\\.', '-') }}.{{ nomad_conf.region | default('global') }}.nomad" ]] -[[ .Data.{{ item.what }} ]] -[[ end ]] diff --git a/roles/nomad/templates/consul-template.hcl.j2 b/roles/nomad/templates/consul-template.hcl.j2 index 4d66836..7a91967 100644 --- a/roles/nomad/templates/consul-template.hcl.j2 +++ b/roles/nomad/templates/consul-template.hcl.j2 
@@ -4,92 +4,40 @@ vault { unwrap_token = false } -# Sleep 10 sec before sending nomad service a reload to prevent it from crashing as +# Sleep 25 sec before sending nomad service a reload to prevent it from crashing as # Nomad doesn't support getting a reload while it's still initializing {% if nomad_vault_secrets.pki.enabled %} template { - source = "{{ nomad_root_dir }}/consul-template/agent.crt.tpl" + source = "{{ nomad_root_dir }}/consul-template/agent_bundle.pem.tpl" left_delimiter = "[[" right_delimiter = "]]" - destination = "{{ nomad_conf.tls.cert_file }}" - perms = 0644 - exec { - command = "sh -c 'sleep 10 && systemctl reload nomad || true'" - } -} - -template { - source = "{{ nomad_root_dir }}/consul-template/agent.key.tpl" - left_delimiter = "[[" - right_delimiter = "]]" - destination = "{{ nomad_conf.tls.key_file }}" + destination = "{{ nomad_root_dir }}/tls/agent_bundle.pem" perms = 0640 exec { - command = ["sh", "-c", "chgrp {{ nomad_user }} {{ nomad_conf.tls.key_file }} && sleep 10 && systemctl reload nomad || true"] - } -} - -template { - source = "{{ nomad_root_dir }}/consul-template/ca.crt.tpl" - left_delimiter = "[[" - right_delimiter = "]]" - destination = "{{ nomad_conf.tls.ca_file }}" - perms = 0644 - exec { - command = "sh -c 'sleep 10 && systemctl reload nomad || true'" + command = "sh -c 'sleep 25 && systemctl reload nomad || true'" } } {% if nomad_conf.server.enabled %} template { - source = "{{ nomad_root_dir }}/consul-template/cli.crt.tpl" + source = "{{ nomad_root_dir }}/consul-template/cli_bundle.pem.tpl" + destination = "{{ nomad_root_dir }}/tls/cli_bundle.pem" left_delimiter = "[[" right_delimiter = "]]" - destination = "{{ nomad_root_dir }}/tls/cli.crt" -} - -template { - source = "{{ nomad_root_dir }}/consul-template/cli.key.tpl" - left_delimiter = "[[" - right_delimiter = "]]" - destination = "{{ nomad_root_dir }}/tls/cli.key" perms = 0640 } {% endif %} -{% endif %} - {% if nomad_vault_secrets.consul_pki.enabled and 
nomad_conf.consul.ssl %} template { - source = "{{ nomad_root_dir }}/consul-template/consul.crt.tpl" + source = "{{ nomad_root_dir }}/consul-template/consul_bundle.pem.tpl" + destination = "{{ nomad_root_dir }}/tlc/consul_bundle.pem" left_delimiter = "[[" right_delimiter = "]]" - destination = "{{ nomad_conf.consul.cert_file }}" - exec { - command = "sh -c 'sleep 10 && systemctl reload nomad || true'" - } -} - -template { - source = "{{ nomad_root_dir }}/consul-template/consul.key.tpl" - left_delimiter = "[[" - right_delimiter = "]]" - destination = "{{ nomad_conf.consul.key_file }}" perms = 0640 exec { - command = "sh -c 'sleep 10 && systemctl reload nomad || true'" - } -} - -template { - source = "{{ nomad_root_dir }}/consul-template/consul_ca.crt.tpl" - left_delimiter = "[[" - right_delimiter = "]]" - destination = "{{ nomad_conf.consul.ca_file }}" - perms = 0644 - exec { - command = "sh -c 'sleep 10 && systemctl reload nomad || true'" + command = "sh -c 'sleep 25 && systemctl reload nomad || true'" } } {% endif %} - +{% endif %} diff --git a/roles/nomad/templates/consul_bundle.pem.tpl.j2 b/roles/nomad/templates/consul_bundle.pem.tpl.j2 new file mode 100644 index 0000000..198767f --- /dev/null +++ b/roles/nomad/templates/consul_bundle.pem.tpl.j2 
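Review bot: `destination = "{{ nomad_root_dir }}/tlc/consul_bundle.pem"` has a typo (`tlc` for `tls`), so the consul bundle, which embeds the private key, is rendered into a directory that the `Set ACL on the TLS dir` task and the `tls/*` permission handling never cover; it should read `destination = "{{ nomad_root_dir }}/tls/consul_bundle.pem"`. Separately, the `{% endif %}` that used to close `{% if nomad_vault_secrets.pki.enabled %}` after the server block now sits at the end of the file, so the consul_pki stanza is rendered only when the Nomad PKI is also enabled, while the task deploying `consul_bundle.pem.tpl` in roles/nomad/tasks/conf.yml is guarded only by `nomad_vault_secrets.consul_pki.enabled and nomad_conf.consul.ssl`. If that nesting is intended it deserves a comment; otherwise move the `{% endif %}` back above the consul_pki `{% if %}`.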
@@ -0,0 +1,11 @@ +[[ with pkiCert "{{ nomad_vault_secrets.consul_pki.path }}/issue/{{ nomad_vault_secrets.consul_pki.role }}" "common_name={{ ansible_fqdn | regex_replace('\\.', '-') }}.{{ (consul_conf is defined and consul_conf.domain is defined) | ternary(consul_conf.domain, 'consul') }}"{% if nomad_vault_secrets.consul_pki.ttl is defined %} "ttl={{ nomad_vault_secrets.consul_pki.ttl }}"{% endif %} ]] +[[ .CA ]] +[[ .Cert ]] +[[ .Key ]] +[[ .CA | writeToFile "{{ nomad_conf.consul.ca_file }}" "root" "root" "0644" ]] +[[ .Cert | writeToFile "{{ nomad_conf.consul.cert_file }}" "root" "root" "0644" ]] +[[ .Key | writeToFile "{{ nomad_conf.consul.key_file }}" "root" "{{ nomad_user }}" "0640" ]] +[[ end ]] +[[ with secret "{{ nomad_vault_secrets.consul_pki.root_path }}/cert/ca" ]] +[[ .Data.certificate | writeToFile "{{ nomad_conf.consul.ca_file }}" "root" "root" "0644" "append,newline" ]] +[[ end ]] diff --git a/roles/nomad/templates/consul_cert.tpl.j2 b/roles/nomad/templates/consul_cert.tpl.j2 deleted file mode 100644 index 3478201..0000000 --- a/roles/nomad/templates/consul_cert.tpl.j2 +++ /dev/null @@ -1,8 +0,0 @@ -[[ with secret "{{ nomad_vault_secrets.consul_pki.path }}/issue/{{ nomad_vault_secrets.consul_pki.role }}" "common_name={{ ansible_fqdn | regex_replace('\\.', '-') }}.{{ (consul_conf is defined and consul_conf.domain is defined) | ternary(consul_conf.domain, 'consul') }}"{% if nomad_vault_secrets.consul_pki.ttl is defined %} "ttl={{ nomad_vault_secrets.consul_pki.ttl }}"{% endif %} ]] -[[ .Data.{{ item.what }} ]] -[[ end ]] -{% if item.what == 'issuing_ca' %} -[[ with secret "{{ nomad_vault_secrets.consul_pki.root_path }}/cert/ca" ]] -[[ .Data.certificate ]] -[[ end ]] -{% endif %} diff --git a/roles/nomad/templates/nomad.service.j2 b/roles/nomad/templates/nomad.service.j2 index 9cbc0bd..2d61d06 100644 --- a/roles/nomad/templates/nomad.service.j2 +++ b/roles/nomad/templates/nomad.service.j2 
@@ -18,7 +18,6 @@ User={{ nomad_user }} Group={{ nomad_user }} ExecStart={{ nomad_root_dir }}/bin/nomad agent -config={{ nomad_root_dir }}/etc/ ExecReload=/bin/kill --signal HUP $MAINPID -SuccessExitStatus=1 Restart=on-failure LimitNOFILE=65536 LimitNPROC=infinity