diff --git a/.gitignore b/.gitignore
index 514fff4..12e5e2b 100644
--- a/.gitignore
+++ b/.gitignore
@@ -5,3 +5,5 @@ roles/ednz_cloud.*
 vault_config.yml
 consul_config.yml
 **/certificates/**
+**/secrets/credentials.yml
+**/secrets/vault.yml
diff --git a/playbooks/tasks/misc/load_all_vars.yml b/playbooks/tasks/misc/load_all_vars.yml
new file mode 100644
index 0000000..9142d0d
--- /dev/null
+++ b/playbooks/tasks/misc/load_all_vars.yml
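Review bot: The two new patterns ignore only `credentials.yml` and `vault.yml`, so any other file placed under a `secrets/` directory — a renamed copy, an editor backup, a second environment's credentials — is still staged by `git add`; the neighbouring `**/certificates/**` entry already uses the directory-wide form. Consider `**/secrets/**` instead, with a `!` negation for any non-secret file that genuinely belongs there. As with any gitignore change, a file that was committed before this rule stays tracked until it is removed from the index.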
@@ -0,0 +1,216 @@
+---
+# hashistack variable injection playbook
+- name: "Load global variables"
+ block:
+ - name: "Stat global configuration file"
+ ansible.builtin.stat:
+ path: "{{ configuration_directory }}/{{ configuration_global_vars_file }}"
+ register: _global_config_file
+ delegate_to: localhost
+
+ - name: "Make sure global configuration file exists"
+ ansible.builtin.assert:
+ that:
+ - _global_config_file.stat.exists
+ fail_msg: >-
+ Main configuration file {{ _global_config_file.stat.path }} was not found, cannot continue without it.
+ delegate_to: localhost
+
+ - name: "Load global variables"
+ ansible.builtin.include_vars:
+ dir: "{{ configuration_directory }}"
+ files_matching: "{{ configuration_global_vars_file }}"
+ depth: 1
+ delegate_to: localhost
+
+- name: "Load credentials variables"
+ block:
+ - name: "Stat credentials file"
+ ansible.builtin.stat:
+ path: "{{ sub_configuration_directories['secrets'] }}/{{ configuration_credentials_vars_file }}"
+ register: _credentials_file
+ delegate_to: localhost
+
+ - name: "Stat vault credentials file"
+ ansible.builtin.stat:
+ path: "{{ sub_configuration_directories['secrets'] }}/vault.yml"
+ register: _vault_credentials_file
+ delegate_to: localhost
+
+ - name: "Make sure credentials file exists"
+ ansible.builtin.assert:
+ that:
+ - _credentials_file.stat.exists
+ fail_msg: >-
+ Credentials file {{ _credentials_file.stat.path }} was not found, cannot continue without it.
+ delegate_to: localhost
+
+ - name: "Load credentials variables"
+ ansible.builtin.include_vars:
+ dir: "{{ sub_configuration_directories['secrets'] }}"
+ files_matching: "{{ configuration_credentials_vars_file }}"
+ depth: 1
+ name: _credentials
+ delegate_to: localhost
+
+ - name: "Load vault credentials if vault.yml exists"
+ ansible.builtin.include_vars:
+ dir: "{{ sub_configuration_directories['secrets'] }}"
+ files_matching: "vault.yml"
+ depth: 1
+ name: _vault_credentials
+ when: _vault_credentials_file.stat.exists
+ delegate_to: localhost
+
+ - name: "Merge vault credentials into _credentials"
+ vars:
+ _config_to_merge:
+ vault: "{{ _vault_credentials }}"
+ ansible.builtin.set_fact:
+ _credentials: "{{ _credentials | combine(_vault_credentials, recursive=true) }}"
+ when: _vault_credentials_file.stat.exists
+ delegate_to: localhost
+
+- name: "Load group specific variables"
+ block:
+ - name: "Stat group specific config file"
+ ansible.builtin.stat:
+ path: "{{ configuration_directory }}/{{ group_name }}/{{ configuration_global_vars_file }}"
+ register: _group_config_file
+ loop: "{{ group_names }}"
+ loop_control:
+ loop_var: group_name
+
+ - name: Load group specific variables
+ ansible.builtin.include_vars:
+ dir: "{{ configuration_directory }}/{{ item.group_name }}"
+ files_matching: "{{ configuration_global_vars_file }}"
+ depth: 1
+ loop: "{{ _group_config_file.results }}"
+ when: item.stat.exists
+ and item.group_name in group_names
+ loop_control:
+ loop_var: item
+ delegate_to: localhost
+
+- name: "Load host specific variables"
+ block:
+ - name: "Stat host specific config file"
+ ansible.builtin.stat:
+ path: "{{ configuration_directory }}/{{ group_name }}/{{ inventory_hostname }}/{{ configuration_global_vars_file }}"
+ register: _host_config_file
+ loop: "{{ group_names }}"
+ loop_control:
+ loop_var: group_name
+ delegate_to: localhost
+
+ - name: Load host specific variables
+ ansible.builtin.include_vars:
+ dir: "{{ configuration_directory }}/{{ item.group_name }}/{{ inventory_hostname }}"
+ files_matching: "{{ configuration_global_vars_file }}"
+ loop: "{{ _host_config_file.results }}"
+ when: item.stat.exists
+ loop_control:
+ loop_var: item
+ delegate_to: localhost
+
+- name: "Ensure remote directories exists"
+ ansible.builtin.file:
+ path: "{{ item }}"
+ state: directory
+ owner: root
+ group: root
+ mode: 0755
+ recurse: yes
+ loop:
+ - "{{ hashistack_remote_config_dir }}"
+ - "{{ hashistack_remote_data_dir }}"
+
+- name: "Load custom CA certificates"
+ block:
+ - name: "Check if CA directory exists"
+ ansible.builtin.stat:
+ path: "{{ sub_configuration_directories['certificates'] }}/ca"
+ register: _hashistack_ca_directory
+ delegate_to: localhost
+
+ - name: "Find custom ca certificates to copy"
+ ansible.builtin.find:
+ paths: "{{ sub_configuration_directories['certificates'] }}/ca"
+ patterns: "*.crt"
+ register: _hashistack_cacert_files
+ delegate_to: localhost
+ when: _hashistack_ca_directory.stat.exists and _hashistack_ca_directory.stat.isdir
+
+ - ansible.builtin.debug:
+ msg: "{{ _hashistack_cacert_files }}"
+
+ - name: "Ensure remote ca directory exists"
+ ansible.builtin.file:
+ path: "{{ hashistack_remote_config_dir }}/ca"
+ state: directory
+ owner: root
+ group: root
+ mode: 0755
+
+ - name: "Copy custom ca certificates"
+ ansible.builtin.copy:
+ src: "{{ item.path }}"
+ dest: "{{ hashistack_remote_config_dir }}/ca/{{ item.path | basename }}"
+ owner: root
+ group: root
+ mode: 0644
+ loop: "{{ _hashistack_cacert_files.files }}"
+ register: _hashistack_copied_ca
+
+ - name: "Copy and update trust store"
+ block:
+ - name: "Copy ca certificates to /usr/loca/share/ca-certificates"
+ ansible.builtin.file:
+ state: link
+ src: "{{ item.dest }}"
+ dest: "/usr/local/share/ca-certificates/hashistack-customca-{{ item.dest | basename }}"
+ owner: root
+ group: root
+ loop: "{{ _hashistack_copied_ca.results }}"
+ register: _hashistack_usr_local_share_ca_certificates
+
+ - name: "Update the trust store"
+ ansible.builtin.command: update-ca-certificates
+ changed_when: false
+ when: _hashistack_usr_local_share_ca_certificates.changed
+
+ # - name: "Initialize list of CA certificates"
+ # ansible.builtin.set_fact:
+ # hashistack_cacert_extra_files: []
+ # delegate_to: localhost
+
+ # - name: "Add custom CA to list of extra certificates"
+ # ansible.builtin.set_fact:
+ # hashistack_cacert_extra_files: "{{
+ # hashistack_cacert_extra_files | default([])
+ # + [{'src': item.path, 'dest': '/etc/ssl/certs/hashistack-custom-' + item.path | basename}] }}"
+ # loop: "{{ _hashistack_cacert_files.files }}"
+ # delegate_to: localhost
+ # when: _hashistack_cacert_files.matched > 0
+
+- name: "Merge consul configurations"
+ ansible.builtin.import_tasks:
+ file: "consul/consul_vars.yml"
+ when:
+ - enable_consul | bool
+ - "('consul_servers' in group_names) or ('consul_agents' in group_names)"
+
+- name: "Merge vault configurations"
+ ansible.builtin.import_tasks:
+ file: "vault/vault_vars.yml"
+ when:
+ - enable_vault | bool
+ - "'vault_servers' in group_names"
+
+- debug:
+ msg: "{{ deploy_haproxy_frontends }}"
+
+- debug:
+ msg: "{{ deploy_haproxy_backends }}"
+# - fail:
diff --git a/playbooks/tasks/misc/load_ca_certificates.yml b/playbooks/tasks/misc/load_ca_certificates.yml
new file mode 100644
index 0000000..5999284
--- /dev/null
+++ b/playbooks/tasks/misc/load_ca_certificates.yml
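Review bot: In the "Merge vault credentials into _credentials" task the `_config_to_merge` var is defined but never used: the set_fact combines `_vault_credentials` directly, so vault keys are merged into the top level of `_credentials`, while the same task in load_credentials_vars.yml (added in this commit) combines `_config_to_merge` and nests them under `vault`. The two loaders therefore produce different `_credentials` shapes; assuming the nested form is the intended one, change the line to `_credentials: "{{ _credentials | combine(_config_to_merge, recursive=true) }}"`. In "Ensure remote directories exists", `recurse: yes` applies `owner: root`, `group: root` and `mode: 0755` to every file and directory already below `hashistack_remote_data_dir` as well, not just the directory itself, so anything stored there is re-owned and made world-readable and executable on every run; dropping `recurse` limits the task to the two directories it names. The modes should also be quoted strings (`mode: "0755"`, `mode: "0644"`) and the boolean written as `true`, since an unquoted leading-zero integer is the YAML 1.1 octal trap that ansible-lint's risky-octal rule flags. The trailing bare `- debug:` tasks and the `# - fail:` line look like leftover scaffolding that prints `deploy_haproxy_*` on every run.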
@@ -0,0 +1,52 @@
+---
+- name: "Check if CA directory exists"
+ ansible.builtin.stat:
+ path: "{{ sub_configuration_directories['certificates'] }}/ca"
+ register: _hashistack_ca_directory
+ delegate_to: localhost
+
+- name: "Find custom ca certificates to copy"
+ ansible.builtin.find:
+ paths: "{{ sub_configuration_directories['certificates'] }}/ca"
+ patterns: "*.crt"
+ register: _hashistack_cacert_files
+ delegate_to: localhost
+ when: _hashistack_ca_directory.stat.exists and _hashistack_ca_directory.stat.isdir
+
+- ansible.builtin.debug:
+ msg: "{{ _hashistack_cacert_files }}"
+
+- name: "Ensure remote ca directory exists"
+ ansible.builtin.file:
+ path: "{{ hashistack_remote_config_dir }}/ca"
+ state: directory
+ owner: root
+ group: root
+ mode: 0755
+
+- name: "Copy custom ca certificates"
+ ansible.builtin.copy:
+ src: "{{ item.path }}"
+ dest: "{{ hashistack_remote_config_dir }}/ca/{{ item.path | basename }}"
+ owner: root
+ group: root
+ mode: 0644
+ loop: "{{ _hashistack_cacert_files.files }}"
+ register: _hashistack_copied_ca
+
+- name: "Copy and update trust store"
+ block:
+ - name: "Copy ca certificates to /usr/loca/share/ca-certificates"
+ ansible.builtin.file:
+ state: link
+ src: "{{ item.dest }}"
+ dest: "/usr/local/share/ca-certificates/hashistack-customca-{{ item.dest | basename }}"
+ owner: root
+ group: root
+ loop: "{{ _hashistack_copied_ca.results }}"
+ register: _hashistack_usr_local_share_ca_certificates
+
+ - name: "Update the trust store"
+ ansible.builtin.command: update-ca-certificates
+ changed_when: false
+ when: _hashistack_usr_local_share_ca_certificates.changed
diff --git a/playbooks/tasks/misc/load_credentials_vars.yml b/playbooks/tasks/misc/load_credentials_vars.yml
new file mode 100644
index 0000000..d448f78
--- /dev/null
+++ b/playbooks/tasks/misc/load_credentials_vars.yml
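Review bot: "Copy custom ca certificates" loops over `_hashistack_cacert_files.files` unconditionally, but the find task that registers it only runs when the CA directory exists; when it is skipped the registered result has no `files` key and the copy task fails instead of doing nothing, so guard the loop with `loop: "{{ _hashistack_cacert_files.files | default([]) }}"` (the link task's `_hashistack_copied_ca.results` needs the same treatment). "Update the trust store" is triggered only by the symlink task changing, so a CA file whose contents changed (copy changed, link unchanged) is never re-hashed into the trust store — use `when: _hashistack_copied_ca.changed or _hashistack_usr_local_share_ca_certificates.changed`. Nothing removes a certificate or its `hashistack-customca-*` link once it has been deleted from the source directory, so a retired CA stays trusted on every host until it is cleaned up by hand; at minimum this deserves a comment at the top of the file such as `# NOTE: certificates removed from the source ca/ directory are not removed from hosts`. The unnamed debug task dumps the whole find result on every run and can go. This file is duplicated verbatim in the "Load custom CA certificates" block of load_all_vars.yml in the same commit, where the same fixes apply.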
@@ -0,0 +1,50 @@
+---
+- name: "Stat credentials file"
+ ansible.builtin.stat:
+ path: "{{ sub_configuration_directories['secrets'] }}/{{ configuration_credentials_vars_file }}"
+ register: _credentials_file
+ delegate_to: localhost
+
+- name: "Stat vault credentials file"
+ ansible.builtin.stat:
+ path: "{{ sub_configuration_directories['secrets'] }}/vault.yml"
+ register: _vault_credentials_file
+ delegate_to: localhost
+
+- name: "Make sure credentials file exists"
+ ansible.builtin.assert:
+ that:
+ - _credentials_file.stat.exists
+ fail_msg: >-
+ Credentials file {{ _credentials_file.stat.path }} was not found, cannot continue without it.
+ delegate_to: localhost
+
+- name: "Load credentials variables"
+ ansible.builtin.include_vars:
+ dir: "{{ sub_configuration_directories['secrets'] }}"
+ files_matching: "{{ configuration_credentials_vars_file }}"
+ depth: 1
+ name: _credentials
+ delegate_to: localhost
+
+- name: "Load vault credentials if vault.yml exists"
+ ansible.builtin.include_vars:
+ dir: "{{ sub_configuration_directories['secrets'] }}"
+ files_matching: "vault.yml"
+ depth: 1
+ name: _vault_credentials
+ when: _vault_credentials_file.stat.exists
+ delegate_to: localhost
+
+- name: "Merge vault credentials into _credentials"
+ vars:
+ _config_to_merge:
+ vault: "{{ _vault_credentials }}"
+ ansible.builtin.set_fact:
+ _credentials: "{{ _credentials | combine(_config_to_merge, recursive=true) }}"
+ when: _vault_credentials_file.stat.exists
+ delegate_to: localhost
+
+- name: "Debug _credentials"
+ ansible.builtin.debug:
+ msg: "{{ _credentials }}"
diff --git a/playbooks/tasks/misc/load_global_vars.yml b/playbooks/tasks/misc/load_global_vars.yml
new file mode 100644
index 0000000..e162ee9
--- /dev/null
+++ b/playbooks/tasks/misc/load_global_vars.yml
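Review bot: "Debug _credentials" prints the entire merged credentials mapping — including whatever vault.yml contributed — into the play output, which lands in CI logs and any log shipping configured for the controller; remove the task, or if it must stay for troubleshooting add `no_log: true` so the values are masked. The two include_vars tasks that read the secrets files deserve the same `no_log: true`, since verbose runs print task results and include_vars returns the loaded variables as facts — confirm on a `-v` run. Also note that `files_matching` is a regular expression rather than a filename, so `"vault.yml"` matches more than the literal name; harmless here, but `file:` with the path the stat task already checked would be more precise.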
@@ -0,0 +1,21 @@
+---
+- name: "Stat global configuration file"
+ ansible.builtin.stat:
+ path: "{{ configuration_directory }}/{{ configuration_global_vars_file }}"
+ register: _global_config_file
+ delegate_to: localhost
+
+- name: "Make sure global configuration file exists"
+ ansible.builtin.assert:
+ that:
+ - _global_config_file.stat.exists
+ fail_msg: >-
+ Main configuration file {{ _global_config_file.stat.path }} was not found, cannot continue without it.
+ delegate_to: localhost
+
+- name: "Load global variables"
+ ansible.builtin.include_vars:
+ dir: "{{ configuration_directory }}"
+ files_matching: "{{ configuration_global_vars_file }}"
+ depth: 1
+ delegate_to: localhost
diff --git a/playbooks/tasks/misc/load_group_vars.yml b/playbooks/tasks/misc/load_group_vars.yml
new file mode 100644
index 0000000..d21a475
--- /dev/null
+++ b/playbooks/tasks/misc/load_group_vars.yml
@@ -0,0 +1,20 @@
+---
+- name: "Stat group specific config file"
+ ansible.builtin.stat:
+ path: "{{ configuration_directory }}/{{ group_name }}/{{ configuration_global_vars_file }}"
+ register: _group_config_file
+ loop: "{{ group_names }}"
+ loop_control:
+ loop_var: group_name
+
+- name: Load group specific variables
+ ansible.builtin.include_vars:
+ dir: "{{ configuration_directory }}/{{ item.group_name }}"
+ files_matching: "{{ configuration_global_vars_file }}"
+ depth: 1
+ loop: "{{ _group_config_file.results }}"
+ when: item.stat.exists
+ and item.group_name in group_names
+ loop_control:
+ loop_var: item
+ delegate_to: localhost
diff --git a/playbooks/tasks/misc/load_host_vars.yml b/playbooks/tasks/misc/load_host_vars.yml
new file mode 100644
index 0000000..c95c2b7
--- /dev/null
+++ b/playbooks/tasks/misc/load_host_vars.yml
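Review bot: "Load global variables" uses `dir` + `files_matching`, but `files_matching` is a regular expression, not a filename: it is unanchored and `.` matches any character, so if `configuration_global_vars_file` is, say, `globals.yml` (constructed example) a sibling `old_globals.yml` in the configuration root is loaded too, after the assert has only checked for the exact file. Since the stat task already establishes the exact path, `file: "{{ configuration_directory }}/{{ configuration_global_vars_file }}"` in place of `dir`/`files_matching`/`depth` loads exactly that file and nothing else.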
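Review bot: "Stat group specific config file" has no `delegate_to: localhost`, unlike the include_vars task below it and the equivalent stat in load_host_vars.yml, so it runs on the managed node and looks for `configuration_directory` there; on hosts where that path does not exist every `item.stat.exists` is false and the group variables are silently never loaded. Add `delegate_to: localhost` to the stat task. The `and item.group_name in group_names` condition is always true because the stat loop iterates `group_names` itself, so it can be dropped.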
@@ -0,0 +1,19 @@
+---
+- name: "Stat host specific config file"
+ ansible.builtin.stat:
+ path: "{{ configuration_directory }}/{{ group_name }}/{{ inventory_hostname }}/{{ configuration_global_vars_file }}"
+ register: _host_config_file
+ loop: "{{ group_names }}"
+ loop_control:
+ loop_var: group_name
+ delegate_to: localhost
+
+- name: Load host specific variables
+ ansible.builtin.include_vars:
+ dir: "{{ configuration_directory }}/{{ item.group_name }}/{{ inventory_hostname }}"
+ files_matching: "{{ configuration_global_vars_file }}"
+ loop: "{{ _host_config_file.results }}"
+ when: item.stat.exists
+ loop_control:
+ loop_var: item
+ delegate_to: localhost
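Review bot: "Load host specific variables" omits `depth: 1`, which the group and global loaders set; with `dir`, include_vars recurses the whole tree by default, so a file matching `configuration_global_vars_file` in any subdirectory of the host's directory is loaded as well. Add `depth: 1`, or replace `dir`/`files_matching` with `file: "{{ configuration_directory }}/{{ item.group_name }}/{{ inventory_hostname }}/{{ configuration_global_vars_file }}"` since the stat loop has already pinned the exact path.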