feat: add global variables for nomad deployment

2024-05-16 17:25:41 +02:00 · 2024-05-16 17:25:41 +02:00 · 30adf2ba7a
commit 30adf2ba7a
parent cdeee7436c
13 changed files with 215 additions and 35 deletions
--- a/.gitmodules
+++ b/.gitmodules
@ -1,6 +0,0 @@
-[submodule "roles/hashicorp_consul"]
-	path = roles/hashicorp_consul
-	url = https://github.com/ednz-cloud/hashicorp_consul
-[submodule "roles/hashicorp_vault"]
-	path = roles/hashicorp_vault
-	url = https://github.com/ednz-cloud/hashicorp_vault
--- a/nomad.json
+++ b/nomad.json
@ -0,0 +1,94 @@
+{
+  "acl": {
+    "enabled": true
+  },
+  "advertise": {
+    "http": "10.1.20.101",
+    "rpc": "10.1.20.101",
+    "serf": "10.1.20.101"
+  },
+  "bind_addr": "0.0.0.0",
+  "client": {
+    "bridge_network_name": "nomad",
+    "bridge_network_subnet": "172.26.64.0/20",
+    "cni_path": "/opt/cni/bin",
+    "enabled": true,
+    "node_class": "managers",
+    "reserved": {
+      "cpu": 500,
+      "memory": 300
+    },
+    "servers": [
+      "hs1.ednz.fr",
+      "hs2.ednz.fr",
+      "hs3.ednz.fr"
+    ]
+  },
+  "consul": {
+    "address": "127.0.0.1:8501",
+    "auto_advertise": true,
+    "grpc_address": "127.0.0.1:8503",
+    "grpc_ca_file": "/opt/nomad/tls/ca.pem",
+    "ssl": true,
+    "token": "8c6eaa1c-0d71-b25e-1019-a34966700fa4"
+  },
+  "data_dir": "/opt/nomad",
+  "datacenter": "gre1",
+  "leave_on_terminate": false,
+  "log_level": "INFO",
+  "plugin": {
+    "docker": {
+      "config": {
+        "allow_caps": [
+          "all"
+        ],
+        "allow_privileged": true,
+        "auth": {
+          "config": "/etc/nomad.d/extra_files/docker_auth.json"
+        },
+        "endpoint": "unix:///var/run/docker.sock",
+        "volumes": {
+          "enabled": true
+        }
+      }
+    }
+  },
+  "server": {
+    "bootstrap_expect": 3,
+    "enabled": true,
+    "server_join": {
+      "retry_join": [
+        "hs1.ednz.fr",
+        "hs2.ednz.fr",
+        "hs3.ednz.fr"
+      ]
+    }
+  },
+  "telemetry": {
+    "collection_interval": "1s",
+    "disable_dispatched_job_summary_metrics": false,
+    "disable_hostname": false,
+    "prefix_filter": [],
+    "prometheus_metrics": true,
+    "publish_allocation_metrics": true,
+    "publish_node_metrics": true,
+    "use_node_name": false
+  },
+  "tls": {
+    "ca_file": "/opt/nomad/tls/ca.pem",
+    "cert_file": "/opt/nomad/tls/cert.pem",
+    "http": true,
+    "key_file": "/opt/nomad/tls/key.pem",
+    "rpc": true,
+    "verify_server_hostname": true
+  },
+  "ui": {
+    "enabled": true
+  },
+  "vault": {
+    "address": "https://vault.service.consul:8200",
+    "create_from_role": "nomad-cluster",
+    "enabled": true,
+    "token": "hvs.CAESIEOC5_8vTfD16xXhxs-TV23JEXWWRIgSIc01dm8Hb2YLGh4KHGh2cy5xRVg0T3pDV3FhazBZQWZEaExkM2VqejU"
+  }
+}
--- a/playbooks/deploy.yml
+++ b/playbooks/deploy.yml
@ -23,7 +23,7 @@

