diff --git a/CHANGELOG.md b/CHANGELOG.md
index 7c140ecc..10dc7a37 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -348,3 +348,7 @@
 - Local TLS keys (thanks @dggreenbaum)
 - Remove Atlas support
 - Update documentation
+
+## v1.9.1
+
+- Split gossip encryption out into separate task file
diff --git a/tasks/encrypt_gossip.yml b/tasks/encrypt_gossip.yml
new file mode 100644
index 00000000..cdb16424
--- /dev/null
+++ b/tasks/encrypt_gossip.yml
@@ -0,0 +1,38 @@
+---
+# File: tasks/encrypt_gossip.yml - Gossip encryption tasks for Consul
+
+- block:
+ - name: Check for key on previously boostrapped server
+ shell: 'cat {{ consul_config_path }}/bootstrap/config.json | grep "encrypt" | sed -E ''s/"encrypt": "(.+)",?/\1/'' | sed ''s/^ *//;s/ *$//'''
+ register: consul_key_read
+ run_once: true
+
+ - name: Save encryption key (from existing config)
+ set_fact: consul_raw_key={{ consul_key_read.stdout }}
+ ignore_errors: yes
+
+ when: consul_raw_key is not defined and bootstrap_marker.stat.exists
+
+- name: Writing key locally to share with other servers that are new
+ local_action: copy content={{ consul_raw_key }} dest=/tmp/consul_raw.key
+ become: no
+ when: consul_raw_key is defined and bootstrap_marker.stat.exists
+
+- name: Reading key for servers that are missing it
+ set_fact: consul_raw_key="{{ lookup('file', '/tmp/consul_raw.key') }}"
+ when: consul_raw_key is not defined and bootstrap_marker.stat.exists
+
+- name: Deleting key file
+ local_action: file path=/tmp/consul_raw.key state=absent
+ become: no
+ when: consul_raw_key is defined and bootstrap_marker.stat.exists
+
+- block:
+ - name: Generate gossip encryption key
+ shell: "PATH={{ consul_bin_path }}:$PATH consul keygen"
+ register: consul_keygen
+ run_once: true
+
+ - name: Save encryption key
+ set_fact: consul_raw_key={{ consul_keygen.stdout }}
+ when: consul_raw_key is not defined and not bootstrap_marker.stat.exists
diff --git a/tasks/main.yml b/tasks/main.yml
index 5dde3cb2..024faf79 100644
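Review bot: The gossip key is staged on the control node at the fixed path `/tmp/consul_raw.key` by `local_action: copy content={{ consul_raw_key }} dest=/tmp/consul_raw.key` with the module's default file mode, so for the duration of the play the cluster secret sits in a shared, predictable location readable by other local users; add `mode=0600` to that copy (`local_action: copy content={{ consul_raw_key }} dest=/tmp/consul_raw.key mode=0600`) and prefer a per-run path from the `tempfile` module when the controller is shared. The tasks with `register: consul_key_read` and `register: consul_keygen` and both `set_fact` calls will print the key under verbose runs, so `no_log: true` belongs on each of them. The read pipeline `cat ... | grep "encrypt" | sed ... | sed ...` reports only the last `sed`'s exit status, so a bootstrap config with no `encrypt` entry appears to yield an empty stdout that `set_fact` stores as `consul_raw_key`, after which the keygen block (gated on `consul_raw_key is not defined`) never runs; `failed_when: consul_key_read.stdout == ""` on the shell task would catch that, and the newly added `ignore_errors: yes` on the following `set_fact` only hides this failure mode further (write it as `true` if it is kept). `boostrapped` in the first task name is a typo.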
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -50,47 +50,12 @@
 - name: Add Consul user
 user: "name=consul comment='Consul user' uid=1042 group=bin"
-# Include variables and define needed variables.
 - name: Include OS-specific variables.
 include_vars: "{{ ansible_os_family }}.yml"
 - name: Install specified packages
 include: install.yml
-- block:
- - name: Look for an existing encryption key on a previously boostrapped server
- shell: 'cat {{ consul_config_path }}/bootstrap/config.json | grep "encrypt" | sed -E ''s/"encrypt": "(.+)",?/\1/'' | sed ''s/^ *//;s/ *$//'''
- register: consul_key_read
- run_once: true
-
- - name: Save encryption key (from existing config)
- set_fact: consul_raw_key={{ consul_key_read.stdout }}
- when: consul_raw_key is not defined and bootstrap_marker.stat.exists
-
-- name: Writing key locally to share with other servers that are new
- local_action: copy content={{ consul_raw_key }} dest=/tmp/consul_raw.key
- become: no
- when: consul_raw_key is defined and bootstrap_marker.stat.exists
-
-- name: Reading key for servers that are missing it
- set_fact: consul_raw_key="{{ lookup('file', '/tmp/consul_raw.key') }}"
- when: consul_raw_key is not defined and bootstrap_marker.stat.exists
-
-- name: Deleting key file
- local_action: file path=/tmp/consul_raw.key state=absent
- become: no
- when: consul_raw_key is defined and bootstrap_marker.stat.exists
-
-- block:
- - name: Generate gossip encryption key
- shell: "PATH={{ consul_bin_path }}:$PATH consul keygen"
- register: consul_keygen
- run_once: true
-
- - name: Save encryption key
- set_fact: consul_raw_key={{ consul_keygen.stdout }}
- when: consul_raw_key is not defined and not bootstrap_marker.stat.exists
-
 - name: Directories
 file: "dest={{ item }} state=directory owner={{ consul_user }} group={{ consul_group}}"
 with_items:
@@ -104,6 +69,9 @@
 - /etc/consul.d/client
 - /etc/consul.d/server
+- include: ../tasks/encrypt_gossip.yml
+ when: consul_acl_enable
+
 - name: Bootstrap configuration
 template: "src=config_bootstrap.json.j2 dest={{ consul_config_path }}/bootstrap/config.json"
 notify:
diff --git a/version.txt b/version.txt
index 295e37c0..ba1e8bf0 100644
--- a/version.txt
+++ b/version.txt
@@ -1 +1 @@
-v1.9.0
+v1.9.1
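Review bot: The new `- include: ../tasks/encrypt_gossip.yml` is gated on `when: consul_acl_enable`, whereas the tasks it replaces (removed in the earlier hunk of this file) ran unconditionally, so with ACLs disabled `consul_raw_key` is no longer set at all; gossip encryption and ACLs are separate Consul features and the changelog entry describes only a file split, so this reads as an unintended behaviour change. If the bootstrap config template still references `consul_raw_key`, the "Bootstrap configuration" task that follows would fail on an undefined variable when `consul_acl_enable` is false (inferred; the template is not in the diff). Gate the include on a variable dedicated to gossip encryption instead, e.g. `when: <gossip-encryption-enable-var>` (placeholder), or drop the condition to keep the previous behaviour. The `../tasks/` prefix is also inconsistent with `include: install.yml` earlier in this file; `- include: encrypt_gossip.yml` resolves to the same file.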