feat: add global variables for nomad deployment

2024-05-16 17:29:41 +02:00 · 2024-05-16 17:29:41 +02:00 · 08909ceed0
commit 08909ceed0
parent cdeee7436c
12 changed files with 121 additions and 35 deletions
--- a/.gitmodules
+++ b/.gitmodules
@ -1,6 +0,0 @@
-[submodule "roles/hashicorp_consul"]
-	path = roles/hashicorp_consul
-	url = https://github.com/ednz-cloud/hashicorp_consul
-[submodule "roles/hashicorp_vault"]
-	path = roles/hashicorp_vault
-	url = https://github.com/ednz-cloud/hashicorp_vault
--- a/playbooks/deploy.yml
+++ b/playbooks/deploy.yml
@ -23,7 +23,7 @@

    - name: "Deploy Consul Agents"
      ansible.builtin.include_role:
-        name: ednz_cloud.hashistack.hashicorp_consul
+        name: ednz_cloud.hashicorp_consul
      when:
        - enable_consul | bool
        - "'consul_agents' in group_names"
--- a/playbooks/generate_credentials.yml
+++ b/playbooks/generate_credentials.yml
@ -8,25 +8,33 @@
  tasks:
    - name: "Generate consul credentials"
      block:
+        - name: "Generate consul gossip encryption key"
+          ansible.builtin.set_fact:
+            _consul_gossip_encryption_key: "{{ lookup('ansible.builtin.password', '/dev/null', chars=['ascii_letters','digits']) | b64encode }}"
+
        - name: "Generate consul root credentials"
          ansible.builtin.set_fact:
-            _consul_root_token: "{{ lookup('password', '/dev/null chars=ascii_letters,digits') | to_uuid }}"
+            _consul_root_token: "{{ lookup('ansible.builtin.password', '/dev/null', chars=['ascii_letters','digits']) | to_uuid }}"

        - name: "Generate consul agents credentials"
          ansible.builtin.set_fact:
-            _cosul_agents_accessor: "{{ lookup('password', '/dev/null chars=ascii_letters,digits') | to_uuid }}"
-            _consul_agents_token: "{{ lookup('password', '/dev/null chars=ascii_letters,digits') | to_uuid }}"
+            _cosul_agents_accessor: "{{ lookup('ansible.builtin.password', '/dev/null', chars=['ascii_letters','digits']) | to_uuid }}"
+            _consul_agents_token: "{{ lookup('ansible.builtin.password', '/dev/null', chars=['ascii_letters','digits']) | to_uuid }}"

        - name: "Generate consul vault credentials"
          ansible.builtin.set_fact:
-            _cosul_vault_accessor: "{{ lookup('password', '/dev/null chars=ascii_letters,digits') | to_uuid }}"
-            _consul_vault_token: "{{ lookup('password', '/dev/null chars=ascii_letters,digits') | to_uuid }}"
+            _cosul_vault_accessor: "{{ lookup('ansible.builtin.password', '/dev/null', chars=['ascii_letters','digits']) | to_uuid }}"
+            _consul_vault_token: "{{ lookup('ansible.builtin.password', '/dev/null', chars=['ascii_letters','digits']) | to_uuid }}"

    - name: "Generate nomad credentials"
      block:
+        - name: "Generate nomad gossip encryption key"
+          ansible.builtin.set_fact:
+            _nomad_gossip_encryption_key: "{{ lookup('ansible.builtin.password', '/dev/null', chars=['ascii_letters','digits']) | b64encode }}"
+
        - name: "Generate nomad root credentials"
          ansible.builtin.set_fact:
-            _nomad_root_token: "{{ lookup('password', '/dev/null chars=ascii_letters,digits') | to_uuid }}"
+            _nomad_root_token: "{{ lookup('ansible.builtin.password', '/dev/null', chars=['ascii_letters','digits']) | to_uuid }}"

