From ee97d0611fded8c6a223009460e2ef1945d83c3d Mon Sep 17 00:00:00 2001
From: Asara
Date: Sat, 29 Aug 2020 20:22:52 -0400
Subject: [PATCH] Add masked.name to consul, get certs from vault
---
 ansible/roles/consul/tasks/Debian.yml | 1 +
 ansible/roles/consul/templates/consul.hcl.j2 | 6 +-
 ansible/roles/consul_server/handlers/main.yml | 1 +
 ansible/roles/consul_server/tasks/Debian.yml | 63 +++++++++++-------
 ansible/roles/consul_server/tasks/FreeBSD.yml | 65 ++++++++++++-------
 .../templates/consul-server.key.j2 | 1 -
 .../consul_server/templates/consul.hcl.j2 | 6 +-
 7 files changed, 89 insertions(+), 54 deletions(-)
 delete mode 100644 ansible/roles/consul_server/templates/consul-server.key.j2
diff --git a/ansible/roles/consul/tasks/Debian.yml b/ansible/roles/consul/tasks/Debian.yml
index 7111a25..b4cc423 100644
--- a/ansible/roles/consul/tasks/Debian.yml
+++ b/ansible/roles/consul/tasks/Debian.yml
@@ -86,3 +86,4 @@
 name: consul
 state: started
 enabled: True
+...
diff --git a/ansible/roles/consul/templates/consul.hcl.j2 b/ansible/roles/consul/templates/consul.hcl.j2
index 5899d6d..025bc6f 100644
--- a/ansible/roles/consul/templates/consul.hcl.j2
+++ b/ansible/roles/consul/templates/consul.hcl.j2
@@ -1,12 +1,12 @@
-datacenter = "{{ consul_dc }}"
-domain = "consul"
+datacenter = "{{ main_dc_name }}"
+domain = "{{ consul_domain }}"
 encrypt = "{{ lookup('hashi_vault', 'secret=kv/data/consul:data')['gossip'] }}"
 verify_incoming = false
 verify_outgoing = true
 verify_server_hostname = true
-ca_file = "{{ consul_config_path }}/certs/consul-agent-ca.pem"
+ca_file = "/etc/pki/certs/{{ vault_ca_cert_name }}"
 auto_encrypt {
 tls = true
diff --git a/ansible/roles/consul_server/handlers/main.yml b/ansible/roles/consul_server/handlers/main.yml
index 0c9cfcd..d360c40 100644
--- a/ansible/roles/consul_server/handlers/main.yml
+++ b/ansible/roles/consul_server/handlers/main.yml
@@ -12,3 +12,4 @@
 service:
 name: consul
 state: restarted
+...
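Review bot: `ca_file` now points at the fixed path `/etc/pki/certs/{{ vault_ca_cert_name }}` while the agent's other TLS material stays under `{{ consul_config_path }}/certs`, and nothing in this patch installs a CA file at that location, so consul will presumably refuse to start unless another role already drops it there; on the FreeBSD hosts these roles also target, `/etc/pki` is unlikely to be the intended prefix. Keeping the CA under the existing prefix, `ca_file = "{{ consul_config_path }}/certs/{{ vault_ca_cert_name }}"`, or introducing a dedicated path variable would keep both layouts consistent, and a one-line template comment naming the role that provisions the CA file would make the dependency visible. The server template hunk in ansible/roles/consul_server/templates/consul.hcl.j2 makes the same change.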
diff --git a/ansible/roles/consul_server/tasks/Debian.yml b/ansible/roles/consul_server/tasks/Debian.yml
index 5ee16b3..5a856c5 100644
--- a/ansible/roles/consul_server/tasks/Debian.yml
+++ b/ansible/roles/consul_server/tasks/Debian.yml
@@ -26,31 +26,47 @@
 state: directory
 owner: consul
 group: consul
- mode: 0744
+ mode: 0755
-- name: ensure consul agent ca cert
+- name: check if server cert is expiring in the next 5 days
+ shell: "openssl x509 -checkend 432000 -noout -in /etc/consul.d/certs/consul-server.pem"
+ args:
+ executable: /bin/bash
+ failed_when: False
+ check_mode: False
+ changed_when: False
+ register: exp
+
+- name: get cert
+ shell: "vault write pki_int/issue/{{ vault_pki_policy }} common_name=server.{{ main_dc_name }}.{{ consul_domain }} ttl=43200m"
+ args:
+ executable: /bin/bash
+ environment:
+ VAULT_ADDR: http://ivyking.minhas.io:8200
+ VAULT_TOKEN: "{{ lookup('file', lookup('env', 'HOME') + '/.vault-token') }}"
+ VAULT_FORMAT: json
+ register: cert_data
+ when: exp.rc != 0
+
+- name: write cert data to server
 copy:
- src: files/consul-agent-ca.pem
- dest: /etc/consul.d/certs/consul-agent-ca.pem
+ content: "{{ item.content }}"
+ dest: "/etc/consul.d/certs/{{ item.path }}"
+ mode: '{{ item.mode }}'
 owner: consul
 group: consul
- mode: 0644
-
-- name: ensure consul server cert
- copy:
- src: files/consul-server.pem
- dest: /etc/consul.d/certs/consul-server.pem
- owner: consul
- group: consul
- mode: 0600
-
-- name: ensure consul server key
- template:
- src: templates/consul-server.key.j2
- dest: /etc/consul.d/certs/consul-server.key
- owner: consul
- group: consul
- mode: 0600
+ when: cert_data.changed
+ loop:
+ - {
+ content: "{{ (cert_data.stdout | from_json).data.certificate }}",
+ path: "consul-server.pem",
+ mode: "0755"
+ }
+ - {
+ content: "{{ (cert_data.stdout | from_json).data.private_key }}",
+ path: "consul-server.key",
+ mode: "0600"
+ }
 - name: ensure consul data dir
 file:
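Review bot: The private key returned by `vault write` sits in `cert_data.stdout` and is then fed to the copy loop as `item.content`, yet neither the "get cert" task nor "write cert data to server" sets `no_log: true`, so the key is echoed in the per-item loop label and in any verbose or failure output and ends up in callback logs; add `no_log: true` to both tasks, or at minimum `loop_control: label: "{{ item.path }}"` on the copy. The task also reads the operator's own token from the control node with `lookup('file', ... '/.vault-token')` and exports it into the remote process environment against a plain `http://` VAULT_ADDR, which places a controller-scoped token on every managed host and sends it and the issued key over the wire in cleartext; since the templates already use the `hashi_vault` lookup on the control node, issuing the certificate there (or with a host-scoped token over https) would avoid both. The certificate loop item is written with `mode: "0755"`, where `"0644"` is enough for a non-executable public cert. Unlike the consul.hcl task later in this file, the copy task has no `notify: restart_consul_debian`, so a renewed cert may not be picked up until the agent is otherwise restarted, unless consul reloads cert files on its own — worth confirming. The matching hunk in ansible/roles/consul_server/tasks/FreeBSD.yml has the same four points.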
@@ -93,8 +109,8 @@
 src: templates/consul.hcl.j2
 dest: /etc/consul.d/consul.hcl
 owner: root
- group: root
- mode: 0755
+ group: consul
+ mode: 0750
 notify: restart_consul_debian
 - name: ensure consul is started and enabled
@@ -102,3 +118,4 @@
 name: consul
 state: started
 enabled: True
+...
diff --git a/ansible/roles/consul_server/tasks/FreeBSD.yml b/ansible/roles/consul_server/tasks/FreeBSD.yml
index be803fd..dd5f133 100644
--- a/ansible/roles/consul_server/tasks/FreeBSD.yml
+++ b/ansible/roles/consul_server/tasks/FreeBSD.yml
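Review bot: consul.hcl is a plain configuration file, so `mode: 0750` hands the consul group an execute bit it has no use for; `mode: "0640"` keeps the root-owned, group-readable intent without the extra bit. Tightening the file away from 0755 is the right move here, since the rendered template carries the gossip key fetched through the hashi_vault lookup. Quoting the octal as the new cert tasks already do (`"0600"`, `"0755"`) also avoids relying on YAML 1.1 octal parsing of the bare `0750`. The consul.hcl hunk in ansible/roles/consul_server/tasks/FreeBSD.yml (`group: staff` to `group: consul`) sets the same mode.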
@@ -26,31 +26,47 @@
 state: directory
 owner: consul
 group: consul
- mode: 0744
+ mode: 0755
-- name: ensure consul agent ca cert
+- name: check if server cert is expiring in the next 5 days
+ shell: "openssl x509 -checkend 432000 -noout -in /usr/local/etc/consul.d/certs/consul-server.pem"
+ args:
+ executable: /usr/local/bin/bash
+ failed_when: False
+ check_mode: False
+ changed_when: False
+ register: exp
+
+- name: get cert
+ shell: "vault write pki_int/issue/{{ vault_pki_policy }} common_name=server.{{ main_dc_name }}.{{ consul_domain }} ttl=43200m"
+ args:
+ executable: /usr/local/bin/bash
+ environment:
+ VAULT_ADDR: http://ivyking.minhas.io:8200
+ VAULT_TOKEN: "{{ lookup('file', lookup('env', 'HOME') + '/.vault-token') }}"
+ VAULT_FORMAT: json
+ register: cert_data
+ when: exp.rc != 0
+
+- name: write cert data to server
 copy:
- src: files/consul-agent-ca.pem
- dest: /usr/local/etc/consul.d/certs/consul-agent-ca.pem
+ content: "{{ item.content }}"
+ dest: "/usr/local/etc/consul.d/certs/{{ item.path }}"
+ mode: '{{ item.mode }}'
 owner: consul
 group: consul
- mode: 0644
-
-- name: ensure consul server cert
- copy:
- src: files/consul-server.pem
- dest: /usr/local/etc/consul.d/certs/consul-server.pem
- owner: consul
- group: consul
- mode: 0600
-
-- name: ensure consul server key
- template:
- src: templates/consul-server.key.j2
- dest: /usr/local/etc/consul.d/certs/consul-server.key
- owner: consul
- group: consul
- mode: 0600
+ when: cert_data.changed
+ loop:
+ - {
+ content: "{{ (cert_data.stdout | from_json).data.certificate }}",
+ path: "consul-server.pem",
+ mode: "0755"
+ }
+ - {
+ content: "{{ (cert_data.stdout | from_json).data.private_key }}",
+ path: "consul-server.key",
+ mode: "0600"
+ }
 - name: ensure consul data dir
 file:
@@ -64,7 +80,7 @@
 shell:
 cmd: "consul --version | head -1 | cut -d'v' -f2"
 args:
- executable: /bin/bash
+ executable: /usr/local/bin/bash
 changed_when: False
 failed_when: False
 register: installed_consul_version
@@ -80,8 +96,8 @@
 src: templates/consul.hcl.j2
 dest: /usr/local/etc/consul.d/consul.hcl
 owner: root
- group: staff
- mode: 0755
+ group: consul
+ mode: 0750
 notify: restart_consul_fbsd
 - name: enable and start consul
@@ -89,3 +105,4 @@
 name: consul
 state: started
 enabled: True
+...
diff --git a/ansible/roles/consul_server/templates/consul-server.key.j2 b/ansible/roles/consul_server/templates/consul-server.key.j2
deleted file mode 100644
index 5991a43..0000000
--- a/ansible/roles/consul_server/templates/consul-server.key.j2
+++ /dev/null
@@ -1 +0,0 @@
-{{ lookup('hashi_vault', 'secret=kv/data/consul:data')['consul-server-key'] }}
diff --git a/ansible/roles/consul_server/templates/consul.hcl.j2 b/ansible/roles/consul_server/templates/consul.hcl.j2
index 0a96cb0..acea632 100644
--- a/ansible/roles/consul_server/templates/consul.hcl.j2
+++ b/ansible/roles/consul_server/templates/consul.hcl.j2
@@ -1,5 +1,5 @@
-datacenter = "{{ consul_dc }}"
-domain = "consul"
+datacenter = "{{ main_dc_name }}"
+domain = "{{ consul_domain }}"
 server = true
 bootstrap_expect = 3
 ui = true
@@ -9,7 +9,7 @@ encrypt = "{{ lookup('hashi_vault', 'secret=kv/data/consul:data')['g
 verify_incoming = true
 verify_outgoing = true
 verify_server_hostname = true
-ca_file = "{{ consul_config_path }}/certs/consul-agent-ca.pem"
+ca_file = "/etc/pki/certs/{{ vault_ca_cert_name }}"
 cert_file = "{{ consul_config_path }}/certs/consul-server.pem"
 key_file = "{{ consul_config_path }}/certs/consul-server.key"