diff --git a/playbooks/group_vars/all/all.yml b/playbooks/group_vars/all/all.yml index 081aad1..0303894 100644 --- a/playbooks/group_vars/all/all.yml +++ b/playbooks/group_vars/all/all.yml @@ -5,25 +5,19 @@ manage_pip_packages_allow_break_system_packages: "{{ ansible_distribution == 'Debian' and ansible_distribution_version == '12' }}" -configuration_directory: "{{ lookup('env', 'PWD') }}/etc/hashistack" -sub_configuration_directories: - secrets: "{{ configuration_directory }}/secrets" - certificates: "{{ configuration_directory }}/certificates" - nomad_servers: "{{ configuration_directory }}/nomad_servers" - vault_servers: "{{ configuration_directory }}/vault_servers" - consul_servers: "{{ configuration_directory }}/consul_servers" +hashistack_configuration_directory: "{{ lookup('env', 'PWD') }}/etc/hashistack" +hashistack_sub_configuration_directories: + secrets: "{{ hashistack_configuration_directory }}/secrets" + certificates: "{{ hashistack_configuration_directory }}/certificates" + nomad_servers: "{{ hashistack_configuration_directory }}/nomad_servers" + vault_servers: "{{ hashistack_configuration_directory }}/vault_servers" + consul_servers: "{{ hashistack_configuration_directory }}/consul_servers" -configuration_global_vars_file: "globals.yml" -configuration_credentials_vars_file: "credentials.yml" +hashistack_configuration_global_vars_file: "globals.yml" +hashistack_configuration_credentials_vars_file: "credentials.yml" hashistack_remote_config_dir: "/etc/hashistack" -hashistack_remote_data_dir: "/opt/hashistack" -hashistack_remote_log_dir: /var/log/hashistack - -default_container_extra_volumes: - - "/etc/timezone:/etc/timezone" - - "/etc/localtime:/etc/localtime" - - "/etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt:ro" +hashistack_remote_log_dir: "/var/log/hashistack" ################### # support options # diff --git a/playbooks/group_vars/all/cni.yml b/playbooks/group_vars/all/cni.yml new file mode 100644 index 0000000..5536b6d 
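Review bot: `hashistack_remote_data_dir` is dropped in this hunk, yet the consul.yml and nomad.yml hunks of the same commit hardcode `consul_data_dir: "/opt/consul"` and `nomad_data_dir: "/opt/nomad"` instead of deriving from a shared base, so the data location can no longer be relocated in one place the way the config and log directories still can via `hashistack_remote_config_dir` and `hashistack_remote_log_dir`. Consider keeping the variable and writing `consul_data_dir: "{{ hashistack_remote_data_dir }}/consul"` (and the Nomad equivalent) in those files. If the services still run as containers, also confirm that the removed `default_container_extra_volumes` mount of `/etc/ssl/certs/ca-certificates.crt` is replaced elsewhere, since the TLS blocks in consul.yml and nomad.yml still point `ca_file` at that path.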
--- /dev/null +++ b/playbooks/group_vars/all/cni.yml @@ -0,0 +1,4 @@ +--- +cni_plugins_version: "v1.5.1" +cni_plugins_install_path: /opt/cni/bin +cni_plugins_install_consul_cni: true diff --git a/playbooks/group_vars/all/consul.yml b/playbooks/group_vars/all/consul.yml index bbc7648..db0781a 100644 --- a/playbooks/group_vars/all/consul.yml +++ b/playbooks/group_vars/all/consul.yml @@ -1,10 +1,4 @@ --- -##################################################### -# # -# Non-Editable # -# # -##################################################### - consul_init_server: "{{ (inventory_hostname == groups['consul_servers'][0]) | bool }}" ##################### 
@@ -16,36 +10,106 @@ consul_api_scheme: "{{ 'https' if consul_enable_tls else 'http' }}" consul_api_port: http: 8500 https: 8501 +consul_grpc_port: + http: 8502 + https: 8503 -########################## -# consul haproxy backend # -########################## +########## +# Consul # +########## -consul_haproxy_frontend_options: - - acl is_consul hdr(host) -i {{ consul_fqdn }} - - use_backend consul_external if is_consul +consul_config_dir: "{{ hashistack_remote_config_dir }}/consul.d" +consul_data_dir: "/opt/consul" +consul_certs_dir: "{{ consul_config_dir }}/tls" +consul_logs_dir: "{{ hashistack_remote_log_dir }}/consul" -consul_haproxy_backends: - - name: consul_external - options: "{{ consul_external_backend_options + consul_external_backend_servers }}" +consul_envoy_install: false +consul_envoy_version: latest -consul_external_backend_options: - - description consul external http backend - - option forwardfor - - option httpchk - - http-check send meth GET uri / - - default-server inter 2s fastinter 1s downinter 1s +consul_extra_files: true +# consul_extra_files_list: [] -consul_external_backend_servers: | - [ - {% for host in groups['consul_servers'] %} - 'server consul-{{ hostvars[host].api_interface_address }} {{ hostvars[host].api_interface_address }}:{{ hostvars[host].consul_api_port[consul_api_scheme] }} check {{ 'ssl verify none ' if consul_enable_tls }}inter 5s'{% if not loop.last %},{% endif %} - {% endfor %} - ] +consul_env_variables: {} -############################ -# consul ACL configuration # -############################ +####################### +# extra configuration # +####################### + +# You should prioritize adding configuration +# to the configuration entries below, this +# option should be used to add pieces of configuration not +# available through standard variables. 
+ +# consul_extra_configuration: {} + +########### +# general # +########### + +# consul_domain: consul +# consul_datacenter: dc1 +# consul_primary_datacenter: "{{ consul_datacenter }}" +# consul_gossip_encryption_key: "{{ _credentials.consul.gossip_encryption_key }}" +# consul_enable_script_checks: false + +####################### +# leave configuration # +####################### + +consul_leave_on_terminate: true +consul_rejoin_after_leave: true + +###################### +# join configuration # +###################### + +consul_join_configuration: + retry_join: | + {{ + groups['consul_servers'] | + map('extract', hostvars, ['consul_address_configuration', 'bind_addr']) | + list | + to_json | + from_json + }} + retry_interval: 30s + retry_max: 0 + +######################## +# server configuration # +######################## + +consul_enable_server: "{{ 'consul_servers' in group_names }}" +consul_bootstrap_expect: "{{ (groups['consul_servers'] | length) }}" + +#################### +# ui configuration # +#################### + +consul_ui_configuration: + enabled: "{{ consul_enable_server }}" + +######################### +# address configuration # +######################### + +consul_bind_addr: "0.0.0.0" +consul_advertise_addr: "{{ api_interface_address }}" +consul_address_configuration: + client_addr: "{{ consul_bind_addr }}" + bind_addr: "{{ consul_advertise_addr }}" + advertise_addr: "{{ consul_advertise_addr }}" + +##################### +# ACL configuration # +##################### + +consul_acl_configuration: + enabled: true + default_policy: "deny" + enable_token_persistence: true + tokens: + agent: "{{ _credentials.consul.tokens.agent.secret_id }}" consul_default_agent_policy: | node_prefix "" { 
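Review bot: `consul_envoy_version: latest` replaces the previously pinned `v1.27.2`, so the Envoy binary is no longer a reproducible, reviewable dependency; pin it (e.g. `consul_envoy_version: "v1.27.2"`, quoted as a string) even though `consul_envoy_install` defaults to false. Separately, `consul_bootstrap_expect: "{{ (groups['consul_servers'] | length) }}"` is a templated string, and this commit removes the `hashicorp_consul_servers_configuration_string` block whose own comment said it existed to work around Jinja emitting strings where an integer is needed — confirm the consuming role casts it with `| int` before rendering; the same applies to `nomad_server_bootstrap_expect` in nomad.yml. A one-line comment above `consul_acl_configuration` noting that `tokens.agent` is read from the credentials file would also help, since `_credentials` is not defined anywhere in this diff.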
@@ -55,84 +119,56 @@ consul_default_agent_policy: | policy = "read" } -####################### -# consul internal tls # -####################### +############################## +# service mesh configuration # +############################## + +consul_mesh_configuration: + enabled: true + +##################### +# DNS configuration # +##################### + +consul_dns_configuration: + allow_stale: true + enable_truncate: true + only_passing: true + +################ +# internal tls # +################ + +# consul_enable_tls: false +consul_tls_configuration: + defaults: + ca_file: "/etc/ssl/certs/ca-certificates.crt" + cert_file: "{{ consul_certs_dir }}/fullchain.crt" + key_file: "{{ consul_certs_dir }}/cert.key" + verify_incoming: false + verify_outgoing: true + internal_rpc: + verify_server_hostname: true -consul_certificates_directory: "{{ hashicorp_consul_config_dir }}/tls" consul_certificates_extra_files_dir: - - src: "{{ sub_configuration_directories['certificates'] }}/consul/{{ inventory_hostname }}" - dest: "{{ consul_certificates_directory }}" + - src: "{{ hashistack_sub_configuration_directories['certificates'] }}/consul/{{ inventory_hostname }}" + dest: "{{ consul_certs_dir }}" -################## -# consul logging # -################## +########################### +# telemetry configuration # +########################### +consul_enable_prometheus_metrics: false +consul_prometheus_retention_time: 60s +consul_telemetry_configuration: {} + +########### +# logging # +########### + +# consul_log_level: info consul_enable_log_to_file: "{{ enable_log_to_file | bool }}" -consul_logging_configuration: - log_file: "{{ hashistack_remote_log_dir }}/consul/consul.log" - log_level: info +consul_log_to_file_configuration: + log_file: "{{ consul_logs_dir }}/consul.log" log_rotate_duration: 24h log_rotate_max_files: 30 - -######################### -# consul role variables # -######################### - -hashicorp_consul_start_service: true 
-hashicorp_consul_service_name: "consul" -hashicorp_consul_version: "{{ consul_version }}" -hashicorp_consul_env_variables: {} -hashicorp_consul_config_dir: "{{ hashistack_remote_config_dir }}/consul.d" -hashicorp_consul_data_dir: "{{ hashistack_remote_data_dir }}/consul" -hashicorp_consul_extra_files: true -hashicorp_consul_extra_files_list: "{{ ([] + - (consul_certificates_extra_files_dir if consul_enable_tls else []) + - consul_extra_files_list) - | unique - | sort - }}" -hashicorp_consul_envoy_install: false -hashicorp_consul_envoy_version: v1.27.2 -hashicorp_consul_configuration: - domain: "{{ consul_domain }}" - datacenter: "{{ consul_datacenter }}" - primary_datacenter: "{{ consul_primary_datacenter }}" - data_dir: "{{ hashicorp_consul_data_dir }}" - encrypt: "{{ _credentials.consul.gossip_encryption_key }}" - server: "{{ 'consul_servers' in group_names }}" - retry_join: "{{ - groups['consul_servers'] | - map('extract', hostvars, ['consul_address_configuration', 'bind_addr']) | - list | - to_json | - from_json - }}" - ui_config: "{{ consul_ui_configuration }}" - connect: "{{ consul_mesh_configuration }}" - leave_on_terminate: "{{ consul_leave_on_terminate }}" - rejoin_after_leave: "{{ consul_rejoin_after_leave }}" - enable_script_checks: "{{ consul_enable_script_checks }}" - enable_syslog: true - acl: "{{ consul_acl_configuration }}" - dns_config: "{{ consul_dns_configuration }}" - ports: - dns: 8600 - server: 8300 - serf_lan: 8301 - serf_wan: 8302 - sidecar_min_port: 21000 - sidecar_max_port: 21255 - expose_min_port: 21500 - expose_max_port: 21755 - -# this is used to circumvent jinja limitation to convert string to integer -hashicorp_consul_configuration_string: | - ports: - http: {{ (consul_api_port.http|int) if not consul_enable_tls else ('-1' | int) }} - https: {{ (consul_api_port.https|int) if consul_enable_tls else ('-1' | int) }} - grpc: {{ ('8502'|int) if not consul_enable_tls else ('-1' | int) }} - grpc_tls: {{ ('8503'|int) if consul_enable_tls 
else ('-1' | int) }} - -hashicorp_consul_servers_configuration_string: | - bootstrap_expect: {{ (groups['consul_servers'] | length) }} diff --git a/playbooks/group_vars/all/globals.yml b/playbooks/group_vars/all/globals.yml index 50fefd2..231e3e1 100644 --- a/playbooks/group_vars/all/globals.yml +++ b/playbooks/group_vars/all/globals.yml @@ -1,14 +1,13 @@ --- -########################## -# General options ######## -########################## +################### +# General options # +################### -enable_haproxy: "yes" +enable_ingress: "yes" enable_vault: "yes" enable_consul: "yes" enable_nomad: "yes" -haproxy_version: "2.8" nomad_version: "1.8.1" consul_version: "1.18.1" vault_version: "1.16.2" @@ -17,10 +16,10 @@ consul_fqdn: consul.ednz.lab vault_fqdn: vault.ednz.lab nomad_fqdn: nomad.ednz.lab -hashistack_external_vip_interface: "eth0" -hashistack_external_vip_addr: "192.168.121.100" -hashistack_internal_vip_interface: "{{ hashistack_external_vip_interface }}" -hashistack_internal_vip_addr: "{{ hashistack_external_vip_addr }}" +# hashistack_external_vip_interface: "eth0" +# hashistack_external_vip_addr: "192.168.121.100" +# hashistack_internal_vip_interface: "{{ hashistack_external_vip_interface }}" +# hashistack_internal_vip_addr: "{{ hashistack_external_vip_addr }}" api_interface: "eth0" api_interface_address: "{{ ansible_facts[api_interface]['ipv4']['address'] }}" 
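Review bot: `consul_certificates_extra_files_dir` is still defined on the new side, but the `hashicorp_consul_extra_files_list` expression that merged it into the role's file list when `consul_enable_tls` was true is removed in this hunk and nothing visible references it any more (the `consul_extra_files_list` default is now a commented-out placeholder in the earlier hunk), so confirm the role itself picks up the certificate directory, otherwise TLS-enabled nodes would come up without their certificates; the same applies to `nomad_certificates_extra_files_dir` in nomad.yml. The `verify_incoming: false` under `consul_tls_configuration.defaults` deserves a comment, because per Consul's semantics it lets agents accept inbound RPC/HTTPS connections without a client certificate while `verify_outgoing` and `verify_server_hostname` are on; something like `# inbound client certs are not required yet; turn on verify_incoming (or verify_incoming_rpc) once every agent carries a cert` makes the trade-off explicit to whoever enables TLS.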
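Review bot: `haproxy_version: "2.8"` is deleted from globals.yml, but the haproxy.yml hunk in this same commit keeps `deploy_haproxy_version: "{{ haproxy_version }}"` as an unchanged line, so that file will fail with an undefined variable unless `haproxy_version` is defined somewhere outside this diff. Either keep the pin here (the rename to `enable_ingress` suggests HAProxy is still one of the ingress options) or update haproxy.yml alongside. The `enable_*: "yes"` values are quoted strings rather than booleans, which is why every consumer in this diff has to write `enable_consul | bool`; `true` would be the idiomatic and safer form, though that convention predates this commit.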
@@ -38,208 +37,56 @@ enable_log_to_file: true enable_tls_external: false external_tls_externally_managed_certs: false -##################################################### -# # -# Consul # -# # -##################################################### +########## +# Consul # +########## consul_domain: consul consul_datacenter: dc1 consul_primary_datacenter: "{{ consul_datacenter }}" -consul_leave_on_terminate: true -consul_rejoin_after_leave: true -consul_enable_script_checks: true +consul_gossip_encryption_key: "{{ _credentials.consul.gossip_encryption_key }}" +consul_enable_script_checks: false -################################ -# consul address configuration # -################################ - -consul_address_configuration: - client_addr: "0.0.0.0" - bind_addr: "{{ api_interface_address }}" - advertise_addr: "{{ api_interface_address }}" - -############################ -# consul ACL configuration # -############################ - -consul_acl_configuration: - enabled: true - default_policy: "deny" # can be allow or deny - enable_token_persistence: true - -############################ -# consul DNS configuration # -############################ - -consul_dns_configuration: - allow_stale: true - enable_truncate: true - only_passing: true - -########################### -# consul ui configuration # -########################### - -consul_ui_configuration: - enabled: "{{ 'consul_servers' in group_names }}" - -##################################### -# consul service mesh configuration # -##################################### - -consul_mesh_configuration: - enabled: true - -############################ -# consul tls configuration # -############################ +consul_extra_files_list: [] +consul_extra_configuration: {} consul_enable_tls: false -consul_tls_configuration: - defaults: - ca_file: "/etc/ssl/certs/ca-certificates.crt" - cert_file: "{{ consul_certificates_directory }}/cert.pem" - key_file: "{{ consul_certificates_directory }}/key.pem" - verify_incoming: false - 
verify_outgoing: true - internal_rpc: - verify_server_hostname: true -############################ -# consul container volumes # -############################ +consul_log_level: info -extra_consul_container_volumes: [] - -############################## -# consul extra configuration # -############################## - -consul_extra_configuration: {} -consul_extra_files_list: [] - -##################################################### -# # -# Vault # -# # -##################################################### +######### +# Vault # +######### vault_cluster_name: vault +vault_bind_addr: "0.0.0.0" +vault_cluster_addr: "{{ api_interface_address }}" vault_enable_ui: true -vault_seal_configuration: - key_shares: 3 - key_threshold: 2 +vault_disable_mlock: false +vault_disable_cache: false -################# -# vault storage # -################# - -vault_storage_configuration: - raft: - path: "{{ hashicorp_vault_data_dir }}" - node_id: "{{ ansible_hostname }}" - retry_join: | - [ - {% for host in groups['vault_servers'] %} - { - 'leader_api_addr': '{{ "https" if vault_enable_tls else "http"}}://{{ hostvars[host].api_interface_address }}:8200' - }{% if not loop.last %},{% endif %} - {% endfor %} - ] - -################## -# vault listener # -################## +vault_extra_files_list: [] +vault_extra_configuration: {} vault_enable_tls: false -vault_tls_verify: false -vault_listener_configuration: - tcp: - address: "0.0.0.0:8200" - tls_disable: true - -vault_tls_listener_configuration: - tcp: - tls_disable: false - tls_cert_file: "{{ vault_certificates_directory }}/cert.pem" - tls_key_file: "{{ vault_certificates_directory }}/key.pem" - tls_disable_client_certs: true - -vault_extra_listener_configuration: {} - -######################## -# service registration # -######################## vault_enable_service_registration: "{{ enable_consul | bool }}" -vault_service_registration_configuration: - consul: - address: "127.0.0.1:{{ 
hostvars[groups['consul_servers'][0]].consul_api_port[hostvars[groups['consul_servers'][0]].consul_api_scheme] }}" - scheme: "{{ hostvars[groups['consul_servers'][0]].consul_api_scheme }}" - token: "{{ _credentials.consul.tokens.vault.secret_id }}" - -################# -# vault plugins # -################# vault_enable_plugins: false -########################### -# vault container volumes # -########################### +vault_log_level: info -extra_vault_container_volumes: [] +######### +# Nomad # +######### -############################# -# vault extra configuration # -############################# - -vault_extra_configuration: {} -vault_extra_files_list: [] - -##################################################### -# # -# Nomad # -# # -##################################################### - -nomad_datacenter: dc1 nomad_region: global +nomad_datacenter: dc1 -########################### -# nomad ACL configuration # -########################### +nomad_extra_files_list: [] +nomad_extra_configuration: {} -nomad_acl_configuration: - enabled: true - token_ttl: 30s - policy_ttl: 60s - role_ttl: 60s - -############################ -# nomad consul integration # -############################ - -nomad_enable_consul_integration: "{{ enable_consul | bool }}" -nomad_consul_integration_configuration: - address: "127.0.0.1:{{ hashicorp_consul_configuration.ports.https if consul_enable_tls else hashicorp_consul_configuration.ports.http }}" - auto_advertise: true - ssl: "{{ consul_enable_tls | bool }}" - token: "{{ _credentials.consul.tokens.nomad.server.secret_id if nomad_enable_server else _credentials.consul.tokens.nomad.client.secret_id}}" - tags: [] - -############################ -# nomad vault integration # -############################ - -nomad_enable_vault_integration: false -nomad_vault_integration_configuration: {} - -############################### -# nomad drivers configuration # -############################### +nomad_autopilot_configuration: {} 
nomad_driver_enable_docker: true nomad_driver_enable_podman: false @@ -249,22 +96,6 @@ nomad_driver_enable_qemu: false nomad_driver_extra_configuration: {} -###################### -# nomad internal tls # -###################### +nomad_log_level: info nomad_enable_tls: false -nomad_tls_configuration: - http: true - rpc: true - ca_file: "/etc/ssl/certs/ca-certificates.crt" - cert_file: "{{ nomad_certificates_directory }}/cert.pem" - key_file: "{{ nomad_certificates_directory }}/key.pem" - verify_server_hostname: true - -############################# -# nomad extra configuration # -############################# - -nomad_extra_configuration: {} -nomad_extra_files_list: [] diff --git a/playbooks/group_vars/all/haproxy.yml b/playbooks/group_vars/all/haproxy.yml index a5ffef2..2986cfa 100644 --- a/playbooks/group_vars/all/haproxy.yml +++ b/playbooks/group_vars/all/haproxy.yml @@ -10,7 +10,7 @@ deploy_haproxy_version: "{{ haproxy_version }}" deploy_haproxy_env_variables: {} deploy_haproxy_start_service: true -deploy_haproxy_cert_dir: "{{ sub_configuration_directories['certificates']~'/external' if (enable_tls_external and not external_tls_externally_managed_certs) }}" +deploy_haproxy_cert_dir: "{{ hashistack_sub_configuration_directories['certificates']~'/external' if (enable_tls_external and not external_tls_externally_managed_certs) }}" deploy_haproxy_extra_container_volumes: [] deploy_haproxy_global: - log /dev/log local0 diff --git a/playbooks/group_vars/all/hashistack_ca.yml b/playbooks/group_vars/all/hashistack_ca.yml new file mode 100644 index 0000000..6321ac7 --- /dev/null +++ b/playbooks/group_vars/all/hashistack_ca.yml 
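Review bot: this hunk removes `vault_seal_configuration`, `vault_storage_configuration`, the listener blocks and `vault_service_registration_configuration` (which carried `_credentials.consul.tokens.vault.secret_id`) from globals.yml, and the vault.yml hunk that presumably re-homes them is cut off at the end of this diff, so it cannot be confirmed here that they were moved rather than dropped. A one-line comment under the new `# Vault #` banner pointing at where the listener, storage and seal settings now live would help, in the same way the `# consul_extra_configuration: {}` placeholders do in consul.yml. `vault_disable_mlock: false` and `vault_bind_addr: "0.0.0.0"` are the two security-relevant defaults introduced here; a short comment on each (why mlock stays enabled, and that `0.0.0.0` exposes the API on every interface of the host) would guide operators who override them.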
@@ -0,0 +1,130 @@ +--- +# defaults +hashistack_ca_directory: "/etc/hashistack/certificates" +hashistack_ca_use_cryptography: false +hashistack_ca_action: "noop" +hashistack_ca_domain: example.com +hashistack_ca_directory_owner: root + +############################## +# Root Certificate Authority # +############################## +hashistack_ca_root_org_name: EDNZ Cloud +hashistack_ca_root_country: FR +hashistack_ca_root_locality: Paris +hashistack_ca_root_common_name: "{{ hashistack_ca_domain }} Root CA" +hashistack_ca_root_email: +hashistack_ca_root_key_usage: + - keyCertSign + - cRLSign +hashistack_ca_root_key_usage_critical: true +hashistack_ca_root_basic_constraints: + - CA:TRUE +hashistack_ca_root_basic_constraints_critical: true + +# Optional fields +hashistack_ca_root_state_or_province_name: +hashistack_ca_root_email_address: + +# Validity +hashistack_ca_root_valid_for: 1825d +hashistack_ca_root_renew_threshold: 180d + +###################################### +# Intermediate Certificate Authority # +###################################### +hashistack_ca_intermediate_org_name: EDNZ Cloud Intermediate +hashistack_ca_intermediate_country: FR +hashistack_ca_intermediate_locality: Paris +hashistack_ca_intermediate_common_name: "{{ hashistack_ca_domain }} Intermediate CA" +hashistack_ca_intermediate_email: +hashistack_ca_intermediate_key_usage: + - keyCertSign + - cRLSign +hashistack_ca_intermediate_key_usage_critical: true +hashistack_ca_intermediate_basic_constraints: + - CA:TRUE + - pathlen:0 +hashistack_ca_intermediate_basic_constraints_critical: true + +# Optional fields +hashistack_ca_intermediate_state_or_province_name: +hashistack_ca_intermediate_email_address: + +# Validity +hashistack_ca_intermediate_valid_for: 365d +hashistack_ca_intermediate_renew_threshold: 90d + +# Name Constraints +hashistack_ca_intermediate_name_constraints_permitted: + - "DNS:.{{ hashistack_ca_domain }}" + - DNS:.nomad + - DNS:.consul + - DNS:localhost + - IP:192.168.0.0/16 + - 
IP:172.16.0.0/16 + - IP:10.0.0.0/8 + - IP:127.0.0.0/8 +hashistack_ca_intermediate_name_constraints_critical: "{{ (hashistack_ca_intermediate_name_constraints_permitted is defined and hashistack_ca_intermediate_name_constraints_permitted | length > 0) }}" + +##################### +# Leaf certificates # +##################### + +hashistack_ca_leaf_valid_for: 90d +hashistack_ca_leaf_renew_threshold: 30d + +############################ +# Consul Leaf Certificates # +############################ +hashistack_ca_consul_org_name: "{{ hashistack_ca_root_org_name }}" +hashistack_ca_consul_common_name: "{{ inventory_hostname }}" +hashistack_ca_consul_csr_sans: >- + {%- set sans_list = [ + 'DNS:' + inventory_hostname, + 'DNS:consul.service.consul', + 'DNS:localhost', + 'IP:' + api_interface_address, + 'IP:127.0.0.1' + ] -%} + {%- if consul_enable_server -%} + {%- set _ = sans_list.append('DNS:server.' ~ consul_datacenter ~ '.' ~ consul_domain) -%} + {%- endif -%} + {{ sans_list }} + +########################### +# Nomad Leaf Certificates # +########################### +hashistack_ca_nomad_org_name: "{{ hashistack_ca_root_org_name }}" +hashistack_ca_nomad_common_name: "{{ inventory_hostname }}" +hashistack_ca_nomad_csr_sans: >- + {%- set sans_list = [ + 'DNS:' + inventory_hostname, + 'DNS:localhost', + 'IP:' + api_interface_address, + 'IP:127.0.0.1' + ] -%} + {%- if nomad_enable_server -%} + {%- set _ = sans_list.append('DNS:server.' ~ nomad_region ~ '.nomad') -%} + {%- if (enable_consul | bool) -%} + {%- set _ = sans_list.append('DNS:nomad.service.consul') -%} + {%- endif -%} + {%- endif -%} + {%- if nomad_enable_client -%} + {%- set _ = sans_list.append('DNS:client.' 
~ nomad_region ~ '.nomad') -%} + {%- endif -%} + {{ sans_list }} + +########################### +# Vault Leaf Certificates # +########################### +hashistack_ca_vault_org_name: "{{ hashistack_ca_root_org_name }}" +hashistack_ca_vault_common_name: "{{ inventory_hostname }}" +hashistack_ca_vault_csr_sans: + - "DNS:{{ inventory_hostname }}" + - "DNS:active.vault.service.consul" + - "DNS:standby.vault.service.consul" + - "DNS:vault.service.consul" + - "DNS:localhost" + - "IP:{{ api_interface_address }}" + - "IP:127.0.0.1" diff --git a/playbooks/group_vars/all/nomad.yml b/playbooks/group_vars/all/nomad.yml index 9e6fd94..eba3d69 100644 --- a/playbooks/group_vars/all/nomad.yml +++ b/playbooks/group_vars/all/nomad.yml @@ -1,10 +1,4 @@ --- -##################################################### -# # -# Non-Editable # -# # -##################################################### - nomad_init_server: "{{ (inventory_hostname == groups['nomad_servers'][0]) | bool }}" #################### 
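Review bot: the intermediate name constraint `IP:172.16.0.0/16` only covers 172.16.0.0–172.16.255.255, whereas the private block is 172.16.0.0/12, so if the intent was to permit all RFC 1918 addresses this should read `- IP:172.16.0.0/12`; note that the Nomad bridge subnet configured in this same commit, `172.26.64.0/20`, falls outside the /16 but inside the /12, although no SAN in this file currently uses it. Since `hashistack_ca_intermediate_name_constraints_critical` evaluates to true whenever the list is non-empty, a leaf whose SAN falls outside these ranges will fail path validation, and the `# Name Constraints` comment should say so. The bare values `hashistack_ca_root_email:`, `hashistack_ca_root_state_or_province_name:`, `hashistack_ca_root_email_address:` and their intermediate counterparts parse as null; write `""` or `null` explicitly so the consuming tasks see the intended type.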
@@ -17,60 +11,183 @@ nomad_api_port: http: "{{ nomad_address_configuration.ports.http }}" https: "{{ nomad_address_configuration.ports.http }}" +######### +# Nomad # +######### + +nomad_config_dir: "{{ hashistack_remote_config_dir }}/nomad.d" +nomad_data_dir: "/opt/nomad" +nomad_certs_dir: "{{ nomad_config_dir }}/tls" +nomad_logs_dir: "{{ hashistack_remote_log_dir }}/nomad" + +nomad_extra_files: true +# nomad_extra_files_list: [] + +nomad_env_variables: {} + +####################### +# extra configuration # +####################### + +# You should prioritize adding configuration +# to the configuration entries below, this +# option should be used to add pieces of configuration not +# available through standard variables. + +# nomad_extra_configuration: {} + +########### +# general # +########### + +# nomad_region: global +# nomad_datacenter: dc1 + ######################### -# nomad haproxy backend # +# address configuration # ######################### -nomad_haproxy_frontend_options: - - acl is_nomad hdr(host) -i {{ nomad_fqdn }} - - use_backend nomad_external if is_nomad - -nomad_haproxy_backends: - - name: nomad_external - options: "{{ nomad_external_backend_options + nomad_external_backend_servers }}" - -nomad_external_backend_options: - - description nomad external http backend - - option forwardfor - - option httpchk - - http-check send meth GET uri / - - default-server inter 2s fastinter 1s downinter 1s - -nomad_external_backend_servers: | - [ - {% for host in groups['nomad_servers'] %} - 'server nomad-{{ hostvars[host].api_interface_address }} {{ hostvars[host].api_interface_address }}:{{ hostvars[host].nomad_api_port[nomad_api_scheme] }} check {{ 'ssl verify none ' if nomad_enable_tls }}inter 5s'{% if not loop.last %},{% endif %} - {% endfor %} - ] - -############################### -# nomad address configuration # -############################### - +nomad_bind_addr: "0.0.0.0" +nomad_advertise_addr: "{{ api_interface_address }}" nomad_address_configuration: 
- bind_addr: "{{ api_interface_address }}" + bind_addr: "{{ nomad_bind_addr }}" addresses: - http: "{{ api_interface_address }}" - rpc: "{{ api_interface_address }}" - serf: "{{ api_interface_address }}" + http: "{{ nomad_advertise_addr }}" + rpc: "{{ nomad_advertise_addr }}" + serf: "{{ nomad_advertise_addr }}" advertise: - http: "{{ api_interface_address }}" - rpc: "{{ api_interface_address }}" - serf: "{{ api_interface_address }}" + http: "{{ nomad_advertise_addr }}" + rpc: "{{ nomad_advertise_addr }}" + serf: "{{ nomad_advertise_addr }}" ports: http: 4646 rpc: 4647 serf: 4648 -################################# -# nomad autopilot configuration # -################################# +########################### +# autopilot configuration # +########################### -nomad_autopilot_configuration: {} +# nomad_autopilot_configuration: {} -############################ -# nomad consul integration # -############################ +####################### +# leave configuration # +####################### + +nomad_leave_on_interrupt: false +nomad_leave_on_terminate: false + +######################## +# server configuration # +######################## + +nomad_enable_server: "{{ ('nomad_servers' in group_names) | bool }}" +nomad_server_bootstrap_expect: "{{ (groups['nomad_servers'] | length) }}" +nomad_server_configuration: + enabled: "{{ nomad_enable_server }}" + data_dir: "{{ nomad_data_dir }}/server" + encrypt: "{{ _credentials.nomad.gossip_encryption_key }}" + +############################## +# client configuration # +############################## + +nomad_enable_client: "{{ ('nomad_clients' in group_names) | bool }}" +nomad_client_configuration: + enabled: "{{ nomad_enable_client }}" + state_dir: "{{ nomad_data_dir }}/client" + cni_path: "{{ cni_plugins_install_path | default('/opt/cni/bin') }}" + bridge_network_name: nomad + bridge_network_subnet: "172.26.64.0/20" + +#################### +# ui configuration # +#################### + +nomad_ui_configuration: + 
enabled: "{{ nomad_enable_server }}" + +######################### +# drivers configuration # +######################### + +nomad_driver_enable_docker: true +nomad_driver_enable_podman: false +nomad_driver_enable_raw_exec: false +nomad_driver_enable_java: false +nomad_driver_enable_qemu: false + +nomad_driver_configuration: + raw_exec: + enabled: false + +nomad_driver_extra_configuration: {} + +########### +# logging # +########### + +nomad_log_level: info +nomad_enable_log_to_file: "{{ enable_log_to_file | bool }}" +nomad_log_to_file_configuration: + log_file: "{{ nomad_logs_dir }}/nomad.log" + log_rotate_duration: 24h + log_rotate_max_files: 30 + +##################### +# ACL configuration # +##################### + +nomad_acl_configuration: + enabled: true + token_ttl: 30s + policy_ttl: 60s + role_ttl: 60s + +################ +# internal tls # +################ + +nomad_enable_tls: false +nomad_tls_configuration: + http: true + rpc: true + ca_file: "/etc/ssl/certs/ca-certificates.crt" + cert_file: "{{ nomad_certs_dir }}/fullchain.crt" + key_file: "{{ nomad_certs_dir }}/cert.key" + verify_server_hostname: true + +nomad_certificates_extra_files_dir: + - src: "{{ hashistack_sub_configuration_directories['certificates'] }}/nomad/{{ inventory_hostname }}" + dest: "{{ nomad_certs_dir }}" + +########################### +# telemetry configuration # +########################### + +nomad_telemetry_configuration: + collection_interval: 10s + disable_hostname: false + use_node_name: false + publish_allocation_metrics: false + publish_node_metrics: false + prefix_filter: [] + disable_dispatched_job_summary_metrics: false + prometheus_metrics: false + +###################### +# consul integration # +###################### + +nomad_enable_consul_integration: "{{ enable_consul | bool }}" +nomad_consul_integration_configuration: + address: >- + 127.0.0.1:{{ consul_api_port[consul_api_scheme] }} + auto_advertise: true + ssl: "{{ consul_enable_tls | bool }}" + token: >- + {{ 
_credentials.consul.tokens.nomad.server.secret_id if nomad_enable_server else _credentials.consul.tokens.nomad.client.secret_id }} + tags: [] nomad_consul_integration_tls_configuration: ca_file: "/etc/ssl/certs/ca-certificates.crt" @@ -80,7 +197,8 @@ nomad_consul_integration_server_configuration: nomad_consul_integration_client_configuration: client_auto_join: true - grpc_address: "127.0.0.1:{{ hashicorp_consul_configuration.ports.grpc_tls if consul_enable_tls else hashicorp_consul_configuration.ports.grpc }}" + grpc_address: >- + 127.0.0.1:{{ consul_grpc_port[consul_api_scheme] }} nomad_consul_integration_client_tls_configuration: grpc_ca_file: "/etc/ssl/certs/ca-certificates.crt" 
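Review bot: `nomad_driver_configuration.raw_exec.enabled` is now the literal `false`, while the definition removed in the last nomad.yml hunk of this commit was `"{{ nomad_driver_enable_raw_exec | bool }}"`; the `nomad_driver_enable_raw_exec` toggle declared a few lines above therefore no longer controls the driver, and setting it to true in an inventory would silently do nothing unless the role reads it directly. Restoring `enabled: "{{ nomad_driver_enable_raw_exec | bool }}"` keeps raw_exec off by default and keeps the toggle meaningful. Minor: `cni_path: "{{ cni_plugins_install_path | default('/opt/cni/bin') }}"` carries a `default()` for a variable that the new cni.yml in this commit always defines, so the fallback is dead and can become `"{{ cni_plugins_install_path }}"`.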
@@ -109,104 +227,9 @@ nomad_consul_integration_client_policy: | policy = "write" } -############################# -# nomad leave configuration # -############################# +############################ +# nomad vault integration # +############################ -# node will leave the cluster if the process is stopped -# and if it is only a client -nomad_leave_on_interrupt: "{{ (('nomad_clients' in group_names) and not ('nomad_servers' in group_names)) | bool }}" -nomad_leave_on_terminate: "{{ (('nomad_clients' in group_names) and not ('nomad_servers' in group_names)) | bool }}" - -########################## -# nomad ui configuration # -########################## - -nomad_ui_configuration: - enabled: "{{ ('nomad_servers' in group_names) | bool }}" - -############################## -# nomad server configuration # -############################## - -nomad_enable_server: "{{ ('nomad_servers' in group_names) | bool }}" -nomad_server_configuration: - enabled: "{{ nomad_enable_server }}" - data_dir: "{{ hashicorp_nomad_data_dir }}/server" - encrypt: "{{ _credentials.nomad.gossip_encryption_key }}" - -############################## -# nomad client configuration # -############################## - -nomad_enable_client: "{{ ('nomad_clients' in group_names) | bool }}" -nomad_client_configuration: - enabled: "{{ nomad_enable_client }}" - state_dir: "{{ hashicorp_nomad_data_dir }}/client" - bridge_network_name: nomad - bridge_network_subnet: "172.26.64.0/20" - -############################### -# nomad drivers configuration # -############################### - -nomad_driver_configuration: - raw_exec: - enabled: "{{ nomad_driver_enable_raw_exec | bool }}" - -###################### -# nomad internal tls # -###################### - -nomad_certificates_directory: "{{ hashicorp_nomad_config_dir }}/tls" -nomad_certificates_extra_files_dir: - - src: "{{ sub_configuration_directories['certificates'] }}/nomad/{{ inventory_hostname }}" - dest: "{{ nomad_certificates_directory }}" - 
-################# -# nomad logging # -################# - -nomad_enable_log_to_file: "{{ enable_log_to_file | bool }}" -nomad_logging_configuration: - log_file: "{{ hashistack_remote_log_dir }}/nomad/nomad.log" - log_level: info - log_rotate_duration: 24h - log_rotate_max_files: 30 - -######################## -# nomad role variables # -######################## - -hashicorp_nomad_start_service: true -hashicorp_nomad_service_name: "nomad" -hashicorp_nomad_cni_plugins_install: true -hashicorp_nomad_cni_plugins_version: latest -hashicorp_nomad_cni_plugins_install_path: /opt/cni/bin -hashicorp_nomad_version: "{{ nomad_version }}" -hashicorp_nomad_env_variables: {} -hashicorp_nomad_config_dir: "{{ hashistack_remote_config_dir }}/nomad.d" -hashicorp_nomad_data_dir: "{{ hashistack_remote_data_dir }}/nomad" -hashicorp_nomad_extra_files: true -hashicorp_nomad_extra_files_list: "{{ ([] + - (nomad_certificates_extra_files_dir if nomad_enable_tls else []) + - nomad_extra_files_list) - | unique - | sort - }}" -hashicorp_nomad_configuration: - datacenter: "{{ nomad_datacenter }}" - region: "{{ nomad_region }}" - bind_addr: "0.0.0.0" - data_dir: "{{ hashicorp_nomad_data_dir }}" - leave_on_interrupt: "{{ nomad_leave_on_interrupt }}" - leave_on_terminate: "{{ nomad_leave_on_terminate }}" - acl: "{{ nomad_acl_configuration }}" - server: "{{ nomad_server_configuration }}" - client: "{{ nomad_client_configuration }}" - ui: "{{ nomad_ui_configuration }}" - -# this is used to circumvent jinja limitation to convert string to integer -hashicorp_nomad_configuration_string: | - server: - bootstrap_expect: {{ (groups['nomad_servers'] | length) }} +nomad_enable_vault_integration: false +nomad_vault_integration_configuration: {} diff --git a/playbooks/group_vars/all/vault.yml b/playbooks/group_vars/all/vault.yml index 265db5b..aa17855 100644 --- a/playbooks/group_vars/all/vault.yml +++ b/playbooks/group_vars/all/vault.yml 
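Review bot: `nomad_vault_integration_configuration: {}` is added without any note of the keys it takes or where secret material for it should live, while the Consul block above reads its token from `_credentials`. If this mapping is later filled with a Vault token, it should follow that same credentials-file pattern rather than being inlined in group_vars; a comment above the key such as `# used when nomad_enable_vault_integration is true; keep any token in the credentials file (_credentials.*), not here` would make the expectation explicit.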
@@ -1,100 +1,121 @@ --- -##################################################### -# # -# Non-Editable # -# # -##################################################### - vault_init_server: "{{ (inventory_hostname == groups['vault_servers'][0]) | bool }}" -######################### -# vault haproxy backend # -######################### +######### +# Vault # +######### -vault_haproxy_frontend_options: - - acl is_vault hdr(host) -i {{ vault_fqdn }} - - use_backend vault_external if is_vault +vault_config_dir: "{{ hashistack_remote_config_dir }}/vault.d" +vault_data_dir: "/opt/vault" +vault_certs_dir: "{{ vault_config_dir }}/tls" +vault_logs_dir: "{{ hashistack_remote_log_dir }}/vault" -vault_haproxy_backends: - - name: vault_external - options: "{{ vault_external_backend_options + vault_external_backend_servers }}" +vault_extra_files: true +# vault_extra_files_list: [] -vault_external_backend_options: - - description vault external http backend - - option forwardfor - - option httpchk GET /v1/sys/health?standbyok=true&sealedcode=200&standbycode=200&uninitcode=200 - - http-check expect status 200 - - default-server inter 2s fastinter 1s downinter 1s +vault_env_variables: {} -vault_external_backend_servers: | - [ - {% for host in groups['vault_servers'] %} - 'server vault-{{ hostvars[host].api_interface_address }} {{ hostvars[host].api_interface_address }}:8200 check {{ 'ssl verify none ' if vault_enable_tls }}inter 5s'{% if not loop.last %},{% endif %} - {% endfor %} - ] +####################### +# extra configuration # +####################### + +# You should prioritize adding configuration +# to the configuration entries below, this +# option should be used to add pieces of configuration not +# available through standard variables. 
+ +# vault_extra_configuration: {} + +########### +# general # +########### + +# vault_cluster_name: vault +# vault_bind_addr: "0.0.0.0" +# vault_cluster_addr: "{{ api_interface_address }}" +# vault_enable_ui: true +# vault_disable_mlock: false +# vault_disable_cache: false ###################### -# vault internal tls # +# seal configuration # ###################### -vault_certificates_directory: "{{ hashicorp_vault_config_dir }}/tls" +vault_seal_configuration: + key_shares: 3 + key_threshold: 2 + +######################### +# storage configuration # +######################### + +vault_storage_configuration: + raft: + path: "{{ vault_data_dir }}" + node_id: "{{ ansible_hostname }}" + retry_join: >- + [ + {% for host in groups['vault_servers'] %} + { + 'leader_api_addr': '{{ "https" if vault_enable_tls else "http"}}://{{ hostvars[host].api_interface_address }}:8200' + }{% if not loop.last %},{% endif %} + {% endfor %} + ] + +########################## +# listener configuration # +########################## + +# vault_enable_tls: false +vault_listener_configuration: + - tcp: + address: "{{ vault_cluster_addr }}:8200" + tls_disable: true + +vault_tls_listener_configuration: + - tcp: + tls_disable: false + tls_cert_file: "{{ vault_certs_dir }}/fullchain.crt" + tls_key_file: "{{ vault_certs_dir }}/cert.key" + tls_disable_client_certs: true + vault_certificates_extra_files_dir: - - src: "{{ sub_configuration_directories['certificates'] }}/vault/{{ inventory_hostname }}" - dest: "{{ vault_certificates_directory }}" + - src: "{{ hashistack_sub_configuration_directories['certificates'] }}/vault/{{ inventory_hostname }}" + dest: "{{ vault_certs_dir }}" -################# -# vault plugins # -################# +vault_extra_listener_configuration: [] -vault_plugin_directory: "{{ hashicorp_vault_config_dir }}/plugin" -vault_plugin_extra_files_dir: - - src: "{{ sub_configuration_directories['vault_servers'] }}/plugin" - dest: "{{ vault_plugin_directory }}" 
+######################## +# service registration # +######################## -############################## -# vault service registration # -############################## +# vault_enable_service_registration: "{{ enable_consul | bool }}" +vault_service_registration_configuration: + consul: + address: >- + 127.0.0.1:{{ hostvars[groups['consul_servers'][0]].consul_api_port[hostvars[groups['consul_servers'][0]].consul_api_scheme] }} + scheme: "{{ hostvars[groups['consul_servers'][0]].consul_api_scheme }}" + token: "{{ _credentials.consul.tokens.vault.secret_id }}" vault_service_registration_policy: | service "vault" { policy = "write" } +######################### +# plugins configuration # +######################### + +# vault_enable_plugins: false +vault_plugins_directory: "{{ vault_config_dir }}/plugins" + ################# # vault logging # ################# +# vault_log_level: info vault_enable_log_to_file: "{{ enable_log_to_file | bool }}" -vault_logging_configuration: - log_file: "{{ hashistack_remote_log_dir }}/vault/vault.log" - log_level: info +vault_log_to_file_configuration: + log_file: "{{ vault_logs_dir }}/vault.log" log_rotate_duration: 24h log_rotate_max_files: 30 - -######################## -# vault role variables # -######################## - -hashicorp_vault_start_service: true -hashicorp_vault_service_name: "vault" -hashicorp_vault_version: "{{ vault_version }}" -hashicorp_vault_env_variables: {} -hashicorp_vault_config_dir: "{{ hashistack_remote_config_dir }}/vault.d" -hashicorp_vault_data_dir: "{{ hashistack_remote_data_dir }}/vault" -hashicorp_vault_extra_files: true -hashicorp_vault_extra_files_list: "{{ ([] + - (vault_certificates_extra_files_dir if vault_enable_tls else []) + - (vault_plugin_extra_files_dir if vault_enable_plugins else []) + - vault_extra_files_list) - | unique - | sort - }}" -hashicorp_vault_configuration: - cluster_name: "{{ vault_cluster_name }}" - cluster_addr: "{{ 'https' if vault_enable_tls else 'http'}}://{{ 
api_interface_address }}:8201" - api_addr: "{{ 'https' if vault_enable_tls else 'http'}}://{{ api_interface_address }}:8200" - ui: "{{ vault_enable_ui }}" - disable_mlock: false - disable_cache: false - listener: "{{ vault_listener_configuration }}" - storage: "{{ vault_storage_configuration }}"