ansible-collections/hcp-ansible
ansible-collections/hcp-ansible
4
0
Fork 0
Code Issues 3 Pull Requests Actions Packages Projects 1 Releases Wiki Activity

feat: split load_vars play into multiple specific plays

Browse Source
This commit is contained in:
Bertrand Lanson 2024-05-03 22:22:59 +02:00
parent 370fc65b23
commit fa742277b2
7 changed files with 380 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.gitignore vendored
View File

@ -5,3 +5,5 @@ roles/ednz_cloud.*
vault_config.yml vault_config.yml
consul_config.yml consul_config.yml
**/certificates/** **/certificates/**
**/secrets/credentials.yml
**/secrets/vault.yml

216
playbooks/tasks/misc/load_all_vars.yml Normal file
View File

@ -0,0 +1,216 @@
---
# hashistack variable injection playbook
- name: "Load global variables"
block:
- name: "Stat global configuration file"
ansible.builtin.stat:
path: "{{ configuration_directory }}/{{ configuration_global_vars_file }}"
register: _global_config_file
delegate_to: localhost
- name: "Make sure global configuration file exists"
ansible.builtin.assert:
that:
- _global_config_file.stat.exists
fail_msg: >-
Main configuration file {{ _global_config_file.stat.path }} was not found, cannot continue without it.
delegate_to: localhost
- name: "Load global variables"
ansible.builtin.include_vars:
dir: "{{ configuration_directory }}"
files_matching: "{{ configuration_global_vars_file }}"
depth: 1
delegate_to: localhost
- name: "Load credentials variables"
block:
- name: "Stat credentials file"
ansible.builtin.stat:
path: "{{ sub_configuration_directories['secrets'] }}/{{ configuration_credentials_vars_file }}"
register: _credentials_file
delegate_to: localhost
- name: "Stat vault credentials file"
ansible.builtin.stat:
path: "{{ sub_configuration_directories['secrets'] }}/vault.yml"
register: _vault_credentials_file
delegate_to: localhost
- name: "Make sure credentials file exists"
ansible.builtin.assert:
that:
- _credentials_file.stat.exists
fail_msg: >-
Credentials file {{ _credentials_file.stat.path }} was not found, cannot continue without it.
delegate_to: localhost
- name: "Load credentials variables"
ansible.builtin.include_vars:
dir: "{{ sub_configuration_directories['secrets'] }}"
files_matching: "{{ configuration_credentials_vars_file }}"
depth: 1
name: _credentials
delegate_to: localhost
- name: "Load vault credentials if vault.yml exists"
ansible.builtin.include_vars:
dir: "{{ sub_configuration_directories['secrets'] }}"
files_matching: "vault.yml"
depth: 1
name: _vault_credentials
when: _vault_credentials_file.stat.exists
delegate_to: localhost
- name: "Merge vault credentials into _credentials"
vars:
_config_to_merge:
vault: "{{ _vault_credentials }}"
ansible.builtin.set_fact:
_credentials: "{{ _credentials | combine(_vault_credentials, recursive=true) }}"
when: _vault_credentials_file.stat.exists
delegate_to: localhost
- name: "Load group specific variables"
block:
- name: "Stat group specific config file"
ansible.builtin.stat:
path: "{{ configuration_directory }}/{{ group_name }}/{{ configuration_global_vars_file }}"
register: _group_config_file
loop: "{{ group_names }}"
loop_control:
loop_var: group_name
- name: Load group specific variables
ansible.builtin.include_vars:
dir: "{{ configuration_directory }}/{{ item.group_name }}"
files_matching: "{{ configuration_global_vars_file }}"
depth: 1
loop: "{{ _group_config_file.results }}"
when: item.stat.exists
and item.group_name in group_names
loop_control:
loop_var: item
delegate_to: localhost
- name: "Load host specific variables"
block:
- name: "Stat host specific config file"
ansible.builtin.stat:
path: "{{ configuration_directory }}/{{ group_name }}/{{ inventory_hostname }}/{{ configuration_global_vars_file }}"
register: _host_config_file
loop: "{{ group_names }}"
loop_control:
loop_var: group_name
delegate_to: localhost
- name: Load host specific variables
ansible.builtin.include_vars:
dir: "{{ configuration_directory }}/{{ item.group_name }}/{{ inventory_hostname }}"
files_matching: "{{ configuration_global_vars_file }}"
loop: "{{ _host_config_file.results }}"
when: item.stat.exists
loop_control:
loop_var: item
delegate_to: localhost
- name: "Ensure remote directories exists"
ansible.builtin.file:
path: "{{ item }}"
state: directory
owner: root
group: root
mode: 0755
recurse: yes
loop:
- "{{ hashistack_remote_config_dir }}"
- "{{ hashistack_remote_data_dir }}"
- name: "Load custom CA certificates"
block:
- name: "Check if CA directory exists"
ansible.builtin.stat:
path: "{{ sub_configuration_directories['certificates'] }}/ca"
register: _hashistack_ca_directory
delegate_to: localhost
- name: "Find custom ca certificates to copy"
ansible.builtin.find:
paths: "{{ sub_configuration_directories['certificates'] }}/ca"
patterns: "*.crt"
register: _hashistack_cacert_files
delegate_to: localhost
when: _hashistack_ca_directory.stat.exists and _hashistack_ca_directory.stat.isdir
- ansible.builtin.debug:
msg: "{{ _hashistack_cacert_files }}"
- name: "Ensure remote ca directory exists"
ansible.builtin.file:
path: "{{ hashistack_remote_config_dir }}/ca"
state: directory
owner: root
group: root
mode: 0755
- name: "Copy custom ca certificates"
ansible.builtin.copy:
src: "{{ item.path }}"
dest: "{{ hashistack_remote_config_dir }}/ca/{{ item.path | basename }}"
owner: root
group: root
mode: 0644
loop: "{{ _hashistack_cacert_files.files }}"
register: _hashistack_copied_ca
- name: "Copy and update trust store"
block:
- name: "Copy ca certificates to /usr/loca/share/ca-certificates"
ansible.builtin.file:
state: link
src: "{{ item.dest }}"
dest: "/usr/local/share/ca-certificates/hashistack-customca-{{ item.dest | basename }}"
owner: root
group: root
loop: "{{ _hashistack_copied_ca.results }}"
register: _hashistack_usr_local_share_ca_certificates
- name: "Update the trust store"
ansible.builtin.command: update-ca-certificates
changed_when: false
when: _hashistack_usr_local_share_ca_certificates.changed
# - name: "Initialize list of CA certificates"
# ansible.builtin.set_fact:
# hashistack_cacert_extra_files: []
# delegate_to: localhost
# - name: "Add custom CA to list of extra certificates"
# ansible.builtin.set_fact:
# hashistack_cacert_extra_files: "{{
# hashistack_cacert_extra_files | default([])
# + [{'src': item.path, 'dest': '/etc/ssl/certs/hashistack-custom-' + item.path | basename}] }}"
# loop: "{{ _hashistack_cacert_files.files }}"
# delegate_to: localhost
# when: _hashistack_cacert_files.matched > 0
- name: "Merge consul configurations"
ansible.builtin.import_tasks:
file: "consul/consul_vars.yml"
when:
- enable_consul | bool
- "('consul_servers' in group_names) or ('consul_agents' in group_names)"
- name: "Merge vault configurations"
ansible.builtin.import_tasks:
file: "vault/vault_vars.yml"
when:
- enable_vault | bool
- "'vault_servers' in group_names"
- debug:
msg: "{{ deploy_haproxy_frontends }}"
- debug:
msg: "{{ deploy_haproxy_backends }}"
# - fail:

