Generates certificate authority and certificates needed for Consul TLS

githubixx/ansible-role-consul-ca


ansible-role-consul-ca

This role is used in Kubernetes the Not So Hard Way With Ansible - Ingress with Traefik. It creates a CA (certificate authority) for Consul certificates and the certificates needed to secure communication between the Consul daemons and the Traefik proxy used in the blog post mentioned above. This role is meant to be used for exactly this purpose, but it should be usable for other use cases too, as it has no dependencies besides the CFSSL PKI toolkit binaries being installed (also see my Ansible role for this purpose: https://github.com/githubixx/ansible-role-cfssl).

Versions

I tag every release and try to stay with semantic versioning. If you want to use the role I recommend checking out the latest tag. The master branch is basically development while the tags mark stable releases. But in general I try to keep master in good shape too. A tag 1.0.0+1.0.0 means this is release 1.0.0 of this role and it's meant to be used with Consul version 1.0.0 (but may work with other versions too). If the role itself changes, X.Y.Z before the + will increase. If the Consul version changes, X.Y.Z after the + will increase. This allows tagging bugfixes and new major versions of the role while it's still developed for a specific Consul release.

Changelog

see CHANGELOG.md

Requirements

This role needs the CFSSL PKI toolkit binaries installed. You can use ansible-role-cfssl to install CFSSL locally on your machine. If you want to store the generated certificates and CA locally or on a network share, specify the role variables below (e.g. in group_vars/all.yml).

Role Variables

This role has quite a few variables, but most of them are just the information needed for the certificates.

# Where to store the CA and certificate files
consul_ca_conf_directory: "{{ '~/consul/ssl' | expanduser }}"
consul_ca_certificate_owner: "root"
consul_ca_certificate_group: "root"

consul_ca_conf_directory tells Ansible where to store the CA and certificate files. To enable Ansible to read the files in later runs, specify a user and group in consul_ca_certificate_owner / consul_ca_certificate_group that have permission to read them (in most cases this will be the user you use on your workstation).

# Expiry for Consul root certificate
ca_consul_expiry: "87600h"

ca_consul_expiry sets the expiry of the Consul root CA certificate.

# Certificate authority for Consul certificates
ca_consul_csr_cn: "Consul"
ca_consul_csr_key_algo: "rsa"
ca_consul_csr_key_size: "2048"
ca_consul_csr_names_c: "DE"
ca_consul_csr_names_l: "The_Internet"
ca_consul_csr_names_o: "Consul"
ca_consul_csr_names_ou: "BY"
ca_consul_csr_names_st: "Bayern"

These variables are used to create the CSR (certificate signing request) of the CA (certificate authority) which we use to sign certificates for Consul.

# CSR parameter for Consul certificate
consul_csr_cn: "server.dc1.consul"
consul_csr_key_algo: "rsa"
consul_csr_key_size: "2048"
consul_csr_names_c: "DE"
consul_csr_names_l: "The_Internet"
consul_csr_names_o: "Consul"
consul_csr_names_ou: "BY"
consul_csr_names_st: "Bayern"

These variables are used to create the CSR (certificate signing request) for the certificate that secures the Consul communication. One note about consul_csr_cn: Consul wants the servers' certificates to have server.<data_center>.consul as the common name (CN) value (also see Consul: Adding TLS to Consul using Self Signed Certificates). Consul's config.json has a datacenter parameter, which is often dc1 by default. E.g. if you have "datacenter": "par1" in Consul's configuration, the first value in consul_csr_cn should be server.par1.consul. You can specify additional common names afterwards, separated by commas. Even wildcards are possible, e.g. consul_csr_cn: "server.dc1.consul,*.example.com", but the first value should still be as mentioned.
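As an added example (not code from this role or the blog post), the following Python shows what the CA and certificate variables above turn into on the CFSSL side: it builds the two CSR documents CFSSL expects and checks the consul_csr_cn rule against the datacenter in Consul's config.json. It assumes that the role hands the first comma-separated consul_csr_cn value to CFSSL as CN and the remaining values as SAN hosts, that ca_consul_expiry maps to CFSSL's ca.expiry field for -initca, and it uses file names (ca-csr.json, consul-csr.json) of its own. The cfssl/cfssljson command lines it returns are the standard CFSSL invocations, not the role's tasks.

```python
import json
import os
import tempfile

# Constructed sample input: the role defaults from the README, with a
# multi-value consul_csr_cn to exercise the comma-separated form.
ROLE_VARS = {
    "ca_consul_expiry": "87600h",
    "ca_consul_csr_cn": "Consul",
    "ca_consul_csr_key_algo": "rsa",
    "ca_consul_csr_key_size": "2048",
    "ca_consul_csr_names_c": "DE",
    "ca_consul_csr_names_l": "The_Internet",
    "ca_consul_csr_names_o": "Consul",
    "ca_consul_csr_names_ou": "BY",
    "ca_consul_csr_names_st": "Bayern",
    "consul_csr_cn": "server.dc1.consul,*.example.com",
    "consul_csr_key_algo": "rsa",
    "consul_csr_key_size": "2048",
    "consul_csr_names_c": "DE",
    "consul_csr_names_l": "The_Internet",
    "consul_csr_names_o": "Consul",
    "consul_csr_names_ou": "BY",
    "consul_csr_names_st": "Bayern",
}


def _names(v, prefix):
    """Map the *_names_* variables onto CFSSL's 'names' subject entry."""
    return [{
        "C": v[f"{prefix}_names_c"],
        "L": v[f"{prefix}_names_l"],
        "O": v[f"{prefix}_names_o"],
        "OU": v[f"{prefix}_names_ou"],
        "ST": v[f"{prefix}_names_st"],
    }]


def ca_csr(v):
    """CSR document for `cfssl gencert -initca`. Placing ca_consul_expiry in
    'ca.expiry' is an assumption about how the role feeds CFSSL."""
    return {
        "CN": v["ca_consul_csr_cn"],
        "key": {"algo": v["ca_consul_csr_key_algo"],
                "size": int(v["ca_consul_csr_key_size"])},
        "names": _names(v, "ca_consul_csr"),
        "ca": {"expiry": v["ca_consul_expiry"]},
    }


def split_cn(consul_csr_cn):
    """Split the comma-separated consul_csr_cn value, dropping blanks."""
    return [s.strip() for s in consul_csr_cn.split(",") if s.strip()]


def consul_csr(v):
    """CSR document for the Consul/Traefik certificate. Assumption: the first
    value becomes the CN and every value is also listed as a SAN host."""
    cns = split_cn(v["consul_csr_cn"])
    return {
        "CN": cns[0],
        "hosts": cns,
        "key": {"algo": v["consul_csr_key_algo"],
                "size": int(v["consul_csr_key_size"])},
        "names": _names(v, "consul_csr"),
    }


def datacenter_from_config(config_json_text):
    """Read 'datacenter' from Consul's config.json (Consul's default is dc1)."""
    return json.loads(config_json_text).get("datacenter", "dc1")


def consul_cn_ok(consul_csr_cn, datacenter):
    """The README's rule: the first consul_csr_cn value must be
    server.<datacenter>.consul for the datacenter Consul is configured with."""
    cns = split_cn(consul_csr_cn)
    return bool(cns) and cns[0] == f"server.{datacenter}.consul"


def write_csr_files(v, out_dir):
    """Write the two CSR JSON files (file names are this example's own) and
    return the standard cfssl/cfssljson commands that would consume them.
    Without -config/-profile the second command uses CFSSL's default signing
    profile for the leaf certificate's expiry."""
    paths = {}
    for name, doc in (("ca-csr.json", ca_csr(v)), ("consul-csr.json", consul_csr(v))):
        path = os.path.join(out_dir, name)
        with open(path, "w") as fh:
            json.dump(doc, fh, indent=2)
        paths[name] = path
    return [
        f"cfssl gencert -initca {paths['ca-csr.json']} | cfssljson -bare {out_dir}/ca",
        f"cfssl gencert -ca={out_dir}/ca.pem -ca-key={out_dir}/ca-key.pem "
        f"{paths['consul-csr.json']} | cfssljson -bare {out_dir}/consul",
    ]


if __name__ == "__main__":
    dc = datacenter_from_config('{"datacenter": "dc1"}')  # constructed config.json
    print("consul_csr_cn matches datacenter:", consul_cn_ok(ROLE_VARS["consul_csr_cn"], dc))
    with tempfile.TemporaryDirectory() as d:
        for cmd in write_csr_files(ROLE_VARS, d):
            print(cmd)
```

Run it and compare the printed CSR files with what the role writes into consul_ca_conf_directory; if your Consul config uses a different datacenter, consul_cn_ok is the check that catches a mismatched first CN before Consul rejects the certificate.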

Example Playbook

- hosts: consul_instances

  roles:
    - githubixx.consul-ca

License

GNU GENERAL PUBLIC LICENSE Version 3

Author Information

http://www.tauceti.blog
