Merge pull request 'feat/consul-internal-tls' (#8) from feat/consul-internal-tls into main
Some checks failed
build-deploy / Bump version and create changelog with commitizen (push) Has been cancelled

Reviewed-on: ansible-collections/hashistack#8
This commit is contained in:
Bertrand Lanson 2024-05-05 18:15:38 +00:00
commit 3b6a34b78b
8 changed files with 276 additions and 34 deletions

1
.gitignore vendored
View File

@ -6,5 +6,6 @@ vault_config.yml
consul_config.yml consul_config.yml
**/certificates/** **/certificates/**
**/secrets/credentials.yml **/secrets/credentials.yml
**/secrets/credentials.decrypt.yml
**/secrets/vault.yml **/secrets/vault.yml
**/.ansible-vault **/.ansible-vault

View File

@ -0,0 +1,212 @@
---
##########################
# General options ########
##########################
# enable_haproxy: "yes"
# enable_vault: "yes"
# enable_consul: "yes"
# enable_nomad: "no"
# haproxy_version: "2.8"
# nomad_version: "1.7.7"
# consul_version: "1.18.1"
# vault_version: "1.16.2"
# deployment_method: "docker"
# consul_fqdn: consul.ednz.lab
# vault_fqdn: vault.ednz.lab
# nomad_fqdn: nomad.ednz.lab
# hashistack_external_vip_interface: "eth0"
# hashistack_external_vip_addr: "192.168.121.100"
# hashistack_internal_vip_interface: "{{ hashistack_external_vip_interface }}"
# hashistack_internal_vip_addr: "{{ hashistack_external_vip_addr }}"
api_interface: "eth1"
# api_interface_address: "{{ ansible_facts[api_interface]['ipv4']['address'] }}"
########################
# external tls options #
########################
enable_tls_external: true
# external_tls_externally_managed_certs: false
#####################################################
# #
# Consul #
# #
#####################################################
# consul_domain: consul
# consul_datacenter: dc1
# consul_primary_datacenter: dc1
# consul_leave_on_terminate: true
# consul_rejoin_after_leave: true
# consul_enable_script_checks: true
# consul_gossip_encryption_key: "{{ 'mysupersecretgossipencryptionkey'|b64encode }}"
################################
# consul address configuration #
################################
# consul_address_configuration:
# # The address to which Consul will bind client interfaces,
# # including the HTTP and DNS servers.
# client_addr: "0.0.0.0"
# # The address that should be bound to for internal cluster communications.
# bind_addr: "{{ api_interface_address }}"
# # The advertise address is used to change the address that we advertise to other nodes in the cluster.
# advertise_addr: "{{ api_interface_address }}"
############################
# consul ACL configuration #
############################
# consul_acl_configuration:
# enabled: true
# default_policy: "deny" # can be allow or deny
# enable_token_persistence: true
############################
# consul DNS configuration #
############################
# consul_dns_configuration:
# allow_stale: true
# enable_truncate: true
# only_passing: true
###########################
# consul ui configuration #
###########################
# consul_ui_configuration:
# enabled: "{{ 'consul_servers' in group_names }}"
#####################################
# consul service mesh configuration #
#####################################
# consul_mesh_configuration:
# enabled: true
############################
# consul tls configuration #
############################
consul_enable_tls: true
# consul_tls_configuration:
# defaults:
# ca_file: "/etc/ssl/certs/ca-certificates.crt"
# cert_file: "{{ consul_certificates_directory }}/cert.pem"
# key_file: "{{ consul_certificates_directory }}/key.pem"
# verify_incoming: false
# verify_outgoing: true
# internal_rpc:
# verify_server_hostname: true
############################
# consul container volumes #
############################
# extra_consul_container_volumes: []
#######################
# extra configuration #
#######################
# consul_extra_configuration: {}
# consul_extra_files_list: []
#####################################################
# #
# Vault #
# #
#####################################################
# vault_cluster_name: vault
# vault_enable_ui: true
# vault_seal_configuration:
# key_shares: 3
# key_threshold: 2
#################
# vault storage #
#################
# vault_storage_configuration:
# raft:
# path: "{{ hashi_vault_data_dir }}/data"
# node_id: "{{ ansible_hostname }}"
# retry_join: |
# [
# {% for host in groups['vault_servers'] %}
# {
# 'leader_api_addr': '{{ "https" if vault_enable_tls else "http"}}://{{ hostvars[host].api_interface_address }}:8200'
# }{% if not loop.last %},{% endif %}
# {% endfor %}
# ]
##################
# vault listener #
##################
vault_enable_tls: true
# vault_tls_verify: false
# vault_listener_configuration:
# tcp:
# address: "0.0.0.0:8200"
# tls_disable: true
# vault_tls_listener_configuration:
# tcp:
# tls_disable: false
# tls_cert_file: "{{ vault_certificates_directory }}/cert.pem"
# tls_key_file: "{{ vault_certificates_directory }}/key.pem"
# tls_disable_client_certs: true
# vault_extra_listener_configuration: {}
########################
# service registration #
########################
# vault_enable_service_registration: false
# vault_service_registration_configuration:
# consul:
# address: "127.0.0.1:8500"
# scheme: "http"
# token: ""
#################
# vault plugins #
#################
# vault_enable_plugins: false
###########
# logging #
###########
# vault_enable_log_to_file: false
# vault_logging_configuration:
# log_level: info
# log_format: standard
# log_rotate_duration: 24h
# log_rotate_max_files: 30
###########################
# vault container volumes #
###########################
# extra_vault_container_volumes: []
#####################
# extra configuration
#####################
# vault_extra_configuration: {}
# vault_extra_files_list: []

