@tired-engineer
Contributor

@tired-engineer tired-engineer commented Nov 14, 2025

Fixes #1344

Problem

Consul operator commands in remove_node.yml were hardcoded to use HTTPS and TLS certificates, causing failures when TLS is disabled on the cluster.

Error encountered:
FAILED! => {"attempts": 3, "cmd": ["consul", "operator", "raft",
"list-peers", "-http-addr=https://127.0.0.1:8500",
"-ca-file=/etc/consul/tls/ca.crt"], "msg": "non-zero return code",
"rc": 1, "stderr": "Error initializing client: Error loading CA File:
open /etc/consul/tls/ca.crt: no such file or directory"}

Solution

Made all Consul CLI commands conditionally use TLS based on the consul_tls_enable variable:

  • Added play-level variables to eliminate code duplication:

    • consul_http_addr: Conditionally uses https/http
    • consul_ca_flag: Conditionally includes -ca-file flag
    • consul_client_flags: Conditionally includes client cert/key flags
  • Updated four Consul commands to use these variables:

    1. consul operator raft list-peers (pre-removal check)
    2. consul force-leave
    3. consul operator raft remove-peer
    4. consul operator raft list-peers (post-removal verification)

Implementation

Uses Jinja2 templating to check consul_tls_enable | default(false) | bool, defaulting to false if undefined. This ensures backward compatibility and allows the playbook to work with both TLS-enabled and TLS-disabled Consul clusters.

Resolved with: Claude Sonnet 4.5 (Cascade IDE)

@vitabaks
Owner

Ok. Thanks for the contribution!

@vitabaks vitabaks requested a review from Copilot November 14, 2025 15:09
Copilot finished reviewing on behalf of vitabaks November 14, 2025 15:11
Copilot AI left a comment

Pull Request Overview

This PR fixes Consul operator commands in the remove_node.yml playbook to work correctly when TLS is disabled. Previously, commands were hardcoded to use HTTPS and TLS certificates, causing failures when consul_tls_enable was false.

  • Introduced play-level variables (consul_http_addr, consul_ca_flag, consul_client_flags) to conditionally include TLS-related flags based on consul_tls_enable
  • Updated four Consul CLI commands to use these conditional variables instead of hardcoded TLS parameters
  • Added proper defaults to ensure backward compatibility (defaults to false if undefined)

Updated the default value for consul_tls_enable from false to true in remove_node.yml.
@vitabaks vitabaks merged commit 403597e into vitabaks:master Nov 14, 2025
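
The conditional-flag pattern described in this pull request, sketched as an added example (this is not the project's remove_node.yml). The inventory group, the `consul_use_tls` and `consul_tls_dir` helpers, and the client cert/key file names are assumptions or placeholders; the address and CA path come from the error output above, and the `default(true)` follows the later commit noted in this thread, so an undefined `consul_tls_enable` keeps TLS on.

```yaml
# Added example: hypothetical play, not the project's own playbook.
- name: Run a Consul operator command with TLS flags derived from consul_tls_enable
  hosts: consul_instances            # assumed inventory group name
  gather_facts: false
  vars:
    # Fail closed: plaintext is used only when consul_tls_enable is set to false explicitly.
    consul_use_tls: "{{ consul_tls_enable | default(true) | bool }}"   # hypothetical helper
    consul_tls_dir: /etc/consul/tls                                     # directory seen in the error output
    consul_http_addr: "{{ 'https' if consul_use_tls | bool else 'http' }}://127.0.0.1:8500"
    consul_ca_flag: "{{ '-ca-file=' ~ consul_tls_dir ~ '/ca.crt' if consul_use_tls | bool else '' }}"
    # <client-cert> and <client-key> are placeholders for the real file names.
    consul_client_flags: >-
      {{ '-client-cert=' ~ consul_tls_dir ~ '/<client-cert> -client-key=' ~ consul_tls_dir ~ '/<client-key>'
         if consul_use_tls | bool else '' }}
  tasks:
    - name: Check that the CA file exists when TLS is expected
      ansible.builtin.stat:
        path: "{{ consul_tls_dir }}/ca.crt"
      register: consul_ca_stat
      when: consul_use_tls | bool

    - name: Stop with a clear message instead of a failed CLI call
      ansible.builtin.assert:
        that:
          - consul_ca_stat.stat.exists
        fail_msg: "TLS is enabled but the CA file is missing. Set consul_tls_enable=false only if the cluster really runs without TLS."
      when: consul_use_tls | bool

    - name: List Raft peers (read-only)
      # String form on purpose: empty flag variables disappear when the command
      # line is split, whereas an argv list would pass them as empty arguments.
      ansible.builtin.command:
        cmd: >-
          consul operator raft list-peers
          -http-addr={{ consul_http_addr }}
          {{ consul_ca_flag }}
          {{ consul_client_flags }}
      register: consul_peers
      changed_when: false
```

Running it with `-e consul_tls_enable=false` produces the plain `http://127.0.0.1:8500` call with no certificate flags; omitting the variable keeps the HTTPS form.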

Successfully merging this pull request may close these issues.

[Bug] Hardcoded Consul TLS configuration does not allow to remove node
