Merge pull request 'feat/consul-internal-tls' (#8) from feat/consul-internal-tls into main
Reviewed-on: ansible-collections/hashistack#8
This commit is contained in:
commit
3b6a34b78b
1
.gitignore
vendored
1
.gitignore
vendored
@ -6,5 +6,6 @@ vault_config.yml
|
|||||||
consul_config.yml
|
consul_config.yml
|
||||||
**/certificates/**
|
**/certificates/**
|
||||||
**/secrets/credentials.yml
|
**/secrets/credentials.yml
|
||||||
|
**/secrets/credentials.decrypt.yml
|
||||||
**/secrets/vault.yml
|
**/secrets/vault.yml
|
||||||
**/.ansible-vault
|
**/.ansible-vault
|
||||||
|
@ -0,0 +1,212 @@
|
|||||||
|
---
|
||||||
|
##########################
|
||||||
|
# General options ########
|
||||||
|
##########################
|
||||||
|
|
||||||
|
# enable_haproxy: "yes"
|
||||||
|
# enable_vault: "yes"
|
||||||
|
# enable_consul: "yes"
|
||||||
|
# enable_nomad: "no"
|
||||||
|
|
||||||
|
# haproxy_version: "2.8"
|
||||||
|
# nomad_version: "1.7.7"
|
||||||
|
# consul_version: "1.18.1"
|
||||||
|
# vault_version: "1.16.2"
|
||||||
|
|
||||||
|
# deployment_method: "docker"
|
||||||
|
|
||||||
|
# consul_fqdn: consul.ednz.lab
|
||||||
|
# vault_fqdn: vault.ednz.lab
|
||||||
|
# nomad_fqdn: nomad.ednz.lab
|
||||||
|
|
||||||
|
# hashistack_external_vip_interface: "eth0"
|
||||||
|
# hashistack_external_vip_addr: "192.168.121.100"
|
||||||
|
# hashistack_internal_vip_interface: "{{ hashistack_external_vip_interface }}"
|
||||||
|
# hashistack_internal_vip_addr: "{{ hashistack_external_vip_addr }}"
|
||||||
|
|
||||||
|
api_interface: "eth1"
|
||||||
|
# api_interface_address: "{{ ansible_facts[api_interface]['ipv4']['address'] }}"
|
||||||
|
|
||||||
|
########################
|
||||||
|
# external tls options #
|
||||||
|
########################
|
||||||
|
|
||||||
|
enable_tls_external: true
|
||||||
|
# external_tls_externally_managed_certs: false
|
||||||
|
|
||||||
|
#####################################################
|
||||||
|
# #
|
||||||
|
# Consul #
|
||||||
|
# #
|
||||||
|
#####################################################
|
||||||
|
|
||||||
|
# consul_domain: consul
|
||||||
|
# consul_datacenter: dc1
|
||||||
|
# consul_primary_datacenter: dc1
|
||||||
|
# consul_leave_on_terminate: true
|
||||||
|
# consul_rejoin_after_leave: true
|
||||||
|
# consul_enable_script_checks: true
|
||||||
|
# consul_gossip_encryption_key: "{{ 'mysupersecretgossipencryptionkey'|b64encode }}"
|
||||||
|
|
||||||
|
################################
|
||||||
|
# consul address configuration #
|
||||||
|
################################
|
||||||
|
|
||||||
|
# consul_address_configuration:
|
||||||
|
# # The address to which Consul will bind client interfaces,
|
||||||
|
# # including the HTTP and DNS servers.
|
||||||
|
# client_addr: "0.0.0.0"
|
||||||
|
# # The address that should be bound to for internal cluster communications.
|
||||||
|
# bind_addr: "{{ api_interface_address }}"
|
||||||
|
# # The advertise address is used to change the address that we advertise to other nodes in the cluster.
|
||||||
|
# advertise_addr: "{{ api_interface_address }}"
|
||||||
|
|
||||||
|
############################
|
||||||
|
# consul ACL configuration #
|
||||||
|
############################
|
||||||
|
|
||||||
|
# consul_acl_configuration:
|
||||||
|
# enabled: true
|
||||||
|
# default_policy: "deny" # can be allow or deny
|
||||||
|
# enable_token_persistence: true
|
||||||
|
|
||||||
|
############################
|
||||||
|
# consul DNS configuration #
|
||||||
|
############################
|
||||||
|
|
||||||
|
# consul_dns_configuration:
|
||||||
|
# allow_stale: true
|
||||||
|
# enable_truncate: true
|
||||||
|
# only_passing: true
|
||||||
|
|
||||||
|
###########################
|
||||||
|
# consul ui configuration #
|
||||||
|
###########################
|
||||||
|
|
||||||
|
# consul_ui_configuration:
|
||||||
|
# enabled: "{{ 'consul_servers' in group_names }}"
|
||||||
|
|
||||||
|
#####################################
|
||||||
|
# consul service mesh configuration #
|
||||||
|
#####################################
|
||||||
|
|
||||||
|
# consul_mesh_configuration:
|
||||||
|
# enabled: true
|
||||||
|
|
||||||
|
############################
|
||||||
|
# consul tls configuration #
|
||||||
|
############################
|
||||||
|
|
||||||
|
consul_enable_tls: true
|
||||||
|
# consul_tls_configuration:
|
||||||
|
# defaults:
|
||||||
|
# ca_file: "/etc/ssl/certs/ca-certificates.crt"
|
||||||
|
# cert_file: "{{ consul_certificates_directory }}/cert.pem"
|
||||||
|
# key_file: "{{ consul_certificates_directory }}/key.pem"
|
||||||
|
# verify_incoming: false
|
||||||
|
# verify_outgoing: true
|
||||||
|
# internal_rpc:
|
||||||
|
# verify_server_hostname: true
|
||||||
|
|
||||||
|
############################
|
||||||
|
# consul container volumes #
|
||||||
|
############################
|
||||||
|
|
||||||
|
# extra_consul_container_volumes: []
|
||||||
|
|
||||||
|
#######################
|
||||||
|
# extra configuration #
|
||||||
|
#######################
|
||||||
|
|
||||||
|
# consul_extra_configuration: {}
|
||||||
|
# consul_extra_files_list: []
|
||||||
|
|
||||||
|
#####################################################
|
||||||
|
# #
|
||||||
|
# Vault #
|
||||||
|
# #
|
||||||
|
#####################################################
|
||||||
|
|
||||||
|
# vault_cluster_name: vault
|
||||||
|
# vault_enable_ui: true
|
||||||
|
# vault_seal_configuration:
|
||||||
|
# key_shares: 3
|
||||||
|
# key_threshold: 2
|
||||||
|
|
||||||
|
#################
|
||||||
|
# vault storage #
|
||||||
|
#################
|
||||||
|
|
||||||
|
# vault_storage_configuration:
|
||||||
|
# raft:
|
||||||
|
# path: "{{ hashi_vault_data_dir }}/data"
|
||||||
|
# node_id: "{{ ansible_hostname }}"
|
||||||
|
# retry_join: |
|
||||||
|
# [
|
||||||
|
# {% for host in groups['vault_servers'] %}
|
||||||
|
# {
|
||||||
|
# 'leader_api_addr': '{{ "https" if vault_enable_tls else "http"}}://{{ hostvars[host].api_interface_address }}:8200'
|
||||||
|
# }{% if not loop.last %},{% endif %}
|
||||||
|
# {% endfor %}
|
||||||
|
# ]
|
||||||
|
|
||||||
|
##################
|
||||||
|
# vault listener #
|
||||||
|
##################
|
||||||
|
|
||||||
|
vault_enable_tls: true
|
||||||
|
# vault_tls_verify: false
|
||||||
|
# vault_listener_configuration:
|
||||||
|
# tcp:
|
||||||
|
# address: "0.0.0.0:8200"
|
||||||
|
# tls_disable: true
|
||||||
|
|
||||||
|
# vault_tls_listener_configuration:
|
||||||
|
# tcp:
|
||||||
|
# tls_disable: false
|
||||||
|
# tls_cert_file: "{{ vault_certificates_directory }}/cert.pem"
|
||||||
|
# tls_key_file: "{{ vault_certificates_directory }}/key.pem"
|
||||||
|
# tls_disable_client_certs: true
|
||||||
|
|
||||||
|
# vault_extra_listener_configuration: {}
|
||||||
|
|
||||||
|
########################
|
||||||
|
# service registration #
|
||||||
|
########################
|
||||||
|
|
||||||
|
# vault_enable_service_registration: false
|
||||||
|
# vault_service_registration_configuration:
|
||||||
|
# consul:
|
||||||
|
# address: "127.0.0.1:8500"
|
||||||
|
# scheme: "http"
|
||||||
|
# token: ""
|
||||||
|
|
||||||
|
#################
|
||||||
|
# vault plugins #
|
||||||
|
#################
|
||||||
|
|
||||||
|
# vault_enable_plugins: false
|
||||||
|
|
||||||
|
###########
|
||||||
|
# logging #
|
||||||
|
###########
|
||||||
|
|
||||||
|
# vault_enable_log_to_file: false
|
||||||
|
# vault_logging_configuration:
|
||||||
|
# log_level: info
|
||||||
|
# log_format: standard
|
||||||
|
# log_rotate_duration: 24h
|
||||||
|
# log_rotate_max_files: 30
|
||||||
|
|
||||||
|
###########################
|
||||||
|
# vault container volumes #
|
||||||
|
###########################
|
||||||
|
|
||||||
|
# extra_vault_container_volumes: []
|
||||||
|
|
||||||
|
#####################
|
||||||
|
# extra configuration
|
||||||
|
#####################
|
||||||
|
|
||||||
|
# vault_extra_configuration: {}
|
||||||
|
# vault_extra_files_list: []
|
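Review bot: The commented `vault_service_registration_configuration` example near the end of this new sample points at `127.0.0.1:8500` with `scheme: "http"`, yet the same file sets `consul_enable_tls: true`, and the consul vars in this PR render the HTTP port as `-1` whenever TLS is on, so uncommenting the example as written yields a registration target that is not listening. Keying it on the scheme-aware variables keeps the sample self-consistent: `# address: "127.0.0.1:{{ consul_api_port[consul_api_scheme] }}"` and `# scheme: "{{ consul_api_scheme }}"` (or the literal `8501`/`https` if the consul vars are not in scope on vault hosts). The `consul_gossip_encryption_key` example derives the key from a fixed literal; a one-line comment pointing at `consul keygen` (or the collection's own credential generation, if it already produces one) would discourage that literal from being copied into real inventories. The tls example's `verify_incoming: false` also deserves a comment stating that incoming connections are then not required to present a certificate, since the sample otherwise reads as a hardened profile.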
@ -192,7 +192,7 @@
|
|||||||
|
|
||||||
- name: "Create Consul certificates"
|
- name: "Create Consul certificates"
|
||||||
when:
|
when:
|
||||||
- "'consul_servers' in group_names"
|
- "('consul_servers' in group_names) or ('consul_agents' in group_names)"
|
||||||
vars:
|
vars:
|
||||||
consul_private_key_path: "{{ sub_configuration_directories['certificates'] }}/consul/{{ inventory_hostname }}/key.pem"
|
consul_private_key_path: "{{ sub_configuration_directories['certificates'] }}/consul/{{ inventory_hostname }}/key.pem"
|
||||||
consul_certificate_path: "{{ sub_configuration_directories['certificates'] }}/consul/{{ inventory_hostname }}/cert.pem"
|
consul_certificate_path: "{{ sub_configuration_directories['certificates'] }}/consul/{{ inventory_hostname }}/cert.pem"
|
||||||
|
@ -5,6 +5,16 @@
|
|||||||
# #
|
# #
|
||||||
#####################################################
|
#####################################################
|
||||||
|
|
||||||
|
#####################
|
||||||
|
# consul api config #
|
||||||
|
#####################
|
||||||
|
|
||||||
|
consul_api_addr: "{{ consul_api_scheme }}://{{ api_interface_address }}:{{ consul_api_port[consul_api_scheme] }}"
|
||||||
|
consul_api_scheme: "{{ 'https' if consul_enable_tls else 'http' }}"
|
||||||
|
consul_api_port:
|
||||||
|
http: 8500
|
||||||
|
https: 8501
|
||||||
|
|
||||||
##########################
|
##########################
|
||||||
# consul haproxy backend #
|
# consul haproxy backend #
|
||||||
##########################
|
##########################
|
||||||
@ -27,7 +37,7 @@ consul_external_backend_options:
|
|||||||
consul_external_backend_servers: |
|
consul_external_backend_servers: |
|
||||||
[
|
[
|
||||||
{% for host in groups['consul_servers'] %}
|
{% for host in groups['consul_servers'] %}
|
||||||
'server consul-{{ hostvars[host].api_interface_address }} {{ hostvars[host].api_interface_address }}:{{ hashi_consul_configuration.ports.http }} check inter 5s'{% if not loop.last %},{% endif %}
|
'server consul-{{ hostvars[host].api_interface_address }} {{ hostvars[host].api_interface_address }}:{{ hostvars[host].consul_api_port[consul_api_scheme] }} check {{ 'ssl verify none ' if consul_enable_tls }}inter 5s'{% if not loop.last %},{% endif %}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
]
|
]
|
||||||
|
|
||||||
@ -43,6 +53,15 @@ consul_default_agent_policy: |
|
|||||||
policy = "read"
|
policy = "read"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#######################
|
||||||
|
# consul internal tls #
|
||||||
|
#######################
|
||||||
|
|
||||||
|
consul_certificates_directory: "{{ hashi_consul_config_dir }}/tls"
|
||||||
|
consul_certificates_extra_files_dir:
|
||||||
|
- src: "{{ sub_configuration_directories['certificates'] }}/consul/{{ inventory_hostname }}"
|
||||||
|
dest: "{{ consul_certificates_directory }}"
|
||||||
|
|
||||||
#########################
|
#########################
|
||||||
# consul role variables #
|
# consul role variables #
|
||||||
#########################
|
#########################
|
||||||
@ -53,9 +72,15 @@ hashi_consul_deploy_method: "{{ deployment_method }}"
|
|||||||
hashi_consul_env_variables: {}
|
hashi_consul_env_variables: {}
|
||||||
hashi_consul_config_dir: "/etc/consul.d"
|
hashi_consul_config_dir: "/etc/consul.d"
|
||||||
hashi_consul_data_dir: "/opt/consul"
|
hashi_consul_data_dir: "/opt/consul"
|
||||||
hashi_consul_extra_files: false
|
hashi_consul_extra_files: true
|
||||||
hashi_consul_extra_files_src: "{{ sub_configuration_directories.consul_servers }}/config"
|
hashi_consul_extra_files_list: "{{ ([] +
|
||||||
hashi_consul_extra_files_dst: "{{ hashi_consul_config_dir }}/config"
|
(consul_certificates_extra_files_dir if consul_enable_tls else []) +
|
||||||
|
(vault_plugin_extra_files_dir if vault_enable_plugins else []) +
|
||||||
|
vault_extra_files_list)
|
||||||
|
| unique
|
||||||
|
| sort
|
||||||
|
}}"
|
||||||
|
hashi_consul_extra_container_volumes: "{{ default_container_extra_volumes | union(extra_consul_container_volumes) | unique | sort }}"
|
||||||
hashi_consul_envoy_install: false
|
hashi_consul_envoy_install: false
|
||||||
hashi_consul_envoy_version: v1.27.2
|
hashi_consul_envoy_version: v1.27.2
|
||||||
hashi_consul_configuration:
|
hashi_consul_configuration:
|
||||||
@ -83,8 +108,6 @@ hashi_consul_configuration:
|
|||||||
dns_config: "{{ consul_dns_configuration }}"
|
dns_config: "{{ consul_dns_configuration }}"
|
||||||
ports:
|
ports:
|
||||||
dns: 8600
|
dns: 8600
|
||||||
http: 8500 # "{{ ('8500'|int) if not }}"
|
|
||||||
https: -1
|
|
||||||
grpc: 8502
|
grpc: 8502
|
||||||
grpc_tls: 8503
|
grpc_tls: 8503
|
||||||
server: 8300
|
server: 8300
|
||||||
@ -98,3 +121,6 @@ hashi_consul_configuration:
|
|||||||
# this is used to circumvent jinja limitation to convert string to integer
|
# this is used to circumvent jinja limitation to convert string to integer
|
||||||
hashi_consul_configuration_string: |
|
hashi_consul_configuration_string: |
|
||||||
bootstrap_expect: {{ (groups['consul_servers'] | length) }}
|
bootstrap_expect: {{ (groups['consul_servers'] | length) }}
|
||||||
|
ports:
|
||||||
|
http: {{ (consul_api_port.http|int) if not consul_enable_tls else ('-1' | int) }}
|
||||||
|
https: {{ (consul_api_port.https|int) if consul_enable_tls else ('-1' | int) }}
|
||||||
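Review bot: `hashi_consul_extra_files_list` in the `@ -53,9 +72,15 @@` hunk appends `vault_plugin_extra_files_dir` and `vault_extra_files_list`, which reads like a copy of the vault equivalent: with `vault_enable_plugins` set, vault plugin files get deployed onto consul nodes, and the `consul_extra_files_list` this PR introduces in the defaults is never consumed. The last two terms should collapse to `consul_extra_files_list)`, giving `[] + (consul_certificates_extra_files_dir if consul_enable_tls else []) + consul_extra_files_list`. Separately, the new `'ssl verify none '` in the haproxy backend hunk makes HAProxy accept any certificate the consul servers present; since the "Create Consul certificates" task in this PR issues those certs, the signing CA should be reachable and `ssl verify required ca-file <path-to-consul-ca>` is the form to aim for, with `verify none` at most a documented interim choice. That inline-if has no `else`; if the project's templating treats the false branch as undefined, rendering fails when `consul_enable_tls` is false, and `{{ 'ssl verify none ' if consul_enable_tls else '' }}` removes the ambiguity.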
|
@ -6,12 +6,12 @@
|
|||||||
enable_haproxy: "yes"
|
enable_haproxy: "yes"
|
||||||
enable_vault: "yes"
|
enable_vault: "yes"
|
||||||
enable_consul: "yes"
|
enable_consul: "yes"
|
||||||
enable_nomad: "no"
|
enable_nomad: "yes"
|
||||||
|
|
||||||
haproxy_version: "2.8"
|
haproxy_version: "2.8"
|
||||||
nomad_version: "latest"
|
nomad_version: "1.7.7"
|
||||||
consul_version: "latest"
|
consul_version: "1.18.1"
|
||||||
vault_version: "1.15.6"
|
vault_version: "1.16.2"
|
||||||
|
|
||||||
deployment_method: "docker"
|
deployment_method: "docker"
|
||||||
|
|
||||||
@ -21,20 +21,17 @@ nomad_fqdn: nomad.ednz.lab
|
|||||||
|
|
||||||
hashistack_external_vip_interface: "eth0"
|
hashistack_external_vip_interface: "eth0"
|
||||||
hashistack_external_vip_addr: "192.168.121.100"
|
hashistack_external_vip_addr: "192.168.121.100"
|
||||||
hashistack_internal_vip_interface: "eth1"
|
hashistack_internal_vip_interface: "{{ hashistack_external_vip_interface }}"
|
||||||
# hashistack_internal_vip_interface: "{{ hashistack_external_vip_interface }}"
|
hashistack_internal_vip_addr: "{{ hashistack_external_vip_addr }}"
|
||||||
hashistack_internal_vip_addr: "192.168.100.100"
|
|
||||||
# hashistack_internal_vip_addr: "{{ hashistack_external_vip_addr }}"
|
|
||||||
|
|
||||||
# api_interface: "eth0"
|
api_interface: "eth0"
|
||||||
api_interface: "eth1"
|
|
||||||
api_interface_address: "{{ ansible_facts[api_interface]['ipv4']['address'] }}"
|
api_interface_address: "{{ ansible_facts[api_interface]['ipv4']['address'] }}"
|
||||||
|
|
||||||
########################
|
########################
|
||||||
# external tls options #
|
# external tls options #
|
||||||
########################
|
########################
|
||||||
|
|
||||||
enable_tls_external: true
|
enable_tls_external: false
|
||||||
external_tls_externally_managed_certs: false
|
external_tls_externally_managed_certs: false
|
||||||
|
|
||||||
#####################################################
|
#####################################################
|
||||||
@ -102,20 +99,27 @@ consul_mesh_configuration:
|
|||||||
|
|
||||||
consul_enable_tls: false
|
consul_enable_tls: false
|
||||||
consul_tls_configuration:
|
consul_tls_configuration:
|
||||||
default:
|
defaults:
|
||||||
ca_file: "/etc/ssl/certs/ca-certificates.crt"
|
ca_file: "/etc/ssl/certs/ca-certificates.crt"
|
||||||
cert_file: "{{ hashi_consul_config_dir }}/tls/cert.pem"
|
cert_file: "{{ consul_certificates_directory }}/cert.pem"
|
||||||
key_file: "{{ hashi_consul_config_dir }}/tls/key.pem"
|
key_file: "{{ consul_certificates_directory }}/key.pem"
|
||||||
verify_incoming: false
|
verify_incoming: false
|
||||||
verify_outgoing: true
|
verify_outgoing: true
|
||||||
internal_rpc:
|
internal_rpc:
|
||||||
verify_server_hostname: true
|
verify_server_hostname: true
|
||||||
|
|
||||||
|
############################
|
||||||
|
# consul container volumes #
|
||||||
|
############################
|
||||||
|
|
||||||
|
extra_consul_container_volumes: []
|
||||||
|
|
||||||
#######################
|
#######################
|
||||||
# extra configuration #
|
# extra configuration #
|
||||||
#######################
|
#######################
|
||||||
|
|
||||||
consul_extra_configuration: {}
|
consul_extra_configuration: {}
|
||||||
|
consul_extra_files_list: []
|
||||||
|
|
||||||
#####################################################
|
#####################################################
|
||||||
# #
|
# #
|
||||||
@ -150,7 +154,7 @@ vault_storage_configuration:
|
|||||||
# vault listener #
|
# vault listener #
|
||||||
##################
|
##################
|
||||||
|
|
||||||
vault_enable_tls: true
|
vault_enable_tls: false
|
||||||
vault_tls_verify: false
|
vault_tls_verify: false
|
||||||
vault_listener_configuration:
|
vault_listener_configuration:
|
||||||
tcp:
|
tcp:
|
||||||
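Review bot: In the `@ -21,20 +21,17 @@` hunk `enable_tls_external` flips from `true` to `false`, and in the `@ -150,7 +154,7 @@` hunk `vault_enable_tls` does the same, so the values in this file now run the external endpoints and vault over plaintext while the new sample file in the same PR turns every TLS switch on. If this file is the collection's default group_vars rather than a lab inventory, keeping `enable_tls_external: true` and `vault_enable_tls: true` is the safer default; if TLS-off is intentional, a comment next to each flag such as `# TLS is opt-in here; see the sample hashistack config for an all-TLS profile` would record the decision. The `default:` → `defaults:` rename under `consul_tls_configuration` looks like a genuine fix (consul's tls stanza is `tls.defaults`), but it is unrelated to the title and easy to miss; a short comment above the key, `# consul expects tls.defaults, not tls.default`, would keep it from regressing.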
|
@ -38,7 +38,7 @@ vault_external_backend_servers: |
|
|||||||
vault_certificates_directory: "{{ hashi_vault_config_dir }}/tls"
|
vault_certificates_directory: "{{ hashi_vault_config_dir }}/tls"
|
||||||
vault_certificates_extra_files_dir:
|
vault_certificates_extra_files_dir:
|
||||||
- src: "{{ sub_configuration_directories['certificates'] }}/vault/{{ inventory_hostname }}"
|
- src: "{{ sub_configuration_directories['certificates'] }}/vault/{{ inventory_hostname }}"
|
||||||
dest: "{{ hashi_vault_config_dir }}/tls"
|
dest: "{{ vault_certificates_directory }}"
|
||||||
|
|
||||||
#################
|
#################
|
||||||
# vault plugins #
|
# vault plugins #
|
||||||
@ -47,7 +47,7 @@ vault_certificates_extra_files_dir:
|
|||||||
vault_plugin_directory: "{{ hashi_vault_config_dir }}/plugin"
|
vault_plugin_directory: "{{ hashi_vault_config_dir }}/plugin"
|
||||||
vault_plugin_extra_files_dir:
|
vault_plugin_extra_files_dir:
|
||||||
- src: "{{ sub_configuration_directories['vault_servers'] }}/plugin"
|
- src: "{{ sub_configuration_directories['vault_servers'] }}/plugin"
|
||||||
dest: "{{ hashi_vault_config_dir }}/plugin"
|
dest: "{{ vault_plugin_directory }}"
|
||||||
|
|
||||||
########################
|
########################
|
||||||
# vault role variables #
|
# vault role variables #
|
||||||
@ -69,7 +69,7 @@ hashi_vault_extra_files_list: "{{ ([] +
|
|||||||
}}"
|
}}"
|
||||||
hashi_vault_extra_files_src: "{{ sub_configuration_directories.vault_servers }}/config"
|
hashi_vault_extra_files_src: "{{ sub_configuration_directories.vault_servers }}/config"
|
||||||
hashi_vault_extra_files_dst: "{{ hashi_vault_config_dir }}/config"
|
hashi_vault_extra_files_dst: "{{ hashi_vault_config_dir }}/config"
|
||||||
hashi_vault_extra_container_volumes: "{{ default_container_extra_volumes | union(extra_vault_container_volumes) | unique }}"
|
hashi_vault_extra_container_volumes: "{{ default_container_extra_volumes | union(extra_vault_container_volumes) | unique | sort }}"
|
||||||
hashi_vault_configuration:
|
hashi_vault_configuration:
|
||||||
cluster_name: "{{ vault_cluster_name }}"
|
cluster_name: "{{ vault_cluster_name }}"
|
||||||
cluster_addr: "{{ 'https' if vault_enable_tls else 'http'}}://{{ api_interface_address }}:8201"
|
cluster_addr: "{{ 'https' if vault_enable_tls else 'http'}}://{{ api_interface_address }}:8201"
|
||||||
|
@ -7,7 +7,7 @@
|
|||||||
|
|
||||||
- name: "Wait for consul cluster to initialize" # noqa: run-once[task]
|
- name: "Wait for consul cluster to initialize" # noqa: run-once[task]
|
||||||
ansible.builtin.uri:
|
ansible.builtin.uri:
|
||||||
url: "http://{{ api_interface_address }}:8500" # TODO: this should be dynamic (http/https)
|
url: "{{ consul_api_addr }}"
|
||||||
validate_certs: no
|
validate_certs: no
|
||||||
return_content: yes
|
return_content: yes
|
||||||
status_code:
|
status_code:
|
||||||
@ -20,9 +20,9 @@
|
|||||||
- name: "Initialize consul cluster" # noqa: run-once[task]
|
- name: "Initialize consul cluster" # noqa: run-once[task]
|
||||||
community.general.consul_acl_bootstrap:
|
community.general.consul_acl_bootstrap:
|
||||||
bootstrap_secret: "{{ _credentials.consul.root_token.secret_id }}"
|
bootstrap_secret: "{{ _credentials.consul.root_token.secret_id }}"
|
||||||
host: "{{ hashi_consul_configuration['advertise_addr'] }}"
|
host: "{{ api_interface_address }}"
|
||||||
port: 8500
|
port: "{{ consul_api_port[consul_api_scheme] }}"
|
||||||
scheme: http
|
scheme: "{{ consul_api_scheme }}"
|
||||||
state: present
|
state: present
|
||||||
run_once: true
|
run_once: true
|
||||||
delegate_to: "{{ groups['consul_servers'] | first }}"
|
delegate_to: "{{ groups['consul_servers'] | first }}"
|
||||||
@ -63,8 +63,8 @@
|
|||||||
community.general.consul_policy:
|
community.general.consul_policy:
|
||||||
token: "{{ _credentials.consul.root_token.secret_id }}"
|
token: "{{ _credentials.consul.root_token.secret_id }}"
|
||||||
host: "{{ api_interface_address }}"
|
host: "{{ api_interface_address }}"
|
||||||
port: 8500
|
port: "{{ consul_api_port[consul_api_scheme] }}"
|
||||||
scheme: http # TODO: this should be dynamic
|
scheme: "{{ consul_api_scheme }}"
|
||||||
validate_certs: false
|
validate_certs: false
|
||||||
state: present
|
state: present
|
||||||
name: agents-policy
|
name: agents-policy
|
||||||
@ -73,14 +73,13 @@
|
|||||||
|
|
||||||
- name: "Create consul agents token"
|
- name: "Create consul agents token"
|
||||||
vars:
|
vars:
|
||||||
consul_full_url: "http://{{ hashi_consul_configuration['advertise_addr'] }}:8500"
|
|
||||||
consul_token_body:
|
consul_token_body:
|
||||||
Description: "Consul agents token"
|
Description: "Consul agents token"
|
||||||
SecretID: "{{ _credentials.consul.tokens.agent }}"
|
SecretID: "{{ _credentials.consul.tokens.agent }}"
|
||||||
Policies:
|
Policies:
|
||||||
- ID: "{{ _consul_agent_policy.policy.ID }}"
|
- ID: "{{ _consul_agent_policy.policy.ID }}"
|
||||||
ansible.builtin.uri:
|
ansible.builtin.uri:
|
||||||
url: "{{ consul_full_url }}/v1/acl/token"
|
url: "{{ consul_api_addr }}/v1/acl/token"
|
||||||
method: PUT
|
method: PUT
|
||||||
headers:
|
headers:
|
||||||
X-Consul-Token: "{{ _credentials.consul.root_token.secret_id }}"
|
X-Consul-Token: "{{ _credentials.consul.root_token.secret_id }}"
|
||||||
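Review bot: Now that `url: "{{ consul_api_addr }}"` and `scheme: "{{ consul_api_scheme }}"` can resolve to HTTPS, the unchanged `validate_certs: no` on the wait task and `validate_certs: false` on `consul_policy` mean the bootstrap and root tokens (`bootstrap_secret`, `token`, `X-Consul-Token`) are sent to a server whose certificate is never checked, which is precisely the case internal TLS was added to cover. Binding validation to the TLS switch and pointing at the CA that signed the consul certs keeps both modes working: `validate_certs: "{{ consul_enable_tls }}"` plus `ca_path: <path-to-consul-ca>` on `ansible.builtin.uri` and on the `community.general.consul_*` modules (both expose `ca_path`; worth confirming against the pinned collection versions). The `consul_acl_bootstrap` task in the `@ -20,9 +20,9 @@` hunk shows no `validate_certs` at all, so it should get the same pair. The `Create consul agents token` `uri` call in the last hunk continues outside the hunk, so whether it sets `validate_certs` is not visible here; it should match.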
|
@ -1 +1 @@
|
|||||||
Subproject commit c6fbfe5b78ef8b8884af129ea84afb26da754833
|
Subproject commit 56696c3552308225d4e5b91efc8e4bf75d31d2f3
|
Loading…
Reference in New Issue
Block a user