Update to 2023-07-08 16:00

roles/consul/defaults/main.yml

@@ -123,23 +123,6 @@ consul_conf: "{{ consul_base_conf | combine(consul_extra_conf, recursive=True) |
 #   ui_config:
 #     enabled: False
 
-consul_base_vault_agent:
-  # vault_address: https://active.vault.service.consul:8200
-  #
-  ## Only one of approle or token should be used
-  # auth:
-  #   approle:
-  #     role_id: XXXX
-  #     secret_id: YYYY
-  #   token: XXXXXXX
-  pki:
-    enabled: False
-    path: pki/consul
-    role: consul-{{ consul_conf.server | ternary('server', 'client') }}
-consul_extra_vault_agent: {}
-consul_host_vault_agent: {}
-consul_vault_agent: "{{ consul_base_vault_agent | combine(consul_extra_vault_agent, recursive=True) | combine(consul_host_vault_agent, recursive=True) }}"
-
 # List of services exposed by consul, the ports they use, and the list of IP
 # for which the service is accessible at the firewall level (if iptables_manage == True)
 consul_base_services:

roles/consul/tasks/cleanup.yml

@@ -6,4 +6,6 @@
     - "{{ consul_root_dir }}/archives"
     - /etc/systemd/system/consul-template-consul.service
     - "{{ consul_root_dir }}/consul-template"
+    - "{{ consul_root_dir }}/vault"
+    - "{{ consul_root_dir }}/bin"
   tags: consul

roles/consul/tasks/conf.yml

@@ -7,9 +7,7 @@
   vars:
     cert_path: "{{ consul_conf.tls.defaults.cert_file }}"
     cert_key_path: "{{ consul_conf.tls.defaults.key_file }}"
-    cert_key_user: "{{ consul_user }}"
-    cert_key_group: "{{ consul_user }}"
-    cert_key_mode: 660
+    cert_key_mode: omit
   when: consul_conf.tls.enabled
   tags: consul
 
@@ -97,38 +95,15 @@
   loop: "{{ consul_backup_configs.stdout_lines }}"
   tags: consul
 
-- name: Deploy vault agent configuration
-  template: src=vault/agent.hcl.j2 dest={{ consul_root_dir }}/vault/agent.hcl mode=640 owner=root group={{ consul_user }}
-  notify: restart consul-vault-agent
-  when: consul_vault_agent.pki.enabled
-  tags: consul
-
-- name: Deploy agent cert bundle template
-  template: src=vault/agent_bundle.pem.tpl.j2 dest={{ consul_root_dir }}/vault/templates/agent_bundle.pem.tpl owner=root group=root
-  notify: restart consul-vault-agent
-  when: consul_vault_agent.pki.enabled
-  tags: consul
-
-- when:
-    - consul_vault_agent.auth is defined
-    - consul_vault_agent.auth.approle is defined
-    - consul_vault_agent.auth.approle.role_id is defined
-    - consul_vault_agent.auth.approle.secret_id is defined
-  name: Setup AppRole auth
-  block:
-    - copy: content={{ consul_vault_agent.auth.approle.role_id }} dest={{ consul_root_dir }}/vault/role_id owner=root group={{ consul_user }} mode=640
-    - copy: content={{ consul_vault_agent.auth.approle.secret_id }} dest={{ consul_root_dir }}/vault/secret_id owner=root group={{ consul_user }} mode=640
-  tags: consul
-
 - name: Set ACL on the TLS dir
   shell: |
     setfacl -R -b -k {{ consul_root_dir }}/tls
-    chown -R {{ consul_user }}:{{ consul_user }} {{ consul_root_dir }}/tls
-    chmod 775 {{ consul_root_dir }}/tls
-    chmod 660 {{ consul_root_dir }}/tls/*
-    setfacl -m u:{{ consul_user }}:rwx {{ consul_root_dir }}/tls
-    setfacl -m d:u:{{ consul_user }}:rw {{ consul_root_dir }}/tls
-    setfacl -m u:{{ consul_user }}:rw {{ consul_root_dir }}/tls/*
+    chown -R :{{ consul_user }} {{ consul_root_dir }}/tls
+    chmod 770 {{ consul_root_dir }}/tls
+    chmod 640 {{ consul_root_dir }}/tls/*
+    setfacl -m u:{{ consul_user }}:rx {{ consul_root_dir }}/tls
+    setfacl -m d:u:{{ consul_user }}:r {{ consul_root_dir }}/tls
+    setfacl -m u:{{ consul_user }}:r {{ consul_root_dir }}/tls/*
     {% if consul_admin_groups | length > 0 %}
     setfacl -m {% for group in consul_admin_groups %}g:{{ group }}:rx{{ ',' if not loop.last }}{% endfor %} {{ consul_root_dir }}/tls
     setfacl -m {% for group in consul_admin_groups %}d:g:{{ group }}:r{{ ',' if not loop.last }}{% endfor %} {{ consul_root_dir }}/tls

