ansible-collections/hcp-ansible
ansible-collections/hcp-ansible
4
0
Fork 0
Code Issues 3 Pull Requests Actions Packages Projects 1 Releases Wiki Activity

feat(deploy): add haproxy deployment, integrate with consul

Browse Source
This commit is contained in:
Bertrand Lanson 2024-03-17 10:57:02 +01:00
parent 29f26051d3
commit c4768c7f6b
15 changed files with 518 additions and 448 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

45
molecule/no_tls_multi_node/molecule.yml
View File

@ -12,10 +12,11 @@ platforms:
box: generic/${MOLECULE_TEST_OS}
cpus: 2
memory: 4096
# interfaces:
# - network_name: private_network
# ip: 192.168.122.91
# auto_config: true
interfaces:
- network_name: private_network
ip: 192.168.100.91
auto_config: true
type: static
groups:
- common
- haproxy_servers
@ -23,10 +24,11 @@ platforms:
box: generic/${MOLECULE_TEST_OS}
cpus: 2
memory: 4096
# interfaces:
# - network_name: private_network
# ip: 192.168.122.92
# auto_config: true
interfaces:
- network_name: private_network
ip: 192.168.100.92
auto_config: true
type: static
groups:
- common
- haproxy_servers
@ -34,10 +36,11 @@ platforms:
box: generic/${MOLECULE_TEST_OS}
cpus: 4
memory: 4096
# interfaces:
# - network_name: private_network
# ip: 192.168.122.101
# auto_config: true
interfaces:
- network_name: private_network
ip: 192.168.100.101
auto_config: true
type: static
groups:
- common
- vault_servers
@ -47,10 +50,11 @@ platforms:
box: generic/${MOLECULE_TEST_OS}
cpus: 4
memory: 4096
# interfaces:
# - network_name: private_network
# ip: 192.168.122.102
# auto_config: true
interfaces:
- network_name: private_network
ip: 192.168.100.102
auto_config: true
type: static
groups:
- common
- vault_servers
@ -60,10 +64,11 @@ platforms:
box: generic/${MOLECULE_TEST_OS}
cpus: 4
memory: 4096
# interfaces:
# - network_name: private_network
# ip: 192.168.122.103
# auto_config: true
interfaces:
- network_name: private_network
ip: 192.168.100.103
auto_config: true
type: static
groups:
- common
- vault_servers

2
molecule/no_tls_multi_node/requirements.yml
View File

@ -6,6 +6,8 @@ roles:
- name: ednz_cloud.manage_pip_packages
- name: ednz_cloud.install_docker
- name: ednz_cloud.docker_systemd_service
- name: ednz_cloud.deploy_haproxy
- name: ednz_cloud.deploy_keepalived
collections:
- name: ednz_cloud.hashistack

3
molecule/no_tls_single_node/requirements.yml
View File

@ -3,8 +3,11 @@
roles:
- name: ednz_cloud.manage_repositories
- name: ednz_cloud.manage_apt_packages
- name: ednz_cloud.manage_pip_packages
- name: ednz_cloud.install_docker
- name: ednz_cloud.docker_systemd_service
- name: ednz_cloud.deploy_haproxy
- name: ednz_cloud.deploy_keepalived
collections:
- name: ednz_cloud.hashistack

9
playbooks/deploy.yml
View File

@ -10,6 +10,15 @@
ansible.builtin.import_tasks:
file: tasks/load_vars.yml
- name: "Deploy Haproxy & Keepalived"
ansible.builtin.import_tasks:
file: tasks/haproxy/haproxy_deploy.yml
when:
- enable_haproxy | bool
- "'haproxy_servers' in group_names"
tags:
- haproxy
- name: "Deploy Consul"
ansible.builtin.import_tasks:
file: tasks/consul/consul_deploy.yml

