jpp/ansible-roles
1
0
Fork 0
mirror of https://git.lapiole.org/dani/ansible-roles.git synced 2025-07-30 03:05:51 +02:00
Code Issues Packages Projects Releases Wiki Activity

Update to 2022-09-13 17:00

Browse Source
This commit is contained in:
Daniel Berteaud
2022-09-13 17:00:08 +02:00
parent 3d8b59673b
commit a612a2fdcd
18 changed files with 89 additions and 182 deletions
Download Patch File Download Diff File Expand all files Collapse all files

27
roles/consul/tasks/conf.yml
View File

@@ -100,26 +100,14 @@
when: consul_vault_secrets.pki.enabled or consul_vault_secrets.tokens.enabled
tags: consul
- name: Deploy consul-template agent cert template
template: src=agent_cert.tpl.j2 dest={{ consul_root_dir }}/consul-template/{{ item.where }} owner=root group=root
loop:
- what: certificate
where: agent.crt.tpl
- what: private_key
where: agent.key.tpl
- what: issuing_ca
where: ca.crt.tpl
- name: Deploy agent bundle template
template: src=agent_bundle.pem.tpl.j2 dest={{ consul_root_dir }}/consul-template/agent_bundle.pem.tpl owner=root group=root
notify: restart consul-template-consul
when: consul_vault_secrets.pki.enabled
tags: consul
- name: Deploy consul-template cli cert template
template: src=cli_cert.tpl.j2 dest={{ consul_root_dir }}/consul-template/{{ item.where }} owner=root group=root
loop:
- what: certificate
where: cli.crt.tpl
- what: private_key
where: cli.key.tpl
- name: Deploy consul-template cli bundle template
template: src=cli_bundle.pem.tpl.j2 dest={{ consul_root_dir }}/consul-template/cli_bundle.pem.tpl owner=root group=root
notify: restart consul-template-consul
when: consul_vault_secrets.pki.enabled and consul_conf.server
tags: consul
@@ -132,10 +120,11 @@
- name: Set ACL on the TLS dir
shell: |
setfacl -R -b -x {{ consul_root_dir }}/tls
setfacl -R -b -k {{ consul_root_dir }}/tls
{% if consul_admin_groups | length > 0 %}
setfacl -R -m {% for group in consul_admin_groups %}g:{{ group }}:rX{{ ',' if not loop.last }}{% endfor %} {{ consul_root_dir }}/tls
setfacl -R -m {% for group in consul_admin_groups %}d:g:{{ group }}:rX{{ ',' if not loop.last }}{% endfor %} {{ consul_root_dir }}/tls
setfacl -m {% for group in consul_admin_groups %}g:{{ group }}:rx{{ ',' if not loop.last }}{% endfor %} {{ consul_root_dir }}/tls
setfacl -m {% for group in consul_admin_groups %}d:g:{{ group }}:r{{ ',' if not loop.last }}{% endfor %} {{ consul_root_dir }}/tls
setfacl -m {% for group in consul_admin_groups %}g:{{ group }}:r{{ ',' if not loop.last }}{% endfor %} {{ consul_root_dir }}/tls/*
{% endif %}
changed_when: False
failed_when: False # Do not fail if eg, the FS doesn't support ACL

18
roles/consul/templates/agent_bundle.pem.tpl.j2 Normal file
View File

@@ -0,0 +1,18 @@
{% if consul_conf.server %}
[[ with pkiCert "{{ consul_vault_secrets.pki.path }}/issue/{{ consul_vault_secrets.pki.role }}" "common_name=server-{{ ansible_fqdn | regex_replace('\\.', '-') }}.{{ consul_conf.datacenter | default('dc1') }}.{{ consul_conf.domain | default('consul') }}" "alt_names=localhost,consul.service.{{ consul_conf.domain | default('consul') }},server.{{ consul_conf.datacenter | default('dc1') }}.{{ consul_conf.domain | default('consul') }}" ]]
[[ .CA ]]
[[ .Cert ]]
[[ .Key ]]
[[ .CA | writeToFile "{{ consul_conf.tls.defaults.ca_file }}" "root" "root" "0644" ]]
[[ .Cert | writeToFile "{{ consul_conf.tls.defaults.cert_file }}" "root" "root" "0644" ]]
[[ .Key | writeToFile "{{ consul_conf.tls.defaults.key_file }}" "root" "{{ consul_user }}" "0640" ]]
[[ end ]]
[[ with secret "{{ consul_vault_secrets.pki.path }}/cert/ca" ]]
[[ .Data.certificate | writeToFile "{{ consul_conf.tls.defaults.cert_file }}" "root" "root" "0644" "append,newline" ]]
[[ end ]]
{% else %}
[[ with secret "{{ consul_vault_secrets.pki.path }}/cert/ca" ]]
[[ .Data.certificate | writeToFile "{{ consul_conf.tls.defaults.ca_file }}" "root" "root" "0644" ]]
[[ end ]]
{% endif %}