roles/consul/tasks/directories.yml

@@ -28,10 +28,4 @@
       group: "{{ consul_user }}"
       mode: 750
     - dir: tls
-    - dir: vault
-      mode: 750
-      owner: root
-      group: "{{ consul_user }}"
-    - dir: vault/templates
-    - dir: bin
   tags: consul

roles/consul/tasks/facts.yml

@@ -9,6 +9,6 @@
   tags: consul
 
 - name: Check if the consul-template service still exists
-  stat: path=/etc/systemd/system/consul-template
+  stat: path=/etc/systemd/system/consul-template-consul
   register: consul_ct_service
   tags: consul

roles/consul/tasks/install.yml

@@ -6,11 +6,6 @@
   notify: restart consul
   tags: consul
 
-- name: Deploy consul service wrapper
-  template: src=consul.sh.j2 dest={{ consul_root_dir }}/bin/consul mode=755
-  notify: restart consul
-  tags: consul
-
 - name: Install backup hooks
   template: src={{ item }}-backup.j2 dest=/etc/backup/{{ item }}.d/consul mode=755
   loop:
@@ -31,14 +26,8 @@
   when: consul_tmpfiles.changed
   tags: consul
 
-- name: Install vault agent unit file
-  template: src=vault/agent.service.j2 dest=/etc/systemd/system/consul-vault-agent.service
-  register: consul_vault_agent_unit
-  notify: restart consul-vault-agent
-  tags: consul
-
 - name: Reload systemd
   systemd: daemon_reload=True
-  when: consul_unit.changed or consul_vault_agent_unit.changed
+  when: consul_unit.changed
   tags: consul
 

roles/consul/tasks/services.yml

@@ -13,10 +13,3 @@
   when: consul_ct_service.stat.exists
   tags: consul
 
-- name: Handle consul-vault-agent service
-  service:
-    name: consul-vault-agent
-    state: "{{ (consul_vault_agent.pki.enabled) | ternary('started', 'stopped') }}"
-    enabled: "{{ (consul_vault_agent.pki.enabled) | ternary(True, False) }}"
-  tags: consul
-

roles/consul/templates/agent_token.tpl.j2

@@ -1,3 +0,0 @@
-[[ with secret "{{ consul_vault_agent.tokens.path }}/creds/{{ consul_vault_agent.tokens.role }}" ]]
-[[ .Data.token ]]
-[[ end ]]

roles/consul/templates/consul.service.j2

@@ -3,10 +3,6 @@ Description="HashiCorp Consul - A service mesh solution"
 Documentation=https://www.consul.io/
 Requires=network-online.target
 After=network-online.target
-After=consul-vault-agent.service
-{% if consul_vault_agent.vault_address is defined and consul_vault_agent.pki.enabled %}
-Requires=consul-vault-agent.service
-{% endif %}
 ConditionFileNotEmpty={{ consul_root_dir }}/etc/consul.hcl
 
 # Consul version {{ consul_current_version }}
@@ -15,7 +11,7 @@ Type=notify
 EnvironmentFile=-{{ consul_root_dir }}/etc/consul.env
 User={{ consul_user }}
 Group={{ consul_user }}
-ExecStart={{ consul_root_dir }}/bin/consul
+ExecStart=/usr/local/bin/consul agent -config-dir {{ consul_root_dir }}/etc/
 ExecReload=/bin/kill --signal HUP $MAINPID
 SuccessExitStatus=1
 Restart=on-failure

roles/consul/templates/consul.sh.j2

@@ -1,19 +0,0 @@
-#!/bin/sh
-
-{% if consul_vault_agent.vault_address is defined and consul_vault_agent.pki.enabled %}
-if [ -f /run/consul/vault_token ]; then
-  exec env VAULT_TOKEN=$(vault unwrap -field=token $(jq -r '.token' /run/consul/vault_token)) \
-    /usr/local/bin/consul \
-      agent \
-      -config-dir={{ consul_root_dir }}/etc/ \
-      -pid-file /run/consul/consul_agent.pid
-else
-  echo "Consul service failed due to missing Vault token"
-  exit 1
-fi
-{% else %}
-exec /usr/local/bin/consul \
-  agent \
-  -config-dir={{ consul_root_dir }}/etc/ \
-  -pid-file /run/consul/consul_agent.pid
-{% endif %}

roles/consul/templates/vault/agent.hcl.j2

@@ -1,44 +0,0 @@
-vault {
-  address = "{{ consul_vault_agent.vault_address }}"
-}
-
-auto_auth {
-{% if  consul_vault_agent.auth.approle is defined %}
-  method {
-    type = "approle"
-    config {
-      role_id_file_path   = "{{ consul_root_dir }}/vault/role_id"
-      secret_id_file_path = "{{ consul_root_dir }}/vault/secret_id"
-      remove_secret_id_file_after_reading = false
-    }
-  }
-{% elif consul_vault_agent.auth.token is defined %}
-  method {
-    type = "token_file"
-    config {
-      token_file_path = "{{ consul_root_dir }}/vault/token"
-    }
-  }
-{% endif %}
-
-  sink {
-    type = "file"
-    wrap_ttl = "30s"
-    config = {
-      path = "/run/consul/vault_token"
-      mode = 640
-    }
-  }
-}
-
-template {
-  source = "{{ consul_root_dir }}/vault/templates/agent_bundle.pem.tpl"
-  destination = "{{ consul_root_dir }}/tls/agent_bundle.pem"
-  left_delimiter  = "[["
-  right_delimiter = "]]"
-  perms           = 0640
-  exec {
-    command = ["sh", "-c", "kill -USR1 $(cat /run/consul/consul_agent.pid)"]
-  }
-}
-

