feat: playbooks revamp

This commit is contained in:
Bertrand Lanson 2024-08-17 14:09:24 +02:00
parent 9703fad7c9
commit 259f273fd9
Signed by: lanson
SSH Key Fingerprint: SHA256:/nqc6HGqld/PS208F6FUOvZlUzTS0rGpNNwR5O2bQBw
18 changed files with 86 additions and 1026 deletions


@ -8,7 +8,7 @@
become: true
tasks:
- name: "Import variables"
ansible.builtin.import_role:
ansible.builtin.include_role:
name: ednz_cloud.hashistack.hashistack
tags:
- always
@ -19,7 +19,7 @@
- consul
when:
- enable_consul | bool
ansible.builtin.import_tasks:
ansible.builtin.include_tasks:
file: tasks/consul/consul_deploy.yml
# Vault nodes deployment
@ -28,7 +28,7 @@
- vault
when:
- enable_vault | bool
ansible.builtin.import_tasks:
ansible.builtin.include_tasks:
file: tasks/vault/vault_deploy.yml
# Nomad nodes deployment
@ -37,7 +37,7 @@
- nomad
when:
- enable_nomad | bool
ansible.builtin.import_tasks:
ansible.builtin.include_tasks:
file: tasks/nomad/nomad_deploy.yml
# - fail:
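Review bot: Switching `ansible.builtin.import_tasks` to `ansible.builtin.include_tasks` at L29, L37 and L45 changes what the `tags:` and `when:` directly above each include govern: on a dynamic include they apply to the include statement only, not to the tasks inside the included file, so a run with `--tags consul` processes the include but skips the untagged tasks in `tasks/consul/consul_deploy.yml`. The same holds for the `always` tag on the variables `include_role` at L20, which means tag-filtered runs would no longer load the hashistack variables the later tasks depend on. If selective tagging is still intended, either keep the static imports for these three task files or propagate the tags with `apply:` under each include, e.g. `apply:` / `tags:` / `- consul`. The enclosing play begins before this hunk.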


@ -7,363 +7,15 @@
become: true
tasks:
- name: "Import variables"
ansible.builtin.import_role:
ansible.builtin.include_role:
name: ednz_cloud.hashistack.hashistack
tags:
- always
- name: "Create temporary cert directory in {{ hashistack_sub_configuration_directories['certificates'] }}" # noqa: run-once[task]
ansible.builtin.file:
path: "{{ hashistack_sub_configuration_directories['certificates'] }}/external"
state: directory
owner: "{{ lookup('env', 'USER') }}"
group: "{{ lookup('env', 'USER') }}"
mode: "0755"
delegate_to: localhost
run_once: true
- name: "Create Certificate Authority"
ansible.builtin.include_role:
name: ednz_cloud.hashistack.hashistack_ca
apply:
delegate_to: localhost
tags:
- always
- name: "Generate external certificates" # noqa: run-once[task]
tags:
- always
delegate_to: localhost
run_once: true
block:
- name: "Create temporary cert directory in {{ hashistack_sub_configuration_directories['certificates'] }}" # noqa: run-once[task]
ansible.builtin.file:
path: "{{ hashistack_sub_configuration_directories['certificates'] }}/external"
state: directory
owner: "{{ lookup('env', 'USER') }}"
group: "{{ lookup('env', 'USER') }}"
mode: "0755"
- name: "Create private keys"
community.crypto.openssl_privatekey:
path: "{{ hashistack_sub_configuration_directories['certificates'] }}/external/{{ item.fqdn }}.pem.key"
owner: "{{ lookup('env', 'USER') }}"
group: "{{ lookup('env', 'USER') }}"
loop:
- name: nomad
fqdn: "{{ nomad_fqdn }}"
- name: vault
fqdn: "{{ vault_fqdn }}"
- name: consul
fqdn: "{{ consul_fqdn }}"
- name: "Create certificate signing request"
community.crypto.openssl_csr_pipe:
privatekey_path: "{{ hashistack_sub_configuration_directories['certificates'] }}/external/{{ item.fqdn }}.pem.key"
common_name: "{{ item.fqdn }}"
organization_name: EDNZ Cloud
register: csr
loop:
- name: nomad
fqdn: "{{ nomad_fqdn }}"
- name: vault
fqdn: "{{ vault_fqdn }}"
- name: consul
fqdn: "{{ consul_fqdn }}"
- name: "Create self-signed certificate from CSR"
community.crypto.x509_certificate:
path: "{{ hashistack_sub_configuration_directories['certificates'] }}/external/{{ item.item.fqdn }}.pem"
csr_content: "{{ item.csr }}"
privatekey_path: "{{ hashistack_sub_configuration_directories['certificates'] }}/external/{{ item.item.fqdn }}.pem.key"
provider: selfsigned
owner: "{{ lookup('env', 'USER') }}"
group: "{{ lookup('env', 'USER') }}"
loop: "{{ csr.results }}"
- name: "Generate internal certificates"
tags:
- never
- internal
delegate_to: localhost
vars:
hashistack_ca_key_path: "{{ hashistack_sub_configuration_directories['certificates'] }}/ca/ca.key"
hashistack_ca_cert_path: "{{ hashistack_sub_configuration_directories['certificates'] }}/ca/ca.crt"
block:
- name: "Create internal CA" # noqa: run-once[task]
run_once: true
block:
- name: "Create temporary cert directory in {{ hashistack_sub_configuration_directories['certificates'] }}" # noqa: run-once[task]
ansible.builtin.file:
path: "{{ hashistack_sub_configuration_directories['certificates'] }}/ca"
state: directory
owner: "{{ lookup('env', 'USER') }}"
group: "{{ lookup('env', 'USER') }}"
mode: "0755"
- name: "Create CA private key"
community.crypto.openssl_privatekey:
path: "{{ hashistack_ca_key_path }}"
owner: "{{ lookup('env', 'USER') }}"
group: "{{ lookup('env', 'USER') }}"
- name: "Create CA signing request"
community.crypto.openssl_csr_pipe:
privatekey_path: "{{ hashistack_ca_key_path }}"
common_name: "CA"
organization_name: EDNZ Cloud
use_common_name_for_san: false
basic_constraints:
- CA:TRUE
basic_constraints_critical: true
key_usage:
- keyCertSign
key_usage_critical: true
register: ca_csr
- name: "Create self-signed CA certificate from CSR"
community.crypto.x509_certificate:
path: "{{ hashistack_ca_cert_path }}"
csr_content: "{{ ca_csr.csr }}"
privatekey_path: "{{ hashistack_ca_key_path }}"
provider: selfsigned
owner: "{{ lookup('env', 'USER') }}"
group: "{{ lookup('env', 'USER') }}"
- name: "Create Vault certificates"
when:
- "'vault_servers' in group_names"
vars:
vault_private_key_path: "{{ hashistack_sub_configuration_directories['certificates'] }}/vault/{{ inventory_hostname }}/key.pem"
vault_certificate_path: "{{ hashistack_sub_configuration_directories['certificates'] }}/vault/{{ inventory_hostname }}/cert.pem"
block:
- name: "Create temporary cert directory in {{ hashistack_sub_configuration_directories['certificates'] }}" # noqa: run-once[task]
ansible.builtin.file:
path: "{{ hashistack_sub_configuration_directories['certificates'] }}/vault/{{ inventory_hostname }}"
state: directory
owner: "{{ lookup('env', 'USER') }}"
group: "{{ lookup('env', 'USER') }}"
mode: "0755"
- name: "Create Vault certificate keys"
community.crypto.openssl_privatekey:
path: "{{ vault_private_key_path }}"
owner: "{{ lookup('env', 'USER') }}"
group: "{{ lookup('env', 'USER') }}"
- name: "Create CSRs for Vault servers"
community.crypto.openssl_csr_pipe:
privatekey_path: "{{ vault_private_key_path }}"
common_name: "{{ inventory_hostname }}"
subject_alt_name:
- "DNS:{{ inventory_hostname }}"
- "DNS:active.vault.service.consul"
- "DNS:standby.vault.service.consul"
- "DNS:vault.service.consul"
- "DNS:localhost"
- "IP:{{ api_interface_address }}"
- "IP:127.0.0.1"
key_usage_critical: true
key_usage:
- Digital Signature
- Key Encipherment
- Key Agreement
extended_key_usage:
- TLS Web Server Authentication
- TLS Web Client Authentication
organization_name: EDNZ Cloud
use_common_name_for_san: false
register: vault_csr
- name: "Sign certificates with internal CA"
community.crypto.x509_certificate:
path: "{{ vault_certificate_path }}"
csr_content: "{{ vault_csr.csr }}"
provider: ownca
ownca_path: "{{ hashistack_ca_cert_path }}"
ownca_privatekey_path: "{{ hashistack_ca_key_path }}"
ownca_not_after: "+365d"
ownca_not_before: "-1d"
- name: "Concatenate CA and Child certificates"
block:
- name: "Read content of ca.crt"
ansible.builtin.slurp:
src: "{{ hashistack_ca_cert_path }}"
register: ca_crt_content
- name: "Read content of cert.pem"
ansible.builtin.slurp:
src: "{{ vault_certificate_path }}"
register: cert_pem_content
- name: "Concatenate certificates"
ansible.builtin.copy:
content: |
{{ cert_pem_content['content'] | b64decode }}{{ ca_crt_content['content'] | b64decode }}
dest: "{{ vault_certificate_path }}"
owner: "{{ lookup('env', 'USER') }}"
group: "{{ lookup('env', 'USER') }}"
mode: "0644"
- name: "Create Consul certificates"
when:
- "('consul_servers' in group_names) or ('consul_agents' in group_names)"
vars:
consul_private_key_path: "{{ hashistack_sub_configuration_directories['certificates'] }}/consul/{{ inventory_hostname }}/key.pem"
consul_certificate_path: "{{ hashistack_sub_configuration_directories['certificates'] }}/consul/{{ inventory_hostname }}/cert.pem"
block:
- name: "Create temporary cert directory in {{ hashistack_sub_configuration_directories['certificates'] }}" # noqa: run-once[task]
ansible.builtin.file:
path: "{{ hashistack_sub_configuration_directories['certificates'] }}/consul/{{ inventory_hostname }}"
state: directory
owner: "{{ lookup('env', 'USER') }}"
group: "{{ lookup('env', 'USER') }}"
mode: "0755"
- name: "Create Consul certificate keys"
community.crypto.openssl_privatekey:
path: "{{ consul_private_key_path }}"
owner: "{{ lookup('env', 'USER') }}"
group: "{{ lookup('env', 'USER') }}"
- name: "Create CSRs for Consul servers"
vars:
consul_csr_sans: >-
{%- set sans_list = [
'DNS:' + inventory_hostname,
'DNS:consul.service.consul',
'DNS:localhost',
'IP:' + api_interface_address,
'IP:127.0.0.1'
] -%}
{%- if consul_enable_server -%}
{%- set _ = sans_list.append('DNS:server.' ~ consul_datacenter ~ '.' ~ consul_domain) -%}
{%- endif -%}
{{ sans_list }}
community.crypto.openssl_csr_pipe:
privatekey_path: "{{ consul_private_key_path }}"
common_name: "{{ inventory_hostname }}"
subject_alt_name: "{{ consul_csr_sans }}"
key_usage_critical: true
key_usage:
- Digital Signature
- Key Encipherment
- Key Agreement
extended_key_usage:
- TLS Web Server Authentication
- TLS Web Client Authentication
organization_name: EDNZ Cloud
use_common_name_for_san: false
register: consul_csr
- name: "Sign certificates with internal CA"
community.crypto.x509_certificate:
path: "{{ consul_certificate_path }}"
csr_content: "{{ consul_csr.csr }}"
provider: ownca
ownca_path: "{{ hashistack_ca_cert_path }}"
ownca_privatekey_path: "{{ hashistack_ca_key_path }}"
ownca_not_after: "+365d"
ownca_not_before: "-1d"
- name: "Concatenate CA and Child certificates"
block:
- name: "Read content of ca.crt"
ansible.builtin.slurp:
src: "{{ hashistack_ca_cert_path }}"
register: ca_crt_content
- name: "Read content of cert.pem"
ansible.builtin.slurp:
src: "{{ consul_certificate_path }}"
register: cert_pem_content
- name: "Concatenate certificates"
ansible.builtin.copy:
content: |
{{ cert_pem_content['content'] | b64decode }}{{ ca_crt_content['content'] | b64decode }}
dest: "{{ consul_certificate_path }}"
owner: "{{ lookup('env', 'USER') }}"
group: "{{ lookup('env', 'USER') }}"
mode: "0644"
- name: "Create Nomad certificates"
when:
- "('nomad_servers' in group_names) or ('nomad_clients' in group_names)"
vars:
nomad_private_key_path: "{{ hashistack_sub_configuration_directories['certificates'] }}/nomad/{{ inventory_hostname }}/key.pem"
nomad_certificate_path: "{{ hashistack_sub_configuration_directories['certificates'] }}/nomad/{{ inventory_hostname }}/cert.pem"
block:
- name: "Create temporary cert directory in {{ hashistack_sub_configuration_directories['certificates'] }}" # noqa: run-once[task]
ansible.builtin.file:
path: "{{ hashistack_sub_configuration_directories['certificates'] }}/nomad/{{ inventory_hostname }}"
state: directory
owner: "{{ lookup('env', 'USER') }}"
group: "{{ lookup('env', 'USER') }}"
mode: "0755"
- name: "Create Nomad certificate keys"
community.crypto.openssl_privatekey:
path: "{{ nomad_private_key_path }}"
owner: "{{ lookup('env', 'USER') }}"
group: "{{ lookup('env', 'USER') }}"
- name: "Create CSRs for Nomad servers"
vars:
nomad_csr_sans: >-
{%- set sans_list = [
'DNS:' + inventory_hostname,
'DNS:localhost',
'IP:' + api_interface_address,
'IP:127.0.0.1'
] -%}
{%- if nomad_enable_server -%}
{%- set _ = sans_list.append('DNS:server.' ~ nomad_region ~ '.nomad') -%}
{%- if (enable_consul | bool) -%}
{%- set _ = sans_list.append('DNS:nomad.service.consul') -%}
{%- endif -%}
{%- endif -%}
{%- if nomad_enable_client -%}
{%- set _ = sans_list.append('DNS:client.' ~ nomad_region ~ '.nomad') -%}
{%- endif -%}
{{ sans_list }}
community.crypto.openssl_csr_pipe:
privatekey_path: "{{ nomad_private_key_path }}"
common_name: "{{ inventory_hostname }}"
subject_alt_name: "{{ nomad_csr_sans }}"
key_usage_critical: true
key_usage:
- Digital Signature
- Key Encipherment
extended_key_usage:
- TLS Web Server Authentication
- TLS Web Client Authentication
organization_name: EDNZ Cloud
use_common_name_for_san: false
register: nomad_csr
- name: "Sign certificates with internal CA"
community.crypto.x509_certificate:
path: "{{ nomad_certificate_path }}"
csr_content: "{{ nomad_csr.csr }}"
provider: ownca
ownca_path: "{{ hashistack_ca_cert_path }}"
ownca_privatekey_path: "{{ hashistack_ca_key_path }}"
ownca_not_after: "+365d"
ownca_not_before: "-1d"
- name: "Concatenate CA and Child certificates"
block:
- name: "Read content of ca.crt"
ansible.builtin.slurp:
src: "{{ hashistack_ca_cert_path }}"
register: ca_crt_content
- name: "Read content of cert.pem"
ansible.builtin.slurp:
src: "{{ nomad_certificate_path }}"
register: cert_pem_content
- name: "Concatenate certificates"
ansible.builtin.copy:
content: |
{{ cert_pem_content['content'] | b64decode }}{{ ca_crt_content['content'] | b64decode }}
dest: "{{ nomad_certificate_path }}"
owner: "{{ lookup('env', 'USER') }}"
group: "{{ lookup('env', 'USER') }}"
mode: "0644"
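Review bot: The `Create Certificate Authority` include at L69-L75 is executed once per inventory host, each run delegated to localhost via `apply:`, while the directory task just above it (L60-L68) is `run_once: true`; if the `hashistack_ca` role writes CA key material to a shared path on the controller, concurrent forks race on the same files and the CA may be regenerated per host, so the include most likely needs `run_once: true` as well (or the role must serialize and be idempotent internally, which I cannot see from here). The `external` directory created at L62 is `0755` and owned by the controller user; any private keys the role now places under it must be written with a restrictive mode (`0600`), a guarantee that moves from this playbook into the role with this commit. The play header and `become: true` scope start before this hunk.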


@ -33,6 +33,17 @@ nomad_clients
[deployment]
localhost ansible_connection=local
[consul:children]
consul_servers
consul_agents
[nomad:children]
nomad_servers
nomad_clients
[vault:children]
vault_servers
[common:children]
haproxy_servers
vault_servers
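Review bot: `[common:children]` at L405-L407 contains only `haproxy_servers` and `vault_servers`, while the new `consul` and `nomad` parent groups (L397, L400) are left out; if `common` is meant to carry variables or plays for every managed node, the Consul and Nomad groups would need to be listed too. If the narrower membership is intentional, a comment above the group stating what `common` denotes would spare the next reader the question. The inventory lines before L33 are outside this hunk.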


@ -3,4 +3,4 @@
block:
- name: "Deploy Consul Agents"
ansible.builtin.include_role:
name: ednz_cloud.hashicorp_consul
name: ednz_cloud.hashistack.consul


@ -1,19 +1,19 @@
---
- name: "Consul control plane"
block:
- name: "Include ednz_cloud.hashicorp_consul"
- name: "Include ednz_cloud.hashistack.consul"
ansible.builtin.include_role:
name: ednz_cloud.hashicorp_consul
name: ednz_cloud.hashistack.consul
- name: "Wait for consul cluster to initialize" # noqa: run-once[task]
- name: "Consul | Wait for consul cluster to initialize" # noqa: run-once[task]
block:
- name: "Wait for consul nodes to stabilize"
- name: "Consul | Wait for consul nodes to stabilize"
ansible.builtin.wait_for:
host: "{{ api_interface_address }}"
port: "{{ consul_api_port[consul_api_scheme] }}"
delay: 10
- name: "Waiting for consul api to respond"
- name: "Consul | Waiting for consul api to respond"
ansible.builtin.uri:
url: "{{ consul_api_addr }}"
validate_certs: no
@ -25,7 +25,7 @@
delay: 5
register: uri_output
- name: "Initialize consul cluster" # noqa: run-once[task]
- name: "Consul | Initialize consul cluster" # noqa: run-once[task]
community.general.consul_acl_bootstrap:
bootstrap_secret: "{{ _credentials.consul.root_token.secret_id }}"
host: "{{ api_interface_address }}"
@ -35,16 +35,16 @@
register: _consul_init_secret
when:
- consul_init_server
- hashicorp_consul_configuration.acl.enabled
- consul_configuration.acl.enabled
- name: "Create consul agents token"
- name: "Consul | Create consul agents token"
when:
- consul_init_server
- hashicorp_consul_configuration.acl.enabled
- consul_configuration.acl.enabled
block:
- name: "Create consul agents token" # noqa: run-once[task] no-handler
- name: "Consul | Create consul agents token" # noqa: run-once[task] no-handler
block:
- name: "Create consul agent policy"
- name: "Consul | Create consul agent policy"
community.general.consul_policy:
token: "{{ _credentials.consul.root_token.secret_id }}"
host: "{{ api_interface_address }}"
@ -56,7 +56,7 @@
rules: "{{ consul_default_agent_policy }}"
register: _consul_agent_policy
- name: "Create consul agents token"
- name: "Consul | Create consul agents token"
community.general.consul_token:
token: "{{ _credentials.consul.root_token.secret_id }}"
host: "{{ api_interface_address }}"
@ -69,10 +69,3 @@
- id: "{{ _consul_agent_policy.policy.ID }}"
state: present
register: _consul_agent_token
- name: "Restart consul service" # noqa: no-handler
ansible.builtin.service:
name: "{{ hashicorp_consul_service_name }}"
state: restarted
throttle: 1
when: _consul_agent_token.changed
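Review bot: The readiness probe at L439-L442 still polls `consul_api_addr` with `validate_certs: no`, which the revamp leaves in place even though the stack now distributes its own CA; the `uri` call should verify against it (`validate_certs: true` with `ca_path` set to the deployed CA certificate), and `no` should be written `false` regardless to avoid YAML 1.1 truthy ambiguity. Separately, the last hunk removes the `Restart consul service` task that consumed `_consul_agent_token.changed`, yet the token task at L476-L483 still registers `_consul_agent_token`; if the restart now lives in the `ednz_cloud.hashistack.consul` role the register can be dropped, otherwise a changed agent token no longer reaches the running agents. The `Consul control plane` block spans lines outside these hunks.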


@ -1,67 +0,0 @@
---
# hashistack configuration merging for consul
- name: "Consul | Merge stringified configuration"
vars:
_config_to_merge: "{{ hashicorp_consul_configuration_string }}"
ansible.builtin.set_fact:
hashicorp_consul_configuration: "{{
hashicorp_consul_configuration |
combine(_config_to_merge|from_yaml, recursive=true)
}}"
when:
- hashicorp_consul_configuration_string is defined
- name: "Consul | Merge servers specific stringified configuration"
vars:
_config_to_merge: "{{ hashicorp_consul_servers_configuration_string }}"
ansible.builtin.set_fact:
hashicorp_consul_configuration: "{{
hashicorp_consul_configuration |
combine(_config_to_merge|from_yaml, recursive=true)
}}"
when:
- hashicorp_consul_configuration_string is defined
- "'consul_servers' in group_names"
- name: "Consul | Merge addresses configuration"
vars:
_config_to_merge: "{{ consul_address_configuration }}"
ansible.builtin.set_fact:
hashicorp_consul_configuration: "{{
hashicorp_consul_configuration |
combine(_config_to_merge, recursive=true)
}}"
when: consul_address_configuration is defined
- name: "Consul | Merge TLS configuration"
vars:
_config_to_merge:
tls: "{{ consul_tls_configuration }}"
ansible.builtin.set_fact:
hashicorp_consul_configuration: "{{
hashicorp_consul_configuration |
combine(_config_to_merge, recursive=true)
}}"
when: consul_enable_tls
- name: "Consul | Merge token configuration"
delegate_to: localhost
block:
- name: "Consul | Merge token configuration"
vars:
_config_to_merge:
acl:
tokens:
agent: "{{ _credentials.consul.tokens.agent.secret_id }}"
ansible.builtin.set_fact:
hashicorp_consul_configuration: "{{ hashicorp_consul_configuration | default({}) | combine(_config_to_merge, recursive=true) }}"
- name: "Consul | Merge extra configuration settings"
vars:
_config_to_merge: "{{ consul_extra_configuration }}"
ansible.builtin.set_fact:
hashicorp_consul_configuration: "{{
hashicorp_consul_configuration |
combine(_config_to_merge, recursive=true)
}}"
when: consul_extra_configuration is defined


@ -1,205 +0,0 @@
---
# hashistack variable injection playbook
- name: "Load global variables"
block:
- name: "Stat global configuration file"
ansible.builtin.stat:
path: "{{ configuration_directory }}/{{ configuration_global_vars_file }}"
register: _global_config_file
delegate_to: localhost
- name: "Make sure global configuration file exists"
ansible.builtin.assert:
that:
- _global_config_file.stat.exists
fail_msg: >-
Main configuration file {{ _global_config_file.stat.path }} was not found, cannot continue without it.
delegate_to: localhost
- name: "Load global variables"
ansible.builtin.include_vars:
dir: "{{ configuration_directory }}"
files_matching: "{{ configuration_global_vars_file }}"
depth: 1
delegate_to: localhost
- name: "Load credentials variables"
block:
- name: "Stat credentials file"
ansible.builtin.stat:
path: "{{ sub_configuration_directories['secrets'] }}/{{ configuration_credentials_vars_file }}"
register: _credentials_file
delegate_to: localhost
- name: "Stat vault credentials file"
ansible.builtin.stat:
path: "{{ sub_configuration_directories['secrets'] }}/vault.yml"
register: _vault_credentials_file
delegate_to: localhost
- name: "Make sure credentials file exists"
ansible.builtin.assert:
that:
- _credentials_file.stat.exists
fail_msg: >-
Credentials file {{ _credentials_file.stat.path }} was not found, cannot continue without it.
delegate_to: localhost
- name: "Load credentials variables"
ansible.builtin.include_vars:
dir: "{{ sub_configuration_directories['secrets'] }}"
files_matching: "{{ configuration_credentials_vars_file }}"
depth: 1
name: _credentials
delegate_to: localhost
- name: "Load vault credentials if vault.yml exists"
ansible.builtin.include_vars:
dir: "{{ sub_configuration_directories['secrets'] }}"
files_matching: "vault.yml"
depth: 1
name: _vault_credentials
when: _vault_credentials_file.stat.exists
delegate_to: localhost
- name: "Merge vault credentials into _credentials"
vars:
_config_to_merge:
vault: "{{ _vault_credentials }}"
ansible.builtin.set_fact:
_credentials: "{{ _credentials | combine(_vault_credentials, recursive=true) }}"
when: _vault_credentials_file.stat.exists
delegate_to: localhost
- name: "Load group specific variables"
block:
- name: "Stat group specific config file"
ansible.builtin.stat:
path: "{{ configuration_directory }}/{{ group_name }}/{{ configuration_global_vars_file }}"
register: _group_config_file
loop: "{{ group_names }}"
loop_control:
loop_var: group_name
- name: Load group specific variables
ansible.builtin.include_vars:
dir: "{{ configuration_directory }}/{{ item.group_name }}"
files_matching: "{{ configuration_global_vars_file }}"
depth: 1
loop: "{{ _group_config_file.results }}"
when: item.stat.exists
and item.group_name in group_names
loop_control:
loop_var: item
delegate_to: localhost
- name: "Load host specific variables"
block:
- name: "Stat host specific config file"
ansible.builtin.stat:
path: "{{ configuration_directory }}/{{ group_name }}/{{ inventory_hostname }}/{{ configuration_global_vars_file }}"
register: _host_config_file
loop: "{{ group_names }}"
loop_control:
loop_var: group_name
delegate_to: localhost
- name: Load host specific variables
ansible.builtin.include_vars:
dir: "{{ configuration_directory }}/{{ item.group_name }}/{{ inventory_hostname }}"
files_matching: "{{ configuration_global_vars_file }}"
loop: "{{ _host_config_file.results }}"
when: item.stat.exists
loop_control:
loop_var: item
delegate_to: localhost
- name: "Ensure remote directories exists"
ansible.builtin.file:
path: "{{ item }}"
state: directory
owner: root
group: root
mode: 0755
loop:
- "{{ hashistack_remote_config_dir }}"
- "{{ hashistack_remote_data_dir }}"
- name: "Load custom CA certificates"
block:
- name: "Check if CA directory exists"
ansible.builtin.stat:
path: "{{ sub_configuration_directories['certificates'] }}/ca"
register: _hashistack_ca_directory
delegate_to: localhost
- name: "Find custom ca certificates to copy"
ansible.builtin.find:
paths: "{{ sub_configuration_directories['certificates'] }}/ca"
patterns: "*.crt"
register: _hashistack_cacert_files
delegate_to: localhost
when: _hashistack_ca_directory.stat.exists and _hashistack_ca_directory.stat.isdir
- name: "Ensure remote ca directory exists"
ansible.builtin.file:
path: "{{ hashistack_remote_config_dir }}/ca"
state: directory
owner: root
group: root
mode: 0755
- name: "Copy custom ca certificates"
ansible.builtin.copy:
src: "{{ item.path }}"
dest: "{{ hashistack_remote_config_dir }}/ca/{{ item.path | basename }}"
owner: root
group: root
mode: 0644
loop: "{{ _hashistack_cacert_files.files }}"
register: _hashistack_copied_ca
- name: "Copy and update trust store"
block:
- name: "Copy ca certificates to /usr/loca/share/ca-certificates"
ansible.builtin.file:
state: link
src: "{{ item.dest }}"
dest: "/usr/local/share/ca-certificates/hashistack-customca-{{ item.dest | basename }}"
owner: root
group: root
loop: "{{ _hashistack_copied_ca.results }}"
register: _hashistack_usr_local_share_ca_certificates
- name: "Update the trust store"
ansible.builtin.command: update-ca-certificates
changed_when: false
when: _hashistack_usr_local_share_ca_certificates.changed
# - name: "Initialize list of CA certificates"
# ansible.builtin.set_fact:
# hashistack_cacert_extra_files: []
# delegate_to: localhost
# - name: "Add custom CA to list of extra certificates"
# ansible.builtin.set_fact:
# hashistack_cacert_extra_files: "{{
# hashistack_cacert_extra_files | default([])
# + [{'src': item.path, 'dest': '/etc/ssl/certs/hashistack-custom-' + item.path | basename}] }}"
# loop: "{{ _hashistack_cacert_files.files }}"
# delegate_to: localhost
# when: _hashistack_cacert_files.matched > 0
- name: "Merge consul configurations"
ansible.builtin.import_tasks:
file: "consul/consul_vars.yml"
when:
- enable_consul | bool
- "('consul_servers' in group_names) or ('consul_agents' in group_names)"
- name: "Merge vault configurations"
ansible.builtin.import_tasks:
file: "vault/vault_vars.yml"
when:
- enable_vault | bool
- "'vault_servers' in group_names"


@ -1,51 +0,0 @@
---
- name: "Check if CA directory exists"
ansible.builtin.stat:
path: "{{ sub_configuration_directories['certificates'] }}/ca"
register: _hashistack_ca_directory
delegate_to: localhost
- name: "Find custom ca certificates to copy"
ansible.builtin.find:
paths: "{{ sub_configuration_directories['certificates'] }}/ca"
patterns: "*.crt"
register: _hashistack_cacert_files
delegate_to: localhost
when: _hashistack_ca_directory.stat.exists and _hashistack_ca_directory.stat.isdir
- name: "Ensure remote ca directory exists"
ansible.builtin.file:
path: "{{ hashistack_remote_config_dir }}/ca"
state: directory
owner: root
group: root
mode: 0755
- name: "Copy custom ca certificates"
ansible.builtin.copy:
src: "{{ item.path }}"
dest: "{{ hashistack_remote_config_dir }}/ca/{{ item.path | basename }}"
owner: root
group: root
mode: 0644
loop: "{{ _hashistack_cacert_files.files }}"
register: _hashistack_copied_ca
when: not _hashistack_cacert_files.skipped | default(False)
- name: "Copy and update trust store"
when: not _hashistack_copied_ca.skipped | default(False)
block:
- name: "Copy ca certificates to /usr/local/share/ca-certificates"
ansible.builtin.file:
state: link
src: "{{ item.dest }}"
dest: "/usr/local/share/ca-certificates/hashistack-customca-{{ item.dest | basename }}"
owner: root
group: root
loop: "{{ _hashistack_copied_ca.results }}"
register: _hashistack_usr_local_share_ca_certificates
- name: "Update the trust store" # noqa: no-handler
ansible.builtin.command: update-ca-certificates
changed_when: false
when: _hashistack_usr_local_share_ca_certificates.changed


@ -1,46 +0,0 @@
---
- name: "Stat credentials file"
ansible.builtin.stat:
path: "{{ sub_configuration_directories['secrets'] }}/{{ configuration_credentials_vars_file }}"
register: _credentials_file
delegate_to: localhost
- name: "Stat vault credentials file"
ansible.builtin.stat:
path: "{{ sub_configuration_directories['secrets'] }}/vault.yml"
register: _vault_credentials_file
delegate_to: localhost
- name: "Make sure credentials file exists"
ansible.builtin.assert:
that:
- _credentials_file.stat.exists
fail_msg: >-
Credentials file {{ _credentials_file.stat.path }} was not found, cannot continue without it.
delegate_to: localhost
- name: "Load credentials variables"
ansible.builtin.include_vars:
dir: "{{ sub_configuration_directories['secrets'] }}"
files_matching: "{{ configuration_credentials_vars_file }}"
depth: 1
name: _credentials
delegate_to: localhost
- name: "Load vault credentials if vault.yml exists"
ansible.builtin.include_vars:
dir: "{{ sub_configuration_directories['secrets'] }}"
files_matching: "vault.yml"
depth: 1
name: _vault_credentials
when: _vault_credentials_file.stat.exists
delegate_to: localhost
- name: "Merge vault credentials into _credentials"
vars:
_config_to_merge:
vault: "{{ _vault_credentials }}"
ansible.builtin.set_fact:
_credentials: "{{ _credentials | combine(_config_to_merge, recursive=true) }}"
when: _vault_credentials_file.stat.exists
delegate_to: localhost


@ -1,28 +0,0 @@
---
- name: "Include all default variables"
ansible.builtin.include_vars:
dir: "../../group_vars/all"
depth: 1
extensions: ["yml"]
delegate_to: localhost
- name: "Stat global configuration file"
ansible.builtin.stat:
path: "{{ configuration_directory }}/{{ configuration_global_vars_file }}"
register: _global_config_file
delegate_to: localhost
- name: "Make sure global configuration file exists"
ansible.builtin.assert:
that:
- _global_config_file.stat.exists
fail_msg: >-
Main configuration file {{ _global_config_file.stat.path }} was not found, cannot continue without it.
delegate_to: localhost
- name: "Load global variables"
ansible.builtin.include_vars:
dir: "{{ configuration_directory }}"
files_matching: "{{ configuration_global_vars_file }}"
depth: 1
delegate_to: localhost


@ -1,20 +0,0 @@
---
- name: "Stat group specific config file"
ansible.builtin.stat:
path: "{{ configuration_directory }}/{{ group_name }}/{{ configuration_global_vars_file }}"
register: _group_config_file
loop: "{{ group_names }}"
loop_control:
loop_var: group_name
- name: Load group specific variables
ansible.builtin.include_vars:
dir: "{{ configuration_directory }}/{{ item.group_name }}"
files_matching: "{{ configuration_global_vars_file }}"
depth: 1
loop: "{{ _group_config_file.results }}"
when: item.stat.exists
and item.group_name in group_names
loop_control:
loop_var: item
delegate_to: localhost


@ -1,19 +0,0 @@
---
- name: "Stat host specific config file"
ansible.builtin.stat:
path: "{{ configuration_directory }}/{{ group_name }}/{{ inventory_hostname }}/{{ configuration_global_vars_file }}"
register: _host_config_file
loop: "{{ group_names }}"
loop_control:
loop_var: group_name
delegate_to: localhost
- name: Load host specific variables
ansible.builtin.include_vars:
dir: "{{ configuration_directory }}/{{ item.group_name }}/{{ inventory_hostname }}"
files_matching: "{{ configuration_global_vars_file }}"
loop: "{{ _host_config_file.results }}"
when: item.stat.exists
loop_control:
loop_var: item
delegate_to: localhost


@ -1,11 +1,15 @@
---
- name: "Nomad clients"
block:
- name: "Install docker driver"
- name: "Nomad | Install docker driver"
ansible.builtin.include_role:
name: ednz_cloud.install_docker
when: nomad_driver_enable_docker
- name: "Deploy Nomad Clients"
- name: "Include ednz_cloud.hashistack.cni"
ansible.builtin.include_role:
name: ednz_cloud.hashicorp_nomad
name: ednz_cloud.hashistack.cni
- name: "Nomad | Deploy Clients"
ansible.builtin.include_role:
name: ednz_cloud.hashistack.nomad
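Review bot: The new task name at L924, `Include ednz_cloud.hashistack.cni`, breaks the `Nomad | ` prefix convention this commit introduces on the sibling tasks at L919 and L928; `- name: "Nomad | Include ednz_cloud.hashistack.cni"` keeps task output filterable by component. The same inconsistency appears at L986 and L992 in the Nomad control-plane section and at L425 in the Consul control-plane section.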


@ -1,7 +1,7 @@
---
- name: "Nomad control plane"
block:
- name: "Create consul tokens for service registration"
- name: "Nomad | Create consul tokens for service registration"
when:
- nomad_init_server
- enable_consul
@ -11,9 +11,9 @@
_consul_port: "{{ hostvars[groups['consul_servers'][0]].consul_api_port[hostvars[groups['consul_servers'][0]].consul_api_scheme] }}"
_consul_scheme: "{{ hostvars[groups['consul_servers'][0]].consul_api_scheme }}"
block:
- name: "Create server credentials"
- name: "Nomad | Create server credentials"
block:
- name: "Create consul server policy"
- name: "Nomad | Create consul server policy"
community.general.consul_policy:
token: "{{ _credentials.consul.root_token.secret_id }}"
host: "{{ _consul_host }}"
@ -25,7 +25,7 @@
rules: "{{ nomad_consul_integration_server_policy }}"
register: _consul_nomad_server_policy
- name: "Create consul server token" # noqa: no-handler
- name: "Nomad | Create consul server token" # noqa: no-handler
community.general.consul_token:
token: "{{ _credentials.consul.root_token.secret_id }}"
host: "{{ _consul_host }}"
@ -39,9 +39,9 @@
state: present
when: _consul_nomad_server_policy.changed
- name: "Create client credentials"
- name: "Nomad | Create client credentials"
block:
- name: "Create consul client policy"
- name: "Nomad | Create consul client policy"
community.general.consul_policy:
token: "{{ _credentials.consul.root_token.secret_id }}"
host: "{{ _consul_host }}"
@ -53,7 +53,7 @@
rules: "{{ nomad_consul_integration_client_policy }}"
register: _consul_nomad_client_policy
- name: "Create consul client token" # noqa: no-handler
- name: "Nomad | Create consul client token" # noqa: no-handler
community.general.consul_token:
token: "{{ _credentials.consul.root_token.secret_id }}"
host: "{{ _consul_host }}"
@ -67,11 +67,16 @@
state: present
when: _consul_nomad_client_policy.changed
- name: "Include ednz_cloud.hashicorp_nomad"
- name: "Include ednz_cloud.hashistack.cni"
ansible.builtin.include_role:
name: ednz_cloud.hashicorp_nomad
name: ednz_cloud.hashistack.cni
when: nomad_enable_client
- name: "Initialize nomad cluster" # noqa: run-once[task]
- name: "Include ednz_cloud.hashistack.nomad"
ansible.builtin.include_role:
name: ednz_cloud.hashistack.nomad
- name: "Nomad | Initialize nomad cluster" # noqa: run-once[task]
ednz_cloud.hashistack.nomad_acl_bootstrap:
bootstrap_secret: "{{ _credentials.nomad.root_token.secret_id }}"
api_url: "{{ nomad_api_addr }}"
@ -79,4 +84,4 @@
register: _nomad_init_secret
when:
- nomad_init_server
- hashicorp_nomad_configuration.acl.enabled
- nomad_configuration.acl.enabled
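Review bot: The `Nomad | Initialize nomad cluster` task at L995-L998 passes the root bootstrap token as `bootstrap_secret` and registers the result in `_nomad_init_secret` (L1000), so with `-v` or on a failure both the module arguments and the returned secret land in the run log and any log shipping; unless it is already set on the lines between L998 and L1000 that this rendering omits, the task should carry `no_log: true`. The same applies to the Consul bootstrap at L447-L449, which registers `_consul_init_secret`, and to the policy/token tasks that pass the root token as `token:` (L953, L961, L972, L980). The `Nomad control plane` block starts outside these hunks.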


@ -5,7 +5,7 @@
ansible.builtin.import_tasks:
file: nomad_control_plane.yml
when:
- "'nomad_servers' in group_names"
- nomad_enable_server
tags:
- nomad_servers
@ -13,7 +13,7 @@
ansible.builtin.import_tasks:
file: nomad_clients.yml
when:
- "'nomad_clients' in group_names"
- "'nomad_servers' not in group_names"
- nomad_enable_client
- not nomad_enable_server
tags:
- nomad_clients


@ -1,125 +0,0 @@
---
# hashistack configuration merging for nomad
- name: "Nomad | Merge stringified configuration"
vars:
_config_to_merge: "{{ hashicorp_nomad_configuration_string }}"
ansible.builtin.set_fact:
hashicorp_nomad_configuration: "{{
hashicorp_nomad_configuration |
combine(_config_to_merge|from_yaml, recursive=true)
}}"
when:
- hashicorp_nomad_configuration_string is defined
- "'nomad_servers' in group_names"
- name: "Nomad | Merge addresses configuration"
vars:
_config_to_merge: "{{ nomad_address_configuration }}"
ansible.builtin.set_fact:
hashicorp_nomad_configuration: "{{
hashicorp_nomad_configuration |
combine(_config_to_merge, recursive=true)
}}"
when: nomad_address_configuration is defined
- name: "Nomad | Merge consul integration configuration"
when:
- enable_consul | bool
- nomad_enable_consul_integration | bool
block:
- name: "Nomad | Merge consul tls configuration"
when:
- nomad_consul_integration_configuration.ssl is defined
- nomad_consul_integration_configuration.ssl | bool
block:
- name: "Nomad | Merge consul default client configuration"
vars:
_config_to_merge: "{{ nomad_consul_integration_tls_configuration }}"
ansible.builtin.set_fact:
nomad_consul_integration_configuration: "{{
nomad_consul_integration_configuration |
combine(_config_to_merge, recursive=true)
}}"
- name: "Nomad | Merge consul configuration for nomad servers"
when:
- nomad_enable_server
block:
- name: "Nomad | Merge consul default server configuration"
vars:
_config_to_merge: "{{ nomad_consul_integration_server_configuration }}"
ansible.builtin.set_fact:
nomad_consul_integration_configuration: "{{
nomad_consul_integration_configuration |
combine(_config_to_merge, recursive=true)
}}"
- name: "Nomad | Merge consul configuration for nomad clients"
when:
- nomad_enable_client
block:
- name: "Nomad | Merge consul default client configuration"
vars:
_config_to_merge: "{{ nomad_consul_integration_client_configuration }}"
ansible.builtin.set_fact:
nomad_consul_integration_configuration: "{{
nomad_consul_integration_configuration |
combine(_config_to_merge, recursive=true)
}}"
- name: "Nomad | Merge consul tls client configuration"
vars:
_config_to_merge: "{{ nomad_consul_integration_client_tls_configuration }}"
ansible.builtin.set_fact:
nomad_consul_integration_configuration: "{{
nomad_consul_integration_configuration |
combine(_config_to_merge, recursive=true)
}}"
when:
- nomad_consul_integration_configuration.ssl is defined
- nomad_consul_integration_configuration.ssl | bool
- name: "Nomad | Merge consul block into main configuration"
vars:
_config_to_merge:
consul: "{{ nomad_consul_integration_configuration }}"
ansible.builtin.set_fact:
hashicorp_nomad_configuration: "{{
hashicorp_nomad_configuration |
combine(_config_to_merge, recursive=true)
}}"
- name: "Nomad | Merge TLS configuration"
vars:
_config_to_merge:
tls: "{{ nomad_tls_configuration }}"
ansible.builtin.set_fact:
hashicorp_nomad_configuration: "{{
hashicorp_nomad_configuration |
combine(_config_to_merge, recursive=true)
}}"
when: nomad_enable_tls
- name: "Nomad | Merge plugin configuration"
vars:
_config_to_merge:
plugin: "{{
nomad_driver_configuration |
combine(nomad_driver_extra_configuration, recursive=true)
}}"
ansible.builtin.set_fact:
hashicorp_nomad_configuration: "{{
hashicorp_nomad_configuration |
combine(_config_to_merge, recursive=true)
}}"
when: "'nomad_clients' in group_names"
- name: "Nomad | Merge extra configuration settings"
vars:
_config_to_merge: "{{ nomad_extra_configuration }}"
ansible.builtin.set_fact:
hashicorp_nomad_configuration: "{{
hashicorp_nomad_configuration |
combine(_config_to_merge, recursive=true)
}}"
when: nomad_extra_configuration is defined


@ -1,7 +1,7 @@
---
- name: "Vault control plane"
block:
- name: "Create consul token for service registration"
- name: "Vault | Create consul token for service registration"
when:
- vault_init_server
- enable_consul
@ -11,7 +11,7 @@
_consul_vault_sr_port: "{{ hostvars[groups['consul_servers'][0]].consul_api_port[hostvars[groups['consul_servers'][0]].consul_api_scheme] }}"
_consul_vault_sr_scheme: "{{ hostvars[groups['consul_servers'][0]].consul_api_scheme }}"
block:
- name: "Create consul vault policy"
- name: "Vault | Create consul vault policy"
community.general.consul_policy:
token: "{{ _credentials.consul.root_token.secret_id }}"
host: "{{ _consul_vault_sr_host }}"
@ -23,7 +23,7 @@
rules: "{{ vault_service_registration_policy }}"
register: _consul_vault_policy
- name: "Create consul vault token" # noqa: no-handler
- name: "Vault | Create consul vault token" # noqa: no-handler
community.general.consul_token:
token: "{{ _credentials.consul.root_token.secret_id }}"
host: "{{ _consul_vault_sr_host }}"
@ -37,14 +37,19 @@
state: present
when: _consul_vault_policy.changed
- name: "Include ednz_cloud.hashicorp_consul"
ansible.builtin.include_role:
name: ednz_cloud.hashicorp_vault
- name: "Vault | Stat vault secret file"
ansible.builtin.stat:
path: "{{ hashistack_sub_configuration_directories.secrets }}/vault.yml"
register: _vault_needs_early_unseal
- name: "Initialize vault cluster" # noqa: run-once[task]
- name: "Include ednz_cloud.hashistack.vault"
ansible.builtin.include_role:
name: ednz_cloud.hashistack.vault
- name: "Vault | Initialize vault cluster" # noqa: run-once[task]
ednz_cloud.hashistack.vault_init:
api_url: "{{ hashicorp_vault_configuration['api_addr'] }}"
tls_verify: "{{ vault_tls_verify }}"
api_url: "{{ vault_configuration['api_addr'] }}"
tls_verify: false
key_shares: "{{ vault_seal_configuration['key_shares'] }}"
key_threshold: "{{ vault_seal_configuration['key_threshold'] }}"
retries: 5
@ -53,10 +58,10 @@
until: not _vault_init_secret.failed
when: vault_init_server
- name: "Write vault configuration to file" # noqa: run-once[task] no-handler
- name: "Vault | Write vault configuration to file" # noqa: run-once[task] no-handler
ansible.builtin.copy:
content: "{{ _vault_init_secret.state | to_nice_yaml(indent=2) }}"
dest: "{{ sub_configuration_directories.secrets }}/vault.yml"
dest: "{{ hashistack_sub_configuration_directories.secrets }}/vault.yml"
owner: "{{ lookup('env', 'USER') }}"
group: "{{ lookup('env', 'USER') }}"
mode: "0644"
@ -66,23 +71,25 @@
delegate_to: localhost
- name: "Load vault cluster variables necessary for unseal operation"
ansible.builtin.import_tasks:
file: ../misc/load_credentials_vars.yml
ansible.builtin.import_role:
name: ednz_cloud.hashistack.hashistack
vars:
hashistack_only_load_credentials: true
- name: "Unseal the bootstrap node" # noqa: run-once[task] no-handler
- name: "Vault | Unseal the bootstrap node" # noqa: run-once[task] no-handler
ednz_cloud.hashistack.vault_unseal:
api_url: "{{ hashicorp_vault_configuration['api_addr'] }}"
tls_verify: "{{ vault_tls_verify }}"
api_url: "{{ vault_configuration['api_addr'] }}"
tls_verify: false
key_shares: "{{ _credentials.vault['keys'] }}"
when:
- vault_init_server
- _vault_init_secret.changed
register: _vault_unseal_secret
- name: "Unseal all vault nodes"
- name: "Vault | Unseal all vault nodes"
ednz_cloud.hashistack.vault_unseal:
api_url: "{{ hashicorp_vault_configuration['api_addr'] }}"
tls_verify: "{{ vault_tls_verify }}"
api_url: "{{ vault_configuration['api_addr'] }}"
tls_verify: false
key_shares: "{{ _credentials.vault['keys'] }}"
retries: 5
delay: 5
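Review bot: `tls_verify: false` is now hardcoded on the vault_init and vault_unseal calls (the `tls_verify` lines under `Vault | Initialize vault cluster`, `Vault | Unseal the bootstrap node` and `Vault | Unseal all vault nodes`), where the previous `"{{ vault_tls_verify }}"` left certificate verification under operator control; the unseal tasks send `_credentials.vault['keys']` over that connection, so verification should remain switchable rather than permanently off. If `vault_tls_verify` was dropped from the role defaults elsewhere in this commit, a backward-compatible form is `tls_verify: "{{ vault_tls_verify | default(false) }}"` on all three tasks, which keeps today's behaviour by default while letting a deployment with a trusted CA enable verification. Separately, the unchanged `mode: "0644"` on the local `vault.yml` written from `_vault_init_secret.state` leaves that init output readable by every local user; `"0600"` would match the sensitivity of its contents. The enclosing `Vault control plane` block opens at the top of this file section but closes outside the hunk.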


@ -1,51 +0,0 @@
---
# hashistack configuration merging for vault
- name: "Vault | Merge listener configuration"
ansible.builtin.set_fact:
vault_listener_configuration: "{{
vault_listener_configuration |
combine((vault_enable_tls | bool) | ternary(vault_tls_listener_configuration, {}), recursive=True) |
combine(vault_extra_listener_configuration | default({}), recursive=True)
}}"
- name: "Vault | Merge service registration configuration"
vars:
_config_to_merge:
service_registration: "{{ vault_service_registration_configuration }}"
ansible.builtin.set_fact:
hashicorp_vault_configuration: "{{
hashicorp_vault_configuration |
combine(_config_to_merge)
}}"
when: vault_enable_service_registration
- name: "Vault | Merge plugins configuration"
vars:
_config_to_merge:
plugin_directory: "{{ vault_plugin_directory }}"
ansible.builtin.set_fact:
hashicorp_vault_configuration: "{{
hashicorp_vault_configuration |
combine(_config_to_merge)
}}"
when: vault_enable_plugins
- name: "Vault | Merge logging configuration"
vars:
_config_to_merge: "{{ vault_logging_configuration }}"
ansible.builtin.set_fact:
hashicorp_vault_configuration: "{{
hashicorp_vault_configuration |
combine(_config_to_merge)
}}"
when: vault_enable_log_to_file
- name: "Vault | Merge extra configuration settings"
vars:
_config_to_merge: "{{ vault_extra_configuration }}"
ansible.builtin.set_fact:
hashicorp_vault_configuration: "{{
hashicorp_vault_configuration |
combine(_config_to_merge)
}}"
when: vault_extra_configuration is defined