    - name: "Write credentials file"
      ansible.builtin.template:
--- a/playbooks/group_vars/all/consul.yml
+++ b/playbooks/group_vars/all/consul.yml
@ -88,7 +88,7 @@ hashi_consul_configuration:
  datacenter: "{{ consul_datacenter }}"
  primary_datacenter: "{{ consul_primary_datacenter }}"
  data_dir: "{{ hashi_consul_data_dir }}"
-  encrypt: "{{ consul_gossip_encryption_key }}"
+  encrypt: "{{ _credentials.consul.gossip_encryption_key }}"
  server: "{{ 'consul_servers' in group_names }}"
  retry_join: "{{
    groups['consul_servers'] |
--- a/playbooks/group_vars/all/globals.yml
+++ b/playbooks/group_vars/all/globals.yml
@ -46,7 +46,6 @@ consul_primary_datacenter: dc1
 consul_leave_on_terminate: true
 consul_rejoin_after_leave: true
 consul_enable_script_checks: true
-consul_gossip_encryption_key: "{{ 'mysupersecretgossipencryptionkey'|b64encode }}"

 ################################
 # consul address configuration #
--- a/playbooks/group_vars/all/nomad.yml
+++ b/playbooks/group_vars/all/nomad.yml
@ -1,18 +1,86 @@
+---
 #####################################################
 #                                                   #
-#                Nomad Configuration                #
+#                Non-Editable                       #
 #                                                   #
 #####################################################

-hashi_nomad_cni_plugins_install: true
-hashi_nomad_start_service: true
-hashi_nomad_cni_plugins_version: latest
-hashi_nomad_cni_plugins_install_path: /opt/cni/bin
-hashi_nomad_version: latest
-hashi_nomad_deploy_method: host # deployment method, either host or docker
-hashi_nomad_env_variables: {}
-hashi_nomad_data_dir: /opt/nomad
-hashi_nomad_extra_files: false
-hashi_nomad_extra_files_src: /tmp/extra_files
-hashi_nomad_extra_files_dst: /etc/nomad.d/extra_files
-hashi_nomad_configuration: {}
+nomad_datacenter: dc1
+
+###########################
+# nomad ACL configuration #
+###########################
+
+nomad_acl_configuration:
+  enabled: true
+  token_ttl: 30s
+  policy_ttl: 60s
+  role_ttl: 60s
+
+#################################
+# nomad autopilot configuration #
+#################################
+
+nomad_autopilot_configuration: {}
+
+############################
+# nomad consul integration #
+############################
+
+nomad_enable_consul_integration: "{{ enable_consul | bool }}"
+nomad_consul_integration_configuration: {}
+
+############################
+# nomad vault integration #
+############################
+
+nomad_enable_vault_integration: false
+nomad_vault_integration_configuration: {}
+
+#############################
+# nomad leave configuration #
+#############################
+
+# node will leave the cluster if the process is stopped
+# and if it is only a client
+nomad_leave_on_interrupt: "{{ (('nomad_clients' in group_names) and (not 'nomad_servers' in group_names)) | bool }}"
+nomad_leave_on_terminate: "{{ (('nomad_clients' in group_names) and (not 'nomad_servers' in group_names)) | bool }}"
+
+##############################
+# nomad server configuration #
+##############################
+
+nomad_server_configuration:
+  enabled: "{{ 'nomad_servers' in group_names }}"
+  data_dir: "{{ hashicorp_nomad_data_dir }}/server"
+  encrypt: "{{ _credentials.nomad.gossip_encryption_key }}"
+
+##############################
+# nomad client configuration #
+##############################
+
+nomad_client_configuration:
+  enabled: "{{ 'nomad_clients' in group_names | bool }}"
+  state_dir: "{{ hashicorp_nomad_data_dir }}/client"
+
+hashicorp_nomad_cni_plugins_install: true
+hashicorp_nomad_start_service: true
+hashicorp_nomad_cni_plugins_version: latest
+hashicorp_nomad_cni_plugins_install_path: /opt/cni/bin
+hashicorp_nomad_version: latest
+hashicorp_nomad_deploy_method: host # deployment method, either host or docker
+hashicorp_nomad_env_variables: {}
+hashicorp_nomad_config_dir: "/etc/nomad.d"
+hashicorp_nomad_data_dir: /opt/nomad
+hashicorp_nomad_extra_files: false
+hashicorp_nomad_extra_files_src: /tmp/extra_files
+hashicorp_nomad_extra_files_dst: /etc/nomad.d/extra_files
+hashicorp_nomad_configuration:
+  datacenter: "{{ nomad_datacenter }}"
+  bind_addr: "0.0.0.0"
+  data_dir: "{{ hashicorp_nomad_data_dir }}"
+  leave_on_interrupt: "{{ (('nomad_clients' in group_names) and (not 'nomad_servers' in group_names)) | bool }}"
+  leave_on_terminate: "{{ (('nomad_clients' in group_names) and (not 'nomad_servers' in group_names)) | bool }}"
+  acl: "{{ nomad_acl_configuration }}"
+  server: "{{ nomad_server_configuration }}"
+  client: "{{ nomad_client_configuration }}"
--- a/playbooks/tasks/consul/consul_deploy.yml
+++ b/playbooks/tasks/consul/consul_deploy.yml
@ -1,9 +1,9 @@
 ---
 - name: "Consul"
  block:
-    - name: "Include ednz_cloud.hashistack.hashicorp_consul"
+    - name: "Include ednz_cloud.hashicorp_consul"
      ansible.builtin.include_role:
-        name: ednz_cloud.hashistack.hashicorp_consul
+        name: ednz_cloud.hashicorp_consul

