hcp-ansible/playbooks/group_vars/all/consul.yml
---
#####################################################
# #
# Non-Editable #
# #
#####################################################
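#####################
# consul api config #
#####################
# Derived values: the scheme follows consul_enable_tls and the port is looked
# up in consul_api_port by that scheme, so one flag switches the API endpoint
# between plain HTTP (8500) and HTTPS (8501).
consul_api_addr: "{{ consul_api_scheme }}://{{ api_interface_address }}:{{ consul_api_port[consul_api_scheme] }}"
consul_api_scheme: "{{ 'https' if consul_enable_tls else 'http' }}"
# Consul's default API ports, keyed by scheme.
consul_api_port:
  http: 8500
  https: 8501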
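##########################
# consul haproxy backend #
##########################
# Frontend rules: requests whose Host header matches consul_fqdn are routed to
# the consul_external backend.
consul_haproxy_frontend_options:
  - acl is_consul hdr(host) -i {{ consul_fqdn }}
  - use_backend consul_external if is_consul
# Backend handed to the haproxy role: the static options followed by the
# generated per-server lines.
consul_haproxy_backends:
  - name: consul_external
    options: "{{ consul_external_backend_options + consul_external_backend_servers }}"
consul_external_backend_options:
  - description consul external http backend
  - option forwardfor
  - option httpchk
  - http-check send meth GET uri /
  - default-server inter 2s fastinter 1s downinter 1s
# One "server" line per host in the consul_servers group, rendered as a list
# literal; the concatenation in consul_haproxy_backends presumably relies on
# Ansible turning the rendered string back into a list.
# NOTE(review): when consul_enable_tls is set, HAProxy speaks TLS to the Consul
# API but with "verify none", so the Consul server certificate is never
# validated. Once the Consul CA is present on the HAProxy hosts, prefer
# "ssl verify required ca-file <path-to-consul-ca>" here.
consul_external_backend_servers: |
  [
  {% for host in groups['consul_servers'] %}
  'server consul-{{ hostvars[host].api_interface_address }} {{ hostvars[host].api_interface_address }}:{{ hostvars[host].consul_api_port[consul_api_scheme] }} check {{ 'ssl verify none ' if consul_enable_tls }}inter 5s'{% if not loop.last %},{% endif %}
  {% endfor %}
  ]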
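############################
# consul ACL configuration #
############################
# HCL policy for agent tokens: the empty prefix matches every node and every
# service, so this grants write on all node entries and read on the whole
# service catalog.
# NOTE(review): with node_prefix "" any agent token can rewrite any other
# node's catalog entry. If the role can template the node name, a per-agent
# node "<node-name>" { policy = "write" } rule is the least-privilege form.
consul_default_agent_policy: |
  node_prefix "" {
    policy = "write"
  }
  service_prefix "" {
    policy = "read"
  }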
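#######################
# consul internal tls #
#######################
# Destination on the node for the certificate material copied by the role.
consul_certificates_directory: "{{ hashi_consul_config_dir }}/tls"
# Per-host certificate source/destination pair; it is only appended to the
# extra-files list when consul_enable_tls is true (see
# hashi_consul_extra_files_list).
consul_certificates_extra_files_dir:
  - src: "{{ sub_configuration_directories['certificates'] }}/consul/{{ inventory_hostname }}"
    dest: "{{ consul_certificates_directory }}"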
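#########################
# consul role variables #
#########################
hashi_consul_start_service: true
# Version and deploy method follow the shared deployment_method variable,
# which is defined outside this file.
hashi_consul_version: "{{ consul_versions[deployment_method] }}"
hashi_consul_deploy_method: "{{ deployment_method }}"
hashi_consul_env_variables: {}
hashi_consul_config_dir: "/etc/consul.d"
hashi_consul_data_dir: "/opt/consul"
hashi_consul_extra_files: true
# Files the role copies onto the node: consul TLS material when TLS is on,
# vault plugins when enabled, plus vault_extra_files_list (the vault_*
# variables presumably come from the vault group_vars). unique | sort keeps the
# list stable between runs.
hashi_consul_extra_files_list: "{{ ([] +
  (consul_certificates_extra_files_dir if consul_enable_tls else []) +
  (vault_plugin_extra_files_dir if vault_enable_plugins else []) +
  vault_extra_files_list)
  | unique
  | sort
  }}"
hashi_consul_extra_container_volumes: "{{ default_container_extra_volumes | union(extra_consul_container_volumes) | unique }}"
hashi_consul_envoy_install: false
hashi_consul_envoy_version: v1.27.2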
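# Agent configuration rendered by the consul role.
hashi_consul_configuration:
  domain: "{{ consul_domain }}"
  datacenter: "{{ consul_datacenter }}"
  primary_datacenter: "{{ consul_primary_datacenter }}"
  data_dir: "{{ hashi_consul_data_dir }}"
  # Gossip (serf) encryption key: a shared secret. Keep its definition in an
  # encrypted source such as ansible-vault, not in a plain vars file.
  encrypt: "{{ consul_gossip_encryption_key }}"
  # Server mode is decided by inventory group membership.
  server: "{{ 'consul_servers' in group_names }}"
  # bind_addr of every consul server; the to_json | from_json round-trip
  # presumably forces a real list rather than its string representation.
  retry_join: "{{
    groups['consul_servers'] |
    map('extract', hostvars, ['consul_address_configuration', 'bind_addr']) |
    list |
    to_json |
    from_json
    }}"
  ui_config: "{{ consul_ui_configuration }}"
  connect: "{{ consul_mesh_configuration }}"
  leave_on_terminate: "{{ consul_leave_on_terminate }}"
  rejoin_after_leave: "{{ consul_rejoin_after_leave }}"
  # NOTE(review): enable_script_checks allows a check registered through the
  # agent HTTP API to run a command on the node. Unless remote registration
  # is needed, enable_local_script_checks (script checks from local config
  # files only) is the safer option; if this stays true, ACLs must be
  # enforced on the API.
  enable_script_checks: "{{ consul_enable_script_checks }}"
  enable_syslog: "{{ deployment_method == 'host' }}"
  log_level: INFO
  acl: "{{ consul_acl_configuration }}"
  dns_config: "{{ consul_dns_configuration }}"
  # Standard port layout. http/https are set in
  # hashi_consul_configuration_string below so that -1 (disabled) is an
  # integer.
  ports:
    dns: 8600
    grpc: 8502
    grpc_tls: 8503
    server: 8300
    serf_lan: 8301
    serf_wan: 8302
    sidecar_min_port: 21000
    sidecar_max_port: 21255
    expose_min_port: 21500
    expose_max_port: 21755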
# this is used to circumvent jinja limitation to convert string to integer
hashi_consul_configuration_string: |
bootstrap_expect: {{ (groups['consul_servers'] | length) }}
ports:
http: {{ (consul_api_port.http|int) if not consul_enable_tls else ('-1' | int) }}
https: {{ (consul_api_port.https|int) if consul_enable_tls else ('-1' | int) }}