diff --git a/playbooks/deploy.yml b/playbooks/deploy.yml index daf26fa..e0a49aa 100644 --- a/playbooks/deploy.yml +++ b/playbooks/deploy.yml @@ -2,20 +2,22 @@ # hashistack deployment playbook - name: "Deploy" hosts: all + strategy: linear gather_facts: true become: true tasks: - - name: "debug" + - name: "Debug" ansible.builtin.debug: msg: "{{ hashi_vault_configuration.listener }}" - name: "Import variables" ansible.builtin.import_tasks: - file: load_vars.yml + file: tasks/load_vars.yml - name: "Vault" - when: enable_vault | bool - when: "'vault_servers' in group_names" + when: + - enable_vault | bool + - "'vault_servers' in group_names" tags: - vault block: @@ -23,7 +25,7 @@ ansible.builtin.include_role: name: ednxzu.hashistack.hashicorp_vault - - name: "Initialize vault cluster" + - name: "Initialize vault cluster" # noqa: run-once[task] ednxzu.hashistack.vault_init: api_url: "{{ hashi_vault_configuration['api_addr'] }}" key_shares: 3 @@ -35,10 +37,10 @@ register: _vault_init_secret until: not _vault_init_secret.failed - - name: "Write vault configuration to file" + - name: "Write vault configuration to file" # noqa: run-once[task] no-handler ansible.builtin.copy: content: "{{ _vault_init_secret.state | to_nice_yaml}}" - dest: "{{ configuration_directory }}/vault_servers/vault_config" + dest: "{{ sub_configuration_directories.vault_servers }}/vault_config" mode: '0644' when: _vault_init_secret.changed run_once: true @@ -46,10 +48,10 @@ - name: "Load vault cluster variables necessary for unseal operation" ansible.builtin.include_vars: - file: "{{ configuration_directory }}/vault/vault_config" + file: "{{ sub_configuration_directories.vault_servers }}/vault_config" name: _vault_cluster_config - - name: "Unseal the bootstrap node" + - name: "Unseal the bootstrap node" # noqa: run-once[task] no-handler ednxzu.hashistack.vault_unseal: api_url: "{{ hashi_vault_configuration['api_addr'] }}" key_shares: "{{ _vault_cluster_config['keys'] }}" 
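Review bot: The renamed `Debug` task still prints `hashi_vault_configuration.listener` on every deploy run; the listener stanza is where a Vault listener's TLS settings live, so whatever is placed there ends up in the play output and in any log capture of it. If the task is needed for troubleshooting, gate it with `verbosity: 1` under `ansible.builtin.debug:`, otherwise drop it as this commit already does for the two debug tasks at the end of preflight.yml. Making `strategy: linear` explicit is presumably what makes the later `run_once` tasks safe (linear is Ansible's default), and a comment such as `# linear is required: the vault init/unseal tasks below rely on run_once` would record that intent.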
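Review bot: `Initialize vault cluster` registers its result as `_vault_init_secret` (the `register:` line sits at the top of the next hunk), and the unseal task later reads `_vault_cluster_config['keys']` out of that state, so the registered value evidently carries the unseal key material; Ansible prints registered results at `-v`, and nothing in this task sets `no_log: true`. Add `no_log: true` next to `register: _vault_init_secret` (the task body continues past this hunk). The `# noqa: run-once[task]` suppression is unexplained here and on the two tasks in the following hunks; one short comment on this first task, e.g. `# run_once is safe: the play pins strategy: linear`, would tell the reader why the rule is waived.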
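Review bot: The file written by `Write vault configuration to file` holds `_vault_init_secret.state`, which the unseal step later reads back as `_vault_cluster_config['keys']`, yet it is created with `mode: '0644'`, i.e. readable by every account on the machine that owns `sub_configuration_directories.vault_servers`. Change it to `mode: '0600'`. Whether this copy runs on the controller is not visible in the hunk (no `delegate_to` is shown), but the later `include_vars` reads the same path on the controller, so the task presumably needs `delegate_to: localhost` alongside `run_once: true`; worth confirming against the lines outside the hunk.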
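Review bot: `Unseal the bootstrap node` passes `_vault_cluster_config['keys']` as module arguments right after `include_vars` has loaded that file into an ordinary host variable; module arguments are echoed at higher verbosity and the variable is visible to any later `debug`/`hostvars` dump, so the unseal task should carry `no_log: true` (its body continues past the hunk). Loading the file under `name: _vault_cluster_config` at least keeps the keys out of the top-level variable namespace, which is the right call.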
diff --git a/playbooks/group_vars/all.yml b/playbooks/group_vars/all.yml index ad1e81f..93651c4 100644 --- a/playbooks/group_vars/all.yml +++ b/playbooks/group_vars/all.yml @@ -4,8 +4,8 @@ ########################## enable_vault: "yes" -enable_consul: "yes" -enable_nomad: "yes" +enable_consul: "no" +enable_nomad: "no" deployment_method: "host" api_interface: "eth0" @@ -14,7 +14,7 @@ api_interface_address: "{{ ansible_facts[api_interface]['ipv4']['address'] }}" configuration_directory: "{{ lookup('env', 'PWD') }}/etc/hashistack" sub_configuration_directories: nomad_servers: "{{ configuration_directory }}/nomad_servers" - vault_servers: "{{ configuration_directory }}/vault_servers " + vault_servers: "{{ configuration_directory }}/vault_servers" consul_servers: "{{ configuration_directory }}/consul_servers" configuration_global_vars_file: "globals.yml" @@ -40,8 +40,8 @@ hashistack_supported_distribution_versions: - "22.04" preflight_enable_host_ntp_checks: true -vault_required_ports: [8200,8201] -consul_required_ports: [8300,8301,8302,8500,8501,8502,8503,8600] +vault_required_ports: [8200, 8201] +consul_required_ports: [8300, 8301, 8302, 8500, 8501, 8502, 8503, 8600] nomad_required_ports: [] ########################## @@ -59,7 +59,6 @@ hashi_nomad_data_dir: /opt/nomad hashi_nomad_extra_files: false hashi_nomad_extra_files_src: /tmp/extra_files hashi_nomad_extra_files_dst: /etc/nomad.d/extra_files -#! nomad configuration hashi_nomad_configuration: {} ########################## @@ -76,7 +75,6 @@ hashi_consul_extra_files_src: /tmp/extra_files hashi_consul_extra_files_dst: /etc/consul.d/extra_files hashi_consul_envoy_install: false hashi_consul_envoy_version: latest -#! consul configuration hashi_consul_configuration: {} ########################## 
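Review bot: Flipping `enable_consul` and `enable_nomad` to `"no"` changes the shipped defaults, not just a test setup; if this was only for a vault-only development run it should not land in `group_vars/all.yml`, and if it is intentional it deserves a line in the docs or changelog. Independently, these flags are quoted strings that every consumer pipes through `| bool` (`enable_vault | bool` in deploy.yml); plain booleans, `enable_consul: false`, remove the dependence on the filter and let ansible-lint's truthy rule catch mistakes.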
@@ -136,7 +134,6 @@ hashi_vault_extra_files: false hashi_vault_extra_files_src: /tmp/extra_files hashi_vault_extra_files_dst: /etc/vault.d/extra_files hashi_vault_extra_container_volumes: "{{ default_container_extra_volumes | union(extra_vault_container_volumes) | unique }}" -#! vault configuration hashi_vault_configuration: cluster_name: "{{ vault_cluster_name }}" cluster_addr: "http://{{ api_interface_address }}:8201" diff --git a/playbooks/preflight.yml b/playbooks/preflight.yml index 045edbc..35c57b4 100644 --- a/playbooks/preflight.yml +++ b/playbooks/preflight.yml @@ -2,9 +2,14 @@ # hashistack deployment playbook - name: "Preflight" hosts: all + strategy: linear gather_facts: true become: true tasks: + - name: "Import variables" + ansible.builtin.import_tasks: + file: tasks/load_vars.yml + - name: "Checking vault inventory" ansible.builtin.assert: that: @@ -41,8 +46,9 @@ when: - enable_nomad | bool - - name: "Checking directory {{ configuration_directory }}" + - name: "Checking directory {{ configuration_directory }}" # noqa: run-once[task] delegate_to: localhost + run_once: true block: - name: "Stat directory {{ configuration_directory }}" ansible.builtin.stat: 
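Review bot: `Checking directory {{ configuration_directory }}` is now `run_once` and `delegate_to: localhost`, but the play still has `become: true` (visible in the first hunk of this file), so the stat runs as root on the controller: it needs sudo there, and a root stat makes the `writeable` assertions in the next hunk vacuous because root can write anywhere. Add `become: false` to the block next to `run_once: true`. The block body continues outside the hunk, so check that every `register: _stat_config_dir*` task sits under it.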
@@ -70,21 +76,43 @@ when: - enable_vault | bool - - name: "Make sure required directories exist" + - name: "Make sure directory exists: {{ configuration_directory }}" ansible.builtin.assert: that: - _stat_config_dir.stat.exists - _stat_config_dir.stat.isdir - - _stat_config_dir.stat.writable - - _stat_config_dir_nomad_servers.stat.exists if enable_nomad - - _stat_config_dir_nomad_servers.stat.isdir if enable_nomad - - _stat_config_dir_nomad_servers.stat.writeable if enable_nomad - - _stat_config_dir_consul_servers.stat.exists if enable_consul - - _stat_config_dir_consul_servers.stat.isdir if enable_consul - - _stat_config_dir_consul_servers.stat.writeable if enable_consul - - _stat_config_dir_vault_servers.stat.exists if enable_vault - - _stat_config_dir_vault_servers.stat.isdir if enable_vault - - _stat_config_dir_vault_servers.stat.writeable if enable_vault + - _stat_config_dir.stat.writeable + + - name: "Make sure directory exists: {{ sub_configuration_directories.nomad_servers }}" + ansible.builtin.assert: + that: + - _stat_config_dir_nomad_servers.stat.exists + - _stat_config_dir_nomad_servers.stat.isdir + - _stat_config_dir_nomad_servers.stat.writeable + when: + - enable_nomad | bool + + - name: "Make sure directory exists: {{ sub_configuration_directories.consul_servers }}" + ansible.builtin.assert: + that: + - _stat_config_dir_consul_servers.stat.exists + - _stat_config_dir_consul_servers.stat.isdir + - _stat_config_dir_consul_servers.stat.writeable + when: + - enable_consul | bool + + - name: "Debug" + ansible.builtin.debug: + msg: "{{ _stat_config_dir_vault_servers }}" + + - name: "Make sure directory exists: {{ sub_configuration_directories.vault_servers }}" + ansible.builtin.assert: + that: + - _stat_config_dir_vault_servers.stat.exists + - _stat_config_dir_vault_servers.stat.isdir + - _stat_config_dir_vault_servers.stat.writeable + when: + - enable_vault | bool - name: "Checking host OS distribution" ansible.builtin.assert: 
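Review bot: The `Debug` task between the consul and vault assertions prints `_stat_config_dir_vault_servers` unconditionally and reads like leftover troubleshooting; the assertion right after it already reports on that variable, so the task should be removed. The four new assertions fail with Ansible's generic message; a `fail_msg` naming the directory, e.g. `fail_msg: "{{ sub_configuration_directories.vault_servers }} must exist and be writeable by the controller user"`, would match the style of the docker-sdk assertion later in this file. Switching the top-level check from `writable` to `writeable` is correct, since `writeable` is the key the stat module returns.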
@@ -262,13 +290,3 @@ fail_msg: >- The python sdk for docker is really out of date, you need to install a more recent version of it in order to use this tool. - - - name: "Debug" - ansible.builtin.debug: - msg: "{{ groups['vault_servers'] }}" - - - name: "Debug" - ansible.builtin.debug: - msg: "{{ hashi_vault_configuration.storage }}" - - # - ansible.builtin.fail: diff --git a/playbooks/load_vars.yml b/playbooks/tasks/load_vars.yml similarity index 100% rename from playbooks/load_vars.yml rename to playbooks/tasks/load_vars.yml