421
playbooks/group_vars/all.yml
View File

@ -1,421 +0,0 @@
---
##########################
# General options ########
##########################
enable_vault: "no"
enable_consul: "yes"
enable_nomad: "no"
nomad_version: latest
consul_version: latest
vault_version: latest
deployment_method: "host"
api_interface: "eth0"
api_interface_address: "{{ ansible_facts[api_interface]['ipv4']['address'] }}"
##########################
# Helper options #########
##########################
# manage_pip_packages_allow_break_system_packages: true
vault_versions:
host: "{{ vault_version }}{% '*' if vault_version != 'latest' %}"
docker: "{{ vault_version }}"
consul_versions:
host: "{{ consul_version }}{% '*' if consul_version != 'latest' %}"
docker: "{{ consul_version }}"
nomad_versions:
host: "{{ nomad_version }}{% '*' if nomad_version != 'latest' %}"
docker: "{{ nomad_version }}"
configuration_directory: "{{ lookup('env', 'PWD') }}/etc/hashistack"
sub_configuration_directories:
nomad_servers: "{{ configuration_directory }}/nomad_servers"
vault_servers: "{{ configuration_directory }}/vault_servers"
consul_servers: "{{ configuration_directory }}/consul_servers"
configuration_global_vars_file: "globals.yml"
default_container_extra_volumes:
- "/etc/timezone:/etc/timezone"
- "/etc/localtime:/etc/localtime"
#################
# Support options
#################
hashistack_supported_distributions:
- ubuntu
- debian
hashistack_supported_distribution_versions:
debian:
- "11"
- "12"
ubuntu:
- "20.04"
- "22.04"
preflight_enable_host_ntp_checks: true
haproxy_required_ports: [80, 443]
vault_required_ports: [8200, 8201]
consul_required_ports: [8300, 8301, 8302, 8500, 8501, 8502, 8503, 8600]
nomad_required_ports: []
#####################################################
# #
# HAProxy Configuration #
# #
#####################################################
deploy_haproxy_deploy_method: host # deployment method, either host or docker
deploy_haproxy_version: "2.8"
deploy_haproxy_env_variables: {}
deploy_haproxy_start_service: true
deploy_haproxy_cert_dir: ""
deploy_haproxy_extra_container_volumes: []
deploy_haproxy_global:
- log /dev/log local0
- log /dev/log local1 notice
- stats socket {{ deploy_haproxy_socket }} level admin
- chroot {{ deploy_haproxy_chroot }}
- daemon
- description hashistack haproxy
deploy_haproxy_defaults:
- log global
- mode http
- option httplog
- option dontlognull
- timeout connect 5000
- timeout client 5000
- timeout server 5000
deploy_haproxy_frontends:
[]
# - name: default
# options:
# - description default frontend
# - mode http
# - bind :80
# - default_backend default
deploy_haproxy_backends:
[]
# - name: default
# options:
# - description default backend
# - option forwardfor
# - option httpchk
# - http-check send meth GET uri /
# - server srv_nginx1 172.17.0.4:80 check inter 5s
# - server srv_nginx2 172.17.0.3:80 check inter 5s
deploy_haproxy_listen:
- name: monitoring
options:
- bind :9000
- mode http
- option httpchk
- stats enable
- stats uri /stats
- stats refresh 30s
- stats show-desc
- stats show-legends
- stats auth admin:password
- http-check send meth GET uri /health ver HTTP/1.1 hdr Host localhost
- http-check expect status 200
- acl health_check_ok nbsrv() ge 1
- monitor-uri /health
- http-request use-service prometheus-exporter if { path /metrics }
deploy_keepalived_deploy_method: "host"
deploy_keepalived_version: "latest"
deploy_keepalived_start_service: true
deploy_keepalived_env_variables: {}
deploy_keepalived_vrrp_instance_name: "{{ ansible_hostname }}"
deploy_keepalived_interface: "{{ ansible_default_ipv4.interface }}"
deploy_keepalived_state: "BACKUP"
deploy_keepalived_router_id: 50
deploy_keepalived_priority: 100
deploy_keepalived_advert_interval: 1
deploy_keepalived_unicast_source: "{{ ansible_default_ipv4.address }}"
deploy_keepalived_unicast_peers: []
deploy_keepalived_auth_passwd: "password"
deploy_keepalived_virtual_ips:
- 192.168.1.100/32
deploy_keepalived_notify_script: notify.sh
deploy_keepalived_custom_scripts_src:
deploy_keepalived_extra_container_volumes: []
deploy_keepalived_use_custom_config: false
deploy_keepalived_custom_config_src:
#####################################################
# #
# Nomad Configuration #
# #
#####################################################
hashi_nomad_cni_plugins_install: true
hashi_nomad_start_service: true
hashi_nomad_cni_plugins_version: latest
hashi_nomad_cni_plugins_install_path: /opt/cni/bin
hashi_nomad_version: latest
hashi_nomad_deploy_method: host # deployment method, either host or docker
hashi_nomad_env_variables: {}
hashi_nomad_data_dir: /opt/nomad
hashi_nomad_extra_files: false
hashi_nomad_extra_files_src: /tmp/extra_files
hashi_nomad_extra_files_dst: /etc/nomad.d/extra_files
hashi_nomad_configuration: {}
#####################################################
# #
# Consul Configuration #
# #
#####################################################
consul_domain: consul
consul_datacenter: dc1
consul_primary_datacenter: dc1
consul_leave_on_terminate: true
consul_rejoin_after_leave: true
consul_enable_script_checks: true
##############################
# consul address configuration
##############################
consul_address_configuration:
# The address to which Consul will bind client interfaces,
# including the HTTP and DNS servers.
client_addr: "0.0.0.0"
