From e4bcbefa51a9296a36662a478a33ca7e5f8729eb Mon Sep 17 00:00:00 2001
From: Bertrand Lanson
Date: Fri, 5 May 2023 22:48:57 +0200
Subject: [PATCH] added consul reload back, with env variable file

---
 README.md | 7 ++++++
 defaults/main.yml | 3 +++
 defaults/renew_consul_certificates.yml.sample | 3 +++
 .../with_custom_config/group_vars/all.yml | 3 +++
 tasks/configure.yml | 22 ++++++++++++++-----
 templates/consul-certs.env.j2 | 4 ++++
 templates/consul-certs.service.j2 | 1 +
 7 files changed, 37 insertions(+), 6 deletions(-)
 create mode 100644 templates/consul-certs.env.j2

diff --git a/README.md b/README.md
index 05abfee..4f25129 100644
--- a/README.md
+++ b/README.md
@@ -28,6 +28,13 @@ renew_consul_certificates_consul_group: consul # by default, set to consul
 ```
 This variable defines the group that'll be running the certificate renewal service. Defaults to `consul`, and should be present on the host prior to playing this role (ideally when installing consul).
 
+```yaml
+renew_consul_certificates_service_env_variables:
+ consul_http_addr: http://127.0.0.1:8500
+ # consul_http_token:
+```
+This variable sets the environment variables for the consul-certs services (notably the address and token to use for the `consul reload` command).
+
 ```yaml
 renew_consul_certificates_vault_addr: https://vault.example.com # by default, set to https://vault.example.com
 ```
diff --git a/defaults/main.yml b/defaults/main.yml
index fd0e98e..a5a13ea 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -3,6 +3,9 @@
 renew_consul_certificates_config_dir: /etc/consul-template.d/consul
 renew_consul_certificates_consul_user: consul
 renew_consul_certificates_consul_group: consul
+renew_consul_certificates_service_env_variables:
+ consul_http_addr: http://127.0.0.1:8500
+ # consul_http_token:
 renew_consul_certificates_vault_addr: "https://vault.example.com"
 renew_consul_certificates_vault_token: mysupersecretconsultokenthatyoushouldchange
 renew_consul_certificates_vault_token_unwrap: false
diff --git a/defaults/renew_consul_certificates.yml.sample b/defaults/renew_consul_certificates.yml.sample
index 50a2598..e289122 100644
--- a/defaults/renew_consul_certificates.yml.sample
+++ b/defaults/renew_consul_certificates.yml.sample
@@ -2,6 +2,9 @@
 # renew_consul_certificates_config_dir: /etc/consul-template.d/consul
 # renew_consul_certificates_consul_user: consul
 # renew_consul_certificates_consul_group: consul
+# renew_consul_certificates_service_env_variables:
+# consul_http_addr: http://127.0.0.1:8500
+# # consul_http_token:
 # renew_consul_certificates_vault_addr: "https://consul.example.com"
 # renew_consul_certificates_vault_token: mysupersecretconsultokenthatyoushouldchange
 # renew_consul_certificates_vault_token_unwrap: false
diff --git a/molecule/with_custom_config/group_vars/all.yml b/molecule/with_custom_config/group_vars/all.yml
index b57a796..945a562 100644
--- a/molecule/with_custom_config/group_vars/all.yml
+++ b/molecule/with_custom_config/group_vars/all.yml
@@ -2,6 +2,9 @@
 renew_consul_certificates_config_dir: /etc/consul-template.d/consul
 renew_consul_certificates_consul_user: consul
 renew_consul_certificates_consul_group: consul
+renew_consul_certificates_service_env_variables:
+ consul_http_addr: http://127.0.0.1:8500
+ # consul_http_token:
 renew_consul_certificates_vault_addr: "https://consul.example.com"
 renew_consul_certificates_vault_token: mysupersecretconsultokenthatyoushouldchange
 renew_consul_certificates_vault_token_unwrap: false
diff --git a/tasks/configure.yml b/tasks/configure.yml
index 17acbbc..7ef5491 100644
--- a/tasks/configure.yml
+++ b/tasks/configure.yml
@@ -38,11 +38,21 @@
 mode: '0600'
 
 - name: "Configure consul-certs systemd service"
- ansible.builtin.template:
- src: consul-certs.service.j2
- dest: /etc/systemd/system/consul-certs.service
- owner: root
- group: root
- mode: '0644'
 notify:
 - "systemctl-daemon-reload"
+ block:
+ - name: "Configure consul-certs env file"
+ ansible.builtin.template:
+ src: consul-certs.env.j2
+ dest: "{{ renew_consul_certificates_config_dir }}/consul-certs.env"
+ owner: root
+ group: root
+ mode: '0644'
+
+ - name: "Configure consul-certs systemd service"
+ ansible.builtin.template:
+ src: consul-certs.service.j2
+ dest: /etc/systemd/system/consul-certs.service
+ owner: root
+ group: root
+ mode: '0644'
diff --git a/templates/consul-certs.env.j2 b/templates/consul-certs.env.j2
new file mode 100644
index 0000000..0303f37
--- /dev/null
+++ b/templates/consul-certs.env.j2
@@ -0,0 +1,4 @@
+# {{ ansible_managed }}
+{% for item in renew_consul_certificates_service_env_variables %}
+{{ item|upper }}="{{ renew_consul_certificates_service_env_variables[item] }}"
+{% endfor %}
\ No newline at end of file
diff --git a/templates/consul-certs.service.j2 b/templates/consul-certs.service.j2
index f43d719..987b365 100644
--- a/templates/consul-certs.service.j2
+++ b/templates/consul-certs.service.j2
@@ -5,6 +5,7 @@ After=network-online.target consul.service
 ConditionFileNotEmpty={{ renew_consul_certificates_config_dir }}/consul_config.hcl
 
 [Service]
+EnvironmentFile=-{{ renew_consul_certificates_config_dir }}/consul-certs.env
 User={{ renew_consul_certificates_consul_user }}
 Group={{ renew_consul_certificates_consul_group }}
 ExecStart=/usr/bin/consul-template $OPTIONS -config={{ renew_consul_certificates_config_dir }}/consul_config.hcl
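Review bot: The new "Configure consul-certs env file" task writes `{{ renew_consul_certificates_config_dir }}/consul-certs.env` with `mode: '0644'`, yet the README hunk in this same commit says that file carries the token used for `consul reload`, so once `consul_http_token` is set every local user can read `CONSUL_HTTP_TOKEN`. systemd's service manager reads `EnvironmentFile=` itself before switching to `User=`/`Group=`, so root-owned `mode: '0600'` should be sufficient here — worth confirming on the target systemd version rather than widening to the consul group. Separately, the block-level `notify: - "systemctl-daemon-reload"` now also fires when only the env file changes, but a daemon-reload does not re-read `EnvironmentFile=` for a running unit; a changed address or token only takes effect after consul-certs is restarted, which this commit does not arrange. The surrounding task list starts and ends outside the hunk.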
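Review bot: `{{ item|upper }}="{{ renew_consul_certificates_service_env_variables[item] }}"` renders a key whose YAML value is empty as Jinja's default text for a null value, the string `None`, so a user who uncomments the `# consul_http_token:` placeholder shown in defaults/main.yml, the .yml.sample, group_vars/all.yml and the README without filling it in ships `CONSUL_HTTP_TOKEN="None"` to consul. Rendering the value as `{{ renew_consul_certificates_service_env_variables[item] | default('', true) }}`, or skipping null entries with an `{% if %}` guard, avoids that. The value is also interpolated verbatim between double quotes, so a token or address containing `"` or a backslash would break the file as systemd parses it; the `# {{ ansible_managed }}` header is a good place to document that constraint.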
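Review bot: `EnvironmentFile=-{{ renew_consul_certificates_config_dir }}/consul-certs.env` uses the leading `-`, which tells systemd to ignore a missing file, while the task added to tasks/configure.yml in this commit always renders that file; a missing file therefore indicates a broken deployment, and starting anyway would presumably leave the `consul reload` invocation the README mentions without the address and token it was given this file for. Dropping the `-`, or adding a `ConditionFileNotEmpty=` for the env file next to the existing one for `consul_config.hcl`, makes the dependency explicit and fails visibly. The rest of the unit, including the `[Unit]` section, lies outside the hunk.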