Compare commits
42 Commits
393516f03b
...
97b14b5160
Author | SHA1 | Date | |
---|---|---|---|
97b14b5160 | |||
2b8faa2bf5 | |||
259f273fd9 | |||
9703fad7c9 | |||
01a53c6a3a | |||
8f1b3cf66a | |||
646f81e50b | |||
34e30b0a5f | |||
265aa4ce42 | |||
10bea17054 | |||
d194e5ef23 | |||
9371296d80 | |||
0852eae2fc | |||
9bd5d0222e | |||
459d176979 | |||
27d8fc79a3 | |||
41c6064d01 | |||
ff66fe22ae | |||
bc2aa9353b | |||
69fa4aecde | |||
09d0304748 | |||
ca65a44eac | |||
f73b7bb63e | |||
61087388e6 | |||
c7ed8c09a3 | |||
2c9f538cef | |||
c30e3e84d5 | |||
f2c4f67b54 | |||
b07cdea49c | |||
3fa7c7bc32 | |||
a574caac26 | |||
51605ab239 | |||
962af038cf | |||
a8faaeb21f | |||
eeb4f6615c | |||
7f8d8654a4 | |||
1448d10c93 | |||
594188b28f | |||
8bf82336f8 | |||
01d91eae57 | |||
b7bd59d5fa | |||
c9241b9e92 |
1
.cz.toml
1
.cz.toml
@ -4,3 +4,4 @@ version_provider = "scm"
|
||||
version_files = ["galaxy.yml:^version"]
|
||||
update_changelog_on_bump = true
|
||||
major_version_zero = true
|
||||
tag_format = "v$version"
|
||||
|
@ -1,3 +1,4 @@
|
||||
---
|
||||
repos:
|
||||
- repo: https://github.com/pre-commit/pre-commit-hooks
|
||||
rev: v4.5.0
|
||||
|
@ -6,7 +6,7 @@
|
||||
|
||||
Hashistack Ansible uses a configuration directory to store all the configuration files and other artifacts.
|
||||
|
||||
This directory is defined with the variable `configuration_directory`. By default, it will look at `{{ lookup('env', 'PWD') }}/etc/hashistack`, which equals `$(pwd)/etc/hashistack`.
|
||||
This directory is defined with the variable `hashistack_configuration_directory`. By default, it will look at `{{ lookup('env', 'PWD') }}/etc/hashistack`, which equals `$(pwd)/etc/hashistack`.
|
||||
|
||||
Under this directory, you are expected to place the `globals.yml` file, with your configuration.
|
||||
|
||||
@ -18,9 +18,9 @@ Additionally, subdirectories can be used to tailor the configuration further.
|
||||
|
||||
Each group within the `inventory` will look at a directory named after itself:
|
||||
|
||||
- nomad_servers group will look for `{{ configuration_directory }}/nomad_servers`
|
||||
- vault_servers group will look for `{{ configuration_directory }}/vault_servers`
|
||||
- consul_servers group will look for `{{ configuration_directory }}/consul_servers`
|
||||
- nomad_servers group will look for `{{ hashistack_configuration_directory }}/nomad_servers`
|
||||
- vault_servers group will look for `{{ hashistack_configuration_directory }}/vault_servers`
|
||||
- consul_servers group will look for `{{ hashistack_configuration_directory }}/consul_servers`
|
||||
|
||||
Within each of these directories, you can place an additional `globals.yml file`, that will superseed the file at the root of the configuration directory.
|
||||
|
||||
|
@ -112,6 +112,16 @@ This will install roles that are not packaged with the collection, but are still
|
||||
|
||||
You should now have some roles inside `./roles/`.
|
||||
|
||||
9. Copy `inventory` file and `globals.yml `file locally
|
||||
|
||||
```bash
|
||||
cp collections/ansible_collections/ednz_cloud/hashistack/playbooks/inventory/multinode.ini inventory/
|
||||
```
|
||||
|
||||
```bash
|
||||
cp collections/ansible_collections/ednz_cloud/hashistack/playbooks/group_vars/all/globals.yml etc/hashistack/globals.yml
|
||||
```
|
||||
|
||||
## Generate Credentials
|
||||
|
||||
Before deploying your infrastructure with Hashistack-Ansible, you need to generate credentials that will be used to bootstrap the various clusters.