# The address that should be bound to for internal cluster communications.
bind_addr: "{{ api_interface_address }}"
# The advertise address is used to change the address that we advertise to other nodes in the cluster.
advertise_addr: "{{ api_interface_address }}"
##########################
# consul ACL configuration
##########################
consul_acl_configuration:
enabled: true
default_policy: "deny" # can be allow or deny
enable_token_persistence: true
consul_default_agent_policy: |
agent_prefix "" {
policy = "write"
}
node_prefix "" {
policy = "write"
}
service_prefix "" {
policy = "read"
}
##########################
# consul DNS configuration
##########################
consul_dns_configuration:
allow_stale: true
enable_truncate: true
only_passing: true
#########################
# consul ui configuration
#########################
consul_ui_configuration:
enabled: true
###################################
# consul service mesh configuration
###################################
consul_mesh_configuration:
enabled: true
#####################
# extra configuration
#####################
consul_extra_configuration: {}
###############
# configuration
###############
hashi_consul_start_service: true
hashi_consul_version: latest
hashi_consul_deploy_method: "{{ deployment_method }}"
hashi_consul_env_variables: {}
hashi_cosul_config_dir: "/etc/consul.d"
hashi_consul_data_dir: "/opt/consul"
hashi_consul_extra_files: false
hashi_consul_extra_files_src: "{{ sub_configuration_directories.consul_servers }}/config"
hashi_consul_extra_files_dst: "{{ hashi_consul_config_dir }}/config"
hashi_consul_envoy_install: false
hashi_consul_envoy_version: v1.27.2
hashi_consul_configuration:
domain: "{{ consul_domain }}"
datacenter: "{{ consul_datacenter }}"
primary_datacenter: "{{ consul_primary_datacenter }}"
data_dir: "{{ hashi_consul_data_dir }}"
encrypt: "{{ 'mysupersecretgossipencryptionkey'|b64encode }}"
server: "{{ 'consul_servers' in group_names }}"
retry_join: "{{
groups['consul_servers'] |
map('extract', hostvars, ['consul_address_configuration', 'bind_addr']) |
list |
to_json |
from_json
}}"
ui_config: "{{ consul_ui_configuration }}"
connect: "{{ consul_mesh_configuration }}"
leave_on_terminate: true
rejoin_after_leave: true
enable_script_checks: true
enable_syslog: true
log_level: INFO
acl: "{{ consul_acl_configuration }}"
dns_config: "{{ consul_dns_configuration }}"
ports:
dns: 8600
http: 8500
https: -1
grpc: 8502
grpc_tls: 8503
server: 8300
serf_lan: 8301
serf_wan: 8302
sidecar_min_port: 21000
sidecar_max_port: 21255
expose_min_port: 21500
expose_max_port: 21755
# this is used to circumvent jinja limitation to convert string to integer
hashi_consul_configuration_string: |
bootstrap_expect: {{ (groups['consul_servers'] | length) }}
#####################################################
# #
# Vault Configuration #
# #
#####################################################
vault_cluster_name: vault
vault_enable_ui: true
vault_seal_configuration:
key_shares: 3
key_threshold: 2
#########
# storage
#########
vault_storage_configuration:
raft:
path: "{{ hashi_vault_data_dir }}/data"
node_id: "{{ ansible_hostname }}"
retry_join: |
[
{% for host in groups['vault_servers'] %}
{
'leader_api_addr': 'http://{{ hostvars[host].api_interface_address }}:8200'
}{% if not loop.last %},{% endif %}
{% endfor %}
]
##########
# listener
##########
vault_enable_tls: false
vault_listener_configuration:
tcp:
address: "0.0.0.0:8200"
tls_disable: true
vault_tls_listener_configuration:
tcp:
tls_disable: false
tls_cert_file: "{{ hashi_vault_extra_files_dst }}/tls/cert.pem"
tls_key_file: "{{ hashi_vault_extra_files_dst }}/tls/key.pem"
vault_extra_listener_configuration: {}
######################
# service registration
######################
vault_enable_service_registration: false
vault_service_registration_configuration:
consul:
address: "127.0.0.1:8500"
scheme: "http"
#########
# plugins
#########
vault_enable_plugins: true
vault_plugin_directory: "{{ hashi_vault_extra_files_dst }}/plugin"
#########
# logging
#########
vault_enable_log_to_file: false
vault_logging_configuration:
log_level: info
log_format: standard
log_rotate_duration: 24h
log_rotate_max_files: 30
#########################
# vault container volumes
#########################
extra_vault_container_volumes: []
#####################
# extra configuration
#####################
vault_extra_configuration: {}
###############
# configuration
###############
hashi_vault_start_service: true
hashi_vault_version: latest
hashi_vault_deploy_method: "{{ deployment_method }}"
hashi_vault_env_variables: {}
hashi_vault_config_dir: "/etc/vault.d"
hashi_vault_data_dir: "/opt/vault"
hashi_vault_extra_files: true
hashi_vault_extra_files_src: "{{ sub_configuration_directories.vault_servers }}/config"
hashi_vault_extra_files_dst: "{{ hashi_vault_config_dir }}/config"
hashi_vault_extra_container_volumes: "{{ default_container_extra_volumes | union(extra_vault_container_volumes) | unique }}"
hashi_vault_configuration:
cluster_name: "{{ vault_cluster_name }}"
cluster_addr: "http://{{ api_interface_address }}:8201"
api_addr: "http://{{ api_interface_address }}:8200"
ui: "{{ vault_enable_ui }}"
disable_mlock: false
disable_cache: false
listener: "{{ vault_listener_configuration }}"
storage: "{{ vault_storage_configuration }}"