View File

@ -192,7 +192,7 @@
- name: "Create Consul certificates" - name: "Create Consul certificates"
when: when:
- "'consul_servers' in group_names" - "('consul_servers' in group_names) or ('consul_agents' in group_names)"
vars: vars:
consul_private_key_path: "{{ sub_configuration_directories['certificates'] }}/consul/{{ inventory_hostname }}/key.pem" consul_private_key_path: "{{ sub_configuration_directories['certificates'] }}/consul/{{ inventory_hostname }}/key.pem"
consul_certificate_path: "{{ sub_configuration_directories['certificates'] }}/consul/{{ inventory_hostname }}/cert.pem" consul_certificate_path: "{{ sub_configuration_directories['certificates'] }}/consul/{{ inventory_hostname }}/cert.pem"

View File

@ -5,6 +5,16 @@
# # # #
##################################################### #####################################################
#####################
# consul api config #
#####################
consul_api_addr: "{{ consul_api_scheme }}://{{ api_interface_address }}:{{ consul_api_port[consul_api_scheme] }}"
consul_api_scheme: "{{ 'https' if consul_enable_tls else 'http' }}"
consul_api_port:
http: 8500
https: 8501
########################## ##########################
# consul haproxy backend # # consul haproxy backend #
########################## ##########################
@ -27,7 +37,7 @@ consul_external_backend_options:
consul_external_backend_servers: | consul_external_backend_servers: |
[ [
{% for host in groups['consul_servers'] %} {% for host in groups['consul_servers'] %}
'server consul-{{ hostvars[host].api_interface_address }} {{ hostvars[host].api_interface_address }}:{{ hashi_consul_configuration.ports.http }} check inter 5s'{% if not loop.last %},{% endif %} 'server consul-{{ hostvars[host].api_interface_address }} {{ hostvars[host].api_interface_address }}:{{ hostvars[host].consul_api_port[consul_api_scheme] }} check {{ 'ssl verify none ' if consul_enable_tls }}inter 5s'{% if not loop.last %},{% endif %}
{% endfor %} {% endfor %}
] ]
@ -43,6 +53,15 @@ consul_default_agent_policy: |
policy = "read" policy = "read"
} }
#######################
# consul internal tls #
#######################
consul_certificates_directory: "{{ hashi_consul_config_dir }}/tls"
consul_certificates_extra_files_dir:
- src: "{{ sub_configuration_directories['certificates'] }}/consul/{{ inventory_hostname }}"
dest: "{{ consul_certificates_directory }}"
######################### #########################
# consul role variables # # consul role variables #
######################### #########################
@ -53,9 +72,15 @@ hashi_consul_deploy_method: "{{ deployment_method }}"
hashi_consul_env_variables: {} hashi_consul_env_variables: {}
hashi_consul_config_dir: "/etc/consul.d" hashi_consul_config_dir: "/etc/consul.d"
hashi_consul_data_dir: "/opt/consul" hashi_consul_data_dir: "/opt/consul"
hashi_consul_extra_files: false hashi_consul_extra_files: true
hashi_consul_extra_files_src: "{{ sub_configuration_directories.consul_servers }}/config" hashi_consul_extra_files_list: "{{ ([] +
hashi_consul_extra_files_dst: "{{ hashi_consul_config_dir }}/config" (consul_certificates_extra_files_dir if consul_enable_tls else []) +
(vault_plugin_extra_files_dir if vault_enable_plugins else []) +
vault_extra_files_list)
| unique
| sort
}}"
hashi_consul_extra_container_volumes: "{{ default_container_extra_volumes | union(extra_consul_container_volumes) | unique | sort }}"
hashi_consul_envoy_install: false hashi_consul_envoy_install: false
hashi_consul_envoy_version: v1.27.2 hashi_consul_envoy_version: v1.27.2
hashi_consul_configuration: hashi_consul_configuration:
@ -83,8 +108,6 @@ hashi_consul_configuration:
dns_config: "{{ consul_dns_configuration }}" dns_config: "{{ consul_dns_configuration }}"
ports: ports:
dns: 8600 dns: 8600
http: 8500 # "{{ ('8500'|int) if not }}"
https: -1
grpc: 8502 grpc: 8502
grpc_tls: 8503 grpc_tls: 8503
server: 8300 server: 8300
@ -98,3 +121,6 @@ hashi_consul_configuration:
# this is used to circumvent jinja limitation to convert string to integer # this is used to circumvent jinja limitation to convert string to integer
hashi_consul_configuration_string: | hashi_consul_configuration_string: |
bootstrap_expect: {{ (groups['consul_servers'] | length) }} bootstrap_expect: {{ (groups['consul_servers'] | length) }}
ports:
http: {{ (consul_api_port.http|int) if not consul_enable_tls else ('-1' | int) }}
https: {{ (consul_api_port.https|int) if consul_enable_tls else ('-1' | int) }}

