Tested on: Debian 11
This role sets up a Consul cluster.
This role assumes that TLS certificates will be provisioned at:

- `/etc/consul.d/server.key`
- `/etc/consul.d/server.pem`
- `/etc/consul.d/ca.pem`

Warning: This role requires manual bootstrap for ACLs, see below

| Var | Default value | Description |
|---|---|---|
| consul_nodes_group | undefined | Name of the ansible group all consul nodes are in |
| consul_gossip_key | undefined | Key used for gossip encryption (generate using `consul keygen`) |
| consul_dc_name | default | Name of the DC |
| consul_servers | [] | List of consul servers in this DC (IPs) |
| consul_raft_multiplier | 5 | Raft timing multiplier |
| consul_default_token_action | allow | Whether to allow or deny requests by default |
| consul_bind_addr | 0.0.0.0 | Address to bind to for client connections |
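
The TLS paths and variables above can be checked before the role runs. The following tasks are an added example, not part of the role itself: the paths and variable names come from this README, while the task layout (for instance as `pre_tasks` in the play that applies the role) is an assumption.

```yaml
# Added example: pre-flight checks to run before the role is applied.
# Paths and variable names are from this README; everything else is illustrative.
- name: Stat the TLS material the role expects
  ansible.builtin.stat:
    path: "{{ item }}"
  loop:
    - /etc/consul.d/server.key
    - /etc/consul.d/server.pem
    - /etc/consul.d/ca.pem
  register: consul_tls_files

- name: Fail early if any TLS file is missing
  ansible.builtin.assert:
    that:
      - item.stat.exists
    fail_msg: "{{ item.item }} is missing; provision TLS certificates first"
    quiet: true
  loop: "{{ consul_tls_files.results }}"
  loop_control:
    label: "{{ item.item }}"

- name: Private key must not be world-readable
  ansible.builtin.assert:
    that:
      # results[0] is server.key, the first item in the loop above
      - not consul_tls_files.results[0].stat.roth
    fail_msg: "/etc/consul.d/server.key is readable by other users"

- name: Validate the role variables that have no usable default
  ansible.builtin.assert:
    that:
      - consul_nodes_group is defined
      - consul_gossip_key is defined
      - consul_gossip_key | length > 0
      # the README documents only these two values; 'allow' is the default
      - consul_default_token_action | default('allow') in ['allow', 'deny']
    fail_msg: "Set consul_nodes_group and consul_gossip_key, and use allow or deny for consul_default_token_action"
```
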
Unfortunately, at this point in time, ACL bootstrapping has to be done manually:

- Start by rolling out with `consul_default_token_action` set to `allow`
- Pick one node to start the bootstrap procedure on and SSH in:
  - go to `/etc/consul.d/acl`. A README has been generated by the role
  - Follow the instructions - they have been generated specifically for your environment
- After you finish those steps, set `consul_default_token_action` to `deny`