78
playbooks/group_vars/all/all.yml Normal file
View File

@ -0,0 +1,78 @@
---
##########################
# General options ########
##########################
enable_haproxy: "yes"
enable_vault: "no"
enable_consul: "yes"
enable_nomad: "no"
nomad_version: latest
consul_version: latest
vault_version: latest
deployment_method: "docker"
hashistack_external_vip_interface: "eth0"
hashistack_external_vip_addr: "192.168.121.100"
hashistack_internal_vip_interface: "eth1"
# hashistack_internal_vip_interface: "{{ hashistack_external_vip_interface }}"
hashistack_internal_vip_addr: "192.168.100.100"
# hashistack_internal_vip_addr: "{{ hashistack_external_vip_addr }}"
# api_interface: "eth0"
api_interface: "eth1"
api_interface_address: "{{ ansible_facts[api_interface]['ipv4']['address'] }}"
##########################
# Helper options #########
##########################
# manage_pip_packages_allow_break_system_packages: true
vault_versions:
host: "{{ vault_version }}{% '*' if vault_version != 'latest' %}"
docker: "{{ vault_version }}"
consul_versions:
host: "{{ consul_version }}{% '*' if consul_version != 'latest' %}"
docker: "{{ consul_version }}"
nomad_versions:
host: "{{ nomad_version }}{% '*' if nomad_version != 'latest' %}"
docker: "{{ nomad_version }}"
configuration_directory: "{{ lookup('env', 'PWD') }}/etc/hashistack"
sub_configuration_directories:
nomad_servers: "{{ configuration_directory }}/nomad_servers"
vault_servers: "{{ configuration_directory }}/vault_servers"
consul_servers: "{{ configuration_directory }}/consul_servers"
configuration_global_vars_file: "globals.yml"
default_container_extra_volumes:
- "/etc/timezone:/etc/timezone"
- "/etc/localtime:/etc/localtime"
#################
# Support options
#################
hashistack_supported_distributions:
- ubuntu
- debian
hashistack_supported_distribution_versions:
debian:
- "11"
- "12"
ubuntu:
- "20.04"
- "22.04"
preflight_enable_host_ntp_checks: true
haproxy_required_ports: [80, 443]
vault_required_ports: [8200, 8201]
consul_required_ports: [8300, 8301, 8302, 8500, 8501, 8502, 8503, 8600]
nomad_required_ports: []

