Lots of changes

deploy_consul.yaml

@@ -5,48 +5,101 @@
 
   gather_facts: true
   tasks:
-#    - name: Install python
-#      raw: apk add python3
 
-    - name: Install packages
+    - name: Install zip utils
-      community.general.apk:
+      apk:
-        name: consul
+        name:
+          - unzip
+          - consul
         state: present
-        update_cache: yes
+
+    - name: Check for upgrade requirement
+      shell: /usr/sbin/consul version
+      register: consul_version
+      changed_when: false
+
+    - name: Apply upgrades if needed
+      block:
+        - name: Obtain consul binary
+          get_url:
+            url: https://releases.hashicorp.com/consul/1.10.4/consul_1.10.4_linux_amd64.zip
+            dest: /tmp/consul.zip
+        - name: Remove old consul binary
+          file:
+            path: /usr/sbin/consul
+            state: absent
+        - name: Expand binary
+          unarchive:
+            src: /tmp/consul.zip
+            dest: /usr/sbin/
+            remote_src: yes
+      when: consul_version.stdout.find('Consul v1.10.4') == -1
 
     - name: Create keys directory
       file:
         path: /etc/consul.keys
         state: directory
         owner: root
-
+    - name: Set up CA and create certs
-    - name: Deploy keys
+      block:
-      copy:
+        - name: Create a CA for key creation
-        src: "{{ item }}"
+          shell: consul tls ca create
-        dest: /etc/consul.keys/
+          args:
+            chdir: /etc/consul.keys
+            creates: /etc/consul.keys/consul-agent-ca-key.pem
+        - name: Retrieve new CA key and certificate
+          fetch:
+            src: '/etc/consul.keys/{{item}}'
+            dest: 'files/keys/{{item}}'
+            flat: yes
           loop:
-        - "files/keys/consul-agent-ca.pem"
+            - consul-agent-ca-key.pem
-        - "files/keys/dc1-server-consul-{{ ansible_nodename }}.pem"
+            - consul-agent-ca.pem
-        - "files/keys/dc1-server-consul-{{ ansible_nodename }}-key.pem"
+        - name: Install server certificate script
-
+          copy:
-    - name: Update tls config
+            src: 'files/scripts/consul-server-cert.sh'
+            dest: '/usr/sbin/consul-server-cert'
+            mode: '0700'
+        - name: Create server certificates
+          shell: '/usr/sbin/consol-server-cert {{item}}'
+          args:
+            chdir: /etc/consul.keys
+            creates: '/etc/consul.keys/{{item}}.key.pem'
+          loop: "{{ groups.consul }}"
+        - name: Retrieve server certificates
+          fetch:
+            src: '/etc/consul.keys/{{item}}.pem'
+            dest: 'files/keys/{{item}}.pem'
+            flat: yes
+          loop: "{{ groups.consul }}"
+        - name: Retrieve server keys
+          fetch:
+            src: '/etc/consul.keys/{{item}}.key.pem'
+            dest: 'files/keys/{{item}}.key.pem'
+            flat: yes
+          loop: "{{ groups.consul }}"          
+      when: inventory_hostname in 'cnsl01'
+    - name: Distribute CA certificate
+      copy:
+        src: keys/consul-agent-ca.pem
+        dest: /etc/consul.keys/consul-agent-ca.pem
+    - name: Distribute certificates and keys
+      block:
+        - name: Ship certificate
+          copy:
+            src: "keys/{{inventory_hostname}}.pem"
+            dest: "/etc/consul.keys/{{inventory_hostname}}.pem"
+        - name: Ship key
+          copy:
+            src: "keys/{{inventory_hostname}}.key.pem"
+            dest: "/etc/consul.keys/{{inventory_hostname}}.key.pem"
+      when: inventory_hostname not in 'cnsl01'
+    - name: Update server tls config
       template:
         src: tls.json
         dest: /etc/consul/
     
