From 802e1fc16ebbee5ed79375c23027218a73e0136b Mon Sep 17 00:00:00 2001
From: Bertrand Lanson
Date: Sun, 10 Nov 2024 22:51:35 +0100
Subject: [PATCH] fix: allow override of the hashistack_ca_action via extra-vars flag
---
 playbooks/group_vars/all/hashistack_ca.yml | 61 ++++++++++++++--------
 1 file changed, 38 insertions(+), 23 deletions(-)
diff --git a/playbooks/group_vars/all/hashistack_ca.yml b/playbooks/group_vars/all/hashistack_ca.yml
index 33aa792..bc1e3d2 100644
--- a/playbooks/group_vars/all/hashistack_ca.yml
+++ b/playbooks/group_vars/all/hashistack_ca.yml
@@ -2,7 +2,7 @@
 # defaults
 hashistack_ca_directory: "{{ hashistack_sub_configuration_directories['certificates'] }}"
 hashistack_ca_use_cryptography: false
-hashistack_ca_action: "noop"
+# hashistack_ca_action: "noop"
 hashistack_ca_domain: example.com
 hashistack_ca_directory_owner: "{{ lookup('env', 'USER') }}"
 
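Review bot: Commenting out `hashistack_ca_action` leaves no trace in group_vars of which values the variable accepts or what it falls back to when neither this file nor extra-vars sets it, so a reader now has to locate the role default to know the effective behaviour. Since `-e` extra-vars already take precedence over group_vars in Ansible, the practical effect is presumably that a lower-precedence default (the role's) becomes visible again, which is worth stating explicitly. Suggest keeping the commented line as documentation: `# hashistack_ca_action: "noop"  # intentionally unset so the role default applies; override with -e hashistack_ca_action=<value>`.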
@@ -79,37 +79,52 @@ hashistack_ca_leaf_renew_threshold: 30d
 ############################
 hashistack_ca_consul_org_name: "{{ hashistack_ca_root_org_name }}"
 hashistack_ca_consul_common_name: "{{ inventory_hostname }}"
-hashistack_ca_consul_csr_sans:
- - "DNS:{{ inventory_hostname }}"
- - "DNS:consul.service.consul"
- - "DNS:localhost"
- - "IP:{{ api_interface_address }}"
- - "IP:127.0.0.1"
- - "{{ 'DNS:server.' ~ consul_datacenter ~ '.' ~ consul_domain if consul_enable_server else omit }}"
+hashistack_ca_consul_csr_sans: >
+ {{
+ [
+ "DNS:" + inventory_hostname,
+ "DNS:consul.service.consul",
+ "DNS:localhost",
+ "IP:" + api_interface_address,
+ "IP:127.0.0.1"
+ ]
+ + ([ "DNS:server." + consul_datacenter + "." + consul_domain ] if consul_enable_server else [])
+ }}
 ###########################
 # Nomad Leaf Certificates #
 ###########################
 hashistack_ca_nomad_org_name: "{{ hashistack_ca_root_org_name }}"
 hashistack_ca_nomad_common_name: "{{ inventory_hostname }}"
-hashistack_ca_nomad_csr_sans:
- - "DNS:{{ inventory_hostname }}"
- - "DNS:localhost"
- - "IP:{{ api_interface_address }}"
- - "IP:127.0.0.1"
- - "{{ 'DNS:server.' ~ nomad_region ~ '.nomad' if nomad_enable_server else omit }}"
- - "{{ 'DNS:nomad.service.consul' if (nomad_enable_server and enable_consul) else omit }}"
+hashistack_ca_nomad_csr_sans: >
+ {{
+ [
+ "DNS:" + inventory_hostname,
+ "DNS:localhost",
+ "IP:" + api_interface_address,
+ "IP:127.0.0.1"
+ ]
+ + ([ "DNS:server." + nomad_region + ".nomad" ] if nomad_enable_server else [])
+ + ([ "DNS:client." + nomad_region + ".nomad" ] if nomad_enable_client else [])
+ + ([ "DNS:nomad.service.consul" ] if (nomad_enable_server and enable_consul) else [])
+ }}
 ###########################
 # Vault Leaf Certificates #
 ###########################
 hashistack_ca_vault_org_name: "{{ hashistack_ca_root_org_name }}"
 hashistack_ca_vault_common_name: "{{ inventory_hostname }}"
-hashistack_ca_vault_csr_sans:
- - "DNS:{{ inventory_hostname }}"
- - "{{ 'DNS:active.vault.service.consul' if enable_consul else omit }}"
- - "{{ 'DNS:standby.vault.service.consul' if enable_consul else omit }}"
- - "{{ 'DNS:vault.service.consul' if enable_consul else omit }}"
- - "DNS:localhost"
- - "IP:{{ api_interface_address }}"
- - "IP:127.0.0.1"
+hashistack_ca_vault_csr_sans: >
+ {{
+ [
+ "DNS:" + inventory_hostname,
+ "DNS:localhost",
+ "IP:" + api_interface_address,
+ "IP:127.0.0.1"
+ ]
+ + ([
+ "DNS:active.vault.service.consul",
+ "DNS:standby.vault.service.consul",
+ "DNS:vault.service.consul"
+ ] if enable_consul else [])
+ }}
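Review bot: The rewritten `hashistack_ca_nomad_csr_sans` adds a `DNS:client.<nomad_region>.nomad` SAN guarded by `nomad_enable_client`, which the old list did not carry and which the commit title (a `hashistack_ca_action` override fix) does not mention; since this widens the names a Nomad leaf certificate is valid for, it deserves its own line in the commit message and a comment on the expression. `nomad_enable_client` must also be defined for every host that evaluates this group_vars file or templating will fail with an undefined-variable error; I cannot confirm from this diff where it is declared. The three `>` folded scalars only yield lists because Ansible re-evaluates the rendered string, presumably chosen because `omit` inside a list item in the old form did not actually drop the item; a comment such as `# built as a single Jinja list expression so conditional SANs are dropped entirely instead of rendered as placeholders` above each of the three expressions would record that intent for the next maintainer.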