178
playbooks/group_vars/all/consul.yml Normal file
View File

@ -0,0 +1,178 @@
---
#####################################################
# #
# Consul Configuration #
# #
#####################################################
consul_domain: consul
consul_datacenter: dc1
consul_primary_datacenter: dc1
consul_leave_on_terminate: true
consul_rejoin_after_leave: true
consul_enable_script_checks: true
########################
# consul haproxy backend
########################
consul_haproxy_frontends:
- name: consul_internal
options:
- description consul internal gossip frontend
- mode tcp
- option tcplog
- bind :{{ hashi_consul_configuration.ports.serf_lan }}
- default_backend consul_internal
- name: consul_external
options:
- description consul external http frontend
- mode http
- bind :80
- default_backend consul_external
consul_haproxy_backends:
- name: consul_internal
options: "{{ consul_internal_backend_options + consul_internal_backend_servers }}"
- name: consul_external
options: "{{ consul_external_backend_options + consul_external_backend_servers }}"
consul_internal_backend_options:
- description consul internal gossip backend
consul_internal_backend_servers: |
[
{% for host in groups['consul_servers'] %}
'server {{ hostvars[host].api_interface_address }} {{ hostvars[host].api_interface_address }}:{{ hashi_consul_configuration.ports.serf_lan }} check inter 3s'{% if not loop.last %},{% endif %}
{% endfor %}
]
consul_external_backend_options:
- description consul external http backend
- option forwardfor
- option httpchk
- http-check send meth GET uri /
consul_external_backend_servers: |
[
{% for host in groups['consul_servers'] %}
'server {{ hostvars[host].api_interface_address }} {{ hostvars[host].api_interface_address }}:{{ hashi_consul_configuration.ports.http }} check inter 5s'{% if not loop.last %},{% endif %}
{% endfor %}
]
##############################
# consul address configuration
##############################
consul_address_configuration:
# The address to which Consul will bind client interfaces,
# including the HTTP and DNS servers.
client_addr: "0.0.0.0"
# The address that should be bound to for internal cluster communications.
bind_addr: "{{ api_interface_address }}"
# The advertise address is used to change the address that we advertise to other nodes in the cluster.
advertise_addr: "{{ api_interface_address }}"
##########################
# consul ACL configuration
##########################
consul_acl_configuration:
enabled: true
default_policy: "deny" # can be allow or deny
enable_token_persistence: true
consul_default_agent_policy: |
agent_prefix "" {
policy = "write"
}
node_prefix "" {
policy = "write"
}
service_prefix "" {
policy = "read"
}
##########################
# consul DNS configuration
##########################
consul_dns_configuration:
allow_stale: true
enable_truncate: true
only_passing: true
#########################
# consul ui configuration
#########################
consul_ui_configuration:
enabled: true
###################################
# consul service mesh configuration
###################################
consul_mesh_configuration:
enabled: true
#####################
# extra configuration
#####################
consul_extra_configuration: {}
###############
# configuration
###############
hashi_consul_start_service: true
hashi_consul_version: latest
hashi_consul_deploy_method: "{{ deployment_method }}"
hashi_consul_env_variables: {}
hashi_cosul_config_dir: "/etc/consul.d"
hashi_consul_data_dir: "/opt/consul"
hashi_consul_extra_files: false
hashi_consul_extra_files_src: "{{ sub_configuration_directories.consul_servers }}/config"
hashi_consul_extra_files_dst: "{{ hashi_consul_config_dir }}/config"
hashi_consul_envoy_install: false
hashi_consul_envoy_version: v1.27.2
hashi_consul_configuration:
domain: "{{ consul_domain }}"
datacenter: "{{ consul_datacenter }}"
primary_datacenter: "{{ consul_primary_datacenter }}"
data_dir: "{{ hashi_consul_data_dir }}"
encrypt: "" # "{{ 'mysupersecretgossipencryptionkey'|b64encode }}"
server: "{{ 'consul_servers' in group_names }}"
retry_join: "{{
groups['consul_servers'] |
map('extract', hostvars, ['consul_address_configuration', 'bind_addr']) |
list |
to_json |
from_json
}}"
ui_config: "{{ consul_ui_configuration }}"
connect: "{{ consul_mesh_configuration }}"
leave_on_terminate: true
rejoin_after_leave: true
enable_script_checks: true
enable_syslog: "{{ deployment_method == 'host' }}"
log_level: INFO
acl: "{{ consul_acl_configuration }}"
dns_config: "{{ consul_dns_configuration }}"
ports:
dns: 8600
http: 8500
https: -1
grpc: 8502
grpc_tls: 8503
server: 8300
serf_lan: 8301
serf_wan: 8302
sidecar_min_port: 21000
sidecar_max_port: 21255
expose_min_port: 21500
expose_max_port: 21755
# this is used to circumvent jinja limitation to convert string to integer
hashi_consul_configuration_string: |
bootstrap_expect: {{ (groups['consul_servers'] | length) }}