roles/consul/templates/vault/agent.service.j2

@@ -1,34 +0,0 @@
-[Unit]
-Description="HashiCorp Vault Agent for Consul"
-Documentation=https://www.vaultproject.io/docs/
-Requires=network-online.target
-After=network-online.target
-ConditionFileNotEmpty={{ consul_root_dir }}/vault/agent.hcl
-StartLimitIntervalSec=60
-StartLimitBurst=3
-PartOf=consul.service
-
-[Service]
-Type=notify
-User={{ consul_user }}
-Group={{ consul_user }}
-ProtectSystem=full
-ProtectHome=read-only
-PrivateTmp=yes
-PrivateDevices=yes
-SecureBits=keep-caps
-AmbientCapabilities=CAP_IPC_LOCK
-CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK
-NoNewPrivileges=yes
-ExecStart=/usr/local/bin/vault agent -config={{ consul_root_dir }}/vault/agent.hcl
-ExecReload=/bin/kill --signal HUP $MAINPID
-KillMode=process
-KillSignal=SIGINT
-Restart=on-failure
-RestartSec=5
-TimeoutStopSec=30
-LimitNOFILE=65536
-LimitMEMLOCK=infinity
-
-[Install]
-WantedBy=multi-user.target

roles/consul/templates/vault/agent_bundle.pem.tpl.j2

@@ -1,17 +0,0 @@
-{% if consul_conf.server %}
-[[ with pkiCert "{{ consul_vault_agent.pki.path }}/issue/{{ consul_vault_agent.pki.role }}" "common_name=server-{{ ansible_fqdn | regex_replace('\\.', '-') }}.{{ consul_conf.datacenter | default('dc1') }}.{{ consul_conf.domain | default('consul') }}" "alt_names=consul.service.{{ consul_conf.domain | default('consul') }},server.{{ consul_conf.datacenter | default('dc1') }}.{{ consul_conf.domain | default('consul') }}{% if consul_conf.alt_domain is defined %},consul.service.{{ consul_conf.alt_domain }},server.{{ consul_conf.datacenter | default('dc1') }}.{{ consul_conf.alt_domain }}{% endif %}" "ttl=72h" ]]
-[[ .CA ]]
-[[ .Cert ]]
-[[ .Key ]]
-[[ .CA | writeToFile "{{ consul_conf.tls.defaults.ca_file }}" "{{ consul_user }}" "{{ consul_user }}" "0644" ]]
-[[ .Cert | writeToFile "{{ consul_conf.tls.defaults.cert_file }}" "{{ consul_user }}" "{{ consul_user }}" "0644" ]]
-[[ .Key | writeToFile "{{ consul_conf.tls.defaults.key_file }}" "{{ consul_user }}" "{{ consul_user }}" "0640" ]]
-[[ end ]]
-[[ with secret "{{ consul_vault_agent.pki.path }}/cert/ca" ]]
-[[ .Data.certificate | writeToFile "{{ consul_conf.tls.defaults.cert_file }}" "{{ consul_user }}" "{{ consul_user }}" "0644" "append,newline" ]]
-[[ end ]]
-{% else %}
-[[ with secret "{{ consul_vault_agent.pki.path }}/cert/ca" ]]
-[[ .Data.certificate | writeToFile "{{ consul_conf.tls.defaults.ca_file }}" "{{ consul_user }}" "{{ consul_user }}" "0644" ]]
-[[ end ]]
-{% endif %}

roles/consul/templates/vault/agent_token.tpl.j2

@@ -1,3 +0,0 @@
-[[ with secret "{{ consul_vault_agent.tokens.path }}/creds/{{ consul_vault_agent.tokens.role }}" ]]
-[[ .Data.token ]]
-[[ end ]]

roles/consul/templates/vault/cli_bundle.pem.tpl.j2

@@ -1,7 +0,0 @@
-[[ with pkiCert "{{ consul_vault_agent.pki.path }}/issue/{{ consul_vault_agent.pki.role }}" "common_name=cli-{{ ansible_fqdn | regex_replace('\\.', '-') }}.{{ consul_conf.datacenter | default('dc1') }}.{{ consul_conf.domain | default('consul') }}" ]]
-[[ .CA ]]
-[[ .Cert ]]
-[[ .Key ]]
-[[ .Cert | writeToFile "{{ consul_root_dir }}/tls/cli.crt" "{{ consul_user }}" "{{ consul_user }}" "0644" ]]
-[[ .Key | writeToFile "{{ consul_root_dir }}/tls/cli.key" "{{ consul_user }}" "{{ consul_user }}" "0640" ]]
-[[ end ]]