hashistack/roles/hashistack_ca/tasks/renew/renew_consul.yml

---
# tasks/renew/renew_consul file for hashistack_ca
- name: "Consul leaf certificates | Check if certificate exists"
  ansible.builtin.stat:
    path: "{{ hashistack_ca_consul_cert_path }}"
  register: _hashistack_ca_consul_cert_stat

- name: "Consul leaf certificates | Check if intermediate CA certificate exists"
  ansible.builtin.stat:
    path: "{{ hashistack_ca_intermediate_cert_path }}"
  register: _hashistack_ca_intermediate_cert_stat

- name: "Consul leaf certificates | Check certificate for renewal"
  when:
    - _hashistack_ca_consul_cert_stat.stat.exists
    - _hashistack_ca_consul_cert_stat.stat.isreg
    - _hashistack_ca_intermediate_cert_stat.stat.exists
    - _hashistack_ca_intermediate_cert_stat.stat.isreg
  block:
    - name: "Consul leaf certificates | Get certificate expiration date"
      community.crypto.x509_certificate_info:
        path: "{{ hashistack_ca_consul_cert_path }}"
        valid_at:
          renew_threshold: "+{{ hashistack_ca_leaf_renew_threshold }}"
      register: _hashistack_ca_consul_cert_info

    - name: "Intermediate CA | Get intermediate CA certificate info"
      community.crypto.x509_certificate_info:
        path: "{{ hashistack_ca_intermediate_cert_path }}"
      register: _hashistack_ca_intermediate_cert_info

    - name: "Consul leaf certificates | Check if certificate is expiring within the threshold"
      ansible.builtin.set_fact:
        _hashistack_cert_is_expiring_soon: "{{ not _hashistack_ca_consul_cert_info.valid_at.renew_threshold }}"

    - name: "Consul leaf certificates | Check if intermediate CA has been renewed"
      ansible.builtin.set_fact:
        _hashistack_ca_intermediate_renewed: "{{ _hashistack_ca_intermediate_cert_info.not_before > _hashistack_ca_consul_cert_info.not_before }}"

- name: "Consul leaf certificates | Renew certificate if expiring soon or intermediate CA has been renewed"
  when:
    - _hashistack_cert_is_expiring_soon or _hashistack_ca_intermediate_renewed
  block:
    - name: "Consul leaf certificates | Remove old certificate before renewal"
      ansible.builtin.file:
        path: "{{ hashistack_ca_consul_cert_path }}"
        state: absent

    - name: "Consul leaf certificates | Remove old certificate key before renewal"
      ansible.builtin.file:
        path: "{{ hashistack_ca_consul_key_path }}"
        state: absent

    - name: "Consul leaf certificates | Generate new consul leaf certificate"
      ansible.builtin.include_tasks: ../generate/generate_consul.yml