diff --git a/CHANGELOG.md b/CHANGELOG.md
index 10dc7a37..9cef0e84 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -352,3 +352,10 @@
 ## v1.9.1
 
 - Split gossip encryption out into separate task file
+
+## v1.9.2
+
+- Keep gossip encryption in main tasks until we sort cross play var
+- Compact YAML style for all tasks
+- Fix task items, shorten timeouts
+- Update documentation
diff --git a/tasks/acl.yml b/tasks/acl.yml
index 4b2abc7c..db3dc654 100644
--- a/tasks/acl.yml
+++ b/tasks/acl.yml
@@ -7,7 +7,8 @@
     register: consul_acl_master_token_keygen
     run_once: true
   - name: Save ACL master yoken
-    set_fact: consul_acl_master_token={{ consul_acl_master_token_keygen.stdout }}
+    set_fact:
+      consul_acl_master_token: "{{ consul_acl_master_token_keygen.stdout }}"
     when: consul_acl_master_token is not defined and not bootstrap_marker.stat.exists
 
   - name: Display ACL Master Token
@@ -21,16 +22,20 @@
     register: consul_acl_replication_token_keygen
     run_once: true
   - name: Save ACL replication yoken
-    set_fact: consul_acl_replication_token={{ consul_acl_replication_token_keygen.stdout }}
+    set_fact:
+      consul_acl_replication_token: "{{ consul_acl_replication_token_keygen.stdout }}"
     when: (consul_acl_replication_token is not defined or consul_acl_replication_token == '') and not bootstrap_marker.stat.exists
 
   - name: Display ACL Replication Token
-    debug: msg="{{ consul_acl_replication_token }}"
+    debug:
+      msg: "{{ consul_acl_replication_token }}"
     run_once: True
     when: consul_acl_replication_token_display
 
 - name: ACL bootstrap configuration
-  template: src=config_acl.json.j2 dest={{ consul_config_path }}/{{ item }}/config_acl.json
+  template:
+    src:config_acl.json.j2
+    dest: "{{ consul_config_path }}/{{ item }}/config_acl.json"
   with_items:
     - bootstrap
     - client
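Review bot: `src:config_acl.json.j2` under the rewritten `ACL bootstrap configuration` task is missing the space after the colon, so YAML does not read it as a `src` key and the task file fails to parse; it should be `src: config_acl.json.j2`, exactly as the `ACL policy configuration` task in the next hunk is written. Separately, the two `set_fact` tasks that save the ACL master and replication tokens can echo the token value in task output on verbose runs, and the `shell` tasks above them register it as stdout; `no_log: true` on those tasks keeps the secret out of logs while leaving display to the gated `Display ...` tasks that follow. The "yoken" typo in both task names is pre-existing context, not part of this change.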
@@ -39,7 +44,9 @@
     - restart consul
 
 - name: ACL policy configuration
-  template: src=config_acl_policy.hcl.j2 dest={{ consul_config_path }}/{{ item }}/config_acl_policy.hcl
+  template:
+    src: config_acl_policy.hcl.j2
+    dest: "{{ consul_config_path }}/{{ item }}/config_acl_policy.hcl"
   with_items:
     - bootstrap
     - client
diff --git a/tasks/client.yml b/tasks/client.yml
index 0f086395..fb42c085 100644
--- a/tasks/client.yml
+++ b/tasks/client.yml
@@ -2,7 +2,9 @@
 # File: tasks/client.yml - Ansible dependencies for Consul
 
 - name: Install dependencies for configuration by ansible (1/2)
-  apt: name={{ item }} state=installed
+  apt:
+    name: "{{ item }}"
+    state: installed
   with_items:
     - python-pip
     - python-setuptools
diff --git a/tasks/dnsmasq.yml b/tasks/dnsmasq.yml
index 65a039bc..58c8dedb 100644
--- a/tasks/dnsmasq.yml
+++ b/tasks/dnsmasq.yml
@@ -2,19 +2,30 @@
 # File: tasks/dnsmasq.yml - Dnsmasq tasks for Consul
 
 - name: Dnsmasq package
-  yum: name=dnsmasq state=present
+  yum:
+    name: dnsmasq
+    state: present
   when: ansible_os_family == "RedHat"
   tags: dnsmasq,installation
 
 - name: Dnsmasq package
-  apt: name=dnsmasq state=present
+  apt:
+    name: dnsmasq
+    state: present
   when: ansible_os_family == "Debian"
   tags: dnsmasq,installation
 
 - name: Stop Dnsmasq
-  service: name=dnsmasq state=stopped
+  service:
+    name: dnsmasq
+    state: stopped
 
 - name: "Dnsmasq setup"
-  copy: src=../files/dnsmasq-10-consul dest=/etc/dnsmasq.d/10-consul owner=root group=root mode=0644
+  copy:
+    src: ../files/dnsmasq-10-consul
+    dest: /etc/dnsmasq.d/10-consul
+    owner: root
+    group: root
+    mode: 0644
   notify: restart dnsmasq
   tags: dnsmasq
diff --git a/tasks/install.yml b/tasks/install.yml
index 47fa8a30..cc1b015a 100644
--- a/tasks/install.yml
+++ b/tasks/install.yml
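Review bot: `state: installed` in the rewritten client.yml apt task is the legacy spelling of the state; every other package task in this series (the dnsmasq.yml yum/apt tasks on the same line, the install.yml `package` task) uses `state: present`, and `present` is the documented form. Changing it to `state: present` keeps the files consistent and avoids depending on an alias. The dnsmasq.yml and ACL policy hunks look fine as reformats.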
@@ -2,21 +2,26 @@
 # File: tasks/install.yml - package installation tasks for Consul
 
 - name: OS packages
-  package: "name={{ item }} state=present"
+  package:
+    name: "{{ item }}"
+    state: present
   with_items: "{{ consul_os_packages }}"
   tags: installation
 
 - name: Check Consul package checksum file
   become: no
   connection: local
-  stat: "path={{ role_path }}/files/consul_{{ consul_version }}_SHA256SUMS"
+  stat:
+    path: "{{ role_path }}/files/consul_{{ consul_version }}_SHA256SUMS"
   run_once: true
   register: consul_checksum
 
 - name: Get Consul package checksum file
   become: no
   connection: local
-  get_url: "url={{ consul_checksum_file_url }} dest={{ role_path }}/files/consul_{{ consul_version }}_SHA256SUMS"
+  get_url:
+    url: "{{ consul_checksum_file_url }}"
+    dest: "{{ role_path }}/files/consul_{{ consul_version }}_SHA256SUMS"
   run_once: true
   tags: installation
   when: consul_checksum.stat.exists == False
@@ -32,14 +37,19 @@
 - name: Check Consul package file
   become: no
   connection: local
-  stat: "path={{ role_path }}/files/{{ consul_pkg }}"
+  stat:
+    path: "{{ role_path }}/files/{{ consul_pkg }}"
   run_once: true
   register: consul_package
 
 - name: Download Consul
   become: no
   connection: local
-  get_url: "url={{ consul_zip_url }} dest={{ role_path }}/files/{{ consul_pkg }} checksum=sha256:{{ consul_sha256.stdout.split(' ')|first }} timeout=42"
+  get_url:
+    url: "{{ consul_zip_url }}"
+    dest: "{{ role_path }}/files/{{ consul_pkg }}"
+    checksum: "sha256:{{ consul_sha256.stdout.split(' ')|first }}"
+    timeout: 42
   run_once: true
   tags: installation
   when: consul_package.stat.exists == False
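Review bot: The `Get Consul package checksum file` get_url fetches the SHA256SUMS file with no integrity check of its own, so the `checksum: "sha256:..."` on the later `Download Consul` task only detects a corrupted zip, not a substituted checksum file served from the same place; the reformat keeps that shape unchanged. At minimum the role should document that `consul_checksum_file_url` must be https with certificate validation left at its default, and if the upstream publishes a signature for the SHA256SUMS file, verifying it before the download task is what actually closes the gap — that belongs in install.yml, not in this formatting commit. Minor: `when: consul_checksum.stat.exists == False` and `when: consul_package.stat.exists == False` read more naturally as `when: not consul_checksum.stat.exists` and `when: not consul_package.stat.exists`. `consul_sha256` is registered between the two hunks, outside what is shown.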
@@ -47,18 +57,28 @@
 - name: Unarchive Consul
   become: no
   connection: local
-  unarchive: "src={{ role_path }}/files/{{ consul_pkg }} dest={{ role_path }}/files/ creates={{ role_path }}/files/consul"
+  unarchive:
+    src: "{{ role_path }}/files/{{ consul_pkg }}"
+    dest: "{{ role_path }}/files/"
+    creates: "{{ role_path }}/files/consul"
   run_once: true
   tags: installation
 
 - name: Install Consul
-  copy: "src={{ role_path }}/files/consul dest=/usr/local/bin/ owner={{ consul_user }} group={{ consul_group }} mode=0755"
+  copy:
+    src: "{{ role_path }}/files/consul"
+    dest: /usr/local/bin/
+    owner: "{{ consul_user }}"
+    group: "{{ consul_group }}"
+    mode: 0755
   tags: installation
 
 - name: Cleanup
   become: no
   connection: local
-  file: "path={{ item }} state=absent"
+  file:
+    path: "{{ item }}"
+    state: absent
   with_fileglob: "{{ role_path }}/files/consul"
   run_once: true
   tags: installation
diff --git a/tasks/iptables.yml b/tasks/iptables.yml
index 2ca5a634..82f1e661 100644
--- a/tasks/iptables.yml
+++ b/tasks/iptables.yml
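Review bot: The `Install Consul` copy gives the binary in /usr/local/bin to `owner: "{{ consul_user }}"` and `group: "{{ consul_group }}"`; if that is the account the service runs as (main.yml creates a `consul` user), the running process can overwrite its own executable, which undercuts the point of running it unprivileged. The init and systemd unit files in main.yml are already installed as `owner: root` / `group: root`, and the same layout (`owner: root`, `group: root`, `mode: 0755`) is the usual least-privilege choice for the binary — the data directories created in main.yml are where `consul_user` ownership belongs. This is carried over from the old one-line form rather than introduced here, but the rewrite is the natural place to fix it.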
@@ -1,18 +1,49 @@
 ---
 # File: tasks/iptables.yml - iptables tasks for Consul
 
-- name: install iptables
-  apt: name=iptables
+- name: Install iptables
+  apt:
+    name: iptables
 
-- name: redirect local DNS (1/4)
-  iptables: table=nat chain=PREROUTING protocol=udp match=udp destination_port=53 jump=REDIRECT to_ports=8600
+- name: Redirect local DNS (1/4)
+  iptables:
+    table: nat
+    chain: PREROUTING
+    protocol: udp
+    match: udp
+    destination_port: 53
+    jump: REDIRECT
+    to_ports: 8600
 
-- name: redirect local DNS (2/4)
-  iptables: table=nat chain=PREROUTING protocol=tcp match=tcp destination_port=53 jump=REDIRECT to_ports=8600
+- name: Redirect local DNS (2/4)
+  iptables:
+    table: nat
+    chain: PREROUTING
+    protocol: tcp
+    match: tcp
+    destination_port: 53
+    jump: REDIRECT
+    to_ports: 8600
 
-- name: redirect local DNS (3/4)
-  iptables: table=nat chain=OUTPUT protocol=udp match=udp destination_port=53 jump=REDIRECT to_ports=8600 destination=localhost
+- name: Redirect local DNS (3/4)
+  iptables:
+    table: nat
+    chain: OUTPUT
+    protocol: udp
+    match: udp
+    destination_port: 53
+    jump: REDIRECT
+    to_ports: 8600
+    destination: localhost
 
-- name: redirect local DNS (4/4)
-  iptables: table=nat chain=OUTPUT protocol=tcp match=tcp destination_port=53 jump=REDIRECT to_ports=8600 destination=localhost
+- name: Redirect local DNS (4/4)
+  iptables:
+    table: nat
+    chain: OUTPUT
+    protocol: tcp
+    match: tcp
+    destination_port: 53
+    jump: REDIRECT
+    to_ports: 8600
+    destination: localhost
\ No newline at end of file
diff --git a/tasks/main.yml b/tasks/main.yml
index 024faf79..310128e0 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
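Review bot: The two PREROUTING rules (`Redirect local DNS (1/4)` and `(2/4)`) carry no `destination` match, so every UDP and TCP port-53 packet that reaches this host from the network, whatever address it was sent to, is redirected into Consul's DNS on 8600 — only the OUTPUT rules are scoped with `destination: localhost`. Since main.yml requires `consul_recursors` whenever iptables is enabled, that turns the node into a recursive resolver for any network that can reach it, which is the classic open-resolver exposure. Scoping the PREROUTING rules the same way, e.g. adding `destination: localhost` or an `in_interface` limited to the loopback/`consul_iface`, keeps the redirect local; the file header comment calls these "local DNS" tasks, which is the intent. Minor: the rewritten file drops the trailing newline (`\ No newline at end of file`).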
@@ -3,61 +3,70 @@
 - name: Check distribution compatibility
   fail:
-    msg: "{{ ansible_distribution }} is not supported by this role"
+    msg: "{{ ansible_distribution }} is not currently supported by this role."
   when: ansible_distribution not in ['RedHat', 'CentOS', 'Debian', 'Ubuntu']
 
-- name: Fail if not a new release of Red Hat / CentOS
+- name: Fail if not a new release of CentOS or Red Hat
   fail:
-    msg: "{{ ansible_distribution_version }} is not an acceptable version of {{ ansible_distribution }} for this role"
+    msg: "{{ ansible_distribution_version }} isn't a supported version."
   when: ansible_distribution in ['RedHat', 'CentOS'] and ansible_distribution_version|version_compare(6, '<')
 
 - name: Fail if not a new release of Debian
   fail:
-    msg: "{{ ansible_distribution_version }} is not an acceptable version of {{ ansible_distribution }} for this role"
+    msg: "{{ ansible_distribution_version }} is not a supported version."
   when: ansible_distribution == "Debian" and ansible_distribution_version|version_compare(8.5, '<')
 
 - name: Fail if not a new release of Ubuntu
   fail:
-    msg: "{{ ansible_distribution_version }} is not an acceptable version of {{ ansible_distribution }} for this role"
+    msg: "{{ ansible_distribution_version }} is not a supported version."
   when: ansible_distribution == "Ubuntu" and ansible_distribution_version|version_compare(13.04, '<')
 
 - name: Fail if specified ethernet interface not found
   fail:
-    msg: "The ethernet interface specified by consul_iface was not found on this system"
+    msg: "The ethernet interface specified by consul_iface was not found."
   when: consul_iface not in ansible_interfaces
 
 - name: Fail if iptables is enabled for Red Hat / CentOS
   fail:
-    msg: "No support for iptables on {{ ansible_distribution }}, use dnsmasq instead"
+    msg: "Use DNSmasq instead of iptables on {{ ansible_distribution }}."
   when: consul_iptables_enable and (ansible_distribution in ['RedHat', 'CentOS'] and ansible_distribution_version|version_compare(6, '>='))
 
 - name: Fail if both Dnsmasq and iptables are enabled
   fail:
-    msg: "DNS Forwarding via both dnsmasq and iptables is not supported, enable only one option"
+    msg: "EONEORTHEOTHER: DNSmasq and iptables together is not supported."
   when: consul_dnsmasq_enable and consul_iptables_enable
 
 - name: Fail if iptables is enabled but no recursors are defined
   fail:
-    msg: "If iptables is enabled recursors are required"
+    msg: "Recursors are required if iptables is enabled."
   when: consul_iptables_enable and consul_recursors|length == 0
 
 - name: Check bootstrapped state
-  stat: path=/etc/consul/.consul_bootstrapped
+  stat:
+    path: /etc/consul/.consul_bootstrapped
   register: bootstrap_marker
   ignore_errors: true
 
 - name: Add Consul user
-  user: "name=consul comment='Consul user' uid=1042 group=bin"
+  user:
+    name: consul
+    comment: "Consul user"
+    uid: 1042
+    group: bin
 
-- name: Include OS-specific variables.
+- name: OS-specific variables
   include_vars: "{{ ansible_os_family }}.yml"
 
-- name: Install specified packages
+- name: Install OS packages
   include: install.yml
 
-- name: Directories
-  file: "dest={{ item }} state=directory owner={{ consul_user }} group={{ consul_group}}"
+- name: Create directories
+  file:
+    dest: "{{ item }}"
+    state: directory
+    owner: "{{ consul_user }}"
+    group: "{{ consul_group}}"
   with_items:
     - /etc/consul
     - /opt/consul
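Review bot: The rewritten `Add Consul user` task places the service account in `group: bin` with a fixed `uid: 1042`; membership in `bin` gives Consul nothing it needs, and the role already has a `consul_group` variable that the `Create directories` task a few lines later uses for ownership, so `group: "{{ consul_group }}"` (with a `group` task to create it first, if it is not a system group) keeps the account's reach to its own files. `"{{ consul_group}}"` in that directories task is missing the space before the closing braces — Jinja tolerates it, but it is the only place in the series written that way and is worth normalising to `"{{ consul_group }}"`. The new `EONEORTHEOTHER:` prefix on the dnsmasq/iptables failure message reads like a leftover placeholder; the message is clearer without it. The remaining lines of this hunk are wording changes to `fail` messages.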
@@ -65,25 +74,68 @@
     - /var/log/consul
     - /var/run/consul
     - /etc/consul.d
-    - /etc/consul.d/bootstrap
+    - /etc/consul.d/bootstrap
     - /etc/consul.d/client
     - /etc/consul.d/server
 
-- include: ../tasks/encrypt_gossip.yml
-  when: consul_acl_enable
+#- include: ../tasks/encrypt_gossip.yml
+
+- block:
+  - name: Check for key on previously boostrapped server
+    shell: 'cat {{ consul_config_path }}/bootstrap/config.json | grep "encrypt" | sed -E ''s/"encrypt": "(.+)",?/\1/'' | sed ''s/^ *//;s/ *$//'''
+    register: consul_key_read
+    run_once: true
+
+  - name: Save encryption key (from existing config)
+    set_fact:
+      consul_raw_key: "{{ consul_key_read.stdout }}"
+    ignore_errors: yes
+
+  when: consul_raw_key is not defined and bootstrap_marker.stat.exists
+
+- name: Write key locally to share with new servers
+  local_action copy content="{{ consul_raw_key }}" dest=/tmp/consul_raw.key
+  become: no
+  when: consul_raw_key is defined and bootstrap_marker.stat.exists
+
+- name: Read key for servers that require it
+  set_fact:
+    consul_raw_key: "{{ lookup('file', '/tmp/consul_raw.key') }}"
+  when: consul_raw_key is not defined and bootstrap_marker.stat.exists
+
+- name: Deleting key file
+  local_action file path=/tmp/consul_raw.key state=absent
+  become: no
+  when: consul_raw_key is defined and bootstrap_marker.stat.exists
+
+- block:
+  - name: Generate gossip encryption key
+    shell: "PATH={{ consul_bin_path }}:$PATH consul keygen"
+    register: consul_keygen
+    run_once: true
+
+  - name: Save encryption key
+    set_fact: consul_raw_key={{ consul_keygen.stdout }}
+  when: consul_raw_key is not defined and not bootstrap_marker.stat.exists
 
 - name: Bootstrap configuration
-  template: "src=config_bootstrap.json.j2 dest={{ consul_config_path }}/bootstrap/config.json"
+  template:
+    src: config_bootstrap.json.j2
+    dest: "{{ consul_config_path }}/bootstrap/config.json"
   notify:
     - restart consul
 
 - name: Client configuration
-  template: "src=config_client.json.j2 dest={{ consul_config_path }}/client/config.json"
+  template:
+    src: config_client.json.j2
+    dest: "{{ consul_config_path }}/client/config.json"
   notify:
     - restart consul
 
 - name: Server configuration
-  template: "src=config_server.json.j2 dest={{ consul_config_path }}/server/config.json"
+  template:
+    src: config_server.json.j2
+    dest: "{{ consul_config_path }}/server/config.json"
   notify:
     - restart consul
@@ -93,25 +145,48 @@
 - block:
   - name: SYSV init script
-    template: src=consul_sysvinit.j2 dest=/etc/init.d/consul owner=root group=root mode=755
+    template:
+      src: consul_sysvinit.j2
+      dest: /etc/init.d/consul
+      owner: root
+      group: root
+      mode: 0755
     when: not ansible_service_mgr == "systemd" and not ansible_os_family == "Debian"
 
   - name: Debian init script
-    template: src=consul_debianinit.j2 dest=/etc/init.d/consul owner=root group=root mode=755
+    template:
+      src: consul_debianinit.j2
+      dest: /etc/init.d/consul
+      owner: root
+      group: root
+      mode: 755
     when: not ansible_service_mgr == "systemd" and ansible_os_family == "Debian"
 
   - name: systemd script
-    template: src=consul_systemd.service.j2 dest=/lib/systemd/system/consul.service owner=root group=root mode=644
+    template:
+      src: consul_systemd.service.j2
+      dest: /lib/systemd/system/consul.service
+      owner: root
+      group: root
+      mode: 644
     when: ansible_service_mgr == "systemd"
 
   - name: Start Consul
-    service: name=consul state=started enabled=yes
+    service:
+      name: consul
+      state: started
+      enabled: yes
 
   - name: Consul up?
-    wait_for: delay=5 path=/var/run/consul/consul.pid state=present
-
-  - name: Bootstrapped marker
-    file: dest=/etc/consul/.consul_bootstrapped state=touch
+    wait_for:
+      delay: 5
+      path: /var/run/consul/consul.pid
+      state: present
+
+  - name: Create bootstrapped marker
+    file:
+      dest: /etc/consul/.consul_bootstrapped
+      state: touch
 
 - include: ../tasks/dnsmasq.yml
   when: consul_dnsmasq_enable
diff --git a/tasks/tls.yml b/tasks/tls.yml
index 76e3bddd..f305c83c 100644
--- a/tasks/tls.yml
+++ b/tasks/tls.yml
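Review bot: `local_action copy content="{{ consul_raw_key }}" dest=/tmp/consul_raw.key` and `local_action file path=/tmp/consul_raw.key state=absent` are missing the colon after `local_action`, so neither line is a mapping entry and main.yml no longer parses; they need `local_action: copy content="{{ consul_raw_key }}" dest=/tmp/consul_raw.key` and `local_action: file path=/tmp/consul_raw.key state=absent` (or the block form used everywhere else in this commit). Beyond syntax, the gossip key is written in clear to a fixed, predictable path under /tmp on the control host with the copy module's default mode, and its value flows through `shell` stdout, `register` and `set_fact` with no `no_log`, so it appears in verbose output and any log shipper; `mode: "0600"` on that copy and `no_log: true` on every task that carries the key are the minimum, and reading the value from `hostvars` of the `run_once` host instead of a temp file would likely remove the write/read/delete dance and its race altogether. The `Save encryption key (from existing config)` set_fact also carries `ignore_errors: yes`, which silently masks a failed extraction by the `cat | grep | sed` pipeline and leaves `consul_raw_key` undefined; a `slurp` of config.json with `from_json` would be both sturdier and easier to check. The `Save encryption key` task in the second block uses the `set_fact: consul_raw_key={{ ... }}` shorthand that the rest of the commit is moving away from.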
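Review bot: `mode: 755` on the `Debian init script` task and `mode: 644` on the `systemd script` task are now bare YAML integers; Ansible's file modules treat an integer mode as already numeric, so these become decimal 755 (0o1363) and 644 (0o1204) rather than the octal the old `mode=755` string form was parsed as, while the `SYSV init script` task in the same hunk correctly uses `0755`. Write them as quoted octal strings, `mode: "0755"` and `mode: "0644"`, so neither the YAML parser nor the module can reinterpret them. `enabled: yes` on `Start Consul` works, but `true` matches the booleans used elsewhere in the role. The enclosing `- block:` starts at the top of the hunk and its `when`, if any, is outside it.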
@@ -2,17 +2,30 @@
 # File: tasks/tls.yml - TLS tasks for Consul
 
 - name: Create SSL directory
-  file: "dest={{ consul_tls_dir }} state=directory owner=root group=root mode=755"
+  file:
+    dest: "{{ consul_tls_dir }}"
+    state: directory
+    owner: root
+    group: root
+    mode: 0755
 
 - block:
   - name: Copy CA certificate
-    copy: "src={{ consul_src_files }}/{{ consul_ca_crt }} dest={{ consul_tls_dir }}/{{ consul_ca_crt }}"
+    copy:
+      src: "{{ consul_src_files }}/{{ consul_ca_crt }}"
+      dest: "{{ consul_tls_dir }}/{{ consul_ca_crt }}"
 
   - name: Copy server certificate
-    copy: "src={{ consul_src_files }}/{{ consul_server_crt }} dest={{ consul_tls_dir }}/{{ consul_server_crt }}"
+    copy:
+      src: "{{ consul_src_files }}/{{ consul_server_crt }}"
+      dest: "{{ consul_tls_dir }}/{{ consul_server_crt }}"
 
   - name: Copy server key
-    copy: "src={{ consul_src_files }}/{{ consul_server_key }} dest={{ consul_tls_dir }}/{{ consul_server_key }}"
+    copy:
+      src: "{{ consul_src_files }}/{{ consul_server_key }}"
+      dest: "{{ consul_tls_dir }}/{{ consul_server_key }}"
 
   - name: Server TLS configuration
-    template: "src=config_server_tls.json.j2 dest={{ consul_config_path }}/server/config_server_tls.json"
+    template:
+      src: config_server_tls.json.j2
+      dest: "{{ consul_config_path }}/server/config_server_tls.json"
diff --git a/version.txt b/version.txt
index ba1e8bf0..b95e90dc 100644
--- a/version.txt
+++ b/version.txt
@@ -1 +1 @@
-v1.9.1
+v1.9.2
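Review bot: The `Copy server key` task sets no `owner`, `group` or `mode`, so the TLS private key lands with the copy module's defaults (root-owned and, under a normal umask, world-readable) inside the `0755` directory the first task creates. The directory task in the same hunk already shows the pattern, so the key needs `mode: "0600"` with `owner` set to whatever account runs Consul (the role's `consul_user`, presumably), and `no_log: true` on that task keeps the key material out of `--diff` and verbose output. The CA and server certificate copies are public material and can keep the defaults. The block's `when`, if any, is outside the hunk.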