feat: add global internal TLS option, make externally_managed_certs work

2024-08-17 16:47:38 +02:00 · 2024-08-17 16:47:38 +02:00 · 2b8faa2bf5
commit 2b8faa2bf5
parent 259f273fd9
5 changed files with 44 additions and 15 deletions
--- a/molecule/no_tls_multi_node/etc/hashistack/globals.yml
+++ b/molecule/no_tls_multi_node/etc/hashistack/globals.yml
@ -40,6 +40,13 @@ api_interface: "eth1"
 enable_tls_external: true
 # external_tls_externally_managed_certs: false

+########################
+# internal tls options #
+########################
+
+enable_tls_internal: true
+# internal_tls_externally_managed_certs: false
+
 #####################################################
 #                                                   #
 #                Consul                             #
@ -103,7 +110,7 @@ enable_tls_external: true
 # consul tls configuration #
 ############################

-consul_enable_tls: true
+# consul_enable_tls: "{{ enable_tls_internal }}"
 # consul_tls_configuration:
 #   defaults:
 #     ca_file: "/etc/ssl/certs/ca-certificates.crt"
@ -160,7 +167,7 @@ consul_enable_tls: true
 # vault listener #
 ##################

-vault_enable_tls: true
+# vault_enable_tls: "{{ enable_tls_internal }}"
 # vault_tls_verify: false
 # vault_listener_configuration:
 #   tcp:
@ -271,7 +278,7 @@ vault_enable_tls: true
 # nomad internal tls #
 ######################

-nomad_enable_tls: true
+# nomad_enable_tls: "{{ enable_tls_internal }}"
 # nomad_tls_configuration:
 #   http: true
 #   rpc: true
--- a/playbooks/group_vars/all/consul.yml
+++ b/playbooks/group_vars/all/consul.yml
@ -150,9 +150,14 @@ consul_tls_configuration:
  internal_rpc:
    verify_server_hostname: true

-consul_certificates_extra_files_dir:
-  - src: "{{ hashistack_sub_configuration_directories['certificates'] }}/consul/{{ inventory_hostname }}"
-    dest: "{{ consul_certs_dir }}"
+consul_certificates_extra_files_dir: >
+  {{
+    [] if external_tls_externally_managed_certs | bool else
+    [{
+      'src': "{{ hashistack_sub_configuration_directories['certificates'] }}/consul/{{ inventory_hostname }}",
+      'dest': "{{ consul_certs_dir }}"
+    }]
+  }}

 ###########################
 # telemetry configuration #
--- a/playbooks/group_vars/all/globals.yml
+++ b/playbooks/group_vars/all/globals.yml
@ -37,6 +37,13 @@ enable_log_to_file: true
 enable_tls_external: false
 external_tls_externally_managed_certs: false

+########################
+# internal tls options #
+########################
+
+enable_tls_internal: false
+internal_tls_externally_managed_certs: false
+
 ##########
 # Consul #
 ##########
@ -50,7 +57,7 @@ consul_enable_script_checks: false
 consul_extra_files_list: []
 consul_extra_configuration: {}

-consul_enable_tls: false
+consul_enable_tls: "{{ enable_tls_internal }}"

 consul_log_level: info

@ -68,7 +75,7 @@ vault_disable_cache: false
 vault_extra_files_list: []
 vault_extra_configuration: {}

-vault_enable_tls: false
+vault_enable_tls: "{{ enable_tls_internal }}"

 vault_enable_service_registration: "{{ enable_consul | bool }}"

@ -98,4 +105,4 @@ nomad_driver_extra_configuration: {}

 nomad_log_level: info

-nomad_enable_tls: false
+nomad_enable_tls: "{{ enable_tls_internal }}"
--- a/playbooks/group_vars/all/nomad.yml
+++ b/playbooks/group_vars/all/nomad.yml
@ -157,9 +157,14 @@ nomad_tls_configuration:
  key_file: "{{ nomad_certs_dir }}/cert.key"
  verify_server_hostname: true

-nomad_certificates_extra_files_dir:
-  - src: "{{ hashistack_sub_configuration_directories['certificates'] }}/nomad/{{ inventory_hostname }}"
-    dest: "{{ nomad_certs_dir }}"
+nomad_certificates_extra_files_dir: >
+  {{
+    [] if external_tls_externally_managed_certs | bool else
+    [{
+      'src': "{{ hashistack_sub_configuration_directories['certificates'] }}/nomad/{{ inventory_hostname }}",
+      'dest': "{{ nomad_certs_dir }}"
+    }]
+  }}

 ###########################
 # telemetry configuration #
--- a/playbooks/group_vars/all/vault.yml
+++ b/playbooks/group_vars/all/vault.yml
@ -79,9 +79,14 @@ vault_tls_listener_configuration:
      tls_key_file: "{{ vault_certs_dir }}/cert.key"
      tls_disable_client_certs: true

-vault_certificates_extra_files_dir:
-  - src: "{{ hashistack_sub_configuration_directories['certificates'] }}/vault/{{ inventory_hostname }}"
-    dest: "{{ vault_certs_dir }}"
+vault_certificates_extra_files_dir: >
+  {{
+    [] if external_tls_externally_managed_certs | bool else
+    [{
+      'src': "{{ hashistack_sub_configuration_directories['certificates'] }}/vault/{{ inventory_hostname }}",
+      'dest': "{{ vault_certs_dir }}"
+    }]
+  }}

 vault_extra_listener_configuration: []