diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
new file mode 100644
index 0000000..468a01d
--- /dev/null
+++ b/.gitlab-ci.yml
@@ -0,0 +1,82 @@
+---
+stages:
+ - verify
+ - test-default
+ - test-with-custom-config
+
+image:
+ name: registry.ednz.fr/forge/ansible-runner
+
+variables:
+ ANSIBLE_HOST_KEY_CHECKING: 'false'
+ ANSIBLE_FORCE_COLOR: 'true'
+ ANSIBLE_PYTHON_INTERPRETER: /usr/bin/python3
+ DOCKER_AUTH_CONFIG: $CI_DOCKER_AUTH_CONFIG
+
+.stage-test-default:
+ stage: test-default
+
+.stage-test-with-custom-config:
+ stage: test-with-custom-config
+
+.variables-ubuntu-2004:
+ variables:
+ MOLECULE_TEST_OS: "ubuntu2004"
+
+.variables-ubuntu-2204:
+ variables:
+ MOLECULE_TEST_OS: "ubuntu2204"
+
+.variables-debian-11:
+ variables:
+ MOLECULE_TEST_OS: "debian11"
+
+.script-molecule-test-default:
+ script:
+ - molecule test
+
+.script-molecule-test-with-custom-config:
+ script:
+ - molecule test -s with_custom_config
+
+ansible-verify:
+ stage: verify
+ script:
+ - yamllint . -c .yamllint
+ - ansible-lint
+
+ansible-test-ubuntu-2004-default:
+ extends:
+ - .stage-test-default
+ - .variables-ubuntu-2004
+ - .script-molecule-test-default
+
+ansible-test-ubuntu-2204-default:
+ extends:
+ - .stage-test-default
+ - .variables-ubuntu-2204
+ - .script-molecule-test-default
+
+ansible-test-debian-11-default:
+ extends:
+ - .stage-test-default
+ - .variables-debian-11
+ - .script-molecule-test-default
+
+ansible-test-ubuntu-2004-with-custom-config:
+ extends:
+ - .stage-test-with-custom-config
+ - .variables-ubuntu-2004
+ - .script-molecule-test-with-custom-config
+
+ansible-test-ubuntu-2204-with-custom-config:
+ extends:
+ - .stage-test-with-custom-config
+ - .variables-ubuntu-2204
+ - .script-molecule-test-with-custom-config
+
+ansible-test-debian-11-with-custom-config:
+ extends:
+ - .stage-test-with-custom-config
+ - .variables-debian-11
+ - .script-molecule-test-with-custom-config
diff --git a/README.md b/README.md
index 152f8a7..9dc9007 100644
--- a/README.md
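Review bot: `image.name: registry.ednz.fr/forge/ansible-runner` carries no tag or digest, so every pipeline run pulls whatever the registry currently serves as `latest` and the lint/molecule results are not reproducible between runs. Pin it, e.g. `name: registry.ednz.fr/forge/ansible-runner:<tag>` (or `@sha256:<digest>`), and bump deliberately. `ANSIBLE_HOST_KEY_CHECKING: 'false'` is set pipeline-wide although only the molecule jobs talk to hosts; moving it into the `.script-molecule-test-*` templates keeps the `ansible-verify` lint job's environment minimal. `DOCKER_AUTH_CONFIG: $CI_DOCKER_AUTH_CONFIG` relies on a project- or group-level CI variable that should be masked and protected; a one-line comment above it naming that expectation would help the next maintainer.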
+++ b/README.md 
@@ -11,80 +11,81 @@ This role assume that you already have installed a nomad server/client on the ho Role Variables -------------- -Available variables are listed below, along with default values. A sample file for the default values is available in `default/renew_consul_certificates.yml.sample` in case you need it for any `group_vars` or `host_vars` configuration. +Available variables are listed below, along with default values. A sample file for the default values is available in `default/renew_nomad_certificates.yml.sample` in case you need it for any `group_vars` or `host_vars` configuration. ```yaml -renew_consul_certificates_config_dir: /etc/consul-template.d/consul # by default, set to /etc/consul-template.d/consul +renew_nomad_certificates_config_dir: /etc/consul-template.d/nomad # by default, set to /etc/consul-template.d/nomad ``` This variable defines where the files for the role are stored (consul-template configuration + templates). ```yaml -renew_vault_certificates_consul_user: consul # by default, set to consul +renew_nomad_certificates_consul_user: nomad # by default, set to nomad ``` -This variable defines the user that'll be running the certificate renewal service. Defaults to `consul`, and should be present on the host prior to playing this role (ideally when installing consul). +This variable defines the user that'll be running the certificate renewal service. Defaults to `nomad`, and should be present on the host prior to playing this role (ideally when installing nomad). ```yaml -renew_vault_certificates_consul_group: consul # by default, set to consul +renew_nomad_certificates_consul_group: nomad # by default, set to nomad ``` -This variable defines the group that'll be running the certificate renewal service. Defaults to `consul`, and should be present on the host prior to playing this role (ideally when installing consul). +This variable defines the group that'll be running the certificate renewal service. 
Defaults to `nomad`, and should be present on the host prior to playing this role (ideally when installing nomad). ```yaml -renew_vault_certificates_vault_addr: https://127.0.0.1:8200 # by default, set to https://127.0.0.1:8200 +renew_nomad_certificates_vault_addr: https://vault.example.com # by default, set to https://vault.example.com ``` This variable defines the address the consul-template service will query to get the new certificates. Defaults to localhost, but can be changed if vault isnt reachable on localhost. ```yaml -renew_vault_certificates_vault_token: mysupersecretvaulttokenthatyoushouldchange # by default, set to a dummy string +renew_nomad_certificates_vault_token: mysupersecretvaulttokenthatyoushouldchange # by default, set to a dummy string ``` This variable defines the vault token top use to access vault and renew the certificate. Default is a dummy string to pass unit tests. ```yaml -renew_vault_certificates_vault_token_unwrap: false # by default, set to false +renew_nomad_certificates_vault_token_unwrap: false # by default, set to false ``` Defines whether or not the token is wrapped and should be unwrapped (this is an enterprise-only feature of vault at the moment). ```yaml -renew_vault_certificates_vault_token_renew: true # by default, set to true +renew_nomad_certificates_vault_token_renew: true # by default, set to true ``` This variable defines whether or not to renew the vault token. It should probably be `true`, and you should have a periodic token to handle this. ```yaml -renew_consul_certificates_ca_dest: /opt/consul/tls/ca.pem # by default, set to /opt/consul/tls/ca.pem +renew_nomad_certificates_ca_dest: /opt/nomad/tls/ca.pem # by default, set to /opt/nomad/tls/ca.pem ``` -This variable defines where to copy the certificate authority upon renewal. Default to `/opt/consul/tls/ca.pem` but should be changed depending on where you store the certificate authority. +This variable defines where to copy the certificate authority upon renewal. 
Default to `/opt/nomad/tls/ca.pem` but should be changed depending on where you store the certificate authority. ```yaml -renew_vault_certificates_cert_dest: /opt/consul/tls/cert.pem # by default, set to /opt/consul/tls/cert.pem +renew_nomad_certificates_cert_dest: /opt/nomad/tls/cert.pem # by default, set to /opt/nomad/tls/cert.pem ``` -This variable defines where to copy the certificates upon renewal. Default to `/opt/consul/tls/cert.pem` but should be changed depending on where you store the certificates. +This variable defines where to copy the certificates upon renewal. Default to `/opt/nomad/tls/cert.pem` but should be changed depending on where you store the certificates. ```yaml -renew_consul_certificates_key_dest: /opt/consul/tls/key.pem # by default, set to /opt/consul/tls/cert.pem +renew_nomad_certificates_key_dest: /opt/nomad/tls/key.pem # by default, set to /opt/nomad/tls/cert.pem ``` -This variable defines where to copy the private keys upon renewal. Default to `/opt/consul/tls/key.pem` but should be changed depending on where you store the keys. +This variable defines where to copy the private keys upon renewal. Default to `/opt/nomad/tls/key.pem` but should be changed depending on where you store the keys. ```yaml -renew_consul_certificates_info: # by default, set to: +renew_nomad_certificates_info: # by default, set to: issuer_path: pki/issue/your-issuer common_name: consul01.example.com ttl: 90d is_server: false + is_client: false include_consul_service: false ``` -This variable defines the path on vault to retrieve the certificates, as well as the common name and TTL to use for it. It can also include consul aliases in case you have registered consul services in itself (`consul.service.consul`). It also handles whether or not to append the server.yourdc.consul SAN, in case you're enforcing hostname checking. +This variable defines the path on vault to retrieve the certificates, as well as the common name and TTL to use for it. 
It can also include nomad aliases in case you have registered nomad services in consul (`nomad.service.consul`). It also handles whether or not to append the server/client.yourdc.consul SAN, in case you're enforcing hostname checking. ```yaml -renew_consul_certificates_consul_dc_name: dc1.consul # by default, set to dc1.consul +renew_nomad_certificates_nomad_dc_name: dc1.nomad # by default, set to dc1.nomad ``` -In case you enforce hostname checking, set this variable to your desired dc and consul domain. This is used to forge the SAN that will be checked by consul to only allow specific nodes to be managers. +In case you enforce hostname checking, set this variable to your desired dc and nomad domain. This is used to forge the SAN that will be checked by nomad to only allow specific nodes to be managers. ```yaml -renew_consul_certificates_consul_service_name: consul.service.consul # by default, set to consul.service.consul +renew_nomad_certificates_consul_service_name: nomad.service.consul # by default, set to nomad.service.consul ``` -This variable defines the consul service name in consul. Default is `consul.service.consul` +This variable defines the nomad service name in consul. Default is `nomad.service.consul` ```yaml -renew_consul_certificates_start_service: false +renew_nomad_certificates_start_service: false ``` This variable defines whether or not to start the service after creating it. By default, it is only enabled, but not started, in case you're building golden images (in which case you probably don't want a certificate generated during the build process). @@ -101,7 +102,7 @@ Including an example of how to use your role (for instance, with variables passe # calling the role inside a playbook with either the default or group_vars/host_vars - hosts: servers roles: - - ednxzu.renew_consul_certificates + - ednxzu.renew_nomad_certificates ``` License diff --git a/defaults/main.yml b/defaults/main.yml index b7ee706..5feb77b 100644 --- a/defaults/main.yml 
+++ b/defaults/main.yml @@ -15,6 +15,7 @@ renew_nomad_certificates_info: common_name: nomad01.example.com ttl: 90d is_server: false + is_client: false include_nomad_service: false renew_nomad_certificates_nomad_dc_name: dc1.nomad renew_nomad_certificates_nomad_service_name: nomad.service.nomad diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml index 6132acb..7a62eb2 100644 --- a/molecule/default/molecule.yml +++ b/molecule/default/molecule.yml @@ -22,7 +22,7 @@ provisioner: verifier: name: testinfra scenario: - name: with_custom_config + name: default test_sequence: - dependency - cleanup diff --git a/molecule/default/tests/test_default.py b/molecule/default/tests/test_default.py index 0cff669..a7293cd 100644 --- a/molecule/default/tests/test_default.py +++ b/molecule/default/tests/test_default.py 
@@ -3,8 +3,48 @@ def test_hosts_file(host): """Validate /etc/hosts file.""" - f = host.file("/etc/hosts") + etc_hosts = host.file("/etc/hosts") + assert etc_hosts.exists + assert etc_hosts.user == "root" + assert etc_hosts.group == "root" - assert f.exists - assert f.user == "root" - assert f.group == "root" +def test_nomad_template_config(host): + """Validate /etc/consul-template.d/nomad/ files.""" + etc_nomad_template_d_nomad_config_hcl = host.file("/etc/consul-template.d/nomad/nomad_config.hcl") + assert etc_nomad_template_d_nomad_config_hcl.exists + assert etc_nomad_template_d_nomad_config_hcl.user == "nomad" + assert etc_nomad_template_d_nomad_config_hcl.group == "nomad" + assert etc_nomad_template_d_nomad_config_hcl.mode == 0o600 + +def test_template_files(host): + """Validate /etc/consul-template.d/nomad/templates/ files.""" + nomad_ca_pem_tpl = host.file("/etc/consul-template.d/nomad/templates/nomad_ca.pem.tpl") + nomad_cert_pem_tpl = host.file("/etc/consul-template.d/nomad/templates/nomad_cert.pem.tpl") + nomad_key_pem_tpl = host.file("/etc/consul-template.d/nomad/templates/nomad_key.pem.tpl") + for file in nomad_cert_pem_tpl, nomad_key_pem_tpl: + assert file.exists + assert file.user == "nomad" + assert file.group == "nomad" + assert file.mode == 0o600 + assert nomad_ca_pem_tpl.content_string == '{{ with secret "pki/issue/your-issuer" "common_name=nomad01.example.com" "ttl=90d" "alt_names=localhost" "ip_sans=127.0.0.1" }}\n{{ .Data.issuing_ca }}\n{{ end }}\n' + assert nomad_cert_pem_tpl.content_string == '{{ with secret "pki/issue/your-issuer" "common_name=nomad01.example.com" "ttl=90d" "alt_names=localhost" "ip_sans=127.0.0.1" }}\n{{ .Data.certificate }}\n{{ .Data.issuing_ca }}\n{{ end }}\n' + assert nomad_key_pem_tpl.content_string == '{{ with secret "pki/issue/your-issuer" "common_name=nomad01.example.com" "ttl=90d" "alt_names=localhost" "ip_sans=127.0.0.1" }}\n{{ .Data.private_key }}\n{{ end }}\n' + +def test_nomad_certs_service_file(host): + 
"""Validate nomad-certs service file.""" + etc_systemd_system_nomad_certs_service = host.file("/etc/systemd/system/nomad-certs.service") + assert etc_systemd_system_nomad_certs_service.exists + assert etc_systemd_system_nomad_certs_service.user == "root" + assert etc_systemd_system_nomad_certs_service.group == "root" + assert etc_systemd_system_nomad_certs_service.mode == 0o644 + assert etc_systemd_system_nomad_certs_service.content_string != "" + +def test_nomad_certs_service(host): + """Validate nomad-certs service.""" + nomad_certs_service = host.service("nomad-certs.service") + assert nomad_certs_service.is_enabled + assert not nomad_certs_service.is_running + assert nomad_certs_service.systemd_properties["Restart"] == "on-failure" + assert nomad_certs_service.systemd_properties["User"] == "nomad" + assert nomad_certs_service.systemd_properties["Group"] == "nomad" + assert nomad_certs_service.systemd_properties["FragmentPath"] == "/etc/systemd/system/nomad-certs.service" diff --git a/molecule/with_custom_config/converge.yml b/molecule/with_custom_config/converge.yml index d9ad3ce..e272496 100644 --- a/molecule/with_custom_config/converge.yml +++ b/molecule/with_custom_config/converge.yml @@ -2,6 +2,6 @@ - name: Converge hosts: all tasks: - - name: "Include ednxzu.renew_consul_certificates" + - name: "Include ednxzu.renew_nomad_certificates" ansible.builtin.include_role: - name: "ednxzu.renew_consul_certificates" + name: "ednxzu.renew_nomad_certificates" diff --git a/molecule/with_custom_config/group_vars/all.yml b/molecule/with_custom_config/group_vars/all.yml index 60a6162..f8f9e11 100644 --- a/molecule/with_custom_config/group_vars/all.yml +++ b/molecule/with_custom_config/group_vars/all.yml @@ -14,6 +14,7 @@ renew_nomad_certificates_info: common_name: nomad01.example.com ttl: 90d is_server: true + is_client: true include_nomad_service: true renew_nomad_certificates_nomad_dc_name: dc1.nomad renew_nomad_certificates_nomad_service_name: nomad.service.nomad 
diff --git a/molecule/with_custom_config/tests/test_default.py b/molecule/with_custom_config/tests/test_default.py index c411ac2..d62196f 100644 --- a/molecule/with_custom_config/tests/test_default.py +++ b/molecule/with_custom_config/tests/test_default.py 
@@ -8,43 +8,43 @@ def test_hosts_file(host): assert etc_hosts.user == "root" assert etc_hosts.group == "root" -def test_consul_template_config(host): - """Validate /etc/consul-template.d/consul/ files.""" - etc_consul_template_d_consul_config_hcl = host.file("/etc/consul-template.d/consul/consul_config.hcl") - assert etc_consul_template_d_consul_config_hcl.exists - assert etc_consul_template_d_consul_config_hcl.user == "consul" - assert etc_consul_template_d_consul_config_hcl.group == "consul" - assert etc_consul_template_d_consul_config_hcl.mode == 0o600 +def test_nomad_template_config(host): + """Validate /etc/consul-template.d/nomad/ files.""" + etc_nomad_template_d_nomad_config_hcl = host.file("/etc/consul-template.d/nomad/nomad_config.hcl") + assert etc_nomad_template_d_nomad_config_hcl.exists + assert etc_nomad_template_d_nomad_config_hcl.user == "nomad" + assert etc_nomad_template_d_nomad_config_hcl.group == "nomad" + assert etc_nomad_template_d_nomad_config_hcl.mode == 0o600 def test_template_files(host): - """Validate /etc/consul-template.d/consul/templates/ files.""" - consul_ca_pem_tpl = host.file("/etc/consul-template.d/consul/templates/consul_ca.pem.tpl") - consul_cert_pem_tpl = host.file("/etc/consul-template.d/consul/templates/consul_cert.pem.tpl") - consul_key_pem_tpl = host.file("/etc/consul-template.d/consul/templates/consul_key.pem.tpl") - for file in consul_cert_pem_tpl, consul_key_pem_tpl: + """Validate /etc/consul-template.d/nomad/templates/ files.""" + nomad_ca_pem_tpl = host.file("/etc/consul-template.d/nomad/templates/nomad_ca.pem.tpl") + nomad_cert_pem_tpl = host.file("/etc/consul-template.d/nomad/templates/nomad_cert.pem.tpl") + nomad_key_pem_tpl = host.file("/etc/consul-template.d/nomad/templates/nomad_key.pem.tpl") + for file in nomad_cert_pem_tpl, nomad_key_pem_tpl: assert file.exists - assert file.user == "consul" - assert file.group == "consul" + assert file.user == "nomad" + assert file.group == "nomad" assert file.mode == 0o600 - 
assert consul_ca_pem_tpl.content_string == '{{ with secret "pki/issue/your-issuer" "common_name=consul01.example.com" "ttl=90d" "alt_names=localhost,server.dc1.consul,consul.service.consul" "ip_sans=127.0.0.1" }}\n{{ .Data.issuing_ca }}\n{{ end }}\n' - assert consul_cert_pem_tpl.content_string == '{{ with secret "pki/issue/your-issuer" "common_name=consul01.example.com" "ttl=90d" "alt_names=localhost,server.dc1.consul,consul.service.consul" "ip_sans=127.0.0.1" }}\n{{ .Data.certificate }}\n{{ .Data.issuing_ca }}\n{{ end }}\n' - assert consul_key_pem_tpl.content_string == '{{ with secret "pki/issue/your-issuer" "common_name=consul01.example.com" "ttl=90d" "alt_names=localhost,server.dc1.consul,consul.service.consul" "ip_sans=127.0.0.1" }}\n{{ .Data.private_key }}\n{{ end }}\n' + assert nomad_ca_pem_tpl.content_string == '{{ with secret "pki/issue/your-issuer" "common_name=nomad01.example.com" "ttl=90d" "alt_names=localhost,server.dc1.nomad,client.dc1.nomad,nomad.service.nomad" "ip_sans=127.0.0.1" }}\n{{ .Data.issuing_ca }}\n{{ end }}\n' + assert nomad_cert_pem_tpl.content_string == '{{ with secret "pki/issue/your-issuer" "common_name=nomad01.example.com" "ttl=90d" "alt_names=localhost,server.dc1.nomad,client.dc1.nomad,nomad.service.nomad" "ip_sans=127.0.0.1" }}\n{{ .Data.certificate }}\n{{ .Data.issuing_ca }}\n{{ end }}\n' + assert nomad_key_pem_tpl.content_string == '{{ with secret "pki/issue/your-issuer" "common_name=nomad01.example.com" "ttl=90d" "alt_names=localhost,server.dc1.nomad,client.dc1.nomad,nomad.service.nomad" "ip_sans=127.0.0.1" }}\n{{ .Data.private_key }}\n{{ end }}\n' -def test_consul_certs_service_file(host): - """Validate consul-certs service file.""" - etc_systemd_system_consul_certs_service = host.file("/etc/systemd/system/consul-certs.service") - assert etc_systemd_system_consul_certs_service.exists - assert etc_systemd_system_consul_certs_service.user == "root" - assert etc_systemd_system_consul_certs_service.group == "root" - assert 
etc_systemd_system_consul_certs_service.mode == 0o644 - assert etc_systemd_system_consul_certs_service.content_string != "" +def test_nomad_certs_service_file(host): + """Validate nomad-certs service file.""" + etc_systemd_system_nomad_certs_service = host.file("/etc/systemd/system/nomad-certs.service") + assert etc_systemd_system_nomad_certs_service.exists + assert etc_systemd_system_nomad_certs_service.user == "root" + assert etc_systemd_system_nomad_certs_service.group == "root" + assert etc_systemd_system_nomad_certs_service.mode == 0o644 + assert etc_systemd_system_nomad_certs_service.content_string != "" -def test_consul_certs_service(host): - """Validate consul-certs service.""" - consul_certs_service = host.service("consul-certs.service") - assert consul_certs_service.is_enabled - assert not consul_certs_service.is_running - assert consul_certs_service.systemd_properties["Restart"] == "on-failure" - assert consul_certs_service.systemd_properties["User"] == "consul" - assert consul_certs_service.systemd_properties["Group"] == "consul" - assert consul_certs_service.systemd_properties["FragmentPath"] == "/etc/systemd/system/consul-certs.service" +def test_nomad_certs_service(host): + """Validate nomad-certs service.""" + nomad_certs_service = host.service("nomad-certs.service") + assert nomad_certs_service.is_enabled + assert not nomad_certs_service.is_running + assert nomad_certs_service.systemd_properties["Restart"] == "on-failure" + assert nomad_certs_service.systemd_properties["User"] == "nomad" + assert nomad_certs_service.systemd_properties["Group"] == "nomad" + assert nomad_certs_service.systemd_properties["FragmentPath"] == "/etc/systemd/system/nomad-certs.service" diff --git a/templates/consul-certs.service.j2 b/templates/consul-certs.service.j2 deleted file mode 100644 index f43d719..0000000 --- a/templates/consul-certs.service.j2 +++ /dev/null 
@@ -1,16 +0,0 @@ -[Unit] -Description=Automatic renewal of consul certificate using consul-template -Requires=network-online.target -After=network-online.target consul.service -ConditionFileNotEmpty={{ renew_consul_certificates_config_dir }}/consul_config.hcl - -[Service] -User={{ renew_consul_certificates_consul_user }} -Group={{ renew_consul_certificates_consul_group }} -ExecStart=/usr/bin/consul-template $OPTIONS -config={{ renew_consul_certificates_config_dir }}/consul_config.hcl -ExecReload=/bin/kill --signal HUP $MAINPID -KillSignal=SIGINT -Restart=on-failure - -[Install] -WantedBy=multi-user.target \ No newline at end of file diff --git a/templates/consul_ca.pem.tpl.j2 b/templates/consul_ca.pem.tpl.j2 deleted file mode 100644 index 65e4826..0000000 --- a/templates/consul_ca.pem.tpl.j2 +++ /dev/null @@ -1,5 +0,0 @@ -{% raw %}{{ with secret {% endraw %}"{{ renew_consul_certificates_info['issuer_path'] }}" "common_name={{ renew_consul_certificates_info['common_name'] }}" "ttl={{ renew_consul_certificates_info['ttl'] }}" "alt_names=localhost{% if renew_consul_certificates_info['is_server'] %},server.{{ renew_consul_certificates_consul_dc_name }}{% endif %}{% if renew_consul_certificates_info['include_consul_service']%},{{ renew_consul_certificates_consul_service_name }}{% endif %}" "ip_sans=127.0.0.1"{% raw %} }}{% endraw %} - -{% raw %}{{ .Data.issuing_ca }}{% endraw %} - -{% raw %}{{ end }}{% endraw %} diff --git a/templates/consul_cert.pem.tpl.j2 b/templates/consul_cert.pem.tpl.j2 deleted file mode 100644 index b45ded2..0000000 --- a/templates/consul_cert.pem.tpl.j2 +++ /dev/null 
@@ -1,7 +0,0 @@ -{% raw %}{{ with secret {% endraw %}"{{ renew_consul_certificates_info['issuer_path'] }}" "common_name={{ renew_consul_certificates_info['common_name'] }}" "ttl={{ renew_consul_certificates_info['ttl'] }}" "alt_names=localhost{% if renew_consul_certificates_info['is_server'] %},server.{{ renew_consul_certificates_consul_dc_name }}{% endif %}{% if renew_consul_certificates_info['include_consul_service']%},{{ renew_consul_certificates_consul_service_name }}{% endif %}" "ip_sans=127.0.0.1"{% raw %} }}{% endraw %} - -{% raw %}{{ .Data.certificate }}{% endraw %} - -{% raw %}{{ .Data.issuing_ca }}{% endraw %} - -{% raw %}{{ end }}{% endraw %} diff --git a/templates/consul_config.hcl.j2 b/templates/consul_config.hcl.j2 deleted file mode 100644 index cf34570..0000000 --- a/templates/consul_config.hcl.j2 +++ /dev/null 
@@ -1,33 +0,0 @@ -vault { - address = "{{ renew_consul_certificates_vault_addr }}" - token = "{{ renew_consul_certificates_vault_token }}" - unwrap_token = {{ renew_consul_certificates_vault_token_unwrap|lower }} - renew_token = {{ renew_consul_certificates_vault_token_renew|lower }} -} - -template { - source = "{{ renew_consul_certificates_config_dir }}/templates/consul_ca.pem.tpl" - destination = "{{ renew_consul_certificates_ca_dest }}" - perms = 0700 - user = "{{ renew_consul_certificates_consul_user }}" - group = "{{ renew_consul_certificates_consul_group }}" - command = "sh -c 'echo \"$(date) Update certificate and key file for {{ renew_consul_certificates_info['common_name'] }}\" && consul reload '" -} - -template { - source = "{{ renew_consul_certificates_config_dir }}/templates/consul_cert.pem.tpl" - destination = "{{ renew_consul_certificates_cert_dest }}" - perms = 0700 - user = "{{ renew_consul_certificates_consul_user }}" - group = "{{ renew_consul_certificates_consul_group }}" - command = "sh -c 'echo \"$(date) Update certificate and key file for {{ renew_consul_certificates_info['common_name'] }}\" && consul reload '" -} - -template { - source = "{{ renew_consul_certificates_config_dir }}/templates/consul_key.pem.tpl" - destination = "{{ renew_consul_certificates_key_dest }}" - perms = 0700 - user = "{{ renew_consul_certificates_consul_user }}" - group = "{{ renew_consul_certificates_consul_group }}" - command = "sh -c 'echo \"$(date) Update certificate and key file for {{ renew_consul_certificates_info['common_name'] }}\" && consul reload '" -} diff --git a/templates/consul_key.pem.tpl.j2 b/templates/consul_key.pem.tpl.j2 deleted file mode 100644 index 234de6c..0000000 --- a/templates/consul_key.pem.tpl.j2 +++ /dev/null 
@@ -1,5 +0,0 @@
-{% raw %}{{ with secret {% endraw %}"{{ renew_consul_certificates_info['issuer_path'] }}" "common_name={{ renew_consul_certificates_info['common_name'] }}" "ttl={{ renew_consul_certificates_info['ttl'] }}" "alt_names=localhost{% if renew_consul_certificates_info['is_server'] %},server.{{ renew_consul_certificates_consul_dc_name }}{% endif %}{% if renew_consul_certificates_info['include_consul_service']%},{{ renew_consul_certificates_consul_service_name }}{% endif %}" "ip_sans=127.0.0.1"{% raw %} }}{% endraw %}
-
-{% raw %}{{ .Data.private_key }}{% endraw %}
-
-{% raw %}{{ end }}{% endraw %}
diff --git a/templates/nomad-certs.service.j2 b/templates/nomad-certs.service.j2
new file mode 100644
index 0000000..f678031
--- /dev/null
+++ b/templates/nomad-certs.service.j2
@@ -0,0 +1,16 @@
+[Unit]
+Description=Automatic renewal of nomad certificate using consul-template
+Requires=network-online.target
+After=network-online.target nomad.service
+ConditionFileNotEmpty={{ renew_nomad_certificates_config_dir }}/nomad_config.hcl
+
+[Service]
+User={{ renew_nomad_certificates_nomad_user }}
+Group={{ renew_nomad_certificates_nomad_group }}
+ExecStart=/usr/bin/nomad-template $OPTIONS -config={{ renew_nomad_certificates_config_dir }}/nomad_config.hcl
+ExecReload=/bin/kill --signal HUP $MAINPID
+KillSignal=SIGINT
+Restart=on-failure
+
+[Install]
+WantedBy=multi-user.target
\ No newline at end of file
diff --git a/templates/nomad_ca.pem.tpl.j2 b/templates/nomad_ca.pem.tpl.j2
new file mode 100644
index 0000000..781fe1b
--- /dev/null
+++ b/templates/nomad_ca.pem.tpl.j2
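Review bot: `ExecStart=/usr/bin/nomad-template $OPTIONS -config={{ renew_nomad_certificates_config_dir }}/nomad_config.hcl` in the new `nomad-certs.service.j2` points at a binary that, as far as I can tell, does not exist — the consul→nomad rename was applied to the tool name as well, while the `Description=` line in the same hunk still says consul-template and `nomad_config.hcl` is consul-template configuration. The unit would fail on every start, and the molecule scenarios cannot see it because `test_nomad_certs_service` asserts the service is enabled but not running. It should read `ExecStart=/usr/bin/consul-template $OPTIONS -config={{ renew_nomad_certificates_config_dir }}/nomad_config.hcl`. Also, `User=`/`Group=` reference `renew_nomad_certificates_nomad_user` and `_nomad_group`, whereas the README hunk in this commit documents `renew_nomad_certificates_consul_user`/`_consul_group`; `defaults/main.yml` is only partially in this diff, so I cannot tell which name is the real one, but one of the two needs fixing.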
@@ -0,0 +1,5 @@
+{% raw %}{{ with secret {% endraw %}"{{ renew_nomad_certificates_info['issuer_path'] }}" "common_name={{ renew_nomad_certificates_info['common_name'] }}" "ttl={{ renew_nomad_certificates_info['ttl'] }}" "alt_names=localhost{% if renew_nomad_certificates_info['is_server'] %},server.{{ renew_nomad_certificates_nomad_dc_name }}{% endif %}{% if renew_nomad_certificates_info['is_client'] %},client.{{ renew_nomad_certificates_nomad_dc_name }}{% endif %}{% if renew_nomad_certificates_info['include_nomad_service']%},{{ renew_nomad_certificates_nomad_service_name }}{% endif %}" "ip_sans=127.0.0.1"{% raw %} }}{% endraw %}
+
+{% raw %}{{ .Data.issuing_ca }}{% endraw %}
+
+{% raw %}{{ end }}{% endraw %}
diff --git a/templates/nomad_cert.pem.tpl.j2 b/templates/nomad_cert.pem.tpl.j2
new file mode 100644
index 0000000..3113ee4
--- /dev/null
+++ b/templates/nomad_cert.pem.tpl.j2
@@ -0,0 +1,7 @@
+{% raw %}{{ with secret {% endraw %}"{{ renew_nomad_certificates_info['issuer_path'] }}" "common_name={{ renew_nomad_certificates_info['common_name'] }}" "ttl={{ renew_nomad_certificates_info['ttl'] }}" "alt_names=localhost{% if renew_nomad_certificates_info['is_server'] %},server.{{ renew_nomad_certificates_nomad_dc_name }}{% endif %}{% if renew_nomad_certificates_info['is_client'] %},client.{{ renew_nomad_certificates_nomad_dc_name }}{% endif %}{% if renew_nomad_certificates_info['include_nomad_service']%},{{ renew_nomad_certificates_nomad_service_name }}{% endif %}" "ip_sans=127.0.0.1"{% raw %} }}{% endraw %}
+
+{% raw %}{{ .Data.certificate }}{% endraw %}
+
+{% raw %}{{ .Data.issuing_ca }}{% endraw %}
+
+{% raw %}{{ end }}{% endraw %}
diff --git a/templates/nomad_config.hcl.j2 b/templates/nomad_config.hcl.j2
new file mode 100644
index 0000000..dc5fa9b
--- /dev/null
+++ b/templates/nomad_config.hcl.j2
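Review bot: The whole `alt_names=localhost{% if ... %}...{% endif %}` expression is duplicated verbatim in `nomad_ca.pem.tpl.j2`, `nomad_cert.pem.tpl.j2` and `nomad_key.pem.tpl.j2` (the last one is the next hunk), so the three Vault requests can silently drift apart after an edit to one of them — and the CA, certificate and key must come from the same SAN set. Computing the SAN list once in the role (a `set_fact` task or a derived variable) and interpolating that single variable in all three templates keeps them identical by construction. `{% if renew_nomad_certificates_info['include_nomad_service']%}` is missing the space before `%}` that the sibling `{% if ... %}` tags have. `alt_names=localhost` and `ip_sans=127.0.0.1` are emitted unconditionally; if that is intended for every certificate, a short comment at the top of the template saying why would spare the next reader from wondering.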
@@ -0,0 +1,33 @@
+vault {
+ address = "{{ renew_nomad_certificates_vault_addr }}"
+ token = "{{ renew_nomad_certificates_vault_token }}"
+ unwrap_token = {{ renew_nomad_certificates_vault_token_unwrap|lower }}
+ renew_token = {{ renew_nomad_certificates_vault_token_renew|lower }}
+}
+
+template {
+ source = "{{ renew_nomad_certificates_config_dir }}/templates/nomad_ca.pem.tpl"
+ destination = "{{ renew_nomad_certificates_ca_dest }}"
+ perms = 0700
+ user = "{{ renew_nomad_certificates_nomad_user }}"
+ group = "{{ renew_nomad_certificates_nomad_group }}"
+ command = "sh -c 'echo \"$(date) Update certificate and key file for {{ renew_nomad_certificates_info['common_name'] }}\" && nomad reload '"
+}
+
+template {
+ source = "{{ renew_nomad_certificates_config_dir }}/templates/nomad_cert.pem.tpl"
+ destination = "{{ renew_nomad_certificates_cert_dest }}"
+ perms = 0700
+ user = "{{ renew_nomad_certificates_nomad_user }}"
+ group = "{{ renew_nomad_certificates_nomad_group }}"
+ command = "sh -c 'echo \"$(date) Update certificate and key file for {{ renew_nomad_certificates_info['common_name'] }}\" && nomad reload '"
+}
+
+template {
+ source = "{{ renew_nomad_certificates_config_dir }}/templates/nomad_key.pem.tpl"
+ destination = "{{ renew_nomad_certificates_key_dest }}"
+ perms = 0700
+ user = "{{ renew_nomad_certificates_nomad_user }}"
+ group = "{{ renew_nomad_certificates_nomad_group }}"
+ command = "sh -c 'echo \"$(date) Update certificate and key file for {{ renew_nomad_certificates_info['common_name'] }}\" && nomad reload '"
+}
diff --git a/templates/nomad_key.pem.tpl.j2 b/templates/nomad_key.pem.tpl.j2
new file mode 100644
index 0000000..d638f17
--- /dev/null
+++ b/templates/nomad_key.pem.tpl.j2
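Review bot: The post-render hook `command = "sh -c 'echo ... && nomad reload '"` calls a `nomad reload` subcommand that, as far as I know, does not exist (the consul CLI has `consul reload`; the nomad agent re-reads its configuration on SIGHUP instead), so each renewal would end with a failed command and the agent would keep serving the old certificate; `systemctl reload nomad` (if the nomad unit defines `ExecReload=`) or a HUP to the agent is the equivalent, and a comment above the hook naming which mechanism is relied on would help. `perms = 0700` marks the rendered PEM files executable; `0600` for the key destination and `0644` (or `0600`) for the CA and certificate express the intent without the execute bit. The vault token is rendered in clear text into this file by `token = "{{ renew_nomad_certificates_vault_token }}"`, so the `0o600` mode and `nomad` ownership that the molecule tests enforce on `nomad_config.hcl` are load-bearing and deserve a one-line comment saying so. The identical `command` on all three `template` blocks also fires three times per renewal, which is harmless but worth a note since consul-template gives no ordering guarantee between them.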
@@ -0,0 +1,5 @@
+{% raw %}{{ with secret {% endraw %}"{{ renew_nomad_certificates_info['issuer_path'] }}" "common_name={{ renew_nomad_certificates_info['common_name'] }}" "ttl={{ renew_nomad_certificates_info['ttl'] }}" "alt_names=localhost{% if renew_nomad_certificates_info['is_server'] %},server.{{ renew_nomad_certificates_nomad_dc_name }}{% endif %}{% if renew_nomad_certificates_info['is_client'] %},client.{{ renew_nomad_certificates_nomad_dc_name }}{% endif %}{% if renew_nomad_certificates_info['include_nomad_service']%},{{ renew_nomad_certificates_nomad_service_name }}{% endif %}" "ip_sans=127.0.0.1"{% raw %} }}{% endraw %}
+
+{% raw %}{{ .Data.private_key }}{% endraw %}
+
+{% raw %}{{ end }}{% endraw %}