From bd2028c3aff7316269790f4255e63da925028224 Mon Sep 17 00:00:00 2001
From: Bertrand Lanson
Date: Sun, 5 May 2024 02:37:29 +0200
Subject: [PATCH] feat(consul): allow enabling consul internal TLS
---
 .gitignore | 1 +
 playbooks/generate_certs.yml | 2 +-
 playbooks/group_vars/all/consul.yml | 38 ++++++++++++++++++++----
 playbooks/group_vars/all/globals.yml | 15 +++++++---
 playbooks/group_vars/all/vault.yml | 4 +-
 playbooks/tasks/consul/consul_deploy.yml | 15 +++++-----
 roles/hashicorp_consul | 2 +-
 7 files changed, 55 insertions(+), 22 deletions(-)
diff --git a/.gitignore b/.gitignore
index 02e5a4e..cb534dd 100644
--- a/.gitignore
+++ b/.gitignore
@@ -6,5 +6,6 @@ vault_config.yml
 consul_config.yml
 **/certificates/**
 **/secrets/credentials.yml
+**/secrets/credentials.decrypt.yml
 **/secrets/vault.yml
 **/.ansible-vault
diff --git a/playbooks/generate_certs.yml b/playbooks/generate_certs.yml
index dc2913c..14e975d 100644
--- a/playbooks/generate_certs.yml
+++ b/playbooks/generate_certs.yml
@@ -192,7 +192,7 @@
 - name: "Create Consul certificates"
 when:
- - "'consul_servers' in group_names"
+ - "('consul_servers' in group_names) or ('consul_agents' in group_names)"
 vars:
 consul_private_key_path: "{{ sub_configuration_directories['certificates'] }}/consul/{{ inventory_hostname }}/key.pem"
 consul_certificate_path: "{{ sub_configuration_directories['certificates'] }}/consul/{{ inventory_hostname }}/cert.pem"
diff --git a/playbooks/group_vars/all/consul.yml b/playbooks/group_vars/all/consul.yml
index 1914609..f65b51d 100644
--- a/playbooks/group_vars/all/consul.yml
+++ b/playbooks/group_vars/all/consul.yml
@@ -5,6 +5,16 @@
 #
 #
 #####################################################
+#####################
+# consul api config #
+#####################
+
+consul_api_addr: "{{ consul_api_scheme }}://{{ api_interface_address }}:{{ consul_api_port[consul_api_scheme] }}"
+consul_api_scheme: "{{ 'https' if consul_enable_tls else 'http' }}"
+consul_api_port:
+ http: 8500
+ https: 8501
+
 ##########################
 # consul haproxy backend #
 ##########################
@@ -27,7 +37,7 @@ consul_external_backend_options:
 consul_external_backend_servers: |
 [
 {% for host in groups['consul_servers'] %}
- 'server consul-{{ hostvars[host].api_interface_address }} {{ hostvars[host].api_interface_address }}:{{ hashi_consul_configuration.ports.http }} check inter 5s'{% if not loop.last %},{% endif %}
+ 'server consul-{{ hostvars[host].api_interface_address }} {{ hostvars[host].api_interface_address }}:{{ hostvars[host].consul_api_port[consul_api_scheme] }} check {{ 'ssl verify none ' if consul_enable_tls }}inter 5s'{% if not loop.last %},{% endif %}
 {% endfor %}
 ]
@@ -43,6 +53,15 @@ consul_default_agent_policy: |
 policy = "read"
 }
+#######################
+# consul internal tls #
+#######################
+
+consul_certificates_directory: "{{ hashi_consul_config_dir }}/tls"
+consul_certificates_extra_files_dir:
+ - src: "{{ sub_configuration_directories['certificates'] }}/consul/{{ inventory_hostname }}"
+ dest: "{{ consul_certificates_directory }}"
+
 #########################
 # consul role variables #
 #########################
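Review bot: The HAProxy backend line (hunk `@@ -27,7 +37,7`) now connects to Consul over TLS with `ssl verify none`, so HAProxy never authenticates the Consul servers it forwards API traffic to, even though this same patch has generate_certs.yml issue per-host Consul certificates. Verifying against the issuing CA keeps the health check and the authentication, e.g. `check {{ 'ssl verify required ca-file /PLACEHOLDER/path/to/consul-ca.pem ' if consul_enable_tls }}inter 5s`; where generate_certs.yml writes that CA is outside this diff, so the path is a placeholder. The port lookup `hostvars[host].consul_api_port[consul_api_scheme]` indexes the remote host's port table with the local host's scheme, which is only right while `consul_enable_tls` is uniform across hosts; a one-line comment `# assumes consul_enable_tls is the same on every consul server` would make that assumption visible.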
@@ -53,9 +72,15 @@ hashi_consul_deploy_method: "{{ deployment_method }}"
 hashi_consul_env_variables: {}
 hashi_consul_config_dir: "/etc/consul.d"
 hashi_consul_data_dir: "/opt/consul"
-hashi_consul_extra_files: false
-hashi_consul_extra_files_src: "{{ sub_configuration_directories.consul_servers }}/config"
-hashi_consul_extra_files_dst: "{{ hashi_consul_config_dir }}/config"
+hashi_consul_extra_files: true
+hashi_consul_extra_files_list: "{{ ([] +
+ (consul_certificates_extra_files_dir if consul_enable_tls else []) +
+ (vault_plugin_extra_files_dir if vault_enable_plugins else []) +
+ vault_extra_files_list)
+ | unique
+ | sort
+ }}"
+hashi_consul_extra_container_volumes: "{{ default_container_extra_volumes | union(extra_consul_container_volumes) | unique }}"
 hashi_consul_envoy_install: false
 hashi_consul_envoy_version: v1.27.2
 hashi_consul_configuration:
@@ -83,8 +108,6 @@ hashi_consul_configuration:
 dns_config: "{{ consul_dns_configuration }}"
 ports:
 dns: 8600
-http: 8500 # "{{ ('8500'|int) if not }}"
-https: -1
 grpc: 8502
 grpc_tls: 8503
 server: 8300
@@ -98,3 +121,6 @@ hashi_consul_configuration:
 # this is used to circumvent jinja limitation to convert string to integer
 hashi_consul_configuration_string: |
 bootstrap_expect: {{ (groups['consul_servers'] | length) }}
+ports:
+ http: {{ (consul_api_port.http|int) if not consul_enable_tls else ('-1' | int) }}
+ https: {{ (consul_api_port.https|int) if consul_enable_tls else ('-1' | int) }}
diff --git a/playbooks/group_vars/all/globals.yml b/playbooks/group_vars/all/globals.yml
index 7b95713..6f7a9d4 100644
--- a/playbooks/group_vars/all/globals.yml
+++ b/playbooks/group_vars/all/globals.yml
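Review bot: `hashi_consul_extra_files_list` (hunk `@@ -53,9 +72,15`) appends `vault_plugin_extra_files_dir` and `vault_extra_files_list` to the Consul role's extra-files list, so Vault's plugin directory and Vault-specific extra files would be shipped to every Consul node; this reads like a copy of the Vault expression, and the `consul_extra_files_list: []` added to globals.yml in this same commit is read by nothing, so `+ vault_extra_files_list)` is presumably meant to be `+ consul_extra_files_list)`, with the plugin term dropped unless Consul really needs it. The trailing `| sort` will also raise a TypeError as soon as the list holds two mappings (TLS and plugins both enabled), because mappings are not orderable in Python 3; `sort(attribute='dest')` or no sort at all avoids that. `hashi_consul_extra_files: true` is now unconditional, so the role has to tolerate an empty list when TLS is off — worth checking. `default_container_extra_volumes` is not defined anywhere in this diff; I assume it lives elsewhere in group_vars.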
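Review bot: Moving `http`/`https` out of `hashi_consul_configuration.ports` (hunk `@@ -83,8 +108,6`) into `hashi_consul_configuration_string` (hunk `@@ -98,3 +121,6`) only works if the role merges the parsed string into the configuration recursively; with a shallow combine, the `ports` mapping from the string replaces the one still holding `dns`, `grpc`, `grpc_tls` and `server`, silently dropping those ports. That depends on the role, which the submodule bump at the end of this patch may be addressing, but a comment on the new block, `# http/https live here so the -1 stays an integer; relies on a recursive merge with hashi_consul_configuration.ports`, would spare the next reader the question. Minor: `('-1' | int)` is a roundabout `-1`; `http: {{ consul_api_port.http | int if not consul_enable_tls else -1 }}` says the same thing.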
@@ -100,22 +100,29 @@ consul_mesh_configuration:
 # consul tls configuration #
 ############################
-consul_enable_tls: false
+consul_enable_tls: true
 consul_tls_configuration:
- default:
+ defaults:
 ca_file: "/etc/ssl/certs/ca-certificates.crt"
- cert_file: "{{ hashi_consul_config_dir }}/tls/cert.pem"
- key_file: "{{ hashi_consul_config_dir }}/tls/key.pem"
+ cert_file: "{{ consul_certificates_directory }}/cert.pem"
+ key_file: "{{ consul_certificates_directory }}/key.pem"
 verify_incoming: false
 verify_outgoing: true
 internal_rpc:
 verify_server_hostname: true
+############################
+# consul container volumes #
+############################
+
+extra_consul_container_volumes: []
+
 #######################
 # extra configuration #
 #######################
 consul_extra_configuration: {}
+consul_extra_files_list: []
 #####################################################
 #
 #
diff --git a/playbooks/group_vars/all/vault.yml b/playbooks/group_vars/all/vault.yml
index 01f2ca4..35bbb7d 100644
--- a/playbooks/group_vars/all/vault.yml
+++ b/playbooks/group_vars/all/vault.yml
@@ -38,7 +38,7 @@ vault_external_backend_servers: |
 vault_certificates_directory: "{{ hashi_vault_config_dir }}/tls"
 vault_certificates_extra_files_dir:
 - src: "{{ sub_configuration_directories['certificates'] }}/vault/{{ inventory_hostname }}"
- dest: "{{ hashi_vault_config_dir }}/tls"
+ dest: "{{ vault_certificates_directory }}"
 #################
 # vault plugins #
@@ -47,7 +47,7 @@ vault_certificates_extra_files_dir:
 vault_plugin_directory: "{{ hashi_vault_config_dir }}/plugin"
 vault_plugin_extra_files_dir:
 - src: "{{ sub_configuration_directories['vault_servers'] }}/plugin"
- dest: "{{ hashi_vault_config_dir }}/plugin"
+ dest: "{{ vault_plugin_directory }}"
 ########################
 # vault role variables #
diff --git a/playbooks/tasks/consul/consul_deploy.yml b/playbooks/tasks/consul/consul_deploy.yml
index 7a890e4..5552f26 100644
--- a/playbooks/tasks/consul/consul_deploy.yml
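Review bot: `consul_tls_configuration.defaults.verify_incoming: false` (globals.yml hunk) means a server with internal TLS on still accepts RPC and HTTPS connections from any client without a client certificate, so the new default authenticates servers to clients only; if the goal is mutual TLS between agents — generate_certs.yml now issues certificates to `consul_agents` as well — `verify_incoming: true` (or `internal_rpc: { verify_incoming: true }`) is needed, and either way a comment stating which side is verified would help. `ca_file` is the system bundle `/etc/ssl/certs/ca-certificates.crt`, so with `verify_outgoing: true` the playbook-generated certificates must chain to a CA present in that bundle, which this diff does not show being installed; worth confirming. `consul_extra_files_list: []` is added here but the Consul extra-files expression in consul.yml reads `vault_extra_files_list`, so the new variable is currently unused. Flipping `consul_enable_tls` to `true` also moves the API of existing deployments from 8500 to 8501; that deserves a line in the commit message.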
+++ b/playbooks/tasks/consul/consul_deploy.yml
@@ -7,7 +7,7 @@
 - name: "Wait for consul cluster to initialize" # noqa: run-once[task]
 ansible.builtin.uri:
- url: "http://{{ api_interface_address }}:8500" # TODO: this should be dynamic (http/https)
+ url: "{{ consul_api_addr }}"
 validate_certs: no
 return_content: yes
 status_code:
@@ -20,9 +20,9 @@
 - name: "Initialize consul cluster" # noqa: run-once[task]
 community.general.consul_acl_bootstrap:
 bootstrap_secret: "{{ _credentials.consul.root_token.secret_id }}"
- host: "{{ hashi_consul_configuration['advertise_addr'] }}"
- port: 8500
- scheme: http
+ host: "{{ api_interface_address }}"
+ port: "{{ consul_api_port[consul_api_scheme] }}"
+ scheme: "{{ consul_api_scheme }}"
 state: present
 run_once: true
 delegate_to: "{{ groups['consul_servers'] | first }}"
@@ -63,8 +63,8 @@
 community.general.consul_policy:
 token: "{{ _credentials.consul.root_token.secret_id }}"
 host: "{{ api_interface_address }}"
- port: 8500
- scheme: http # TODO: this should be dynamic
+ port: "{{ consul_api_port[consul_api_scheme] }}"
+ scheme: "{{ consul_api_scheme }}"
 validate_certs: false
 state: present
 name: agents-policy
@@ -73,14 +73,13 @@
 - name: "Create consul agents token"
 vars:
- consul_full_url: "http://{{ hashi_consul_configuration['advertise_addr'] }}:8500"
 consul_token_body:
 Description: "Consul agents token"
 SecretID: "{{ _credentials.consul.tokens.agent }}"
 Policies:
 - ID: "{{ _consul_agent_policy.policy.ID }}"
 ansible.builtin.uri:
- url: "{{ consul_full_url }}/v1/acl/token"
+ url: "{{ consul_api_addr }}/v1/acl/token"
 method: PUT
 headers:
 X-Consul-Token: "{{ _credentials.consul.root_token.secret_id }}"
diff --git a/roles/hashicorp_consul b/roles/hashicorp_consul
index c6fbfe5..56696c3 160000
--- a/roles/hashicorp_consul
+++ b/roles/hashicorp_consul
@@ -1 +1 @@
-Subproject commit c6fbfe5b78ef8b8884af129ea84afb26da754833
+Subproject commit 56696c3552308225d4e5b91efc8e4bf75d31d2f3
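Review bot: With `consul_enable_tls` now defaulting to true, the `Wait for consul cluster to initialize` task (hunk `@@ -7,7`) talks HTTPS with `validate_certs: no` and the `consul_policy` task (hunk `@@ -63,8`) with `validate_certs: false`, so the ACL root token sent in `X-Consul-Token` and the bootstrap secret travel over a connection whose server is never authenticated; since this playbook issues the Consul certificates itself, the issuing CA can be pinned instead, e.g. `validate_certs: true` plus `ca_path: /PLACEHOLDER/path/to/consul-ca.pem` on `ansible.builtin.uri` (and on the consul modules if the installed community.general version accepts `ca_path`). The `consul_acl_bootstrap` hunk (`@@ -20,9`) shows no `validate_certs` in its visible lines, so its behaviour follows the module default and will differ from its siblings; either way the three tasks should agree. Minor: the file mixes `validate_certs: no` / `return_content: yes` with `validate_certs: false`; `true`/`false` everywhere avoids the YAML 1.1 truthy ambiguity.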