almost done, untested yet
This commit is contained in:
parent
542f12f431
commit
164c654be0
@ -1,2 +1,21 @@
|
||||
---
|
||||
# defaults file for renew_consul_certificates
|
||||
renew_consul_certificates_config_dir: /etc/consul-template.d/consul
|
||||
renew_consul_certificates_consul_user: consul
|
||||
renew_consul_certificates_consul_group: consul
|
||||
renew_consul_certificates_vault_addr: "https://consul.example.com"
|
||||
renew_consul_certificates_vault_token: mysupersecretconsultokenthatyoushouldchange
|
||||
renew_consul_certificates_vault_token_unwrap: false
|
||||
renew_consul_certificates_vault_token_renew: true
|
||||
renew_consul_certificates_ca_dest: /opt/consul/tls/ca.pem
|
||||
renew_consul_certificates_cert_dest: /opt/consul/tls/cert.pem
|
||||
renew_consul_certificates_key_dest: /opt/consul/tls/key.pem
|
||||
renew_consul_certificates_info:
|
||||
issuer_path: pki/issue/your-issuer
|
||||
common_name: consul01.example.com
|
||||
ttl: 90d
|
||||
is_server: false
|
||||
include_consul_service: false
|
||||
renew_consul_certificates_consul_dc_name: dc1.consul
|
||||
renew_consul_certificates_consul_service_name: consul.service.consul
|
||||
renew_consul_certificates_start_service: false
|
||||
|
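Review bot: `renew_consul_certificates_vault_addr` defaults to `https://consul.example.com`, but it is rendered into the `vault { address = ... }` stanza of consul_config.hcl, so the default points the Vault client at a Consul hostname; `"https://vault.example.com"` looks like the intended placeholder. The token default `mysupersecretconsultokenthatyoushouldchange` is a syntactically valid plaintext value that is copied verbatim into the rendered config, so a deployment that forgets to override it runs with a well-known string instead of failing early; consider shipping no usable default (e.g. `renew_consul_certificates_vault_token: null`) and asserting the variable is set in prerequisites.yml, with a comment pointing users at vault-encrypted vars or an environment lookup. This file's header is not in view, so the file name is inferred from the `# defaults file for renew_consul_certificates` comment.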
@ -1,2 +1,19 @@
|
||||
---
|
||||
# handlers file for renew_consul_certificates
|
||||
- name: "Reload service file"
|
||||
ansible.builtin.systemd:
|
||||
daemon_reload: true
|
||||
listen: "systemctl-daemon-reload"
|
||||
|
||||
- name: "Enable consul-certs service"
|
||||
ansible.builtin.service:
|
||||
name: consul-certs
|
||||
enabled: true
|
||||
listen: "systemctl-enable-consul-certs"
|
||||
|
||||
- name: "Start consul-certs service"
|
||||
ansible.builtin.service:
|
||||
name: consul-certs
|
||||
state: restarted
|
||||
listen: "systemctl-restart-consul-certs"
|
||||
when: renew_consul_certificates_start_service
|
||||
|
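Review bot: The handler named "Start consul-certs service" performs `state: restarted` and listens on `systemctl-restart-consul-certs`, so its name misdescribes what it does; renaming it `- name: "Restart consul-certs service"` keeps the play output honest. The `when: renew_consul_certificates_start_service` guard is sound, but it is worth a comment that a disabled start leaves a freshly rendered config unapplied until something else restarts the unit.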
17
molecule/with_custom_config/all.yml
Normal file
17
molecule/with_custom_config/all.yml
Normal file
@ -0,0 +1,17 @@
|
||||
---
|
||||
renew_vault_certificates_config_dir: /etc/consul-template.d/vault
|
||||
renew_vault_certificates_vault_user: vault
|
||||
renew_vault_certificates_vault_group: vault
|
||||
renew_vault_certificates_vault_addr: "https://vault.example.com"
|
||||
renew_vault_certificates_vault_token: mysupersecretvaulttokenthatyoushouldchange
|
||||
renew_vault_certificates_vault_token_unwrap: false
|
||||
renew_vault_certificates_vault_token_renew: true
|
||||
renew_vault_certificates_cert_dest: /opt/vault/tls/cert.pem
|
||||
renew_vault_certificates_key_dest: /opt/vault/tls/key.pem
|
||||
renew_vault_certificates_info:
|
||||
issuer_path: pki/issue/vault-issuer
|
||||
common_name: vault01.example.com
|
||||
ttl: 90d
|
||||
include_consul_service: true
|
||||
renew_vault_certificates_consul_service_name: vault.service.consul
|
||||
renew_vault_certificates_start_service: false
|
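Review bot: `molecule/with_custom_config/all.yml` sits outside `group_vars/`, so the Ansible inventory will not load it, and every variable in it carries the `renew_vault_certificates_*` prefix of a different role; it appears to be a leftover from the vault role this scenario was copied from. The consul-prefixed values the scenario actually needs are already in `molecule/with_custom_config/group_vars/all.yml` (L222), so this file can be deleted rather than maintained in parallel. If it is kept on purpose, a comment saying which tool consumes it would save the next reader the same search.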
7
molecule/with_custom_config/converge.yml
Normal file
7
molecule/with_custom_config/converge.yml
Normal file
@ -0,0 +1,7 @@
|
||||
---
|
||||
- name: Converge
|
||||
hosts: all
|
||||
tasks:
|
||||
- name: "Include ednxzu.renew_vault_certificates"
|
||||
ansible.builtin.include_role:
|
||||
name: "ednxzu.renew_vault_certificates"
|
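Review bot: The converge play includes `ednxzu.renew_vault_certificates`, while the role this commit builds is `renew_consul_certificates` (per the defaults, handlers and task file comments), so the scenario either fails to resolve the role or exercises a different one and never runs the code under test. Both the task name and the role name should read `name: "ednxzu.renew_consul_certificates"`.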
17
molecule/with_custom_config/group_vars/all.yml
Normal file
17
molecule/with_custom_config/group_vars/all.yml
Normal file
@ -0,0 +1,17 @@
|
||||
---
|
||||
renew_consul_certificates_config_dir: /etc/consul-template.d/consul
|
||||
renew_consul_certificates_consul_user: consul
|
||||
renew_consul_certificates_consul_group: consul
|
||||
renew_consul_certificates_vault_addr: "https://consul.example.com"
|
||||
renew_consul_certificates_vault_token: mysupersecretconsultokenthatyoushouldchange
|
||||
renew_consul_certificates_vault_token_unwrap: false
|
||||
renew_consul_certificates_vault_token_renew: true
|
||||
renew_consul_certificates_cert_dest: /opt/consul/tls/cert.pem
|
||||
renew_consul_certificates_key_dest: /opt/consul/tls/key.pem
|
||||
renew_consul_certificates_info:
|
||||
issuer_path: pki/issue/consul-issuer
|
||||
common_name: consul01.example.com
|
||||
ttl: 90d
|
||||
include_consul_service: true
|
||||
renew_consul_certificates_consul_service_name: consul.service.consul
|
||||
renew_consul_certificates_start_service: false
|
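Review bot: `renew_consul_certificates_info` here omits the `is_server` key that the default mapping defines, and Ansible replaces rather than merges dictionaries across precedence levels (unless `hash_behaviour=merge` is configured), so the templates' `{% if renew_consul_certificates_info['is_server'] %}` would evaluate a missing key and fail under strict undefined handling. Adding `is_server: false` under `renew_consul_certificates_info` restores the full shape the templates expect. The plaintext `renew_consul_certificates_vault_token` is acceptable for a throwaway molecule container, but a short comment saying so would stop it being copied into real inventories.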
37
molecule/with_custom_config/molecule.yml
Normal file
37
molecule/with_custom_config/molecule.yml
Normal file
@ -0,0 +1,37 @@
|
||||
---
|
||||
dependency:
|
||||
name: galaxy
|
||||
options:
|
||||
requirements-file: ./requirements.yml
|
||||
driver:
|
||||
name: docker
|
||||
platforms:
|
||||
- name: instance
|
||||
image: geerlingguy/docker-${MOLECULE_TEST_OS}-ansible
|
||||
command: ""
|
||||
volumes:
|
||||
- /sys/fs/cgroup:/sys/fs/cgroup
|
||||
cgroupns_mode: host
|
||||
privileged: true
|
||||
pre_build_image: true
|
||||
provisioner:
|
||||
name: ansible
|
||||
config_options:
|
||||
defaults:
|
||||
remote_tmp: /tmp/.ansible
|
||||
verifier:
|
||||
name: testinfra
|
||||
scenario:
|
||||
name: with_custom_config
|
||||
test_sequence:
|
||||
- dependency
|
||||
- cleanup
|
||||
- destroy
|
||||
- syntax
|
||||
- create
|
||||
- prepare
|
||||
- converge
|
||||
- idempotence
|
||||
- verify
|
||||
- cleanup
|
||||
- destroy
|
15
molecule/with_custom_config/prepare.yml
Normal file
15
molecule/with_custom_config/prepare.yml
Normal file
@ -0,0 +1,15 @@
|
||||
---
|
||||
- name: Prepare
|
||||
hosts: all
|
||||
tasks:
|
||||
- name: "Create group vault"
|
||||
ansible.builtin.group:
|
||||
name: "vault"
|
||||
state: present
|
||||
|
||||
- name: "Create user vault"
|
||||
ansible.builtin.user:
|
||||
name: "vault"
|
||||
group: "vault"
|
||||
shell: /bin/false
|
||||
state: present
|
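Review bot: The prepare play creates the `vault` group and user, but this role's defaults chown the config directory, templates and certificate paths to `renew_consul_certificates_consul_user: consul` / `consul`, and `ansible.builtin.file` and `ansible.builtin.template` fail when the owner does not exist; unless the test image already ships a consul account, converge will stop at the first `owner: "{{ renew_consul_certificates_consul_user }}"` task. Changing both tasks to `name: "consul"` (and `group: "consul"` on the user task) matches what the role expects. The systemd unit template also sets `User=`/`Group=` to the same variables, so the mismatch would surface again there.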
5
molecule/with_custom_config/requirements.yml
Normal file
5
molecule/with_custom_config/requirements.yml
Normal file
@ -0,0 +1,5 @@
|
||||
---
|
||||
# requirements file for molecule
|
||||
roles:
|
||||
- name: ednxzu.manage_repositories
|
||||
- name: ednxzu.manage_apt_packages
|
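Review bot: Neither role entry carries a `version:`, so `ansible-galaxy` pulls whatever is current at test time and the scenario can change behaviour without any change in this repository. Pinning each entry, e.g. `- name: ednxzu.manage_repositories` followed by `  version: "<pinned tag>"` (placeholder), keeps the molecule run reproducible and makes dependency upgrades deliberate.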
22
molecule/with_custom_config/tests/conftest.py
Normal file
22
molecule/with_custom_config/tests/conftest.py
Normal file
@ -0,0 +1,22 @@
|
||||
"""PyTest Fixtures."""
|
||||
from __future__ import absolute_import
|
||||
|
||||
import os
|
||||
|
||||
import pytest
|
||||
|
||||
|
||||
def pytest_runtest_setup(item):
|
||||
"""Run tests only when under molecule with testinfra installed."""
|
||||
try:
|
||||
import testinfra
|
||||
except ImportError:
|
||||
pytest.skip("Test requires testinfra", allow_module_level=True)
|
||||
if "MOLECULE_INVENTORY_FILE" in os.environ:
|
||||
pytest.testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
|
||||
os.environ["MOLECULE_INVENTORY_FILE"]
|
||||
).get_hosts("all")
|
||||
else:
|
||||
pytest.skip(
|
||||
"Test should run only from inside molecule.", allow_module_level=True
|
||||
)
|
48
molecule/with_custom_config/tests/test_default.py
Normal file
48
molecule/with_custom_config/tests/test_default.py
Normal file
@ -0,0 +1,48 @@
|
||||
"""Role testing files using testinfra."""
|
||||
|
||||
|
||||
def test_hosts_file(host):
|
||||
"""Validate /etc/hosts file."""
|
||||
etc_hosts = host.file("/etc/hosts")
|
||||
assert etc_hosts.exists
|
||||
assert etc_hosts.user == "root"
|
||||
assert etc_hosts.group == "root"
|
||||
|
||||
def test_consul_template_config(host):
|
||||
"""Validate /etc/consul-template.d/consul/ files."""
|
||||
etc_consul_template_d_consul_config_hcl = host.file("/etc/consul-template.d/consul/consul_config.hcl")
|
||||
assert etc_consul_template_d_consul_config_hcl.exists
|
||||
assert etc_consul_template_d_consul_config_hcl.user == "consul"
|
||||
assert etc_consul_template_d_consul_config_hcl.group == "consul"
|
||||
assert etc_consul_template_d_consul_config_hcl.mode == 0o600
|
||||
|
||||
def test_template_files(host):
|
||||
"""Validate /etc/consul-template.d/consul/templates/ files."""
|
||||
consul_cert_pem_tpl = host.file("/etc/consul-template.d/consul/templates/consul_cert.pem.tpl")
|
||||
consul_key_pem_tpl = host.file("/etc/consul-template.d/consul/templates/consul_key.pem.tpl")
|
||||
for file in consul_cert_pem_tpl, consul_key_pem_tpl:
|
||||
assert file.exists
|
||||
assert file.user == "consul"
|
||||
assert file.group == "consul"
|
||||
assert file.mode == 0o600
|
||||
assert consul_cert_pem_tpl.content_string == '{{ with secret "pki/issue/consul-issuer" "common_name=consul01.example.com" "ttl=90d" "alt_names=localhost,consul.service.consul,active.consul.service.consul,standby.consul.service.consul" "ip_sans=127.0.0.1" }}\n{{ .Data.certificate }}\n{{ .Data.issuing_ca }}\n{{ end }}\n'
|
||||
assert consul_key_pem_tpl.content_string == '{{ with secret "pki/issue/consul-issuer" "common_name=consul01.example.com" "ttl=90d" "alt_names=localhost,consul.service.consul,active.consul.service.consul,standby.consul.service.consul" "ip_sans=127.0.0.1" }}\n{{ .Data.private_key }}\n{{ end }}\n'
|
||||
|
||||
def test_consul_certs_service_file(host):
|
||||
"""Validate consul-certs service file."""
|
||||
etc_systemd_system_consul_certs_service = host.file("/etc/systemd/system/consul-certs.service")
|
||||
assert etc_systemd_system_consul_certs_service.exists
|
||||
assert etc_systemd_system_consul_certs_service.user == "root"
|
||||
assert etc_systemd_system_consul_certs_service.group == "root"
|
||||
assert etc_systemd_system_consul_certs_service.mode == 0o644
|
||||
assert etc_systemd_system_consul_certs_service.content_string != ""
|
||||
|
||||
def test_consul_certs_service(host):
|
||||
"""Validate consul-certs service."""
|
||||
consul_certs_service = host.service("consul-certs.service")
|
||||
assert consul_certs_service.is_enabled
|
||||
assert not consul_certs_service.is_running
|
||||
assert consul_certs_service.systemd_properties["Restart"] == "on-failure"
|
||||
assert consul_certs_service.systemd_properties["User"] == "consul"
|
||||
assert consul_certs_service.systemd_properties["Group"] == "consul"
|
||||
assert consul_certs_service.systemd_properties["FragmentPath"] == "/etc/systemd/system/consul-certs.service"
|
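Review bot: The expected `content_string` values at L630 and L633 include `active.consul.service.consul,standby.consul.service.consul` in `alt_names`, but the consul_cert.pem.tpl.j2 template added in this commit only appends `{{ renew_consul_certificates_consul_service_name }}` after `localhost` when `include_consul_service` is set, which with the scenario's group_vars renders `alt_names=localhost,consul.service.consul`; both assertions fail as written and look carried over from the vault role's tests. Either trim the expected strings to what the consul template produces or extend the template, but the test and template must agree. There is also no test for `consul_ca.pem.tpl`, although configure.yml deploys it and consul_config.hcl references it; a third `host.file(...)` in `test_template_files` would close that gap, and the `mode == 0o600` checks on the token-bearing config are the right thing to keep.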
@ -1,2 +1,48 @@
|
||||
---
|
||||
# task/configure file for renew_consul_certificates
|
||||
- name: "Configure files for consul certificate renewal"
|
||||
notify:
|
||||
- "systemctl-enable-consul-certs"
|
||||
- "systemctl-restart-consul-certs"
|
||||
block:
|
||||
- name: "Copy consul_config.hcl template"
|
||||
ansible.builtin.template:
|
||||
src: consul_config.hcl.j2
|
||||
dest: "{{ renew_consul_certificates_config_dir }}/consul_config.hcl"
|
||||
owner: "{{ renew_consul_certificates_consul_user }}"
|
||||
group: "{{ renew_consul_certificates_consul_group }}"
|
||||
mode: '0600'
|
||||
|
||||
- name: "Copy consul_ca.pem.tpl template"
|
||||
ansible.builtin.template:
|
||||
src: consul_ca.pem.tpl.j2
|
||||
dest: "{{ renew_consul_certificates_config_dir }}/templates/consul_ca.pem.tpl"
|
||||
owner: "{{ renew_consul_certificates_consul_user }}"
|
||||
group: "{{ renew_consul_certificates_consul_group }}"
|
||||
mode: '0600'
|
||||
|
||||
- name: "Copy consul_cert.pem.tpl template"
|
||||
ansible.builtin.template:
|
||||
src: consul_cert.pem.tpl.j2
|
||||
dest: "{{ renew_consul_certificates_config_dir }}/templates/consul_cert.pem.tpl"
|
||||
owner: "{{ renew_consul_certificates_consul_user }}"
|
||||
group: "{{ renew_consul_certificates_consul_group }}"
|
||||
mode: '0600'
|
||||
|
||||
- name: "Copy consul_cert.key.tpl template"
|
||||
ansible.builtin.template:
|
||||
src: consul_key.pem.tpl.j2
|
||||
dest: "{{ renew_consul_certificates_config_dir }}/templates/consul_key.pem.tpl"
|
||||
owner: "{{ renew_consul_certificates_consul_user }}"
|
||||
group: "{{ renew_consul_certificates_consul_group }}"
|
||||
mode: '0600'
|
||||
|
||||
- name: "Configure consul-certs systemd service"
|
||||
ansible.builtin.template:
|
||||
src: consul-certs.service.j2
|
||||
dest: /etc/systemd/system/consul-certs.service
|
||||
owner: root
|
||||
group: root
|
||||
mode: '0644'
|
||||
notify:
|
||||
- "systemctl-daemon-reload"
|
||||
|
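Review bot: The task at L737 uses `src: consul_ca.pem.tpl.j2`, but the file this commit adds is `templates/consul_ca.pem.j2` (L1081), so the template lookup fails at runtime; renaming the new file to `consul_ca.pem.tpl.j2` brings it in line with the cert and key templates. The consul_config.hcl task at L714 renders `renew_consul_certificates_vault_token` into the file, and a `--diff` or verbose run prints the rendered content to the console and logs, so `no_log: true` (or at minimum `diff: false`) on that task keeps the token out of CI output. The task name at L783 says "consul_cert.key.tpl" while its src/dest are `consul_key.pem.tpl`; aligning the name avoids confusion in play output.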
@ -1,2 +1,15 @@
|
||||
---
|
||||
# task/install file for renew_consul_certificates
|
||||
- name: "Configure hashicorp repository"
|
||||
ansible.builtin.include_role:
|
||||
name: ednxzu.manage_repositories
|
||||
vars:
|
||||
manage_repositories_enable_default_repo: false
|
||||
manage_repositories_enable_custom_repo: true
|
||||
manage_repositories_custom_repo: "{{ renew_consul_certificates_repository }}"
|
||||
|
||||
- name: "Install consul-template"
|
||||
ansible.builtin.include_role:
|
||||
name: ednxzu.manage_apt_packages
|
||||
vars:
|
||||
manage_apt_packages_list: "{{ renew_consul_certificates_packages }}"
|
||||
|
@ -1,2 +1,10 @@
|
||||
---
|
||||
# task/main file for renew_consul_certificates
|
||||
- name: "Import prerequisites.yml"
|
||||
ansible.builtin.include_tasks: prerequisites.yml
|
||||
|
||||
- name: "Import install.yml"
|
||||
ansible.builtin.include_tasks: install.yml
|
||||
|
||||
- name: "Import configure.yml"
|
||||
ansible.builtin.include_tasks: configure.yml
|
||||
|
@ -1,2 +1,37 @@
|
||||
---
|
||||
# task/prerequisites file for renew_consul_certificates
|
||||
- name: "Install required roles"
|
||||
ansible.builtin.command:
|
||||
cmd: "ansible-galaxy install {{ item }}"
|
||||
loop: "{{ renew_consul_certificates_prerequisites_roles }}"
|
||||
changed_when: false
|
||||
delegate_to: localhost
|
||||
run_once: true
|
||||
|
||||
- name: "Create directory {{ renew_consul_certificates_config_dir }}"
|
||||
ansible.builtin.file:
|
||||
path: "{{ renew_consul_certificates_config_dir }}"
|
||||
state: directory
|
||||
owner: "{{ renew_consul_certificates_consul_user }}"
|
||||
group: "{{ renew_consul_certificates_consul_group }}"
|
||||
mode: '0755'
|
||||
|
||||
- name: "Create directory templates directory in {{ renew_consul_certificates_config_dir }}"
|
||||
ansible.builtin.file:
|
||||
path: "{{ renew_consul_certificates_config_dir }}/templates"
|
||||
state: directory
|
||||
owner: "{{ renew_consul_certificates_consul_user }}"
|
||||
group: "{{ renew_consul_certificates_consul_group }}"
|
||||
mode: '0755'
|
||||
|
||||
- name: "Ensure certificate/key directory(ies) exist(s)"
|
||||
ansible.builtin.file:
|
||||
path: "{{item | dirname }}"
|
||||
state: directory
|
||||
owner: "{{ renew_consul_certificates_consul_user }}"
|
||||
group: "{{ renew_consul_certificates_consul_group }}"
|
||||
mode: '0755'
|
||||
loop:
|
||||
- "{{ renew_consul_certificates_cert_dest }}"
|
||||
- "{{ renew_consul_certificates_key_dest }}"
|
||||
- "{{ renew_consul_certificates_ca_dest }}"
|
||||
|
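Review bot: "Install required roles" shells out to `ansible-galaxy install {{ item }}` on the controller during every play, with no version pin, so the role's own dependencies are resolved from the network at run time and can change underneath a deployment; `changed_when: false` also hides whether anything was actually fetched. The conventional mechanism is `meta/main.yml` dependencies or a pinned `requirements.yml` installed before the play, which keeps the controller's role set reproducible and auditable. The `cmd:` form (no shell) means the item values are not shell-interpolated, which is correct since they come from vars/main.yml; if this task stays, a comment explaining why the role installs its dependencies itself would help the next reader. `"{{item | dirname }}"` at L998 is missing the space after `{{` that the rest of the file uses.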
16
templates/consul-certs.service.j2
Normal file
16
templates/consul-certs.service.j2
Normal file
@ -0,0 +1,16 @@
|
||||
[Unit]
|
||||
Description=Automatic renewal of consul certificate using consul-template
|
||||
Requires=network-online.target
|
||||
After=network-online.target consul.service
|
||||
ConditionFileNotEmpty={{ renew_consul_certificates_config_dir }}/consul_config.hcl
|
||||
|
||||
[Service]
|
||||
User={{ renew_consul_certificates_consul_user }}
|
||||
Group={{ renew_consul_certificates_consul_group }}
|
||||
ExecStart=/usr/bin/consul-template $OPTIONS -config={{ renew_consul_certificates_config_dir }}/consul_config.hcl
|
||||
ExecReload=/bin/kill --signal HUP $MAINPID
|
||||
KillSignal=SIGINT
|
||||
Restart=on-failure
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
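Review bot: `$OPTIONS` in `ExecStart=` is never defined — the unit has no `Environment=` or `EnvironmentFile=` line — so it expands to nothing; either add `EnvironmentFile=-/etc/default/consul-certs` (path is a suggestion) so operators can pass flags, or drop the variable. Since the service runs as the consul user and only needs to write the rendered certificate paths, hardening directives such as `NoNewPrivileges=true` and `ProtectSystem=full` look safe to add under `[Service]`, though that should be confirmed against the actual destination paths in use. A comment above `ConditionFileNotEmpty=` noting that the unit silently stays inactive when the config has not been rendered would explain a confusing failure mode.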
5
templates/consul_ca.pem.j2
Normal file
5
templates/consul_ca.pem.j2
Normal file
@ -0,0 +1,5 @@
|
||||
{% raw %}{{ with secret {% endraw %}"{{ renew_consul_certificates_info['issuer_path'] }}" "common_name={{ renew_consul_certificates_info['common_name'] }}" "ttl={{ renew_consul_certificates_info['ttl'] }}" "alt_names=localhost{% if renew_consul_certificates_info['is_server'] %},server.{{ renew_consul_certificates_consul_dc_name }}{% endif %}{% if renew_consul_certificates_info['include_consul_service']%},{{ renew_consul_certificates_consul_service_name }}{% endif %}" "ip_sans=127.0.0.1"{% raw %} }}{% endraw %}
|
||||
|
||||
{% raw %}{{ .Data.issuing_ca }}{% endraw %}
|
||||
|
||||
{% raw %}{{ end }}{% endraw %}
|
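Review bot: The `with secret ...` line at L1089 is repeated verbatim in consul_cert.pem.tpl.j2 (L1107-1121) and consul_key.pem.tpl.j2 (L1232-1246), so any change to the SAN or TTL handling has to be made three times and the three files can drift; an `{% include %}`d snippet or a macro holding that line would keep them in sync. Reading `renew_consul_certificates_info['is_server']` and `['include_consul_service']` directly means any inventory that overrides the mapping without those keys fails at template time; `renew_consul_certificates_info['is_server'] | default(false)` (and likewise for `include_consul_service`) makes partial overrides safe. `{% if renew_consul_certificates_info['include_consul_service']%}` is also missing the space before `%}` used everywhere else on the line.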
5
templates/consul_cert.pem.tpl.j2
Normal file
5
templates/consul_cert.pem.tpl.j2
Normal file
@ -0,0 +1,5 @@
|
||||
{% raw %}{{ with secret {% endraw %}"{{ renew_consul_certificates_info['issuer_path'] }}" "common_name={{ renew_consul_certificates_info['common_name'] }}" "ttl={{ renew_consul_certificates_info['ttl'] }}" "alt_names=localhost{% if renew_consul_certificates_info['is_server'] %},server.{{ renew_consul_certificates_consul_dc_name }}{% endif %}{% if renew_consul_certificates_info['include_consul_service']%},{{ renew_consul_certificates_consul_service_name }}{% endif %}" "ip_sans=127.0.0.1"{% raw %} }}{% endraw %}
|
||||
|
||||
{% raw %}{{ .Data.certificate }}{% endraw %}
|
||||
|
||||
{% raw %}{{ end }}{% endraw %}
|
33
templates/consul_config.hcl.j2
Normal file
33
templates/consul_config.hcl.j2
Normal file
@ -0,0 +1,33 @@
|
||||
vault {
|
||||
address = "{{ renew_consul_certificates_vault_addr }}"
|
||||
token = "{{ renew_consul_certificates_vault_token }}"
|
||||
unwrap_token = {{ renew_consul_certificates_vault_token_unwrap|lower }}
|
||||
renew_token = {{ renew_consul_certificates_vault_token_renew|lower }}
|
||||
}
|
||||
|
||||
template {
|
||||
source = "{{ renew_consul_certificates_config_dir }}/templates/consul_ca.pem.tpl"
|
||||
destination = "{{ renew_consul_certificates_ca_dest }}"
|
||||
perms = 0700
|
||||
user = "{{ renew_consul_certificates_consul_user }}"
|
||||
group = "{{ renew_consul_certificates_consul_group }}"
|
||||
command = "sh -c 'echo \"$(date) Update certificate and key file for {{ renew_consul_certificates_info['common_name'] }}\" && pkill -SIGHUP vault '"
|
||||
}
|
||||
|
||||
template {
|
||||
source = "{{ renew_consul_certificates_config_dir }}/templates/consul_cert.pem.tpl"
|
||||
destination = "{{ renew_consul_certificates_cert_dest }}"
|
||||
perms = 0700
|
||||
user = "{{ renew_consul_certificates_consul_user }}"
|
||||
group = "{{ renew_consul_certificates_consul_group }}"
|
||||
command = "sh -c 'echo \"$(date) Update certificate and key file for {{ renew_consul_certificates_info['common_name'] }}\" && pkill -SIGHUP vault '"
|
||||
}
|
||||
|
||||
template {
|
||||
source = "{{ renew_consul_certificates_config_dir }}/templates/consul_key.pem.tpl"
|
||||
destination = "{{ renew_consul_certificates_key_dest }}"
|
||||
perms = 0700
|
||||
user = "{{ renew_consul_certificates_consul_user }}"
|
||||
group = "{{ renew_consul_certificates_consul_group }}"
|
||||
command = "sh -c 'echo \"$(date) Update certificate and key file for {{ renew_consul_certificates_info['common_name'] }}\" && pkill -SIGHUP vault '"
|
||||
}
|
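Review bot: `perms = 0700` on all three rendered files sets the execute bit on PEM material; `0600` is the conventional mode for the key and certificate, and the CA bundle can be `0644` if other local processes need to validate against it. Each `command` runs `pkill -SIGHUP vault` in a role whose purpose is renewing Consul's certificates, which looks copied from the vault role; if the intent is for Consul to pick up the new cert and key, the target should be the consul process (and whether the Consul version in use reloads TLS material on SIGHUP should be confirmed). The `token = "..."` stanza writes the Vault token in clear, which is acceptable only because configure.yml sets `mode: '0600'` on this file; a comment in the template saying the file must stay owner-readable only would tie the two together.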
5
templates/consul_key.pem.tpl.j2
Normal file
5
templates/consul_key.pem.tpl.j2
Normal file
@ -0,0 +1,5 @@
|
||||
{% raw %}{{ with secret {% endraw %}"{{ renew_consul_certificates_info['issuer_path'] }}" "common_name={{ renew_consul_certificates_info['common_name'] }}" "ttl={{ renew_consul_certificates_info['ttl'] }}" "alt_names=localhost{% if renew_consul_certificates_info['is_server'] %},server.{{ renew_consul_certificates_consul_dc_name }}{% endif %}{% if renew_consul_certificates_info['include_consul_service']%},{{ renew_consul_certificates_consul_service_name }}{% endif %}" "ip_sans=127.0.0.1"{% raw %} }}{% endraw %}
|
||||
|
||||
{% raw %}{{ .Data.private_key }}{% endraw %}
|
||||
|
||||
{% raw %}{{ end }}{% endraw %}
|
@ -1,2 +1,17 @@
|
||||
---
|
||||
# vars file for renew_consul_certificates
|
||||
renew_consul_certificates_prerequisites_roles:
|
||||
- ednxzu.manage_repositories
|
||||
- ednxzu.manage_apt_packages
|
||||
renew_consul_certificates_repository:
|
||||
- uri: "https://apt.releases.hashicorp.com"
|
||||
gpg_key: "https://apt.releases.hashicorp.com/gpg"
|
||||
comments: "hashicorp repository"
|
||||
type: "deb"
|
||||
suites: "{{ ansible_distribution_release }}"
|
||||
components: "main"
|
||||
filename: "hashicorp"
|
||||
renew_consul_certificates_packages:
|
||||
- name: consul-template
|
||||
version: latest
|
||||
state: present
|
||||
|
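Review bot: `version: latest` for `consul-template` leaves the installed binary unpinned, so two runs of the role can deploy different versions; a pinned version string (placeholder `"<pinned version>"`) makes the deployment reproducible, though how `manage_apt_packages` interprets `latest` cannot be confirmed from here. Because these live in `vars/`, which sits above inventory and extra-vars in precedence, users cannot override the repository or package list; if that is intentional a comment should say so, otherwise `defaults/` is the usual home. This file's header is not in view; the file name is inferred from the `# vars file for renew_consul_certificates` comment.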