diff --git a/CHANGELOG.md b/CHANGELOG.md index 4118b5d3..93daa4d7 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -200,3 +200,10 @@ - Streamline main tasks - Update documentation - Update variables + +## v1.3.1 + +- Correct variable names +- Add token display variables +- Update documentation +- Remove deprecated variables diff --git a/README.md b/README.md index ccf5911a..f8f28ff5 100644 --- a/README.md +++ b/README.md @@ -25,7 +25,7 @@ software and versions: ## Role Variables -The role specifies variables in `defaults/main.yml` and `vars/*.yml`. +The role defines variables in `defaults/main.yml`: | Name | Default Value | Description | | -------------- | ------------- | -----------------------------------| @@ -58,6 +58,7 @@ The role specifies variables in `defaults/main.yml` and `vars/*.yml`. | `consul_acl_default_policy` | *allow* | Default ACL policy | | `consul_acl_down_policy` | *allow* | Default ACL down policy | | `consul_acl_master_token` | UUID | ACL master token | +| `consul_acl_master_token_display` | *false* | Display generated ACL Master Token | | `consul_acl_replication_token` | UUID | ACL replication token | | `consul_atlas_enable` | *false* | Enable Atlas support | | `consul_atlas_infrastructure` | Environment variable | Atlas infrastructure name | @@ -67,9 +68,7 @@ The role specifies variables in `defaults/main.yml` and `vars/*.yml`. The `consul` binary works on most Linux platforms and is not distribution specific. However, some distributions require installation of specific OS -packages with different naming, so this role was built with support for -popular Linux distributions and defines these variables to deal with the -differences acros distros: +packages with different package names. | Name | Default Value | Description | | -------------- | ------------- | -----------------------------------| 
@@ -93,7 +92,11 @@ differences acros distros: ## Dependencies Ansible requires GNU tar and this role performs some local use of the -unarchive module, so ensure that your system has `gtar` installed. +unarchive module, so ensure that your system has `gtar` installed and +in the PATH. + +If you're on system with a different (i.e. BSD) `tar`, like macOS and you +see odd errors during unarchive tasks, you could be missing `gtar`. ## Example Playbook 
@@ -116,7 +119,42 @@ Be aware that for clustering, the included `site.yml` does the following: 2. Reconfigures bootstrap node to run without bootstrap-expect setting 3. Restarts bootstrap node -### DNSMasq Forwarding Support +### ACL Support + +Basic support for ACLs is included in the role. You can set the environment +variables `CONSUL_ACL_ENABLE` to *true*, and also set the +`CONSUL_ACL_DATACENTER` environment variable to its correct value for your +environment prior to executing your playbook; for example: + +``` +CONSUL_ACL_ENABLE="true" CONSUL_ACL_DATACENTER="maui" \ +CONSUL_ACL_MASTER_TOKEN_DISPLAY="true" ansible-playbook -i uat_hosts aloha.yml +``` + +If you want the automatically generated ACL Master Token value emitted to +standard out during the play, set the environment variable +`CONSUL_ACL_MASTER_TOKEN_DISPLAY` to "true" as in the above example. + +There are a number of Ansible ACL variables you can override to further refine +your initial ACL setup. They are not all currently picked up from environment +variables, but do have some sensible defaults. Check `defaults/main.yml` to +see how some of he defaults (i.e. tokens) are automatically generated. + +### Atlas Support + +Basic support for Atlas is included in the role. You can set the environment +variables `CONSUL_ATLAS_ENABLE` to *true*, and also set the +`CONSUL_ATLAS_INFRASTRUCTURE` and `CONSUL_ATLAS_TOKEN` environment variables +to their correct values for your environment prior to executing your +playbook; for example: + +``` +CONSUL_ATLAS_ENABLE="true" CONSUL_ATLAS_INFRASTRUCTURE="brianshumate/example" \ +CONSUL_ATLAS_TOKEN="00000000-000000000-000000000000-0000" \ +ansible-playbook -i uat_hosts site.yml +``` + +### Dnsmasq Forwarding Support The role now includes support for [DNS forwarding](https://www.consul.io/docs/guides/forwarding.html) with [Dnsmasq](http://www.thekelleys.org.uk/dnsmasq/doc.html). diff --git a/defaults/main.yml b/defaults/main.yml index 0ba06b48..999151a4 100644 
--- a/defaults/main.yml +++ b/defaults/main.yml @@ -26,17 +26,21 @@ consul_bootstrap_address: "{{ hostvars[groups[consul_group_name][0]]['ansible_'+ consul_node_name: "{{ inventory_hostname_short }}" ## ACL -consul_acl_enable: "false" -consul_acl_datacenter: "{{ consul_datacenter }}" +consul_acl_enable: "{{ lookup('env','CONSUL_ACL_ENABLE') | default('false', true) }}" +consul_acl_datacenter: "{{ lookup('env','CONSUL_ACL_DATACENTER') | default(consul_datacenter, true) }}" consul_acl_default_policy: "allow" consul_acl_down_policy: "allow" -consul_acl_master_token: "{{ ansible_date_time.iso8601_micro | to_uuid }}" -consul_acl_replication_token: "{{ ansible_date_time.iso8601_micro | to_uuid }}" +consul_acl_master_token_display: "{{ lookup('env','CONSUL_ACL_MASTER_TOKEN_DISPLAY') | default('false', true) }}" +consul_acl_replication_token_display: "{{ lookup('env','CONSUL_ACL_REPLICATION_TOKEN_DISPLAY') | default('false', true) }}" + +# TODO: deprecate? +# consul_acl_master_token: "{{ ansible_date_time.iso8601_micro | to_uuid }}" +# consul_acl_replication_token: "{{ ansible_date_time.iso8601_micro | to_uuid }}" # Options -consul_dnsmasq_enable: "false" -consul_atlas_enable: "false" -consul_atlas_infrastructure: "{{ lookup('env','ATLAS_INFRA') }}" +consul_dnsmasq_enable: "{{ lookup('env','CONSUL_DNSQMASQ_ENABLE') | default('false', true) }}" +consul_atlas_enable: "{{ lookup('env','CONSUL_ATLAS_ENABLE') | default('false', true) }}" +consul_atlas_infrastructure: "{{ lookup('env','ATLAS_INFRASTRUCTURE') }}" consul_atlas_token: "{{ lookup('env','ATLAS_TOKEN') }}" ## Distribution @@ -78,8 +82,3 @@ consul_ubuntu_sha256: "{{ consul_zip_sha256 }}" consul_ubuntu_os_packages: - git - unzip - -## Deprecated -consul_ui_url: "https://releases.hashicorp.com/consul/{{ consul_version }}/consul_{{ consul_version }}_web_ui.zip" -consul_ui_pkg: "{{ consul_version }}_web_ui.zip" -consul_ui_sha256: "5f8841b51e0e3e2eb1f1dc66a47310ae42b0448e77df14c83bb49e0e0d5fa4b7" 
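Review bot: The environment variable name on the `consul_dnsmasq_enable` line, `CONSUL_DNSQMASQ_ENABLE`, does not match `CONSUL_DNSMASQ_ENABLE`, the name this same commit documents in examples/README_VAGRANT.md and reads in examples/Vagrantfile, so exporting the documented variable has no effect on the role default. The Atlas lines read `ATLAS_INFRASTRUCTURE` and `ATLAS_TOKEN`, while the README section added in this commit tells users to export `CONSUL_ATLAS_INFRASTRUCTURE` and `CONSUL_ATLAS_TOKEN`; one side has to change, e.g. `consul_dnsmasq_enable: "{{ lookup('env','CONSUL_DNSMASQ_ENABLE') | default('false', true) }}"`, `consul_atlas_infrastructure: "{{ lookup('env','CONSUL_ATLAS_INFRASTRUCTURE') }}"`, `consul_atlas_token: "{{ lookup('env','CONSUL_ATLAS_TOKEN') }}"`. The README table still lists `consul_acl_master_token` with a UUID default even though its definition is commented out here and the value now comes from a registered task result in tasks/main.yml, so the table entry should say so or be removed. The `# TODO: deprecate?` comment leaves the intent open; if the commented definitions are no longer meant to be user-overridable, say that in the comment rather than keeping dead lines.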
diff --git a/examples/README_VAGRANT.md b/examples/README_VAGRANT.md index 3a09498d..3888991c 100644 --- a/examples/README_VAGRANT.md +++ b/examples/README_VAGRANT.md @@ -115,7 +115,7 @@ The role includes support for DNS forwarding with Dnsmasq. Install like this: ``` -CONSUL_DNSMASQ="true" vagrant up +CONSUL_DNSMASQ_ENABLE="true" vagrant up ``` Then you can query any of the agents via DNS directly via port 53: diff --git a/examples/Vagrantfile b/examples/Vagrantfile index 53cc75df..e1e92bab 100644 --- a/examples/Vagrantfile +++ b/examples/Vagrantfile @@ -8,8 +8,10 @@ ANSIBLE_PLAYBOOK = ENV['ANSIBLE_PLAYBOOK'] || "site.yml" BOX_MEM = ENV['BOX_MEM'] || "1536" BOX_NAME = ENV['BOX_NAME'] || "debian/jessie64" CLUSTER_HOSTS = ENV['CLUSTER_HOSTS'] || "vagrant_hosts" -DNSMASQ = ENV['CONSUL_DNSMASQ'] || "false" -LOGLEVEL = ENV['CONSUL_LOGLEVEL'] || "INFO" +CONSUL_ACL_ENABLE = ENV['CONSUL_ACL_ENABLE'] || "false" +CONSUL_ATLAS_ENABLE = ENV['CONSUL_ATLAS_ENABLE'] || "false" +CONSUL_DNSMASQ_ENABLE = ENV['CONSUL_DNSMASQ_ENABLE'] || "false" +CONSUL_LOGLEVEL = ENV['CONSUL_LOGLEVEL'] || "INFO" VAGRANTFILE_API_VERSION = "2" Vagrant.require_version ">= 1.5.0" @@ -77,8 +79,10 @@ Vagrant.configure(VAGRANTFILE_API_VERSION) do |config| ansible.inventory_path = CLUSTER_HOSTS # Extra Ansible variables can be defined here ansible.extra_vars = { - consul_dnsmasq_enable: DNSMASQ, - consul_log_level: LOGLEVEL + consul_acl_enable: CONSUL_ACL_ENABLE, + consul_atlas_enable: CONSUL_ATLAS_ENABLE, + consul_dnsmasq_enable: CONSUL_DNSMASQ_ENABLE, + consul_log_level: CONSUL_LOGLEVEL } ansible.playbook = ANSIBLE_PLAYBOOK ansible.limit = "all" diff --git a/tasks/main.yml b/tasks/main.yml index 11c8274d..348f34f1 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
@@ -61,6 +61,32 @@ - name: Server configuration template: src=server_config.json.j2 dest={{ consul_config_path }}/server/config.json +- name: ACL Master Token + command: "echo {{ ansible_date_time.iso8601_micro | to_uuid }}" + connection: local + become: no + run_once: True + register: consul_acl_master_token + when: consul_acl_enable == "true" + +- name: Display ACL Master Token + debug: msg="{{ consul_acl_master_token['stdout'] }}" + run_once: True + when: consul_acl_enable == "true" and consul_acl_master_token_display == "true" + +- name: ACL Replication Token + command: "echo {{ ansible_date_time.iso8601_micro | to_uuid }}" + connection: local + become: no + run_once: True + register: consul_acl_replication_token + when: consul_acl_enable == "true" + +- name: Display ACL Replication Token + debug: msg="{{ consul_acl_replication_token['stdout'] }}" + run_once: True + when: consul_acl_enable == "true" and consul_acl_replication_token_display == "true" + - name: ACL bootstrap configuration template: src=config_acl.json.j2 dest={{ consul_config_path }}/{{ item }}/config_acl.json with_items: @@ -69,6 +95,14 @@ - server when: consul_acl_enable == "true" +- name: ACL policy configuration + template: src=config_acl_policy.hcl.j2 dest={{ consul_config_path }}/{{ item }}/config_acl_policy.hcl + with_items: + - bootstrap + - client + - server + when: consul_acl_enable == "true" + - name: Atlas configuration template: src=config_atlas.json.j2 dest={{ consul_config_path }}/{{ item }}/config_atlas.json with_items: diff --git a/templates/config_acl.json.j2 b/templates/config_acl.json.j2 index 60717212..4f1255a7 100644 --- a/templates/config_acl.json.j2 +++ b/templates/config_acl.json.j2 
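Review bot: The ACL master token produced on the `command: "echo {{ ansible_date_time.iso8601_micro | to_uuid }}"` line is not a random secret: `to_uuid` is a deterministic name-based UUID of its input, and the input is the fact-gathering timestamp, which anyone who knows roughly when the play ran can enumerate. The replication task further down feeds the same fact through the same filter, so as far as I can tell both tasks register the identical value. Passing the token through `echo` also puts it on a command line and in the registered result, which verbose output and callback plugins record unless the task has `no_log: True`; the display tasks print it deliberately, but the generating tasks should not leak it. A `set_fact` using the `password` lookup with `/dev/null` (so nothing is written to disk) yields a fresh random value without spawning a process, `run_once` still propagates the fact to every host, and the debug task and `templates/config_acl.json.j2` would then reference `consul_acl_master_token` directly instead of `['stdout']`. Because the value is regenerated on every run and rendered into config_acl.json, each replay also rotates the master token unless it is supplied as a variable, which is worth a comment on the task.

```yaml
- name: ACL Master Token
  set_fact:
    consul_acl_master_token: "{{ lookup('password', '/dev/null length=32 chars=ascii_letters,digits') }}"
  run_once: True
  no_log: True
  when: consul_acl_enable == "true"

# … unchanged: Display ACL Master Token (msg would read consul_acl_master_token, not ['stdout']) …

# … ACL Replication Token: same set_fact pattern, setting consul_acl_replication_token …
```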
@@ -2,6 +2,5 @@
  "acl_datacenter": "{{ consul_acl_datacenter }}",
  "acl_default_policy": "{{ consul_acl_default_policy }}",
  "acl_down_policy": "{{ consul_acl_down_policy }}",
- "acl_master_token": "{{ consul_acl_master_token }}",
- "acl_replication_token": "{{ consul_acl_replication_token }}"
+ "acl_master_token": "{{ consul_acl_master_token['stdout'] }}"
 }
diff --git a/templates/config_acl_policy.hcl.j2 b/templates/config_acl_policy.hcl.j2
new file mode 100644
index 00000000..557a7859
--- /dev/null
+++ b/templates/config_acl_policy.hcl.j2
@@ -0,0 +1,44 @@
+# Default all keys to read-only
+key "" {
+ policy = "read"
+}
+key "foo/" {
+ policy = "write"
+}
+key "foo/private/" {
+ # Deny access to the dir "foo/private"
+ policy = "deny"
+}
+
+# Default all services to allow registration. Also permits all
+# services to be discovered.
+service "" {
+ policy = "write"
+}
+
+# Deny registration access to services prefixed "secure-".
+# Discovery of the service is still allowed in read mode.
+service "secure-" {
+ policy = "read"
+}
+
+# Allow firing any user event by default.
+event "" {
+ policy = "write"
+}
+
+# Deny firing events prefixed with "destroy-".
+event "destroy-" {
+ policy = "deny"
+}
+
+# Default prepared queries to read-only.
+query "" {
+ policy = "read"
+}
+
+# Read-only mode for the encryption keyring by default (list only)
+keyring = "read"
+
+# Read-only mode for Consul operator interfaces (list only)
+operator = "read"
\ No newline at end of file
diff --git a/templates/config_atlas.json b/templates/config_atlas.json.j2
similarity index 100%
rename from templates/config_atlas.json
rename to templates/config_atlas.json.j2
diff --git a/version.txt b/version.txt
index 18fa8e74..75740798 100644
--- a/version.txt
+++ b/version.txt
@@ -1 +1 @@
-v1.3.0
+v1.3.1
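Review bot: The `acl_replication_token` key is dropped from this template while tasks/main.yml in the same commit still generates a replication token, registers it as `consul_acl_replication_token` and adds `consul_acl_replication_token_display`, so that value is computed and optionally printed but never written into any configuration. Either the key should stay, e.g. `"acl_replication_token": "{{ consul_acl_replication_token['stdout'] }}"` before the closing brace (with the comma restored on the `acl_master_token` line), or the replication tasks and display variable should go as well; the README table still lists the variable, so a reader currently cannot tell which is intended. Separately, the task that renders this file writes it into the bootstrap, client and server directories, so the master token is placed on every client node; if I read Consul's ACL documentation right, `acl_master_token` is only consulted by servers in the ACL datacenter, and limiting the render to server roles would shrink where the secret lives.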
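Review bot: Nothing in this commit applies the rendered policy to Consul's ACL system: the file is only templated into the bootstrap, client and server config directories by the `ACL policy configuration` task, and as far as I can tell the agent's config loader does not read rules in this `key`/`service`/`event` form from a config directory, so the policy would not affect enforcement. The rules themselves are example material (`key "foo/"`, `key "foo/private/"`, `service "secure-"`, `event "destroy-"`) hard-coded in a role template that contains no Jinja expressions, so every deployment receives the same prefixes; at minimum those prefixes belong in `defaults/main.yml` variables. A header such as `# Reference policy rendered by the role; it must be loaded through the ACL API to take effect` would keep operators from assuming the file is enforced. The file is also missing its trailing newline.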