Add masked.name to consul, get certs from vault

Amarpreet Minhas 2020-08-29 20:22:52 -04:00
parent 326d017271
commit ee97d0611f
7 changed files with 89 additions and 54 deletions


@ -86,3 +86,4 @@
name: consul name: consul
state: started state: started
enabled: True enabled: True
...


@ -1,12 +1,12 @@
datacenter = "{{ consul_dc }}" datacenter = "{{ main_dc_name }}"
domain = "consul" domain = "{{ consul_domain }}"
encrypt = "{{ lookup('hashi_vault', 'secret=kv/data/consul:data')['gossip'] }}" encrypt = "{{ lookup('hashi_vault', 'secret=kv/data/consul:data')['gossip'] }}"
verify_incoming = false verify_incoming = false
verify_outgoing = true verify_outgoing = true
verify_server_hostname = true verify_server_hostname = true
ca_file = "{{ consul_config_path }}/certs/consul-agent-ca.pem" ca_file = "/etc/pki/certs/{{ vault_ca_cert_name }}"
auto_encrypt { auto_encrypt {
tls = true tls = true
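Review bot: `ca_file` now points at `/etc/pki/certs/{{ vault_ca_cert_name }}`, but the tasks that used to copy a CA bundle into the consul certs directory are removed in this commit and none of the remaining changed files writes anything under `/etc/pki/certs`, so agents will fail TLS verification unless that file is provisioned by something outside this role. If it is, a non-rendered template comment naming the provider would save the next reader a search, e.g. `{# CA bundle is installed by <external role/playbook — TODO name it> #}`. The server template at the end of the page makes the same `ca_file` change. The `auto_encrypt` block continues past the end of the hunk.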


@ -12,3 +12,4 @@
service: service:
name: consul name: consul
state: restarted state: restarted
...


@ -26,31 +26,47 @@
state: directory state: directory
owner: consul owner: consul
group: consul group: consul
mode: 0744 mode: 0755
- name: ensure consul agent ca cert - name: check if server cert is expiring in the next 5 days
shell: "openssl x509 -checkend 432000 -noout -in /etc/consul.d/certs/consul-server.pem"
args:
executable: /bin/bash
failed_when: False
check_mode: False
changed_when: False
register: exp
- name: get cert
shell: "vault write pki_int/issue/{{ vault_pki_policy }} common_name=server.{{ main_dc_name }}.{{ consul_domain }} ttl=43200m"
args:
executable: /bin/bash
environment:
VAULT_ADDR: http://ivyking.minhas.io:8200
VAULT_TOKEN: "{{ lookup('file', lookup('env', 'HOME') + '/.vault-token') }}"
VAULT_FORMAT: json
register: cert_data
when: exp.rc != 0
- name: write cert data to server
copy: copy:
src: files/consul-agent-ca.pem content: "{{ item.content }}"
dest: /etc/consul.d/certs/consul-agent-ca.pem dest: "/etc/consul.d/certs/{{ item.path }}"
mode: '{{ item.mode }}'
owner: consul owner: consul
group: consul group: consul
mode: 0644 when: cert_data.changed
loop:
- name: ensure consul server cert - {
copy: content: "{{ (cert_data.stdout | from_json).data.certificate }}",
src: files/consul-server.pem path: "consul-server.pem",
dest: /etc/consul.d/certs/consul-server.pem mode: "0755"
owner: consul }
group: consul - {
mode: 0600 content: "{{ (cert_data.stdout | from_json).data.private_key }}",
path: "consul-server.key",
- name: ensure consul server key mode: "0600"
template: }
src: templates/consul-server.key.j2
dest: /etc/consul.d/certs/consul-server.key
owner: consul
group: consul
mode: 0600
- name: ensure consul data dir - name: ensure consul data dir
file: file:
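Review bot: The `get cert` task registers the raw Vault response, which carries the issued private key (the loop later reads `.data.private_key` from it), and `write cert data to server` renders that key through `content:`, so without `no_log: true` on both tasks the key is printed in verbose and `--diff` runs; add `no_log: true` to each. The same task points `VAULT_ADDR` at `http://ivyking.minhas.io:8200`, so the `VAULT_TOKEN` read from `~/.vault-token` and the returned key cross the network in clear; Vault should be addressed over `https://` here. After a renewed certificate is written nothing tells the running agent about it, because the copy task carries no `notify: restart_consul_debian` (the handler the template task in this section already uses), so the agent keeps serving the expiring cert until some unrelated restart. `mode: "0755"` on `consul-server.pem` sets execute bits on a data file; `"0644"` is sufficient now that the directory itself is `0755`. The FreeBSD task file in the following section repeats all four issues, with `restart_consul_fbsd` as its handler.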
@ -93,8 +109,8 @@
src: templates/consul.hcl.j2 src: templates/consul.hcl.j2
dest: /etc/consul.d/consul.hcl dest: /etc/consul.d/consul.hcl
owner: root owner: root
group: root group: consul
mode: 0755 mode: 0750
notify: restart_consul_debian notify: restart_consul_debian
- name: ensure consul is started and enabled - name: ensure consul is started and enabled
@ -102,3 +118,4 @@
name: consul name: consul
state: started state: started
enabled: True enabled: True
...


@ -26,31 +26,47 @@
state: directory state: directory
owner: consul owner: consul
group: consul group: consul
mode: 0744 mode: 0755
- name: ensure consul agent ca cert - name: check if server cert is expiring in the next 5 days
shell: "openssl x509 -checkend 432000 -noout -in /usr/local/etc/consul.d/certs/consul-server.pem"
args:
executable: /usr/local/bin/bash
failed_when: False
check_mode: False
changed_when: False
register: exp
- name: get cert
shell: "vault write pki_int/issue/{{ vault_pki_policy }} common_name=server.{{ main_dc_name }}.{{ consul_domain }} ttl=43200m"
args:
executable: /usr/local/bin/bash
environment:
VAULT_ADDR: http://ivyking.minhas.io:8200
VAULT_TOKEN: "{{ lookup('file', lookup('env', 'HOME') + '/.vault-token') }}"
VAULT_FORMAT: json
register: cert_data
when: exp.rc != 0
- name: write cert data to server
copy: copy:
src: files/consul-agent-ca.pem content: "{{ item.content }}"
dest: /usr/local/etc/consul.d/certs/consul-agent-ca.pem dest: "/usr/local/etc/consul.d/certs/{{ item.path }}"
mode: '{{ item.mode }}'
owner: consul owner: consul
group: consul group: consul
mode: 0644 when: cert_data.changed
loop:
- name: ensure consul server cert - {
copy: content: "{{ (cert_data.stdout | from_json).data.certificate }}",
src: files/consul-server.pem path: "consul-server.pem",
dest: /usr/local/etc/consul.d/certs/consul-server.pem mode: "0755"
owner: consul }
group: consul - {
mode: 0600 content: "{{ (cert_data.stdout | from_json).data.private_key }}",
path: "consul-server.key",
- name: ensure consul server key mode: "0600"
template: }
src: templates/consul-server.key.j2
dest: /usr/local/etc/consul.d/certs/consul-server.key
owner: consul
group: consul
mode: 0600
- name: ensure consul data dir - name: ensure consul data dir
file: file:
@ -64,7 +80,7 @@
shell: shell:
cmd: "consul --version | head -1 | cut -d'v' -f2" cmd: "consul --version | head -1 | cut -d'v' -f2"
args: args:
executable: /bin/bash executable: /usr/local/bin/bash
changed_when: False changed_when: False
failed_when: False failed_when: False
register: installed_consul_version register: installed_consul_version
@ -80,8 +96,8 @@
src: templates/consul.hcl.j2 src: templates/consul.hcl.j2
dest: /usr/local/etc/consul.d/consul.hcl dest: /usr/local/etc/consul.d/consul.hcl
owner: root owner: root
group: staff group: consul
mode: 0755 mode: 0750
notify: restart_consul_fbsd notify: restart_consul_fbsd
- name: enable and start consul - name: enable and start consul
@ -89,3 +105,4 @@
name: consul name: consul
state: started state: started
enabled: True enabled: True
...


@ -1 +0,0 @@
{{ lookup('hashi_vault', 'secret=kv/data/consul:data')['consul-server-key'] }}


@ -1,5 +1,5 @@
datacenter = "{{ consul_dc }}" datacenter = "{{ main_dc_name }}"
domain = "consul" domain = "{{ consul_domain }}"
server = true server = true
bootstrap_expect = 3 bootstrap_expect = 3
ui = true ui = true
@ -9,7 +9,7 @@ encrypt = "{{ lookup('hashi_vault', 'secret=kv/data/consul:data')['g
verify_incoming = true verify_incoming = true
verify_outgoing = true verify_outgoing = true
verify_server_hostname = true verify_server_hostname = true
ca_file = "{{ consul_config_path }}/certs/consul-agent-ca.pem" ca_file = "/etc/pki/certs/{{ vault_ca_cert_name }}"
cert_file = "{{ consul_config_path }}/certs/consul-server.pem" cert_file = "{{ consul_config_path }}/certs/consul-server.pem"
key_file = "{{ consul_config_path }}/certs/consul-server.key" key_file = "{{ consul_config_path }}/certs/consul-server.key"