|
||||
|
@ -1 +1,6 @@
|
||||
# TLS Guide
|
||||
|
||||
|
||||
create certificate/ca directory
|
||||
|
||||
`ansible-playbook -i inventory/multinode.ini ednz_cloud.hashistack.generate_certs.yml`
|
||||
|
@ -11,7 +11,7 @@ license_file: "LICENSE"
|
||||
|
||||
# A list of tags you want to associate with the collection for indexing/searching. A tag name has the same character
|
||||
# requirements as 'namespace' and 'name'
|
||||
tags: []
|
||||
tags: ["tools"]
|
||||
dependencies: {}
|
||||
repository: https://git.ednz.fr/ansible-collections/hashistack
|
||||
documentation: http://docs.example.com
|
||||
|
8
molecule/cni_default/converge.yml
Normal file
8
molecule/cni_default/converge.yml
Normal file
@ -0,0 +1,8 @@
|
||||
---
|
||||
- name: Converge
|
||||
hosts: all
|
||||
become: true
|
||||
tasks:
|
||||
- name: "Include ednz_cloud.hashistack.cni"
|
||||
ansible.builtin.include_role:
|
||||
name: "ednz_cloud.hashistack.cni"
|
37
molecule/cni_default/molecule.yml
Normal file
37
molecule/cni_default/molecule.yml
Normal file
@ -0,0 +1,37 @@
|
||||
---
|
||||
dependency:
|
||||
name: galaxy
|
||||
options:
|
||||
requirements-file: ./requirements.yml
|
||||
driver:
|
||||
name: docker
|
||||
platforms:
|
||||
- name: instance
|
||||
image: geerlingguy/docker-${MOLECULE_TEST_OS}-ansible
|
||||
command: ""
|
||||
volumes:
|
||||
- /sys/fs/cgroup:/sys/fs/cgroup
|
||||
cgroupns_mode: host
|
||||
privileged: true
|
||||
pre_build_image: true
|
||||
provisioner:
|
||||
name: ansible
|
||||
config_options:
|
||||
defaults:
|
||||
remote_tmp: /tmp/.ansible
|
||||
verifier:
|
||||
name: ansible
|
||||
scenario:
|
||||
name: cni_default
|
||||
test_sequence:
|
||||
- dependency
|
||||
- cleanup
|
||||
- destroy
|
||||
- syntax
|
||||
- create
|
||||
- prepare
|
||||
- converge
|
||||
- idempotence
|
||||
- verify
|
||||
- cleanup
|
||||
- destroy
|
13
molecule/cni_default/prepare.yml
Normal file
13
molecule/cni_default/prepare.yml
Normal file
@ -0,0 +1,13 @@
|
||||
---
|
||||
- name: Prepare
|
||||
hosts: all
|
||||
become: true
|
||||
tasks:
|
||||
- name: "Install pre-required system packages"
|
||||
ansible.builtin.include_role:
|
||||
name: ednz_cloud.manage_apt_packages
|
||||
vars:
|
||||
manage_apt_packages_list:
|
||||
- name: unzip
|
||||
version: latest
|
||||
state: present
|
4
molecule/cni_default/requirements.yml
Normal file
4
molecule/cni_default/requirements.yml
Normal file
@ -0,0 +1,4 @@
|
||||
---
|
||||
# requirements file for molecule
|
||||
roles:
|
||||
- name: ednz_cloud.manage_apt_packages
|
6
molecule/cni_default/verify.yml
Normal file
6
molecule/cni_default/verify.yml
Normal file
@ -0,0 +1,6 @@
|
||||
---
|
||||
- name: Verify
|
||||
hosts: all
|
||||
gather_facts: true
|
||||
become: true
|
||||
tasks: []
|
8
molecule/consul_default/converge.yml
Normal file
8
molecule/consul_default/converge.yml
Normal file
@ -0,0 +1,8 @@
|
||||
---
|
||||
- name: Converge
|
||||
hosts: all
|
||||
become: true
|
||||
tasks:
|
||||
- name: "Include ednz_cloud.hashistack.consul"
|
||||
ansible.builtin.include_role:
|
||||
name: "ednz_cloud.hashistack.consul"
|
37
molecule/consul_default/molecule.yml
Normal file
37
molecule/consul_default/molecule.yml
Normal file
@ -0,0 +1,37 @@
|
||||
---
|
||||
dependency:
|
||||
name: galaxy
|
||||
options:
|
||||
requirements-file: ./requirements.yml
|
||||
driver:
|
||||
name: docker
|
||||
platforms:
|
||||
- name: instance
|
||||
image: geerlingguy/docker-${MOLECULE_TEST_OS}-ansible
|
||||
command: ""
|
||||
volumes:
|
||||
- /sys/fs/cgroup:/sys/fs/cgroup
|
||||
cgroupns_mode: host
|
||||
privileged: true
|
||||
pre_build_image: true
|
||||
provisioner:
|
||||
name: ansible
|
||||
config_options:
|
||||
defaults:
|
||||
remote_tmp: /tmp/.ansible
|
||||
verifier:
|
||||
name: ansible
|
||||
scenario:
|
||||
name: consul_default
|
||||
test_sequence:
|
||||
- dependency
|
||||
- cleanup
|
||||
- destroy
|
||||
- syntax
|
||||
- create
|
||||
- prepare
|
||||
- converge
|
||||
- idempotence
|
||||
- verify
|
||||
- cleanup
|
||||
- destroy
|
13
