Update to 2022-09-04 14:00

roles/consul/defaults/main.yml

@@ -13,6 +13,10 @@ consul_user: consul
 # Root directory where consul will be installed
 consul_root_dir: /opt/consul
 
+# List of Unix group which will be consul admins
+# Used for example to grant access to cli cert with ACL
+consul_admin_groups: "{{ system_admin_groups | default([]) }}"
+
 # If ACL are enabled, you need to set a management token for ansible
 # to be able to manage Consul (eg snapshot before upgrades)
 # consul_mgm_token: XXXXXXXXX
@@ -85,10 +89,37 @@ consul_base_conf:
     # The default_policy is also used for intentions in the service mesh
     default_policy: deny
 
+  tls:
+    # No TLS will be stup unless this is set to True
+    enabled: False
+    # Default TLS settings
+    defaults:
+      ca_file: "{{ consul_root_dir }}/tls/ca.crt"
+      cert_file: "{{ consul_root_dir }}/tls/consul.crt"
+      key_file: "{{ consul_root_dir }}/tls/consul.key"
+      verify_incoming: True
+      verify_outgoing: True
+    # TLS settings for interal RPC
+    internal_rpc:
+      verify_server_hostname: True
+
 consul_extra_conf: {}
 consul_host_conf: {}
 consul_conf: "{{ consul_base_conf | combine(consul_extra_conf, recursive=True) | combine(consul_host_conf, recursive=True) }}"
 
+# To get certificates from vault
+consul_base_vault_tls:
+  enabled: False
+  # address: https://active.vault.service.consul:8200
+  # token: XXXXXX
+  pki:
+    path: /pki/consul
+    role: consul-{{ consul_conf.server | ternary('server', 'client') }}
+    ttl: 24h
+consul_extra_vault_tls: {}
+consul_host_vault_tls: {}
+consul_vault_tls: "{{ consul_base_vault_tls | combine(consul_extra_vault_tls, recursive=True) | combine(consul_host_vault_tls, recursive=True) }}"
+
 # For example
 # consul_extra_conf:
 #   datacenter: my-dc