From ff66fe22ae8f00b6697c8435ef0bf879092da334 Mon Sep 17 00:00:00 2001
From: Bertrand Lanson
Date: Mon, 22 Jul 2024 23:04:05 +0200
Subject: [PATCH] feat(hashistack): move variable loading to specific role
---
 roles/hashistack/defaults/main.yml | 17 ++++++
 roles/hashistack/handlers/main.yml | 2 +
 roles/hashistack/meta/main.yml | 25 +++++++++
 .../hashistack/tasks/load_ca_certificates.yml | 52 +++++++++++++++++++
 .../tasks/load_credentials_vars.yml | 47 +++++++++++++++++
 roles/hashistack/tasks/load_global_vars.yml | 29 +++++++++++
 roles/hashistack/tasks/load_group_vars.yml | 22 ++++++++
 roles/hashistack/tasks/load_host_vars.yml | 19 +++++++
 roles/hashistack/tasks/main.yml | 32 ++++++++++++
 roles/hashistack/vars/main.yml | 2 +
 10 files changed, 247 insertions(+)
 create mode 100644 roles/hashistack/defaults/main.yml
 create mode 100644 roles/hashistack/handlers/main.yml
 create mode 100644 roles/hashistack/meta/main.yml
 create mode 100644 roles/hashistack/tasks/load_ca_certificates.yml
 create mode 100644 roles/hashistack/tasks/load_credentials_vars.yml
 create mode 100644 roles/hashistack/tasks/load_global_vars.yml
 create mode 100644 roles/hashistack/tasks/load_group_vars.yml
 create mode 100644 roles/hashistack/tasks/load_host_vars.yml
 create mode 100644 roles/hashistack/tasks/main.yml
 create mode 100644 roles/hashistack/vars/main.yml
diff --git a/roles/hashistack/defaults/main.yml b/roles/hashistack/defaults/main.yml
new file mode 100644
index 0000000..e9554f3
--- /dev/null
+++ b/roles/hashistack/defaults/main.yml
@@ -0,0 +1,17 @@
+---
+# defaults file for hashistack
+hashistack_configuration_directory: "{{ lookup('env', 'PWD') }}/etc/hashistack"
+hashistack_sub_configuration_directories:
+ secrets: "{{ hashistack_configuration_directory }}/secrets"
+ certificates: "{{ hashistack_configuration_directory }}/certificates"
+ nomad_servers: "{{ hashistack_configuration_directory }}/nomad_servers"
+ vault_servers: "{{ hashistack_configuration_directory }}/vault_servers"
+ consul_servers: "{{ hashistack_configuration_directory }}/consul_servers"
+
+hashistack_configuration_global_vars_file: "globals.yml"
+hashistack_configuration_credentials_vars_file: "credentials.yml"
+
+hashistack_remote_config_dir: "/etc/hashistack"
+hashistack_remote_log_dir: "/var/log/hashistack"
+
+hashistack_only_load_credentials: false
diff --git a/roles/hashistack/handlers/main.yml b/roles/hashistack/handlers/main.yml
new file mode 100644
index 0000000..e0911c6
--- /dev/null
+++ b/roles/hashistack/handlers/main.yml
@@ -0,0 +1,2 @@
+---
+# handlers file for hashistack
diff --git a/roles/hashistack/meta/main.yml b/roles/hashistack/meta/main.yml
new file mode 100644
index 0000000..7db3860
--- /dev/null
+++ b/roles/hashistack/meta/main.yml
@@ -0,0 +1,25 @@
+---
+# meta file for hashistack
+galaxy_info:
+ namespace: "ednz_cloud"
+ role_name: "hashistack"
+ author: "Bertrand Lanson"
+ description: "Merge variables for the playbooks contained in ednz_cloud.hashistack collection"
+ license: "license (BSD, MIT)"
+ min_ansible_version: "2.10"
+ platforms:
+ - name: Ubuntu
+ versions:
+ - focal
+ - jammy
+ - noble
+ - name: Debian
+ versions:
+ - bullseye
+ - bookworm
+ galaxy_tags:
+ - "ubuntu"
+ - "debian"
+ - "hashicorp"
+
+dependencies: []
diff --git a/roles/hashistack/tasks/load_ca_certificates.yml b/roles/hashistack/tasks/load_ca_certificates.yml
new file mode 100644
index 0000000..5636347
--- /dev/null
+++ b/roles/hashistack/tasks/load_ca_certificates.yml
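Review bot: `hashistack_configuration_directory` defaults to `lookup('env', 'PWD')`, which is the caller's shell working directory rather than anything tied to the playbook, so the `secrets` and `certificates` subdirectories resolve to different places depending on where `ansible-playbook` is launched from, and to a bare `/etc/hashistack` on the controller when PWD is unset (the env lookup returns an empty string in that case, as far as I can tell). Since `load_global_vars.yml` in this same change already anchors on `playbook_dir`, `hashistack_configuration_directory: "{{ playbook_dir }}/etc/hashistack"` would make the lookup location deterministic. If the cwd-relative behaviour is intentional, a comment above the key saying that the configuration tree is expected relative to the invocation directory would save the next reader the question.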
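Review bot: `license: "license (BSD, MIT)"` is the placeholder text that `ansible-galaxy init` writes, not a licence, and Galaxy expects an SPDX identifier here. It should be replaced with whatever the collection actually ships under, e.g. `license: "MIT"` if that is the one in use (constructed example; take the value from the collection's LICENSE file).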
@@ -0,0 +1,52 @@
+---
+# task/load_ca_certificates file for hashistack
+- name: "Check if CA directory exists"
+ ansible.builtin.stat:
+ path: "{{ hashistack_sub_configuration_directories['certificates'] }}/ca"
+ register: _hashistack_ca_directory
+ delegate_to: localhost
+
+- name: "Find custom ca certificates to copy"
+ ansible.builtin.find:
+ paths: "{{ hashistack_sub_configuration_directories['certificates'] }}/ca"
+ patterns: "*.crt"
+ register: _hashistack_cacert_files
+ delegate_to: localhost
+ when: _hashistack_ca_directory.stat.exists and _hashistack_ca_directory.stat.isdir
+
+- name: "Ensure remote ca directory exists"
+ ansible.builtin.file:
+ path: "{{ hashistack_remote_config_dir }}/ca"
+ state: directory
+ owner: root
+ group: root
+ mode: 0755
+
+- name: "Copy custom ca certificates"
+ ansible.builtin.copy:
+ src: "{{ item.path }}"
+ dest: "{{ hashistack_remote_config_dir }}/ca/{{ item.path | basename }}"
+ owner: root
+ group: root
+ mode: 0644
+ loop: "{{ _hashistack_cacert_files.files }}"
+ register: _hashistack_copied_ca
+ when: not _hashistack_cacert_files.skipped | default(False)
+
+- name: "Copy and update trust store"
+ when: not _hashistack_copied_ca.skipped | default(False)
+ block:
+ - name: "Copy ca certificates to /usr/local/share/ca-certificates"
+ ansible.builtin.file:
+ state: link
+ src: "{{ item.dest }}"
+ dest: "/usr/local/share/ca-certificates/hashistack-customca-{{ item.dest | basename }}"
+ owner: root
+ group: root
+ loop: "{{ _hashistack_copied_ca.results }}"
+ register: _hashistack_usr_local_share_ca_certificates
+
+ - name: "Update the trust store" # noqa: no-handler
+ ansible.builtin.command: update-ca-certificates
+ changed_when: false
+ when: _hashistack_usr_local_share_ca_certificates.changed
diff --git a/roles/hashistack/tasks/load_credentials_vars.yml b/roles/hashistack/tasks/load_credentials_vars.yml
new file mode 100644
index 0000000..b791254
--- /dev/null
+++ b/roles/hashistack/tasks/load_credentials_vars.yml
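Review bot: The trust store is only rebuilt when a symlink under /usr/local/share/ca-certificates changes, so a CA file whose content is updated in place (the copy task reports changed, the link task does not because the link already points at the same dest) never reaches `update-ca-certificates` and the previous CA stays trusted on the host; gating the last task on either result fixes it: `when: _hashistack_copied_ca.changed or _hashistack_usr_local_share_ca_certificates.changed`. `mode: 0755` and `mode: 0644` are unquoted leading-zero octals, which the Ansible docs advise quoting because that form is not reliably interpreted, notably inside loops as in the copy task here; `mode: "0755"` and `mode: "0644"` are the safe spellings (the same applies to `mode: 0755` in tasks/main.yml). Nothing in the file removes a certificate from the remote ca directory or the trust store once it disappears from the local ca directory, which is worth stating in the header comment, e.g. `# Certificates removed locally are not removed from the remote trust store; clean them up by hand.`, so operators know that part is manual.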
@@ -0,0 +1,47 @@
+---
+# task/load_credentials_vars file for hashistack
+- name: "Variables | Stat credentials file"
+ ansible.builtin.stat:
+ path: "{{ hashistack_sub_configuration_directories['secrets'] }}/{{ hashistack_configuration_credentials_vars_file }}"
+ register: _credentials_file
+ delegate_to: localhost
+
+- name: "Variables | Stat vault credentials file"
+ ansible.builtin.stat:
+ path: "{{ hashistack_sub_configuration_directories['secrets'] }}/vault.yml"
+ register: _vault_credentials_file
+ delegate_to: localhost
+
+- name: "Variables | Make sure credentials file exists"
+ ansible.builtin.assert:
+ that:
+ - _credentials_file.stat.exists
+ fail_msg: >-
+ Credentials file {{ _credentials_file.stat.path }} was not found, cannot continue without it.
+ delegate_to: localhost
+
+- name: "Variables | Load credentials variables"
+ ansible.builtin.include_vars:
+ dir: "{{ hashistack_sub_configuration_directories['secrets'] }}"
+ files_matching: "{{ hashistack_configuration_credentials_vars_file }}"
+ depth: 1
+ name: _credentials
+ delegate_to: localhost
+
+- name: "Variables | Load vault credentials if vault.yml exists"
+ ansible.builtin.include_vars:
+ dir: "{{ hashistack_sub_configuration_directories['secrets'] }}"
+ files_matching: "vault.yml"
+ depth: 1
+ name: _vault_credentials
+ when: _vault_credentials_file.stat.exists
+ delegate_to: localhost
+
+- name: "Variables | Merge vault credentials into _credentials"
+ vars:
+ _config_to_merge:
+ vault: "{{ _vault_credentials }}"
+ ansible.builtin.set_fact:
+ _credentials: "{{ _credentials | combine(_config_to_merge, recursive=true) }}"
+ when: _vault_credentials_file.stat.exists
+ delegate_to: localhost
diff --git a/roles/hashistack/tasks/load_global_vars.yml b/roles/hashistack/tasks/load_global_vars.yml
new file mode 100644
index 0000000..0099bdb
--- /dev/null
+++ b/roles/hashistack/tasks/load_global_vars.yml
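Review bot: `fail_msg` references `_credentials_file.stat.path`, but the stat module only returns `path` when the file exists, so on the very path this assert is meant to report the task instead fails with an undefined-attribute templating error and the operator never sees the intended message; build the message from the inputs instead: `Credentials file {{ hashistack_sub_configuration_directories['secrets'] }}/{{ hashistack_configuration_credentials_vars_file }} was not found, cannot continue without it.` The same pattern is in load_global_vars.yml (`_global_config_file.stat.path`). Separately, the two include_vars tasks and the set_fact merge handle secrets but carry no `no_log: true`; include_vars returns the loaded data under `ansible_facts` and set_fact returns the merged `_credentials`, both of which are printed at `-v`, so the credentials land in console output and any log shipping attached to it. Adding `no_log: true` to those three tasks closes that.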
@@ -0,0 +1,29 @@
+---
+# task/load_global_vars file for hashistack
+- name: "Variables | Include all default variables"
+ ansible.builtin.include_vars:
+ dir: "{{ playbook_dir }}/group_vars/all/"
+ depth: 1
+ extensions: ["yml"]
+ delegate_to: localhost
+
+- name: "Variables | Stat global configuration file"
+ ansible.builtin.stat:
+ path: "{{ hashistack_configuration_directory }}/{{ hashistack_configuration_global_vars_file }}"
+ register: _global_config_file
+ delegate_to: localhost
+
+- name: "Variables | Make sure global configuration file exists"
+ ansible.builtin.assert:
+ that:
+ - _global_config_file.stat.exists
+ fail_msg: >-
+ Main configuration file {{ _global_config_file.stat.path }} was not found, cannot continue without it.
+ delegate_to: localhost
+
+- name: "Variables | Load global variables"
+ ansible.builtin.include_vars:
+ dir: "{{ hashistack_configuration_directory }}"
+ files_matching: "{{ hashistack_configuration_global_vars_file }}"
+ depth: 1
+ delegate_to: localhost
diff --git a/roles/hashistack/tasks/load_group_vars.yml b/roles/hashistack/tasks/load_group_vars.yml
new file mode 100644
index 0000000..e18360f
--- /dev/null
+++ b/roles/hashistack/tasks/load_group_vars.yml
@@ -0,0 +1,22 @@
+---
+# task/load_group_vars file for hashistack
+- name: "Variables | Stat group specific config file"
+ ansible.builtin.stat:
+ path: "{{ hashistack_configuration_directory }}/{{ group_name }}/{{ hashistack_configuration_global_vars_file }}"
+ register: _group_config_file
+ loop: "{{ group_names }}"
+ loop_control:
+ loop_var: group_name
+ delegate_to: localhost
+
+- name: "Variables | Load group specific variables"
+ ansible.builtin.include_vars:
+ dir: "{{ hashistack_configuration_directory }}/{{ item.group_name }}"
+ files_matching: "{{ hashistack_configuration_global_vars_file }}"
+ depth: 1
+ loop: "{{ _group_config_file.results }}"
+ when: item.stat.exists
+ and item.group_name in group_names
+ loop_control:
+ loop_var: item
+ delegate_to: localhost
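Review bot: `extensions: ["yml"]` makes the first task skip `group_vars/all/*.yaml` (and `.json`) files that Ansible's own inventory loading accepts, so a file that works when the play runs normally silently contributes nothing here; `extensions: ["yml", "yaml"]` keeps the two in step. Re-loading `group_vars/all` through include_vars also lifts those values to include_vars precedence, which in Ansible's documented order sits above inventory and playbook `host_vars`, so a per-host override in `host_vars/` is replaced by the `all` default once this task runs. If that is intended, a comment above the task stating that `group_vars/all` deliberately wins over host_vars here would help; if not, the task may be better dropped, since the play already has those variables.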
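Review bot: The second condition `and item.group_name in group_names` can never be false, because `_group_config_file.results` was produced by looping over `group_names` in the task above, and `loop_control: loop_var: item` only restates the default loop variable; `when: item.stat.exists` on its own says the same thing. If a second condition is ever needed, the list form of `when` reads more clearly than a plain scalar continued onto the next line, which depends on YAML folding to stay one expression.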
diff --git a/roles/hashistack/tasks/load_host_vars.yml b/roles/hashistack/tasks/load_host_vars.yml
new file mode 100644
index 0000000..78533a7
--- /dev/null
+++ b/roles/hashistack/tasks/load_host_vars.yml
@@ -0,0 +1,19 @@
+---
+- name: "Variables | Stat host specific config file"
+ ansible.builtin.stat:
+ path: "{{ hashistack_configuration_directory }}/{{ group_name }}/{{ inventory_hostname }}/{{ hashistack_configuration_global_vars_file }}"
+ register: _host_config_file
+ loop: "{{ group_names }}"
+ loop_control:
+ loop_var: group_name
+ delegate_to: localhost
+
+- name: "Variables | Load host specific variables"
+ ansible.builtin.include_vars:
+ dir: "{{ hashistack_configuration_directory }}/{{ item.group_name }}/{{ inventory_hostname }}"
+ files_matching: "{{ hashistack_configuration_global_vars_file }}"
+ loop: "{{ _host_config_file.results }}"
+ when: item.stat.exists
+ loop_control:
+ loop_var: item
+ delegate_to: localhost
diff --git a/roles/hashistack/tasks/main.yml b/roles/hashistack/tasks/main.yml
new file mode 100644
index 0000000..ef6e017
--- /dev/null
+++ b/roles/hashistack/tasks/main.yml
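Review bot: This include_vars has no `depth: 1`, unlike the loaders in load_global_vars.yml, load_group_vars.yml and load_credentials_vars.yml, so with `dir` it descends into every subdirectory of the host directory and a file named `{{ hashistack_configuration_global_vars_file }}` (globals.yml by default) nested anywhere below it is loaded as well; add `depth: 1` after `files_matching` to match the siblings. This is also the only task file in the role without the header comment; `# task/load_host_vars file for hashistack` under the `---` keeps the convention. `loop_var: item` restates the default and can go.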
@@ -0,0 +1,32 @@
+---
+# task/main file for hashi_vars
+- name: "Variables | Load global variables"
+ ansible.builtin.include_tasks: load_global_vars.yml
+ when: not hashistack_only_load_credentials
+
+- name: "Variables | Load credentials variables"
+ ansible.builtin.include_tasks: load_credentials_vars.yml
+
+- name: "Variables | Load group specific variables"
+ ansible.builtin.include_tasks: load_group_vars.yml
+ when: not hashistack_only_load_credentials
+
+- name: "Variables | Load host specific variables"
+ ansible.builtin.include_tasks: load_host_vars.yml
+ when: not hashistack_only_load_credentials
+
+- name: "Ensure remote directories exists"
+ ansible.builtin.file:
+ path: "{{ item }}"
+ state: directory
+ owner: root
+ group: root
+ mode: 0755
+ loop:
+ - "{{ hashistack_remote_config_dir }}"
+ - "{{ hashistack_remote_log_dir }}"
+ when: not hashistack_only_load_credentials
+
+- name: "Variables | Load custom CA certificates"
+ ansible.builtin.include_tasks: load_ca_certificates.yml
+ when: not hashistack_only_load_credentials
diff --git a/roles/hashistack/vars/main.yml b/roles/hashistack/vars/main.yml
new file mode 100644
index 0000000..622dbc0
--- /dev/null
+++ b/roles/hashistack/vars/main.yml
@@ -0,0 +1,2 @@
+---
+# vars file for hashistack
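Review bot: The header comment `# task/main file for hashi_vars` names a role that does not exist in this change; the role is `hashistack`, so it should read `# task/main file for hashistack`, the form every other task file here uses. The task name `Ensure remote directories exists` has a number-agreement slip; `Ensure remote directories exist`. A one-line comment above the first task explaining what `hashistack_only_load_credentials` is for (only the credentials loader runs when it is true; remote directories and CA certificates are untouched) would make the repeated `when:` guards self-explanatory.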