From 97f40adf9a56ca5ca9e42f2642e2e1f86d2ba943 Mon Sep 17 00:00:00 2001 From: Ubuntu Date: Mon, 23 Feb 2026 13:50:32 +0000 Subject: [PATCH 001/412] consul ansible role files added --- roles/consul-role/README.md | 38 +++++++++++++++++++ roles/consul-role/defaults/main.yml | 23 +++++++++++ roles/consul-role/handlers/main.yml | 10 +++++ roles/consul-role/meta/main.yml | 34 +++++++++++++++++ roles/consul-role/tasks/acl.yml | 16 ++++++++ roles/consul-role/tasks/config.yml | 8 ++++ roles/consul-role/tasks/directories.yml | 10 +++++ roles/consul-role/tasks/install.yml | 28 ++++++++++++++ roles/consul-role/tasks/main.yml | 17 +++++++++ roles/consul-role/tasks/service.yml | 14 +++++++ roles/consul-role/templates/consul.service.j2 | 16 ++++++++ roles/consul-role/templates/server.hcl.j2 | 28 ++++++++++++++ roles/consul-role/tests/inventory | 4 ++ roles/consul-role/tests/test.yml | 5 +++ roles/consul-role/vars/main.yml | 4 ++ roles/playbook.yml | 5 +++ 16 files changed, 260 insertions(+) create mode 100644 roles/consul-role/README.md create mode 100644 roles/consul-role/defaults/main.yml create mode 100644 roles/consul-role/handlers/main.yml create mode 100644 roles/consul-role/meta/main.yml create mode 100644 roles/consul-role/tasks/acl.yml create mode 100644 roles/consul-role/tasks/config.yml create mode 100644 roles/consul-role/tasks/directories.yml create mode 100644 roles/consul-role/tasks/install.yml create mode 100644 roles/consul-role/tasks/main.yml create mode 100644 roles/consul-role/tasks/service.yml create mode 100644 roles/consul-role/templates/consul.service.j2 create mode 100644 roles/consul-role/templates/server.hcl.j2 create mode 100644 roles/consul-role/tests/inventory create mode 100644 roles/consul-role/tests/test.yml create mode 100644 roles/consul-role/vars/main.yml create mode 100644 roles/playbook.yml diff --git a/roles/consul-role/README.md b/roles/consul-role/README.md new file mode 100644 index 0000000..225dd44 --- /dev/null 
+++ b/roles/consul-role/README.md @@ -0,0 +1,38 @@ +Role Name +========= + +A brief description of the role goes here. + +Requirements +------------ + +Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required. + +Role Variables +-------------- + +A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well. + +Dependencies +------------ + +A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles. + +Example Playbook +---------------- + +Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too: + + - hosts: servers + roles: + - { role: username.rolename, x: 42 } + +License +------- + +BSD + +Author Information +------------------ + +An optional section for the role authors to include contact information, or a website (HTML is not allowed). diff --git a/roles/consul-role/defaults/main.yml b/roles/consul-role/defaults/main.yml new file mode 100644 index 0000000..31cc711 --- /dev/null +++ b/roles/consul-role/defaults/main.yml 
@@ -0,0 +1,23 @@
+---
+# defaults file for consul
+consul_version: "1.17.0"
+consul_user: "consul"
+consul_group: "consul"
+
+consul_install_dir: "/usr/local/bin"
+consul_data_dir: "/var/lib/consul"
+consul_config_dir: "/etc/consul.d"
+
+consul_node_name: "{{ inventory_hostname }}"
+consul_bind_addr: "{{ ansible_default_ipv4.address }}"
+
+consul_is_server: true
+consul_bootstrap_expect: "{{ groups['consul_servers'] | length }}"
+
+consul_enable_ui: true
+
+# ACL
+consul_acl_enabled: true
+consul_acl_default_policy: "deny"
+consul_acl_token_persistence: true
+consul_agent_token: ""
diff --git a/roles/consul-role/handlers/main.yml b/roles/consul-role/handlers/main.yml
new file mode 100644
index 0000000..de11d96
--- /dev/null
+++ b/roles/consul-role/handlers/main.yml
@@ -0,0 +1,10 @@
+---
+# handlers file for consul
+- name: Restart Consul
+ ansible.builtin.systemd:
+ name: consul
+ state: restarted
+
+- name: Reload systemd
+ ansible.builtin.systemd:
+ daemon_reload: true
diff --git a/roles/consul-role/meta/main.yml b/roles/consul-role/meta/main.yml
new file mode 100644
index 0000000..ea68190
--- /dev/null
+++ b/roles/consul-role/meta/main.yml
@@ -0,0 +1,34 @@
+galaxy_info:
+ author: your name
+ description: your role description
+ company: your company (optional)
+
+ # If the issue tracker for your role is not on github, uncomment the
+ # next line and provide a value
+ # issue_tracker_url: http://example.com/issue/tracker
+
+ # Choose a valid license ID from https://spdx.org - some suggested licenses:
+ # - BSD-3-Clause (default)
+ # - MIT
+ # - GPL-2.0-or-later
+ # - GPL-3.0-only
+ # - Apache-2.0
+ # - CC-BY-4.0
+ license: license (GPL-2.0-or-later, MIT, etc)
+
+ min_ansible_version: 2.1
+
+ # If this a Container Enabled role, provide the minimum Ansible Container version.
+ # min_ansible_container_version:
+
+ galaxy_tags: []
+ # List tags for your role here, one per line. A tag is a keyword that describes
+ # and categorizes the role. Users find roles by searching for tags. Be sure to
+ # remove the '[]' above, if you add tags to this list.
+ #
+ # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
+ # Maximum 20 tags per role.
+
+dependencies: []
+ # List your role dependencies here, one per line. Be sure to remove the '[]' above,
+ # if you add dependencies to this list.
diff --git a/roles/consul-role/tasks/acl.yml b/roles/consul-role/tasks/acl.yml
new file mode 100644
index 0000000..f31f385
--- /dev/null
+++ b/roles/consul-role/tasks/acl.yml
@@ -0,0 +1,16 @@
+- name: Wait for Consul API
+ ansible.builtin.wait_for:
+ port: 8500
+ delay: 5
+ timeout: 60
+
+- name: Bootstrap ACL (run once)
+ ansible.builtin.command: consul acl bootstrap
+ register: consul_bootstrap
+ run_once: true
+ when: consul_agent_token == ""
+
+- name: Show bootstrap token
+ ansible.builtin.debug:
+ var: consul_bootstrap.stdout
+ when: consul_bootstrap is defined
diff --git a/roles/consul-role/tasks/config.yml b/roles/consul-role/tasks/config.yml
new file mode 100644
index 0000000..de79f54
--- /dev/null
+++ b/roles/consul-role/tasks/config.yml
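Review bot: The `Show bootstrap token` task prints the raw output of `consul acl bootstrap` — which contains the SecretID of the initial management token — to the Ansible console and to whatever collects play output, and the `command` task has no `no_log: true`, so the same secret is also kept in the task result. Drop the debug task, mark the bootstrap task `no_log: true`, and persist `consul_bootstrap.stdout` deliberately (root-only file on the controller via `delegate_to: localhost`, or a secret store), because Consul treats bootstrap as a one-shot operation and the token cannot be recovered afterwards without an explicit reset. The `wait_for` on port 8500 only proves the HTTP listener is open, not that a Raft leader exists; `consul acl bootstrap` fails without a leader, so poll `/v1/status/leader` with `until` instead. The variable name for the token file below is a placeholder to be added to `defaults/main.yml`.
```yaml
- name: Wait for a Consul leader
  ansible.builtin.uri:
    url: http://127.0.0.1:8500/v1/status/leader
    return_content: true
  register: consul_leader
  until: consul_leader.status == 200 and consul_leader.content | length > 2
  retries: 12
  delay: 5

- name: Bootstrap ACL (run once)
  ansible.builtin.command: consul acl bootstrap
  register: consul_bootstrap
  run_once: true
  no_log: true
  when: consul_agent_token == ""

- name: Persist bootstrap token on the controller (root-only)
  ansible.builtin.copy:
    content: "{{ consul_bootstrap.stdout }}"
    dest: "{{ consul_bootstrap_token_file }}"
    mode: "0600"
  delegate_to: localhost
  run_once: true
  no_log: true
  when: consul_bootstrap is changed
```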
@@ -0,0 +1,8 @@
+- name: Deploy Consul server configuration
+ ansible.builtin.template:
+ src: server.hcl.j2
+ dest: "{{ consul_config_dir }}/server.hcl"
+ owner: "{{ consul_user }}"
+ group: "{{ consul_group }}"
+ mode: "0640"
+ notify: Restart Consul
diff --git a/roles/consul-role/tasks/directories.yml b/roles/consul-role/tasks/directories.yml
new file mode 100644
index 0000000..6478b0a
--- /dev/null
+++ b/roles/consul-role/tasks/directories.yml
@@ -0,0 +1,10 @@
+- name: Create Consul directories
+ ansible.builtin.file:
+ path: "{{ item }}"
+ state: directory
+ owner: "{{ consul_user }}"
+ group: "{{ consul_group }}"
+ mode: "0750"
+ loop:
+ - "{{ consul_data_dir }}"
+ - "{{ consul_config_dir }}"
diff --git a/roles/consul-role/tasks/install.yml b/roles/consul-role/tasks/install.yml
new file mode 100644
index 0000000..5735be8
--- /dev/null
+++ b/roles/consul-role/tasks/install.yml
@@ -0,0 +1,28 @@
+- name: Install required packages
+ ansible.builtin.apt:
+ name:
+ - unzip
+ - wget
+ - curl
+ state: present
+ update_cache: true
+
+- name: Create consul user
+ ansible.builtin.user:
+ name: "{{ consul_user }}"
+ system: true
+ shell: /sbin/nologin
+ create_home: false
+
+- name: Download Consul binary
+ ansible.builtin.get_url:
+ url: "{{ consul_binary_url }}"
+ dest: "{{ consul_zip_path }}"
+ mode: "0644"
+
+- name: Unarchive Consul
+ ansible.builtin.unarchive:
+ src: "{{ consul_zip_path }}"
+ dest: "{{ consul_install_dir }}"
+ remote_src: true
+ mode: "0755"
diff --git a/roles/consul-role/tasks/main.yml b/roles/consul-role/tasks/main.yml
new file mode 100644
index 0000000..60c3ea3
--- /dev/null
+++ b/roles/consul-role/tasks/main.yml
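Review bot: `server.hcl` is written with `owner: "{{ consul_user }}"`, and the directories task in the same commit hands the `consul` user ownership of `{{ consul_config_dir }}` as well, so the account the agent runs as can rewrite its own ACL and `server` settings and a compromised agent survives a restart with whatever policy it chose. The agent only needs to read its configuration: use `owner: root`, `group: "{{ consul_group }}"`, `mode: "0640"` for the file and the config directory, and keep `consul` as owner of the data directory only. Because `consul_agent_token` is rendered into this file, also add `no_log: true` to the template task, otherwise the token shows up in `--diff` output and verbose logs.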
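Review bot: The `Download Consul binary` task has no `checksum:`, so anything that serves a different zip — a compromised mirror or cache, or a TLS interception box the host trusts — ends up installed into `/usr/local/bin` as root with mode `0755`, and the role cannot tell. HashiCorp publishes a `consul_<version>_SHA256SUMS` file (and a detached signature for it) beside each release, so pin it with `checksum: "sha256:https://releases.hashicorp.com/consul/{{ consul_version }}/consul_{{ consul_version }}_SHA256SUMS"` or a literal digest kept next to `consul_version` in `vars/main.yml`. The archive is also fetched to a predictable world-readable path under `/tmp` (`consul_zip_path`, mode `0644`) and never removed; use `ansible.builtin.tempfile` or a root-owned staging directory and delete the zip after `unarchive`.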
@@ -0,0 +1,17 @@
+---
+# tasks file for consul
+- name: Include installation tasks
+ ansible.builtin.import_tasks: install.yml
+
+- name: Include directory tasks
+ ansible.builtin.import_tasks: directories.yml
+
+- name: Include configuration tasks
+ ansible.builtin.import_tasks: config.yml
+
+- name: Include service tasks
+ ansible.builtin.import_tasks: service.yml
+
+- name: Include ACL tasks
+ ansible.builtin.import_tasks: acl.yml
+ when: consul_acl_enabled
diff --git a/roles/consul-role/tasks/service.yml b/roles/consul-role/tasks/service.yml
new file mode 100644
index 0000000..0983725
--- /dev/null
+++ b/roles/consul-role/tasks/service.yml
@@ -0,0 +1,14 @@
+- name: Deploy systemd service
+ ansible.builtin.template:
+ src: consul.service.j2
+ dest: /etc/systemd/system/consul.service
+ mode: "0644"
+ notify:
+ - Reload systemd
+ - Restart Consul
+
+- name: Enable and start Consul
+ ansible.builtin.systemd:
+ name: consul
+ enabled: true
+ state: started
diff --git a/roles/consul-role/templates/consul.service.j2 b/roles/consul-role/templates/consul.service.j2
new file mode 100644
index 0000000..281d3cc
--- /dev/null
+++ b/roles/consul-role/templates/consul.service.j2
@@ -0,0 +1,16 @@
+[Unit]
+Description=Consul Agent
+Requires=network-online.target
+After=network-online.target
+
+[Service]
+User={{ consul_user }}
+Group={{ consul_group }}
+ExecStart={{ consul_install_dir }}/consul agent -config-dir={{ consul_config_dir }}
+ExecReload=/bin/kill -HUP $MAINPID
+KillSignal=SIGINT
+Restart=on-failure
+LimitNOFILE=65536
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/consul-role/templates/server.hcl.j2 b/roles/consul-role/templates/server.hcl.j2
new file mode 100644
index 0000000..eec9bf3
--- /dev/null
+++ b/roles/consul-role/templates/server.hcl.j2
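Review bot: The unit runs Consul as an unprivileged user but applies no systemd sandboxing, so a compromised agent still has read access to the whole host filesystem and can pick up privileges through setuid binaries. Under `[Service]` add `NoNewPrivileges=true`, `ProtectSystem=full`, `ProtectHome=true` and `PrivateTmp=true`; nothing in this role needs more than `{{ consul_data_dir }}` writable and `{{ consul_config_dir }}` readable, so these directives cost nothing (if you go to `ProtectSystem=strict`, add `ReadWritePaths={{ consul_data_dir }}`). Consider `Type=notify` as well — the role this replaces used it, and it makes `systemctl start` block until the agent reports ready, which the `wait_for` in acl.yml currently has to approximate by polling a port.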
@@ -0,0 +1,28 @@
+node_name = "{{ consul_node_name }}"
+bind_addr = "{{ consul_bind_addr }}"
+data_dir = "{{ consul_data_dir }}"
+
+server = {{ consul_is_server | lower }}
+bootstrap_expect = {{ consul_bootstrap_expect }}
+
+ui_config {
+ enabled = {{ consul_enable_ui | lower }}
+}
+
+retry_join = [
+{% for host in groups['consul_servers'] %}
+ "{{ hostvars[host]['ansible_default_ipv4']['address'] }}"{% if not loop.last %},{% endif %}
+{% endfor %}
+]
+
+acl {
+ enabled = {{ consul_acl_enabled | lower }}
+ default_policy = "{{ consul_acl_default_policy }}"
+ enable_token_persistence = {{ consul_acl_token_persistence | lower }}
+
+{% if consul_agent_token != "" %}
+ tokens {
+ agent = "{{ consul_agent_token }}"
+ }
+{% endif %}
+}
diff --git a/roles/consul-role/tests/inventory b/roles/consul-role/tests/inventory
new file mode 100644
index 0000000..2326cf0
--- /dev/null
+++ b/roles/consul-role/tests/inventory
@@ -0,0 +1,4 @@
+[consul_servers]
+consul1 ansible_host=172.31.4.63 ansible_user=ubuntu ansible_ssh_private_key_file=/home/ubuntu/hyd.pem
+consul2 ansible_host=172.31.14.198 ansible_user=ubuntu ansible_ssh_private_key_file=/home/ubuntu/hyd.pem
+consul3 ansible_host=172.31.7.230 ansible_user=ubuntu ansible_ssh_private_key_file=/home/ubuntu/hyd.pem
diff --git a/roles/consul-role/tests/test.yml b/roles/consul-role/tests/test.yml
new file mode 100644
index 0000000..88acc0b
--- /dev/null
+++ b/roles/consul-role/tests/test.yml
@@ -0,0 +1,5 @@
+---
+- hosts: localhost
+ remote_user: root
+ roles:
+ - consul
diff --git a/roles/consul-role/vars/main.yml b/roles/consul-role/vars/main.yml
new file mode 100644
index 0000000..7c5ac5c
--- /dev/null
+++ b/roles/consul-role/vars/main.yml
@@ -0,0 +1,4 @@
+---
+# vars file for consul
+consul_binary_url: "https://releases.hashicorp.com/consul/{{ consul_version }}/consul_{{ consul_version }}_linux_amd64.zip"
+consul_zip_path: "/tmp/consul_{{ consul_version }}.zip"
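Review bot: The rendered server config turns ACLs on but sets no `encrypt` key for gossip and no `tls` / `verify_incoming` / `verify_outgoing` stanza, so Serf membership traffic is unauthenticated — any host that can reach 8301 can join the cluster — and server RPC on 8300, including the ACL bootstrap exchange, crosses the network in cleartext. At minimum add `encrypt = "{{ consul_gossip_key }}"` (generate it once with `consul keygen` and keep it in Vault rather than in group_vars), and plan the TLS stanza before `ui_config.enabled = true` is exposed beyond localhost. With `default_policy = "deny"` and no agent token on the first run, the agents will also be refused when they try to register their own node in the catalog until a token is configured, so the bootstrap and agent-token steps in acl.yml are part of making the cluster usable, not an optional extra.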
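Review bot: A role's `tests/inventory` should not carry a real SSH private-key path (`/home/ubuntu/hyd.pem`) and real host addresses; even though only the path and RFC 1918 addresses are here, they describe a live environment and remain in git history after any later edit. Use placeholder entries such as `consul1 ansible_host=192.0.2.10` and supply `ansible_user` / `ansible_ssh_private_key_file` from `ansible.cfg` or the operator's environment; the key file itself is not in this diff, but confirm it was never committed alongside.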
diff --git a/roles/playbook.yml b/roles/playbook.yml
new file mode 100644
index 0000000..01791fb
--- /dev/null
+++ b/roles/playbook.yml
@@ -0,0 +1,5 @@
+- name: Deploy Consul Cluster
+ hosts: consul_servers
+ become: true
+ roles:
+ - consul-role
From 6c61d62cca8950cea0f8deba1616d5c625306233 Mon Sep 17 00:00:00 2001
From: AnithaAnnem
Date: Tue, 24 Feb 2026 18:27:03 +0530
Subject: [PATCH 002/412] Update server.hcl.j2
---
 roles/consul-role/templates/server.hcl.j2 | 1 +
 1 file changed, 1 insertion(+)
diff --git a/roles/consul-role/templates/server.hcl.j2 b/roles/consul-role/templates/server.hcl.j2
index eec9bf3..aef880c 100644
--- a/roles/consul-role/templates/server.hcl.j2
+++ b/roles/consul-role/templates/server.hcl.j2
@@ -1,5 +1,6 @@
 node_name = "{{ consul_node_name }}"
 bind_addr = "{{ consul_bind_addr }}"
+client_addr = "0.0.0.0"
 data_dir = "{{ consul_data_dir }}"
 server = {{ consul_is_server | lower }}
From 1287bbdf3d688e4cb831a16de9f1bbd04398a201 Mon Sep 17 00:00:00 2001
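Review bot: `client_addr = "0.0.0.0"` binds the HTTP API (8500) and DNS (8600) listeners on every interface, and nothing else in this template enables TLS or restricts those ports, so the UI and the API — including the ACL bootstrap and token endpoints — become reachable from any network the host sits on, protected only by an ACL system the same role is still in the middle of bootstrapping. Keep Consul's default of `127.0.0.1` unless the UI genuinely has to be reached remotely, and in that case bind to the one management interface and put TLS in front of it rather than opening all addresses. The rest of the template lies outside this hunk.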
From: Ubuntu Date: Wed, 25 Feb 2026 10:11:51 +0000 Subject: [PATCH 003/412] files added --- {roles/consul-role => consul-role}/README.md | 0 {roles/consul-role => consul-role}/defaults/main.yml | 4 +++- {roles/consul-role => consul-role}/handlers/main.yml | 0 {roles/consul-role => consul-role}/meta/main.yml | 0 {roles/consul-role => consul-role}/tasks/acl.yml | 5 +---- {roles/consul-role => consul-role}/tasks/config.yml | 0 {roles/consul-role => consul-role}/tasks/directories.yml | 0 {roles/consul-role => consul-role}/tasks/install.yml | 8 ++++++++ {roles/consul-role => consul-role}/tasks/main.yml | 1 + {roles/consul-role => consul-role}/tasks/service.yml | 0 .../templates/consul.service.j2 | 0 .../consul-role => consul-role}/templates/server.hcl.j2 | 5 +++-- {roles/consul-role => consul-role}/tests/inventory | 0 consul-role/tests/test.yml | 0 {roles/consul-role => consul-role}/vars/main.yml | 0 roles/consul-role/tests/test.yml | 5 ----- roles/playbook.yml | 5 ----- 17 files changed, 16 insertions(+), 17 deletions(-) rename {roles/consul-role => consul-role}/README.md (100%) rename {roles/consul-role => consul-role}/defaults/main.yml (81%) rename {roles/consul-role => consul-role}/handlers/main.yml (100%) rename {roles/consul-role => consul-role}/meta/main.yml (100%) rename {roles/consul-role => consul-role}/tasks/acl.yml (68%) rename {roles/consul-role => consul-role}/tasks/config.yml (100%) rename {roles/consul-role => consul-role}/tasks/directories.yml (100%) rename {roles/consul-role => consul-role}/tasks/install.yml (81%) rename {roles/consul-role => consul-role}/tasks/main.yml (99%) rename {roles/consul-role => consul-role}/tasks/service.yml (100%) rename {roles/consul-role => consul-role}/templates/consul.service.j2 (100%) rename {roles/consul-role => consul-role}/templates/server.hcl.j2 (83%) rename {roles/consul-role => consul-role}/tests/inventory (100%) create mode 100644 consul-role/tests/test.yml rename {roles/consul-role => consul-role}/vars/main.yml 
(100%)
delete mode 100644 roles/consul-role/tests/test.yml
delete mode 100644 roles/playbook.yml
diff --git a/roles/consul-role/README.md b/consul-role/README.md
similarity index 100%
rename from roles/consul-role/README.md
rename to consul-role/README.md
diff --git a/roles/consul-role/defaults/main.yml b/consul-role/defaults/main.yml
similarity index 81%
rename from roles/consul-role/defaults/main.yml
rename to consul-role/defaults/main.yml
index 31cc711..fd54c3f 100644
--- a/roles/consul-role/defaults/main.yml
+++ b/consul-role/defaults/main.yml
@@ -9,7 +9,7 @@ consul_data_dir: "/var/lib/consul"
 consul_config_dir: "/etc/consul.d"
 consul_node_name: "{{ inventory_hostname }}"
-consul_bind_addr: "{{ ansible_default_ipv4.address }}"
+consul_bind_addr: "{{ ansible_host }}" # safer than ansible_default_ipv4.address
 consul_is_server: true
 consul_bootstrap_expect: "{{ groups['consul_servers'] | length }}"
@@ -21,3 +21,5 @@ consul_acl_enabled: true
 consul_acl_default_policy: "deny"
 consul_acl_token_persistence: true
 consul_agent_token: ""
+
+consul_client_addr: "0.0.0.0"
diff --git a/roles/consul-role/handlers/main.yml b/consul-role/handlers/main.yml
similarity index 100%
rename from roles/consul-role/handlers/main.yml
rename to consul-role/handlers/main.yml
diff --git a/roles/consul-role/meta/main.yml b/consul-role/meta/main.yml
similarity index 100%
rename from roles/consul-role/meta/main.yml
rename to consul-role/meta/main.yml
diff --git a/roles/consul-role/tasks/acl.yml b/consul-role/tasks/acl.yml
similarity index 68%
rename from roles/consul-role/tasks/acl.yml
rename to consul-role/tasks/acl.yml
index f31f385..37d5b0c 100644
--- a/roles/consul-role/tasks/acl.yml
+++ b/consul-role/tasks/acl.yml
@@ -9,8 +9,5 @@
 register: consul_bootstrap
 run_once: true
 when: consul_agent_token == ""
+ failed_when: false
-- name: Show bootstrap token
- ansible.builtin.debug:
- var: consul_bootstrap.stdout
- when: consul_bootstrap is defined
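Review bot: `consul_bind_addr: "{{ ansible_host }}"` is only "safer" when every member of the inventory sets `ansible_host` to an IP address: `ansible_host` is undefined for hosts listed by bare inventory name (the template then fails on every host), and when it is a DNS name it does not satisfy Consul's `bind_addr`, which is documented as taking an IP address. Use `consul_bind_addr: "{{ ansible_host | default(ansible_default_ipv4.address) }}"` and drop the trailing comment, which the change does not substantiate. The new `consul_client_addr: "0.0.0.0"` default also opens the HTTP API and DNS listeners on every interface for every consumer of this role; default it to `"127.0.0.1"` and let the calling playbook opt in to a wider binding.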
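Review bot: `failed_when: false` turns every failure of `consul acl bootstrap` — no leader yet, bootstrap already consumed, agent unreachable — into a silent success, and because the commit also removes the only consumer of `consul_bootstrap`, the management token the command prints is now neither shown, stored nor used: after this play the ACL system is bootstrapped and nobody holds the token. Replace the blanket ignore with a targeted one such as `failed_when: consul_bootstrap.rc != 0 and 'no longer allowed' not in consul_bootstrap.stderr` (confirm the exact wording Consul emits for a repeated bootstrap), add `no_log: true` so the SecretID does not land in logs, and write `consul_bootstrap.stdout` to a protected location with `delegate_to: localhost` in the same task file. The enclosing task begins before this hunk.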
diff --git a/roles/consul-role/tasks/config.yml b/consul-role/tasks/config.yml similarity index 100% rename from roles/consul-role/tasks/config.yml rename to consul-role/tasks/config.yml diff --git a/roles/consul-role/tasks/directories.yml b/consul-role/tasks/directories.yml similarity index 100% rename from roles/consul-role/tasks/directories.yml rename to consul-role/tasks/directories.yml diff --git a/roles/consul-role/tasks/install.yml b/consul-role/tasks/install.yml similarity index 81% rename from roles/consul-role/tasks/install.yml rename to consul-role/tasks/install.yml index 5735be8..a3cdc0b 100644 --- a/roles/consul-role/tasks/install.yml +++ b/consul-role/tasks/install.yml @@ -7,9 +7,17 @@ state: present update_cache: true + +- name: Create consul group + ansible.builtin.group: + name: "{{ consul_group }}" + system: true + + - name: Create consul user ansible.builtin.user: name: "{{ consul_user }}" + group: "{{ consul_group }}" system: true shell: /sbin/nologin create_home: false diff --git a/roles/consul-role/tasks/main.yml b/consul-role/tasks/main.yml similarity index 99% rename from roles/consul-role/tasks/main.yml rename to consul-role/tasks/main.yml index 60c3ea3..3868141 100644 --- a/roles/consul-role/tasks/main.yml +++ b/consul-role/tasks/main.yml @@ -15,3 +15,4 @@ - name: Include ACL tasks ansible.builtin.import_tasks: acl.yml when: consul_acl_enabled + diff --git a/roles/consul-role/tasks/service.yml b/consul-role/tasks/service.yml similarity index 100% rename from roles/consul-role/tasks/service.yml rename to consul-role/tasks/service.yml diff --git a/roles/consul-role/templates/consul.service.j2 b/consul-role/templates/consul.service.j2 similarity index 100% rename from roles/consul-role/templates/consul.service.j2 rename to consul-role/templates/consul.service.j2 
diff --git a/roles/consul-role/templates/server.hcl.j2 b/consul-role/templates/server.hcl.j2
similarity index 83%
rename from roles/consul-role/templates/server.hcl.j2
rename to consul-role/templates/server.hcl.j2
index aef880c..e7240c3 100644
--- a/roles/consul-role/templates/server.hcl.j2
+++ b/consul-role/templates/server.hcl.j2
@@ -1,6 +1,6 @@
 node_name = "{{ consul_node_name }}"
 bind_addr = "{{ consul_bind_addr }}"
-client_addr = "0.0.0.0"
+client_addr = "{{ consul_client_addr }}"
 data_dir = "{{ consul_data_dir }}"
 server = {{ consul_is_server | lower }}
@@ -12,7 +12,7 @@ ui_config {
 retry_join = [
 {% for host in groups['consul_servers'] %}
- "{{ hostvars[host]['ansible_default_ipv4']['address'] }}"{% if not loop.last %},{% endif %}
+ "{{ hostvars[host]['ansible_host'] }}"{% if not loop.last %},{% endif %}
 {% endfor %}
 ]
@@ -27,3 +27,4 @@ acl {
 }
 {% endif %}
 }
+
diff --git a/roles/consul-role/tests/inventory b/consul-role/tests/inventory
similarity index 100%
rename from roles/consul-role/tests/inventory
rename to consul-role/tests/inventory
diff --git a/consul-role/tests/test.yml b/consul-role/tests/test.yml
new file mode 100644
index 0000000..e69de29
diff --git a/roles/consul-role/vars/main.yml b/consul-role/vars/main.yml
similarity index 100%
rename from roles/consul-role/vars/main.yml
rename to consul-role/vars/main.yml
diff --git a/roles/consul-role/tests/test.yml b/roles/consul-role/tests/test.yml
deleted file mode 100644
index 88acc0b..0000000
--- a/roles/consul-role/tests/test.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-- hosts: localhost
- remote_user: root
- roles:
- - consul
diff --git a/roles/playbook.yml b/roles/playbook.yml
deleted file mode 100644
index 01791fb..0000000
--- a/roles/playbook.yml
+++ /dev/null
@@ -1,5 +0,0 @@
-- name: Deploy Consul Cluster
- hosts: consul_servers
- become: true
- roles:
- - consul-role
From 58fd6e7c3adc67cd088bad9ce642db8664170448 Mon Sep 17 00:00:00 2001
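Review bot: `hostvars[host]['ansible_host']` raises an undefined-variable error for any member of `consul_servers` that is addressed by its inventory name alone, and because the loop renders the list on every host the whole template — and therefore the role — fails for the entire cluster. Use `"{{ hostvars[host]['ansible_host'] | default(host) }}"` so bare inventory names still produce a usable `retry_join` entry. The switch to `client_addr = "{{ consul_client_addr }}"` is the right shape, but its default elsewhere in this commit is still `0.0.0.0`, so an explicit opt-in rather than the role default would keep the API local unless asked.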
From: AnithaAnnem Date: Wed, 25 Feb 2026 16:03:02 +0530 Subject: [PATCH 004/412] Update README.md --- consul-role/README.md | 318 ++++++++++++++++++++++++++++++++++++++---- 1 file changed, 294 insertions(+), 24 deletions(-) diff --git a/consul-role/README.md b/consul-role/README.md index 225dd44..1090d95 100644 --- a/consul-role/README.md +++ b/consul-role/README.md 
@@ -1,38 +1,308 @@ -Role Name -========= +# HashiCorp Consul Ansible Role -A brief description of the role goes here. +## Table of Contents -Requirements ------------- +1. [Overview](#1-overview) +2. [Supported Operating Systems](#2-supported-operating-systems) +3. [Prerequisites & Known Limitations](#3-prerequisites--known-limitations) +4. [Architecture & Core Components](#4-architecture--core-components) +5. [Configuration Overview](#5-configuration-overview) +6. [Installation Flow](#6-installation-flow) +7. [Running Consul](#7-running-consul) +8. [Validation & Testing](#8-validation--testing) +9. [Best Practices Followed](#9-best-practices-followed) +10. [Troubleshooting](#10-troubleshooting) +11. [Conclusion](#11-conclusion) +12. [References](#12-references) +13. [Author](#13-author) -Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required. +## 1. Overview -Role Variables --------------- +**HashiCorp Consul** is a service networking platform that enables: -A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well. +- Service Discovery +- Service Mesh +- Health Checking +- Key-Value Storage +- Secure Service-to-Service Communication -Dependencies ------------- +It is widely used in distributed systems and microservices architectures to provide dynamic infrastructure management. -A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles. 
+### Problems Consul Solves -Example Playbook ----------------- +- How do services find each other? +- How do we secure service communication? +- How do we monitor service health? +- How do we manage configuration centrally? -Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too: +### Supported Environments - - hosts: servers - roles: - - { role: username.rolename, x: 42 } +Consul works across: -License -------- +- Virtual Machines +- Kubernetes +- Hybrid environments +- Multi-cloud deployments -BSD +--- -Author Information ------------------- +## 2. Supported Operating Systems -An optional section for the role authors to include contact information, or a website (HTML is not allowed). +Consul supports multiple operating systems: + +### Linux +- Ubuntu +- Debian +- RHEL +- CentOS +- Amazon Linux + +### Other Platforms +- Windows +- macOS +- Kubernetes environments +- Cloud platforms: + - AWS + - Azure + - GCP + +> Consul is written in **Go** and distributed as a single binary. + +--- + +## 3. Prerequisites & Known Limitations + +### Prerequisites + +- Network connectivity between cluster nodes +- Minimum **3 nodes** for production cluster (recommended) +- Proper firewall configuration (ports **8300–8600**) +- Stable DNS or IP addressing +- TLS certificates (for secure production environments) + +### Known Limitations + +- Requires quorum for leader election +- Performance depends on cluster size and network latency +- Misconfigured ACLs can block cluster operations +- Not a replacement for full configuration management tools + +--- + +## 4. 
Architecture & Core Components + +Consul architecture consists of the following components: + +### 4.1 Servers + +- Maintain cluster state +- Participate in **Raft consensus** +- Handle leader election + +### 4.2 Clients (Agents) + +- Run on application nodes +- Register services +- Perform health checks + +### 4.3 Datacenter + +- Logical grouping of nodes in a specific environment + +### 4.4 Gossip Protocol + +- Used for node membership +- Handles failure detection + +### 4.5 Raft Consensus + +- Provides strong consistency +- Manages leader election among servers + +### 4.6 Key-Value Store + +- Stores configuration data centrally +- Used for dynamic application configuration + +### 4.7 Service Mesh (Connect) + +- Provides secure service-to-service communication +- Uses **mTLS (Mutual TLS)** +- Enables zero-trust networking between services + +--- + +## 5. Configuration Overview + +Consul can be configured using: + +- HCL files +- JSON configuration files +- Command-line flags +- Environment variables + +### Important Configuration Parameters + +| Parameter | Description | +|-------------------|------------| +| `node_name` | Unique node identifier | +| `bind_addr` | Address to bind Consul to | +| `data_dir` | Directory for Consul data | +| `server` | Defines server or client mode (`true/false`) | +| `bootstrap_expect` | Number of servers expected for cluster formation | +| `retry_join` | List of nodes to join cluster | +| `acl` | Enables Access Control Lists | +| `ui_config` | UI configuration settings | + +### ACL Configuration Includes + +- Enable/Disable ACLs +- Default policies +- Token management +- Token persistence + +--- + +## 6. Installation Flow +### Step 1: Download Binary +``` +wget https://releases.hashicorp.com/consul//consul__linux_amd64.zip +``` + +### Step 2: Unzip +``` +unzip consul__linux_amd64.zip +``` + +### Step 3: Move Binary +``` +sudo mv consul /usr/local/bin/ +``` + +### Step 4: Verify Installation +``` +consul --version +``` + +# 7. 
Running Consul +## Start a Single Server (Development Mode) +``` +consul agent -dev +``` + +## Start Server Node +``` +consul agent -server -bootstrap-expect=3 \ + -node=node1 \ + -bind= \ + -data-dir=/var/lib/consul \ + -config-dir=/etc/consul.d +``` +## Start Client Node +``` +consul agent \ + -node=client1 \ + -bind= \ + -data-dir=/var/lib/consul \ + -config-dir=/etc/consul.d +``` + +# 8. Validation & Testing +## Check Cluster Members +``` +consul members +``` +## Check Leader +``` +consul operator raft list-peers +``` +## Check Services +``` +consul catalog services +``` +## Access UI + +Default UI URL: + +``` +http://:8500 +``` + +# 9. Best Practices Followed + +- Always use minimum 3 server nodes + +- Enable ACLs in production + +- Use TLS encryption + +- Avoid running in -dev mode in production + +- Monitor health checks continuously + +- Secure gossip communication + +- Use proper token management + +# 10. Troubleshooting +## Consul Not Starting + +- Check systemd logs + +``` +journalctl -u consul +``` +## No Leader Elected + +- Ensure minimum quorum + +- Verify bootstrap_expect value + +- Check network connectivity + +## ACL Errors + +- Verify bootstrap token + +- Ensure token persistence is enabled + +- Check default policy + +## Node Not Joining + +- Verify retry_join + +- Check firewall ports + +- Validate bind address + +# 11. Conclusion + +HashiCorp Consul is a powerful service networking solution designed for modern distributed systems. + +It provides: + +- Reliable service discovery + +- Secure service communication + +- Centralized configuration + +- High availability clustering + +Consul simplifies infrastructure complexity and enables scalable microservices architecture. + +# 12. 
References + + +| Purpose | Link | +|---------|------| +| Consul Official Documentation | https://developer.hashicorp.com/consul/docs | +| Consul Installation Guide | https://developer.hashicorp.com/consul/docs/install | +| Consul ACL Documentation | https://developer.hashicorp.com/consul/docs/security/acl | +| Consul Service Mesh Guide | https://developer.hashicorp.com/consul/docs/connect | + +# 13. Author + +**Author**: Annem Anitha +**Last Updated:** 25-Feb-2026 From 2d1ebd0219cb8aea49958a08415a143a0b6d5335 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Wed, 25 Feb 2026 21:47:41 +0530 Subject: [PATCH 005/412] Update test.yml --- consul-role/tests/test.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/consul-role/tests/test.yml b/consul-role/tests/test.yml index e69de29..3a05691 100644 --- a/consul-role/tests/test.yml +++ b/consul-role/tests/test.yml @@ -0,0 +1,5 @@ +- name: Deploy Consul Cluster + hosts: consul_servers + become: true + roles: + - consul-role From eaaed56c56d0e0a4868f53921f54f13e3292ab82 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Thu, 26 Feb 2026 22:34:04 +0530 Subject: [PATCH 006/412] Update inventory --- consul-role/tests/inventory | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/consul-role/tests/inventory b/consul-role/tests/inventory index 2326cf0..c6ae797 100644 --- a/consul-role/tests/inventory +++ b/consul-role/tests/inventory 
@@ -1,4 +1,7 @@
 [consul_servers]
-consul1 ansible_host=172.31.4.63 ansible_user=ubuntu ansible_ssh_private_key_file=/home/ubuntu/hyd.pem
-consul2 ansible_host=172.31.14.198 ansible_user=ubuntu ansible_ssh_private_key_file=/home/ubuntu/hyd.pem
-consul3 ansible_host=172.31.7.230 ansible_user=ubuntu ansible_ssh_private_key_file=/home/ubuntu/hyd.pem
+#consul1 ansible_host=172.31.4.63 ansible_user=ubuntu ansible_ssh_private_key_file=/home/ubuntu/hyd.pem
+#consul2 ansible_host=172.31.14.198 ansible_user=ubuntu ansible_ssh_private_key_file=/home/ubuntu/hyd.pem
+#consul3 ansible_host=172.31.7.230 ansible_user=ubuntu ansible_ssh_private_key_file=/home/ubuntu/hyd.pem
+d-he-mw-coe-cnsl-8-138 ansible_host=192.168.8.138
+d-he-mw-coe-cnsl-8-35 ansible_host=192.168.8.35
+d-he-mw-coe-cnsl-8-220 ansible_host=192.168.8.220
From b87a3fa9f2a39c8cba9bd516f5ce47abed76baf6 Mon Sep 17 00:00:00 2001
From: AnithaAnnem
Date: Thu, 26 Feb 2026 23:18:26 +0530
Subject: [PATCH 007/412] Update inventory
---
 consul-role/tests/inventory | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/consul-role/tests/inventory b/consul-role/tests/inventory
index c6ae797..e1c4c3c 100644
--- a/consul-role/tests/inventory
+++ b/consul-role/tests/inventory
@@ -1,7 +1,7 @@
-[consul_servers]
+#[consul_servers]
 #consul1 ansible_host=172.31.4.63 ansible_user=ubuntu ansible_ssh_private_key_file=/home/ubuntu/hyd.pem
 #consul2 ansible_host=172.31.14.198 ansible_user=ubuntu ansible_ssh_private_key_file=/home/ubuntu/hyd.pem
 #consul3 ansible_host=172.31.7.230 ansible_user=ubuntu ansible_ssh_private_key_file=/home/ubuntu/hyd.pem
-d-he-mw-coe-cnsl-8-138 ansible_host=192.168.8.138
-d-he-mw-coe-cnsl-8-35 ansible_host=192.168.8.35
-d-he-mw-coe-cnsl-8-220 ansible_host=192.168.8.220
+#d-he-mw-coe-cnsl-8-138 ansible_host=192.168.8.138
+#d-he-mw-coe-cnsl-8-35 ansible_host=192.168.8.35
+#d-he-mw-coe-cnsl-8-220 ansible_host=192.168.8.220
From c2e21ae0d5be37fa5669164ba12bbd64e4152ee6 Mon Sep 17 00:00:00 2001
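Review bot: Commenting the three original entries out leaves the private-key path and the old addresses in the file, and the new lines add a second set of real-looking internal hostnames and addresses — neither belongs in a role's `tests/` directory, which should be runnable by anyone against placeholder hosts. Replace the contents with example entries such as `consul1 ansible_host=192.0.2.10` and keep real inventories outside the repository or in an ansible-vault-encrypted file; every earlier version of this file stays in history regardless of later edits, so if the referenced key was ever reachable from the repo it should be rotated.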
From: iabhishek-snaatak Date: Thu, 26 Feb 2026 23:33:06 +0530 Subject: [PATCH 008/412] Delete consul-role/tests/inventory --- consul-role/tests/inventory | 7 ------- 1 file changed, 7 deletions(-) delete mode 100644 consul-role/tests/inventory diff --git a/consul-role/tests/inventory b/consul-role/tests/inventory deleted file mode 100644 index e1c4c3c..0000000 --- a/consul-role/tests/inventory +++ /dev/null @@ -1,7 +0,0 @@ -#[consul_servers] -#consul1 ansible_host=172.31.4.63 ansible_user=ubuntu ansible_ssh_private_key_file=/home/ubuntu/hyd.pem -#consul2 ansible_host=172.31.14.198 ansible_user=ubuntu ansible_ssh_private_key_file=/home/ubuntu/hyd.pem -#consul3 ansible_host=172.31.7.230 ansible_user=ubuntu ansible_ssh_private_key_file=/home/ubuntu/hyd.pem -#d-he-mw-coe-cnsl-8-138 ansible_host=192.168.8.138 -#d-he-mw-coe-cnsl-8-35 ansible_host=192.168.8.35 -#d-he-mw-coe-cnsl-8-220 ansible_host=192.168.8.220 From fc7723458265c9bd236633fe008c5f7d6cafebcb Mon Sep 17 00:00:00 2001 From: iabhishek-snaatak Date: Fri, 27 Feb 2026 00:01:44 +0530 Subject: [PATCH 009/412] Update test.yml --- consul-role/tests/test.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/consul-role/tests/test.yml b/consul-role/tests/test.yml index 3a05691..eca63c9 100644 --- a/consul-role/tests/test.yml +++ b/consul-role/tests/test.yml @@ -1,5 +1,6 @@ - name: Deploy Consul Cluster - hosts: consul_servers + hosts: all become: true roles: - consul-role + From 0925bd880cee0d14d6f1c26cd8b950441b3cb640 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Fri, 27 Feb 2026 17:04:32 +0530 Subject: [PATCH 010/412] Update main.yml --- consul-role/tasks/main.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/consul-role/tasks/main.yml b/consul-role/tasks/main.yml index 3868141..7b8b190 100644 --- a/consul-role/tasks/main.yml +++ b/consul-role/tasks/main.yml 
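Review bot: `hosts: all` together with `become: true` now installs and starts Consul as root on every host in whatever inventory this playbook is pointed at, not just the `consul_servers` group, while `defaults/main.yml` still derives `consul_bootstrap_expect` and the template's `retry_join` from `groups['consul_servers']`. Against an inventory without that group every host fails on an undefined variable; against one with additional groups the role lands on machines that were never meant to be Consul servers. Keep `hosts: consul_servers`, or introduce a single variable for the group name that both the play and the role use, so the blast radius of the test playbook stays explicit.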
@@ -1,18 +1,18 @@ --- # tasks file for consul - name: Include installation tasks - ansible.builtin.import_tasks: install.yml + ansible.builtin.include_tasks: install.yml - name: Include directory tasks - ansible.builtin.import_tasks: directories.yml + ansible.builtin.include_tasks: directories.yml - name: Include configuration tasks - ansible.builtin.import_tasks: config.yml + ansible.builtin.include_tasks: config.yml - name: Include service tasks - ansible.builtin.import_tasks: service.yml + ansible.builtin.include_tasks: service.yml - name: Include ACL tasks - ansible.builtin.import_tasks: acl.yml + ansible.builtin.include_tasks: acl.yml when: consul_acl_enabled From 78a2a6c47d00f56334054bdb38f4663dd648b31c Mon Sep 17 00:00:00 2001 From: anitha Date: Fri, 27 Feb 2026 18:16:09 +0530 Subject: [PATCH 011/412] role updated --- defaults/main.yml | 37 ----------------- handlers/main.yml | 16 -------- meta/main.yml | 17 -------- tasks/consul-Debian.yml | 73 ---------------------------------- tasks/consul-user.yml | 18 --------- tasks/main.yml | 5 --- templates/consul-hcl.j2 | 7 ---- templates/consul-service.j2 | 19 --------- templates/server-hcl-leader.j2 | 2 - templates/server-hcl.j2 | 1 - vars/main.yml | 10 ----- 11 files changed, 205 deletions(-) delete mode 100644 defaults/main.yml delete mode 100644 handlers/main.yml delete mode 100644 meta/main.yml delete mode 100644 tasks/consul-Debian.yml delete mode 100644 tasks/consul-user.yml delete mode 100644 tasks/main.yml delete mode 100644 templates/consul-hcl.j2 delete mode 100644 templates/consul-service.j2 delete mode 100644 templates/server-hcl-leader.j2 delete mode 100644 templates/server-hcl.j2 delete mode 100644 vars/main.yml diff --git a/defaults/main.yml b/defaults/main.yml deleted file mode 100644 index 4ece191..0000000 --- a/defaults/main.yml +++ /dev/null 
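Review bot: Switching all five imports to `ansible.builtin.include_tasks` makes them dynamic, so tags placed on these tasks no longer reach the included tasks (they need `apply:`), and `--list-tasks`/`--start-at-task` can no longer see the contents of install.yml, directories.yml, config.yml, service.yml or acl.yml. If the motivation was the trailing `when: consul_acl_enabled`, `import_tasks` already copies that condition onto every task in acl.yml, so the static form would keep that behaviour with better tooling visibility. If a dynamic include is really intended, a one-line comment stating why, e.g. `# include_tasks: consul_acl_enabled must be evaluated once, after earlier tasks have run`, would stop the next reader from reverting it.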
@@ -1,37 +0,0 @@ ---- -# common -consul_owner: consul -consul_group: consul - -# consul binary -consul_binary_dir: /usr/local/bin -consul_binary_perm: 0440 -consul_binary_owner: root -consul_binary_group: root - -# consul user -consul_user_home: /etc/consul.d -consul_user_shell: /bin/false - -# consul-hcl file -consul_hcl_dest: /etc/consul.d/consul.hcl -consul_hcl_mode: 0640 - -# server-hcl file -server_hcl_dest: /etc/consul.d/server.hcl -server_hcl_mode: 0640 - -# consul-service file -consul_service_file: /etc/systemd/system/consul.service -description: HashiCorp Consul - A service mesh solution -documentation: https://www.consul.io/ -requires: network-online.target -after: network-online.target -cond_file_not_empty: /etc/consul.d/consul.hcl -type: notify -exec_start: /usr/local/bin/consul agent -config-dir=/etc/consul.d/ -exec_reload: /usr/local/bin/consul reload -kill_mode: process -restart: on-failure -limit_file: 65536 -wanted_by: multi-user.target diff --git a/handlers/main.yml b/handlers/main.yml deleted file mode 100644 index cd1e12b..0000000 --- a/handlers/main.yml +++ /dev/null @@ -1,16 +0,0 @@ ---- - -- name: daemon_reload - systemd: - daemon_reload: true - -- name: restart_consul - service: - name: consul - enabled: true - state: restarted - -- name: stop_consul - service: - name: consul - state: stopped diff --git a/meta/main.yml b/meta/main.yml deleted file mode 100644 index 5be9dd6..0000000 --- a/meta/main.yml +++ /dev/null @@ -1,17 +0,0 @@ ---- -galaxy_info: - author: Shatrujeet - description: Create consul cluster with any number of nodes - - min_ansible_version: 2.0 - - platforms: - - name: Ubuntu - versions: - - xenial - - precise - - trusty - - name: consul - versions: - - 1.7.2 -dependencies: [] diff --git a/tasks/consul-Debian.yml b/tasks/consul-Debian.yml deleted file mode 100644 index a68a0d7..0000000 --- a/tasks/consul-Debian.yml +++ /dev/null 
@@ -1,73 +0,0 @@ ---- - -- name: Setting private Ip of leader - when: group_names[0] == "consul-leader" - set_fact: - ip_leader: "{{ ansible_default_ipv4.address }}" - -- name: Installing unzip - apt: - name: unzip - state: present - -- name: Downloading archived consul binary - when: (group_names[0] == "consul-leader") or (group_names[0] == "consul-server") or (group_names[0] == "consul-client") - unarchive: - src: "{{ consul_binary_url }}" - dest: "{{ consul_binary_dir }}" - owner: "{{ consul_binary_owner }}" - group: "{{ consul_binary_group }}" - remote_src: true - -- name: Executing command to generate encrypt key - when: group_names[0] == "consul-leader" - command: consul keygen - register: encr_key - -- name: Stopping consul service if running - when: (group_names[0] == "consul-leader") or (group_names[0] == "consul-server") or (group_names[0] == "consul-client") - service: - name: consul - state: stopped - ignore_errors: true - -- name: Including file for consul user - when: (group_names[0] == "consul-leader") or (group_names[0] == "consul-server") or (group_names[0] == "consul-client") - include: consul-user.yml - -- name: Creating a Consul service file - when: (group_names[0] == "consul-leader") or (group_names[0] == "consul-server") or (group_names[0] == "consul-client") - template: - src: consul-service.j2 - dest: "{{ consul_service_file }}" - -- name: Creating consul.hcl file - when: (group_names[0] == "consul-leader") or (group_names[0] == "consul-server") or (group_names[0] == "consul-client") - template: - src: consul-hcl.j2 - dest: "{{ consul_hcl_dest }}" - -- name: Creating server.hcl file for leader - when: group_names[0] == "consul-leader" - template: - src: server-hcl-leader.j2 - dest: "{{ server_hcl_dest }}" - owner: "{{ consul_owner }}" - group: "{{ consul_group }}" - mode: "{{ server_hcl_mode }}" - -- name: Creating server.hcl file for server - when: group_names[0] == "consul-server" - template: - src: server-hcl.j2 - dest: "{{ 
server_hcl_dest }}" - owner: "{{ consul_owner }}" - group: "{{ consul_group }}" - mode: "{{ server_hcl_mode }}" - -- name: Reloading systemd and restarting consul - when: (group_names[0] == "consul-leader") or (group_names[0] == "consul-server") or (group_names[0] == "consul-client") - command: /bin/true - notify: - - daemon_reload - - restart_consul diff --git a/tasks/consul-user.yml b/tasks/consul-user.yml deleted file mode 100644 index cc7e597..0000000 --- a/tasks/consul-user.yml +++ /dev/null @@ -1,18 +0,0 @@ ---- -- name: Adding a non-privileged user 'consul' with no shell - user: - name: consul - home: "{{ consul_user_home }}" - shell: "{{ consul_user_shell }}" - -- name: Checking and Removing consul storage directory if exists - file: - path: "{{ consul_data_dir }}" - state: absent - -- name: Creating directories for consul persistent storage - file: - path: "{{ consul_data_dir }}" - state: directory - owner: "{{ consul_owner }}" - group: "{{ consul_group }}" diff --git a/tasks/main.yml b/tasks/main.yml deleted file mode 100644 index 543501b..0000000 --- a/tasks/main.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- - -- name: Include OS Specific setup file - when: ansible_os_family == "Debian" - include: consul-Debian.yml diff --git a/templates/consul-hcl.j2 b/templates/consul-hcl.j2 deleted file mode 100644 index 98fd01d..0000000 --- a/templates/consul-hcl.j2 +++ /dev/null @@ -1,7 +0,0 @@ -datacenter = "{{ datacenter }}" -data_dir = "{{ consul_data_dir }}" -encrypt = "{{ hostvars[groups['consul-leader'][0]].encr_key.stdout }}" -retry_join = ["{{ hostvars[groups['consul-leader'][0]].ip_leader }}"] -performance { - raft_multiplier = {{ raft_mul }} -} diff --git a/templates/consul-service.j2 b/templates/consul-service.j2 deleted file mode 100644 index e25a5de..0000000 --- a/templates/consul-service.j2 +++ /dev/null 
@@ -1,19 +0,0 @@ -[Unit] -Description="{{ description }}" -Documentation={{ documentation }} -Requires={{ requires }} -After={{ after }} -ConditionFileNotEmpty={{ cond_file_not_empty }} - -[Service] -Type={{ type }} -User={{ consul_owner }} -Group={{ consul_group }} -ExecStart={{ exec_start }} -ExecReload={{ exec_reload }} -KillMode={{ kill_mode }} -Restart={{ restart }} -LimitNOFILE={{ limit_file }} - -[Install] -WantedBy={{ wanted_by }} diff --git a/templates/server-hcl-leader.j2 b/templates/server-hcl-leader.j2 deleted file mode 100644 index 8e773c8..0000000 --- a/templates/server-hcl-leader.j2 +++ /dev/null @@ -1,2 +0,0 @@ -server = true -bootstrap_expect = 1 diff --git a/templates/server-hcl.j2 b/templates/server-hcl.j2 deleted file mode 100644 index cb15f46..0000000 --- a/templates/server-hcl.j2 +++ /dev/null @@ -1 +0,0 @@ -server = true diff --git a/vars/main.yml b/vars/main.yml deleted file mode 100644 index cc4abb6..0000000 --- a/vars/main.yml +++ /dev/null @@ -1,10 +0,0 @@ ---- -# consul binary -consul_binary_url: https://releases.hashicorp.com/consul/1.7.2/consul_1.7.2_linux_amd64.zip - -# consul persistent storage -consul_data_dir: /opt/consul - -# consul-hcl -datacenter: dc1 -raft_mul: 1 From d63855424c68c5d47842e6bf263e448899af7e5f Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Fri, 27 Feb 2026 23:23:24 +0530 Subject: [PATCH 012/412] Create inventory --- consul-role/tests/inventory | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 consul-role/tests/inventory diff --git a/consul-role/tests/inventory b/consul-role/tests/inventory new file mode 100644 index 0000000..7583200 --- /dev/null +++ b/consul-role/tests/inventory @@ -0,0 +1,5 @@ + +[consul_servers] +d-he-mw-coe-cnsl-8-138 ansible_host=192.168.8.138 +d-he-mw-coe-cnsl-8-35 ansible_host=192.168.8.35 +d-he-mw-coe-cnsl-8-220 ansible_host=192.168.8.220 From 4822817c3864ed86e4a956fda2a62758d33c65db Mon Sep 17 00:00:00 2001 
From: AnithaAnnem
Date: Fri, 27 Feb 2026 23:40:17 +0530
Subject: [PATCH 013/412] Delete consul-role/tests/inventory
---
 consul-role/tests/inventory | 5 -----
 1 file changed, 5 deletions(-)
 delete mode 100644 consul-role/tests/inventory
diff --git a/consul-role/tests/inventory b/consul-role/tests/inventory
deleted file mode 100644
index 7583200..0000000
--- a/consul-role/tests/inventory
+++ /dev/null
@@ -1,5 +0,0 @@
-
-[consul_servers]
-d-he-mw-coe-cnsl-8-138 ansible_host=192.168.8.138
-d-he-mw-coe-cnsl-8-35 ansible_host=192.168.8.35
-d-he-mw-coe-cnsl-8-220 ansible_host=192.168.8.220
From bf02505ccf9c36d9d9c1f3830564d7aa023cfdbb Mon Sep 17 00:00:00 2001
From: AnithaAnnem
Date: Fri, 27 Feb 2026 23:57:24 +0530
Subject: [PATCH 014/412] Update main.yml
---
 consul-role/defaults/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/consul-role/defaults/main.yml b/consul-role/defaults/main.yml
index fd54c3f..801571a 100644
--- a/consul-role/defaults/main.yml
+++ b/consul-role/defaults/main.yml
@@ -12,7 +12,7 @@ consul_node_name: "{{ inventory_hostname }}"
 consul_bind_addr: "{{ ansible_host }}" # safer than ansible_default_ipv4.address
 consul_is_server: true
-consul_bootstrap_expect: "{{ groups['consul_servers'] | length }}"
+consul_bootstrap_expect: "{{ play_hosts | length }}"
 consul_enable_ui: true
From 5f52a3fd60c62b4636d744cdb7d618ba7c4872c7 Mon Sep 17 00:00:00 2001
From: AnithaAnnem
Date: Fri, 27 Feb 2026 23:58:16 +0530
Subject: [PATCH 015/412] Update server.hcl.j2
---
 consul-role/templates/server.hcl.j2 | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/consul-role/templates/server.hcl.j2 b/consul-role/templates/server.hcl.j2
index e7240c3..68b0979 100644
--- a/consul-role/templates/server.hcl.j2
+++ b/consul-role/templates/server.hcl.j2
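Review bot: Deriving `consul_bootstrap_expect` from `play_hosts | length` ties the raft quorum size to whoever happens to be in the current run: a play started with `--limit`, a `serial` batch, or a run in which one server is unreachable yields a smaller `bootstrap_expect`, and that subset can then bootstrap a separate cluster of its own. `play_hosts` is also the deprecated alias of `ansible_play_batch`, which excludes failed hosts and is cut by `serial`, so the number is less stable than the removed `groups['consul_servers'] | length`; an explicit default such as `consul_bootstrap_expect: 3` or a dedicated server group keeps it constant across runs, and a comment should say where the number is expected to come from. The `retry_join` hunk in the next commit (server.hcl.j2) has the same dependence on play membership.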
@@ -11,8 +11,8 @@ ui_config {
 }
 retry_join = [
-{% for host in groups['consul_servers'] %}
- "{{ hostvars[host]['ansible_host'] }}"{% if not loop.last %},{% endif %}
+{% for host in play_hosts %}
+ "{{ hostvars[host]['ansible_host'] | default(host) }}"{% if not loop.last %},{% endif %}
 {% endfor %}
 ]
From a7f3f1c634e103117c9beb16178d57913f5fa4ca Mon Sep 17 00:00:00 2001
From: AnithaAnnem
Date: Sun, 1 Mar 2026 16:47:06 +0530
Subject: [PATCH 016/412] Update acl.yml
---
 consul-role/tasks/acl.yml | 25 +++++++++++++++++++++++--
 1 file changed, 23 insertions(+), 2 deletions(-)
diff --git a/consul-role/tasks/acl.yml b/consul-role/tasks/acl.yml
index 37d5b0c..34be4ed 100644
--- a/consul-role/tasks/acl.yml
+++ b/consul-role/tasks/acl.yml
@@ -4,10 +4,31 @@
 delay: 5
 timeout: 60
-- name: Bootstrap ACL (run once)
+- name: Check if ACL bootstrap file exists
+ ansible.builtin.stat:
+ path: /etc/consul.d/bootstrap.token
+ register: consul_acl_file
+ run_once: true
+
+- name: Bootstrap ACL (run once if not already bootstrapped)
 ansible.builtin.command: consul acl bootstrap
 register: consul_bootstrap
 run_once: true
- when: consul_agent_token == ""
+ when: not consul_acl_file.stat.exists
 failed_when: false
+- name: Extract SecretID from bootstrap output
+ ansible.builtin.set_fact:
+ consul_master_token: "{{ consul_bootstrap.stdout | regex_search('SecretID:\\s+(\\S+)', '\\1') }}"
+ when: consul_bootstrap.stdout is defined
+ run_once: true
+
+- name: Save bootstrap token to file
+ ansible.builtin.copy:
+ content: "{{ consul_master_token }}"
+ dest: /etc/consul.d/bootstrap.token
+ owner: "{{ consul_user }}"
+ group: "{{ consul_group }}"
+ mode: "0600"
+ when: consul_master_token is defined
+ run_once: true
From 5925bc02e87a5967f1aec11f86143f231953371a Mon Sep 17 00:00:00 2001
From: AnithaAnnem
Date: Mon, 2 Mar 2026 13:09:40 +0530
Subject: [PATCH 017/412] Update main.yml
---
 consul-role/defaults/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
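Review bot: `regex_search('SecretID:\\s+(\\S+)', '\\1')` in the Extract task returns a list of the requested capture groups, not a string, so `consul_master_token` becomes `['<token>']` and the copy task writes that Python-list text into bootstrap.token; append `| first` (or use `regex_replace`) to get the bare value — the same expression survives in the later acl.yml commits. The registered `consul_bootstrap` result holds the management token in clear text and the task has no `no_log: true`, so the secret appears in the playbook output at `-v` and in any callback or log plugin. `failed_when: false` on the bootstrap hides a real failure (agent down, ACLs not enabled) behind a silently skipped Extract step; fail when `rc != 0` unless the error is the already-bootstrapped case. The Check task only sees the marker file on the single `run_once` host, so a different first host on a later run will attempt a second bootstrap.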
diff --git a/consul-role/defaults/main.yml b/consul-role/defaults/main.yml
index 801571a..163277d 100644
--- a/consul-role/defaults/main.yml
+++ b/consul-role/defaults/main.yml
@@ -9,7 +9,7 @@ consul_data_dir: "/var/lib/consul"
 consul_config_dir: "/etc/consul.d"
 consul_node_name: "{{ inventory_hostname }}"
-consul_bind_addr: "{{ ansible_host }}" # safer than ansible_default_ipv4.address
+consul_bind_addr: "{{ ansible_host }}"
 consul_is_server: true
 consul_bootstrap_expect: "{{ play_hosts | length }}"
From e729bcab9e57dc52d29543fcc5d5670fcd1d58ab Mon Sep 17 00:00:00 2001
From: AnithaAnnem
Date: Mon, 2 Mar 2026 13:49:19 +0530
Subject: [PATCH 018/412] Update acl.yml
---
 consul-role/tasks/acl.yml | 27 ++++++++++++++++++---------
 1 file changed, 18 insertions(+), 9 deletions(-)
diff --git a/consul-role/tasks/acl.yml b/consul-role/tasks/acl.yml
index 34be4ed..bfa5c0b 100644
--- a/consul-role/tasks/acl.yml
+++ b/consul-role/tasks/acl.yml
@@ -4,26 +4,34 @@
 delay: 5
 timeout: 60
-- name: Check if ACL bootstrap file exists
- ansible.builtin.stat:
- path: /etc/consul.d/bootstrap.token
- register: consul_acl_file
+# Check if ACL already bootstrapped by querying leader
+- name: Check if ACL bootstrap already done
+ ansible.builtin.command: consul acl policy list
+ register: acl_check
+ failed_when: false
+ changed_when: false
 run_once: true
+ no_log: true
-- name: Bootstrap ACL (run once if not already bootstrapped)
+# Bootstrap only if ACL not initialized
+- name: Bootstrap ACL (only if not already bootstrapped)
 ansible.builtin.command: consul acl bootstrap
 register: consul_bootstrap
 run_once: true
- when: not consul_acl_file.stat.exists
+ when: "'Permission denied' in acl_check.stderr or acl_check.rc != 0"
+ no_log: true
 failed_when: false
-- name: Extract SecretID from bootstrap output
+# Extract SecretID safely
+- name: Extract SecretID
 ansible.builtin.set_fact:
 consul_master_token: "{{ consul_bootstrap.stdout | regex_search('SecretID:\\s+(\\S+)', '\\1') }}"
- when: consul_bootstrap.stdout is defined
+ when: consul_bootstrap.stdout is defined and consul_bootstrap.stdout != ""
 run_once: true
+ no_log: true
-- name: Save bootstrap token to file
+# Store token securely on server
+- name: Save bootstrap token securely
 ansible.builtin.copy:
 content: "{{ consul_master_token }}"
 dest: /etc/consul.d/bootstrap.token
@@ -32,3 +40,4 @@
 mode: "0600"
 when: consul_master_token is defined
 run_once: true
+ no_log: true
From 4c82b5052ca6f755a9a0b0a6049d27eaaef8badd Mon Sep 17 00:00:00 2001
From: anitha
Date: Mon, 2 Mar 2026 22:35:28 +0530
Subject: [PATCH 019/412] key vault generated
---
 consul-role/files/tls.crt | 151 ++++++++++++++++++++++++++++++++++++++
 consul-role/files/tls.key | 18 +++++
 2 files changed, 169 insertions(+)
 create mode 100644 consul-role/files/tls.crt
 create mode 100644 consul-role/files/tls.key
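Review bot: The guard `when: "'Permission denied' in acl_check.stderr or acl_check.rc != 0"` does not separate the two states it is meant to: `consul acl policy list` runs without a token, so with the default deny policy it is rejected both before and after bootstrap, and 'Permission denied' is in fact the signature of an already-bootstrapped cluster, which makes the condition run the bootstrap in exactly the case it should skip. The repeat attempt then fails and `failed_when: false` swallows it, so the role looks idempotent only because the error is hidden. A simpler and honest approach is to drop the probe and treat the bootstrap command itself as the signal, e.g. `failed_when: consul_bootstrap.rc != 0 and 'no longer allowed' not in consul_bootstrap.stderr` with `changed_when: consul_bootstrap.rc == 0` (Consul answers a second bootstrap with an "ACL bootstrap no longer allowed" error, as far as I recall). Adding `no_log: true` to every task that touches the token is the right move and should stay.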
diff --git a/consul-role/files/tls.crt b/consul-role/files/tls.crt
new file mode 100644
index 0000000..abc52ec
--- /dev/null
+++ b/consul-role/files/tls.crt
@@ -0,0 +1,151 @@ +$ANSIBLE_VAULT;1.1;AES256 +61613835646636313838366631336531666238383732616633663761656665373937393766386435 +6436626561306637373332376363393163633038623934350a343430366231643565343766386635 +39616431333462653938323731326461643932643930383164616239336337623838633530663239 +3666343633666566650a633630313662353339313164306561356165666365643037353731386338 +61373231633565333736656662333339323131663931323733313965353435643937326262393133 +31356365643765653931623534663830316132653531643662313166326664643035346231386666 +30313161663531303861306435326565623534306662346336313233623232336333613763356434 +33346364666465353335616162386131316331343430313838366632373262383233303466633539 +38653237386534353764383835653439363361323161356532656161633731643765663030356237 +35656536303334393937353735336532653737313131316666363862343831633131346363346639 +30336332333637396634353766653931363036653163333532633530393534396230396639333130 +31303331346135356662383235326331353038316537313634363338663565313163323462663662 +62396235646639303531386365366532373865623436353464626232646232366138646436633834 +32373364383537616465663134643236363463653663646161643237616366313032643162653063 +39313735386638353732633531663261356663323066366430376137363930366263356439643734 +65623766323436383438383965373366666234323635643439343561373237333463356462353137 +61643539353435623732363135663863323863313534303339313538366564336332303837633436 +30336561373935663365303935313937326331353863353265343335343836326431663531393732 +64376330383266383364623032343034663662313330373832613839333561333933366334663333 +37356139316535343037613062626133376433346136326264613534363736333463353636356531 +66613138373932656366626634636537643036333362303565386135663461323238623337386665 +32646562343734386137616464306330643266356330636563626432613862636234363831366630 +64396366623138353236343530343166323837366566393338373362393931376361653431316461 
+62633335383763333966616361363132363063383265373532353639393333353262303062363566 +34313063343938383530303062353138323533356235633362383039373864623631663364313134 +36323562613764643462366462376563656333346130366132653232623436326232323935303038 +63666433636538323365613735626262656563383431623333636263323934303963393962316130 +30373233316530643462663630323762373936653536393337373162663634306436666362323564 +65346666306263333238653131383034383765396438663935363331306132663061363163313837 +39366635376632653737353133666266663935303830643361666438386430633266333030306563 +65386165366238373365316430613763383439353731316134313966613765313736656238643431 +37363864653439656233343430313066393161333434373639353563646239303264613635326466 +39306261336330396238663532306266653735333864386434633031366164613838393430633464 +33613061376234353662333165356462643232353030323334306539313263306166323135663532 +66633839316465656261636461363563616561616234303165363533346661376534656635393663 +34613231343937386264613537393538353333623662653539623539383337363963303365376632 +39326265633161356161616366616333313839626562363332636631323338363139363565383939 +32303138306532356561373538383332313962613933343366636537633034356134663439343835 +30343461356234373238343761613431613962306232653632316161663236366439333931303432 +66616365316631326464396236646632653066343936363266623134653437373136356437343063 +33643531373633333731663634383937343464633261393139623630323861363435356562303834 +39313430393364386262633263633234643838616338656131356165316662663661646331623266 +32393365383865613033353161326635613561393633643132623365386132663139663966353532 +62306131396666313830313461346264306137646637373264306435656363356439363763363430 +66376630643235303063323831313133303538393538666137333439383338323764663935373332 +31666533323338613864336437653732313436323133396134336336643838386165393664366333 +34303930396330373837313833353331343236363334616231386566306163303436336663366264 
+35633739626433653239623436636264333434323839616136643339616231323465343330623861 +34613264666635616634326461316330333732653364393235653461376538326132363136356534 +33326337656564356137356162353934376238326364333062363362343839303061663264383338 +62613438623862363334353763653465333466653035653461623533323862343062323932343966 +66326438633731323964363036623164616432636365396336383236303134306239623239313835 +64353265633664636431626362646130353764663062393732643433303364393033643837356633 +36336163316132373834376531643539313632306539643666663233333963303562616535616339 +33386235313938353436653566643934623934653139663535623536643530626465383133303362 +61616633646363303463646335366163383233656336333635616535386134356131666132336333 +62303032636465333131393863663037643133626137636161386331663233653466393964396230 +39636661663230353334636661663730303936633538623732336437356338376638353131313334 +34373664663838396132353831303032613231396439303237633363356534366134333033366130 +63353230633963376330376330366238666330646137386131336230346434316533663336653163 +34323833373634633565343137626364653530346231303336633839343064653336343363333363 +37393862343437323737653938313466393639333736383335633435666532633432666163323836 +65326662363262636566333563623735306363623666386362346665353535323330633034663564 +31366638663161653337643431626561373334656437363033393961383261386432313933643762 +33353866353938646462616338323532663665346132376436363132643136303035363938383538 +61313662316236383534313038653765376362346537626566343630613239613239623530623564 +37303764323935623031643462356230626164653333326337316463323833643562663234666262 +62623365383864613831313136333039613334313566383432616638623165613137393839323938 +37356365346539663431663963333735613532366539396432626632333231623337613735356439 +30626135393337613131336339366138396539653739316637666564343833356332666161333166 +63313530343666396434323235363730636564386639346135353066633432356638656133373566 
+37646231333537376465396663323263323931666264663030636635623139393462303334343766 +36616533346132366432633838306135613065663464366565346133336362356538663130666232 +35643862663361656234646131613066333531656565313934323537353035616166313262363132 +61373532336139633764373836353765646638376536343638633033323166626238336261366635 +66393837636138636434386339656131613834353663666438646262363864366537373333656139 +30626363333862633734626266646338323733386136333263373039343662343665663836323634 +31333737626366316364373962666331623361343063626264393661643834616238616665336137 +33653061323465313832326465613663383533643838343064346166653032313438663330656463 +65383365323766323632333165356361643863376466303336653762336135626263626433623539 +66386337393538613864633336643765303832376662363333663934313233303038373366616634 +32303863623764386237313665393861633331626164646263613762643462663836636139303832 +35643763376563323766643964656565636131356266333231366462393665306561393239663334 +65653663323335613762613832656163396332633665303132393139663633336561353434653731 +63373636396336623537366137663939313538666437363365346335636432363732323530616239 +36353239666135646239346165386665373361643265353136373834343738653064613331626539 +30336465353439306461616562616264363039396563666634656361396635306364386262363162 +65616230623038386461373631366261383835396365363562363338313939353235356666663061 +32333765343837323135323535376634656366343464653738346638343764663865653030336632 +65366138656635303931393062643064343734393561323762343732613066313364373237663664 +38313162393561373233336537663761646566636661663337613133396435383038366135316363 +38663933663039333830343531363538343534636234313261313330666164376464646436666638 +63623961313031326664623164643864336661653433383332333533656239373337343831643033 +32376436643363633965306439663033303937333938383161643030373763646163326139343039 +63633336363438373131613630633763393663366636386336393738663365626466373236313933 
+64653861373830333034656664393463393034336361336637313062326237646633313261336234 +37313936623832643163383964323266386433636166343065353962646136383863663462386537 +64343363633462353065646436346365363265316465343763643634396531646265333966633362 +31333731363436363835616530393466383462393866393633393230323532643662376664353536 +35326263343331323365643763343733636238383965333538386438656538616438626532363164 +33303236346235313165323161373266643263373933376435306432336334613939333831383533 +36656362626138386330356136613339653833373633316334393366393265313637323431383035 +37336361306638356237653537653330336365396135626565376635646262653762613531373737 +61613330626266643730313133646663313330323539363835323636356533633032343763313262 +36323466616161653734623836633566653732633530656566366362346332646464343164643539 +35313466313963646633353663353034633638393931353831353632623666353538316639353133 +65383462343935663535303463636365313632386161653037326236656461356331363935663031 +64326531356535666266666361346564646633636165663061636636353162303435626530333834 +33303031353361306433656661356632663961663365663264313335636435623161643637616537 +31613133383335623836656561623065383939366663363838663161373535326135323163313831 +62343237353164633936353038663835353861666563616432313932636538646332363638323966 +39386433366630316361646462633737396535623061343334323062343566373262323363383662 +36646631643139663862666233663637336163616363363231623438653839313635363065366535 +64303866313165333235393530353236303165316636336464383238333764633730313237363134 +61636564653461383633373532313861373937346263646563663663656630313437656464383931 +38653134633963386633313162643438653330626164363564633935373264373937306331633161 +61323838323863663737343663393432373637643365643731643231323735666266353565646531 +37343531626633616665343361643235333762643933303263633637366534626464346663633535 +65343734336437326138393332386363616164656230353634386134396430303964623232353361 
+34396638343566346436616632396538653762623338333063633939626339663330633662343363 +39353161613831303737386635333431616431313966393232626133336638313539363230326332 +34376566653638333731653066633538313062363530636663613162313262393235326362383635 +31663338393261653238323465656435666133356466383730636264393138613032313231333162 +66623531636438386263363436396639663239383037373234613565303861336166363063313431 +39653731623937333039653839643534643335346338616263616266613962396531623666666636 +64656330306430376338396331643135656638313530336337373035653463386439653434366135 +30646639633966626134393931623333376165643966393365383433343637633836643133313064 +33653835633238633931646437613565636236326265343162313163623236353831303230343961 +31373133336632306133356664353363303336376331383635616333346561346235363534303538 +39623334336334386162666165313164623839333238396637333835323231653765646133653339 +35386531376430356633336262653964336362306561666430303562613839623730303034323866 +34353734343561613733313134333761366561333262663263643137306431643762663364666434 +65313239386465633263646265376231336564386238303832313537343865633637373830313032 +33393034323830663535653464326462303039333931356332633532383234333936393735393464 +64306665376238303734306565373930373735303730623437623835663764643134316263363939 +37363039336630313965663463653930313961633032613362663530653766376134336263633832 +32363161623266656130316130313335613966363435383730623636343331336636373030626535 +30363330303435306133386662306563636265616566393436373635313762323566333337616265 +33303733616233656332356230396231313666346332613233303132383537613063396532656330 +36376338323161633036623232343833396333306439306261343039373836373832303539343363 +66376662656630393430343638366230393066313839653863643865633365356631393236643739 +65323564343135373532633731663333626163633239356362313234306438386638336236613433 +62386664356264313264653938333135303861313436653463363731633361373635326663663736 
+63383830396136633630326565336437303162613762386538366436366263363962376338353535 +32613835373264363138366433373338616235653930623334643738623434393032373061396363 +66393335633339653332383664643638323966663462383863333235633232613363663132383735 +63373831396663633261373130366432643030356430313066303863666531326461373835636361 +31313130313336656664376230316266646232356564303638346533636631356430613265366333 +62616161343666616565346638326335646266643765346533623762643039396366623564323964 +3637303531393962393731653663636435313765373030383261 diff --git a/consul-role/files/tls.key b/consul-role/files/tls.key new file mode 100644 index 0000000..a034b01 --- /dev/null +++ b/consul-role/files/tls.key @@ -0,0 +1,18 @@ +$ANSIBLE_VAULT;1.1;AES256 +35363165663164346535373537666464623866333963363164643665343235383137346531666336 +3962316134666537653164313731333563323462356239610a303662613932663063653666373634 +61653766646361383964633439343133613864353334623230316263376166626566613564326266 +6230346562383034360a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rom 78a950406c66921da70225d154b70c28d59f4c57 Mon Sep 17 00:00:00 2001 From: anitha Date: Mon, 2 Mar 2026 23:09:52 +0530 Subject: [PATCH 020/412] tls certificate changes done --- consul-role/tasks/acl.yml | 2 +- consul-role/tasks/config.yml | 26 ++++++++++++++++++++++++++ consul-role/templates/server.hcl.j2 | 7 +++++++ 3 files changed, 34 insertions(+), 1 deletion(-) diff --git a/consul-role/tasks/acl.yml b/consul-role/tasks/acl.yml index bfa5c0b..926ccf3 100644 --- a/consul-role/tasks/acl.yml +++ b/consul-role/tasks/acl.yml @@ -1,6 +1,6 @@ - name: Wait for Consul API ansible.builtin.wait_for: - port: 8500 + port: 8501 delay: 5 timeout: 60 diff --git a/consul-role/tasks/config.yml b/consul-role/tasks/config.yml index de79f54..20f3534 100644 --- a/consul-role/tasks/config.yml +++ b/consul-role/tasks/config.yml 
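Review bot: tls.crt and tls.key are a single key pair checked into the role and copied unchanged to every host the role runs on, so all servers share one private key and the only thing between the repository history and that key is the vault password; rotating it means re-encrypting and committing again. Issuing per-node server certificates at deploy time (`consul tls cert create -server` against a CA kept outside the repository, or a lookup from a secrets manager) keeps the key out of VCS and lets one node's certificate be revoked without touching the others. If the vaulted copy is kept, a short note in the role README on which vault-id protects these two files and how they are rotated would help the next operator.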
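Review bot: Moving the wait to 8501 only confirms the TLS listener accepts connections; the `consul acl policy list` and `consul acl bootstrap` commands further down acl.yml (outside this hunk) still use the CLI default of http://127.0.0.1:8500, which the `ports { http = -1 }` added to server.hcl.j2 in this same commit turns off, so they now fail and `failed_when: false` masks it. Set the address once for those tasks, e.g. `environment: { CONSUL_HTTP_ADDR: "https://127.0.0.1:8501" }`, and give the CLI the CA to verify against through `CONSUL_CACERT` rather than disabling verification. `wait_for` also proves only that the port is open, not that a leader exists; a `uri` request to `/v1/status/leader` with `until` would make the ACL steps that follow deterministic.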
@@ -1,3 +1,29 @@ +- name: Create TLS cert directory + ansible.builtin.file: + path: "{{ consul_config_dir }}/certs" + state: directory + owner: "{{ consul_user }}" + group: "{{ consul_group }}" + mode: "0750" + +- name: Copy TLS certificate + ansible.builtin.copy: + src: tls.crt + dest: "{{ consul_config_dir }}/certs/tls.crt" + owner: "{{ consul_user }}" + group: "{{ consul_group }}" + mode: "0644" + notify: Restart Consul + +- name: Copy TLS private key + ansible.builtin.copy: + src: tls.key + dest: "{{ consul_config_dir }}/certs/tls.key" + owner: "{{ consul_user }}" + group: "{{ consul_group }}" + mode: "0600" + notify: Restart Consul + - name: Deploy Consul server configuration ansible.builtin.template: src: server.hcl.j2 diff --git a/consul-role/templates/server.hcl.j2 b/consul-role/templates/server.hcl.j2 index 68b0979..1c5eabf 100644 --- a/consul-role/templates/server.hcl.j2 +++ b/consul-role/templates/server.hcl.j2 @@ -28,3 +28,10 @@ acl { {% endif %} } +ports { + http = -1 + https = 8501 +} + +cert_file = "{{ consul_config_dir }}/certs/tls.crt" +key_file = "{{ consul_config_dir }}/certs/tls.key" From 51fd201a7bb003a8edc571709b7d4738905d886e Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Mon, 2 Mar 2026 23:27:28 +0530 Subject: [PATCH 021/412] Update acl.yml --- consul-role/tasks/acl.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/consul-role/tasks/acl.yml b/consul-role/tasks/acl.yml index 926ccf3..fd27ec2 100644 --- a/consul-role/tasks/acl.yml +++ b/consul-role/tasks/acl.yml @@ -1,5 +1,6 @@ - name: Wait for Consul API ansible.builtin.wait_for: + host: "{{ consul_bind_addr }}" port: 8501 delay: 5 timeout: 60 From 1b85b5410e3d8848e6e39ed2d443e75c014d7491 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Mon, 2 Mar 2026 23:50:25 +0530 Subject: [PATCH 022/412] Update server.hcl.j2 --- consul-role/templates/server.hcl.j2 | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) 
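Review bot: `cert_file`/`key_file` enable TLS on 8501, but no `ca_file`, `verify_incoming` or `verify_outgoing` is set, so the servers present a certificate yet neither authenticate each other over RPC nor require clients to present one — encryption without authentication; the later commit that moves these keys under `tls { defaults { … } }` makes the same gap explicit with `verify_incoming = false` and `verify_outgoing = false`. Ship the CA with the role and set `ca_file`, `verify_outgoing = true` and `verify_server_hostname = true`, then `verify_incoming = true` once every client has a certificate. Whether the `acl { … }` block above already sets `default_policy` cannot be seen from this hunk; if it does not, the HTTPS API is reachable without a token as well.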
diff --git a/consul-role/templates/server.hcl.j2 b/consul-role/templates/server.hcl.j2
index 1c5eabf..8cd9bc1 100644
--- a/consul-role/templates/server.hcl.j2
+++ b/consul-role/templates/server.hcl.j2
@@ -33,5 +33,11 @@ ports {
 https = 8501
 }
-cert_file = "{{ consul_config_dir }}/certs/tls.crt"
-key_file = "{{ consul_config_dir }}/certs/tls.key"
+tls {
+ defaults {
+ cert_file = "/etc/consul.d/certs/tls.crt"
+ key_file = "/etc/consul.d/certs/tls.key"
+ verify_incoming = false
+ verify_outgoing = false
+ }
+}
From 93f4a95c499b6043db7f689477b6064d9feab1a1 Mon Sep 17 00:00:00 2001
From: AnithaAnnem
Date: Tue, 3 Mar 2026 01:02:44 +0530
Subject: [PATCH 023/412] Update acl.yml
---
 consul-role/tasks/acl.yml | 39 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 39 insertions(+)
diff --git a/consul-role/tasks/acl.yml b/consul-role/tasks/acl.yml
index fd27ec2..5cf35c0 100644
--- a/consul-role/tasks/acl.yml
+++ b/consul-role/tasks/acl.yml
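Review bot: The new `tls.defaults` block hardcodes `/etc/consul.d/certs/…` while config.yml installs the files under `{{ consul_config_dir }}/certs/`, so any override of `consul_config_dir` leaves the agent pointing at files that were never written; the removed lines had the variable right, so keep `cert_file = "{{ consul_config_dir }}/certs/tls.crt"` and `key_file = "{{ consul_config_dir }}/certs/tls.key"`. `verify_incoming = false` and `verify_outgoing = false` are Consul's defaults and spell out that neither RPC peers nor API clients are authenticated, so a comment such as `# TODO: ship a CA, set ca_file and verify_outgoing/verify_server_hostname = true` would record that this is an interim state rather than a decision.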
@@ -42,3 +42,42 @@ when: consul_master_token is defined run_once: true no_log: true + +- name: Create agent policy + ansible.builtin.command: > + consul acl policy create + -http-addr=https://127.0.0.1:8501 + -token={{ consul_master_token }} + -name agent-policy + -rules 'node_prefix "" { policy = "write" } service_prefix "" { policy = "write" }' + run_once: true + ignore_errors: true + no_log: true + + +# CREATE AGENT TOKEN +- name: Create agent token + ansible.builtin.command: > + consul acl token create + -http-addr=https://127.0.0.1:8501 + -token={{ consul_master_token }} + -description "Agent Token" + -policy-name agent-policy + -format=json + register: agent_token_output + run_once: true + no_log: true + +- name: Extract agent SecretID + ansible.builtin.set_fact: + consul_agent_token: "{{ (agent_token_output.stdout | from_json).SecretID }}" + when: agent_token_output.stdout is defined and agent_token_output.stdout != "" + run_once: true + no_log: true + +# RESTART CONSUL TO APPLY AGENT TOKEN +- name: Restart consul after token creation + ansible.builtin.systemd: + name: consul + state: restarted + when: consul_agent_token is defined From 05cddf6031f3b2046e87c2a448d2046c6f82c82e Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Tue, 3 Mar 2026 01:12:20 +0530 Subject: [PATCH 024/412] Update acl.yml --- consul-role/tasks/acl.yml | 56 --------------------------------------- 1 file changed, 56 deletions(-) diff --git a/consul-role/tasks/acl.yml b/consul-role/tasks/acl.yml index 5cf35c0..0602b22 100644 --- a/consul-role/tasks/acl.yml +++ b/consul-role/tasks/acl.yml 
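Review bot: `-token={{ consul_master_token }}` places the management token on the command line of `Create agent policy` and `Create agent token`, where any local user can read it from the process table while the command runs; `no_log: true` only keeps it out of Ansible's output. Pass it through the task environment instead, `environment: { CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" }`, and drop the `-token` flag. `ignore_errors: true` on the policy create also hides a failed policy, after which the token create fails with a less useful message; a `failed_when` that tolerates only the already-exists response is tighter. `-http-addr=https://127.0.0.1:8501` is used without a CA setting, so the CLI's certificate verification depends on what is in the environment of the run.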
@@ -23,61 +23,5 @@ no_log: true failed_when: false -# Extract SecretID safely -- name: Extract SecretID - ansible.builtin.set_fact: - consul_master_token: "{{ consul_bootstrap.stdout | regex_search('SecretID:\\s+(\\S+)', '\\1') }}" - when: consul_bootstrap.stdout is defined and consul_bootstrap.stdout != "" - run_once: true - no_log: true - -# Store token securely on server -- name: Save bootstrap token securely - ansible.builtin.copy: - content: "{{ consul_master_token }}" - dest: /etc/consul.d/bootstrap.token - owner: "{{ consul_user }}" - group: "{{ consul_group }}" - mode: "0600" - when: consul_master_token is defined - run_once: true - no_log: true - -- name: Create agent policy - ansible.builtin.command: > - consul acl policy create - -http-addr=https://127.0.0.1:8501 - -token={{ consul_master_token }} - -name agent-policy - -rules 'node_prefix "" { policy = "write" } service_prefix "" { policy = "write" }' - run_once: true - ignore_errors: true - no_log: true - - -# CREATE AGENT TOKEN -- name: Create agent token - ansible.builtin.command: > - consul acl token create - -http-addr=https://127.0.0.1:8501 - -token={{ consul_master_token }} - -description "Agent Token" - -policy-name agent-policy - -format=json - register: agent_token_output - run_once: true - no_log: true - -- name: Extract agent SecretID - ansible.builtin.set_fact: - consul_agent_token: "{{ (agent_token_output.stdout | from_json).SecretID }}" - when: agent_token_output.stdout is defined and agent_token_output.stdout != "" - run_once: true - no_log: true -# RESTART CONSUL TO APPLY AGENT TOKEN -- name: Restart consul after token creation - ansible.builtin.systemd: - name: consul - state: restarted when: consul_agent_token is defined From 10b52ba90c1bab795ad914563c167435c4f118d3 Mon Sep 17 00:00:00 2001 
From: anitha Date: Tue, 3 Mar 2026 16:01:11 +0530 Subject: [PATCH 025/412] policy files added --- consul-role/files/policies/agent-policy.hcl | 7 +++ consul-role/files/policies/service-policy.hcl | 7 +++ consul-role/files/web-service.json | 10 ++++ consul-role/tasks/acl.yml | 57 ++++++++++++++++--- consul-role/tasks/config.yml | 9 +++ consul-role/tasks/main.yml | 3 +- consul-role/templates/server.hcl.j2 | 6 +- 7 files changed, 89 insertions(+), 10 deletions(-) create mode 100644 consul-role/files/policies/agent-policy.hcl create mode 100644 consul-role/files/policies/service-policy.hcl create mode 100644 consul-role/files/web-service.json diff --git a/consul-role/files/policies/agent-policy.hcl b/consul-role/files/policies/agent-policy.hcl new file mode 100644 index 0000000..63ac501 --- /dev/null +++ b/consul-role/files/policies/agent-policy.hcl @@ -0,0 +1,7 @@ +node_prefix "" { + policy = "write" +} + +service_prefix "" { + policy = "read" +} diff --git a/consul-role/files/policies/service-policy.hcl b/consul-role/files/policies/service-policy.hcl new file mode 100644 index 0000000..d39aaa1 --- /dev/null +++ b/consul-role/files/policies/service-policy.hcl @@ -0,0 +1,7 @@ +service "web" { + policy = "write" +} + +service "web-sidecar-proxy" { + policy = "write" +} diff --git a/consul-role/files/web-service.json b/consul-role/files/web-service.json new file mode 100644 index 0000000..3eda54c --- /dev/null +++ b/consul-role/files/web-service.json @@ -0,0 +1,10 @@ +{ + "service": { + "name": "web", + "port": 8080, + "check": { + "http": "http://localhost:8080/health", + "interval": "10s" + } + } +} diff --git a/consul-role/tasks/acl.yml b/consul-role/tasks/acl.yml index 0602b22..691fa09 100644 --- a/consul-role/tasks/acl.yml +++ b/consul-role/tasks/acl.yml 
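Review bot: `node_prefix "" { policy = "write" }` lets any agent holding a token with this policy register, update or deregister every node in the catalog, so one compromised client can rewrite the cluster's view of all nodes. The least-privilege shape is one policy per node, `node "<hostname>" { policy = "write" }` rendered from `inventory_hostname`, with the `service_prefix "" { policy = "read" }` line kept as is. If a single shared policy is required, pair it with one token per node so revocation stays granular.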
@@ -14,14 +14,57 @@ run_once: true no_log: true -# Bootstrap only if ACL not initialized -- name: Bootstrap ACL (only if not already bootstrapped) - ansible.builtin.command: consul acl bootstrap - register: consul_bootstrap +- name: Create agent policy + command: > + consul acl policy create + -name agent-policy + -rules @{{ role_path }}/files/policies/agent-policy.hcl run_once: true - when: "'Permission denied' in acl_check.stderr or acl_check.rc != 0" - no_log: true - failed_when: false + when: "'agent-policy' not in acl_check.stdout" +- name: Create agent token + command: > + consul acl token create + -description "Agent Token" + -policy-name agent-policy + -format json + register: agent_token + run_once: true + when: "'agent-policy' not in acl_check.stdout" + + + +- name: Extract agent SecretID + set_fact: + consul_agent_token: "{{ (agent_token.stdout | from_json).SecretID }}" + when: agent_token.stdout is defined + run_once: true + +- name: Save agent token to file + copy: + content: "{{ consul_agent_token }}" + dest: "{{ consul_config_dir }}/agent.token" + owner: "{{ consul_user }}" + group: "{{ consul_group }}" + mode: "0600" when: consul_agent_token is defined + run_once: true + +- name: Create service policy (optional) + command: > + consul acl policy create + -name web-service-policy + -rules @{{ role_path }}/files/policies/service-policy.hcl + run_once: true + ignore_errors: true + +- name: Create service token (optional) + command: > + consul acl token create + -description "Web Service Token" + -policy-name web-service-policy + -format json + register: service_token + run_once: true + ignore_errors: true diff --git a/consul-role/tasks/config.yml b/consul-role/tasks/config.yml index 20f3534..14e550a 100644 --- a/consul-role/tasks/config.yml +++ b/consul-role/tasks/config.yml 
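Review bot: `Create agent token` and `Create service token` register a `SecretID` in `agent_token` / `service_token` stdout without `no_log: true`, so the tokens appear in the play output and any configured log, and `Extract agent SecretID` and `Save agent token to file` print them again; the bootstrap task this hunk removes had `no_log: true` on the equivalent path. Add `no_log: true` to those four tasks. `command:`, `set_fact:` and `copy:` are unqualified here while the rest of the file uses `ansible.builtin.*`, and `service_token` is registered but never read. `ignore_errors: true` on the two optional tasks still prints a failure on every run where the policy already exists; `failed_when: false` with a matching `changed_when` is the quieter form.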
@@ -32,3 +32,12 @@ group: "{{ consul_group }}" mode: "0640" notify: Restart Consul + +- name: Register web service + copy: + src: web-service.json + dest: "{{ consul_config_dir }}/web-service.json" + owner: "{{ consul_user }}" + group: "{{ consul_group }}" + mode: "0644" + notify: Restart Consul diff --git a/consul-role/tasks/main.yml b/consul-role/tasks/main.yml index 7b8b190..85cc744 100644 --- a/consul-role/tasks/main.yml +++ b/consul-role/tasks/main.yml @@ -15,4 +15,5 @@ - name: Include ACL tasks ansible.builtin.include_tasks: acl.yml when: consul_acl_enabled - + environment: + CONSUL_HTTP_TOKEN: "{{ lookup('env','CONSUL_HTTP_TOKEN') }}" diff --git a/consul-role/templates/server.hcl.j2 b/consul-role/templates/server.hcl.j2 index 8cd9bc1..97d63f3 100644 --- a/consul-role/templates/server.hcl.j2 +++ b/consul-role/templates/server.hcl.j2 @@ -21,13 +21,15 @@ acl { default_policy = "{{ consul_acl_default_policy }}" enable_token_persistence = {{ consul_acl_token_persistence | lower }} -{% if consul_agent_token != "" %} + + {% if consul_agent_token is defined and consul_agent_token != "" %} tokens { agent = "{{ consul_agent_token }}" } -{% endif %} + {% endif %} } + ports { http = -1 https = 8501 From 0da420f652e972bbc621aa2c1bea1b5f81c7f761 Mon Sep 17 00:00:00 2001 From: anitha Date: Tue, 3 Mar 2026 16:38:28 +0530 Subject: [PATCH 026/412] files modified --- consul-role/tasks/config.yml | 1 - consul-role/tasks/main.yml | 2 -- 2 files changed, 3 deletions(-) diff --git a/consul-role/tasks/config.yml b/consul-role/tasks/config.yml index 14e550a..43f2281 100644 --- a/consul-role/tasks/config.yml +++ b/consul-role/tasks/config.yml @@ -40,4 +40,3 @@ owner: "{{ consul_user }}" group: "{{ consul_group }}" mode: "0644" - notify: Restart Consul diff --git a/consul-role/tasks/main.yml b/consul-role/tasks/main.yml index 85cc744..8dadbcf 100644 --- a/consul-role/tasks/main.yml +++ b/consul-role/tasks/main.yml 
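Review bot: `CONSUL_HTTP_TOKEN: "{{ lookup('env','CONSUL_HTTP_TOKEN') }}"` on the `Include ACL tasks` line is evaluated on the control node, so the operator's shell token is forwarded into the remote task environment, and when the variable is unset the lookup yields `""`, which the `consul` CLI treats as no token and every ACL command then fails with a permission error rather than a clear "token missing" message. Guard it before the include with `ansible.builtin.assert: { that: "lookup('env','CONSUL_HTTP_TOKEN') | length > 0" }`, or source the token from a vaulted variable. It is also worth confirming that `environment:` on an `include_tasks` is inherited by the included tasks in the Ansible version in use; with `import_tasks` the inheritance is documented. The config.yml hunk in the same patch copies `web-service.json` at `0644` while the server configuration above it is `0640`.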
@@ -15,5 +15,3 @@ - name: Include ACL tasks ansible.builtin.include_tasks: acl.yml when: consul_acl_enabled - environment: - CONSUL_HTTP_TOKEN: "{{ lookup('env','CONSUL_HTTP_TOKEN') }}" From ccf2deb9637d1f53598cb807132d74d135c3fb70 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Tue, 3 Mar 2026 16:48:09 +0530 Subject: [PATCH 027/412] Update acl.yml --- consul-role/tasks/acl.yml | 60 +++++---------------------------------- 1 file changed, 7 insertions(+), 53 deletions(-) diff --git a/consul-role/tasks/acl.yml b/consul-role/tasks/acl.yml index 691fa09..60e19a4 100644 --- a/consul-role/tasks/acl.yml +++ b/consul-role/tasks/acl.yml 
@@ -14,57 +14,11 @@ run_once: true no_log: true -- name: Create agent policy - command: > - consul acl policy create - -name agent-policy - -rules @{{ role_path }}/files/policies/agent-policy.hcl +# Bootstrap only if ACL not initialized +- name: Bootstrap ACL (only if not already bootstrapped) + ansible.builtin.command: consul acl bootstrap + register: consul_bootstrap run_once: true - when: "'agent-policy' not in acl_check.stdout" - - -- name: Create agent token - command: > - consul acl token create - -description "Agent Token" - -policy-name agent-policy - -format json - register: agent_token - run_once: true - when: "'agent-policy' not in acl_check.stdout" - - - -- name: Extract agent SecretID - set_fact: - consul_agent_token: "{{ (agent_token.stdout | from_json).SecretID }}" - when: agent_token.stdout is defined - run_once: true - -- name: Save agent token to file - copy: - content: "{{ consul_agent_token }}" - dest: "{{ consul_config_dir }}/agent.token" - owner: "{{ consul_user }}" - group: "{{ consul_group }}" - mode: "0600" - when: consul_agent_token is defined - run_once: true - -- name: Create service policy (optional) - command: > - consul acl policy create - -name web-service-policy - -rules @{{ role_path }}/files/policies/service-policy.hcl - run_once: true - ignore_errors: true - -- name: Create service token (optional) - command: > - consul acl token create - -description "Web Service Token" - -policy-name web-service-policy - -format json - register: service_token - run_once: true - ignore_errors: true + when: "'Permission denied' in acl_check.stderr or acl_check.rc != 0" + no_log: true + failed_when: false From fddf86c21595922e49548d1677e30fa09c1cd7a3 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Tue, 3 Mar 2026 16:48:26 +0530 Subject: [PATCH 028/412] Update config.yml --- consul-role/tasks/config.yml | 8 -------- 1 file changed, 8 deletions(-) diff --git a/consul-role/tasks/config.yml b/consul-role/tasks/config.yml index 43f2281..20f3534 100644 
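Review bot: `consul acl bootstrap` hands out the global-management token exactly once, and the restored task only registers it into `consul_bootstrap` under `no_log: true` with `failed_when: false`; nothing on the new side extracts or stores it, so a successful bootstrap leaves the only copy in a variable that dies with the play and the cluster can then be administered only after an ACL reset. Re-add the extract and secure-save steps (the `Save bootstrap token securely` task with `mode: "0600"` that patch 024 removed, or a hand-off to a vault / secret store) and replace `failed_when: false` with a condition that tolerates only the already-bootstrapped response, so real failures are not silenced. The `when` also fires on any non-zero `acl_check.rc`, including an unreachable API, which is harmless only because the failure is swallowed.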
--- a/consul-role/tasks/config.yml +++ b/consul-role/tasks/config.yml @@ -32,11 +32,3 @@ group: "{{ consul_group }}" mode: "0640" notify: Restart Consul - -- name: Register web service - copy: - src: web-service.json - dest: "{{ consul_config_dir }}/web-service.json" - owner: "{{ consul_user }}" - group: "{{ consul_group }}" - mode: "0644" From fd2f4eaa4984b36d6f605eb35f7db5c389ec0316 Mon Sep 17 00:00:00 2001 From: anitha Date: Tue, 3 Mar 2026 17:09:13 +0530 Subject: [PATCH 029/412] server.hcl.j2 modified --- consul-role/templates/server.hcl.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/consul-role/templates/server.hcl.j2 b/consul-role/templates/server.hcl.j2 index 97d63f3..2bd28fd 100644 --- a/consul-role/templates/server.hcl.j2 +++ b/consul-role/templates/server.hcl.j2 @@ -37,8 +37,8 @@ ports { tls { defaults { - cert_file = "/etc/consul.d/certs/tls.crt" - key_file = "/etc/consul.d/certs/tls.key" + cert_file = "{{ consul_config_dir }}/certs/tls.crt" + key_file = "{{ consul_config_dir }}/certs/tls.key" verify_incoming = false verify_outgoing = false } From db1065047360e8f4aba36cc9042714621aedff29 Mon Sep 17 00:00:00 2001 From: anitha Date: Tue, 3 Mar 2026 17:14:50 +0530 Subject: [PATCH 030/412] policy files deleted --- consul-role/files/policies/agent-policy.hcl | 7 ------- consul-role/files/policies/service-policy.hcl | 7 ------- consul-role/files/web-service.json | 10 ---------- 3 files changed, 24 deletions(-) delete mode 100644 consul-role/files/policies/agent-policy.hcl delete mode 100644 consul-role/files/policies/service-policy.hcl delete mode 100644 consul-role/files/web-service.json diff --git a/consul-role/files/policies/agent-policy.hcl b/consul-role/files/policies/agent-policy.hcl deleted file mode 100644 index 63ac501..0000000 --- a/consul-role/files/policies/agent-policy.hcl +++ /dev/null @@ -1,7 +0,0 @@ -node_prefix "" { - policy = "write" -} - -service_prefix "" { - policy = "read" -} 
diff --git a/consul-role/files/policies/service-policy.hcl b/consul-role/files/policies/service-policy.hcl deleted file mode 100644 index d39aaa1..0000000 --- a/consul-role/files/policies/service-policy.hcl +++ /dev/null @@ -1,7 +0,0 @@ -service "web" { - policy = "write" -} - -service "web-sidecar-proxy" { - policy = "write" -} diff --git a/consul-role/files/web-service.json b/consul-role/files/web-service.json deleted file mode 100644 index 3eda54c..0000000 --- a/consul-role/files/web-service.json +++ /dev/null @@ -1,10 +0,0 @@ -{ - "service": { - "name": "web", - "port": 8080, - "check": { - "http": "http://localhost:8080/health", - "interval": "10s" - } - } -} From c8ce5ed8d076552960830068e009ad63020f491b Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Tue, 3 Mar 2026 17:36:21 +0530 Subject: [PATCH 031/412] Update main.yml --- consul-role/tasks/main.yml | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/consul-role/tasks/main.yml b/consul-role/tasks/main.yml index 8dadbcf..ce869b6 100644 --- a/consul-role/tasks/main.yml +++ b/consul-role/tasks/main.yml @@ -1,17 +1,16 @@ --- -# tasks file for consul - name: Include installation tasks ansible.builtin.include_tasks: install.yml - name: Include directory tasks ansible.builtin.include_tasks: directories.yml +- name: Include ACL tasks + ansible.builtin.include_tasks: acl.yml + when: consul_acl_enabled + - name: Include configuration tasks ansible.builtin.include_tasks: config.yml - name: Include service tasks ansible.builtin.include_tasks: service.yml - -- name: Include ACL tasks - ansible.builtin.include_tasks: acl.yml - when: consul_acl_enabled From 4386fa4668166814644c1a5fc05ecdc82dfb76d4 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Tue, 3 Mar 2026 17:37:51 +0530 Subject: [PATCH 032/412] Update acl.yml --- consul-role/tasks/acl.yml | 43 +++++++++++++++++++++++++-------------- 1 file changed, 28 insertions(+), 15 deletions(-) 
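Review bot: Moving `Include ACL tasks` ahead of `config.yml` and `service.yml` means the first task in acl.yml, `Wait for Consul API` on port 8501, polls before the configuration has been templated or the service started, so a fresh install blocks for the full `timeout: 60` and fails unless Consul is already running; the previous order ran ACL setup last. Either keep the ACL include after `service.yml`, or split acl.yml so only the policy-file staging runs early and the API-dependent tasks run after the service include. This assumes `service.yml` is what starts Consul, which is not visible in this hunk.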
diff --git a/consul-role/tasks/acl.yml b/consul-role/tasks/acl.yml index 60e19a4..4201a52 100644 --- a/consul-role/tasks/acl.yml +++ b/consul-role/tasks/acl.yml @@ -5,20 +5,33 @@ delay: 5 timeout: 60 -# Check if ACL already bootstrapped by querying leader -- name: Check if ACL bootstrap already done - ansible.builtin.command: consul acl policy list - register: acl_check - failed_when: false - changed_when: false - run_once: true - no_log: true +- block: + + - name: Create agent policy + command: > + consul acl policy create + -name agent-policy + -rules @{{ role_path }}/files/policies/agent-policy.hcl + register: agent_policy + failed_when: false + changed_when: "'Created' in agent_policy.stdout" + + - name: Create agent token + command: > + consul acl token create + -description "Agent Token" + -policy-name agent-policy + -format json + register: agent_token + when: agent_policy.changed + + - name: Extract agent SecretID + set_fact: + consul_agent_token: "{{ (agent_token.stdout | from_json).SecretID }}" + when: agent_token.stdout is defined -# Bootstrap only if ACL not initialized -- name: Bootstrap ACL (only if not already bootstrapped) - ansible.builtin.command: consul acl bootstrap - register: consul_bootstrap + environment: + CONSUL_HTTP_ADDR: "https://127.0.0.1:8501" + CONSUL_HTTP_SSL_VERIFY: "false" + CONSUL_HTTP_TOKEN: "{{ lookup('env','CONSUL_HTTP_TOKEN') }}" run_once: true - when: "'Permission denied' in acl_check.stderr or acl_check.rc != 0" - no_log: true - failed_when: false From 57cebd0079678e407a37d9cb1570bb1dd3d017d6 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Tue, 3 Mar 2026 17:52:08 +0530 Subject: [PATCH 033/412] Update acl.yml --- consul-role/tasks/acl.yml | 103 +++++++++++++++++++++++++++----------- 1 file changed, 74 insertions(+), 29 deletions(-) diff --git a/consul-role/tasks/acl.yml b/consul-role/tasks/acl.yml index 4201a52..b9474a8 100644 --- a/consul-role/tasks/acl.yml +++ b/consul-role/tasks/acl.yml 
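Review bot: `CONSUL_HTTP_SSL_VERIFY: "false"` disables certificate checking for every CLI call in the block, and the block also drops `no_log: true` from the tasks that register `agent_token`, whose stdout carries the new `SecretID`. Point the CLI at the CA instead (`CONSUL_CACERT: "{{ consul_config_dir }}/certs/<ca bundle>"`, name to be chosen), since the template already serves a certificate on 8501, and put `no_log: true` on `Create agent token` and `Extract agent SecretID`. `changed_when: "'Created' in agent_policy.stdout"` gates token creation on a string I cannot confirm appears in `consul acl policy create` output; checking `agent_policy.rc` is safer, and with `failed_when: false` plus `when: agent_policy.changed` a re-run against an existing policy silently skips token creation. The block also has no `name:`.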
@@ -5,33 +5,78 @@ delay: 5 timeout: 60 -- block: - - - name: Create agent policy - command: > - consul acl policy create - -name agent-policy - -rules @{{ role_path }}/files/policies/agent-policy.hcl - register: agent_policy - failed_when: false - changed_when: "'Created' in agent_policy.stdout" - - - name: Create agent token - command: > - consul acl token create - -description "Agent Token" - -policy-name agent-policy - -format json - register: agent_token - when: agent_policy.changed - - - name: Extract agent SecretID - set_fact: - consul_agent_token: "{{ (agent_token.stdout | from_json).SecretID }}" - when: agent_token.stdout is defined - - environment: - CONSUL_HTTP_ADDR: "https://127.0.0.1:8501" - CONSUL_HTTP_SSL_VERIFY: "false" - CONSUL_HTTP_TOKEN: "{{ lookup('env','CONSUL_HTTP_TOKEN') }}" +- name: Set Consul CLI environment + set_fact: + consul_cli_env: + CONSUL_HTTP_ADDR: "https://127.0.0.1:8501" + CONSUL_HTTP_SSL_VERIFY: "false" + CONSUL_HTTP_TOKEN: "{{ lookup('env','CONSUL_HTTP_TOKEN') }}" + run_once: true + +# -------------------------------------------------- +# CHECK EXISTING POLICIES +# -------------------------------------------------- + +- name: Get existing policies + command: consul acl policy list + register: policy_list + environment: "{{ consul_cli_env }}" + run_once: true + +# -------------------------------------------------- +# CREATE AGENT POLICY (only if missing) +# -------------------------------------------------- + +- name: Create agent policy + command: > + consul acl policy create + -name agent-policy + -rules @{{ role_path }}/files/policies/agent-policy.hcl + environment: "{{ consul_cli_env }}" + run_once: true + when: "'agent-policy' not in policy_list.stdout" + +# -------------------------------------------------- +# CHECK EXISTING TOKENS +# -------------------------------------------------- + +- name: Get existing tokens + command: consul acl token list + register: token_list + environment: "{{ consul_cli_env }}" + run_once: true 
+ +# -------------------------------------------------- +# CREATE AGENT TOKEN (only if missing) +# -------------------------------------------------- + +- name: Create agent token + command: > + consul acl token create + -description "Agent Token" + -policy-name agent-policy + -format json + register: agent_token + environment: "{{ consul_cli_env }}" + run_once: true + when: "'Agent Token' not in token_list.stdout" + +- name: Extract agent SecretID + set_fact: + consul_agent_token: "{{ (agent_token.stdout | from_json).SecretID }}" + when: agent_token.stdout is defined + run_once: true + +# -------------------------------------------------- +# STORE TOKEN LOCALLY ON NODE (if created) +# -------------------------------------------------- + +- name: Save agent token to file + copy: + content: "{{ consul_agent_token }}" + dest: "{{ consul_config_dir }}/agent.token" + owner: "{{ consul_user }}" + group: "{{ consul_group }}" + mode: "0600" + when: consul_agent_token is defined run_once: true From 40087756ecb5334cbabfd1085b8ff278495c653e Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Tue, 3 Mar 2026 17:58:13 +0530 Subject: [PATCH 034/412] Update acl.yml --- consul-role/tasks/acl.yml | 49 ++++++++++++++++++++++++++++----------- 1 file changed, 35 insertions(+), 14 deletions(-) diff --git a/consul-role/tasks/acl.yml b/consul-role/tasks/acl.yml index b9474a8..e47b190 100644 --- a/consul-role/tasks/acl.yml +++ b/consul-role/tasks/acl.yml @@ -1,3 +1,7 @@ +# -------------------------------------------------- +# WAIT FOR CONSUL API +# -------------------------------------------------- + - name: Wait for Consul API ansible.builtin.wait_for: host: "{{ consul_bind_addr }}" @@ -5,6 +9,10 @@ delay: 5 timeout: 60 +# -------------------------------------------------- +# SET CLI ENVIRONMENT +# -------------------------------------------------- + - name: Set Consul CLI environment set_fact: consul_cli_env: 
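Review bot: `Set Consul CLI environment` stores the management token in the `consul_cli_env` fact and `Create agent token` registers the new `SecretID` in `agent_token`, and none of the tasks that handle these values carry `no_log: true`, so both tokens end up in the play output and in fact caching when it is enabled. Add `no_log: true` to the `set_fact`, the two `create` tasks and `Save agent token to file`. `Get existing policies` / `Get existing tokens` are read-only and want `changed_when: false`, and `'agent-policy' not in policy_list.stdout` / `'Agent Token' not in token_list.stdout` are substring matches that a longer name such as `my-agent-policy` would satisfy; `consul acl policy read -name agent-policy` with `failed_when: false` and a check on `rc` is the exact test. When the token already exists the create task is skipped and `consul_agent_token` is never set, so `Save agent token to file` only writes on the first run.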
@@ -14,17 +22,19 @@ run_once: true # -------------------------------------------------- -# CHECK EXISTING POLICIES +# POLICY CHECK # -------------------------------------------------- - name: Get existing policies command: consul acl policy list register: policy_list environment: "{{ consul_cli_env }}" + changed_when: false run_once: true + delegate_to: "{{ groups['all'][0] }}" # -------------------------------------------------- -# CREATE AGENT POLICY (only if missing) +# CREATE AGENT POLICY # -------------------------------------------------- - name: Create agent policy @@ -33,21 +43,24 @@ -name agent-policy -rules @{{ role_path }}/files/policies/agent-policy.hcl environment: "{{ consul_cli_env }}" - run_once: true when: "'agent-policy' not in policy_list.stdout" + run_once: true + delegate_to: "{{ groups['all'][0] }}" # -------------------------------------------------- -# CHECK EXISTING TOKENS +# TOKEN CHECK # -------------------------------------------------- - name: Get existing tokens command: consul acl token list register: token_list environment: "{{ consul_cli_env }}" + changed_when: false run_once: true + delegate_to: "{{ groups['all'][0] }}" # -------------------------------------------------- -# CREATE AGENT TOKEN (only if missing) +# CREATE AGENT TOKEN # -------------------------------------------------- - name: Create agent token 
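Review bot: `delegate_to: "{{ groups['all'][0] }}"` ties the ACL commands to whichever host the inventory happens to list first, and with `CONSUL_HTTP_ADDR` still `https://127.0.0.1:8501` that host's local agent must be an ACL-enabled server; if a client or an unrelated host sorts first, the commands fail or act on the wrong agent. Delegate to a server group instead, e.g. `delegate_to: "{{ groups['<server group>'][0] }}"` with the group name taken from the inventory, or to a dedicated `consul_acl_host` variable. `changed_when: false` on the two list commands is the right addition; the `Create agent token` task at the end of the hunk continues outside it.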
@@ -58,25 +71,33 @@ -format json register: agent_token environment: "{{ consul_cli_env }}" - run_once: true when: "'Agent Token' not in token_list.stdout" + run_once: true + delegate_to: "{{ groups['all'][0] }}" -- name: Extract agent SecretID +# -------------------------------------------------- +# EXTRACT SECRET ID +# -------------------------------------------------- + +- name: Set agent token fact set_fact: - consul_agent_token: "{{ (agent_token.stdout | from_json).SecretID }}" - when: agent_token.stdout is defined + consul_agent_token: >- + {{ + (agent_token.stdout | from_json).SecretID + if agent_token is defined and agent_token.stdout != "" + else "" + }} run_once: true # -------------------------------------------------- -# STORE TOKEN LOCALLY ON NODE (if created) +# DISTRIBUTE TOKEN TO ALL NODES # -------------------------------------------------- -- name: Save agent token to file +- name: Copy agent token to all nodes copy: - content: "{{ consul_agent_token }}" + content: "{{ hostvars[groups['all'][0]].consul_agent_token }}" dest: "{{ consul_config_dir }}/agent.token" owner: "{{ consul_user }}" group: "{{ consul_group }}" mode: "0600" - when: consul_agent_token is defined - run_once: true + when: hostvars[groups['all'][0]].consul_agent_token is defined From 3a02925b221962b4b2ec130fd3117fd34641abdd Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Tue, 3 Mar 2026 18:03:03 +0530 Subject: [PATCH 035/412] Update main.yml --- consul-role/defaults/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/consul-role/defaults/main.yml b/consul-role/defaults/main.yml index 163277d..3f0e7e3 100644 --- a/consul-role/defaults/main.yml +++ b/consul-role/defaults/main.yml @@ -23,3 +23,4 @@ consul_acl_token_persistence: true consul_agent_token: "" consul_client_addr: "0.0.0.0" +consul_binary_path: "/usr/local/bin/consul" From 6619e0af308167dfb3853d2e36aa100f81870727 Mon Sep 17 00:00:00 2001 
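Review bot: On any run where `Agent Token` already exists, `Create agent token` is skipped, the `Set agent token fact` expression falls through to `""`, and `Copy agent token to all nodes` then overwrites `agent.token` on every host with an empty file, because `is defined` is true for the empty string — the second run of the role removes the token the first run distributed. Gate the copy on a non-empty value, `when: hostvars[groups['all'][0]].consul_agent_token | default('') | length > 0`, or read the existing token back with `consul acl token read` rather than only creating it when missing. `run_once: true` on the `set_fact` copies the fact to the hosts in the current play, so `hostvars[groups['all'][0]]` has nothing when that host is not in the play. Both token-handling tasks still lack `no_log: true`.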
From: AnithaAnnem Date: Tue, 3 Mar 2026 18:03:24 +0530 Subject: [PATCH 036/412] Update acl.yml --- consul-role/tasks/acl.yml | 57 ++++++++++++++------------------------- 1 file changed, 20 insertions(+), 37 deletions(-) diff --git a/consul-role/tasks/acl.yml b/consul-role/tasks/acl.yml index e47b190..7dffebd 100644 --- a/consul-role/tasks/acl.yml +++ b/consul-role/tasks/acl.yml @@ -1,8 +1,4 @@ -# -------------------------------------------------- -# WAIT FOR CONSUL API -# -------------------------------------------------- - -- name: Wait for Consul API +- name: Wait for Consul API (HTTPS) ansible.builtin.wait_for: host: "{{ consul_bind_addr }}" port: 8501 @@ -10,7 +6,7 @@ timeout: 60 # -------------------------------------------------- -# SET CLI ENVIRONMENT +# Set CLI Environment # -------------------------------------------------- - name: Set Consul CLI environment 
@@ -22,82 +18,69 @@ run_once: true # -------------------------------------------------- -# POLICY CHECK +# GET EXISTING POLICIES # -------------------------------------------------- - name: Get existing policies - command: consul acl policy list + command: "{{ consul_binary_path | default('/usr/local/bin/consul') }} acl policy list" register: policy_list environment: "{{ consul_cli_env }}" - changed_when: false run_once: true - delegate_to: "{{ groups['all'][0] }}" # -------------------------------------------------- -# CREATE AGENT POLICY +# CREATE AGENT POLICY (if missing) # -------------------------------------------------- - name: Create agent policy command: > - consul acl policy create + {{ consul_binary_path | default('/usr/local/bin/consul') }} acl policy create -name agent-policy -rules @{{ role_path }}/files/policies/agent-policy.hcl environment: "{{ consul_cli_env }}" - when: "'agent-policy' not in policy_list.stdout" run_once: true - delegate_to: "{{ groups['all'][0] }}" + when: "'agent-policy' not in policy_list.stdout" # -------------------------------------------------- -# TOKEN CHECK +# GET EXISTING TOKENS # -------------------------------------------------- - name: Get existing tokens - command: consul acl token list + command: "{{ consul_binary_path | default('/usr/local/bin/consul') }} acl token list" register: token_list environment: "{{ consul_cli_env }}" - changed_when: false run_once: true - delegate_to: "{{ groups['all'][0] }}" # -------------------------------------------------- -# CREATE AGENT TOKEN +# CREATE AGENT TOKEN (if missing) # -------------------------------------------------- - name: Create agent token command: > - consul acl token create + {{ consul_binary_path | default('/usr/local/bin/consul') }} acl token create -description "Agent Token" -policy-name agent-policy -format json register: agent_token environment: "{{ consul_cli_env }}" - when: "'Agent Token' not in token_list.stdout" run_once: true - delegate_to: "{{ 
groups['all'][0] }}" - -# -------------------------------------------------- -# EXTRACT SECRET ID -# -------------------------------------------------- + when: "'Agent Token' not in token_list.stdout" -- name: Set agent token fact +- name: Extract agent SecretID set_fact: - consul_agent_token: >- - {{ - (agent_token.stdout | from_json).SecretID - if agent_token is defined and agent_token.stdout != "" - else "" - }} + consul_agent_token: "{{ (agent_token.stdout | from_json).SecretID }}" + when: agent_token.stdout is defined run_once: true # -------------------------------------------------- -# DISTRIBUTE TOKEN TO ALL NODES +# SAVE TOKEN TO CONFIG # -------------------------------------------------- -- name: Copy agent token to all nodes +- name: Save agent token to file copy: - content: "{{ hostvars[groups['all'][0]].consul_agent_token }}" + content: "{{ consul_agent_token }}" dest: "{{ consul_config_dir }}/agent.token" owner: "{{ consul_user }}" group: "{{ consul_group }}" mode: "0600" - when: hostvars[groups['all'][0]].consul_agent_token is defined + when: consul_agent_token is defined + run_once: true From 0847e2bb29c988980647b988bb4085ea5a4a86b1 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Tue, 3 Mar 2026 18:10:16 +0530 Subject: [PATCH 037/412] Update acl.yml --- consul-role/tasks/acl.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/consul-role/tasks/acl.yml b/consul-role/tasks/acl.yml index 7dffebd..2681f33 100644 --- a/consul-role/tasks/acl.yml +++ b/consul-role/tasks/acl.yml @@ -14,7 +14,7 @@ consul_cli_env: CONSUL_HTTP_ADDR: "https://127.0.0.1:8501" CONSUL_HTTP_SSL_VERIFY: "false" - CONSUL_HTTP_TOKEN: "{{ lookup('env','CONSUL_HTTP_TOKEN') }}" + CONSUL_HTTP_TOKEN: "{{ ansible_env.CONSUL_HTTP_TOKEN }}" run_once: true # -------------------------------------------------- From 7bb2779a77217f34ffdc17fd4b931105cefcb8c3 Mon Sep 17 00:00:00 2001 
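Review bot: Dropping `changed_when: false` from `Get existing policies` and `Get existing tokens` makes two read-only commands report `changed` on every run, which hides real changes in the recap, and the inline `default('/usr/local/bin/consul')` duplicates the `consul_binary_path` default added to defaults/main.yml in patch 035. `Save agent token to file` regains `run_once: true`, so the agent token — which each node's `tokens { agent = ... }` block in server.hcl.j2 expects — is written on one host only; the `Copy agent token to all nodes` form this hunk removes, gated on a non-empty value, is what the template needs. `no_log: true` is still absent from the token tasks.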
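Review bot: `ansible_env.CONSUL_HTTP_TOKEN` reads the remote login environment of the managed host from gathered facts, so the `set_fact` fails with an undefined variable unless facts are gathered and the `run_once` host has that variable exported for the SSH user; the previous `lookup('env', ...)` read the controller. If the intent is a controller-supplied token, keep the lookup or pass it as a vaulted variable; if the intent is a token stored on the node, read it with `ansible.builtin.slurp` under `no_log: true` rather than relying on the shell environment.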
From: AnithaAnnem Date: Tue, 3 Mar 2026 18:15:50 +0530 Subject: [PATCH 038/412] Update main.yml --- consul-role/defaults/main.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/consul-role/defaults/main.yml b/consul-role/defaults/main.yml index 3f0e7e3..163277d 100644 --- a/consul-role/defaults/main.yml +++ b/consul-role/defaults/main.yml @@ -23,4 +23,3 @@ consul_acl_token_persistence: true consul_agent_token: "" consul_client_addr: "0.0.0.0" -consul_binary_path: "/usr/local/bin/consul" From 85a465b147b06bf2e86b683d1133a9493b102d2e Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Tue, 3 Mar 2026 18:16:34 +0530 Subject: [PATCH 039/412] Update acl.yml --- consul-role/tasks/acl.yml | 92 +++++++-------------------------------- 1 file changed, 15 insertions(+), 77 deletions(-) diff --git a/consul-role/tasks/acl.yml b/consul-role/tasks/acl.yml index 2681f33..60e19a4 100644 --- a/consul-role/tasks/acl.yml +++ b/consul-role/tasks/acl.yml 
@@ -1,86 +1,24 @@ -- name: Wait for Consul API (HTTPS) +- name: Wait for Consul API ansible.builtin.wait_for: host: "{{ consul_bind_addr }}" port: 8501 delay: 5 timeout: 60 -# -------------------------------------------------- -# Set CLI Environment -# -------------------------------------------------- - -- name: Set Consul CLI environment - set_fact: - consul_cli_env: - CONSUL_HTTP_ADDR: "https://127.0.0.1:8501" - CONSUL_HTTP_SSL_VERIFY: "false" - CONSUL_HTTP_TOKEN: "{{ ansible_env.CONSUL_HTTP_TOKEN }}" - run_once: true - -# -------------------------------------------------- -# GET EXISTING POLICIES -# -------------------------------------------------- - -- name: Get existing policies - command: "{{ consul_binary_path | default('/usr/local/bin/consul') }} acl policy list" - register: policy_list - environment: "{{ consul_cli_env }}" - run_once: true - -# -------------------------------------------------- -# CREATE AGENT POLICY (if missing) -# -------------------------------------------------- - -- name: Create agent policy - command: > - {{ consul_binary_path | default('/usr/local/bin/consul') }} acl policy create - -name agent-policy - -rules @{{ role_path }}/files/policies/agent-policy.hcl - environment: "{{ consul_cli_env }}" - run_once: true - when: "'agent-policy' not in policy_list.stdout" - -# -------------------------------------------------- -# GET EXISTING TOKENS -# -------------------------------------------------- - -- name: Get existing tokens - command: "{{ consul_binary_path | default('/usr/local/bin/consul') }} acl token list" - register: token_list - environment: "{{ consul_cli_env }}" - run_once: true - -# -------------------------------------------------- -# CREATE AGENT TOKEN (if missing) -# -------------------------------------------------- - -- name: Create agent token - command: > - {{ consul_binary_path | default('/usr/local/bin/consul') }} acl token create - -description "Agent Token" - -policy-name agent-policy - -format json - register: 
agent_token - environment: "{{ consul_cli_env }}" - run_once: true - when: "'Agent Token' not in token_list.stdout" - -- name: Extract agent SecretID - set_fact: - consul_agent_token: "{{ (agent_token.stdout | from_json).SecretID }}" - when: agent_token.stdout is defined +# Check if ACL already bootstrapped by querying leader +- name: Check if ACL bootstrap already done + ansible.builtin.command: consul acl policy list + register: acl_check + failed_when: false + changed_when: false run_once: true + no_log: true -# -------------------------------------------------- -# SAVE TOKEN TO CONFIG -# -------------------------------------------------- - -- name: Save agent token to file - copy: - content: "{{ consul_agent_token }}" - dest: "{{ consul_config_dir }}/agent.token" - owner: "{{ consul_user }}" - group: "{{ consul_group }}" - mode: "0600" - when: consul_agent_token is defined +# Bootstrap only if ACL not initialized +- name: Bootstrap ACL (only if not already bootstrapped) + ansible.builtin.command: consul acl bootstrap + register: consul_bootstrap run_once: true + when: "'Permission denied' in acl_check.stderr or acl_check.rc != 0" + no_log: true + failed_when: false From 8624273b5e38f58e38b5f2a103694c426f661ee5 Mon Sep 17 00:00:00 2001 From: anitha Date: Tue, 3 Mar 2026 23:55:14 +0530 Subject: [PATCH 040/412] acl files added --- consul-role/tasks/acl.yml | 17 ++++++++++--- consul-role/tasks/main.yml | 12 ++++++---- consul-role/tasks/rbac.yml | 29 +++++++++++++++++++++++ consul-role/templates/admin-policy.hcl.j2 | 13 ++++++++++ consul-role/templates/read-policy.hcl.j2 | 7 ++++++ 5 files changed, 71 insertions(+), 7 deletions(-) create mode 100644 consul-role/tasks/rbac.yml create mode 100644 consul-role/templates/admin-policy.hcl.j2 create mode 100644 consul-role/templates/read-policy.hcl.j2 diff --git a/consul-role/tasks/acl.yml b/consul-role/tasks/acl.yml index 60e19a4..813b035 100644 --- a/consul-role/tasks/acl.yml +++ b/consul-role/tasks/acl.yml 
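Review bot: The bootstrap task at the end of the hunk combines `failed_when: false` with `no_log: true`, so a bootstrap that fails for a real reason (address, TLS, no leader yet) is indistinguishable from the already-bootstrapped case, and the initial management token printed in `consul_bootstrap.stdout` is held only in memory — nothing in this hunk extracts or persists it, and a repeated bootstrap needs a reset index. The guard `'Permission denied' in acl_check.stderr or acl_check.rc != 0` is presumably also true on an already-bootstrapped cluster when the CLI has no token, so the bootstrap command would be re-attempted on every run. The `wait_for` polls port 8501 (HTTPS), but the two `consul` commands run with no `CONSUL_HTTP_ADDR`/`CONSUL_CACERT` environment, so they appear to target the CLI default address rather than the port the task waited for. Narrowing `failed_when` to the already-bootstrapped error text and adding `changed_when: consul_bootstrap.rc == 0` would make a genuine failure visible while keeping `no_log: true`.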
@@ -1,11 +1,12 @@ -- name: Wait for Consul API +--- +- name: Wait for Consul HTTPS API ansible.builtin.wait_for: host: "{{ consul_bind_addr }}" port: 8501 delay: 5 timeout: 60 -# Check if ACL already bootstrapped by querying leader +# Check if ACL already bootstrapped - name: Check if ACL bootstrap already done ansible.builtin.command: consul acl policy list register: acl_check @@ -14,7 +15,7 @@ run_once: true no_log: true -# Bootstrap only if ACL not initialized +# Bootstrap ACL if not initialized - name: Bootstrap ACL (only if not already bootstrapped) ansible.builtin.command: consul acl bootstrap register: consul_bootstrap @@ -22,3 +23,13 @@ when: "'Permission denied' in acl_check.stderr or acl_check.rc != 0" no_log: true failed_when: false + +# Extract Bootstrap Token +- name: Extract Bootstrap Token + ansible.builtin.set_fact: + consul_master_token: "{{ consul_bootstrap.stdout | regex_search('SecretID:\\s+(.*)', '\\1') }}" + when: + - consul_bootstrap.stdout is defined + - consul_bootstrap.stdout != "" + no_log: true + run_once: true diff --git a/consul-role/tasks/main.yml b/consul-role/tasks/main.yml index ce869b6..b1735b9 100644 --- a/consul-role/tasks/main.yml +++ b/consul-role/tasks/main.yml @@ -5,12 +5,16 @@ - name: Include directory tasks ansible.builtin.include_tasks: directories.yml -- name: Include ACL tasks - ansible.builtin.include_tasks: acl.yml - when: consul_acl_enabled - - name: Include configuration tasks ansible.builtin.include_tasks: config.yml - name: Include service tasks ansible.builtin.include_tasks: service.yml + +- name: Include ACL tasks + ansible.builtin.include_tasks: acl.yml + when: consul_acl_enabled + +- name: Include RBAC tasks + ansible.builtin.include_tasks: rbac.yml + when: consul_acl_enabled diff --git a/consul-role/tasks/rbac.yml b/consul-role/tasks/rbac.yml new file mode 100644 index 0000000..b4f0a68 --- /dev/null +++ b/consul-role/tasks/rbac.yml 
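Review bot: In the third hunk, `regex_search('SecretID:\\s+(.*)', '\\1')` with an explicit group argument returns a list of captured groups rather than a string, so `consul_master_token` becomes `['<token>']` and any template that embeds it as `-token {{ consul_master_token }}` renders the brackets into the command. Capturing a non-space run and taking the first element, `consul_master_token: "{{ (consul_bootstrap.stdout | regex_search('SecretID:\\s+(\\S+)', '\\1')) | first }}"`, yields a plain token without trailing whitespace. The bootstrap task in the second hunk still tolerates every failure via `failed_when: false`, so on a previously bootstrapped cluster `consul_bootstrap.stdout` is empty, the `set_fact` is skipped and `consul_master_token` stays undefined for the rbac.yml include this commit adds to main.yml.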
@@ -0,0 +1,29 @@ +- name: Create Read Policy File + template: + src: read-policy.hcl.j2 + dest: /tmp/read-policy.hcl + run_once: true + +- name: Create Read Policy + command: > + consul acl policy create + -name read-policy + -rules @/tmp/read-policy.hcl + -token {{ consul_master_token }} + run_once: true + +- name: Create Developer Role + command: > + consul acl role create + -name developer-role + -policy-name read-policy + -token {{ consul_master_token }} + run_once: true + +- name: Create Developer Token + command: > + consul acl token create + -description "Developer Token" + -role-name developer-role + -token {{ consul_master_token }} + run_once: true diff --git a/consul-role/templates/admin-policy.hcl.j2 b/consul-role/templates/admin-policy.hcl.j2 new file mode 100644 index 0000000..b406954 --- /dev/null +++ b/consul-role/templates/admin-policy.hcl.j2 @@ -0,0 +1,13 @@ +node_prefix "" { + policy = "write" +} + +service_prefix "" { + policy = "write" +} + +kv_prefix "" { + policy = "write" +} + +acl = "write" diff --git a/consul-role/templates/read-policy.hcl.j2 b/consul-role/templates/read-policy.hcl.j2 new file mode 100644 index 0000000..90d3a1c --- /dev/null +++ b/consul-role/templates/read-policy.hcl.j2 @@ -0,0 +1,7 @@ +node_prefix "" { + policy = "read" +} + +service_prefix "" { + policy = "read" +} From 9181acf51b4c63e69933556177d143426d536438 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Wed, 4 Mar 2026 00:08:17 +0530 Subject: [PATCH 041/412] Update acl.yml --- consul-role/tasks/acl.yml | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/consul-role/tasks/acl.yml b/consul-role/tasks/acl.yml index 813b035..0f7f8f1 100644 --- a/consul-role/tasks/acl.yml +++ b/consul-role/tasks/acl.yml @@ -6,7 +6,6 @@ delay: 5 timeout: 60 -# Check if ACL already bootstrapped - name: Check if ACL bootstrap already done ansible.builtin.command: consul acl policy list register: acl_check 
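Review bot: Each of the three `command` tasks in the new rbac.yml passes the management token as `-token {{ consul_master_token }}` on the command line, so the secret is visible in process listings on the host and is echoed in task output because none of the tasks sets `no_log: true`; the same applies to the `-token {{ hostvars['localhost']['consul_master_token'] }}` lines of the later commit. Passing it via `environment: CONSUL_HTTP_TOKEN: "{{ consul_master_token }}"` together with `no_log: true` keeps it out of both. 'Create Developer Token' does not `register` its result, so the SecretID Consul prints is discarded and exists only in the log. The `template` task writes the rules to `/tmp/read-policy.hcl` with no `mode`, and `consul acl policy create` / `role create` are not idempotent, so the file fails on the second run when the names already exist.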
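Review bot: `admin-policy.hcl.j2` grants `policy = "write"` on every node, service and KV prefix plus `acl = "write"`, which is ACL-management authority, yet no task in this commit renders or creates it — rbac.yml only creates `read-policy`. An unused template with management-level rules is easy to wire in later without review; either drop it until it is needed or add a header comment naming the intended consumer, e.g. `# Reserved for operator tokens; not created by rbac.yml`. The file contains no Jinja expressions, so a plain file under `files/` would also describe it more honestly than a `.j2` template.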
@@ -15,21 +14,19 @@ run_once: true no_log: true -# Bootstrap ACL if not initialized -- name: Bootstrap ACL (only if not already bootstrapped) +- name: Bootstrap ACL (only once) ansible.builtin.command: consul acl bootstrap register: consul_bootstrap run_once: true - when: "'Permission denied' in acl_check.stderr or acl_check.rc != 0" + when: acl_check.rc != 0 no_log: true failed_when: false -# Extract Bootstrap Token -- name: Extract Bootstrap Token +- name: Set consul_master_token if bootstrapped now ansible.builtin.set_fact: consul_master_token: "{{ consul_bootstrap.stdout | regex_search('SecretID:\\s+(.*)', '\\1') }}" when: - consul_bootstrap.stdout is defined - consul_bootstrap.stdout != "" - no_log: true run_once: true + no_log: true From e03f71f6a3420907bdd776ac51834263ffbd6ae5 Mon Sep 17 00:00:00 2001 From: anitha Date: Thu, 5 Mar 2026 15:07:56 +0530 Subject: [PATCH 042/412] files modified --- consul-role/tasks/acl.yml | 9 ++++----- consul-role/tasks/rbac.yml | 6 +++--- 2 files changed, 7 insertions(+), 8 deletions(-) diff --git a/consul-role/tasks/acl.yml b/consul-role/tasks/acl.yml index 0f7f8f1..4006d2c 100644 --- a/consul-role/tasks/acl.yml +++ b/consul-role/tasks/acl.yml @@ -22,11 +22,10 @@ no_log: true failed_when: false -- name: Set consul_master_token if bootstrapped now - ansible.builtin.set_fact: +- name: Set consul_master_token globally + set_fact: consul_master_token: "{{ consul_bootstrap.stdout | regex_search('SecretID:\\s+(.*)', '\\1') }}" - when: - - consul_bootstrap.stdout is defined - - consul_bootstrap.stdout != "" run_once: true + delegate_to: localhost + delegate_facts: true no_log: true diff --git a/consul-role/tasks/rbac.yml b/consul-role/tasks/rbac.yml index b4f0a68..c70d2e1 100644 --- a/consul-role/tasks/rbac.yml +++ b/consul-role/tasks/rbac.yml 
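Review bot: The new guard `when: acl_check.rc != 0` still does not distinguish a fresh cluster from one that is already bootstrapped, because `consul acl policy list` issued with no token presumably fails on both; the bootstrap command is then re-run, fails (hidden by `failed_when: false`), `consul_bootstrap.stdout` is empty, and the `set_fact` below is skipped, leaving `consul_master_token` undefined on every run after the first. A safer gate is a previously saved token file or a reset-index check before bootstrapping, plus a `failed_when` that tolerates only the already-bootstrapped message instead of `false`.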
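Review bot: Removing both `when` guards from the `set_fact` means the regex runs even when `consul_bootstrap` was skipped or produced no output; with `delegate_facts: true` the resulting empty or undefined value is then published on `localhost` and read by rbac.yml as `hostvars['localhost']['consul_master_token']`, which surfaces as a template error or an empty token rather than a clean skip. Keep at least `when: consul_bootstrap.stdout is defined and consul_bootstrap.stdout != ""`. `delegate_to: localhost` also depends on the implicit localhost being available in the run; with `run_once: true` already set, the fact could be set on the play host without delegation.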
@@ -9,7 +9,7 @@ consul acl policy create -name read-policy -rules @/tmp/read-policy.hcl - -token {{ consul_master_token }} + -token {{ hostvars['localhost']['consul_master_token'] }} run_once: true - name: Create Developer Role @@ -17,7 +17,7 @@ consul acl role create -name developer-role -policy-name read-policy - -token {{ consul_master_token }} + -token {{ hostvars['localhost']['consul_master_token'] }} run_once: true - name: Create Developer Token @@ -25,5 +25,5 @@ consul acl token create -description "Developer Token" -role-name developer-role - -token {{ consul_master_token }} + -token {{ hostvars['localhost']['consul_master_token'] }} run_once: true From 588e8a8574775ff99dad833535c9d0379766d2a5 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Thu, 5 Mar 2026 15:32:07 +0530 Subject: [PATCH 043/412] Update rbac.yml --- consul-role/tasks/rbac.yml | 3 --- 1 file changed, 3 deletions(-) diff --git a/consul-role/tasks/rbac.yml b/consul-role/tasks/rbac.yml index c70d2e1..fb9adbc 100644 --- a/consul-role/tasks/rbac.yml +++ b/consul-role/tasks/rbac.yml @@ -9,7 +9,6 @@ consul acl policy create -name read-policy -rules @/tmp/read-policy.hcl - -token {{ hostvars['localhost']['consul_master_token'] }} run_once: true - name: Create Developer Role @@ -17,7 +16,6 @@ consul acl role create -name developer-role -policy-name read-policy - -token {{ hostvars['localhost']['consul_master_token'] }} run_once: true - name: Create Developer Token @@ -25,5 +23,4 @@ consul acl token create -description "Developer Token" -role-name developer-role - -token {{ hostvars['localhost']['consul_master_token'] }} run_once: true From d46d806b40e11d65def9af247cc6cfb211c4f56f Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Thu, 5 Mar 2026 15:36:07 +0530 Subject: [PATCH 044/412] Update rbac.yml --- consul-role/tasks/rbac.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/consul-role/tasks/rbac.yml b/consul-role/tasks/rbac.yml index fb9adbc..f939eff 100644 
--- a/consul-role/tasks/rbac.yml +++ b/consul-role/tasks/rbac.yml @@ -1,14 +1,10 @@ -- name: Create Read Policy File - template: - src: read-policy.hcl.j2 - dest: /tmp/read-policy.hcl - run_once: true - - name: Create Read Policy command: > consul acl policy create -name read-policy -rules @/tmp/read-policy.hcl + environment: + CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" run_once: true - name: Create Developer Role @@ -16,6 +12,8 @@ consul acl role create -name developer-role -policy-name read-policy + environment: + CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" run_once: true - name: Create Developer Token @@ -23,4 +21,6 @@ consul acl token create -description "Developer Token" -role-name developer-role + environment: + CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" run_once: true From b694e5243e5620c22b7acea12af3221553c849ab Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Thu, 5 Mar 2026 15:44:46 +0530 Subject: [PATCH 045/412] Update rbac.yml --- consul-role/tasks/rbac.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/consul-role/tasks/rbac.yml b/consul-role/tasks/rbac.yml index f939eff..04ebdc5 100644 --- a/consul-role/tasks/rbac.yml +++ b/consul-role/tasks/rbac.yml @@ -5,6 +5,7 @@ -rules @/tmp/read-policy.hcl environment: CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" + CONSUL_CACERT: "/etc/consul.d/certs/consul-agent-ca.pem" run_once: true - name: Create Developer Role @@ -14,6 +15,7 @@ -policy-name read-policy environment: CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" + CONSUL_CACERT: "/etc/consul.d/certs/consul-agent-ca.pem" run_once: true - name: Create Developer Token @@ -23,4 +25,5 @@ -role-name developer-role environment: CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" + CONSUL_CACERT: "/etc/consul.d/certs/consul-agent-ca.pem" run_once: true From 1eef240c913aa62551d2ac242af10c6f56407eef Mon Sep 17 00:00:00 2001 
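Review bot: The first hunk deletes the 'Create Read Policy File' task, but 'Create Read Policy' still reads `-rules @/tmp/read-policy.hcl`, so on a fresh host the file is never written and the policy create fails. After the previous commit removed the `-token` arguments, the new `environment:` blocks set only `CONSUL_HTTP_ADDR`, so with ACLs enabled these three commands run with no token at all and will presumably be rejected with a permission error rather than create anything. Either restore the template task and add `CONSUL_HTTP_TOKEN: "{{ consul_master_token }}"` to each environment under `no_log: true`, or these tasks are dead code.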
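Review bot: `CONSUL_CACERT: "/etc/consul.d/certs/consul-agent-ca.pem"` is hard-coded in all three hunks while the rest of the role builds paths from `{{ consul_config_dir }}`; use `CONSUL_CACERT: "{{ consul_config_dir }}/certs/consul-agent-ca.pem"` so an overridden config directory does not silently break TLS verification. The identical `environment:` block is now repeated per task; defining it once (the earlier `consul_cli_env` variable) and referencing it keeps later additions such as `CONSUL_HTTP_TOKEN` in one place.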
From: AnithaAnnem Date: Thu, 5 Mar 2026 15:46:08 +0530 Subject: [PATCH 046/412] Update main.yml --- consul-role/tasks/main.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/consul-role/tasks/main.yml b/consul-role/tasks/main.yml index b1735b9..2402660 100644 --- a/consul-role/tasks/main.yml +++ b/consul-role/tasks/main.yml @@ -5,16 +5,16 @@ - name: Include directory tasks ansible.builtin.include_tasks: directories.yml +- name: Include ACL tasks + ansible.builtin.include_tasks: acl.yml + when: consul_acl_enabled + - name: Include configuration tasks ansible.builtin.include_tasks: config.yml - name: Include service tasks ansible.builtin.include_tasks: service.yml -- name: Include ACL tasks - ansible.builtin.include_tasks: acl.yml - when: consul_acl_enabled - - name: Include RBAC tasks ansible.builtin.include_tasks: rbac.yml when: consul_acl_enabled From a2e8f30dab047d8217953ed538b977776bcec626 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Thu, 5 Mar 2026 15:56:48 +0530 Subject: [PATCH 047/412] Update acl.yml --- consul-role/tasks/acl.yml | 7 ------- 1 file changed, 7 deletions(-) diff --git a/consul-role/tasks/acl.yml b/consul-role/tasks/acl.yml index 4006d2c..244c464 100644 --- a/consul-role/tasks/acl.yml +++ b/consul-role/tasks/acl.yml @@ -22,10 +22,3 @@ no_log: true failed_when: false -- name: Set consul_master_token globally - set_fact: - consul_master_token: "{{ consul_bootstrap.stdout | regex_search('SecretID:\\s+(.*)', '\\1') }}" - run_once: true - delegate_to: localhost - delegate_facts: true - no_log: true From b816309b0f9374f52abfb62af51dca79ebea88e6 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Thu, 5 Mar 2026 15:57:27 +0530 Subject: [PATCH 048/412] Update main.yml --- consul-role/tasks/main.yml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/consul-role/tasks/main.yml b/consul-role/tasks/main.yml index 2402660..ce869b6 100644 --- a/consul-role/tasks/main.yml +++ b/consul-role/tasks/main.yml 
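Review bot: Moving 'Include ACL tasks' ahead of the configuration and service includes means acl.yml's `wait_for` on port 8501 runs before this role has configured or started the agent, so on a first run it presumably times out after 60 s unless Consul was already running from a previous run. If the goal is to have the token available when rendering the config, that needs a bootstrap-then-reconfigure split rather than a plain reorder. A comment stating the dependency, e.g. `# acl.yml needs a running agent on 8501 — see service.yml`, would stop the next reorder from reintroducing this.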
@@ -14,7 +14,3 @@ - name: Include service tasks ansible.builtin.include_tasks: service.yml - -- name: Include RBAC tasks - ansible.builtin.include_tasks: rbac.yml - when: consul_acl_enabled From 42099fab30f2c504dc604e8037f412aebce5b407 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Thu, 5 Mar 2026 15:57:41 +0530 Subject: [PATCH 049/412] Delete consul-role/tasks/rbac.yml --- consul-role/tasks/rbac.yml | 29 ----------------------------- 1 file changed, 29 deletions(-) delete mode 100644 consul-role/tasks/rbac.yml diff --git a/consul-role/tasks/rbac.yml b/consul-role/tasks/rbac.yml deleted file mode 100644 index 04ebdc5..0000000 --- a/consul-role/tasks/rbac.yml +++ /dev/null @@ -1,29 +0,0 @@ -- name: Create Read Policy - command: > - consul acl policy create - -name read-policy - -rules @/tmp/read-policy.hcl - environment: - CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" - CONSUL_CACERT: "/etc/consul.d/certs/consul-agent-ca.pem" - run_once: true - -- name: Create Developer Role - command: > - consul acl role create - -name developer-role - -policy-name read-policy - environment: - CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" - CONSUL_CACERT: "/etc/consul.d/certs/consul-agent-ca.pem" - run_once: true - -- name: Create Developer Token - command: > - consul acl token create - -description "Developer Token" - -role-name developer-role - environment: - CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" - CONSUL_CACERT: "/etc/consul.d/certs/consul-agent-ca.pem" - run_once: true From 3f32d0ec742f77b9f1be682c2b50ea0e0fff9d1e Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Thu, 5 Mar 2026 15:58:01 +0530 Subject: [PATCH 050/412] Delete consul-role/templates/admin-policy.hcl.j2 --- consul-role/templates/admin-policy.hcl.j2 | 13 ------------- 1 file changed, 13 deletions(-) delete mode 100644 consul-role/templates/admin-policy.hcl.j2 
diff --git a/consul-role/templates/admin-policy.hcl.j2 b/consul-role/templates/admin-policy.hcl.j2 deleted file mode 100644 index b406954..0000000 --- a/consul-role/templates/admin-policy.hcl.j2 +++ /dev/null @@ -1,13 +0,0 @@ -node_prefix "" { - policy = "write" -} - -service_prefix "" { - policy = "write" -} - -kv_prefix "" { - policy = "write" -} - -acl = "write" From ebf6ed65279fb128876612f9b3821e5dca8cfb75 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Thu, 5 Mar 2026 15:58:27 +0530 Subject: [PATCH 051/412] Delete consul-role/templates/read-policy.hcl.j2 --- consul-role/templates/read-policy.hcl.j2 | 7 ------- 1 file changed, 7 deletions(-) delete mode 100644 consul-role/templates/read-policy.hcl.j2 diff --git a/consul-role/templates/read-policy.hcl.j2 b/consul-role/templates/read-policy.hcl.j2 deleted file mode 100644 index 90d3a1c..0000000 --- a/consul-role/templates/read-policy.hcl.j2 +++ /dev/null @@ -1,7 +0,0 @@ -node_prefix "" { - policy = "read" -} - -service_prefix "" { - policy = "read" -} From 3cd085ec2123d75b49a92371b0c27bff8caf1faa Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Thu, 5 Mar 2026 16:14:39 +0530 Subject: [PATCH 052/412] Create acl_policies.yml --- consul-role/tasks/acl_policies.yml | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 consul-role/tasks/acl_policies.yml diff --git a/consul-role/tasks/acl_policies.yml b/consul-role/tasks/acl_policies.yml new file mode 100644 index 0000000..a34aaa0 --- /dev/null +++ b/consul-role/tasks/acl_policies.yml 
@@ -0,0 +1,22 @@ +--- +- name: Copy policy files + ansible.builtin.template: + src: "policies/{{ item }}.hcl.j2" + dest: "/tmp/{{ item }}.hcl" + loop: + - agent-policy + - service-policy + - readonly-policy + +- name: Create Consul policies + ansible.builtin.command: > + consul acl policy create + -name {{ item }} + -rules @/tmp/{{ item }}.hcl + -token {{ consul_master_token }} + loop: + - agent-policy + - service-policy + - readonly-policy + run_once: true + failed_when: false From 4e8f04c096dca4495d42eff864fd71f9b8ebccbc Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Thu, 5 Mar 2026 16:15:03 +0530 Subject: [PATCH 053/412] Create acl_tokens.yml --- consul-role/tasks/acl_tokens.yml | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100644 consul-role/tasks/acl_tokens.yml diff --git a/consul-role/tasks/acl_tokens.yml b/consul-role/tasks/acl_tokens.yml new file mode 100644 index 0000000..b6157b9 --- /dev/null +++ b/consul-role/tasks/acl_tokens.yml @@ -0,0 +1,30 @@ +--- +- name: Create agent token + ansible.builtin.command: > + consul acl token create + -description "Agent Token" + -policy-name agent-policy + -token {{ consul_master_token }} + register: agent_token + run_once: true + failed_when: false + +- name: Create service token + ansible.builtin.command: > + consul acl token create + -description "Service Token" + -policy-name service-policy + -token {{ consul_master_token }} + register: service_token + run_once: true + failed_when: false + +- name: Create readonly token + ansible.builtin.command: > + consul acl token create + -description "Readonly Token" + -policy-name readonly-policy + -token {{ consul_master_token }} + register: readonly_token + run_once: true + failed_when: false From 110e4de9377d8a3b725cbbe07b2cb3f4ad94d713 Mon Sep 17 00:00:00 2001 
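Review bot: The 'Create Consul policies' loop passes the management token as `-token {{ consul_master_token }}` on the command line with no `no_log`, so the secret appears in process listings and in the task output for every loop item; every task of `acl_tokens.yml` in the next commit has the same pattern. Move it to `environment: CONSUL_HTTP_TOKEN: "{{ consul_master_token }}"` and set `no_log: true`. `failed_when: false` also hides a rejected or malformed rules file, so a wrong policy is never reported; tolerate only the already-exists case, or check `consul acl policy list` first. The template task has no `mode` and runs on every host while the create step is `run_once`, so the rendered rules land in `/tmp` on hosts that never use them.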
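Review bot: Each `consul acl token create` task registers output containing the new token's SecretID (`agent_token`, `service_token`, `readonly_token`) without `no_log: true`, and nothing in the commit consumes those results, so the tokens are minted on every run, accumulate in Consul, and their secrets exist only in the Ansible log. Either register them under `no_log: true` and write them where the agent or service configuration expects them, or gate creation on an existing-token lookup so the tasks are idempotent. The `-token` command-line issue is noted on `acl_policies.yml`.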
From: AnithaAnnem Date: Thu, 5 Mar 2026 16:15:31 +0530 Subject: [PATCH 054/412] Create agent-policy.hcl.j2 --- consul-role/templates/policies/agent-policy.hcl.j2 | 11 +++++++++++ 1 file changed, 11 insertions(+) create mode 100644 consul-role/templates/policies/agent-policy.hcl.j2 diff --git a/consul-role/templates/policies/agent-policy.hcl.j2 b/consul-role/templates/policies/agent-policy.hcl.j2 new file mode 100644 index 0000000..6ad8420 --- /dev/null +++ b/consul-role/templates/policies/agent-policy.hcl.j2 @@ -0,0 +1,11 @@ +node_prefix "" { + policy = "write" +} + +service_prefix "" { + policy = "read" +} + +agent_prefix "" { + policy = "write" +} From 8c3b9c514b2d4b1bed3c71e73d22d41c517f65e1 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Thu, 5 Mar 2026 16:15:52 +0530 Subject: [PATCH 055/412] Create service-policy.hcl.j2 --- consul-role/templates/policies/service-policy.hcl.j2 | 7 +++++++ 1 file changed, 7 insertions(+) create mode 100644 consul-role/templates/policies/service-policy.hcl.j2 diff --git a/consul-role/templates/policies/service-policy.hcl.j2 b/consul-role/templates/policies/service-policy.hcl.j2 new file mode 100644 index 0000000..47bd12c --- /dev/null +++ b/consul-role/templates/policies/service-policy.hcl.j2 @@ -0,0 +1,7 @@ +service_prefix "" { + policy = "write" +} + +node_prefix "" { + policy = "read" +} From b41d492a96b505aea4d8c9d4bc76ed9d26df5faf Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Thu, 5 Mar 2026 16:16:12 +0530 Subject: [PATCH 056/412] Create readonly-policy.hcl.j2 --- consul-role/templates/policies/readonly-policy.hcl.j2 | 11 +++++++++++ 1 file changed, 11 insertions(+) create mode 100644 consul-role/templates/policies/readonly-policy.hcl.j2 diff --git a/consul-role/templates/policies/readonly-policy.hcl.j2 b/consul-role/templates/policies/readonly-policy.hcl.j2 new file mode 100644 index 0000000..09b4b13 --- /dev/null +++ b/consul-role/templates/policies/readonly-policy.hcl.j2 
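Review bot: `node_prefix ""` and `agent_prefix ""` with `policy = "write"` let any holder of this token write every node's registration and agent API, not only its own; if one token per agent is intended, Consul's per-node form `node "{{ inventory_hostname }}" { policy = "write" }` (this is a Jinja template, so the name can be rendered — assuming node names match `inventory_hostname`) is the least-privilege shape. `service-policy.hcl.j2` in the next commit has the same breadth with `service_prefix "" { policy = "write" }`, which allows any service token to overwrite any other service's registration. If the unscoped prefixes are deliberate, a comment at the top of each template saying so would stop a later reviewer from tightening them without discussion.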
@@ -0,0 +1,11 @@ +node_prefix "" { + policy = "read" +} + +service_prefix "" { + policy = "read" +} + +key_prefix "" { + policy = "read" +} From 6df0c0af5a3b90a23249b0842e62a58972f31243 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Thu, 5 Mar 2026 16:16:59 +0530 Subject: [PATCH 057/412] Update acl.yml --- consul-role/tasks/acl.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/consul-role/tasks/acl.yml b/consul-role/tasks/acl.yml index 244c464..18c5151 100644 --- a/consul-role/tasks/acl.yml +++ b/consul-role/tasks/acl.yml @@ -22,3 +22,9 @@ no_log: true failed_when: false +- name: Extract bootstrap token + ansible.builtin.set_fact: + consul_master_token: "{{ consul_bootstrap.stdout | regex_search('SecretID:\\s+(\\S+)', '\\1') }}" + when: consul_bootstrap.stdout is defined + run_once: true + From 1fe8ec30fe2ec3e89a4ebd3d730edc227a7e5aec Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Thu, 5 Mar 2026 16:18:24 +0530 Subject: [PATCH 058/412] Update acl.yml --- consul-role/tasks/acl.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/consul-role/tasks/acl.yml b/consul-role/tasks/acl.yml index 18c5151..a490333 100644 --- a/consul-role/tasks/acl.yml +++ b/consul-role/tasks/acl.yml @@ -28,3 +28,9 @@ when: consul_bootstrap.stdout is defined run_once: true +- name: Create ACL policies + ansible.builtin.include_tasks: acl_policies.yml + +- name: Create ACL tokens + ansible.builtin.include_tasks: acl_tokens.yml + From 6b7261c7a7dc9bd1e4e736fda59068fa76b0e83b Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Thu, 5 Mar 2026 16:20:03 +0530 Subject: [PATCH 059/412] Update main.yml --- consul-role/tasks/main.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/consul-role/tasks/main.yml b/consul-role/tasks/main.yml index ce869b6..6410f1e 100644 --- a/consul-role/tasks/main.yml +++ b/consul-role/tasks/main.yml 
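Review bot: The re-added 'Extract bootstrap token' task no longer carries `no_log: true`, which the earlier version of this task had, so the management token is printed in verbose output when the fact is set; add `no_log: true` back. `regex_search(…, '\\1')` with a group argument returns a list, so `consul_master_token` is `['<token>']` rather than a string unless `| first` is applied. When the bootstrap command failed because the cluster was already bootstrapped, `consul_bootstrap.stdout` is defined but empty, the search matches nothing and the fact is set to an empty value that downstream tasks then send as the token.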
@@ -5,12 +5,12 @@ - name: Include directory tasks ansible.builtin.include_tasks: directories.yml -- name: Include ACL tasks - ansible.builtin.include_tasks: acl.yml - when: consul_acl_enabled - - name: Include configuration tasks ansible.builtin.include_tasks: config.yml - name: Include service tasks ansible.builtin.include_tasks: service.yml + +- name: Include ACL tasks + ansible.builtin.include_tasks: acl.yml + when: consul_acl_enabled From b84941f6d3fdd611692b9fa85369d7b9f1320d67 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Thu, 5 Mar 2026 16:23:32 +0530 Subject: [PATCH 060/412] Update acl.yml --- consul-role/tasks/acl.yml | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/consul-role/tasks/acl.yml b/consul-role/tasks/acl.yml index a490333..7197a85 100644 --- a/consul-role/tasks/acl.yml +++ b/consul-role/tasks/acl.yml @@ -28,6 +28,16 @@ when: consul_bootstrap.stdout is defined run_once: true +- name: Save bootstrap token + ansible.builtin.copy: + content: "{{ consul_master_token }}" + dest: "{{ consul_config_dir }}/bootstrap.token" + owner: "{{ consul_user }}" + group: "{{ consul_group }}" + mode: "0600" + when: consul_master_token is defined + run_once: true + - name: Create ACL policies ansible.builtin.include_tasks: acl_policies.yml From e5a809f07904303b9252a7de41ffdcfc590be865 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Thu, 5 Mar 2026 17:32:35 +0530 Subject: [PATCH 061/412] Create rbac.yml --- consul-role/tasks/rbac.yml | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 consul-role/tasks/rbac.yml diff --git a/consul-role/tasks/rbac.yml b/consul-role/tasks/rbac.yml new file mode 100644 index 0000000..a091af5 --- /dev/null +++ b/consul-role/tasks/rbac.yml 
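Review bot: 'Save bootstrap token' fires on `when: consul_master_token is defined`, which is also true when the preceding `set_fact` produced an empty value (bootstrap already done, no SecretID in stdout), so a second run overwrites an existing `bootstrap.token` with empty content; guard on content instead, `when: consul_master_token is defined and consul_master_token | length > 0`. A `copy` with `content:` exposes the token in `--diff` and verbose output, so the task also needs `no_log: true`. With `run_once: true` the file lands on one host only, which is reasonable for a bootstrap secret but should be stated in a comment so nobody expects it on every server.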
@@ -0,0 +1,22 @@ +- name: Copy read policy file + copy: + src: read-policy.hcl + dest: /tmp/read-policy.hcl + +- name: Create read policy + command: consul acl policy create -name read-policy -rules @/tmp/read-policy.hcl + environment: + CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" + run_once: true + +- name: Create read role + command: consul acl role create -name read-role -policy-name read-policy + environment: + CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" + run_once: true + +- name: Create application token + command: consul acl token create -description "App Read Token" -role-name read-role + environment: + CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" + run_once: true From 0ecc6ce240a0bac74b57791f26f9673c1fb9e166 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Thu, 5 Mar 2026 17:33:07 +0530 Subject: [PATCH 062/412] Update main.yml --- consul-role/tasks/main.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/consul-role/tasks/main.yml b/consul-role/tasks/main.yml index 6410f1e..b1735b9 100644 --- a/consul-role/tasks/main.yml +++ b/consul-role/tasks/main.yml @@ -14,3 +14,7 @@ - name: Include ACL tasks ansible.builtin.include_tasks: acl.yml when: consul_acl_enabled + +- name: Include RBAC tasks + ansible.builtin.include_tasks: rbac.yml + when: consul_acl_enabled From d5db01ac138f0a46a5ad29eed582efef2bf5323f Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Thu, 5 Mar 2026 17:38:02 +0530 Subject: [PATCH 063/412] Create read-policy.hcl --- consul-role/files/read-policy.hcl | 15 +++++++++++++++ 1 file changed, 15 insertions(+) create mode 100644 consul-role/files/read-policy.hcl diff --git a/consul-role/files/read-policy.hcl b/consul-role/files/read-policy.hcl new file mode 100644 index 0000000..cb2a930 --- /dev/null +++ b/consul-role/files/read-policy.hcl @@ -0,0 +1,15 @@ +node_prefix "" { + policy = "read" +} + +service_prefix "" { + policy = "read" +} + +agent_prefix "" { + policy = "read" +} + +key_prefix "" { + policy = "read" +} 
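Review bot: Passing the token through `environment: CONSUL_HTTP_TOKEN` is the right move, but 'Create application token' neither registers nor masks its output, and the SecretID Consul prints is shown in verbose output because no task sets `no_log: true`. `consul acl policy create` and `role create` are not idempotent and fail on a rerun when the objects exist, so the tasks need an existence check or a `failed_when` that tolerates the already-exists message. The `copy` task has no `mode` and no `run_once`, so the policy file is written to `/tmp` on every host while only one host uses it.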
From 0750888be2b4a82503e3d310c100d49e1eb1e281 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Thu, 5 Mar 2026 17:40:05 +0530 Subject: [PATCH 064/412] Update rbac.yml --- consul-role/tasks/rbac.yml | 45 ++++++++++++++++++++++++++++++++++---- 1 file changed, 41 insertions(+), 4 deletions(-) diff --git a/consul-role/tasks/rbac.yml b/consul-role/tasks/rbac.yml index a091af5..bce3c12 100644 --- a/consul-role/tasks/rbac.yml +++ b/consul-role/tasks/rbac.yml 
@@ -1,22 +1,59 @@ +--- - name: Copy read policy file - copy: + ansible.builtin.copy: src: read-policy.hcl dest: /tmp/read-policy.hcl + mode: "0644" +# ------------------------- +# CHECK POLICY +# ------------------------- +- name: Check existing policies + ansible.builtin.command: consul acl policy list + register: policy_list + environment: + CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" + changed_when: false + run_once: true + +# ------------------------- +# CREATE POLICY +# ------------------------- - name: Create read policy - command: consul acl policy create -name read-policy -rules @/tmp/read-policy.hcl + ansible.builtin.command: consul acl policy create -name read-policy -rules @/tmp/read-policy.hcl environment: CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" + when: "'read-policy' not in policy_list.stdout" run_once: true +# ------------------------- +# CHECK ROLES +# ------------------------- +- name: Check existing roles + ansible.builtin.command: consul acl role list + register: role_list + environment: + CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" + changed_when: false + run_once: true + +# ------------------------- +# CREATE ROLE +# ------------------------- - name: Create read role - command: consul acl role create -name read-role -policy-name read-policy + ansible.builtin.command: consul acl role create -name read-role -policy-name read-policy environment: CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" + when: "'read-role' not in role_list.stdout" run_once: true +# ------------------------- +# CREATE APPLICATION TOKEN +# ------------------------- - name: Create application token - command: consul acl token create -description "App Read Token" -role-name read-role + ansible.builtin.command: consul acl token create -description "App Read Token" -role-name read-role environment: CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" + register: app_token run_once: true + From 00192b369b5812ef6d46534b61bdc5de43a36b05 Mon Sep 17 00:00:00 2001 
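Review bot: The new guards `'read-policy' not in policy_list.stdout` and `'read-role' not in role_list.stdout` are substring tests on the CLI's human-readable listing, so any policy or role whose name merely contains `read-policy`/`read-role` suppresses creation; `consul acl policy list -format json` parsed with `from_json | map(attribute='Name')` gives an exact match. 'Create application token' is still unguarded and registers `app_token`, which carries the SecretID, without `no_log: true`, so a new token is minted and logged on every run. The rules file is copied to `/tmp` with `mode: "0644"`; a private mode or a destination under `{{ consul_config_dir }}` would be tighter.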
From: AnithaAnnem Date: Thu, 5 Mar 2026 17:45:37 +0530 Subject: [PATCH 065/412] Update rbac.yml --- consul-role/tasks/rbac.yml | 41 +++++++++++++++++++++++++++----------- 1 file changed, 29 insertions(+), 12 deletions(-) diff --git a/consul-role/tasks/rbac.yml b/consul-role/tasks/rbac.yml index bce3c12..11739b8 100644 --- a/consul-role/tasks/rbac.yml +++ b/consul-role/tasks/rbac.yml @@ -1,4 +1,7 @@ --- +# ------------------------- +# COPY POLICY FILE +# ------------------------- - name: Copy read policy file ansible.builtin.copy: src: read-policy.hcl @@ -6,25 +9,31 @@ mode: "0644" # ------------------------- -# CHECK POLICY +# CHECK EXISTING POLICIES # ------------------------- - name: Check existing policies ansible.builtin.command: consul acl policy list register: policy_list - environment: - CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" changed_when: false run_once: true + environment: + CONSUL_HTTP_ADDR: "https://127.0.0.1:8501" + CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" + CONSUL_CLIENT_CERT: "{{ consul_config_dir }}/certs/tls.crt" + CONSUL_CLIENT_KEY: "{{ consul_config_dir }}/certs/tls.key" # ------------------------- # CREATE POLICY # ------------------------- - name: Create read policy ansible.builtin.command: consul acl policy create -name read-policy -rules @/tmp/read-policy.hcl - environment: - CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" when: "'read-policy' not in policy_list.stdout" run_once: true + environment: + CONSUL_HTTP_ADDR: "https://127.0.0.1:8501" + CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" + CONSUL_CLIENT_CERT: "{{ consul_config_dir }}/certs/tls.crt" + CONSUL_CLIENT_KEY: "{{ consul_config_dir }}/certs/tls.key" # ------------------------- # CHECK ROLES 
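Review bot: The four-line `environment:` block (`CONSUL_HTTP_ADDR`, `CONSUL_HTTP_TOKEN`, `CONSUL_CLIENT_CERT`, `CONSUL_CLIENT_KEY`) is pasted into both tasks of this hunk, again in the next hunk, and into all five hunks of the following commit; define it once as a variable and reference it with `environment: "{{ consul_cli_env }}"`, or set it at block level, so a later change is made in one place. The block supplies a client certificate and key but no `CONSUL_CACERT`, so the HTTPS connection to `127.0.0.1:8501` is presumably verified against the system trust store and fails unless the cluster CA is installed there; the earlier commit used `CONSUL_CACERT: "/etc/consul.d/certs/consul-agent-ca.pem"`. The key at `{{ consul_config_dir }}/certs/tls.key` must also be readable by the user Ansible runs the command as, which may be broader than the consul service user — worth a comment on the task.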
@@ -32,28 +41,36 @@ - name: Check existing roles ansible.builtin.command: consul acl role list register: role_list - environment: - CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" changed_when: false run_once: true + environment: + CONSUL_HTTP_ADDR: "https://127.0.0.1:8501" + CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" + CONSUL_CLIENT_CERT: "{{ consul_config_dir }}/certs/tls.crt" + CONSUL_CLIENT_KEY: "{{ consul_config_dir }}/certs/tls.key" # ------------------------- # CREATE ROLE # ------------------------- - name: Create read role ansible.builtin.command: consul acl role create -name read-role -policy-name read-policy - environment: - CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" when: "'read-role' not in role_list.stdout" run_once: true + environment: + CONSUL_HTTP_ADDR: "https://127.0.0.1:8501" + CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" + CONSUL_CLIENT_CERT: "{{ consul_config_dir }}/certs/tls.crt" + CONSUL_CLIENT_KEY: "{{ consul_config_dir }}/certs/tls.key" # ------------------------- # CREATE APPLICATION TOKEN # ------------------------- - name: Create application token ansible.builtin.command: consul acl token create -description "App Read Token" -role-name read-role - environment: - CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" register: app_token run_once: true - + environment: + CONSUL_HTTP_ADDR: "https://127.0.0.1:8501" + CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" + CONSUL_CLIENT_CERT: "{{ consul_config_dir }}/certs/tls.crt" + CONSUL_CLIENT_KEY: "{{ consul_config_dir }}/certs/tls.key" From 4e2732c025e33df93311f9cc325f1876c91717f3 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Thu, 5 Mar 2026 17:54:32 +0530 Subject: [PATCH 066/412] Update rbac.yml --- consul-role/tasks/rbac.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/consul-role/tasks/rbac.yml b/consul-role/tasks/rbac.yml index 11739b8..e86816b 100644 --- a/consul-role/tasks/rbac.yml +++ b/consul-role/tasks/rbac.yml 
@@ -17,7 +17,7 @@ changed_when: false run_once: true environment: - CONSUL_HTTP_ADDR: "https://127.0.0.1:8501" + CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" CONSUL_CLIENT_CERT: "{{ consul_config_dir }}/certs/tls.crt" CONSUL_CLIENT_KEY: "{{ consul_config_dir }}/certs/tls.key" @@ -30,7 +30,7 @@ when: "'read-policy' not in policy_list.stdout" run_once: true environment: - CONSUL_HTTP_ADDR: "https://127.0.0.1:8501" + CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" CONSUL_CLIENT_CERT: "{{ consul_config_dir }}/certs/tls.crt" CONSUL_CLIENT_KEY: "{{ consul_config_dir }}/certs/tls.key" @@ -44,7 +44,7 @@ changed_when: false run_once: true environment: - CONSUL_HTTP_ADDR: "https://127.0.0.1:8501" + CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" CONSUL_CLIENT_CERT: "{{ consul_config_dir }}/certs/tls.crt" CONSUL_CLIENT_KEY: "{{ consul_config_dir }}/certs/tls.key" @@ -57,7 +57,7 @@ when: "'read-role' not in role_list.stdout" run_once: true environment: - CONSUL_HTTP_ADDR: "https://127.0.0.1:8501" + CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" CONSUL_CLIENT_CERT: "{{ consul_config_dir }}/certs/tls.crt" CONSUL_CLIENT_KEY: "{{ consul_config_dir }}/certs/tls.key" @@ -70,7 +70,7 @@ register: app_token run_once: true environment: - CONSUL_HTTP_ADDR: "https://127.0.0.1:8501" + CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" CONSUL_CLIENT_CERT: "{{ consul_config_dir }}/certs/tls.crt" CONSUL_CLIENT_KEY: "{{ consul_config_dir }}/certs/tls.key" From 5ff8fe343fea19eb9c3ae2adbaef3caa90aef6b5 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Thu, 5 Mar 2026 18:37:41 +0530 Subject: [PATCH 067/412] Update rbac.yml --- consul-role/tasks/rbac.yml | 5 +++++ 1 file changed, 5 insertions(+) 
diff --git a/consul-role/tasks/rbac.yml b/consul-role/tasks/rbac.yml index e86816b..c8a2892 100644 --- a/consul-role/tasks/rbac.yml +++ b/consul-role/tasks/rbac.yml @@ -21,6 +21,7 @@ CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" CONSUL_CLIENT_CERT: "{{ consul_config_dir }}/certs/tls.crt" CONSUL_CLIENT_KEY: "{{ consul_config_dir }}/certs/tls.key" + CONSUL_HTTP_SSL_VERIFY: "false" # ------------------------- # CREATE POLICY @@ -34,6 +35,7 @@ CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" CONSUL_CLIENT_CERT: "{{ consul_config_dir }}/certs/tls.crt" CONSUL_CLIENT_KEY: "{{ consul_config_dir }}/certs/tls.key" + CONSUL_HTTP_SSL_VERIFY: "false" # ------------------------- # CHECK ROLES @@ -48,6 +50,7 @@ CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" CONSUL_CLIENT_CERT: "{{ consul_config_dir }}/certs/tls.crt" CONSUL_CLIENT_KEY: "{{ consul_config_dir }}/certs/tls.key" + CONSUL_HTTP_SSL_VERIFY: "false" # ------------------------- # CREATE ROLE @@ -61,6 +64,7 @@ CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" CONSUL_CLIENT_CERT: "{{ consul_config_dir }}/certs/tls.crt" CONSUL_CLIENT_KEY: "{{ consul_config_dir }}/certs/tls.key" + CONSUL_HTTP_SSL_VERIFY: "false" # ------------------------- # CREATE APPLICATION TOKEN @@ -74,3 +78,4 @@ CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" CONSUL_CLIENT_CERT: "{{ consul_config_dir }}/certs/tls.crt" CONSUL_CLIENT_KEY: "{{ consul_config_dir }}/certs/tls.key" + CONSUL_HTTP_SSL_VERIFY: "false" From cccd49a6de0ba7492acf3c4bd4b25467cd2c39bf Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Thu, 5 Mar 2026 18:43:03 +0530 Subject: [PATCH 068/412] Update rbac.yml --- consul-role/tasks/rbac.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/consul-role/tasks/rbac.yml b/consul-role/tasks/rbac.yml index c8a2892..dc927e9 100644 --- a/consul-role/tasks/rbac.yml +++ b/consul-role/tasks/rbac.yml 
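Review bot: `CONSUL_HTTP_SSL_VERIFY: "false"` disables server-certificate verification for every CLI call in this file, so the client certificate and the management token are sent to whatever answers on `{{ consul_bind_addr }}:8501`; client-side mTLS without server verification gives up the half that protects the token. The role already ships `certs/tls.crt` and `tls.key` under `consul_config_dir`, so the signing CA is presumably available too: set `CONSUL_CACERT: "{{ consul_config_dir }}/certs/<ca-file>"` (placeholder for the CA bundle the role installs) and drop the override, or, if verification fails because the 8501 certificate lacks a SAN for `consul_bind_addr`, fix the SAN rather than the client. If an escape hatch has to stay, make it a default-off variable such as `consul_cli_ssl_verify` so insecure mode is explicit in inventory rather than the baked-in default.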
@@ -18,7 +18,7 @@ run_once: true environment: CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" - CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" + CONSUL_HTTP_TOKEN: "{{ lookup('env','consul_master_token') }}" CONSUL_CLIENT_CERT: "{{ consul_config_dir }}/certs/tls.crt" CONSUL_CLIENT_KEY: "{{ consul_config_dir }}/certs/tls.key" CONSUL_HTTP_SSL_VERIFY: "false" @@ -32,7 +32,7 @@ run_once: true environment: CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" - CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" + CONSUL_HTTP_TOKEN: "{{ lookup('env','consul_master_token') }}" CONSUL_CLIENT_CERT: "{{ consul_config_dir }}/certs/tls.crt" CONSUL_CLIENT_KEY: "{{ consul_config_dir }}/certs/tls.key" CONSUL_HTTP_SSL_VERIFY: "false" @@ -47,7 +47,7 @@ run_once: true environment: CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" - CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" + CONSUL_HTTP_TOKEN: "{{ lookup('env','consul_master_token') }}" CONSUL_CLIENT_CERT: "{{ consul_config_dir }}/certs/tls.crt" CONSUL_CLIENT_KEY: "{{ consul_config_dir }}/certs/tls.key" CONSUL_HTTP_SSL_VERIFY: "false" @@ -61,7 +61,7 @@ run_once: true environment: CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" - CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" + CONSUL_HTTP_TOKEN: "{{ lookup('env','consul_master_token') }}" CONSUL_CLIENT_CERT: "{{ consul_config_dir }}/certs/tls.crt" CONSUL_CLIENT_KEY: "{{ consul_config_dir }}/certs/tls.key" CONSUL_HTTP_SSL_VERIFY: "false" @@ -75,7 +75,7 @@ run_once: true environment: CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" - CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" + CONSUL_HTTP_TOKEN: "{{ lookup('env','consul_master_token') }}" CONSUL_CLIENT_CERT: "{{ consul_config_dir }}/certs/tls.crt" CONSUL_CLIENT_KEY: "{{ consul_config_dir }}/certs/tls.key" CONSUL_HTTP_SSL_VERIFY: "false" From 0f5a6c15d0a7766b38398ef5432d38bbf46dd3f9 Mon Sep 17 00:00:00 2001 
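Review bot: `lookup('env', 'consul_master_token')` reads the environment of the machine running `ansible-playbook`, not the Consul server, and when that variable is unset it renders an empty string, so each `consul acl …` call proceeds as the anonymous token instead of failing loudly. If the token is meant to come from the controller's environment, resolve it once with a guard — `consul_master_token: "{{ lookup('env', 'CONSUL_MASTER_TOKEN') | mandatory }}"` — and keep the five `environment:` blocks pointing at the variable; the five copies of the lookup here cannot be guarded. Note that lowercase environment variable names are unusual and easy to miss when exporting.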
From: AnithaAnnem Date: Thu, 5 Mar 2026 19:30:45 +0530 Subject: [PATCH 069/412] Update rbac.yml --- consul-role/tasks/rbac.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/consul-role/tasks/rbac.yml b/consul-role/tasks/rbac.yml index dc927e9..0dc8cf6 100644 --- a/consul-role/tasks/rbac.yml +++ b/consul-role/tasks/rbac.yml @@ -23,6 +23,11 @@ CONSUL_CLIENT_KEY: "{{ consul_config_dir }}/certs/tls.key" CONSUL_HTTP_SSL_VERIFY: "false" +- name: Debug Token Presence + debug: + msg: "The token value is: {{ lookup('env','consul_master_token') }}" + run_once: true + # ------------------------- # CREATE POLICY # ------------------------- From 8f17d181e54153f77c310d6011aa9f64057018d2 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Thu, 5 Mar 2026 19:37:08 +0530 Subject: [PATCH 070/412] Update rbac.yml --- consul-role/tasks/rbac.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/consul-role/tasks/rbac.yml b/consul-role/tasks/rbac.yml index 0dc8cf6..fc566a5 100644 --- a/consul-role/tasks/rbac.yml +++ b/consul-role/tasks/rbac.yml @@ -8,6 +8,11 @@ dest: /tmp/read-policy.hcl mode: "0644" +- name: Debug Token Presence + debug: + msg: "The token value is: {{ lookup('env','consul_master_token') }}" + run_once: true + # ------------------------- # CHECK EXISTING POLICIES # ------------------------- @@ -23,11 +28,6 @@ CONSUL_CLIENT_KEY: "{{ consul_config_dir }}/certs/tls.key" CONSUL_HTTP_SSL_VERIFY: "false" -- name: Debug Token Presence - debug: - msg: "The token value is: {{ lookup('env','consul_master_token') }}" - run_once: true - # ------------------------- # CREATE POLICY # ------------------------- From 812ccf311ac9b440e511fe6826783f925e7cacad Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Thu, 5 Mar 2026 19:49:04 +0530 Subject: [PATCH 071/412] Update rbac.yml --- consul-role/tasks/rbac.yml | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) 
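Review bot: The added `Debug Token Presence` task prints the management token itself (`msg: "The token value is: …"`), so it lands in console output, CI logs and any callback plugin; the second commit only moves it earlier in the file. To test presence without disclosing the value, print a derived fact such as `msg: "consul_master_token is {{ 'set' if (consul_master_token | default('') | length > 0) else 'EMPTY' }}"`, or use `ansible.builtin.assert` with `that: consul_master_token | length > 0`. The task also uses the short `debug:` form while the rest of the file uses `ansible.builtin.*` FQCNs.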
diff --git a/consul-role/tasks/rbac.yml b/consul-role/tasks/rbac.yml index fc566a5..d3e3de9 100644 --- a/consul-role/tasks/rbac.yml +++ b/consul-role/tasks/rbac.yml @@ -23,11 +23,12 @@ run_once: true environment: CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" - CONSUL_HTTP_TOKEN: "{{ lookup('env','consul_master_token') }}" + CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" CONSUL_CLIENT_CERT: "{{ consul_config_dir }}/certs/tls.crt" CONSUL_CLIENT_KEY: "{{ consul_config_dir }}/certs/tls.key" CONSUL_HTTP_SSL_VERIFY: "false" + # ------------------------- # CREATE POLICY # ------------------------- @@ -37,7 +38,7 @@ run_once: true environment: CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" - CONSUL_HTTP_TOKEN: "{{ lookup('env','consul_master_token') }}" + CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" CONSUL_CLIENT_CERT: "{{ consul_config_dir }}/certs/tls.crt" CONSUL_CLIENT_KEY: "{{ consul_config_dir }}/certs/tls.key" CONSUL_HTTP_SSL_VERIFY: "false" @@ -52,7 +53,7 @@ run_once: true environment: CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" - CONSUL_HTTP_TOKEN: "{{ lookup('env','consul_master_token') }}" + CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" CONSUL_CLIENT_CERT: "{{ consul_config_dir }}/certs/tls.crt" CONSUL_CLIENT_KEY: "{{ consul_config_dir }}/certs/tls.key" CONSUL_HTTP_SSL_VERIFY: "false" @@ -66,7 +67,7 @@ run_once: true environment: CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" - CONSUL_HTTP_TOKEN: "{{ lookup('env','consul_master_token') }}" + CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" CONSUL_CLIENT_CERT: "{{ consul_config_dir }}/certs/tls.crt" CONSUL_CLIENT_KEY: "{{ consul_config_dir }}/certs/tls.key" CONSUL_HTTP_SSL_VERIFY: "false" 
@@ -80,7 +81,7 @@ run_once: true environment: CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" - CONSUL_HTTP_TOKEN: "{{ lookup('env','consul_master_token') }}" + CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" CONSUL_CLIENT_CERT: "{{ consul_config_dir }}/certs/tls.crt" CONSUL_CLIENT_KEY: "{{ consul_config_dir }}/certs/tls.key" CONSUL_HTTP_SSL_VERIFY: "false" From 402b6922fff6b0b98d303f78c1c90f8489cc5d33 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Thu, 5 Mar 2026 19:56:07 +0530 Subject: [PATCH 072/412] Update rbac.yml --- consul-role/tasks/rbac.yml | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/consul-role/tasks/rbac.yml b/consul-role/tasks/rbac.yml index d3e3de9..30d72cf 100644 --- a/consul-role/tasks/rbac.yml +++ b/consul-role/tasks/rbac.yml @@ -1,3 +1,4 @@ + --- # ------------------------- # COPY POLICY FILE @@ -13,6 +14,26 @@ msg: "The token value is: {{ lookup('env','consul_master_token') }}" run_once: true +# ------------------------- +# LOAD THE TOKEN FIRST +# ------------------------- +- name: Load existing bootstrap token from server + ansible.builtin.slurp: + src: "{{ consul_config_dir }}/bootstrap.token" + register: bootstrap_file + run_once: true + +- name: Set token fact for subsequent tasks + ansible.builtin.set_fact: + consul_master_token: "{{ bootstrap_file.content | b64decode | trim }}" + run_once: true + +# Now your debug will actually show something! +- name: Debug Token Presence + ansible.builtin.debug: + msg: "The token value is now loaded: {{ consul_master_token }}" + run_once: true + # ------------------------- # CHECK EXISTING POLICIES # ------------------------- From 57ee4326363ed569d7643c63a7059bf2a42395fb Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Thu, 5 Mar 2026 20:05:08 +0530 Subject: [PATCH 073/412] Update rbac.yml --- consul-role/tasks/rbac.yml | 83 +++++++++++++++++++++----------------- 1 file changed, 47 insertions(+), 36 deletions(-) 
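Review bot: `Set token fact for subsequent tasks` stores the slurped bootstrap token via `set_fact` and the following `Debug Token Presence` task prints it, so the management token is written to the play output in clear again; add `no_log: true` to the `slurp`/`set_fact` pair and replace the debug message with a presence check rather than the value. The `slurp` has no existence guard, so on a host where `{{ consul_config_dir }}/bootstrap.token` does not yet exist the play fails before any bootstrap can run. The first hunk also adds a blank line before `---`, which yamllint will flag. The original `Debug Token Presence` task that still renders `lookup('env', …)` remains a few lines above and is now redundant.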
diff --git a/consul-role/tasks/rbac.yml b/consul-role/tasks/rbac.yml index 30d72cf..5cf0f49 100644 --- a/consul-role/tasks/rbac.yml +++ b/consul-role/tasks/rbac.yml 
@@ -1,42 +1,66 @@ - --- # ------------------------- -# COPY POLICY FILE +# 1. LOAD OR GENERATE TOKEN # ------------------------- -- name: Copy read policy file - ansible.builtin.copy: - src: read-policy.hcl - dest: /tmp/read-policy.hcl - mode: "0644" - -- name: Debug Token Presence - debug: - msg: "The token value is: {{ lookup('env','consul_master_token') }}" +- name: Check if bootstrap token file exists + ansible.builtin.stat: + path: "{{ consul_config_dir }}/bootstrap.token" + register: token_file_stat run_once: true -# ------------------------- -# LOAD THE TOKEN FIRST -# ------------------------- -- name: Load existing bootstrap token from server +- name: Load existing token from file ansible.builtin.slurp: src: "{{ consul_config_dir }}/bootstrap.token" - register: bootstrap_file + register: slurped_token + when: token_file_stat.stat.exists and token_file_stat.stat.size > 0 run_once: true -- name: Set token fact for subsequent tasks +- name: Set token fact from file ansible.builtin.set_fact: - consul_master_token: "{{ bootstrap_file.content | b64decode | trim }}" + consul_master_token: "{{ slurped_token.content | b64decode | trim }}" + when: slurped_token.content is defined + run_once: true + +- name: Bootstrap ACL if token is missing + ansible.builtin.command: consul acl bootstrap + register: bootstrap_output run_once: true + # Only run if the variable is still empty/undefined + when: consul_master_token is not defined or consul_master_token == "" + failed_when: false # Ignore if already bootstrapped previously + +- name: Extract and Save New Token + block: + - name: Parse SecretID from bootstrap + ansible.builtin.set_fact: + consul_master_token: "{{ bootstrap_output.stdout | regex_search('SecretID:\\s+([a-fA-F0-9-]+)', '\\1') }}" + when: bootstrap_output.rc == 0 -# Now your debug will actually show something! 
-- name: Debug Token Presence - ansible.builtin.debug: - msg: "The token value is now loaded: {{ consul_master_token }}" + - name: Save new token to server + ansible.builtin.copy: + content: "{{ consul_master_token }}" + dest: "{{ consul_config_dir }}/bootstrap.token" + owner: "{{ consul_user }}" + mode: "0600" + when: consul_master_token is defined and consul_master_token != "" + when: bootstrap_output.changed + run_once: true + +- name: Verify Token is Loaded + ansible.builtin.fail: + msg: "FATAL: Could not find a valid Consul token in {{ consul_config_dir }}/bootstrap.token and bootstrap failed." + when: consul_master_token is not defined or consul_master_token == "" run_once: true # ------------------------- -# CHECK EXISTING POLICIES +# 2. POLICIES AND ROLES # ------------------------- +- name: Copy read policy file + ansible.builtin.copy: + src: read-policy.hcl + dest: /tmp/read-policy.hcl + mode: "0644" + - name: Check existing policies ansible.builtin.command: consul acl policy list register: policy_list @@ -49,10 +73,6 @@ CONSUL_CLIENT_KEY: "{{ consul_config_dir }}/certs/tls.key" CONSUL_HTTP_SSL_VERIFY: "false" - -# ------------------------- -# CREATE POLICY -# ------------------------- - name: Create read policy ansible.builtin.command: consul acl policy create -name read-policy -rules @/tmp/read-policy.hcl when: "'read-policy' not in policy_list.stdout" @@ -64,9 +84,6 @@ CONSUL_CLIENT_KEY: "{{ consul_config_dir }}/certs/tls.key" CONSUL_HTTP_SSL_VERIFY: "false" -# ------------------------- -# CHECK ROLES -# ------------------------- - name: Check existing roles ansible.builtin.command: consul acl role list register: role_list 
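Review bot: `Parse SecretID from bootstrap` sets `consul_master_token` from `regex_search('SecretID:\\s+([a-fA-F0-9-]+)', '\\1')`, and `regex_search` with a capture-group argument returns a list, so the fact becomes `['<uuid>']`; the `!= ""` guard then passes and `Save new token to server` writes the list repr into `bootstrap.token`, which the next run's `slurp` reads back as a literal. Take the first element (`… | first`) or match without the group argument. The bootstrap task and both `set_fact`s handle the management SecretID with no `no_log: true`, so it is echoed in task results, and `failed_when: false` on `consul acl bootstrap` hides connection and TLS errors as well as the already-bootstrapped case — narrow it by matching Consul's already-bootstrapped message in `bootstrap_output.stderr`. That task also has no `environment:` at all, so unlike the policy tasks below it talks to the CLI default address rather than `https://{{ consul_bind_addr }}:8501`.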
@@ -79,9 +96,6 @@ CONSUL_CLIENT_KEY: "{{ consul_config_dir }}/certs/tls.key" CONSUL_HTTP_SSL_VERIFY: "false" -# ------------------------- -# CREATE ROLE -# ------------------------- - name: Create read role ansible.builtin.command: consul acl role create -name read-role -policy-name read-policy when: "'read-role' not in role_list.stdout" @@ -93,9 +107,6 @@ CONSUL_CLIENT_KEY: "{{ consul_config_dir }}/certs/tls.key" CONSUL_HTTP_SSL_VERIFY: "false" -# ------------------------- -# CREATE APPLICATION TOKEN -# ------------------------- - name: Create application token ansible.builtin.command: consul acl token create -description "App Read Token" -role-name read-role register: app_token From f6b33fbf20bad73cefea8283870cb0bcc7b85af6 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Thu, 5 Mar 2026 20:13:42 +0530 Subject: [PATCH 074/412] Update rbac.yml --- consul-role/tasks/rbac.yml | 54 ++++++++++++++++++++++++-------------- 1 file changed, 34 insertions(+), 20 deletions(-) diff --git a/consul-role/tasks/rbac.yml b/consul-role/tasks/rbac.yml index 5cf0f49..959eade 100644 --- a/consul-role/tasks/rbac.yml +++ b/consul-role/tasks/rbac.yml 
@@ -18,38 +18,52 @@ - name: Set token fact from file ansible.builtin.set_fact: consul_master_token: "{{ slurped_token.content | b64decode | trim }}" - when: slurped_token.content is defined + when: + - token_file_stat.stat.exists + - slurped_token.content is defined run_once: true - name: Bootstrap ACL if token is missing ansible.builtin.command: consul acl bootstrap register: bootstrap_output run_once: true - # Only run if the variable is still empty/undefined - when: consul_master_token is not defined or consul_master_token == "" - failed_when: false # Ignore if already bootstrapped previously + # Only run if we haven't successfully loaded a token yet + when: consul_master_token is not defined or consul_master_token == "" or consul_master_token == "[]" + failed_when: false -- name: Extract and Save New Token - block: - - name: Parse SecretID from bootstrap - ansible.builtin.set_fact: - consul_master_token: "{{ bootstrap_output.stdout | regex_search('SecretID:\\s+([a-fA-F0-9-]+)', '\\1') }}" - when: bootstrap_output.rc == 0 - - - name: Save new token to server - ansible.builtin.copy: - content: "{{ consul_master_token }}" - dest: "{{ consul_config_dir }}/bootstrap.token" - owner: "{{ consul_user }}" - mode: "0600" - when: consul_master_token is defined and consul_master_token != "" +- name: Debug Bootstrap Output (If changed) + ansible.builtin.debug: + var: bootstrap_output.stdout when: bootstrap_output.changed run_once: true +- name: Extract SecretID from bootstrap output + ansible.builtin.set_fact: + # Uses a more precise regex for UUIDs and picks the first match + consul_master_token: "{{ bootstrap_output.stdout | regex_search('SecretID:\\s+([a-fA-F0-9-]+)', '\\1') | first }}" + when: + - bootstrap_output.stdout is defined + - "'SecretID:' in bootstrap_output.stdout" + run_once: true + +- name: Save new token to server + ansible.builtin.copy: + content: "{{ consul_master_token }}" + dest: "{{ consul_config_dir }}/bootstrap.token" + owner: "{{ consul_user }}" + 
group: "{{ consul_group }}" + mode: "0600" + when: + - bootstrap_output.changed + - consul_master_token is defined + - consul_master_token != "" + - consul_master_token != "[]" + run_once: true + - name: Verify Token is Loaded ansible.builtin.fail: - msg: "FATAL: Could not find a valid Consul token in {{ consul_config_dir }}/bootstrap.token and bootstrap failed." - when: consul_master_token is not defined or consul_master_token == "" + msg: "FATAL: Variable 'consul_master_token' is empty. If 'Already bootstrapped' error appeared, check /etc/consul.d/bootstrap.token on the server." + when: consul_master_token is not defined or consul_master_token == "" or consul_master_token == "[]" run_once: true # ------------------------- From ddf0b09a00eac2125b30bd805fec85a6b2129c2f Mon Sep 17 00:00:00 2001 From: anitha Date: Fri, 6 Mar 2026 00:06:34 +0530 Subject: [PATCH 075/412] vars/main.yml modified --- consul-role/vars/main.yml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/consul-role/vars/main.yml b/consul-role/vars/main.yml index 7c5ac5c..de3e72c 100644 --- a/consul-role/vars/main.yml +++ b/consul-role/vars/main.yml @@ -2,3 +2,12 @@ # vars file for consul consul_binary_url: "https://releases.hashicorp.com/consul/{{ consul_version }}/consul_{{ consul_version }}_linux_amd64.zip" consul_zip_path: "/tmp/consul_{{ consul_version }}.zip" + +consul_master_token: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 64363638396462636134353637383865643931373664373034623536366134623235306438356164 + 3665393634643363396437333436363936303835343166650a343639663665373161376433613932 + 62343336303839303038376437393965396165633039636339326363396530636564313630326265 + 3134613636396265300a633636396164363365353066633964306534316163303264623764643532 + 39323234346661383638313135346537613530333537636461343631653639663232373632646665 + 3634393638313962393166316439633230643331383665623634 From adffebcc9930ea739ba9c4d5e0df46d349bffb16 Mon Sep 17 00:00:00 2001 
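Review bot: `Debug Bootstrap Output (If changed)` prints `bootstrap_output.stdout`, the full `consul acl bootstrap` output including the management `SecretID`, to the play log; drop it, or print only whether `'SecretID:' in bootstrap_output.stdout`. With `| first` now applied to `regex_search`, the `consul_master_token == "[]"` comparisons in the bootstrap, save and verify `when:` clauses are dead code and can go. The `fail` message hard-codes `/etc/consul.d/bootstrap.token` while every other task derives the path from `consul_config_dir`; use `{{ consul_config_dir }}/bootstrap.token` so the hint matches the file actually read. `Extract SecretID from bootstrap output` still carries the secret without `no_log: true`.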
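Review bot: Defining `consul_master_token` as a vaulted value in `vars/main.yml` makes it always defined at role-vars precedence, so the `when: consul_master_token is not defined or consul_master_token == ""` guards in `tasks/rbac.yml` will never select the bootstrap path, and because role `vars/` cannot be overridden from inventory every deployment of this role shares this one token unless it is passed with `-e`. A vaulted entry in `defaults/main.yml` or in `group_vars` keeps the override order sane. Vaulting is fine for VCS, but this is the ACL global-management token, so the `debug` tasks elsewhere in the role that print it undo the protection.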
From: AnithaAnnem Date: Fri, 6 Mar 2026 00:14:56 +0530 Subject: [PATCH 076/412] Update rbac.yml --- consul-role/tasks/rbac.yml | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/consul-role/tasks/rbac.yml b/consul-role/tasks/rbac.yml index 959eade..543caea 100644 --- a/consul-role/tasks/rbac.yml +++ b/consul-role/tasks/rbac.yml @@ -2,10 +2,13 @@ # ------------------------- # 1. LOAD OR GENERATE TOKEN # ------------------------- -- name: Check if bootstrap token file exists - ansible.builtin.stat: - path: "{{ consul_config_dir }}/bootstrap.token" - register: token_file_stat + +# Verify Consul master token exists + +- name: Verify Consul master token exists + ansible.builtin.fail: + msg: "consul_master_token is not defined or empty" + when: consul_master_token is not defined or consul_master_token == "" run_once: true - name: Load existing token from file From db8ebb5b7f5101d632d8f0e6876ab756b0e03b0d Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Fri, 6 Mar 2026 00:17:33 +0530 Subject: [PATCH 077/412] Update acl.yml --- consul-role/tasks/acl.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/consul-role/tasks/acl.yml b/consul-role/tasks/acl.yml index 7197a85..7f42e54 100644 --- a/consul-role/tasks/acl.yml +++ b/consul-role/tasks/acl.yml @@ -13,6 +13,9 @@ changed_when: false run_once: true no_log: true + environment: + CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" + CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" - name: Bootstrap ACL (only once) ansible.builtin.command: consul acl bootstrap @@ -21,6 +24,8 @@ when: acl_check.rc != 0 no_log: true failed_when: false + environment: + CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" - name: Extract bootstrap token ansible.builtin.set_fact: @@ -43,4 +48,3 @@ - name: Create ACL tokens ansible.builtin.include_tasks: acl_tokens.yml - From 1bb8a29bf29b8932481b4c09c0a65c2e333ce87e Mon Sep 17 00:00:00 2001 
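Review bot: Removing `Check if bootstrap token file exists` leaves `token_file_stat` undefined, yet `Load existing token from file` (kept as context below) and, from the previous commit, `Set token fact from file` still test `token_file_stat.stat.exists`; the play should now abort on an undefined variable there (those lines are outside this hunk, so please confirm). With the new `fail` up front requiring `consul_master_token` to be non-empty, the slurp/bootstrap chain that follows can only run when the token already came from vars, so either drop that chain or keep the stat task. The added `# Verify Consul master token exists` comment merely repeats the task name on the next line.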
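Review bot: `Bootstrap ACL (only once)` now targets `https://{{ consul_bind_addr }}:8501` but, unlike the tasks in `rbac.yml`, gets no `CONSUL_CACERT`, client certificate or verify setting, so success depends on the system trust store accepting the server certificate; with `failed_when: false` and `no_log: true` both set, a TLS failure here is invisible and the later `Extract bootstrap token` quietly gets nothing. Point `CONSUL_CACERT` at the CA used for 8501 and keep the environment identical between the check and the bootstrap task. The `no_log: true` on these tasks is the right call and is what `rbac.yml` is missing.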
From: AnithaAnnem Date: Fri, 6 Mar 2026 00:18:45 +0530 Subject: [PATCH 078/412] Update acl_policies.yml --- consul-role/tasks/acl_policies.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/consul-role/tasks/acl_policies.yml b/consul-role/tasks/acl_policies.yml index a34aaa0..0cfc97d 100644 --- a/consul-role/tasks/acl_policies.yml +++ b/consul-role/tasks/acl_policies.yml @@ -13,10 +13,13 @@ consul acl policy create -name {{ item }} -rules @/tmp/{{ item }}.hcl - -token {{ consul_master_token }} loop: - agent-policy - service-policy - readonly-policy run_once: true failed_when: false + environment: + CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" + CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" + CONSUL_HTTP_SSL_VERIFY: "false" From 5b5fa87824dbf553bbee1db389089678bd1db33d Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Fri, 6 Mar 2026 00:19:35 +0530 Subject: [PATCH 079/412] Update acl_tokens.yml --- consul-role/tasks/acl_tokens.yml | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/consul-role/tasks/acl_tokens.yml b/consul-role/tasks/acl_tokens.yml index b6157b9..c54ba42 100644 --- a/consul-role/tasks/acl_tokens.yml +++ b/consul-role/tasks/acl_tokens.yml 
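Review bot: Moving the token from the `-token` argument into `CONSUL_HTTP_TOKEN` is a real improvement (it no longer shows in `ps` or in the logged command line), but `failed_when: false` on the loop means a policy whose `.hcl` fails to parse or an authorization error is silently ignored, and the next step then creates tokens bound to a policy that does not exist. Register the result and narrow the condition to the duplicate-name case, e.g. `failed_when: policy_create.rc != 0 and 'already exists' not in policy_create.stderr`, and add `changed_when` so the task is not reported as changed on every run. `CONSUL_HTTP_SSL_VERIFY: "false"` carries the same server-verification concern as in `rbac.yml`.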
@@ -4,27 +4,36 @@ consul acl token create -description "Agent Token" -policy-name agent-policy - -token {{ consul_master_token }} register: agent_token run_once: true failed_when: false + environment: + CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" + CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" + CONSUL_HTTP_SSL_VERIFY: "false" - name: Create service token ansible.builtin.command: > consul acl token create -description "Service Token" -policy-name service-policy - -token {{ consul_master_token }} register: service_token run_once: true failed_when: false + environment: + CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" + CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" + CONSUL_HTTP_SSL_VERIFY: "false" - name: Create readonly token ansible.builtin.command: > consul acl token create -description "Readonly Token" -policy-name readonly-policy - -token {{ consul_master_token }} register: readonly_token run_once: true failed_when: false + environment: + CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" + CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" + CONSUL_HTTP_SSL_VERIFY: "false" From 99cc42c92528234b8b13a19ef3183a048d25c555 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Fri, 6 Mar 2026 00:21:00 +0530 Subject: [PATCH 080/412] Update acl_tokens.yml --- consul-role/tasks/acl_tokens.yml | 91 ++++++++++++++++++++++++-------- 1 file changed, 70 insertions(+), 21 deletions(-) diff --git a/consul-role/tasks/acl_tokens.yml b/consul-role/tasks/acl_tokens.yml index c54ba42..3e4ebad 100644 --- a/consul-role/tasks/acl_tokens.yml +++ b/consul-role/tasks/acl_tokens.yml 
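Review bot: Each of the three `consul acl token create` tasks registers stdout — which contains the new token's `SecretID` — without `no_log: true`, so the agent, service and readonly tokens are all written to the play output; add `no_log: true` to each. `failed_when: false` also means that when creation fails `agent_token.stdout` is empty and downstream consumers get no signal. Nothing checks for an existing token with the same description, so every run mints three new tokens; an existence check via `consul acl token list -format=json` plus `changed_when` would make this idempotent.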
@@ -1,39 +1,88 @@ --- -- name: Create agent token + +* name: Create agent token ansible.builtin.command: > - consul acl token create - -description "Agent Token" - -policy-name agent-policy + consul acl token create + -description "Agent Token" + -policy-name agent-policy register: agent_token run_once: true failed_when: false environment: - CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" - CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" - CONSUL_HTTP_SSL_VERIFY: "false" + CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" + CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" + CONSUL_HTTP_SSL_VERIFY: "false" + +* name: Extract agent token + ansible.builtin.set_fact: + consul_agent_token_generated: "{{ agent_token.stdout | regex_search('SecretID:\s+(\S+)', '\1') }}" + when: agent_token.stdout is defined + run_once: true -- name: Create service token +* name: Save agent token + ansible.builtin.copy: + content: "{{ consul_agent_token_generated }}" + dest: "{{ consul_config_dir }}/agent.token" + owner: "{{ consul_user }}" + group: "{{ consul_group }}" + mode: "0600" + when: consul_agent_token_generated is defined + run_once: true + +* name: Create service token ansible.builtin.command: > - consul acl token create - -description "Service Token" - -policy-name service-policy + consul acl token create + -description "Service Token" + -policy-name service-policy register: service_token run_once: true failed_when: false environment: - CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" - CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" - CONSUL_HTTP_SSL_VERIFY: "false" + CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" + CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" + CONSUL_HTTP_SSL_VERIFY: "false" + +* name: Extract service token + ansible.builtin.set_fact: + consul_service_token_generated: "{{ service_token.stdout | regex_search('SecretID:\s+(\S+)', '\1') }}" + when: service_token.stdout is defined + run_once: true -- name: Create readonly token +* 
name: Save service token + ansible.builtin.copy: + content: "{{ consul_service_token_generated }}" + dest: "{{ consul_config_dir }}/service.token" + owner: "{{ consul_user }}" + group: "{{ consul_group }}" + mode: "0600" + when: consul_service_token_generated is defined + run_once: true + +* name: Create readonly token ansible.builtin.command: > - consul acl token create - -description "Readonly Token" - -policy-name readonly-policy + consul acl token create + -description "Readonly Token" + -policy-name readonly-policy register: readonly_token run_once: true failed_when: false environment: - CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" - CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" - CONSUL_HTTP_SSL_VERIFY: "false" + CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" + CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" + CONSUL_HTTP_SSL_VERIFY: "false" + +* name: Extract readonly token + ansible.builtin.set_fact: + consul_readonly_token_generated: "{{ readonly_token.stdout | regex_search('SecretID:\s+(\S+)', '\1') }}" + when: readonly_token.stdout is defined + run_once: true + +* name: Save readonly token + ansible.builtin.copy: + content: "{{ consul_readonly_token_generated }}" + dest: "{{ consul_config_dir }}/readonly.token" + owner: "{{ consul_user }}" + group: "{{ consul_group }}" + mode: "0600" + when: consul_readonly_token_generated is defined + run_once: true From 8088eac1e230ea382bfb25d68aefdb74841a713c Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Fri, 6 Mar 2026 00:29:37 +0530 Subject: [PATCH 081/412] Update acl_tokens.yml --- consul-role/tasks/acl_tokens.yml | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/consul-role/tasks/acl_tokens.yml b/consul-role/tasks/acl_tokens.yml index 3e4ebad..bd59cc1 100644 --- a/consul-role/tasks/acl_tokens.yml +++ b/consul-role/tasks/acl_tokens.yml 
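Review bot: The file as committed is not loadable: every task now starts with `* name:` instead of `- name:`, and `*` is YAML's alias indicator, and inside the double-quoted `regex_search('SecretID:\s+(\S+)', '\1')` strings `\s`, `\S` and `\1` are not valid YAML escapes (the earlier `rbac.yml` writes `\\s`). Beyond syntax, `regex_search` with the `'\1'` group argument returns a list, so `content: "{{ consul_agent_token_generated }}"` would write `['<uuid>']` into `agent.token`; append `| first`, as was done for `consul_master_token` earlier in the series. The `set_fact` and `copy` tasks carry the secrets without `no_log: true`, though saving with `mode: "0600"` under `consul_user`/`consul_group` is right.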
@@ -1,6 +1,6 @@ --- -* name: Create agent token +- name: Create agent token ansible.builtin.command: > consul acl token create -description "Agent Token" @@ -13,13 +13,13 @@ CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" CONSUL_HTTP_SSL_VERIFY: "false" -* name: Extract agent token +- name: Extract agent token ansible.builtin.set_fact: consul_agent_token_generated: "{{ agent_token.stdout | regex_search('SecretID:\s+(\S+)', '\1') }}" when: agent_token.stdout is defined run_once: true -* name: Save agent token +- name: Save agent token ansible.builtin.copy: content: "{{ consul_agent_token_generated }}" dest: "{{ consul_config_dir }}/agent.token" @@ -29,7 +29,7 @@ when: consul_agent_token_generated is defined run_once: true -* name: Create service token +- name: Create service token ansible.builtin.command: > consul acl token create -description "Service Token" @@ -42,13 +42,13 @@ CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" CONSUL_HTTP_SSL_VERIFY: "false" -* name: Extract service token +- name: Extract service token ansible.builtin.set_fact: consul_service_token_generated: "{{ service_token.stdout | regex_search('SecretID:\s+(\S+)', '\1') }}" when: service_token.stdout is defined run_once: true -* name: Save service token +- name: Save service token ansible.builtin.copy: content: "{{ consul_service_token_generated }}" dest: "{{ consul_config_dir }}/service.token" @@ -58,7 +58,7 @@ when: consul_service_token_generated is defined run_once: true -* name: Create readonly token +- name: Create readonly token ansible.builtin.command: > consul acl token create -description "Readonly Token" 
@@ -71,13 +71,13 @@ CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" CONSUL_HTTP_SSL_VERIFY: "false" -* name: Extract readonly token +- name: Extract readonly token ansible.builtin.set_fact: consul_readonly_token_generated: "{{ readonly_token.stdout | regex_search('SecretID:\s+(\S+)', '\1') }}" when: readonly_token.stdout is defined run_once: true -* name: Save readonly token +- name: Save readonly token ansible.builtin.copy: content: "{{ consul_readonly_token_generated }}" dest: "{{ consul_config_dir }}/readonly.token" From c87576aea9c1a62a5fd1d9dc07a501541b5d9b60 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Fri, 6 Mar 2026 00:33:10 +0530 Subject: [PATCH 082/412] Update acl_tokens.yml --- consul-role/tasks/acl_tokens.yml | 74 ++++++++++++++++---------------- 1 file changed, 38 insertions(+), 36 deletions(-) diff --git a/consul-role/tasks/acl_tokens.yml b/consul-role/tasks/acl_tokens.yml index bd59cc1..52ff946 100644 --- a/consul-role/tasks/acl_tokens.yml +++ b/consul-role/tasks/acl_tokens.yml 
@@ -2,87 +2,89 @@ - name: Create agent token ansible.builtin.command: > - consul acl token create - -description "Agent Token" - -policy-name agent-policy + consul acl token create + -description "Agent Token" + -policy-name agent-policy register: agent_token run_once: true failed_when: false environment: - CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" - CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" - CONSUL_HTTP_SSL_VERIFY: "false" + CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" + CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" + CONSUL_HTTP_SSL_VERIFY: "false" - name: Extract agent token ansible.builtin.set_fact: - consul_agent_token_generated: "{{ agent_token.stdout | regex_search('SecretID:\s+(\S+)', '\1') }}" + consul_agent_token_generated: "{{ agent_token.stdout | regex_search('SecretID:\\s+(\\S+)', '\\1') }}" when: agent_token.stdout is defined run_once: true - name: Save agent token ansible.builtin.copy: - content: "{{ consul_agent_token_generated }}" - dest: "{{ consul_config_dir }}/agent.token" - owner: "{{ consul_user }}" - group: "{{ consul_group }}" - mode: "0600" + content: "{{ consul_agent_token_generated }}" + dest: "{{ consul_config_dir }}/agent.token" + owner: "{{ consul_user }}" + group: "{{ consul_group }}" + mode: "0600" when: consul_agent_token_generated is defined run_once: true + - name: Create service token ansible.builtin.command: > - consul acl token create - -description "Service Token" - -policy-name service-policy + consul acl token create + -description "Service Token" + -policy-name service-policy register: service_token run_once: true failed_when: false environment: - CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" - CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" - CONSUL_HTTP_SSL_VERIFY: "false" + CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" + CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" + CONSUL_HTTP_SSL_VERIFY: "false" - name: Extract service token ansible.builtin.set_fact: - 
consul_service_token_generated: "{{ service_token.stdout | regex_search('SecretID:\s+(\S+)', '\1') }}" + consul_service_token_generated: "{{ service_token.stdout | regex_search('SecretID:\\s+(\\S+)', '\\1') }}" when: service_token.stdout is defined run_once: true - name: Save service token ansible.builtin.copy: - content: "{{ consul_service_token_generated }}" - dest: "{{ consul_config_dir }}/service.token" - owner: "{{ consul_user }}" - group: "{{ consul_group }}" - mode: "0600" + content: "{{ consul_service_token_generated }}" + dest: "{{ consul_config_dir }}/service.token" + owner: "{{ consul_user }}" + group: "{{ consul_group }}" + mode: "0600" when: consul_service_token_generated is defined run_once: true + - name: Create readonly token ansible.builtin.command: > - consul acl token create - -description "Readonly Token" - -policy-name readonly-policy + consul acl token create + -description "Readonly Token" + -policy-name readonly-policy register: readonly_token run_once: true failed_when: false environment: - CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" - CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" - CONSUL_HTTP_SSL_VERIFY: "false" + CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" + CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" + CONSUL_HTTP_SSL_VERIFY: "false" - name: Extract readonly token ansible.builtin.set_fact: - consul_readonly_token_generated: "{{ readonly_token.stdout | regex_search('SecretID:\s+(\S+)', '\1') }}" + consul_readonly_token_generated: "{{ readonly_token.stdout | regex_search('SecretID:\\s+(\\S+)', '\\1') }}" when: readonly_token.stdout is defined run_once: true - name: Save readonly token ansible.builtin.copy: - content: "{{ consul_readonly_token_generated }}" - dest: "{{ consul_config_dir }}/readonly.token" - owner: "{{ consul_user }}" - group: "{{ consul_group }}" - mode: "0600" + content: "{{ consul_readonly_token_generated }}" + dest: "{{ consul_config_dir }}/readonly.token" + owner: "{{ consul_user }}" + 
group: "{{ consul_group }}" + mode: "0600" when: consul_readonly_token_generated is defined run_once: true From 94ae3f19b9fba84c583417eec868bd61e72c6b3d Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Fri, 6 Mar 2026 10:59:56 +0530 Subject: [PATCH 083/412] Update acl.yml --- consul-role/tasks/acl.yml | 59 ++++++++++++++++++++++++++++----------- 1 file changed, 42 insertions(+), 17 deletions(-) diff --git a/consul-role/tasks/acl.yml b/consul-role/tasks/acl.yml index 7f42e54..e5b61bb 100644 --- a/consul-role/tasks/acl.yml +++ b/consul-role/tasks/acl.yml 
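Review bot: Every `consul acl token create` task here registers stdout that contains the new token's SecretID, and none of the create, extract or save tasks carries `no_log: true`, so the agent, service and readonly tokens are written into the Ansible output and any callback or CI log that captures it; add `no_log: true` to all nine tasks. The same tasks send `consul_master_token` with `CONSUL_HTTP_SSL_VERIFY: "false"`, which lets a spoofed 8501 endpoint collect the management token — prefer `CONSUL_CACERT: "{{ consul_config_dir }}/certs/ca.crt"` (path to be confirmed against the role's cert layout) and drop the verify override. `failed_when: false` on the create tasks also hides a failed call, after which `regex_search` on the error text yields an empty value that the save task writes to disk; let the create fail, or assert the SecretID is non-empty before saving.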
@@ -6,43 +6,68 @@ delay: 5 timeout: 60 -- name: Check if ACL bootstrap already done - ansible.builtin.command: consul acl policy list - register: acl_check - failed_when: false - changed_when: false +# 1. First, check if we already have a saved token on the server +- name: Check for existing bootstrap token file + ansible.builtin.stat: + path: "{{ consul_config_dir }}/bootstrap.token" + register: token_file_on_disk + run_once: true + +# 2. If the file exists, LOAD IT into the variable +- name: Load existing token from disk + ansible.builtin.slurp: + src: "{{ consul_config_dir }}/bootstrap.token" + register: slurped_token + when: token_file_on_disk.stat.exists run_once: true - no_log: true - environment: - CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" - CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" -- name: Bootstrap ACL (only once) +- name: Set master token from file + ansible.builtin.set_fact: + consul_master_token: "{{ slurped_token.content | b64decode | trim }}" + when: token_file_on_disk.stat.exists + run_once: true + +# 3. ONLY if the variable is still empty, try to Bootstrap +- name: Bootstrap ACL (only if no token found yet) ansible.builtin.command: consul acl bootstrap register: consul_bootstrap run_once: true - when: acl_check.rc != 0 + when: consul_master_token is not defined or consul_master_token == "" + failed_when: false no_log: true - failed_when: false environment: CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" -- name: Extract bootstrap token +# 4. 
Extract and Save the token if we just bootstrapped +- name: Extract new bootstrap token ansible.builtin.set_fact: - consul_master_token: "{{ consul_bootstrap.stdout | regex_search('SecretID:\\s+(\\S+)', '\\1') }}" - when: consul_bootstrap.stdout is defined + consul_master_token: "{{ consul_bootstrap.stdout | regex_search('SecretID:\\s+([a-fA-F0-9-]+)', '\\1') | first }}" + when: + - consul_bootstrap.stdout is defined + - "'SecretID:' in consul_bootstrap.stdout" run_once: true -- name: Save bootstrap token +- name: Save new bootstrap token to file ansible.builtin.copy: content: "{{ consul_master_token }}" dest: "{{ consul_config_dir }}/bootstrap.token" owner: "{{ consul_user }}" group: "{{ consul_group }}" mode: "0600" - when: consul_master_token is defined + when: + - consul_bootstrap.changed + - consul_master_token is defined run_once: true +# 5. Final Safety Check +- name: Verify Consul master token exists + ansible.builtin.assert: + that: + - consul_master_token is defined + - consul_master_token != "" + msg: "FATAL: consul_master_token is empty. Check if /etc/consul.d/bootstrap.token exists on the server." + +# 6. Proceed with policies - name: Create ACL policies ansible.builtin.include_tasks: acl_policies.yml From 980f9d330fdf948d367377207ab946f1414582da Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Fri, 6 Mar 2026 11:00:44 +0530 Subject: [PATCH 084/412] Update acl_policies.yml --- consul-role/tasks/acl_policies.yml | 25 +++++++++++++++++-------- 1 file changed, 17 insertions(+), 8 deletions(-) diff --git a/consul-role/tasks/acl_policies.yml b/consul-role/tasks/acl_policies.yml index 0cfc97d..e00366b 100644 --- a/consul-role/tasks/acl_policies.yml +++ b/consul-role/tasks/acl_policies.yml 
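Review bot: The tasks that read the global-management token back from disk ("Load existing token from disk", "Set master token from file") and the ones that extract and save a fresh one are not marked `no_log: true`, so the slurped content and the set_fact value appear in `-v` output and in callback logs, even though the bootstrap command itself is hidden; add `no_log: true` to each of those four tasks. Combining `no_log: true` with `failed_when: false` on "Bootstrap ACL" also makes a refused bootstrap or a TLS/connection error invisible, and the only signal is the later assert. That assert's message hard-codes `/etc/consul.d/bootstrap.token` while the file is written under `{{ consul_config_dir }}`; use `msg: "FATAL: consul_master_token is empty; check {{ consul_config_dir }}/bootstrap.token on the first server"` so the hint stays correct when the directory is overridden.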
@@ -3,23 +3,32 @@ ansible.builtin.template: src: "policies/{{ item }}.hcl.j2" dest: "/tmp/{{ item }}.hcl" + mode: "0644" loop: - agent-policy - service-policy - readonly-policy +- name: List existing policies + ansible.builtin.command: consul acl policy list + register: existing_policies + run_once: true + changed_when: false + environment: &consul_env + CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" + CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" + CONSUL_HTTP_SSL_VERIFY: "false" + # Add these if your Consul uses TLS certificates: + CONSUL_CLIENT_CERT: "{{ consul_config_dir }}/certs/tls.crt" + CONSUL_CLIENT_KEY: "{{ consul_config_dir }}/certs/tls.key" + - name: Create Consul policies ansible.builtin.command: > - consul acl policy create - -name {{ item }} - -rules @/tmp/{{ item }}.hcl + consul acl policy create -name {{ item }} -rules @/tmp/{{ item }}.hcl loop: - agent-policy - service-policy - readonly-policy + when: item not in existing_policies.stdout run_once: true - failed_when: false - environment: - CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" - CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" - CONSUL_HTTP_SSL_VERIFY: "false" + environment: *consul_env From e097d0d31aa01268dc6d1a5884fb0cfd0b8655da Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Fri, 6 Mar 2026 11:02:40 +0530 Subject: [PATCH 085/412] Update acl_tokens.yml --- consul-role/tasks/acl_tokens.yml | 52 +++++++++++++++----------------- 1 file changed, 25 insertions(+), 27 deletions(-) diff --git a/consul-role/tasks/acl_tokens.yml b/consul-role/tasks/acl_tokens.yml index 52ff946..3b58e64 100644 --- a/consul-role/tasks/acl_tokens.yml +++ b/consul-role/tasks/acl_tokens.yml 
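Review bot: The policy rules are rendered to predictable, world-readable paths (`dest: "/tmp/{{ item }}.hcl"` with the new `mode: "0644"`) and then read back by `consul acl policy create -rules @/tmp/{{ item }}.hcl` in a separate task, so on a shared host another local account can swap the file between the two steps and have its own rules installed under the management token; render them under a directory only root/consul can write, e.g. `dest: "{{ consul_config_dir }}/policies/{{ item }}.hcl"` with `mode: "0600"`, or create a private dir with `ansible.builtin.tempfile`. The idempotency guard `when: item not in existing_policies.stdout` is a substring match on human-readable output, so a policy named e.g. `agent-policy-old` would suppress creation of `agent-policy`; compare against names from `consul acl policy list -format=json` instead. Presenting a client certificate while also setting `CONSUL_HTTP_SSL_VERIFY: "false"` is contradictory — mutual TLS adds nothing if the server is not verified.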
@@ -1,34 +1,32 @@ --- -- name: Create agent token - ansible.builtin.command: > - consul acl token create - -description "Agent Token" - -policy-name agent-policy - register: agent_token - run_once: true - failed_when: false - environment: - CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" - CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" - CONSUL_HTTP_SSL_VERIFY: "false" +- name: Create Consul Tokens + block: + - name: Check if agent token exists on disk + ansible.builtin.stat: + path: "{{ consul_config_dir }}/agent.token" + register: agent_token_stat -- name: Extract agent token - ansible.builtin.set_fact: - consul_agent_token_generated: "{{ agent_token.stdout | regex_search('SecretID:\\s+(\\S+)', '\\1') }}" - when: agent_token.stdout is defined - run_once: true - -- name: Save agent token - ansible.builtin.copy: - content: "{{ consul_agent_token_generated }}" - dest: "{{ consul_config_dir }}/agent.token" - owner: "{{ consul_user }}" - group: "{{ consul_group }}" - mode: "0600" - when: consul_agent_token_generated is defined - run_once: true + - name: Create agent token + ansible.builtin.command: > + consul acl token create -description "Agent Token" -policy-name agent-policy + register: agent_token_output + when: not agent_token_stat.stat.exists + run_once: true + environment: *consul_env + - name: Save agent token + ansible.builtin.copy: + # Use regex_search and | first for clean extraction + content: "{{ agent_token_output.stdout | regex_search('SecretID:\\s+([a-fA-F0-9-]+)', '\\1') | first }}" + dest: "{{ consul_config_dir }}/agent.token" + owner: "{{ consul_user }}" + group: "{{ consul_group }}" + mode: "0600" + when: + - not agent_token_stat.stat.exists + - agent_token_output.stdout is defined + run_once: true - name: Create service token ansible.builtin.command: > From d52a9fc5f335f4b6a04954917164d5aff3ab31a4 Mon Sep 17 00:00:00 2001 
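Review bot: `environment: *consul_env` on "Create agent token" references an anchor that is not defined anywhere in this file — the `&consul_env` anchor lives in acl_policies.yml, and YAML aliases do not cross files, so acl_tokens.yml will fail to parse; define the anchor on the first task in this file or inline the three variables. The registered `agent_token_output.stdout` carries the SecretID and neither the create task nor "Save agent token" has `no_log: true`, so the secret is echoed in the play output and in `--diff` mode via the copy `content:`; add `no_log: true` to both. The `stat` task runs on every host but the `run_once` create only consults the first host's result, which is fine for servers but worth a comment such as `# token is created and saved on the first play host only`.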
From: AnithaAnnem Date: Fri, 6 Mar 2026 11:39:49 +0530 Subject: [PATCH 086/412] Update acl.yml --- consul-role/tasks/acl.yml | 66 +++++++++++++++++++-------------------- 1 file changed, 32 insertions(+), 34 deletions(-) diff --git a/consul-role/tasks/acl.yml b/consul-role/tasks/acl.yml index e5b61bb..56609d2 100644 --- a/consul-role/tasks/acl.yml +++ b/consul-role/tasks/acl.yml 
@@ -6,70 +6,68 @@ delay: 5 timeout: 60 -# 1. First, check if we already have a saved token on the server +# A. Check if the file already exists on the first node - name: Check for existing bootstrap token file ansible.builtin.stat: path: "{{ consul_config_dir }}/bootstrap.token" register: token_file_on_disk - run_once: true -# 2. If the file exists, LOAD IT into the variable +# B. Load it if it's there - name: Load existing token from disk ansible.builtin.slurp: src: "{{ consul_config_dir }}/bootstrap.token" register: slurped_token - when: token_file_on_disk.stat.exists - run_once: true + become: true + when: token_file_on_disk.stat.exists and token_file_on_disk.stat.size > 0 -- name: Set master token from file +- name: Set master token fact from file ansible.builtin.set_fact: consul_master_token: "{{ slurped_token.content | b64decode | trim }}" - when: token_file_on_disk.stat.exists - run_once: true + when: + - token_file_on_disk.stat.exists + - slurped_token.content is defined -# 3. ONLY if the variable is still empty, try to Bootstrap -- name: Bootstrap ACL (only if no token found yet) - ansible.builtin.command: consul acl bootstrap +# C. Bootstrap ONLY if we still don't have a token +- name: Bootstrap ACL + ansible.builtin.command: consul acl bootstrap -format=json register: consul_bootstrap run_once: true when: consul_master_token is not defined or consul_master_token == "" - failed_when: false - no_log: true + failed_when: false environment: CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" + CONSUL_HTTP_SSL_VERIFY: "false" -# 4. 
Extract and Save the token if we just bootstrapped -- name: Extract new bootstrap token +- name: Extract new token from bootstrap output ansible.builtin.set_fact: - consul_master_token: "{{ consul_bootstrap.stdout | regex_search('SecretID:\\s+([a-fA-F0-9-]+)', '\\1') | first }}" + consul_master_token: "{{ (consul_bootstrap.stdout | from_json).SecretID }}" when: - - consul_bootstrap.stdout is defined - - "'SecretID:' in consul_bootstrap.stdout" + - consul_bootstrap.changed + - consul_bootstrap.stdout | length > 0 + - "'SecretID' in consul_bootstrap.stdout" run_once: true -- name: Save new bootstrap token to file +# D. Share this token with all other hosts (.35 and .138) +- name: Propagate token to all hosts in the play + ansible.builtin.set_fact: + consul_master_token: "{{ hostvars[ansible_play_hosts[0]]['consul_master_token'] }}" + # Only set it if the current host doesn't have it yet + when: consul_master_token is not defined or consul_master_token == "" + +# E. Save it to the disk of ALL nodes +- name: Save bootstrap token to file ansible.builtin.copy: content: "{{ consul_master_token }}" dest: "{{ consul_config_dir }}/bootstrap.token" owner: "{{ consul_user }}" group: "{{ consul_group }}" mode: "0600" - when: - - consul_bootstrap.changed - - consul_master_token is defined - run_once: true - -# 5. Final Safety Check -- name: Verify Consul master token exists - ansible.builtin.assert: - that: - - consul_master_token is defined - - consul_master_token != "" - msg: "FATAL: consul_master_token is empty. Check if /etc/consul.d/bootstrap.token exists on the server." + become: true + when: consul_master_token is defined and consul_master_token != "" -# 6. Proceed with policies -- name: Create ACL policies +# F. Proceed to the next steps +- name: Include ACL policies ansible.builtin.include_tasks: acl_policies.yml -- name: Create ACL tokens +- name: Include ACL tokens ansible.builtin.include_tasks: acl_tokens.yml 
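Review bot: Dropping `no_log: true` from "Bootstrap ACL" while switching to `-format=json` means the global-management SecretID is now printed verbatim in the play output and in any log that captures it; restore `no_log: true` on the bootstrap task and put it on "Extract new token from bootstrap output", "Propagate token to all hosts in the play" and "Save bootstrap token to file" as well. Removing the "Verify Consul master token exists" assert while keeping `failed_when: false` means a refused bootstrap leaves `consul_master_token` undefined and the included policy/token tasks run with an empty `CONSUL_HTTP_TOKEN`, failing on unrelated permission errors; keep an `ansible.builtin.assert` before the two includes. Step E also writes the management token to the disk of every host in the play, which is more than a server-only secret needs if client agents are in the same play — consider restricting it to `consul_server` hosts (hedged; the inventory is not visible here). The added `CONSUL_HTTP_SSL_VERIFY: "false"` has the same downside as elsewhere in the role: the bootstrap call has no token to leak, but the reply it trusts is unverified.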
From f8547f69a9307a7a9a3cee0d3c0b06b1ca41cee9 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Fri, 6 Mar 2026 11:49:42 +0530 Subject: [PATCH 087/412] Update acl_tokens.yml --- consul-role/tasks/acl_tokens.yml | 94 ++++++++++++-------------------- 1 file changed, 34 insertions(+), 60 deletions(-) diff --git a/consul-role/tasks/acl_tokens.yml b/consul-role/tasks/acl_tokens.yml index 3b58e64..f85e180 100644 --- a/consul-role/tasks/acl_tokens.yml +++ b/consul-role/tasks/acl_tokens.yml @@ -1,6 +1,5 @@ --- - -- name: Create Consul Tokens +- name: Create Agent Token block: - name: Check if agent token exists on disk ansible.builtin.stat: @@ -13,11 +12,13 @@ register: agent_token_output when: not agent_token_stat.stat.exists run_once: true - environment: *consul_env + environment: + CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" + CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" + CONSUL_HTTP_SSL_VERIFY: "false" - name: Save agent token ansible.builtin.copy: - # Use regex_search and | first for clean extraction content: "{{ agent_token_output.stdout | regex_search('SecretID:\\s+([a-fA-F0-9-]+)', '\\1') | first }}" dest: "{{ consul_config_dir }}/agent.token" owner: "{{ consul_user }}" 
@@ -26,63 +27,36 @@ when: - not agent_token_stat.stat.exists - agent_token_output.stdout is defined + - "'SecretID' in agent_token_output.stdout" run_once: true -- name: Create service token - ansible.builtin.command: > - consul acl token create - -description "Service Token" - -policy-name service-policy - register: service_token - run_once: true - failed_when: false - environment: - CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" - CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" - CONSUL_HTTP_SSL_VERIFY: "false" - -- name: Extract service token - ansible.builtin.set_fact: - consul_service_token_generated: "{{ service_token.stdout | regex_search('SecretID:\\s+(\\S+)', '\\1') }}" - when: service_token.stdout is defined - run_once: true - -- name: Save service token - ansible.builtin.copy: - content: "{{ consul_service_token_generated }}" - dest: "{{ consul_config_dir }}/service.token" - owner: "{{ consul_user }}" - group: "{{ consul_group }}" - mode: "0600" - when: consul_service_token_generated is defined - run_once: true - - -- name: Create readonly token - ansible.builtin.command: > - consul acl token create - -description "Readonly Token" - -policy-name readonly-policy - register: readonly_token - run_once: true - failed_when: false - environment: - CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" - CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" - CONSUL_HTTP_SSL_VERIFY: "false" +- name: Create Service Token + block: + - name: Check if service token exists on disk + ansible.builtin.stat: + path: "{{ consul_config_dir }}/service.token" + register: service_token_stat -- name: Extract readonly token - ansible.builtin.set_fact: - consul_readonly_token_generated: "{{ readonly_token.stdout | regex_search('SecretID:\\s+(\\S+)', '\\1') }}" - when: readonly_token.stdout is defined - run_once: true + - name: Create service token + ansible.builtin.command: > + consul acl token create -description "Service Token" -policy-name service-policy + register: 
service_token_output + when: not service_token_stat.stat.exists + run_once: true + environment: + CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" + CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" + CONSUL_HTTP_SSL_VERIFY: "false" -- name: Save readonly token - ansible.builtin.copy: - content: "{{ consul_readonly_token_generated }}" - dest: "{{ consul_config_dir }}/readonly.token" - owner: "{{ consul_user }}" - group: "{{ consul_group }}" - mode: "0600" - when: consul_readonly_token_generated is defined - run_once: true + - name: Save service token + ansible.builtin.copy: + content: "{{ service_token_output.stdout | regex_search('SecretID:\\s+([a-fA-F0-9-]+)', '\\1') | first }}" + dest: "{{ consul_config_dir }}/service.token" + owner: "{{ consul_user }}" + group: "{{ consul_group }}" + mode: "0600" + when: + - not service_token_stat.stat.exists + - service_token_output.stdout is defined + - "'SecretID' in service_token_output.stdout" + run_once: true From dbe599c0015f4c5d3624ab747dbd1ada742996d2 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Fri, 6 Mar 2026 11:51:10 +0530 Subject: [PATCH 088/412] Update acl_tokens.yml From 4887b11467493d936dda84623f0a57a9d808787c Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Fri, 6 Mar 2026 11:56:14 +0530 Subject: [PATCH 089/412] Update rbac.yml --- consul-role/tasks/rbac.yml | 72 ++------------------------------------ 1 file changed, 2 insertions(+), 70 deletions(-) diff --git a/consul-role/tasks/rbac.yml b/consul-role/tasks/rbac.yml index 543caea..b8c9a1d 100644 --- a/consul-role/tasks/rbac.yml +++ b/consul-role/tasks/rbac.yml 
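Review bot: The "Create readonly token" / "Save readonly token" tasks are deleted without a replacement, yet acl_policies.yml still creates `readonly-policy`; if dropping the token is intentional, note it with a comment like `# readonly-policy is created but no token is issued for it here` so a later reader does not assume it was lost in the rewrite. The new "Create service token" block has the same exposure as the agent block: `service_token_output.stdout` contains the SecretID and neither the create nor the save task sets `no_log: true`. The block's `stat` task is not `run_once` while the create and save tasks are, so only the first host's `service_token_stat` decides whether a token is created and only that host receives `service.token`; if other hosts need the file this is a gap, otherwise a short comment would make the single-host behaviour explicit.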
@@ -1,77 +1,9 @@ --- # ------------------------- -# 1. LOAD OR GENERATE TOKEN +# POLICIES AND ROLES ONLY +# (Bootstrap logic removed because it is handled in acl.yml) # ------------------------- -# Verify Consul master token exists - -- name: Verify Consul master token exists - ansible.builtin.fail: - msg: "consul_master_token is not defined or empty" - when: consul_master_token is not defined or consul_master_token == "" - run_once: true - -- name: Load existing token from file - ansible.builtin.slurp: - src: "{{ consul_config_dir }}/bootstrap.token" - register: slurped_token - when: token_file_stat.stat.exists and token_file_stat.stat.size > 0 - run_once: true - -- name: Set token fact from file - ansible.builtin.set_fact: - consul_master_token: "{{ slurped_token.content | b64decode | trim }}" - when: - - token_file_stat.stat.exists - - slurped_token.content is defined - run_once: true - -- name: Bootstrap ACL if token is missing - ansible.builtin.command: consul acl bootstrap - register: bootstrap_output - run_once: true - # Only run if we haven't successfully loaded a token yet - when: consul_master_token is not defined or consul_master_token == "" or consul_master_token == "[]" - failed_when: false - -- name: Debug Bootstrap Output (If changed) - ansible.builtin.debug: - var: bootstrap_output.stdout - when: bootstrap_output.changed - run_once: true - -- name: Extract SecretID from bootstrap output - ansible.builtin.set_fact: - # Uses a more precise regex for UUIDs and picks the first match - consul_master_token: "{{ bootstrap_output.stdout | regex_search('SecretID:\\s+([a-fA-F0-9-]+)', '\\1') | first }}" - when: - - bootstrap_output.stdout is defined - - "'SecretID:' in bootstrap_output.stdout" - run_once: true - -- name: Save new token to server - ansible.builtin.copy: - content: "{{ consul_master_token }}" - dest: "{{ consul_config_dir }}/bootstrap.token" - owner: "{{ consul_user }}" - group: "{{ consul_group }}" - mode: "0600" - when: - - 
bootstrap_output.changed - - consul_master_token is defined - - consul_master_token != "" - - consul_master_token != "[]" - run_once: true - -- name: Verify Token is Loaded - ansible.builtin.fail: - msg: "FATAL: Variable 'consul_master_token' is empty. If 'Already bootstrapped' error appeared, check /etc/consul.d/bootstrap.token on the server." - when: consul_master_token is not defined or consul_master_token == "" or consul_master_token == "[]" - run_once: true - -# ------------------------- -# 2. POLICIES AND ROLES -# ------------------------- - name: Copy read policy file ansible.builtin.copy: src: read-policy.hcl From a420545ab9cb4afdff2502fc5168258c46c7e370 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Fri, 6 Mar 2026 12:29:51 +0530 Subject: [PATCH 090/412] Update acl_policies.yml --- consul-role/tasks/acl_policies.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/consul-role/tasks/acl_policies.yml b/consul-role/tasks/acl_policies.yml index e00366b..71c5638 100644 --- a/consul-role/tasks/acl_policies.yml +++ b/consul-role/tasks/acl_policies.yml @@ -18,7 +18,6 @@ CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" CONSUL_HTTP_SSL_VERIFY: "false" - # Add these if your Consul uses TLS certificates: CONSUL_CLIENT_CERT: "{{ consul_config_dir }}/certs/tls.crt" CONSUL_CLIENT_KEY: "{{ consul_config_dir }}/certs/tls.key" From 2993b089f0d7df7671014053f0604705968d27bc Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Fri, 6 Mar 2026 12:30:45 +0530 Subject: [PATCH 091/412] Update rbac.yml --- consul-role/tasks/rbac.yml | 44 ++++++++++++-------------------------- 1 file changed, 14 insertions(+), 30 deletions(-) diff --git a/consul-role/tasks/rbac.yml b/consul-role/tasks/rbac.yml index b8c9a1d..400c56b 100644 --- a/consul-role/tasks/rbac.yml +++ b/consul-role/tasks/rbac.yml 
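Review bot: With the "Verify Consul master token exists" and "Verify Token is Loaded" tasks removed, rbac.yml no longer checks that `consul_master_token` is set before it calls `consul acl policy list` with it; because acl.yml bootstraps with `failed_when: false`, an undefined or empty token reaches Consul as an empty `CONSUL_HTTP_TOKEN` and the substring checks later in this file evaluate against an error message instead of a policy list. Keep a single guard at the top of the file, e.g. `- ansible.builtin.assert:` / `    that: consul_master_token | default('') | length > 0` / `    fail_msg: "consul_master_token is not set; run acl.yml first"`, so the dependency on acl.yml is enforced rather than assumed. The "Copy read policy file" task this hunk leaves in place begins outside the hunk, so its destination and mode could not be reviewed here.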
@@ -1,9 +1,4 @@ --- -# ------------------------- -# POLICIES AND ROLES ONLY -# (Bootstrap logic removed because it is handled in acl.yml) -# ------------------------- - - name: Copy read policy file ansible.builtin.copy: src: read-policy.hcl @@ -15,7 +10,7 @@ register: policy_list changed_when: false run_once: true - environment: + environment: &consul_env CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" CONSUL_CLIENT_CERT: "{{ consul_config_dir }}/certs/tls.crt" 
@@ -26,43 +21,32 @@ ansible.builtin.command: consul acl policy create -name read-policy -rules @/tmp/read-policy.hcl when: "'read-policy' not in policy_list.stdout" run_once: true - environment: - CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" - CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" - CONSUL_CLIENT_CERT: "{{ consul_config_dir }}/certs/tls.crt" - CONSUL_CLIENT_KEY: "{{ consul_config_dir }}/certs/tls.key" - CONSUL_HTTP_SSL_VERIFY: "false" + environment: *consul_env - name: Check existing roles ansible.builtin.command: consul acl role list register: role_list changed_when: false run_once: true - environment: - CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" - CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" - CONSUL_CLIENT_CERT: "{{ consul_config_dir }}/certs/tls.crt" - CONSUL_CLIENT_KEY: "{{ consul_config_dir }}/certs/tls.key" - CONSUL_HTTP_SSL_VERIFY: "false" + environment: *consul_env - name: Create read role ansible.builtin.command: consul acl role create -name read-role -policy-name read-policy when: "'read-role' not in role_list.stdout" run_once: true - environment: - CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" - CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" - CONSUL_CLIENT_CERT: "{{ consul_config_dir }}/certs/tls.crt" - CONSUL_CLIENT_KEY: "{{ consul_config_dir }}/certs/tls.key" - CONSUL_HTTP_SSL_VERIFY: "false" + environment: *consul_env + +# NEW CHECK (IMPORTANT) +- name: Check existing tokens + ansible.builtin.command: consul acl token list + register: token_list + changed_when: false + run_once: true + environment: *consul_env - name: Create application token ansible.builtin.command: consul acl token create -description "App Read Token" -role-name read-role register: app_token + when: "'App Read Token' not in token_list.stdout" run_once: true - environment: - CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" - CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" - CONSUL_CLIENT_CERT: "{{ consul_config_dir 
}}/certs/tls.crt" - CONSUL_CLIENT_KEY: "{{ consul_config_dir }}/certs/tls.key" - CONSUL_HTTP_SSL_VERIFY: "false" + environment: *consul_env From ce0b493ea7a17bfc231a33037ac3d4d5b300bed2 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Fri, 6 Mar 2026 12:31:32 +0530 Subject: [PATCH 092/412] Update acl_tokens.yml --- consul-role/tasks/acl_tokens.yml | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/consul-role/tasks/acl_tokens.yml b/consul-role/tasks/acl_tokens.yml index f85e180..74592f2 100644 --- a/consul-role/tasks/acl_tokens.yml +++ b/consul-role/tasks/acl_tokens.yml @@ -1,6 +1,7 @@ --- - name: Create Agent Token block: + - name: Check if agent token exists on disk ansible.builtin.stat: path: "{{ consul_config_dir }}/agent.token" @@ -12,7 +13,7 @@ register: agent_token_output when: not agent_token_stat.stat.exists run_once: true - environment: + environment: &consul_env CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" CONSUL_HTTP_SSL_VERIFY: "false" @@ -24,7 +25,7 @@ owner: "{{ consul_user }}" group: "{{ consul_group }}" mode: "0600" - when: + when: - not agent_token_stat.stat.exists - agent_token_output.stdout is defined - "'SecretID' in agent_token_output.stdout" @@ -32,6 +33,7 @@ - name: Create Service Token block: + - name: Check if service token exists on disk ansible.builtin.stat: path: "{{ consul_config_dir }}/service.token" @@ -43,10 +45,7 @@ register: service_token_output when: not service_token_stat.stat.exists run_once: true - environment: - CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" - CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" - CONSUL_HTTP_SSL_VERIFY: "false" + environment: *consul_env - name: Save service token ansible.builtin.copy: 
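Review bot: "Create application token" registers `app_token`, whose stdout contains the new token's SecretID, but no task persists or uses it and the task is not `no_log: true`, so the only copy of the secret ends up in the Ansible log; either save it with `mode: "0600"` like the other tokens or discard it, and set `no_log: true` on the create task in both cases. The guard `when: "'App Read Token' not in token_list.stdout"` is a substring match on the description column of `consul acl token list`, which also skips creation when any other token's description merely contains that phrase; matching on `-format=json` descriptions would be exact. The `&consul_env` anchor that `*consul_env` points at is defined earlier in this same file (the hunk above), which is valid; note that it presumably still includes `CONSUL_HTTP_SSL_VERIFY: "false"` alongside the client certificate — the same contradiction as in acl_policies.yml.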
@@ -55,7 +54,7 @@ owner: "{{ consul_user }}" group: "{{ consul_group }}" mode: "0600" - when: + when: - not service_token_stat.stat.exists - service_token_output.stdout is defined - "'SecretID' in service_token_output.stdout" From 175097d7622a1035fc47d07bc225a17fb62f28e3 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Fri, 6 Mar 2026 12:55:30 +0530 Subject: [PATCH 093/412] Update acl_tokens.yml --- consul-role/tasks/acl_tokens.yml | 24 ++++++++++++++++++------ 1 file changed, 18 insertions(+), 6 deletions(-) diff --git a/consul-role/tasks/acl_tokens.yml b/consul-role/tasks/acl_tokens.yml index 74592f2..4416ec0 100644 --- a/consul-role/tasks/acl_tokens.yml +++ b/consul-role/tasks/acl_tokens.yml @@ -1,4 +1,15 @@ --- +# NEW TASK (IMPORTANT) +- name: Check existing tokens in consul + ansible.builtin.command: consul acl token list + register: existing_tokens + changed_when: false + run_once: true + environment: &consul_env + CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" + CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" + CONSUL_HTTP_SSL_VERIFY: "false" + - name: Create Agent Token block: @@ -11,12 +22,11 @@ ansible.builtin.command: > consul acl token create -description "Agent Token" -policy-name agent-policy register: agent_token_output - when: not agent_token_stat.stat.exists + when: + - not agent_token_stat.stat.exists + - "'Agent Token' not in existing_tokens.stdout" run_once: true - environment: &consul_env - CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" - CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" - CONSUL_HTTP_SSL_VERIFY: "false" + environment: *consul_env - name: Save agent token ansible.builtin.copy: @@ -43,7 +53,9 @@ ansible.builtin.command: > consul acl token create -description "Service Token" -policy-name service-policy register: service_token_output - when: not service_token_stat.stat.exists + when: + - not service_token_stat.stat.exists + - "'Service Token' not in existing_tokens.stdout" run_once: true environment: *consul_env 
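Review bot: Combining `not agent_token_stat.stat.exists` with `'Agent Token' not in existing_tokens.stdout` leaves a gap the commit does not handle: on a host where the token already exists in Consul but `agent.token` is missing from disk (rebuilt host, cleaned config dir), creation is skipped and "Save agent token" is skipped too, because it requires `agent_token_output.stdout`, so the file is never written and the role has no recovery path. Either read the existing token back by accessor before deciding, or treat "exists in Consul, missing on disk" as an explicit failure with `ansible.builtin.fail`. The same applies to the service-token hunk at `@@ -43,7 +53,9 @@`. `existing_tokens` also lacks `no_log: true`, which matters if the list output includes SecretIDs.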
From 768e1c951268da64aee69b2930e93d3adaedc026 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Fri, 6 Mar 2026 13:07:11 +0530 Subject: [PATCH 094/412] Update rbac.yml --- consul-role/tasks/rbac.yml | 37 ++++++++++++++++++++++++++++--------- 1 file changed, 28 insertions(+), 9 deletions(-) diff --git a/consul-role/tasks/rbac.yml b/consul-role/tasks/rbac.yml index 400c56b..51132db 100644 --- a/consul-role/tasks/rbac.yml +++ b/consul-role/tasks/rbac.yml @@ -36,17 +36,36 @@ run_once: true environment: *consul_env -# NEW CHECK (IMPORTANT) -- name: Check existing tokens - ansible.builtin.command: consul acl token list - register: token_list - changed_when: false + +# ------------------------------------------------ +# APPLICATION TOKEN (NO DUPLICATES) +# ------------------------------------------------ + +- name: Check if application token exists on disk + ansible.builtin.stat: + path: "{{ consul_config_dir }}/app.token" + register: app_token_stat run_once: true - environment: *consul_env - name: Create application token - ansible.builtin.command: consul acl token create -description "App Read Token" -role-name read-role - register: app_token - when: "'App Read Token' not in token_list.stdout" + ansible.builtin.command: > + consul acl token create + -description "App Read Token" + -role-name read-role + register: app_token_output + when: not app_token_stat.stat.exists run_once: true environment: *consul_env + +- name: Save application token + ansible.builtin.copy: + content: "{{ app_token_output.stdout | regex_search('SecretID:\\s+([a-fA-F0-9-]+)', '\\1') | first }}" + dest: "{{ consul_config_dir }}/app.token" + owner: "{{ consul_user }}" + group: "{{ consul_group }}" + mode: "0600" + when: + - not app_token_stat.stat.exists + - app_token_output.stdout is defined + - "'SecretID' in app_token_output.stdout" + run_once: true From 0b8f7879b81b09ec3c9d9fa629b5e214aadaa3e3 Mon Sep 17 00:00:00 2001 
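Review bot: The heading "APPLICATION TOKEN (NO DUPLICATES)" is no longer true against Consul: the only guard is now the local `app.token` stat, so whenever that file is lost a fresh "App Read Token" is minted on the next run while the previous ones remain valid in the ACL system. Keep the `consul acl token list` check this hunk removes alongside the stat, or look the token up by accessor, so orphaned read tokens do not accumulate. `app_token_output` holds the SecretID and the task has no `no_log: true`. The "Save application token" copy has no `become: true` unlike the bootstrap-token copy in acl.yml; if `consul_config_dir` is root-owned that write will fail.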
From: AnithaAnnem Date: Fri, 6 Mar 2026 13:26:09 +0530 Subject: [PATCH 095/412] Update acl.yml --- consul-role/tasks/acl.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/consul-role/tasks/acl.yml b/consul-role/tasks/acl.yml index 56609d2..9624e73 100644 --- a/consul-role/tasks/acl.yml +++ b/consul-role/tasks/acl.yml @@ -47,7 +47,7 @@ - "'SecretID' in consul_bootstrap.stdout" run_once: true -# D. Share this token with all other hosts (.35 and .138) +# D. Share this token with all other hosts - name: Propagate token to all hosts in the play ansible.builtin.set_fact: consul_master_token: "{{ hostvars[ansible_play_hosts[0]]['consul_master_token'] }}" From c060801bbcd40042b2a35fc6bbcca11614e48202 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Fri, 6 Mar 2026 17:56:51 +0530 Subject: [PATCH 096/412] Update main.yml --- consul-role/defaults/main.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/consul-role/defaults/main.yml b/consul-role/defaults/main.yml index 163277d..596e040 100644 --- a/consul-role/defaults/main.yml +++ b/consul-role/defaults/main.yml @@ -23,3 +23,6 @@ consul_acl_token_persistence: true consul_agent_token: "" consul_client_addr: "0.0.0.0" + +# Gossip Encryption +consul_encrypt_key: "" From 29e695c336f3a166b80b2eee5bad1ef45cf128c1 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Fri, 6 Mar 2026 18:07:48 +0530 Subject: [PATCH 097/412] Update server.hcl.j2 From da20094ee60c434cc44db4c2d5ad591ce5205b97 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Fri, 6 Mar 2026 18:08:01 +0530 Subject: [PATCH 098/412] Update main.yml --- consul-role/defaults/main.yml | 3 --- 1 file changed, 3 deletions(-) diff --git a/consul-role/defaults/main.yml b/consul-role/defaults/main.yml index 596e040..163277d 100644 --- a/consul-role/defaults/main.yml +++ b/consul-role/defaults/main.yml @@ -23,6 +23,3 @@ consul_acl_token_persistence: true consul_agent_token: "" consul_client_addr: "0.0.0.0" - -# Gossip Encryption -consul_encrypt_key: "" 
From df91afb54404f226190c3a8ecb6aa20986b47e12 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Fri, 6 Mar 2026 18:30:25 +0530 Subject: [PATCH 099/412] Update main.yml --- consul-role/defaults/main.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/consul-role/defaults/main.yml b/consul-role/defaults/main.yml index 163277d..1aa21c8 100644 --- a/consul-role/defaults/main.yml +++ b/consul-role/defaults/main.yml @@ -23,3 +23,6 @@ consul_acl_token_persistence: true consul_agent_token: "" consul_client_addr: "0.0.0.0" + +# Gossip Encryption +consul_gossip_key: "" From ecacfd3d10b5985174890df31e7789a34edd9968 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Fri, 6 Mar 2026 18:30:49 +0530 Subject: [PATCH 100/412] Update server.hcl.j2 --- consul-role/templates/server.hcl.j2 | 2 ++ 1 file changed, 2 insertions(+) diff --git a/consul-role/templates/server.hcl.j2 b/consul-role/templates/server.hcl.j2 index 2bd28fd..e1d2d80 100644 --- a/consul-role/templates/server.hcl.j2 +++ b/consul-role/templates/server.hcl.j2 @@ -3,6 +3,8 @@ bind_addr = "{{ consul_bind_addr }}" client_addr = "{{ consul_client_addr }}" data_dir = "{{ consul_data_dir }}" +encrypt = "{{ consul_gossip_key }}" + server = {{ consul_is_server | lower }} bootstrap_expect = {{ consul_bootstrap_expect }} From b567812ed4e343c3c3dc66323101df9c3463e1ba Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Fri, 6 Mar 2026 18:35:20 +0530 Subject: [PATCH 101/412] Update main.yml --- consul-role/vars/main.yml | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/consul-role/vars/main.yml b/consul-role/vars/main.yml index de3e72c..8923dd0 100644 --- a/consul-role/vars/main.yml +++ b/consul-role/vars/main.yml 
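Review bot: `encrypt = "{{ consul_gossip_key }}"` together with the `consul_gossip_key: ""` default added in the previous commit renders `encrypt = ""`, which Consul treats as gossip encryption disabled, so a host that does not get the vaulted value silently joins with plaintext gossip instead of failing. Guard it before templating, e.g. `- name: Require gossip key` / `ansible.builtin.assert:` / `that: consul_gossip_key | length > 0`, or wrap the line in `{% if consul_gossip_key %}` and fail explicitly elsewhere.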
@@ -11,3 +11,13 @@ consul_master_token: !vault | 3134613636396265300a633636396164363365353066633964306534316163303264623764643532 39323234346661383638313135346537613530333537636461343631653639663232373632646665 3634393638313962393166316439633230643331383665623634 + + +consul_gossip_key: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 63666262323562663362346564363332353364663338396337333031616437373863316130613631 + 3966663365653036316364323537386530643666653564370a653438393136666436396230326464 + 39393738346630353432623434353063666161653832346438343566366664303464353334306532 + 3937633962373832620a353432336365323433306165633264363638353235643666633564393761 + 61353532316133616630396362333265316132333038323639396139333761326537636330346334 + 3336343330373533333435306264313430313662346364643637 From 1afee98e653e60e25497f840a2e3d0f3c1481e01 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Mon, 9 Mar 2026 12:44:24 +0530 Subject: [PATCH 102/412] Update server.hcl.j2 --- consul-role/templates/server.hcl.j2 | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/consul-role/templates/server.hcl.j2 b/consul-role/templates/server.hcl.j2 index e1d2d80..f096eed 100644 --- a/consul-role/templates/server.hcl.j2 +++ b/consul-role/templates/server.hcl.j2 @@ -41,7 +41,10 @@ tls { defaults { cert_file = "{{ consul_config_dir }}/certs/tls.crt" key_file = "{{ consul_config_dir }}/certs/tls.key" - verify_incoming = false - verify_outgoing = false + ca_file = "{{ consul_config_dir }}/certs/tls.crt" + + verify_incoming = true + verify_outgoing = true + verify_server_hostname = true } } From 98a4698c55bdfe3daceb733864e8216580d75fe1 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Mon, 9 Mar 2026 12:46:49 +0530 Subject: [PATCH 103/412] Update acl.yml --- consul-role/tasks/acl.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/consul-role/tasks/acl.yml b/consul-role/tasks/acl.yml index 9624e73..1d3a8f3 100644 --- a/consul-role/tasks/acl.yml 
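Review bot: `ca_file` is pointed at `tls.crt`, the same file used as `cert_file`; that only validates if that file is self-signed or is a bundle that also contains the issuing CA, otherwise every verified connection now fails. `verify_server_hostname = true` additionally requires the server certificate's SAN to include `server.<datacenter>.<domain>` (the node FQDN is not what Consul checks), which is worth confirming before this lands. The CLI tasks in acl.yml/acl_policies.yml/acl_tokens.yml/rbac.yml are switched to `CONSUL_CACERT` pointing at the same `tls.crt` in the following commits and carry the same caveat; a separate `ca.crt` would make both sides unambiguous.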
+++ b/consul-role/tasks/acl.yml @@ -36,7 +36,7 @@ failed_when: false environment: CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" - CONSUL_HTTP_SSL_VERIFY: "false" + CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt" - name: Extract new token from bootstrap output ansible.builtin.set_fact: From bc8688abcdc77d2afdc3addda6483af4919b33a0 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Mon, 9 Mar 2026 12:48:09 +0530 Subject: [PATCH 104/412] Update acl_policies.yml --- consul-role/tasks/acl_policies.yml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/consul-role/tasks/acl_policies.yml b/consul-role/tasks/acl_policies.yml index 71c5638..f77671a 100644 --- a/consul-role/tasks/acl_policies.yml +++ b/consul-role/tasks/acl_policies.yml @@ -17,9 +17,7 @@ environment: &consul_env CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" - CONSUL_HTTP_SSL_VERIFY: "false" - CONSUL_CLIENT_CERT: "{{ consul_config_dir }}/certs/tls.crt" - CONSUL_CLIENT_KEY: "{{ consul_config_dir }}/certs/tls.key" + CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt" - name: Create Consul policies ansible.builtin.command: > From ebd54df77f3dac6ab8749f168058d0f497c3dec3 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Mon, 9 Mar 2026 12:49:15 +0530 Subject: [PATCH 105/412] Update acl_tokens.yml --- consul-role/tasks/acl_tokens.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/consul-role/tasks/acl_tokens.yml b/consul-role/tasks/acl_tokens.yml index 4416ec0..0b79713 100644 --- a/consul-role/tasks/acl_tokens.yml +++ b/consul-role/tasks/acl_tokens.yml @@ -8,7 +8,7 @@ environment: &consul_env CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" - CONSUL_HTTP_SSL_VERIFY: "false" + CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt" - name: Create Agent Token block: From 527b061f2d90bd763b11aab4056446fa4cfcc79f Mon Sep 17 00:00:00 2001 
From: AnithaAnnem Date: Mon, 9 Mar 2026 12:50:30 +0530 Subject: [PATCH 106/412] Update rbac.yml --- consul-role/tasks/rbac.yml | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/consul-role/tasks/rbac.yml b/consul-role/tasks/rbac.yml index 51132db..94215a6 100644 --- a/consul-role/tasks/rbac.yml +++ b/consul-role/tasks/rbac.yml @@ -13,10 +13,8 @@ environment: &consul_env CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" - CONSUL_CLIENT_CERT: "{{ consul_config_dir }}/certs/tls.crt" - CONSUL_CLIENT_KEY: "{{ consul_config_dir }}/certs/tls.key" - CONSUL_HTTP_SSL_VERIFY: "false" - + CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt" + - name: Create read policy ansible.builtin.command: consul acl policy create -name read-policy -rules @/tmp/read-policy.hcl when: "'read-policy' not in policy_list.stdout" From be61c12d20404e31ffdde5f2a4de1ae7c4b6c3e0 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Mon, 9 Mar 2026 13:28:09 +0530 Subject: [PATCH 107/412] Update acl.yml --- consul-role/tasks/acl.yml | 34 ++++++++++++++++++---------------- 1 file changed, 18 insertions(+), 16 deletions(-) diff --git a/consul-role/tasks/acl.yml b/consul-role/tasks/acl.yml index 1d3a8f3..e517647 100644 --- a/consul-role/tasks/acl.yml +++ b/consul-role/tasks/acl.yml 
@@ -6,55 +6,55 @@ delay: 5 timeout: 60 -# A. Check if the file already exists on the first node +# Check bootstrap token - name: Check for existing bootstrap token file ansible.builtin.stat: path: "{{ consul_config_dir }}/bootstrap.token" register: token_file_on_disk -# B. Load it if it's there - name: Load existing token from disk ansible.builtin.slurp: src: "{{ consul_config_dir }}/bootstrap.token" register: slurped_token become: true - when: token_file_on_disk.stat.exists and token_file_on_disk.stat.size > 0 + when: + - token_file_on_disk.stat.exists + - token_file_on_disk.stat.size > 0 - name: Set master token fact from file ansible.builtin.set_fact: consul_master_token: "{{ slurped_token.content | b64decode | trim }}" - when: - - token_file_on_disk.stat.exists + when: + - token_file_on_disk.stat.exists - slurped_token.content is defined -# C. Bootstrap ONLY if we still don't have a token +# Bootstrap ACL - name: Bootstrap ACL ansible.builtin.command: consul acl bootstrap -format=json register: consul_bootstrap run_once: true - when: consul_master_token is not defined or consul_master_token == "" failed_when: false + when: consul_master_token is not defined or consul_master_token == "" environment: CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" - CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt" + CONSUL_HTTP_SSL_VERIFY: "false" - name: Extract new token from bootstrap output ansible.builtin.set_fact: consul_master_token: "{{ (consul_bootstrap.stdout | from_json).SecretID }}" - when: + run_once: true + when: - consul_bootstrap.changed - consul_bootstrap.stdout | length > 0 - "'SecretID' in consul_bootstrap.stdout" - run_once: true -# D. 
Share this token with all other hosts -- name: Propagate token to all hosts in the play +# Share token to all hosts +- name: Propagate token to all hosts ansible.builtin.set_fact: consul_master_token: "{{ hostvars[ansible_play_hosts[0]]['consul_master_token'] }}" - # Only set it if the current host doesn't have it yet when: consul_master_token is not defined or consul_master_token == "" -# E. Save it to the disk of ALL nodes +# Save token - name: Save bootstrap token to file ansible.builtin.copy: content: "{{ consul_master_token }}" @@ -63,9 +63,11 @@ group: "{{ consul_group }}" mode: "0600" become: true - when: consul_master_token is defined and consul_master_token != "" + when: + - consul_master_token is defined + - consul_master_token != "" -# F. Proceed to the next steps +# Next tasks - name: Include ACL policies ansible.builtin.include_tasks: acl_policies.yml From d09a9106867e6c33af35e6e8484d85c6f931fc87 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Mon, 9 Mar 2026 13:28:44 +0530 Subject: [PATCH 108/412] Update server.hcl.j2 --- consul-role/templates/server.hcl.j2 | 19 +++++++------------ 1 file changed, 7 insertions(+), 12 deletions(-) diff --git a/consul-role/templates/server.hcl.j2 b/consul-role/templates/server.hcl.j2 index f096eed..c172121 100644 --- a/consul-role/templates/server.hcl.j2 +++ b/consul-role/templates/server.hcl.j2 @@ -1,7 +1,7 @@ -node_name = "{{ consul_node_name }}" -bind_addr = "{{ consul_bind_addr }}" +node_name = "{{ consul_node_name }}" +bind_addr = "{{ consul_bind_addr }}" client_addr = "{{ consul_client_addr }}" -data_dir = "{{ consul_data_dir }}" +data_dir = "{{ consul_data_dir }}" encrypt = "{{ consul_gossip_key }}" 
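Review bot: The rewrite re-introduces `CONSUL_HTTP_SSL_VERIFY: "false"` on "Bootstrap ACL", undoing the `CONSUL_CACERT` line from commit 103; the bootstrap response carries the global-management SecretID, so this is the one call that most needs a verified channel. `failed_when: false` also hides every bootstrap failure (TLS error, already-bootstrapped cluster), and the command module still reports `changed`, so the failure surfaces only later as an undefined `consul_master_token` in "Propagate token to all hosts"; narrow it to the specific already-bootstrapped stderr text rather than an unconditional `false`. `consul_bootstrap` is registered without `no_log: true`. The reordering of `when`/`run_once` is cosmetic and fine.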
@@ -23,15 +23,13 @@ acl { default_policy = "{{ consul_acl_default_policy }}" enable_token_persistence = {{ consul_acl_token_persistence | lower }} - - {% if consul_agent_token is defined and consul_agent_token != "" %} +{% if consul_agent_token is defined and consul_agent_token != "" %} tokens { agent = "{{ consul_agent_token }}" } - {% endif %} +{% endif %} } - ports { http = -1 https = 8501 @@ -41,10 +39,7 @@ tls { defaults { cert_file = "{{ consul_config_dir }}/certs/tls.crt" key_file = "{{ consul_config_dir }}/certs/tls.key" - ca_file = "{{ consul_config_dir }}/certs/tls.crt" - - verify_incoming = true - verify_outgoing = true - verify_server_hostname = true + verify_incoming = false + verify_outgoing = false } } From 85df82215ab4f2f79622e0901716a607270845b4 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Mon, 9 Mar 2026 13:31:41 +0530 Subject: [PATCH 109/412] Update acl_policies.yml --- consul-role/tasks/acl_policies.yml | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/consul-role/tasks/acl_policies.yml b/consul-role/tasks/acl_policies.yml index f77671a..b43ed2e 100644 --- a/consul-role/tasks/acl_policies.yml +++ b/consul-role/tasks/acl_policies.yml @@ -17,11 +17,15 @@ environment: &consul_env CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" - CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt" + CONSUL_HTTP_SSL_VERIFY: "false" + CONSUL_CLIENT_CERT: "{{ consul_config_dir }}/certs/tls.crt" + CONSUL_CLIENT_KEY: "{{ consul_config_dir }}/certs/tls.key" - name: Create Consul policies ansible.builtin.command: > - consul acl policy create -name {{ item }} -rules @/tmp/{{ item }}.hcl + consul acl policy create + -name {{ item }} + -rules @/tmp/{{ item }}.hcl loop: - agent-policy - service-policy From c2b5a3ec786d9064727a95086cb320a05faecff1 Mon Sep 17 00:00:00 2001 
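Review bot: Reverting to `verify_incoming = false` / `verify_outgoing = false` and dropping `ca_file` undoes the TLS verification introduced in commit 102, and the same series switches the CLI tasks back to `CONSUL_HTTP_SSL_VERIFY: "false"` (acl_policies, acl_tokens and rbac hunks on the following lines), so cluster RPC and API traffic is encrypted but no peer is authenticated. If this is a temporary workaround for a certificate problem, say so in the commit message (currently just "Update server.hcl.j2") and leave a `# TODO` on these two lines; as written it reads as a deliberate downgrade. The de-indentation of the `{% if %}`/`{% endif %}` lines is fine.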
From: AnithaAnnem Date: Mon, 9 Mar 2026 13:32:04 +0530 Subject: [PATCH 110/412] Update acl_tokens.yml --- consul-role/tasks/acl_tokens.yml | 118 ++++++++++++++++--------------- 1 file changed, 62 insertions(+), 56 deletions(-) diff --git a/consul-role/tasks/acl_tokens.yml b/consul-role/tasks/acl_tokens.yml index 0b79713..ab3caa6 100644 --- a/consul-role/tasks/acl_tokens.yml +++ b/consul-role/tasks/acl_tokens.yml @@ -1,5 +1,5 @@ --- -# NEW TASK (IMPORTANT) +# Check existing tokens - name: Check existing tokens in consul ansible.builtin.command: consul acl token list register: existing_tokens 
@@ -8,66 +8,72 @@ environment: &consul_env CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" - CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt" + CONSUL_HTTP_SSL_VERIFY: "false" -- name: Create Agent Token - block: +#################################### +# Agent Token +#################################### - - name: Check if agent token exists on disk - ansible.builtin.stat: - path: "{{ consul_config_dir }}/agent.token" - register: agent_token_stat +- name: Check if agent token exists on disk + ansible.builtin.stat: + path: "{{ consul_config_dir }}/agent.token" + register: agent_token_stat - - name: Create agent token - ansible.builtin.command: > - consul acl token create -description "Agent Token" -policy-name agent-policy - register: agent_token_output - when: - - not agent_token_stat.stat.exists - - "'Agent Token' not in existing_tokens.stdout" - run_once: true - environment: *consul_env +- name: Create agent token + ansible.builtin.command: > + consul acl token create + -description "Agent Token" + -policy-name agent-policy + register: agent_token_output + when: + - not agent_token_stat.stat.exists + - "'Agent Token' not in existing_tokens.stdout" + run_once: true + environment: *consul_env - - name: Save agent token - ansible.builtin.copy: - content: "{{ agent_token_output.stdout | regex_search('SecretID:\\s+([a-fA-F0-9-]+)', '\\1') | first }}" - dest: "{{ consul_config_dir }}/agent.token" - owner: "{{ consul_user }}" - group: "{{ consul_group }}" - mode: "0600" - when: - - not agent_token_stat.stat.exists - - agent_token_output.stdout is defined - - "'SecretID' in agent_token_output.stdout" - run_once: true +- name: Save agent token + ansible.builtin.copy: + content: "{{ agent_token_output.stdout | regex_search('SecretID:\\s+([a-fA-F0-9-]+)', '\\1') | first }}" + dest: "{{ consul_config_dir }}/agent.token" + owner: "{{ consul_user }}" + group: "{{ consul_group }}" + mode: "0600" + when: + - not 
agent_token_stat.stat.exists + - agent_token_output.stdout is defined + - "'SecretID' in agent_token_output.stdout" + run_once: true -- name: Create Service Token - block: +#################################### +# Service Token +#################################### - - name: Check if service token exists on disk - ansible.builtin.stat: - path: "{{ consul_config_dir }}/service.token" - register: service_token_stat +- name: Check if service token exists on disk + ansible.builtin.stat: + path: "{{ consul_config_dir }}/service.token" + register: service_token_stat - - name: Create service token - ansible.builtin.command: > - consul acl token create -description "Service Token" -policy-name service-policy - register: service_token_output - when: - - not service_token_stat.stat.exists - - "'Service Token' not in existing_tokens.stdout" - run_once: true - environment: *consul_env +- name: Create service token + ansible.builtin.command: > + consul acl token create + -description "Service Token" + -policy-name service-policy + register: service_token_output + when: + - not service_token_stat.stat.exists + - "'Service Token' not in existing_tokens.stdout" + run_once: true + environment: *consul_env - - name: Save service token - ansible.builtin.copy: - content: "{{ service_token_output.stdout | regex_search('SecretID:\\s+([a-fA-F0-9-]+)', '\\1') | first }}" - dest: "{{ consul_config_dir }}/service.token" - owner: "{{ consul_user }}" - group: "{{ consul_group }}" - mode: "0600" - when: - - not service_token_stat.stat.exists - - service_token_output.stdout is defined - - "'SecretID' in service_token_output.stdout" - run_once: true +- name: Save service token + ansible.builtin.copy: + content: "{{ service_token_output.stdout | regex_search('SecretID:\\s+([a-fA-F0-9-]+)', '\\1') | first }}" + dest: "{{ consul_config_dir }}/service.token" + owner: "{{ consul_user }}" + group: "{{ consul_group }}" + mode: "0600" + when: + - not service_token_stat.stat.exists + - 
service_token_output.stdout is defined + - "'SecretID' in service_token_output.stdout" + run_once: true From 71d8c8cad9e8864a2a393d2a6d2ae904a6357094 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Mon, 9 Mar 2026 13:32:27 +0530 Subject: [PATCH 111/412] Update rbac.yml --- consul-role/tasks/rbac.yml | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-) diff --git a/consul-role/tasks/rbac.yml b/consul-role/tasks/rbac.yml index 94215a6..cdfa142 100644 --- a/consul-role/tasks/rbac.yml +++ b/consul-role/tasks/rbac.yml @@ -13,10 +13,15 @@ environment: &consul_env CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" - CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt" - + CONSUL_CLIENT_CERT: "{{ consul_config_dir }}/certs/tls.crt" + CONSUL_CLIENT_KEY: "{{ consul_config_dir }}/certs/tls.key" + CONSUL_HTTP_SSL_VERIFY: "false" + - name: Create read policy - ansible.builtin.command: consul acl policy create -name read-policy -rules @/tmp/read-policy.hcl + ansible.builtin.command: > + consul acl policy create + -name read-policy + -rules @/tmp/read-policy.hcl when: "'read-policy' not in policy_list.stdout" run_once: true environment: *consul_env @@ -29,12 +34,14 @@ environment: *consul_env - name: Create read role - ansible.builtin.command: consul acl role create -name read-role -policy-name read-policy + ansible.builtin.command: > + consul acl role create + -name read-role + -policy-name read-policy when: "'read-role' not in role_list.stdout" run_once: true environment: *consul_env - # ------------------------------------------------ # APPLICATION TOKEN (NO DUPLICATES) # ------------------------------------------------ From f605f0812718ac6b142659300972025c0e3d58fb Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Mon, 9 Mar 2026 14:56:41 +0530 Subject: [PATCH 112/412] Update server.hcl.j2 --- consul-role/templates/server.hcl.j2 | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) 
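Review bot: "Check if agent token exists on disk" runs on every host, but "Create agent token" and "Save agent token" are `run_once: true`, so `agent.token` is only ever written on the first host of the play; on the other hosts the stat result is discarded and no token file appears on any run (the "Service Token" section has the same shape). If every agent needs its own token file, drop `run_once` from the save task and read the registered secret via `hostvars[ansible_play_hosts[0]]`, or `delegate_to` the create while keeping the copy per host; if only one host is meant to hold it, the stat should be `run_once` too. The `CONSUL_HTTP_SSL_VERIFY: "false"` line in the `&consul_env` anchor reverts commit 105's `CONSUL_CACERT`. `existing_tokens`, `agent_token_output` and `service_token_output` still have no `no_log: true`.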
diff --git a/consul-role/templates/server.hcl.j2 b/consul-role/templates/server.hcl.j2 index c172121..387fe13 100644 --- a/consul-role/templates/server.hcl.j2 +++ b/consul-role/templates/server.hcl.j2 @@ -37,9 +37,10 @@ ports { tls { defaults { + ca_file = "{{ consul_config_dir }}/certs/tls.crt" cert_file = "{{ consul_config_dir }}/certs/tls.crt" key_file = "{{ consul_config_dir }}/certs/tls.key" - verify_incoming = false - verify_outgoing = false + verify_incoming = true + verify_outgoing = true } } From a0c75ee9a7a7ac673cc4a1652e5d203a78e9caba Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Mon, 9 Mar 2026 14:59:04 +0530 Subject: [PATCH 113/412] Update acl_policies.yml --- consul-role/tasks/acl_policies.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/consul-role/tasks/acl_policies.yml b/consul-role/tasks/acl_policies.yml index b43ed2e..0bb3cee 100644 --- a/consul-role/tasks/acl_policies.yml +++ b/consul-role/tasks/acl_policies.yml @@ -18,8 +18,8 @@ CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" CONSUL_HTTP_SSL_VERIFY: "false" - CONSUL_CLIENT_CERT: "{{ consul_config_dir }}/certs/tls.crt" - CONSUL_CLIENT_KEY: "{{ consul_config_dir }}/certs/tls.key" + CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt" + CONSUL_HTTP_SSL_VERIFY: "true" - name: Create Consul policies ansible.builtin.command: > From 10167a677d3a32b46b90a14975287c602b8f827d Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Mon, 9 Mar 2026 14:59:44 +0530 Subject: [PATCH 114/412] Update rbac.yml --- consul-role/tasks/rbac.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/consul-role/tasks/rbac.yml b/consul-role/tasks/rbac.yml index cdfa142..7b068bf 100644 --- a/consul-role/tasks/rbac.yml +++ b/consul-role/tasks/rbac.yml 
@@ -13,9 +13,8 @@ environment: &consul_env CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" - CONSUL_CLIENT_CERT: "{{ consul_config_dir }}/certs/tls.crt" - CONSUL_CLIENT_KEY: "{{ consul_config_dir }}/certs/tls.key" - CONSUL_HTTP_SSL_VERIFY: "false" + CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt" + CONSUL_HTTP_SSL_VERIFY: "true" - name: Create read policy ansible.builtin.command: > From 208cc22efd7330186f290e6840c9c3bf2e79fc7d Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Mon, 9 Mar 2026 15:22:47 +0530 Subject: [PATCH 115/412] Update acl_policies.yml --- consul-role/tasks/acl_policies.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/consul-role/tasks/acl_policies.yml b/consul-role/tasks/acl_policies.yml index 0bb3cee..8a4da7e 100644 --- a/consul-role/tasks/acl_policies.yml +++ b/consul-role/tasks/acl_policies.yml @@ -17,7 +17,6 @@ environment: &consul_env CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" - CONSUL_HTTP_SSL_VERIFY: "false" CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt" CONSUL_HTTP_SSL_VERIFY: "true" From 2d1920f8b5ff2329e245be69eb65ac759d3132d2 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Mon, 9 Mar 2026 15:24:09 +0530 Subject: [PATCH 116/412] Update acl_tokens.yml --- consul-role/tasks/acl_tokens.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/consul-role/tasks/acl_tokens.yml b/consul-role/tasks/acl_tokens.yml index ab3caa6..dded93e 100644 --- a/consul-role/tasks/acl_tokens.yml +++ b/consul-role/tasks/acl_tokens.yml @@ -8,7 +8,7 @@ environment: &consul_env CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" - CONSUL_HTTP_SSL_VERIFY: "false" + CONSUL_HTTP_SSL_VERIFY: "true" #################################### # Agent Token From 5210b4326a013e1d8f5304f1230313e50742a701 Mon Sep 17 00:00:00 2001 
From: AnithaAnnem Date: Mon, 9 Mar 2026 15:24:31 +0530 Subject: [PATCH 117/412] Update acl.yml --- consul-role/tasks/acl.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/consul-role/tasks/acl.yml b/consul-role/tasks/acl.yml index e517647..fe3155d 100644 --- a/consul-role/tasks/acl.yml +++ b/consul-role/tasks/acl.yml @@ -37,7 +37,7 @@ when: consul_master_token is not defined or consul_master_token == "" environment: CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" - CONSUL_HTTP_SSL_VERIFY: "false" + CONSUL_HTTP_SSL_VERIFY: "true" - name: Extract new token from bootstrap output ansible.builtin.set_fact: From 8e342ed7b60d0e445793a71d222c18feeb07515e Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Tue, 10 Mar 2026 08:50:34 +0530 Subject: [PATCH 118/412] Update main.yml --- consul-role/vars/main.yml | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/consul-role/vars/main.yml b/consul-role/vars/main.yml index 8923dd0..abddc4f 100644 --- a/consul-role/vars/main.yml +++ b/consul-role/vars/main.yml @@ -1,8 +1,22 @@ --- # vars file for consul + + +# DNS Mapping for TLS Compliance +consul_dns_mapping: + "192.168.8.138": "consul-leader.opstree.dev" + "192.168.8.220": "consul-quorum-1.opstree.dev" + "192.168.8.35": "consul-quorum-2.opstree.dev" + +# Helper to resolve the FQDN based on the IP being used for the task +current_node_fqdn: "{{ consul_dns_mapping[ansible_host] | default(inventory_hostname) }}" + +# Installation variables consul_binary_url: "https://releases.hashicorp.com/consul/{{ consul_version }}/consul_{{ consul_version }}_linux_amd64.zip" consul_zip_path: "/tmp/consul_{{ consul_version }}.zip" + +# Sensitive Keys consul_master_token: !vault | $ANSIBLE_VAULT;1.1;AES256 64363638396462636134353637383865643931373664373034623536366134623235306438356164 From f602a3c84d2d0cafe0be4c477a66cb95eb8841b7 Mon Sep 17 00:00:00 2001 
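Review bot: `consul_dns_mapping` hardcodes three IP addresses and FQDNs of one environment into `vars/main.yml`, the highest-precedence role variable file, so no inventory can override the mapping without `-e`, and the topology is baked into the role instead of living in host/group vars. Move the map to `defaults/main.yml` or inventory and keep `current_node_fqdn` in vars. `current_node_fqdn` keys on `ansible_host`; when an inventory does not set it the lookup presumably falls through to `default(inventory_hostname)`, which must then match a SAN in `tls.crt` for the `CONSUL_HTTP_SSL_VERIFY: "true"` tasks to connect — worth a short comment on that line, e.g. `# Falls back to inventory_hostname; must match a SAN in tls.crt`.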
From: AnithaAnnem Date: Tue, 10 Mar 2026 08:53:15 +0530 Subject: [PATCH 119/412] Update server.hcl.j2 --- consul-role/templates/server.hcl.j2 | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/consul-role/templates/server.hcl.j2 b/consul-role/templates/server.hcl.j2 index 387fe13..5ba74c7 100644 --- a/consul-role/templates/server.hcl.j2 +++ b/consul-role/templates/server.hcl.j2 @@ -12,10 +12,11 @@ ui_config { enabled = {{ consul_enable_ui | lower }} } +# Use the new DNS names for joining the cluster retry_join = [ -{% for host in play_hosts %} - "{{ hostvars[host]['ansible_host'] | default(host) }}"{% if not loop.last %},{% endif %} -{% endfor %} + "consul-leader.opstree.dev", + "consul-quorum-1.opstree.dev", + "consul-quorum-2.opstree.dev" ] acl { @@ -42,5 +43,8 @@ tls { key_file = "{{ consul_config_dir }}/certs/tls.key" verify_incoming = true verify_outgoing = true + + # This ensures that servers verify each other using the DNS names in the certs + verify_server_hostname = true } } From b1d62b97ab8cc61a910b68497c0b65084708046b Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Tue, 10 Mar 2026 09:00:05 +0530 Subject: [PATCH 120/412] Update acl_policies.yml --- consul-role/tasks/acl_policies.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/consul-role/tasks/acl_policies.yml b/consul-role/tasks/acl_policies.yml index 8a4da7e..6bc13aa 100644 --- a/consul-role/tasks/acl_policies.yml +++ b/consul-role/tasks/acl_policies.yml @@ -15,7 +15,8 @@ run_once: true changed_when: false environment: &consul_env - CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" + #CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" + CONSUL_HTTP_ADDR: "https://{{ current_node_fqdn }}:8501" CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt" CONSUL_HTTP_SSL_VERIFY: "true" From fd778e7078241d1dba7201c410d29699838fa964 Mon Sep 17 00:00:00 2001 
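Review bot: The comment on `verify_server_hostname = true` misstates what is checked: Consul verifies that the certificate presented by a server on outgoing RPC is for `server.<datacenter>.<domain>` (e.g. `server.dc1.consul` with defaults), not for the node's DNS name, so the `*.opstree.dev` names in `retry_join` do not satisfy it unless the certificate also carries that SAN; reword it to `# Requires the server cert SAN to include server.<dc>.<domain>`. `retry_join` now hardcodes the three FQDNs in the template, replacing the `play_hosts`-derived list; rendering them from `consul_dns_mapping.values()` or a `consul_retry_join` variable keeps one source of truth with vars/main.yml. The commented-out `#CONSUL_HTTP_ADDR` lines left in the acl_policies.yml hunk here and in the acl_tokens.yml, rbac.yml and acl.yml hunks that follow are dead text; git history already records the old value.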
From: AnithaAnnem Date: Tue, 10 Mar 2026 09:01:18 +0530 Subject: [PATCH 121/412] Update acl_tokens.yml --- consul-role/tasks/acl_tokens.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/consul-role/tasks/acl_tokens.yml b/consul-role/tasks/acl_tokens.yml index dded93e..348dc1f 100644 --- a/consul-role/tasks/acl_tokens.yml +++ b/consul-role/tasks/acl_tokens.yml @@ -6,9 +6,11 @@ changed_when: false run_once: true environment: &consul_env - CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" + #CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" + CONSUL_HTTP_ADDR: "https://{{ current_node_fqdn }}:8501" CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" CONSUL_HTTP_SSL_VERIFY: "true" + CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt" #################################### # Agent Token From ab91a447b412ffc86d9a4e2213e2d15060505eee Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Tue, 10 Mar 2026 09:01:56 +0530 Subject: [PATCH 122/412] Update rbac.yml --- consul-role/tasks/rbac.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/consul-role/tasks/rbac.yml b/consul-role/tasks/rbac.yml index 7b068bf..17a70f2 100644 --- a/consul-role/tasks/rbac.yml +++ b/consul-role/tasks/rbac.yml @@ -11,7 +11,8 @@ changed_when: false run_once: true environment: &consul_env - CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" + #CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" + CONSUL_HTTP_ADDR: "https://{{ current_node_fqdn }}:8501" CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt" CONSUL_HTTP_SSL_VERIFY: "true" From 0e44980ceb61933432b0f1490c78b482ca92c448 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Tue, 10 Mar 2026 09:02:43 +0530 Subject: [PATCH 123/412] Update acl.yml --- consul-role/tasks/acl.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/consul-role/tasks/acl.yml b/consul-role/tasks/acl.yml index fe3155d..3413872 100644 
--- a/consul-role/tasks/acl.yml +++ b/consul-role/tasks/acl.yml @@ -36,8 +36,10 @@ failed_when: false when: consul_master_token is not defined or consul_master_token == "" environment: - CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" + #CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" + CONSUL_HTTP_ADDR: "https://{{ current_node_fqdn }}:8501" CONSUL_HTTP_SSL_VERIFY: "true" + CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt" - name: Extract new token from bootstrap output ansible.builtin.set_fact: From 7ceef4aafab1539d9d65e841cc93087a4a8102de Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Tue, 10 Mar 2026 11:17:41 +0530 Subject: [PATCH 124/412] Update server.hcl.j2 --- consul-role/templates/server.hcl.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/consul-role/templates/server.hcl.j2 b/consul-role/templates/server.hcl.j2 index 5ba74c7..385a7c5 100644 --- a/consul-role/templates/server.hcl.j2 +++ b/consul-role/templates/server.hcl.j2 @@ -41,7 +41,7 @@ tls { ca_file = "{{ consul_config_dir }}/certs/tls.crt" cert_file = "{{ consul_config_dir }}/certs/tls.crt" key_file = "{{ consul_config_dir }}/certs/tls.key" - verify_incoming = true + verify_incoming = false verify_outgoing = true # This ensures that servers verify each other using the DNS names in the certs From 59166d6bfc952fb74bd64b62a8ae10c85e2ae637 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Tue, 10 Mar 2026 11:24:24 +0530 Subject: [PATCH 125/412] Update server.hcl.j2 --- consul-role/templates/server.hcl.j2 | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/consul-role/templates/server.hcl.j2 b/consul-role/templates/server.hcl.j2 index 385a7c5..661074b 100644 --- a/consul-role/templates/server.hcl.j2 +++ b/consul-role/templates/server.hcl.j2 
@@ -12,11 +12,10 @@ ui_config { enabled = {{ consul_enable_ui | lower }} } -# Use the new DNS names for joining the cluster retry_join = [ - "consul-leader.opstree.dev", - "consul-quorum-1.opstree.dev", - "consul-quorum-2.opstree.dev" +{% for host in play_hosts %} + "{{ hostvars[host]['ansible_host'] | default(host) }}"{% if not loop.last %},{% endif %} +{% endfor %} ] acl { @@ -42,7 +41,7 @@ tls { cert_file = "{{ consul_config_dir }}/certs/tls.crt" key_file = "{{ consul_config_dir }}/certs/tls.key" verify_incoming = false - verify_outgoing = true + verify_outgoing = false # This ensures that servers verify each other using the DNS names in the certs verify_server_hostname = true From f76c8afc4956ac7995ce7d42134255db0c10806e Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Tue, 10 Mar 2026 11:25:23 +0530 Subject: [PATCH 126/412] Update acl.yml --- consul-role/tasks/acl.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/consul-role/tasks/acl.yml b/consul-role/tasks/acl.yml index 3413872..26af2f8 100644 --- a/consul-role/tasks/acl.yml +++ b/consul-role/tasks/acl.yml @@ -36,8 +36,7 @@ failed_when: false when: consul_master_token is not defined or consul_master_token == "" environment: - #CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" - CONSUL_HTTP_ADDR: "https://{{ current_node_fqdn }}:8501" + CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" CONSUL_HTTP_SSL_VERIFY: "true" CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt" From e8d85d9227992554b3b0fd628643833695e5982d Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Tue, 10 Mar 2026 11:25:47 +0530 Subject: [PATCH 127/412] Update acl_policies.yml --- consul-role/tasks/acl_policies.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/consul-role/tasks/acl_policies.yml b/consul-role/tasks/acl_policies.yml index 6bc13aa..f1e8ca3 100644 --- a/consul-role/tasks/acl_policies.yml +++ b/consul-role/tasks/acl_policies.yml 
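Review bot: `verify_outgoing = false` next to `verify_server_hostname = true` is contradictory: hostname verification only has meaning when outgoing connections are verified at all (in Consul the former, to my knowledge, implies the latter), so the effective behaviour of this pair is unclear and should be settled one way or the other. Restoring the `play_hosts` loop for `retry_join` is the right call; the dropped `# Use the new DNS names…` comment would have been stale anyway.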
@@ -15,11 +15,10 @@ run_once: true changed_when: false environment: &consul_env - #CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" - CONSUL_HTTP_ADDR: "https://{{ current_node_fqdn }}:8501" + CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt" - CONSUL_HTTP_SSL_VERIFY: "true" + CONSUL_HTTP_SSL_VERIFY: "false" - name: Create Consul policies ansible.builtin.command: > From d71beee52b71f924faf0fe0c9be9ee8ce9084a01 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Tue, 10 Mar 2026 11:26:10 +0530 Subject: [PATCH 128/412] Update acl.yml --- consul-role/tasks/acl.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/consul-role/tasks/acl.yml b/consul-role/tasks/acl.yml index 26af2f8..5f454d6 100644 --- a/consul-role/tasks/acl.yml +++ b/consul-role/tasks/acl.yml @@ -37,7 +37,7 @@ when: consul_master_token is not defined or consul_master_token == "" environment: CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" - CONSUL_HTTP_SSL_VERIFY: "true" + CONSUL_HTTP_SSL_VERIFY: "false" CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt" - name: Extract new token from bootstrap output From e0e7153fd66a266e6db0cd5593b0189a48b36434 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Tue, 10 Mar 2026 11:26:46 +0530 Subject: [PATCH 129/412] Update acl_tokens.yml --- consul-role/tasks/acl_tokens.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/consul-role/tasks/acl_tokens.yml b/consul-role/tasks/acl_tokens.yml index 348dc1f..cfb92cb 100644 --- a/consul-role/tasks/acl_tokens.yml +++ b/consul-role/tasks/acl_tokens.yml 
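Review bot: `CONSUL_HTTP_SSL_VERIFY: "false"` disables certificate validation for the `consul acl` calls while `CONSUL_CACERT` still points at the CA that can validate them, so `CONSUL_HTTP_TOKEN` — the vault-protected master token — is now sent over a TLS session whose peer is unverified. The same flip is made in PATCH 128 (acl.yml) on this line and in PATCH 129 (acl_tokens.yml) and PATCH 130 (rbac.yml) on the next. If the failure being worked around is a name mismatch between `consul_bind_addr` and the certificate's SANs, the fix is to issue the certificate with the IP SAN or set `CONSUL_TLS_SERVER_NAME` to a name it carries (as PATCH 147 later tries), keeping `CONSUL_HTTP_SSL_VERIFY: "true"`.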
@@ -6,10 +6,9 @@ changed_when: false run_once: true environment: &consul_env - #CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" - CONSUL_HTTP_ADDR: "https://{{ current_node_fqdn }}:8501" + CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" - CONSUL_HTTP_SSL_VERIFY: "true" + CONSUL_HTTP_SSL_VERIFY: "false" CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt" #################################### From c67cd4cc1afc23515c6ab6cafef6c16948419187 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Tue, 10 Mar 2026 11:27:12 +0530 Subject: [PATCH 130/412] Update rbac.yml --- consul-role/tasks/rbac.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/consul-role/tasks/rbac.yml b/consul-role/tasks/rbac.yml index 17a70f2..cd4366f 100644 --- a/consul-role/tasks/rbac.yml +++ b/consul-role/tasks/rbac.yml @@ -11,11 +11,10 @@ changed_when: false run_once: true environment: &consul_env - #CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" - CONSUL_HTTP_ADDR: "https://{{ current_node_fqdn }}:8501" + CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt" - CONSUL_HTTP_SSL_VERIFY: "true" + CONSUL_HTTP_SSL_VERIFY: "false" - name: Create read policy ansible.builtin.command: > From 2a9c9ba19578ed4ba2b5bd92042c8183543dc2f6 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Tue, 10 Mar 2026 11:27:58 +0530 Subject: [PATCH 131/412] Update server.hcl.j2 --- consul-role/templates/server.hcl.j2 | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/consul-role/templates/server.hcl.j2 b/consul-role/templates/server.hcl.j2 index 661074b..abda29e 100644 --- a/consul-role/templates/server.hcl.j2 +++ b/consul-role/templates/server.hcl.j2 
@@ -43,7 +43,6 @@ tls { verify_incoming = false verify_outgoing = false - # This ensures that servers verify each other using the DNS names in the certs - verify_server_hostname = true + } } From 013c803b82178c8f16df44406add1c4443d94763 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Tue, 10 Mar 2026 11:28:16 +0530 Subject: [PATCH 132/412] Update main.yml --- consul-role/vars/main.yml | 9 --------- 1 file changed, 9 deletions(-) diff --git a/consul-role/vars/main.yml b/consul-role/vars/main.yml index abddc4f..5092e2d 100644 --- a/consul-role/vars/main.yml +++ b/consul-role/vars/main.yml @@ -2,15 +2,6 @@ # vars file for consul -# DNS Mapping for TLS Compliance -consul_dns_mapping: - "192.168.8.138": "consul-leader.opstree.dev" - "192.168.8.220": "consul-quorum-1.opstree.dev" - "192.168.8.35": "consul-quorum-2.opstree.dev" - -# Helper to resolve the FQDN based on the IP being used for the task -current_node_fqdn: "{{ consul_dns_mapping[ansible_host] | default(inventory_hostname) }}" - # Installation variables consul_binary_url: "https://releases.hashicorp.com/consul/{{ consul_version }}/consul_{{ consul_version }}_linux_amd64.zip" consul_zip_path: "/tmp/consul_{{ consul_version }}.zip" From c87622d72225682a495d65f61bbff6387812e5e2 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Tue, 10 Mar 2026 11:40:24 +0530 Subject: [PATCH 133/412] Update server.hcl.j2 --- consul-role/templates/server.hcl.j2 | 2 ++ 1 file changed, 2 insertions(+) diff --git a/consul-role/templates/server.hcl.j2 b/consul-role/templates/server.hcl.j2 index abda29e..8feae97 100644 --- a/consul-role/templates/server.hcl.j2 +++ b/consul-role/templates/server.hcl.j2 @@ -43,6 +43,8 @@ tls { verify_incoming = false verify_outgoing = false + verify_server_hostname = false + } } From fb580952f6632e61dc675612841424a5fab51dd5 Mon Sep 17 00:00:00 2001 
From: AnithaAnnem Date: Tue, 10 Mar 2026 11:52:18 +0530 Subject: [PATCH 134/412] Update server.hcl.j2 --- consul-role/templates/server.hcl.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/consul-role/templates/server.hcl.j2 b/consul-role/templates/server.hcl.j2 index 8feae97..5261ac7 100644 --- a/consul-role/templates/server.hcl.j2 +++ b/consul-role/templates/server.hcl.j2 @@ -37,7 +37,7 @@ ports { tls { defaults { - ca_file = "{{ consul_config_dir }}/certs/tls.crt" + #ca_file = "{{ consul_config_dir }}/certs/tls.crt" cert_file = "{{ consul_config_dir }}/certs/tls.crt" key_file = "{{ consul_config_dir }}/certs/tls.key" verify_incoming = false From 9baa343195ac2c534aa5152fa08096abd971ebf5 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Tue, 10 Mar 2026 11:52:42 +0530 Subject: [PATCH 135/412] Update acl.yml --- consul-role/tasks/acl.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/consul-role/tasks/acl.yml b/consul-role/tasks/acl.yml index 5f454d6..9ab31dc 100644 --- a/consul-role/tasks/acl.yml +++ b/consul-role/tasks/acl.yml @@ -38,7 +38,7 @@ environment: CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" CONSUL_HTTP_SSL_VERIFY: "false" - CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt" + #CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt" - name: Extract new token from bootstrap output ansible.builtin.set_fact: From 898a8c2e06c6e5161f15579397520dce9a3ff17b Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Tue, 10 Mar 2026 11:52:56 +0530 Subject: [PATCH 136/412] Update acl_policies.yml --- consul-role/tasks/acl_policies.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/consul-role/tasks/acl_policies.yml b/consul-role/tasks/acl_policies.yml index f1e8ca3..902e50b 100644 --- a/consul-role/tasks/acl_policies.yml +++ b/consul-role/tasks/acl_policies.yml 
@@ -17,7 +17,7 @@ environment: &consul_env CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" - CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt" + #CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt" CONSUL_HTTP_SSL_VERIFY: "false" - name: Create Consul policies From ade040ffb8fb5a31e955b60291a4b967c746dfca Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Tue, 10 Mar 2026 11:53:14 +0530 Subject: [PATCH 137/412] Update acl_tokens.yml --- consul-role/tasks/acl_tokens.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/consul-role/tasks/acl_tokens.yml b/consul-role/tasks/acl_tokens.yml index cfb92cb..dc09ecb 100644 --- a/consul-role/tasks/acl_tokens.yml +++ b/consul-role/tasks/acl_tokens.yml @@ -9,7 +9,7 @@ CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" CONSUL_HTTP_SSL_VERIFY: "false" - CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt" + #CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt" #################################### # Agent Token From 78c6a2f271e22ca2ff00edb92024dbd6c5fedb8c Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Tue, 10 Mar 2026 11:53:35 +0530 Subject: [PATCH 138/412] Update rbac.yml --- consul-role/tasks/rbac.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/consul-role/tasks/rbac.yml b/consul-role/tasks/rbac.yml index cd4366f..d24f46f 100644 --- a/consul-role/tasks/rbac.yml +++ b/consul-role/tasks/rbac.yml @@ -13,7 +13,7 @@ environment: &consul_env CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" - CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt" + #CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt" CONSUL_HTTP_SSL_VERIFY: "false" - name: Create read policy From 1682137364b13c127223a90801e4e83eea9145bc Mon Sep 17 00:00:00 2001 
From: AnithaAnnem Date: Tue, 10 Mar 2026 12:38:36 +0530 Subject: [PATCH 139/412] Update server.hcl.j2 --- consul-role/templates/server.hcl.j2 | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/consul-role/templates/server.hcl.j2 b/consul-role/templates/server.hcl.j2 index 5261ac7..6d68cee 100644 --- a/consul-role/templates/server.hcl.j2 +++ b/consul-role/templates/server.hcl.j2 @@ -37,13 +37,20 @@ ports { tls { defaults { - #ca_file = "{{ consul_config_dir }}/certs/tls.crt" + ca_file = "{{ consul_config_dir }}/certs/tls.crt" cert_file = "{{ consul_config_dir }}/certs/tls.crt" key_file = "{{ consul_config_dir }}/certs/tls.key" + + # This allows the browser to reach the "Login" page verify_incoming = false - verify_outgoing = false - verify_server_hostname = false + # This keeps the backend server-to-server traffic secure + verify_incoming_rpc = true + + + verify_outgoing = true + + verify_server_hostname = true } From 9dd4678aca7e3a15cfcb11729df9719c13124172 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Tue, 10 Mar 2026 16:39:45 +0530 Subject: [PATCH 140/412] Update acl_policies.yml --- consul-role/tasks/acl_policies.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/consul-role/tasks/acl_policies.yml b/consul-role/tasks/acl_policies.yml index 902e50b..f1e8ca3 100644 --- a/consul-role/tasks/acl_policies.yml +++ b/consul-role/tasks/acl_policies.yml @@ -17,7 +17,7 @@ environment: &consul_env CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" - #CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt" + CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt" CONSUL_HTTP_SSL_VERIFY: "false" - name: Create Consul policies From 0a43b50158800b5a081ddc8f4cf424351f7555be Mon Sep 17 00:00:00 2001 
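Review bot: `verify_incoming_rpc` is the legacy top-level TLS key; inside the `tls { defaults { … } }` stanza the equivalent is, to my knowledge, `internal_rpc { verify_incoming = true }`, and an unrecognised key under `defaults` is more likely to make the agent refuse the config than to enforce RPC mTLS. The stated goal — browser access to the UI without a client certificate while server-to-server traffic stays mutually authenticated — is expressed as `defaults { verify_incoming = true }` plus `https { verify_incoming = false }`, which is what PATCH 157 later adds. As written, `verify_incoming = false` in `defaults` also relaxes RPC, so the comment "keeps the backend server-to-server traffic secure" overstates what the new config does.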
From: AnithaAnnem Date: Tue, 10 Mar 2026 16:39:55 +0530 Subject: [PATCH 141/412] Update acl_tokens.yml --- consul-role/tasks/acl_tokens.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/consul-role/tasks/acl_tokens.yml b/consul-role/tasks/acl_tokens.yml index dc09ecb..cfb92cb 100644 --- a/consul-role/tasks/acl_tokens.yml +++ b/consul-role/tasks/acl_tokens.yml @@ -9,7 +9,7 @@ CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" CONSUL_HTTP_SSL_VERIFY: "false" - #CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt" + CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt" #################################### # Agent Token From 8f6d3be105f60a26e5dbad7f02768e5d096d1a9a Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Tue, 10 Mar 2026 16:40:13 +0530 Subject: [PATCH 142/412] Update rbac.yml --- consul-role/tasks/rbac.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/consul-role/tasks/rbac.yml b/consul-role/tasks/rbac.yml index d24f46f..cd4366f 100644 --- a/consul-role/tasks/rbac.yml +++ b/consul-role/tasks/rbac.yml @@ -13,7 +13,7 @@ environment: &consul_env CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" - #CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt" + CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt" CONSUL_HTTP_SSL_VERIFY: "false" - name: Create read policy From 59bd8382033cbf9cd7fc1b54e7a6c9177c7de02d Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Tue, 10 Mar 2026 16:54:05 +0530 Subject: [PATCH 143/412] Update acl_policies.yml --- consul-role/tasks/acl_policies.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/consul-role/tasks/acl_policies.yml b/consul-role/tasks/acl_policies.yml index f1e8ca3..bd9234a 100644 --- a/consul-role/tasks/acl_policies.yml +++ b/consul-role/tasks/acl_policies.yml 
@@ -18,6 +18,8 @@ CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt" + CONSUL_CLIENT_CERT: "{{ consul_config_dir }}/certs/tls.crt" + CONSUL_CLIENT_KEY: "{{ consul_config_dir }}/certs/tls.key" CONSUL_HTTP_SSL_VERIFY: "false" - name: Create Consul policies From 0c8301e870f95fbebb8340fc26cbbe13e841a82e Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Tue, 10 Mar 2026 17:05:43 +0530 Subject: [PATCH 144/412] Update acl_policies.yml --- consul-role/tasks/acl_policies.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/consul-role/tasks/acl_policies.yml b/consul-role/tasks/acl_policies.yml index bd9234a..79afd93 100644 --- a/consul-role/tasks/acl_policies.yml +++ b/consul-role/tasks/acl_policies.yml @@ -13,6 +13,7 @@ ansible.builtin.command: consul acl policy list register: existing_policies run_once: true + become: true changed_when: false environment: &consul_env CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" From c6580255ca707b3bfd67026f0469e0a286f6122b Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Tue, 10 Mar 2026 17:12:05 +0530 Subject: [PATCH 145/412] Update acl_policies.yml --- consul-role/tasks/acl_policies.yml | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/consul-role/tasks/acl_policies.yml b/consul-role/tasks/acl_policies.yml index 79afd93..1d49c41 100644 --- a/consul-role/tasks/acl_policies.yml +++ b/consul-role/tasks/acl_policies.yml 
@@ -1,4 +1,21 @@ --- + +- name: Ensure certificate directory is accessible + ansible.builtin.file: + path: "{{ consul_config_dir }}/certs" + state: directory + mode: "0755" + become: true + +- name: Fix certificate file permissions + ansible.builtin.file: + path: "{{ consul_config_dir }}/certs/{{ item.file }}" + mode: "{{ item.mode }}" + loop: + - { file: "tls.crt", mode: "0644" } + - { file: "tls.key", mode: "0640" } + become: true + - name: Copy policy files ansible.builtin.template: src: "policies/{{ item }}.hcl.j2" @@ -9,6 +26,7 @@ - service-policy - readonly-policy + - name: List existing policies ansible.builtin.command: consul acl policy list register: existing_policies From d348d5ad8373f965048df4d953fae2f6df5337b8 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Tue, 10 Mar 2026 17:20:05 +0530 Subject: [PATCH 146/412] Update server.hcl.j2 --- consul-role/templates/server.hcl.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/consul-role/templates/server.hcl.j2 b/consul-role/templates/server.hcl.j2 index 6d68cee..4fe8bdf 100644 --- a/consul-role/templates/server.hcl.j2 +++ b/consul-role/templates/server.hcl.j2 @@ -48,9 +48,9 @@ tls { verify_incoming_rpc = true - verify_outgoing = true + verify_outgoing = false - verify_server_hostname = true + #verify_server_hostname = true } From 6142d9d336d4e919d84473c4613265d51c7f407c Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Tue, 10 Mar 2026 17:30:49 +0530 Subject: [PATCH 147/412] Update acl_policies.yml --- consul-role/tasks/acl_policies.yml | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/consul-role/tasks/acl_policies.yml b/consul-role/tasks/acl_policies.yml index 1d49c41..475f12c 100644 --- a/consul-role/tasks/acl_policies.yml +++ b/consul-role/tasks/acl_policies.yml 
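Review bot: The two permission tasks set `mode` but no `owner`/`group`, so `tls.key` at `"0640"` stays readable only by whatever user and group currently own it; if the agent runs as a dedicated consul user (the service unit is not in this chunk) it may lose access to the key while the CLI run under `become: true` keeps it. Add explicit `owner`/`group` matching the service user, and consider `mode: "0600"` if only that user needs the key. These tasks also sit in `acl_policies.yml` rather than alongside the tasks that place the certificates, which scatters ownership decisions across files.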
@@ -39,7 +39,14 @@ CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt" CONSUL_CLIENT_CERT: "{{ consul_config_dir }}/certs/tls.crt" CONSUL_CLIENT_KEY: "{{ consul_config_dir }}/certs/tls.key" - CONSUL_HTTP_SSL_VERIFY: "false" + #CONSUL_HTTP_SSL_VERIFY: "false" + + # KEY FIX: This ensures TLS remains secure by verifying the + # server's identity against the DNS name in the certificate. + CONSUL_TLS_SERVER_NAME: "opstree.dev" + + # We set this to true to enforce security now that we have the server name fix + CONSUL_HTTP_SSL_VERIFY: "true" - name: Create Consul policies ansible.builtin.command: > From 1972deab5206fedad675ed7a585d0a4ce860b375 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Tue, 10 Mar 2026 17:33:30 +0530 Subject: [PATCH 148/412] Update acl_tokens.yml --- consul-role/tasks/acl_tokens.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/consul-role/tasks/acl_tokens.yml b/consul-role/tasks/acl_tokens.yml index cfb92cb..8933de9 100644 --- a/consul-role/tasks/acl_tokens.yml +++ b/consul-role/tasks/acl_tokens.yml @@ -8,7 +8,7 @@ environment: &consul_env CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" - CONSUL_HTTP_SSL_VERIFY: "false" + CONSUL_HTTP_SSL_VERIFY: "true" CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt" #################################### From 4f0aee9fe5118c8b687d76bff0dda1acbc361739 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Tue, 10 Mar 2026 17:34:21 +0530 Subject: [PATCH 149/412] Update acl.yml --- consul-role/tasks/acl.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/consul-role/tasks/acl.yml b/consul-role/tasks/acl.yml index 9ab31dc..bc1ea8b 100644 --- a/consul-role/tasks/acl.yml +++ b/consul-role/tasks/acl.yml 
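Review bot: `CONSUL_TLS_SERVER_NAME: "opstree.dev"` does not verify "the server's identity against the DNS name in the certificate" in the per-node sense the comment claims — it tells the client to accept any certificate valid for the apex name, whichever host answers at `consul_bind_addr`, and it only works if the certificate's SANs actually include `opstree.dev` (not visible in this chunk). Re-enabling `CONSUL_HTTP_SSL_VERIFY: "true"` is the right direction; the more precise form is to give the CLI the node's own name (the `current_node_fqdn` helper removed in PATCH 132) or an IP SAN, so a certificate for one node cannot stand in for another. The commented-out `#CONSUL_HTTP_SSL_VERIFY: "false"` line should be dropped rather than kept as an inline toggle. The `&consul_env` anchor declared just above this hunk is presumably reused by the later tasks, so the change applies to every ACL call in the file.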
@@ -37,7 +37,7 @@ when: consul_master_token is not defined or consul_master_token == "" environment: CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" - CONSUL_HTTP_SSL_VERIFY: "false" + CONSUL_HTTP_SSL_VERIFY: "true" #CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt" - name: Extract new token from bootstrap output From e4ce0ea61af8239fef43861929408e427d3ccc0b Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Tue, 10 Mar 2026 17:35:34 +0530 Subject: [PATCH 150/412] Update rbac.yml --- consul-role/tasks/rbac.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/consul-role/tasks/rbac.yml b/consul-role/tasks/rbac.yml index cd4366f..7b068bf 100644 --- a/consul-role/tasks/rbac.yml +++ b/consul-role/tasks/rbac.yml @@ -14,7 +14,7 @@ CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt" - CONSUL_HTTP_SSL_VERIFY: "false" + CONSUL_HTTP_SSL_VERIFY: "true" - name: Create read policy ansible.builtin.command: > From 08dba485faad2c4528211ea3bc6aac76ea7917c6 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Tue, 10 Mar 2026 22:28:58 +0530 Subject: [PATCH 151/412] Update acl.yml --- consul-role/tasks/acl.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/consul-role/tasks/acl.yml b/consul-role/tasks/acl.yml index bc1ea8b..9ab31dc 100644 --- a/consul-role/tasks/acl.yml +++ b/consul-role/tasks/acl.yml @@ -37,7 +37,7 @@ when: consul_master_token is not defined or consul_master_token == "" environment: CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" - CONSUL_HTTP_SSL_VERIFY: "true" + CONSUL_HTTP_SSL_VERIFY: "false" #CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt" - name: Extract new token from bootstrap output From e4e66f211d59a73063c9fa78e33a9ec2d21e13af Mon Sep 17 00:00:00 2001 
From: AnithaAnnem Date: Tue, 10 Mar 2026 22:29:46 +0530 Subject: [PATCH 152/412] Update acl_policies.yml --- consul-role/tasks/acl_policies.yml | 13 ++----------- 1 file changed, 2 insertions(+), 11 deletions(-) diff --git a/consul-role/tasks/acl_policies.yml b/consul-role/tasks/acl_policies.yml index 475f12c..c6709fd 100644 --- a/consul-role/tasks/acl_policies.yml +++ b/consul-role/tasks/acl_policies.yml @@ -36,17 +36,8 @@ environment: &consul_env CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" - CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt" - CONSUL_CLIENT_CERT: "{{ consul_config_dir }}/certs/tls.crt" - CONSUL_CLIENT_KEY: "{{ consul_config_dir }}/certs/tls.key" - #CONSUL_HTTP_SSL_VERIFY: "false" - - # KEY FIX: This ensures TLS remains secure by verifying the - # server's identity against the DNS name in the certificate. - CONSUL_TLS_SERVER_NAME: "opstree.dev" - - # We set this to true to enforce security now that we have the server name fix - CONSUL_HTTP_SSL_VERIFY: "true" + CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt" + CONSUL_HTTP_SSL_VERIFY: "false" - name: Create Consul policies ansible.builtin.command: > From 021f9c8568fa51f2d091a19060442921c905ee6a Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Tue, 10 Mar 2026 22:30:10 +0530 Subject: [PATCH 153/412] Update acl_tokens.yml --- consul-role/tasks/acl_tokens.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/consul-role/tasks/acl_tokens.yml b/consul-role/tasks/acl_tokens.yml index 8933de9..cfb92cb 100644 --- a/consul-role/tasks/acl_tokens.yml +++ b/consul-role/tasks/acl_tokens.yml @@ -8,7 +8,7 @@ environment: &consul_env CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" - CONSUL_HTTP_SSL_VERIFY: "true" + CONSUL_HTTP_SSL_VERIFY: "false" CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt" #################################### 
From 04e4dd58b5562c5cd252df37f3e9cbe73056c8e0 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Tue, 10 Mar 2026 22:44:01 +0530 Subject: [PATCH 154/412] Update rbac.yml --- consul-role/tasks/rbac.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/consul-role/tasks/rbac.yml b/consul-role/tasks/rbac.yml index 7b068bf..cd4366f 100644 --- a/consul-role/tasks/rbac.yml +++ b/consul-role/tasks/rbac.yml @@ -14,7 +14,7 @@ CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt" - CONSUL_HTTP_SSL_VERIFY: "true" + CONSUL_HTTP_SSL_VERIFY: "false" - name: Create read policy ansible.builtin.command: > From 5a06196ac71d70ad018a96888a8b3eba4f3b783b Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Tue, 10 Mar 2026 22:44:57 +0530 Subject: [PATCH 155/412] Update server.hcl.j2 --- consul-role/templates/server.hcl.j2 | 8 -------- 1 file changed, 8 deletions(-) diff --git a/consul-role/templates/server.hcl.j2 b/consul-role/templates/server.hcl.j2 index 4fe8bdf..244a608 100644 --- a/consul-role/templates/server.hcl.j2 +++ b/consul-role/templates/server.hcl.j2 @@ -40,17 +40,9 @@ tls { ca_file = "{{ consul_config_dir }}/certs/tls.crt" cert_file = "{{ consul_config_dir }}/certs/tls.crt" key_file = "{{ consul_config_dir }}/certs/tls.key" - - # This allows the browser to reach the "Login" page verify_incoming = false - - # This keeps the backend server-to-server traffic secure - verify_incoming_rpc = true - - verify_outgoing = false - #verify_server_hostname = true } From 20f60377841066d45611a47930bb1c01fb03cbd6 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Tue, 10 Mar 2026 23:18:23 +0530 Subject: [PATCH 156/412] Update server.hcl.j2 --- consul-role/templates/server.hcl.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/consul-role/templates/server.hcl.j2 b/consul-role/templates/server.hcl.j2 index 244a608..b33bb0e 100644 
--- a/consul-role/templates/server.hcl.j2 +++ b/consul-role/templates/server.hcl.j2 @@ -40,8 +40,8 @@ tls { ca_file = "{{ consul_config_dir }}/certs/tls.crt" cert_file = "{{ consul_config_dir }}/certs/tls.crt" key_file = "{{ consul_config_dir }}/certs/tls.key" - verify_incoming = false - verify_outgoing = false + verify_incoming = true + verify_outgoing = true From 9aff8581f2b24a17724d2a7dbc2a5f64c0247ed3 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Tue, 10 Mar 2026 23:18:55 +0530 Subject: [PATCH 157/412] Update server.hcl.j2 --- consul-role/templates/server.hcl.j2 | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/consul-role/templates/server.hcl.j2 b/consul-role/templates/server.hcl.j2 index b33bb0e..3c69208 100644 --- a/consul-role/templates/server.hcl.j2 +++ b/consul-role/templates/server.hcl.j2 @@ -43,6 +43,12 @@ tls { verify_incoming = true verify_outgoing = true + https { + # Setting this to false allows your browser to connect + # without you needing to install a client cert in the browser, + # but the connection itself remains encrypted. + verify_incoming = false + } From 56c2829e0ad6a11a153016477eb66550da149c74 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Tue, 10 Mar 2026 23:20:05 +0530 Subject: [PATCH 158/412] Update acl.yml --- consul-role/tasks/acl.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/consul-role/tasks/acl.yml b/consul-role/tasks/acl.yml index 9ab31dc..bc1ea8b 100644 --- a/consul-role/tasks/acl.yml +++ b/consul-role/tasks/acl.yml @@ -37,7 +37,7 @@ when: consul_master_token is not defined or consul_master_token == "" environment: CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" - CONSUL_HTTP_SSL_VERIFY: "false" + CONSUL_HTTP_SSL_VERIFY: "true" #CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt" - name: Extract new token from bootstrap output From efadd9409c719125ddff2d036913029e8d310abf Mon Sep 17 00:00:00 2001 
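Review bot: The `https { verify_incoming = false }` override is the right shape for browser access, but the `verify_server_hostname = true` protection dropped in PATCH 155 is not restored, so with `verify_outgoing = true` a peer is only checked to be CA-signed, not to be a server, and any agent certificate from the same CA can impersonate a server to this node. Add `internal_rpc { verify_server_hostname = true }`; this requires server certificates issued for `server.<datacenter>.consul`, which the single shared `tls.crt` used on every node may not carry — confirm the SANs before enabling. The enclosing `tls` block is closed outside the hunk.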
From: AnithaAnnem Date: Tue, 10 Mar 2026 23:20:21 +0530 Subject: [PATCH 159/412] Update acl_policies.yml --- consul-role/tasks/acl_policies.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/consul-role/tasks/acl_policies.yml b/consul-role/tasks/acl_policies.yml index c6709fd..810f584 100644 --- a/consul-role/tasks/acl_policies.yml +++ b/consul-role/tasks/acl_policies.yml @@ -37,7 +37,7 @@ CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt" - CONSUL_HTTP_SSL_VERIFY: "false" + CONSUL_HTTP_SSL_VERIFY: "true" - name: Create Consul policies ansible.builtin.command: > From 427369f1dcc91bc18ed67a098f8b11af549da2f8 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Tue, 10 Mar 2026 23:20:36 +0530 Subject: [PATCH 160/412] Update acl_tokens.yml --- consul-role/tasks/acl_tokens.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/consul-role/tasks/acl_tokens.yml b/consul-role/tasks/acl_tokens.yml index cfb92cb..8933de9 100644 --- a/consul-role/tasks/acl_tokens.yml +++ b/consul-role/tasks/acl_tokens.yml @@ -8,7 +8,7 @@ environment: &consul_env CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" - CONSUL_HTTP_SSL_VERIFY: "false" + CONSUL_HTTP_SSL_VERIFY: "true" CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt" #################################### From a6c91798e1003dea908734ae18d3d26dfa907cff Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Tue, 10 Mar 2026 23:20:54 +0530 Subject: [PATCH 161/412] Update rbac.yml --- consul-role/tasks/rbac.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/consul-role/tasks/rbac.yml b/consul-role/tasks/rbac.yml index cd4366f..7b068bf 100644 --- a/consul-role/tasks/rbac.yml +++ b/consul-role/tasks/rbac.yml 
@@ -14,7 +14,7 @@ CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt" - CONSUL_HTTP_SSL_VERIFY: "false" + CONSUL_HTTP_SSL_VERIFY: "true" - name: Create read policy ansible.builtin.command: > From 46e8ccf38fe44bb1c0cafe03a7936c66dc52fd76 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Tue, 10 Mar 2026 23:29:25 +0530 Subject: [PATCH 162/412] Update server.hcl.j2 --- consul-role/templates/server.hcl.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/consul-role/templates/server.hcl.j2 b/consul-role/templates/server.hcl.j2 index 3c69208..2c12304 100644 --- a/consul-role/templates/server.hcl.j2 +++ b/consul-role/templates/server.hcl.j2 @@ -35,7 +35,7 @@ ports { https = 8501 } -tls { +{# tls { defaults { ca_file = "{{ consul_config_dir }}/certs/tls.crt" cert_file = "{{ consul_config_dir }}/certs/tls.crt" @@ -47,7 +47,7 @@ tls { # Setting this to false allows your browser to connect # without you needing to install a client cert in the browser, # but the connection itself remains encrypted. - verify_incoming = false + verify_incoming = false #} From b3fbe1f51c96adc94cb7a1c59c0205ffe703706b Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Tue, 10 Mar 2026 23:30:03 +0530 Subject: [PATCH 163/412] Update main.yml --- consul-role/tasks/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/consul-role/tasks/main.yml b/consul-role/tasks/main.yml index b1735b9..dce2fb8 100644 --- a/consul-role/tasks/main.yml +++ b/consul-role/tasks/main.yml @@ -5,8 +5,8 @@ - name: Include directory tasks ansible.builtin.include_tasks: directories.yml -- name: Include configuration tasks - ansible.builtin.include_tasks: config.yml +# - name: Include configuration tasks +# ansible.builtin.include_tasks: config.yml - name: Include service tasks ansible.builtin.include_tasks: service.yml 
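Review bot: In the second hunk of patch 162 the Jinja close marker `#}` is appended to the `verify_incoming = false` line, so the closing braces of the `https`, `defaults` and `tls` blocks that follow stay outside the comment and render as stray `}` lines in the generated HCL (the patch 173 hunk later moves `#}` below them). Putting `{#` and `#}` on lines of their own around the whole block avoids the broken render. Commenting out `tls` also leaves `https = 8501` in `ports` with no certificate configured, which presumably keeps the agent from starting until the port is changed. The `tls` block opens in the first hunk of this patch.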
From ef015cc8bf995c96df6992f0a8a591690182aef1 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Tue, 10 Mar 2026 23:31:01 +0530 Subject: [PATCH 164/412] Update rbac.yml --- consul-role/tasks/rbac.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/consul-role/tasks/rbac.yml b/consul-role/tasks/rbac.yml index 7b068bf..c1e29f9 100644 --- a/consul-role/tasks/rbac.yml +++ b/consul-role/tasks/rbac.yml @@ -11,10 +11,10 @@ changed_when: false run_once: true environment: &consul_env - CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" + CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8500" CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" - CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt" - CONSUL_HTTP_SSL_VERIFY: "true" + # CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt" + # CONSUL_HTTP_SSL_VERIFY: "true" - name: Create read policy ansible.builtin.command: > From 5cb31db51f380ee3ee37ebf366d714c35d80181b Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Tue, 10 Mar 2026 23:31:53 +0530 Subject: [PATCH 165/412] Update acl.yml --- consul-role/tasks/acl.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/consul-role/tasks/acl.yml b/consul-role/tasks/acl.yml index bc1ea8b..390cc82 100644 --- a/consul-role/tasks/acl.yml +++ b/consul-role/tasks/acl.yml @@ -36,8 +36,8 @@ failed_when: false when: consul_master_token is not defined or consul_master_token == "" environment: - CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" - CONSUL_HTTP_SSL_VERIFY: "true" + CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8500" + #CONSUL_HTTP_SSL_VERIFY: "true" #CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt" - name: Extract new token from bootstrap output From 6a0489cf9ed258eb76e54097e7684edacbe73188 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Tue, 10 Mar 2026 23:32:16 +0530 Subject: [PATCH 166/412] Update acl_policies.yml --- consul-role/tasks/acl_policies.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/consul-role/tasks/acl_policies.yml b/consul-role/tasks/acl_policies.yml index 810f584..f7d1b28 100644 --- a/consul-role/tasks/acl_policies.yml +++ b/consul-role/tasks/acl_policies.yml @@ -34,10 +34,10 @@ become: true changed_when: false environment: &consul_env - CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" + CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8500" CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" - CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt" - CONSUL_HTTP_SSL_VERIFY: "true" + # CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt" + # CONSUL_HTTP_SSL_VERIFY: "true" - name: Create Consul policies ansible.builtin.command: > From cb1af4307fa304b7cd146c653389fc7402f3832f Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Tue, 10 Mar 2026 23:32:39 +0530 Subject: [PATCH 167/412] Update acl_tokens.yml --- consul-role/tasks/acl_tokens.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/consul-role/tasks/acl_tokens.yml b/consul-role/tasks/acl_tokens.yml index 8933de9..79002af 100644 --- a/consul-role/tasks/acl_tokens.yml +++ b/consul-role/tasks/acl_tokens.yml @@ -6,10 +6,10 @@ changed_when: false run_once: true environment: &consul_env - CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" + CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8500" CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" - CONSUL_HTTP_SSL_VERIFY: "true" - CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt" + # CONSUL_HTTP_SSL_VERIFY: "true" + # CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt" #################################### # Agent Token From 9e8dc38e2985e4a5320d29a8f3f15cc9115723e9 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Tue, 10 Mar 2026 23:37:54 +0530 Subject: [PATCH 168/412] Update acl.yml --- consul-role/tasks/acl.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/consul-role/tasks/acl.yml b/consul-role/tasks/acl.yml index 390cc82..8045e6a 100644 --- a/consul-role/tasks/acl.yml 
+++ b/consul-role/tasks/acl.yml @@ -36,7 +36,7 @@ failed_when: false when: consul_master_token is not defined or consul_master_token == "" environment: - CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8500" + CONSUL_HTTP_ADDR: "http://{{ consul_bind_addr }}:8500" #CONSUL_HTTP_SSL_VERIFY: "true" #CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt" From db8d88ab7c433ec4202816e7001a16fd56fc7c11 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Tue, 10 Mar 2026 23:38:16 +0530 Subject: [PATCH 169/412] Update acl_policies.yml --- consul-role/tasks/acl_policies.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/consul-role/tasks/acl_policies.yml b/consul-role/tasks/acl_policies.yml index f7d1b28..c48e4ba 100644 --- a/consul-role/tasks/acl_policies.yml +++ b/consul-role/tasks/acl_policies.yml @@ -34,7 +34,7 @@ become: true changed_when: false environment: &consul_env - CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8500" + CONSUL_HTTP_ADDR: "http://{{ consul_bind_addr }}:8500" CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" # CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt" # CONSUL_HTTP_SSL_VERIFY: "true" From 49c81042f7c4c1ee83288c5f2175ada7ecaacdc5 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Tue, 10 Mar 2026 23:39:16 +0530 Subject: [PATCH 170/412] Update acl_tokens.yml --- consul-role/tasks/acl_tokens.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/consul-role/tasks/acl_tokens.yml b/consul-role/tasks/acl_tokens.yml index 79002af..f26a384 100644 --- a/consul-role/tasks/acl_tokens.yml +++ b/consul-role/tasks/acl_tokens.yml @@ -6,7 +6,7 @@ changed_when: false run_once: true environment: &consul_env - CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8500" + CONSUL_HTTP_ADDR: "http://{{ consul_bind_addr }}:8500" CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" # CONSUL_HTTP_SSL_VERIFY: "true" # CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt" From 8813fcfb1d03d26f55ddb8c1d30f4f8a9cb5ad91 Mon Sep 17 00:00:00 2001 
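Review bot: `CONSUL_HTTP_ADDR` now uses `http://` on 8500, so the bootstrap call and, in the acl_policies.yml and acl_tokens.yml hunks on this line and rbac.yml in patch 171, `CONSUL_HTTP_TOKEN` — the management token — plus every policy and token body travel in cleartext to `{{ consul_bind_addr }}`; patch 172 opens the matching plaintext listener on the server. Anything on the path between the controller and the node can read and reuse that token. If plain HTTP is needed for bring-up, point it at loopback rather than the bind address, and return to `https://{{ consul_bind_addr }}:8501` with `CONSUL_CACERT` set once the TLS listener is up. The enclosing task starts outside the hunk.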
From: AnithaAnnem Date: Tue, 10 Mar 2026 23:39:28 +0530 Subject: [PATCH 171/412] Update rbac.yml --- consul-role/tasks/rbac.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/consul-role/tasks/rbac.yml b/consul-role/tasks/rbac.yml index c1e29f9..62c021e 100644 --- a/consul-role/tasks/rbac.yml +++ b/consul-role/tasks/rbac.yml @@ -11,7 +11,7 @@ changed_when: false run_once: true environment: &consul_env - CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8500" + CONSUL_HTTP_ADDR: "http://{{ consul_bind_addr }}:8500" CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" # CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt" # CONSUL_HTTP_SSL_VERIFY: "true" From 61f9b268c865d11976a82e1f8587c46a5836b970 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Tue, 10 Mar 2026 23:40:04 +0530 Subject: [PATCH 172/412] Update server.hcl.j2 --- consul-role/templates/server.hcl.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/consul-role/templates/server.hcl.j2 b/consul-role/templates/server.hcl.j2 index 2c12304..f2437c1 100644 --- a/consul-role/templates/server.hcl.j2 +++ b/consul-role/templates/server.hcl.j2 @@ -31,8 +31,8 @@ acl { } ports { - http = -1 - https = 8501 + http = 8500 + https = -1 } {# tls { From d27f8766a26589a1928a5e0b26dcb958476bb9e3 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Tue, 10 Mar 2026 23:51:13 +0530 Subject: [PATCH 173/412] Update server.hcl.j2 --- consul-role/templates/server.hcl.j2 | 13 +++++-------- 1 file changed, 5 insertions(+), 8 deletions(-) diff --git a/consul-role/templates/server.hcl.j2 b/consul-role/templates/server.hcl.j2 index f2437c1..cf83b48 100644 --- a/consul-role/templates/server.hcl.j2 +++ b/consul-role/templates/server.hcl.j2 @@ -35,7 +35,8 @@ ports { https = -1 } -{# tls { +{# +tls { defaults { ca_file = "{{ consul_config_dir }}/certs/tls.crt" cert_file = "{{ consul_config_dir }}/certs/tls.crt" 
@@ -44,12 +45,8 @@ ports { verify_outgoing = true https { - # Setting this to false allows your browser to connect - # without you needing to install a client cert in the browser, - # but the connection itself remains encrypted. - verify_incoming = false #} - - - + verify_incoming = false + } } } +#} From c7ce2ee380344d42baf2f6e68a9cbc55eda73fea Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Tue, 10 Mar 2026 23:55:43 +0530 Subject: [PATCH 174/412] Update server.hcl.j2 --- consul-role/templates/server.hcl.j2 | 15 --------------- 1 file changed, 15 deletions(-) diff --git a/consul-role/templates/server.hcl.j2 b/consul-role/templates/server.hcl.j2 index cf83b48..20f9a11 100644 --- a/consul-role/templates/server.hcl.j2 +++ b/consul-role/templates/server.hcl.j2 @@ -35,18 +35,3 @@ ports { https = -1 } -{# -tls { - defaults { - ca_file = "{{ consul_config_dir }}/certs/tls.crt" - cert_file = "{{ consul_config_dir }}/certs/tls.crt" - key_file = "{{ consul_config_dir }}/certs/tls.key" - verify_incoming = true - verify_outgoing = true - - https { - verify_incoming = false - } - } -} -#} From a0f178bd85879e3d075184912566757be2f17d63 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Tue, 10 Mar 2026 23:56:21 +0530 Subject: [PATCH 175/412] Update acl.yml --- consul-role/tasks/acl.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/consul-role/tasks/acl.yml b/consul-role/tasks/acl.yml index 8045e6a..4a95a3a 100644 --- a/consul-role/tasks/acl.yml +++ b/consul-role/tasks/acl.yml @@ -1,8 +1,8 @@ --- -- name: Wait for Consul HTTPS API +- name: Wait for Consul HTTP API ansible.builtin.wait_for: host: "{{ consul_bind_addr }}" - port: 8501 + port: 8500 delay: 5 timeout: 60 From c17397b76d852f9589c49c9bc6fa524a469143ac Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Wed, 11 Mar 2026 00:03:54 +0530 Subject: [PATCH 176/412] Update server.hcl.j2 --- consul-role/templates/server.hcl.j2 | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) 
diff --git a/consul-role/templates/server.hcl.j2 b/consul-role/templates/server.hcl.j2 index 20f9a11..982c7f7 100644 --- a/consul-role/templates/server.hcl.j2 +++ b/consul-role/templates/server.hcl.j2 @@ -1,6 +1,6 @@ node_name = "{{ consul_node_name }}" bind_addr = "{{ consul_bind_addr }}" -client_addr = "{{ consul_client_addr }}" +client_addr = "0.0.0.0" data_dir = "{{ consul_data_dir }}" encrypt = "{{ consul_gossip_key }}" @@ -34,4 +34,3 @@ ports { http = 8500 https = -1 } - From 81e618584d2c09303c732be5ff31071ab7eab663 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Wed, 11 Mar 2026 00:19:58 +0530 Subject: [PATCH 177/412] Update acl.yml --- consul-role/tasks/acl.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/consul-role/tasks/acl.yml b/consul-role/tasks/acl.yml index 4a95a3a..57ea7b4 100644 --- a/consul-role/tasks/acl.yml +++ b/consul-role/tasks/acl.yml @@ -1,8 +1,8 @@ --- -- name: Wait for Consul HTTP API +- name: Wait for Consul HTTPs API ansible.builtin.wait_for: host: "{{ consul_bind_addr }}" - port: 8500 + port: 8501 delay: 5 timeout: 60 @@ -36,9 +36,9 @@ failed_when: false when: consul_master_token is not defined or consul_master_token == "" environment: - CONSUL_HTTP_ADDR: "http://{{ consul_bind_addr }}:8500" - #CONSUL_HTTP_SSL_VERIFY: "true" - #CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt" + CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" + CONSUL_HTTP_SSL_VERIFY: "true" + CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt" - name: Extract new token from bootstrap output ansible.builtin.set_fact: From 25a212e0a4e24711aa7a9cbf0d7eb465ad801a19 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Wed, 11 Mar 2026 00:20:28 +0530 Subject: [PATCH 178/412] Update acl_policies.yml --- consul-role/tasks/acl_policies.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/consul-role/tasks/acl_policies.yml b/consul-role/tasks/acl_policies.yml index c48e4ba..810f584 100644 
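Review bot: `client_addr = "0.0.0.0"` is hard-coded in place of `{{ consul_client_addr }}`, so the HTTP API and DNS listeners bind on every interface of every host the role manages and the setting can no longer be overridden from inventory; at this point in the history the API is also plain HTTP on 8500 (patch 172), so the ACL endpoints are reachable unencrypted from any network the host sits on. Keep the variable and change its default instead, `client_addr = "{{ consul_client_addr }}"`, so a deployment can restrict it to the bind address or loopback. The second hunk of this patch only drops a trailing blank line.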
--- a/consul-role/tasks/acl_policies.yml +++ b/consul-role/tasks/acl_policies.yml @@ -34,10 +34,10 @@ become: true changed_when: false environment: &consul_env - CONSUL_HTTP_ADDR: "http://{{ consul_bind_addr }}:8500" + CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" - # CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt" - # CONSUL_HTTP_SSL_VERIFY: "true" + CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt" + CONSUL_HTTP_SSL_VERIFY: "true" - name: Create Consul policies ansible.builtin.command: > From b53f0664306f8cca613e4d8f1d90ff273f68c6ae Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Wed, 11 Mar 2026 00:20:52 +0530 Subject: [PATCH 179/412] Update acl_tokens.yml --- consul-role/tasks/acl_tokens.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/consul-role/tasks/acl_tokens.yml b/consul-role/tasks/acl_tokens.yml index f26a384..8933de9 100644 --- a/consul-role/tasks/acl_tokens.yml +++ b/consul-role/tasks/acl_tokens.yml @@ -6,10 +6,10 @@ changed_when: false run_once: true environment: &consul_env - CONSUL_HTTP_ADDR: "http://{{ consul_bind_addr }}:8500" + CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" - # CONSUL_HTTP_SSL_VERIFY: "true" - # CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt" + CONSUL_HTTP_SSL_VERIFY: "true" + CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt" #################################### # Agent Token From ed1f50bab30dc4eb5262808f27ee54608caf9a05 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Wed, 11 Mar 2026 00:21:18 +0530 Subject: [PATCH 180/412] Update rbac.yml --- consul-role/tasks/rbac.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/consul-role/tasks/rbac.yml b/consul-role/tasks/rbac.yml index 62c021e..7b068bf 100644 --- a/consul-role/tasks/rbac.yml +++ b/consul-role/tasks/rbac.yml 
@@ -11,10 +11,10 @@ changed_when: false run_once: true environment: &consul_env - CONSUL_HTTP_ADDR: "http://{{ consul_bind_addr }}:8500" + CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" - # CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt" - # CONSUL_HTTP_SSL_VERIFY: "true" + CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt" + CONSUL_HTTP_SSL_VERIFY: "true" - name: Create read policy ansible.builtin.command: > From f2194cfb2635f3ff221779d96f656c038027c6c1 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Wed, 11 Mar 2026 00:21:40 +0530 Subject: [PATCH 181/412] Update main.yml --- consul-role/tasks/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/consul-role/tasks/main.yml b/consul-role/tasks/main.yml index dce2fb8..b1735b9 100644 --- a/consul-role/tasks/main.yml +++ b/consul-role/tasks/main.yml @@ -5,8 +5,8 @@ - name: Include directory tasks ansible.builtin.include_tasks: directories.yml -# - name: Include configuration tasks -# ansible.builtin.include_tasks: config.yml +- name: Include configuration tasks + ansible.builtin.include_tasks: config.yml - name: Include service tasks ansible.builtin.include_tasks: service.yml From 7e52d2b85c6af6a6c72d281c28424b5cbbfe9a9a Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Wed, 11 Mar 2026 00:23:20 +0530 Subject: [PATCH 182/412] Update server.hcl.j2 --- consul-role/templates/server.hcl.j2 | 19 +++++++++++++++++-- 1 file changed, 17 insertions(+), 2 deletions(-) diff --git a/consul-role/templates/server.hcl.j2 b/consul-role/templates/server.hcl.j2 index 982c7f7..d1b666a 100644 --- a/consul-role/templates/server.hcl.j2 +++ b/consul-role/templates/server.hcl.j2 
@@ -31,6 +31,21 @@ acl { } ports { - http = 8500 - https = -1 + http = -1 + https = 8500 +} + +tls { + defaults { + ca_file = "{{ consul_config_dir }}/certs/tls.crt" + cert_file = "{{ consul_config_dir }}/certs/tls.crt" + key_file = "{{ consul_config_dir }}/certs/tls.key" + + verify_incoming = true + verify_outgoing = true + } + + https { + verify_incoming = false + } } From 185f068dfce1041375a022cfb175de723eac0086 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Wed, 11 Mar 2026 00:31:24 +0530 Subject: [PATCH 183/412] Update server.hcl.j2 --- consul-role/templates/server.hcl.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/consul-role/templates/server.hcl.j2 b/consul-role/templates/server.hcl.j2 index d1b666a..23ab958 100644 --- a/consul-role/templates/server.hcl.j2 +++ b/consul-role/templates/server.hcl.j2 @@ -32,7 +32,7 @@ acl { ports { http = -1 - https = 8500 + https = 8501 } tls { From 5ff4caa7b942ccdf8b15f1f89843caf636598faf Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Wed, 11 Mar 2026 00:42:53 +0530 Subject: [PATCH 184/412] Update server.hcl.j2 --- consul-role/templates/server.hcl.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/consul-role/templates/server.hcl.j2 b/consul-role/templates/server.hcl.j2 index 23ab958..99cbe7e 100644 --- a/consul-role/templates/server.hcl.j2 +++ b/consul-role/templates/server.hcl.j2 @@ -41,8 +41,8 @@ tls { cert_file = "{{ consul_config_dir }}/certs/tls.crt" key_file = "{{ consul_config_dir }}/certs/tls.key" - verify_incoming = true - verify_outgoing = true + verify_incoming = false + verify_outgoing = false } https { From 258a0454f93f4273ee4c88118f25c3e832c640d5 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Wed, 11 Mar 2026 00:43:10 +0530 Subject: [PATCH 185/412] Update acl.yml --- consul-role/tasks/acl.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/consul-role/tasks/acl.yml b/consul-role/tasks/acl.yml index 57ea7b4..02f2b20 100644 
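Review bot: In the patch 184 hunk, `verify_incoming = false` and `verify_outgoing = false` in `tls.defaults` leave RPC and HTTPS encrypted but unauthenticated — agents stop checking the server certificate and servers accept any TLS peer — so the certificate files just above buy little beyond confidentiality. These flags have now been toggled in patches 156, 184 and again in 189; driving them from one role variable (an illustrative name would be `consul_tls_verify`, rendered as `verify_incoming = {{ consul_tls_verify | default(true) | lower }}`) makes the choice explicit per environment instead of a template edit. The enclosing `tls` block starts outside the hunk.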
--- a/consul-role/tasks/acl.yml +++ b/consul-role/tasks/acl.yml @@ -37,7 +37,7 @@ when: consul_master_token is not defined or consul_master_token == "" environment: CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" - CONSUL_HTTP_SSL_VERIFY: "true" + CONSUL_HTTP_SSL_VERIFY: "false" CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt" - name: Extract new token from bootstrap output From bf48dd65de7362846153a2f206c837905e6d6505 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Wed, 11 Mar 2026 00:43:23 +0530 Subject: [PATCH 186/412] Update acl_policies.yml --- consul-role/tasks/acl_policies.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/consul-role/tasks/acl_policies.yml b/consul-role/tasks/acl_policies.yml index 810f584..c6709fd 100644 --- a/consul-role/tasks/acl_policies.yml +++ b/consul-role/tasks/acl_policies.yml @@ -37,7 +37,7 @@ CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt" - CONSUL_HTTP_SSL_VERIFY: "true" + CONSUL_HTTP_SSL_VERIFY: "false" - name: Create Consul policies ansible.builtin.command: > From 5f05250911f01639481c2290975432d0bd689db8 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Wed, 11 Mar 2026 00:43:35 +0530 Subject: [PATCH 187/412] Update acl_tokens.yml --- consul-role/tasks/acl_tokens.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/consul-role/tasks/acl_tokens.yml b/consul-role/tasks/acl_tokens.yml index 8933de9..cfb92cb 100644 --- a/consul-role/tasks/acl_tokens.yml +++ b/consul-role/tasks/acl_tokens.yml @@ -8,7 +8,7 @@ environment: &consul_env CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" - CONSUL_HTTP_SSL_VERIFY: "true" + CONSUL_HTTP_SSL_VERIFY: "false" CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt" #################################### From 47cf2785474a9b9343c58691c326a8740548badb Mon Sep 17 00:00:00 2001 
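Review bot: `CONSUL_HTTP_SSL_VERIFY: "false"` disables server-certificate verification for the bootstrap call even though `CONSUL_CACERT` on the next line still points at the CA, so the management token is sent to whatever answers on `{{ consul_bind_addr }}:8501`; acl_policies.yml and acl_tokens.yml get the same change on this line, rbac.yml in patch 188, and all four are flipped back in patches 190–193. If verification fails against `tls.crt`, the fix belongs in the certificate chain (the template uses the same file as `ca_file` and `cert_file`) rather than in the client flag. Given how often this value changes, one role variable referenced from all four task files, with `"true"` as its default, would keep them consistent. The enclosing task starts outside the hunk.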
From: AnithaAnnem Date: Wed, 11 Mar 2026 00:43:50 +0530 Subject: [PATCH 188/412] Update rbac.yml --- consul-role/tasks/rbac.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/consul-role/tasks/rbac.yml b/consul-role/tasks/rbac.yml index 7b068bf..cd4366f 100644 --- a/consul-role/tasks/rbac.yml +++ b/consul-role/tasks/rbac.yml @@ -14,7 +14,7 @@ CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt" - CONSUL_HTTP_SSL_VERIFY: "true" + CONSUL_HTTP_SSL_VERIFY: "false" - name: Create read policy ansible.builtin.command: > From 08aa190946047d3231feac0ec3ae6e258ec3bda9 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Wed, 11 Mar 2026 10:28:10 +0530 Subject: [PATCH 189/412] Update server.hcl.j2 --- consul-role/templates/server.hcl.j2 | 18 +++++++++++++++--- 1 file changed, 15 insertions(+), 3 deletions(-) diff --git a/consul-role/templates/server.hcl.j2 b/consul-role/templates/server.hcl.j2 index 99cbe7e..f1696d9 100644 --- a/consul-role/templates/server.hcl.j2 +++ b/consul-role/templates/server.hcl.j2 @@ -41,11 +41,23 @@ tls { cert_file = "{{ consul_config_dir }}/certs/tls.crt" key_file = "{{ consul_config_dir }}/certs/tls.key" - verify_incoming = false - verify_outgoing = false + # CHANGE THESE TO TRUE + verify_incoming = true + verify_outgoing = true + } + + internal_rpc { + verify_server_hostname = true } https { - verify_incoming = false + # Set to true if you want the UI/API to require a client cert + # Usually kept false for browser access, but encrypted via HTTPS + verify_incoming = false } } + +# Ensure auto_encrypt is enabled if you want clients to get certs from servers +auto_encrypt { + allow_for_agents = true +} From 2949b4f8303ba2f37cb282142a0a202dfce116a0 Mon Sep 17 00:00:00 2001 
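Review bot: The comment `# CHANGE THESE TO TRUE` in the patch 189 hunk is stale — both flags under it are already `true` — and should say why they must stay that way, e.g. `# Mutual TLS on RPC: peers must present a certificate signed by ca_file`. `verify_server_hostname = true` additionally requires server certificates with a SAN of the form `server.<datacenter>.<domain>`, which the self-issued `tls.crt` used as both `ca_file` and `cert_file` presumably lacks, so RPC between agents would fail until proper server certificates are issued. `allow_for_agents` under `auto_encrypt` does not match the `auto_encrypt` option names I know of (`allow_tls` on servers, `tls` on clients); confirm it against the Consul version in use, since an unknown key would be rejected at startup. The enclosing `tls` block starts outside the hunk.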
From: AnithaAnnem Date: Wed, 11 Mar 2026 10:28:32 +0530 Subject: [PATCH 190/412] Update acl.yml --- consul-role/tasks/acl.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/consul-role/tasks/acl.yml b/consul-role/tasks/acl.yml index 02f2b20..57ea7b4 100644 --- a/consul-role/tasks/acl.yml +++ b/consul-role/tasks/acl.yml @@ -37,7 +37,7 @@ when: consul_master_token is not defined or consul_master_token == "" environment: CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" - CONSUL_HTTP_SSL_VERIFY: "false" + CONSUL_HTTP_SSL_VERIFY: "true" CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt" - name: Extract new token from bootstrap output From 2833680487d623f2fb3d0939bbb78c4ec7d36736 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Wed, 11 Mar 2026 10:28:46 +0530 Subject: [PATCH 191/412] Update acl_policies.yml --- consul-role/tasks/acl_policies.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/consul-role/tasks/acl_policies.yml b/consul-role/tasks/acl_policies.yml index c6709fd..810f584 100644 --- a/consul-role/tasks/acl_policies.yml +++ b/consul-role/tasks/acl_policies.yml @@ -37,7 +37,7 @@ CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt" - CONSUL_HTTP_SSL_VERIFY: "false" + CONSUL_HTTP_SSL_VERIFY: "true" - name: Create Consul policies ansible.builtin.command: > From 043f37e87674749316bdaa2291ca42f1a428e1b6 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Wed, 11 Mar 2026 10:28:58 +0530 Subject: [PATCH 192/412] Update acl_tokens.yml --- consul-role/tasks/acl_tokens.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/consul-role/tasks/acl_tokens.yml b/consul-role/tasks/acl_tokens.yml index cfb92cb..8933de9 100644 --- a/consul-role/tasks/acl_tokens.yml +++ b/consul-role/tasks/acl_tokens.yml 
@@ -8,7 +8,7 @@ environment: &consul_env CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" - CONSUL_HTTP_SSL_VERIFY: "false" + CONSUL_HTTP_SSL_VERIFY: "true" CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt" #################################### From fa5e1621ea18703bd2287e135df4fe0ef14e925a Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Wed, 11 Mar 2026 10:29:12 +0530 Subject: [PATCH 193/412] Update rbac.yml --- consul-role/tasks/rbac.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/consul-role/tasks/rbac.yml b/consul-role/tasks/rbac.yml index cd4366f..7b068bf 100644 --- a/consul-role/tasks/rbac.yml +++ b/consul-role/tasks/rbac.yml @@ -14,7 +14,7 @@ CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt" - CONSUL_HTTP_SSL_VERIFY: "false" + CONSUL_HTTP_SSL_VERIFY: "true" - name: Create read policy ansible.builtin.command: > From 97c4d4debb20c1c994f766586ac3a8ea997e0daf Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Wed, 11 Mar 2026 14:56:27 +0530 Subject: [PATCH 194/412] Update and rename tls.crt to consul-agent-ca.pem --- consul-role/files/consul-agent-ca.pem | 18 +++ consul-role/files/tls.crt | 151 -------------------------- 2 files changed, 18 insertions(+), 151 deletions(-) create mode 100644 consul-role/files/consul-agent-ca.pem delete mode 100644 consul-role/files/tls.crt diff --git a/consul-role/files/consul-agent-ca.pem b/consul-role/files/consul-agent-ca.pem new file mode 100644 index 0000000..3437125 --- /dev/null +++ b/consul-role/files/consul-agent-ca.pem 
@@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC7TCCApSgAwIBAgIRAK4GgQsx3X3bDBHnyJDAb5owCgYIKoZIzj0EAwIwgbkx +CzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNj +bzEaMBgGA1UECRMRMTAxIFNlY29uZCBTdHJlZXQxDjAMBgNVBBETBTk0MTA1MRcw +FQYDVQQKEw5IYXNoaUNvcnAgSW5jLjFAMD4GA1UEAxM3Q29uc3VsIEFnZW50IENB +IDIzMTMxOTQ0MjM2NTUwNzc2MTk5NzMyMzc5NzUwNTk4OTcwMTUzMDAeFw0yNjAz +MTEwOTEzNDZaFw0zMTAzMTAwOTEzNDZaMIG5MQswCQYDVQQGEwJVUzELMAkGA1UE +CBMCQ0ExFjAUBgNVBAcTDVNhbiBGcmFuY2lzY28xGjAYBgNVBAkTETEwMSBTZWNv +bmQgU3RyZWV0MQ4wDAYDVQQREwU5NDEwNTEXMBUGA1UEChMOSGFzaGlDb3JwIElu +Yy4xQDA+BgNVBAMTN0NvbnN1bCBBZ2VudCBDQSAyMzEzMTk0NDIzNjU1MDc3NjE5 +OTczMjM3OTc1MDU5ODk3MDE1MzAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARa +Dn5nKtXx8LsZUb4oYdFEX/MkMxdmfpaI7cgvNZWXr1mcggB2m818ZsgVU7VNLaza +RsFYsyRwM8lF3+Me93zTo3sweTAOBgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUw +AwEB/zApBgNVHQ4EIgQg5lOQ/GKjzAfJgtDAwgzS4AE2WSMQa45T2T3svSL/Toww +KwYDVR0jBCQwIoAg5lOQ/GKjzAfJgtDAwgzS4AE2WSMQa45T2T3svSL/TowwCgYI +KoZIzj0EAwIDRwAwRAIgd6dWxWZMKNZSNbUCTNHojmtV09AbommVbtWpCfGsiuwC +ICMiY6x20yW1Z4HV2SGRJLHM/zpGGdWV7RwFCINHhkl1 +-----END CERTIFICATE----- diff --git a/consul-role/files/tls.crt b/consul-role/files/tls.crt deleted file mode 100644 index abc52ec..0000000 --- a/consul-role/files/tls.crt +++ /dev/null 
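Review bot: The CA is committed as `consul-agent-ca.pem` while the template and task environments on this page still reference `certs/tls.crt` for `ca_file`, `cert_file` and `CONSUL_CACERT`, so the rename only takes effect if the copy task (not visible here) maps the new file onto that path; a CA certificate is also the wrong value for `cert_file`, which needs a server certificate signed by this CA. The removed `tls.crt` was ansible-vault encrypted, which suggests it carried private material, whereas this file is a public certificate and is fine in plaintext — the matching CA key must stay out of the repository. Since a PEM file cannot hold a comment, record the issuer and expiry of this CA in the role README so operators can plan rotation.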
@@ -1,151 +0,0 @@ -$ANSIBLE_VAULT;1.1;AES256 -61613835646636313838366631336531666238383732616633663761656665373937393766386435 -6436626561306637373332376363393163633038623934350a343430366231643565343766386635 -39616431333462653938323731326461643932643930383164616239336337623838633530663239 -3666343633666566650a633630313662353339313164306561356165666365643037353731386338 -61373231633565333736656662333339323131663931323733313965353435643937326262393133 -31356365643765653931623534663830316132653531643662313166326664643035346231386666 -30313161663531303861306435326565623534306662346336313233623232336333613763356434 -33346364666465353335616162386131316331343430313838366632373262383233303466633539 -38653237386534353764383835653439363361323161356532656161633731643765663030356237 -35656536303334393937353735336532653737313131316666363862343831633131346363346639 -30336332333637396634353766653931363036653163333532633530393534396230396639333130 -31303331346135356662383235326331353038316537313634363338663565313163323462663662 -62396235646639303531386365366532373865623436353464626232646232366138646436633834 -32373364383537616465663134643236363463653663646161643237616366313032643162653063 -39313735386638353732633531663261356663323066366430376137363930366263356439643734 -65623766323436383438383965373366666234323635643439343561373237333463356462353137 -61643539353435623732363135663863323863313534303339313538366564336332303837633436 -30336561373935663365303935313937326331353863353265343335343836326431663531393732 -64376330383266383364623032343034663662313330373832613839333561333933366334663333 -37356139316535343037613062626133376433346136326264613534363736333463353636356531 -66613138373932656366626634636537643036333362303565386135663461323238623337386665 -32646562343734386137616464306330643266356330636563626432613862636234363831366630 -64396366623138353236343530343166323837366566393338373362393931376361653431316461 
-62633335383763333966616361363132363063383265373532353639393333353262303062363566 -34313063343938383530303062353138323533356235633362383039373864623631663364313134 -36323562613764643462366462376563656333346130366132653232623436326232323935303038 -63666433636538323365613735626262656563383431623333636263323934303963393962316130 -30373233316530643462663630323762373936653536393337373162663634306436666362323564 -65346666306263333238653131383034383765396438663935363331306132663061363163313837 -39366635376632653737353133666266663935303830643361666438386430633266333030306563 -65386165366238373365316430613763383439353731316134313966613765313736656238643431 -37363864653439656233343430313066393161333434373639353563646239303264613635326466 -39306261336330396238663532306266653735333864386434633031366164613838393430633464 -33613061376234353662333165356462643232353030323334306539313263306166323135663532 -66633839316465656261636461363563616561616234303165363533346661376534656635393663 -34613231343937386264613537393538353333623662653539623539383337363963303365376632 -39326265633161356161616366616333313839626562363332636631323338363139363565383939 -32303138306532356561373538383332313962613933343366636537633034356134663439343835 -30343461356234373238343761613431613962306232653632316161663236366439333931303432 -66616365316631326464396236646632653066343936363266623134653437373136356437343063 -33643531373633333731663634383937343464633261393139623630323861363435356562303834 -39313430393364386262633263633234643838616338656131356165316662663661646331623266 -32393365383865613033353161326635613561393633643132623365386132663139663966353532 -62306131396666313830313461346264306137646637373264306435656363356439363763363430 -66376630643235303063323831313133303538393538666137333439383338323764663935373332 -31666533323338613864336437653732313436323133396134336336643838386165393664366333 -34303930396330373837313833353331343236363334616231386566306163303436336663366264 
-35633739626433653239623436636264333434323839616136643339616231323465343330623861 -34613264666635616634326461316330333732653364393235653461376538326132363136356534 -33326337656564356137356162353934376238326364333062363362343839303061663264383338 -62613438623862363334353763653465333466653035653461623533323862343062323932343966 -66326438633731323964363036623164616432636365396336383236303134306239623239313835 -64353265633664636431626362646130353764663062393732643433303364393033643837356633 -36336163316132373834376531643539313632306539643666663233333963303562616535616339 -33386235313938353436653566643934623934653139663535623536643530626465383133303362 -61616633646363303463646335366163383233656336333635616535386134356131666132336333 -62303032636465333131393863663037643133626137636161386331663233653466393964396230 -39636661663230353334636661663730303936633538623732336437356338376638353131313334 -34373664663838396132353831303032613231396439303237633363356534366134333033366130 -63353230633963376330376330366238666330646137386131336230346434316533663336653163 -34323833373634633565343137626364653530346231303336633839343064653336343363333363 -37393862343437323737653938313466393639333736383335633435666532633432666163323836 -65326662363262636566333563623735306363623666386362346665353535323330633034663564 -31366638663161653337643431626561373334656437363033393961383261386432313933643762 -33353866353938646462616338323532663665346132376436363132643136303035363938383538 -61313662316236383534313038653765376362346537626566343630613239613239623530623564 -37303764323935623031643462356230626164653333326337316463323833643562663234666262 -62623365383864613831313136333039613334313566383432616638623165613137393839323938 -37356365346539663431663963333735613532366539396432626632333231623337613735356439 -30626135393337613131336339366138396539653739316637666564343833356332666161333166 -63313530343666396434323235363730636564386639346135353066633432356638656133373566 
-37646231333537376465396663323263323931666264663030636635623139393462303334343766 -36616533346132366432633838306135613065663464366565346133336362356538663130666232 -35643862663361656234646131613066333531656565313934323537353035616166313262363132 -61373532336139633764373836353765646638376536343638633033323166626238336261366635 -66393837636138636434386339656131613834353663666438646262363864366537373333656139 -30626363333862633734626266646338323733386136333263373039343662343665663836323634 -31333737626366316364373962666331623361343063626264393661643834616238616665336137 -33653061323465313832326465613663383533643838343064346166653032313438663330656463 -65383365323766323632333165356361643863376466303336653762336135626263626433623539 -66386337393538613864633336643765303832376662363333663934313233303038373366616634 -32303863623764386237313665393861633331626164646263613762643462663836636139303832 -35643763376563323766643964656565636131356266333231366462393665306561393239663334 -65653663323335613762613832656163396332633665303132393139663633336561353434653731 -63373636396336623537366137663939313538666437363365346335636432363732323530616239 -36353239666135646239346165386665373361643265353136373834343738653064613331626539 -30336465353439306461616562616264363039396563666634656361396635306364386262363162 -65616230623038386461373631366261383835396365363562363338313939353235356666663061 -32333765343837323135323535376634656366343464653738346638343764663865653030336632 -65366138656635303931393062643064343734393561323762343732613066313364373237663664 -38313162393561373233336537663761646566636661663337613133396435383038366135316363 -38663933663039333830343531363538343534636234313261313330666164376464646436666638 -63623961313031326664623164643864336661653433383332333533656239373337343831643033 -32376436643363633965306439663033303937333938383161643030373763646163326139343039 -63633336363438373131613630633763393663366636386336393738663365626466373236313933 
-64653861373830333034656664393463393034336361336637313062326237646633313261336234 -37313936623832643163383964323266386433636166343065353962646136383863663462386537 -64343363633462353065646436346365363265316465343763643634396531646265333966633362 -31333731363436363835616530393466383462393866393633393230323532643662376664353536 -35326263343331323365643763343733636238383965333538386438656538616438626532363164 -33303236346235313165323161373266643263373933376435306432336334613939333831383533 -36656362626138386330356136613339653833373633316334393366393265313637323431383035 -37336361306638356237653537653330336365396135626565376635646262653762613531373737 -61613330626266643730313133646663313330323539363835323636356533633032343763313262 -36323466616161653734623836633566653732633530656566366362346332646464343164643539 -35313466313963646633353663353034633638393931353831353632623666353538316639353133 -65383462343935663535303463636365313632386161653037326236656461356331363935663031 -64326531356535666266666361346564646633636165663061636636353162303435626530333834 -33303031353361306433656661356632663961663365663264313335636435623161643637616537 -31613133383335623836656561623065383939366663363838663161373535326135323163313831 -62343237353164633936353038663835353861666563616432313932636538646332363638323966 -39386433366630316361646462633737396535623061343334323062343566373262323363383662 -36646631643139663862666233663637336163616363363231623438653839313635363065366535 -64303866313165333235393530353236303165316636336464383238333764633730313237363134 -61636564653461383633373532313861373937346263646563663663656630313437656464383931 -38653134633963386633313162643438653330626164363564633935373264373937306331633161 -61323838323863663737343663393432373637643365643731643231323735666266353565646531 -37343531626633616665343361643235333762643933303263633637366534626464346663633535 -65343734336437326138393332386363616164656230353634386134396430303964623232353361 
-34396638343566346436616632396538653762623338333063633939626339663330633662343363 -39353161613831303737386635333431616431313966393232626133336638313539363230326332 -34376566653638333731653066633538313062363530636663613162313262393235326362383635 -31663338393261653238323465656435666133356466383730636264393138613032313231333162 -66623531636438386263363436396639663239383037373234613565303861336166363063313431 -39653731623937333039653839643534643335346338616263616266613962396531623666666636 -64656330306430376338396331643135656638313530336337373035653463386439653434366135 -30646639633966626134393931623333376165643966393365383433343637633836643133313064 -33653835633238633931646437613565636236326265343162313163623236353831303230343961 -31373133336632306133356664353363303336376331383635616333346561346235363534303538 -39623334336334386162666165313164623839333238396637333835323231653765646133653339 -35386531376430356633336262653964336362306561666430303562613839623730303034323866 -34353734343561613733313134333761366561333262663263643137306431643762663364666434 -65313239386465633263646265376231336564386238303832313537343865633637373830313032 -33393034323830663535653464326462303039333931356332633532383234333936393735393464 -64306665376238303734306565373930373735303730623437623835663764643134316263363939 -37363039336630313965663463653930313961633032613362663530653766376134336263633832 -32363161623266656130316130313335613966363435383730623636343331336636373030626535 -30363330303435306133386662306563636265616566393436373635313762323566333337616265 -33303733616233656332356230396231313666346332613233303132383537613063396532656330 -36376338323161633036623232343833396333306439306261343039373836373832303539343363 -66376662656630393430343638366230393066313839653863643865633365356631393236643739 -65323564343135373532633731663333626163633239356362313234306438386638336236613433 -62386664356264313264653938333135303861313436653463363731633361373635326663663736 
-63383830396136633630326565336437303162613762386538366436366263363962376338353535 -32613835373264363138366433373338616235653930623334643738623434393032373061396363 -66393335633339653332383664643638323966663462383863333235633232613363663132383735 -63373831396663633261373130366432643030356430313066303863666531326461373835636361 -31313130313336656664376230316266646232356564303638346533636631356430613265366333 -62616161343666616565346638326335646266643765346533623762643039396366623564323964 -3637303531393962393731653663636435313765373030383261 From e5e9dc13de2de213aaa77f2ad02ff8eb09847244 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Wed, 11 Mar 2026 14:57:31 +0530 Subject: [PATCH 195/412] Update and rename tls.key to dc1-server-consul-0.pem --- consul-role/files/dc1-server-consul-0.pem | 16 ++++++++++++++++ consul-role/files/tls.key | 18 ------------------ 2 files changed, 16 insertions(+), 18 deletions(-) create mode 100644 consul-role/files/dc1-server-consul-0.pem delete mode 100644 consul-role/files/tls.key diff --git a/consul-role/files/dc1-server-consul-0.pem b/consul-role/files/dc1-server-consul-0.pem new file mode 100644 index 0000000..cbb31f1 --- /dev/null +++ b/consul-role/files/dc1-server-consul-0.pem 
@@ -0,0 +1,16 @@ +-----BEGIN CERTIFICATE----- +MIICnDCCAkOgAwIBAgIRAM9bw8GQ1xIAIffE3IqkCegwCgYIKoZIzj0EAwIwgbkx +CzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNj +bzEaMBgGA1UECRMRMTAxIFNlY29uZCBTdHJlZXQxDjAMBgNVBBETBTk0MTA1MRcw +FQYDVQQKEw5IYXNoaUNvcnAgSW5jLjFAMD4GA1UEAxM3Q29uc3VsIEFnZW50IENB +IDIzMTMxOTQ0MjM2NTUwNzc2MTk5NzMyMzc5NzUwNTk4OTcwMTUzMDAeFw0yNjAz +MTEwOTE0MDRaFw0yNzAzMTEwOTE0MDRaMBwxGjAYBgNVBAMTEXNlcnZlci5kYzEu +Y29uc3VsMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE/UlwzAeIeL2QnbDOyqcs +uA5pl4k2YOVWL4NUd7qpqg6NV2LhB0C+EMVKxg7flgubvL0H1lWvS1+J4hBv44uM +2qOBxzCBxDAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsG +AQUFBwMCMAwGA1UdEwEB/wQCMAAwKQYDVR0OBCIEIBCDxJ16+CWBPpvwpwDzx6aW +c/wBcYaIc8u4ojhepsqvMCsGA1UdIwQkMCKAIOZTkPxio8wHyYLQwMIM0uABNlkj +EGuOU9k97L0i/06MMC0GA1UdEQQmMCSCEXNlcnZlci5kYzEuY29uc3Vsgglsb2Nh +bGhvc3SHBH8AAAEwCgYIKoZIzj0EAwIDRwAwRAIgOFWWzxUhUosiQx1nCV40Rus4 +rTj+aOc33VTYYl9SmLYCIDysXj30PBuYfh0VuzIJHS9Eo6rUzSQwUq7cMIeORM/X +-----END CERTIFICATE----- diff --git a/consul-role/files/tls.key b/consul-role/files/tls.key deleted file mode 100644 index a034b01..0000000 --- a/consul-role/files/tls.key +++ /dev/null @@ -1,18 +0,0 @@ -$ANSIBLE_VAULT;1.1;AES256 -35363165663164346535373537666464623866333963363164643665343235383137346531666336 -3962316134666537653164313731333563323462356239610a303662613932663063653666373634 -61653766646361383964633439343133613864353334623230316263376166626566613564326266 -6230346562383034360a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rom 73b4a4fc5e2cbd0ea526eb0ab03805810149b565 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Wed, 11 Mar 2026 14:58:09 +0530 Subject: [PATCH 196/412] Create dc1-server-consul-0-key.pem --- consul-role/files/dc1-server-consul-0-key.pem | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 consul-role/files/dc1-server-consul-0-key.pem 
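Review bot: The server certificate's subject alternative names appear, decoding the base64, to be `server.dc1.consul`, `localhost` and `127.0.0.1`, while the CLI tasks in this series reach the API at `https://{{ consul_bind_addr }}:8501` with `CONSUL_HTTP_SSL_VERIFY: "true"`; unless `consul_bind_addr` is 127.0.0.1, hostname verification of that connection will fail. Issue the server certificate with the bind address as an IP SAN (`consul tls cert create -server -additional-ipaddress=<bind address>`) or point `CONSUL_HTTP_ADDR` at a name the certificate covers. The certificate also appears to carry a one-year validity (March 2026 to March 2027), so the role needs a documented rotation path before then.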
diff --git a/consul-role/files/dc1-server-consul-0-key.pem b/consul-role/files/dc1-server-consul-0-key.pem new file mode 100644 index 0000000..1575e83 --- /dev/null +++ b/consul-role/files/dc1-server-consul-0-key.pem @@ -0,0 +1,5 @@ +-----BEGIN EC PRIVATE KEY----- +MHcCAQEEIJsh2Io5FJ/xBT2ETOuJCgPv3LB7cBAU24KMt/9/FSiooAoGCCqGSM49 +AwEHoUQDQgAE/UlwzAeIeL2QnbDOyqcsuA5pl4k2YOVWL4NUd7qpqg6NV2LhB0C+ +EMVKxg7flgubvL0H1lWvS1+J4hBv44uM2g== +-----END EC PRIVATE KEY----- From a32eb13f3edd11104158bdbdda0003a863c3a753 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Wed, 11 Mar 2026 15:00:46 +0530 Subject: [PATCH 197/412] Update config.yml --- consul-role/tasks/config.yml | 23 +++++++++++++++-------- 1 file changed, 15 insertions(+), 8 deletions(-) diff --git a/consul-role/tasks/config.yml b/consul-role/tasks/config.yml index 20f3534..235bf3d 100644 --- a/consul-role/tasks/config.yml +++ b/consul-role/tasks/config.yml @@ -1,3 +1,4 @@ +--- - name: Create TLS cert directory ansible.builtin.file: path: "{{ consul_config_dir }}/certs" 
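Review bot: `dc1-server-consul-0-key.pem` lands here as a cleartext `EC PRIVATE KEY`, replacing a `tls.key` that was Ansible-Vault encrypted (deleted on the previous line); although patch 204 later swaps this file for a vault blob, the plaintext stays in git history, so this key and the certificate issued for it (`dc1-server-consul-0.pem`) should be treated as disclosed and re-issued under the CA, with the new key vaulted before its first commit. If the repository has been pushed anywhere shared, rewriting history to drop this blob is worth doing as well. A pre-commit hook or CI check that rejects files containing a `PRIVATE KEY` PEM header would have caught this; running `ansible-vault encrypt` before `git add` is the workflow the later patches already follow.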
@@ -6,23 +7,29 @@
 group: "{{ consul_group }}"
 mode: "0750"
-- name: Copy TLS certificate
+- name: Copy CA certificate
 ansible.builtin.copy:
- src: tls.crt
- dest: "{{ consul_config_dir }}/certs/tls.crt"
+ src: consul-agent-ca.pem
+ dest: "{{ consul_config_dir }}/certs/consul-agent-ca.pem"
 owner: "{{ consul_user }}"
 group: "{{ consul_group }}"
 mode: "0644"
- notify: Restart Consul
-- name: Copy TLS private key
+- name: Copy Server certificate
 ansible.builtin.copy:
- src: tls.key
- dest: "{{ consul_config_dir }}/certs/tls.key"
+ src: dc1-server-consul-0.pem
+ dest: "{{ consul_config_dir }}/certs/dc1-server-consul-0.pem"
+ owner: "{{ consul_user }}"
+ group: "{{ consul_group }}"
+ mode: "0644"
+
+- name: Copy Server key
+ ansible.builtin.copy:
+ src: dc1-server-consul-0-key.pem
+ dest: "{{ consul_config_dir }}/certs/dc1-server-consul-0-key.pem"
 owner: "{{ consul_user }}"
 group: "{{ consul_group }}"
 mode: "0600"
- notify: Restart Consul
 - name: Deploy Consul server configuration
 ansible.builtin.template:
From 8c420a489ce2fe65694ae8b5947d68dfb6e2b5f2 Mon Sep 17 00:00:00 2001
From: AnithaAnnem
Date: Wed, 11 Mar 2026 15:01:21 +0530
Subject: [PATCH 198/412] Update server.hcl.j2
---
 consul-role/templates/server.hcl.j2 | 12 ++++--------
 1 file changed, 4 insertions(+), 8 deletions(-)
diff --git a/consul-role/templates/server.hcl.j2 b/consul-role/templates/server.hcl.j2
index f1696d9..00ec1a2 100644
--- a/consul-role/templates/server.hcl.j2
+++ b/consul-role/templates/server.hcl.j2
@@ -37,11 +37,10 @@ ports {
 tls {
 defaults {
- ca_file = "{{ consul_config_dir }}/certs/tls.crt"
- cert_file = "{{ consul_config_dir }}/certs/tls.crt"
- key_file = "{{ consul_config_dir }}/certs/tls.key"
+ ca_file = "{{ consul_config_dir }}/certs/consul-agent-ca.pem"
+ cert_file = "{{ consul_config_dir }}/certs/dc1-server-consul-0.pem"
+ key_file = "{{ consul_config_dir }}/certs/dc1-server-consul-0-key.pem"
- # CHANGE THESE TO TRUE
 verify_incoming = true
 verify_outgoing = true
 }
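Review bot: `notify: Restart Consul` is dropped from both copy tasks on the new side, so a rotated CA, server certificate or key is written to disk but the running agent keeps using the old material until something else restarts it; re-add `notify: Restart Consul` (or a reload handler, if the role has one) to all three copy tasks. Separately, patch 206 in this series deletes `consul-role/files/consul-agent-ca.pem` while the `Copy CA certificate` task still has `src: consul-agent-ca.pem`, so unless a later patch restores that file the task fails at runtime. The task list continues past the hunk (the `Deploy Consul server configuration` task is cut).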
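Review bot: With `verify_incoming` and `verify_outgoing` now enabled in `tls.defaults`, the setting still missing from this hunk is `verify_server_hostname`; without it, any certificate issued by this CA (a client agent's, for instance) is accepted as a server identity by other agents. If the rest of the template does not already set it, add `verify_server_hostname = true` under `tls.internal_rpc`; the server certificate introduced in patch 195 appears to carry `server.dc1.consul`, which is the name that check expects. The cert and key paths also hard-code `dc1` and `-0` in the file names, so deriving them from a datacenter variable would keep the template reusable across datacenters. The `tls` block continues outside the hunk.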
@@ -51,12 +50,9 @@ tls {
 }
 https {
- # Set to true if you want the UI/API to require a client cert
- # Usually kept false for browser access, but encrypted via HTTPS
- verify_incoming = false
+ verify_incoming = false
 }
 }
- # Ensure auto_encrypt is enabled if you want clients to get certs from servers
 auto_encrypt {
 allow_for_agents = true
From 60cf490c8714141dac3937cc1dc7b9ba47ef07bf Mon Sep 17 00:00:00 2001
From: AnithaAnnem
Date: Wed, 11 Mar 2026 15:03:07 +0530
Subject: [PATCH 199/412] Update acl.yml
---
 consul-role/tasks/acl.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/consul-role/tasks/acl.yml b/consul-role/tasks/acl.yml
index 57ea7b4..ce792cf 100644
--- a/consul-role/tasks/acl.yml
+++ b/consul-role/tasks/acl.yml
@@ -38,7 +38,8 @@
 environment:
 CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501"
 CONSUL_HTTP_SSL_VERIFY: "true"
- CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt"
+ # This must point to the CA file, not the server cert
+ CONSUL_CACERT: "{{ consul_config_dir }}/certs/consul-agent-ca.pem"
 - name: Extract new token from bootstrap output
 ansible.builtin.set_fact:
From 90077be1c82d710400ccb4af409e48505e56697e Mon Sep 17 00:00:00 2001
From: AnithaAnnem
Date: Wed, 11 Mar 2026 15:04:32 +0530
Subject: [PATCH 200/412] Update acl_policies.yml
---
 consul-role/tasks/acl_policies.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/consul-role/tasks/acl_policies.yml b/consul-role/tasks/acl_policies.yml
index 810f584..7b52e3b 100644
--- a/consul-role/tasks/acl_policies.yml
+++ b/consul-role/tasks/acl_policies.yml
@@ -36,7 +36,8 @@
 environment: &consul_env
 CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501"
 CONSUL_HTTP_TOKEN: "{{ consul_master_token }}"
- CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt"
+ # This must point to the CA file, not the server cert
+ CONSUL_CACERT: "{{ consul_config_dir }}/certs/consul-agent-ca.pem"
 CONSUL_HTTP_SSL_VERIFY: "true"
 - name: Create Consul policies
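Review bot: The two comment lines explaining why `verify_incoming = false` is kept under `tls.https` are removed while the setting itself stays, so the new side no longer records that this is a deliberate choice: the HTTPS API/UI listener accepts connections without a client certificate and relies on ACL tokens alone. Restore a one-line rationale, e.g. `# No client cert on the HTTPS API/UI listener (browser access); callers authenticate with ACL tokens`, and likewise keep a short note above `auto_encrypt` so the next reader neither "fixes" the first to `true` nor disables the second. The `tls` block begins before this hunk.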
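Review bot: The CA path `{{ consul_config_dir }}/certs/consul-agent-ca.pem` and the comment `# This must point to the CA file, not the server cert` are now repeated verbatim in acl.yml and acl_policies.yml (this line) and again in rbac.yml (next line); the rename spread over patches 194–201 shows how easily the three copies drift. Define the path once in defaults, e.g. `consul_ca_file: "{{ consul_config_dir }}/certs/consul-agent-ca.pem"`, set `CONSUL_CACERT: "{{ consul_ca_file }}"` in all three files, and feed the same variable to `ca_file` in server.hcl.j2. The surrounding tasks begin and end outside these hunks.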
From 85782e55f5f7f8893bacee5b81ee606ed32b5e8c Mon Sep 17 00:00:00 2001
From: AnithaAnnem
Date: Wed, 11 Mar 2026 15:04:53 +0530
Subject: [PATCH 201/412] Update rbac.yml
---
 consul-role/tasks/rbac.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/consul-role/tasks/rbac.yml b/consul-role/tasks/rbac.yml
index 7b068bf..cb6aedf 100644
--- a/consul-role/tasks/rbac.yml
+++ b/consul-role/tasks/rbac.yml
@@ -13,7 +13,8 @@
 environment: &consul_env
 CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501"
 CONSUL_HTTP_TOKEN: "{{ consul_master_token }}"
- CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt"
+ # This must point to the CA file, not the server cert
+ CONSUL_CACERT: "{{ consul_config_dir }}/certs/consul-agent-ca.pem"
 CONSUL_HTTP_SSL_VERIFY: "true"
 - name: Create read policy
From d1c5978f34b58ed51336e575b83205a17c69036d Mon Sep 17 00:00:00 2001
From: AnithaAnnem
Date: Wed, 11 Mar 2026 15:06:03 +0530
Subject: [PATCH 202/412] Update acl_policies.yml
---
 consul-role/tasks/acl_policies.yml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/consul-role/tasks/acl_policies.yml b/consul-role/tasks/acl_policies.yml
index 7b52e3b..2f34292 100644
--- a/consul-role/tasks/acl_policies.yml
+++ b/consul-role/tasks/acl_policies.yml
@@ -12,8 +12,9 @@
 path: "{{ consul_config_dir }}/certs/{{ item.file }}"
 mode: "{{ item.mode }}"
 loop:
- - { file: "tls.crt", mode: "0644" }
- - { file: "tls.key", mode: "0640" }
+ - { file: "consul-agent-ca.pem", mode: "0644" }
+ - { file: "dc1-server-consul-0.pem", mode: "0644" }
+ - { file: "dc1-server-consul-0-key.pem", mode: "0600" }
 become: true
 - name: Copy policy files
From 731b41a6a308a9b6a2407ccb68fe6a09fa21f551 Mon Sep 17 00:00:00 2001
From: AnithaAnnem
Date: Wed, 11 Mar 2026 15:08:27 +0530
Subject: [PATCH 203/412] Update consul-agent-ca.pem
---
 consul-role/files/consul-agent-ca.pem | 77 ++++++++++++++++++++-------
 1 file changed, 59 insertions(+), 18 deletions(-)
diff --git a/consul-role/files/consul-agent-ca.pem b/consul-role/files/consul-agent-ca.pem
index 3437125..fda3dc5 100644
--- a/consul-role/files/consul-agent-ca.pem
+++ b/consul-role/files/consul-agent-ca.pem
@@ -1,18 +1,59 @@ ------BEGIN CERTIFICATE----- -MIIC7TCCApSgAwIBAgIRAK4GgQsx3X3bDBHnyJDAb5owCgYIKoZIzj0EAwIwgbkx -CzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNj -bzEaMBgGA1UECRMRMTAxIFNlY29uZCBTdHJlZXQxDjAMBgNVBBETBTk0MTA1MRcw -FQYDVQQKEw5IYXNoaUNvcnAgSW5jLjFAMD4GA1UEAxM3Q29uc3VsIEFnZW50IENB -IDIzMTMxOTQ0MjM2NTUwNzc2MTk5NzMyMzc5NzUwNTk4OTcwMTUzMDAeFw0yNjAz -MTEwOTEzNDZaFw0zMTAzMTAwOTEzNDZaMIG5MQswCQYDVQQGEwJVUzELMAkGA1UE -CBMCQ0ExFjAUBgNVBAcTDVNhbiBGcmFuY2lzY28xGjAYBgNVBAkTETEwMSBTZWNv -bmQgU3RyZWV0MQ4wDAYDVQQREwU5NDEwNTEXMBUGA1UEChMOSGFzaGlDb3JwIElu -Yy4xQDA+BgNVBAMTN0NvbnN1bCBBZ2VudCBDQSAyMzEzMTk0NDIzNjU1MDc3NjE5 -OTczMjM3OTc1MDU5ODk3MDE1MzAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARa -Dn5nKtXx8LsZUb4oYdFEX/MkMxdmfpaI7cgvNZWXr1mcggB2m818ZsgVU7VNLaza -RsFYsyRwM8lF3+Me93zTo3sweTAOBgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUw -AwEB/zApBgNVHQ4EIgQg5lOQ/GKjzAfJgtDAwgzS4AE2WSMQa45T2T3svSL/Toww -KwYDVR0jBCQwIoAg5lOQ/GKjzAfJgtDAwgzS4AE2WSMQa45T2T3svSL/TowwCgYI -KoZIzj0EAwIDRwAwRAIgd6dWxWZMKNZSNbUCTNHojmtV09AbommVbtWpCfGsiuwC -ICMiY6x20yW1Z4HV2SGRJLHM/zpGGdWV7RwFCINHhkl1 ------END CERTIFICATE----- +$ANSIBLE_VAULT;1.1;AES256 +32333035613836613231343661386562356361393036386332333534353638356337383461663363 +6166373039663833346532366362376231643135313863630a386462363832336261383466626664 +36656530376531386638383832346236623637306131383766613338383532663962376534633730 +3139626431653032350a643931663539356333376362333361323838646534613238306263666264 +32386436653535306164346465623731643633383237336464656233316433646139613539323835 +62316637646166653837316633313232323962616333366662626535376537376131393561633661 +33313433623133616530646564616335323862643135386565616637323065623464616535363962 +36336463353237343966643961383831623463306638383865316565323664396533656231316565 +66353136316161643862323935643436646336646437353632343261656433643033346435346665 +39396537623665383132663436376136613036386631323230623232646130323966346264633665 
+37383235356434343232363233303362653666323361313435333862316236633461663031353663 +30663432646635616164383338393430323261386632616539356636613233663762613934643333 +32356463653332346236396532623337373835666330386131646566613938316637383830323539 +34316531313732303762313733383136663962643836643037623734616564633338626661323337 +66303266366238623063656663366435303065393633323938306236636664326261323965306262 +61313334666361333364636534366331353466653164393866383239323233323164323965633437 +66313837366538323862376639383233653762366361346531353561373766303064636332376665 +38383438326563353761353961316134623639623661303165373062373766313737386536663739 +38353032393461633130303464353739326664613061623762366333303664366363343934343934 +61343336616530613832386462393930613734326630343864643163356637396164313230336565 +34343864396561323632343830643835363030656630373833363638663834653164643964363839 +39393230396633383835303864643730626131623662376139393062303333323537333632663936 +30633964323433353365613339306565646536313433396631336532303837333032613732326165 +31373365306137656436316330623139666230383665356233343866656531386131343837386438 +30303539663030646439366631323831306331656132663336373533383035643331653639376264 +37383365323862333263333361373833383330616432383232396138623632653935346561383762 +62636433316363393863636462363233346464646565383439663634633734383666653939366266 +34393332643532396665643638666435343966376163396165633563356261613138633963613366 +62643736666365343338336534393962326461393437333033343061626535616635643034316361 +63633866393331336261373163363931623539653939356665323863663130373136303739646161 +33633763343535643634373338613637323939303831376266353934343536393162623434316661 +32613061316539373563306262373465356361313433323431323763636638333238363837663066 +64363537316333346664313235346164363331646635383936313638376437623336616363343064 +34366233363231373265373631346537613238303738393437306139376661333539393665396230 
+30363636326262626162386331306338633264313037373262303232326565303231383431393838 +36636562616438336435663833363566343937356132626432383338653437306531353239346561 +34386533343531393965363864646535613636326563376536363436353738303433653663303034 +64346262316139356562343537386365323032363266393837653834383162636535383166353432 +35626464336135326362383862666366393961346337333333353366353131306635393264373463 +61313738393831613933383431346665633961343536636231316437393731653538666331383665 +37306336393166376466366530656663376663613733393637323338353864303738623639653031 +64623337626331306362313337666231626531356538343732383632666364373863623039623233 +62386539323437393562353232343030393730323663633637336233343061663532653166376535 +36633535363437643064633232343865643164306562623833306532636264346164313262333762 +38656532313130663732313863373636363263363831636537633963613937376633663834343932 +66316436376166633864653866376435303539333166353433663936363232333464623464383366 +31663939343365633662346463666533386134616637323532366135353365373534666338663934 +31373063653132386534653736613466633037346665316533626632633665323861666462346234 +34393136356236623337323661303966323537613664616434343238333934313537303837363636 +30383466383432633838623562303031616236393063316537333731316161356139386166396166 +31663937393965386535613530396636303833656239646138353063356162386464353161613738 +33666138663739316362616536666666393537646135323431376565326361313765663330396466 +35643965333137633063636339626234323566663064653335373738376664306332343838393738 +37393133346634346461393437663531633165613733356335383163613339333265363130363262 +39656464316634663931386432343238626637353231663766303935333964303631613330396138 +62363363303961326134376433633132613162386534363562353935303537313037323136653364 +38363235343736663830306439666338363562363563383230343036393632363032336666313861 +6537393066313539316630623865373933376332316337396334 
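Review bot: This replaces the readable PEM CA certificate with an Ansible Vault blob, which hides a public trust anchor from code review without protecting any secret — only the CA's private key is sensitive, and it is not in this file. Keep the CA certificate as plain PEM so each change to the trust anchor can be diffed; `ansible.builtin.copy` decrypts vaulted sources by default, so the deployment path is the same either way. Patch 206 then deletes this file while the role's copy task and server.hcl.j2 still reference it.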
From 984356da8e8ba0ed6f03a13bead7945470ddddad Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Wed, 11 Mar 2026 15:09:01 +0530 Subject: [PATCH 204/412] Update dc1-server-consul-0-key.pem --- consul-role/files/dc1-server-consul-0-key.pem | 22 ++++++++++++++----- 1 file changed, 17 insertions(+), 5 deletions(-) diff --git a/consul-role/files/dc1-server-consul-0-key.pem b/consul-role/files/dc1-server-consul-0-key.pem index 1575e83..b56b0b7 100644 --- a/consul-role/files/dc1-server-consul-0-key.pem +++ b/consul-role/files/dc1-server-consul-0-key.pem @@ -1,5 +1,17 @@ ------BEGIN EC PRIVATE KEY----- -MHcCAQEEIJsh2Io5FJ/xBT2ETOuJCgPv3LB7cBAU24KMt/9/FSiooAoGCCqGSM49 -AwEHoUQDQgAE/UlwzAeIeL2QnbDOyqcsuA5pl4k2YOVWL4NUd7qpqg6NV2LhB0C+ -EMVKxg7flgubvL0H1lWvS1+J4hBv44uM2g== ------END EC PRIVATE KEY----- +$ANSIBLE_VAULT;1.1;AES256 +65323863353737623966633833623234623736366431343266343034646366383533343765386232 +3237343835336535323862663933643138393839306166310a336632303566666337623330313665 +62333436656466373139666637383162336432336139663162303533623561353333636636666463 +6634336361303630370a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rom 1676465d6265098bf0ceba8c5262f9c3e0ec4505 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Wed, 11 Mar 2026 15:09:44 +0530 Subject: [PATCH 205/412] Update dc1-server-consul-0.pem --- consul-role/files/dc1-server-consul-0.pem | 70 +++++++++++++++++------ 1 file changed, 54 insertions(+), 16 deletions(-) diff --git a/consul-role/files/dc1-server-consul-0.pem b/consul-role/files/dc1-server-consul-0.pem index cbb31f1..3c7d7de 100644 --- a/consul-role/files/dc1-server-consul-0.pem +++ b/consul-role/files/dc1-server-consul-0.pem 
@@ -1,16 +1,54 @@ ------BEGIN CERTIFICATE----- -MIICnDCCAkOgAwIBAgIRAM9bw8GQ1xIAIffE3IqkCegwCgYIKoZIzj0EAwIwgbkx -CzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNj -bzEaMBgGA1UECRMRMTAxIFNlY29uZCBTdHJlZXQxDjAMBgNVBBETBTk0MTA1MRcw -FQYDVQQKEw5IYXNoaUNvcnAgSW5jLjFAMD4GA1UEAxM3Q29uc3VsIEFnZW50IENB -IDIzMTMxOTQ0MjM2NTUwNzc2MTk5NzMyMzc5NzUwNTk4OTcwMTUzMDAeFw0yNjAz -MTEwOTE0MDRaFw0yNzAzMTEwOTE0MDRaMBwxGjAYBgNVBAMTEXNlcnZlci5kYzEu -Y29uc3VsMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE/UlwzAeIeL2QnbDOyqcs -uA5pl4k2YOVWL4NUd7qpqg6NV2LhB0C+EMVKxg7flgubvL0H1lWvS1+J4hBv44uM -2qOBxzCBxDAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsG -AQUFBwMCMAwGA1UdEwEB/wQCMAAwKQYDVR0OBCIEIBCDxJ16+CWBPpvwpwDzx6aW -c/wBcYaIc8u4ojhepsqvMCsGA1UdIwQkMCKAIOZTkPxio8wHyYLQwMIM0uABNlkj -EGuOU9k97L0i/06MMC0GA1UdEQQmMCSCEXNlcnZlci5kYzEuY29uc3Vsgglsb2Nh -bGhvc3SHBH8AAAEwCgYIKoZIzj0EAwIDRwAwRAIgOFWWzxUhUosiQx1nCV40Rus4 -rTj+aOc33VTYYl9SmLYCIDysXj30PBuYfh0VuzIJHS9Eo6rUzSQwUq7cMIeORM/X ------END CERTIFICATE----- +$ANSIBLE_VAULT;1.1;AES256 +31383964383761356130353132396262393139643963356636323933663835656534363434393063 +3537313661633531396566623034663961366337356332380a386631326663313032653361653762 +61633631396133623236353334393436373338653166346265383436646333356564646465336162 +3665316565623830350a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rom eca8c1632bc5cfd98389d4e2fde98782a8a93cd5 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Wed, 11 Mar 2026 15:37:01 +0530 Subject: [PATCH 206/412] Delete consul-role/files/consul-agent-ca.pem --- consul-role/files/consul-agent-ca.pem | 59 --------------------------- 1 file changed, 59 deletions(-) delete mode 100644 consul-role/files/consul-agent-ca.pem diff --git a/consul-role/files/consul-agent-ca.pem b/consul-role/files/consul-agent-ca.pem deleted file mode 100644 index fda3dc5..0000000 --- a/consul-role/files/consul-agent-ca.pem +++ /dev/null 
@@ -1,59 +0,0 @@ -$ANSIBLE_VAULT;1.1;AES256 -32333035613836613231343661386562356361393036386332333534353638356337383461663363 -6166373039663833346532366362376231643135313863630a386462363832336261383466626664 -36656530376531386638383832346236623637306131383766613338383532663962376534633730 -3139626431653032350a643931663539356333376362333361323838646534613238306263666264 -32386436653535306164346465623731643633383237336464656233316433646139613539323835 -62316637646166653837316633313232323962616333366662626535376537376131393561633661 -33313433623133616530646564616335323862643135386565616637323065623464616535363962 -36336463353237343966643961383831623463306638383865316565323664396533656231316565 -66353136316161643862323935643436646336646437353632343261656433643033346435346665 -39396537623665383132663436376136613036386631323230623232646130323966346264633665 -37383235356434343232363233303362653666323361313435333862316236633461663031353663 -30663432646635616164383338393430323261386632616539356636613233663762613934643333 -32356463653332346236396532623337373835666330386131646566613938316637383830323539 -34316531313732303762313733383136663962643836643037623734616564633338626661323337 -66303266366238623063656663366435303065393633323938306236636664326261323965306262 -61313334666361333364636534366331353466653164393866383239323233323164323965633437 -66313837366538323862376639383233653762366361346531353561373766303064636332376665 -38383438326563353761353961316134623639623661303165373062373766313737386536663739 -38353032393461633130303464353739326664613061623762366333303664366363343934343934 -61343336616530613832386462393930613734326630343864643163356637396164313230336565 -34343864396561323632343830643835363030656630373833363638663834653164643964363839 -39393230396633383835303864643730626131623662376139393062303333323537333632663936 -30633964323433353365613339306565646536313433396631336532303837333032613732326165 
-31373365306137656436316330623139666230383665356233343866656531386131343837386438 -30303539663030646439366631323831306331656132663336373533383035643331653639376264 -37383365323862333263333361373833383330616432383232396138623632653935346561383762 -62636433316363393863636462363233346464646565383439663634633734383666653939366266 -34393332643532396665643638666435343966376163396165633563356261613138633963613366 -62643736666365343338336534393962326461393437333033343061626535616635643034316361 -63633866393331336261373163363931623539653939356665323863663130373136303739646161 -33633763343535643634373338613637323939303831376266353934343536393162623434316661 -32613061316539373563306262373465356361313433323431323763636638333238363837663066 -64363537316333346664313235346164363331646635383936313638376437623336616363343064 -34366233363231373265373631346537613238303738393437306139376661333539393665396230 -30363636326262626162386331306338633264313037373262303232326565303231383431393838 -36636562616438336435663833363566343937356132626432383338653437306531353239346561 -34386533343531393965363864646535613636326563376536363436353738303433653663303034 -64346262316139356562343537386365323032363266393837653834383162636535383166353432 -35626464336135326362383862666366393961346337333333353366353131306635393264373463 -61313738393831613933383431346665633961343536636231316437393731653538666331383665 -37306336393166376466366530656663376663613733393637323338353864303738623639653031 -64623337626331306362313337666231626531356538343732383632666364373863623039623233 -62386539323437393562353232343030393730323663633637336233343061663532653166376535 -36633535363437643064633232343865643164306562623833306532636264346164313262333762 -38656532313130663732313863373636363263363831636537633963613937376633663834343932 -66316436376166633864653866376435303539333166353433663936363232333464623464383366 -31663939343365633662346463666533386134616637323532366135353365373534666338663934 
-31373063653132386534653736613466633037346665316533626632633665323861666462346234 -34393136356236623337323661303966323537613664616434343238333934313537303837363636 -30383466383432633838623562303031616236393063316537333731316161356139386166396166 -31663937393965386535613530396636303833656239646138353063356162386464353161613738 -33666138663739316362616536666666393537646135323431376565326361313765663330396466 -35643965333137633063636339626234323566663064653335373738376664306332343838393738 -37393133346634346461393437663531633165613733356335383163613339333265363130363262 -39656464316634663931386432343238626637353231663766303935333964303631613330396138 -62363363303961326134376433633132613162386534363562353935303537313037323136653364 -38363235343736663830306439666338363562363563383230343036393632363032336666313861 -6537393066313539316630623865373933376332316337396334 From 9ded9e0a5340d3c083e389f8874e42b9b9c76e9f Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Wed, 11 Mar 2026 15:37:14 +0530 Subject: [PATCH 207/412] Delete consul-role/files/dc1-server-consul-0-key.pem --- consul-role/files/dc1-server-consul-0-key.pem | 17 ----------------- 1 file changed, 17 deletions(-) delete mode 100644 consul-role/files/dc1-server-consul-0-key.pem diff --git a/consul-role/files/dc1-server-consul-0-key.pem b/consul-role/files/dc1-server-consul-0-key.pem deleted file mode 100644 index b56b0b7..0000000 --- a/consul-role/files/dc1-server-consul-0-key.pem +++ /dev/null 
@@ -1,17 +0,0 @@ -$ANSIBLE_VAULT;1.1;AES256 -65323863353737623966633833623234623736366431343266343034646366383533343765386232 -3237343835336535323862663933643138393839306166310a336632303566666337623330313665 -62333436656466373139666637383162336432336139663162303533623561353333636636666463 -6634336361303630370a656164386434656362333733303735616265306539333233613239643662 -65343136643466633561613165303433396338626230376635376636326531313163663763616534 -31306163366233366338666437386163386333643565303763653036313962353564643132313935 -38376132653863373932313363303839323363333363353235303534353833653263343234303761 -35326666636161383561363337666339363433653362373762363135373332376164373932333838 -34633032323861653061616637623333636433323930356235623261626662666666643661356236 -38616561633131383361316435623236366537663036376339353631333865613135343739376361 -34623131383132316132626537303035363364616161373662386661646634336665363730633364 -32326332636632373531333437326330303138316566333737393861396438623038363138323133 -33626362383330313538663163336434333531353538376462333833306237313039306264303830 -63303831616630666665616639386539613863633362663138393463393065616662323162323262 -30623463633862646530623862663766646135326463333234356137626235613231343135616338 -33623962336565663533 From 2701f0babf8ed223486e700da0721f43cd651736 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Wed, 11 Mar 2026 15:37:24 +0530 Subject: [PATCH 208/412] Delete consul-role/files/dc1-server-consul-0.pem --- consul-role/files/dc1-server-consul-0.pem | 54 ----------------------- 1 file changed, 54 deletions(-) delete mode 100644 consul-role/files/dc1-server-consul-0.pem diff --git a/consul-role/files/dc1-server-consul-0.pem b/consul-role/files/dc1-server-consul-0.pem deleted file mode 100644 index 3c7d7de..0000000 --- a/consul-role/files/dc1-server-consul-0.pem +++ /dev/null 
@@ -1,54 +0,0 @@ -$ANSIBLE_VAULT;1.1;AES256 -31383964383761356130353132396262393139643963356636323933663835656534363434393063 -3537313661633531396566623034663961366337356332380a386631326663313032653361653762 -61633631396133623236353334393436373338653166346265383436646333356564646465336162 -3665316565623830350a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rom c460b4ced2ed0b1d2409633fdd291cadeaedb9c8 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Wed, 11 Mar 2026 15:38:25 +0530 Subject: [PATCH 209/412] Create tls.crt --- consul-role/files/tls.crt | 151 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 151 insertions(+) create mode 100644 consul-role/files/tls.crt diff --git a/consul-role/files/tls.crt b/consul-role/files/tls.crt new file mode 100644 index 0000000..abc52ec --- /dev/null +++ b/consul-role/files/tls.crt 
@@ -0,0 +1,151 @@ +$ANSIBLE_VAULT;1.1;AES256 +61613835646636313838366631336531666238383732616633663761656665373937393766386435 +6436626561306637373332376363393163633038623934350a343430366231643565343766386635 +39616431333462653938323731326461643932643930383164616239336337623838633530663239 +3666343633666566650a633630313662353339313164306561356165666365643037353731386338 +61373231633565333736656662333339323131663931323733313965353435643937326262393133 +31356365643765653931623534663830316132653531643662313166326664643035346231386666 +30313161663531303861306435326565623534306662346336313233623232336333613763356434 +33346364666465353335616162386131316331343430313838366632373262383233303466633539 +38653237386534353764383835653439363361323161356532656161633731643765663030356237 +35656536303334393937353735336532653737313131316666363862343831633131346363346639 +30336332333637396634353766653931363036653163333532633530393534396230396639333130 +31303331346135356662383235326331353038316537313634363338663565313163323462663662 +62396235646639303531386365366532373865623436353464626232646232366138646436633834 +32373364383537616465663134643236363463653663646161643237616366313032643162653063 +39313735386638353732633531663261356663323066366430376137363930366263356439643734 +65623766323436383438383965373366666234323635643439343561373237333463356462353137 +61643539353435623732363135663863323863313534303339313538366564336332303837633436 +30336561373935663365303935313937326331353863353265343335343836326431663531393732 +64376330383266383364623032343034663662313330373832613839333561333933366334663333 +37356139316535343037613062626133376433346136326264613534363736333463353636356531 +66613138373932656366626634636537643036333362303565386135663461323238623337386665 +32646562343734386137616464306330643266356330636563626432613862636234363831366630 +64396366623138353236343530343166323837366566393338373362393931376361653431316461 
+62633335383763333966616361363132363063383265373532353639393333353262303062363566 +34313063343938383530303062353138323533356235633362383039373864623631663364313134 +36323562613764643462366462376563656333346130366132653232623436326232323935303038 +63666433636538323365613735626262656563383431623333636263323934303963393962316130 +30373233316530643462663630323762373936653536393337373162663634306436666362323564 +65346666306263333238653131383034383765396438663935363331306132663061363163313837 +39366635376632653737353133666266663935303830643361666438386430633266333030306563 +65386165366238373365316430613763383439353731316134313966613765313736656238643431 +37363864653439656233343430313066393161333434373639353563646239303264613635326466 +39306261336330396238663532306266653735333864386434633031366164613838393430633464 +33613061376234353662333165356462643232353030323334306539313263306166323135663532 +66633839316465656261636461363563616561616234303165363533346661376534656635393663 +34613231343937386264613537393538353333623662653539623539383337363963303365376632 +39326265633161356161616366616333313839626562363332636631323338363139363565383939 +32303138306532356561373538383332313962613933343366636537633034356134663439343835 +30343461356234373238343761613431613962306232653632316161663236366439333931303432 +66616365316631326464396236646632653066343936363266623134653437373136356437343063 +33643531373633333731663634383937343464633261393139623630323861363435356562303834 +39313430393364386262633263633234643838616338656131356165316662663661646331623266 +32393365383865613033353161326635613561393633643132623365386132663139663966353532 +62306131396666313830313461346264306137646637373264306435656363356439363763363430 +66376630643235303063323831313133303538393538666137333439383338323764663935373332 +31666533323338613864336437653732313436323133396134336336643838386165393664366333 +34303930396330373837313833353331343236363334616231386566306163303436336663366264 
+35633739626433653239623436636264333434323839616136643339616231323465343330623861 +34613264666635616634326461316330333732653364393235653461376538326132363136356534 +33326337656564356137356162353934376238326364333062363362343839303061663264383338 +62613438623862363334353763653465333466653035653461623533323862343062323932343966 +66326438633731323964363036623164616432636365396336383236303134306239623239313835 +64353265633664636431626362646130353764663062393732643433303364393033643837356633 +36336163316132373834376531643539313632306539643666663233333963303562616535616339 +33386235313938353436653566643934623934653139663535623536643530626465383133303362 +61616633646363303463646335366163383233656336333635616535386134356131666132336333 +62303032636465333131393863663037643133626137636161386331663233653466393964396230 +39636661663230353334636661663730303936633538623732336437356338376638353131313334 +34373664663838396132353831303032613231396439303237633363356534366134333033366130 +63353230633963376330376330366238666330646137386131336230346434316533663336653163 +34323833373634633565343137626364653530346231303336633839343064653336343363333363 +37393862343437323737653938313466393639333736383335633435666532633432666163323836 +65326662363262636566333563623735306363623666386362346665353535323330633034663564 +31366638663161653337643431626561373334656437363033393961383261386432313933643762 +33353866353938646462616338323532663665346132376436363132643136303035363938383538 +61313662316236383534313038653765376362346537626566343630613239613239623530623564 +37303764323935623031643462356230626164653333326337316463323833643562663234666262 +62623365383864613831313136333039613334313566383432616638623165613137393839323938 +37356365346539663431663963333735613532366539396432626632333231623337613735356439 +30626135393337613131336339366138396539653739316637666564343833356332666161333166 +63313530343666396434323235363730636564386639346135353066633432356638656133373566 
+37646231333537376465396663323263323931666264663030636635623139393462303334343766 +36616533346132366432633838306135613065663464366565346133336362356538663130666232 +35643862663361656234646131613066333531656565313934323537353035616166313262363132 +61373532336139633764373836353765646638376536343638633033323166626238336261366635 +66393837636138636434386339656131613834353663666438646262363864366537373333656139 +30626363333862633734626266646338323733386136333263373039343662343665663836323634 +31333737626366316364373962666331623361343063626264393661643834616238616665336137 +33653061323465313832326465613663383533643838343064346166653032313438663330656463 +65383365323766323632333165356361643863376466303336653762336135626263626433623539 +66386337393538613864633336643765303832376662363333663934313233303038373366616634 +32303863623764386237313665393861633331626164646263613762643462663836636139303832 +35643763376563323766643964656565636131356266333231366462393665306561393239663334 +65653663323335613762613832656163396332633665303132393139663633336561353434653731 +63373636396336623537366137663939313538666437363365346335636432363732323530616239 +36353239666135646239346165386665373361643265353136373834343738653064613331626539 +30336465353439306461616562616264363039396563666634656361396635306364386262363162 +65616230623038386461373631366261383835396365363562363338313939353235356666663061 +32333765343837323135323535376634656366343464653738346638343764663865653030336632 +65366138656635303931393062643064343734393561323762343732613066313364373237663664 +38313162393561373233336537663761646566636661663337613133396435383038366135316363 +38663933663039333830343531363538343534636234313261313330666164376464646436666638 +63623961313031326664623164643864336661653433383332333533656239373337343831643033 +32376436643363633965306439663033303937333938383161643030373763646163326139343039 +63633336363438373131613630633763393663366636386336393738663365626466373236313933 
+64653861373830333034656664393463393034336361336637313062326237646633313261336234 +37313936623832643163383964323266386433636166343065353962646136383863663462386537 +64343363633462353065646436346365363265316465343763643634396531646265333966633362 +31333731363436363835616530393466383462393866393633393230323532643662376664353536 +35326263343331323365643763343733636238383965333538386438656538616438626532363164 +33303236346235313165323161373266643263373933376435306432336334613939333831383533 +36656362626138386330356136613339653833373633316334393366393265313637323431383035 +37336361306638356237653537653330336365396135626565376635646262653762613531373737 +61613330626266643730313133646663313330323539363835323636356533633032343763313262 +36323466616161653734623836633566653732633530656566366362346332646464343164643539 +35313466313963646633353663353034633638393931353831353632623666353538316639353133 +65383462343935663535303463636365313632386161653037326236656461356331363935663031 +64326531356535666266666361346564646633636165663061636636353162303435626530333834 +33303031353361306433656661356632663961663365663264313335636435623161643637616537 +31613133383335623836656561623065383939366663363838663161373535326135323163313831 +62343237353164633936353038663835353861666563616432313932636538646332363638323966 +39386433366630316361646462633737396535623061343334323062343566373262323363383662 +36646631643139663862666233663637336163616363363231623438653839313635363065366535 +64303866313165333235393530353236303165316636336464383238333764633730313237363134 +61636564653461383633373532313861373937346263646563663663656630313437656464383931 +38653134633963386633313162643438653330626164363564633935373264373937306331633161 +61323838323863663737343663393432373637643365643731643231323735666266353565646531 +37343531626633616665343361643235333762643933303263633637366534626464346663633535 +65343734336437326138393332386363616164656230353634386134396430303964623232353361 
+34396638343566346436616632396538653762623338333063633939626339663330633662343363 +39353161613831303737386635333431616431313966393232626133336638313539363230326332 +34376566653638333731653066633538313062363530636663613162313262393235326362383635 +31663338393261653238323465656435666133356466383730636264393138613032313231333162 +66623531636438386263363436396639663239383037373234613565303861336166363063313431 +39653731623937333039653839643534643335346338616263616266613962396531623666666636 +64656330306430376338396331643135656638313530336337373035653463386439653434366135 +30646639633966626134393931623333376165643966393365383433343637633836643133313064 +33653835633238633931646437613565636236326265343162313163623236353831303230343961 +31373133336632306133356664353363303336376331383635616333346561346235363534303538 +39623334336334386162666165313164623839333238396637333835323231653765646133653339 +35386531376430356633336262653964336362306561666430303562613839623730303034323866 +34353734343561613733313134333761366561333262663263643137306431643762663364666434 +65313239386465633263646265376231336564386238303832313537343865633637373830313032 +33393034323830663535653464326462303039333931356332633532383234333936393735393464 +64306665376238303734306565373930373735303730623437623835663764643134316263363939 +37363039336630313965663463653930313961633032613362663530653766376134336263633832 +32363161623266656130316130313335613966363435383730623636343331336636373030626535 +30363330303435306133386662306563636265616566393436373635313762323566333337616265 +33303733616233656332356230396231313666346332613233303132383537613063396532656330 +36376338323161633036623232343833396333306439306261343039373836373832303539343363 +66376662656630393430343638366230393066313839653863643865633365356631393236643739 +65323564343135373532633731663333626163633239356362313234306438386638336236613433 +62386664356264313264653938333135303861313436653463363731633361373635326663663736 
+63383830396136633630326565336437303162613762386538366436366263363962376338353535 +32613835373264363138366433373338616235653930623334643738623434393032373061396363 +66393335633339653332383664643638323966663462383863333235633232613363663132383735 +63373831396663633261373130366432643030356430313066303863666531326461373835636361 +31313130313336656664376230316266646232356564303638346533636631356430613265366333 +62616161343666616565346638326335646266643765346533623762643039396366623564323964 +3637303531393962393731653663636435313765373030383261 From 0c6e2098224616405401ef022b2fe7ea3e9ae580 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Wed, 11 Mar 2026 15:39:37 +0530 Subject: [PATCH 210/412] Create tls.key --- consul-role/files/tls.key | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) create mode 100644 consul-role/files/tls.key diff --git a/consul-role/files/tls.key b/consul-role/files/tls.key new file mode 100644 index 0000000..a034b01 --- /dev/null +++ b/consul-role/files/tls.key 
@@ -0,0 +1,18 @@ +$ANSIBLE_VAULT;1.1;AES256 +35363165663164346535373537666464623866333963363164643665343235383137346531666336 +3962316134666537653164313731333563323462356239610a303662613932663063653666373634 +61653766646361383964633439343133613864353334623230316263376166626566613564326266 +6230346562383034360a376661376563343762356535386637626339343661636336363231373365 +33616664303737303638346431386265613030303931373138656532633134366666656635613366 +61323231383932613364343164373439656337323234393439373262313563346462373363623939 +34643432363135343162626564383837333364363262316266656430386163353231323565373237 +62636563633138666532623039636138626631303463326237666463613963323362386265303031 +35306635613837666238646531363339316361643234646132656638636433353537653239373465 +32623734363639396438363134393264363566663866363331313333663565616435656430633930 +32633937653666313462613463616434376236333930313437376437646231643231363332346233 +33363465653136626336393162386530313665356336303064363932633561633861356136336563 +38323964633063356330356435646231666539363936376239313866646332376666316266383261 +66633761343538393964656539366264373835623131333061633338616665633436356139353063 +36663434353034336530303438663534393937346439356536346466306630633064633561656432 +64623763343430303333343866383537353366646265323535383733373436383562396338303735 +3932 From 6b6f268bc4bf99f5bb8e2ef3ae72963d5b1b9fd6 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Wed, 11 Mar 2026 15:40:44 +0530 Subject: [PATCH 211/412] Update acl.yml --- consul-role/tasks/acl.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/consul-role/tasks/acl.yml b/consul-role/tasks/acl.yml index ce792cf..02f2b20 100644 --- a/consul-role/tasks/acl.yml +++ b/consul-role/tasks/acl.yml 
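Review bot: The key introduced here replaces one that this series committed in plaintext — patch 204 removes a `-----BEGIN EC PRIVATE KEY-----` block from dc1-server-consul-0-key.pem — and vaulting the replacement does not undo that exposure, since the old key stays recoverable from git history. Unless tls.key is a freshly generated key, it should be treated as compromised and the certificate re-issued; either way the leaked key should be rotated and its certificate no longer trusted. Because a vaulted blob is opaque in review, a short note in the role README or commit message stating how tls.key and tls.crt were generated (and that this is not a re-encryption of the leaked key) would let a reviewer confirm that. No task change is needed for the vault itself: `copy` decrypts vaulted `src` files by default.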
@@ -37,9 +37,8 @@ when: consul_master_token is not defined or consul_master_token == "" environment: CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" - CONSUL_HTTP_SSL_VERIFY: "true" - # This must point to the CA file, not the server cert - CONSUL_CACERT: "{{ consul_config_dir }}/certs/consul-agent-ca.pem" + CONSUL_HTTP_SSL_VERIFY: "false" + CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt" - name: Extract new token from bootstrap output ansible.builtin.set_fact: From 5afac80925456703341ea76511422d82e6262e16 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Wed, 11 Mar 2026 15:43:55 +0530 Subject: [PATCH 212/412] Update acl_policies.yml --- consul-role/tasks/acl_policies.yml | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/consul-role/tasks/acl_policies.yml b/consul-role/tasks/acl_policies.yml index 2f34292..c6709fd 100644 --- a/consul-role/tasks/acl_policies.yml +++ b/consul-role/tasks/acl_policies.yml @@ -12,9 +12,8 @@ path: "{{ consul_config_dir }}/certs/{{ item.file }}" mode: "{{ item.mode }}" loop: - - { file: "consul-agent-ca.pem", mode: "0644" } - - { file: "dc1-server-consul-0.pem", mode: "0644" } - - { file: "dc1-server-consul-0-key.pem", mode: "0600" } + - { file: "tls.crt", mode: "0644" } + - { file: "tls.key", mode: "0640" } become: true - name: Copy policy files @@ -37,9 +36,8 @@ environment: &consul_env CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" - # This must point to the CA file, not the server cert - CONSUL_CACERT: "{{ consul_config_dir }}/certs/consul-agent-ca.pem" - CONSUL_HTTP_SSL_VERIFY: "true" + CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt" + CONSUL_HTTP_SSL_VERIFY: "false" - name: Create Consul policies ansible.builtin.command: > From fa3abe4e13f812834695d7464a49b75ea118e4e3 Mon Sep 17 00:00:00 2001 
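Review bot: `CONSUL_HTTP_SSL_VERIFY: "false"` turns off server-certificate verification for the `consul acl bootstrap` call, which makes the `CONSUL_CACERT` line directly below it dead configuration — once verification is disabled the CA file has no effect. Bootstrap returns the cluster's initial management token, so it is the one request you least want to send to an unverified endpoint; if `consul_bind_addr` is not a loopback address, anything able to intercept that connection can impersonate the server or capture the token. Keep `CONSUL_HTTP_SSL_VERIFY: "true"` and point `CONSUL_CACERT` at the CA that issued tls.crt (tls.crt itself only works if it is self-signed). The removed comment `# This must point to the CA file, not the server cert` was correct and worth keeping. The task this hunk belongs to starts above the hunk.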
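Review bot: The `file` loop in acl_policies.yml now sets tls.key to `mode: "0640"`, while the `copy` task in config.yml (patch 214 in this series) installs the same path with `mode: "0600"`; if both files run in the same play, every run flips the mode back and forth, both tasks report `changed`, and the effective permission depends on task order. Give one task ownership of the permission — the copy that writes the file is the natural owner — and either drop tls.crt/tls.key from this loop or make the modes agree (`- { file: "tls.key", mode: "0600" }`). The private key only needs to be readable by the Consul user, so 0600 is the tighter choice. The task containing this loop begins above the hunk; only its `path`, `mode`, `loop` and `become` lines are visible.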
From: AnithaAnnem Date: Wed, 11 Mar 2026 15:44:20 +0530 Subject: [PATCH 213/412] Update acl_tokens.yml --- consul-role/tasks/acl_tokens.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/consul-role/tasks/acl_tokens.yml b/consul-role/tasks/acl_tokens.yml index 8933de9..cfb92cb 100644 --- a/consul-role/tasks/acl_tokens.yml +++ b/consul-role/tasks/acl_tokens.yml @@ -8,7 +8,7 @@ environment: &consul_env CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" - CONSUL_HTTP_SSL_VERIFY: "true" + CONSUL_HTTP_SSL_VERIFY: "false" CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt" #################################### From 0af6e1cb3344f96a0730818b42dcdcadd32db0ca Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Wed, 11 Mar 2026 15:47:01 +0530 Subject: [PATCH 214/412] Update config.yml --- consul-role/tasks/config.yml | 23 ++++++++--------------- 1 file changed, 8 insertions(+), 15 deletions(-) diff --git a/consul-role/tasks/config.yml b/consul-role/tasks/config.yml index 235bf3d..20f3534 100644 --- a/consul-role/tasks/config.yml +++ b/consul-role/tasks/config.yml @@ -1,4 +1,3 @@ ---- - name: Create TLS cert directory ansible.builtin.file: path: "{{ consul_config_dir }}/certs" 
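Review bot: Flipping `CONSUL_HTTP_SSL_VERIFY` to `"false"` inside the shared `&consul_env` anchor disables certificate verification for every `consul acl` command in acl_tokens.yml, all of which send `CONSUL_HTTP_TOKEN: "{{ consul_master_token }}"` as a header. Sending the management token to an endpoint whose identity is never checked is the opposite of what the `CONSUL_CACERT` line below it is for, and that line has no effect while verification is off. If the motivation is that tls.crt is a leaf certificate the CLI cannot validate against itself, the fix is to ship the issuing CA and reference it from `CONSUL_CACERT`, not to turn verification off. Restore `CONSUL_HTTP_SSL_VERIFY: "true"`. The task owning this `environment` block starts above the hunk.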
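Review bot: Dropping the `---` document-start marker from config.yml is a style regression unrelated to the TLS change: Ansible task files conventionally begin with `---` (yamllint's `document-start` rule flags its absence) and keeping it is harmless. Restore `---` as the first line. The `Create TLS cert directory` task that follows is otherwise untouched by this hunk.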
@@ -7,29 +6,23 @@ group: "{{ consul_group }}" mode: "0750" -- name: Copy CA certificate +- name: Copy TLS certificate ansible.builtin.copy: - src: consul-agent-ca.pem - dest: "{{ consul_config_dir }}/certs/consul-agent-ca.pem" - owner: "{{ consul_user }}" - group: "{{ consul_group }}" - mode: "0644" - -- name: Copy Server certificate - ansible.builtin.copy: - src: dc1-server-consul-0.pem - dest: "{{ consul_config_dir }}/certs/dc1-server-consul-0.pem" + src: tls.crt + dest: "{{ consul_config_dir }}/certs/tls.crt" owner: "{{ consul_user }}" group: "{{ consul_group }}" mode: "0644" + notify: Restart Consul -- name: Copy Server key +- name: Copy TLS private key ansible.builtin.copy: - src: dc1-server-consul-0-key.pem - dest: "{{ consul_config_dir }}/certs/dc1-server-consul-0-key.pem" + src: tls.key + dest: "{{ consul_config_dir }}/certs/tls.key" owner: "{{ consul_user }}" group: "{{ consul_group }}" mode: "0600" + notify: Restart Consul - name: Deploy Consul server configuration ansible.builtin.template: From 590668e83e746ab7d9fec6d2e5fc33a7c0e8cb48 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Wed, 11 Mar 2026 15:47:28 +0530 Subject: [PATCH 215/412] Update rbac.yml --- consul-role/tasks/rbac.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/consul-role/tasks/rbac.yml b/consul-role/tasks/rbac.yml index cb6aedf..cd4366f 100644 --- a/consul-role/tasks/rbac.yml +++ b/consul-role/tasks/rbac.yml @@ -13,9 +13,8 @@ environment: &consul_env CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" - # This must point to the CA file, not the server cert - CONSUL_CACERT: "{{ consul_config_dir }}/certs/consul-agent-ca.pem" - CONSUL_HTTP_SSL_VERIFY: "true" + CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt" + CONSUL_HTTP_SSL_VERIFY: "false" - name: Create read policy ansible.builtin.command: > From f18841a48120d8c0aba108a309fca363c15e0254 Mon Sep 17 00:00:00 2001 
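Review bot: Installing tls.key with `mode: "0600"` and tls.crt with `mode: "0644"` is right, but acl_policies.yml in the same series (patch 212) re-applies `0640` to tls.key, so the two tasks will disagree on every run; keep the mode here and remove the duplicate management there, or make them match. Adding `notify: Restart Consul` to both copies is the correct way to pick up a rotated key or certificate, but the handler name must match what handlers/main.yml defines, which is not visible in this diff. Also note that with the separate CA copy removed, the certs directory no longer holds the CA that issued tls.crt, and the server.hcl template in patch 216 ends up using tls.crt as both `ca_file` and `cert_file` — that only validates if tls.crt is self-signed or a bundle that includes the CA. A one-line comment above the certificate copy stating what tls.crt contains (leaf, self-signed, or chain) would make that assumption reviewable.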
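Review bot: Same problem as the other ACL task files: `CONSUL_HTTP_SSL_VERIFY: "false"` in `&consul_env` means the `CONSUL_CACERT` line above it is ignored and the management token in `CONSUL_HTTP_TOKEN` is sent to a server whose certificate is never checked. Re-enable verification with `CONSUL_HTTP_SSL_VERIFY: "true"` and point `CONSUL_CACERT` at the CA that issued tls.crt rather than at tls.crt itself. The task that owns this `environment` block starts above the hunk.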
From: AnithaAnnem Date: Wed, 11 Mar 2026 15:48:38 +0530 Subject: [PATCH 216/412] Update server.hcl.j2 --- consul-role/templates/server.hcl.j2 | 21 ++++----------------- 1 file changed, 4 insertions(+), 17 deletions(-) diff --git a/consul-role/templates/server.hcl.j2 b/consul-role/templates/server.hcl.j2 index 00ec1a2..b7ac524 100644 --- a/consul-role/templates/server.hcl.j2 +++ b/consul-role/templates/server.hcl.j2 @@ -37,23 +37,10 @@ ports { tls { defaults { - ca_file = "{{ consul_config_dir }}/certs/consul-agent-ca.pem" - cert_file = "{{ consul_config_dir }}/certs/dc1-server-consul-0.pem" - key_file = "{{ consul_config_dir }}/certs/dc1-server-consul-0-key.pem" + ca_file = "{{ consul_config_dir }}/certs/tls.crt" + cert_file = "{{ consul_config_dir }}/certs/tls.crt" + key_file = "{{ consul_config_dir }}/certs/tls.key" - verify_incoming = true - verify_outgoing = true - } - - internal_rpc { - verify_server_hostname = true - } - - https { verify_incoming = false + verify_outgoing = false } -} -# Ensure auto_encrypt is enabled if you want clients to get certs from servers -auto_encrypt { - allow_for_agents = true -} From f76d0ee872738eeed58575542a279dd9a44f36ef Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Wed, 11 Mar 2026 16:05:33 +0530 Subject: [PATCH 217/412] Update server.hcl.j2 --- consul-role/templates/server.hcl.j2 | 2 ++ 1 file changed, 2 insertions(+) diff --git a/consul-role/templates/server.hcl.j2 b/consul-role/templates/server.hcl.j2 index b7ac524..fef8d90 100644 --- a/consul-role/templates/server.hcl.j2 +++ b/consul-role/templates/server.hcl.j2 @@ -37,6 +37,7 @@ ports { tls { defaults { + ca_file = "{{ consul_config_dir }}/certs/tls.crt" cert_file = "{{ consul_config_dir }}/certs/tls.crt" key_file = "{{ consul_config_dir }}/certs/tls.key" @@ -44,3 +45,4 @@ tls { verify_incoming = false verify_outgoing = false } +} From 99a4bccf9cb3e28bd3a98f70a4ffc6773c58e58e Mon Sep 17 00:00:00 2001 
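Review bot: Setting `verify_incoming = false` and `verify_outgoing = false` in `tls.defaults` and deleting `internal_rpc { verify_server_hostname = true }` switches off TLS authentication on the server RPC path: any host that can reach the RPC port can connect without a client certificate, and a server no longer checks that its peer actually holds a server certificate for this datacenter. The new `ca_file = .../tls.crt` also makes the trust anchor the server's own certificate, which only verifies anything if tls.crt is self-signed or contains the issuing CA. The previous layout — strict defaults, `verify_server_hostname` for internal RPC, and `https { verify_incoming = false }` so the ACL commands on 8501 do not need client certificates — was the right shape; restore it and keep a real CA file for `ca_file`. If client agents rely on servers issuing their certificates, the removed `auto_encrypt { allow_for_agents = true }` block has to come back as well.

```hcl
tls {
  defaults {
    # CA that issued tls.crt — must not be the server's own leaf certificate
    ca_file   = "{{ consul_config_dir }}/certs/consul-agent-ca.pem"
    cert_file = "{{ consul_config_dir }}/certs/tls.crt"
    key_file  = "{{ consul_config_dir }}/certs/tls.key"
    verify_incoming = true
    verify_outgoing = true
  }
  internal_rpc {
    verify_server_hostname = true
  }
  https {
    # API/UI on 8501 stays reachable without client certs; ACLs still gate access
    verify_incoming = false
  }
}
```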
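Review bot: The `+ ca_file = .../tls.crt` line this hunk adds to `tls.defaults` duplicates the `ca_file` line that patch 216 already placed in the same block, so the rendered HCL carries the attribute twice; depending on the parser that is either a load error or a silent last-wins, and either way one copy should be removed. The `}` added by the second hunk does repair the brace that 216 left unbalanced, so that part is correct. Independently of the duplicate, `ca_file` should not reference the server's own leaf certificate unless tls.crt is self-signed or a bundle that includes the CA.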
From: AnithaAnnem Date: Wed, 11 Mar 2026 22:17:18 +0530 Subject: [PATCH 218/412] Update read-policy.hcl --- consul-role/files/read-policy.hcl | 9 +-------- 1 file changed, 1 insertion(+), 8 deletions(-) diff --git a/consul-role/files/read-policy.hcl b/consul-role/files/read-policy.hcl index cb2a930..6871898 100644 --- a/consul-role/files/read-policy.hcl +++ b/consul-role/files/read-policy.hcl @@ -1,3 +1,4 @@ +# Allow DNS to find nodes and services node_prefix "" { policy = "read" } @@ -5,11 +6,3 @@ node_prefix "" { service_prefix "" { policy = "read" } - -agent_prefix "" { - policy = "read" -} - -key_prefix "" { - policy = "read" -} From 42e6f96f5b4943739884ad0b9f17749c485028fa Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Wed, 11 Mar 2026 22:36:14 +0530 Subject: [PATCH 219/412] Update main.yml --- consul-role/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/consul-role/defaults/main.yml b/consul-role/defaults/main.yml index 1aa21c8..00c51cb 100644 --- a/consul-role/defaults/main.yml +++ b/consul-role/defaults/main.yml @@ -19,7 +19,7 @@ consul_enable_ui: true # ACL consul_acl_enabled: true consul_acl_default_policy: "deny" -consul_acl_token_persistence: true +consul_acl_token_persistence: false consul_agent_token: "" consul_client_addr: "0.0.0.0" From 998fbc501928a6b967e035a6020d8c339acfd3bc Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Thu, 12 Mar 2026 12:54:53 +0530 Subject: [PATCH 220/412] Update read-policy.hcl --- consul-role/files/read-policy.hcl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/consul-role/files/read-policy.hcl b/consul-role/files/read-policy.hcl index 6871898..f3e1480 100644 --- a/consul-role/files/read-policy.hcl +++ b/consul-role/files/read-policy.hcl @@ -4,5 +4,5 @@ node_prefix "" { } service_prefix "" { - policy = "read" + policy = "write" } From b593bb50cb1c8bdee02a2a6e8802ea903ac7b12b Mon Sep 17 00:00:00 2001 
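Review bot: Changing `service_prefix "" { policy = "write" }` in read-policy.hcl gives every token bound to this policy write access to every service in the catalog — it can register, overwrite or deregister any service, including pointing another service's name at its own address — which contradicts both the file name and the `# Allow DNS to find nodes and services` comment added two patches earlier. DNS lookups and service discovery need only `read`. If some agent or job genuinely must register services, give it a separate policy scoped to the names it owns (`service "<its-name>" { policy = "write" }`) and keep this file at `policy = "read"`.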
From: AnithaAnnem Date: Fri, 13 Mar 2026 10:59:34 +0530 Subject: [PATCH 221/412] Update main.yml --- consul-role/defaults/main.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/consul-role/defaults/main.yml b/consul-role/defaults/main.yml index 00c51cb..76cde6f 100644 --- a/consul-role/defaults/main.yml +++ b/consul-role/defaults/main.yml @@ -26,3 +26,7 @@ consul_client_addr: "0.0.0.0" # Gossip Encryption consul_gossip_key: "" + +# Monitoring +consul_telemetry_enabled: true +consul_prometheus_retention: "60s" From 8387744f3d50aa7b602288b1061d48ecf2091d03 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Fri, 13 Mar 2026 11:01:40 +0530 Subject: [PATCH 222/412] Update server.hcl.j2 --- consul-role/templates/server.hcl.j2 | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/consul-role/templates/server.hcl.j2 b/consul-role/templates/server.hcl.j2 index fef8d90..2a909df 100644 --- a/consul-role/templates/server.hcl.j2 +++ b/consul-role/templates/server.hcl.j2 @@ -18,6 +18,11 @@ retry_join = [ {% endfor %} ] +telemetry { + prometheus_retention_time = "{{ consul_prometheus_retention }}" + disable_hostname = true +} + acl { enabled = {{ consul_acl_enabled | lower }} default_policy = "{{ consul_acl_default_policy }}" From 1db7e125276b64ad787a1ced8234b4e63e1fba49 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Fri, 13 Mar 2026 11:02:36 +0530 Subject: [PATCH 223/412] Create monitoring-policy.hcl.j2 --- consul-role/templates/policies/monitoring-policy.hcl.j2 | 9 +++++++++ 1 file changed, 9 insertions(+) create mode 100644 consul-role/templates/policies/monitoring-policy.hcl.j2 diff --git a/consul-role/templates/policies/monitoring-policy.hcl.j2 b/consul-role/templates/policies/monitoring-policy.hcl.j2 new file mode 100644 index 0000000..d96bc6d --- /dev/null +++ b/consul-role/templates/policies/monitoring-policy.hcl.j2 @@ -0,0 +1,9 @@ +agent_prefix "" { + policy = "read" +} +node_prefix "" { + policy = "read" +} +service_prefix "" { + policy = "read" +} 
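Review bot: The new `telemetry { ... }` block in server.hcl.j2 is rendered unconditionally, so the `consul_telemetry_enabled` default added in patch 221 is never read and setting it to `false` changes nothing. Wrap the block in `{% if consul_telemetry_enabled %}` / `{% endif %}` so the variable is honored, or drop the variable. With `default_policy = "deny"`, the metrics endpoint should still require a token carrying `agent:read` — which is what the monitoring policy added in patch 223 grants — so a one-line comment above the block noting that dependency would save the next reader a trip to the docs.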
From 96071b8487124ffd6f9c6e4e9cdcf9810ede1001 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Fri, 13 Mar 2026 11:03:52 +0530 Subject: [PATCH 224/412] Update acl_policies.yml --- consul-role/tasks/acl_policies.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/consul-role/tasks/acl_policies.yml b/consul-role/tasks/acl_policies.yml index c6709fd..bded614 100644 --- a/consul-role/tasks/acl_policies.yml +++ b/consul-role/tasks/acl_policies.yml @@ -25,6 +25,7 @@ - agent-policy - service-policy - readonly-policy + - monitoring-policy - name: List existing policies From 3c3009dc9226497de6fd95d4abcbc9159b0afb04 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Fri, 13 Mar 2026 11:04:54 +0530 Subject: [PATCH 225/412] Update acl_tokens.yml --- consul-role/tasks/acl_tokens.yml | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) diff --git a/consul-role/tasks/acl_tokens.yml b/consul-role/tasks/acl_tokens.yml index cfb92cb..f22cb5c 100644 --- a/consul-role/tasks/acl_tokens.yml +++ b/consul-role/tasks/acl_tokens.yml 
@@ -78,3 +78,34 @@ - service_token_output.stdout is defined - "'SecretID' in service_token_output.stdout" run_once: true + + #################################### +# Monitoring +#################################### + +- name: Check if monitoring token exists on disk + ansible.builtin.stat: + path: "{{ consul_config_dir }}/prometheus.token" + register: prom_token_stat + +- name: Create Prometheus monitoring token + ansible.builtin.command: > + consul acl token create + -description "Prometheus Metrics Token" + -policy-name monitoring-policy + register: prom_token_output + when: + - not prom_token_stat.stat.exists + - "'Prometheus Metrics Token' not in existing_tokens.stdout" + run_once: true + environment: *consul_env + +- name: Save Prometheus token + ansible.builtin.copy: + content: "{{ prom_token_output.stdout | regex_search('SecretID:\\s+([a-fA-F0-9-]+)', '\\1') | first }}" + dest: "{{ consul_config_dir }}/prometheus.token" + owner: "{{ consul_user }}" + group: "{{ consul_group }}" + mode: "0600" + when: prom_token_output.changed + run_once: true From 2eb18693916dc48fa6b40b142dfff03234fad3bb Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Fri, 13 Mar 2026 11:17:35 +0530 Subject: [PATCH 226/412] Update acl_policies.yml --- consul-role/tasks/acl_policies.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/consul-role/tasks/acl_policies.yml b/consul-role/tasks/acl_policies.yml index bded614..e5440a7 100644 --- a/consul-role/tasks/acl_policies.yml +++ b/consul-role/tasks/acl_policies.yml @@ -49,6 +49,7 @@ - agent-policy - service-policy - readonly-policy + - monitoring-policy when: item not in existing_policies.stdout run_once: true environment: *consul_env From b75381762faec77bb8389a5a00a7158698ad474c Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Fri, 13 Mar 2026 11:44:32 +0530 Subject: [PATCH 227/412] Update acl_tokens.yml --- consul-role/tasks/acl_tokens.yml | 1 - 1 file changed, 1 deletion(-) 
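Review bot: The output of `consul acl token create` is registered as `prom_token_output` and the `Save Prometheus token` task renders the SecretID into `content`, but neither task sets `no_log: true`, so the secret is printed by `-v`/`--diff` and ends up in any CI log that captures the play. Add `no_log: true` to the create and save tasks (the same applies to the set_fact/copy tasks in patches 230 and 232). The dedup condition `"'Prometheus Metrics Token' not in existing_tokens.stdout"` also means a token that already exists in Consul but has no file on disk is neither created nor saved; `existing_tokens` is registered outside the hunk, so I cannot see whether its listing format makes that substring match reliable.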
diff --git a/consul-role/tasks/acl_tokens.yml b/consul-role/tasks/acl_tokens.yml index f22cb5c..74a11db 100644 --- a/consul-role/tasks/acl_tokens.yml +++ b/consul-role/tasks/acl_tokens.yml @@ -43,7 +43,6 @@ - not agent_token_stat.stat.exists - agent_token_output.stdout is defined - "'SecretID' in agent_token_output.stdout" - run_once: true #################################### # Service Token From bc19e91cb399ad52c70a585d1d30e9f6fc2c84fa Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Fri, 13 Mar 2026 12:08:09 +0530 Subject: [PATCH 228/412] Update acl_tokens.yml --- consul-role/tasks/acl_tokens.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/consul-role/tasks/acl_tokens.yml b/consul-role/tasks/acl_tokens.yml index 74a11db..f901b71 100644 --- a/consul-role/tasks/acl_tokens.yml +++ b/consul-role/tasks/acl_tokens.yml @@ -107,4 +107,3 @@ group: "{{ consul_group }}" mode: "0600" when: prom_token_output.changed - run_once: true From fe81b1b487e896a6d5c58eec05fff28ebd5e4312 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Fri, 13 Mar 2026 12:12:58 +0530 Subject: [PATCH 229/412] Create prometheus-consul.yml.j2 --- .../templates/prometheus-consul.yml.j2 | 27 +++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 consul-role/templates/prometheus-consul.yml.j2 diff --git a/consul-role/templates/prometheus-consul.yml.j2 b/consul-role/templates/prometheus-consul.yml.j2 new file mode 100644 index 0000000..842060e --- /dev/null +++ b/consul-role/templates/prometheus-consul.yml.j2 
@@ -0,0 +1,27 @@ +# Prometheus scrape configuration for Consul Cluster +scrape_configs: + - job_name: 'consul-cluster' + scheme: https + metrics_path: '/v1/agent/metrics' + params: + format: ['prometheus'] + tls_config: + insecure_skip_verify: true + # This matches your Envoy DNS name + server_name: "consul.opstree.dev" + + # This pulls the token that was generated in your acl_tokens.yml task + bearer_token: "{{ consul_prometheus_token }}" + + static_configs: + - targets: +{% for host in play_hosts %} + - "{{ hostvars[host]['ansible_host'] }}:8501" +{% endfor %} + + # This cleans up the labels in Prometheus so you see the IP instead of IP:8501 + relabel_configs: + - source_labels: [__address__] + target_label: instance + regex: '([^:]+)(?::\d+)?' + replacement: '${1}' From 098bc8a5aac38dabbadddac01c5912c978e24626 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Fri, 13 Mar 2026 12:13:43 +0530 Subject: [PATCH 230/412] Update acl_tokens.yml --- consul-role/tasks/acl_tokens.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/consul-role/tasks/acl_tokens.yml b/consul-role/tasks/acl_tokens.yml index f901b71..a8ddacc 100644 --- a/consul-role/tasks/acl_tokens.yml +++ b/consul-role/tasks/acl_tokens.yml @@ -107,3 +107,9 @@ group: "{{ consul_group }}" mode: "0600" when: prom_token_output.changed + +- name: Set Prometheus token fact for use in templates + ansible.builtin.set_fact: + consul_prometheus_token: "{{ prom_token_output.stdout | regex_search('SecretID:\\s+([a-fA-F0-9-]+)', '\\1') | first }}" + when: prom_token_output.changed + run_once: true From d44ee3b4f54c7412c34232516440e22774f949c1 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Fri, 13 Mar 2026 12:24:23 +0530 Subject: [PATCH 231/412] Update acl_tokens.yml --- consul-role/tasks/acl_tokens.yml | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/consul-role/tasks/acl_tokens.yml b/consul-role/tasks/acl_tokens.yml index a8ddacc..8e1bbff 100644 --- a/consul-role/tasks/acl_tokens.yml 
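Review bot: `insecure_skip_verify: true` under `tls_config` disables certificate checking while `bearer_token` carries the Prometheus ACL token, so the token is handed to whatever answers on port 8501 — `server_name` verifies nothing once verification is skipped. Point `ca_file` at the cluster CA and drop `insecure_skip_verify`, and prefer `bearer_token_file: <path to the 0600 prometheus.token file>` over embedding the secret in the rendered scrape config, which is usually not permission-restricted the way the token file is. Separately, `{% for host in play_hosts %}` uses the deprecated `play_hosts` variable while the rest of the role (patch 231) uses `ansible_play_hosts`.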
+++ b/consul-role/tasks/acl_tokens.yml @@ -99,14 +99,16 @@ run_once: true environment: *consul_env -- name: Save Prometheus token +- name: Save Prometheus token to all nodes ansible.builtin.copy: - content: "{{ prom_token_output.stdout | regex_search('SecretID:\\s+([a-fA-F0-9-]+)', '\\1') | first }}" + # Use hostvars to get the token from the first host where it was generated + content: "{{ hostvars[ansible_play_hosts[0]]['prom_token_output']['stdout'] | regex_search('SecretID:\\s+([a-fA-F0-9-]+)', '\\1') | first }}" dest: "{{ consul_config_dir }}/prometheus.token" owner: "{{ consul_user }}" group: "{{ consul_group }}" mode: "0600" - when: prom_token_output.changed + become: true + # Remove run_once so it saves to all 3 nodes - name: Set Prometheus token fact for use in templates ansible.builtin.set_fact: From 3156d4a40f056c286a9057b88adf11fdf185daa3 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Fri, 13 Mar 2026 12:30:01 +0530 Subject: [PATCH 232/412] Update acl_tokens.yml --- consul-role/tasks/acl_tokens.yml | 44 ++++++++++++++++++++------------ 1 file changed, 28 insertions(+), 16 deletions(-) diff --git a/consul-role/tasks/acl_tokens.yml b/consul-role/tasks/acl_tokens.yml index 8e1bbff..b33cd41 100644 --- a/consul-role/tasks/acl_tokens.yml +++ b/consul-role/tasks/acl_tokens.yml 
@@ -78,40 +78,52 @@ - "'SecretID' in service_token_output.stdout" run_once: true - #################################### -# Monitoring +#################################### +# Monitoring Token Logic #################################### -- name: Check if monitoring token exists on disk +- name: Check if monitoring token exists on disk (Node 1) ansible.builtin.stat: path: "{{ consul_config_dir }}/prometheus.token" - register: prom_token_stat + register: prom_token_stat_node1 + run_once: true + delegate_to: "{{ ansible_play_hosts[0] }}" -- name: Create Prometheus monitoring token +- name: Create Prometheus monitoring token if missing ansible.builtin.command: > consul acl token create -description "Prometheus Metrics Token" -policy-name monitoring-policy register: prom_token_output when: - - not prom_token_stat.stat.exists + - not prom_token_stat_node1.stat.exists - "'Prometheus Metrics Token' not in existing_tokens.stdout" run_once: true environment: *consul_env -- name: Save Prometheus token to all nodes +- name: Slurp existing token if it was already on disk + ansible.builtin.slurp: + src: "{{ consul_config_dir }}/prometheus.token" + register: slurped_prom_token + when: prom_token_stat_node1.stat.exists + run_once: true + delegate_to: "{{ ansible_play_hosts[0] }}" + +- name: Set Prometheus token fact + ansible.builtin.set_fact: + consul_prometheus_token: >- + {{ + (prom_token_output.stdout | regex_search('SecretID:\s+([a-fA-F0-9-]+)', '\1') | first) + if (prom_token_output.changed) + else (slurped_prom_token.content | b64decode | trim) + }} + run_once: true + +- name: Ensure Prometheus token is on all nodes ansible.builtin.copy: - # Use hostvars to get the token from the first host where it was generated - content: "{{ hostvars[ansible_play_hosts[0]]['prom_token_output']['stdout'] | regex_search('SecretID:\\s+([a-fA-F0-9-]+)', '\\1') | first }}" + content: "{{ hostvars[ansible_play_hosts[0]]['consul_prometheus_token'] }}" dest: "{{ consul_config_dir 
}}/prometheus.token" owner: "{{ consul_user }}" group: "{{ consul_group }}" mode: "0600" become: true - # Remove run_once so it saves to all 3 nodes - -- name: Set Prometheus token fact for use in templates - ansible.builtin.set_fact: - consul_prometheus_token: "{{ prom_token_output.stdout | regex_search('SecretID:\\s+([a-fA-F0-9-]+)', '\\1') | first }}" - when: prom_token_output.changed - run_once: true From 1076834415e31a85e76e5eb265c91bb3f4e766ed Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Fri, 13 Mar 2026 15:16:14 +0530 Subject: [PATCH 233/412] Update main.yml --- consul-role/vars/main.yml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/consul-role/vars/main.yml b/consul-role/vars/main.yml index 5092e2d..c545c5a 100644 --- a/consul-role/vars/main.yml +++ b/consul-role/vars/main.yml @@ -26,3 +26,10 @@ consul_gossip_key: !vault | 3937633962373832620a353432336365323433306165633264363638353235643666633564393761 61353532316133616630396362333265316132333038323639396139333761326537636330346334 3336343330373533333435306264313430313662346364643637 + + + +# Divya's Keycloak Details for POC +poc_service_name: "keycloak" +poc_service_ip: "192.168.8.30" +poc_service_port: 8080 From f9942f0fd6d99e2f2cedc4b94134725fd3da5cf8 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Fri, 13 Mar 2026 15:17:40 +0530 Subject: [PATCH 234/412] Create keycloak-service.json.j2 --- consul-role/templates/keycloak-service.json.j2 | 14 ++++++++++++++ 1 file changed, 14 insertions(+) create mode 100644 consul-role/templates/keycloak-service.json.j2 diff --git a/consul-role/templates/keycloak-service.json.j2 b/consul-role/templates/keycloak-service.json.j2 new file mode 100644 index 0000000..fe15f00 --- /dev/null +++ b/consul-role/templates/keycloak-service.json.j2 
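Review bot: `Set Prometheus token fact` fails with an undefined `slurped_prom_token.content` whenever the token already exists in Consul but `prometheus.token` is missing on node 1: the create task is skipped by the `'Prometheus Metrics Token' not in existing_tokens.stdout` condition and the slurp task is skipped by `when: prom_token_stat_node1.stat.exists`, so neither branch of the `if … else …` expression has a value. Handle that state explicitly (an `ansible.builtin.fail` with a clear message, or a step that reads the existing token's SecretID) or drop the description check so the on-disk file is the single source of truth. The create task also runs `run_once` without `delegate_to`, whereas stat and slurp are delegated to `ansible_play_hosts[0]`; pinning all three to the same host avoids a mismatch under `serial`. `existing_tokens` is registered outside the hunk.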
@@ -0,0 +1,14 @@ +{ + "service": { + "name": "{{ poc_service_name }}", + "address": "{{ poc_service_ip }}", + "port": {{ poc_service_port }}, + "check": { + "id": "keycloak-check", + "name": "Keycloak Port Listen Check", + "tcp": "{{ poc_service_ip }}:{{ poc_service_port }}", + "interval": "10s", + "timeout": "2s" + } + } +} From 42b7c83822da4c6f9989536d2e8f1f142c6a1528 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Fri, 13 Mar 2026 15:18:22 +0530 Subject: [PATCH 235/412] Update config.yml --- consul-role/tasks/config.yml | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/consul-role/tasks/config.yml b/consul-role/tasks/config.yml index 20f3534..f4f1776 100644 --- a/consul-role/tasks/config.yml +++ b/consul-role/tasks/config.yml @@ -32,3 +32,13 @@ group: "{{ consul_group }}" mode: "0640" notify: Restart Consul + + +- name: Register Keycloak POC Service + ansible.builtin.template: + src: keycloak-service.json.j2 + dest: "{{ consul_config_dir }}/keycloak.json" + owner: "{{ consul_user }}" + group: "{{ consul_group }}" + mode: "0640" + notify: Restart Consul From ef53ef9c2aa7af79f6a97e3a8397127ca59bab93 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Fri, 13 Mar 2026 15:35:18 +0530 Subject: [PATCH 236/412] Update keycloak-service.json.j2 --- consul-role/templates/keycloak-service.json.j2 | 1 + 1 file changed, 1 insertion(+) diff --git a/consul-role/templates/keycloak-service.json.j2 b/consul-role/templates/keycloak-service.json.j2 index fe15f00..046ab07 100644 --- a/consul-role/templates/keycloak-service.json.j2 +++ b/consul-role/templates/keycloak-service.json.j2 @@ -3,6 +3,7 @@ "name": "{{ poc_service_name }}", "address": "{{ poc_service_ip }}", "port": {{ poc_service_port }}, + "token": "{{ lookup('file', '/etc/consul.d/service.token') }}", "check": { "id": "keycloak-check", "name": "Keycloak Port Listen Check", From e90fedac36a6d616d8b91d9497ad3472ba3812b3 Mon Sep 17 00:00:00 2001 
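Review bot: `Register Keycloak POC Service` notifies `Restart Consul` for a service-definition file, and because config.yml runs on every server host the same service is registered once per agent node (three catalog entries with the same address, if this role targets the 3-node cluster the token tasks mention). Service definitions are picked up by `consul reload`, so a `Reload Consul` handler would avoid bouncing every server to add a POC service, and registering it from one node (`run_once` plus `delegate_to`) avoids the duplicate entries. I cannot see the handlers file, so the reload handler may need to be added.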
From: AnithaAnnem Date: Fri, 13 Mar 2026 15:38:34 +0530 Subject: [PATCH 237/412] Update config.yml --- consul-role/tasks/config.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/consul-role/tasks/config.yml b/consul-role/tasks/config.yml index f4f1776..f5f83ef 100644 --- a/consul-role/tasks/config.yml +++ b/consul-role/tasks/config.yml @@ -34,6 +34,11 @@ notify: Restart Consul +- name: Read service token from server + ansible.builtin.slurp: + src: "{{ consul_config_dir }}/service.token" + register: remote_service_token + - name: Register Keycloak POC Service ansible.builtin.template: src: keycloak-service.json.j2 @@ -41,4 +46,7 @@ owner: "{{ consul_user }}" group: "{{ consul_group }}" mode: "0640" + vars: + # This decodes the base64 token from the remote server + actual_service_token: "{{ remote_service_token['content'] | b64decode | trim }}" notify: Restart Consul From 2ee4ac92208c0214a95be391f36f479c8a548ca6 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Fri, 13 Mar 2026 15:39:08 +0530 Subject: [PATCH 238/412] Update keycloak-service.json.j2 --- consul-role/templates/keycloak-service.json.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/consul-role/templates/keycloak-service.json.j2 b/consul-role/templates/keycloak-service.json.j2 index 046ab07..c9ae8a8 100644 --- a/consul-role/templates/keycloak-service.json.j2 +++ b/consul-role/templates/keycloak-service.json.j2 @@ -3,7 +3,7 @@ "name": "{{ poc_service_name }}", "address": "{{ poc_service_ip }}", "port": {{ poc_service_port }}, - "token": "{{ lookup('file', '/etc/consul.d/service.token') }}", + "token": "{{ actual_service_token }}", "check": { "id": "keycloak-check", "name": "Keycloak Port Listen Check", From 6801ff60e210e8c913c767b248803a3c149ee4c7 Mon Sep 17 00:00:00 2001 
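Review bot: `actual_service_token` is rendered into `keycloak.json` with `mode: "0640"`, so the service ACL token becomes readable by everyone in `consul_group`, whereas the token files this role writes use `0600`; with the token embedded, the service definition deserves the same `mode: "0600"`. The slurp and template tasks also print the decoded token in `--diff`/verbose output, so add `no_log: true` to both. Whether `{{ consul_config_dir }}/service.token` is present on every host that config.yml targets is outside this hunk; the slurp has no `delegate_to`, so it will fail on any host where the file was never written.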
From: AnithaAnnem Date: Fri, 13 Mar 2026 15:52:04 +0530 Subject: [PATCH 239/412] Update keycloak-service.json.j2 --- consul-role/templates/keycloak-service.json.j2 | 9 +-------- 1 file changed, 1 insertion(+), 8 deletions(-) diff --git a/consul-role/templates/keycloak-service.json.j2 b/consul-role/templates/keycloak-service.json.j2 index c9ae8a8..248346f 100644 --- a/consul-role/templates/keycloak-service.json.j2 +++ b/consul-role/templates/keycloak-service.json.j2 @@ -3,13 +3,6 @@ "name": "{{ poc_service_name }}", "address": "{{ poc_service_ip }}", "port": {{ poc_service_port }}, - "token": "{{ actual_service_token }}", - "check": { - "id": "keycloak-check", - "name": "Keycloak Port Listen Check", - "tcp": "{{ poc_service_ip }}:{{ poc_service_port }}", - "interval": "10s", - "timeout": "2s" - } + "token": "{{ actual_service_token }}" } } From 744e85611b2ae88f0c62b1e3f49d3089e6ac57cf Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Mon, 16 Mar 2026 09:35:09 +0530 Subject: [PATCH 240/412] Update keycloak-service.json.j2 --- consul-role/templates/keycloak-service.json.j2 | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/consul-role/templates/keycloak-service.json.j2 b/consul-role/templates/keycloak-service.json.j2 index 248346f..e5bf49e 100644 --- a/consul-role/templates/keycloak-service.json.j2 +++ b/consul-role/templates/keycloak-service.json.j2 @@ -3,6 +3,12 @@ "name": "{{ poc_service_name }}", "address": "{{ poc_service_ip }}", "port": {{ poc_service_port }}, - "token": "{{ actual_service_token }}" + "token": "{{ actual_service_token }}", + "check": { + "name": "Keycloak Port Listen Check", + "tcp": "{{ poc_service_ip }}:{{ poc_service_port }}", + "interval": "10s", + "timeout": "2s" + } } } From 10fc05c229993e962e3f24dde9243ef4eda41e6e Mon Sep 17 00:00:00 2001 
From: AnithaAnnem Date: Tue, 17 Mar 2026 09:31:46 +0530 Subject: [PATCH 241/412] Update keycloak-service.json.j2 --- consul-role/templates/keycloak-service.json.j2 | 1 - 1 file changed, 1 deletion(-) diff --git a/consul-role/templates/keycloak-service.json.j2 b/consul-role/templates/keycloak-service.json.j2 index e5bf49e..54929ab 100644 --- a/consul-role/templates/keycloak-service.json.j2 +++ b/consul-role/templates/keycloak-service.json.j2 @@ -1,7 +1,6 @@ { "service": { "name": "{{ poc_service_name }}", - "address": "{{ poc_service_ip }}", "port": {{ poc_service_port }}, "token": "{{ actual_service_token }}", "check": { From 630defe8a4398bf7115e741fd56211026886c378 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Tue, 17 Mar 2026 09:32:05 +0530 Subject: [PATCH 242/412] Update main.yml --- consul-role/vars/main.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/consul-role/vars/main.yml b/consul-role/vars/main.yml index c545c5a..402b180 100644 --- a/consul-role/vars/main.yml +++ b/consul-role/vars/main.yml @@ -31,5 +31,4 @@ consul_gossip_key: !vault | # Divya's Keycloak Details for POC poc_service_name: "keycloak" -poc_service_ip: "192.168.8.30" poc_service_port: 8080 From 28ab8c91032dc219e603654b32ef44e1b388647a Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Thu, 19 Mar 2026 11:16:15 +0530 Subject: [PATCH 243/412] Update config.yml --- consul-role/tasks/config.yml | 46 ++++++++++++++++++------------------ 1 file changed, 23 insertions(+), 23 deletions(-) diff --git a/consul-role/tasks/config.yml b/consul-role/tasks/config.yml index f5f83ef..8e8c076 100644 --- a/consul-role/tasks/config.yml +++ b/consul-role/tasks/config.yml 
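Review bot: Removing `poc_service_ip` from vars/main.yml leaves a dangling reference: the template's health check still renders `"tcp": "{{ poc_service_ip }}:{{ poc_service_port }}"` (visible as context in patches 240 and 258), so `Register Keycloak POC Service` will fail with an undefined-variable error once this lands. Either keep the variable or change the check to the address the service is now registered under, e.g. `"tcp": "{{ consul_bind_addr }}:{{ poc_service_port }}"`. A POC address also belongs in defaults/main.yml rather than vars/main.yml, where role vars override inventory and cannot be changed per environment.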
@@ -1,28 +1,28 @@ -- name: Create TLS cert directory - ansible.builtin.file: - path: "{{ consul_config_dir }}/certs" - state: directory - owner: "{{ consul_user }}" - group: "{{ consul_group }}" - mode: "0750" +# - name: Create TLS cert directory +# ansible.builtin.file: +# path: "{{ consul_config_dir }}/certs" +# state: directory +# owner: "{{ consul_user }}" +# group: "{{ consul_group }}" +# mode: "0750" -- name: Copy TLS certificate - ansible.builtin.copy: - src: tls.crt - dest: "{{ consul_config_dir }}/certs/tls.crt" - owner: "{{ consul_user }}" - group: "{{ consul_group }}" - mode: "0644" - notify: Restart Consul +# - name: Copy TLS certificate +# ansible.builtin.copy: +# src: tls.crt +# dest: "{{ consul_config_dir }}/certs/tls.crt" +# owner: "{{ consul_user }}" +# group: "{{ consul_group }}" +# mode: "0644" +# notify: Restart Consul -- name: Copy TLS private key - ansible.builtin.copy: - src: tls.key - dest: "{{ consul_config_dir }}/certs/tls.key" - owner: "{{ consul_user }}" - group: "{{ consul_group }}" - mode: "0600" - notify: Restart Consul +# - name: Copy TLS private key +# ansible.builtin.copy: +# src: tls.key +# dest: "{{ consul_config_dir }}/certs/tls.key" +# owner: "{{ consul_user }}" +# group: "{{ consul_group }}" +# mode: "0600" +# notify: Restart Consul - name: Deploy Consul server configuration ansible.builtin.template: From fd1ecda349befb7e2d673f703714af3eaef2ab7b Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Thu, 19 Mar 2026 11:17:45 +0530 Subject: [PATCH 244/412] Update acl_policies.yml --- consul-role/tasks/acl_policies.yml | 52 +++++++++++++++--------------- 1 file changed, 26 insertions(+), 26 deletions(-) diff --git a/consul-role/tasks/acl_policies.yml b/consul-role/tasks/acl_policies.yml index e5440a7..58b3f0a 100644 --- a/consul-role/tasks/acl_policies.yml +++ b/consul-role/tasks/acl_policies.yml 
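Review bot: The TLS directory and certificate tasks are commented out rather than guarded, which leaves about 25 lines of dead YAML at the top of config.yml and, together with patches 244–246 and 248, removes transport security from the API the ACL bootstrap and token tasks use. If TLS has to be switched off for a POC, gate these tasks with `when: consul_tls_enabled | bool` on a new `consul_tls_enabled: false` default instead of editing them out in place, so the secure path stays testable and the choice is one explicit variable rather than a series of `#` edits across five files. The same comment-out pattern appears in patches 244, 259 and 260.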
@@ -1,31 +1,31 @@ --- -- name: Ensure certificate directory is accessible - ansible.builtin.file: - path: "{{ consul_config_dir }}/certs" - state: directory - mode: "0755" - become: true +# - name: Ensure certificate directory is accessible +# ansible.builtin.file: +# path: "{{ consul_config_dir }}/certs" +# state: directory +# mode: "0755" +# become: true -- name: Fix certificate file permissions - ansible.builtin.file: - path: "{{ consul_config_dir }}/certs/{{ item.file }}" - mode: "{{ item.mode }}" - loop: - - { file: "tls.crt", mode: "0644" } - - { file: "tls.key", mode: "0640" } - become: true +# - name: Fix certificate file permissions +# ansible.builtin.file: +# path: "{{ consul_config_dir }}/certs/{{ item.file }}" +# mode: "{{ item.mode }}" +# loop: +# - { file: "tls.crt", mode: "0644" } +# - { file: "tls.key", mode: "0640" } +# become: true -- name: Copy policy files - ansible.builtin.template: - src: "policies/{{ item }}.hcl.j2" - dest: "/tmp/{{ item }}.hcl" - mode: "0644" - loop: - - agent-policy - - service-policy - - readonly-policy - - monitoring-policy +# - name: Copy policy files +# ansible.builtin.template: +# src: "policies/{{ item }}.hcl.j2" +# dest: "/tmp/{{ item }}.hcl" +# mode: "0644" +# loop: +# - agent-policy +# - service-policy +# - readonly-policy +# - monitoring-policy - name: List existing policies @@ -37,8 +37,8 @@ environment: &consul_env CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" - CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt" - CONSUL_HTTP_SSL_VERIFY: "false" + #CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt" + #CONSUL_HTTP_SSL_VERIFY: "false" - name: Create Consul policies ansible.builtin.command: > From 5f9560c3827f3aac1b1141bb7157fffa31866deb Mon Sep 17 00:00:00 2001 
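Review bot: Commenting out `Copy policy files` removes the task that rendered `/tmp/<policy>.hcl`, but the `Create Consul policies` loop (patch 226 shows it at line 49 of this file) still iterates the same four policy names; if that command reads the rendered `.hcl` files — its body is outside the hunk — policy creation will now fail on a fresh host with a missing-file error. Either restore the template task or drop the rules files from the create command. The certificate-permission tasks above it are unrelated to policies and would be better guarded by a TLS flag than commented out.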
From: AnithaAnnem Date: Thu, 19 Mar 2026 11:19:07 +0530 Subject: [PATCH 245/412] Update acl_tokens.yml --- consul-role/tasks/acl_tokens.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/consul-role/tasks/acl_tokens.yml b/consul-role/tasks/acl_tokens.yml index b33cd41..16981da 100644 --- a/consul-role/tasks/acl_tokens.yml +++ b/consul-role/tasks/acl_tokens.yml @@ -8,8 +8,8 @@ environment: &consul_env CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" - CONSUL_HTTP_SSL_VERIFY: "false" - CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt" + #CONSUL_HTTP_SSL_VERIFY: "false" + #CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt" #################################### # Agent Token From e0375e30ed29fba3e0e26707b9edfe4e7eafc512 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Thu, 19 Mar 2026 11:21:53 +0530 Subject: [PATCH 246/412] Update server.hcl.j2 --- consul-role/templates/server.hcl.j2 | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/consul-role/templates/server.hcl.j2 b/consul-role/templates/server.hcl.j2 index 2a909df..68287d4 100644 --- a/consul-role/templates/server.hcl.j2 +++ b/consul-role/templates/server.hcl.j2 @@ -40,14 +40,14 @@ ports { https = 8501 } -tls { - defaults { +#tls { + #defaults { - ca_file = "{{ consul_config_dir }}/certs/tls.crt" - cert_file = "{{ consul_config_dir }}/certs/tls.crt" - key_file = "{{ consul_config_dir }}/certs/tls.key" + #ca_file = "{{ consul_config_dir }}/certs/tls.crt" + #cert_file = "{{ consul_config_dir }}/certs/tls.crt" + #key_file = "{{ consul_config_dir }}/certs/tls.key" - verify_incoming = false - verify_outgoing = false + #verify_incoming = false + #verify_outgoing = false } } From 6f37d270c76a11a4a399f6451447aea6fbf7b1d3 Mon Sep 17 00:00:00 2001 
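Review bot: Only the opening lines are commented (`#tls {`, `#defaults {`) while the two closing `}` lines remain as live context at the end of the hunk, so the rendered server.hcl now contains two unmatched braces and Consul will refuse to parse its configuration. Comment out or remove the closing braces too, or better, wrap the whole block in `{% if consul_tls_enabled %}` … `{% endif %}` so it can be re-enabled without editing the template. Patch 248 still shows `#tls {` as context, so the imbalance persists there.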
From: AnithaAnnem Date: Thu, 19 Mar 2026 11:23:28 +0530 Subject: [PATCH 247/412] Update server.hcl.j2 --- consul-role/templates/server.hcl.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/consul-role/templates/server.hcl.j2 b/consul-role/templates/server.hcl.j2 index 68287d4..4c9b24f 100644 --- a/consul-role/templates/server.hcl.j2 +++ b/consul-role/templates/server.hcl.j2 @@ -1,6 +1,6 @@ node_name = "{{ consul_node_name }}" bind_addr = "{{ consul_bind_addr }}" -client_addr = "0.0.0.0" +client_addr = "{{ consul_client_addr }}" data_dir = "{{ consul_data_dir }}" encrypt = "{{ consul_gossip_key }}" From aa8c5eef5ddb6a1695f46dd81cc544d0db3f8a98 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Thu, 19 Mar 2026 11:40:26 +0530 Subject: [PATCH 248/412] Update server.hcl.j2 --- consul-role/templates/server.hcl.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/consul-role/templates/server.hcl.j2 b/consul-role/templates/server.hcl.j2 index 4c9b24f..706117f 100644 --- a/consul-role/templates/server.hcl.j2 +++ b/consul-role/templates/server.hcl.j2 @@ -36,8 +36,8 @@ acl { } ports { - http = -1 - https = 8501 + http = 8500 + #https = 8501 } #tls { From d34412e742072ac807de9bd38a73c454a2fdb318 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Thu, 19 Mar 2026 11:44:35 +0530 Subject: [PATCH 249/412] Update acl.yml --- consul-role/tasks/acl.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/consul-role/tasks/acl.yml b/consul-role/tasks/acl.yml index 02f2b20..f9071d0 100644 --- a/consul-role/tasks/acl.yml +++ b/consul-role/tasks/acl.yml @@ -1,8 +1,8 @@ --- -- name: Wait for Consul HTTPs API +- name: Wait for Consul HTTP API ansible.builtin.wait_for: host: "{{ consul_bind_addr }}" - port: 8501 + port: 8500 delay: 5 timeout: 60 From 93cd30def0b7217c9af2861933619bef881a8bcf Mon Sep 17 00:00:00 2001 
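Review bot: `http = 8500` with `#https = 8501` exposes the HTTP API in plaintext, and with `client_addr` now taken from `consul_client_addr` (patch 247), which defaults to `"0.0.0.0"` per the context in patch 221, it listens on every interface; every later task then sends `CONSUL_HTTP_TOKEN` (the management token, patches 250–256) and the bootstrap output (patch 253) unencrypted across the network. If TLS must stay off for now, at least bind the API to loopback — `consul_client_addr: "127.0.0.1"` suffices, since patches 261–262 already point the tasks at `127.0.0.1:8500` — so the token never leaves the host. Note also that prometheus-consul.yml.j2 (patch 229) still scrapes `https` on `:8501`, which this change closes.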
From: AnithaAnnem Date: Thu, 19 Mar 2026 11:44:57 +0530 Subject: [PATCH 250/412] Update acl_policies.yml --- consul-role/tasks/acl_policies.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/consul-role/tasks/acl_policies.yml b/consul-role/tasks/acl_policies.yml index 58b3f0a..42a704e 100644 --- a/consul-role/tasks/acl_policies.yml +++ b/consul-role/tasks/acl_policies.yml @@ -35,7 +35,7 @@ become: true changed_when: false environment: &consul_env - CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" + CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8500" CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" #CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt" #CONSUL_HTTP_SSL_VERIFY: "false" From 7e2134f151101b656eec485055305cae3970fb01 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Thu, 19 Mar 2026 11:45:22 +0530 Subject: [PATCH 251/412] Update acl_tokens.yml --- consul-role/tasks/acl_tokens.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/consul-role/tasks/acl_tokens.yml b/consul-role/tasks/acl_tokens.yml index 16981da..a4664e4 100644 --- a/consul-role/tasks/acl_tokens.yml +++ b/consul-role/tasks/acl_tokens.yml @@ -6,7 +6,7 @@ changed_when: false run_once: true environment: &consul_env - CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" + CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8500" CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" #CONSUL_HTTP_SSL_VERIFY: "false" #CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt" From c2ae456cd37958a4e9f967d69a11c559d2222d4d Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Thu, 19 Mar 2026 11:47:41 +0530 Subject: [PATCH 252/412] Update rbac.yml --- consul-role/tasks/rbac.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/consul-role/tasks/rbac.yml b/consul-role/tasks/rbac.yml index cd4366f..3bdfc15 100644 --- a/consul-role/tasks/rbac.yml +++ b/consul-role/tasks/rbac.yml 
@@ -11,10 +11,10 @@ changed_when: false run_once: true environment: &consul_env - CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" + CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8500" CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" - CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt" - CONSUL_HTTP_SSL_VERIFY: "false" + #CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt" + #CONSUL_HTTP_SSL_VERIFY: "false" - name: Create read policy ansible.builtin.command: > From e68e8c1c0dddce35336310f4f11853258339805a Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Thu, 19 Mar 2026 12:00:23 +0530 Subject: [PATCH 253/412] Update acl.yml --- consul-role/tasks/acl.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/consul-role/tasks/acl.yml b/consul-role/tasks/acl.yml index f9071d0..fe0aed7 100644 --- a/consul-role/tasks/acl.yml +++ b/consul-role/tasks/acl.yml @@ -36,9 +36,9 @@ failed_when: false when: consul_master_token is not defined or consul_master_token == "" environment: - CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" - CONSUL_HTTP_SSL_VERIFY: "false" - CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt" + CONSUL_HTTP_ADDR: "http://{{ consul_bind_addr }}:8500" + #CONSUL_HTTP_SSL_VERIFY: "false" + #CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt" - name: Extract new token from bootstrap output ansible.builtin.set_fact: From ea001c9d28800f9626121d352ad0659e228a8e4a Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Thu, 19 Mar 2026 12:00:50 +0530 Subject: [PATCH 254/412] Update acl_policies.yml --- consul-role/tasks/acl_policies.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/consul-role/tasks/acl_policies.yml b/consul-role/tasks/acl_policies.yml index 42a704e..e920f29 100644 --- a/consul-role/tasks/acl_policies.yml +++ b/consul-role/tasks/acl_policies.yml 
@@ -35,7 +35,7 @@ become: true changed_when: false environment: &consul_env - CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8500" + CONSUL_HTTP_ADDR: "http://{{ consul_bind_addr }}:8500" CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" #CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt" #CONSUL_HTTP_SSL_VERIFY: "false" From c976cca6ffe105ac6cd8dd88ee514ed139ddb8eb Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Thu, 19 Mar 2026 12:01:14 +0530 Subject: [PATCH 255/412] Update rbac.yml --- consul-role/tasks/rbac.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/consul-role/tasks/rbac.yml b/consul-role/tasks/rbac.yml index 3bdfc15..d37c496 100644 --- a/consul-role/tasks/rbac.yml +++ b/consul-role/tasks/rbac.yml @@ -11,7 +11,7 @@ changed_when: false run_once: true environment: &consul_env - CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8500" + CONSUL_HTTP_ADDR: "http://{{ consul_bind_addr }}:8500" CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" #CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt" #CONSUL_HTTP_SSL_VERIFY: "false" From dd95ba820d70de05752f6a21d20f419ebf74c01e Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Thu, 19 Mar 2026 12:26:40 +0530 Subject: [PATCH 256/412] Update acl_tokens.yml --- consul-role/tasks/acl_tokens.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/consul-role/tasks/acl_tokens.yml b/consul-role/tasks/acl_tokens.yml index a4664e4..25be1ec 100644 --- a/consul-role/tasks/acl_tokens.yml +++ b/consul-role/tasks/acl_tokens.yml @@ -6,7 +6,7 @@ changed_when: false run_once: true environment: &consul_env - CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8500" + CONSUL_HTTP_ADDR: "http://{{ consul_bind_addr }}:8500" CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" #CONSUL_HTTP_SSL_VERIFY: "false" #CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt" From b1810310e6434153e8269433128f1b8bcd555f11 Mon Sep 17 00:00:00 2001 
From: AnithaAnnem Date: Thu, 19 Mar 2026 12:30:29 +0530 Subject: [PATCH 257/412] Update acl.yml --- consul-role/tasks/acl.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/consul-role/tasks/acl.yml b/consul-role/tasks/acl.yml index fe0aed7..30fa8a6 100644 --- a/consul-role/tasks/acl.yml +++ b/consul-role/tasks/acl.yml @@ -3,8 +3,8 @@ ansible.builtin.wait_for: host: "{{ consul_bind_addr }}" port: 8500 - delay: 5 - timeout: 60 + delay: 15 + timeout: 120 # Check bootstrap token - name: Check for existing bootstrap token file From 8923765db235213a78df175af0ebf59a1b2de7ba Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Thu, 19 Mar 2026 12:41:27 +0530 Subject: [PATCH 258/412] Delete consul-role/templates/keycloak-service.json.j2 --- consul-role/templates/keycloak-service.json.j2 | 13 ------------- 1 file changed, 13 deletions(-) delete mode 100644 consul-role/templates/keycloak-service.json.j2 diff --git a/consul-role/templates/keycloak-service.json.j2 b/consul-role/templates/keycloak-service.json.j2 deleted file mode 100644 index 54929ab..0000000 --- a/consul-role/templates/keycloak-service.json.j2 +++ /dev/null @@ -1,13 +0,0 @@ -{ - "service": { - "name": "{{ poc_service_name }}", - "port": {{ poc_service_port }}, - "token": "{{ actual_service_token }}", - "check": { - "name": "Keycloak Port Listen Check", - "tcp": "{{ poc_service_ip }}:{{ poc_service_port }}", - "interval": "10s", - "timeout": "2s" - } - } -} From 8c4e263f556bc25af5ffed750ed660a2ac8dfbaf Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Thu, 19 Mar 2026 12:41:48 +0530 Subject: [PATCH 259/412] Update main.yml --- consul-role/vars/main.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/consul-role/vars/main.yml b/consul-role/vars/main.yml index 402b180..aecd177 100644 --- a/consul-role/vars/main.yml +++ b/consul-role/vars/main.yml 
@@ -29,6 +29,6 @@ consul_gossip_key: !vault | -# Divya's Keycloak Details for POC -poc_service_name: "keycloak" -poc_service_port: 8080 +# # Divya's Keycloak Details for POC +# poc_service_name: "keycloak" +# poc_service_port: 8080 From 6065d42cdf719ac696f5b570cf2f9fc74760fa07 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Thu, 19 Mar 2026 12:55:46 +0530 Subject: [PATCH 260/412] Update config.yml --- consul-role/tasks/config.yml | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/consul-role/tasks/config.yml b/consul-role/tasks/config.yml index 8e8c076..b51950d 100644 --- a/consul-role/tasks/config.yml +++ b/consul-role/tasks/config.yml @@ -34,19 +34,19 @@ notify: Restart Consul -- name: Read service token from server - ansible.builtin.slurp: - src: "{{ consul_config_dir }}/service.token" - register: remote_service_token +# - name: Read service token from server +# ansible.builtin.slurp: +# src: "{{ consul_config_dir }}/service.token" +# register: remote_service_token -- name: Register Keycloak POC Service - ansible.builtin.template: - src: keycloak-service.json.j2 - dest: "{{ consul_config_dir }}/keycloak.json" - owner: "{{ consul_user }}" - group: "{{ consul_group }}" - mode: "0640" - vars: - # This decodes the base64 token from the remote server - actual_service_token: "{{ remote_service_token['content'] | b64decode | trim }}" - notify: Restart Consul +# - name: Register Keycloak POC Service +# ansible.builtin.template: +# src: keycloak-service.json.j2 +# dest: "{{ consul_config_dir }}/keycloak.json" +# owner: "{{ consul_user }}" +# group: "{{ consul_group }}" +# mode: "0640" +# vars: +# # This decodes the base64 token from the remote server +# actual_service_token: "{{ remote_service_token['content'] | b64decode | trim }}" +# notify: Restart Consul From 97178d1cea406762c023df68a009aeb059eb1a21 Mon Sep 17 00:00:00 2001 
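Review bot: The two config.yml tasks are commented out rather than removed, leaving a dead block that still references `keycloak-service.json.j2`, a template commit 258 deletes; the `poc_service_*` variables commented out in vars/main.yml in the same commit have the same problem. Git history already preserves both, so deleting the lines keeps the role readable and avoids the commented `service.token` slurp and template being revived later without the file they depend on.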
From: AnithaAnnem Date: Thu, 19 Mar 2026 13:05:22 +0530 Subject: [PATCH 261/412] Update acl.yml --- consul-role/tasks/acl.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/consul-role/tasks/acl.yml b/consul-role/tasks/acl.yml index 30fa8a6..5987767 100644 --- a/consul-role/tasks/acl.yml +++ b/consul-role/tasks/acl.yml @@ -1,7 +1,8 @@ --- - name: Wait for Consul HTTP API ansible.builtin.wait_for: - host: "{{ consul_bind_addr }}" + #host: "{{ consul_bind_addr }}" + host: "127.0.0.1" port: 8500 delay: 15 timeout: 120 From 3712ab4bf3221325f0b618f0967b787785f55ce6 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Thu, 19 Mar 2026 13:06:09 +0530 Subject: [PATCH 262/412] Update acl_policies.yml --- consul-role/tasks/acl_policies.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/consul-role/tasks/acl_policies.yml b/consul-role/tasks/acl_policies.yml index e920f29..51880b3 100644 --- a/consul-role/tasks/acl_policies.yml +++ b/consul-role/tasks/acl_policies.yml @@ -35,7 +35,7 @@ become: true changed_when: false environment: &consul_env - CONSUL_HTTP_ADDR: "http://{{ consul_bind_addr }}:8500" + CONSUL_HTTP_ADDR: "http://127.0.0.1:8500" CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" #CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt" #CONSUL_HTTP_SSL_VERIFY: "false" From 24a56ff02f00c357b03e5a6f5959a3c62dc84448 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Thu, 19 Mar 2026 13:06:54 +0530 Subject: [PATCH 263/412] Update acl_tokens.yml --- consul-role/tasks/acl_tokens.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/consul-role/tasks/acl_tokens.yml b/consul-role/tasks/acl_tokens.yml index 25be1ec..c4816bf 100644 --- a/consul-role/tasks/acl_tokens.yml +++ b/consul-role/tasks/acl_tokens.yml 
@@ -6,7 +6,7 @@ changed_when: false run_once: true environment: &consul_env - CONSUL_HTTP_ADDR: "http://{{ consul_bind_addr }}:8500" + CONSUL_HTTP_ADDR: "http://127.0.0.1:8500" CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" #CONSUL_HTTP_SSL_VERIFY: "false" #CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt" From ab1b9b658abfae7d61fc3a7302925b3fb10d2107 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Thu, 19 Mar 2026 13:08:08 +0530 Subject: [PATCH 264/412] Update rbac.yml --- consul-role/tasks/rbac.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/consul-role/tasks/rbac.yml b/consul-role/tasks/rbac.yml index d37c496..d9d8d38 100644 --- a/consul-role/tasks/rbac.yml +++ b/consul-role/tasks/rbac.yml @@ -11,7 +11,8 @@ changed_when: false run_once: true environment: &consul_env - CONSUL_HTTP_ADDR: "http://{{ consul_bind_addr }}:8500" + #CONSUL_HTTP_ADDR: "http://{{ consul_bind_addr }}:8500" + CONSUL_HTTP_ADDR: "http://127.0.0.1:8500" CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" #CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt" #CONSUL_HTTP_SSL_VERIFY: "false" From ce247367f321ed9dbe0680b144f9b485f8759607 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Thu, 19 Mar 2026 13:10:06 +0530 Subject: [PATCH 265/412] Update acl.yml --- consul-role/tasks/acl.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/consul-role/tasks/acl.yml b/consul-role/tasks/acl.yml index 5987767..5583909 100644 --- a/consul-role/tasks/acl.yml +++ b/consul-role/tasks/acl.yml @@ -37,7 +37,8 @@ failed_when: false when: consul_master_token is not defined or consul_master_token == "" environment: - CONSUL_HTTP_ADDR: "http://{{ consul_bind_addr }}:8500" + #CONSUL_HTTP_ADDR: "http://{{ consul_bind_addr }}:8500" + CONSUL_HTTP_ADDR: "http://127.0.0.1:8500" #CONSUL_HTTP_SSL_VERIFY: "false" #CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt" From 441adcc7281612133f75d9bca12ecca24b6da7db Mon Sep 17 00:00:00 2001 
From: AnithaAnnem Date: Thu, 19 Mar 2026 13:17:58 +0530 Subject: [PATCH 266/412] Update acl.yml --- consul-role/tasks/acl.yml | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/consul-role/tasks/acl.yml b/consul-role/tasks/acl.yml index 5583909..30fa8a6 100644 --- a/consul-role/tasks/acl.yml +++ b/consul-role/tasks/acl.yml @@ -1,8 +1,7 @@ --- - name: Wait for Consul HTTP API ansible.builtin.wait_for: - #host: "{{ consul_bind_addr }}" - host: "127.0.0.1" + host: "{{ consul_bind_addr }}" port: 8500 delay: 15 timeout: 120 @@ -37,8 +36,7 @@ failed_when: false when: consul_master_token is not defined or consul_master_token == "" environment: - #CONSUL_HTTP_ADDR: "http://{{ consul_bind_addr }}:8500" - CONSUL_HTTP_ADDR: "http://127.0.0.1:8500" + CONSUL_HTTP_ADDR: "http://{{ consul_bind_addr }}:8500" #CONSUL_HTTP_SSL_VERIFY: "false" #CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt" From ba8fb084357debc5eaf64d99631be65a680fa75b Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Thu, 19 Mar 2026 13:18:23 +0530 Subject: [PATCH 267/412] Update acl_policies.yml --- consul-role/tasks/acl_policies.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/consul-role/tasks/acl_policies.yml b/consul-role/tasks/acl_policies.yml index 51880b3..e920f29 100644 --- a/consul-role/tasks/acl_policies.yml +++ b/consul-role/tasks/acl_policies.yml @@ -35,7 +35,7 @@ become: true changed_when: false environment: &consul_env - CONSUL_HTTP_ADDR: "http://127.0.0.1:8500" + CONSUL_HTTP_ADDR: "http://{{ consul_bind_addr }}:8500" CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" #CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt" #CONSUL_HTTP_SSL_VERIFY: "false" From fbcde4c9604ae9b7c912fd38ec61c88e18169009 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Thu, 19 Mar 2026 13:18:40 +0530 Subject: [PATCH 268/412] Update acl_tokens.yml --- consul-role/tasks/acl_tokens.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/consul-role/tasks/acl_tokens.yml b/consul-role/tasks/acl_tokens.yml index c4816bf..25be1ec 100644 --- a/consul-role/tasks/acl_tokens.yml +++ b/consul-role/tasks/acl_tokens.yml @@ -6,7 +6,7 @@ changed_when: false run_once: true environment: &consul_env - CONSUL_HTTP_ADDR: "http://127.0.0.1:8500" + CONSUL_HTTP_ADDR: "http://{{ consul_bind_addr }}:8500" CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" #CONSUL_HTTP_SSL_VERIFY: "false" #CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt" From 6b3c2172744ca783c159b42925cdf1478d1def4b Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Thu, 19 Mar 2026 13:19:21 +0530 Subject: [PATCH 269/412] Update rbac.yml --- consul-role/tasks/rbac.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/consul-role/tasks/rbac.yml b/consul-role/tasks/rbac.yml index d9d8d38..d37c496 100644 --- a/consul-role/tasks/rbac.yml +++ b/consul-role/tasks/rbac.yml @@ -11,8 +11,7 @@ changed_when: false run_once: true environment: &consul_env - #CONSUL_HTTP_ADDR: "http://{{ consul_bind_addr }}:8500" - CONSUL_HTTP_ADDR: "http://127.0.0.1:8500" + CONSUL_HTTP_ADDR: "http://{{ consul_bind_addr }}:8500" CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" #CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt" #CONSUL_HTTP_SSL_VERIFY: "false" From ceb4955854aade5c427f6b87855e34679672103f Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Thu, 19 Mar 2026 13:36:38 +0530 Subject: [PATCH 270/412] Update acl.yml --- consul-role/tasks/acl.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/consul-role/tasks/acl.yml b/consul-role/tasks/acl.yml index 30fa8a6..751257c 100644 --- a/consul-role/tasks/acl.yml +++ b/consul-role/tasks/acl.yml @@ -2,7 +2,7 @@ - name: Wait for Consul HTTP API ansible.builtin.wait_for: host: "{{ consul_bind_addr }}" - port: 8500 + port: 8501 delay: 15 timeout: 120 
@@ -36,7 +36,7 @@ failed_when: false when: consul_master_token is not defined or consul_master_token == "" environment: - CONSUL_HTTP_ADDR: "http://{{ consul_bind_addr }}:8500" + CONSUL_HTTP_ADDR: "http://{{ consul_bind_addr }}:8501" #CONSUL_HTTP_SSL_VERIFY: "false" #CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt" From 016610be31721adb79f7d3e16b4a7fdb82be7abb Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Thu, 19 Mar 2026 13:36:54 +0530 Subject: [PATCH 271/412] Update acl_policies.yml --- consul-role/tasks/acl_policies.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/consul-role/tasks/acl_policies.yml b/consul-role/tasks/acl_policies.yml index e920f29..7a3cd9b 100644 --- a/consul-role/tasks/acl_policies.yml +++ b/consul-role/tasks/acl_policies.yml @@ -35,7 +35,7 @@ become: true changed_when: false environment: &consul_env - CONSUL_HTTP_ADDR: "http://{{ consul_bind_addr }}:8500" + CONSUL_HTTP_ADDR: "http://{{ consul_bind_addr }}:8501" CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" #CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt" #CONSUL_HTTP_SSL_VERIFY: "false" From c63ee430e08aca8da20452133321d1609b879055 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Thu, 19 Mar 2026 13:37:29 +0530 Subject: [PATCH 272/412] Update acl_tokens.yml --- consul-role/tasks/acl_tokens.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/consul-role/tasks/acl_tokens.yml b/consul-role/tasks/acl_tokens.yml index 25be1ec..dab558c 100644 --- a/consul-role/tasks/acl_tokens.yml +++ b/consul-role/tasks/acl_tokens.yml @@ -6,7 +6,7 @@ changed_when: false run_once: true environment: &consul_env - CONSUL_HTTP_ADDR: "http://{{ consul_bind_addr }}:8500" + CONSUL_HTTP_ADDR: "http://{{ consul_bind_addr }}:8501" CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" #CONSUL_HTTP_SSL_VERIFY: "false" #CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt" From 8a9479f4f270c31b6e1b3c72e145745052fa7982 Mon Sep 17 00:00:00 2001 
From: AnithaAnnem Date: Thu, 19 Mar 2026 13:38:06 +0530 Subject: [PATCH 273/412] Update rbac.yml --- consul-role/tasks/rbac.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/consul-role/tasks/rbac.yml b/consul-role/tasks/rbac.yml index d37c496..ebebffd 100644 --- a/consul-role/tasks/rbac.yml +++ b/consul-role/tasks/rbac.yml @@ -11,7 +11,7 @@ changed_when: false run_once: true environment: &consul_env - CONSUL_HTTP_ADDR: "http://{{ consul_bind_addr }}:8500" + CONSUL_HTTP_ADDR: "http://{{ consul_bind_addr }}:8501" CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" #CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt" #CONSUL_HTTP_SSL_VERIFY: "false" From 3e8b3bff77c2e1cd44c15f1a889f4f01fc3cd49b Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Thu, 19 Mar 2026 13:38:40 +0530 Subject: [PATCH 274/412] Update server.hcl.j2 --- consul-role/templates/server.hcl.j2 | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/consul-role/templates/server.hcl.j2 b/consul-role/templates/server.hcl.j2 index 706117f..b2b58a0 100644 --- a/consul-role/templates/server.hcl.j2 +++ b/consul-role/templates/server.hcl.j2 @@ -36,8 +36,7 @@ acl { } ports { - http = 8500 - #https = 8501 + http = 8501 } #tls { From 3e45dbdac8b7b71b76692f96e99d454a3183a55e Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Thu, 19 Mar 2026 13:44:34 +0530 Subject: [PATCH 275/412] Update acl_policies.yml --- consul-role/tasks/acl_policies.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/consul-role/tasks/acl_policies.yml b/consul-role/tasks/acl_policies.yml index 7a3cd9b..58b3f0a 100644 --- a/consul-role/tasks/acl_policies.yml +++ b/consul-role/tasks/acl_policies.yml 
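Review bot: `http = 8501` only renumbers the plaintext listener; the `https` port stays removed and the `#tls {` stanza below is still commented out, so the agent continues to serve unencrypted HTTP on 8501, and the client tasks switched to `https://{{ consul_bind_addr }}:8501` in commits 275-278 will attempt a TLS handshake against a plaintext socket. Moving the API to TLS needs `https = 8501` together with an enabled tls block, and `http = -1` to close the plaintext port, and the clients should point at the https scheme only once that is in place. The `ports` block is complete in the hunk; the `tls` block is not.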
@@ -35,7 +35,7 @@ become: true changed_when: false environment: &consul_env - CONSUL_HTTP_ADDR: "http://{{ consul_bind_addr }}:8501" + CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" #CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt" #CONSUL_HTTP_SSL_VERIFY: "false" From 00b3cf6c88582a5e86e6b0fd19e9ddd58e013121 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Thu, 19 Mar 2026 13:44:56 +0530 Subject: [PATCH 276/412] Update acl.yml --- consul-role/tasks/acl.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/consul-role/tasks/acl.yml b/consul-role/tasks/acl.yml index 751257c..8a1462f 100644 --- a/consul-role/tasks/acl.yml +++ b/consul-role/tasks/acl.yml @@ -1,5 +1,5 @@ --- -- name: Wait for Consul HTTP API +- name: Wait for Consul HTTPs API ansible.builtin.wait_for: host: "{{ consul_bind_addr }}" port: 8501 @@ -36,7 +36,7 @@ failed_when: false when: consul_master_token is not defined or consul_master_token == "" environment: - CONSUL_HTTP_ADDR: "http://{{ consul_bind_addr }}:8501" + CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" #CONSUL_HTTP_SSL_VERIFY: "false" #CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt" From a61def9fea455c1caa627b5afff3ab0067d4108e Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Thu, 19 Mar 2026 13:45:32 +0530 Subject: [PATCH 277/412] Update acl_tokens.yml --- consul-role/tasks/acl_tokens.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/consul-role/tasks/acl_tokens.yml b/consul-role/tasks/acl_tokens.yml index dab558c..16981da 100644 --- a/consul-role/tasks/acl_tokens.yml +++ b/consul-role/tasks/acl_tokens.yml 
@@ -6,7 +6,7 @@ changed_when: false run_once: true environment: &consul_env - CONSUL_HTTP_ADDR: "http://{{ consul_bind_addr }}:8501" + CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" #CONSUL_HTTP_SSL_VERIFY: "false" #CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt" From 034bddde5802461d12a24abb78d0756f416833e7 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Thu, 19 Mar 2026 13:45:57 +0530 Subject: [PATCH 278/412] Update rbac.yml --- consul-role/tasks/rbac.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/consul-role/tasks/rbac.yml b/consul-role/tasks/rbac.yml index ebebffd..6df4b90 100644 --- a/consul-role/tasks/rbac.yml +++ b/consul-role/tasks/rbac.yml @@ -11,7 +11,7 @@ changed_when: false run_once: true environment: &consul_env - CONSUL_HTTP_ADDR: "http://{{ consul_bind_addr }}:8501" + CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" #CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt" #CONSUL_HTTP_SSL_VERIFY: "false" From f6cbca6680f58fdf329900e0a8d71caef929bd97 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Thu, 19 Mar 2026 13:52:27 +0530 Subject: [PATCH 279/412] Update acl_policies.yml --- consul-role/tasks/acl_policies.yml | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/consul-role/tasks/acl_policies.yml b/consul-role/tasks/acl_policies.yml index 58b3f0a..5169bff 100644 --- a/consul-role/tasks/acl_policies.yml +++ b/consul-role/tasks/acl_policies.yml @@ -37,8 +37,8 @@ environment: &consul_env CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" - #CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt" - #CONSUL_HTTP_SSL_VERIFY: "false" + CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt" + CONSUL_HTTP_SSL_VERIFY: "false" - name: Create Consul policies ansible.builtin.command: 
> @@ -53,3 +53,9 @@ when: item not in existing_policies.stdout run_once: true environment: *consul_env + + + + + + From 8a39a83bd816a30b3368920008f06bc20a69d2db Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Thu, 19 Mar 2026 13:55:40 +0530 Subject: [PATCH 280/412] Update acl_policies.yml --- consul-role/tasks/acl_policies.yml | 54 ++++++++++++++++++++---------- 1 file changed, 37 insertions(+), 17 deletions(-) diff --git a/consul-role/tasks/acl_policies.yml b/consul-role/tasks/acl_policies.yml index 5169bff..d2e8006 100644 --- a/consul-role/tasks/acl_policies.yml +++ b/consul-role/tasks/acl_policies.yml @@ -28,6 +28,34 @@ # - monitoring-policy +# - name: List existing policies +# ansible.builtin.command: consul acl policy list +# register: existing_policies +# run_once: true +# become: true +# changed_when: false +# environment: &consul_env +# CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" +# CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" +# CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt" +# CONSUL_HTTP_SSL_VERIFY: "false" + +# - name: Create Consul policies +# ansible.builtin.command: > +# consul acl policy create +# -name {{ item }} +# -rules @/tmp/{{ item }}.hcl +# loop: +# - agent-policy +# - service-policy +# - readonly-policy +# - monitoring-policy +# when: item not in existing_policies.stdout +# run_once: true +# environment: *consul_env + + + - name: List existing policies ansible.builtin.command: consul acl policy list register: existing_policies 
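Review bot: `CONSUL_HTTP_SSL_VERIFY: "false"` turns off server-certificate verification, so the `CONSUL_CACERT` line enabled just above it is never enforced and the master token in `CONSUL_HTTP_TOKEN` goes to whichever host answers on 8501 — the https:// scheme then gives encryption but no endpoint authentication. Drop the verify line and keep the CA reference, adding `CONSUL_TLS_SERVER_NAME` only if the certificate's SAN does not cover `consul_bind_addr`. The same two lines are enabled in acl_tokens.yml (commit 281) and rbac.yml (commit 282), and commits 283, 285 and 286 later comment `CONSUL_CACERT` back out while leaving verification disabled, which removes the trust anchor entirely. The `List existing policies` task this environment belongs to starts outside the hunk.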
@@ -35,27 +63,19 @@ become: true changed_when: false environment: &consul_env + # CHANGE 1: Use https instead of http CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" - CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt" + + # CHANGE 2: Uncomment and provide the cert files for the handshake + CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt" + CONSUL_CLIENT_CERT: "{{ consul_config_dir }}/certs/tls.crt" + CONSUL_CLIENT_KEY: "{{ consul_config_dir }}/certs/tls.key" + + # CHANGE 3: Add the Server Name to match your cert (opstree.dev) + CONSUL_TLS_SERVER_NAME: "opstree.dev" CONSUL_HTTP_SSL_VERIFY: "false" -- name: Create Consul policies - ansible.builtin.command: > - consul acl policy create - -name {{ item }} - -rules @/tmp/{{ item }}.hcl - loop: - - agent-policy - - service-policy - - readonly-policy - - monitoring-policy - when: item not in existing_policies.stdout - run_once: true - environment: *consul_env - - - From ed3789a9b24e3e7d0d78ec91a7dd63a7b210541b Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Thu, 19 Mar 2026 13:59:43 +0530 Subject: [PATCH 281/412] Update acl_tokens.yml --- consul-role/tasks/acl_tokens.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/consul-role/tasks/acl_tokens.yml b/consul-role/tasks/acl_tokens.yml index 16981da..b33cd41 100644 --- a/consul-role/tasks/acl_tokens.yml +++ b/consul-role/tasks/acl_tokens.yml @@ -8,8 +8,8 @@ environment: &consul_env CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" - #CONSUL_HTTP_SSL_VERIFY: "false" - #CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt" + CONSUL_HTTP_SSL_VERIFY: "false" + CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt" #################################### # Agent Token From 7e33c808d170fb4f26f7f5f6ea32b502447210f2 Mon Sep 17 00:00:00 2001 
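Review bot: The active `Create Consul policies` task is deleted in this hunk and survives only as the commented copy added by the first hunk of this commit, so after this change `agent-policy`, `service-policy`, `readonly-policy` and `monitoring-policy` are listed but never created, and any later task that binds tokens to them will presumably fail — the removal looks unintentional. Separately, `CONSUL_CLIENT_CERT` points at the same `tls.crt` used as `CONSUL_CACERT` and `CONSUL_CLIENT_KEY` at the server's own `tls.key`, which hands the server private key to the CLI as a client identity; if mutual TLS is wanted the CLI needs its own client certificate and key, otherwise both lines should go. `CONSUL_TLS_SERVER_NAME: "opstree.dev"` is a hard-coded hostname that belongs in a role variable, and with `CONSUL_HTTP_SSL_VERIFY: "false"` on the next line it is not checked at all. The `# CHANGE 1/2/3` comments describe the edit rather than the configuration and should be dropped; the `List existing policies` task starts outside the hunk.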
From: AnithaAnnem Date: Thu, 19 Mar 2026 14:03:45 +0530 Subject: [PATCH 282/412] Update rbac.yml --- consul-role/tasks/rbac.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/consul-role/tasks/rbac.yml b/consul-role/tasks/rbac.yml index 6df4b90..cd4366f 100644 --- a/consul-role/tasks/rbac.yml +++ b/consul-role/tasks/rbac.yml @@ -13,8 +13,8 @@ environment: &consul_env CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" - #CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt" - #CONSUL_HTTP_SSL_VERIFY: "false" + CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt" + CONSUL_HTTP_SSL_VERIFY: "false" - name: Create read policy ansible.builtin.command: > From 7fef5d360f9b18c705fbe02dbef2c870658e7db4 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Thu, 19 Mar 2026 14:20:01 +0530 Subject: [PATCH 283/412] Update rbac.yml --- consul-role/tasks/rbac.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/consul-role/tasks/rbac.yml b/consul-role/tasks/rbac.yml index cd4366f..d24f46f 100644 --- a/consul-role/tasks/rbac.yml +++ b/consul-role/tasks/rbac.yml @@ -13,7 +13,7 @@ environment: &consul_env CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" - CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt" + #CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt" CONSUL_HTTP_SSL_VERIFY: "false" - name: Create read policy From f340a2066e69a770da64f5d20fc92f8bd08530c5 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Thu, 19 Mar 2026 14:20:47 +0530 Subject: [PATCH 284/412] Update acl.yml --- consul-role/tasks/acl.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/consul-role/tasks/acl.yml b/consul-role/tasks/acl.yml index 8a1462f..f4a3570 100644 --- a/consul-role/tasks/acl.yml +++ b/consul-role/tasks/acl.yml 
@@ -37,8 +37,7 @@ when: consul_master_token is not defined or consul_master_token == "" environment: CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" - #CONSUL_HTTP_SSL_VERIFY: "false" - #CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt" + - name: Extract new token from bootstrap output ansible.builtin.set_fact: From 0811bd2180ade29e617b22bef95f2fd69661614d Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Thu, 19 Mar 2026 14:21:34 +0530 Subject: [PATCH 285/412] Update acl_policies.yml --- consul-role/tasks/acl_policies.yml | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/consul-role/tasks/acl_policies.yml b/consul-role/tasks/acl_policies.yml index d2e8006..a13565e 100644 --- a/consul-role/tasks/acl_policies.yml +++ b/consul-role/tasks/acl_policies.yml @@ -67,12 +67,11 @@ CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" - # CHANGE 2: Uncomment and provide the cert files for the handshake - CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt" - CONSUL_CLIENT_CERT: "{{ consul_config_dir }}/certs/tls.crt" - CONSUL_CLIENT_KEY: "{{ consul_config_dir }}/certs/tls.key" + # CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt" + # CONSUL_CLIENT_CERT: "{{ consul_config_dir }}/certs/tls.crt" + # CONSUL_CLIENT_KEY: "{{ consul_config_dir }}/certs/tls.key" - # CHANGE 3: Add the Server Name to match your cert (opstree.dev) + # # CHANGE 3: Add the Server Name to match your cert (opstree.dev) CONSUL_TLS_SERVER_NAME: "opstree.dev" CONSUL_HTTP_SSL_VERIFY: "false" From c2a63571b2f49c50c33ffaedd4f7c61d643d151c Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Thu, 19 Mar 2026 14:21:56 +0530 Subject: [PATCH 286/412] Update acl_tokens.yml --- consul-role/tasks/acl_tokens.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/consul-role/tasks/acl_tokens.yml b/consul-role/tasks/acl_tokens.yml index b33cd41..595b6e5 100644 --- a/consul-role/tasks/acl_tokens.yml 
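Review bot: After this hunk the bootstrap task's environment carries only `CONSUL_HTTP_ADDR` pointing at https://…:8501 with no `CONSUL_CACERT`, unlike the sibling task files in this series, so it presumably depends on the server certificate being trusted by the system store; earlier hunks of this same task show `failed_when: false`, so a handshake or connection error here would be swallowed and the following `Extract new token from bootstrap output` step would parse an error message instead of a token. Suggest restoring `CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt"` here for consistency and replacing the blanket `failed_when: false` with a condition on the registered result's return code and stderr so that only the already-bootstrapped case is tolerated. The bootstrap task itself starts outside the hunk.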
+++ b/consul-role/tasks/acl_tokens.yml @@ -9,7 +9,7 @@ CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" CONSUL_HTTP_SSL_VERIFY: "false" - CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt" + #CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt" #################################### # Agent Token From 6d0b1a08fd9ab4982d239a5758333e6b09867008 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Thu, 19 Mar 2026 14:23:18 +0530 Subject: [PATCH 287/412] Delete consul-role/files/tls.key --- consul-role/files/tls.key | 18 ------------------ 1 file changed, 18 deletions(-) delete mode 100644 consul-role/files/tls.key diff --git a/consul-role/files/tls.key b/consul-role/files/tls.key deleted file mode 100644 index a034b01..0000000 --- a/consul-role/files/tls.key +++ /dev/null @@ -1,18 +0,0 @@ -$ANSIBLE_VAULT;1.1;AES256 -35363165663164346535373537666464623866333963363164643665343235383137346531666336 -3962316134666537653164313731333563323462356239610a303662613932663063653666373634 -61653766646361383964633439343133613864353334623230316263376166626566613564326266 -6230346562383034360a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rom de3d7d4fa28cd4fa8570fd11cbd3fe931d2ee5ca Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Thu, 19 Mar 2026 14:23:29 +0530 Subject: [PATCH 288/412] Delete consul-role/files/tls.crt --- consul-role/files/tls.crt | 151 -------------------------------------- 1 file changed, 151 deletions(-) delete mode 100644 consul-role/files/tls.crt diff --git a/consul-role/files/tls.crt b/consul-role/files/tls.crt deleted file mode 100644 index abc52ec..0000000 --- a/consul-role/files/tls.crt +++ /dev/null 
@@ -1,151 +0,0 @@ -$ANSIBLE_VAULT;1.1;AES256 -61613835646636313838366631336531666238383732616633663761656665373937393766386435 -6436626561306637373332376363393163633038623934350a343430366231643565343766386635 -39616431333462653938323731326461643932643930383164616239336337623838633530663239 -3666343633666566650a633630313662353339313164306561356165666365643037353731386338 -61373231633565333736656662333339323131663931323733313965353435643937326262393133 -31356365643765653931623534663830316132653531643662313166326664643035346231386666 -30313161663531303861306435326565623534306662346336313233623232336333613763356434 -33346364666465353335616162386131316331343430313838366632373262383233303466633539 -38653237386534353764383835653439363361323161356532656161633731643765663030356237 -35656536303334393937353735336532653737313131316666363862343831633131346363346639 -30336332333637396634353766653931363036653163333532633530393534396230396639333130 -31303331346135356662383235326331353038316537313634363338663565313163323462663662 -62396235646639303531386365366532373865623436353464626232646232366138646436633834 -32373364383537616465663134643236363463653663646161643237616366313032643162653063 -39313735386638353732633531663261356663323066366430376137363930366263356439643734 -65623766323436383438383965373366666234323635643439343561373237333463356462353137 -61643539353435623732363135663863323863313534303339313538366564336332303837633436 -30336561373935663365303935313937326331353863353265343335343836326431663531393732 -64376330383266383364623032343034663662313330373832613839333561333933366334663333 -37356139316535343037613062626133376433346136326264613534363736333463353636356531 -66613138373932656366626634636537643036333362303565386135663461323238623337386665 -32646562343734386137616464306330643266356330636563626432613862636234363831366630 -64396366623138353236343530343166323837366566393338373362393931376361653431316461 
-62633335383763333966616361363132363063383265373532353639393333353262303062363566 -34313063343938383530303062353138323533356235633362383039373864623631663364313134 -36323562613764643462366462376563656333346130366132653232623436326232323935303038 -63666433636538323365613735626262656563383431623333636263323934303963393962316130 -30373233316530643462663630323762373936653536393337373162663634306436666362323564 -65346666306263333238653131383034383765396438663935363331306132663061363163313837 -39366635376632653737353133666266663935303830643361666438386430633266333030306563 -65386165366238373365316430613763383439353731316134313966613765313736656238643431 -37363864653439656233343430313066393161333434373639353563646239303264613635326466 -39306261336330396238663532306266653735333864386434633031366164613838393430633464 -33613061376234353662333165356462643232353030323334306539313263306166323135663532 -66633839316465656261636461363563616561616234303165363533346661376534656635393663 -34613231343937386264613537393538353333623662653539623539383337363963303365376632 -39326265633161356161616366616333313839626562363332636631323338363139363565383939 -32303138306532356561373538383332313962613933343366636537633034356134663439343835 -30343461356234373238343761613431613962306232653632316161663236366439333931303432 -66616365316631326464396236646632653066343936363266623134653437373136356437343063 -33643531373633333731663634383937343464633261393139623630323861363435356562303834 -39313430393364386262633263633234643838616338656131356165316662663661646331623266 -32393365383865613033353161326635613561393633643132623365386132663139663966353532 -62306131396666313830313461346264306137646637373264306435656363356439363763363430 -66376630643235303063323831313133303538393538666137333439383338323764663935373332 -31666533323338613864336437653732313436323133396134336336643838386165393664366333 -34303930396330373837313833353331343236363334616231386566306163303436336663366264 
-35633739626433653239623436636264333434323839616136643339616231323465343330623861 -34613264666635616634326461316330333732653364393235653461376538326132363136356534 -33326337656564356137356162353934376238326364333062363362343839303061663264383338 -62613438623862363334353763653465333466653035653461623533323862343062323932343966 -66326438633731323964363036623164616432636365396336383236303134306239623239313835 -64353265633664636431626362646130353764663062393732643433303364393033643837356633 -36336163316132373834376531643539313632306539643666663233333963303562616535616339 -33386235313938353436653566643934623934653139663535623536643530626465383133303362 -61616633646363303463646335366163383233656336333635616535386134356131666132336333 -62303032636465333131393863663037643133626137636161386331663233653466393964396230 -39636661663230353334636661663730303936633538623732336437356338376638353131313334 -34373664663838396132353831303032613231396439303237633363356534366134333033366130 -63353230633963376330376330366238666330646137386131336230346434316533663336653163 -34323833373634633565343137626364653530346231303336633839343064653336343363333363 -37393862343437323737653938313466393639333736383335633435666532633432666163323836 -65326662363262636566333563623735306363623666386362346665353535323330633034663564 -31366638663161653337643431626561373334656437363033393961383261386432313933643762 -33353866353938646462616338323532663665346132376436363132643136303035363938383538 -61313662316236383534313038653765376362346537626566343630613239613239623530623564 -37303764323935623031643462356230626164653333326337316463323833643562663234666262 -62623365383864613831313136333039613334313566383432616638623165613137393839323938 -37356365346539663431663963333735613532366539396432626632333231623337613735356439 -30626135393337613131336339366138396539653739316637666564343833356332666161333166 -63313530343666396434323235363730636564386639346135353066633432356638656133373566 
-37646231333537376465396663323263323931666264663030636635623139393462303334343766 -36616533346132366432633838306135613065663464366565346133336362356538663130666232 -35643862663361656234646131613066333531656565313934323537353035616166313262363132 -61373532336139633764373836353765646638376536343638633033323166626238336261366635 -66393837636138636434386339656131613834353663666438646262363864366537373333656139 -30626363333862633734626266646338323733386136333263373039343662343665663836323634 -31333737626366316364373962666331623361343063626264393661643834616238616665336137 -33653061323465313832326465613663383533643838343064346166653032313438663330656463 -65383365323766323632333165356361643863376466303336653762336135626263626433623539 -66386337393538613864633336643765303832376662363333663934313233303038373366616634 -32303863623764386237313665393861633331626164646263613762643462663836636139303832 -35643763376563323766643964656565636131356266333231366462393665306561393239663334 -65653663323335613762613832656163396332633665303132393139663633336561353434653731 -63373636396336623537366137663939313538666437363365346335636432363732323530616239 -36353239666135646239346165386665373361643265353136373834343738653064613331626539 -30336465353439306461616562616264363039396563666634656361396635306364386262363162 -65616230623038386461373631366261383835396365363562363338313939353235356666663061 -32333765343837323135323535376634656366343464653738346638343764663865653030336632 -65366138656635303931393062643064343734393561323762343732613066313364373237663664 -38313162393561373233336537663761646566636661663337613133396435383038366135316363 -38663933663039333830343531363538343534636234313261313330666164376464646436666638 -63623961313031326664623164643864336661653433383332333533656239373337343831643033 -32376436643363633965306439663033303937333938383161643030373763646163326139343039 -63633336363438373131613630633763393663366636386336393738663365626466373236313933 
-64653861373830333034656664393463393034336361336637313062326237646633313261336234 -37313936623832643163383964323266386433636166343065353962646136383863663462386537 -64343363633462353065646436346365363265316465343763643634396531646265333966633362 -31333731363436363835616530393466383462393866393633393230323532643662376664353536 -35326263343331323365643763343733636238383965333538386438656538616438626532363164 -33303236346235313165323161373266643263373933376435306432336334613939333831383533 -36656362626138386330356136613339653833373633316334393366393265313637323431383035 -37336361306638356237653537653330336365396135626565376635646262653762613531373737 -61613330626266643730313133646663313330323539363835323636356533633032343763313262 -36323466616161653734623836633566653732633530656566366362346332646464343164643539 -35313466313963646633353663353034633638393931353831353632623666353538316639353133 -65383462343935663535303463636365313632386161653037326236656461356331363935663031 -64326531356535666266666361346564646633636165663061636636353162303435626530333834 -33303031353361306433656661356632663961663365663264313335636435623161643637616537 -31613133383335623836656561623065383939366663363838663161373535326135323163313831 -62343237353164633936353038663835353861666563616432313932636538646332363638323966 -39386433366630316361646462633737396535623061343334323062343566373262323363383662 -36646631643139663862666233663637336163616363363231623438653839313635363065366535 -64303866313165333235393530353236303165316636336464383238333764633730313237363134 -61636564653461383633373532313861373937346263646563663663656630313437656464383931 -38653134633963386633313162643438653330626164363564633935373264373937306331633161 -61323838323863663737343663393432373637643365643731643231323735666266353565646531 -37343531626633616665343361643235333762643933303263633637366534626464346663633535 -65343734336437326138393332386363616164656230353634386134396430303964623232353361 
-34396638343566346436616632396538653762623338333063633939626339663330633662343363 -39353161613831303737386635333431616431313966393232626133336638313539363230326332 -34376566653638333731653066633538313062363530636663613162313262393235326362383635 -31663338393261653238323465656435666133356466383730636264393138613032313231333162 -66623531636438386263363436396639663239383037373234613565303861336166363063313431 -39653731623937333039653839643534643335346338616263616266613962396531623666666636 -64656330306430376338396331643135656638313530336337373035653463386439653434366135 -30646639633966626134393931623333376165643966393365383433343637633836643133313064 -33653835633238633931646437613565636236326265343162313163623236353831303230343961 -31373133336632306133356664353363303336376331383635616333346561346235363534303538 -39623334336334386162666165313164623839333238396637333835323231653765646133653339 -35386531376430356633336262653964336362306561666430303562613839623730303034323866 -34353734343561613733313134333761366561333262663263643137306431643762663364666434 -65313239386465633263646265376231336564386238303832313537343865633637373830313032 -33393034323830663535653464326462303039333931356332633532383234333936393735393464 -64306665376238303734306565373930373735303730623437623835663764643134316263363939 -37363039336630313965663463653930313961633032613362663530653766376134336263633832 -32363161623266656130316130313335613966363435383730623636343331336636373030626535 -30363330303435306133386662306563636265616566393436373635313762323566333337616265 -33303733616233656332356230396231313666346332613233303132383537613063396532656330 -36376338323161633036623232343833396333306439306261343039373836373832303539343363 -66376662656630393430343638366230393066313839653863643865633365356631393236643739 -65323564343135373532633731663333626163633239356362313234306438386638336236613433 -62386664356264313264653938333135303861313436653463363731633361373635326663663736 
-63383830396136633630326565336437303162613762386538366436366263363962376338353535 -32613835373264363138366433373338616235653930623334643738623434393032373061396363 -66393335633339653332383664643638323966663462383863333235633232613363663132383735 -63373831396663633261373130366432643030356430313066303863666531326461373835636361 -31313130313336656664376230316266646232356564303638346533636631356430613265366333 -62616161343666616565346638326335646266643765346533623762643039396366623564323964 -3637303531393962393731653663636435313765373030383261 From 9851cad47e4c0070088507ad09234bf645b9afb9 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Thu, 19 Mar 2026 14:31:09 +0530 Subject: [PATCH 289/412] Update acl_policies.yml --- consul-role/tasks/acl_policies.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/consul-role/tasks/acl_policies.yml b/consul-role/tasks/acl_policies.yml index a13565e..a751295 100644 --- a/consul-role/tasks/acl_policies.yml +++ b/consul-role/tasks/acl_policies.yml @@ -67,9 +67,9 @@ CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" - # CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt" - # CONSUL_CLIENT_CERT: "{{ consul_config_dir }}/certs/tls.crt" - # CONSUL_CLIENT_KEY: "{{ consul_config_dir }}/certs/tls.key" + CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt" + CONSUL_CLIENT_CERT: "{{ consul_config_dir }}/certs/tls.crt" + CONSUL_CLIENT_KEY: "{{ consul_config_dir }}/certs/tls.key" # # CHANGE 3: Add the Server Name to match your cert (opstree.dev) CONSUL_TLS_SERVER_NAME: "opstree.dev" From c1eb7ee0c198aca09ea4861320639a0a3d3206f4 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Thu, 19 Mar 2026 14:31:30 +0530 Subject: [PATCH 290/412] Update acl_tokens.yml --- consul-role/tasks/acl_tokens.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/consul-role/tasks/acl_tokens.yml b/consul-role/tasks/acl_tokens.yml index 595b6e5..b33cd41 100644 
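Review bot: `CONSUL_CACERT` and `CONSUL_CLIENT_CERT` are both set to `{{ consul_config_dir }}/certs/tls.crt`, so the server's own leaf certificate is used as the trust anchor and as the client identity; that works only while that exact file is distributed to every client and presumably carries both server and client key usages, and every certificate rotation then means re-copying it everywhere. A separate CA file and variable (e.g. a constructed `{{ consul_config_dir }}/certs/ca.crt`) would decouple the two. `CONSUL_TLS_SERVER_NAME: "opstree.dev"` is hard-coded in the task rather than taken from a role variable, so the role cannot be reused against a certificate with another name. The enclosing task starts outside the hunk.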
--- a/consul-role/tasks/acl_tokens.yml
+++ b/consul-role/tasks/acl_tokens.yml
@@ -9,7 +9,7 @@
 CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501"
 CONSUL_HTTP_TOKEN: "{{ consul_master_token }}"
 CONSUL_HTTP_SSL_VERIFY: "false"
- #CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt"
+ CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt"
 ####################################
 # Agent Token
From 5c3b26db1a675a24ca8e7a747cc4104f4fb1b2ce Mon Sep 17 00:00:00 2001
From: AnithaAnnem
Date: Thu, 19 Mar 2026 14:31:44 +0530
Subject: [PATCH 291/412] Update rbac.yml
---
 consul-role/tasks/rbac.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/consul-role/tasks/rbac.yml b/consul-role/tasks/rbac.yml
index d24f46f..cd4366f 100644
--- a/consul-role/tasks/rbac.yml
+++ b/consul-role/tasks/rbac.yml
@@ -13,7 +13,7 @@
 environment: &consul_env
 CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501"
 CONSUL_HTTP_TOKEN: "{{ consul_master_token }}"
- #CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt"
+ CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt"
 CONSUL_HTTP_SSL_VERIFY: "false"
 - name: Create read policy
From e5c46e72e54c40389520248a3774e5c0fa3c4c7f Mon Sep 17 00:00:00 2001
From: AnithaAnnem
Date: Thu, 19 Mar 2026 14:41:49 +0530
Subject: [PATCH 292/412] Update server.hcl.j2
---
 consul-role/templates/server.hcl.j2 | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/consul-role/templates/server.hcl.j2 b/consul-role/templates/server.hcl.j2
index b2b58a0..50f9c36 100644
--- a/consul-role/templates/server.hcl.j2
+++ b/consul-role/templates/server.hcl.j2
@@ -48,5 +48,5 @@ ports {
 #verify_incoming = false
 #verify_outgoing = false
- }
-}
+# }
+#}
From 8e0a4fdf4b6a54b99e5a7dfed23d0c21e75b0038 Mon Sep 17 00:00:00 2001
From: AnithaAnnem
Date: Thu, 19 Mar 2026 14:47:07 +0530
Subject: [PATCH 293/412] Update config.yml
---
 consul-role/tasks/config.yml | 18 ------------------
 1 file changed, 18 deletions(-)
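Review bot: Adding `CONSUL_CACERT` here has no effect while the context line `CONSUL_HTTP_SSL_VERIFY: "false"` stays in the same environment, because that setting turns certificate verification off for the CLI entirely, so the pinned CA is never consulted. The rbac.yml hunk of the next patch introduces the same pairing. Either drop `CONSUL_HTTP_SSL_VERIFY` or drive it from a variable whose default keeps verification on; if it must stay off during bring-up, a comment saying why and until when would help the next reader. The enclosing tasks start outside these hunks.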
diff --git a/consul-role/tasks/config.yml b/consul-role/tasks/config.yml
index b51950d..26ab574 100644
--- a/consul-role/tasks/config.yml
+++ b/consul-role/tasks/config.yml
@@ -32,21 +32,3 @@
 group: "{{ consul_group }}"
 mode: "0640"
 notify: Restart Consul
-
-
-# - name: Read service token from server
-# ansible.builtin.slurp:
-# src: "{{ consul_config_dir }}/service.token"
-# register: remote_service_token
-
-# - name: Register Keycloak POC Service
-# ansible.builtin.template:
-# src: keycloak-service.json.j2
-# dest: "{{ consul_config_dir }}/keycloak.json"
-# owner: "{{ consul_user }}"
-# group: "{{ consul_group }}"
-# mode: "0640"
-# vars:
-# # This decodes the base64 token from the remote server
-# actual_service_token: "{{ remote_service_token['content'] | b64decode | trim }}"
-# notify: Restart Consul
From c825db2783b7e582b9fa216f757881a8133a43e0 Mon Sep 17 00:00:00 2001
From: AnithaAnnem
Date: Thu, 19 Mar 2026 14:48:39 +0530
Subject: [PATCH 294/412] Update server.hcl.j2
---
 consul-role/templates/server.hcl.j2 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/consul-role/templates/server.hcl.j2 b/consul-role/templates/server.hcl.j2
index 50f9c36..5c9aafe 100644
--- a/consul-role/templates/server.hcl.j2
+++ b/consul-role/templates/server.hcl.j2
@@ -36,7 +36,7 @@ acl {
 }
 ports {
- http = 8501
+ https = 8501
 }
 #tls {
From 4bca5c5720792a8f5810e4157439a7d7f3688f59 Mon Sep 17 00:00:00 2001
From: AnithaAnnem
Date: Thu, 19 Mar 2026 14:55:51 +0530
Subject: [PATCH 295/412] Update server.hcl.j2
---
 consul-role/templates/server.hcl.j2 | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/consul-role/templates/server.hcl.j2 b/consul-role/templates/server.hcl.j2
index 5c9aafe..bb72d74 100644
--- a/consul-role/templates/server.hcl.j2
+++ b/consul-role/templates/server.hcl.j2
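Review bot: Switching the listener to `https = 8501` while the context line below still reads `#tls {` means the stanza that supplies the certificate and key is still commented out at this commit, and as far as I recall a Consul agent refuses to serve HTTPS without `tls.defaults.cert_file`/`key_file` (confirm against the Consul version in use). With `http` no longer set, the plaintext listener also falls back to Consul's default port instead of being disabled. Enabling the `tls` block and adding `http = -1` belong in the same change as this port switch.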
@@ -39,14 +39,14 @@ ports {
 https = 8501
 }
-#tls {
- #defaults {
+tls {
+ defaults {
- #ca_file = "{{ consul_config_dir }}/certs/tls.crt"
- #cert_file = "{{ consul_config_dir }}/certs/tls.crt"
- #key_file = "{{ consul_config_dir }}/certs/tls.key"
+ ca_file = "{{ consul_config_dir }}/certs/tls.crt"
+ cert_file = "{{ consul_config_dir }}/certs/tls.crt"
+ key_file = "{{ consul_config_dir }}/certs/tls.key"
- #verify_incoming = false
- #verify_outgoing = false
-# }
-#}
+ verify_incoming = false
+ verify_outgoing = false
+ }
+}
From 18f613c73a03ae5848a88b4148b94000aa548d8a Mon Sep 17 00:00:00 2001
From: AnithaAnnem
Date: Thu, 19 Mar 2026 15:44:33 +0530
Subject: [PATCH 296/412] Update acl_policies.yml
---
 consul-role/tasks/acl_policies.yml | 22 +++++++---------------
 1 file changed, 7 insertions(+), 15 deletions(-)
diff --git a/consul-role/tasks/acl_policies.yml b/consul-role/tasks/acl_policies.yml
index a751295..92d3780 100644
--- a/consul-role/tasks/acl_policies.yml
+++ b/consul-role/tasks/acl_policies.yml
@@ -55,26 +55,18 @@
 # environment: *consul_env
-
-- name: List existing policies
+- name: List existing policies via Envoy TLS
 ansible.builtin.command: consul acl policy list
 register: existing_policies
 run_once: true
- become: true
+ become: true # <--- VERY IMPORTANT
 changed_when: false
- environment: &consul_env
- # CHANGE 1: Use https instead of http
+ environment:
 CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501"
 CONSUL_HTTP_TOKEN: "{{ consul_master_token }}"
-
- CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt"
- CONSUL_CLIENT_CERT: "{{ consul_config_dir }}/certs/tls.crt"
- CONSUL_CLIENT_KEY: "{{ consul_config_dir }}/certs/tls.key"
-
- # # CHANGE 3: Add the Server Name to match your cert (opstree.dev)
+ # Using the Envoy-managed identity
+ CONSUL_CACERT: "/etc/envoy/tls/dev.crt"
+ CONSUL_CLIENT_CERT: "/etc/envoy/tls/dev.crt"
+ CONSUL_CLIENT_KEY: "/etc/envoy/tls/dev.key"
 CONSUL_TLS_SERVER_NAME: "opstree.dev"
 CONSUL_HTTP_SSL_VERIFY: "false"
-
-
-
-
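Review bot: `verify_incoming = false` and `verify_outgoing = false` in the new `tls.defaults` block give encryption without authentication: the agent neither requires client certificates on incoming connections nor verifies the certificates of the peers it dials, and nothing sets `tls.internal_rpc.verify_server_hostname`. `ca_file` also names the same leaf certificate as `cert_file`, so trust is pinned to one file that has to be redistributed on every rotation instead of to a CA. Once a CA is in place these should become `verify_incoming = true` and `verify_outgoing = true` with `verify_server_hostname = true` for internal RPC; until then a comment in the template explaining why they are off would stop the setting being copied as-is into other environments.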
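Review bot: The environment now hard-codes `/etc/envoy/tls/dev.crt` and `/etc/envoy/tls/dev.key`, paths this role does not create or manage, while the `server.hcl.j2` template in this series points Consul at `{{ consul_config_dir }}/certs/`; the two identities are presumably meant to line up, so a single variable for the client certificate path would keep them in one place. `become: true # <--- VERY IMPORTANT` says that it matters but not why; a comment naming the reason (presumably read access to the key file) is more useful. Dropping the `&consul_env` anchor is safe only if no remaining task in this file still references `*consul_env`.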
From d7351e539f0fadf781f1fe3d71770c117edab270 Mon Sep 17 00:00:00 2001
From: AnithaAnnem
Date: Thu, 19 Mar 2026 15:52:44 +0530
Subject: [PATCH 297/412] Update acl_policies.yml
---
 consul-role/tasks/acl_policies.yml | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/consul-role/tasks/acl_policies.yml b/consul-role/tasks/acl_policies.yml
index 92d3780..53aeeae 100644
--- a/consul-role/tasks/acl_policies.yml
+++ b/consul-role/tasks/acl_policies.yml
@@ -59,14 +59,15 @@
 ansible.builtin.command: consul acl policy list
 register: existing_policies
 run_once: true
- become: true # <--- VERY IMPORTANT
- changed_when: false
+ become: true
 environment:
 CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501"
 CONSUL_HTTP_TOKEN: "{{ consul_master_token }}"
- # Using the Envoy-managed identity
- CONSUL_CACERT: "/etc/envoy/tls/dev.crt"
- CONSUL_CLIENT_CERT: "/etc/envoy/tls/dev.crt"
- CONSUL_CLIENT_KEY: "/etc/envoy/tls/dev.key"
+
+ # Switch these to the actual paths where the files exist
+ CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt"
+ CONSUL_CLIENT_CERT: "{{ consul_config_dir }}/certs/tls.crt"
+ CONSUL_CLIENT_KEY: "{{ consul_config_dir }}/certs/tls.key"
+
 CONSUL_TLS_SERVER_NAME: "opstree.dev"
 CONSUL_HTTP_SSL_VERIFY: "false"
From 0d645483a2b3a164cf17dbf69a70526465b076fd Mon Sep 17 00:00:00 2001
From: AnithaAnnem
Date: Thu, 19 Mar 2026 15:57:23 +0530
Subject: [PATCH 298/412] Update acl_policies.yml
---
 consul-role/tasks/acl_policies.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/consul-role/tasks/acl_policies.yml b/consul-role/tasks/acl_policies.yml
index 53aeeae..883d48a 100644
--- a/consul-role/tasks/acl_policies.yml
+++ b/consul-role/tasks/acl_policies.yml
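Review bot: Removing `changed_when: false` from the `consul acl policy list` task makes a read-only command report `changed` on every run, which breaks idempotence reporting and produces noise in `--check` output. Keep `changed_when: false` next to the restored `become: true`. The enclosing task starts outside the hunk.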
@@ -61,7 +61,7 @@
 run_once: true
 become: true
 environment:
- CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501"
+ CONSUL_HTTP_ADDR: "http://{{ consul_bind_addr }}:8501"
 CONSUL_HTTP_TOKEN: "{{ consul_master_token }}"
 # Switch these to the actual paths where the files exist
@@ -71,3 +71,5 @@
 CONSUL_TLS_SERVER_NAME: "opstree.dev"
 CONSUL_HTTP_SSL_VERIFY: "false"
+
+
From 1e20fa8102cc871f30032376ec23f16abd565580 Mon Sep 17 00:00:00 2001
From: AnithaAnnem
Date: Thu, 19 Mar 2026 16:00:48 +0530
Subject: [PATCH 299/412] Update acl_tokens.yml
---
 consul-role/tasks/acl_tokens.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/consul-role/tasks/acl_tokens.yml b/consul-role/tasks/acl_tokens.yml
index b33cd41..ee64d4f 100644
--- a/consul-role/tasks/acl_tokens.yml
+++ b/consul-role/tasks/acl_tokens.yml
@@ -6,7 +6,7 @@
 changed_when: false
 run_once: true
 environment: &consul_env
- CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501"
+ CONSUL_HTTP_ADDR: "http://{{ consul_bind_addr }}:8501"
 CONSUL_HTTP_TOKEN: "{{ consul_master_token }}"
 CONSUL_HTTP_SSL_VERIFY: "false"
 CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt"
From c67d9807ed634902a2127b80427494a3b2089a7a Mon Sep 17 00:00:00 2001
From: AnithaAnnem
Date: Thu, 19 Mar 2026 16:04:04 +0530
Subject: [PATCH 300/412] Update rbac.yml
---
 consul-role/tasks/rbac.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/consul-role/tasks/rbac.yml b/consul-role/tasks/rbac.yml
index cd4366f..6586748 100644
--- a/consul-role/tasks/rbac.yml
+++ b/consul-role/tasks/rbac.yml
@@ -11,7 +11,7 @@
 changed_when: false
 run_once: true
 environment: &consul_env
- CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501"
+ CONSUL_HTTP_ADDR: "http://{{ consul_bind_addr }}:8501"
 CONSUL_HTTP_TOKEN: "{{ consul_master_token }}"
 CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt"
 CONSUL_HTTP_SSL_VERIFY: "false"
From 4006ff2c5357ebfa787f42b481bf20d42b470c80 Mon Sep 17 00:00:00 2001
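Review bot: `CONSUL_HTTP_ADDR: "http://{{ consul_bind_addr }}:8501"` pairs a plaintext scheme with the port that the `server.hcl.j2` template in this series serves as `https = 8501`, so the CLI will either fail the handshake or, should the agent ever listen in the clear on that port, send `consul_master_token` unencrypted. The same scheme change is applied to acl_tokens.yml and rbac.yml in the next two patches. If both modes are meant to be supported, derive scheme and port from one variable pair rather than editing three files by hand. The second hunk only appends blank lines.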
From: AnithaAnnem
Date: Thu, 19 Mar 2026 17:33:51 +0530
Subject: [PATCH 301/412] Update acl_policies.yml
---
 consul-role/tasks/acl_policies.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/consul-role/tasks/acl_policies.yml b/consul-role/tasks/acl_policies.yml
index 883d48a..b6fbdf4 100644
--- a/consul-role/tasks/acl_policies.yml
+++ b/consul-role/tasks/acl_policies.yml
@@ -61,7 +61,7 @@
 run_once: true
 become: true
 environment:
- CONSUL_HTTP_ADDR: "http://{{ consul_bind_addr }}:8501"
+ CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501"
 CONSUL_HTTP_TOKEN: "{{ consul_master_token }}"
 # Switch these to the actual paths where the files exist
From 54fe8af21cee44dae4753d115b7a180f1d35440d Mon Sep 17 00:00:00 2001
From: AnithaAnnem
Date: Thu, 19 Mar 2026 17:34:14 +0530
Subject: [PATCH 302/412] Update acl_tokens.yml
---
 consul-role/tasks/acl_tokens.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/consul-role/tasks/acl_tokens.yml b/consul-role/tasks/acl_tokens.yml
index ee64d4f..b33cd41 100644
--- a/consul-role/tasks/acl_tokens.yml
+++ b/consul-role/tasks/acl_tokens.yml
@@ -6,7 +6,7 @@
 changed_when: false
 run_once: true
 environment: &consul_env
- CONSUL_HTTP_ADDR: "http://{{ consul_bind_addr }}:8501"
+ CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501"
 CONSUL_HTTP_TOKEN: "{{ consul_master_token }}"
 CONSUL_HTTP_SSL_VERIFY: "false"
 CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt"
From 92a16af8640af00ad3ddac2876fb8f8f0398941b Mon Sep 17 00:00:00 2001
From: AnithaAnnem
Date: Thu, 19 Mar 2026 17:35:00 +0530
Subject: [PATCH 303/412] Update rbac.yml
---
 consul-role/tasks/rbac.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/consul-role/tasks/rbac.yml b/consul-role/tasks/rbac.yml
index 6586748..cd4366f 100644
--- a/consul-role/tasks/rbac.yml
+++ b/consul-role/tasks/rbac.yml
@@ -11,7 +11,7 @@
 changed_when: false
 run_once: true
 environment: &consul_env
- CONSUL_HTTP_ADDR: "http://{{ consul_bind_addr }}:8501"
+ CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501"
 CONSUL_HTTP_TOKEN: "{{ consul_master_token }}"
 CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt"
 CONSUL_HTTP_SSL_VERIFY: "false"
From 988e4dc059e0ca988f85e9f42b0e1e36d8bb134b Mon Sep 17 00:00:00 2001
From: AnithaAnnem
Date: Thu, 19 Mar 2026 17:55:40 +0530
Subject: [PATCH 304/412] Update server.hcl.j2
---
 consul-role/templates/server.hcl.j2 | 1 +
 1 file changed, 1 insertion(+)
diff --git a/consul-role/templates/server.hcl.j2 b/consul-role/templates/server.hcl.j2
index bb72d74..a95344b 100644
--- a/consul-role/templates/server.hcl.j2
+++ b/consul-role/templates/server.hcl.j2
@@ -36,6 +36,7 @@ acl {
 }
 ports {
+ http = -1
 https = 8501
 }
From 5ee44ec40c71a28a0b78c1ef9729502341308786 Mon Sep 17 00:00:00 2001
From: AnithaAnnem
Date: Thu, 19 Mar 2026 21:25:44 +0530
Subject: [PATCH 305/412] Update install.yml
---
 consul-role/tasks/install.yml | 2 --
 1 file changed, 2 deletions(-)
diff --git a/consul-role/tasks/install.yml b/consul-role/tasks/install.yml
index a3cdc0b..8da5aeb 100644
--- a/consul-role/tasks/install.yml
+++ b/consul-role/tasks/install.yml
@@ -7,13 +7,11 @@
 state: present
 update_cache: true
-
 - name: Create consul group
 ansible.builtin.group:
 name: "{{ consul_group }}"
 system: true
-
 - name: Create consul user
 ansible.builtin.user:
 name: "{{ consul_user }}"
From 66a174a82d93d6ccfe1d52401ded3ed4170c42a4 Mon Sep 17 00:00:00 2001
From: AnithaAnnem
Date: Thu, 19 Mar 2026 21:27:50 +0530
Subject: [PATCH 306/412] Update config.yml
---
 consul-role/tasks/config.yml | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/consul-role/tasks/config.yml b/consul-role/tasks/config.yml
index 26ab574..31445b7 100644
--- a/consul-role/tasks/config.yml
+++ b/consul-role/tasks/config.yml
@@ -1,3 +1,14 @@
+- name: Create Consul directories
+ ansible.builtin.file:
+ path: "{{ item }}"
+ state: directory
+ owner: "{{ consul_user }}"
+ group: "{{ consul_group }}"
+ mode: "0750"
+ loop:
+ - "{{ consul_data_dir }}"
+ - "{{ consul_config_dir }}"
+
 # - name: Create TLS cert directory
 # ansible.builtin.file:
 # path: "{{ consul_config_dir }}/certs"
From 1bf70a0e7051a36e55a1a3fff82234d7e491bd18 Mon Sep 17 00:00:00 2001
From: AnithaAnnem
Date: Thu, 19 Mar 2026 21:29:06 +0530
Subject: [PATCH 307/412] Update config.yml
---
 consul-role/tasks/config.yml | 51 +++++++++++++++++++-----------------
 1 file changed, 27 insertions(+), 24 deletions(-)
diff --git a/consul-role/tasks/config.yml b/consul-role/tasks/config.yml
index 31445b7..332fd44 100644
--- a/consul-role/tasks/config.yml
+++ b/consul-role/tasks/config.yml
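Review bot: The new `Create Consul directories` task is inserted at line 1 and the old first line is a comment, so config.yml has no `---` document start; add `---` above the task. `mode: "0750"` on `{{ consul_config_dir }}` is the right restriction given the TLS key that a later patch places underneath it, but it is worth a one-line comment saying so, otherwise a future edit may loosen it to match the usual 0755 for config directories.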
@@ -8,32 +8,35 @@
 loop:
 - "{{ consul_data_dir }}"
 - "{{ consul_config_dir }}"
-
-# - name: Create TLS cert directory
-# ansible.builtin.file:
-# path: "{{ consul_config_dir }}/certs"
-# state: directory
-# owner: "{{ consul_user }}"
-# group: "{{ consul_group }}"
-# mode: "0750"
-# - name: Copy TLS certificate
-# ansible.builtin.copy:
-# src: tls.crt
-# dest: "{{ consul_config_dir }}/certs/tls.crt"
-# owner: "{{ consul_user }}"
-# group: "{{ consul_group }}"
-# mode: "0644"
-# notify: Restart Consul
+- name: Create TLS cert directory
+ ansible.builtin.file:
+ path: "{{ consul_config_dir }}/certs"
+ state: directory
+ owner: "{{ consul_user }}"
+ group: "{{ consul_group }}"
+ mode: "0750"
+ when: consul_tls_enabled
+
+- name: Copy TLS certificate
+ ansible.builtin.copy:
+ src: tls.crt
+ dest: "{{ consul_config_dir }}/certs/tls.crt"
+ owner: "{{ consul_user }}"
+ group: "{{ consul_group }}"
+ mode: "0644"
+ notify: Restart Consul
+ when: consul_tls_enabled
-# - name: Copy TLS private key
-# ansible.builtin.copy:
-# src: tls.key
-# dest: "{{ consul_config_dir }}/certs/tls.key"
-# owner: "{{ consul_user }}"
-# group: "{{ consul_group }}"
-# mode: "0600"
-# notify: Restart Consul
+- name: Copy TLS private key
+ ansible.builtin.copy:
+ src: tls.key
+ dest: "{{ consul_config_dir }}/certs/tls.key"
+ owner: "{{ consul_user }}"
+ group: "{{ consul_group }}"
+ mode: "0600"
+ notify: Restart Consul
+ when: consul_tls_enabled
 - name: Deploy Consul server configuration
 ansible.builtin.template:
From 7caceea989677910d7a2c88585fc47e921a3606f Mon Sep 17 00:00:00 2001
From: AnithaAnnem
Date: Thu, 19 Mar 2026 21:30:29 +0530
Subject: [PATCH 308/412] Update main.yml
---
 consul-role/handlers/main.yml | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/consul-role/handlers/main.yml b/consul-role/handlers/main.yml
index de11d96..b37f139 100644
--- a/consul-role/handlers/main.yml
+++ b/consul-role/handlers/main.yml
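Review bot: `src: tls.key` in the `Copy TLS private key` task resolves to the role's `files/` directory, which means the private key is checked into the repository next to the playbook; it should be vault-encrypted or fetched from a secret store at deploy time, and the task should carry `no_log: true` so a `--diff` run does not print the key contents. All three tasks gate on `consul_tls_enabled`, which this commit does not define anywhere, so until defaults/main.yml provides it the `when` fails with an undefined variable (a later patch in this series defaults it to `false`, which then leaves these tasks skipped out of the box). `mode: "0600"` with `owner: "{{ consul_user }}"` on the key is correct.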
@@ -1,10 +1,8 @@
 ---
 # handlers file for consul
+
 - name: Restart Consul
 ansible.builtin.systemd:
 name: consul
 state: restarted
-
-- name: Reload systemd
- ansible.builtin.systemd:
 daemon_reload: true
From 2411124289a0cc1221f78b9e7bd23c762205f23a Mon Sep 17 00:00:00 2001
From: AnithaAnnem
Date: Thu, 19 Mar 2026 21:35:39 +0530
Subject: [PATCH 309/412] Update acl.yml
---
 consul-role/tasks/acl.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/consul-role/tasks/acl.yml b/consul-role/tasks/acl.yml
index f4a3570..ad03042 100644
--- a/consul-role/tasks/acl.yml
+++ b/consul-role/tasks/acl.yml
@@ -2,7 +2,7 @@
 - name: Wait for Consul HTTPs API
 ansible.builtin.wait_for:
 host: "{{ consul_bind_addr }}"
- port: 8501
+ port: "{{ consul_https_port }}"
 delay: 15
 timeout: 120
From 97221cb47f8bc6a018afe99861e7f9c59fcdaa94 Mon Sep 17 00:00:00 2001
From: AnithaAnnem
Date: Thu, 19 Mar 2026 21:37:45 +0530
Subject: [PATCH 310/412] Update acl.yml
---
 consul-role/tasks/acl.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/consul-role/tasks/acl.yml b/consul-role/tasks/acl.yml
index ad03042..9848c78 100644
--- a/consul-role/tasks/acl.yml
+++ b/consul-role/tasks/acl.yml
@@ -36,7 +36,7 @@
 failed_when: false
 when: consul_master_token is not defined or consul_master_token == ""
 environment:
- CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501"
+ CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:{{ consul_https_port }}"
 - name: Extract new token from bootstrap output
From 15e01d4bb9155c78be95bad61b5acd5afe8c8e13 Mon Sep 17 00:00:00 2001
From: AnithaAnnem
Date: Thu, 19 Mar 2026 21:47:10 +0530
Subject: [PATCH 311/412] Update acl_policies.yml
---
 consul-role/tasks/acl_policies.yml | 105 +++++++++++------------
 1 file changed, 40 insertions(+), 65 deletions(-)
diff --git a/consul-role/tasks/acl_policies.yml b/consul-role/tasks/acl_policies.yml
index b6fbdf4..1d0f8d4 100644
--- a/consul-role/tasks/acl_policies.yml
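Review bot: Deleting the `Reload systemd` handler while folding `daemon_reload: true` into `Restart Consul` will fail the play with an unknown-handler error if any task still has `notify: Reload systemd`; the task that installs the systemd unit file is the likely notifier and should be checked in the same commit. Reloading the daemon on every restart is harmless but a separate reload handler triggered only by the unit template is the more usual shape. The handler file is complete in this hunk.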
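Review bot: `port: "{{ consul_https_port }}"` references a variable that this commit does not define anywhere in the role, so the `wait_for` task fails with an undefined variable until defaults/main.yml gains `consul_https_port` (a later patch in this series adds it). The `CONSUL_HTTP_ADDR` change in the next patch's acl.yml hunk has the same dependency. Adding the default in the same commit as the first reference keeps every commit in the series deployable.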
+++ b/consul-role/tasks/acl_policies.yml 
@@ -1,75 +1,50 @@
 ---
-
-# - name: Ensure certificate directory is accessible
-# ansible.builtin.file:
-# path: "{{ consul_config_dir }}/certs"
-# state: directory
-# mode: "0755"
-# become: true
-
-# - name: Fix certificate file permissions
-# ansible.builtin.file:
-# path: "{{ consul_config_dir }}/certs/{{ item.file }}"
-# mode: "{{ item.mode }}"
-# loop:
-# - { file: "tls.crt", mode: "0644" }
-# - { file: "tls.key", mode: "0640" }
-# become: true
-
-# - name: Copy policy files
-# ansible.builtin.template:
-# src: "policies/{{ item }}.hcl.j2"
-# dest: "/tmp/{{ item }}.hcl"
-# mode: "0644"
-# loop:
-# - agent-policy
-# - service-policy
-# - readonly-policy
-# - monitoring-policy
-
-
-# - name: List existing policies
-# ansible.builtin.command: consul acl policy list
-# register: existing_policies
-# run_once: true
-# become: true
-# changed_when: false
-# environment: &consul_env
-# CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501"
-# CONSUL_HTTP_TOKEN: "{{ consul_master_token }}"
-# CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt"
-# CONSUL_HTTP_SSL_VERIFY: "false"
-
-# - name: Create Consul policies
-# ansible.builtin.command: >
-# consul acl policy create
-# -name {{ item }}
-# -rules @/tmp/{{ item }}.hcl
-# loop:
-# - agent-policy
-# - service-policy
-# - readonly-policy
-# - monitoring-policy
-# when: item not in existing_policies.stdout
-# run_once: true
-# environment: *consul_env
-
-
 - name: List existing policies via Envoy TLS
 ansible.builtin.command: consul acl policy list
 register: existing_policies
 run_once: true
- become: true
+ become: true
 environment:
- CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501"
+ CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:{{ consul_https_port }}"
 CONSUL_HTTP_TOKEN: "{{ consul_master_token }}"
-
- # Switch these to the actual paths where the files exist
 CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt"
 CONSUL_CLIENT_CERT: "{{ consul_config_dir }}/certs/tls.crt"
 CONSUL_CLIENT_KEY: "{{ 
consul_config_dir }}/certs/tls.key"
-
- CONSUL_TLS_SERVER_NAME: "opstree.dev"
- CONSUL_HTTP_SSL_VERIFY: "false"
-
-
+ CONSUL_TLS_SERVER_NAME: "{{ consul_tls_server_name }}"
+ CONSUL_HTTP_SSL_VERIFY: "{{ consul_tls_verify | ternary('true','false') }}"
+ when: consul_tls_enabled
+
+- name: Copy policy files
+ ansible.builtin.template:
+ src: "policies/{{ item }}.hcl.j2"
+ dest: "/tmp/{{ item }}.hcl"
+ mode: "0644"
+ loop:
+ - agent-policy
+ - service-policy
+ - readonly-policy
+ - monitoring-policy
+
+- name: Create Consul policies
+ ansible.builtin.command: >
+ consul acl policy create
+ -name {{ item }}
+ -rules @/tmp/{{ item }}.hcl
+ loop:
+ - agent-policy
+ - service-policy
+ - readonly-policy
+ - monitoring-policy
+ when:
+ - consul_tls_enabled
+ - item not in existing_policies.stdout
+ run_once: true
+ become: true
+ environment:
+ CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:{{ consul_https_port }}"
+ CONSUL_HTTP_TOKEN: "{{ consul_master_token }}"
+ CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt"
+ CONSUL_CLIENT_CERT: "{{ consul_config_dir }}/certs/tls.crt"
+ CONSUL_CLIENT_KEY: "{{ consul_config_dir }}/certs/tls.key"
+ CONSUL_TLS_SERVER_NAME: "{{ consul_tls_server_name }}"
+ CONSUL_HTTP_SSL_VERIFY: "{{ consul_tls_verify | ternary('true','false') }}"
From 1bc2fd0640d1849c86d5c2a56ac82df300642643 Mon Sep 17 00:00:00 2001
From: AnithaAnnem
Date: Thu, 19 Mar 2026 21:51:29 +0530
Subject: [PATCH 312/412] Update acl_tokens.yml
---
 consul-role/tasks/acl_tokens.yml | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/consul-role/tasks/acl_tokens.yml b/consul-role/tasks/acl_tokens.yml
index b33cd41..f9e8a4a 100644
--- a/consul-role/tasks/acl_tokens.yml
+++ b/consul-role/tasks/acl_tokens.yml
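Review bot: Both `List existing policies via Envoy TLS` and `Create Consul policies` are gated on `consul_tls_enabled`, so with TLS off no ACL policy is created and the role proceeds silently without them while `Copy policy files` still renders the HCL; if policies are required regardless of transport, the gate should select scheme and port rather than skip the tasks. The rendered rules go to `/tmp/{{ item }}.hcl` with `mode: "0644"` in a shared, world-writable directory, so another local user can replace the file between the template task and the `-rules @/tmp/{{ item }}.hcl` read; rendering under `{{ consul_config_dir }}` (or a path from `ansible.builtin.tempfile`) closes that window. `changed_when: false` is still missing on the read-only list command, and the seven-line `environment:` block is now duplicated verbatim in both tasks where a `&consul_env` anchor would keep them in step.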
@@ -6,9 +6,9 @@
 changed_when: false
 run_once: true
 environment: &consul_env
- CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501"
+ CONSUL_HTTP_ADDR: "{{ consul_scheme }}://{{ consul_bind_addr }}:{{ consul_api_port }}"
 CONSUL_HTTP_TOKEN: "{{ consul_master_token }}"
- CONSUL_HTTP_SSL_VERIFY: "false"
+ CONSUL_HTTP_SSL_VERIFY: "{{ consul_tls_verify | ternary('true','false') }}"
 CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt"
 ####################################
@@ -31,6 +31,7 @@
 - "'Agent Token' not in existing_tokens.stdout"
 run_once: true
 environment: *consul_env
+ no_log: true
 - name: Save agent token
 ansible.builtin.copy:
@@ -43,6 +44,7 @@
 - not agent_token_stat.stat.exists
 - agent_token_output.stdout is defined
 - "'SecretID' in agent_token_output.stdout"
+ no_log: true
 ####################################
 # Service Token
@@ -64,6 +66,7 @@
 - "'Service Token' not in existing_tokens.stdout"
 run_once: true
 environment: *consul_env
+ no_log: true
 - name: Save service token
 ansible.builtin.copy:
@@ -74,9 +77,10 @@
 mode: "0600"
 when:
 - not service_token_stat.stat.exists
- - service_token_output.stdout is defined
+ - agent_token_output.stdout is defined
 - "'SecretID' in service_token_output.stdout"
 run_once: true
+ no_log: true
 ####################################
 # Monitoring Token Logic
From 16bffc6d8c4da63a1a7ed847e23ded5400d7214c Mon Sep 17 00:00:00 2001
From: AnithaAnnem
Date: Thu, 19 Mar 2026 21:57:20 +0530
Subject: [PATCH 313/412] Update rbac.yml
---
 consul-role/tasks/rbac.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/consul-role/tasks/rbac.yml b/consul-role/tasks/rbac.yml
index cd4366f..c4550f4 100644
--- a/consul-role/tasks/rbac.yml
+++ b/consul-role/tasks/rbac.yml
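Review bot: `CONSUL_HTTP_ADDR: "{{ consul_scheme }}://{{ consul_bind_addr }}:{{ consul_api_port }}"` uses `consul_scheme` and `consul_api_port`, neither of which is defined by this commit or by the defaults added later in this series (those add `consul_http_port`, `consul_https_port` and `consul_use_tls`), so every task sharing the `&consul_env` anchor fails on an undefined variable. Driving `CONSUL_HTTP_SSL_VERIFY` from `consul_tls_verify` is an improvement, but its default of `false` still leaves verification off unless the caller overrides it. The enclosing task starts outside the hunk.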
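Review bot: The `Save service token` condition now tests `agent_token_output.stdout is defined` instead of `service_token_output.stdout is defined`, so the guard checks the wrong registered result and the next condition, `"'SecretID' in service_token_output.stdout"`, runs unguarded; when the service-token creation task was skipped this raises an undefined-attribute error instead of skipping. Restore `- service_token_output.stdout is defined`. The added `no_log: true` lines are the right call for tasks that register and write token SecretIDs.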
@@ -11,7 +11,7 @@ changed_when: false run_once: true environment: &consul_env - CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:8501" + CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:{{ consul_https_port }}" CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt" CONSUL_HTTP_SSL_VERIFY: "false" @@ -60,6 +60,7 @@ when: not app_token_stat.stat.exists run_once: true environment: *consul_env + no_log: true - name: Save application token ansible.builtin.copy: @@ -73,3 +74,4 @@ - app_token_output.stdout is defined - "'SecretID' in app_token_output.stdout" run_once: true + no_log: true From e102ba2bea3eb0c53b50d38f8db6e91cc7c82721 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Thu, 19 Mar 2026 22:01:50 +0530 Subject: [PATCH 314/412] Update main.yml --- consul-role/defaults/main.yml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/consul-role/defaults/main.yml b/consul-role/defaults/main.yml index 76cde6f..913c21c 100644 --- a/consul-role/defaults/main.yml +++ b/consul-role/defaults/main.yml @@ -16,6 +16,15 @@ consul_bootstrap_expect: "{{ play_hosts | length }}" consul_enable_ui: true +# Ports +consul_http_port: 8500 +consul_https_port: 8501 +consul_use_tls: true + +# TLS +consul_tls_server_name: "opstree.dev" +consul_tls_verify: false + # ACL consul_acl_enabled: true consul_acl_default_policy: "deny" From 24ecdc825dafe67eb75ca6f3410c77b9254c136d Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Thu, 19 Mar 2026 22:13:37 +0530 Subject: [PATCH 315/412] Update main.yml --- consul-role/defaults/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/consul-role/defaults/main.yml b/consul-role/defaults/main.yml index 913c21c..94631a7 100644 --- a/consul-role/defaults/main.yml +++ b/consul-role/defaults/main.yml @@ -24,6 +24,7 @@ consul_use_tls: true # TLS consul_tls_server_name: "opstree.dev" consul_tls_verify: false +consul_tls_enabled: false # ACL consul_acl_enabled: true 
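Review bot: This hunk parameterises the port but leaves `CONSUL_HTTP_SSL_VERIFY: "false"` hard-coded in the `&consul_env` anchor that every rbac task inherits, while acl_tokens.yml in the same series was switched to `consul_tls_verify`; with verification off the `CONSUL_CACERT` line below it has no effect and the management token is sent without authenticating the server. Align it with the other file: `CONSUL_HTTP_SSL_VERIFY: "{{ consul_tls_verify | ternary('true','false') }}"`. The `Check existing policies` task that owns this environment starts before the hunk.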
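Review bot: The new defaults ship `consul_tls_verify: false`, and because acl_tokens.yml now feeds that value into `CONSUL_HTTP_SSL_VERIFY`, the out-of-the-box behaviour is that every CLI call carrying the bootstrap token skips certificate validation; a role default should fail closed and let an operator opt out explicitly, i.e. `consul_tls_verify: true` with a comment on why one might disable it. `consul_use_tls: true` is also introduced here but I do not see any task or template in the series read it, so it is either dead or a leftover from a rename — worth confirming. These defaults are top-level keys, so the hunk is self-contained.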
From a365bba388d7ee49cfa923f4601db0c9852d744d Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Thu, 19 Mar 2026 22:18:13 +0530 Subject: [PATCH 316/412] Update acl_tokens.yml --- consul-role/tasks/acl_tokens.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/consul-role/tasks/acl_tokens.yml b/consul-role/tasks/acl_tokens.yml index f9e8a4a..e161deb 100644 --- a/consul-role/tasks/acl_tokens.yml +++ b/consul-role/tasks/acl_tokens.yml @@ -6,7 +6,7 @@ changed_when: false run_once: true environment: &consul_env - CONSUL_HTTP_ADDR: "{{ consul_scheme }}://{{ consul_bind_addr }}:{{ consul_api_port }}" + CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:{{ consul_https_port }}" CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" CONSUL_HTTP_SSL_VERIFY: "{{ consul_tls_verify | ternary('true','false') }}" CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt" From addc389b388c89089b7d844bbf2f0b4261c43729 Mon Sep 17 00:00:00 2001 
From: anitha Date: Thu, 19 Mar 2026 23:52:24 +0530 Subject: [PATCH 317/412] moving all the files out from the consul-role directory --- defaults/main.yml | 42 +++++++ files/read-policy.hcl | 8 ++ handlers/main.yml | 8 ++ meta/main.yml | 34 +++++ tasks/acl.yml | 75 +++++++++++ tasks/acl_policies.yml | 50 ++++++++ tasks/acl_tokens.yml | 133 ++++++++++++++++++++ tasks/config.yml | 48 +++++++ tasks/directories.yml | 10 ++ tasks/install.yml | 34 +++++ tasks/main.yml | 20 +++ tasks/rbac.yml | 77 ++++++++++++ tasks/service.yml | 14 +++ templates/consul.service.j2 | 16 +++ templates/policies/agent-policy.hcl.j2 | 11 ++ templates/policies/monitoring-policy.hcl.j2 | 9 ++ templates/policies/readonly-policy.hcl.j2 | 11 ++ templates/policies/service-policy.hcl.j2 | 7 ++ templates/prometheus-consul.yml.j2 | 27 ++++ templates/server.hcl.j2 | 53 ++++++++ tests/test.yml | 6 + vars/main.yml | 34 +++++ 22 files changed, 727 insertions(+) create mode 100644 defaults/main.yml create mode 100644 files/read-policy.hcl create mode 100644 handlers/main.yml create mode 100644 meta/main.yml create mode 100644 tasks/acl.yml create mode 100644 tasks/acl_policies.yml create mode 100644 tasks/acl_tokens.yml create mode 100644 tasks/config.yml create mode 100644 tasks/directories.yml create mode 100644 tasks/install.yml create mode 100644 tasks/main.yml create mode 100644 tasks/rbac.yml create mode 100644 tasks/service.yml create mode 100644 templates/consul.service.j2 create mode 100644 templates/policies/agent-policy.hcl.j2 create mode 100644 templates/policies/monitoring-policy.hcl.j2 create mode 100644 templates/policies/readonly-policy.hcl.j2 create mode 100644 templates/policies/service-policy.hcl.j2 create mode 100644 templates/prometheus-consul.yml.j2 create mode 100644 templates/server.hcl.j2 create mode 100644 tests/test.yml create mode 100644 vars/main.yml diff --git a/defaults/main.yml b/defaults/main.yml new file mode 100644 index 0000000..94631a7 --- /dev/null 
+++ b/defaults/main.yml @@ -0,0 +1,42 @@ +--- +# defaults file for consul +consul_version: "1.17.0" +consul_user: "consul" +consul_group: "consul" + +consul_install_dir: "/usr/local/bin" +consul_data_dir: "/var/lib/consul" +consul_config_dir: "/etc/consul.d" + +consul_node_name: "{{ inventory_hostname }}" +consul_bind_addr: "{{ ansible_host }}" + +consul_is_server: true +consul_bootstrap_expect: "{{ play_hosts | length }}" + +consul_enable_ui: true + +# Ports +consul_http_port: 8500 +consul_https_port: 8501 +consul_use_tls: true + +# TLS +consul_tls_server_name: "opstree.dev" +consul_tls_verify: false +consul_tls_enabled: false + +# ACL +consul_acl_enabled: true +consul_acl_default_policy: "deny" +consul_acl_token_persistence: false +consul_agent_token: "" + +consul_client_addr: "0.0.0.0" + +# Gossip Encryption +consul_gossip_key: "" + +# Monitoring +consul_telemetry_enabled: true +consul_prometheus_retention: "60s" diff --git a/files/read-policy.hcl b/files/read-policy.hcl new file mode 100644 index 0000000..f3e1480 --- /dev/null +++ b/files/read-policy.hcl @@ -0,0 +1,8 @@ +# Allow DNS to find nodes and services +node_prefix "" { + policy = "read" +} + +service_prefix "" { + policy = "write" +} diff --git a/handlers/main.yml b/handlers/main.yml new file mode 100644 index 0000000..b37f139 --- /dev/null +++ b/handlers/main.yml @@ -0,0 +1,8 @@ +--- +# handlers file for consul + +- name: Restart Consul + ansible.builtin.systemd: + name: consul + state: restarted + daemon_reload: true diff --git a/meta/main.yml b/meta/main.yml new file mode 100644 index 0000000..ea68190 --- /dev/null +++ b/meta/main.yml 
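Review bot: `consul_gossip_key: ""` is rendered verbatim into `encrypt = ""` by server.hcl.j2, which appears to leave serf gossip unencrypted if the vaulted value in vars/main.yml is ever removed or overridden, and nothing in the role asserts that the key is set. I would add a guard in tasks/main.yml before config.yml runs, e.g. `ansible.builtin.assert: { that: consul_gossip_key | length > 0, fail_msg: "consul_gossip_key must be set (consul keygen)" }`, and document the default as intentionally empty. Also note `consul_client_addr: "0.0.0.0"` together with `consul_enable_ui: true` exposes the API and UI on every interface; a comment on the expected firewalling would help the next user.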
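Review bot: files/read-policy.hcl is named and commented as a read policy ("Allow DNS to find nodes and services") but grants `service_prefix "" { policy = "write" }`, and rbac.yml attaches it to `read-role`, which backs the "App Read Token"; any holder of that token can register or deregister every service in the catalog. If the intent is read-only discovery the rule should be `policy = "read"`; if applications genuinely need to register themselves, rename the policy and token so the grant is not hidden behind "read". This is a complete file, so the hunk is self-contained.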
@@ -0,0 +1,34 @@ +galaxy_info: + author: your name + description: your role description + company: your company (optional) + + # If the issue tracker for your role is not on github, uncomment the + # next line and provide a value + # issue_tracker_url: http://example.com/issue/tracker + + # Choose a valid license ID from https://spdx.org - some suggested licenses: + # - BSD-3-Clause (default) + # - MIT + # - GPL-2.0-or-later + # - GPL-3.0-only + # - Apache-2.0 + # - CC-BY-4.0 + license: license (GPL-2.0-or-later, MIT, etc) + + min_ansible_version: 2.1 + + # If this a Container Enabled role, provide the minimum Ansible Container version. + # min_ansible_container_version: + + galaxy_tags: [] + # List tags for your role here, one per line. A tag is a keyword that describes + # and categorizes the role. Users find roles by searching for tags. Be sure to + # remove the '[]' above, if you add tags to this list. + # + # NOTE: A tag is limited to a single word comprised of alphanumeric characters. + # Maximum 20 tags per role. + +dependencies: [] + # List your role dependencies here, one per line. Be sure to remove the '[]' above, + # if you add dependencies to this list. diff --git a/tasks/acl.yml b/tasks/acl.yml new file mode 100644 index 0000000..9848c78 --- /dev/null +++ b/tasks/acl.yml 
@@ -0,0 +1,75 @@ +--- +- name: Wait for Consul HTTPs API + ansible.builtin.wait_for: + host: "{{ consul_bind_addr }}" + port: "{{ consul_https_port }}" + delay: 15 + timeout: 120 + +# Check bootstrap token +- name: Check for existing bootstrap token file + ansible.builtin.stat: + path: "{{ consul_config_dir }}/bootstrap.token" + register: token_file_on_disk + +- name: Load existing token from disk + ansible.builtin.slurp: + src: "{{ consul_config_dir }}/bootstrap.token" + register: slurped_token + become: true + when: + - token_file_on_disk.stat.exists + - token_file_on_disk.stat.size > 0 + +- name: Set master token fact from file + ansible.builtin.set_fact: + consul_master_token: "{{ slurped_token.content | b64decode | trim }}" + when: + - token_file_on_disk.stat.exists + - slurped_token.content is defined + +# Bootstrap ACL +- name: Bootstrap ACL + ansible.builtin.command: consul acl bootstrap -format=json + register: consul_bootstrap + run_once: true + failed_when: false + when: consul_master_token is not defined or consul_master_token == "" + environment: + CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:{{ consul_https_port }}" + + +- name: Extract new token from bootstrap output + ansible.builtin.set_fact: + consul_master_token: "{{ (consul_bootstrap.stdout | from_json).SecretID }}" + run_once: true + when: + - consul_bootstrap.changed + - consul_bootstrap.stdout | length > 0 + - "'SecretID' in consul_bootstrap.stdout" + +# Share token to all hosts +- name: Propagate token to all hosts + ansible.builtin.set_fact: + consul_master_token: "{{ hostvars[ansible_play_hosts[0]]['consul_master_token'] }}" + when: consul_master_token is not defined or consul_master_token == "" + +# Save token +- name: Save bootstrap token to file + ansible.builtin.copy: + content: "{{ consul_master_token }}" + dest: "{{ consul_config_dir }}/bootstrap.token" + owner: "{{ consul_user }}" + group: "{{ consul_group }}" + mode: "0600" + become: true + when: + - consul_master_token is 
defined + - consul_master_token != "" + +# Next tasks +- name: Include ACL policies + ansible.builtin.include_tasks: acl_policies.yml + +- name: Include ACL tokens + ansible.builtin.include_tasks: acl_tokens.yml diff --git a/tasks/acl_policies.yml b/tasks/acl_policies.yml new file mode 100644 index 0000000..1d0f8d4 --- /dev/null +++ b/tasks/acl_policies.yml 
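Review bot: The `Bootstrap ACL` task runs `consul acl bootstrap -format=json` with `failed_when: false` and no `no_log`, so the JSON containing the new management `SecretID` is registered and will be printed under `-v`, and any failure — including a TLS handshake failure, since this task sets only `CONSUL_HTTP_ADDR` and not the `CONSUL_CACERT`/`CONSUL_HTTP_SSL_VERIFY` used elsewhere — is silently swallowed, after which `Propagate token to all hosts` copies an empty fact and `Save bootstrap token to file` is skipped without any error. I would add `no_log: true` to the bootstrap and `Extract new token` tasks, pass the same TLS environment the other tasks use, and replace `failed_when: false` with a `failed_when` that only tolerates Consul's already-bootstrapped error (check `consul_bootstrap.rc` and the specific message in `consul_bootstrap.stderr`). A short comment explaining why the token is persisted to `bootstrap.token` with mode 0600 would also help.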
@@ -0,0 +1,50 @@ +--- +- name: List existing policies via Envoy TLS + ansible.builtin.command: consul acl policy list + register: existing_policies + run_once: true + become: true + environment: + CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:{{ consul_https_port }}" + CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" + CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt" + CONSUL_CLIENT_CERT: "{{ consul_config_dir }}/certs/tls.crt" + CONSUL_CLIENT_KEY: "{{ consul_config_dir }}/certs/tls.key" + CONSUL_TLS_SERVER_NAME: "{{ consul_tls_server_name }}" + CONSUL_HTTP_SSL_VERIFY: "{{ consul_tls_verify | ternary('true','false') }}" + when: consul_tls_enabled + +- name: Copy policy files + ansible.builtin.template: + src: "policies/{{ item }}.hcl.j2" + dest: "/tmp/{{ item }}.hcl" + mode: "0644" + loop: + - agent-policy + - service-policy + - readonly-policy + - monitoring-policy + +- name: Create Consul policies + ansible.builtin.command: > + consul acl policy create + -name {{ item }} + -rules @/tmp/{{ item }}.hcl + loop: + - agent-policy + - service-policy + - readonly-policy + - monitoring-policy + when: + - consul_tls_enabled + - item not in existing_policies.stdout + run_once: true + become: true + environment: + CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:{{ consul_https_port }}" + CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" + CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt" + CONSUL_CLIENT_CERT: "{{ consul_config_dir }}/certs/tls.crt" + CONSUL_CLIENT_KEY: "{{ consul_config_dir }}/certs/tls.key" + CONSUL_TLS_SERVER_NAME: "{{ consul_tls_server_name }}" + CONSUL_HTTP_SSL_VERIFY: "{{ consul_tls_verify | ternary('true','false') }}" diff --git a/tasks/acl_tokens.yml b/tasks/acl_tokens.yml new file mode 100644 index 0000000..e161deb --- /dev/null +++ b/tasks/acl_tokens.yml 
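Review bot: Both the `List existing policies` and `Create Consul policies` tasks are gated on `consul_tls_enabled`, which defaults/main.yml in this commit sets to `false`, so under the role defaults no policy is created — yet acl_tokens.yml, included right after, runs `consul acl token create -policy-name agent-policy` and friends, which Consul will reject for a non-existent policy. TLS is unrelated to whether policies exist; main.yml already includes acl.yml only when `consul_acl_enabled`, so these `when:` lines should be dropped (or changed to `consul_acl_enabled`). The list task should also carry `changed_when: false`, as the equivalent task in acl_tokens.yml does.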
@@ -0,0 +1,133 @@ +--- +# Check existing tokens +- name: Check existing tokens in consul + ansible.builtin.command: consul acl token list + register: existing_tokens + changed_when: false + run_once: true + environment: &consul_env + CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:{{ consul_https_port }}" + CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" + CONSUL_HTTP_SSL_VERIFY: "{{ consul_tls_verify | ternary('true','false') }}" + CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt" + +#################################### +# Agent Token +#################################### + +- name: Check if agent token exists on disk + ansible.builtin.stat: + path: "{{ consul_config_dir }}/agent.token" + register: agent_token_stat + +- name: Create agent token + ansible.builtin.command: > + consul acl token create + -description "Agent Token" + -policy-name agent-policy + register: agent_token_output + when: + - not agent_token_stat.stat.exists + - "'Agent Token' not in existing_tokens.stdout" + run_once: true + environment: *consul_env + no_log: true + +- name: Save agent token + ansible.builtin.copy: + content: "{{ agent_token_output.stdout | regex_search('SecretID:\\s+([a-fA-F0-9-]+)', '\\1') | first }}" + dest: "{{ consul_config_dir }}/agent.token" + owner: "{{ consul_user }}" + group: "{{ consul_group }}" + mode: "0600" + when: + - not agent_token_stat.stat.exists + - agent_token_output.stdout is defined + - "'SecretID' in agent_token_output.stdout" + no_log: true + +#################################### +# Service Token +#################################### + +- name: Check if service token exists on disk + ansible.builtin.stat: + path: "{{ consul_config_dir }}/service.token" + register: service_token_stat + +- name: Create service token + ansible.builtin.command: > + consul acl token create + -description "Service Token" + -policy-name service-policy + register: service_token_output + when: + - not service_token_stat.stat.exists + - "'Service Token' not in 
existing_tokens.stdout" + run_once: true + environment: *consul_env + no_log: true + +- name: Save service token + ansible.builtin.copy: + content: "{{ service_token_output.stdout | regex_search('SecretID:\\s+([a-fA-F0-9-]+)', '\\1') | first }}" + dest: "{{ consul_config_dir }}/service.token" + owner: "{{ consul_user }}" + group: "{{ consul_group }}" + mode: "0600" + when: + - not service_token_stat.stat.exists + - agent_token_output.stdout is defined + - "'SecretID' in service_token_output.stdout" + run_once: true + no_log: true + +#################################### +# Monitoring Token Logic +#################################### + +- name: Check if monitoring token exists on disk (Node 1) + ansible.builtin.stat: + path: "{{ consul_config_dir }}/prometheus.token" + register: prom_token_stat_node1 + run_once: true + delegate_to: "{{ ansible_play_hosts[0] }}" + +- name: Create Prometheus monitoring token if missing + ansible.builtin.command: > + consul acl token create + -description "Prometheus Metrics Token" + -policy-name monitoring-policy + register: prom_token_output + when: + - not prom_token_stat_node1.stat.exists + - "'Prometheus Metrics Token' not in existing_tokens.stdout" + run_once: true + environment: *consul_env + +- name: Slurp existing token if it was already on disk + ansible.builtin.slurp: + src: "{{ consul_config_dir }}/prometheus.token" + register: slurped_prom_token + when: prom_token_stat_node1.stat.exists + run_once: true + delegate_to: "{{ ansible_play_hosts[0] }}" + +- name: Set Prometheus token fact + ansible.builtin.set_fact: + consul_prometheus_token: >- + {{ + (prom_token_output.stdout | regex_search('SecretID:\s+([a-fA-F0-9-]+)', '\1') | first) + if (prom_token_output.changed) + else (slurped_prom_token.content | b64decode | trim) + }} + run_once: true + +- name: Ensure Prometheus token is on all nodes + ansible.builtin.copy: + content: "{{ hostvars[ansible_play_hosts[0]]['consul_prometheus_token'] }}" + dest: "{{ consul_config_dir 
}}/prometheus.token" + owner: "{{ consul_user }}" + group: "{{ consul_group }}" + mode: "0600" + become: true diff --git a/tasks/config.yml b/tasks/config.yml new file mode 100644 index 0000000..332fd44 --- /dev/null +++ b/tasks/config.yml @@ -0,0 +1,48 @@ +- name: Create Consul directories + ansible.builtin.file: + path: "{{ item }}" + state: directory + owner: "{{ consul_user }}" + group: "{{ consul_group }}" + mode: "0750" + loop: + - "{{ consul_data_dir }}" + - "{{ consul_config_dir }}" + +- name: Create TLS cert directory + ansible.builtin.file: + path: "{{ consul_config_dir }}/certs" + state: directory + owner: "{{ consul_user }}" + group: "{{ consul_group }}" + mode: "0750" + when: consul_tls_enabled + +- name: Copy TLS certificate + ansible.builtin.copy: + src: tls.crt + dest: "{{ consul_config_dir }}/certs/tls.crt" + owner: "{{ consul_user }}" + group: "{{ consul_group }}" + mode: "0644" + notify: Restart Consul + when: consul_tls_enabled + +- name: Copy TLS private key + ansible.builtin.copy: + src: tls.key + dest: "{{ consul_config_dir }}/certs/tls.key" + owner: "{{ consul_user }}" + group: "{{ consul_group }}" + mode: "0600" + notify: Restart Consul + when: consul_tls_enabled + +- name: Deploy Consul server configuration + ansible.builtin.template: + src: server.hcl.j2 + dest: "{{ consul_config_dir }}/server.hcl" + owner: "{{ consul_user }}" + group: "{{ consul_group }}" + mode: "0640" + notify: Restart Consul diff --git a/tasks/directories.yml b/tasks/directories.yml new file mode 100644 index 0000000..6478b0a --- /dev/null +++ b/tasks/directories.yml @@ -0,0 +1,10 @@ +- name: Create Consul directories + ansible.builtin.file: + path: "{{ item }}" + state: directory + owner: "{{ consul_user }}" + group: "{{ consul_group }}" + mode: "0750" + loop: + - "{{ consul_data_dir }}" + - "{{ consul_config_dir }}" diff --git a/tasks/install.yml b/tasks/install.yml new file mode 100644 index 0000000..8da5aeb --- /dev/null +++ b/tasks/install.yml 
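Review bot: `Create Prometheus monitoring token if missing` registers the CLI output containing the token's `SecretID` but, unlike the agent, service and application token tasks, has no `no_log: true`, so that secret will appear in verbose output and callback logs; add `no_log: true` to it and to `Set Prometheus token fact`. The `Save service token` task in this file still tests `agent_token_output.stdout is defined` instead of `service_token_output.stdout is defined`, so a service token created while `agent.token` already existed is never written to disk. Both are small, self-contained lines; the hunk is the whole file.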
@@ -0,0 +1,34 @@ +- name: Install required packages + ansible.builtin.apt: + name: + - unzip + - wget + - curl + state: present + update_cache: true + +- name: Create consul group + ansible.builtin.group: + name: "{{ consul_group }}" + system: true + +- name: Create consul user + ansible.builtin.user: + name: "{{ consul_user }}" + group: "{{ consul_group }}" + system: true + shell: /sbin/nologin + create_home: false + +- name: Download Consul binary + ansible.builtin.get_url: + url: "{{ consul_binary_url }}" + dest: "{{ consul_zip_path }}" + mode: "0644" + +- name: Unarchive Consul + ansible.builtin.unarchive: + src: "{{ consul_zip_path }}" + dest: "{{ consul_install_dir }}" + remote_src: true + mode: "0755" diff --git a/tasks/main.yml b/tasks/main.yml new file mode 100644 index 0000000..b1735b9 --- /dev/null +++ b/tasks/main.yml @@ -0,0 +1,20 @@ +--- +- name: Include installation tasks + ansible.builtin.include_tasks: install.yml + +- name: Include directory tasks + ansible.builtin.include_tasks: directories.yml + +- name: Include configuration tasks + ansible.builtin.include_tasks: config.yml + +- name: Include service tasks + ansible.builtin.include_tasks: service.yml + +- name: Include ACL tasks + ansible.builtin.include_tasks: acl.yml + when: consul_acl_enabled + +- name: Include RBAC tasks + ansible.builtin.include_tasks: rbac.yml + when: consul_acl_enabled diff --git a/tasks/rbac.yml b/tasks/rbac.yml new file mode 100644 index 0000000..c4550f4 --- /dev/null +++ b/tasks/rbac.yml 
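Review bot: `Download Consul binary` fetches `consul_binary_url` over the network with no `checksum:` and the archive is unpacked straight into `/usr/local/bin` with `remote_src: true`, so a tampered or truncated download is installed and started as the Consul agent without any integrity check. `get_url` can verify against HashiCorp's published sums file directly: `checksum: "sha256:https://releases.hashicorp.com/consul/{{ consul_version }}/consul_{{ consul_version }}_SHA256SUMS"`. A one-line comment noting that `consul_version` pins both the URL and the checksum file would make the intent clear.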
@@ -0,0 +1,77 @@ +--- +- name: Copy read policy file + ansible.builtin.copy: + src: read-policy.hcl + dest: /tmp/read-policy.hcl + mode: "0644" + +- name: Check existing policies + ansible.builtin.command: consul acl policy list + register: policy_list + changed_when: false + run_once: true + environment: &consul_env + CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:{{ consul_https_port }}" + CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" + CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt" + CONSUL_HTTP_SSL_VERIFY: "false" + +- name: Create read policy + ansible.builtin.command: > + consul acl policy create + -name read-policy + -rules @/tmp/read-policy.hcl + when: "'read-policy' not in policy_list.stdout" + run_once: true + environment: *consul_env + +- name: Check existing roles + ansible.builtin.command: consul acl role list + register: role_list + changed_when: false + run_once: true + environment: *consul_env + +- name: Create read role + ansible.builtin.command: > + consul acl role create + -name read-role + -policy-name read-policy + when: "'read-role' not in role_list.stdout" + run_once: true + environment: *consul_env + +# ------------------------------------------------ +# APPLICATION TOKEN (NO DUPLICATES) +# ------------------------------------------------ + +- name: Check if application token exists on disk + ansible.builtin.stat: + path: "{{ consul_config_dir }}/app.token" + register: app_token_stat + run_once: true + +- name: Create application token + ansible.builtin.command: > + consul acl token create + -description "App Read Token" + -role-name read-role + register: app_token_output + when: not app_token_stat.stat.exists + run_once: true + environment: *consul_env + no_log: true + +- name: Save application token + ansible.builtin.copy: + content: "{{ app_token_output.stdout | regex_search('SecretID:\\s+([a-fA-F0-9-]+)', '\\1') | first }}" + dest: "{{ consul_config_dir }}/app.token" + owner: "{{ consul_user }}" + group: "{{ consul_group }}" 
+ mode: "0600" + when: + - not app_token_stat.stat.exists + - app_token_output.stdout is defined + - "'SecretID' in app_token_output.stdout" + run_once: true + no_log: true diff --git a/tasks/service.yml b/tasks/service.yml new file mode 100644 index 0000000..0983725 --- /dev/null +++ b/tasks/service.yml @@ -0,0 +1,14 @@ +- name: Deploy systemd service + ansible.builtin.template: + src: consul.service.j2 + dest: /etc/systemd/system/consul.service + mode: "0644" + notify: + - Reload systemd + - Restart Consul + +- name: Enable and start Consul + ansible.builtin.systemd: + name: consul + enabled: true + state: started diff --git a/templates/consul.service.j2 b/templates/consul.service.j2 new file mode 100644 index 0000000..281d3cc --- /dev/null +++ b/templates/consul.service.j2 @@ -0,0 +1,16 @@ +[Unit] +Description=Consul Agent +Requires=network-online.target +After=network-online.target + +[Service] +User={{ consul_user }} +Group={{ consul_group }} +ExecStart={{ consul_install_dir }}/consul agent -config-dir={{ consul_config_dir }} +ExecReload=/bin/kill -HUP $MAINPID +KillSignal=SIGINT +Restart=on-failure +LimitNOFILE=65536 + +[Install] +WantedBy=multi-user.target diff --git a/templates/policies/agent-policy.hcl.j2 b/templates/policies/agent-policy.hcl.j2 new file mode 100644 index 0000000..6ad8420 --- /dev/null +++ b/templates/policies/agent-policy.hcl.j2 @@ -0,0 +1,11 @@ +node_prefix "" { + policy = "write" +} + +service_prefix "" { + policy = "read" +} + +agent_prefix "" { + policy = "write" +} diff --git a/templates/policies/monitoring-policy.hcl.j2 b/templates/policies/monitoring-policy.hcl.j2 new file mode 100644 index 0000000..d96bc6d --- /dev/null +++ b/templates/policies/monitoring-policy.hcl.j2 @@ -0,0 +1,9 @@ +agent_prefix "" { + policy = "read" +} +node_prefix "" { + policy = "read" +} +service_prefix "" { + policy = "read" +} 
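Review bot: rbac.yml still hard-codes `CONSUL_HTTP_SSL_VERIFY: "false"` in its `&consul_env` anchor, while acl_tokens.yml in the same commit derives the value from `consul_tls_verify`, so the two files disagree on whether the server certificate is checked when the management token is presented. Use the same expression here, `CONSUL_HTTP_SSL_VERIFY: "{{ consul_tls_verify | ternary('true','false') }}"`, and add `changed_when: false` to `Check existing roles` to match `Check existing policies`.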
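Review bot: agent-policy.hcl.j2 grants `node_prefix "" { policy = "write" }` and `agent_prefix "" { policy = "write" }`, and acl_tokens.yml mints one shared agent token from it for every node, so compromise of any single agent yields write access to every node entry and agent endpoint in the datacenter. The file is a Jinja template with `consul_node_name` in scope, so a per-node scope such as `node "{{ consul_node_name }}" { policy = "write" }` is possible, though it would require creating and saving one token per host rather than a single run_once token — a trade-off worth recording in a comment at the top of the template if the broad grant is deliberate.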
diff --git a/templates/policies/readonly-policy.hcl.j2 b/templates/policies/readonly-policy.hcl.j2 new file mode 100644 index 0000000..09b4b13 --- /dev/null +++ b/templates/policies/readonly-policy.hcl.j2 @@ -0,0 +1,11 @@ +node_prefix "" { + policy = "read" +} + +service_prefix "" { + policy = "read" +} + +key_prefix "" { + policy = "read" +} diff --git a/templates/policies/service-policy.hcl.j2 b/templates/policies/service-policy.hcl.j2 new file mode 100644 index 0000000..47bd12c --- /dev/null +++ b/templates/policies/service-policy.hcl.j2 @@ -0,0 +1,7 @@ +service_prefix "" { + policy = "write" +} + +node_prefix "" { + policy = "read" +} diff --git a/templates/prometheus-consul.yml.j2 b/templates/prometheus-consul.yml.j2 new file mode 100644 index 0000000..842060e --- /dev/null +++ b/templates/prometheus-consul.yml.j2 @@ -0,0 +1,27 @@ +# Prometheus scrape configuration for Consul Cluster +scrape_configs: + - job_name: 'consul-cluster' + scheme: https + metrics_path: '/v1/agent/metrics' + params: + format: ['prometheus'] + tls_config: + insecure_skip_verify: true + # This matches your Envoy DNS name + server_name: "consul.opstree.dev" + + # This pulls the token that was generated in your acl_tokens.yml task + bearer_token: "{{ consul_prometheus_token }}" + + static_configs: + - targets: +{% for host in play_hosts %} + - "{{ hostvars[host]['ansible_host'] }}:8501" +{% endfor %} + + # This cleans up the labels in Prometheus so you see the IP instead of IP:8501 + relabel_configs: + - source_labels: [__address__] + target_label: instance + regex: '([^:]+)(?::\d+)?' + replacement: '${1}' diff --git a/templates/server.hcl.j2 b/templates/server.hcl.j2 new file mode 100644 index 0000000..a95344b --- /dev/null +++ b/templates/server.hcl.j2 
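Review bot: prometheus-consul.yml.j2 sets `insecure_skip_verify: true` and hard-codes `server_name: "consul.opstree.dev"` and port `8501`, so the scrape config neither authenticates the Consul endpoint nor follows the `consul_tls_server_name` / `consul_https_port` variables the rest of the role uses. Since the bearer token carries read access to every node and service, I would render `insecure_skip_verify: {{ (not consul_tls_verify) | lower }}`, `server_name: "{{ consul_tls_server_name }}"` and `:{{ consul_https_port }}` in the target list, and point `ca_file` at the CA that signs the Consul certificate. The existing "matches your Envoy DNS name" comment should then name the variable instead of a literal.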
@@ -0,0 +1,53 @@ +node_name = "{{ consul_node_name }}" +bind_addr = "{{ consul_bind_addr }}" +client_addr = "{{ consul_client_addr }}" +data_dir = "{{ consul_data_dir }}" + +encrypt = "{{ consul_gossip_key }}" + +server = {{ consul_is_server | lower }} +bootstrap_expect = {{ consul_bootstrap_expect }} + +ui_config { + enabled = {{ consul_enable_ui | lower }} +} + +retry_join = [ +{% for host in play_hosts %} + "{{ hostvars[host]['ansible_host'] | default(host) }}"{% if not loop.last %},{% endif %} +{% endfor %} +] + +telemetry { + prometheus_retention_time = "{{ consul_prometheus_retention }}" + disable_hostname = true +} + +acl { + enabled = {{ consul_acl_enabled | lower }} + default_policy = "{{ consul_acl_default_policy }}" + enable_token_persistence = {{ consul_acl_token_persistence | lower }} + +{% if consul_agent_token is defined and consul_agent_token != "" %} + tokens { + agent = "{{ consul_agent_token }}" + } +{% endif %} +} + +ports { + http = -1 + https = 8501 +} + +tls { + defaults { + + ca_file = "{{ consul_config_dir }}/certs/tls.crt" + cert_file = "{{ consul_config_dir }}/certs/tls.crt" + key_file = "{{ consul_config_dir }}/certs/tls.key" + + verify_incoming = false + verify_outgoing = false + } +} diff --git a/tests/test.yml b/tests/test.yml new file mode 100644 index 0000000..eca63c9 --- /dev/null +++ b/tests/test.yml @@ -0,0 +1,6 @@ +- name: Deploy Consul Cluster + hosts: all + become: true + roles: + - consul-role + diff --git a/vars/main.yml b/vars/main.yml new file mode 100644 index 0000000..aecd177 --- /dev/null +++ b/vars/main.yml 
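Review bot: The `tls { defaults { ... } }` block sets `verify_incoming = false` and `verify_outgoing = false` and omits `verify_server_hostname`, so server-to-server RPC runs TLS without authenticating either side and the cert/key pair provides no protection against an impersonating peer; for a server config the expected setting is `verify_incoming = true`, `verify_outgoing = true`, `verify_server_hostname = true` with `ca_file` pointing at a real CA rather than the leaf certificate itself. The block is also emitted unconditionally while config.yml only copies `tls.crt`/`tls.key` when `consul_tls_enabled` (default `false`), so with role defaults the agent is pointed at files that were never installed — either wrap the block in `{% if consul_tls_enabled %}` or drop the flag. `https = 8501` should be `{{ consul_https_port }}` to match the tasks that talk to it.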
@@ -0,0 +1,34 @@ +--- +# vars file for consul + + +# Installation variables +consul_binary_url: "https://releases.hashicorp.com/consul/{{ consul_version }}/consul_{{ consul_version }}_linux_amd64.zip" +consul_zip_path: "/tmp/consul_{{ consul_version }}.zip" + + +# Sensitive Keys +consul_master_token: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 64363638396462636134353637383865643931373664373034623536366134623235306438356164 + 3665393634643363396437333436363936303835343166650a343639663665373161376433613932 + 62343336303839303038376437393965396165633039636339326363396530636564313630326265 + 3134613636396265300a633636396164363365353066633964306534316163303264623764643532 + 39323234346661383638313135346537613530333537636461343631653639663232373632646665 + 3634393638313962393166316439633230643331383665623634 + + +consul_gossip_key: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 63666262323562663362346564363332353364663338396337333031616437373863316130613631 + 3966663365653036316364323537386530643666653564370a653438393136666436396230326464 + 39393738346630353432623434353063666161653832346438343566366664303464353334306532 + 3937633962373832620a353432336365323433306165633264363638353235643666633564393761 + 61353532316133616630396362333265316132333038323639396139333761326537636330346334 + 3336343330373533333435306264313430313662346364643637 + + + +# # Divya's Keycloak Details for POC +# poc_service_name: "keycloak" +# poc_service_port: 8080 From 8913df8aa9ad8c04fed8ac8d0935fdb513285ee1 Mon Sep 17 00:00:00 2001 
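Review bot: Defining a vaulted `consul_master_token` in role `vars/main.yml` means the variable is always defined and non-empty, so the `Bootstrap ACL` task in acl.yml (`when: consul_master_token is not defined or consul_master_token == ""`) can never run and the role assumes the cluster already honours this pre-shared token — yet server.hcl.j2 never configures it as an initial management token, so on a fresh cluster every ACL task would be rejected; please confirm which flow is intended. Role vars also sit high in Ansible's precedence, so an inventory or group_vars override is silently ignored. I would move both vault blobs to inventory-level vars (group_vars with vault) and leave `consul_master_token` unset here so the bootstrap path in acl.yml is reachable.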
From: anitha Date: Fri, 20 Mar 2026 00:07:57 +0530 Subject: [PATCH 318/412] deleting the consul-role --- consul-role/README.md | 308 ------------------ consul-role/defaults/main.yml | 42 --- consul-role/files/read-policy.hcl | 8 - consul-role/handlers/main.yml | 8 - consul-role/meta/main.yml | 34 -- consul-role/tasks/acl.yml | 75 ----- consul-role/tasks/acl_policies.yml | 50 --- consul-role/tasks/acl_tokens.yml | 133 -------- consul-role/tasks/config.yml | 48 --- consul-role/tasks/directories.yml | 10 - consul-role/tasks/install.yml | 34 -- consul-role/tasks/main.yml | 20 -- consul-role/tasks/rbac.yml | 77 ----- consul-role/tasks/service.yml | 14 - consul-role/templates/consul.service.j2 | 16 - .../templates/policies/agent-policy.hcl.j2 | 11 - .../policies/monitoring-policy.hcl.j2 | 9 - .../templates/policies/readonly-policy.hcl.j2 | 11 - .../templates/policies/service-policy.hcl.j2 | 7 - .../templates/prometheus-consul.yml.j2 | 27 -- consul-role/templates/server.hcl.j2 | 53 --- consul-role/tests/test.yml | 6 - consul-role/vars/main.yml | 34 -- 23 files changed, 1035 deletions(-) delete mode 100644 consul-role/README.md delete mode 100644 consul-role/defaults/main.yml delete mode 100644 consul-role/files/read-policy.hcl delete mode 100644 consul-role/handlers/main.yml delete mode 100644 consul-role/meta/main.yml delete mode 100644 consul-role/tasks/acl.yml delete mode 100644 consul-role/tasks/acl_policies.yml delete mode 100644 consul-role/tasks/acl_tokens.yml delete mode 100644 consul-role/tasks/config.yml delete mode 100644 consul-role/tasks/directories.yml delete mode 100644 consul-role/tasks/install.yml delete mode 100644 consul-role/tasks/main.yml delete mode 100644 consul-role/tasks/rbac.yml delete mode 100644 consul-role/tasks/service.yml delete mode 100644 consul-role/templates/consul.service.j2 delete mode 100644 consul-role/templates/policies/agent-policy.hcl.j2 delete mode 100644 consul-role/templates/policies/monitoring-policy.hcl.j2 delete mode 100644 
consul-role/templates/policies/readonly-policy.hcl.j2 delete mode 100644 consul-role/templates/policies/service-policy.hcl.j2 delete mode 100644 consul-role/templates/prometheus-consul.yml.j2 delete mode 100644 consul-role/templates/server.hcl.j2 delete mode 100644 consul-role/tests/test.yml delete mode 100644 consul-role/vars/main.yml diff --git a/consul-role/README.md b/consul-role/README.md deleted file mode 100644 index 1090d95..0000000 --- a/consul-role/README.md +++ /dev/null 
@@ -1,308 +0,0 @@ -# HashiCorp Consul Ansible Role - -## Table of Contents - -1. [Overview](#1-overview) -2. [Supported Operating Systems](#2-supported-operating-systems) -3. [Prerequisites & Known Limitations](#3-prerequisites--known-limitations) -4. [Architecture & Core Components](#4-architecture--core-components) -5. [Configuration Overview](#5-configuration-overview) -6. [Installation Flow](#6-installation-flow) -7. [Running Consul](#7-running-consul) -8. [Validation & Testing](#8-validation--testing) -9. [Best Practices Followed](#9-best-practices-followed) -10. [Troubleshooting](#10-troubleshooting) -11. [Conclusion](#11-conclusion) -12. [References](#12-references) -13. [Author](#13-author) - -## 1. Overview - -**HashiCorp Consul** is a service networking platform that enables: - -- Service Discovery -- Service Mesh -- Health Checking -- Key-Value Storage -- Secure Service-to-Service Communication - -It is widely used in distributed systems and microservices architectures to provide dynamic infrastructure management. - -### Problems Consul Solves - -- How do services find each other? -- How do we secure service communication? -- How do we monitor service health? -- How do we manage configuration centrally? - -### Supported Environments - -Consul works across: - -- Virtual Machines -- Kubernetes -- Hybrid environments -- Multi-cloud deployments - ---- - -## 2. Supported Operating Systems - -Consul supports multiple operating systems: - -### Linux -- Ubuntu -- Debian -- RHEL -- CentOS -- Amazon Linux - -### Other Platforms -- Windows -- macOS -- Kubernetes environments -- Cloud platforms: - - AWS - - Azure - - GCP - -> Consul is written in **Go** and distributed as a single binary. - ---- - -## 3. 
Prerequisites & Known Limitations - -### Prerequisites - -- Network connectivity between cluster nodes -- Minimum **3 nodes** for production cluster (recommended) -- Proper firewall configuration (ports **8300–8600**) -- Stable DNS or IP addressing -- TLS certificates (for secure production environments) - -### Known Limitations - -- Requires quorum for leader election -- Performance depends on cluster size and network latency -- Misconfigured ACLs can block cluster operations -- Not a replacement for full configuration management tools - ---- - -## 4. Architecture & Core Components - -Consul architecture consists of the following components: - -### 4.1 Servers - -- Maintain cluster state -- Participate in **Raft consensus** -- Handle leader election - -### 4.2 Clients (Agents) - -- Run on application nodes -- Register services -- Perform health checks - -### 4.3 Datacenter - -- Logical grouping of nodes in a specific environment - -### 4.4 Gossip Protocol - -- Used for node membership -- Handles failure detection - -### 4.5 Raft Consensus - -- Provides strong consistency -- Manages leader election among servers - -### 4.6 Key-Value Store - -- Stores configuration data centrally -- Used for dynamic application configuration - -### 4.7 Service Mesh (Connect) - -- Provides secure service-to-service communication -- Uses **mTLS (Mutual TLS)** -- Enables zero-trust networking between services - ---- - -## 5. 
Configuration Overview - -Consul can be configured using: - -- HCL files -- JSON configuration files -- Command-line flags -- Environment variables - -### Important Configuration Parameters - -| Parameter | Description | -|-------------------|------------| -| `node_name` | Unique node identifier | -| `bind_addr` | Address to bind Consul to | -| `data_dir` | Directory for Consul data | -| `server` | Defines server or client mode (`true/false`) | -| `bootstrap_expect` | Number of servers expected for cluster formation | -| `retry_join` | List of nodes to join cluster | -| `acl` | Enables Access Control Lists | -| `ui_config` | UI configuration settings | - -### ACL Configuration Includes - -- Enable/Disable ACLs -- Default policies -- Token management -- Token persistence - ---- - -## 6. Installation Flow -### Step 1: Download Binary -``` -wget https://releases.hashicorp.com/consul//consul__linux_amd64.zip -``` - -### Step 2: Unzip -``` -unzip consul__linux_amd64.zip -``` - -### Step 3: Move Binary -``` -sudo mv consul /usr/local/bin/ -``` - -### Step 4: Verify Installation -``` -consul --version -``` - -# 7. Running Consul -## Start a Single Server (Development Mode) -``` -consul agent -dev -``` - -## Start Server Node -``` -consul agent -server -bootstrap-expect=3 \ - -node=node1 \ - -bind= \ - -data-dir=/var/lib/consul \ - -config-dir=/etc/consul.d -``` -## Start Client Node -``` -consul agent \ - -node=client1 \ - -bind= \ - -data-dir=/var/lib/consul \ - -config-dir=/etc/consul.d -``` - -# 8. Validation & Testing -## Check Cluster Members -``` -consul members -``` -## Check Leader -``` -consul operator raft list-peers -``` -## Check Services -``` -consul catalog services -``` -## Access UI - -Default UI URL: - -``` -http://:8500 -``` - -# 9. 
Best Practices Followed - -- Always use minimum 3 server nodes - -- Enable ACLs in production - -- Use TLS encryption - -- Avoid running in -dev mode in production - -- Monitor health checks continuously - -- Secure gossip communication - -- Use proper token management - -# 10. Troubleshooting -## Consul Not Starting - -- Check systemd logs - -``` -journalctl -u consul -``` -## No Leader Elected - -- Ensure minimum quorum - -- Verify bootstrap_expect value - -- Check network connectivity - -## ACL Errors - -- Verify bootstrap token - -- Ensure token persistence is enabled - -- Check default policy - -## Node Not Joining - -- Verify retry_join - -- Check firewall ports - -- Validate bind address - -# 11. Conclusion - -HashiCorp Consul is a powerful service networking solution designed for modern distributed systems. - -It provides: - -- Reliable service discovery - -- Secure service communication - -- Centralized configuration - -- High availability clustering - -Consul simplifies infrastructure complexity and enables scalable microservices architecture. - -# 12. References - - -| Purpose | Link | -|---------|------| -| Consul Official Documentation | https://developer.hashicorp.com/consul/docs | -| Consul Installation Guide | https://developer.hashicorp.com/consul/docs/install | -| Consul ACL Documentation | https://developer.hashicorp.com/consul/docs/security/acl | -| Consul Service Mesh Guide | https://developer.hashicorp.com/consul/docs/connect | - -# 13. Author - -**Author**: Annem Anitha -**Last Updated:** 25-Feb-2026 diff --git a/consul-role/defaults/main.yml b/consul-role/defaults/main.yml deleted file mode 100644 index 94631a7..0000000 --- a/consul-role/defaults/main.yml +++ /dev/null 
@@ -1,42 +0,0 @@ ---- -# defaults file for consul -consul_version: "1.17.0" -consul_user: "consul" -consul_group: "consul" - -consul_install_dir: "/usr/local/bin" -consul_data_dir: "/var/lib/consul" -consul_config_dir: "/etc/consul.d" - -consul_node_name: "{{ inventory_hostname }}" -consul_bind_addr: "{{ ansible_host }}" - -consul_is_server: true -consul_bootstrap_expect: "{{ play_hosts | length }}" - -consul_enable_ui: true - -# Ports -consul_http_port: 8500 -consul_https_port: 8501 -consul_use_tls: true - -# TLS -consul_tls_server_name: "opstree.dev" -consul_tls_verify: false -consul_tls_enabled: false - -# ACL -consul_acl_enabled: true -consul_acl_default_policy: "deny" -consul_acl_token_persistence: false -consul_agent_token: "" - -consul_client_addr: "0.0.0.0" - -# Gossip Encryption -consul_gossip_key: "" - -# Monitoring -consul_telemetry_enabled: true -consul_prometheus_retention: "60s" diff --git a/consul-role/files/read-policy.hcl b/consul-role/files/read-policy.hcl deleted file mode 100644 index f3e1480..0000000 --- a/consul-role/files/read-policy.hcl +++ /dev/null @@ -1,8 +0,0 @@ -# Allow DNS to find nodes and services -node_prefix "" { - policy = "read" -} - -service_prefix "" { - policy = "write" -} diff --git a/consul-role/handlers/main.yml b/consul-role/handlers/main.yml deleted file mode 100644 index b37f139..0000000 --- a/consul-role/handlers/main.yml +++ /dev/null @@ -1,8 +0,0 @@ ---- -# handlers file for consul - -- name: Restart Consul - ansible.builtin.systemd: - name: consul - state: restarted - daemon_reload: true diff --git a/consul-role/meta/main.yml b/consul-role/meta/main.yml deleted file mode 100644 index ea68190..0000000 --- a/consul-role/meta/main.yml +++ /dev/null 
@@ -1,34 +0,0 @@ -galaxy_info: - author: your name - description: your role description - company: your company (optional) - - # If the issue tracker for your role is not on github, uncomment the - # next line and provide a value - # issue_tracker_url: http://example.com/issue/tracker - - # Choose a valid license ID from https://spdx.org - some suggested licenses: - # - BSD-3-Clause (default) - # - MIT - # - GPL-2.0-or-later - # - GPL-3.0-only - # - Apache-2.0 - # - CC-BY-4.0 - license: license (GPL-2.0-or-later, MIT, etc) - - min_ansible_version: 2.1 - - # If this a Container Enabled role, provide the minimum Ansible Container version. - # min_ansible_container_version: - - galaxy_tags: [] - # List tags for your role here, one per line. A tag is a keyword that describes - # and categorizes the role. Users find roles by searching for tags. Be sure to - # remove the '[]' above, if you add tags to this list. - # - # NOTE: A tag is limited to a single word comprised of alphanumeric characters. - # Maximum 20 tags per role. - -dependencies: [] - # List your role dependencies here, one per line. Be sure to remove the '[]' above, - # if you add dependencies to this list. diff --git a/consul-role/tasks/acl.yml b/consul-role/tasks/acl.yml deleted file mode 100644 index 9848c78..0000000 --- a/consul-role/tasks/acl.yml +++ /dev/null 
@@ -1,75 +0,0 @@ ---- -- name: Wait for Consul HTTPs API - ansible.builtin.wait_for: - host: "{{ consul_bind_addr }}" - port: "{{ consul_https_port }}" - delay: 15 - timeout: 120 - -# Check bootstrap token -- name: Check for existing bootstrap token file - ansible.builtin.stat: - path: "{{ consul_config_dir }}/bootstrap.token" - register: token_file_on_disk - -- name: Load existing token from disk - ansible.builtin.slurp: - src: "{{ consul_config_dir }}/bootstrap.token" - register: slurped_token - become: true - when: - - token_file_on_disk.stat.exists - - token_file_on_disk.stat.size > 0 - -- name: Set master token fact from file - ansible.builtin.set_fact: - consul_master_token: "{{ slurped_token.content | b64decode | trim }}" - when: - - token_file_on_disk.stat.exists - - slurped_token.content is defined - -# Bootstrap ACL -- name: Bootstrap ACL - ansible.builtin.command: consul acl bootstrap -format=json - register: consul_bootstrap - run_once: true - failed_when: false - when: consul_master_token is not defined or consul_master_token == "" - environment: - CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:{{ consul_https_port }}" - - -- name: Extract new token from bootstrap output - ansible.builtin.set_fact: - consul_master_token: "{{ (consul_bootstrap.stdout | from_json).SecretID }}" - run_once: true - when: - - consul_bootstrap.changed - - consul_bootstrap.stdout | length > 0 - - "'SecretID' in consul_bootstrap.stdout" - -# Share token to all hosts -- name: Propagate token to all hosts - ansible.builtin.set_fact: - consul_master_token: "{{ hostvars[ansible_play_hosts[0]]['consul_master_token'] }}" - when: consul_master_token is not defined or consul_master_token == "" - -# Save token -- name: Save bootstrap token to file - ansible.builtin.copy: - content: "{{ consul_master_token }}" - dest: "{{ consul_config_dir }}/bootstrap.token" - owner: "{{ consul_user }}" - group: "{{ consul_group }}" - mode: "0600" - become: true - when: - - consul_master_token is 
defined - - consul_master_token != "" - -# Next tasks -- name: Include ACL policies - ansible.builtin.include_tasks: acl_policies.yml - -- name: Include ACL tokens - ansible.builtin.include_tasks: acl_tokens.yml diff --git a/consul-role/tasks/acl_policies.yml b/consul-role/tasks/acl_policies.yml deleted file mode 100644 index 1d0f8d4..0000000 --- a/consul-role/tasks/acl_policies.yml +++ /dev/null 
@@ -1,50 +0,0 @@ ---- -- name: List existing policies via Envoy TLS - ansible.builtin.command: consul acl policy list - register: existing_policies - run_once: true - become: true - environment: - CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:{{ consul_https_port }}" - CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" - CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt" - CONSUL_CLIENT_CERT: "{{ consul_config_dir }}/certs/tls.crt" - CONSUL_CLIENT_KEY: "{{ consul_config_dir }}/certs/tls.key" - CONSUL_TLS_SERVER_NAME: "{{ consul_tls_server_name }}" - CONSUL_HTTP_SSL_VERIFY: "{{ consul_tls_verify | ternary('true','false') }}" - when: consul_tls_enabled - -- name: Copy policy files - ansible.builtin.template: - src: "policies/{{ item }}.hcl.j2" - dest: "/tmp/{{ item }}.hcl" - mode: "0644" - loop: - - agent-policy - - service-policy - - readonly-policy - - monitoring-policy - -- name: Create Consul policies - ansible.builtin.command: > - consul acl policy create - -name {{ item }} - -rules @/tmp/{{ item }}.hcl - loop: - - agent-policy - - service-policy - - readonly-policy - - monitoring-policy - when: - - consul_tls_enabled - - item not in existing_policies.stdout - run_once: true - become: true - environment: - CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:{{ consul_https_port }}" - CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" - CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt" - CONSUL_CLIENT_CERT: "{{ consul_config_dir }}/certs/tls.crt" - CONSUL_CLIENT_KEY: "{{ consul_config_dir }}/certs/tls.key" - CONSUL_TLS_SERVER_NAME: "{{ consul_tls_server_name }}" - CONSUL_HTTP_SSL_VERIFY: "{{ consul_tls_verify | ternary('true','false') }}" diff --git a/consul-role/tasks/acl_tokens.yml b/consul-role/tasks/acl_tokens.yml deleted file mode 100644 index e161deb..0000000 --- a/consul-role/tasks/acl_tokens.yml +++ /dev/null 
@@ -1,133 +0,0 @@ ---- -# Check existing tokens -- name: Check existing tokens in consul - ansible.builtin.command: consul acl token list - register: existing_tokens - changed_when: false - run_once: true - environment: &consul_env - CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:{{ consul_https_port }}" - CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" - CONSUL_HTTP_SSL_VERIFY: "{{ consul_tls_verify | ternary('true','false') }}" - CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt" - -#################################### -# Agent Token -#################################### - -- name: Check if agent token exists on disk - ansible.builtin.stat: - path: "{{ consul_config_dir }}/agent.token" - register: agent_token_stat - -- name: Create agent token - ansible.builtin.command: > - consul acl token create - -description "Agent Token" - -policy-name agent-policy - register: agent_token_output - when: - - not agent_token_stat.stat.exists - - "'Agent Token' not in existing_tokens.stdout" - run_once: true - environment: *consul_env - no_log: true - -- name: Save agent token - ansible.builtin.copy: - content: "{{ agent_token_output.stdout | regex_search('SecretID:\\s+([a-fA-F0-9-]+)', '\\1') | first }}" - dest: "{{ consul_config_dir }}/agent.token" - owner: "{{ consul_user }}" - group: "{{ consul_group }}" - mode: "0600" - when: - - not agent_token_stat.stat.exists - - agent_token_output.stdout is defined - - "'SecretID' in agent_token_output.stdout" - no_log: true - -#################################### -# Service Token -#################################### - -- name: Check if service token exists on disk - ansible.builtin.stat: - path: "{{ consul_config_dir }}/service.token" - register: service_token_stat - -- name: Create service token - ansible.builtin.command: > - consul acl token create - -description "Service Token" - -policy-name service-policy - register: service_token_output - when: - - not service_token_stat.stat.exists - - "'Service Token' not in 
existing_tokens.stdout" - run_once: true - environment: *consul_env - no_log: true - -- name: Save service token - ansible.builtin.copy: - content: "{{ service_token_output.stdout | regex_search('SecretID:\\s+([a-fA-F0-9-]+)', '\\1') | first }}" - dest: "{{ consul_config_dir }}/service.token" - owner: "{{ consul_user }}" - group: "{{ consul_group }}" - mode: "0600" - when: - - not service_token_stat.stat.exists - - agent_token_output.stdout is defined - - "'SecretID' in service_token_output.stdout" - run_once: true - no_log: true - -#################################### -# Monitoring Token Logic -#################################### - -- name: Check if monitoring token exists on disk (Node 1) - ansible.builtin.stat: - path: "{{ consul_config_dir }}/prometheus.token" - register: prom_token_stat_node1 - run_once: true - delegate_to: "{{ ansible_play_hosts[0] }}" - -- name: Create Prometheus monitoring token if missing - ansible.builtin.command: > - consul acl token create - -description "Prometheus Metrics Token" - -policy-name monitoring-policy - register: prom_token_output - when: - - not prom_token_stat_node1.stat.exists - - "'Prometheus Metrics Token' not in existing_tokens.stdout" - run_once: true - environment: *consul_env - -- name: Slurp existing token if it was already on disk - ansible.builtin.slurp: - src: "{{ consul_config_dir }}/prometheus.token" - register: slurped_prom_token - when: prom_token_stat_node1.stat.exists - run_once: true - delegate_to: "{{ ansible_play_hosts[0] }}" - -- name: Set Prometheus token fact - ansible.builtin.set_fact: - consul_prometheus_token: >- - {{ - (prom_token_output.stdout | regex_search('SecretID:\s+([a-fA-F0-9-]+)', '\1') | first) - if (prom_token_output.changed) - else (slurped_prom_token.content | b64decode | trim) - }} - run_once: true - -- name: Ensure Prometheus token is on all nodes - ansible.builtin.copy: - content: "{{ hostvars[ansible_play_hosts[0]]['consul_prometheus_token'] }}" - dest: "{{ consul_config_dir 
}}/prometheus.token" - owner: "{{ consul_user }}" - group: "{{ consul_group }}" - mode: "0600" - become: true diff --git a/consul-role/tasks/config.yml b/consul-role/tasks/config.yml deleted file mode 100644 index 332fd44..0000000 --- a/consul-role/tasks/config.yml +++ /dev/null @@ -1,48 +0,0 @@ -- name: Create Consul directories - ansible.builtin.file: - path: "{{ item }}" - state: directory - owner: "{{ consul_user }}" - group: "{{ consul_group }}" - mode: "0750" - loop: - - "{{ consul_data_dir }}" - - "{{ consul_config_dir }}" - -- name: Create TLS cert directory - ansible.builtin.file: - path: "{{ consul_config_dir }}/certs" - state: directory - owner: "{{ consul_user }}" - group: "{{ consul_group }}" - mode: "0750" - when: consul_tls_enabled - -- name: Copy TLS certificate - ansible.builtin.copy: - src: tls.crt - dest: "{{ consul_config_dir }}/certs/tls.crt" - owner: "{{ consul_user }}" - group: "{{ consul_group }}" - mode: "0644" - notify: Restart Consul - when: consul_tls_enabled - -- name: Copy TLS private key - ansible.builtin.copy: - src: tls.key - dest: "{{ consul_config_dir }}/certs/tls.key" - owner: "{{ consul_user }}" - group: "{{ consul_group }}" - mode: "0600" - notify: Restart Consul - when: consul_tls_enabled - -- name: Deploy Consul server configuration - ansible.builtin.template: - src: server.hcl.j2 - dest: "{{ consul_config_dir }}/server.hcl" - owner: "{{ consul_user }}" - group: "{{ consul_group }}" - mode: "0640" - notify: Restart Consul diff --git a/consul-role/tasks/directories.yml b/consul-role/tasks/directories.yml deleted file mode 100644 index 6478b0a..0000000 --- a/consul-role/tasks/directories.yml +++ /dev/null @@ -1,10 +0,0 @@ -- name: Create Consul directories - ansible.builtin.file: - path: "{{ item }}" - state: directory - owner: "{{ consul_user }}" - group: "{{ consul_group }}" - mode: "0750" - loop: - - "{{ consul_data_dir }}" - - "{{ consul_config_dir }}" 
diff --git a/consul-role/tasks/install.yml b/consul-role/tasks/install.yml deleted file mode 100644 index 8da5aeb..0000000 --- a/consul-role/tasks/install.yml +++ /dev/null @@ -1,34 +0,0 @@ -- name: Install required packages - ansible.builtin.apt: - name: - - unzip - - wget - - curl - state: present - update_cache: true - -- name: Create consul group - ansible.builtin.group: - name: "{{ consul_group }}" - system: true - -- name: Create consul user - ansible.builtin.user: - name: "{{ consul_user }}" - group: "{{ consul_group }}" - system: true - shell: /sbin/nologin - create_home: false - -- name: Download Consul binary - ansible.builtin.get_url: - url: "{{ consul_binary_url }}" - dest: "{{ consul_zip_path }}" - mode: "0644" - -- name: Unarchive Consul - ansible.builtin.unarchive: - src: "{{ consul_zip_path }}" - dest: "{{ consul_install_dir }}" - remote_src: true - mode: "0755" diff --git a/consul-role/tasks/main.yml b/consul-role/tasks/main.yml deleted file mode 100644 index b1735b9..0000000 --- a/consul-role/tasks/main.yml +++ /dev/null @@ -1,20 +0,0 @@ ---- -- name: Include installation tasks - ansible.builtin.include_tasks: install.yml - -- name: Include directory tasks - ansible.builtin.include_tasks: directories.yml - -- name: Include configuration tasks - ansible.builtin.include_tasks: config.yml - -- name: Include service tasks - ansible.builtin.include_tasks: service.yml - -- name: Include ACL tasks - ansible.builtin.include_tasks: acl.yml - when: consul_acl_enabled - -- name: Include RBAC tasks - ansible.builtin.include_tasks: rbac.yml - when: consul_acl_enabled diff --git a/consul-role/tasks/rbac.yml b/consul-role/tasks/rbac.yml deleted file mode 100644 index c4550f4..0000000 --- a/consul-role/tasks/rbac.yml +++ /dev/null 
@@ -1,77 +0,0 @@ ---- -- name: Copy read policy file - ansible.builtin.copy: - src: read-policy.hcl - dest: /tmp/read-policy.hcl - mode: "0644" - -- name: Check existing policies - ansible.builtin.command: consul acl policy list - register: policy_list - changed_when: false - run_once: true - environment: &consul_env - CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:{{ consul_https_port }}" - CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" - CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt" - CONSUL_HTTP_SSL_VERIFY: "false" - -- name: Create read policy - ansible.builtin.command: > - consul acl policy create - -name read-policy - -rules @/tmp/read-policy.hcl - when: "'read-policy' not in policy_list.stdout" - run_once: true - environment: *consul_env - -- name: Check existing roles - ansible.builtin.command: consul acl role list - register: role_list - changed_when: false - run_once: true - environment: *consul_env - -- name: Create read role - ansible.builtin.command: > - consul acl role create - -name read-role - -policy-name read-policy - when: "'read-role' not in role_list.stdout" - run_once: true - environment: *consul_env - -# ------------------------------------------------ -# APPLICATION TOKEN (NO DUPLICATES) -# ------------------------------------------------ - -- name: Check if application token exists on disk - ansible.builtin.stat: - path: "{{ consul_config_dir }}/app.token" - register: app_token_stat - run_once: true - -- name: Create application token - ansible.builtin.command: > - consul acl token create - -description "App Read Token" - -role-name read-role - register: app_token_output - when: not app_token_stat.stat.exists - run_once: true - environment: *consul_env - no_log: true - -- name: Save application token - ansible.builtin.copy: - content: "{{ app_token_output.stdout | regex_search('SecretID:\\s+([a-fA-F0-9-]+)', '\\1') | first }}" - dest: "{{ consul_config_dir }}/app.token" - owner: "{{ consul_user }}" - group: "{{ consul_group }}" 
- mode: "0600" - when: - - not app_token_stat.stat.exists - - app_token_output.stdout is defined - - "'SecretID' in app_token_output.stdout" - run_once: true - no_log: true diff --git a/consul-role/tasks/service.yml b/consul-role/tasks/service.yml deleted file mode 100644 index 0983725..0000000 --- a/consul-role/tasks/service.yml +++ /dev/null @@ -1,14 +0,0 @@ -- name: Deploy systemd service - ansible.builtin.template: - src: consul.service.j2 - dest: /etc/systemd/system/consul.service - mode: "0644" - notify: - - Reload systemd - - Restart Consul - -- name: Enable and start Consul - ansible.builtin.systemd: - name: consul - enabled: true - state: started diff --git a/consul-role/templates/consul.service.j2 b/consul-role/templates/consul.service.j2 deleted file mode 100644 index 281d3cc..0000000 --- a/consul-role/templates/consul.service.j2 +++ /dev/null @@ -1,16 +0,0 @@ -[Unit] -Description=Consul Agent -Requires=network-online.target -After=network-online.target - -[Service] -User={{ consul_user }} -Group={{ consul_group }} -ExecStart={{ consul_install_dir }}/consul agent -config-dir={{ consul_config_dir }} -ExecReload=/bin/kill -HUP $MAINPID -KillSignal=SIGINT -Restart=on-failure -LimitNOFILE=65536 - -[Install] -WantedBy=multi-user.target diff --git a/consul-role/templates/policies/agent-policy.hcl.j2 b/consul-role/templates/policies/agent-policy.hcl.j2 deleted file mode 100644 index 6ad8420..0000000 --- a/consul-role/templates/policies/agent-policy.hcl.j2 +++ /dev/null @@ -1,11 +0,0 @@ -node_prefix "" { - policy = "write" -} - -service_prefix "" { - policy = "read" -} - -agent_prefix "" { - policy = "write" -} diff --git a/consul-role/templates/policies/monitoring-policy.hcl.j2 b/consul-role/templates/policies/monitoring-policy.hcl.j2 deleted file mode 100644 index d96bc6d..0000000 --- a/consul-role/templates/policies/monitoring-policy.hcl.j2 +++ /dev/null 
@@ -1,9 +0,0 @@ -agent_prefix "" { - policy = "read" -} -node_prefix "" { - policy = "read" -} -service_prefix "" { - policy = "read" -} diff --git a/consul-role/templates/policies/readonly-policy.hcl.j2 b/consul-role/templates/policies/readonly-policy.hcl.j2 deleted file mode 100644 index 09b4b13..0000000 --- a/consul-role/templates/policies/readonly-policy.hcl.j2 +++ /dev/null @@ -1,11 +0,0 @@ -node_prefix "" { - policy = "read" -} - -service_prefix "" { - policy = "read" -} - -key_prefix "" { - policy = "read" -} diff --git a/consul-role/templates/policies/service-policy.hcl.j2 b/consul-role/templates/policies/service-policy.hcl.j2 deleted file mode 100644 index 47bd12c..0000000 --- a/consul-role/templates/policies/service-policy.hcl.j2 +++ /dev/null @@ -1,7 +0,0 @@ -service_prefix "" { - policy = "write" -} - -node_prefix "" { - policy = "read" -} diff --git a/consul-role/templates/prometheus-consul.yml.j2 b/consul-role/templates/prometheus-consul.yml.j2 deleted file mode 100644 index 842060e..0000000 --- a/consul-role/templates/prometheus-consul.yml.j2 +++ /dev/null @@ -1,27 +0,0 @@ -# Prometheus scrape configuration for Consul Cluster -scrape_configs: - - job_name: 'consul-cluster' - scheme: https - metrics_path: '/v1/agent/metrics' - params: - format: ['prometheus'] - tls_config: - insecure_skip_verify: true - # This matches your Envoy DNS name - server_name: "consul.opstree.dev" - - # This pulls the token that was generated in your acl_tokens.yml task - bearer_token: "{{ consul_prometheus_token }}" - - static_configs: - - targets: -{% for host in play_hosts %} - - "{{ hostvars[host]['ansible_host'] }}:8501" -{% endfor %} - - # This cleans up the labels in Prometheus so you see the IP instead of IP:8501 - relabel_configs: - - source_labels: [__address__] - target_label: instance - regex: '([^:]+)(?::\d+)?' - replacement: '${1}' 
diff --git a/consul-role/templates/server.hcl.j2 b/consul-role/templates/server.hcl.j2 deleted file mode 100644 index a95344b..0000000 --- a/consul-role/templates/server.hcl.j2 +++ /dev/null @@ -1,53 +0,0 @@ -node_name = "{{ consul_node_name }}" -bind_addr = "{{ consul_bind_addr }}" -client_addr = "{{ consul_client_addr }}" -data_dir = "{{ consul_data_dir }}" - -encrypt = "{{ consul_gossip_key }}" - -server = {{ consul_is_server | lower }} -bootstrap_expect = {{ consul_bootstrap_expect }} - -ui_config { - enabled = {{ consul_enable_ui | lower }} -} - -retry_join = [ -{% for host in play_hosts %} - "{{ hostvars[host]['ansible_host'] | default(host) }}"{% if not loop.last %},{% endif %} -{% endfor %} -] - -telemetry { - prometheus_retention_time = "{{ consul_prometheus_retention }}" - disable_hostname = true -} - -acl { - enabled = {{ consul_acl_enabled | lower }} - default_policy = "{{ consul_acl_default_policy }}" - enable_token_persistence = {{ consul_acl_token_persistence | lower }} - -{% if consul_agent_token is defined and consul_agent_token != "" %} - tokens { - agent = "{{ consul_agent_token }}" - } -{% endif %} -} - -ports { - http = -1 - https = 8501 -} - -tls { - defaults { - - ca_file = "{{ consul_config_dir }}/certs/tls.crt" - cert_file = "{{ consul_config_dir }}/certs/tls.crt" - key_file = "{{ consul_config_dir }}/certs/tls.key" - - verify_incoming = false - verify_outgoing = false - } -} diff --git a/consul-role/tests/test.yml b/consul-role/tests/test.yml deleted file mode 100644 index eca63c9..0000000 --- a/consul-role/tests/test.yml +++ /dev/null @@ -1,6 +0,0 @@ -- name: Deploy Consul Cluster - hosts: all - become: true - roles: - - consul-role - diff --git a/consul-role/vars/main.yml b/consul-role/vars/main.yml deleted file mode 100644 index aecd177..0000000 --- a/consul-role/vars/main.yml +++ /dev/null 
@@ -1,34 +0,0 @@ ---- -# vars file for consul - - -# Installation variables -consul_binary_url: "https://releases.hashicorp.com/consul/{{ consul_version }}/consul_{{ consul_version }}_linux_amd64.zip" -consul_zip_path: "/tmp/consul_{{ consul_version }}.zip" - - -# Sensitive Keys -consul_master_token: !vault | - $ANSIBLE_VAULT;1.1;AES256 - 64363638396462636134353637383865643931373664373034623536366134623235306438356164 - 3665393634643363396437333436363936303835343166650a343639663665373161376433613932 - 62343336303839303038376437393965396165633039636339326363396530636564313630326265 - 3134613636396265300a633636396164363365353066633964306534316163303264623764643532 - 39323234346661383638313135346537613530333537636461343631653639663232373632646665 - 3634393638313962393166316439633230643331383665623634 - - -consul_gossip_key: !vault | - $ANSIBLE_VAULT;1.1;AES256 - 63666262323562663362346564363332353364663338396337333031616437373863316130613631 - 3966663365653036316364323537386530643666653564370a653438393136666436396230326464 - 39393738346630353432623434353063666161653832346438343566366664303464353334306532 - 3937633962373832620a353432336365323433306165633264363638353235643666633564393761 - 61353532316133616630396362333265316132333038323639396139333761326537636330346334 - 3336343330373533333435306264313430313662346364643637 - - - -# # Divya's Keycloak Details for POC -# poc_service_name: "keycloak" -# poc_service_port: 8080 From bb70e414c93c4df55bfd3d6383fe71a8abcdb8a2 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Fri, 20 Mar 2026 00:23:01 +0530 Subject: [PATCH 319/412] Create consul-readme.md --- consul-readme.md | 331 +++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 331 insertions(+) create mode 100644 consul-readme.md diff --git a/consul-readme.md b/consul-readme.md new file mode 100644 index 0000000..3dd5a61 --- /dev/null +++ b/consul-readme.md 
@@ -0,0 +1,331 @@ +## Table of Contents + +1. [Overview](#1-overview) +2. [Supported Operating Systems](#2-supported-operating-systems) +3. [Prerequisites & Known Limitations](#3-prerequisites--known-limitations) +4. [Architecture & Core Components](#4-architecture--core-components) +5. [Configuration Overview](#5-configuration-overview) +6. [Installation Flow](#6-installation-flow) +7. [Running Consul](#7-running-consul) +8. [Validation & Testing](#8-validation--testing) +9. [Best Practices Followed](#9-best-practices-followed) +10. [Troubleshooting](#10-troubleshooting) +11. [Conclusion](#11-conclusion) +12. [References](#12-references) +13. [Author](#13-author) + +## 1. Overview + +**HashiCorp Consul** is a service networking platform that enables: + +- Service Discovery +- Service Mesh +- Health Checking +- Key-Value Storage +- Secure Service-to-Service Communication + +It is widely used in distributed systems and microservices architectures to provide dynamic infrastructure management. + +### Problems Consul Solves + +- How do services find each other? +- How do we secure service communication? +- How do we monitor service health? +- How do we manage configuration centrally? + +### Supported Environments + +Consul works across: + +- Virtual Machines +- Kubernetes +- Hybrid environments +- Multi-cloud deployments + +--- + +## 2. Supported Operating Systems + +Consul supports multiple operating systems: + +### Linux +- Ubuntu +- Debian +- RHEL +- CentOS +- Amazon Linux + +### Other Platforms +- Windows +- macOS +- Kubernetes environments +- Cloud platforms: + - AWS + - Azure + - GCP + +> Consul is written in **Go** and distributed as a single binary. + +--- + +## 3. 
Prerequisites & Known Limitations + +### Prerequisites + +- Network connectivity between cluster nodes +- Minimum **3 nodes** for production cluster (recommended) +- Proper firewall configuration (ports **8300–8600**) +- Stable DNS or IP addressing +- TLS certificates (for secure production environments) + +### Known Limitations + +- Requires quorum for leader election +- Performance depends on cluster size and network latency +- Misconfigured ACLs can block cluster operations +- Not a replacement for full configuration management tools + +--- + +## 4. Architecture & Core Components + +Consul architecture consists of the following components: + +### 4.1 Servers + +- Maintain cluster state +- Participate in **Raft consensus** +- Handle leader election + +### 4.2 Clients (Agents) + +- Run on application nodes +- Register services +- Perform health checks + +### 4.3 Datacenter + +- Logical grouping of nodes in a specific environment + +### 4.4 Gossip Protocol + +- Used for node membership +- Handles failure detection + +### 4.5 Raft Consensus + +- Provides strong consistency +- Manages leader election among servers + +### 4.6 Key-Value Store + +- Stores configuration data centrally +- Used for dynamic application configuration + +### 4.7 Service Mesh (Connect) + +- Provides secure service-to-service communication +- Uses **mTLS (Mutual TLS)** +- Enables zero-trust networking between services + +--- + + + +## Role Structure +``` +. 
+├── inventory.ini +├── site.yml +└── roles/ + └── consul/ + ├── defaults/ + │ └── main.yml + ├── files/ + │ └── read-policy.hcl + ├── handlers/ + │ └── main.yml + ├── meta/ + │ └── main.yml + ├── tasks/ + │ ├── acl.yml + │ ├── acl_policies.yml + │ ├── acl_tokens.yml + │ ├── config.yml + │ ├── directories.yml + │ ├── install.yml + │ ├── main.yml + │ ├── rbac.yml + │ └── service.yml + ├── templates/ + │ ├── consul.service.j2 + │ ├── prometheus-consul.yml.j2 + │ ├── server.hcl.j2 + │ └── policies/ + │ ├── agent-policy.hcl.j2 + │ ├── monitoring-policy.hcl.j2 + │ ├── readonly-policy.hcl.j2 + │ └── service-policy.hcl.j2 + ├── tests/ + │ └── test.yml + └── vars/ + └── main.yml +``` + +## 5. Configuration Overview + +Consul can be configured using: + +- HCL files +- JSON configuration files +- Command-line flags +- Environment variables + +### Important Configuration Parameters + +| Parameter | Description | +|-------------------|------------| +| `node_name` | Unique node identifier | +| `bind_addr` | Address to bind Consul to | +| `data_dir` | Directory for Consul data | +| `server` | Defines server or client mode (`true/false`) | +| `bootstrap_expect` | Number of servers expected for cluster formation | +| `retry_join` | List of nodes to join cluster | +| `acl` | Enables Access Control Lists | +| `ui_config` | UI configuration settings | + +### ACL Configuration Includes + +- Enable/Disable ACLs +- Default policies +- Token management +- Token persistence + +--- + +## 6. Installation Flow +### Step 1: Download Binary +``` +wget https://releases.hashicorp.com/consul/1.17.0/consul_1.17.0_linux_amd64.zip +``` + +### Step 2: Unzip +``` +unzip consul_1.17.0_linux_amd64.zip +``` + +### Step 3: Move Binary +``` +sudo mv consul /usr/local/bin/ +``` + +### Step 4: Verify Installation +``` +consul --version +``` + +# 7. Running the Playbook +``` +ansible-playbook -i inventory.ini site.yml +``` + +# 8. 
Validation & Testing +## Check Cluster Members +``` +consul members +``` +## Check Leader +``` +consul operator raft list-peers +``` +## Check Services +``` +consul catalog services +``` +## Access UI + +Default UI URL: + +``` +http://:8500 +``` + +# 9. Best Practices Followed + +- Always use minimum 3 server nodes + +- Enable ACLs in production + +- Use TLS encryption + +- Avoid running in -dev mode in production + +- Monitor health checks continuously + +- Secure gossip communication + +- Use proper token management + +# 10. Troubleshooting +## Consul Not Starting + +- Check systemd logs + +``` +journalctl -u consul +``` +## No Leader Elected + +- Ensure minimum quorum + +- Verify bootstrap_expect value + +- Check network connectivity + +## ACL Errors + +- Verify bootstrap token + +- Ensure token persistence is enabled + +- Check default policy + +## Node Not Joining + +- Verify retry_join + +- Check firewall ports + +- Validate bind address + +# 11. Conclusion + +HashiCorp Consul is a powerful service networking solution designed for modern distributed systems. + +It provides: + +- Reliable service discovery + +- Secure service communication + +- Centralized configuration + +- High availability clustering + +Consul simplifies infrastructure complexity and enables scalable microservices architecture. + +# 12. References + + +| Purpose | Link | +|---------|------| +| Consul Official Documentation | https://developer.hashicorp.com/consul/docs | +| Consul Installation Guide | https://developer.hashicorp.com/consul/docs/install | +| Consul ACL Documentation | https://developer.hashicorp.com/consul/docs/security/acl | +| Consul Service Mesh Guide | https://developer.hashicorp.com/consul/docs/connect | + +# 13. Author + +**Author**: Annem Anitha +**Last Updated:** 25-Feb-2026 + From a9f29770b218110ec3964e667046911fee02c455 Mon Sep 17 00:00:00 2001 
From: AnithaAnnem Date: Fri, 20 Mar 2026 00:24:01 +0530 Subject: [PATCH 320/412] Update consul-readme.md --- consul-readme.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/consul-readme.md b/consul-readme.md index 3dd5a61..e2c7c02 100644 --- a/consul-readme.md +++ b/consul-readme.md @@ -224,12 +224,12 @@ sudo mv consul /usr/local/bin/ consul --version ``` -# 7. Running the Playbook +## 7. Running the Playbook ``` ansible-playbook -i inventory.ini site.yml ``` -# 8. Validation & Testing +## 8. Validation & Testing ## Check Cluster Members ``` consul members @@ -250,7 +250,7 @@ Default UI URL: http://:8500 ``` -# 9. Best Practices Followed +## 9. Best Practices Followed - Always use minimum 3 server nodes From 61ce8c9741070d71cd4a47667bec1f620370cdf3 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Fri, 20 Mar 2026 00:25:03 +0530 Subject: [PATCH 321/412] Update consul-readme.md --- consul-readme.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/consul-readme.md b/consul-readme.md index e2c7c02..5f7e1de 100644 --- a/consul-readme.md +++ b/consul-readme.md @@ -1,3 +1,9 @@ + +# Consul Ansible Role + +image + + ## Table of Contents 1. [Overview](#1-overview) From d59011a413630d9a358c718bc8e5702235dda874 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Fri, 20 Mar 2026 12:39:16 +0530 Subject: [PATCH 322/412] Update main.yml --- meta/main.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/meta/main.yml b/meta/main.yml index ea68190..c65c44f 100644 --- a/meta/main.yml +++ b/meta/main.yml @@ -1,7 +1,7 @@ galaxy_info: - author: your name - description: your role description - company: your company (optional) + author: Annem Anitha + description: Create consul cluster with any number of nodes + company: opstree # If the issue tracker for your role is not on github, uncomment the # next line and provide a value From 7b09b6f792cfdbf639fda540fa94fb1b3d9d48d6 Mon Sep 17 00:00:00 2001 
From: AnithaAnnem Date: Fri, 20 Mar 2026 12:48:31 +0530 Subject: [PATCH 323/412] Update main.yml --- tasks/main.yml | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/tasks/main.yml b/tasks/main.yml index b1735b9..d410de7 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -1,10 +1,7 @@ --- - name: Include installation tasks ansible.builtin.include_tasks: install.yml - -- name: Include directory tasks - ansible.builtin.include_tasks: directories.yml - + - name: Include configuration tasks ansible.builtin.include_tasks: config.yml From c8d7cb776b90e3548098dceedac3a196dd10f893 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Fri, 20 Mar 2026 12:48:55 +0530 Subject: [PATCH 324/412] Delete tasks/directories.yml --- tasks/directories.yml | 10 ---------- 1 file changed, 10 deletions(-) delete mode 100644 tasks/directories.yml diff --git a/tasks/directories.yml b/tasks/directories.yml deleted file mode 100644 index 6478b0a..0000000 --- a/tasks/directories.yml +++ /dev/null @@ -1,10 +0,0 @@ -- name: Create Consul directories - ansible.builtin.file: - path: "{{ item }}" - state: directory - owner: "{{ consul_user }}" - group: "{{ consul_group }}" - mode: "0750" - loop: - - "{{ consul_data_dir }}" - - "{{ consul_config_dir }}" From d60bead15da683c777f3a812b33f22036ed464fd Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Fri, 20 Mar 2026 12:52:01 +0530 Subject: [PATCH 325/412] Update service.yml --- tasks/service.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/tasks/service.yml b/tasks/service.yml index 0983725..cf1e6a8 100644 --- a/tasks/service.yml +++ b/tasks/service.yml @@ -4,7 +4,6 @@ dest: /etc/systemd/system/consul.service mode: "0644" notify: - - Reload systemd - Restart Consul - name: Enable and start Consul From ab02cb59c04787c11f67a18f46bfd0ad7f5e8958 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Fri, 20 Mar 2026 12:55:21 +0530 Subject: [PATCH 326/412] Update acl.yml --- tasks/acl.yml | 2 ++ 1 file changed, 2 insertions(+) 
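Review bot: Dropping the directories.yml include leaves nothing in the visible task order that creates `consul_data_dir` and `consul_config_dir` owned by `consul_user`/`consul_group` with mode `0750` before config.yml templates into them, unless install.yml now does so (install.yml is outside this hunk). If the directories are instead created by a root-run template task or by the agent at first start, they take root ownership and the default umask rather than the restricted permissions the deleted task set. The replacement line also appears to be `+ ` (a single trailing space) rather than an empty line; drop the space so yamllint does not flag it.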
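Review bot: Removing `- Reload systemd` from the `notify` list of the templated unit file means a changed `consul.service` is not re-read by systemd before the restart, unless the `Restart Consul` handler itself sets `daemon_reload: true` (handlers/main.yml is outside this hunk). Without a reload, `systemctl restart` uses the previously loaded unit definition, so edits to ExecStart, User or the environment in the template silently do not take effect. Either keep the `Reload systemd` handler ahead of `Restart Consul` or add `daemon_reload: true` to the restart handler's `ansible.builtin.systemd` call.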
diff --git a/tasks/acl.yml b/tasks/acl.yml index 9848c78..1d1fe60 100644 --- a/tasks/acl.yml +++ b/tasks/acl.yml @@ -43,6 +43,7 @@ ansible.builtin.set_fact: consul_master_token: "{{ (consul_bootstrap.stdout | from_json).SecretID }}" run_once: true + no_log: true when: - consul_bootstrap.changed - consul_bootstrap.stdout | length > 0 @@ -52,6 +53,7 @@ - name: Propagate token to all hosts ansible.builtin.set_fact: consul_master_token: "{{ hostvars[ansible_play_hosts[0]]['consul_master_token'] }}" + no_log: true when: consul_master_token is not defined or consul_master_token == "" # Save token From 257b2eca0bebb6ba18011a543d89436b029b4ddc Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Fri, 20 Mar 2026 13:05:22 +0530 Subject: [PATCH 327/412] Update rbac.yml --- tasks/rbac.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/tasks/rbac.yml b/tasks/rbac.yml index c4550f4..70e9cb4 100644 --- a/tasks/rbac.yml +++ b/tasks/rbac.yml @@ -11,10 +11,10 @@ changed_when: false run_once: true environment: &consul_env - CONSUL_HTTP_ADDR: "https://{{ consul_bind_addr }}:{{ consul_https_port }}" - CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" - CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt" - CONSUL_HTTP_SSL_VERIFY: "false" + CONSUL_HTTP_ADDR: >- + {{ 'https' if consul_tls_enabled else 'http' }}://{{ consul_bind_addr }}:{{ consul_https_port if consul_tls_enabled else consul_http_port }} + CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" + CONSUL_HTTP_SSL_VERIFY: "{{ consul_tls_verify | ternary('true','false') }}" - name: Create read policy ansible.builtin.command: > From f85c92ba45b1e19c3140e9fb76401a8689c99c04 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Fri, 20 Mar 2026 13:07:16 +0530 Subject: [PATCH 328/412] Update server.hcl.j2 --- templates/server.hcl.j2 | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/templates/server.hcl.j2 b/templates/server.hcl.j2 index a95344b..7d7a7ba 100644 --- a/templates/server.hcl.j2 
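Review bot: `no_log: true` on the two `set_fact` tasks hides the SecretID from their own output, but the command task that registers `consul_bootstrap` (presumably above this hunk) still prints the full `consul acl bootstrap` stdout, SecretID included, unless it also carries `no_log: true`. The propagation task's `when: consul_master_token is not defined or consul_master_token == ""` also looks like it can never fire if vars/main.yml defines `consul_master_token` as a vault value, as the copy of that file deleted earlier in this series did; worth confirming which source is meant to win. A one-line comment above the first task would record the intent: `# Keep the bootstrap SecretID out of task output; it is the cluster's management token.`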
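Review bot: The rewritten `&consul_env` block drops `CONSUL_CACERT` while the server template points `ca_file` at the role-managed `{{ consul_config_dir }}/certs/tls.crt`, so when `consul_tls_verify` is true the CLI can only validate the server certificate if that cert also happens to be in the system trust store. Keep `CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt"` in the mapping (it is harmless when TLS is off) so that `CONSUL_HTTP_SSL_VERIFY` can default to `"true"` instead of being switched off to make the commands work.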
+++ b/templates/server.hcl.j2 @@ -36,8 +36,9 @@ acl { } ports { - http = -1 - https = 8501 + http = {{ consul_http_port }} + https = {{ consul_https_port }} +} } tls { From 12219a1f7729c858e2d8ab48ffbdea1c20f5e160 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Fri, 20 Mar 2026 13:14:01 +0530 Subject: [PATCH 329/412] Update consul-readme.md --- consul-readme.md | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/consul-readme.md b/consul-readme.md index 5f7e1de..756f1c7 100644 --- a/consul-readme.md +++ b/consul-readme.md @@ -256,6 +256,26 @@ Default UI URL: http://:8500 ``` +## Vault Usage (IMPORTANT) + +Sensitive values like: + +- consul_master_token + +- consul_gossip_key + +are stored using Ansible Vault. + +### To Run Playbook: +``` +ansible-playbook -i inventory.ini site.yml --ask-vault-pass +``` + +### OR using password file: +``` +ansible-playbook -i inventory.ini site.yml --vault-password-file vault_pass.txt +``` + ## 9. Best Practices Followed - Always use minimum 3 server nodes From 2723bcd5c76c48a492006a85b44f9e5ab640cc5a Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Fri, 20 Mar 2026 13:22:44 +0530 Subject: [PATCH 330/412] Update rbac.yml --- tasks/rbac.yml | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/tasks/rbac.yml b/tasks/rbac.yml index 70e9cb4..b0e5f66 100644 --- a/tasks/rbac.yml +++ b/tasks/rbac.yml 
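Review bot: The added `+}` after `https = {{ consul_https_port }}` closes the `ports` block a second time, so the rendered server.hcl is invalid HCL and the agent will refuse to start; the existing `}` on the next line already closes the block, so delete the added one. Re-enabling the plaintext HTTP listener (previously `http = -1`) also exposes the full API, ACL endpoints included, without TLS on `client_addr`; defaulting `consul_http_port` to `-1` when TLS is enabled, or templating `http = {{ consul_http_port if not consul_tls_enabled else -1 }}`, preserves the earlier hardening.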
@@ -10,11 +10,10 @@ register: policy_list changed_when: false run_once: true - environment: &consul_env - CONSUL_HTTP_ADDR: >- - {{ 'https' if consul_tls_enabled else 'http' }}://{{ consul_bind_addr }}:{{ consul_https_port if consul_tls_enabled else consul_http_port }} - CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" - CONSUL_HTTP_SSL_VERIFY: "{{ consul_tls_verify | ternary('true','false') }}" + environment: + CONSUL_HTTP_ADDR: "{{ 'https' if consul_tls_enabled else 'http' }}://{{ consul_bind_addr }}:{{ consul_https_port if consul_tls_enabled else consul_http_port }}" + CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" + CONSUL_HTTP_SSL_VERIFY: "{{ consul_tls_verify | ternary('true','false') }}" - name: Create read policy ansible.builtin.command: > From b74d31e6e620c52acd3119980c9ec6728f63ce3e Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Fri, 20 Mar 2026 13:34:00 +0530 Subject: [PATCH 331/412] Update rbac.yml --- tasks/rbac.yml | 20 ++++++++++++++++---- 1 file changed, 16 insertions(+), 4 deletions(-) diff --git a/tasks/rbac.yml b/tasks/rbac.yml index b0e5f66..b8d8c0d 100644 --- a/tasks/rbac.yml +++ b/tasks/rbac.yml 
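Review bot: Removing the `&consul_env` anchor from this task while later tasks in the file still use `environment: *consul_env` (as the follow-up commit's hunks show) leaves aliases with no anchor, which is a YAML parse error, so this revision of rbac.yml cannot be loaded by Ansible at all. Keep the anchor on the first definition, `environment: &consul_env`, or replace every alias in the same commit. Note that an anchor only resolves within this one file; a `*consul_env` in any other task file needs its own definition.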
@@ -22,14 +22,20 @@ -rules @/tmp/read-policy.hcl when: "'read-policy' not in policy_list.stdout" run_once: true - environment: *consul_env + environment: + CONSUL_HTTP_ADDR: "{{ 'https' if consul_tls_enabled else 'http' }}://{{ consul_bind_addr }}:{{ consul_https_port if consul_tls_enabled else consul_http_port }}" + CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" + CONSUL_HTTP_SSL_VERIFY: "{{ consul_tls_verify | ternary('true','false') }}" - name: Check existing roles ansible.builtin.command: consul acl role list register: role_list changed_when: false run_once: true - environment: *consul_env + environment: + CONSUL_HTTP_ADDR: "{{ 'https' if consul_tls_enabled else 'http' }}://{{ consul_bind_addr }}:{{ consul_https_port if consul_tls_enabled else consul_http_port }}" + CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" + CONSUL_HTTP_SSL_VERIFY: "{{ consul_tls_verify | ternary('true','false') }}" - name: Create read role ansible.builtin.command: > @@ -38,7 +44,10 @@ -policy-name read-policy when: "'read-role' not in role_list.stdout" run_once: true - environment: *consul_env + environment: + CONSUL_HTTP_ADDR: "{{ 'https' if consul_tls_enabled else 'http' }}://{{ consul_bind_addr }}:{{ consul_https_port if consul_tls_enabled else consul_http_port }}" + CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" + CONSUL_HTTP_SSL_VERIFY: "{{ consul_tls_verify | ternary('true','false') }}" # ------------------------------------------------ # APPLICATION TOKEN (NO DUPLICATES) @@ -58,8 +67,11 @@ register: app_token_output when: not app_token_stat.stat.exists run_once: true - environment: *consul_env no_log: true + environment: + CONSUL_HTTP_ADDR: "{{ 'https' if consul_tls_enabled else 'http' }}://{{ consul_bind_addr }}:{{ consul_https_port if consul_tls_enabled else consul_http_port }}" + CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" + CONSUL_HTTP_SSL_VERIFY: "{{ consul_tls_verify | ternary('true','false') }}" - name: Save application token ansible.builtin.copy: 
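Review bot: The same three-key `environment:` mapping is now copied verbatim into four tasks here (plus the one above the first hunk), so any future change to the address or verification logic has to be made in every copy. Define it once as a dict in defaults, e.g. `consul_cli_env:` holding `CONSUL_HTTP_ADDR`, `CONSUL_HTTP_TOKEN` and `CONSUL_HTTP_SSL_VERIFY`, and reference it with `environment: "{{ consul_cli_env }}"`, or group the tasks in a `block:` that carries a single `environment:`. Either form also keeps the management token's expansion in one place, which makes `no_log` coverage easier to audit.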
From 38ad65551f487b1422318e8d80bf7844f65be983 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Fri, 20 Mar 2026 15:04:26 +0530 Subject: [PATCH 332/412] Update server.hcl.j2 --- templates/server.hcl.j2 | 1 - 1 file changed, 1 deletion(-) diff --git a/templates/server.hcl.j2 b/templates/server.hcl.j2 index 7d7a7ba..8563bbf 100644 --- a/templates/server.hcl.j2 +++ b/templates/server.hcl.j2 @@ -39,7 +39,6 @@ ports { http = {{ consul_http_port }} https = {{ consul_https_port }} } -} tls { defaults { From 463d4257c0aba48b962b5564fca34da05ce1f85f Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Mon, 23 Mar 2026 10:55:03 +0530 Subject: [PATCH 333/412] Rename consul-readme.md to Readme.md --- consul-readme.md => Readme.md | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename consul-readme.md => Readme.md (100%) diff --git a/consul-readme.md b/Readme.md similarity index 100% rename from consul-readme.md rename to Readme.md From 45fba5ea3cf112b807a97abf318a336e4e117298 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Tue, 24 Mar 2026 13:03:45 +0530 Subject: [PATCH 334/412] Update main.yml --- vars/main.yml | 6 ------ 1 file changed, 6 deletions(-) diff --git a/vars/main.yml b/vars/main.yml index aecd177..5092e2d 100644 --- a/vars/main.yml +++ b/vars/main.yml @@ -26,9 +26,3 @@ consul_gossip_key: !vault | 3937633962373832620a353432336365323433306165633264363638353235643666633564393761 61353532316133616630396362333265316132333038323639396139333761326537636330346334 3336343330373533333435306264313430313662346364643637 - - - -# # Divya's Keycloak Details for POC -# poc_service_name: "keycloak" -# poc_service_port: 8080 From 4dd90789dc0cf23d9fd1dce3789d6266988ecf51 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Tue, 24 Mar 2026 13:09:49 +0530 Subject: [PATCH 335/412] Update acl_tokens.yml --- tasks/acl_tokens.yml | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/tasks/acl_tokens.yml b/tasks/acl_tokens.yml index e161deb..e9a8899 100644 --- a/tasks/acl_tokens.yml 
+++ b/tasks/acl_tokens.yml @@ -131,3 +131,15 @@ group: "{{ consul_group }}" mode: "0600" become: true + +#################################### +# Anonymous Token (Metrics Access) +#################################### + +- name: Allow Anonymous Token to read metrics + ansible.builtin.command: > + consul acl token update -id 00000000-0000-0000-0000-000000000002 + -description "Anonymous Token - Metrics Access" + -policy-name monitoring-policy + run_once: true + environment: *consul_env From bf197151a4cb260a4d36a8411b85fd08eede2c4d Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Tue, 7 Apr 2026 16:28:13 +0530 Subject: [PATCH 336/412] Create backup.yml --- tasks/backup.yml | 43 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 43 insertions(+) create mode 100644 tasks/backup.yml diff --git a/tasks/backup.yml b/tasks/backup.yml new file mode 100644 index 0000000..54620c6 --- /dev/null +++ b/tasks/backup.yml 
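Review bot: `environment: *consul_env` in the new task only resolves if acl_tokens.yml itself defines an `&consul_env` anchor earlier in the file; YAML anchors do not carry across files, and the one in rbac.yml was removed in an earlier commit of this series, so this is likely an undefined-alias parse error. Attaching `monitoring-policy` to the anonymous token (`00000000-0000-0000-0000-000000000002`) makes everything that policy grants readable without any token, so it should be confirmed to contain only the agent/node read rules a metrics scraper needs. The task also has no `changed_when`, so it reports changed on every run; `changed_when: false` or a preceding `consul acl token read` check would keep the play idempotent.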
@@ -0,0 +1,43 @@ +--- +- name: Install MinIO Client (mc) + ansible.builtin.get_url: + url: https://dl.min.io/client/mc/release/linux-amd64/mc + dest: /usr/local/bin/mc + mode: '0755' + become: true + +- name: Configure mc alias + ansible.builtin.command: + cmd: "mc alias set dr-minio {{ consul_backup_minio_endpoint }} {{ consul_backup_access_key }} {{ consul_backup_secret_key }}" + changed_when: false + no_log: true + +- name: Set backup filename + ansible.builtin.set_fact: + consul_backup_name: "consul_v1_backup_{{ lookup('pipe', 'date +%Y%m%d_%H%M%S') }}.snap" + +- name: Take Consul Snapshot + ansible.builtin.command: + cmd: "consul snapshot save {{ consul_config_dir }}/{{ consul_backup_name }}" + environment: + CONSUL_HTTP_ADDR: "https://127.0.0.1:{{ consul_https_port }}" + CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" + CONSUL_HTTP_SSL_VERIFY: "false" + register: snapshot_result + run_once: true + +- name: Upload Snapshot to MinIO + ansible.builtin.command: + cmd: "mc cp {{ consul_config_dir }}/{{ consul_backup_name }} dr-minio/{{ consul_backup_bucket }}/" + when: snapshot_result.rc == 0 + run_once: true + +- name: Cleanup local snapshot file + ansible.builtin.file: + path: "{{ consul_config_dir }}/{{ consul_backup_name }}" + state: absent + +- name: Remove old backups from MinIO + ansible.builtin.command: + cmd: "mc rm --recursive --older-than {{ consul_backups_to_keep_remote }}d dr-minio/{{ consul_backup_bucket }}/" + run_once: true From 38dc79870c933108243e8b7ad66456cbebebc139 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Tue, 7 Apr 2026 16:29:03 +0530 Subject: [PATCH 337/412] Update main.yml --- tasks/main.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/tasks/main.yml b/tasks/main.yml index d410de7..f0a7174 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
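Review bot: `ansible.builtin.get_url` fetches the mc binary from dl.min.io with no `checksum:`, so whatever that URL serves is installed to `/usr/local/bin` as executable and run with the MinIO credentials; pin it with `checksum: "sha256:<EXPECTED_MC_SHA256>"` (placeholder) and a versioned release URL. The `mc alias set` task puts `consul_backup_secret_key` on the command line, where `no_log` does not help because argv is visible to every local process via `ps`; mc's `MC_HOST_<alias>` environment variable, set through the task's `environment:` keyword, keeps it out of the process list. The snapshot task disables TLS verification with `CONSUL_HTTP_SSL_VERIFY: "false"`; since the server template already names a CA file, use `CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt"` with verification left on. Finally, `mc rm --recursive --older-than` runs unconditionally against the whole bucket prefix, so a failed snapshot still prunes old backups; gate it on `snapshot_result.rc == 0` as the upload task does.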
@@ -15,3 +15,7 @@ - name: Include RBAC tasks ansible.builtin.include_tasks: rbac.yml when: consul_acl_enabled + +- name: Include Backup tasks + ansible.builtin.include_tasks: backup.yml + when: consul_backup_enabled | bool From 84fa78d7c8e0a48f23601a7bcd15140a07181821 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Tue, 7 Apr 2026 17:19:45 +0530 Subject: [PATCH 338/412] Update main.yml --- defaults/main.yml | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/defaults/main.yml b/defaults/main.yml index 94631a7..ed90b2f 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -40,3 +40,13 @@ consul_gossip_key: "" # Monitoring consul_telemetry_enabled: true consul_prometheus_retention: "60s" + +# Backup & DR Configuration +consul_backup_enabled: true +consul_backup_minio_endpoint: "{{ lookup('env', 'MINIO_Endpoint') }}" +consul_backup_bucket: "consul-backups" +consul_backups_to_keep_remote: 7 + +# S3/MinIO backup credentials +consul_backup_s3_access_key: "{{ lookup('env', 'MINIO_ROOT_USER') }}" +consul_backup_s3_secret_key: "{{ lookup('env', 'MINIO_ROOT_PASSWORD') }}" From 2028602a902c33116d431124e06370f6c3a5d419 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Wed, 8 Apr 2026 16:20:01 +0530 Subject: [PATCH 339/412] Update backup.yml --- tasks/backup.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/backup.yml b/tasks/backup.yml index 54620c6..2c142b4 100644 --- a/tasks/backup.yml +++ b/tasks/backup.yml @@ -8,7 +8,7 @@ - name: Configure mc alias ansible.builtin.command: - cmd: "mc alias set dr-minio {{ consul_backup_minio_endpoint }} {{ consul_backup_access_key }} {{ consul_backup_secret_key }}" + cmd: "mc alias set dr-minio {{ consul_backup_minio_endpoint }} {{ consul_backup_s3_access_key }} {{ consul_backup_s3_secret_key }}" changed_when: false no_log: true From 10a81e20b5931aad43982d7b25a0c90668a88568 Mon Sep 17 00:00:00 2001 
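Review bot: The backup include runs on every converge of the role, so a routine configuration change now also installs a MinIO client, takes a snapshot and uploads it, and fails the play if the backup endpoint is unreachable. Tagging the include, `tags: [never, consul_backup]`, makes backups an explicit `--tags consul_backup` run while `consul_backup_enabled` stays a feature switch; if backups should instead be scheduled, a cron or systemd timer installed by the role is the usual shape.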
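Review bot: `consul_backup_enabled: true` as the role default turns the MinIO backup path on for every consumer of the role, and because the endpoint and keys come from environment variables that are unset on most controllers, `consul_backup_minio_endpoint` renders empty and the `mc alias set` step fails instead of being skipped; `false` with an explicit opt-in is the safer default. The env var names are also inconsistent (`MINIO_Endpoint` beside `MINIO_ROOT_USER`/`MINIO_ROOT_PASSWORD`), and the latter two are conventionally MinIO's server root credentials, so backups would run with full object-store access; a dedicated key scoped to the backup bucket is the least-privilege choice.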
From: AnithaAnnem Date: Wed, 8 Apr 2026 16:30:04 +0530 Subject: [PATCH 340/412] Update backup.yml --- tasks/backup.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/backup.yml b/tasks/backup.yml index 2c142b4..418eee4 100644 --- a/tasks/backup.yml +++ b/tasks/backup.yml @@ -9,7 +9,7 @@ - name: Configure mc alias ansible.builtin.command: cmd: "mc alias set dr-minio {{ consul_backup_minio_endpoint }} {{ consul_backup_s3_access_key }} {{ consul_backup_s3_secret_key }}" - changed_when: false + become: true no_log: true - name: Set backup filename From 886d9c213c6a7f8495aebc3f712e99ffbbde0070 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Thu, 9 Apr 2026 10:54:41 +0530 Subject: [PATCH 341/412] Update main.yml --- defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index ed90b2f..a019018 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -48,5 +48,5 @@ consul_backup_bucket: "consul-backups" consul_backups_to_keep_remote: 7 # S3/MinIO backup credentials -consul_backup_s3_access_key: "{{ lookup('env', 'MINIO_ROOT_USER') }}" -consul_backup_s3_secret_key: "{{ lookup('env', 'MINIO_ROOT_PASSWORD') }}" +consul_backup_s3_access_key: "{{ lookup('env', 'MINIO_ACCESS_KEY') }}" +consul_backup_s3_secret_key: "{{ lookup('env', 'MINIO_SECRET_KEY') }}" From fe66150a1e2e8e772c1e8ebbca6023ff50eb0d84 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Thu, 9 Apr 2026 11:23:12 +0530 Subject: [PATCH 342/412] Update backup.yml --- tasks/backup.yml | 68 ++++++++++++++++++++++++++---------------------- 1 file changed, 37 insertions(+), 31 deletions(-) diff --git a/tasks/backup.yml b/tasks/backup.yml index 418eee4..b837eee 100644 --- a/tasks/backup.yml +++ b/tasks/backup.yml 
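Review bot: Replacing `changed_when: false` with `become: true` on the `mc alias set` task reinstates a change report on every run; the two keys are independent, so keep both. Running it as root also writes the access and secret keys in plaintext to root's `~/.mc/config.json` on every target, where they persist after the play ends; if that is not intended, pass them through `MC_HOST_<alias>` in the `environment:` of the single `mc cp` call, or remove the alias at the end of the play.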
@@ -1,43 +1,49 @@ --- -- name: Install MinIO Client (mc) - ansible.builtin.get_url: - url: https://dl.min.io/client/mc/release/linux-amd64/mc - dest: /usr/local/bin/mc - mode: '0755' +- name: Install awscli + ansible.builtin.package: + name: awscli + state: present become: true -- name: Configure mc alias - ansible.builtin.command: - cmd: "mc alias set dr-minio {{ consul_backup_minio_endpoint }} {{ consul_backup_s3_access_key }} {{ consul_backup_s3_secret_key }}" - become: true - no_log: true - -- name: Set backup filename +- name: Set backup name ansible.builtin.set_fact: - consul_backup_name: "consul_v1_backup_{{ lookup('pipe', 'date +%Y%m%d_%H%M%S') }}.snap" + consul_backup_name: "consul_backup_{{ lookup('pipe', 'date +%Y%m%d_%H%M%S') }}" -- name: Take Consul Snapshot +- name: Ensure backup directory exists + ansible.builtin.file: + path: /tmp/consul-backups + state: directory + mode: "0755" + +- name: Take Consul snapshot ansible.builtin.command: - cmd: "consul snapshot save {{ consul_config_dir }}/{{ consul_backup_name }}" - environment: - CONSUL_HTTP_ADDR: "https://127.0.0.1:{{ consul_https_port }}" - CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" - CONSUL_HTTP_SSL_VERIFY: "false" + cmd: "consul snapshot save /tmp/consul-backups/{{ consul_backup_name }}.snap" register: snapshot_result - run_once: true + become: true + changed_when: "'Saved' in (snapshot_result.stdout | default(''))" + when: consul_backup_enabled | bool -- name: Upload Snapshot to MinIO - ansible.builtin.command: - cmd: "mc cp {{ consul_config_dir }}/{{ consul_backup_name }} dr-minio/{{ consul_backup_bucket }}/" - when: snapshot_result.rc == 0 +- name: Upload backup to MinIO (S3) + ansible.builtin.command: > + aws s3 cp /tmp/consul-backups/{{ consul_backup_name }}.snap + s3://{{ consul_backup_bucket }}/consul-backups/{{ consul_backup_name }}.snap + --endpoint-url {{ consul_backup_minio_endpoint }} + --no-verify-ssl + environment: + AWS_ACCESS_KEY_ID: "{{ consul_backup_s3_access_key }}" + 
AWS_SECRET_ACCESS_KEY: "{{ consul_backup_s3_secret_key }}" + register: upload_result + retries: 3 + delay: 20 + until: upload_result.rc == 0 run_once: true + become: true + changed_when: upload_result.rc == 0 + when: + - consul_backup_enabled | bool -- name: Cleanup local snapshot file +- name: Delete local backup file ansible.builtin.file: - path: "{{ consul_config_dir }}/{{ consul_backup_name }}" + path: "/tmp/consul-backups/{{ consul_backup_name }}.snap" state: absent - -- name: Remove old backups from MinIO - ansible.builtin.command: - cmd: "mc rm --recursive --older-than {{ consul_backups_to_keep_remote }}d dr-minio/{{ consul_backup_bucket }}/" - run_once: true + when: consul_backup_enabled | bool From 8f4f8f50ac6439f017a9c8e348a2b08fcfd74a16 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Thu, 9 Apr 2026 11:24:23 +0530 Subject: [PATCH 343/412] Create consul-backup-config.yml.j2 --- templates/consul-backup-config.yml.j2 | 14 ++++++++++++++ 1 file changed, 14 insertions(+) create mode 100644 templates/consul-backup-config.yml.j2 diff --git a/templates/consul-backup-config.yml.j2 b/templates/consul-backup-config.yml.j2 new file mode 100644 index 0000000..48d2ae9 --- /dev/null +++ b/templates/consul-backup-config.yml.j2 @@ -0,0 +1,14 @@ +# Consul Backup Configuration + +general: + remote_storage: {{ 's3' if consul_backup_enabled else 'none' }} + backups_to_keep_remote: {{ consul_backups_to_keep_remote }} + +s3: + bucket: "{{ consul_backup_bucket }}" + path: "consul-backups" + access_key: "{{ consul_backup_s3_access_key }}" + secret_key: "{{ consul_backup_s3_secret_key }}" + endpoint: "{{ consul_backup_minio_endpoint }}" + force_path_style: true + disable_ssl: true From 8fb75207c0d13ac5a001921bfa32ad629e4e8855 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Thu, 9 Apr 2026 11:31:28 +0530 Subject: [PATCH 344/412] Update backup.yml --- tasks/backup.yml | 57 ++++++++++++++++++++++++------------------------ 1 file changed, 29 insertions(+), 28 deletions(-) 
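Review bot: The rewritten `Take Consul snapshot` task lost its `environment:` block (CONSUL_HTTP_ADDR/TOKEN), so with ACLs enabled and the API on TLS the bare `consul snapshot save` talks to the default `http://127.0.0.1:8500` without a token and fails, unless the defaults now leave plaintext HTTP open with a permissive default policy. Snapshots are written to `/tmp/consul-backups` created with `mode: "0755"`; a snapshot holds the full KV store and ACL state, so use `mode: "0700"` and a directory outside `/tmp`, e.g. under `{{ consul_data_dir }}`. The upload passes `--no-verify-ssl`; moving the credentials into `environment:` is a good change, and adding `AWS_CA_BUNDLE` to the same mapping for a private CA lets verification stay on.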
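Review bot: The template renders `access_key`/`secret_key` in plaintext and fixes `disable_ssl: true`, so the credentials and every uploaded snapshot travel to the MinIO endpoint unencrypted regardless of what `consul_backup_minio_endpoint` is set to; make it a variable, e.g. `disable_ssl: {{ consul_backup_disable_ssl | default(false) | lower }}`, with TLS on by default. Whichever task renders this file needs a restrictive `mode` (`"0600"`, or `"0640"` with a root group) since the keys sit on disk; that task is not part of this commit. `remote_storage: {{ 's3' if consul_backup_enabled else 'none' }}` is safe unquoted because both outcomes are plain words, but quoting it keeps the file robust if the values change.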
diff --git a/tasks/backup.yml b/tasks/backup.yml index b837eee..b52c1a2 100644 --- a/tasks/backup.yml +++ b/tasks/backup.yml 
@@ -1,49 +1,50 @@ --- -- name: Install awscli - ansible.builtin.package: - name: awscli - state: present +- name: Download consul-backup script + ansible.builtin.get_url: + url: "https://raw.githubusercontent.com/opstree/consul-backup/main/consul-backup.sh" + dest: /usr/local/bin/consul-backup + mode: "0755" become: true - name: Set backup name ansible.builtin.set_fact: - consul_backup_name: "consul_backup_{{ lookup('pipe', 'date +%Y%m%d_%H%M%S') }}" + consul_backup_name: "backup_{{ lookup('pipe', 'date +%Y%m%d_%H%M%S') }}" -- name: Ensure backup directory exists +- name: Ensure config directory exists ansible.builtin.file: - path: /tmp/consul-backups + path: /etc/consul-backup state: directory + owner: root + group: root mode: "0755" + become: true + +- name: Configure consul-backup + ansible.builtin.template: + src: consul-backup-config.yml.j2 + dest: /etc/consul-backup/config.yml + owner: root + group: root + mode: "0640" + become: true + when: consul_backup_enabled | bool -- name: Take Consul snapshot +- name: Create Consul backup ansible.builtin.command: - cmd: "consul snapshot save /tmp/consul-backups/{{ consul_backup_name }}.snap" - register: snapshot_result + cmd: "consul-backup create {{ consul_backup_name }}" + register: backup_create become: true - changed_when: "'Saved' in (snapshot_result.stdout | default(''))" + changed_when: "'done' in (backup_create.stdout | default(''))" when: consul_backup_enabled | bool -- name: Upload backup to MinIO (S3) - ansible.builtin.command: > - aws s3 cp /tmp/consul-backups/{{ consul_backup_name }}.snap - s3://{{ consul_backup_bucket }}/consul-backups/{{ consul_backup_name }}.snap - --endpoint-url {{ consul_backup_minio_endpoint }} - --no-verify-ssl - environment: - AWS_ACCESS_KEY_ID: "{{ consul_backup_s3_access_key }}" - AWS_SECRET_ACCESS_KEY: "{{ consul_backup_s3_secret_key }}" +- name: Upload backup to remote storage + ansible.builtin.command: + cmd: "consul-backup upload {{ consul_backup_name }} -v" register: 
upload_result retries: 3 delay: 20 until: upload_result.rc == 0 run_once: true become: true - changed_when: upload_result.rc == 0 - when: - - consul_backup_enabled | bool - -- name: Delete local backup file - ansible.builtin.file: - path: "/tmp/consul-backups/{{ consul_backup_name }}.snap" - state: absent + changed_when: "'done' in (upload_result.stdout | default(''))" when: consul_backup_enabled | bool From 3707dd7308888a2ec570ec795a00ccac703161a2 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Thu, 9 Apr 2026 11:31:47 +0530 Subject: [PATCH 345/412] Update consul-backup-config.yml.j2 --- templates/consul-backup-config.yml.j2 | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/templates/consul-backup-config.yml.j2 b/templates/consul-backup-config.yml.j2 index 48d2ae9..4ef1abb 100644 --- a/templates/consul-backup-config.yml.j2 +++ b/templates/consul-backup-config.yml.j2 @@ -2,11 +2,16 @@ general: remote_storage: {{ 's3' if consul_backup_enabled else 'none' }} + backups_to_keep_local: 1 backups_to_keep_remote: {{ consul_backups_to_keep_remote }} +consul: + address: "127.0.0.1:8500" + s3: bucket: "{{ consul_backup_bucket }}" path: "consul-backups" + compression_level: 1 access_key: "{{ consul_backup_s3_access_key }}" secret_key: "{{ consul_backup_s3_secret_key }}" endpoint: "{{ consul_backup_minio_endpoint }}" From e452dd128f7b57781b3dbe54aa46b1f91414f5de Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Thu, 9 Apr 2026 11:44:45 +0530 Subject: [PATCH 346/412] Delete templates/consul-backup-config.yml.j2 --- templates/consul-backup-config.yml.j2 | 19 ------------------- 1 file changed, 19 deletions(-) delete mode 100644 templates/consul-backup-config.yml.j2 diff --git a/templates/consul-backup-config.yml.j2 b/templates/consul-backup-config.yml.j2 deleted file mode 100644 index 4ef1abb..0000000 --- a/templates/consul-backup-config.yml.j2 +++ /dev/null 
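Review bot: The new `get_url` task downloads `consul-backup.sh` from the `main` branch of a GitHub repository with no `checksum:` into `/usr/local/bin`, and the following tasks run it as root with the backup credentials from /etc/consul-backup/config.yml; the content can change under you at any time, and a compromised or renamed upstream becomes root code execution on every server. Pin the URL to a tag or commit and add `checksum: "sha256:<EXPECTED_SCRIPT_SHA256>"` (placeholder), or vendor the script into the role's `files/` and deploy it with `ansible.builtin.copy`. The download also runs unconditionally while every other task is gated on `consul_backup_enabled | bool`; add the same `when:` so disabling backups does not still install the script.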
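Review bot: `address: "127.0.0.1:8500"` hard-codes the plaintext HTTP port while the role templates `ports { http = {{ consul_http_port }} ... }` and may set it to `-1`, in which case the backup tool cannot reach the agent at all; template it from the same variables, e.g. `address: "127.0.0.1:{{ consul_https_port if consul_tls_enabled else consul_http_port }}"`. There is also no token in the `consul:` section, so with ACLs enabled and a deny default policy the snapshot call will be rejected; confirm how the tool expects the token to be supplied, and prefer an environment variable over adding it to this on-disk file if the tool supports one.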
@@ -1,19 +0,0 @@ -# Consul Backup Configuration - -general: - remote_storage: {{ 's3' if consul_backup_enabled else 'none' }} - backups_to_keep_local: 1 - backups_to_keep_remote: {{ consul_backups_to_keep_remote }} - -consul: - address: "127.0.0.1:8500" - -s3: - bucket: "{{ consul_backup_bucket }}" - path: "consul-backups" - compression_level: 1 - access_key: "{{ consul_backup_s3_access_key }}" - secret_key: "{{ consul_backup_s3_secret_key }}" - endpoint: "{{ consul_backup_minio_endpoint }}" - force_path_style: true - disable_ssl: true From adcf8ba38f3d2ea063b4065c72e6ff8c1be88b10 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Thu, 9 Apr 2026 11:44:58 +0530 Subject: [PATCH 347/412] Update backup.yml --- tasks/backup.yml | 60 +++++++++++++++++++++++++----------------------- 1 file changed, 31 insertions(+), 29 deletions(-) diff --git a/tasks/backup.yml b/tasks/backup.yml index b52c1a2..53e5c0b 100644 --- a/tasks/backup.yml +++ b/tasks/backup.yml 
@@ -1,50 +1,52 @@ --- -- name: Download consul-backup script - ansible.builtin.get_url: - url: "https://raw.githubusercontent.com/opstree/consul-backup/main/consul-backup.sh" - dest: /usr/local/bin/consul-backup - mode: "0755" +- name: Install awscli + ansible.builtin.package: + name: awscli + state: present become: true - name: Set backup name ansible.builtin.set_fact: - consul_backup_name: "backup_{{ lookup('pipe', 'date +%Y%m%d_%H%M%S') }}" + consul_backup_name: "consul_backup_{{ lookup('pipe', 'date +%Y%m%d_%H%M%S') }}" -- name: Ensure config directory exists +- name: Ensure backup directory exists ansible.builtin.file: - path: /etc/consul-backup + path: /tmp/consul-backups state: directory - owner: root - group: root mode: "0755" - become: true - -- name: Configure consul-backup - ansible.builtin.template: - src: consul-backup-config.yml.j2 - dest: /etc/consul-backup/config.yml - owner: root - group: root - mode: "0640" - become: true - when: consul_backup_enabled | bool -- name: Create Consul backup +- name: Take Consul snapshot ansible.builtin.command: - cmd: "consul-backup create {{ consul_backup_name }}" - register: backup_create + cmd: "consul snapshot save /tmp/consul-backups/{{ consul_backup_name }}.snap" + environment: + CONSUL_HTTP_ADDR: "https://127.0.0.1:{{ consul_https_port }}" + CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" + CONSUL_HTTP_SSL_VERIFY: "false" + register: snapshot_result become: true - changed_when: "'done' in (backup_create.stdout | default(''))" when: consul_backup_enabled | bool -- name: Upload backup to remote storage - ansible.builtin.command: - cmd: "consul-backup upload {{ consul_backup_name }} -v" +- name: Upload backup to MinIO (S3) + ansible.builtin.command: > + aws s3 cp /tmp/consul-backups/{{ consul_backup_name }}.snap + s3://{{ consul_backup_bucket }}/consul-backups/{{ consul_backup_name }}.snap + --endpoint-url {{ consul_backup_minio_endpoint }} + --no-verify-ssl + environment: + AWS_ACCESS_KEY_ID: "{{ 
consul_backup_s3_access_key }}" + AWS_SECRET_ACCESS_KEY: "{{ consul_backup_s3_secret_key }}" register: upload_result retries: 3 delay: 20 until: upload_result.rc == 0 run_once: true become: true - changed_when: "'done' in (upload_result.stdout | default(''))" + when: + - consul_backup_enabled | bool + - snapshot_result.rc == 0 + +- name: Delete local backup file + ansible.builtin.file: + path: "/tmp/consul-backups/{{ consul_backup_name }}.snap" + state: absent when: consul_backup_enabled | bool From 6b817865fc06c50e32d5c086ba430b2f166b83e1 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Thu, 9 Apr 2026 11:48:40 +0530 Subject: [PATCH 348/412] Update backup.yml --- tasks/backup.yml | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/tasks/backup.yml b/tasks/backup.yml index 53e5c0b..ce31d80 100644 --- a/tasks/backup.yml +++ b/tasks/backup.yml @@ -1,6 +1,12 @@ --- -- name: Install awscli +- name: Install pip3 ansible.builtin.package: + name: python3-pip + state: present + become: true + +- name: Install awscli via pip + ansible.builtin.pip: name: awscli state: present become: true @@ -24,6 +30,7 @@ CONSUL_HTTP_SSL_VERIFY: "false" register: snapshot_result become: true + changed_when: snapshot_result.rc == 0 when: consul_backup_enabled | bool - name: Upload backup to MinIO (S3) @@ -41,9 +48,9 @@ until: upload_result.rc == 0 run_once: true become: true - when: + when: - consul_backup_enabled | bool - - snapshot_result.rc == 0 + - snapshot_result is succeeded - name: Delete local backup file ansible.builtin.file: From 2ff2fd98a76aa6fe742fa0ed6341f288fb5c60f5 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Thu, 9 Apr 2026 11:54:47 +0530 Subject: [PATCH 349/412] Update backup.yml --- tasks/backup.yml | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-) diff --git a/tasks/backup.yml b/tasks/backup.yml index ce31d80..58b334d 100644 --- a/tasks/backup.yml +++ b/tasks/backup.yml 
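Review bot: The `Take Consul snapshot` task sets `CONSUL_HTTP_SSL_VERIFY: "false"` and the upload task passes `--no-verify-ssl`, so the Consul management token and the S3 access/secret keys are sent over TLS connections whose server certificate is never checked. For the local Consul call, trust the agent's own certificate instead, e.g. `CONSUL_CACERT: "{{ consul_config_dir }}/certs/tls.crt"` and drop the `CONSUL_HTTP_SSL_VERIFY` line; for MinIO, install its CA in the system trust store or pass `--ca-bundle` rather than `--no-verify-ssl`. The snapshot, which contains the full KV store and ACL tokens, is also written under `/tmp/consul-backups` with `mode: "0755"`, readable by every local user; a root-owned directory with `mode: "0700"` outside `/tmp` would contain it.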
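Review bot: In the `@@ -24,6 +30,7 @@` hunk, `changed_when: snapshot_result.rc == 0` is always true for a task that reaches it, because the `command` module already fails the task on a non-zero `rc`; a snapshot save always creates a file, so `changed_when: true` states the intent directly. The first hunk installs `awscli` through `ansible.builtin.pip` as root with no version pin, so each run may pull a different release; pin it, `name: "awscli==<pinned-version-placeholder>"`.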
@@ -1,15 +1,21 @@ --- -- name: Install pip3 - ansible.builtin.package: - name: python3-pip +- name: Install awscli via apt + ansible.builtin.apt: + name: awscli state: present + update_cache: true become: true + register: apt_install + ignore_errors: true -- name: Install awscli via pip +# Fallback if apt fails: Install via pip with the break-system-packages flag +- name: Install awscli via pip (fallback) ansible.builtin.pip: name: awscli state: present + extra_args: --break-system-packages become: true + when: apt_install is failed - name: Set backup name ansible.builtin.set_fact: @@ -31,7 +37,6 @@ register: snapshot_result become: true changed_when: snapshot_result.rc == 0 - when: consul_backup_enabled | bool - name: Upload backup to MinIO (S3) ansible.builtin.command: > @@ -49,11 +54,9 @@ run_once: true become: true when: - - consul_backup_enabled | bool - snapshot_result is succeeded - name: Delete local backup file ansible.builtin.file: path: "/tmp/consul-backups/{{ consul_backup_name }}.snap" state: absent - when: consul_backup_enabled | bool From d1b78e9467d4d9471c22b2d20b3403a645f8d79b Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Thu, 9 Apr 2026 12:38:27 +0530 Subject: [PATCH 350/412] Update backup.yml --- tasks/backup.yml | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/tasks/backup.yml b/tasks/backup.yml index 58b334d..18cb15c 100644 --- a/tasks/backup.yml +++ b/tasks/backup.yml @@ -8,7 +8,6 @@ register: apt_install ignore_errors: true -# Fallback if apt fails: Install via pip with the break-system-packages flag - name: Install awscli via pip (fallback) ansible.builtin.pip: name: awscli 
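Review bot: The `@@ -31,7 +37,6 @@` and `@@ -49,11 +54,9 @@` hunks remove `consul_backup_enabled | bool` from the snapshot, upload and delete tasks, so the `consul_backup_enabled` default no longer gates any work in this file and a host with the flag set to false still snapshots and uploads its cluster state. Keep the flag on every task, `when: consul_backup_enabled | bool`, and on the upload combine it with the success check, `- snapshot_result is succeeded`. In the first hunk, the fallback runs `pip` as root with `extra_args: --break-system-packages`, which overwrites distro-managed Python packages; if the apt package is unavailable, a virtualenv (`virtualenv:` on the pip module) or a pinned standalone install avoids altering the system interpreter.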
@@ -40,7 +39,7 @@ - name: Upload backup to MinIO (S3) ansible.builtin.command: > - aws s3 cp /tmp/consul-backups/{{ consul_backup_name }}.snap + /usr/local/bin/aws s3 cp /tmp/consul-backups/{{ consul_backup_name }}.snap s3://{{ consul_backup_bucket }}/consul-backups/{{ consul_backup_name }}.snap --endpoint-url {{ consul_backup_minio_endpoint }} --no-verify-ssl @@ -53,8 +52,7 @@ until: upload_result.rc == 0 run_once: true become: true - when: - - snapshot_result is succeeded + when: snapshot_result is succeeded - name: Delete local backup file ansible.builtin.file: From 86134b39698b028a392e07140d809a4e7d3980bb Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Thu, 9 Apr 2026 12:46:50 +0530 Subject: [PATCH 351/412] Update backup.yml --- tasks/backup.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/tasks/backup.yml b/tasks/backup.yml index 18cb15c..9055c41 100644 --- a/tasks/backup.yml +++ b/tasks/backup.yml @@ -1,14 +1,14 @@ --- -- name: Install awscli via apt +- name: Install AWS CLI (Try apt first with correct name) ansible.builtin.apt: - name: awscli + name: aws-cli state: present update_cache: true become: true register: apt_install ignore_errors: true -- name: Install awscli via pip (fallback) +- name: Install AWS CLI via pip (Fallback for missing packages) ansible.builtin.pip: name: awscli state: present @@ -39,7 +39,7 @@ - name: Upload backup to MinIO (S3) ansible.builtin.command: > - /usr/local/bin/aws s3 cp /tmp/consul-backups/{{ consul_backup_name }}.snap + aws s3 cp /tmp/consul-backups/{{ consul_backup_name }}.snap s3://{{ consul_backup_bucket }}/consul-backups/{{ consul_backup_name }}.snap --endpoint-url {{ consul_backup_minio_endpoint }} --no-verify-ssl From ca916af2fb37a25705875e562630f4403e885d9e Mon Sep 17 00:00:00 2001 
From: AnithaAnnem Date: Thu, 9 Apr 2026 12:50:18 +0530 Subject: [PATCH 352/412] Update backup.yml --- tasks/backup.yml | 43 +++++++++++++++++++++++++++++-------------- 1 file changed, 29 insertions(+), 14 deletions(-) diff --git a/tasks/backup.yml b/tasks/backup.yml index 9055c41..4cad209 100644 --- a/tasks/backup.yml +++ b/tasks/backup.yml @@ -1,20 +1,35 @@ --- -- name: Install AWS CLI (Try apt first with correct name) - ansible.builtin.apt: - name: aws-cli - state: present - update_cache: true - become: true - register: apt_install +- name: Check if AWS CLI is installed + ansible.builtin.command: aws --version + register: aws_check ignore_errors: true + changed_when: false -- name: Install AWS CLI via pip (Fallback for missing packages) - ansible.builtin.pip: - name: awscli - state: present - extra_args: --break-system-packages - become: true - when: apt_install is failed +- name: Install AWS CLI v2 + block: + - name: Install unzip + ansible.builtin.package: + name: unzip + state: present + become: true + + - name: Download AWS CLI v2 bundle + ansible.builtin.get_url: + url: "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" + dest: "/tmp/awscliv2.zip" + mode: '0644' + + - name: Unarchive AWS CLI bundle + ansible.builtin.unarchive: + src: "/tmp/awscliv2.zip" + dest: "/tmp" + remote_src: true + + - name: Run AWS CLI installation script + ansible.builtin.command: + cmd: "/tmp/aws/install --update" + become: true + when: aws_check.failed - name: Set backup name ansible.builtin.set_fact: From a8b6d6b6c28f30699c47d65cb67fca57e1398ed4 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Thu, 9 Apr 2026 13:05:58 +0530 Subject: [PATCH 353/412] Update main.yml --- defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index a019018..dc6d3f8 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
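Review bot: The `Install AWS CLI v2` block downloads `awscli-exe-linux-x86_64.zip` with no `checksum:`, unpacks it into the world-writable `/tmp`, and then runs `/tmp/aws/install --update` as root, so any local user who can replace `/tmp/aws` between the unarchive and the install step gets code executed under `become: true`. Add `checksum: "sha256:<expected-digest-placeholder>"` to the `get_url` task and stage the archive in a directory created for this run with `ansible.builtin.tempfile` (`state: directory`) or a root-owned `mode: "0700"` path instead of `/tmp`. `ignore_errors: true` on the `aws --version` probe also reports a red failure on every fresh host; `failed_when: false` on the probe with `when: aws_check.rc != 0` on the block reads cleaner.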
@@ -43,7 +43,7 @@ consul_prometheus_retention: "60s" # Backup & DR Configuration consul_backup_enabled: true -consul_backup_minio_endpoint: "{{ lookup('env', 'MINIO_Endpoint') }}" +consul_backup_minio_endpoint: "{{ lookup('env', 'MINIO_PUBLIC_ENDPOINT') }}" consul_backup_bucket: "consul-backups" consul_backups_to_keep_remote: 7 From 6548b60027205ac74cf31f28249a5778ceeb923a Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Thu, 9 Apr 2026 13:26:38 +0530 Subject: [PATCH 354/412] Update main.yml --- defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index dc6d3f8..a019018 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -43,7 +43,7 @@ consul_prometheus_retention: "60s" # Backup & DR Configuration consul_backup_enabled: true -consul_backup_minio_endpoint: "{{ lookup('env', 'MINIO_PUBLIC_ENDPOINT') }}" +consul_backup_minio_endpoint: "{{ lookup('env', 'MINIO_Endpoint') }}" consul_backup_bucket: "consul-backups" consul_backups_to_keep_remote: 7 From f8d211b2b4676ccd89c44a99bf42f76fe8389989 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Thu, 9 Apr 2026 13:32:51 +0530 Subject: [PATCH 355/412] Update main.yml --- defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index a019018..5b9a191 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -44,7 +44,7 @@ consul_prometheus_retention: "60s" # Backup & DR Configuration consul_backup_enabled: true consul_backup_minio_endpoint: "{{ lookup('env', 'MINIO_Endpoint') }}" -consul_backup_bucket: "consul-backups" +consul_backup_bucket: "consul" consul_backups_to_keep_remote: 7 # S3/MinIO backup credentials From f97f5695885726c6e918c1c2c4d050d72e1d6067 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Thu, 9 Apr 2026 13:42:11 +0530 Subject: [PATCH 356/412] Update main.yml --- defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/defaults/main.yml b/defaults/main.yml index 5b9a191..5e4455d 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -48,5 +48,5 @@ consul_backup_bucket: "consul" consul_backups_to_keep_remote: 7 # S3/MinIO backup credentials -consul_backup_s3_access_key: "{{ lookup('env', 'MINIO_ACCESS_KEY') }}" -consul_backup_s3_secret_key: "{{ lookup('env', 'MINIO_SECRET_KEY') }}" +consul_backup_s3_access_key: "{{ lookup('env', 'MINIO_consul_accesskey') }}" +consul_backup_s3_secret_key: "{{ lookup('env', 'MINIO_consul_secretkey') }}" From 899a5291bb8b124cc6703623a6b6ffcf7e496d78 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Thu, 9 Apr 2026 14:01:30 +0530 Subject: [PATCH 357/412] Update backup.yml --- tasks/backup.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/backup.yml b/tasks/backup.yml index 4cad209..3865beb 100644 --- a/tasks/backup.yml +++ b/tasks/backup.yml @@ -55,7 +55,7 @@ - name: Upload backup to MinIO (S3) ansible.builtin.command: > aws s3 cp /tmp/consul-backups/{{ consul_backup_name }}.snap - s3://{{ consul_backup_bucket }}/consul-backups/{{ consul_backup_name }}.snap + s3://{{ consul_backup_bucket }}/{{ consul_backup_name }}.snap --endpoint-url {{ consul_backup_minio_endpoint }} --no-verify-ssl environment: From fee2997d927e237938de3d9f9838eb280abc183d Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Thu, 9 Apr 2026 15:00:41 +0530 Subject: [PATCH 358/412] Update main.yml --- defaults/main.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 5e4455d..38d01a3 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -43,10 +43,10 @@ consul_prometheus_retention: "60s" # Backup & DR Configuration consul_backup_enabled: true -consul_backup_minio_endpoint: "{{ lookup('env', 'MINIO_Endpoint') }}" +consul_backup_minio_endpoint: "http://minio.ldc.opstree.dev:8443" consul_backup_bucket: "consul" consul_backups_to_keep_remote: 7 # S3/MinIO backup credentials -consul_backup_s3_access_key: "{{ lookup('env', 'MINIO_consul_accesskey') }}" -consul_backup_s3_secret_key: "{{ lookup('env', 'MINIO_consul_secretkey') }}" +consul_backup_s3_access_key: "minioadmin" +consul_backup_s3_secret_key: "opstreeadmin@2510" From b2d3cd48d64789f5450ea709ba149e47c11bbb5f Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Thu, 9 Apr 2026 15:42:47 +0530 Subject: [PATCH 359/412] Update backup.yml --- tasks/backup.yml | 35 +++++++++++++++++++++++++++++------ 1 file changed, 29 insertions(+), 6 deletions(-) diff --git a/tasks/backup.yml b/tasks/backup.yml index 3865beb..1dee7c4 100644 --- a/tasks/backup.yml +++ b/tasks/backup.yml @@ -31,9 +31,10 @@ become: true when: aws_check.failed -- name: Set backup name +- name: Set backup name (Fix: Use a single timestamp) ansible.builtin.set_fact: - consul_backup_name: "consul_backup_{{ lookup('pipe', 'date +%Y%m%d_%H%M%S') }}" + # Defining it once here ensures the name doesn't change if the tasks take time + consul_backup_filename: "consul_backup_{{ ansible_date_time.iso8601_basic_short }}.snap" - name: Ensure backup directory exists ansible.builtin.file: @@ -41,6 +42,11 @@ state: directory mode: "0755" +- name: Verify snapshot file exists before upload + ansible.builtin.stat: + path: "/tmp/consul-backups/{{ consul_backup_filename }}" + register: snapshot_file + - name: Take Consul snapshot ansible.builtin.command: cmd: "consul snapshot save /tmp/consul-backups/{{ consul_backup_name }}.snap" 
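Review bot: This hunk replaces the `lookup('env', ...)` references with a literal MinIO endpoint, access key and secret key in `defaults/main.yml`, which commits live credentials to the repository. A later commit in this series restores the env lookups, but the values remain in git history, so the MinIO key pair should be treated as compromised and rotated. Keep `consul_backup_s3_access_key: "{{ lookup('env', 'MINIO_consul_accesskey') }}"` and `consul_backup_s3_secret_key: "{{ lookup('env', 'MINIO_consul_secretkey') }}"` (or Ansible Vault variables) in defaults; the endpoint is also switched to plain `http://`, which would send those keys in the clear.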
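Review bot: In the `@@ -31,9 +31,10 @@` and `@@ -41,6 +42,11 @@` hunks of the backup.yml change, the fact is renamed to `consul_backup_filename` but the `Take Consul snapshot` task (its body continues outside the hunk) still uses `{{ consul_backup_name }}`, which nothing in this file defines any more, and the new `Verify snapshot file exists before upload` stat task is placed before the snapshot is taken, so `snapshot_file.stat.exists` is evaluated on a file that does not exist yet and the upload is always skipped. Move the stat task after the snapshot task and change the snapshot path to `cmd: "consul snapshot save /tmp/consul-backups/{{ consul_backup_filename }}"`. `ansible_date_time` also requires facts to be gathered for the play; with `gather_facts: false` the `set_fact` fails.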
@@ -52,22 +58,39 @@ become: true changed_when: snapshot_result.rc == 0 +# - name: Upload backup to MinIO (S3) +# ansible.builtin.command: > +# aws s3 cp /tmp/consul-backups/{{ consul_backup_name }}.snap +# s3://{{ consul_backup_bucket }}/{{ consul_backup_name }}.snap +# --endpoint-url {{ consul_backup_minio_endpoint }} +# --no-verify-ssl +# environment: +# AWS_ACCESS_KEY_ID: "{{ consul_backup_s3_access_key }}" +# AWS_SECRET_ACCESS_KEY: "{{ consul_backup_s3_secret_key }}" +# register: upload_result +# retries: 3 +# delay: 20 +# until: upload_result.rc == 0 +# run_once: true +# become: true +# when: snapshot_result is succeeded - name: Upload backup to MinIO (S3) ansible.builtin.command: > - aws s3 cp /tmp/consul-backups/{{ consul_backup_name }}.snap - s3://{{ consul_backup_bucket }}/{{ consul_backup_name }}.snap + aws s3 cp /tmp/consul-backups/{{ consul_backup_filename }} + s3://{{ consul_backup_bucket }}/{{ consul_backup_filename }} --endpoint-url {{ consul_backup_minio_endpoint }} --no-verify-ssl environment: AWS_ACCESS_KEY_ID: "{{ consul_backup_s3_access_key }}" AWS_SECRET_ACCESS_KEY: "{{ consul_backup_s3_secret_key }}" + AWS_REGION: "us-east-1" # AWS CLI often requires a region set, even for MinIO register: upload_result retries: 3 delay: 20 until: upload_result.rc == 0 - run_once: true + # Only run if the file actually exists on this host + when: snapshot_file.stat.exists become: true - when: snapshot_result is succeeded - name: Delete local backup file ansible.builtin.file: From 6b91d2746da7da17db4cc530c3a3febb55e0bad7 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Thu, 9 Apr 2026 16:19:32 +0530 Subject: [PATCH 360/412] Update backup.yml --- tasks/backup.yml | 140 +++++++++++++++++++++++++++++++++++++---------- 1 file changed, 111 insertions(+), 29 deletions(-) diff --git a/tasks/backup.yml b/tasks/backup.yml index 1dee7c4..e7b884b 100644 --- a/tasks/backup.yml +++ b/tasks/backup.yml 
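Review bot: This hunk keeps a commented-out copy of the previous `Upload backup to MinIO (S3)` task above the live one; git history already holds the old version, the copy will drift from the real task, and the same pattern recurs at larger scale in the next commit's first hunk (`@@ -1,3 +1,97 @@`), which pastes a commented copy of the whole file above the `---`. Delete the `# - name: Upload backup to MinIO (S3)` block. Dropping `run_once: true` means every host in the play now uploads its own snapshot, which is reasonable for per-server backups but should be stated in the task name or a one-line comment so it is not read as accidental.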
@@ -1,3 +1,97 @@ +# --- +# - name: Check if AWS CLI is installed +# ansible.builtin.command: aws --version +# register: aws_check +# ignore_errors: true +# changed_when: false + +# - name: Install AWS CLI v2 +# block: +# - name: Install unzip +# ansible.builtin.package: +# name: unzip +# state: present +# become: true + +# - name: Download AWS CLI v2 bundle +# ansible.builtin.get_url: +# url: "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" +# dest: "/tmp/awscliv2.zip" +# mode: '0644' + +# - name: Unarchive AWS CLI bundle +# ansible.builtin.unarchive: +# src: "/tmp/awscliv2.zip" +# dest: "/tmp" +# remote_src: true + +# - name: Run AWS CLI installation script +# ansible.builtin.command: +# cmd: "/tmp/aws/install --update" +# become: true +# when: aws_check.failed + +# - name: Set backup name (Fix: Use a single timestamp) +# ansible.builtin.set_fact: +# # Defining it once here ensures the name doesn't change if the tasks take time +# consul_backup_filename: "consul_backup_{{ ansible_date_time.iso8601_basic_short }}.snap" + +# - name: Ensure backup directory exists +# ansible.builtin.file: +# path: /tmp/consul-backups +# state: directory +# mode: "0755" + +# - name: Verify snapshot file exists before upload +# ansible.builtin.stat: +# path: "/tmp/consul-backups/{{ consul_backup_filename }}" +# register: snapshot_file + +# - name: Take Consul snapshot +# ansible.builtin.command: +# cmd: "consul snapshot save /tmp/consul-backups/{{ consul_backup_name }}.snap" +# environment: +# CONSUL_HTTP_ADDR: "https://127.0.0.1:{{ consul_https_port }}" +# CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" +# CONSUL_HTTP_SSL_VERIFY: "false" +# register: snapshot_result +# become: true +# changed_when: snapshot_result.rc == 0 + +# # - name: Upload backup to MinIO (S3) +# # ansible.builtin.command: > +# # aws s3 cp /tmp/consul-backups/{{ consul_backup_name }}.snap +# # s3://{{ consul_backup_bucket }}/{{ consul_backup_name }}.snap +# # --endpoint-url {{ consul_backup_minio_endpoint 
}} +# # --no-verify-ssl +# # environment: +# # AWS_ACCESS_KEY_ID: "{{ consul_backup_s3_access_key }}" +# # AWS_SECRET_ACCESS_KEY: "{{ consul_backup_s3_secret_key }}" +# # register: upload_result +# # retries: 3 +# # delay: 20 +# # until: upload_result.rc == 0 +# # run_once: true +# # become: true +# # when: snapshot_result is succeeded +# - name: Upload backup to MinIO (S3) +# ansible.builtin.command: > +# aws s3 cp /tmp/consul-backups/{{ consul_backup_filename }} +# s3://{{ consul_backup_bucket }}/{{ consul_backup_filename }} +# --endpoint-url {{ consul_backup_minio_endpoint }} +# --no-verify-ssl +# environment: +# AWS_ACCESS_KEY_ID: "{{ consul_backup_s3_access_key }}" +# AWS_SECRET_ACCESS_KEY: "{{ consul_backup_s3_secret_key }}" +# AWS_REGION: "us-east-1" # AWS CLI often requires a region set, even for MinIO +# register: upload_result +# retries: 3 +# delay: 20 +# until: upload_result.rc == 0 +# # Only run if the file actually exists on this host +# when: snapshot_file.stat.exists +# become: true + --- - name: Check if AWS CLI is installed ansible.builtin.command: aws --version @@ -31,10 +125,9 @@ become: true when: aws_check.failed -- name: Set backup name (Fix: Use a single timestamp) +- name: "Set backup name using timestamp" ansible.builtin.set_fact: - # Defining it once here ensures the name doesn't change if the tasks take time - consul_backup_filename: "consul_backup_{{ ansible_date_time.iso8601_basic_short }}.snap" + consul_backup_filename: "consul_backup_{{ lookup('pipe', 'date +%Y%m%d_%H%M%S') }}.snap" - name: Ensure backup directory exists ansible.builtin.file: 
@@ -42,14 +135,9 @@ state: directory mode: "0755" -- name: Verify snapshot file exists before upload - ansible.builtin.stat: - path: "/tmp/consul-backups/{{ consul_backup_filename }}" - register: snapshot_file - - name: Take Consul snapshot ansible.builtin.command: - cmd: "consul snapshot save /tmp/consul-backups/{{ consul_backup_name }}.snap" + cmd: "consul snapshot save /tmp/consul-backups/{{ consul_backup_filename }}" environment: CONSUL_HTTP_ADDR: "https://127.0.0.1:{{ consul_https_port }}" CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" @@ -58,22 +146,11 @@ become: true changed_when: snapshot_result.rc == 0 -# - name: Upload backup to MinIO (S3) -# ansible.builtin.command: > -# aws s3 cp /tmp/consul-backups/{{ consul_backup_name }}.snap -# s3://{{ consul_backup_bucket }}/{{ consul_backup_name }}.snap -# --endpoint-url {{ consul_backup_minio_endpoint }} -# --no-verify-ssl -# environment: -# AWS_ACCESS_KEY_ID: "{{ consul_backup_s3_access_key }}" -# AWS_SECRET_ACCESS_KEY: "{{ consul_backup_s3_secret_key }}" -# register: upload_result -# retries: 3 -# delay: 20 -# until: upload_result.rc == 0 -# run_once: true -# become: true -# when: snapshot_result is succeeded +- name: Verify snapshot file exists before upload + ansible.builtin.stat: + path: "/tmp/consul-backups/{{ consul_backup_filename }}" + register: snapshot_file + - name: Upload backup to MinIO (S3) ansible.builtin.command: > aws s3 cp /tmp/consul-backups/{{ consul_backup_filename }} 
@@ -83,16 +160,21 @@ environment: AWS_ACCESS_KEY_ID: "{{ consul_backup_s3_access_key }}" AWS_SECRET_ACCESS_KEY: "{{ consul_backup_s3_secret_key }}" - AWS_REGION: "us-east-1" # AWS CLI often requires a region set, even for MinIO + AWS_REGION: "us-east-1" register: upload_result retries: 3 delay: 20 until: upload_result.rc == 0 - # Only run if the file actually exists on this host - when: snapshot_file.stat.exists + when: snapshot_file.stat.exists become: true - name: Delete local backup file ansible.builtin.file: - path: "/tmp/consul-backups/{{ consul_backup_name }}.snap" + path: "/tmp/consul-backups/{{ consul_backup_filename }}" state: absent + when: upload_result is succeeded + +# - name: Delete local backup file +# ansible.builtin.file: +# path: "/tmp/consul-backups/{{ consul_backup_name }}.snap" +# state: absent From 810ea8baae0d4d152ba5ec0a5e0d335fb4da2a8f Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Thu, 9 Apr 2026 16:26:40 +0530 Subject: [PATCH 361/412] Update main.yml --- defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index 38d01a3..82a7016 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -43,7 +43,7 @@ consul_prometheus_retention: "60s" # Backup & DR Configuration consul_backup_enabled: true -consul_backup_minio_endpoint: "http://minio.ldc.opstree.dev:8443" +consul_backup_minio_endpoint: "https://minio.ldc.opstree.dev:8443" consul_backup_bucket: "consul" consul_backups_to_keep_remote: 7 From 56f9c804797e6aee34284f78b37a1f3f4e360e94 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Thu, 9 Apr 2026 16:28:11 +0530 Subject: [PATCH 362/412] Update backup.yml --- tasks/backup.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/tasks/backup.yml b/tasks/backup.yml index e7b884b..f2c7a29 100644 --- a/tasks/backup.yml +++ b/tasks/backup.yml 
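Review bot: The delete task now runs only `when: upload_result is succeeded`, and because the upload uses `until` with `retries: 3`, an exhausted retry fails the play before this task is reached, so every failed upload leaves a full cluster snapshot (KV data and ACL tokens) behind under the world-readable `/tmp/consul-backups`. Put the snapshot, upload and delete tasks in a `block` with an `always:` section that removes the local file, so a failed upload does not leave the snapshot on disk. The trailing `# - name: Delete local backup file` comment block is another dead copy and should go.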
@@ -161,6 +161,8 @@ AWS_ACCESS_KEY_ID: "{{ consul_backup_s3_access_key }}" AWS_SECRET_ACCESS_KEY: "{{ consul_backup_s3_secret_key }}" AWS_REGION: "us-east-1" + # Force path-style for MinIO compatibility + AWS_EC2_METADATA_DISABLED: "true" register: upload_result retries: 3 delay: 20 @@ -168,6 +170,10 @@ when: snapshot_file.stat.exists become: true +- name: Debug Upload Output + ansible.builtin.debug: + var: upload_result.stdout + - name: Delete local backup file ansible.builtin.file: path: "/tmp/consul-backups/{{ consul_backup_filename }}" From 0748de730158276d1139a5547f785a46f887c517 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Thu, 9 Apr 2026 16:34:33 +0530 Subject: [PATCH 363/412] Update main.yml --- defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index 82a7016..7c6460b 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -43,7 +43,7 @@ consul_prometheus_retention: "60s" # Backup & DR Configuration consul_backup_enabled: true -consul_backup_minio_endpoint: "https://minio.ldc.opstree.dev:8443" +consul_backup_minio_endpoint: "https://minio.ldc.opstree.dev:9000" consul_backup_bucket: "consul" consul_backups_to_keep_remote: 7 From bd32edd592ca2b44e7a934f78f05d72834427e7e Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Thu, 9 Apr 2026 16:57:52 +0530 Subject: [PATCH 364/412] Update backup.yml --- tasks/backup.yml | 120 +++++------------------------------------------ 1 file changed, 12 insertions(+), 108 deletions(-) diff --git a/tasks/backup.yml b/tasks/backup.yml index f2c7a29..e01c531 100644 --- a/tasks/backup.yml +++ b/tasks/backup.yml 
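Review bot: The comment `# Force path-style for MinIO compatibility` does not describe `AWS_EC2_METADATA_DISABLED: "true"`, which only stops the CLI from querying the instance metadata service for credentials; path-style addressing is configured through the CLI's S3 `addressing_style` setting (`aws configure set default.s3.addressing_style path`) and is not affected by this variable. Reword the comment to `# Skip the IMDS credential lookup; static keys are supplied above`, and add the real path-style setting if MinIO needs it. The new `Debug Upload Output` task prints `upload_result.stdout` on every run; if it is meant to stay, add `verbosity: 1` so it only appears under `-v`.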
@@ -1,97 +1,3 @@ -# --- -# - name: Check if AWS CLI is installed -# ansible.builtin.command: aws --version -# register: aws_check -# ignore_errors: true -# changed_when: false - -# - name: Install AWS CLI v2 -# block: -# - name: Install unzip -# ansible.builtin.package: -# name: unzip -# state: present -# become: true - -# - name: Download AWS CLI v2 bundle -# ansible.builtin.get_url: -# url: "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -# dest: "/tmp/awscliv2.zip" -# mode: '0644' - -# - name: Unarchive AWS CLI bundle -# ansible.builtin.unarchive: -# src: "/tmp/awscliv2.zip" -# dest: "/tmp" -# remote_src: true - -# - name: Run AWS CLI installation script -# ansible.builtin.command: -# cmd: "/tmp/aws/install --update" -# become: true -# when: aws_check.failed - -# - name: Set backup name (Fix: Use a single timestamp) -# ansible.builtin.set_fact: -# # Defining it once here ensures the name doesn't change if the tasks take time -# consul_backup_filename: "consul_backup_{{ ansible_date_time.iso8601_basic_short }}.snap" - -# - name: Ensure backup directory exists -# ansible.builtin.file: -# path: /tmp/consul-backups -# state: directory -# mode: "0755" - -# - name: Verify snapshot file exists before upload -# ansible.builtin.stat: -# path: "/tmp/consul-backups/{{ consul_backup_filename }}" -# register: snapshot_file - -# - name: Take Consul snapshot -# ansible.builtin.command: -# cmd: "consul snapshot save /tmp/consul-backups/{{ consul_backup_name }}.snap" -# environment: -# CONSUL_HTTP_ADDR: "https://127.0.0.1:{{ consul_https_port }}" -# CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" -# CONSUL_HTTP_SSL_VERIFY: "false" -# register: snapshot_result -# become: true -# changed_when: snapshot_result.rc == 0 - -# # - name: Upload backup to MinIO (S3) -# # ansible.builtin.command: > -# # aws s3 cp /tmp/consul-backups/{{ consul_backup_name }}.snap -# # s3://{{ consul_backup_bucket }}/{{ consul_backup_name }}.snap -# # --endpoint-url {{ consul_backup_minio_endpoint 
}} -# # --no-verify-ssl -# # environment: -# # AWS_ACCESS_KEY_ID: "{{ consul_backup_s3_access_key }}" -# # AWS_SECRET_ACCESS_KEY: "{{ consul_backup_s3_secret_key }}" -# # register: upload_result -# # retries: 3 -# # delay: 20 -# # until: upload_result.rc == 0 -# # run_once: true -# # become: true -# # when: snapshot_result is succeeded -# - name: Upload backup to MinIO (S3) -# ansible.builtin.command: > -# aws s3 cp /tmp/consul-backups/{{ consul_backup_filename }} -# s3://{{ consul_backup_bucket }}/{{ consul_backup_filename }} -# --endpoint-url {{ consul_backup_minio_endpoint }} -# --no-verify-ssl -# environment: -# AWS_ACCESS_KEY_ID: "{{ consul_backup_s3_access_key }}" -# AWS_SECRET_ACCESS_KEY: "{{ consul_backup_s3_secret_key }}" -# AWS_REGION: "us-east-1" # AWS CLI often requires a region set, even for MinIO -# register: upload_result -# retries: 3 -# delay: 20 -# until: upload_result.rc == 0 -# # Only run if the file actually exists on this host -# when: snapshot_file.stat.exists -# become: true - --- - name: Check if AWS CLI is installed ansible.builtin.command: aws --version 
@@ -125,19 +31,23 @@ become: true when: aws_check.failed -- name: "Set backup name using timestamp" +- name: "Set backup constants" ansible.builtin.set_fact: + consul_backup_dir: "/var/backups/consul" consul_backup_filename: "consul_backup_{{ lookup('pipe', 'date +%Y%m%d_%H%M%S') }}.snap" -- name: Ensure backup directory exists +- name: Ensure secure backup directory exists ansible.builtin.file: - path: /tmp/consul-backups + path: "{{ consul_backup_dir }}" state: directory - mode: "0755" + owner: "{{ consul_user | default('consul') }}" + group: "{{ consul_group | default('consul') }}" + mode: "0700" + become: true - name: Take Consul snapshot ansible.builtin.command: - cmd: "consul snapshot save /tmp/consul-backups/{{ consul_backup_filename }}" + cmd: "consul snapshot save {{ consul_backup_dir }}/{{ consul_backup_filename }}" environment: CONSUL_HTTP_ADDR: "https://127.0.0.1:{{ consul_https_port }}" CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" @@ -148,12 +58,12 @@ - name: Verify snapshot file exists before upload ansible.builtin.stat: - path: "/tmp/consul-backups/{{ consul_backup_filename }}" + path: "{{ consul_backup_dir }}/{{ consul_backup_filename }}" register: snapshot_file - name: Upload backup to MinIO (S3) ansible.builtin.command: > - aws s3 cp /tmp/consul-backups/{{ consul_backup_filename }} + aws s3 cp {{ consul_backup_dir }}/{{ consul_backup_filename }} s3://{{ consul_backup_bucket }}/{{ consul_backup_filename }} --endpoint-url {{ consul_backup_minio_endpoint }} --no-verify-ssl @@ -161,7 +71,6 @@ AWS_ACCESS_KEY_ID: "{{ consul_backup_s3_access_key }}" AWS_SECRET_ACCESS_KEY: "{{ consul_backup_s3_secret_key }}" AWS_REGION: "us-east-1" - # Force path-style for MinIO compatibility AWS_EC2_METADATA_DISABLED: "true" register: upload_result retries: 3 
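Review bot: The backup directory is now `mode: "0700"` owned by `consul_user`, but the `Verify snapshot file exists before upload` stat task in the `@@ -148,12 +58,12 @@` hunk shows no `become`, so unless the connecting user is root or the consul user the stat cannot enter the directory, `snapshot_file.stat.exists` is false and the upload is silently skipped; the `Delete local backup file` task in the next hunk (`@@ -176,11 +85,6 @@`) has the same gap and will fail on a root-owned snapshot. Add `become: true` to both tasks. The snapshot and upload still run with `CONSUL_HTTP_SSL_VERIFY: "false"` and `--no-verify-ssl`, so the directory hardening does not yet cover the credentials in transit.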
@@ -176,11 +85,6 @@ - name: Delete local backup file ansible.builtin.file: - path: "/tmp/consul-backups/{{ consul_backup_filename }}" + path: "{{ consul_backup_dir }}/{{ consul_backup_filename }}" state: absent when: upload_result is succeeded - -# - name: Delete local backup file -# ansible.builtin.file: -# path: "/tmp/consul-backups/{{ consul_backup_name }}.snap" -# state: absent From dec580d3df0a263c9f16a5dcdccf80b5188462eb Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Sat, 11 Apr 2026 10:30:31 +0530 Subject: [PATCH 365/412] Update main.yml --- defaults/main.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 7c6460b..5e4455d 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -43,10 +43,10 @@ consul_prometheus_retention: "60s" # Backup & DR Configuration consul_backup_enabled: true -consul_backup_minio_endpoint: "https://minio.ldc.opstree.dev:9000" +consul_backup_minio_endpoint: "{{ lookup('env', 'MINIO_Endpoint') }}" consul_backup_bucket: "consul" consul_backups_to_keep_remote: 7 # S3/MinIO backup credentials -consul_backup_s3_access_key: "minioadmin" -consul_backup_s3_secret_key: "opstreeadmin@2510" +consul_backup_s3_access_key: "{{ lookup('env', 'MINIO_consul_accesskey') }}" +consul_backup_s3_secret_key: "{{ lookup('env', 'MINIO_consul_secretkey') }}" From b7d0ceb88363e1753c8206e69c44e63bd3065f47 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Wed, 29 Apr 2026 16:43:41 +0530 Subject: [PATCH 366/412] Update main.yml --- defaults/main.yml | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/defaults/main.yml b/defaults/main.yml index 5e4455d..d4855ba 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -50,3 +50,14 @@ consul_backups_to_keep_remote: 7 # S3/MinIO backup credentials consul_backup_s3_access_key: "{{ lookup('env', 'MINIO_consul_accesskey') }}" consul_backup_s3_secret_key: "{{ lookup('env', 'MINIO_consul_secretkey') }}" + + +# SSO / OIDC Configuration +consul_oidc_enabled: true +consul_public_url: "https://consul.opstree.dev" # Matches your Keycloak Home URL +keycloak_url: "https://keycloak.opstree.dev" +keycloak_realm: "master" + +# Use the Client ID and Secret from your Keycloak console +consul_oidc_client_id: "consul" +consul_oidc_client_secret: "gDshZG8hRy9CBX5Vg8kXZiOsQil89NCN" From b7f51281876f12b34b7097f9d660c98706fe036b Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Wed, 29 Apr 2026 16:47:54 +0530 Subject: [PATCH 367/412] Update main.yml --- defaults/main.yml | 21 ++++++++++----------- 1 file changed, 10 insertions(+), 11 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index d4855ba..7705828 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -34,6 +34,16 @@ consul_agent_token: "" consul_client_addr: "0.0.0.0" +# SSO / OIDC Configuration +consul_oidc_enabled: true +consul_public_url: "https://consul.opstree.dev" # Matches your Keycloak Home URL +keycloak_url: "https://keycloak.opstree.dev" +keycloak_realm: "master" + +# Use the Client ID and Secret from your Keycloak console +consul_oidc_client_id: "consul" +consul_oidc_client_secret: "gDshZG8hRy9CBX5Vg8kXZiOsQil89NCN" + # Gossip Encryption consul_gossip_key: "" 
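Review bot: `consul_oidc_client_secret` is committed as a literal in `defaults/main.yml`, right after the previous commit moved the MinIO credentials to `lookup('env', ...)`; the OIDC secret should follow the same route, e.g. `consul_oidc_client_secret: "{{ lookup('env', 'CONSUL_OIDC_CLIENT_SECRET') | mandatory }}"` (variable name illustrative) or a vaulted variable, and the value already committed should be regenerated in Keycloak. The same literal is carried through the later `Update main.yml` commits that move this block, rotate it to a new literal and trim its comments — the fix above applies to each of them. `consul_oidc_enabled: true` as a role default switches the OIDC tasks on for every consumer of the role; defaulting to `false` with an explicit opt-in avoids a surprise ACL auth method on clusters that never asked for one. The `consul_public_url`/`keycloak_url` defaults name one specific deployment; a comment saying they must be overridden would help.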
@@ -50,14 +60,3 @@ consul_backups_to_keep_remote: 7 # S3/MinIO backup credentials consul_backup_s3_access_key: "{{ lookup('env', 'MINIO_consul_accesskey') }}" consul_backup_s3_secret_key: "{{ lookup('env', 'MINIO_consul_secretkey') }}" - - -# SSO / OIDC Configuration -consul_oidc_enabled: true -consul_public_url: "https://consul.opstree.dev" # Matches your Keycloak Home URL -keycloak_url: "https://keycloak.opstree.dev" -keycloak_realm: "master" - -# Use the Client ID and Secret from your Keycloak console -consul_oidc_client_id: "consul" -consul_oidc_client_secret: "gDshZG8hRy9CBX5Vg8kXZiOsQil89NCN" From bc2ffc7526d416e3f0e0a14896c00e4d941107d9 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Wed, 29 Apr 2026 16:52:39 +0530 Subject: [PATCH 368/412] Update server.hcl.j2 --- templates/server.hcl.j2 | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/templates/server.hcl.j2 b/templates/server.hcl.j2 index 8563bbf..067b339 100644 --- a/templates/server.hcl.j2 +++ b/templates/server.hcl.j2 @@ -28,11 +28,13 @@ acl { default_policy = "{{ consul_acl_default_policy }}" enable_token_persistence = {{ consul_acl_token_persistence | lower }} -{% if consul_agent_token is defined and consul_agent_token != "" %} tokens { + # Added initial_management for SSO UI functionality + initial_management = "{{ consul_master_token }}" + {% if consul_agent_token is defined and consul_agent_token != "" %} agent = "{{ consul_agent_token }}" + {% endif %} } -{% endif %} } ports { @@ -42,7 +44,6 @@ ports { tls { defaults { - ca_file = "{{ consul_config_dir }}/certs/tls.crt" cert_file = "{{ consul_config_dir }}/certs/tls.crt" key_file = "{{ consul_config_dir }}/certs/tls.key" From 4f64c8f9787c5a40e94f9b1103549b745e979ec1 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Wed, 29 Apr 2026 16:54:33 +0530 Subject: [PATCH 369/412] Create oidc.yml --- tasks/oidc.yml | 39 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 39 insertions(+) create mode 100644 tasks/oidc.yml 
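Review bot: `initial_management = "{{ consul_master_token }}"` is now rendered unconditionally into `server.hcl`, so the management token is persisted in the agent configuration on every host this template reaches, including client agents if they share it; `initial_management` is only consumed when a fresh cluster bootstraps its ACL system, so on an already-bootstrapped cluster it does nothing for the UI while widening where the root token lives on disk. SSO access to the UI is granted through the auth method and binding rules, not this setting, so the comment `# Added initial_management for SSO UI functionality` describes an effect the line does not have; if a bootstrap token in config is still wanted, guard it with the role's server/client flag (not visible in the hunk) and keep the rendered file `0600`. Removing `ca_file` from `tls.defaults` is correct only if `verify_incoming`/`verify_outgoing` are off for these listeners; those keys are outside the hunk, so please confirm, because with verification on the agent can no longer validate peer certificates.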
diff --git a/tasks/oidc.yml b/tasks/oidc.yml
new file mode 100644
index 0000000..a2adf41
--- /dev/null
+++ b/tasks/oidc.yml
@@ -0,0 +1,39 @@
+---
+- name: Create Keycloak OIDC Auth Method
+ ansible.builtin.command: >
+ consul acl auth-method create
+ -name "keycloak"
+ -type "oidc"
+ -description "SSO via Keycloak"
+ -config '{
+ "AllowedRedirectURIs": ["{{ consul_public_url }}/ui/oidc/callback"],
+ "OIDCDiscoveryURL": "{{ keycloak_url }}/realms/{{ keycloak_realm }}",
+ "OIDCClientID": "{{ consul_oidc_client_id }}",
+ "OIDCClientSecret": "{{ consul_oidc_client_secret }}"
+ }'
+ environment:
+ CONSUL_HTTP_ADDR: "https://127.0.0.1:{{ consul_https_port }}"
+ CONSUL_HTTP_TOKEN: "{{ consul_master_token }}"
+ CONSUL_HTTP_SSL_VERIFY: "false"
+ run_once: true
+ register: oidc_method_out
+ failed_when:
+ - oidc_method_out.rc != 0
+ - "'already exists' not in oidc_method_out.stderr"
+
+- name: Create Binding Rule for SSO Users
+ ansible.builtin.command: >
+ consul acl binding-rule create
+ -method "keycloak"
+ -bind-type "policy"
+ -bind-name "readonly-policy"
+ -selector "true"
+ environment:
+ CONSUL_HTTP_ADDR: "https://127.0.0.1:{{ consul_https_port }}"
+ CONSUL_HTTP_TOKEN: "{{ consul_master_token }}"
+ CONSUL_HTTP_SSL_VERIFY: "false"
+ run_once: true
+ register: binding_rule_out
+ failed_when:
+ - binding_rule_out.rc != 0
+ - "'already exists' not in binding_rule_out.stderr"
From 1a74a3ef53cf5890993794832f971b20b4f9c6a6 Mon Sep 17 00:00:00 2001
From: AnithaAnnem
Date: Wed, 29 Apr 2026 16:55:17 +0530
Subject: [PATCH 370/412] Update main.yml
---
 tasks/main.yml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/tasks/main.yml b/tasks/main.yml
index f0a7174..5c759c8 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -19,3 +19,7 @@
 - name: Include Backup tasks
 ansible.builtin.include_tasks: backup.yml
 when: consul_backup_enabled | bool
+
+- name: Include OIDC SSO tasks
+ ansible.builtin.include_tasks: oidc.yml
+ when: consul_oidc_enabled | bool
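Review bot: Both tasks run `ansible.builtin.command` with `consul_oidc_client_secret` in the argument list and `consul_master_token` in `environment`, and `register` captures the full `cmd`, so without `no_log: true` the client secret lands in the play output, the registered result and any callback or log plugin (plus the process command line while it runs); add `no_log: true` to both tasks — the omission is carried into every later rewrite of this file in the series. `consul acl binding-rule create` has no name to collide on, so the `'already exists' not in …stderr` guard never matches and an identical rule is added on every run; list the method's rules first (`consul acl binding-rule list -method=keycloak -format=json`) and skip creation when one with the same bind-name and selector exists. `-selector "true"` binds every identity the method authenticates to `readonly-policy`, i.e. every user in the realm, so the group-based selector that appears later in the series is the one worth landing before this goes live.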
From e81312982c56ca27b6a9c61462a60c59fbf86d30 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Wed, 29 Apr 2026 17:02:39 +0530 Subject: [PATCH 371/412] Update oidc.yml --- tasks/oidc.yml | 21 ++++++++++----------- 1 file changed, 10 insertions(+), 11 deletions(-) diff --git a/tasks/oidc.yml b/tasks/oidc.yml index a2adf41..e3c8ec6 100644 --- a/tasks/oidc.yml +++ b/tasks/oidc.yml @@ -1,27 +1,26 @@ --- -- name: Create Keycloak OIDC Auth Method +- name: Create Keycloak JWT Auth Method ansible.builtin.command: > consul acl auth-method create -name "keycloak" - -type "oidc" - -description "SSO via Keycloak" + -type "jwt" + -description "JWT Authentication via Keycloak" -config '{ - "AllowedRedirectURIs": ["{{ consul_public_url }}/ui/oidc/callback"], - "OIDCDiscoveryURL": "{{ keycloak_url }}/realms/{{ keycloak_realm }}", - "OIDCClientID": "{{ consul_oidc_client_id }}", - "OIDCClientSecret": "{{ consul_oidc_client_secret }}" + "JWKSURL": "{{ keycloak_url }}/realms/{{ keycloak_realm }}/protocol/openid-connect/certs", + "JWTSupportedAlgs": ["RS256"], + "BoundIssuer": "{{ keycloak_url }}/realms/{{ keycloak_realm }}" }' environment: CONSUL_HTTP_ADDR: "https://127.0.0.1:{{ consul_https_port }}" CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" CONSUL_HTTP_SSL_VERIFY: "false" run_once: true - register: oidc_method_out + register: jwt_method_out failed_when: - - oidc_method_out.rc != 0 - - "'already exists' not in oidc_method_out.stderr" + - jwt_method_out.rc != 0 + - "'already exists' not in jwt_method_out.stderr" -- name: Create Binding Rule for SSO Users +- name: Create Binding Rule for JWT Users ansible.builtin.command: > consul acl binding-rule create -method "keycloak" From 058c96d45ec4f03652bfb1dce10b177b720197db Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Wed, 29 Apr 2026 17:07:57 +0530 Subject: [PATCH 372/412] Update oidc.yml --- tasks/oidc.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
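Review bot: The `jwt` config sets `BoundIssuer` but no `BoundAudiences`, so a token minted by this realm for any Keycloak client — not just the Consul one — is accepted and mapped by the binding rule; add `"BoundAudiences": ["{{ consul_oidc_client_id }}"]` next to `BoundIssuer`. `JWKSURL` is fetched over `keycloak_url` with no `JWKSCACert`, which is fine for a publicly trusted certificate but worth a comment so nobody later points it at an internal HTTP or self-signed endpoint. The `'already exists'` guard still means a changed config is never re-applied on a second run; the create/update split comes later in the series.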
diff --git a/tasks/oidc.yml b/tasks/oidc.yml
index e3c8ec6..7dc1578 100644
--- a/tasks/oidc.yml
+++ b/tasks/oidc.yml
@@ -26,7 +26,7 @@
 -method "keycloak"
 -bind-type "policy"
 -bind-name "readonly-policy"
- -selector "true"
+ -selector "value.sub != ''"
 environment:
 CONSUL_HTTP_ADDR: "https://127.0.0.1:{{ consul_https_port }}"
 CONSUL_HTTP_TOKEN: "{{ consul_master_token }}"
From 4f02f02b4904767f3a00f57af2bddd39d6acf7bb Mon Sep 17 00:00:00 2001
From: AnithaAnnem
Date: Wed, 29 Apr 2026 17:10:56 +0530
Subject: [PATCH 373/412] Update oidc.yml
---
 tasks/oidc.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/tasks/oidc.yml b/tasks/oidc.yml
index 7dc1578..2e8fa4b 100644
--- a/tasks/oidc.yml
+++ b/tasks/oidc.yml
@@ -16,6 +16,7 @@
 CONSUL_HTTP_SSL_VERIFY: "false"
 run_once: true
 register: jwt_method_out
+ # Use failed_when to ignore the error if it already exists
 failed_when:
 - jwt_method_out.rc != 0
 - "'already exists' not in jwt_method_out.stderr"
@@ -26,7 +27,7 @@
 -method "keycloak"
 -bind-type "policy"
 -bind-name "readonly-policy"
- -selector "value.sub != ''"
+ -selector ""
 environment:
 CONSUL_HTTP_ADDR: "https://127.0.0.1:{{ consul_https_port }}"
 CONSUL_HTTP_TOKEN: "{{ consul_master_token }}"
From d90db28f89af67190877a35aef73e460bbe74df2 Mon Sep 17 00:00:00 2001
From: AnithaAnnem
Date: Wed, 29 Apr 2026 17:13:48 +0530
Subject: [PATCH 374/412] Update oidc.yml
---
 tasks/oidc.yml | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/tasks/oidc.yml b/tasks/oidc.yml
index 2e8fa4b..be80c05 100644
--- a/tasks/oidc.yml
+++ b/tasks/oidc.yml
@@ -16,7 +16,6 @@
 CONSUL_HTTP_SSL_VERIFY: "false"
 run_once: true
 register: jwt_method_out
- # Use failed_when to ignore the error if it already exists
 failed_when:
 - jwt_method_out.rc != 0
 - "'already exists' not in jwt_method_out.stderr"
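Review bot: `-selector "value.sub != ''"` references a claim the method never exposes — binding-rule selectors only see claims mapped through `ClaimMappings`/`ListClaimMappings`, and the `jwt` config in this file has neither — so the rule matches nobody and every login is refused; map `sub` first (`"ClaimMappings": {"sub": "sub"}`) or select on a claim that is mapped. The following hunk in the next commit swaps this for `-selector ""`, which is the opposite extreme: an empty selector binds every identity the method authenticates, i.e. every user in the realm. Either way the binding rule is still created without an idempotency guard, so each run adds another rule.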
@@ -24,10 +23,10 @@
 - name: Create Binding Rule for JWT Users
 ansible.builtin.command: >
 consul acl binding-rule create
- -method "keycloak"
- -bind-type "policy"
- -bind-name "readonly-policy"
- -selector ""
+ -method="keycloak"
+ -bind-type="policy"
+ -bind-name="readonly-policy"
+ -selector=""
 environment:
 CONSUL_HTTP_ADDR: "https://127.0.0.1:{{ consul_https_port }}"
 CONSUL_HTTP_TOKEN: "{{ consul_master_token }}"
From fdbcb37d4437a87e69c86820513dcde2fcd594f0 Mon Sep 17 00:00:00 2001
From: AnithaAnnem
Date: Wed, 29 Apr 2026 21:42:37 +0530
Subject: [PATCH 375/412] Update main.yml
---
 defaults/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/defaults/main.yml b/defaults/main.yml
index 7705828..dc7db9e 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -42,7 +42,7 @@ keycloak_realm: "master"
 # Use the Client ID and Secret from your Keycloak console
 consul_oidc_client_id: "consul"
-consul_oidc_client_secret: "gDshZG8hRy9CBX5Vg8kXZiOsQil89NCN"
+consul_oidc_client_secret: "r2kGOxYip1srrwhxiqRIAXv4bFaJroo3"
 # Gossip Encryption
 consul_gossip_key: ""
From 3e188f007a7c7cae7ae2bda6937faf26e3cf2c66 Mon Sep 17 00:00:00 2001
From: AnithaAnnem
Date: Wed, 29 Apr 2026 21:48:57 +0530
Subject: [PATCH 376/412] Update main.yml
---
 defaults/main.yml | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/defaults/main.yml b/defaults/main.yml
index dc7db9e..cd33340 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -36,14 +36,20 @@ consul_client_addr: "0.0.0.0" # SSO / OIDC Configuration consul_oidc_enabled: true -consul_public_url: "https://consul.opstree.dev" # Matches your Keycloak Home URL -keycloak_url: "https://keycloak.opstree.dev" +consul_public_url: "https://opstree.dev" +keycloak_url: "https://opstree.dev" keycloak_realm: "master" -# Use the Client ID and Secret from your Keycloak console +# Keycloak Client Credentials consul_oidc_client_id: "consul" consul_oidc_client_secret: "r2kGOxYip1srrwhxiqRIAXv4bFaJroo3" +# OIDC Specifics +consul_oidc_max_token_ttl: "1h" +consul_oidc_redirect_uris: + - "{{ consul_public_url }}/ui/oidc/callback" + - "http://localhost:8550/oidc/callback" + # Gossip Encryption consul_gossip_key: "" From 173ce964147964a7a1af8140336ae340658eb8b3 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Wed, 29 Apr 2026 21:49:32 +0530 Subject: [PATCH 377/412] Update oidc.yml --- tasks/oidc.yml | 29 +++++++++++++++++++---------- 1 file changed, 19 insertions(+), 10 deletions(-) diff --git a/tasks/oidc.yml b/tasks/oidc.yml index be80c05..97f966c 100644 --- a/tasks/oidc.yml +++ b/tasks/oidc.yml 
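Review bot: `consul_oidc_redirect_uris` admits `http://localhost:8550/oidc/callback`, the default callback of `consul login -type=oidc`; that is the standard way to let the CLI complete the flow, but since the list is enforced on the Consul side only, the Keycloak client's Valid Redirect URIs must carry the same two entries or the login fails at the IdP, so a comment recording that dependency would help. `consul_public_url` and `keycloak_url` are both set to `https://opstree.dev`, putting the Consul UI and Keycloak on one origin; subsequent commits in this series flip these values back and forth, so whichever is correct deserves a comment explaining why. `consul_oidc_max_token_ttl: "1h"` is a sensible bound for SSO-issued tokens.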
@@ -1,24 +1,33 @@ --- -- name: Create Keycloak JWT Auth Method +- name: Create Keycloak OIDC Auth Method ansible.builtin.command: > consul acl auth-method create -name "keycloak" - -type "jwt" - -description "JWT Authentication via Keycloak" + -type "oidc" + -description "SSO via Keycloak" + -max-token-ttl="{{ consul_oidc_max_token_ttl }}" -config '{ - "JWKSURL": "{{ keycloak_url }}/realms/{{ keycloak_realm }}/protocol/openid-connect/certs", - "JWTSupportedAlgs": ["RS256"], - "BoundIssuer": "{{ keycloak_url }}/realms/{{ keycloak_realm }}" + "OIDCDiscoveryURL": "{{ keycloak_url }}/realms/{{ keycloak_realm }}", + "OIDCClientID": "{{ consul_oidc_client_id }}", + "OIDCClientSecret": "{{ consul_oidc_client_secret }}", + "AllowedRedirectURIs": {{ consul_oidc_redirect_uris | to_json }}, + "ClaimMappings": { + "preferred_username": "username" + }, + "ListClaimMappings": { + "groups": "groups" + } }' environment: CONSUL_HTTP_ADDR: "https://127.0.0.1:{{ consul_https_port }}" CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" CONSUL_HTTP_SSL_VERIFY: "false" run_once: true - register: jwt_method_out + register: oidc_method_out + # rc 1 logic ensures the task doesn't fail if already configured failed_when: - - jwt_method_out.rc != 0 - - "'already exists' not in jwt_method_out.stderr" + - oidc_method_out.rc != 0 + - "'already exists' not in oidc_method_out.stderr" - name: Create Binding Rule for JWT Users ansible.builtin.command: > @@ -26,7 +35,7 @@ -method="keycloak" -bind-type="policy" -bind-name="readonly-policy" - -selector="" + -selector="list.groups contains /consul-users" environment: CONSUL_HTTP_ADDR: "https://127.0.0.1:{{ consul_https_port }}" CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" From c34bd6c68c942496067f1385a7795d461605d8c1 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Thu, 30 Apr 2026 10:27:12 +0530 Subject: [PATCH 378/412] Update oidc.yml --- tasks/oidc.yml | 48 ++++++++++++++++++++++++++++++++++++++++++++---- 1 file changed, 44 insertions(+), 4 deletions(-) 
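Review bot: The selector value in `-selector="list.groups contains /consul-users"` is unquoted; bexpr permits only a restricted character set in bare values, so quoting the group path — `-selector='list.groups contains "/consul-users"'` — removes any dependence on how the installed Consul parses `/consul-users` (harmless if bare values are accepted). `"ListClaimMappings": {"groups": "groups"}` only works when the Keycloak client has a group-membership mapper that puts `groups` into the ID token with full group paths (which the leading `/` assumes); without it no identity ever matches and logins are rejected with little indication why, so that precondition belongs in the README or a comment on this task. The create task still passes the client secret on the command line without `no_log: true`.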
diff --git a/tasks/oidc.yml b/tasks/oidc.yml index 97f966c..8607f90 100644 --- a/tasks/oidc.yml +++ b/tasks/oidc.yml @@ -1,4 +1,18 @@ --- +# ✅ Step 1: Check if auth method already exists +- name: Check if Keycloak auth method exists + ansible.builtin.command: > + consul acl auth-method read -name keycloak + environment: + CONSUL_HTTP_ADDR: "https://127.0.0.1:{{ consul_https_port }}" + CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" + CONSUL_HTTP_SSL_VERIFY: "false" + register: auth_method_check + ignore_errors: true + run_once: true + + +# ✅ Step 2: Create ONLY if it does not exist - name: Create Keycloak OIDC Auth Method ansible.builtin.command: > consul acl auth-method create @@ -24,11 +38,37 @@ CONSUL_HTTP_SSL_VERIFY: "false" run_once: true register: oidc_method_out - # rc 1 logic ensures the task doesn't fail if already configured - failed_when: - - oidc_method_out.rc != 0 - - "'already exists' not in oidc_method_out.stderr" + when: auth_method_check.rc != 0 + + +# ✅ Step 3: Update if it already exists +- name: Update Keycloak OIDC Auth Method + ansible.builtin.command: > + consul acl auth-method update + -name "keycloak" + -description "SSO via Keycloak" + -max-token-ttl="{{ consul_oidc_max_token_ttl }}" + -config '{ + "OIDCDiscoveryURL": "{{ keycloak_url }}/realms/{{ keycloak_realm }}", + "OIDCClientID": "{{ consul_oidc_client_id }}", + "OIDCClientSecret": "{{ consul_oidc_client_secret }}", + "AllowedRedirectURIs": {{ consul_oidc_redirect_uris | to_json }}, + "ClaimMappings": { + "preferred_username": "username" + }, + "ListClaimMappings": { + "groups": "groups" + } + }' + environment: + CONSUL_HTTP_ADDR: "https://127.0.0.1:{{ consul_https_port }}" + CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" + CONSUL_HTTP_SSL_VERIFY: "false" + run_once: true + when: auth_method_check.rc == 0 + +# ✅ Step 4: Create binding rule (safe handling) - name: Create Binding Rule for JWT Users ansible.builtin.command: > consul acl binding-rule create 
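Review bot: `when: auth_method_check.rc != 0` treats any non-zero exit of `consul acl auth-method read` as "method does not exist", but the read also fails when the agent is unreachable, the master token is rejected or TLS to 127.0.0.1 errors; `ignore_errors: true` hides that cause and the play proceeds to `create`, which then fails with a less useful message. Prefer `changed_when: false` plus `failed_when: false` on the read task and decide from a listing rather than the exit code, e.g. register `consul acl auth-method list -format=json` and test `when: auth_method_check.stdout | from_json | map(attribute='Name') is not contains('keycloak')`. The update task duplicates the create task's config block verbatim; rendering it once into a variable and passing `-config '{{ consul_oidc_method_config | to_json }}'` (name illustrative) from both keeps the two from drifting. `no_log: true` is still missing on both tasks that carry the client secret.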
From 7c6da863c87e38723b71bfb25df6af533aaf3b13 Mon Sep 17 00:00:00 2001
From: AnithaAnnem
Date: Thu, 30 Apr 2026 10:47:51 +0530
Subject: [PATCH 379/412] Update oidc.yml
---
 tasks/oidc.yml | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/tasks/oidc.yml b/tasks/oidc.yml
index 8607f90..b83a3bb 100644
--- a/tasks/oidc.yml
+++ b/tasks/oidc.yml
@@ -41,7 +41,7 @@
 when: auth_method_check.rc != 0
-# ✅ Step 3: Update if it already exists
+# ✅ Step 3: Update ONLY allowed fields (FIXED)
 - name: Update Keycloak OIDC Auth Method
 ansible.builtin.command: >
 consul acl auth-method update
@@ -50,9 +50,6 @@
 -max-token-ttl="{{ consul_oidc_max_token_ttl }}"
 -config '{
 "OIDCDiscoveryURL": "{{ keycloak_url }}/realms/{{ keycloak_realm }}",
- "OIDCClientID": "{{ consul_oidc_client_id }}",
- "OIDCClientSecret": "{{ consul_oidc_client_secret }}",
- "AllowedRedirectURIs": {{ consul_oidc_redirect_uris | to_json }},
 "ClaimMappings": {
 "preferred_username": "username"
 },
@@ -68,7 +65,7 @@
 when: auth_method_check.rc == 0
-# ✅ Step 4: Create binding rule (safe handling)
+# ✅ Step 4: Create Binding Rule (idempotent)
 - name: Create Binding Rule for JWT Users
 ansible.builtin.command: >
 consul acl binding-rule create
From e3c58d35ba95afdace93570f5d5706e640e6fe19 Mon Sep 17 00:00:00 2001
From: AnithaAnnem
Date: Thu, 30 Apr 2026 10:57:30 +0530
Subject: [PATCH 380/412] Update main.yml
---
 defaults/main.yml | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/defaults/main.yml b/defaults/main.yml
index cd33340..3bcb166 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -34,12 +34,17 @@ consul_agent_token: "" consul_client_addr: "0.0.0.0" +--- # SSO / OIDC Configuration consul_oidc_enabled: true +# Use specific subdomains if possible to avoid proxy loops consul_public_url: "https://opstree.dev" -keycloak_url: "https://opstree.dev" +keycloak_url: "https://opstree.dev" keycloak_realm: "master" +# Toggle this to true if you are using self-signed certificates for Keycloak +consul_oidc_insecure_tls: false + # Keycloak Client Credentials consul_oidc_client_id: "consul" consul_oidc_client_secret: "r2kGOxYip1srrwhxiqRIAXv4bFaJroo3" @@ -49,6 +54,7 @@ consul_oidc_max_token_ttl: "1h" consul_oidc_redirect_uris: - "{{ consul_public_url }}/ui/oidc/callback" - "http://localhost:8550/oidc/callback" + # Gossip Encryption consul_gossip_key: "" From afd63a0961eda74094c1b796a164c331812de0de Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Thu, 30 Apr 2026 10:59:24 +0530 Subject: [PATCH 381/412] Update main.yml --- defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 3bcb166..8b4d774 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -38,8 +38,8 @@ consul_client_addr: "0.0.0.0" # SSO / OIDC Configuration consul_oidc_enabled: true # Use specific subdomains if possible to avoid proxy loops -consul_public_url: "https://opstree.dev" -keycloak_url: "https://opstree.dev" +consul_public_url: "https://consul.opstree.dev" +keycloak_url: "https://keycloak.opstree.dev" keycloak_realm: "master" # Toggle this to true if you are using self-signed certificates for Keycloak From 7b169db5750e29169b84a6c6d07bfd4108389cb2 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Thu, 30 Apr 2026 11:00:35 +0530 Subject: [PATCH 382/412] Update main.yml --- defaults/main.yml | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 8b4d774..4f5ffd7 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
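Review bot: The added `---` at new line 37 starts a second YAML document in the middle of `defaults/main.yml`; Ansible's vars loader takes a single document, so loading either fails with an "expected a single document" error or ignores everything after the marker, depending on the Ansible version — including the OIDC block this commit annotates. Remove it (the series does so two commits later and then re-introduces it in a later `Update main.yml`; a yamllint `document-start` rule in CI would catch both). `consul_oidc_insecure_tls: false` is the right default here and is worth keeping when the next commit flips it.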
@@ -37,13 +37,17 @@ consul_client_addr: "0.0.0.0" --- # SSO / OIDC Configuration consul_oidc_enabled: true -# Use specific subdomains if possible to avoid proxy loops consul_public_url: "https://consul.opstree.dev" + +# Internal URL for Consul-to-Keycloak communication (Bypasses Cloudflare) +# Use the internal IP and port where Keycloak is actually listening +keycloak_internal_url: "http://127.0.0.1:8080" + +# Public URL for the Browser/UI keycloak_url: "https://keycloak.opstree.dev" keycloak_realm: "master" -# Toggle this to true if you are using self-signed certificates for Keycloak -consul_oidc_insecure_tls: false +consul_oidc_insecure_tls: true # Set to true if using internal HTTP or self-signed certs # Keycloak Client Credentials consul_oidc_client_id: "consul" @@ -55,6 +59,7 @@ consul_oidc_redirect_uris: - "{{ consul_public_url }}/ui/oidc/callback" - "http://localhost:8550/oidc/callback" + # Gossip Encryption consul_gossip_key: "" From adb9598acfce23bd8425d114e38d0e120e3eef10 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Thu, 30 Apr 2026 11:01:05 +0530 Subject: [PATCH 383/412] Update oidc.yml --- tasks/oidc.yml | 19 +++++++++++-------- 1 file changed, 11 insertions(+), 8 deletions(-) diff --git a/tasks/oidc.yml b/tasks/oidc.yml index b83a3bb..fa8e833 100644 --- a/tasks/oidc.yml +++ b/tasks/oidc.yml @@ -11,7 +11,6 @@ ignore_errors: true run_once: true - # ✅ Step 2: Create ONLY if it does not exist - name: Create Keycloak OIDC Auth Method ansible.builtin.command: 
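Review bot: `consul_oidc_insecure_tls: true` is now the role default, disabling certificate verification for every consumer, and the inline comment offers it for "internal HTTP or self-signed certs" — plain HTTP has no TLS to skip, and for a private CA the supported route is to trust it explicitly (`OIDCDiscoveryCACert` in the auth-method config) rather than switch verification off; keep the default at `false` and let a deployment opt in. Pointing discovery at `http://127.0.0.1:8080` while the browser uses `https://keycloak.opstree.dev` also means the discovery document's `issuer` (Keycloak's frontend URL) will not equal the discovery URL, which OIDC clients typically reject; a comment stating how that mismatch is resolved would save the next reader the guesswork. The client secret literal is unchanged and still belongs in a vaulted or environment-sourced variable.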
> @@ -21,9 +20,11 @@ -description "SSO via Keycloak" -max-token-ttl="{{ consul_oidc_max_token_ttl }}" -config '{ - "OIDCDiscoveryURL": "{{ keycloak_url }}/realms/{{ keycloak_realm }}", + "OIDCDiscoveryURL": "{{ keycloak_internal_url }}/realms/{{ keycloak_realm }}", + "BoundIssuer": "{{ keycloak_url }}/realms/{{ keycloak_realm }}", "OIDCClientID": "{{ consul_oidc_client_id }}", "OIDCClientSecret": "{{ consul_oidc_client_secret }}", + "OIDCInsecureTLS": {{ consul_oidc_insecure_tls | lower }}, "AllowedRedirectURIs": {{ consul_oidc_redirect_uris | to_json }}, "ClaimMappings": { "preferred_username": "username" @@ -37,11 +38,9 @@ CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" CONSUL_HTTP_SSL_VERIFY: "false" run_once: true - register: oidc_method_out when: auth_method_check.rc != 0 - -# ✅ Step 3: Update ONLY allowed fields (FIXED) +# ✅ Step 3: Update WITH all required fields to fix the 522 redirect/timeout - name: Update Keycloak OIDC Auth Method ansible.builtin.command: > consul acl auth-method update @@ -49,7 +48,12 @@ -description "SSO via Keycloak" -max-token-ttl="{{ consul_oidc_max_token_ttl }}" -config '{ - "OIDCDiscoveryURL": "{{ keycloak_url }}/realms/{{ keycloak_realm }}", + "OIDCDiscoveryURL": "{{ keycloak_internal_url }}/realms/{{ keycloak_realm }}", + "BoundIssuer": "{{ keycloak_url }}/realms/{{ keycloak_realm }}", + "OIDCClientID": "{{ consul_oidc_client_id }}", + "OIDCClientSecret": "{{ consul_oidc_client_secret }}", + "OIDCInsecureTLS": {{ consul_oidc_insecure_tls | lower }}, + "AllowedRedirectURIs": {{ consul_oidc_redirect_uris | to_json }}, "ClaimMappings": { "preferred_username": "username" }, @@ -64,9 +68,8 @@ run_once: true when: auth_method_check.rc == 0 - # ✅ Step 4: Create Binding Rule (idempotent) -- name: Create Binding Rule for JWT Users +- name: Create Binding Rule for SSO Users ansible.builtin.command: > consul acl binding-rule create -method="keycloak" From 5eb89bbfc974f1d6402918a06e09c280b71bc151 Mon Sep 17 00:00:00 2001 
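Review bot: I cannot find `OIDCInsecureTLS` or `BoundIssuer` among the documented config parameters of Consul's `oidc` auth-method type (`BoundIssuer` is a `jwt`-type parameter), so please verify against the targeted Consul release: if the config parser rejects unknown keys, both the create and update commands fail outright, and if it ignores them, TLS verification is not relaxed and the issuer check is unchanged — either way the behaviour described in the `# ✅ Step 3` comment is not what runs. The documented way to trust a private Keycloak certificate is `OIDCDiscoveryCACert` with the PEM of the issuing CA, which also removes the need for an insecure flag. Both tasks still carry `consul_oidc_client_secret` on the command line without `no_log: true`.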
From: AnithaAnnem
Date: Thu, 30 Apr 2026 11:02:30 +0530
Subject: [PATCH 384/412] Update main.yml
---
 defaults/main.yml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/defaults/main.yml b/defaults/main.yml
index 4f5ffd7..22cb999 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -34,7 +34,6 @@ consul_agent_token: ""
 consul_client_addr: "0.0.0.0"
----
 # SSO / OIDC Configuration
 consul_oidc_enabled: true
 consul_public_url: "https://consul.opstree.dev"
From 5bc9d629aae7cac26f5670aaec882b5697d137ec Mon Sep 17 00:00:00 2001
From: AnithaAnnem
Date: Thu, 30 Apr 2026 11:06:20 +0530
Subject: [PATCH 385/412] Update oidc.yml
---
 tasks/oidc.yml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/tasks/oidc.yml b/tasks/oidc.yml
index fa8e833..fcf5b55 100644
--- a/tasks/oidc.yml
+++ b/tasks/oidc.yml
@@ -39,8 +39,8 @@
 CONSUL_HTTP_SSL_VERIFY: "false"
 run_once: true
 when: auth_method_check.rc != 0
-
-# ✅ Step 3: Update WITH all required fields to fix the 522 redirect/timeout
+
+# ✅ Step 3: Update WITH nested Config block (Required for 1.17.x)
 - name: Update Keycloak OIDC Auth Method
 ansible.builtin.command: >
 consul acl auth-method update
@@ -68,6 +68,7 @@
 run_once: true
 when: auth_method_check.rc == 0
+
 # ✅ Step 4: Create Binding Rule (idempotent)
 - name: Create Binding Rule for SSO Users
 ansible.builtin.command: >
From 23a4aa59b7e216b9a13c3fe6430d1ee3d7b379a1 Mon Sep 17 00:00:00 2001
From: AnithaAnnem
Date: Thu, 30 Apr 2026 11:16:01 +0530
Subject: [PATCH 386/412] Update oidc.yml
---
 tasks/oidc.yml | 57 ++++++++++----------------------------------
 1 file changed, 11 insertions(+), 46 deletions(-)
diff --git a/tasks/oidc.yml b/tasks/oidc.yml
index fcf5b55..b95126f 100644
--- a/tasks/oidc.yml
+++ b/tasks/oidc.yml
@@ -1,5 +1,4 @@
 ---
-# ✅ Step 1: Check if auth method already exists
 - name: Check if Keycloak auth method exists
 ansible.builtin.command: >
 consul acl auth-method read -name keycloak
@@ -11,26 +10,23 @@ ignore_errors: true run_once: true -# ✅ Step 2: Create ONLY if it does not exist -- name: Create Keycloak OIDC Auth Method +- name: Create or Update Keycloak OIDC Auth Method ansible.builtin.command: > - consul acl auth-method create + consul acl auth-method {{ 'update' if auth_method_check.rc == 0 else 'create' }} -name "keycloak" -type "oidc" -description "SSO via Keycloak" -max-token-ttl="{{ consul_oidc_max_token_ttl }}" -config '{ - "OIDCDiscoveryURL": "{{ keycloak_internal_url }}/realms/{{ keycloak_realm }}", - "BoundIssuer": "{{ keycloak_url }}/realms/{{ keycloak_realm }}", - "OIDCClientID": "{{ consul_oidc_client_id }}", - "OIDCClientSecret": "{{ consul_oidc_client_secret }}", - "OIDCInsecureTLS": {{ consul_oidc_insecure_tls | lower }}, - "AllowedRedirectURIs": {{ consul_oidc_redirect_uris | to_json }}, - "ClaimMappings": { - "preferred_username": "username" - }, - "ListClaimMappings": { - "groups": "groups" + "config": { + "OIDCDiscoveryURL": "{{ keycloak_internal_url }}/realms/{{ keycloak_realm }}", + "BoundIssuer": "{{ keycloak_url }}/realms/{{ keycloak_realm }}", + "OIDCClientID": "{{ consul_oidc_client_id }}", + "OIDCClientSecret": "{{ consul_oidc_client_secret }}", + "OIDCInsecureTLS": {{ consul_oidc_insecure_tls | lower }}, + "AllowedRedirectURIs": {{ consul_oidc_redirect_uris | to_json }}, + "ClaimMappings": { "preferred_username": "username" }, + "ListClaimMappings": { "groups": "groups" } } }' environment: 
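Review bot: The method settings are now nested under a `"config"` key inside `-config '{...}'`, but `-config` already is the method's config map, so Consul receives one unknown parameter named `config` and none of the OIDC settings; the following commits un-nest it and then re-nest it as `"Config"`, so the series never settles on the flat form that the earlier `Create Keycloak OIDC Auth Method` task used and that the CLI documents. The combined `{{ 'update' if auth_method_check.rc == 0 else 'create' }}` command also passes `-type "oidc"` on the update path, a flag `consul acl auth-method update` does not define (guarded with Jinja three commits later). Since `command` always reports changed, a `changed_when` based on the output would keep the play summary honest.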
@@ -38,38 +34,7 @@ CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" CONSUL_HTTP_SSL_VERIFY: "false" run_once: true - when: auth_method_check.rc != 0 - -# ✅ Step 3: Update WITH nested Config block (Required for 1.17.x) -- name: Update Keycloak OIDC Auth Method - ansible.builtin.command: > - consul acl auth-method update - -name "keycloak" - -description "SSO via Keycloak" - -max-token-ttl="{{ consul_oidc_max_token_ttl }}" - -config '{ - "OIDCDiscoveryURL": "{{ keycloak_internal_url }}/realms/{{ keycloak_realm }}", - "BoundIssuer": "{{ keycloak_url }}/realms/{{ keycloak_realm }}", - "OIDCClientID": "{{ consul_oidc_client_id }}", - "OIDCClientSecret": "{{ consul_oidc_client_secret }}", - "OIDCInsecureTLS": {{ consul_oidc_insecure_tls | lower }}, - "AllowedRedirectURIs": {{ consul_oidc_redirect_uris | to_json }}, - "ClaimMappings": { - "preferred_username": "username" - }, - "ListClaimMappings": { - "groups": "groups" - } - }' - environment: - CONSUL_HTTP_ADDR: "https://127.0.0.1:{{ consul_https_port }}" - CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" - CONSUL_HTTP_SSL_VERIFY: "false" - run_once: true - when: auth_method_check.rc == 0 - -# ✅ Step 4: Create Binding Rule (idempotent) - name: Create Binding Rule for SSO Users ansible.builtin.command: > consul acl binding-rule create From 8f6c619b423994c4d2f36843675dcd9ca80c54f1 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Thu, 30 Apr 2026 11:17:09 +0530 Subject: [PATCH 387/412] Update main.yml --- defaults/main.yml | 18 +++++------------- 1 file changed, 5 insertions(+), 13 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 22cb999..8ab5f9b 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -34,31 +34,23 @@ consul_agent_token: "" consul_client_addr: "0.0.0.0" -# SSO / OIDC Configuration +--- consul_oidc_enabled: true -consul_public_url: "https://consul.opstree.dev" +consul_public_url: "https://opstree.dev" -# Internal URL for Consul-to-Keycloak communication (Bypasses Cloudflare) -# Use the internal IP and port where Keycloak is actually listening +# Internal URL to bypass Cloudflare 522. Use 127.0.0.1 if Keycloak is on the same node. keycloak_internal_url: "http://127.0.0.1:8080" - -# Public URL for the Browser/UI -keycloak_url: "https://keycloak.opstree.dev" +keycloak_url: "https://opstree.dev" keycloak_realm: "master" -consul_oidc_insecure_tls: true # Set to true if using internal HTTP or self-signed certs - -# Keycloak Client Credentials consul_oidc_client_id: "consul" consul_oidc_client_secret: "r2kGOxYip1srrwhxiqRIAXv4bFaJroo3" -# OIDC Specifics +consul_oidc_insecure_tls: true consul_oidc_max_token_ttl: "1h" consul_oidc_redirect_uris: - "{{ consul_public_url }}/ui/oidc/callback" - "http://localhost:8550/oidc/callback" - - # Gossip Encryption consul_gossip_key: "" From b66f63aa9ac4d52e3d810c2f21f7f6d8685d546f Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Thu, 30 Apr 2026 11:18:43 +0530 Subject: [PATCH 388/412] Update main.yml --- defaults/main.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index 8ab5f9b..3a6c88c 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -34,7 +34,6 @@ consul_agent_token: "" consul_client_addr: "0.0.0.0" ---- consul_oidc_enabled: true consul_public_url: "https://opstree.dev" From 2a519976e5fb85d4b0751cd14b815989abb22d84 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Thu, 30 Apr 2026 11:19:08 +0530 Subject: [PATCH 389/412] Update main.yml From bb64cdb1efdecf2f244f4aa7c1f4de4d03b0cff7 Mon Sep 17 00:00:00 2001 
From: AnithaAnnem Date: Thu, 30 Apr 2026 11:28:57 +0530 Subject: [PATCH 390/412] Update oidc.yml --- tasks/oidc.yml | 30 ++++++++++++++++++++++++++---- 1 file changed, 26 insertions(+), 4 deletions(-) diff --git a/tasks/oidc.yml b/tasks/oidc.yml index b95126f..9be109e 100644 --- a/tasks/oidc.yml +++ b/tasks/oidc.yml @@ -10,15 +10,14 @@ ignore_errors: true run_once: true -- name: Create or Update Keycloak OIDC Auth Method +- name: Create Keycloak OIDC Auth Method ansible.builtin.command: > - consul acl auth-method {{ 'update' if auth_method_check.rc == 0 else 'create' }} + consul acl auth-method create -name "keycloak" -type "oidc" -description "SSO via Keycloak" -max-token-ttl="{{ consul_oidc_max_token_ttl }}" -config '{ - "config": { "OIDCDiscoveryURL": "{{ keycloak_internal_url }}/realms/{{ keycloak_realm }}", "BoundIssuer": "{{ keycloak_url }}/realms/{{ keycloak_realm }}", "OIDCClientID": "{{ consul_oidc_client_id }}", 
@@ -27,13 +26,36 @@ "AllowedRedirectURIs": {{ consul_oidc_redirect_uris | to_json }}, "ClaimMappings": { "preferred_username": "username" }, "ListClaimMappings": { "groups": "groups" } - } }' environment: CONSUL_HTTP_ADDR: "https://127.0.0.1:{{ consul_https_port }}" CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" CONSUL_HTTP_SSL_VERIFY: "false" run_once: true + when: auth_method_check.rc != 0 + +- name: Update Keycloak OIDC Auth Method + ansible.builtin.command: > + consul acl auth-method update + -name "keycloak" + -description "SSO via Keycloak" + -max-token-ttl="{{ consul_oidc_max_token_ttl }}" + -config '{ + "OIDCDiscoveryURL": "{{ keycloak_internal_url }}/realms/{{ keycloak_realm }}", + "BoundIssuer": "{{ keycloak_url }}/realms/{{ keycloak_realm }}", + "OIDCClientID": "{{ consul_oidc_client_id }}", + "OIDCClientSecret": "{{ consul_oidc_client_secret }}", + "OIDCInsecureTLS": {{ consul_oidc_insecure_tls | lower }}, + "AllowedRedirectURIs": {{ consul_oidc_redirect_uris | to_json }}, + "ClaimMappings": { "preferred_username": "username" }, + "ListClaimMappings": { "groups": "groups" } + }' + environment: + CONSUL_HTTP_ADDR: "https://127.0.0.1:{{ consul_https_port }}" + CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" + CONSUL_HTTP_SSL_VERIFY: "false" + run_once: true + when: auth_method_check.rc == 0 - name: Create Binding Rule for SSO Users ansible.builtin.command: > From 4138694800569f383d44ad7b5b38778b8a9f08ea Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Thu, 30 Apr 2026 11:33:00 +0530 Subject: [PATCH 391/412] Update oidc.yml --- tasks/oidc.yml | 32 +++++--------------------------- 1 file changed, 5 insertions(+), 27 deletions(-) diff --git a/tasks/oidc.yml b/tasks/oidc.yml index 9be109e..357f9fd 100644 --- a/tasks/oidc.yml +++ b/tasks/oidc.yml 
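Review bot: The update task repeats the create task's entire `-config` block, so the two will drift the next time a field is added; define the map once (e.g. `consul_oidc_method_config` in `vars/main.yml`, name illustrative) and pass `-config '{{ consul_oidc_method_config | to_json }}'` from both, or collapse them into one task with `-upsert`, which `consul acl auth-method update` accepts and which also removes the `auth_method_check` pre-read. Neither task sets `no_log: true` although the client secret is in the argument list, and neither has `changed_when`, so the play reports a change on every run. The `when: auth_method_check.rc == 0` condition still inherits the exit-code ambiguity of the read task: an unreachable agent routes the play to `create` rather than failing.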
@@ -10,14 +10,15 @@ ignore_errors: true run_once: true -- name: Create Keycloak OIDC Auth Method +- name: Create or Update Keycloak OIDC Auth Method ansible.builtin.command: > - consul acl auth-method create + consul acl auth-method {{ 'update' if auth_method_check.rc == 0 else 'create' }} -name "keycloak" - -type "oidc" + {% if auth_method_check.rc != 0 %}-type "oidc"{% endif %} -description "SSO via Keycloak" -max-token-ttl="{{ consul_oidc_max_token_ttl }}" -config '{ + "Config": { "OIDCDiscoveryURL": "{{ keycloak_internal_url }}/realms/{{ keycloak_realm }}", "BoundIssuer": "{{ keycloak_url }}/realms/{{ keycloak_realm }}", "OIDCClientID": "{{ consul_oidc_client_id }}", 
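Review bot: `{{ 'update' if auth_method_check.rc == 0 else 'create' }}` treats every non-zero exit of the `read` task as "the method does not exist", but that task runs with `ignore_errors: true` (visible as context at the top of the hunk), so an invalid `consul_master_token`, an unreachable API or a TLS failure also selects `create` and the play only fails later with a misleading error. Branch on the not-found condition explicitly — register the read with `failed_when: false` and test its output for Consul's not-found message, or use the HTTP API where a 404 is unambiguous — and let any other failure stop the play. The `{% if auth_method_check.rc != 0 %}-type "oidc"{% endif %}` line is correct but worth a one-line comment such as `# -type is only accepted on create; Consul cannot change an auth method's type` so the next reader does not "simplify" it away.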
@@ -26,36 +27,13 @@ "AllowedRedirectURIs": {{ consul_oidc_redirect_uris | to_json }}, "ClaimMappings": { "preferred_username": "username" }, "ListClaimMappings": { "groups": "groups" } + } }' environment: CONSUL_HTTP_ADDR: "https://127.0.0.1:{{ consul_https_port }}" CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" CONSUL_HTTP_SSL_VERIFY: "false" run_once: true - when: auth_method_check.rc != 0 - -- name: Update Keycloak OIDC Auth Method - ansible.builtin.command: > - consul acl auth-method update - -name "keycloak" - -description "SSO via Keycloak" - -max-token-ttl="{{ consul_oidc_max_token_ttl }}" - -config '{ - "OIDCDiscoveryURL": "{{ keycloak_internal_url }}/realms/{{ keycloak_realm }}", - "BoundIssuer": "{{ keycloak_url }}/realms/{{ keycloak_realm }}", - "OIDCClientID": "{{ consul_oidc_client_id }}", - "OIDCClientSecret": "{{ consul_oidc_client_secret }}", - "OIDCInsecureTLS": {{ consul_oidc_insecure_tls | lower }}, - "AllowedRedirectURIs": {{ consul_oidc_redirect_uris | to_json }}, - "ClaimMappings": { "preferred_username": "username" }, - "ListClaimMappings": { "groups": "groups" } - }' - environment: - CONSUL_HTTP_ADDR: "https://127.0.0.1:{{ consul_https_port }}" - CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" - CONSUL_HTTP_SSL_VERIFY: "false" - run_once: true - when: auth_method_check.rc == 0 - name: Create Binding Rule for SSO Users ansible.builtin.command: > From 7a6c67ea49ea61bcd35a66232e4f319d14d9d6e2 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Thu, 30 Apr 2026 11:37:52 +0530 Subject: [PATCH 392/412] Update oidc.yml --- tasks/oidc.yml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/tasks/oidc.yml b/tasks/oidc.yml index 357f9fd..9811619 100644 --- a/tasks/oidc.yml +++ b/tasks/oidc.yml 
@@ -17,8 +17,7 @@ {% if auth_method_check.rc != 0 %}-type "oidc"{% endif %} -description "SSO via Keycloak" -max-token-ttl="{{ consul_oidc_max_token_ttl }}" - -config '{ - "Config": { + -config='{ "OIDCDiscoveryURL": "{{ keycloak_internal_url }}/realms/{{ keycloak_realm }}", "BoundIssuer": "{{ keycloak_url }}/realms/{{ keycloak_realm }}", "OIDCClientID": "{{ consul_oidc_client_id }}", @@ -27,7 +26,6 @@ "AllowedRedirectURIs": {{ consul_oidc_redirect_uris | to_json }}, "ClaimMappings": { "preferred_username": "username" }, "ListClaimMappings": { "groups": "groups" } - } }' environment: CONSUL_HTTP_ADDR: "https://127.0.0.1:{{ consul_https_port }}" From 85bb84ae5f371a7cabe10c1011ac69fa5c247f0b Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Thu, 30 Apr 2026 11:41:15 +0530 Subject: [PATCH 393/412] Update oidc.yml --- tasks/oidc.yml | 47 ++++++++++++++++++++++++++--------------------- 1 file changed, 26 insertions(+), 21 deletions(-) diff --git a/tasks/oidc.yml b/tasks/oidc.yml index 9811619..9c6cefd 100644 --- a/tasks/oidc.yml +++ b/tasks/oidc.yml 
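Review bot: The `-config='{ ... }'` JSON is assembled by plain string interpolation, so a `consul_oidc_client_secret`, realm URL or redirect URI containing `"`, `\` or `'` breaks either the JSON or the single-quoted argument boundary, and the secret is the value most likely to contain such characters. Emit each scalar through `to_json`, e.g. `"OIDCClientSecret": {{ consul_oidc_client_secret | to_json }}`, as the hunk already does for `AllowedRedirectURIs`, or build the whole config as a dict under `vars:` and pass `-config={{ oidc_config | to_json | quote }}`. The enclosing task starts outside this hunk.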
@@ -10,29 +10,34 @@ ignore_errors: true run_once: true -- name: Create or Update Keycloak OIDC Auth Method - ansible.builtin.command: > - consul acl auth-method {{ 'update' if auth_method_check.rc == 0 else 'create' }} - -name "keycloak" - {% if auth_method_check.rc != 0 %}-type "oidc"{% endif %} - -description "SSO via Keycloak" - -max-token-ttl="{{ consul_oidc_max_token_ttl }}" - -config='{ - "OIDCDiscoveryURL": "{{ keycloak_internal_url }}/realms/{{ keycloak_realm }}", - "BoundIssuer": "{{ keycloak_url }}/realms/{{ keycloak_realm }}", - "OIDCClientID": "{{ consul_oidc_client_id }}", - "OIDCClientSecret": "{{ consul_oidc_client_secret }}", - "OIDCInsecureTLS": {{ consul_oidc_insecure_tls | lower }}, - "AllowedRedirectURIs": {{ consul_oidc_redirect_uris | to_json }}, - "ClaimMappings": { "preferred_username": "username" }, - "ListClaimMappings": { "groups": "groups" } - }' - environment: - CONSUL_HTTP_ADDR: "https://127.0.0.1:{{ consul_https_port }}" - CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" - CONSUL_HTTP_SSL_VERIFY: "false" +- name: Create or Update Keycloak OIDC Auth Method via API + ansible.builtin.uri: + url: "https://127.0.0.1:{{ consul_https_port }}/v1/acl/auth-method" + method: "{{ 'PUT' if auth_method_check.rc == 0 else 'POST' }}" + headers: + X-Consul-Token: "{{ consul_master_token }}" + validate_certs: false + body_format: json + body: + Name: "keycloak" + Type: "oidc" + Description: "SSO via Keycloak" + MaxTokenTTL: "{{ consul_oidc_max_token_ttl }}" + Config: + OIDCDiscoveryURL: "{{ keycloak_internal_url }}/realms/{{ keycloak_realm }}" + BoundIssuer: "{{ keycloak_url }}/realms/{{ keycloak_realm }}" + OIDCClientID: "{{ consul_oidc_client_id }}" + OIDCClientSecret: "{{ consul_oidc_client_secret }}" + OIDCInsecureTLS: {{ consul_oidc_insecure_tls | bool }} + AllowedRedirectURIs: {{ consul_oidc_redirect_uris }} + ClaimMappings: + preferred_username: "username" + ListClaimMappings: + groups: "groups" + status_code: [200, 201] run_once: true + - name: 
Create Binding Rule for SSO Users ansible.builtin.command: > consul acl binding-rule create From 540118d629c18cbb9bad4f53fa1dd8d970f12f3b Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Thu, 30 Apr 2026 11:44:09 +0530 Subject: [PATCH 394/412] Update oidc.yml --- tasks/oidc.yml | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/tasks/oidc.yml b/tasks/oidc.yml index 9c6cefd..dc842c2 100644 --- a/tasks/oidc.yml +++ b/tasks/oidc.yml @@ -28,16 +28,15 @@ BoundIssuer: "{{ keycloak_url }}/realms/{{ keycloak_realm }}" OIDCClientID: "{{ consul_oidc_client_id }}" OIDCClientSecret: "{{ consul_oidc_client_secret }}" - OIDCInsecureTLS: {{ consul_oidc_insecure_tls | bool }} - AllowedRedirectURIs: {{ consul_oidc_redirect_uris }} + OIDCInsecureTLS: "{{ consul_oidc_insecure_tls | bool }}" + AllowedRedirectURIs: "{{ consul_oidc_redirect_uris }}" ClaimMappings: preferred_username: "username" ListClaimMappings: groups: "groups" - status_code: [200, 201] + status_code: [200, 201, 204] run_once: true - - name: Create Binding Rule for SSO Users ansible.builtin.command: > consul acl binding-rule create From 07f63ffd4e75008b5fe55932eb455b859c02d7d9 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Thu, 30 Apr 2026 11:53:07 +0530 Subject: [PATCH 395/412] Update oidc.yml --- tasks/oidc.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tasks/oidc.yml b/tasks/oidc.yml index dc842c2..d5e2293 100644 --- a/tasks/oidc.yml +++ b/tasks/oidc.yml @@ -28,13 +28,13 @@ BoundIssuer: "{{ keycloak_url }}/realms/{{ keycloak_realm }}" OIDCClientID: "{{ consul_oidc_client_id }}" OIDCClientSecret: "{{ consul_oidc_client_secret }}" - OIDCInsecureTLS: "{{ consul_oidc_insecure_tls | bool }}" + OIDCInsecureTLS: true AllowedRedirectURIs: "{{ consul_oidc_redirect_uris }}" ClaimMappings: preferred_username: "username" ListClaimMappings: groups: "groups" - status_code: [200, 201, 204] + status_code: [200, 201] run_once: true - name: Create Binding Rule for SSO Users 
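Review bot: `validate_certs: false` disables certificate verification for the `uri` call that sends `consul_master_token` in `X-Consul-Token` and the client secret in `body`, and the same task forwards `OIDCInsecureTLS` for Consul's own calls to Keycloak, so transport authentication is switched off on both hops. Even for a loopback address prefer `ca_path: "<path to the Consul CA used by this role>"` (placeholder) over disabling verification, and keep `OIDCInsecureTLS` off unless the Keycloak endpoint genuinely has no trusted CA. Separately, `OIDCInsecureTLS: {{ consul_oidc_insecure_tls | bool }}` and `AllowedRedirectURIs: {{ consul_oidc_redirect_uris }}` start their value with `{{`, which YAML parses as a flow mapping, so this file does not load as written; the next commit quotes them. The `method: "{{ 'PUT' if ... else 'POST' }}"` choice is not what Consul's ACL API expects for create, which is what the later 405 error points at.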
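Review bot: Replacing `OIDCInsecureTLS: "{{ consul_oidc_insecure_tls | bool }}"` with a literal `true` pins insecure TLS for Consul's discovery and token calls to Keycloak and orphans the `consul_oidc_insecure_tls` variable that operators were meant to toggle. The quoted form does yield a boolean in Ansible (classic templating converts a rendered `True`/`False` back to bool and native templating keeps the type), so it can be restored as `OIDCInsecureTLS: "{{ consul_oidc_insecure_tls | bool }}"` with the variable defaulting to `false` in `defaults/main.yml`. The `status_code` change from `[200, 201, 204]` back to `[200, 201]` in the same hunk is reversed again two commits later, so this hunk reads as a debugging iteration rather than a reviewable change.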
From 354189fff86d7a27a1e52e0d1f60ebe5c00b1e81 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Thu, 30 Apr 2026 11:53:11 +0530 Subject: [PATCH 396/412] Update main.yml --- defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index 3a6c88c..be11067 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -38,7 +38,7 @@ consul_oidc_enabled: true consul_public_url: "https://opstree.dev" # Internal URL to bypass Cloudflare 522. Use 127.0.0.1 if Keycloak is on the same node. -keycloak_internal_url: "http://127.0.0.1:8080" +keycloak_internal_url: "http://192.168.8.30:8080" keycloak_url: "https://opstree.dev" keycloak_realm: "master" From 201e606b57313439e4f959509b76e7b640388602 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Thu, 30 Apr 2026 12:32:23 +0530 Subject: [PATCH 397/412] Update main.yml --- defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index be11067..8b8d820 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -39,7 +39,7 @@ consul_public_url: "https://opstree.dev" # Internal URL to bypass Cloudflare 522. Use 127.0.0.1 if Keycloak is on the same node. keycloak_internal_url: "http://192.168.8.30:8080" -keycloak_url: "https://opstree.dev" +keycloak_url: "http://192.168.8.30:8080" keycloak_realm: "master" consul_oidc_client_id: "consul" From 9abb7090733d79856b051bd7d0899273332370c0 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Thu, 30 Apr 2026 12:34:02 +0530 Subject: [PATCH 398/412] Update oidc.yml --- tasks/oidc.yml | 20 +++++--------------- 1 file changed, 5 insertions(+), 15 deletions(-) diff --git a/tasks/oidc.yml b/tasks/oidc.yml index d5e2293..dc256e3 100644 --- a/tasks/oidc.yml +++ b/tasks/oidc.yml 
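Review bot: `keycloak_url: "http://192.168.8.30:8080"` (and `keycloak_internal_url` in the previous hunk) puts a site-specific RFC 1918 address into the role's `defaults/main.yml`, and because `keycloak_url` feeds `BoundIssuer` it has to equal the `iss` claim Keycloak actually emits, which is unlikely to be a plaintext internal address when users reach Keycloak via `https://opstree.dev`. Keep role defaults generic, e.g. `keycloak_url: "https://<keycloak-host>"` as a placeholder with the real values in inventory or group_vars, and revise the `# Internal URL to bypass Cloudflare 522 ...` comment, which no longer describes anything once both values are identical. Fetching the discovery document and JWKS over `http://` also means Consul obtains the token-signing keys without any transport authentication.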
@@ -1,19 +1,9 @@ --- -- name: Check if Keycloak auth method exists - ansible.builtin.command: > - consul acl auth-method read -name keycloak - environment: - CONSUL_HTTP_ADDR: "https://127.0.0.1:{{ consul_https_port }}" - CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" - CONSUL_HTTP_SSL_VERIFY: "false" - register: auth_method_check - ignore_errors: true - run_once: true - -- name: Create or Update Keycloak OIDC Auth Method via API +- name: Upsert Keycloak OIDC Auth Method via API ansible.builtin.uri: - url: "https://127.0.0.1:{{ consul_https_port }}/v1/acl/auth-method" - method: "{{ 'PUT' if auth_method_check.rc == 0 else 'POST' }}" + # PUT to the resource name (/keycloak) handles both create and update + url: "https://127.0.0.1:{{ consul_https_port }}/v1/acl/auth-method/keycloak" + method: PUT headers: X-Consul-Token: "{{ consul_master_token }}" validate_certs: false @@ -34,7 +24,7 @@ preferred_username: "username" ListClaimMappings: groups: "groups" - status_code: [200, 201] + status_code: [200, 201, 204] run_once: true - name: Create Binding Rule for SSO Users From bce53f941fedc522bfcae339563d86f5e250e7f4 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Thu, 30 Apr 2026 12:42:06 +0530 Subject: [PATCH 399/412] Update oidc.yml --- tasks/oidc.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/tasks/oidc.yml b/tasks/oidc.yml index dc256e3..17a3af9 100644 --- a/tasks/oidc.yml +++ b/tasks/oidc.yml @@ -1,7 +1,7 @@ --- - name: Upsert Keycloak OIDC Auth Method via API ansible.builtin.uri: - # PUT to the resource name (/keycloak) handles both create and update + # Using the specific resource path (/keycloak) for an idempotent PUT url: "https://127.0.0.1:{{ consul_https_port }}/v1/acl/auth-method/keycloak" method: PUT headers: 
@@ -14,11 +14,14 @@ Description: "SSO via Keycloak" MaxTokenTTL: "{{ consul_oidc_max_token_ttl }}" Config: + # These URLs must exactly match the "issuer" from your curl output OIDCDiscoveryURL: "{{ keycloak_internal_url }}/realms/{{ keycloak_realm }}" BoundIssuer: "{{ keycloak_url }}/realms/{{ keycloak_realm }}" OIDCClientID: "{{ consul_oidc_client_id }}" OIDCClientSecret: "{{ consul_oidc_client_secret }}" OIDCInsecureTLS: true + # Required: Consul 1.17.0 often needs the ClientID in BoundAudiences to validate + BoundAudiences: ["{{ consul_oidc_client_id }}"] AllowedRedirectURIs: "{{ consul_oidc_redirect_uris }}" ClaimMappings: preferred_username: "username" From d4ea5c6379855ba36892963938559a3006ebebf9 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Thu, 30 Apr 2026 12:47:30 +0530 Subject: [PATCH 400/412] Update oidc.yml --- tasks/oidc.yml | 18 ++++++------------ 1 file changed, 6 insertions(+), 12 deletions(-) diff --git a/tasks/oidc.yml b/tasks/oidc.yml index 17a3af9..04ed90a 100644 --- a/tasks/oidc.yml +++ b/tasks/oidc.yml @@ -1,7 +1,6 @@ --- - name: Upsert Keycloak OIDC Auth Method via API ansible.builtin.uri: - # Using the specific resource path (/keycloak) for an idempotent PUT url: "https://127.0.0.1:{{ consul_https_port }}/v1/acl/auth-method/keycloak" method: PUT headers: 
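Review bot: The comment `# These URLs must exactly match the "issuer" from your curl output` records a debugging session rather than the contract, and a maintainer without that curl output cannot act on it. State the invariant instead, e.g. `# BoundIssuer must equal the "iss" claim Keycloak emits (the realm URL as users see it); OIDCDiscoveryURL is the realm URL Consul servers can reach` above `OIDCDiscoveryURL`. Likewise `# Required: Consul 1.17.0 often needs the ClientID in BoundAudiences to validate` should say what the field does — Consul checks the token's `aud` claim against this list — rather than "often needs"; the version-specific claim cannot be verified from here. The enclosing `body:` mapping starts outside this hunk.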
@@ -12,21 +11,16 @@ Name: "keycloak" Type: "oidc" Description: "SSO via Keycloak" - MaxTokenTTL: "{{ consul_oidc_max_token_ttl }}" Config: - # These URLs must exactly match the "issuer" from your curl output - OIDCDiscoveryURL: "{{ keycloak_internal_url }}/realms/{{ keycloak_realm }}" - BoundIssuer: "{{ keycloak_url }}/realms/{{ keycloak_realm }}" + # These MUST match your successful curl output exactly + OIDCDiscoveryURL: "http://192.168.8" + BoundIssuer: "http://192.168.8" OIDCClientID: "{{ consul_oidc_client_id }}" OIDCClientSecret: "{{ consul_oidc_client_secret }}" OIDCInsecureTLS: true - # Required: Consul 1.17.0 often needs the ClientID in BoundAudiences to validate - BoundAudiences: ["{{ consul_oidc_client_id }}"] - AllowedRedirectURIs: "{{ consul_oidc_redirect_uris }}" - ClaimMappings: - preferred_username: "username" - ListClaimMappings: - groups: "groups" + AllowedRedirectURIs: + - "https://opstree.dev" + - "http://localhost:8550/oidc/callback" status_code: [200, 201, 204] run_once: true From 68eccde2a74ed55d130ca7bbe56828378d7c6b0e Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Thu, 30 Apr 2026 12:54:52 +0530 Subject: [PATCH 401/412] Update oidc.yml --- tasks/oidc.yml | 17 +++++++++++------ 1 file changed, 11 insertions(+), 6 deletions(-) diff --git a/tasks/oidc.yml b/tasks/oidc.yml index 04ed90a..98bfacc 100644 --- a/tasks/oidc.yml +++ b/tasks/oidc.yml @@ -1,6 +1,7 @@ --- - name: Upsert Keycloak OIDC Auth Method via API ansible.builtin.uri: + # Pointing directly to the method name (/keycloak) performs an idempotent PUT url: "https://127.0.0.1:{{ consul_https_port }}/v1/acl/auth-method/keycloak" method: PUT headers: 
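Review bot: `OIDCDiscoveryURL: "http://192.168.8"` and `BoundIssuer: "http://192.168.8"` are truncated literals rather than URLs, and together with the hardcoded `AllowedRedirectURIs` entries and the removed `MaxTokenTTL`, `BoundAudiences`, `ClaimMappings` and `ListClaimMappings` this hunk replaces every role variable in the body with site-specific values; the very next commit reverts all of it. Dropping `ListClaimMappings` in particular breaks the `list.groups contains ...` selector of the binding-rule task further down the file, which depends on the `groups` list claim. Commits 400/401 (and the similar flip-flops in 405/406 and 410/411) should be squashed before merge so the history contains no state in which the role is unusable.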
@@ -11,16 +12,20 @@ Name: "keycloak" Type: "oidc" Description: "SSO via Keycloak" + MaxTokenTTL: "{{ consul_oidc_max_token_ttl }}" Config: - # These MUST match your successful curl output exactly - OIDCDiscoveryURL: "http://192.168.8" - BoundIssuer: "http://192.168.8" + OIDCDiscoveryURL: "{{ keycloak_internal_url }}/realms/{{ keycloak_realm }}" + BoundIssuer: "{{ keycloak_url }}/realms/{{ keycloak_realm }}" OIDCClientID: "{{ consul_oidc_client_id }}" OIDCClientSecret: "{{ consul_oidc_client_secret }}" OIDCInsecureTLS: true - AllowedRedirectURIs: - - "https://opstree.dev" - - "http://localhost:8550/oidc/callback" + # Client ID must be in the audiences list for validation + BoundAudiences: ["{{ consul_oidc_client_id }}"] + AllowedRedirectURIs: "{{ consul_oidc_redirect_uris }}" + ClaimMappings: + preferred_username: "username" + ListClaimMappings: + groups: "groups" status_code: [200, 201, 204] run_once: true From 5245ff7b0e40d999e33287d3314f82ca8d04eb6f Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Thu, 30 Apr 2026 13:11:57 +0530 Subject: [PATCH 402/412] Update oidc.yml --- tasks/oidc.yml | 38 ++++++++++++++++++++++++++++++-------- 1 file changed, 30 insertions(+), 8 deletions(-) diff --git a/tasks/oidc.yml b/tasks/oidc.yml index 98bfacc..b87d9bd 100644 --- a/tasks/oidc.yml +++ b/tasks/oidc.yml 
@@ -1,12 +1,35 @@ --- +# ✅ Step 1: Check if the existing method is JWT (to prevent 500 error on Type change) +- name: Check current Keycloak auth method type + ansible.builtin.uri: + url: "http://127.0.0" + method: GET + headers: + X-Consul-Token: "{{ consul_master_token }}" + status_code: [200, 404] + register: existing_method + run_once: true + +# ✅ Step 2: Delete if it is NOT OIDC (Consul cannot update Type in-place) +- name: Delete existing JWT method to allow OIDC creation + ansible.builtin.uri: + url: "http://127.0.0" + method: DELETE + headers: + X-Consul-Token: "{{ consul_master_token }}" + status_code: [200, 204] + run_once: true + when: + - existing_method.status == 200 + - existing_method.json.Type != 'oidc' + +# ✅ Step 3: Create/Update the OIDC Auth Method - name: Upsert Keycloak OIDC Auth Method via API ansible.builtin.uri: - # Pointing directly to the method name (/keycloak) performs an idempotent PUT - url: "https://127.0.0.1:{{ consul_https_port }}/v1/acl/auth-method/keycloak" - method: PUT + url: "http://127.0.0" + method: POST headers: X-Consul-Token: "{{ consul_master_token }}" - validate_certs: false body_format: json body: Name: "keycloak" @@ -19,16 +42,16 @@ OIDCClientID: "{{ consul_oidc_client_id }}" OIDCClientSecret: "{{ consul_oidc_client_secret }}" OIDCInsecureTLS: true - # Client ID must be in the audiences list for validation BoundAudiences: ["{{ consul_oidc_client_id }}"] AllowedRedirectURIs: "{{ consul_oidc_redirect_uris }}" ClaimMappings: preferred_username: "username" ListClaimMappings: groups: "groups" - status_code: [200, 201, 204] + status_code: [200, 201] run_once: true +# ✅ Step 4: Create Binding Rule - name: Create Binding Rule for SSO Users ansible.builtin.command: > consul acl binding-rule create 
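Review bot: The new `method: DELETE` step removes the `keycloak` auth method whenever `existing_method.json.Type != 'oidc'`, and as far as I recall Consul deletes the binding rules attached to an auth method and invalidates every token issued through it when the method is deleted, so each run that takes this branch logs out all SSO users and removes the rule the later `Create Binding Rule` task is meant to provide. If a type change is really required, make it a deliberate migration — gate it on an explicit variable such as `consul_oidc_allow_type_change: false` and fail with a clear message otherwise — rather than doing it silently on the converge path. The `url: "http://127.0.0"` values in all three tasks are placeholders that cannot work, and dropping `validate_certs: false` only because the scheme changed to `http://` trades certificate checking for no transport protection at all (see the note on the last hunk of this commit).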
@@ -37,9 +60,8 @@ -bind-name="readonly-policy" -selector="list.groups contains /consul-users" environment: - CONSUL_HTTP_ADDR: "https://127.0.0.1:{{ consul_https_port }}" + CONSUL_HTTP_ADDR: "http://127.0.0.1:8500" CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" - CONSUL_HTTP_SSL_VERIFY: "false" run_once: true register: binding_rule_out failed_when: From 7b0a663b24a16383b085b861bd31a70042368d48 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Thu, 30 Apr 2026 13:15:57 +0530 Subject: [PATCH 403/412] Update oidc.yml --- tasks/oidc.yml | 28 +++++++++++++--------------- 1 file changed, 13 insertions(+), 15 deletions(-) diff --git a/tasks/oidc.yml b/tasks/oidc.yml index b87d9bd..96f288c 100644 --- a/tasks/oidc.yml +++ b/tasks/oidc.yml @@ -1,8 +1,8 @@ --- -# ✅ Step 1: Check if the existing method is JWT (to prevent 500 error on Type change) -- name: Check current Keycloak auth method type +# ✅ Step 1: Check if the existing method exists (using your working URL) +- name: Check current Keycloak auth method ansible.builtin.uri: - url: "http://127.0.0" + url: "http://127.0.0.1:8500/v1/acl/auth-method/keycloak" method: GET headers: X-Consul-Token: "{{ consul_master_token }}" @@ -10,10 +10,10 @@ register: existing_method run_once: true -# ✅ Step 2: Delete if it is NOT OIDC (Consul cannot update Type in-place) -- name: Delete existing JWT method to allow OIDC creation +# ✅ Step 2: Delete if it is "jwt" (Must do this to change Type to "oidc") +- name: Delete existing JWT method ansible.builtin.uri: - url: "http://127.0.0" + url: "http://127.0.0.1:8500/v1/acl/auth-method/keycloak" method: DELETE headers: X-Consul-Token: "{{ consul_master_token }}" 
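Review bot: `CONSUL_HTTP_ADDR: "http://127.0.0.1:8500"` moves the binding-rule call (and, in the earlier hunks, the `uri` tasks) from the TLS listener on `consul_https_port` to plaintext HTTP, so `consul_master_token` now travels in clear and the role no longer honours its own `consul_https_port` variable or works on agents whose plain HTTP listener is disabled. Keep `CONSUL_HTTP_ADDR: "https://127.0.0.1:{{ consul_https_port }}"` and replace the removed `CONSUL_HTTP_SSL_VERIFY: "false"` with `CONSUL_CACERT: "<path to the Consul CA>"` (placeholder) so the certificate is verified rather than ignored. The enclosing task starts outside this hunk.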
@@ -21,12 +21,12 @@ run_once: true when: - existing_method.status == 200 - - existing_method.json.Type != 'oidc' + - existing_method.json.Type == 'jwt' -# ✅ Step 3: Create/Update the OIDC Auth Method -- name: Upsert Keycloak OIDC Auth Method via API +# ✅ Step 3: Create the OIDC Auth Method +- name: Create Keycloak OIDC Auth Method via API ansible.builtin.uri: - url: "http://127.0.0" + url: "http://127.0.0.1:8500/v1/acl/auth-method" method: POST headers: X-Consul-Token: "{{ consul_master_token }}" @@ -35,20 +35,18 @@ Name: "keycloak" Type: "oidc" Description: "SSO via Keycloak" - MaxTokenTTL: "{{ consul_oidc_max_token_ttl }}" Config: OIDCDiscoveryURL: "{{ keycloak_internal_url }}/realms/{{ keycloak_realm }}" BoundIssuer: "{{ keycloak_url }}/realms/{{ keycloak_realm }}" OIDCClientID: "{{ consul_oidc_client_id }}" OIDCClientSecret: "{{ consul_oidc_client_secret }}" OIDCInsecureTLS: true - BoundAudiences: ["{{ consul_oidc_client_id }}"] - AllowedRedirectURIs: "{{ consul_oidc_redirect_uris }}" + AllowedRedirectURIs: {{ consul_oidc_redirect_uris }} ClaimMappings: preferred_username: "username" ListClaimMappings: groups: "groups" - status_code: [200, 201] + status_code: [200, 201, 204] run_once: true # ✅ Step 4: Create Binding Rule @@ -58,7 +56,7 @@ -method="keycloak" -bind-type="policy" -bind-name="readonly-policy" - -selector="list.groups contains /consul-users" + -selector="list.groups contains consul-users" environment: CONSUL_HTTP_ADDR: "http://127.0.0.1:8500" CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" From 08ffd3bcc2c54bd1efa5b544ff9b406e9e2018c9 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Thu, 30 Apr 2026 13:18:40 +0530 Subject: [PATCH 404/412] Update oidc.yml --- tasks/oidc.yml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/tasks/oidc.yml b/tasks/oidc.yml index 96f288c..24eeb6b 100644 --- a/tasks/oidc.yml +++ b/tasks/oidc.yml 
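Review bot: Removing `MaxTokenTTL: "{{ consul_oidc_max_token_ttl }}"` from the auth-method body means tokens minted through `keycloak` get no expiry — as far as I recall Consul only sets an expiration on login tokens when the method defines `MaxTokenTTL` — and none of the following commits put the line back. Restore it directly under `Description` and keep `consul_oidc_max_token_ttl` as the operator knob. Separately, `AllowedRedirectURIs: {{ consul_oidc_redirect_uris }}` starts a YAML value with `{{` and will not parse (the next commit quotes it), and narrowing the delete condition to `existing_method.json.Type == 'jwt'` leaves a leftover method of any other type untouched instead of reconciling it.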
@@ -1,5 +1,5 @@ --- -# ✅ Step 1: Check if the existing method exists (using your working URL) +# ✅ Step 1: Check if the existing method exists - name: Check current Keycloak auth method ansible.builtin.uri: url: "http://127.0.0.1:8500/v1/acl/auth-method/keycloak" @@ -10,7 +10,7 @@ register: existing_method run_once: true -# ✅ Step 2: Delete if it is "jwt" (Must do this to change Type to "oidc") +# ✅ Step 2: Delete if it is "jwt" - name: Delete existing JWT method ansible.builtin.uri: url: "http://127.0.0.1:8500/v1/acl/auth-method/keycloak" @@ -41,7 +41,8 @@ OIDCClientID: "{{ consul_oidc_client_id }}" OIDCClientSecret: "{{ consul_oidc_client_secret }}" OIDCInsecureTLS: true - AllowedRedirectURIs: {{ consul_oidc_redirect_uris }} + # Quotes added here to fix the YAML syntax error + AllowedRedirectURIs: "{{ consul_oidc_redirect_uris }}" ClaimMappings: preferred_username: "username" ListClaimMappings: From 4c00e3ece458a9ffadb77c39357574306da45b47 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Thu, 30 Apr 2026 13:25:13 +0530 Subject: [PATCH 405/412] Update oidc.yml --- tasks/oidc.yml | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/tasks/oidc.yml b/tasks/oidc.yml index 24eeb6b..a2086a2 100644 --- a/tasks/oidc.yml +++ b/tasks/oidc.yml @@ -10,7 +10,8 @@ register: existing_method run_once: true -# ✅ Step 2: Delete if it is "jwt" +# ✅ Step 2: Delete ONLY if it is "jwt" +# (This clears the path for the OIDC type) - name: Delete existing JWT method ansible.builtin.uri: url: "http://127.0.0.1:8500/v1/acl/auth-method/keycloak" 
@@ -23,11 +24,12 @@ - existing_method.status == 200 - existing_method.json.Type == 'jwt' -# ✅ Step 3: Create the OIDC Auth Method -- name: Create Keycloak OIDC Auth Method via API +# ✅ Step 3: Create or Update the OIDC Auth Method +# Changed to PUT and added the name to the URL to fix the 405 error +- name: Upsert Keycloak OIDC Auth Method via API ansible.builtin.uri: - url: "http://127.0.0.1:8500/v1/acl/auth-method" - method: POST + url: "http://127.0.0.1:8500/v1/acl/auth-method/keycloak" + method: PUT headers: X-Consul-Token: "{{ consul_master_token }}" body_format: json @@ -41,13 +43,12 @@ OIDCClientID: "{{ consul_oidc_client_id }}" OIDCClientSecret: "{{ consul_oidc_client_secret }}" OIDCInsecureTLS: true - # Quotes added here to fix the YAML syntax error AllowedRedirectURIs: "{{ consul_oidc_redirect_uris }}" ClaimMappings: preferred_username: "username" ListClaimMappings: groups: "groups" - status_code: [200, 201, 204] + status_code: [200, 201, 204, 200] run_once: true # ✅ Step 4: Create Binding Rule From 5e77c61ae4fbde45e8ab8e2308a09847a069834b Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Thu, 30 Apr 2026 13:29:53 +0530 Subject: [PATCH 406/412] Update oidc.yml --- tasks/oidc.yml | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/tasks/oidc.yml b/tasks/oidc.yml index a2086a2..0c27947 100644 --- a/tasks/oidc.yml +++ b/tasks/oidc.yml @@ -25,7 +25,6 @@ - existing_method.json.Type == 'jwt' # ✅ Step 3: Create or Update the OIDC Auth Method -# Changed to PUT and added the name to the URL to fix the 405 error - name: Upsert Keycloak OIDC Auth Method via API ansible.builtin.uri: url: "http://127.0.0.1:8500/v1/acl/auth-method/keycloak" 
@@ -43,14 +42,18 @@ OIDCClientID: "{{ consul_oidc_client_id }}" OIDCClientSecret: "{{ consul_oidc_client_secret }}" OIDCInsecureTLS: true - AllowedRedirectURIs: "{{ consul_oidc_redirect_uris }}" + # Fix 1: Explicitly wrap the redirect URI in a list + AllowedRedirectURIs: + - "{{ consul_oidc_redirect_uris }}" + # Fix 2: Add BoundAudiences (required by many OIDC providers) + BoundAudiences: + - "{{ consul_oidc_client_id }}" ClaimMappings: preferred_username: "username" ListClaimMappings: groups: "groups" - status_code: [200, 201, 204, 200] + status_code: [200, 201, 204] run_once: true - # ✅ Step 4: Create Binding Rule - name: Create Binding Rule for SSO Users ansible.builtin.command: > From 7db952f2c543189c1a91aff446e3600377435b63 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Thu, 30 Apr 2026 13:36:22 +0530 Subject: [PATCH 407/412] Update oidc.yml --- tasks/oidc.yml | 35 ++++++++++++++++------------------- 1 file changed, 16 insertions(+), 19 deletions(-) diff --git a/tasks/oidc.yml b/tasks/oidc.yml index 0c27947..6626f5b 100644 --- a/tasks/oidc.yml +++ b/tasks/oidc.yml @@ -10,9 +10,9 @@ register: existing_method run_once: true -# ✅ Step 2: Delete ONLY if it is "jwt" -# (This clears the path for the OIDC type) -- name: Delete existing JWT method +# ✅ Step 2: Delete ONLY if it is not the correct configuration +# This ensures we can change the 'Type' from any failed attempts back to 'jwt' +- name: Delete existing method if not jwt ansible.builtin.uri: url: "http://127.0.0.1:8500/v1/acl/auth-method/keycloak" method: DELETE 
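Review bot: `AllowedRedirectURIs:` followed by `- "{{ consul_oidc_redirect_uris }}"` wraps the variable in a one-element list, yet earlier revisions pass the same variable through `to_json` as a JSON array, which suggests it is already a list; if so Consul receives a single "URI" that is the stringified list and the real callback is never allowed. Use `AllowedRedirectURIs: "{{ consul_oidc_redirect_uris }}"` when the variable is a list, or document in `defaults/main.yml` that it holds a single string, and replace the `# Fix 1:` / `# Fix 2:` comments with ones that describe the fields (`# Redirect URIs the UI/CLI may use after login` and `# Consul checks the token "aud" claim against this list`). The `BoundAudiences:` list form is fine since `consul_oidc_client_id` is a scalar.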
@@ -22,10 +22,11 @@ run_once: true when: - existing_method.status == 200 - - existing_method.json.Type == 'jwt' + - existing_method.json.Type != 'jwt' -# ✅ Step 3: Create or Update the OIDC Auth Method -- name: Upsert Keycloak OIDC Auth Method via API +# ✅ Step 3: Create or Update the JWT Auth Method +# Note: Using Type 'jwt' because your Consul logs show 'oidc' is not supported +- name: Upsert Keycloak JWT Auth Method via API ansible.builtin.uri: url: "http://127.0.0.1:8500/v1/acl/auth-method/keycloak" method: PUT @@ -34,27 +35,23 @@ body_format: json body: Name: "keycloak" - Type: "oidc" - Description: "SSO via Keycloak" + Type: "jwt" + Description: "JWT Auth via Keycloak" Config: - OIDCDiscoveryURL: "{{ keycloak_internal_url }}/realms/{{ keycloak_realm }}" + # JWT type requires manual JWKS URL instead of Discovery URL + JWKSURL: "{{ keycloak_internal_url }}/realms/{{ keycloak_realm }}/protocol/openid-connect/certs" BoundIssuer: "{{ keycloak_url }}/realms/{{ keycloak_realm }}" - OIDCClientID: "{{ consul_oidc_client_id }}" - OIDCClientSecret: "{{ consul_oidc_client_secret }}" - OIDCInsecureTLS: true - # Fix 1: Explicitly wrap the redirect URI in a list - AllowedRedirectURIs: - - "{{ consul_oidc_redirect_uris }}" - # Fix 2: Add BoundAudiences (required by many OIDC providers) - BoundAudiences: - - "{{ consul_oidc_client_id }}" + JWTSupportedAlgs: ["RS256"] + # Required for many JWT implementations to verify the target + BoundAudiences: ["{{ consul_oidc_client_id }}"] ClaimMappings: preferred_username: "username" ListClaimMappings: groups: "groups" status_code: [200, 201, 204] run_once: true -# ✅ Step 4: Create Binding Rule + +# ✅ Step 4: Create Binding Rule for SSO Users - name: Create Binding Rule for SSO Users ansible.builtin.command: > consul acl binding-rule create From efb83b605ec094a9bd061eb7db89ca5b9bb322f1 Mon Sep 17 00:00:00 2001 
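Review bot: Switching to `Type: "jwt"` is the right call for Consul Community Edition, where the `oidc` auth method is an Enterprise-only type, but the comment `# Note: Using Type 'jwt' because your Consul logs show 'oidc' is not supported` should state that fact, and the task should stop describing itself as SSO: a `jwt` method validates a token the user obtains from Keycloak out of band (`consul login -method=keycloak -bearer-token-file=...`), it does not give the UI a login button. With `JWKSURL` now the trust anchor, the signing keys are fetched from `keycloak_internal_url`, which at this point in the series is a plaintext `http://` address; anyone able to answer for that host can supply keys that mint valid Consul tokens, so require `https://` here and set `JWKSCACert` when Keycloak uses a private CA. `JWTSupportedAlgs: ["RS256"]` is a sensible restriction and deserves a short comment such as `# pin the signing algorithm; do not widen without reviewing Keycloak's key config`.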
From: AnithaAnnem Date: Thu, 30 Apr 2026 13:41:57 +0530 Subject: [PATCH 408/412] Update oidc.yml --- tasks/oidc.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tasks/oidc.yml b/tasks/oidc.yml index 6626f5b..0cdccdc 100644 --- a/tasks/oidc.yml +++ b/tasks/oidc.yml @@ -58,12 +58,13 @@ -method="keycloak" -bind-type="policy" -bind-name="readonly-policy" - -selector="list.groups contains consul-users" + -selector='list.groups contains "consul-users"' environment: CONSUL_HTTP_ADDR: "http://127.0.0.1:8500" CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" run_once: true register: binding_rule_out + # This part stays the same to handle idempotency failed_when: - binding_rule_out.rc != 0 - "'already exists' not in binding_rule_out.stderr" From de4e2dfa48c80325f4c8291794a92f846e42dee8 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Thu, 30 Apr 2026 13:45:19 +0530 Subject: [PATCH 409/412] Update oidc.yml --- tasks/oidc.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/tasks/oidc.yml b/tasks/oidc.yml index 0cdccdc..eaff08b 100644 --- a/tasks/oidc.yml +++ b/tasks/oidc.yml @@ -56,15 +56,14 @@ ansible.builtin.command: > consul acl binding-rule create -method="keycloak" - -bind-type="policy" - -bind-name="readonly-policy" + -bind-type="role" + -bind-name="readonly-role" -selector='list.groups contains "consul-users"' environment: CONSUL_HTTP_ADDR: "http://127.0.0.1:8500" CONSUL_HTTP_TOKEN: "{{ consul_master_token }}" run_once: true register: binding_rule_out - # This part stays the same to handle idempotency failed_when: - binding_rule_out.rc != 0 - "'already exists' not in binding_rule_out.stderr" From 360797470a68fe29bf920fe2ff6256c8bd15452d Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Thu, 30 Apr 2026 15:08:22 +0530 Subject: [PATCH 410/412] Update oidc.yml --- tasks/oidc.yml | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/tasks/oidc.yml b/tasks/oidc.yml index eaff08b..e9c5b3c 100644 
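Review bot: The `failed_when` guard `"'already exists' not in binding_rule_out.stderr"` does not make `consul acl binding-rule create` idempotent: binding rules are keyed by a generated ID rather than a name, so as far as I know Consul creates another identical rule on every run and never reports "already exists". Look the rule up first — `GET /v1/acl/binding-rules?authmethod=keycloak` via `uri`, or `consul acl binding-rule list -method=keycloak` — and run `create` only when no rule with this selector and bind name exists, or register the created ID and update it thereafter. The new `-bind-type="role"` / `-bind-name="readonly-role"` pair also assumes a role named `readonly-role` exists; nothing in this file creates it, so add a comment naming where it comes from or an assertion before this task. The enclosing task starts outside this hunk.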
--- a/tasks/oidc.yml +++ b/tasks/oidc.yml @@ -11,7 +11,6 @@ run_once: true # ✅ Step 2: Delete ONLY if it is not the correct configuration -# This ensures we can change the 'Type' from any failed attempts back to 'jwt' - name: Delete existing method if not jwt ansible.builtin.uri: url: "http://127.0.0.1:8500/v1/acl/auth-method/keycloak" @@ -24,8 +23,7 @@ - existing_method.status == 200 - existing_method.json.Type != 'jwt' -# ✅ Step 3: Create or Update the JWT Auth Method -# Note: Using Type 'jwt' because your Consul logs show 'oidc' is not supported +# ✅ Step 3: Create or Update the JWT Auth Method (Updated for UI Visibility) - name: Upsert Keycloak JWT Auth Method via API ansible.builtin.uri: url: "http://127.0.0.1:8500/v1/acl/auth-method/keycloak" @@ -38,12 +36,17 @@ Type: "jwt" Description: "JWT Auth via Keycloak" Config: - # JWT type requires manual JWKS URL instead of Discovery URL JWKSURL: "{{ keycloak_internal_url }}/realms/{{ keycloak_realm }}/protocol/openid-connect/certs" BoundIssuer: "{{ keycloak_url }}/realms/{{ keycloak_realm }}" JWTSupportedAlgs: ["RS256"] - # Required for many JWT implementations to verify the target BoundAudiences: ["{{ consul_oidc_client_id }}"] + + # --- ADD THESE TWO LINES TO ENABLE THE UI LOGIN BUTTON --- + OIDCDiscoveryURL: "{{ keycloak_internal_url }}/realms/{{ keycloak_realm }}" + AllowedRedirectURIs: + - "http://192.168.8.35:8500/ui/oidc/callback" + # --------------------------------------------------------- + ClaimMappings: preferred_username: "username" ListClaimMappings: From 6b93973f488b15cecf3fa8d92a3228a23b7400b5 Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Thu, 30 Apr 2026 15:12:45 +0530 Subject: [PATCH 411/412] Update oidc.yml --- tasks/oidc.yml | 7 ------- 1 file changed, 7 deletions(-) diff --git a/tasks/oidc.yml b/tasks/oidc.yml index e9c5b3c..9a3b5b0 100644 --- a/tasks/oidc.yml +++ b/tasks/oidc.yml 
@@ -40,13 +40,6 @@ BoundIssuer: "{{ keycloak_url }}/realms/{{ keycloak_realm }}" JWTSupportedAlgs: ["RS256"] BoundAudiences: ["{{ consul_oidc_client_id }}"] - - # --- ADD THESE TWO LINES TO ENABLE THE UI LOGIN BUTTON --- - OIDCDiscoveryURL: "{{ keycloak_internal_url }}/realms/{{ keycloak_realm }}" - AllowedRedirectURIs: - - "http://192.168.8.35:8500/ui/oidc/callback" - # --------------------------------------------------------- - ClaimMappings: preferred_username: "username" ListClaimMappings: From e719725447449560f627af276ab92a220a11cb2f Mon Sep 17 00:00:00 2001 From: AnithaAnnem Date: Thu, 30 Apr 2026 15:24:08 +0530 Subject: [PATCH 412/412] Update main.yml --- defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 8b8d820..a243fb2 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -38,8 +38,8 @@ consul_oidc_enabled: true consul_public_url: "https://opstree.dev" # Internal URL to bypass Cloudflare 522. Use 127.0.0.1 if Keycloak is on the same node. -keycloak_internal_url: "http://192.168.8.30:8080" -keycloak_url: "http://192.168.8.30:8080" +keycloak_internal_url: "https://keycloak.opstree.dev" +keycloak_url: "https://keycloak.opstree.dev" keycloak_realm: "master" consul_oidc_client_id: "consul"
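Review bot: With both `keycloak_internal_url` and `keycloak_url` now `https://keycloak.opstree.dev`, the `# Internal URL to bypass Cloudflare 522 ...` comment above them no longer describes the defaults, and `keycloak_url` still has to match the `iss` claim in Keycloak's tokens exactly (scheme, host, port and `/realms/<realm>`), which is Keycloak's frontend URL rather than whatever hostname Consul happens to reach it on. Replace the comment with the contract, e.g. `# keycloak_url must equal Keycloak's issuer (its frontend URL); keycloak_internal_url is the address Consul servers use for JWKS/discovery`. Moving the JWKS fetch to `https://` is the right direction; if keycloak.opstree.dev is signed by a private CA, also set `JWKSCACert` in the auth-method config. These remain site-specific values in role defaults rather than placeholders.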