14
roles/consul/templates/agent_cert.tpl.j2
View File

@@ -1,14 +0,0 @@
{% if consul_conf.server %}
[[ with secret "{{ consul_vault_secrets.pki.path }}/issue/{{ consul_vault_secrets.pki.role }}" "common_name=server-{{ ansible_fqdn | regex_replace('\\.', '-') }}.{{ consul_conf.datacenter | default('dc1') }}.{{ consul_conf.domain | default('consul') }}" "alt_names=localhost,consul.service.{{ consul_conf.domain | default('consul') }},server.{{ consul_conf.datacenter | default('dc1') }}.{{ consul_conf.domain | default('consul') }}" ]]
[[ .Data.{{ item.what }} ]]
[[ end ]]
{% if item.what == 'certificate' %}
[[ with secret "{{ consul_vault_secrets.pki.path }}/cert/ca" ]]
[[ .Data.certificate ]]
[[ end ]]
{% endif %}
{% else %}
[[ with secret "{{ consul_vault_secrets.pki.path }}/cert/ca" ]]
[[ .Data.certificate ]]
[[ end ]]
{% endif %}

7
roles/consul/templates/cli_bundle.pem.tpl.j2 Normal file
View File

@@ -0,0 +1,7 @@
[[ with pkiCert "{{ consul_vault_secrets.pki.path }}/issue/{{ consul_vault_secrets.pki.role }}" "common_name=cli-{{ ansible_fqdn | regex_replace('\\.', '-') }}.{{ consul_conf.datacenter | default('dc1') }}.{{ consul_conf.domain | default('consul') }}" ]]
[[ .CA ]]
[[ .Cert ]]
[[ .Key ]]
[[ .Cert | writeToFile "{{ consul_root_dir }}/tls/cli.crt" "root" "root" "0644" ]]
[[ .Key | writeToFile "{{ consul_root_dir }}/tls/cli.key" "root" "root" "0640" ]]
[[ end ]]

3
roles/consul/templates/cli_cert.tpl.j2
View File

@@ -1,3 +0,0 @@
[[ with secret "{{ consul_vault_secrets.pki.path }}/issue/{{ consul_vault_secrets.pki.role }}" "common_name=cli-{{ ansible_fqdn | regex_replace('\\.', '-') }}.{{ consul_conf.datacenter | default('dc1') }}.{{ consul_conf.domain | default('consul') }}" ]]
[[ .Data.{{ item.what }} ]]
[[ end ]]

40
roles/consul/templates/consul-template.hcl.j2
View File

@@ -5,55 +5,27 @@ vault {
}
template {
source = "{{ consul_root_dir }}/consul-template/ca.crt.tpl"
source = "{{ consul_root_dir }}/consul-template/agent_bundle.pem.tpl"
left_delimiter = "[["
right_delimiter = "]]"
destination = "{{ consul_conf.tls.defaults.ca_file }}"
perms = 0644
destination = "{{ consul_root_dir }}/tls/agent_bundle.pem"
perms = 0640
exec {
command = "sh -c 'systemctl reload consul || true'"
}
}
{% if consul_vault_secrets.pki.enabled %}
{% if consul_conf.server %}
template {
source = "{{ consul_root_dir }}/consul-template/agent.crt.tpl"
source = "{{ consul_root_dir }}/consul-template/cli_bundle.pem.tpl"
left_delimiter = "[["
right_delimiter = "]]"
destination = "{{ consul_conf.tls.defaults.cert_file }}"
perms = 0644
destination = "{{ consul_root_dir }}/tls/cli_bundle.pem"
perms = 0640
exec {
command = "sh -c 'systemctl reload consul || true'"
}
}
template {
source = "{{ consul_root_dir }}/consul-template/agent.key.tpl"
left_delimiter = "[["
right_delimiter = "]]"
destination = "{{ consul_conf.tls.defaults.key_file }}"
perms = 0640
exec {
command = "sh -c 'chgrp {{ consul_user }} {{ consul_conf.tls.defaults.key_file }} && systemctl reload consul || true'"
}
}
template {
source = "{{ consul_root_dir }}/consul-template/cli.crt.tpl"
left_delimiter = "[["
right_delimiter = "]]"
destination = "{{ consul_root_dir }}/tls/cli.crt"
}
template {
source = "{{ consul_root_dir }}/consul-template/cli.key.tpl"
left_delimiter = "[["
right_delimiter = "]]"
destination = "{{ consul_root_dir }}/tls/cli.key"
perms = 0640
}
{% endif %}
{% endif %}
{% if consul_vault_secrets.tokens.enabled %}

2
roles/consul/templates/consul.hcl.j2
View File

@@ -89,6 +89,7 @@ acl {
}
{% if consul_conf.tls.enabled %}
{% if consul_conf.server %}
# TLS settings
tls {
{% for section in ['defaults', 'grpc', 'https', 'internal_rpc'] %}
@@ -110,7 +111,6 @@ tls {
}
# auto_encrypt, to distribute certificates from servers to clients
{% if consul_conf.server %}
auto_encrypt {
allow_tls = true
}

1
roles/consul/templates/consul.service.j2
View File

@@ -6,7 +6,6 @@ After=network-online.target
ConditionFileNotEmpty={{ consul_root_dir }}/etc/consul.hcl
[Service]
Type=notify
EnvironmentFile=-{{ consul_root_dir }}/etc/consul.env
User={{ consul_user }}
Group={{ consul_user }}