fix: Make Consul commands conditional on TLS configuration

Problem
-------
Consul operator commands in remove_node.yml were hardcoded to use HTTPS
and TLS certificates, causing failures when TLS is disabled on the cluster.

Error encountered:
  FAILED! => {"attempts": 3, "cmd": ["consul", "operator", "raft",
  "list-peers", "-http-addr=https://127.0.0.1:8500",
  "-ca-file=/etc/consul/tls/ca.crt"], "msg": "non-zero return code",
  "rc": 1, "stderr": "Error initializing client: Error loading CA File:
  open /etc/consul/tls/ca.crt: no such file or directory"}

Solution
--------
Made all Consul CLI commands conditionally use TLS based on the
consul_tls_enable variable:

- Added play-level variables to eliminate code duplication:
  * consul_http_addr: Conditionally uses https/http
  * consul_ca_flag: Conditionally includes -ca-file flag
  * consul_client_flags: Conditionally includes client cert/key flags

- Updated four Consul commands to use these variables:
  1. consul operator raft list-peers (pre-removal check)
  2. consul force-leave
  3. consul operator raft remove-peer
  4. consul operator raft list-peers (post-removal verification)

Implementation
--------------
Uses Jinja2 templating to check consul_tls_enable | default(false) | bool,
defaulting to false if undefined. This ensures backward compatibility and
allows the playbook to work with both TLS-enabled and TLS-disabled Consul
clusters.

Resolved with: Claude Sonnet 4.5 (Cascade IDE)

Author: tired-engineer

automation/playbooks/remove_node.yml

@@ -216,14 +216,20 @@
   gather_facts: true
   vars:
     target_node: "{{ node_to_remove | default('') }}"
+    consul_http_addr: "{% if consul_tls_enable | default(false) | bool %}https{% else %}http{% endif %}://127.0.0.1:8500"
+    consul_ca_flag: "{% if consul_tls_enable | default(false) | bool %}-ca-file=/etc/consul/tls/ca.crt{% endif %}"
+    consul_client_flags: >-
+      {% if consul_tls_enable | default(false) | bool %}
+      -client-cert=/etc/consul/tls/server.crt -client-key=/etc/consul/tls/server.key
+      {% endif %}
   tasks:
     - block:
         - name: Fetch consul cluster members before removal
           run_once: true # noqa run-once
           ansible.builtin.command: >-
-            consul operator raft list-peers \
-              -http-addr=https://127.0.0.1:8500 \
-              -ca-file=/etc/consul/tls/ca.crt
+            consul operator raft list-peers
+            -http-addr={{ consul_http_addr }}
+            {{ consul_ca_flag }}
           changed_when: false
           register: consul_members_list_before
           until: consul_members_list_before.rc == 0
@@ -250,10 +256,10 @@
         - name: Force-leave target node from consul cluster
           run_once: true # noqa run-once
           ansible.builtin.command: >-
-            consul force-leave \
-              -http-addr=https://127.0.0.1:8500 \
-              -ca-file=/etc/consul/tls/ca.crt \
-              {{ hostvars[target_node].ansible_hostname | default(target_node) }}
+            consul force-leave
+            -http-addr={{ consul_http_addr }}
+            {{ consul_ca_flag }}
+            {{ hostvars[target_node].ansible_hostname | default(target_node) }}
           when:
             - inventory_hostname != target_node
             - consul_members_list_before.stdout | default('') is search(hostvars[target_node].ansible_hostname | default(target_node))
@@ -278,11 +284,10 @@
         - name: Remove target node from the Raft configuration
           run_once: true # noqa run-once
           ansible.builtin.command: >-
-            consul operator raft remove-peer -id="{{ target_raft_id }}" \
-              -http-addr=https://127.0.0.1:8500 \
-              -ca-file=/etc/consul/tls/ca.crt \
-              -client-cert=/etc/consul/tls/server.crt \
-              -client-key=/etc/consul/tls/server.key
+            consul operator raft remove-peer -id="{{ target_raft_id }}"
+            -http-addr={{ consul_http_addr }}
+            {{ consul_ca_flag }}
+            {{ consul_client_flags }}
           register: raft_remove_result
           until: raft_remove_result.rc == 0
           retries: 3
@@ -313,9 +318,9 @@
         - name: Fetch consul cluster members after removal
           run_once: true # noqa run-once
           ansible.builtin.command: >-
-            consul operator raft list-peers \
-              -http-addr=https://127.0.0.1:8500 \
-              -ca-file=/etc/consul/tls/ca.crt
+            consul operator raft list-peers
+            -http-addr={{ consul_http_addr }}
+            {{ consul_ca_flag }}
           changed_when: false
           register: consul_members_list_after
           until: consul_members_list_after.rc == 0