molecule/consul_default/prepare.yml
Normal file
13
molecule/consul_default/prepare.yml
Normal file
@ -0,0 +1,13 @@
|
||||
---
|
||||
- name: Prepare
|
||||
hosts: all
|
||||
become: true
|
||||
tasks:
|
||||
- name: "Install pre-required system packages"
|
||||
ansible.builtin.include_role:
|
||||
name: ednz_cloud.manage_apt_packages
|
||||
vars:
|
||||
manage_apt_packages_list:
|
||||
- name: unzip
|
||||
version: latest
|
||||
state: present
|
4
molecule/consul_default/requirements.yml
Normal file
4
molecule/consul_default/requirements.yml
Normal file
@ -0,0 +1,4 @@
|
||||
---
|
||||
# requirements file for molecule
|
||||
roles:
|
||||
- name: ednz_cloud.manage_apt_packages
|
170
molecule/consul_default/verify.yml
Normal file
170
molecule/consul_default/verify.yml
Normal file
@ -0,0 +1,170 @@
|
||||
---
|
||||
- name: Verify
|
||||
hosts: all
|
||||
gather_facts: true
|
||||
become: true
|
||||
tasks:
|
||||
- name: "Test: consul user and group"
|
||||
block:
|
||||
- name: "Getent user consul"
|
||||
ansible.builtin.getent:
|
||||
database: passwd
|
||||
key: consul
|
||||
register: consul_user
|
||||
|
||||
- name: "Getent group consul"
|
||||
ansible.builtin.getent:
|
||||
database: group
|
||||
key: consul
|
||||
register: consul_group
|
||||
|
||||
- name: "Verify consul user and group"
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- not consul_user.failed
|
||||
- not consul_group.failed
|
||||
- "'consul' in consul_user.ansible_facts.getent_passwd.keys()"
|
||||
- "'/home/consul' in consul_user.ansible_facts.getent_passwd['consul']"
|
||||
- "'/bin/false' in consul_user.ansible_facts.getent_passwd['consul']"
|
||||
- "'consul' in consul_group.ansible_facts.getent_group.keys()"
|
||||
|
||||
- name: "Test: binary /usr/local/bin/consul"
|
||||
block:
|
||||
- name: "Stat binary /usr/local/bin/consul"
|
||||
ansible.builtin.stat:
|
||||
path: "/usr/local/bin/consul"
|
||||
register: stat_usr_local_bin_consul
|
||||
|
||||
- name: "Verify binary /usr/local/bin/consul"
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- stat_usr_local_bin_consul.stat.exists
|
||||
- stat_usr_local_bin_consul.stat.isreg
|
||||
- stat_usr_local_bin_consul.stat.pw_name == 'root'
|
||||
- stat_usr_local_bin_consul.stat.gr_name == 'root'
|
||||
- stat_usr_local_bin_consul.stat.mode == '0755'
|
||||
|
||||
- name: "Test: directory /etc/consul.d"
|
||||
block:
|
||||
- name: "Stat directory /etc/consul.d"
|
||||
ansible.builtin.stat:
|
||||
path: "/etc/consul.d"
|
||||
register: stat_etc_consul_d
|
||||
|
||||
- name: "Stat file /etc/consul.d/consul.env"
|
||||
ansible.builtin.stat:
|
||||
path: "/etc/consul.d/consul.env"
|
||||
register: stat_etc_consul_d_consul_env
|
||||
|
||||
- name: "Stat file /etc/consul.d/consul.json"
|
||||
ansible.builtin.stat:
|
||||
path: "/etc/consul.d/consul.json"
|
||||
register: stat_etc_consul_d_consul_json
|
||||
|
||||
- name: "Slurp file /etc/consul.d/consul.json"
|
||||
ansible.builtin.slurp:
|
||||
src: "/etc/consul.d/consul.json"
|
||||
register: slurp_etc_consul_d_consul_json
|
||||
|
||||
- name: "Verify directory /etc/consul.d"
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- stat_etc_consul_d.stat.exists
|
||||
- stat_etc_consul_d.stat.isdir
|
||||
- stat_etc_consul_d.stat.pw_name == 'consul'
|
||||
- stat_etc_consul_d.stat.gr_name == 'consul'
|
||||
- stat_etc_consul_d.stat.mode == '0755'
|
||||
- stat_etc_consul_d_consul_env.stat.exists
|
||||
- stat_etc_consul_d_consul_env.stat.isreg
|
||||
- stat_etc_consul_d_consul_env.stat.pw_name == 'consul'
|
||||
- stat_etc_consul_d_consul_env.stat.gr_name == 'consul'
|
||||
- stat_etc_consul_d_consul_env.stat.mode == '0600'
|
||||
- stat_etc_consul_d_consul_json.stat.exists
|
||||
- stat_etc_consul_d_consul_json.stat.isreg
|
||||
- stat_etc_consul_d_consul_json.stat.pw_name == 'consul'
|
||||
- stat_etc_consul_d_consul_json.stat.gr_name == 'consul'
|
||||
- stat_etc_consul_d_consul_json.stat.mode == '0600'
|
||||
- slurp_etc_consul_d_consul_json.content != ''
|
||||
|
||||
- name: "Test: directory /opt/consul"
