Add masked.name to consul, get certs from vault

Amarpreet Minhas 2020-08-29 20:22:52 -04:00
parent 326d017271
commit ee97d0611f
7 changed files with 89 additions and 54 deletions


@ -86,3 +86,4 @@
name: consul
state: started
enabled: True
...


@ -1,12 +1,12 @@
datacenter = "{{ consul_dc }}"
domain = "consul"
datacenter = "{{ main_dc_name }}"
domain = "{{ consul_domain }}"
encrypt = "{{ lookup('hashi_vault', 'secret=kv/data/consul:data')['gossip'] }}"
verify_incoming = false
verify_outgoing = true
verify_server_hostname = true
ca_file = "{{ consul_config_path }}/certs/consul-agent-ca.pem"
ca_file = "/etc/pki/certs/{{ vault_ca_cert_name }}"
auto_encrypt {
tls = true
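Review bot: `ca_file` is now the only TLS path in this template that is not derived from `consul_config_path` (the server template keeps `cert_file`/`key_file` under `{{ consul_config_path }}/certs`), and `/etc/pki/certs/{{ vault_ca_cert_name }}` is hard-coded. The commit removes the `ensure consul agent ca cert` task that used to place the CA into the certs directory, and nothing visible in this change installs a file at the new path, so presumably another role does; that is worth confirming, in particular on the FreeBSD hosts where this play keeps its config under `/usr/local/etc`. A line such as `ca_file = "{{ vault_ca_cert_path | default('/etc/pki/certs') }}/{{ vault_ca_cert_name }}"` would keep the location overridable per platform.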


@ -12,3 +12,4 @@
service:
name: consul
state: restarted
...


@ -26,31 +26,47 @@
state: directory
owner: consul
group: consul
mode: 0744
mode: 0755
- name: ensure consul agent ca cert
- name: check if server cert is expiring in the next 5 days
shell: "openssl x509 -checkend 432000 -noout -in /etc/consul.d/certs/consul-server.pem"
args:
executable: /bin/bash
failed_when: False
check_mode: False
changed_when: False
register: exp
- name: get cert
shell: "vault write pki_int/issue/{{ vault_pki_policy }} common_name=server.{{ main_dc_name }}.{{ consul_domain }} ttl=43200m"
args:
executable: /bin/bash
environment:
VAULT_ADDR: http://ivyking.minhas.io:8200
VAULT_TOKEN: "{{ lookup('file', lookup('env', 'HOME') + '/.vault-token') }}"
VAULT_FORMAT: json
register: cert_data
when: exp.rc != 0
- name: write cert data to server
copy:
src: files/consul-agent-ca.pem
dest: /etc/consul.d/certs/consul-agent-ca.pem
content: "{{ item.content }}"
dest: "/etc/consul.d/certs/{{ item.path }}"
mode: '{{ item.mode }}'
owner: consul
group: consul
mode: 0644
- name: ensure consul server cert
copy:
src: files/consul-server.pem
dest: /etc/consul.d/certs/consul-server.pem
owner: consul
group: consul
mode: 0600
- name: ensure consul server key
template:
src: templates/consul-server.key.j2
dest: /etc/consul.d/certs/consul-server.key
owner: consul
group: consul
mode: 0600
when: cert_data.changed
loop:
- {
content: "{{ (cert_data.stdout | from_json).data.certificate }}",
path: "consul-server.pem",
mode: "0755"
}
- {
content: "{{ (cert_data.stdout | from_json).data.private_key }}",
path: "consul-server.key",
mode: "0600"
}
- name: ensure consul data dir
file:
@ -93,8 +109,8 @@
src: templates/consul.hcl.j2
dest: /etc/consul.d/consul.hcl
owner: root
group: root
mode: 0755
group: consul
mode: 0750
notify: restart_consul_debian
- name: ensure consul is started and enabled
@ -102,3 +118,4 @@
name: consul
state: started
enabled: True
...
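Review bot: The `get cert` task registers `cert_data`, whose `stdout` carries the issued private key, and neither that task nor the `write cert data to server` loop is marked `no_log: true`, so the key shows up in the per-item result line of the loop and in any verbose run or saved log; add `no_log: true` to both tasks. `VAULT_ADDR: http://ivyking.minhas.io:8200` sends the operator's token from `~/.vault-token` and receives the private key over clear-text HTTP, and hard-codes the host; it should be an `https://` address taken from a role variable, as `vault_pki_policy` already is. The certificate item is written with `mode: "0755"`, which sets execute bits on a PEM file where the replaced `ensure consul server cert` task used `0644`. The same three points apply unchanged to the FreeBSD tasks file (the section writing under `/usr/local/etc/consul.d/certs`).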


@ -26,31 +26,47 @@
state: directory
owner: consul
group: consul
mode: 0744
mode: 0755
- name: ensure consul agent ca cert
- name: check if server cert is expiring in the next 5 days
shell: "openssl x509 -checkend 432000 -noout -in /usr/local/etc/consul.d/certs/consul-server.pem"
args:
executable: /usr/local/bin/bash
failed_when: False
check_mode: False
changed_when: False
register: exp
- name: get cert
shell: "vault write pki_int/issue/{{ vault_pki_policy }} common_name=server.{{ main_dc_name }}.{{ consul_domain }} ttl=43200m"
args:
executable: /usr/local/bin/bash
environment:
VAULT_ADDR: http://ivyking.minhas.io:8200
VAULT_TOKEN: "{{ lookup('file', lookup('env', 'HOME') + '/.vault-token') }}"
VAULT_FORMAT: json
register: cert_data
when: exp.rc != 0
- name: write cert data to server
copy:
src: files/consul-agent-ca.pem
dest: /usr/local/etc/consul.d/certs/consul-agent-ca.pem
content: "{{ item.content }}"
dest: "/usr/local/etc/consul.d/certs/{{ item.path }}"
mode: '{{ item.mode }}'
owner: consul
group: consul
mode: 0644
- name: ensure consul server cert
copy:
src: files/consul-server.pem
dest: /usr/local/etc/consul.d/certs/consul-server.pem
owner: consul
group: consul
mode: 0600
- name: ensure consul server key
template:
src: templates/consul-server.key.j2
dest: /usr/local/etc/consul.d/certs/consul-server.key
owner: consul
group: consul
mode: 0600
when: cert_data.changed
loop:
- {
content: "{{ (cert_data.stdout | from_json).data.certificate }}",
path: "consul-server.pem",
mode: "0755"
}
- {
content: "{{ (cert_data.stdout | from_json).data.private_key }}",
path: "consul-server.key",
mode: "0600"
}
- name: ensure consul data dir
file:
@ -64,7 +80,7 @@
shell:
cmd: "consul --version | head -1 | cut -d'v' -f2"
args:
executable: /bin/bash
executable: /usr/local/bin/bash
changed_when: False
failed_when: False
register: installed_consul_version
@ -80,8 +96,8 @@
src: templates/consul.hcl.j2
dest: /usr/local/etc/consul.d/consul.hcl
owner: root
group: staff
mode: 0755
group: consul
mode: 0750
notify: restart_consul_fbsd
- name: enable and start consul
@ -89,3 +105,4 @@
name: consul
state: started
enabled: True
...


@ -1 +0,0 @@
{{ lookup('hashi_vault', 'secret=kv/data/consul:data')['consul-server-key'] }}


@ -1,5 +1,5 @@
datacenter = "{{ consul_dc }}"
domain = "consul"
datacenter = "{{ main_dc_name }}"
domain = "{{ consul_domain }}"
server = true
bootstrap_expect = 3
ui = true
@ -9,7 +9,7 @@ encrypt = "{{ lookup('hashi_vault', 'secret=kv/data/consul:data')['g
verify_incoming = true
verify_outgoing = true
verify_server_hostname = true
ca_file = "{{ consul_config_path }}/certs/consul-agent-ca.pem"
ca_file = "/etc/pki/certs/{{ vault_ca_cert_name }}"
cert_file = "{{ consul_config_path }}/certs/consul-server.pem"
key_file = "{{ consul_config_path }}/certs/consul-server.key"