From cdb94d9848cf091eba32e873fd527cf80fad058b Mon Sep 17 00:00:00 2001
From: Bertrand Lanson
Date: Sun, 15 Sep 2024 21:38:55 +0200
Subject: [PATCH] test: adjust globals.yml for tls and no_tls multinode setups
---
.../etc/hashistack/globals.yml | 312 +++---------------
.../tls_multi_node/etc/hashistack/globals.yml | 307 +++--------------
2 files changed, 108 insertions(+), 511 deletions(-)
diff --git a/molecule/no_tls_multi_node/etc/hashistack/globals.yml b/molecule/no_tls_multi_node/etc/hashistack/globals.yml
index 4a02ac8..477fe52 100644
--- a/molecule/no_tls_multi_node/etc/hashistack/globals.yml
+++ b/molecule/no_tls_multi_node/etc/hashistack/globals.yml
@@ -1,293 +1,91 @@ --- # Molecule specific variables -########################## -# General options ######## -########################## +################### +# General options # +################### -# enable_haproxy: "yes" -# enable_vault: "yes" -# enable_consul: "yes" -# enable_nomad: "yes" +enable_vault: "yes" +enable_consul: "yes" +enable_nomad: "yes" -# haproxy_version: "2.8" -nomad_version: "1.8.2" +nomad_version: "1.8.3" # consul_version: "1.18.1" -# vault_version: "1.16.2" - -# consul_fqdn: consul.ednz.lab -# vault_fqdn: vault.ednz.lab -# nomad_fqdn: nomad.ednz.lab - -# hashistack_external_vip_interface: "eth0" -# hashistack_external_vip_addr: "192.168.121.100" -# hashistack_internal_vip_interface: "{{ hashistack_external_vip_interface }}" -# hashistack_internal_vip_addr: "{{ hashistack_external_vip_addr }}" +vault_version: "1.17.2" api_interface: "eth1" # api_interface_address: "{{ ansible_facts[api_interface]['ipv4']['address'] }}" -######################## -# external tls options # -######################## - -# enable_tls_external: false -# external_tls_externally_managed_certs: false +################### +# logging options # +################### +enable_log_to_file: true ######################## # internal tls options # ######################## # enable_tls_internal: false # internal_tls_externally_managed_certs: false +########## +# Consul # +########## -##################################################### -# # -# Consul # -# # -##################################################### +# hashistack_consul_domain: consul +# hashistack_consul_datacenter: dc1 +# hashistack_consul_primary_datacenter: "{{ consul_datacenter }}" +# hashistack_consul_gossip_encryption_key: "{{ _credentials.consul.gossip_encryption_key }}" +# hashistack_consul_enable_script_checks: false -# consul_domain: consul -# consul_datacenter: dc1 -# consul_primary_datacenter: dc1 -# consul_leave_on_terminate: true -# consul_rejoin_after_leave: true -# consul_enable_script_checks: true 
-# consul_gossip_encryption_key: "{{ 'mysupersecretgossipencryptionkey'|b64encode }}" +# hashistack_consul_extra_files_list: [] +# hashistack_consul_extra_configuration: {} -################################ -# consul address configuration # -################################ +# hashistack_consul_enable_tls: "{{ enable_tls_internal }}" -# consul_address_configuration: -# # The address to which Consul will bind client interfaces, -# # including the HTTP and DNS servers. -# client_addr: "0.0.0.0" -# # The address that should be bound to for internal cluster communications. -# bind_addr: "{{ api_interface_address }}" -# # The advertise address is used to change the address that we advertise to other nodes in the cluster. -# advertise_addr: "{{ api_interface_address }}" +# hashistack_consul_log_level: info -############################ -# consul ACL configuration # -############################ +######### +# Vault # +######### -# consul_acl_configuration: -# enabled: true -# default_policy: "deny" # can be allow or deny -# enable_token_persistence: true +# hashistack_vault_cluster_name: vault +# hashistack_vault_bind_addr: "0.0.0.0" +# hashistack_vault_cluster_addr: "{{ api_interface_address }}" +# hashistack_vault_enable_ui: true +# hashistack_vault_disable_mlock: false +# hashistack_vault_disable_cache: false -############################ -# consul DNS configuration # -############################ +# hashistack_vault_extra_files_list: [] +# hashistack_vault_extra_configuration: {} -# consul_dns_configuration: -# allow_stale: true -# enable_truncate: true -# only_passing: true +# hashistack_vault_enable_tls: "{{ enable_tls_internal }}" -########################### -# consul ui configuration # -########################### +# hashistack_vault_enable_service_registration: "{{ enable_consul | bool }}" -# consul_ui_configuration: -# enabled: "{{ 'consul_servers' in group_names }}" +# hashistack_vault_enable_plugins: false -##################################### -# consul 
service mesh configuration # -##################################### +# hashistack_vault_log_level: info -# consul_mesh_configuration: -# enabled: true +######### +# Nomad # +######### -############################ -# consul tls configuration # -############################ +# hashistack_nomad_region: global +# hashistack_nomad_datacenter: dc1 -# consul_enable_tls: "{{ enable_tls_internal }}" -# consul_tls_configuration: -# defaults: -# ca_file: "/etc/ssl/certs/ca-certificates.crt" -# cert_file: "{{ consul_certificates_directory }}/cert.pem" -# key_file: "{{ consul_certificates_directory }}/key.pem" -# verify_incoming: false -# verify_outgoing: true -# internal_rpc: -# verify_server_hostname: true +# hashistack_nomad_extra_files_list: [] +# hashistack_nomad_extra_configuration: {} -############################ -# consul container volumes # -############################ +# hashistack_nomad_autopilot_configuration: {} -# extra_consul_container_volumes: [] +# hashistack_nomad_driver_enable_docker: true +# hashistack_nomad_driver_enable_podman: false +# hashistack_nomad_driver_enable_raw_exec: false +# hashistack_nomad_driver_enable_java: false +# hashistack_nomad_driver_enable_qemu: false -############################## -# consul extra configuration # -############################## +# hashistack_nomad_driver_configuration: {} -# consul_extra_configuration: {} -# consul_extra_files_list: [] +# hashistack_nomad_log_level: info -##################################################### -# # -# Vault # -# # -##################################################### - -# vault_cluster_name: vault -# vault_enable_ui: true -# vault_seal_configuration: -# key_shares: 3 -# key_threshold: 2 - -################# -# vault storage # -################# - -# vault_storage_configuration: -# raft: -# path: "{{ hashicorp_vault_data_dir }}/data" -# node_id: "{{ ansible_hostname }}" -# retry_join: | -# [ -# {% for host in groups['vault_servers'] %} -# { -# 'leader_api_addr': '{{ "https" if 
vault_enable_tls else "http"}}://{{ hostvars[host].api_interface_address }}:8200' -# }{% if not loop.last %},{% endif %} -# {% endfor %} -# ] - -################## -# vault listener # -################## - -# vault_enable_tls: "{{ enable_tls_internal }}" -# vault_tls_verify: false -# vault_listener_configuration: -# tcp: -# address: "0.0.0.0:8200" -# tls_disable: true - -# vault_tls_listener_configuration: -# tcp: -# tls_disable: false -# tls_cert_file: "{{ vault_certificates_directory }}/cert.pem" -# tls_key_file: "{{ vault_certificates_directory }}/key.pem" -# tls_disable_client_certs: true - -# vault_extra_listener_configuration: {} - -######################## -# service registration # -######################## - -# vault_enable_service_registration: false -# vault_service_registration_configuration: -# consul: -# address: "127.0.0.1:8500" -# scheme: "http" -# token: "" - -################# -# vault plugins # -################# - -# vault_enable_plugins: false - -########### -# logging # -########### - -# vault_enable_log_to_file: false -# vault_logging_configuration: -# log_level: info -# log_format: standard -# log_rotate_duration: 24h -# log_rotate_max_files: 30 - -########################### -# vault container volumes # -########################### - -# extra_vault_container_volumes: [] - -############################# -# vault extra configuration # -############################# - -# vault_extra_configuration: {} -# vault_extra_files_list: [] - -##################################################### -# # -# Nomad # -# # -##################################################### - -# nomad_datacenter: dc1 -# nomad_region: global - -########################### -# nomad ACL configuration # -########################### - -# nomad_acl_configuration: -# enabled: true -# token_ttl: 30s -# policy_ttl: 60s -# role_ttl: 60s - -############################ -# nomad consul integration # -############################ - -# nomad_enable_consul_integration: "{{ enable_consul | 
bool }}" -# nomad_consul_integration_configuration: -# address: "127.0.0.1:{{ hashicorp_consul_configuration.ports.https if consul_enable_tls else hashicorp_consul_configuration.ports.http }}" -# auto_advertise: true -# ssl: "{{ consul_enable_tls | bool }}" -# token: "{{ _credentials.consul.tokens.nomad.server.secret_id if nomad_enable_server else _credentials.consul.tokens.nomad.client.secret_id}}" -# tags: [] - -############################ -# nomad vault integration # -############################ - -# nomad_enable_vault_integration: false -# nomad_vault_integration_configuration: {} - -############################### -# nomad drivers configuration # -############################### - -# nomad_driver_enable_docker: yes -# nomad_driver_enable_podman: no -# nomad_driver_enable_raw_exec: no -# nomad_driver_enable_java: no -# nomad_driver_enable_qemu: no - -# nomad_driver_extra_configuration: {} - -###################### -# nomad internal tls # -###################### - -# nomad_enable_tls: "{{ enable_tls_internal }}" -# nomad_tls_configuration: -# http: true -# rpc: true -# ca_file: "/etc/ssl/certs/ca-certificates.crt" -# cert_file: "{{ nomad_certificates_directory }}/cert.pem" -# key_file: "{{ nomad_certificates_directory }}/key.pem" -# verify_server_hostname: true -# nomad_certificates_directory: "{{ hashicorp_nomad_config_dir }}/tls" -# nomad_certificates_extra_files_dir: -# - src: "{{ hashistack_sub_configuration_directories['certificates'] }}/nomad/{{ inventory_hostname }}" -# dest: "{{ nomad_certificates_directory }}" - -############################# -# nomad extra configuration # -############################# - -# nomad_extra_configuration: {} -# nomad_extra_files_list: [] +# hashistack_nomad_enable_tls: "{{ enable_tls_internal }}"
diff --git a/molecule/tls_multi_node/etc/hashistack/globals.yml b/molecule/tls_multi_node/etc/hashistack/globals.yml
index b0bca38..c3baeb3 100644
--- a/molecule/tls_multi_node/etc/hashistack/globals.yml
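Review bot: The newly active `enable_vault: "yes"`, `enable_consul: "yes"` and `enable_nomad: "yes"` are quoted strings while `enable_log_to_file: true` in the same hunk is a real boolean; a string value is truthy in any `when:` that omits `| bool` (a `"no"` would still enable the component), so these should read `enable_vault: true`, `enable_consul: true`, `enable_nomad: true` — the tls_multi_node General options hunk makes the same choice. The added default `# hashistack_consul_primary_datacenter: "{{ consul_datacenter }}"` still references the pre-rename variable while the line above it introduces `hashistack_consul_datacenter`; if the rename to the `hashistack_` prefix is complete, uncommenting this line would fail on an undefined variable and it presumably should read `"{{ hashistack_consul_datacenter }}"` (the same line appears in the tls_multi_node Consul hunk). `nomad_version` and `vault_version` are now pinned but `consul_version` stays commented, so the Consul build this scenario tests floats with the role default; pinning it as well would keep the two scenarios reproducible.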
+++ b/molecule/tls_multi_node/etc/hashistack/globals.yml
@@ -7,38 +7,26 @@ hashistack_ca_directory_owner: "{{ lookup('env', 'USER') }}" hashistack_ca_domain: ednz.lab hashistack_ca_intermediate_name_constraints_critical: false -########################## -# General options ######## -########################## +################### +# General options # +################### -# enable_haproxy: "yes" -# enable_vault: "yes" -# enable_consul: "yes" -# enable_nomad: "yes" +enable_vault: "yes" +enable_consul: "yes" +enable_nomad: "yes" -# haproxy_version: "2.8" nomad_version: "1.8.3" # consul_version: "1.18.1" vault_version: "1.17.2" -# consul_fqdn: consul.ednz.lab -# vault_fqdn: vault.ednz.lab -# nomad_fqdn: nomad.ednz.lab - -# hashistack_external_vip_interface: "eth0" -# hashistack_external_vip_addr: "192.168.121.100" -# hashistack_internal_vip_interface: "{{ hashistack_external_vip_interface }}" -# hashistack_internal_vip_addr: "{{ hashistack_external_vip_addr }}" - api_interface: "eth1" # api_interface_address: "{{ ansible_facts[api_interface]['ipv4']['address'] }}" -######################## -# external tls options # -######################## +################### +# logging options # +################### -enable_tls_external: true -# external_tls_externally_managed_certs: false +enable_log_to_file: true ######################## # internal tls options #
@@ -46,254 +34,65 @@ enable_tls_external: true enable_tls_internal: true # internal_tls_externally_managed_certs: false +########## +# Consul # +########## -##################################################### -# # -# Consul # -# # -##################################################### +# hashistack_consul_domain: consul +# hashistack_consul_datacenter: dc1 +# hashistack_consul_primary_datacenter: "{{ consul_datacenter }}" +# hashistack_consul_gossip_encryption_key: "{{ _credentials.consul.gossip_encryption_key }}" +# hashistack_consul_enable_script_checks: false -# consul_domain: consul -# consul_datacenter: dc1 -# consul_primary_datacenter: dc1 -# consul_leave_on_terminate: true -# consul_rejoin_after_leave: true -# consul_enable_script_checks: true -# consul_gossip_encryption_key: "{{ 'mysupersecretgossipencryptionkey'|b64encode }}" +# hashistack_consul_extra_files_list: [] +# hashistack_consul_extra_configuration: {} -################################ -# consul address configuration # -################################ +# hashistack_consul_enable_tls: "{{ enable_tls_internal }}" -# consul_address_configuration: -# # The address to which Consul will bind client interfaces, -# # including the HTTP and DNS servers. -# client_addr: "0.0.0.0" -# # The address that should be bound to for internal cluster communications. -# bind_addr: "{{ api_interface_address }}" -# # The advertise address is used to change the address that we advertise to other nodes in the cluster. 
-# advertise_addr: "{{ api_interface_address }}" +# hashistack_consul_log_level: info -############################ -# consul ACL configuration # -############################ +######### +# Vault # +######### -# consul_acl_configuration: -# enabled: true -# default_policy: "deny" # can be allow or deny -# enable_token_persistence: true +# hashistack_vault_cluster_name: vault +# hashistack_vault_bind_addr: "0.0.0.0" +# hashistack_vault_cluster_addr: "{{ api_interface_address }}" +# hashistack_vault_enable_ui: true +# hashistack_vault_disable_mlock: false +# hashistack_vault_disable_cache: false -############################ -# consul DNS configuration # -############################ +# hashistack_vault_extra_files_list: [] +# hashistack_vault_extra_configuration: {} -# consul_dns_configuration: -# allow_stale: true -# enable_truncate: true -# only_passing: true +# hashistack_vault_enable_tls: "{{ enable_tls_internal }}" -########################### -# consul ui configuration # -########################### +# hashistack_vault_enable_service_registration: "{{ enable_consul | bool }}" -# consul_ui_configuration: -# enabled: "{{ 'consul_servers' in group_names }}" +# hashistack_vault_enable_plugins: false -##################################### -# consul service mesh configuration # -##################################### +# hashistack_vault_log_level: info -# consul_mesh_configuration: -# enabled: true +######### +# Nomad # +######### -############################ -# consul tls configuration # -############################ +# hashistack_nomad_region: global +# hashistack_nomad_datacenter: dc1 -# consul_enable_tls: "{{ enable_tls_internal }}" -# consul_tls_configuration: -# defaults: -# ca_file: "/etc/ssl/certs/ca-certificates.crt" -# cert_file: "{{ consul_certificates_directory }}/cert.pem" -# key_file: "{{ consul_certificates_directory }}/key.pem" -# verify_incoming: false -# verify_outgoing: true -# internal_rpc: -# verify_server_hostname: true +# 
hashistack_nomad_extra_files_list: [] +# hashistack_nomad_extra_configuration: {} -############################ -# consul container volumes # -############################ +# hashistack_nomad_autopilot_configuration: {} -# extra_consul_container_volumes: [] +# hashistack_nomad_driver_enable_docker: true +# hashistack_nomad_driver_enable_podman: false +# hashistack_nomad_driver_enable_raw_exec: false +# hashistack_nomad_driver_enable_java: false +# hashistack_nomad_driver_enable_qemu: false -############################## -# consul extra configuration # -############################## +# hashistack_nomad_driver_configuration: {} -# consul_extra_configuration: {} -# consul_extra_files_list: [] +# hashistack_nomad_log_level: info -##################################################### -# # -# Vault # -# # -##################################################### - -# vault_cluster_name: vault -# vault_enable_ui: true -# vault_seal_configuration: -# key_shares: 3 -# key_threshold: 2 - -################# -# vault storage # -################# - -# vault_storage_configuration: -# raft: -# path: "{{ hashicorp_vault_data_dir }}/data" -# node_id: "{{ ansible_hostname }}" -# retry_join: | -# [ -# {% for host in groups['vault_servers'] %} -# { -# 'leader_api_addr': '{{ "https" if vault_enable_tls else "http"}}://{{ hostvars[host].api_interface_address }}:8200' -# }{% if not loop.last %},{% endif %} -# {% endfor %} -# ] - -################## -# vault listener # -################## - -# vault_enable_tls: "{{ enable_tls_internal }}" -# vault_tls_verify: false -# vault_listener_configuration: -# tcp: -# address: "0.0.0.0:8200" -# tls_disable: true - -# vault_tls_listener_configuration: -# tcp: -# tls_disable: false -# tls_cert_file: "{{ vault_certificates_directory }}/cert.pem" -# tls_key_file: "{{ vault_certificates_directory }}/key.pem" -# tls_disable_client_certs: true - -# vault_extra_listener_configuration: {} - -######################## -# service registration # 
-######################## - -# vault_enable_service_registration: false -# vault_service_registration_configuration: -# consul: -# address: "127.0.0.1:8500" -# scheme: "http" -# token: "" - -################# -# vault plugins # -################# - -# vault_enable_plugins: false - -########### -# logging # -########### - -# vault_enable_log_to_file: false -# vault_logging_configuration: -# log_level: info -# log_format: standard -# log_rotate_duration: 24h -# log_rotate_max_files: 30 - -########################### -# vault container volumes # -########################### - -# extra_vault_container_volumes: [] - -############################# -# vault extra configuration # -############################# - -# vault_extra_configuration: {} -# vault_extra_files_list: [] - -##################################################### -# # -# Nomad # -# # -##################################################### - -# nomad_datacenter: dc1 -# nomad_region: global - -########################### -# nomad ACL configuration # -########################### - -# nomad_acl_configuration: -# enabled: true -# token_ttl: 30s -# policy_ttl: 60s -# role_ttl: 60s - -############################ -# nomad consul integration # -############################ - -# nomad_enable_consul_integration: "{{ enable_consul | bool }}" -# nomad_consul_integration_configuration: -# address: "127.0.0.1:{{ hashicorp_consul_configuration.ports.https if consul_enable_tls else hashicorp_consul_configuration.ports.http }}" -# auto_advertise: true -# ssl: "{{ consul_enable_tls | bool }}" -# token: "{{ _credentials.consul.tokens.nomad.server.secret_id if nomad_enable_server else _credentials.consul.tokens.nomad.client.secret_id}}" -# tags: [] - -############################ -# nomad vault integration # -############################ - -# nomad_enable_vault_integration: false -# nomad_vault_integration_configuration: {} - -############################### -# nomad drivers configuration # -############################### - 
-# nomad_driver_enable_docker: yes -# nomad_driver_enable_podman: no -# nomad_driver_enable_raw_exec: no -# nomad_driver_enable_java: no -# nomad_driver_enable_qemu: no - -# nomad_driver_extra_configuration: {} - -###################### -# nomad internal tls # -###################### - -# nomad_enable_tls: "{{ enable_tls_internal }}" -# nomad_tls_configuration: -# http: true -# rpc: true -# ca_file: "/etc/ssl/certs/ca-certificates.crt" -# cert_file: "{{ nomad_certificates_directory }}/cert.pem" -# key_file: "{{ nomad_certificates_directory }}/key.pem" -# verify_server_hostname: true -# nomad_certificates_directory: "{{ hashicorp_nomad_config_dir }}/tls" -# nomad_certificates_extra_files_dir: -# - src: "{{ hashistack_sub_configuration_directories['certificates'] }}/nomad/{{ inventory_hostname }}" -# dest: "{{ nomad_certificates_directory }}" - -############################# -# nomad extra configuration # -############################# - -# nomad_extra_configuration: {} -# nomad_extra_files_list: [] +# hashistack_nomad_enable_tls: "{{ enable_tls_internal }}"
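Review bot: With `enable_tls_internal: true` in context, the only TLS-related settings left visible in this scenario are the commented `hashistack_consul_enable_tls`, `hashistack_vault_enable_tls` and `hashistack_nomad_enable_tls` lines, so which verification the test actually exercises (server-hostname checks, whether client certificates are required) is now decided entirely by role defaults that cannot be seen from this file — the removed block used to state it explicitly with `verify_incoming: false` and `tls_disable_client_certs: true`. A short comment under the internal tls options header, e.g. `# Certificate verification behaviour is inherited from the role defaults; override the role's TLS configuration variables here to test stricter modes`, would tell the next maintainer what this scenario does and does not cover. Presumably the role still exposes per-component TLS configuration variables under the new `hashistack_` prefix; confirm their names before referencing them in that comment.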