From 2b8faa2bf591825d79130021675c1edeb51bd57d Mon Sep 17 00:00:00 2001
From: Bertrand Lanson
Date: Sat, 17 Aug 2024 16:47:38 +0200
Subject: [PATCH] feat: add global internal TLS option, make externally_managed_certs work

---
 .../no_tls_multi_node/etc/hashistack/globals.yml | 13 ++++++++++---
 playbooks/group_vars/all/consul.yml | 11 ++++++++---
 playbooks/group_vars/all/globals.yml | 13 ++++++++++---
 playbooks/group_vars/all/nomad.yml | 11 ++++++++---
 playbooks/group_vars/all/vault.yml | 11 ++++++++---
 5 files changed, 44 insertions(+), 15 deletions(-)

diff --git a/molecule/no_tls_multi_node/etc/hashistack/globals.yml b/molecule/no_tls_multi_node/etc/hashistack/globals.yml
index 6b66406..66f4777 100644
--- a/molecule/no_tls_multi_node/etc/hashistack/globals.yml
+++ b/molecule/no_tls_multi_node/etc/hashistack/globals.yml
@@ -40,6 +40,13 @@ api_interface: "eth1"
 enable_tls_external: true
 # external_tls_externally_managed_certs: false
 
+########################
+# internal tls options #
+########################
+
+enable_tls_internal: true
+# internal_tls_externally_managed_certs: false
+
 #####################################################
 # #
 # Consul #
@@ -103,7 +110,7 @@ enable_tls_external: true
 # consul tls configuration #
 ############################
 
-consul_enable_tls: true
+# consul_enable_tls: "{{ enable_tls_internal }}"
 # consul_tls_configuration:
 # defaults:
 # ca_file: "/etc/ssl/certs/ca-certificates.crt"
@@ -160,7 +167,7 @@ consul_enable_tls: true
 # vault listener #
 ##################
 
-vault_enable_tls: true
+# vault_enable_tls: "{{ enable_tls_internal }}"
 # vault_tls_verify: false
 # vault_listener_configuration:
 # tcp:
@@ -271,7 +278,7 @@ vault_enable_tls: true
 # nomad internal tls #
 ######################
 
-nomad_enable_tls: true
+# nomad_enable_tls: "{{ enable_tls_internal }}"
 # nomad_tls_configuration:
 # http: true
 # rpc: true
diff --git a/playbooks/group_vars/all/consul.yml b/playbooks/group_vars/all/consul.yml
index db0781a..918204c 100644
--- a/playbooks/group_vars/all/consul.yml
+++ b/playbooks/group_vars/all/consul.yml
@@ -150,9 +150,14 @@ consul_tls_configuration:
 internal_rpc:
 verify_server_hostname: true
 
-consul_certificates_extra_files_dir:
- - src: "{{ hashistack_sub_configuration_directories['certificates'] }}/consul/{{ inventory_hostname }}"
- dest: "{{ consul_certs_dir }}"
+consul_certificates_extra_files_dir: >
+ {{
+ [] if external_tls_externally_managed_certs | bool else
+ [{
+ 'src': "{{ hashistack_sub_configuration_directories['certificates'] }}/consul/{{ inventory_hostname }}",
+ 'dest': "{{ consul_certs_dir }}"
+ }]
+ }}
 
 ###########################
 # telemetry configuration #
diff --git a/playbooks/group_vars/all/globals.yml b/playbooks/group_vars/all/globals.yml
index 231e3e1..359a20b 100644
--- a/playbooks/group_vars/all/globals.yml
+++ b/playbooks/group_vars/all/globals.yml
@@ -37,6 +37,13 @@ enable_log_to_file: true
 enable_tls_external: false
 external_tls_externally_managed_certs: false
 
+########################
+# internal tls options #
+########################
+
+enable_tls_internal: false
+internal_tls_externally_managed_certs: false
+
 ##########
 # Consul #
 ##########
@@ -50,7 +57,7 @@ consul_enable_script_checks: false
 consul_extra_files_list: []
 consul_extra_configuration: {}
 
-consul_enable_tls: false
+consul_enable_tls: "{{ enable_tls_internal }}"
 
 consul_log_level: info
 
@@ -68,7 +75,7 @@ vault_disable_cache: false
 vault_extra_files_list: []
 vault_extra_configuration: {}
 
-vault_enable_tls: false
+vault_enable_tls: "{{ enable_tls_internal }}"
 
 vault_enable_service_registration: "{{ enable_consul | bool }}"
 
@@ -98,4 +105,4 @@ nomad_driver_extra_configuration: {}
 
 nomad_log_level: info
 
-nomad_enable_tls: false
+nomad_enable_tls: "{{ enable_tls_internal }}"
diff --git a/playbooks/group_vars/all/nomad.yml b/playbooks/group_vars/all/nomad.yml
index eba3d69..642228f 100644
--- a/playbooks/group_vars/all/nomad.yml
+++ b/playbooks/group_vars/all/nomad.yml
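Review bot: The new `consul_certificates_extra_files_dir` condition tests `external_tls_externally_managed_certs`, while the files it controls appear to be the Consul internal TLS material (their destination is `consul_certs_dir`, and `consul_enable_tls` is now derived from `enable_tls_internal` elsewhere in this patch), so the flag that should govern them looks like the `internal_tls_externally_managed_certs` this same commit introduces — and that new variable is not read anywhere in the patch. As written, setting `internal_tls_externally_managed_certs: true` changes nothing, and enabling the external flag silently stops copying Consul's internal certificates even though TLS stays on; the intended line is presumably `[] if internal_tls_externally_managed_certs | bool else`. The same mix-up is in the `nomad_certificates_extra_files_dir` and `vault_certificates_extra_files_dir` hunks. A smaller point: the inner `"{{ ... }}"` strings are only rendered if the consuming role templates each item a second time, so building the path with `~` (`hashistack_sub_configuration_directories['certificates'] ~ '/consul/' ~ inventory_hostname`) would make the value self-contained — worth confirming against the role that reads it.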
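Review bot: `consul_enable_tls: "{{ enable_tls_internal }}"` forwards the raw value, whereas the neighbouring `vault_enable_service_registration: "{{ enable_consul | bool }}"` normalises with `| bool`; if `enable_tls_internal` arrives as a string (for example from `--extra-vars`), a consumer that tests the value without its own `| bool` would treat `"false"` as truthy. Writing `consul_enable_tls: "{{ enable_tls_internal | bool }}"` keeps the file's convention, and the same applies to `vault_enable_tls` and `nomad_enable_tls` in the next two hunks.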
@@ -157,9 +157,14 @@ nomad_tls_configuration:
 key_file: "{{ nomad_certs_dir }}/cert.key"
 verify_server_hostname: true
 
-nomad_certificates_extra_files_dir:
- - src: "{{ hashistack_sub_configuration_directories['certificates'] }}/nomad/{{ inventory_hostname }}"
- dest: "{{ nomad_certs_dir }}"
+nomad_certificates_extra_files_dir: >
+ {{
+ [] if external_tls_externally_managed_certs | bool else
+ [{
+ 'src': "{{ hashistack_sub_configuration_directories['certificates'] }}/nomad/{{ inventory_hostname }}",
+ 'dest': "{{ nomad_certs_dir }}"
+ }]
+ }}
 
 ###########################
 # telemetry configuration #
diff --git a/playbooks/group_vars/all/vault.yml b/playbooks/group_vars/all/vault.yml
index aa17855..f447156 100644
--- a/playbooks/group_vars/all/vault.yml
+++ b/playbooks/group_vars/all/vault.yml
@@ -79,9 +79,14 @@ vault_tls_listener_configuration:
 tls_key_file: "{{ vault_certs_dir }}/cert.key"
 tls_disable_client_certs: true
 
-vault_certificates_extra_files_dir:
- - src: "{{ hashistack_sub_configuration_directories['certificates'] }}/vault/{{ inventory_hostname }}"
- dest: "{{ vault_certs_dir }}"
+vault_certificates_extra_files_dir: >
+ {{
+ [] if external_tls_externally_managed_certs | bool else
+ [{
+ 'src': "{{ hashistack_sub_configuration_directories['certificates'] }}/vault/{{ inventory_hostname }}",
+ 'dest': "{{ vault_certs_dir }}"
+ }]
+ }}
 
 vault_extra_listener_configuration: []