|
||||
block:
|
||||
- name: "Stat directory /opt/consul"
|
||||
ansible.builtin.stat:
|
||||
path: "/opt/consul"
|
||||
register: stat_opt_consul
|
||||
|
||||
- name: "Verify directory /opt/consul"
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- stat_opt_consul.stat.exists
|
||||
- stat_opt_consul.stat.isdir
|
||||
- stat_opt_consul.stat.pw_name == 'consul'
|
||||
- stat_opt_consul.stat.gr_name == 'consul'
|
||||
- stat_opt_consul.stat.mode == '0755'
|
||||
|
||||
- name: "Test: service consul"
|
||||
block:
|
||||
- name: "Get service consul"
|
||||
ansible.builtin.service_facts:
|
||||
|
||||
- name: "Stat file /etc/systemd/system/consul.service"
|
||||
ansible.builtin.stat:
|
||||
path: "/etc/systemd/system/consul.service"
|
||||
register: stat_etc_systemd_system_consul_service
|
||||
|
||||
- name: "Slurp file /etc/systemd/system/consul.service"
|
||||
ansible.builtin.slurp:
|
||||
src: "/etc/systemd/system/consul.service"
|
||||
register: slurp_etc_systemd_system_consul_service
|
||||
|
||||
- name: "Verify service consul"
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- stat_etc_systemd_system_consul_service.stat.exists
|
||||
- stat_etc_systemd_system_consul_service.stat.isreg
|
||||
- stat_etc_systemd_system_consul_service.stat.pw_name == 'root'
|
||||
- stat_etc_systemd_system_consul_service.stat.gr_name == 'root'
|
||||
- stat_etc_systemd_system_consul_service.stat.mode == '0644'
|
||||
- slurp_etc_systemd_system_consul_service.content != ''
|
||||
- ansible_facts.services['consul.service'] is defined
|
||||
- ansible_facts.services['consul.service']['source'] == 'systemd'
|
||||
- ansible_facts.services['consul.service']['state'] == 'running'
|
||||
- ansible_facts.services['consul.service']['status'] == 'enabled'
|
||||
|
||||
- name: "Test: interaction consul"
|
||||
block:
|
||||
- name: "Command consul kv put"
|
||||
ansible.builtin.command: "consul kv put foo bar"
|
||||
environment:
|
||||
CONSUL_HTTP_ADDR: "http://{{ ansible_default_ipv4.address }}:8500"
|
||||
changed_when: false
|
||||
register: consul_kv_put
|
||||
|
||||
- name: "Command consul kv get"
|
||||
ansible.builtin.command: "consul kv get foo"
|
||||
environment:
|
||||
CONSUL_HTTP_ADDR: "http://{{ ansible_default_ipv4.address }}:8500"
|
||||
changed_when: false
|
||||
register: consul_kv_get
|
||||
|
||||
- name: "Command consul kv delete"
|
||||
ansible.builtin.command: "consul kv delete foo"
|
||||
environment:
|
||||
CONSUL_HTTP_ADDR: "http://{{ ansible_default_ipv4.address }}:8500"
|
||||
changed_when: false
|
||||
register: consul_kv_delete
|
||||
|
||||
- name: "Command consul members"
|
||||
ansible.builtin.command: "consul members"
|
||||
environment:
|
||||
CONSUL_HTTP_ADDR: "http://{{ ansible_default_ipv4.address }}:8500"
|
||||
changed_when: false
|
||||
register: consul_members
|
||||
|
||||
- name: "Verify consul interaction"
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- "'instance' in consul_members.stdout"
|
||||
- consul_kv_put.stdout == 'Success! Data written to: foo'
|
||||
- consul_kv_get.stdout == 'bar'
|
||||
- consul_kv_delete.stdout == 'Success! Deleted key: foo'
|
8
molecule/consul_with_acl_enabled/converge.yml
Normal file
8
molecule/consul_with_acl_enabled/converge.yml
Normal file
@ -0,0 +1,8 @@
|
||||
---
|
||||
- name: Converge
|
||||
hosts: all
|
||||
become: true
|
||||
tasks:
|
||||
- name: "Include ednz_cloud.hashistack.consul"
|
||||
ansible.builtin.include_role:
|
||||
name: "ednz_cloud.hashistack.consul"
|
23
molecule/consul_with_acl_enabled/group_vars/all.yml
Normal file
23
molecule/consul_with_acl_enabled/group_vars/all.yml
Normal file
@ -0,0 +1,23 @@
|
||||
---
|
||||
#####################
|
||||
# ACL configuration #
|
||||
#####################
|
||||
|
||||
consul_acl_configuration:
|
||||
enabled: true
|
||||
default_policy: "deny"
|
||||
enable_token_persistence: true
|
||||
tokens:
|
||||
initial_management: "1a1f2ce5-3730-47de-9a9c-89e037376bab"
|
||||
agent: "1a1f2ce5-3730-47de-9a9c-89e037376bab"
|
||||
|
||||
###########
|
||||
