From 0f9b20775b4a656b67c7039e2dda4cf676af2b21 Mon Sep 17 00:00:00 2001
From: pmikus
Date: Sat, 5 Dec 2020 23:29:01 +0000
Subject: Ansible: Enable consul TLS

Signed-off-by: pmikus
Change-Id: Ia53acc4441087e93a51d87097adea0b220d10144
---
 .../ansible/roles/consul/defaults/main.yaml | 6 +++---
 .../ansible/roles/consul/tasks/main.yaml | 2 +-
 .../ansible/roles/consul/templates/base.hcl.j2 | 21 +++++++++++++++++----
 3 files changed, 21 insertions(+), 8 deletions(-)

(limited to 'resources/tools/testbed-setup/ansible/roles/consul')

diff --git a/resources/tools/testbed-setup/ansible/roles/consul/defaults/main.yaml b/resources/tools/testbed-setup/ansible/roles/consul/defaults/main.yaml
index 89121fde2e..786554eb58 100644
--- a/resources/tools/testbed-setup/ansible/roles/consul/defaults/main.yaml
+++ b/resources/tools/testbed-setup/ansible/roles/consul/defaults/main.yaml
@@ -61,11 +61,11 @@ consul_user_state: "present"
 # Conf - nomad.d/consul.hcl
 consul_nomad_integration: true
 consul_certificates:
- - src: "{{ vault_consul_ca_file }}"
+ - src: "{{ vault_consul_v1_ca_file }}"
 dest: "{{ consul_ca_file }}"
- - src: "{{ vault_consul_cert_file }}"
+ - src: "{{ vault_consul_v1_cert_file }}"
 dest: "{{ consul_cert_file }}"
- - src: "{{ vault_consul_key_file }}"
+ - src: "{{ vault_consul_v1_key_file }}"
 dest: "{{ consul_key_file }}"
 consul_auto_advertise: true
 
diff --git a/resources/tools/testbed-setup/ansible/roles/consul/tasks/main.yaml b/resources/tools/testbed-setup/ansible/roles/consul/tasks/main.yaml
index c40fab79e3..9d1ca1980d 100644
--- a/resources/tools/testbed-setup/ansible/roles/consul/tasks/main.yaml
+++ b/resources/tools/testbed-setup/ansible/roles/consul/tasks/main.yaml
@@ -158,7 +158,7 @@
 mode: 0644
 notify:
 - "Restart Consul"
- "Stop Systemd-resolved"
+# - "Stop Systemd-resolved"
 # - "Restart Nomad"
 tags:
 - consul-conf
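Review bot: In the tasks/main.yaml hunk the `Stop Systemd-resolved` handler is commented out rather than removed, and neither the hunk nor the commit subject (Enable consul TLS) records why a Consul config change no longer stops the resolver; a one-line comment such as `# Stop Systemd-resolved is intentionally not notified here: <reason placeholder>` above the commented entry, or deleting the dead line outright, would make the intent reviewable. The enclosing task starts before the hunk, and its context line `mode: 0644` relies on the YAML 1.1 leading-zero octal rule; the quoted form `mode: "0644"` is the lint-clean spelling that does not depend on the parser's integer handling. The defaults/main.yaml hunk is a plain variable rename and needs no note.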
diff --git a/resources/tools/testbed-setup/ansible/roles/consul/templates/base.hcl.j2 b/resources/tools/testbed-setup/ansible/roles/consul/templates/base.hcl.j2
index 11743fa420..e220c8f687 100644
--- a/resources/tools/testbed-setup/ansible/roles/consul/templates/base.hcl.j2
+++ b/resources/tools/testbed-setup/ansible/roles/consul/templates/base.hcl.j2
@@ -14,6 +14,23 @@ server = {{ consul_node_server | bool | lower }}
 encrypt = "{{ consul_encrypt }}"
 {% if consul_node_server | bool == True %}
 bootstrap_expect = {{ consul_bootstrap_expect }}
+verify_incoming = true
+verify_outgoing = true
+verify_server_hostname = true
+ca_file = "{{ consul_ca_file }}"
+cert_file = "{{ consul_cert_file }}"
+key_file = "{{ consul_key_file }}"
+auto_encrypt {
+  allow_tls = true
+}
+{% else %}
+verify_incoming = false
+verify_outgoing = true
+verify_server_hostname = true
+ca_file = "{{ consul_ca_file }}"
+auto_encrypt {
+  tls = true
+}
 {% endif %}
 {% if consul_retry_join | bool -%}
 retry_join = [ {% for ip_port in consul_retry_servers -%} "{{ ip_port }}"{% if not loop.last %}, {% endif %}{%- endfor -%} ]
@@ -21,10 +38,6 @@ retry_join = [ {% for ip_port in consul_retry_servers -%} "{{ ip_port }}"{% if n
 
 ui = {{ consul_ui | bool | lower }}
 
-ca_file = "{{ consul_ca_file }}"
-cert_file = "{{ consul_cert_file }}"
-key_file = "{{ consul_key_file }}"
-
 {% if consul_recursors -%}
 recursors = [ {% for server in consul_recursors -%} "{{ server }}"{% if not loop.last %}, {% endif %}{%- endfor -%} ]
 {%- endif %}
\ No newline at end of file
-- 
cgit 1.2.3-korg
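Review bot: `verify_incoming = true` in the server branch of the first hunk governs the HTTPS API as well as server RPC, so any API caller that reaches a server over HTTPS — the Nomad integration switched on in defaults, or a browser using the UI enabled by `ui = ...` in the next hunk — must present a certificate signed by `consul_ca_file`; the hunk does not show the ports block, so confirm whether an HTTPS listener exists before relying on this. If the intent is only to mutually authenticate agent-to-agent traffic, Consul's narrower `verify_incoming_rpc = true` says exactly that, and `verify_incoming_https = true` can follow once API clients have certificates. `verify_server_hostname = true` in both branches requires the server certificate issued from the vault material to carry the `server.<datacenter>.<domain>` name, which the template cannot check — a comment above the server block such as `# Server cert must be issued for server.<dc>.<domain>; clients with verify_server_hostname refuse to connect otherwise` would save the next operator a debugging session.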