
---
# Ansible group_vars for the Consul role: API endpoints, agent/server
# settings, ACL, service mesh, DNS, internal TLS, telemetry and logging.
# Commented-out keys document values that are expected to be set elsewhere
# (globally or by the role) and can be overridden here.

# True only on the first host of the consul_servers group; the variables
# below treat that host as the one that initialises the cluster.
consul_init_server: "{{ (inventory_hostname == groups['consul_servers'][0]) | bool }}"
#####################
# consul api config #
#####################
# Scheme and port follow consul_enable_tls: https/8501 when TLS is on,
# http/8500 otherwise. The gRPC ports are defined here but not used below.
consul_api_addr: "{{ consul_api_scheme }}://{{ api_interface_address }}:{{ consul_api_port[consul_api_scheme] }}"
consul_api_scheme: "{{ 'https' if consul_enable_tls else 'http' }}"
consul_api_port:
  http: 8500
  https: 8501
consul_grpc_port:
  http: 8502
  https: 8503
##########
# Consul #
##########
consul_config_dir: "{{ hashistack_remote_config_dir }}/consul.d"
consul_data_dir: "/opt/consul"
# Where the agent certificate and key live; consul_tls_configuration and
# consul_certificates_extra_files_dir both refer to this directory.
consul_certs_dir: "{{ consul_config_dir }}/tls"
consul_logs_dir: "{{ hashistack_remote_log_dir }}/consul"
consul_envoy_install: false
consul_envoy_version: latest
consul_extra_files: true
# consul_extra_files_list: []
consul_env_variables: {}
#######################
# extra configuration #
#######################
# You should prioritize adding configuration
# to the configuration entries below, this
# option should be used to add pieces of configuration not
# available through standard variables.
# consul_extra_configuration: {}
###########
# general #
###########
# consul_domain: consul
# consul_datacenter: dc1
# consul_primary_datacenter: "{{ consul_datacenter }}"
# The gossip key is read from the _credentials structure rather than written
# inline; keep it that way so the secret never lands in this file.
# consul_gossip_encryption_key: "{{ _credentials.consul.gossip_encryption_key }}"
# NOTE(review): script checks let checks registered on the agent execute
# commands on the host; keep this false unless a workload needs it.
# consul_enable_script_checks: false
#######################
# leave configuration #
#######################
consul_leave_on_terminate: true
consul_rejoin_after_leave: true
######################
# join configuration #
######################
consul_join_configuration:
  # Join list: the bind_addr of every host in consul_servers, read from each
  # host's consul_address_configuration. The value is round-tripped through
  # JSON, presumably to normalise the templated list -- confirm if changing.
  retry_join: |
    {{
    groups['consul_servers'] |
    map('extract', hostvars, ['consul_address_configuration', 'bind_addr']) |
    list |
    to_json |
    from_json
    }}
  retry_interval: 30s
  # NOTE(review): retry_max 0 is expected to mean "retry without limit" -- confirm.
  retry_max: 0
########################
# server configuration #
########################
# Server mode for every host in consul_servers; bootstrap_expect is the size
# of that group, so adding/removing a server host changes the quorum size.
consul_enable_server: "{{ 'consul_servers' in group_names }}"
consul_bootstrap_expect: "{{ (groups['consul_servers'] | length) }}"
####################
# ui configuration #
####################
consul_ui_configuration:
  # UI only on server agents.
  enabled: "{{ consul_enable_server }}"
#########################
# address configuration #
#########################
# client_addr is bound to all interfaces (0.0.0.0) while bind/advertise use
# api_interface_address. NOTE(review): the client listeners (HTTP API, DNS)
# are therefore reachable on every interface; the ACL deny-by-default policy
# below gates them, but bind to a specific address if wider reach is not needed.
consul_bind_addr: "0.0.0.0"
consul_advertise_addr: "{{ api_interface_address }}"
consul_address_configuration:
  client_addr: "{{ consul_bind_addr }}"
  bind_addr: "{{ consul_advertise_addr }}"
  advertise_addr: "{{ consul_advertise_addr }}"
#####################
# ACL configuration #
#####################
consul_acl_configuration:
  enabled: true
  # Deny by default: anything not granted by a token's policy is refused.
  default_policy: "deny"
  # NOTE(review): with persistence on, tokens set through the API are written
  # to the agent's data dir; confirm consul_data_dir is readable only by the
  # consul user.
  enable_token_persistence: true
  tokens:
    # Agent token comes from _credentials; never inline the secret here.
    agent: "{{ _credentials.consul.tokens.agent.secret_id }}"
# Presumably the policy bound to the agent token above: write on every node
# name (node_prefix "") and read on every service (service_prefix "").
# NOTE(review): write on node_prefix "" is broader than a per-node
# node "<hostname>" rule; tighten it if the same token is shared by agents.
consul_default_agent_policy: |
  node_prefix "" {
    policy = "write"
  }
  service_prefix "" {
    policy = "read"
  }
##############################
# service mesh configuration #
##############################
consul_mesh_configuration:
  enabled: true
#####################
# DNS configuration #
#####################
consul_dns_configuration:
  allow_stale: true
  enable_truncate: true
  # Only services with passing checks are returned.
  only_passing: true
################
# internal tls #
################
# consul_enable_tls: false
consul_tls_configuration:
  defaults:
    # The system CA bundle, so any certificate chaining to a CA in that
    # bundle passes outgoing verification; a dedicated Consul CA would be
    # a narrower trust anchor.
    ca_file: "/etc/ssl/certs/ca-certificates.crt"
    cert_file: "{{ consul_certs_dir }}/fullchain.crt"
    key_file: "{{ consul_certs_dir }}/cert.key"
    # NOTE(review): verify_incoming false means connecting peers/clients are
    # not required to present a certificate (no mutual TLS); TLS here encrypts
    # traffic and authenticates servers only. Revisit once every agent has a
    # certificate in consul_certs_dir.
    verify_incoming: false
    verify_outgoing: true
  internal_rpc:
    # Servers must present a certificate matching the server naming scheme,
    # so a certificate issued to a client cannot be reused to pose as a server.
    verify_server_hostname: true
# Files to copy into consul_certs_dir: none when certificates are managed
# outside this playbook, otherwise the per-host directory under the
# 'certificates' sub-configuration directory.
# NOTE(review): this internal-TLS copy is gated on an external_tls_* flag, and
# the inner "{{ ... }}" literals rely on the result being templated a second
# time -- confirm both are intended.
consul_certificates_extra_files_dir: >
  {{
  [] if external_tls_externally_managed_certs | bool else
  [{
  'src': "{{ hashistack_sub_configuration_directories['certificates'] }}/consul/{{ inventory_hostname }}",
  'dest': "{{ consul_certs_dir }}"
  }]
  }}
###########################
# telemetry configuration #
###########################
consul_enable_prometheus_metrics: false
consul_prometheus_retention_time: 60s
consul_telemetry_configuration: {}
###########
# logging #
###########
# consul_log_level: info
# Follows the global enable_log_to_file switch.
consul_enable_log_to_file: "{{ enable_log_to_file | bool }}"
consul_log_to_file_configuration:
  log_file: "{{ consul_logs_dir }}/consul.log"
  log_rotate_duration: 24h
  log_rotate_max_files: 30