52
playbooks/tasks/misc/load_ca_certificates.yml Normal file
View File

@ -0,0 +1,52 @@
---
- name: "Check if CA directory exists"
ansible.builtin.stat:
path: "{{ sub_configuration_directories['certificates'] }}/ca"
register: _hashistack_ca_directory
delegate_to: localhost
- name: "Find custom ca certificates to copy"
ansible.builtin.find:
paths: "{{ sub_configuration_directories['certificates'] }}/ca"
patterns: "*.crt"
register: _hashistack_cacert_files
delegate_to: localhost
when: _hashistack_ca_directory.stat.exists and _hashistack_ca_directory.stat.isdir
- ansible.builtin.debug:
msg: "{{ _hashistack_cacert_files }}"
- name: "Ensure remote ca directory exists"
ansible.builtin.file:
path: "{{ hashistack_remote_config_dir }}/ca"
state: directory
owner: root
group: root
mode: 0755
- name: "Copy custom ca certificates"
ansible.builtin.copy:
src: "{{ item.path }}"
dest: "{{ hashistack_remote_config_dir }}/ca/{{ item.path | basename }}"
owner: root
group: root
mode: 0644
loop: "{{ _hashistack_cacert_files.files }}"
register: _hashistack_copied_ca
- name: "Copy and update trust store"
block:
- name: "Copy ca certificates to /usr/loca/share/ca-certificates"
ansible.builtin.file:
state: link
src: "{{ item.dest }}"
dest: "/usr/local/share/ca-certificates/hashistack-customca-{{ item.dest | basename }}"
owner: root
group: root
loop: "{{ _hashistack_copied_ca.results }}"
register: _hashistack_usr_local_share_ca_certificates
- name: "Update the trust store"
ansible.builtin.command: update-ca-certificates
changed_when: false
when: _hashistack_usr_local_share_ca_certificates.changed