# logging #
|
||||
###########
|
||||
|
||||
consul_log_level: info
|
||||
consul_enable_log_to_file: true
|
||||
consul_log_to_file_configuration:
|
||||
log_file: "{{ consul_logs_dir }}/consul.log"
|
||||
log_rotate_duration: 24h
|
||||
log_rotate_max_files: 30
|
37
molecule/consul_with_acl_enabled/molecule.yml
Normal file
37
molecule/consul_with_acl_enabled/molecule.yml
Normal file
@ -0,0 +1,37 @@
|
||||
---
|
||||
dependency:
|
||||
name: galaxy
|
||||
options:
|
||||
requirements-file: ./requirements.yml
|
||||
driver:
|
||||
name: docker
|
||||
platforms:
|
||||
- name: instance
|
||||
image: geerlingguy/docker-${MOLECULE_TEST_OS}-ansible
|
||||
command: ""
|
||||
volumes:
|
||||
- /sys/fs/cgroup:/sys/fs/cgroup
|
||||
cgroupns_mode: host
|
||||
privileged: true
|
||||
pre_build_image: true
|
||||
provisioner:
|
||||
name: ansible
|
||||
config_options:
|
||||
defaults:
|
||||
remote_tmp: /tmp/.ansible
|
||||
verifier:
|
||||
name: ansible
|
||||
scenario:
|
||||
name: consul_with_acl_enabled
|
||||
test_sequence:
|
||||
- dependency
|
||||
- cleanup
|
||||
- destroy
|
||||
- syntax
|
||||
- create
|
||||
- prepare
|
||||
- converge
|
||||
- idempotence
|
||||
- verify
|
||||
- cleanup
|
||||
- destroy
|
13
molecule/consul_with_acl_enabled/prepare.yml
Normal file
13
molecule/consul_with_acl_enabled/prepare.yml
Normal file
@ -0,0 +1,13 @@
|
||||
---
|
||||
- name: Prepare
|
||||
hosts: all
|
||||
become: true
|
||||
tasks:
|
||||
- name: "Install pre-required system packages"
|
||||
ansible.builtin.include_role:
|
||||
name: ednz_cloud.manage_apt_packages
|
||||
vars:
|
||||
manage_apt_packages_list:
|
||||
- name: unzip
|
||||
version: latest
|
||||
state: present
|
4
molecule/consul_with_acl_enabled/requirements.yml
Normal file
4
molecule/consul_with_acl_enabled/requirements.yml
Normal file
@ -0,0 +1,4 @@
|
||||
---
|
||||
# requirements file for molecule
|
||||
roles:
|
||||
- name: ednz_cloud.manage_apt_packages
|
176
molecule/consul_with_acl_enabled/verify.yml
Normal file
176
molecule/consul_with_acl_enabled/verify.yml
Normal file
@ -0,0 +1,176 @@
|
||||
---
|
||||
- name: Verify
|
||||
hosts: all
|
||||
gather_facts: true
|
||||
become: true
|
||||
tasks:
|
||||
- name: "Test: consul user and group"
|
||||
block:
|
||||
- name: "Getent user consul"
|
||||
ansible.builtin.getent:
|
||||
database: passwd
|
||||
key: consul
|
||||
register: consul_user
|
||||
|
||||
- name: "Getent group consul"
|
||||
ansible.builtin.getent:
|
||||
database: group
|
||||
key: consul
|
||||
register: consul_group
|
||||
|
||||
- name: "Verify consul user and group"
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- not consul_user.failed
|
||||
- not consul_group.failed
|
||||
- "'consul' in consul_user.ansible_facts.getent_passwd.keys()"
|
||||
- "'/home/consul' in consul_user.ansible_facts.getent_passwd['consul']"
|
||||
- "'/bin/false' in consul_user.ansible_facts.getent_passwd['consul']"
|
||||
- "'consul' in consul_group.ansible_facts.getent_group.keys()"
|
||||
|
||||
- name: "Test: binary /usr/local/bin/consul"
|
||||
block:
|
||||
- name: "Stat binary /usr/local/bin/consul"
|
||||
ansible.builtin.stat:
|
||||
path: "/usr/local/bin/consul"
|
||||
register: stat_usr_local_bin_consul
|
||||
|
||||
- name: "Verify binary /usr/local/bin/consul"
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- stat_usr_local_bin_consul.stat.exists
|
||||
- stat_usr_local_bin_consul.stat.isreg
|
||||
- stat_usr_local_bin_consul.stat.pw_name == 'root'
|
||||
- stat_usr_local_bin_consul.stat.gr_name == 'root'
|
||||
- stat_usr_local_bin_consul.stat.mode == '0755'
|
||||
|
||||
- name: "Test: directory /etc/consul.d"
|
||||
block:
|
||||
- name: "Stat directory /etc/consul.d"
|
||||
ansible.builtin.stat:
|
||||
path: "/etc/consul.d"
|
||||
register: stat_etc_consul_d
|
||||
|
||||
- name: "Stat file /etc/consul.d/consul.env"
|
||||
ansible.builtin.stat:
|
||||
path: "/etc/consul.d/consul.env"
|
||||
register: stat_etc_consul_d_consul_env
|
||||
|
||||
- name: "Stat file /etc/consul.d/consul.json"
|
||||
