Explicitly define ports for consul and vault

2020-10-12 22:39:23 -04:00 · 2020-10-12 22:39:23 -04:00 · b5d51f7e3f
commit b5d51f7e3f
parent b5b9dc2024
4 changed files with 34 additions and 3 deletions
--- a/ansible/roles/consul_server/templates/consul.hcl.j2
+++ b/ansible/roles/consul_server/templates/consul.hcl.j2
@ -30,11 +30,13 @@ raft_protocol       = 3
 enable_local_script_checks = true

 addresses {
+  http  = "127.0.0.1"
  https = "0.0.0.0"
  dns   = "0.0.0.0"
 }

 ports {
+  http  = 8500
  https = 8501
 }

--- a/ansible/roles/nomad_client/templates/nomad.hcl.j2
+++ b/ansible/roles/nomad_client/templates/nomad.hcl.j2
@ -17,6 +17,15 @@ consul {
  token     = "{{ lookup('hashi_vault', 'secret=kv/data/nomad:data')['consul-acl-client'] }}"
 }

+vault {
+  enabled           = true
+  ca_file           = "/etc/pki/certs/{{ vault_ca_cert_name }}"
+  token             = "{{ lookup('hashi_vault', 'secret=kv/data/nomad:data')['vault-token'] }}"
+  address           = "https://vault.service.{{ consul_domain }}:8200"
+  create_from_role  = "nomad-cluster"
+  unwrap_token      = true
+}
+
 tls {
  http      = true
  rpc       = true
--- a/ansible/roles/nomad_server/templates/nomad.hcl.j2
+++ b/ansible/roles/nomad_server/templates/nomad.hcl.j2
@ -6,6 +6,15 @@ server {
  bootstrap_expect = 1
 }

+vault {
+  enabled           = true
+  ca_file           = "/etc/pki/certs/{{ vault_ca_cert_name }}"
+  token             = "{{ lookup('hashi_vault', 'secret=kv/data/nomad:data')['vault-token'] }}"
+  address           = "https://vault.service.{{ consul_domain }}:8200"
+  create_from_role  = "nomad-cluster"
+  unwrap_token      = true
+}
+
 consul {
  token     = "{{ lookup('hashi_vault', 'secret=kv/data/nomad:data')['consul-acl-server'] }}"
 }
--- a/ansible/roles/vault_server/templates/vault.hcl.j2
+++ b/ansible/roles/vault_server/templates/vault.hcl.j2
@ -1,9 +1,20 @@
 ui = true
+
 listener "tcp" {
-  address       = "0.0.0.0:8200"
-  tls_cert_file = "/etc/vault.d/certs/vault.pem"
-  tls_key_file  = "/etc/vault.d/certs/vault.key"
+  address         = "127.0.0.1:8200"
+  tls_cert_file   = "/etc/vault.d/certs/vault.pem"
+  tls_key_file    = "/etc/vault.d/certs/vault.key"
 }
+
+listener "tcp" {
+  address         = "{{ ansible_default_ipv4.address }}:8200"
+  tls_cert_file   = "/etc/vault.d/certs/vault.pem"
+  tls_key_file    = "/etc/vault.d/certs/vault.key"
+}
+
+api_address     = "{{ ansible_default_ipv4.address }}:8200"
+cluster_address = "{{ ansible_default_ipv4.address }}:8201"
+
 storage "consul" {
  address   = "localhost:8500"
  path      = "vault/"