    - name: "Wait for consul cluster to initialize" # noqa: run-once[task]
      ansible.builtin.uri:
--- a/playbooks/tasks/vault/vault_deploy.yml
+++ b/playbooks/tasks/vault/vault_deploy.yml
@ -38,9 +38,9 @@
            state: present
          when: _consul_vault_policy.changed

-    - name: "Include ednz_cloud.hashistack.hashicorp_consul"
+    - name: "Include ednz_cloud.hashicorp_consul"
      ansible.builtin.include_role:
-        name: ednz_cloud.hashistack.hashicorp_vault
+        name: ednz_cloud.hashicorp_vault

    - name: "Initialize vault cluster" # noqa: run-once[task]
      ednz_cloud.hashistack.vault_init:
--- a/playbooks/templates/credentials.yml.j2
+++ b/playbooks/templates/credentials.yml.j2
@ -1,5 +1,6 @@
 ---
 consul:
+  gossip_encryption_key: "{{ _consul_gossip_encryption_key }}"
  root_token:
    secret_id: "{{ _consul_root_token }}"
  tokens:
@ -10,4 +11,6 @@ consul:
      accessor_id: "{{ _consul_vault_accessor }}"
      secret_id: "{{ _consul_vault_token }}"
 nomad:
-  root_token: "{{ _nomad_root_token }}"
+  gossip_encryption_key: "{{ _nomad_gossip_encryption_key }}"
+  root_token:
+    secret_id: "{{ _nomad_root_token }}"
--- a/roles/hashicorp_consul
+++ b/roles/hashicorp_consul
@ -1 +0,0 @@
-Subproject commit 56696c3552308225d4e5b91efc8e4bf75d31d2f3
--- a/roles/hashicorp_vault
+++ b/roles/hashicorp_vault
@ -1 +0,0 @@
-Subproject commit 738c347df8efd4965eda14167171343be13bed75
--- a/roles/requirements.yml
+++ b/roles/requirements.yml
@ -3,15 +3,31 @@
 roles:
  - name: ednz_cloud.manage_repositories
    src: https://github.com/ednz-cloud/manage_repositories.git
+    version: main
  - name: ednz_cloud.manage_apt_packages
    src: https://github.com/ednz-cloud/manage_apt_packages.git
+    version: main
  - name: ednz_cloud.manage_pip_packages
    src: https://github.com/ednz-cloud/manage_pip_packages.git
+    version: main
  - name: ednz_cloud.install_docker
    src: https://github.com/ednz-cloud/install_docker.git
+    version: main
  - name: ednz_cloud.docker_systemd_service
    src: https://github.com/ednz-cloud/docker_systemd_service.git
+    version: main
  - name: ednz_cloud.deploy_haproxy
    src: https://github.com/ednz-cloud/deploy_haproxy.git
+    version: main
  - name: ednz_cloud.deploy_keepalived
    src: https://github.com/ednz-cloud/deploy_keepalived.git
+    version: main
+  - name: ednz_cloud.hashicorp_nomad
+    src: https://github.com/ednz-cloud/hashicorp_nomad.git
+    version: v0.1.0
+  - name: ednz_cloud.hashicorp_consul
+    src: https://github.com/ednz-cloud/hashicorp_consul.git
+    version: main
+  - name: ednz_cloud.hashicorp_vault
+    src: https://github.com/ednz-cloud/hashicorp_vault.git
+    version: main
				`@ -1 +0,0 @@`
				`Subproject commit 56696c3552308225d4e5b91efc8e4bf75d31d2f3`
				`@ -1 +0,0 @@`
				`Subproject commit 738c347df8efd4965eda14167171343be13bed75`