feat(docs): start writing the architecture guide

2024-01-28 22:34:27 +01:00 · 2024-01-28 22:34:27 +01:00 · d270161c28
commit d270161c28
parent ec231bf184
4 changed files with 135 additions and 14 deletions
--- a/.gitignore
+++ b/.gitignore
@ -2,4 +2,5 @@
 **/__pycache__
 .vscode
 roles/ednxzu.*
-vault_config
+vault_config
+consul_config
--- a/docs/architecture_guide.md.md
+++ b/docs/architecture_guide.md.md
@ -0,0 +1,94 @@
+# Architecture Guide
+
+Hashistack-Ansible allows you to deploy a number of architecture, wether you want to deploy a dev, testing, or production environment. These different architectures are described in this section.
+
+## Dev deployment
+
+If you only want to deploy a test environment, you can simply add a simgle host to each service that you want to deploy.
+
+```ini
+[haproxy_servers]
+
+[vault_servers]
+test01
+
+[consul_servers]
+test01
+
+[nomad_servers]
+test01
+```
+
+In this example, you will end end with each service running on a single host, with no clustering, and no redundancy. This setup *IS NOT RECOMMENDED** for anything but testing purposes, as it provides zero resiliency, and will break if anything goes down.
+
+For this setup, the only requirement is for the target host to have a network interface that you can ssh into from the deployment host.
+
+The architecture would like something like this:
+
+```mermaid
+graph LR;
+  client[Client] -->|http| server{
+    Vault Server
+    Consul Server
+    Nomad Server
+  };
+```
+
+## Testing/Preprod deployment
+
+## Production deployment
+
+For production use, it is recommended to separate concerns as much as possible. This means that consul, vault and nomad, as well as the haproxy services, should be on different nodes altogether. The **client-facing** and **cluster-facing** interfaces should also be separated.
+
+Ideally, you would need:
+  - an odd number (3 to 5) of consul servers
+  - an odd number (3 to 5) of vault servers
+  - an odd number (3 to 5) of nomad servers
+  - multiple (2 to 3) haproxy servers
+
+The **nomad**, **vault** and **consul** servers should have **two network interfaces**, and one of them should be reachable from the haproxy nodes.
+
+The architecture for this infrastructure would look like:
+
+```mermaid
+graph TD
+  client[Client] -->|https :443| keepalived
+  keepalived[VIP] --> haproxy1[HAProxy] & haproxy2[HAProxy]
+  subgraph frontends
+  direction LR
+    haproxy1[HAProxy]
+    haproxy2[HAProxy]
+  end
+
+  haproxy1[HAProxy] & haproxy2[HAProxy] -->|http :8500| consul
+
+  subgraph consul
+  direction LR
+    consul1[Consul 01] <--> consul2[Consul 02] & consul3[Consul 03] & consul4[Consul 04] & consul5[Consul 05]
+    consul2[Consul 02] <--> consul3[Consul 03] & consul4[Consul 04] & consul5[Consul 05]
+    consul3[Consul 03] <--> consul4[Consul 04] & consul5[Consul 05]
+    consul4[Consul 04] <--> consul5[Consul 05]
+
+  end
+
+  haproxy1[HAProxy] & haproxy2[HAProxy] -->|http :8200| vault
+
+  subgraph vault
+  direction LR
+    vault1[Vault 01] <--> vault2[Vault 02]
+    vault2[Vault 02] <--> vault3[Vault 03]
+    vault3[Vault 03] <--> vault1[Vault 01]
+  end
+
+  vault -->|Service registration| consul
+  haproxy1[HAProxy] & haproxy2[HAProxy] -->|http :4646| nomad
+
+  subgraph nomad
+  direction LR
+    nomad1[Nomad 01] <--> nomad2[Nomad 02]
+    nomad2[Nomad 02] <--> nomad3[Nomad 03]
+    nomad3[Nomad 03] <--> nomad1[Nomad 01]
+  end
+
+  nomad -->|Service registration| consul
+```
--- a/playbooks/group_vars/all.yml
+++ b/playbooks/group_vars/all.yml
@ -3,7 +3,7 @@
 # General options ########
 ##########################

-enable_vault: "yes"
+enable_vault: "no"
 enable_consul: "yes"
 enable_nomad: "no"

@ -114,12 +114,6 @@ consul_acl_configuration:
  default_policy: "deny" # can be allow or deny
  enable_token_persistence: true

-#####################
-# extra configuration
-#####################
-
-consul_extra_configuration: {}
-
 ##########################
 # consul DNS configuration
 ##########################
@ -129,6 +123,30 @@ consul_dns_configuration:
  enable_truncate: true
  only_passing: true

+#########################
+# consul ui configuration
+#########################
+
+consul_ui_configuration:
+  enabled: true
+
+###################################
+# consul service mesh configuration
+###################################
+
+consul_mesh_configuration:
+  enabled: true
+
+#####################
+# extra configuration
+#####################
+
+consul_extra_configuration: {}
+
+###############
+# configuration
+###############
+
 hashi_consul_start_service: true
 hashi_consul_version: latest
 hashi_consul_deploy_method: "{{ deployment_method }}"
@ -138,8 +156,8 @@ hashi_consul_data_dir: "/opt/consul"
 hashi_consul_extra_files: false
 hashi_consul_extra_files_src: "{{ sub_configuration_directories.consul_servers }}/config"
 hashi_consul_extra_files_dst: "{{ hashi_consul_config_dir }}/config"
-hashi_consul_envoy_install: false
-hashi_consul_envoy_version: latest
+hashi_consul_envoy_install: true
+hashi_consul_envoy_version: v1.27.2
 hashi_consul_configuration:
  domain: "{{ consul_domain }}"
  datacenter: "{{ consul_datacenter }}"
@ -154,10 +172,8 @@ hashi_consul_configuration:
    to_json |
    from_json
    }}"
-  ui_config:
-    enabled: true
-  connect:
-    enabled: false
+  ui_config: "{{ consul_ui_configuration }}"
+  connect: "{{ consul_mesh_configuration }}"
  leave_on_terminate: true
  rejoin_after_leave: true
  enable_script_checks: true
@ -196,6 +212,7 @@ vault_seal_configuration:
 #########
 # storage
 #########
+
 vault_storage_configuration:
  raft:
    path: "{{ hashi_vault_data_dir }}/data"
@ -212,6 +229,7 @@ vault_storage_configuration:
 ##########
 # listener
 ##########
+
 vault_enable_tls: false
 vault_listener_configuration:
  tcp:
@ -239,12 +257,14 @@ vault_service_registration_configuration:
 #########
 # plugins
 #########
+
 vault_enable_plugins: true
 vault_plugin_directory: "{{ hashi_vault_extra_files_dst }}/plugin"

 #########
 # logging
 #########
+
 vault_enable_log_to_file: false
 vault_logging_configuration:
  log_level: info
@ -255,6 +275,7 @@ vault_logging_configuration:
 #########################
 # vault container volumes
 #########################
+
 extra_vault_container_volumes: []

 #####################
@ -266,6 +287,7 @@ vault_extra_configuration: {}
 ###############
 # configuration
 ###############
+
 hashi_vault_start_service: true
 hashi_vault_version: latest
 hashi_vault_deploy_method: "{{ deployment_method }}"
--- a/playbooks/inventory/multinode.ini
+++ b/playbooks/inventory/multinode.ini
@ -1,3 +1,7 @@
+[haproxy_servers]
+haproxy01
+haproxy02
+
 [vault_servers]
 vault01
 vault02