77
playbooks/group_vars/all/haproxy.yml Normal file
View File

@ -0,0 +1,77 @@
---
#####################################################
# #
# HAProxy Configuration #
# #
#####################################################
deploy_haproxy_deploy_method: "{{ deployment_method }}"
deploy_haproxy_version: "2.8"
deploy_haproxy_env_variables: {}
deploy_haproxy_start_service: true
deploy_haproxy_cert_dir: ""
deploy_haproxy_extra_container_volumes: []
deploy_haproxy_global:
- log /dev/log local0
- log /dev/log local1 notice
- stats socket {{ deploy_haproxy_socket }} level admin
- chroot {{ deploy_haproxy_chroot }}
- daemon
- description hashistack haproxy
deploy_haproxy_defaults:
- log global
- mode http
- option httplog
- option dontlognull
- timeout connect 5000
- timeout client 5000
- timeout server 5000
deploy_haproxy_frontends: "{{ consul_haproxy_frontends }}"
deploy_haproxy_backends: "{{ consul_haproxy_backends }}"
deploy_haproxy_listen:
- name: monitoring
options:
- bind :9000
- mode http
- option httpchk
- stats enable
- stats uri /stats
- stats refresh 30s
- stats show-desc
- stats show-legends
- stats auth admin:password
- http-check send meth GET uri /health ver HTTP/1.1 hdr Host localhost
- http-check expect status 200
- acl health_check_ok nbsrv() ge 1
- monitor-uri /health
- http-request use-service prometheus-exporter if { path /metrics }
deploy_keepalived_deploy_method: "{{ deployment_method }}"
deploy_keepalived_version: "latest"
deploy_keepalived_start_service: true
deploy_keepalived_env_variables: {}
deploy_keepalived_vrrp_instance_name: "{{ ansible_hostname }}"
deploy_keepalived_interface: "{{ api_interface }}"
deploy_keepalived_state: "BACKUP"
deploy_keepalived_router_id: 50
deploy_keepalived_priority: 100
deploy_keepalived_advert_interval: 1
deploy_keepalived_unicast_source: "{{ api_interface_address }}"
deploy_keepalived_unicast_peers: "{{ groups['haproxy_servers'] | difference([ansible_hostname]) | map('extract', hostvars, ['api_interface_address']) | list }}"
deploy_keepalived_auth_passwd: "password"
deploy_keepalived_virtual_ips:
- "{{ hashistack_external_vip_addr }}/32 dev {{ hashistack_external_vip_interface }}"
- "{{ hashistack_internal_vip_addr }}/32 dev {{ hashistack_internal_vip_interface }}"
deploy_keepalived_notify_script: notify.sh
deploy_keepalived_custom_scripts_src:
deploy_keepalived_extra_container_volumes: []
deploy_keepalived_use_custom_config: false
deploy_keepalived_custom_config_src:

18
playbooks/group_vars/all/nomad.yml Normal file
View File

@ -0,0 +1,18 @@
#####################################################
# #
# Nomad Configuration #
# #
#####################################################
hashi_nomad_cni_plugins_install: true
hashi_nomad_start_service: true
hashi_nomad_cni_plugins_version: latest
hashi_nomad_cni_plugins_install_path: /opt/cni/bin
hashi_nomad_version: latest
hashi_nomad_deploy_method: host # deployment method, either host or docker
hashi_nomad_env_variables: {}
hashi_nomad_data_dir: /opt/nomad
hashi_nomad_extra_files: false
hashi_nomad_extra_files_src: /tmp/extra_files
hashi_nomad_extra_files_dst: /etc/nomad.d/extra_files
hashi_nomad_configuration: {}

111
playbooks/group_vars/all/vault.yml Normal file
View File

@ -0,0 +1,111 @@
---
#####################################################
# #
# Vault Configuration #
# #
#####################################################
vault_cluster_name: vault
vault_enable_ui: true
vault_seal_configuration:
key_shares: 3
key_threshold: 2
#########
# storage
#########
vault_storage_configuration:
raft:
path: "{{ hashi_vault_data_dir }}/data"
node_id: "{{ ansible_hostname }}"
retry_join: |
[
{% for host in groups['vault_servers'] %}
{
'leader_api_addr': 'http://{{ hostvars[host].api_interface_address }}:8200'
}{% if not loop.last %},{% endif %}
{% endfor %}
]
##########
# listener
##########
vault_enable_tls: false
vault_listener_configuration:
tcp:
address: "0.0.0.0:8200"
tls_disable: true
vault_tls_listener_configuration:
tcp:
tls_disable: false
tls_cert_file: "{{ hashi_vault_extra_files_dst }}/tls/cert.pem"
tls_key_file: "{{ hashi_vault_extra_files_dst }}/tls/key.pem"
vault_extra_listener_configuration: {}
######################
# service registration
######################
vault_enable_service_registration: false
vault_service_registration_configuration:
consul:
address: "127.0.0.1:8500"
scheme: "http"
#########
# plugins
#########
vault_enable_plugins: true
vault_plugin_directory: "{{ hashi_vault_extra_files_dst }}/plugin"
#########
# logging
#########
vault_enable_log_to_file: false
vault_logging_configuration:
log_level: info
log_format: standard
log_rotate_duration: 24h
log_rotate_max_files: 30
#########################
# vault container volumes
#########################
extra_vault_container_volumes: []
#####################
# extra configuration
#####################
vault_extra_configuration: {}
###############
# configuration
###############
hashi_vault_start_service: true
hashi_vault_version: latest
hashi_vault_deploy_method: "{{ deployment_method }}"
hashi_vault_env_variables: {}
hashi_vault_config_dir: "/etc/vault.d"
hashi_vault_data_dir: "/opt/vault"
hashi_vault_extra_files: true
hashi_vault_extra_files_src: "{{ sub_configuration_directories.vault_servers }}/config"
hashi_vault_extra_files_dst: "{{ hashi_vault_config_dir }}/config"
hashi_vault_extra_container_volumes: "{{ default_container_extra_volumes | union(extra_vault_container_volumes) | unique }}"
hashi_vault_configuration:
cluster_name: "{{ vault_cluster_name }}"
cluster_addr: "http://{{ api_interface_address }}:8201"
api_addr: "http://{{ api_interface_address }}:8200"
ui: "{{ vault_enable_ui }}"
disable_mlock: false
disable_cache: false
listener: "{{ vault_listener_configuration }}"
storage: "{{ vault_storage_configuration }}"

6
playbooks/tasks/consul/consul_vars.yml
View File

@ -43,12 +43,6 @@
hashi_consul_configuration: "{{ hashi_consul_configuration | default({}) | combine(_config_to_merge, recursive=true) }}"
when: _consul_cluster_config.tokens is defined
- name: Debug token config
ansible.builtin.debug:
msg: "{{ hashi_consul_configuration }}"
# - fail:
- name: "Consul | Merge extra configuration settings"
vars:
_config_to_merge: "{{ consul_extra_configuration }}"

9
playbooks/tasks/haproxy/haproxy_deploy.yml Normal file
View File

@ -0,0 +1,9 @@
- name: "HAProxy"
block:
- name: "Include ednz_cloud.deploy_haproxy"
ansible.builtin.include_role:
name: ednz_cloud.deploy_haproxy
- name: "Include ednz_cloud.deploy_keepalived"
ansible.builtin.include_role:
name: ednz_cloud.deploy_keepalived

0
playbooks/tasks/haproxy/haproxy_vars.yml Normal file
View File

7
playbooks/tasks/load_vars.yml
View File

@ -77,3 +77,10 @@
when:
- enable_vault | bool
- "'vault_servers' in group_names"
- debug:
msg: "{{ deploy_haproxy_frontends }}"
- debug:
msg: "{{ deploy_haproxy_backends }}"
# - fail:

2
roles/hashicorp_consul

@ -1 +1 @@
Subproject commit 9c906ed7dba091bab9139bd9d68218f421528440
Subproject commit a322d3c144806ea2524651996e19ff9885b90e16