    - name: "Deploy Consul Agents"
      ansible.builtin.include_role:
-        name: ednz_cloud.hashistack.hashicorp_consul
+        name: ednz_cloud.hashicorp_consul
      when:
        - enable_consul | bool
        - "'consul_agents' in group_names"
--- a/playbooks/generate_credentials.yml
+++ b/playbooks/generate_credentials.yml
@ -8,25 +8,33 @@
  tasks:
    - name: "Generate consul credentials"
      block:
+        - name: "Generate consul gossip encryption key"
+          ansible.builtin.set_fact:
+            _consul_gossip_encryption_key: "{{ lookup('ansible.builtin.password', '/dev/null', chars=['ascii_letters','digits']) | b64encode }}"
+
        - name: "Generate consul root credentials"
          ansible.builtin.set_fact:
-            _consul_root_token: "{{ lookup('password', '/dev/null chars=ascii_letters,digits') | to_uuid }}"
+            _consul_root_token: "{{ lookup('ansible.builtin.password', '/dev/null', chars=['ascii_letters','digits']) | to_uuid }}"

        - name: "Generate consul agents credentials"
          ansible.builtin.set_fact:
-            _cosul_agents_accessor: "{{ lookup('password', '/dev/null chars=ascii_letters,digits') | to_uuid }}"
-            _consul_agents_token: "{{ lookup('password', '/dev/null chars=ascii_letters,digits') | to_uuid }}"
+            _cosul_agents_accessor: "{{ lookup('ansible.builtin.password', '/dev/null', chars=['ascii_letters','digits']) | to_uuid }}"
+            _consul_agents_token: "{{ lookup('ansible.builtin.password', '/dev/null', chars=['ascii_letters','digits']) | to_uuid }}"

        - name: "Generate consul vault credentials"
          ansible.builtin.set_fact:
-            _cosul_vault_accessor: "{{ lookup('password', '/dev/null chars=ascii_letters,digits') | to_uuid }}"
-            _consul_vault_token: "{{ lookup('password', '/dev/null chars=ascii_letters,digits') | to_uuid }}"
+            _cosul_vault_accessor: "{{ lookup('ansible.builtin.password', '/dev/null', chars=['ascii_letters','digits']) | to_uuid }}"
+            _consul_vault_token: "{{ lookup('ansible.builtin.password', '/dev/null', chars=['ascii_letters','digits']) | to_uuid }}"

    - name: "Generate nomad credentials"
      block:
+        - name: "Generate nomad gossip encryption key"
+          ansible.builtin.set_fact:
+            _nomad_gossip_encryption_key: "{{ lookup('ansible.builtin.password', '/dev/null', chars=['ascii_letters','digits']) | b64encode }}"
+
        - name: "Generate nomad root credentials"
          ansible.builtin.set_fact:
-            _nomad_root_token: "{{ lookup('password', '/dev/null chars=ascii_letters,digits') | to_uuid }}"
+            _nomad_root_token: "{{ lookup('ansible.builtin.password', '/dev/null', chars=['ascii_letters','digits']) | to_uuid }}"

    - name: "Write credentials file"
      ansible.builtin.template:
--- a/playbooks/group_vars/all/consul.yml
+++ b/playbooks/group_vars/all/consul.yml
@ -88,7 +88,7 @@ hashi_consul_configuration:
  datacenter: "{{ consul_datacenter }}"
  primary_datacenter: "{{ consul_primary_datacenter }}"
  data_dir: "{{ hashi_consul_data_dir }}"
-  encrypt: "{{ consul_gossip_encryption_key }}"
+  encrypt: "{{ _credentials.consul.gossip_encryption_key }}"
  server: "{{ 'consul_servers' in group_names }}"
  retry_join: "{{
    groups['consul_servers'] |
--- a/playbooks/group_vars/all/globals.yml
+++ b/playbooks/group_vars/all/globals.yml
@ -46,7 +46,6 @@ consul_primary_datacenter: dc1
 consul_leave_on_terminate: true
 consul_rejoin_after_leave: true
 consul_enable_script_checks: true
-consul_gossip_encryption_key: "{{ 'mysupersecretgossipencryptionkey'|b64encode }}"