-    - name: Copy static config files
+    - name: Copy static server config files
       copy:
         src: files/server_cfg/
         dest: /etc/consul
-
-    - name: Restart server
-      service:
-        name: consul
-        state: restarted
-
-    - name: Enable service
-      service:
-        name: consul
-        enabled: true
-        runlevel: default
-        

deploy_python.yaml

@@ -0,0 +1,9 @@
+- name: Deploy consul cluster
+  hosts:
+    - consul
+  vars:
+
+  gather_facts: false
+  tasks:
+    - name: Install python
+      raw: apk add python3

files/scripts/consul-server-cert.sh

@@ -0,0 +1,21 @@
+#!/usr/bin/env bash
+
+RENEW=false
+
+while getopts r: flag
+do
+  case "${flag}" in
+    r) RENEW=true
+  esac
+done
+
+HOSTNAME=$1 
+
+if [[ -f "$HOSTNAME.key.pem" && renew == 'false' ]]; then
+  echo "Certificate key for $HOSTNAME exists, use -r to renew it."
+  exit
+fi 
+
+consul tls cert create -server -dc dc1 -additional-dnsname=$HOSTNAME -node=$HOSTNAME 
+mv dc1-server-consul-0-key.pem $HOSTNAME.key.pem 
+mv dc1-server-consul-0.pem $HOSTNAME.pem

files/server_cfg/server.json

@@ -8,7 +8,9 @@
   "disable_remote_exec": true,
   "enable_syslog": true,
   "client_addr": "0.0.0.0",
-  "ui": true,
+  "ui_config": {
+    "enabled": true
+  },
   "retry_join": [
     "10.0.96.80",
     "10.0.96.81",

policy/cnsl02-node-policy.hcl

@@ -1,3 +0,0 @@
-node "cnsl02" {
-  policy = "write"
-}

policy/cnsl03-node-policy.hcl

@@ -1,3 +0,0 @@
-node "cnsl03" {
-  policy = "write"
-}

policy/node-policy.hcl

@@ -1,12 +0,0 @@
-agent_prefix "" {
-  policy = "write"
-}
-node_prefix "" {
-  policy = "write"
-}
-service_prefix "" {
-  policy = "read"
-}
-session_prefix "" {
-  policy = "read"
-}

policy/node-token.txt

@@ -1,7 +0,0 @@
-AccessorID:       34eb7622-fb31-c2ac-68c0-f1de090c220a
-SecretID:         a3ffb2c1-a218-5b02-c4ae-6b2e73050a7c
-Description:      node token
-Local:            false
-Create Time:      2021-11-14 03:38:58.055421799 +0000 UTC
-Policies:
-   90a72d92-8c2f-475d-1db3-b44ac409be6d - node-policy

policy/oort-node-policy.hcl

@@ -1,3 +0,0 @@
-node "oort" {
-  policy = "write"
-}

policy/oort.hcl

@@ -1,3 +0,0 @@
-node "oort" {
-  policy = "write"
-}

requirements.in

@@ -0,0 +1,3 @@
+ansible
+proxmoxer
+requests

templates/agent.json

@@ -8,8 +8,6 @@
   "enable_syslog": true,
   "encrypt": "HwOdJKTZXTaqGsCaBs7qRlrPm0msjz/K2WQ1/HbZ+I8=",
   "ca_file": "/etc/consul/consul-agent-ca.pem",
-  "cert_file": "/etc/consul/dc1-agent-consul-0.pem",
-  "key_file": "/etc/consul/dc1-agent-consul-0-key.pem",
   "verify_incoming": true,
   "verify_outgoing": true,
   "verify_server_hostname": true,

templates/node-policy.hcl

@@ -1,3 +1,3 @@
-node "cnsl01" {
+node "{{item}}" {
   policy = "write"
 }

templates/tls.json

@@ -1,8 +1,11 @@
 {
   "ca_file": "/etc/consul.keys/consul-agent-ca.pem",
-  "cert_file": "/etc/consul.keys/dc1-server-consul-{{ ansible_nodename }}.pem",
+  "cert_file": "/etc/consul.keys/{{ ansible_nodename }}.pem",
-  "key_file": "/etc/consul.keys/dc1-server-consul-{{ ansible_nodename }}-key.pem",
+  "key_file": "/etc/consul.keys/{{ ansible_nodename }}.key.pem",
   "verify_incoming": true,
   "verify_outgoing": true,
-  "verify_server_hostname": true
+  "verify_server_hostname": true,
+  "auto_encrypt": {
+    "allow_tls": true
+  }
 }