View File

@ -6,12 +6,12 @@
enable_haproxy: "yes" enable_haproxy: "yes"
enable_vault: "yes" enable_vault: "yes"
enable_consul: "yes" enable_consul: "yes"
enable_nomad: "no" enable_nomad: "yes"
haproxy_version: "2.8" haproxy_version: "2.8"
nomad_version: "latest" nomad_version: "1.7.7"
consul_version: "latest" consul_version: "1.18.1"
vault_version: "1.15.6" vault_version: "1.16.2"
deployment_method: "docker" deployment_method: "docker"
@ -21,20 +21,17 @@ nomad_fqdn: nomad.ednz.lab
hashistack_external_vip_interface: "eth0" hashistack_external_vip_interface: "eth0"
hashistack_external_vip_addr: "192.168.121.100" hashistack_external_vip_addr: "192.168.121.100"
hashistack_internal_vip_interface: "eth1" hashistack_internal_vip_interface: "{{ hashistack_external_vip_interface }}"
# hashistack_internal_vip_interface: "{{ hashistack_external_vip_interface }}" hashistack_internal_vip_addr: "{{ hashistack_external_vip_addr }}"
hashistack_internal_vip_addr: "192.168.100.100"
# hashistack_internal_vip_addr: "{{ hashistack_external_vip_addr }}"
# api_interface: "eth0" api_interface: "eth0"
api_interface: "eth1"
api_interface_address: "{{ ansible_facts[api_interface]['ipv4']['address'] }}" api_interface_address: "{{ ansible_facts[api_interface]['ipv4']['address'] }}"
######################## ########################
# external tls options # # external tls options #
######################## ########################
enable_tls_external: true enable_tls_external: false
external_tls_externally_managed_certs: false external_tls_externally_managed_certs: false
##################################################### #####################################################
@ -102,20 +99,27 @@ consul_mesh_configuration:
consul_enable_tls: false consul_enable_tls: false
consul_tls_configuration: consul_tls_configuration:
default: defaults:
ca_file: "/etc/ssl/certs/ca-certificates.crt" ca_file: "/etc/ssl/certs/ca-certificates.crt"
cert_file: "{{ hashi_consul_config_dir }}/tls/cert.pem" cert_file: "{{ consul_certificates_directory }}/cert.pem"
key_file: "{{ hashi_consul_config_dir }}/tls/key.pem" key_file: "{{ consul_certificates_directory }}/key.pem"
verify_incoming: false verify_incoming: false
verify_outgoing: true verify_outgoing: true
internal_rpc: internal_rpc:
verify_server_hostname: true verify_server_hostname: true
############################
# consul container volumes #
############################
extra_consul_container_volumes: []
####################### #######################
# extra configuration # # extra configuration #
####################### #######################
consul_extra_configuration: {} consul_extra_configuration: {}
consul_extra_files_list: []
##################################################### #####################################################
# # # #
@ -150,7 +154,7 @@ vault_storage_configuration:
# vault listener # # vault listener #
################## ##################
vault_enable_tls: true vault_enable_tls: false
vault_tls_verify: false vault_tls_verify: false
vault_listener_configuration: vault_listener_configuration:
tcp: tcp:

View File

@ -38,7 +38,7 @@ vault_external_backend_servers: |
vault_certificates_directory: "{{ hashi_vault_config_dir }}/tls" vault_certificates_directory: "{{ hashi_vault_config_dir }}/tls"
vault_certificates_extra_files_dir: vault_certificates_extra_files_dir:
- src: "{{ sub_configuration_directories['certificates'] }}/vault/{{ inventory_hostname }}" - src: "{{ sub_configuration_directories['certificates'] }}/vault/{{ inventory_hostname }}"
dest: "{{ hashi_vault_config_dir }}/tls" dest: "{{ vault_certificates_directory }}"
################# #################
# vault plugins # # vault plugins #
@ -47,7 +47,7 @@ vault_certificates_extra_files_dir:
vault_plugin_directory: "{{ hashi_vault_config_dir }}/plugin" vault_plugin_directory: "{{ hashi_vault_config_dir }}/plugin"
vault_plugin_extra_files_dir: vault_plugin_extra_files_dir:
- src: "{{ sub_configuration_directories['vault_servers'] }}/plugin" - src: "{{ sub_configuration_directories['vault_servers'] }}/plugin"
dest: "{{ hashi_vault_config_dir }}/plugin" dest: "{{ vault_plugin_directory }}"
######################## ########################
# vault role variables # # vault role variables #
@ -69,7 +69,7 @@ hashi_vault_extra_files_list: "{{ ([] +
}}" }}"
hashi_vault_extra_files_src: "{{ sub_configuration_directories.vault_servers }}/config" hashi_vault_extra_files_src: "{{ sub_configuration_directories.vault_servers }}/config"
hashi_vault_extra_files_dst: "{{ hashi_vault_config_dir }}/config" hashi_vault_extra_files_dst: "{{ hashi_vault_config_dir }}/config"
hashi_vault_extra_container_volumes: "{{ default_container_extra_volumes | union(extra_vault_container_volumes) | unique }}" hashi_vault_extra_container_volumes: "{{ default_container_extra_volumes | union(extra_vault_container_volumes) | unique | sort }}"
hashi_vault_configuration: hashi_vault_configuration:
cluster_name: "{{ vault_cluster_name }}" cluster_name: "{{ vault_cluster_name }}"
cluster_addr: "{{ 'https' if vault_enable_tls else 'http'}}://{{ api_interface_address }}:8201" cluster_addr: "{{ 'https' if vault_enable_tls else 'http'}}://{{ api_interface_address }}:8201"

View File

@ -7,7 +7,7 @@
- name: "Wait for consul cluster to initialize" # noqa: run-once[task] - name: "Wait for consul cluster to initialize" # noqa: run-once[task]
ansible.builtin.uri: ansible.builtin.uri:
url: "http://{{ api_interface_address }}:8500" # TODO: this should be dynamic (http/https) url: "{{ consul_api_addr }}"
validate_certs: no validate_certs: no
return_content: yes return_content: yes
status_code: status_code:
@ -20,9 +20,9 @@
- name: "Initialize consul cluster" # noqa: run-once[task] - name: "Initialize consul cluster" # noqa: run-once[task]
community.general.consul_acl_bootstrap: community.general.consul_acl_bootstrap:
bootstrap_secret: "{{ _credentials.consul.root_token.secret_id }}" bootstrap_secret: "{{ _credentials.consul.root_token.secret_id }}"
host: "{{ hashi_consul_configuration['advertise_addr'] }}" host: "{{ api_interface_address }}"
port: 8500 port: "{{ consul_api_port[consul_api_scheme] }}"
scheme: http scheme: "{{ consul_api_scheme }}"
state: present state: present
run_once: true run_once: true
delegate_to: "{{ groups['consul_servers'] | first }}" delegate_to: "{{ groups['consul_servers'] | first }}"
@ -63,8 +63,8 @@
community.general.consul_policy: community.general.consul_policy:
token: "{{ _credentials.consul.root_token.secret_id }}" token: "{{ _credentials.consul.root_token.secret_id }}"
host: "{{ api_interface_address }}" host: "{{ api_interface_address }}"
port: 8500 port: "{{ consul_api_port[consul_api_scheme] }}"
scheme: http # TODO: this should be dynamic scheme: "{{ consul_api_scheme }}"
validate_certs: false validate_certs: false
state: present state: present
name: agents-policy name: agents-policy
@ -73,14 +73,13 @@
- name: "Create consul agents token" - name: "Create consul agents token"
vars: vars:
consul_full_url: "http://{{ hashi_consul_configuration['advertise_addr'] }}:8500"
consul_token_body: consul_token_body:
Description: "Consul agents token" Description: "Consul agents token"
SecretID: "{{ _credentials.consul.tokens.agent }}" SecretID: "{{ _credentials.consul.tokens.agent }}"
Policies: Policies:
- ID: "{{ _consul_agent_policy.policy.ID }}" - ID: "{{ _consul_agent_policy.policy.ID }}"
ansible.builtin.uri: ansible.builtin.uri:
url: "{{ consul_full_url }}/v1/acl/token" url: "{{ consul_api_addr }}/v1/acl/token"
method: PUT method: PUT
headers: headers:
X-Consul-Token: "{{ _credentials.consul.root_token.secret_id }}" X-Consul-Token: "{{ _credentials.consul.root_token.secret_id }}"

@ -1 +1 @@
Subproject commit c6fbfe5b78ef8b8884af129ea84afb26da754833 Subproject commit 56696c3552308225d4e5b91efc8e4bf75d31d2f3