manage gossip encryption key in role
This commit is contained in:
parent
24fb4be8c2
commit
2b441a5ac6
@ -1,7 +1,10 @@
|
|||||||
---
|
---
|
||||||
# defaults file for ansible-consul
|
# defaults file for ansible-consul
|
||||||
|
consul_bin_path: "/usr/local/bin"
|
||||||
consul_server: True
|
consul_server: True
|
||||||
consul_ui: True
|
consul_ui: True
|
||||||
|
consul_config_path: "/etc/consul.d"
|
||||||
|
consul_bootstrap_state: "{{ consul_config_path }}/.consul_bootstrapped"
|
||||||
consul_iface: "{{ ansible_default_ipv4.interface }}"
|
consul_iface: "{{ ansible_default_ipv4.interface }}"
|
||||||
consul_bind_address: "{{ hostvars[inventory_hostname]['ansible_'+ consul_iface | replace('-', '_')]['ipv4']['address']}}"
|
consul_bind_address: "{{ hostvars[inventory_hostname]['ansible_'+ consul_iface | replace('-', '_')]['ipv4']['address']}}"
|
||||||
consul_client_addr: "127.0.0.1"
|
consul_client_addr: "127.0.0.1"
|
||||||
@ -9,8 +12,7 @@ consul_bootstrap: False
|
|||||||
consul_domain: "consul"
|
consul_domain: "consul"
|
||||||
consul_data_dir: "/opt/consul"
|
consul_data_dir: "/opt/consul"
|
||||||
consul_datacenter: "dc1"
|
consul_datacenter: "dc1"
|
||||||
consul_gossip_encryption_key:
|
consul_encrypt_enable: True
|
||||||
|
|
||||||
consul_ansible_group: "consul"
|
consul_ansible_group: "consul"
|
||||||
consul_servers_list: "\
|
consul_servers_list: "\
|
||||||
{% set _consul_servers_list = [] %}\
|
{% set _consul_servers_list = [] %}\
|
||||||
|
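Review bot: `consul_encrypt_enable: True` in the second hunk (alongside the unchanged `consul_server: True` and `consul_ui: True`) spells the boolean with a capital, which yamllint's truthy rule rejects and a YAML 1.2 parser reads as a plain string; write `consul_encrypt_enable: true`. The removed bare `consul_gossip_encryption_key:` was the only default for a user-supplied key, and the new tasks expect it under the name `consul_raw_key` instead (the tasks file says "Key provided by extra vars or the above block"), so a comment above `consul_encrypt_enable` such as `# consul_raw_key: pass a pre-shared gossip key via extra vars; otherwise it is read from an existing config or generated` would spare users a rename surprise. The file header for this section is not in view.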
100
tasks/main.yml
100
tasks/main.yml
@ -1,4 +1,11 @@
|
|||||||
---
|
---
|
||||||
|
- name: Read bootstrapped state
|
||||||
|
stat:
|
||||||
|
path: "{{ consul_bootstrap_state }}"
|
||||||
|
register: bootstrap_state
|
||||||
|
ignore_errors: true
|
||||||
|
|
||||||
|
|
||||||
- name: Include OS-specific variables
|
- name: Include OS-specific variables
|
||||||
include_vars: "{{ item }}"
|
include_vars: "{{ item }}"
|
||||||
with_first_found:
|
with_first_found:
|
||||||
@ -19,12 +26,93 @@
|
|||||||
path: "{{ consul_data_dir }}"
|
path: "{{ consul_data_dir }}"
|
||||||
mode: 0755
|
mode: 0755
|
||||||
|
|
||||||
|
- block:
|
||||||
|
- block:
|
||||||
|
- name: Check for gossip encryption key on previously boostrapped server
|
||||||
|
slurp:
|
||||||
|
src: "{{ consul_config_path }}/config.json"
|
||||||
|
register: consul_config_b64
|
||||||
|
ignore_errors: true
|
||||||
|
- debug:
|
||||||
|
msg: "{{consul_config_b64}}"
|
||||||
|
- name: Deserialize existing configuration
|
||||||
|
set_fact:
|
||||||
|
consul_config: "{{ consul_config_b64.content | b64decode | from_json }}"
|
||||||
|
when: consul_config_b64.content is defined and consul_config_b64.content != ""
|
||||||
|
|
||||||
|
- name: Save gossip encryption key from existing configuration
|
||||||
|
set_fact:
|
||||||
|
consul_raw_key: "{{ consul_config.encrypt }}"
|
||||||
|
when: consul_config is defined
|
||||||
|
|
||||||
|
when:
|
||||||
|
- consul_raw_key is not defined
|
||||||
|
- bootstrap_state.stat.exists | bool
|
||||||
|
- inventory_hostname in consul_servers_list
|
||||||
|
|
||||||
|
# Key provided by extra vars or the above block
|
||||||
|
- name: Write gossip encryption key locally for use with new servers
|
||||||
|
copy:
|
||||||
|
content: "{{ consul_raw_key }}"
|
||||||
|
dest: '/tmp/consul_raw.key'
|
||||||
|
mode: 0600
|
||||||
|
become: false
|
||||||
|
vars:
|
||||||
|
ansible_become: false
|
||||||
|
no_log: true
|
||||||
|
delegate_to: localhost
|
||||||
|
changed_when: false
|
||||||
|
when: consul_raw_key is defined
|
||||||
|
|
||||||
|
# Generate new key if none was found
|
||||||
|
- block:
|
||||||
|
- name: Generate gossip encryption key
|
||||||
|
shell: "PATH={{ consul_bin_path }}:$PATH consul keygen"
|
||||||
|
register: consul_keygen
|
||||||
|
|
||||||
|
- name: Write key locally to share with other nodes
|
||||||
|
copy:
|
||||||
|
content: "{{ consul_keygen.stdout }}"
|
||||||
|
dest: '/tmp/consul_raw.key'
|
||||||
|
become: false
|
||||||
|
vars:
|
||||||
|
ansible_become: false
|
||||||
|
delegate_to: localhost
|
||||||
|
|
||||||
|
no_log: true
|
||||||
|
run_once: true
|
||||||
|
when:
|
||||||
|
# if files '/tmp/consul_raw.key' exist
|
||||||
|
- lookup('first_found', dict(files=['/tmp/consul_raw.key'], skip=true)) | ternary(false, true)
|
||||||
|
- not bootstrap_state.stat.exists | bool
|
||||||
|
|
||||||
|
- name: Read gossip encryption key for servers that require it
|
||||||
|
set_fact:
|
||||||
|
consul_raw_key: "{{ lookup('file', '/tmp/consul_raw.key') }}"
|
||||||
|
no_log: true
|
||||||
|
when:
|
||||||
|
- consul_raw_key is not defined
|
||||||
|
|
||||||
|
- name: Delete gossip encryption key file
|
||||||
|
file:
|
||||||
|
path: '/tmp/consul_raw.key'
|
||||||
|
state: absent
|
||||||
|
become: false
|
||||||
|
vars:
|
||||||
|
ansible_become: false
|
||||||
|
run_once: true
|
||||||
|
delegate_to: localhost
|
||||||
|
changed_when: false
|
||||||
|
#no_log: true
|
||||||
|
when:
|
||||||
|
- consul_encrypt_enable | bool
|
||||||
|
|
||||||
- name: apply config template
|
- name: apply config template
|
||||||
block:
|
block:
|
||||||
- name: server template
|
- name: server template
|
||||||
template:
|
template:
|
||||||
src: config.hcl.j2
|
src: config.json.j2
|
||||||
dest: /etc/consul.d/config.hcl
|
dest: "{{ consul_config_path}}/config.json"
|
||||||
owner: consul
|
owner: consul
|
||||||
mode: 0644
|
mode: 0644
|
||||||
notify: reload consul configuration
|
notify: reload consul configuration
|
||||||
@ -45,11 +133,19 @@
|
|||||||
job: "{{ consul_data_dir }}/cs-backup.sh {{ consul_backup_location }}"
|
job: "{{ consul_data_dir }}/cs-backup.sh {{ consul_backup_location }}"
|
||||||
hour: "{{consul_cron_hour}}"
|
hour: "{{consul_cron_hour}}"
|
||||||
when: consul_snapshot
|
when: consul_snapshot
|
||||||
|
|
||||||
- name: ensure service is started
|
- name: ensure service is started
|
||||||
systemd:
|
systemd:
|
||||||
name: "{{ consul_service_name }}"
|
name: "{{ consul_service_name }}"
|
||||||
state: started
|
state: started
|
||||||
enabled: True
|
enabled: True
|
||||||
|
|
||||||
|
- name: Create bootstrapped state file
|
||||||
|
file:
|
||||||
|
dest: "{{ consul_bootstrap_state }}"
|
||||||
|
state: touch
|
||||||
|
mode: 0600
|
||||||
|
when: not bootstrap_state.stat.exists
|
||||||
|
|
||||||
- include_tasks: dnsmasq.yml
|
- include_tasks: dnsmasq.yml
|
||||||
when: consul_dnsmasq_enable | bool
|
when: consul_dnsmasq_enable | bool
|
||||||
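Review bot: The `- debug: msg: "{{consul_config_b64}}"` task in the hunk at @ -19,12 +26,93 prints the slurped config.json, which on a previously bootstrapped server contains the existing `encrypt` key, into the play output, while every task that handles the same value after it is `no_log: true`; remove the debug task or give it `no_log: true`. In the same hunk the second `copy` to `/tmp/consul_raw.key` ("Write key locally to share with other nodes") omits the `mode: 0600` that the first copy sets, so a freshly generated key lands on the controller with whatever the default umask gives; add `mode: 0600` there as well. The `#no_log: true` left commented out on the delete task looks like a leftover and is worth either restoring or dropping. The `mode: 0755`, `0644` and `0600` values are unquoted octals, which Ansible accepts but its docs recommend quoting (`mode: "0600"`) so YAML never reads them as decimal.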
|
@ -1,35 +1,30 @@
|
|||||||
|
{
|
||||||
bootstrap= {{consul_bootstrap|lower}}
|
"bootstrap": {{consul_bootstrap|lower}},
|
||||||
server= {{consul_server|lower}}
|
"server": {{consul_server|lower}},
|
||||||
{% if consul_server %}
|
{% if consul_server %}
|
||||||
bootstrap_expect= {{consul_bootstrap_expect}}
|
"bootstrap_expect": {{consul_bootstrap_expect}},
|
||||||
{% endif %}
|
{% endif %}
|
||||||
domain= "{{consul_domain}}"
|
"domain": "{{consul_domain}}",
|
||||||
{% if consul_bind_address %}
|
{% if consul_bind_address %}
|
||||||
bind_addr="{{consul_bind_address}}"
|
"bind_addr":"{{consul_bind_address}}",
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{% if consul_client_addr %}
|
{% if consul_client_addr %}
|
||||||
client_addr="{{consul_client_addr}}"
|
"client_addr":"{{consul_client_addr}}",
|
||||||
{% endif %}
|
|
||||||
|
|
||||||
{%if consul_ui %}
|
|
||||||
ui_config {
|
|
||||||
enabled = true
|
|
||||||
}
|
|
||||||
{%endif%}
|
|
||||||
|
|
||||||
{% if consul_gossip_encryption_key %}
|
|
||||||
encrypt= "{{consul_gossip_encryption_key}}"
|
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
||||||
|
|
||||||
datacenter= "{{consul_datacenter}}"
|
{% if consul_raw_key %}
|
||||||
data_dir= "{{consul_data_dir}}"
|
"encrypt": "{{consul_raw_key}}",
|
||||||
acl {
|
{% endif %}
|
||||||
enabled = false
|
|
||||||
default_policy = "allow"
|
|
||||||
enable_token_persistence = true
|
"datacenter": "{{consul_datacenter}}",
|
||||||
}
|
"data_dir": "{{consul_data_dir}}",
|
||||||
|
"acl": {
|
||||||
|
"enabled": false,
|
||||||
|
"default_policy": "allow",
|
||||||
|
"enable_token_persistence": true
|
||||||
|
},
|
||||||
{%if consul_retry_join_force %}
|
{%if consul_retry_join_force %}
|
||||||
{% for server in consul_retry_join_force %}
|
{% for server in consul_retry_join_force %}
|
||||||
{% set _ = consul_join.append(server) %}
|
{% set _ = consul_join.append(server) %}
|
||||||
@ -39,11 +34,15 @@ acl {
|
|||||||
{% set _ = consul_join.append(hostvars[server]['consul_bind_address'] | default(hostvars[server]['ansible_default_ipv4']['address'],true) | mandatory) %}
|
{% set _ = consul_join.append(hostvars[server]['consul_bind_address'] | default(hostvars[server]['ansible_default_ipv4']['address'],true) | mandatory) %}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
retry_join= {{ consul_join | map('ipwrap') | list | to_json }}
|
"retry_join": {{ consul_join | map('ipwrap') | list | to_json }},
|
||||||
|
|
||||||
{% if _consul_wan_servercount | int > 0 %}
|
{% if _consul_wan_servercount | int > 0 %}
|
||||||
{% for server in _consul_wan_servers %}
|
{% for server in _consul_wan_servers %}
|
||||||
{% set _ = consul_join_wan.append(hostvars[server]['consul_bind_address']|default(hostvars[server]['ansible_default_ipv4']['address'],true) | mandatory) %}
|
{% set _ = consul_join_wan.append(hostvars[server]['consul_bind_address']|default(hostvars[server]['ansible_default_ipv4']['address'],true) | mandatory) %}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
retry_join_wan= {{ consul_join_wan | map('ipwrap') | list | to_json }}
|
"retry_join_wan": {{ consul_join_wan | map('ipwrap') | list | to_json }},
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
"ui_config": {
|
||||||
|
"enabled": {{consul_ui|bool|to_json}}
|
||||||
|
}
|
||||||
|
}
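Review bot: `{% if consul_raw_key %}` in the first hunk tests a variable that is only ever set by `set_fact` in tasks/main.yml and, after this commit, has no default (the old `consul_gossip_encryption_key` default is gone), so a render with the variable undefined may abort under Ansible's undefined-variable handling rather than skip the block; `{% if consul_raw_key is defined and consul_raw_key %}` makes the intended fallthrough explicit. The value is interpolated as `"{{consul_raw_key}}"` while the neighbouring `retry_join`, `retry_join_wan` and `ui_config.enabled` lines go through `to_json`; `"encrypt": {{ consul_raw_key | to_json }},` keeps the emitted config.json valid should the key ever contain characters that need escaping. The file header for this section is not in view.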
|