ansible.builtin.stat:
|
||||
path: "/etc/consul.d/consul.json"
|
||||
register: stat_etc_consul_d_consul_json
|
||||
|
||||
- name: "Slurp file /etc/consul.d/consul.json"
|
||||
ansible.builtin.slurp:
|
||||
src: "/etc/consul.d/consul.json"
|
||||
register: slurp_etc_consul_d_consul_json
|
||||
|
||||
- name: "Verify directory /etc/consul.d"
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- stat_etc_consul_d.stat.exists
|
||||
- stat_etc_consul_d.stat.isdir
|
||||
- stat_etc_consul_d.stat.pw_name == 'consul'
|
||||
- stat_etc_consul_d.stat.gr_name == 'consul'
|
||||
- stat_etc_consul_d.stat.mode == '0755'
|
||||
- stat_etc_consul_d_consul_env.stat.exists
|
||||
- stat_etc_consul_d_consul_env.stat.isreg
|
||||
- stat_etc_consul_d_consul_env.stat.pw_name == 'consul'
|
||||
- stat_etc_consul_d_consul_env.stat.gr_name == 'consul'
|
||||
- stat_etc_consul_d_consul_env.stat.mode == '0600'
|
||||
- stat_etc_consul_d_consul_json.stat.exists
|
||||
- stat_etc_consul_d_consul_json.stat.isreg
|
||||
- stat_etc_consul_d_consul_json.stat.pw_name == 'consul'
|
||||
- stat_etc_consul_d_consul_json.stat.gr_name == 'consul'
|
||||
- stat_etc_consul_d_consul_json.stat.mode == '0600'
|
||||
- slurp_etc_consul_d_consul_json.content != ''
|
||||
|
||||
- name: "Test: directory /opt/consul"
|
||||
block:
|
||||
- name: "Stat directory /opt/consul"
|
||||
ansible.builtin.stat:
|
||||
path: "/opt/consul"
|
||||
register: stat_opt_consul
|
||||
|
||||
- name: "Verify directory /opt/consul"
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- stat_opt_consul.stat.exists
|
||||
- stat_opt_consul.stat.isdir
|
||||
- stat_opt_consul.stat.pw_name == 'consul'
|
||||
- stat_opt_consul.stat.gr_name == 'consul'
|
||||
- stat_opt_consul.stat.mode == '0755'
|
||||
|
||||
- name: "Test: service consul"
|
||||
block:
|
||||
- name: "Get service consul"
|
||||
ansible.builtin.service_facts:
|
||||
|
||||
- name: "Stat file /etc/systemd/system/consul.service"
|
||||
ansible.builtin.stat:
|
||||
path: "/etc/systemd/system/consul.service"
|
||||
register: stat_etc_systemd_system_consul_service
|
||||
|
||||
- name: "Slurp file /etc/systemd/system/consul.service"
|
||||
ansible.builtin.slurp:
|
||||
src: "/etc/systemd/system/consul.service"
|
||||
register: slurp_etc_systemd_system_consul_service
|
||||
|
||||
- name: "Verify service consul"
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- stat_etc_systemd_system_consul_service.stat.exists
|
||||
- stat_etc_systemd_system_consul_service.stat.isreg
|
||||
- stat_etc_systemd_system_consul_service.stat.pw_name == 'root'
|
||||
- stat_etc_systemd_system_consul_service.stat.gr_name == 'root'
|
||||
- stat_etc_systemd_system_consul_service.stat.mode == '0644'
|
||||
- slurp_etc_systemd_system_consul_service.content != ''
|
||||
- ansible_facts.services['consul.service'] is defined
|
||||
- ansible_facts.services['consul.service']['source'] == 'systemd'
|
||||
- ansible_facts.services['consul.service']['state'] == 'running'
|
||||
- ansible_facts.services['consul.service']['status'] == 'enabled'
|
||||
|
||||
- name: "Test: interaction consul"
|
||||
vars:
|
||||
acl_token: "1a1f2ce5-3730-47de-9a9c-89e037376bab"
|
||||
block:
|
||||
- name: "Command consul kv put"
|
||||
ansible.builtin.command: "consul kv put foo bar"
|
||||
environment:
|
||||
CONSUL_HTTP_ADDR: "http://{{ ansible_default_ipv4.address }}:8500"
|
||||
CONSUL_HTTP_TOKEN: "{{ acl_token }}"
|
||||
changed_when: false
|
||||
register: consul_kv_put
|
||||
|
||||
- name: "Command consul kv get"
|
||||
ansible.builtin.command: "consul kv get foo"
|
||||
environment:
|
||||
CONSUL_HTTP_ADDR: "http://{{ ansible_default_ipv4.address }}:8500"
|
||||
CONSUL_HTTP_TOKEN: "{{ acl_token }}"
|
||||
changed_when: false
|
||||
register: consul_kv_get
|
||||
|
||||
- name: "Command consul kv delete"
|
||||
ansible.builtin.command: "consul kv delete foo"
|
||||
environment:
|
||||
CONSUL_HTTP_ADDR: "http://{{ ansible_default_ipv4.address }}:8500"
|
||||
CONSUL_HTTP_TOKEN: "{{ acl_token }}"
|
||||
changed_when: false
|
||||