50
playbooks/tasks/misc/load_credentials_vars.yml Normal file
View File

@ -0,0 +1,50 @@
---
- name: "Stat credentials file"
ansible.builtin.stat:
path: "{{ sub_configuration_directories['secrets'] }}/{{ configuration_credentials_vars_file }}"
register: _credentials_file
delegate_to: localhost
- name: "Stat vault credentials file"
ansible.builtin.stat:
path: "{{ sub_configuration_directories['secrets'] }}/vault.yml"
register: _vault_credentials_file
delegate_to: localhost
- name: "Make sure credentials file exists"
ansible.builtin.assert:
that:
- _credentials_file.stat.exists
fail_msg: >-
Credentials file {{ _credentials_file.stat.path }} was not found, cannot continue without it.
delegate_to: localhost
- name: "Load credentials variables"
ansible.builtin.include_vars:
dir: "{{ sub_configuration_directories['secrets'] }}"
files_matching: "{{ configuration_credentials_vars_file }}"
depth: 1
name: _credentials
delegate_to: localhost
- name: "Load vault credentials if vault.yml exists"
ansible.builtin.include_vars:
dir: "{{ sub_configuration_directories['secrets'] }}"
files_matching: "vault.yml"
depth: 1
name: _vault_credentials
when: _vault_credentials_file.stat.exists
delegate_to: localhost
- name: "Merge vault credentials into _credentials"
vars:
_config_to_merge:
vault: "{{ _vault_credentials }}"
ansible.builtin.set_fact:
_credentials: "{{ _credentials | combine(_config_to_merge, recursive=true) }}"
when: _vault_credentials_file.stat.exists
delegate_to: localhost
- name: "Debug _credentials"
ansible.builtin.debug:
msg: "{{ _credentials }}"

21
playbooks/tasks/misc/load_global_vars.yml Normal file
View File

@ -0,0 +1,21 @@
---
- name: "Stat global configuration file"
ansible.builtin.stat:
path: "{{ configuration_directory }}/{{ configuration_global_vars_file }}"
register: _global_config_file
delegate_to: localhost
- name: "Make sure global configuration file exists"
ansible.builtin.assert:
that:
- _global_config_file.stat.exists
fail_msg: >-
Main configuration file {{ _global_config_file.stat.path }} was not found, cannot continue without it.
delegate_to: localhost
- name: "Load global variables"
ansible.builtin.include_vars:
dir: "{{ configuration_directory }}"
files_matching: "{{ configuration_global_vars_file }}"
depth: 1
delegate_to: localhost

20
playbooks/tasks/misc/load_group_vars.yml Normal file
View File

@ -0,0 +1,20 @@
---
- name: "Stat group specific config file"
ansible.builtin.stat:
path: "{{ configuration_directory }}/{{ group_name }}/{{ configuration_global_vars_file }}"
register: _group_config_file
loop: "{{ group_names }}"
loop_control:
loop_var: group_name
- name: Load group specific variables
ansible.builtin.include_vars:
dir: "{{ configuration_directory }}/{{ item.group_name }}"
files_matching: "{{ configuration_global_vars_file }}"
depth: 1
loop: "{{ _group_config_file.results }}"
when: item.stat.exists
and item.group_name in group_names
loop_control:
loop_var: item
delegate_to: localhost

19
playbooks/tasks/misc/load_host_vars.yml Normal file
View File

@ -0,0 +1,19 @@
---
- name: "Stat host specific config file"
ansible.builtin.stat:
path: "{{ configuration_directory }}/{{ group_name }}/{{ inventory_hostname }}/{{ configuration_global_vars_file }}"
register: _host_config_file
loop: "{{ group_names }}"
loop_control:
loop_var: group_name
delegate_to: localhost
- name: Load host specific variables
ansible.builtin.include_vars:
dir: "{{ configuration_directory }}/{{ item.group_name }}/{{ inventory_hostname }}"
files_matching: "{{ configuration_global_vars_file }}"
loop: "{{ _host_config_file.results }}"
when: item.stat.exists
loop_control:
loop_var: item
delegate_to: localhost