consul_kv: add ca_path option for custom CA certificate (#11817)

* consul_kv: add ca_path option for custom CA certificate

Adds ca_path parameter to both the consul_kv module and consul_kv lookup
plugin, allowing users to specify a CA bundle for HTTPS connections instead
of being limited to toggling certificate validation on/off.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* consul_kv: add changelog fragment for PR #11817

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* consul_kv: address review comments from felixfontein

- Fix verify logic: ca_path is ignored when validate_certs=false
- Improve validate_certs description to nudge users toward ca_path

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Alexei Znamensky
2026-04-17 18:40:59 +12:00
committed by GitHub
parent ef656cb9b6
commit 175808d997
3 changed files with 31 additions and 4 deletions


@@ -0,0 +1,3 @@
minor_changes:
- consul_kv - add ``ca_path`` option to specify a CA bundle for HTTPS connections (https://github.com/ansible-collections/community.general/pull/11817).
- consul_kv lookup plugin - add ``ca_path`` option to specify a CA bundle for HTTPS connections (https://github.com/ansible-collections/community.general/issues/2876, https://github.com/ansible-collections/community.general/pull/11817).


@@ -57,13 +57,24 @@ options:
- If you use E(ANSIBLE_CONSUL_URL) this value is used from there.
validate_certs:
default: true
description: Whether to verify the TLS connection or not.
description:
- Whether to verify the TLS connection or not.
- Instead of setting this to V(false), please consider using O(ca_path) instead.
type: bool
env:
- name: ANSIBLE_CONSUL_VALIDATE_CERTS
ini:
- section: lookup_consul
key: validate_certs
ca_path:
description: The CA bundle to use for HTTPS connections.
type: str
version_added: "12.6.0"
env:
- name: ANSIBLE_CONSUL_CA_PATH
ini:
- section: lookup_consul
key: ca_path
client_cert:
description: The client cert to verify the TLS connection.
type: str
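Review bot: the new `ca_path` entry (`description: The CA bundle to use for HTTPS connections.`) does not tell the user that the bundle is only applied when O(validate_certs) is V(true); the commit message says the option is ignored when validation is off, and the docs should say so too, e.g. a second bullet `- Ignored when O(validate_certs) is V(false).`. Consider also `type: path` instead of `type: str` so that `~` and environment variables in the bundle path are expanded by Ansible before the value reaches the HTTP client.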
@@ -146,13 +157,16 @@ class LookupModule(LookupBase):
port = u.port
validate_certs = self.get_option("validate_certs")
ca_path = self.get_option("ca_path")
client_cert = self.get_option("client_cert")
verify = (ca_path or validate_certs) if validate_certs else False
values = []
try:
for term in terms:
params = self.parse_params(term)
consul_api = consul.Consul(host=host, port=port, scheme=scheme, verify=validate_certs, cert=client_cert)
consul_api = consul.Consul(host=host, port=port, scheme=scheme, verify=verify, cert=client_cert)
results = consul_api.kv.get(
params["key"],
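Review bot: `verify = (ca_path or validate_certs) if validate_certs else False` is correct but harder to read than it needs to be: in the true branch `validate_certs` is always `True`, so `verify = (ca_path or True) if validate_certs else False` (or a plain `if`/`else`) expresses the same three outcomes (bundle path, `True`, `False`) more directly. Two further points: when a user sets both `ca_path` and `validate_certs=false` the bundle is silently dropped, and a warning through the lookup's display object would make that visible; and a non-existent `ca_path` is not checked here, so the failure surfaces later from the HTTP library with a generic certificate-bundle error rather than a message naming the option. An explicit `os.path.isfile(ca_path)` check raising `AnsibleError` before `consul.Consul(...)` is constructed would give a clearer failure.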


@@ -94,9 +94,15 @@ options:
default: http
validate_certs:
description:
- Whether to verify the tls certificate of the Consul agent.
- Whether to verify the TLS certificate of the Consul agent.
- Instead of setting this to V(false), please consider using O(ca_path) instead.
type: bool
default: true
ca_path:
description:
- The CA bundle to use for HTTPS connections.
type: str
version_added: "12.6.0"
datacenter:
description:
- The name of the datacenter to query. If unspecified, the query defaults to the datacenter of the Consul agent on O(host).
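Review bot: the module's `ca_path` description has the same gap as the lookup plugin's: it should state that the option has no effect when O(validate_certs) is V(false), which is the behaviour the "Fix verify logic" commit introduces. The docs also use `type: str` here; if the argument spec is changed to `type="path"` so that `~` is expanded, this line must be updated to match.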
@@ -263,11 +269,14 @@ def remove_value(module):
def get_consul_api(module):
ca_path = module.params.get("ca_path")
validate_certs = module.params.get("validate_certs")
verify = (ca_path or validate_certs) if validate_certs else False
return consul.Consul(
host=module.params.get("host"),
port=module.params.get("port"),
scheme=module.params.get("scheme"),
verify=module.params.get("validate_certs"),
verify=verify,
token=module.params.get("token"),
dc=module.params.get("datacenter"),
)
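Review bot: `get_consul_api` silently ignores `ca_path` when `validate_certs` is false (`verify = (ca_path or validate_certs) if validate_certs else False` evaluates to `False` regardless of the bundle). Since `module` is in scope, a `module.warn("ca_path is ignored because validate_certs is false")` in that case would tell the user their bundle is not being used. The expression itself could be written as `(ca_path or True) if validate_certs else False`, because `validate_certs` is always truthy in the first branch.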
@@ -291,6 +300,7 @@ def main():
host=dict(type="str", default="localhost"),
scheme=dict(type="str", default="http"),
validate_certs=dict(type="bool", default=True),
ca_path=dict(type="str"),
port=dict(type="int", default=8500),
recurse=dict(type="bool"),
retrieve=dict(type="bool", default=True),
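Review bot: `ca_path=dict(type="str")` should probably be `type="path"`, which makes Ansible expand `~` and environment variables in the value before it is handed to the HTTP client; the `type: str` in the module's options documentation would then need to change as well so the docs and argument spec stay consistent.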