register: consul_kv_delete
|
||||
|
||||
- name: "Command consul members"
|
||||
ansible.builtin.command: "consul members"
|
||||
environment:
|
||||
CONSUL_HTTP_ADDR: "http://{{ ansible_default_ipv4.address }}:8500"
|
||||
CONSUL_HTTP_TOKEN: "{{ acl_token }}"
|
||||
changed_when: false
|
||||
register: consul_members
|
||||
|
||||
- name: "Verify consul interaction"
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- "'instance' in consul_members.stdout"
|
||||
- consul_kv_put.stdout == 'Success! Data written to: foo'
|
||||
- consul_kv_get.stdout == 'bar'
|
||||
- consul_kv_delete.stdout == 'Success! Deleted key: foo'
|
10
molecule/hashistack_ca_default/converge.yml
Normal file
10
molecule/hashistack_ca_default/converge.yml
Normal file
@ -0,0 +1,10 @@
|
||||
---
|
||||
- name: Converge
|
||||
hosts: all
|
||||
become: true
|
||||
tasks:
|
||||
- name: "Include ednz_cloud.hashistack.hashistack_ca"
|
||||
ansible.builtin.include_role:
|
||||
name: "ednz_cloud.hashistack.hashistack_ca"
|
||||
apply:
|
||||
delegate_to: localhost
|
111
molecule/hashistack_ca_default/group_vars/all.yml
Normal file
111
molecule/hashistack_ca_default/group_vars/all.yml
Normal file
@ -0,0 +1,111 @@
|
||||
---
|
||||
hashistack_ca_directory: "{{ lookup('env', 'PWD') }}/etc/hashistack/certificates"
|
||||
hashistack_ca_use_cryptography: false
|
||||
hashistack_ca_action: "noop"
|
||||
hashistack_ca_domain: ednz.fr
|
||||
hashistack_ca_directory_owner: "{{ lookup('env', 'USER') }}"
|
||||
|
||||
##############################
|
||||
# Root Certificate Authority #
|
||||
##############################
|
||||
hashistack_ca_root_org_name: EDNZ Cloud
|
||||
hashistack_ca_root_country: FR
|
||||
hashistack_ca_root_locality: Paris
|
||||
hashistack_ca_root_common_name: "{{ hashistack_ca_domain }} Root CA"
|
||||
hashistack_ca_root_email:
|
||||
hashistack_ca_root_key_usage:
|
||||
- keyCertSign
|
||||
- cRLSign
|
||||
hashistack_ca_root_key_usage_critical: true
|
||||
hashistack_ca_root_basic_constraints:
|
||||
- CA:TRUE
|
||||
hashistack_ca_root_basic_constraints_critical: true
|
||||
|
||||
# Optional fields
|
||||
hashistack_ca_root_state_or_province_name:
|
||||
hashistack_ca_root_email_address:
|
||||
|
||||
# Validity
|
||||
hashistack_ca_root_valid_for: 1825d
|
||||
hashistack_ca_root_renew_threshold: 180d
|
||||
|
||||
######################################
|
||||
# Intermediate Certificate Authority #
|
||||
######################################
|
||||
hashistack_ca_intermediate_org_name: EDNZ Cloud Intermediate
|
||||
hashistack_ca_intermediate_country: FR
|
||||
hashistack_ca_intermediate_locality: Paris
|
||||
hashistack_ca_intermediate_common_name: "{{ hashistack_ca_domain }} Intermediate CA"
|
||||
hashistack_ca_intermediate_email:
|
||||
hashistack_ca_intermediate_key_usage:
|
||||
- keyCertSign
|
||||
- cRLSign
|
||||
hashistack_ca_intermediate_key_usage_critical: true
|
||||
hashistack_ca_intermediate_basic_constraints:
|
||||
- CA:TRUE
|
||||
- pathlen:0
|
||||
hashistack_ca_intermediate_basic_constraints_critical: true
|
||||
|
||||
# Optional fields
|
||||
hashistack_ca_intermediate_state_or_province_name:
|
||||
hashistack_ca_intermediate_email_address:
|
||||
|
||||
# Validity
|
||||
hashistack_ca_intermediate_valid_for: 365d
|
||||
hashistack_ca_intermediate_renew_threshold: 90d
|
||||
|
||||
# Name Constraints
|
||||
hashistack_ca_intermediate_name_constraints_permitted:
|
||||
- "DNS:.{{ hashistack_ca_domain }}"
|
||||
- DNS:.nomad
|
||||
- DNS:.consul
|
||||
- DNS:localhost
|
||||
- IP:192.168.0.0/16
|
||||
- IP:172.16.0.0/16
|
||||
- IP:10.0.0.0/8
|
||||
- IP:127.0.0.0/8
|
||||
hashistack_ca_intermediate_name_constraints_critical: "{{ (hashistack_ca_intermediate_name_constraints_permitted is defined and hashistack_ca_intermediate_name_constraints_permitted | length > 0) }}"
|
||||
|
||||
#####################
|
||||
# Leaf certificates #
|
||||
#####################
|
||||
|
||||
hashistack_ca_leaf_valid_for: 90d
|
||||
hashistack_ca_leaf_renew_threshold: 30d
|
||||
|
||||
