From eca78a092d0dc12bf03e17b123a6340443d738d1 Mon Sep 17 00:00:00 2001
From: Asara
Date: Wed, 30 Sep 2020 22:16:38 -0400
Subject: [PATCH] Enable https on consul
---
 ansible/roles/consul_server/tasks/Debian.yml | 2 +-
 ansible/roles/consul_server/tasks/FreeBSD.yml | 2 +-
 ansible/roles/consul_server/templates/consul.hcl.j2 | 11 ++++++++---
 3 files changed, 10 insertions(+), 5 deletions(-)
diff --git a/ansible/roles/consul_server/tasks/Debian.yml b/ansible/roles/consul_server/tasks/Debian.yml
index 5a856c5..ee6c320 100644
--- a/ansible/roles/consul_server/tasks/Debian.yml
+++ b/ansible/roles/consul_server/tasks/Debian.yml
@@ -38,7 +38,7 @@
 register: exp
 - name: get cert
- shell: "vault write pki_int/issue/{{ vault_pki_policy }} common_name=server.{{ main_dc_name }}.{{ consul_domain }} ttl=43200m"
+ shell: "vault write pki_int/issue/{{ vault_pki_policy }} common_name=server.{{ main_dc_name }}.{{ consul_domain }} alt_names=consul.service.{{ consul_domain }},consul.service.{{ main_dc_name }}.{{ consul_domain }} ttl=43200m"
 args:
 executable: /bin/bash
 environment:
diff --git a/ansible/roles/consul_server/tasks/FreeBSD.yml b/ansible/roles/consul_server/tasks/FreeBSD.yml
index dd5f133..17bf956 100644
--- a/ansible/roles/consul_server/tasks/FreeBSD.yml
+++ b/ansible/roles/consul_server/tasks/FreeBSD.yml
@@ -38,7 +38,7 @@
 register: exp
 - name: get cert
- shell: "vault write pki_int/issue/{{ vault_pki_policy }} common_name=server.{{ main_dc_name }}.{{ consul_domain }} ttl=43200m"
+ shell: "vault write pki_int/issue/{{ vault_pki_policy }} common_name=server.{{ main_dc_name }}.{{ consul_domain }} alt_names=consul.service.{{ consul_domain }},consul.service.{{ main_dc_name }}.{{ consul_domain }} ttl=43200m"
 args:
 executable: /usr/local/bin/bash
 environment:
diff --git a/ansible/roles/consul_server/templates/consul.hcl.j2 b/ansible/roles/consul_server/templates/consul.hcl.j2
index 60b9e05..11f1010 100644
--- a/ansible/roles/consul_server/templates/consul.hcl.j2
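Review bot: The new `alt_names=` argument, like the rest of the `vault write` line, splices `consul_domain` and `main_dc_name` into a bash command line unquoted, so a value containing a space or a shell metacharacter alters the command instead of the SAN list; quoting each argument, e.g. `alt_names='consul.service.{{ consul_domain }},consul.service.{{ main_dc_name }}.{{ consul_domain }}'`, keeps the whole value a single argv entry. The identical line is duplicated in the FreeBSD.yml hunk, and a shared role variable such as `consul_cert_alt_names` would keep the two files from drifting apart. The added names must also be permitted by the Vault PKI role behind `vault_pki_policy` (its `allowed_domains` / `allow_subdomains` settings), otherwise the task fails at run time rather than at review. The task's `environment:` block and any `register:` of the command output continue outside the hunk; if the output is registered it contains the issued private key, so `no_log: true` on the task keeps it out of the play log.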
+++ b/ansible/roles/consul_server/templates/consul.hcl.j2
@@ -8,9 +8,10 @@
 ui = true
 encrypt = "{{ lookup('hashi_vault', 'secret=kv/data/consul:data')['gossip'] }}"
-verify_incoming = true
 verify_outgoing = true
 verify_server_hostname = true
+verify_incoming_https = false
+verify_incoming_rpc = true
 ca_file = "/etc/pki/certs/{{ vault_ca_cert_name }}"
 cert_file = "{{ consul_config_path }}/certs/consul-server.pem"
 key_file = "{{ consul_config_path }}/certs/consul-server.key"
@@ -29,8 +30,12 @@
 raft_protocol = 3
 enable_local_script_checks = true
 addresses {
- http = "0.0.0.0"
- dns = "0.0.0.0"
+ https = "0.0.0.0"
+ dns = "0.0.0.0"
+}
+
+ports {
+ https = 8501
 }
 performance {
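Review bot: `verify_incoming_https = false` removes the client-certificate check that the deleted `verify_incoming = true` applied to the HTTPS API, while `verify_incoming_rpc = true` keeps it for server-to-server RPC; with the second hunk binding HTTPS to `0.0.0.0`, the API is then reachable from any host on the network and TLS provides server authentication and confidentiality only. That is a reasonable trade when ACLs are enforced on the API, but nothing in this hunk shows the ACL configuration, so it should be confirmed before merge and the intent recorded beside the setting, e.g. `# API clients are not asked for a certificate; access control relies on ACL tokens`. An HCL `#` comment in the template survives rendering and tells the next maintainer this is deliberate rather than an oversight.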
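Review bot: Dropping `http` from `addresses` does not turn off the plaintext HTTP listener: Consul falls back to `client_addr` for the HTTP bind address and keeps serving port 8500, so the API most likely remains available without TLS alongside the new 8501 listener. If the commit intends HTTPS-only access, add `http = -1` to the new `ports` block next to `https = 8501`; if plaintext on the loopback is intended, a one-line comment saying so would prevent the next reader from assuming it was disabled. Whether `client_addr` is set elsewhere in the template is not visible here, and the `performance` block continues outside the hunk.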