 ################################
 # consul address configuration #
--- a/playbooks/group_vars/all/nomad.yml
+++ b/playbooks/group_vars/all/nomad.yml
@ -1,18 +1,86 @@
+---
 #####################################################
 #                                                   #
-#                Nomad Configuration                #
+#                Non-Editable                       #
 #                                                   #
 #####################################################

-hashi_nomad_cni_plugins_install: true
-hashi_nomad_start_service: true
-hashi_nomad_cni_plugins_version: latest
-hashi_nomad_cni_plugins_install_path: /opt/cni/bin
-hashi_nomad_version: latest
-hashi_nomad_deploy_method: host # deployment method, either host or docker
-hashi_nomad_env_variables: {}
-hashi_nomad_data_dir: /opt/nomad
-hashi_nomad_extra_files: false
-hashi_nomad_extra_files_src: /tmp/extra_files
-hashi_nomad_extra_files_dst: /etc/nomad.d/extra_files
-hashi_nomad_configuration: {}
+nomad_datacenter: dc1
+
+###########################
+# nomad ACL configuration #
+###########################
+
+nomad_acl_configuration:
+  enabled: true
+  token_ttl: 30s
+  policy_ttl: 60s
+  role_ttl: 60s
+
+#################################
+# nomad autopilot configuration #
+#################################
+
+nomad_autopilot_configuration: {}
+
+############################
+# nomad consul integration #
+############################
+
+nomad_enable_consul_integration: "{{ enable_consul | bool }}"
+nomad_consul_integration_configuration: {}
+
+############################
+# nomad vault integration #
+############################
+
+nomad_enable_vault_integration: false
+nomad_vault_integration_configuration: {}
+
+#############################
+# nomad leave configuration #
+#############################
+
+# node will leave the cluster if the process is stopped
+# and if it is only a client
+nomad_leave_on_interrupt: "{{ (('nomad_clients' in group_names) and (not 'nomad_servers' in group_names)) | bool }}"
+nomad_leave_on_terminate: "{{ (('nomad_clients' in group_names) and (not 'nomad_servers' in group_names)) | bool }}"
+
+##############################
+# nomad server configuration #
+##############################
+
+nomad_server_configuration:
+  enabled: "{{ 'nomad_servers' in group_names }}"
+  data_dir: "{{ hashicorp_nomad_data_dir }}/server"
+  encrypt: "{{ _credentials.nomad.gossip_encryption_key }}"
+
+##############################
+# nomad client configuration #
+##############################
+
+nomad_client_configuration:
+  enabled: "{{ 'nomad_clients' in group_names | bool }}"
+  state_dir: "{{ hashicorp_nomad_data_dir }}/client"
+
+hashicorp_nomad_cni_plugins_install: true
+hashicorp_nomad_start_service: true
+hashicorp_nomad_cni_plugins_version: latest
+hashicorp_nomad_cni_plugins_install_path: /opt/cni/bin
+hashicorp_nomad_version: latest
+hashicorp_nomad_deploy_method: host # deployment method, either host or docker
+hashicorp_nomad_env_variables: {}
+hashicorp_nomad_config_dir: "/etc/nomad.d"
+hashicorp_nomad_data_dir: /opt/nomad
+hashicorp_nomad_extra_files: false
+hashicorp_nomad_extra_files_src: /tmp/extra_files
+hashicorp_nomad_extra_files_dst: /etc/nomad.d/extra_files
+hashicorp_nomad_configuration:
+  datacenter: "{{ nomad_datacenter }}"
+  bind_addr: "0.0.0.0"
+  data_dir: "{{ hashicorp_nomad_data_dir }}"
+  leave_on_interrupt: "{{ (('nomad_clients' in group_names) and (not 'nomad_servers' in group_names)) | bool }}"
+  leave_on_terminate: "{{ (('nomad_clients' in group_names) and (not 'nomad_servers' in group_names)) | bool }}"
+  acl: "{{ nomad_acl_configuration }}"
+  server: "{{ nomad_server_configuration }}"
+  client: "{{ nomad_client_configuration }}"
--- a/playbooks/tasks/consul/consul_deploy.yml
+++ b/playbooks/tasks/consul/consul_deploy.yml
@ -1,9 +1,9 @@
 ---
 - name: "Consul"
  block:
-    - name: "Include ednz_cloud.hashistack.hashicorp_consul"
+    - name: "Include ednz_cloud.hashicorp_consul"
      ansible.builtin.include_role:
-        name: ednz_cloud.hashistack.hashicorp_consul
+        name: ednz_cloud.hashicorp_consul

