feat: add global internal TLS option, make externally_managed_certs work

This commit is contained in:
Bertrand Lanson 2024-08-17 16:47:38 +02:00
parent 259f273fd9
commit 2b8faa2bf5
Signed by: lanson
SSH Key Fingerprint: SHA256:/nqc6HGqld/PS208F6FUOvZlUzTS0rGpNNwR5O2bQBw
5 changed files with 44 additions and 15 deletions


@ -40,6 +40,13 @@ api_interface: "eth1"
enable_tls_external: true enable_tls_external: true
# external_tls_externally_managed_certs: false # external_tls_externally_managed_certs: false
########################
# internal tls options #
########################
enable_tls_internal: true
# internal_tls_externally_managed_certs: false
##################################################### #####################################################
# # # #
# Consul # # Consul #
@ -103,7 +110,7 @@ enable_tls_external: true
# consul tls configuration # # consul tls configuration #
############################ ############################
consul_enable_tls: true # consul_enable_tls: "{{ enable_tls_internal }}"
# consul_tls_configuration: # consul_tls_configuration:
# defaults: # defaults:
# ca_file: "/etc/ssl/certs/ca-certificates.crt" # ca_file: "/etc/ssl/certs/ca-certificates.crt"
@ -160,7 +167,7 @@ consul_enable_tls: true
# vault listener # # vault listener #
################## ##################
vault_enable_tls: true # vault_enable_tls: "{{ enable_tls_internal }}"
# vault_tls_verify: false # vault_tls_verify: false
# vault_listener_configuration: # vault_listener_configuration:
# tcp: # tcp:
@ -271,7 +278,7 @@ vault_enable_tls: true
# nomad internal tls # # nomad internal tls #
###################### ######################
nomad_enable_tls: true # nomad_enable_tls: "{{ enable_tls_internal }}"
# nomad_tls_configuration: # nomad_tls_configuration:
# http: true # http: true
# rpc: true # rpc: true


@ -150,9 +150,14 @@ consul_tls_configuration:
internal_rpc: internal_rpc:
verify_server_hostname: true verify_server_hostname: true
consul_certificates_extra_files_dir: consul_certificates_extra_files_dir: >
- src: "{{ hashistack_sub_configuration_directories['certificates'] }}/consul/{{ inventory_hostname }}" {{
dest: "{{ consul_certs_dir }}" [] if external_tls_externally_managed_certs | bool else
[{
'src': "{{ hashistack_sub_configuration_directories['certificates'] }}/consul/{{ inventory_hostname }}",
'dest': "{{ consul_certs_dir }}"
}]
}}
########################### ###########################
# telemetry configuration # # telemetry configuration #
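Review bot: The new conditional on `consul_certificates_extra_files_dir` keys off `external_tls_externally_managed_certs`, although this list distributes the Consul internal TLS material and the commit introduces `internal_tls_externally_managed_certs` for exactly that purpose; the same mix-up is in the nomad and vault hunks below (`nomad_certificates_extra_files_dir`, `vault_certificates_extra_files_dir`). As written, an operator who only manages the external (load-balancer facing) certificates themselves would stop getting the consul, nomad and vault certificates copied into `*_certs_dir` while `*_enable_tls` stays true, and setting the new internal flag appears to have no effect anywhere in this commit; I would change the test to `[] if internal_tls_externally_managed_certs | bool else` in all three files, unless the external flag is deliberately meant to govern both, in which case the new variable should say so in a comment. Minor: a folded `>` scalar keeps a trailing newline in the templated value, so `>-` is the safer header for a string that is meant to be evaluated as a list.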


@ -37,6 +37,13 @@ enable_log_to_file: true
enable_tls_external: false enable_tls_external: false
external_tls_externally_managed_certs: false external_tls_externally_managed_certs: false
########################
# internal tls options #
########################
enable_tls_internal: false
internal_tls_externally_managed_certs: false
########## ##########
# Consul # # Consul #
########## ##########
@ -50,7 +57,7 @@ consul_enable_script_checks: false
consul_extra_files_list: [] consul_extra_files_list: []
consul_extra_configuration: {} consul_extra_configuration: {}
consul_enable_tls: false consul_enable_tls: "{{ enable_tls_internal }}"
consul_log_level: info consul_log_level: info
@ -68,7 +75,7 @@ vault_disable_cache: false
vault_extra_files_list: [] vault_extra_files_list: []
vault_extra_configuration: {} vault_extra_configuration: {}
vault_enable_tls: false vault_enable_tls: "{{ enable_tls_internal }}"
vault_enable_service_registration: "{{ enable_consul | bool }}" vault_enable_service_registration: "{{ enable_consul | bool }}"
@ -98,4 +105,4 @@ nomad_driver_extra_configuration: {}
nomad_log_level: info nomad_log_level: info
nomad_enable_tls: false nomad_enable_tls: "{{ enable_tls_internal }}"
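Review bot: `consul_enable_tls: "{{ enable_tls_internal }}"`, `vault_enable_tls` and `nomad_enable_tls` now inherit whatever the operator puts in `enable_tls_internal` without normalisation, whereas the neighbouring `vault_enable_service_registration: "{{ enable_consul | bool }}"` in this same file pipes the value through `| bool`. If an inventory sets `enable_tls_internal` to a string such as "yes", the three per-service flags may end up as that string rather than a boolean, and any `when:` or Jinja test on them then depends on how each consumer coerces it. Writing `consul_enable_tls: "{{ enable_tls_internal | bool }}"` (and likewise for vault and nomad) keeps the TLS switches strictly boolean and consistent with the existing style of the defaults.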


@ -157,9 +157,14 @@ nomad_tls_configuration:
key_file: "{{ nomad_certs_dir }}/cert.key" key_file: "{{ nomad_certs_dir }}/cert.key"
verify_server_hostname: true verify_server_hostname: true
nomad_certificates_extra_files_dir: nomad_certificates_extra_files_dir: >
- src: "{{ hashistack_sub_configuration_directories['certificates'] }}/nomad/{{ inventory_hostname }}" {{
dest: "{{ nomad_certs_dir }}" [] if external_tls_externally_managed_certs | bool else
[{
'src': "{{ hashistack_sub_configuration_directories['certificates'] }}/nomad/{{ inventory_hostname }}",
'dest': "{{ nomad_certs_dir }}"
}]
}}
########################### ###########################
# telemetry configuration # # telemetry configuration #


@ -79,9 +79,14 @@ vault_tls_listener_configuration:
tls_key_file: "{{ vault_certs_dir }}/cert.key" tls_key_file: "{{ vault_certs_dir }}/cert.key"
tls_disable_client_certs: true tls_disable_client_certs: true
vault_certificates_extra_files_dir: vault_certificates_extra_files_dir: >
- src: "{{ hashistack_sub_configuration_directories['certificates'] }}/vault/{{ inventory_hostname }}" {{
dest: "{{ vault_certs_dir }}" [] if external_tls_externally_managed_certs | bool else
[{
'src': "{{ hashistack_sub_configuration_directories['certificates'] }}/vault/{{ inventory_hostname }}",
'dest': "{{ vault_certs_dir }}"
}]
}}
vault_extra_listener_configuration: [] vault_extra_listener_configuration: []