From 7bff3d5c61fa213834aa6fe281722ae87c6f2db5 Mon Sep 17 00:00:00 2001
From: Brian Shumate
Date: Thu, 23 Mar 2017 14:20:35 -0400
Subject: [PATCH] TLS as separate tasks hard disable

---
 CHANGELOG.md | 7 +++++++
 defaults/main.yml | 4 ++--
 tasks/main.yml | 18 +++--------------
 tasks/tls.yml | 19 +++++++++++++++++++
 version.txt | 2 +-
 5 files changed, 32 insertions(+), 18 deletions(-)
 create mode 100644 tasks/tls.yml

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 9169788a..9642508c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -163,3 +163,10 @@
 - Remove duplicate cluster_address var
 - Update README / consistent variable style / more links to docs
+## v1.3.8
+
+- Move TLS bits to separate task
+- Short circuit TLS bits as bad thingsā„¢ were happening due to the empty
+ cert and key values during the Vault SSL Certificate and Key copy ops
+ (probably an Ansible bug, copying entire contents of files to vault etc dir)
+ No bueno
diff --git a/defaults/main.yml b/defaults/main.yml
index b5703d97..bfb323fe 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -30,9 +30,9 @@ vault_backend: vault_backend_consul.j2
 vault_cluster_disable: false
 vault_cluster_address: "{{ hostvars[inventory_hostname]['ansible_'+vault_iface]['ipv4']['address'] }}"
 vault_tls_disable: 1
-vault_tls_cert_file:
+vault_tls_cert_file: "../files/dummy.crt"
 vault_tls_cert_file_dest: "{{ vault_config_path }}/vault.crt" # /etc/pki/tls/certs/vault.crt
-vault_tls_key_file:
+vault_tls_key_file: "../files/dummy.key"
 vault_tls_key_file_dest: "{{ vault_config_path }}/vault.key" # "/etc/pki/tls/private/vault.key"
 vault_tls_min_version: tls12
 vault_tls_cipher_suites:
diff --git a/tasks/main.yml b/tasks/main.yml
index 7e3f8d1e..da2dfb88 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
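Review bot: The new defaults `vault_tls_cert_file: "../files/dummy.crt"` and `vault_tls_key_file: "../files/dummy.key"` mean that anyone who sets `vault_tls_disable` to 0 without overriding both variables gets Vault serving TLS with a placeholder key pair that ships with the role instead of a failure, and a private key committed to a repository is not a secret. Neither dummy file is part of this patch (the diffstat lists only tasks/tls.yml as created), so if they do not already exist in the role's `files/` directory the copy task will fail at runtime instead. Safer is to leave both values empty and have the TLS task list assert that they are non-empty before copying; at minimum the defaults deserve a comment such as `# Placeholder only: override both with real cert/key paths before setting vault_tls_disable: 0`. The copy module resolves a relative `src` against the role's `files/` directory, so `dummy.crt` would presumably be the conventional form if that is where the file lives.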
@@ -57,21 +57,9 @@
 - "{{ vault_log_path }}"
 - "{{ vault_run_path }}"
-- name: Vault SSL Certificate and Key
- copy:
- src: "{{ item.src }}"
- dest: "{{ item.dest }}"
- owner: "{{ vault_user }}"
- group: "{{ vault_group }}"
- mode: "{{ item.mode }}"
- with_items:
- - src: "{{ vault_tls_cert_file }}"
- dest: "{{ vault_tls_cert_file_dest }}"
- mode: 0644
- - src: "{{ vault_tls_key_file }}"
- dest: "{{ vault_tls_key_file_dest }}"
- mode: 0600
- when: vault_tls_cert_file is defined and vault_tls_key_file is defined
+- name: TLS configuration
+ include: ../tasks/tls.yml
+ when: vault_tls_disable == 0
 - name: Vault listener configuration
 template:
diff --git a/tasks/tls.yml b/tasks/tls.yml
new file mode 100644
index 00000000..cc4b59e5
--- /dev/null
+++ b/tasks/tls.yml
@@ -0,0 +1,19 @@
+---
+# File: tasks/tls.yml - TLS tasks for Vault
+
+- name: Vault SSL Certificate and Key
+ copy:
+ src: "{{ item.src }}"
+ dest: "{{ item.dest }}"
+ owner: "{{ vault_user }}"
+ group: "{{ vault_group }}"
+ mode: "{{ item.mode }}"
+ with_items:
+ - src: "{{ vault_tls_cert_file }}"
+ dest: "{{ vault_tls_cert_file_dest }}"
+ mode: 0644
+ - src: "{{ vault_tls_key_file }}"
+ dest: "{{ vault_tls_key_file_dest }}"
+ mode: 0600
+ # These checks fail even though there are no values for the vars
+ when: vault_tls_cert_file is defined and vault_tls_key_file is defined
diff --git a/version.txt b/version.txt
index f995ee2e..99473ff3 100644
--- a/version.txt
+++ b/version.txt
@@ -1 +1 @@
-v1.3.7
+v1.3.8
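Review bot: `when: vault_tls_disable == 0` is a strict comparison against the integer default, so a value supplied as a string (for example `-e vault_tls_disable=0`, since extra-vars arrive as strings) or as the boolean `false` does not match and the TLS tasks are skipped silently. `when: not (vault_tls_disable | bool)` treats 0/1, "0"/"1" and false/true consistently. Inside a role, `include: tls.yml` is resolved against the role's tasks directory, so the `../tasks/` prefix appears unnecessary; if it was added to work around a path problem, a comment saying so would help the next reader. The task list containing this hunk continues outside it.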
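Review bot: The guard `when: vault_tls_cert_file is defined and vault_tls_key_file is defined` still passes for empty or null values, which is the failure the changelog describes, and the comment above it (`# These checks fail even though there are no values for the vars`) records the confusion rather than resolving it: `is defined` tests existence, not content. A content check would be `when: vault_tls_cert_file | default('', true) | length > 0 and vault_tls_key_file | default('', true) | length > 0`, with the comment replaced by one stating that empty cert or key paths are rejected here rather than copied. Separately, `mode: 0644` and `mode: 0600` are unquoted YAML 1.1 octals that parse as the integers 420 and 384 before being passed through `"{{ item.mode }}"`; quoting them as `"0644"` and `"0600"` avoids relying on the type round-trip and is the form the Ansible documentation recommends. Because the private key is installed with `copy`, a run with `--diff` can print its contents; `no_log: true` on this task keeps the key out of play output.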