    - name: "Wait for consul cluster to initialize" # noqa: run-once[task]
      ansible.builtin.uri:
--- a/playbooks/tasks/vault/vault_deploy.yml
+++ b/playbooks/tasks/vault/vault_deploy.yml
@ -38,9 +38,9 @@
            state: present
          when: _consul_vault_policy.changed

-    - name: "Include ednz_cloud.hashistack.hashicorp_consul"
+    - name: "Include ednz_cloud.hashicorp_consul"
      ansible.builtin.include_role:
-        name: ednz_cloud.hashistack.hashicorp_vault
+        name: ednz_cloud.hashicorp_vault

    - name: "Initialize vault cluster" # noqa: run-once[task]
      ednz_cloud.hashistack.vault_init:
--- a/playbooks/templates/credentials.yml.j2
+++ b/playbooks/templates/credentials.yml.j2
@ -1,5 +1,6 @@
 ---
 consul:
+  gossip_encryption_key: "{{ _consul_gossip_encryption_key }}"
  root_token:
    secret_id: "{{ _consul_root_token }}"
  tokens:
@ -10,4 +11,6 @@ consul:
      accessor_id: "{{ _consul_vault_accessor }}"
      secret_id: "{{ _consul_vault_token }}"
 nomad:
-  root_token: "{{ _nomad_root_token }}"
+  gossip_encryption_key: "{{ _nomad_gossip_encryption_key }}"
+  root_token:
+    secret_id: "{{ _nomad_root_token }}"
--- a/roles/hashicorp_consul
+++ b/roles/hashicorp_consul
@ -1 +0,0 @@
-Subproject commit 56696c3552308225d4e5b91efc8e4bf75d31d2f3
--- a/roles/hashicorp_vault
+++ b/roles/hashicorp_vault
@ -1 +0,0 @@
-Subproject commit 738c347df8efd4965eda14167171343be13bed75
--- a/roles/requirements.yml
+++ b/roles/requirements.yml
@ -3,15 +3,31 @@
 roles:
  - name: ednz_cloud.manage_repositories
    src: https://github.com/ednz-cloud/manage_repositories.git
+    version: main
  - name: ednz_cloud.manage_apt_packages
    src: https://github.com/ednz-cloud/manage_apt_packages.git
+    version: main
  - name: ednz_cloud.manage_pip_packages
    src: https://github.com/ednz-cloud/manage_pip_packages.git
+    version: main
  - name: ednz_cloud.install_docker
    src: https://github.com/ednz-cloud/install_docker.git
+    version: main
  - name: ednz_cloud.docker_systemd_service
    src: https://github.com/ednz-cloud/docker_systemd_service.git
+    version: main
  - name: ednz_cloud.deploy_haproxy
    src: https://github.com/ednz-cloud/deploy_haproxy.git
+    version: main
  - name: ednz_cloud.deploy_keepalived
    src: https://github.com/ednz-cloud/deploy_keepalived.git
+    version: main
+  - name: ednz_cloud.hashicorp_nomad
+    src: https://github.com/ednz-cloud/hashicorp_nomad.git
+    version: v0.1.0
+  - name: ednz_cloud.hashicorp_consul
+    src: https://github.com/ednz-cloud/hashicorp_consul.git
+    version: main
+  - name: ednz_cloud.hashicorp_vault
+    src: https://github.com/ednz-cloud/hashicorp_vault.git
+    version: main
				`@ -1 +0,0 @@`
				`Subproject commit 56696c3552308225d4e5b91efc8e4bf75d31d2f3`
				`@ -1 +0,0 @@`
				`Subproject commit 738c347df8efd4965eda14167171343be13bed75`