TLS as separate tasks hard disable

ansible-community · Mar 23, 2017 · 7bff3d5 · 7bff3d5
1 parent 12811f1
commit 7bff3d5
Show file tree

Hide file tree

Showing 5 changed files with 32 additions and 18 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -163,3 +163,10 @@
 - Remove duplicate cluster_address var
 - Update README / consistent variable style / more links to docs
 
+## v1.3.8
+
+- Move TLS bits to separate task
+- Short circuit TLS bits as bad things™ were happening due to the empty
+  cert and key values during the Vault SSL Certificate and Key copy ops
+  (probably an Ansible bug, copying entire contents of files to vault etc dir)
+  No bueno
diff --git a/defaults/main.yml b/defaults/main.yml
@@ -30,9 +30,9 @@ vault_backend: vault_backend_consul.j2
 vault_cluster_disable: false
 vault_cluster_address: "{{ hostvars[inventory_hostname]['ansible_'+vault_iface]['ipv4']['address'] }}"
 vault_tls_disable: 1
-vault_tls_cert_file:
+vault_tls_cert_file: "../files/dummy.crt"
 vault_tls_cert_file_dest: "{{ vault_config_path }}/vault.crt" # /etc/pki/tls/certs/vault.crt
-vault_tls_key_file:
+vault_tls_key_file: "../files/dummy.key"
 vault_tls_key_file_dest: "{{ vault_config_path }}/vault.key" # "/etc/pki/tls/private/vault.key"
 vault_tls_min_version: tls12
 vault_tls_cipher_suites:

diff --git a/tasks/main.yml b/tasks/main.yml
@@ -57,21 +57,9 @@
     - "{{ vault_log_path }}"
     - "{{ vault_run_path }}"
 
-- name: Vault SSL Certificate and Key
-  copy:
-    src:    "{{ item.src }}"
-    dest:   "{{ item.dest }}"
-    owner:  "{{ vault_user }}"
-    group:  "{{ vault_group }}"
-    mode:   "{{ item.mode }}"
-  with_items:
-    - src:  "{{ vault_tls_cert_file }}"
-      dest: "{{ vault_tls_cert_file_dest }}"
-      mode: 0644
-    - src:  "{{ vault_tls_key_file }}"
-      dest: "{{ vault_tls_key_file_dest }}"
-      mode: 0600
-  when: vault_tls_cert_file is defined and vault_tls_key_file is defined
+- name: TLS configuration
+  include: ../tasks/tls.yml
+  when: vault_tls_disable == 0
 
 - name: Vault listener configuration
   template:

diff --git a/tasks/tls.yml b/tasks/tls.yml
@@ -0,0 +1,19 @@
+---
+# File: tasks/tls.yml - TLS tasks for Vault
+
+- name: Vault SSL Certificate and Key
+  copy:
+    src:    "{{ item.src }}"
+    dest:   "{{ item.dest }}"
+    owner:  "{{ vault_user }}"
+    group:  "{{ vault_group }}"
+    mode:   "{{ item.mode }}"
+  with_items:
+    - src:  "{{ vault_tls_cert_file }}"
+      dest: "{{ vault_tls_cert_file_dest }}"
+      mode: 0644
+    - src:  "{{ vault_tls_key_file }}"
+      dest: "{{ vault_tls_key_file_dest }}"
+      mode: 0600
+  # These checks fail even though there are no values for the vars
+  when: vault_tls_cert_file is defined and vault_tls_key_file is defined
diff --git a/version.txt b/version.txt
@@ -1 +1 @@
-v1.3.7
+v1.3.8