From 9bf5d70f15a92cf1aa533bdb737b5ffd3d89983c Mon Sep 17 00:00:00 2001 From: Brian Shumate Date: Thu, 9 Feb 2017 10:53:23 -0500 Subject: [PATCH] Consul 0.7.4 and new ACL handling technique - Consul 0.7.4 - BREAKING CHANGE: Deprecate read/write of ACL tokens from file system functionality and prefer setting tokens from existing cluster nodes with CONSUL_ACL_MASTER_TOKEN and CONSUL_ACL_REPLICATION_TOKEN environment variables instead - Update documentation --- CHANGELOG.md | 9 +++++++ README.md | 29 +++++++++++++++------- defaults/main.yml | 4 +++- examples/README_VAGRANT.md | 2 +- tasks/acl.yml | 49 +------------------------------------- version.txt | 2 +- 6 files changed, 36 insertions(+), 59 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index bf509b25..1cb0ea4c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -323,3 +323,12 @@ - Consul 0.7.3 - Update documentation + +## v1.8.0 + +- Consul 0.7.4 +- BREAKING CHANGE: Deprecate read/write of ACL tokens from file system + functionality and prefer setting tokens from existing cluster nodes with + CONSUL_ACL_MASTER_TOKEN and CONSUL_ACL_REPLICATION_TOKEN environment + variables instead +- Update documentation diff --git a/README.md b/README.md index f0b435ae..7c6a0f51 100644 --- a/README.md +++ b/README.md @@ -19,7 +19,7 @@ with other software versions, but does work with the following specific software and versions: * Ansible: 2.2.1.0 -* Consul: 0.7.3 +* Consul: 0.7.4 * Debian: 8 * CentOS: 7 
@@ -30,7 +30,7 @@ inventory file (see below): | Name | Default Value | Description | | -------------- | ------------- | -----------------------------------| -| `consul_version` | *0.7.3* | Version to install | +| `consul_version` | *0.7.4* | Version to install | | `consul_zip_url` | `https://releases.hashicorp.com/consul/{{ consul_version }}/consul_{{ consul_version }}_linux_amd64.zip` | Download URL | | `consul_checksum_file_url` | "https://releases.hashicorp.com/consul/{{ consul_version }}/{{ consul_version }}_SHA256SUMS" | URL to package SHA256 summaries | | `consul_bin_path` | `/usr/local/bin` | Binary installation path | @@ -59,9 +59,9 @@ inventory file (see below): | `consul_acl_datacenter` | *dc1* | ACL authoritative datacenter name | | `consul_acl_default_policy` | *allow* | Default ACL policy | | `consul_acl_down_policy` | *allow* | Default ACL down policy | -| `consul_acl_master_token` | UUID | ACL master token | +| `consul_acl_master_token` | *SN4K3OILSN4K3OILSN4K3OILSN4K3OIL* | ACL master token — can be overridden with `CONSUL_ACL_MASTER_TOKEN` environment variable | | `consul_acl_master_token_display` | *false* | Display generated ACL Master Token | -| `consul_acl_replication_token` | UUID | ACL replication token | +| `consul_acl_replication_token` | *SN4K3OILSN4K3OILSN4K3OILSN4K3OIL* | ACL replication token — can be overridden with `CONSUL_ACL_REPLICATION_TOKEN` environment variable| | `consul_atlas_enable` | *false* | Enable Atlas support | | `consul_atlas_infrastructure` | Environment variable | Atlas infrastructure name | | `consul_atlas_token` | Environment variable | Atlas token | 
@@ -168,10 +168,23 @@ If you want the automatically generated ACL Master Token value emitted to standard out during the play, set the environment variable `CONSUL_ACL_MASTER_TOKEN_DISPLAY` to *true* as in the above example. -There are a number of Ansible ACL variables you can override to further refine -your initial ACL setup. They are not all currently picked up from environment -variables, but do have some sensible defaults. Check `defaults/main.yml` to -see how some of he defaults (i.e. tokens) are automatically generated. +If you want to use existing tokens, set the environment variables +`CONSUL_ACL_MASTER_TOKEN` and `CONSUL_ACL_REPLICATION_TOKEN` as well, +for example: + +``` +CONSUL_ACL_ENABLE=true CONSUL_ACL_DATACENTER=stjohn \ +CONSUL_ACL_MASTER_TOKEN=0815C55B-3AD2-4C1B-BE9B-715CAAE3A4B2 \ +CONSUL_ACL_REPLICATION_TOKEN=C609E56E-DD0B-4B99-A0AD-B079252354A0 \ +CONSUL_ACL_MASTER_TOKEN_DISPLAY=true ansible-playbook -i uat_hosts sail.yml +``` + +There are a number of Ansible ACL variables you can override to further +refine your initial ACL setup. They are not all currently picked up from +environment variables, but do have some sensible defaults. + +Check `defaults/main.yml` to see how some of he defaults (i.e. tokens) +are automatically generated. ### Atlas Support diff --git a/defaults/main.yml b/defaults/main.yml index 80c3f76d..27842d90 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -2,7 +2,7 @@ # File: defaults/main.yml - Default variables for Consul ## Core -consul_version: "{{ lookup('env','CONSUL_VERSION') | default('0.7.3', true) }}" +consul_version: "{{ lookup('env','CONSUL_VERSION') | default('0.7.4', true) }}" consul_zip_url: "https://releases.hashicorp.com/consul/{{ consul_version }}/consul_{{ consul_version }}_linux_amd64.zip" consul_checksum_file_url: "https://releases.hashicorp.com/consul/{{ consul_version }}/consul_{{ consul_version}}_SHA256SUMS" consul_bin_path: "/usr/local/bin" 
@@ -30,7 +30,9 @@ consul_acl_enable: "{{ lookup('env','CONSUL_ACL_ENABLE') | default(false, true) consul_acl_datacenter: "{{ lookup('env','CONSUL_ACL_DATACENTER') | default(consul_datacenter, true) }}" consul_acl_default_policy: "allow" consul_acl_down_policy: "allow" +consul_acl_master_token: "{{ lookup('env','CONSUL_ACL_MASTER_TOKEN') | default('SN4K3OILSN4K3OILSN4K3OILSN4K3OIL', true) }}" consul_acl_master_token_display: "{{ lookup('env','CONSUL_ACL_MASTER_TOKEN_DISPLAY') | default(false, true) }}" +consul_acl_replication_token: "{{ lookup('env','CONSUL_ACL_REPLICATION_TOKEN') | default('SN4K3OILSN4K3OILSN4K3OILSN4K3OIL', true) }}" consul_acl_replication_token_display: "{{ lookup('env','CONSUL_ACL_REPLICATION_TOKEN_DISPLAY') | default(false, true) }}" ## TLS diff --git a/examples/README_VAGRANT.md b/examples/README_VAGRANT.md index c6f6cbe5..caa645dc 100644 --- a/examples/README_VAGRANT.md +++ b/examples/README_VAGRANT.md @@ -95,7 +95,7 @@ BOX_NAME=centos/7 vagrant up ## Notes 1. This project functions with the following software versions: - * Consul version 0.7.3 + * Consul version 0.7.4 * Ansible: 2.2.1.0 * VirtualBox version 5.1.14 * Vagrant version 1.9.1 diff --git a/tasks/acl.yml b/tasks/acl.yml index 57113c12..4b2abc7c 100644 --- a/tasks/acl.yml +++ b/tasks/acl.yml 
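Review bot: The new `consul_acl_master_token` and `consul_acl_replication_token` defaults fall back to the fixed, publicly committed string `SN4K3OILSN4K3OILSN4K3OILSN4K3OIL` whenever the environment variables are unset, so a play run with `CONSUL_ACL_ENABLE=true` but without `CONSUL_ACL_MASTER_TOKEN` will write a master token that anyone reading this repository knows, and the same value is reused for the replication token. A placeholder is fine as a sentinel, but it must never reach a rendered Consul config; because both variables are now always defined, the `Generate ACL master token` block that remains in `tasks/acl.yml` presumably no longer triggers on an undefined token (its `when` is outside the hunk, so please confirm), which would leave nothing to produce a real one. I would mark the value as a sentinel in an inline comment, `# sentinel only; acl.yml must refuse to run with this value`, and add an assert to the ACL tasks that fails the play when either token is still the placeholder.

```yaml
- name: Refuse to configure ACLs with the placeholder tokens
  assert:
    that:
      - consul_acl_master_token != 'SN4K3OILSN4K3OILSN4K3OILSN4K3OIL'
      - consul_acl_replication_token != 'SN4K3OILSN4K3OILSN4K3OILSN4K3OIL'
    msg: "Set CONSUL_ACL_MASTER_TOKEN and CONSUL_ACL_REPLICATION_TOKEN; the built-in placeholder must not be deployed"
  when: consul_acl_enable | bool
# … unchanged: token generation and config tasks …
```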
@@ -1,53 +1,6 @@ --- # File: tasks/acl.yml - ACL tasks for Consul -- block: - - name: Look for an existing ACL master token on a previously boostrapped server - shell: 'cat {{ consul_config_path }}/server/config_acl.json | grep "acl_master_token" | sed -E ''s/"acl_master_token": "(.+)",?/\1/'' | sed ''s/^ *//;s/ *$//''' - register: acl_master_token_read - run_once: true - - - name: Save ACL master token key (from existing config) - set_fact: consul_acl_master_token={{ acl_master_token_read.stdout }} - when: acl_master_token_read.stdout != '' - when: consul_acl_master_token is not defined and bootstrap_marker.stat.exists - -- name: Writing ACL master token locally to share with other servers that are new - local_action: copy content={{ consul_acl_master_token }} dest=/tmp/acl_master_token - become: no - when: consul_acl_master_token is defined - -- name: Reading ACL master token for servers that are missing it - set_fact: consul_acl_master_token="{{ lookup('file', '/tmp/acl_master_token') }}" - when: consul_acl_master_token is not defined - -- name: Deleting ACL master token file - local_action: file path=/tmp/acl_master_token state=absent - become: no - -- block: - - name: Look for an existing ACL replication token on a previously boostrapped server - shell: 'cat {{ consul_config_path }}/server/config_acl.json | grep "acl_replication_token" | sed -E ''s/"acl_replication_token": "(.+)",?/\1/'' | sed ''s/^ *//;s/ *$//''' - register: consul_acl_replication_token_read - run_once: true - - - name: Save ACL replication token key (from existing config) - set_fact: consul_acl_replication_token={{ consul_acl_replication_token_read.stdout }} - when: consul_acl_replication_token is not defined and bootstrap_marker.stat.exists - -- name: Writing ACL replication token locally to share with other servers that are new - local_action: copy content={{ consul_acl_replication_token }} dest=/tmp/acl_replication_token - become: no - when: consul_acl_replication_token is defined - -- 
name: Reading ACL replication token for servers that are missing it - set_fact: consul_acl_replication_token="{{ lookup('file', '/tmp/acl_replication_token') }}" - when: consul_acl_replication_token is not defined - -- name: Deleting ACL replication token file - become: no - local_action: file path=/tmp/acl_replication_token state=absent - - block: - name: Generate ACL master token command: "echo {{ ansible_date_time.iso8601_micro | to_uuid }}" @@ -92,4 +45,4 @@ - client - server notify: - - restart consul \ No newline at end of file + - restart consul diff --git a/version.txt b/version.txt index 8d3083da..ba103d90 100644 --- a/version.txt +++ b/version.txt @@ -1,2 +1,2 @@ -v1.7.4 +v1.8.0