consul_kv: add ca_path option for custom CA certificate (#11817)

* consul_kv: add ca_path option for custom CA certificate Adds ca_path parameter to both the consul_kv module and consul_kv lookup plugin, allowing users to specify a CA bundle for HTTPS connections instead of being limited to toggling certificate validation on/off. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * consul_kv: add changelog fragment for PR #11817 Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * consul_kv: address review comments from felixfontein - Fix verify logic: ca_path is ignored when validate_certs=false - Improve validate_certs description to nudge users toward ca_path Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-21 11:19:00 +00:00 · 2026-04-17 18:40:59 +12:00 · 2026-04-17 18:40:59 +12:00 · 175808d997
commit 175808d997
parent ef656cb9b6
3 changed files with 31 additions and 4 deletions
--- a/plugins/modules/consul_kv.py
+++ b/plugins/modules/consul_kv.py
@ -94,9 +94,15 @@ options:
    default: http
  validate_certs:
    description:
-      - Whether to verify the tls certificate of the Consul agent.
+      - Whether to verify the TLS certificate of the Consul agent.
+      - Instead of setting this to V(false), please consider using O(ca_path) instead.
    type: bool
    default: true
+  ca_path:
+    description:
+      - The CA bundle to use for HTTPS connections.
+    type: str
+    version_added: "12.6.0"
  datacenter:
    description:
      - The name of the datacenter to query. If unspecified, the query defaults to the datacenter of the Consul agent on O(host).
@ -263,11 +269,14 @@ def remove_value(module):


 def get_consul_api(module):
+    ca_path = module.params.get("ca_path")
+    validate_certs = module.params.get("validate_certs")
+    verify = (ca_path or validate_certs) if validate_certs else False
    return consul.Consul(
        host=module.params.get("host"),
        port=module.params.get("port"),
        scheme=module.params.get("scheme"),
-        verify=module.params.get("validate_certs"),
+        verify=verify,
        token=module.params.get("token"),
        dc=module.params.get("datacenter"),
    )
@ -291,6 +300,7 @@ def main():
            host=dict(type="str", default="localhost"),
            scheme=dict(type="str", default="http"),
            validate_certs=dict(type="bool", default=True),
+            ca_path=dict(type="str"),
            port=dict(type="int", default=8500),
            recurse=dict(type="bool"),
            retrieve=dict(type="bool", default=True),