author | pmikus <pmikus@cisco.com> | 2020-12-05 23:29:01 +0000 |
committer | Peter Mikus <pmikus@cisco.com> | 2020-12-07 09:10:21 +0000 |
commit | 0f9b20775b4a656b67c7039e2dda4cf676af2b21 (patch) | |
tree | f602d1a220546bbbbd1f1ea5ad530d1762832481 /resources/tools/testbed-setup/ansible/roles | |
parent | 36e59060f08d9978b1ae3dc4a4dd5da1caf6cd19 (diff) |
Ansible: Enable consul TLS
Signed-off-by: pmikus <pmikus@cisco.com>
Change-Id: Ia53acc4441087e93a51d87097adea0b220d10144
Diffstat (limited to 'resources/tools/testbed-setup/ansible/roles')
3 files changed, 21 insertions, 8 deletions
diff --git a/resources/tools/testbed-setup/ansible/roles/consul/defaults/main.yaml b/resources/tools/testbed-setup/ansible/roles/consul/defaults/main.yaml
index 89121fde2e..786554eb58 100644
--- a/resources/tools/testbed-setup/ansible/roles/consul/defaults/main.yaml
+++ b/resources/tools/testbed-setup/ansible/roles/consul/defaults/main.yaml
@@ -61,11 +61,11 @@ consul_user_state: "present"
 # Conf - nomad.d/consul.hcl
 consul_nomad_integration: true
 consul_certificates:
- - src: "{{ vault_consul_ca_file }}"
+ - src: "{{ vault_consul_v1_ca_file }}"
 dest: "{{ consul_ca_file }}"
- - src: "{{ vault_consul_cert_file }}"
+ - src: "{{ vault_consul_v1_cert_file }}"
 dest: "{{ consul_cert_file }}"
- - src: "{{ vault_consul_key_file }}"
+ - src: "{{ vault_consul_v1_key_file }}"
 dest: "{{ consul_key_file }}"
 consul_auto_advertise: true
diff --git a/resources/tools/testbed-setup/ansible/roles/consul/tasks/main.yaml b/resources/tools/testbed-setup/ansible/roles/consul/tasks/main.yaml
index c40fab79e3..9d1ca1980d 100644
--- a/resources/tools/testbed-setup/ansible/roles/consul/tasks/main.yaml
+++ b/resources/tools/testbed-setup/ansible/roles/consul/tasks/main.yaml
@@ -158,7 +158,7 @@
 mode: 0644
 notify:
 - "Restart Consul"
- - "Stop Systemd-resolved"
+# - "Stop Systemd-resolved"
 # - "Restart Nomad"
 tags:
 - consul-conf
diff --git a/resources/tools/testbed-setup/ansible/roles/consul/templates/base.hcl.j2 b/resources/tools/testbed-setup/ansible/roles/consul/templates/base.hcl.j2
index 11743fa420..e220c8f687 100644
--- a/resources/tools/testbed-setup/ansible/roles/consul/templates/base.hcl.j2
+++ b/resources/tools/testbed-setup/ansible/roles/consul/templates/base.hcl.j2
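Review bot: The `Stop Systemd-resolved` notification in the tasks/main.yaml hunk is commented out rather than removed, and nothing in the hunk records why, so the notify list now carries two dead entries with no indication of which are deliberate. If the handler is meant to stay disabled, replace the commented line with a short explanation such as `# "Stop Systemd-resolved" intentionally not notified: <reason>`, or drop the line and rely on git history. This change is also not covered by the commit title, which only mentions enabling TLS, so a sentence in the commit message would help the next reader. The task that owns this notify block starts outside the hunk, so whether another task still stops systemd-resolved cannot be seen here.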
@@ -14,6 +14,23 @@ server = {{ consul_node_server | bool | lower }}
 encrypt = "{{ consul_encrypt }}"
 {% if consul_node_server | bool == True %}
 bootstrap_expect = {{ consul_bootstrap_expect }}
+verify_incoming = true
+verify_outgoing = true
+verify_server_hostname = true
+ca_file = "{{ consul_ca_file }}"
+cert_file = "{{ consul_cert_file }}"
+key_file = "{{ consul_key_file }}"
+auto_encrypt {
+ allow_tls = true
+}
+{% else %}
+verify_incoming = false
+verify_outgoing = true
+verify_server_hostname = true
+ca_file = "{{ consul_ca_file }}"
+auto_encrypt {
+ tls = true
+}
 {% endif %}
 {% if consul_retry_join | bool -%}
 retry_join = [ {% for ip_port in consul_retry_servers -%} "{{ ip_port }}"{% if not loop.last %}, {% endif %}{%- endfor -%} ]
@@ -21,10 +38,6 @@ retry_join = [ {% for ip_port in consul_retry_servers -%} "{{ ip_port }}"{% if n
 ui = {{ consul_ui | bool | lower }}
-ca_file = "{{ consul_ca_file }}"
-cert_file = "{{ consul_cert_file }}"
-key_file = "{{ consul_key_file }}"
-
 {% if consul_recursors -%}
 recursors = [ {% for server in consul_recursors -%} "{{ server }}"{% if not loop.last %}, {% endif %}{%- endfor -%} ]
 {%- endif %}
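Review bot: `verify_incoming = true` in the server branch applies to the HTTPS API as well as to server RPC, and nothing in this hunk moves the API to HTTPS or disables the plaintext HTTP listener, so depending on what the rest of base.hcl.j2 sets (the template continues outside the hunk) the API is either still served in clear or starts rejecting API clients such as Nomad that present no client certificate. If only RPC is meant to be protected, `verify_incoming_rpc = true` is the narrower setting; if the API is meant to be protected, a `ports` block with `https` set and `http = -1` is also needed and the Nomad-side Consul configuration must match. `verify_server_hostname = true` requires the Vault-issued server certificate to carry the `server.<datacenter>.<domain>` name, which is worth recording next to the new `ca_file` line, e.g. `{# verify_server_hostname requires the server cert to carry SAN server.<datacenter>.<domain> #}`. The client branch correctly omits cert_file/key_file in favour of auto_encrypt, but the defaults hunk still lists all three files in consul_certificates, so the server key appears to be copied onto client nodes as well unless the copy task is conditioned on consul_node_server.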
\ No newline at end of file |