Update to 2022-09-04 18:00

2025-10-30 18:31:28 +01:00 · 2022-09-04 18:00:17 +02:00
parent c36a80b596
commit e084a5f0b2
10 changed files with 124 additions and 9 deletions
--- a/roles/nomad/templates/agent_cert.tpl.j2
+++ b/roles/nomad/templates/agent_cert.tpl.j2
@@ -1,3 +1,3 @@
-[[ with secret "{{ nomad_vault_tls.pki.path }}/issue/{{ nomad_vault_tls.pki.role }}" "common_name={{ (nomad_conf.server.enabled) | ternary('server', 'client') }}-{{ ansible_fqdn | regex_replace('\\.', '-') }}.{{ nomad_conf.region | default('global') }}.nomad" "ttl={{ nomad_vault_tls.pki.ttl }}" "alt_names=localhost,{{ (nomad_conf.server.enabled) | ternary('server', 'client') }}.{{ nomad_conf.region | default('global') }}.nomad{% if nomad_conf.server.enabled and nomad_conf.client.enabled %},client.{{ nomad_conf.region | default('global') }}.nomad{% endif %}" ]]
+[[ with secret "{{ nomad_vault_tls.pki.path }}/issue/{{ nomad_vault_tls.pki.role }}" "common_name={{ (nomad_conf.server.enabled) | ternary('server', 'client') }}-{{ ansible_fqdn | regex_replace('\\.', '-') }}.{{ nomad_conf.region | default('global') }}.nomad" "ttl={{ nomad_vault_tls.pki.ttl }}" "alt_names=localhost,{{ (nomad_conf.server.enabled) | ternary('server', 'client') }}.{{ nomad_conf.region | default('global') }}.nomad{% if nomad_conf.server.enabled and nomad_conf.client.enabled %},client.{{ nomad_conf.region | default('global') }}.nomad{% endif %}{% if consul_conf is defined %},nomad{{ nomad_conf.server.enabled | ternary('', '-client') }}.service.{{ consul_conf.domain | default('consul') }}{% endif %}" ]]
 [[ .Data.{{ item.what }} ]]
 [[ end ]]
--- a/roles/nomad/templates/consul-template.hcl.j2
+++ b/roles/nomad/templates/consul-template.hcl.j2
@@ -35,7 +35,6 @@ template {
  exec {
    command = "systemctl reload nomad"
  }
-
 }

 {% if nomad_conf.server.enabled %}
@@ -54,3 +53,32 @@ template {
  perms           = 0640
 }
 {% endif %}
+
+{% if nomad_conf.client.enabled and nomad_conf.consul.ssl %}
+template {
+  source          = "{{ nomad_root_dir }}/consul-template/consul.crt.tpl"
+  left_delimiter  = "[["
+  right_delimiter = "]]"
+  destination     = "{{ nomad_conf.consul.cert_file }}"
+}
+
+template {
+  source          = "{{ nomad_root_dir }}/consul-template/consul.key.tpl"
+  left_delimiter  = "[["
+  right_delimiter = "]]"
+  destination     = "{{ nomad_conf.consul.key_file }}"
+  perms           = 0640
+}
+
+template {
+  source          = "{{ nomad_root_dir }}/consul-template/consul_ca.crt.tpl"
+  left_delimiter  = "[["
+  right_delimiter = "]]"
+  destination     = "{{ nomad_conf.consul.ca_file }}"
+  perms           = 0644
+  exec {
+    command = "systemctl reload nomad"
+  }
+}
+
+{% endif %}
--- a/roles/nomad/templates/consul_cert.tpl.j2
+++ b/roles/nomad/templates/consul_cert.tpl.j2
@@ -0,0 +1,8 @@
+[[ with secret "{{ nomad_vault_tls.consul_pki.path }}/issue/{{ nomad_vault_tls.consul_pki.role }}" "common_name={{ ansible_fqdn | regex_replace('\\.', '-') }}.{{ (consul_conf is defined and consul_conf.domain is defined) | ternary(consul_conf.domain, 'consul') }}" "ttl={{ nomad_vault_tls.consul_pki.ttl }}" ]]
+[[ .Data.{{ item.what }} ]]
+[[ end ]]
+{% if item.what == 'issuing_ca' %}
+[[ with secret "{{ nomad_vault_tls.root_pki.path }}/cert/ca" ]]
+[[ .Data.certificate ]]
+[[ end ]]
+{% endif %}
--- a/roles/nomad/templates/nomad.hcl.j2
+++ b/roles/nomad/templates/nomad.hcl.j2
@@ -167,18 +167,40 @@ telemetry {
 }

 consul {
-{% if nomad_conf.consul.address is defined %}
-  address = "{{ nomad_conf.consul.address }}"
+{% for key in ['address', 'auth', 'client_service_name', 'server_service_name', 'grpc_address', 'token'] %}
+{% if nomad_conf.consul[key] is defined %}
+  {{ key }} = "{{ nomad_conf.consul[key] }}"
 {% endif %}
-{% if nomad_conf.consul.allow_unauthenticated is defined %}
-  allow_unauthenticated = {{ nomad_conf.consul.allow_unauthenticated | ternary('true', 'false') }}
+{% endfor %}
+
+{% for key in ['allow_unauthenticated', 'auto_advertise', 'checks_use_advertise', 'server_auto_join'] %}
+{% if nomad_conf.consul[key] is defined %}
+  {{ key }} = {{ nomad_conf.consul[key] | ternary('true', 'false') }}
 {% endif %}
+{% endfor %}
+
 {% if nomad_conf.consul.tags is defined and nomad_conf.consul.tags is iterable %}
  tags = [
 {% for tag in nomad_conf.consul.tags %}
-    "{{ tag }}"
-  ]
+    "{{ tag }}",
 {% endfor %}
+  ]
+{% endif %}
+
+{% if nomad_conf.consul.ssl %}
+  ssl = true
+{% for key in ['ca_file', 'cert_file', 'key_file'] %}
+{% if nomad_conf.consul[key] is defined %}
+  {{ key }} = "{{ nomad_conf.consul[key] }}"
+{% endif %}
+{% endfor %}
+
+{% for key in ['verify_ssl', 'share_ssl'] %}
+{% if nomad_conf.consul[key] is defined %}
+  {{ key }} = {{ nomad_conf.consul[key] | ternary('true', 'false') }}
+{% endif %}
+{% endfor %}
+
 {% endif %}
 }

--- a/roles/nomad/templates/nomad.service.j2
+++ b/roles/nomad/templates/nomad.service.j2
@@ -7,6 +7,13 @@ ConditionFileNotEmpty={{ nomad_root_dir }}/etc/nomad.hcl

 [Service]
 EnvironmentFile=-{{ nomad_root_dir }}/etc/nomad.env
+{% if nomad_conf.consul.ssl and nomad_conf.client.enabled %}
+Environment=CONSUL_HTTP_SSL=true
+Environment=CONSUL_HTTP_ADDR=localhost:{{ (consul_services is defined) | ternary(consul_services.https.port, '8501') }}
+Environment=CONSUL_CACERT={{ nomad_conf.consul.ca_file }}
+Environment=CONSUL_CLIENT_CERT={{ nomad_conf.consul.cert_file }}
+Environment=CONSUL_CLIENT_KEY={{ nomad_conf.consul.key_file }}
+{% endif %}
 User={{ nomad_user }}
 Group={{ nomad_user }}
 ExecStart={{ nomad_root_dir }}/bin/nomad agent -config={{ nomad_root_dir }}/etc/