diff --git a/playbooks/tasks/consul/consul_deploy.yml b/playbooks/tasks/consul/consul_deploy.yml index 9ee2028..7a890e4 100644 --- a/playbooks/tasks/consul/consul_deploy.yml +++ b/playbooks/tasks/consul/consul_deploy.yml @@ -7,7 +7,7 @@ - name: "Wait for consul cluster to initialize" # noqa: run-once[task] ansible.builtin.uri: - url: "http://{{ api_interface_address }}:8500" + url: "http://{{ api_interface_address }}:8500" # TODO: this should be dynamic (http/https) validate_certs: no return_content: yes status_code: @@ -19,6 +19,7 @@ - name: "Initialize consul cluster" # noqa: run-once[task] community.general.consul_acl_bootstrap: + bootstrap_secret: "{{ _credentials.consul.root_token.secret_id }}" host: "{{ hashi_consul_configuration['advertise_addr'] }}" port: 8500 scheme: http @@ -28,27 +29,27 @@ register: _consul_init_secret when: hashi_consul_configuration.acl.enabled - - name: "Write consul configuration to file" # noqa: run-once[task] no-handler - ansible.builtin.blockinfile: - marker: "## -- {root_token} ANSIBLE MANAGED BLOCK ##" - block: "{{ - { - 'root_token':{ - 'accessor_id': _consul_init_secret.result.AccessorID, - 'secret_id': _consul_init_secret.result.SecretID - } - } | to_nice_yaml - }}" - path: "{{ sub_configuration_directories.consul_servers }}/consul_config.yml" - mode: "0644" - when: _consul_init_secret.result is defined - run_once: true - delegate_to: localhost + # - name: "Write consul configuration to file" # noqa: run-once[task] no-handler + # ansible.builtin.blockinfile: + # marker: "## -- {root_token} ANSIBLE MANAGED BLOCK ##" + # block: "{{ + # { + # 'root_token':{ + # 'accessor_id': _consul_init_secret.result.AccessorID, + # 'secret_id': _consul_init_secret.result.SecretID + # } + # } | to_nice_yaml + # }}" + # path: "{{ sub_configuration_directories.consul_servers }}/consul_config.yml" + # mode: "0644" + # when: _consul_init_secret.result is defined + # run_once: true + # delegate_to: localhost - - name: "Load consul cluster variables" - ansible.builtin.include_vars: - file: "{{ sub_configuration_directories.consul_servers }}/consul_config.yml" - name: _consul_cluster_config + # - name: "Load consul cluster variables" + # ansible.builtin.include_vars: + # file: "{{ sub_configuration_directories.consul_servers }}/consul_config.yml" + # name: _consul_cluster_config - name: "Create consul agents token" when: @@ -57,14 +58,14 @@ block: - name: "Create consul agents token" # noqa: run-once[task] no-handler run_once: true - delegate_to: localhost block: - name: "Create consul agent policy" community.general.consul_policy: - host: "{{ hashi_consul_configuration['advertise_addr'] }}" - token: "{{ _consul_cluster_config.root_token.secret_id }}" + token: "{{ _credentials.consul.root_token.secret_id }}" + host: "{{ api_interface_address }}" port: 8500 - scheme: http + scheme: http # TODO: this should be dynamic + validate_certs: false state: present name: agents-policy rules: "{{ consul_default_agent_policy }}" @@ -74,55 +75,65 @@ vars: consul_full_url: "http://{{ hashi_consul_configuration['advertise_addr'] }}:8500" consul_token_body: + Description: "Consul agents token" + SecretID: "{{ _credentials.consul.tokens.agent }}" Policies: - ID: "{{ _consul_agent_policy.policy.ID }}" ansible.builtin.uri: url: "{{ consul_full_url }}/v1/acl/token" method: PUT headers: - X-Consul-Token: "{{ _consul_cluster_config.root_token.secret_id }}" + X-Consul-Token: "{{ _credentials.consul.root_token.secret_id }}" body: "{{ consul_token_body | to_json }}" status_code: - 200 register: _consul_agent_token + changed_when: _consul_agent_token.status == 200 - - name: "Write consul agents token to file" # no-handler - ansible.builtin.blockinfile: - marker: "## -- {tokens} ANSIBLE MANAGED BLOCK ##" - block: "{{ - { - 'tokens':{ - 'agent': _consul_agent_token.json.SecretID - } - } | to_nice_yaml - }}" - path: "{{ sub_configuration_directories.consul_servers }}/consul_config.yml" - mode: "0644" - when: "'OK' in _consul_agent_token.msg" + - name: "Restart consul service" + ansible.builtin.service: + name: "consul_container" + state: restarted + throttle: 1 + when: _consul_agent_token.changed - - name: "Merge token configuration" - delegate_to: localhost - block: - - name: "Stat consul secrets file" - ansible.builtin.stat: - path: "{{ sub_configuration_directories.consul_servers }}/consul_config.yml" - register: _consul_config_file + # - name: "Write consul agents token to file" # no-handler + # ansible.builtin.blockinfile: + # marker: "## -- {tokens} ANSIBLE MANAGED BLOCK ##" + # block: "{{ + # { + # 'tokens':{ + # 'agent': _consul_agent_token.json.SecretID + # } + # } | to_nice_yaml + # }}" + # path: "{{ sub_configuration_directories.consul_servers }}/consul_config.yml" + # mode: "0644" + # when: "'OK' in _consul_agent_token.msg" - - name: "Load consul secrets file" - ansible.builtin.include_vars: - file: "{{ sub_configuration_directories.consul_servers }}/consul_config.yml" - name: _consul_cluster_config - when: _consul_config_file.stat.exists + # - name: "Merge token configuration" + # delegate_to: localhost + # block: + # - name: "Stat consul secrets file" + # ansible.builtin.stat: + # path: "{{ sub_configuration_directories.consul_servers }}/consul_config.yml" + # register: _consul_config_file + # + # - name: "Load consul secrets file" + # ansible.builtin.include_vars: + # file: "{{ sub_configuration_directories.consul_servers }}/consul_config.yml" + # name: _consul_cluster_config + # when: _consul_config_file.stat.exists + # + # - name: "Merge token configuration" + # vars: + # _config_to_merge: + # acl: + # tokens: "{{ _consul_cluster_config.tokens }}" + # ansible.builtin.set_fact: + # hashi_consul_configuration: "{{ hashi_consul_configuration | default({}) | combine(_config_to_merge, recursive=true) }}" + # when: _consul_cluster_config.tokens is defined - - name: "Merge token configuration" - vars: - _config_to_merge: - acl: - tokens: "{{ _consul_cluster_config.tokens }}" - ansible.builtin.set_fact: - hashi_consul_configuration: "{{ hashi_consul_configuration | default({}) | combine(_config_to_merge, recursive=true) }}" - when: _consul_cluster_config.tokens is defined - - - name: "Include ednz_cloud.hashistack.hashicorp_consul" - ansible.builtin.include_role: - name: ednz_cloud.hashistack.hashicorp_consul + # - name: "Include ednz_cloud.hashistack.hashicorp_consul" + # ansible.builtin.include_role: + # name: ednz_cloud.hashistack.hashicorp_consul diff --git a/playbooks/tasks/consul/consul_vars.yml b/playbooks/tasks/consul/consul_vars.yml index 8e2a3a8..9458a95 100644 --- a/playbooks/tasks/consul/consul_vars.yml +++ b/playbooks/tasks/consul/consul_vars.yml @@ -36,35 +36,14 @@ - name: "Consul | Merge token configuration" delegate_to: localhost block: - - name: "Consul | Stat consul secrets file" - ansible.builtin.stat: - path: "{{ sub_configuration_directories.consul_servers }}/consul_config.yml" - register: _consul_config_file - - - name: "Consul | Load consul secrets file" - ansible.builtin.include_vars: - file: "{{ sub_configuration_directories.consul_servers }}/consul_config.yml" - name: _consul_cluster_config - when: _consul_config_file.stat.exists - - name: "Consul | Merge token configuration" vars: _config_to_merge: acl: - tokens: "{{ _consul_cluster_config.tokens }}" + tokens: + agent: "{{ _credentials.consul.tokens.agent }}" ansible.builtin.set_fact: hashi_consul_configuration: "{{ hashi_consul_configuration | default({}) | combine(_config_to_merge, recursive=true) }}" - when: _consul_cluster_config.tokens is defined - - - name: "Consul | Create secrets file if not present" - ansible.builtin.file: - path: "{{ sub_configuration_directories.consul_servers }}/consul_config.yml" - state: touch - owner: "{{ lookup('env', 'USER') }}" - group: "{{ lookup('env', 'USER') }}" - mode: "0644" - run_once: true - when: not _consul_config_file.stat.exists - name: "Consul | Merge extra configuration settings" vars: