From d9ff21db6f378dc5a94e8c603cdbd3a10dd21719 Mon Sep 17 00:00:00 2001 From: Bertrand Lanson Date: Wed, 13 Mar 2024 00:02:14 +0100 Subject: [PATCH] feat(consul): start creation of agents token, merge it with primary config if already present --- playbooks/deploy.yml | 83 ++++++++++++++++++--- playbooks/group_vars/all.yml | 127 +++++++++++++++++++++++++++++--- playbooks/preflight.yml | 4 +- playbooks/tasks/consul_vars.yml | 30 ++++++++ 4 files changed, 222 insertions(+), 22 deletions(-) diff --git a/playbooks/deploy.yml b/playbooks/deploy.yml index 1a94d39..f8880dc 100644 --- a/playbooks/deploy.yml +++ b/playbooks/deploy.yml @@ -18,10 +18,6 @@ ansible.builtin.debug: msg: "{{ hashi_vault_configuration }}" - - name: "Debug" - ansible.builtin.debug: - msg: "{{ hashi_consul_configuration }}" - # - ansible.builtin.fail: - name: "Consul" 
@@ -35,22 +31,39 @@ ansible.builtin.include_role: name: ednz_cloud.hashistack.hashicorp_consul + - name: "Wait for consul cluster to initialize" # noqa: run-once[task] + ansible.builtin.wait_for: + timeout: 15 + delegate_to: localhost + run_once: true + - name: "Initialize consul cluster" # noqa: run-once[task] - ednz_cloud.hashistack.consul_acl_bootstrap: - api_addr: "{{ hashi_consul_configuration['advertise_addr'] }}" + community.general.consul_acl_bootstrap: + host: "{{ hashi_consul_configuration['advertise_addr'] }}" + port: 8500 + scheme: http + state: present run_once: true delegate_to: "{{ groups['consul_servers'] | first }}" - retries: 5 - delay: 5 + # retries: 5 + # delay: 5 register: _consul_init_secret - until: not _consul_init_secret.failed + # until: _consul_init_secret.result is defined + when: hashi_consul_configuration.acl.enabled - name: "Write consul configuration to file" # noqa: run-once[task] no-handler ansible.builtin.copy: - content: "{{ _consul_init_secret.state | to_nice_yaml}}" + content: "{{ + { + 'root_token':{ + 'accessor_id': _consul_init_secret.result.AccessorID, + 'secret_id': _consul_init_secret.result.SecretID + } + } | to_nice_yaml + }}" dest: "{{ sub_configuration_directories.consul_servers }}/consul_config" mode: '0644' - when: _consul_init_secret.changed + when: _consul_init_secret.result is defined run_once: true delegate_to: localhost 
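Review bot: `Initialize consul cluster` registers the bootstrap result, which carries the root `SecretID`, without `no_log: true`, so the root token is printed whenever the task fails or the play runs with `-v`; add `no_log: true` to that task. The file it is then written to uses `mode: '0644'`, readable by every user on the control host; `mode: '0600'` is the usual setting for a secrets file, and the same mode is used for the agents-token file in the next hunk. The bootstrap also talks to the API with `scheme: http`, which puts the root token on the wire in clear unless `advertise_addr` is loopback; worth a comment, or a switch to https once the cluster has TLS enabled. `wait_for` with only `timeout: 15` is a fixed pause rather than a readiness check, and with `retries`/`until` commented out a not-yet-elected leader now fails the play instead of being retried.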
@@ -59,6 +72,54 @@
 file: "{{ sub_configuration_directories.consul_servers }}/consul_config"
 name: _consul_cluster_config
+ - name: "Create consul agents token" # noqa: run-once[task] no-handler
+ # when:
+ # - _consul_init_secret.changed
+ # - consul_acl_configuration.enabled
+ run_once: true
+ delegate_to: localhost
+ block:
+ - name: "Create consul agent policy"
+ community.general.consul_policy:
+ host: "{{ hashi_consul_configuration['advertise_addr'] }}"
+ token: "{{ _consul_cluster_config.root_token.secret_id }}"
+ port: 8500
+ scheme: http
+ state: present
+ name: agents-policy
+ rules: "{{ consul_default_agent_policy }}"
+ register: _consul_agent_policy
+
+ - name: "Debug Policy"
+ ansible.builtin.debug:
+ msg: "{{ _consul_agent_policy }}"
+
+ # - fail:
+
+ - name: "Create consul agents token"
+ community.general.consul_token:
+ host: "localhost" # "{{ hashi_consul_configuration['advertise_addr'] }}"
+ token: "{{ _consul_cluster_config.root_token.secret_id }}"
+ port: 8500
+ scheme: http
+ state: present
+ local: true
+ policies:
+ - id: _consul_agent_policy.policy.ID
+ register: _consul_agent_token
+
+ - name: "Write consul agents token to file" # no-handler
+ ansible.builtin.copy:
+ content: "{{
+ {
+ 'tokens':{
+ 'agent': _consul_agent_token.token.SecretID
+ }
+ } | to_nice_yaml
+ }}"
+ dest: "{{ sub_configuration_directories.consul_servers }}/consul_config"
+ mode: '0644'
+ when: _consul_agent_token.changed
 - name: "Vault"
 when:
diff --git a/playbooks/group_vars/all.yml b/playbooks/group_vars/all.yml
index 4cb56e1..da0012a 100644
--- a/playbooks/group_vars/all.yml
+++ b/playbooks/group_vars/all.yml
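Review bot: `- id: _consul_agent_policy.policy.ID` under `policies` is a plain string, not a template, so the token is requested with a policy id literally named `_consul_agent_policy.policy.ID`; it should read `- id: "{{ _consul_agent_policy.policy.ID }}"`. `Write consul agents token to file` copies to the same `consul_config` path the root token was written to in the previous hunk, and `copy` replaces the whole file, so the root token is lost on this second write and the file no longer holds what `consul_vars.yml` loads; writing `content: "{{ _consul_cluster_config | combine({'tokens': {'agent': _consul_agent_token.token.SecretID}}) | to_nice_yaml }}"` keeps both, or use a separate file. As in the previous hunk, the token task and the `Debug Policy` task run without `no_log: true`, and `mode: '0644'` is wide for a secrets file. `host: "localhost"` combined with `delegate_to: localhost` targets port 8500 on the control node, which only works if an agent runs there; the commented-out `advertise_addr` looks like the intended value and is worth confirming.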
@@ -67,9 +67,103 @@ vault_required_ports: [8200, 8201] consul_required_ports: [8300, 8301, 8302, 8500, 8501, 8502, 8503, 8600] nomad_required_ports: [] -########################## -# Nomad options ########## -########################## +##################################################### +# # +# HAProxy Configuration # +# # +##################################################### + +deploy_haproxy_deploy_method: host # deployment method, either host or docker +deploy_haproxy_version: "2.8" + +deploy_haproxy_env_variables: {} +deploy_haproxy_start_service: true +deploy_haproxy_cert_dir: "" +deploy_haproxy_extra_container_volumes: [] +deploy_haproxy_global: + - log /dev/log local0 + - log /dev/log local1 notice + - stats socket {{ deploy_haproxy_socket }} level admin + - chroot {{ deploy_haproxy_chroot }} + - daemon + - description hashistack haproxy + +deploy_haproxy_defaults: + - log global + - mode http + - option httplog + - option dontlognull + - timeout connect 5000 + - timeout client 5000 + - timeout server 5000 + +deploy_haproxy_frontends: + [] + # - name: default + # options: + # - description default frontend + # - mode http + # - bind :80 + # - default_backend default + +deploy_haproxy_backends: + [] + # - name: default + # options: + # - description default backend + # - option forwardfor + # - option httpchk + # - http-check send meth GET uri / + # - server srv_nginx1 172.17.0.4:80 check inter 5s + # - server srv_nginx2 172.17.0.3:80 check inter 5s + +deploy_haproxy_listen: + - name: monitoring + options: + - bind :9000 + - mode http + - option httpchk + - stats enable + - stats uri /stats + - stats refresh 30s + - stats show-desc + - stats show-legends + - stats auth admin:password + - http-check send meth GET uri /health ver HTTP/1.1 hdr Host localhost + - http-check expect status 200 + - acl health_check_ok nbsrv() ge 1 + - monitor-uri /health + - http-request use-service prometheus-exporter if { path /metrics } + +deploy_keepalived_deploy_method: 
"host" +deploy_keepalived_version: "latest" +deploy_keepalived_start_service: true +deploy_keepalived_env_variables: {} + +deploy_keepalived_vrrp_instance_name: "{{ ansible_hostname }}" +deploy_keepalived_interface: "{{ ansible_default_ipv4.interface }}" +deploy_keepalived_state: "BACKUP" +deploy_keepalived_router_id: 50 +deploy_keepalived_priority: 100 +deploy_keepalived_advert_interval: 1 +deploy_keepalived_unicast_source: "{{ ansible_default_ipv4.address }}" +deploy_keepalived_unicast_peers: [] +deploy_keepalived_auth_passwd: "password" +deploy_keepalived_virtual_ips: + - 192.168.1.100/32 +deploy_keepalived_notify_script: notify.sh + +deploy_keepalived_custom_scripts_src: +deploy_keepalived_extra_container_volumes: [] + +deploy_keepalived_use_custom_config: false +deploy_keepalived_custom_config_src: + +##################################################### +# # +# Nomad Configuration # +# # +##################################################### hashi_nomad_cni_plugins_install: true hashi_nomad_start_service: true @@ -84,9 +178,11 @@ hashi_nomad_extra_files_src: /tmp/extra_files hashi_nomad_extra_files_dst: /etc/nomad.d/extra_files hashi_nomad_configuration: {} -########################## -# Consul options ######### -########################## +##################################################### +# # +# Consul Configuration # +# # +##################################################### consul_domain: consul consul_datacenter: dc1 @@ -117,6 +213,17 @@ consul_acl_configuration: default_policy: "deny" # can be allow or deny enable_token_persistence: true +consul_default_agent_policy: | + agent_prefix "" { + policy = "write" + } + node_prefix "" { + policy = "write" + } + service_prefix "" { + policy = "read" + } + ########################## # consul DNS configuration ########################## 
@@ -202,9 +309,11 @@ hashi_consul_configuration: hashi_consul_configuration_string: | bootstrap_expect: {{ (groups['consul_servers'] | length) }} -########################## -# Vault options ########## -########################## +##################################################### +# # +# Vault Configuration # +# # +##################################################### vault_cluster_name: vault vault_enable_ui: true diff --git a/playbooks/preflight.yml b/playbooks/preflight.yml index 3676515..20658c5 100644 --- a/playbooks/preflight.yml +++ b/playbooks/preflight.yml @@ -305,5 +305,5 @@ The python sdk for docker is really out of date, you need to install a more recent version of it in order to use this tool. - - name: "Fail" - fail: + # - name: "Fail" + # fail: diff --git a/playbooks/tasks/consul_vars.yml b/playbooks/tasks/consul_vars.yml index 6df595b..672b360 100644 --- a/playbooks/tasks/consul_vars.yml +++ b/playbooks/tasks/consul_vars.yml 
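Review bot: Commenting out the `fail` task in preflight.yml makes the docker SDK check advisory: the message just above it still tells the operator the tool cannot be used, but the play now proceeds into deploy with the outdated SDK. If the version condition was the problem, correct it rather than disabling the stop; if a bypass is wanted, gate the `fail` on an explicitly named override variable so the default still stops. The enclosing task starts outside this hunk.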
@@ -20,6 +20,36 @@
 }}"
 when: consul_address_configuration is defined
+- name: "Consul | Merge token configuration"
+ delegate_to: localhost
+ block:
+ - name: "Consul | Stat consul secrets file"
+ ansible.builtin.stat:
+ path: "{{ sub_configuration_directories.consul_servers }}/consul_config"
+ register: _consul_config_file
+
+ - name: "Consul | Load consul secrets file"
+ ansible.builtin.include_vars:
+ file: "{{ sub_configuration_directories.consul_servers }}/consul_config"
+ name: _consul_cluster_config
+ when: _consul_config_file.stat.exists
+
+ - name: "Consul | Merge token configuration"
+ vars:
+ _config_to_merge:
+ acl:
+ tokens:
+ agent: "{{ _consul_cluster_config.consul_agent_token }}"
+ ansible.builtin.set_fact:
+ hashi_consul_configuration: "{{ hashi_consul_configuration | default({}) | combine(_config_to_merge, recursive=true) }}"
+ when: _consul_cluster_config.consul_agent_token is defined
+
+- name: Debug token config
+ ansible.builtin.debug:
+ msg: "{{ hashi_consul_configuration }}"
+
+# - fail:
+
 - name: "Consul | Merge extra configuration settings"
 vars:
 _config_to_merge: "{{ consul_extra_configuration }}"
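Review bot: The key read from the secrets file, `_consul_cluster_config.consul_agent_token`, does not match what deploy.yml writes into the same `consul_config` file (`root_token.secret_id` and `tokens.agent` in the deploy.yml hunks), so the `when` guard never passes and the agent token is never merged into `hashi_consul_configuration`; use `agent: "{{ _consul_cluster_config.tokens.agent }}"` with `when: _consul_cluster_config.tokens.agent is defined`, or align the writer. `Debug token config` then prints the full configuration including `acl.tokens.agent`, which lands the token in play output and any log aggregation; drop the debug task or add `no_log: true`. The `# - fail:` leftover and the duplicated task name `Consul | Merge token configuration` on both the block and its inner task are worth cleaning up before merge.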