From 9c0b211db2d262cf59cd18b5e4c0d7331245a51f Mon Sep 17 00:00:00 2001
From: Asara
Date: Tue, 1 Nov 2022 16:02:59 -0400
Subject: [PATCH] Add ca_cert to hashi_vault lookups

---
 ansible/roles/common/tasks/Debian.yml | 3 +--
 ansible/roles/consul/templates/consul.hcl.j2 | 4 ++--
 ansible/roles/consul_server/templates/consul.hcl.j2 | 4 ++--
 .../roles/lego/templates/amarpreet@minhas.io.key.j2 | 2 +-
 ansible/roles/lego/templates/defaults | 10 +++++-----
 ansible/roles/nomad_client/templates/nomad.hcl.j2 | 4 ++--
 ansible/roles/nomad_server/templates/nomad.hcl.j2 | 4 ++--
 ansible/roles/vault_server/templates/vault.hcl.j2 | 2 +-
 8 files changed, 16 insertions(+), 17 deletions(-)

diff --git a/ansible/roles/common/tasks/Debian.yml b/ansible/roles/common/tasks/Debian.yml
index a7943fb..efe771d 100644
--- a/ansible/roles/common/tasks/Debian.yml
+++ b/ansible/roles/common/tasks/Debian.yml
@@ -20,12 +20,11 @@
 - git
 - htop
 - inxi
+ - kitty-terminfo
 - make
 - ncdu
- - netcat-traditional
 - netcat-openbsd
 - ntp
- - rxvt-unicode
 - screen
 - strace
 - sysstat
diff --git a/ansible/roles/consul/templates/consul.hcl.j2 b/ansible/roles/consul/templates/consul.hcl.j2
index 51385cf..7ef3f08 100644
--- a/ansible/roles/consul/templates/consul.hcl.j2
+++ b/ansible/roles/consul/templates/consul.hcl.j2
@@ -3,7 +3,7 @@
 primary_datacenter = "{{ main_dc_name }}"
 domain = "{{ consul_domain }}"
 node_name = "{{ inventory_hostname_short }}"
-encrypt = "{{ lookup('hashi_vault', 'secret=kv/data/consul:data')['gossip'] }}"
+encrypt = "{{ lookup('hashi_vault', 'secret=kv/data/consul:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['gossip'] }}"
 verify_incoming = false
 verify_outgoing = true
@@ -32,6 +32,6 @@ acl {
 default_policy = "deny"
 enable_token_persistence = true
 tokens {
-default = "{{ lookup('hashi_vault', 'secret=kv/data/consul:data')['server-acl-token'] }}"
+default = "{{ lookup('hashi_vault', 'secret=kv/data/consul:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['server-acl-token'] }}"
 }
 }
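Review bot: The CA bundle path is hard-coded as `/etc/pki/certs/MaskedName_Root_CA.crt` inside both lookup terms in this hunk, while the nomad templates touched by the same patch already reference the bundle through a variable as `/etc/pki/certs/{{ vault_ca_cert_name }}`; the same literal recurs in the second consul hunk and in the consul_server, lego, nomad_client, nomad_server and vault_server hunks. If `vault_ca_cert_name` names this file, `ca_cert=/etc/pki/certs/{{ vault_ca_cert_name }}` keeps every role on one variable so a CA rotation is a single change. Note also that `lookup('hashi_vault', ...)` runs on the Ansible control node, so the bundle must exist at that path there, whereas `ca_file` in nomad.hcl is a path on the managed host; the two only coincide if the controller is itself managed by these roles. Since the option is identical in every lookup in the patch, setting it once via the `ANSIBLE_HASHI_VAULT_CA_CERT` environment variable or `ca_cert` under `[hashi_vault_collection]` in ansible.cfg would remove the repetition. Pinning the CA instead of relaxing certificate validation is the right approach here.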
diff --git a/ansible/roles/consul_server/templates/consul.hcl.j2 b/ansible/roles/consul_server/templates/consul.hcl.j2
index 3a3640e..f81b0fc 100644
--- a/ansible/roles/consul_server/templates/consul.hcl.j2
+++ b/ansible/roles/consul_server/templates/consul.hcl.j2
@@ -6,7 +6,7 @@
 server = true
 bootstrap_expect = 3
 ui = true
-encrypt = "{{ lookup('hashi_vault', 'secret=kv/data/consul:data')['gossip'] }}"
+encrypt = "{{ lookup('hashi_vault', 'secret=kv/data/consul:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['gossip'] }}"
 verify_outgoing = true
 verify_server_hostname = true
@@ -49,6 +49,6 @@ acl {
 default_policy = "deny"
 enable_token_persistence = true
 tokens {
-default = "{{ lookup('hashi_vault', 'secret=kv/data/consul:data')['server-acl-token'] }}"
+default = "{{ lookup('hashi_vault', 'secret=kv/data/consul:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['server-acl-token'] }}"
 }
 }
diff --git a/ansible/roles/lego/templates/amarpreet@minhas.io.key.j2 b/ansible/roles/lego/templates/amarpreet@minhas.io.key.j2
index c073889..f0d1e15 100644
--- a/ansible/roles/lego/templates/amarpreet@minhas.io.key.j2
+++ b/ansible/roles/lego/templates/amarpreet@minhas.io.key.j2
@@ -1 +1 @@
-{{ lookup('hashi_vault', 'secret=kv/data/acme:data')['private_key'] }}
+{{ lookup('hashi_vault', 'secret=kv/data/acme:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['private_key'] }}
diff --git a/ansible/roles/lego/templates/defaults b/ansible/roles/lego/templates/defaults
index 19e9d7a..6357fae 100644
--- a/ansible/roles/lego/templates/defaults
+++ b/ansible/roles/lego/templates/defaults
@@ -1,5 +1,5 @@
-export NAMECHEAP_API_USER={{ lookup('hashi_vault', 'secret=kv/data/namecheap:data')['api_user'] }}
-export NAMECHEAP_API_KEY={{ lookup('hashi_vault', 'secret=kv/data/namecheap:data')['api_key'] }}
-export AWS_ACCESS_KEY_ID={{ lookup('hashi_vault', 'secret=kv/data/aws:data')['access_key'] }}
-export AWS_SECRET_ACCESS_KEY={{ lookup('hashi_vault', 'secret=kv/data/aws:data')['secret_key'] }}
-export AWS_HOSTED_ZONE_ID={{ lookup('hashi_vault', 'secret=kv/data/aws:data')['hosted_zone_id'] }}
+export NAMECHEAP_API_USER={{ lookup('hashi_vault', 'secret=kv/data/namecheap:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['api_user'] }}
+export NAMECHEAP_API_KEY={{ lookup('hashi_vault', 'secret=kv/data/namecheap:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['api_key'] }}
+export AWS_ACCESS_KEY_ID={{ lookup('hashi_vault', 'secret=kv/data/aws:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['access_key'] }}
+export AWS_SECRET_ACCESS_KEY={{ lookup('hashi_vault', 'secret=kv/data/aws:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['secret_key'] }}
+export AWS_HOSTED_ZONE_ID={{ lookup('hashi_vault', 'secret=kv/data/aws:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['hosted_zone_id'] }}
diff --git a/ansible/roles/nomad_client/templates/nomad.hcl.j2 b/ansible/roles/nomad_client/templates/nomad.hcl.j2
index 24d749f..4d1b262 100644
--- a/ansible/roles/nomad_client/templates/nomad.hcl.j2
+++ b/ansible/roles/nomad_client/templates/nomad.hcl.j2
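Review bot: Each of the five `export` lines issues its own Vault read, so `kv/data/aws` is fetched three times and `kv/data/namecheap` twice on every render, and the `ca_cert=` argument has to be repeated on each line. Reading each secret once into a template variable, for example `{% set aws = lookup('hashi_vault', 'secret=kv/data/aws:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') %}` at the top and then `export AWS_ACCESS_KEY_ID={{ aws['access_key'] }}`, cuts the round-trips and leaves one place to adjust lookup options. The rendered file holds a long-lived AWS secret key and the Namecheap API key in plaintext; the `template` task that writes it, like the one for the `.key.j2` private key in the previous hunk, is outside this patch, so confirm it sets a restrictive `mode` and `no_log: true` so the rendered values do not appear in task output.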
@@ -14,13 +14,13 @@ client {
 }
 consul {
-token = "{{ lookup('hashi_vault', 'secret=kv/data/nomad:data')['consul-acl-client'] }}"
+token = "{{ lookup('hashi_vault', 'secret=kv/data/nomad:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['consul-acl-client'] }}"
 }
 vault {
 enabled = true
 ca_file = "/etc/pki/certs/{{ vault_ca_cert_name }}"
-token = "{{ lookup('hashi_vault', 'secret=kv/data/nomad:data')['vault-token'] }}"
+token = "{{ lookup('hashi_vault', 'secret=kv/data/nomad:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['vault-token'] }}"
 address = "https://vault.service.{{ consul_domain }}:8200"
 create_from_role = "nomad-cluster"
 unwrap_token = true
diff --git a/ansible/roles/nomad_server/templates/nomad.hcl.j2 b/ansible/roles/nomad_server/templates/nomad.hcl.j2
index be51577..b73a29c 100644
--- a/ansible/roles/nomad_server/templates/nomad.hcl.j2
+++ b/ansible/roles/nomad_server/templates/nomad.hcl.j2
@@ -9,14 +9,14 @@ server {
 vault {
 enabled = true
 ca_file = "/etc/pki/certs/{{ vault_ca_cert_name }}"
-token = "{{ lookup('hashi_vault', 'secret=kv/data/nomad:data')['vault-token'] }}"
+token = "{{ lookup('hashi_vault', 'secret=kv/data/nomad:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['vault-token'] }}"
 address = "https://vault.service.{{ consul_domain }}:8200"
 create_from_role = "nomad-cluster"
 unwrap_token = true
 }
 consul {
-token = "{{ lookup('hashi_vault', 'secret=kv/data/nomad:data')['consul-acl-server'] }}"
+token = "{{ lookup('hashi_vault', 'secret=kv/data/nomad:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['consul-acl-server'] }}"
 }
 tls {
diff --git a/ansible/roles/vault_server/templates/vault.hcl.j2 b/ansible/roles/vault_server/templates/vault.hcl.j2
index cff4105..4902e96 100644
--- a/ansible/roles/vault_server/templates/vault.hcl.j2
+++ b/ansible/roles/vault_server/templates/vault.hcl.j2
@@ -18,5 +18,5 @@ cluster_addr = "https://{{ ansible_default_ipv4.address }}:8201"
 storage "consul" {
 address = "localhost:8500"
 path = "vault/"
-token = "{{ lookup('hashi_vault', 'secret=kv/data/vault:data')['consul-acl'] }}"
+token = "{{ lookup('hashi_vault', 'secret=kv/data/vault:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['consul-acl'] }}"
 }