fix: allow override of the hashistack_ca_action via extra-vars flag

2024-11-10 22:51:35 +01:00 · 2024-11-10 22:51:35 +01:00 · 802e1fc16e
commit 802e1fc16e
parent 6a707800c1
1 changed files with 38 additions and 23 deletions
--- a/playbooks/group_vars/all/hashistack_ca.yml
+++ b/playbooks/group_vars/all/hashistack_ca.yml
@ -2,7 +2,7 @@
 # defaults
 hashistack_ca_directory: "{{ hashistack_sub_configuration_directories['certificates'] }}"
 hashistack_ca_use_cryptography: false
-hashistack_ca_action: "noop"
+# hashistack_ca_action: "noop"
 hashistack_ca_domain: example.com
 hashistack_ca_directory_owner: "{{ lookup('env', 'USER') }}"
@ -79,37 +79,52 @@ hashistack_ca_leaf_renew_threshold: 30d
 ############################
 hashistack_ca_consul_org_name: "{{ hashistack_ca_root_org_name }}"
 hashistack_ca_consul_common_name: "{{ inventory_hostname }}"
-hashistack_ca_consul_csr_sans:
+hashistack_ca_consul_csr_sans: >
-  - "DNS:{{ inventory_hostname }}"
+  {{
-  - "DNS:consul.service.consul"
+    [
-  - "DNS:localhost"
+      "DNS:" + inventory_hostname,
-  - "IP:{{ api_interface_address }}"
+      "DNS:consul.service.consul",
-  - "IP:127.0.0.1"
+      "DNS:localhost",
-  - "{{ 'DNS:server.' ~ consul_datacenter ~ '.' ~ consul_domain if consul_enable_server else omit }}"
+      "IP:" + api_interface_address,
      "IP:127.0.0.1"
    ]
    + ([ "DNS:server." + consul_datacenter + "." + consul_domain ] if consul_enable_server else [])
  }}
 ###########################
 # Nomad Leaf Certificates #
 ###########################
 hashistack_ca_nomad_org_name: "{{ hashistack_ca_root_org_name }}"
 hashistack_ca_nomad_common_name: "{{ inventory_hostname }}"
-hashistack_ca_nomad_csr_sans:
+hashistack_ca_nomad_csr_sans: >
-  - "DNS:{{ inventory_hostname }}"
+  {{
-  - "DNS:localhost"
+    [
-  - "IP:{{ api_interface_address }}"
+      "DNS:" + inventory_hostname,
-  - "IP:127.0.0.1"
+      "DNS:localhost",
-  - "{{ 'DNS:server.' ~ nomad_region ~ '.nomad' if nomad_enable_server else omit }}"
+      "IP:" + api_interface_address,
-  - "{{ 'DNS:nomad.service.consul' if (nomad_enable_server and enable_consul) else omit }}"
+      "IP:127.0.0.1"
    ]
    + ([ "DNS:server." + nomad_region + ".nomad" ] if nomad_enable_server else [])
    + ([ "DNS:client." + nomad_region + ".nomad" ] if nomad_enable_client else [])
    + ([ "DNS:nomad.service.consul" ] if (nomad_enable_server and enable_consul) else [])
  }}
 ###########################
 # Vault Leaf Certificates #
 ###########################
 hashistack_ca_vault_org_name: "{{ hashistack_ca_root_org_name }}"
 hashistack_ca_vault_common_name: "{{ inventory_hostname }}"
-hashistack_ca_vault_csr_sans:
+hashistack_ca_vault_csr_sans: >
-  - "DNS:{{ inventory_hostname }}"
+  {{
-  - "{{ 'DNS:active.vault.service.consul' if enable_consul else omit }}"
+    [
-  - "{{ 'DNS:standby.vault.service.consul' if enable_consul else omit }}"
+      "DNS:" + inventory_hostname,
-  - "{{ 'DNS:vault.service.consul' if enable_consul else omit }}"
+      "DNS:localhost",
-  - "DNS:localhost"
+      "IP:" + api_interface_address,
-  - "IP:{{ api_interface_address }}"
+      "IP:127.0.0.1"
-  - "IP:127.0.0.1"
+    ]
    + ([
      "DNS:active.vault.service.consul",
      "DNS:standby.vault.service.consul",
      "DNS:vault.service.consul"
      ] if enable_consul else [])
  }}