############################
|
||||
# Consul Leaf Certificates #
|
||||
############################
|
||||
hashistack_ca_consul_org_name: "{{ hashistack_ca_root_org_name }}"
|
||||
hashistack_ca_consul_common_name: "{{ inventory_hostname }}"
|
||||
hashistack_ca_consul_csr_sans:
|
||||
- "DNS:{{ inventory_hostname~'.'~hashistack_ca_domain }}"
|
||||
- "DNS:consul.service.consul"
|
||||
- "DNS:localhost"
|
||||
- "IP:127.0.0.1"
|
||||
|
||||
###########################
|
||||
# Nomad Leaf Certificates #
|
||||
###########################
|
||||
hashistack_ca_nomad_org_name: "{{ hashistack_ca_root_org_name }}"
|
||||
hashistack_ca_nomad_common_name: "{{ inventory_hostname }}"
|
||||
hashistack_ca_nomad_csr_sans:
|
||||
- "DNS:{{ inventory_hostname~'.'~hashistack_ca_domain }}"
|
||||
- DNS:server.global.nomad
|
||||
- DNS:client.global.nomad
|
||||
- "DNS:nomad.service.consul"
|
||||
- "DNS:localhost"
|
||||
- "IP:127.0.0.1"
|
||||
|
||||
###########################
|
||||
# Vault Leaf Certificates #
|
||||
###########################
|
||||
hashistack_ca_vault_org_name: "{{ hashistack_ca_root_org_name }}"
|
||||
hashistack_ca_vault_common_name: "{{ inventory_hostname }}"
|
||||
hashistack_ca_vault_csr_sans:
|
||||
- "DNS:{{ inventory_hostname~'.'~hashistack_ca_domain }}"
|
||||
- "DNS:vault.service.consul"
|
||||
- "DNS:active.vault.service.consul"
|
||||
- "DNS:standby.vault.service.consul"
|
||||
- "DNS:localhost"
|
||||
- "IP:127.0.0.1"
|
65
molecule/hashistack_ca_default/molecule.yml
Normal file
65
molecule/hashistack_ca_default/molecule.yml
Normal file
@ -0,0 +1,65 @@
|
||||
---
|
||||
dependency:
|
||||
name: galaxy
|
||||
options:
|
||||
requirements-file: ./requirements.yml
|
||||
driver:
|
||||
name: docker
|
||||
platforms:
|
||||
- name: consul-vault
|
||||
image: geerlingguy/docker-${MOLECULE_TEST_OS}-ansible
|
||||
command: ""
|
||||
volumes:
|
||||
- /sys/fs/cgroup:/sys/fs/cgroup
|
||||
cgroupns_mode: host
|
||||
privileged: true
|
||||
pre_build_image: true
|
||||
groups:
|
||||
- common
|
||||
- consul_servers
|
||||
- vault_servers
|
||||
- name: vault-nomad
|
||||
image: geerlingguy/docker-${MOLECULE_TEST_OS}-ansible
|
||||
command: ""
|
||||
volumes:
|
||||
- /sys/fs/cgroup:/sys/fs/cgroup
|
||||
cgroupns_mode: host
|
||||
privileged: true
|
||||
pre_build_image: true
|
||||
groups:
|
||||
- common
|
||||
- nomad_clients
|
||||
- vault_servers
|
||||
- name: nomad-consul
|
||||
image: geerlingguy/docker-${MOLECULE_TEST_OS}-ansible
|
||||
command: ""
|
||||
volumes:
|
||||
- /sys/fs/cgroup:/sys/fs/cgroup
|
||||
cgroupns_mode: host
|
||||
privileged: true
|
||||
pre_build_image: true
|
||||
groups:
|
||||
- common
|
||||
- nomad_clients
|
||||
- consul_agents
|
||||
provisioner:
|
||||
name: ansible
|
||||
config_options:
|
||||
defaults:
|
||||
remote_tmp: /tmp/.ansible
|
||||
verifier:
|
||||
name: ansible
|
||||
scenario:
|
||||
name: hashistack_ca_default
|
||||
test_sequence:
|
||||
- dependency
|
||||
- cleanup
|
||||
- destroy
|
||||
- syntax
|
||||
- create
|
||||
- prepare
|
||||
- converge
|
||||
- idempotence
|
||||
- verify
|
||||
- cleanup
|
||||
- destroy
|
13
molecule/hashistack_ca_default/prepare.yml
Normal file
13
molecule/hashistack_ca_default/prepare.yml
Normal file
@ -0,0 +1,13 @@
|
||||
---
|
||||
- name: Prepare
|
||||
hosts: all
|
||||
become: true
|
||||
tasks:
|
||||
- name: "Install pre-required system packages"
|
||||
ansible.builtin.include_role:
|
||||
name: ednz_cloud.manage_apt_packages
|
||||
vars:
|
||||
manage_apt_packages_list:
|
||||
- name: unzip
|
||||
version: latest
|
||||
state: present
|
4
molecule/hashistack_ca_default/requirements.yml
Normal file
4
molecule/hashistack_ca_default/requirements.yml
Normal file
@ -0,0 +1,4 @@
|
||||
---
|
||||
# requirements file for molecule
|
||||
roles:
|
||||
- name: ednz_cloud.manage_apt_packages
|
6
molecule/hashistack_ca_default/verify.yml
Normal file
6
molecule/hashistack_ca_default/verify.yml
Normal file
@ -0,0 +1,6 @@
|
||||
---
|
||||
- name: Verify
|
||||
hosts: all
|
||||
gather_facts: true
|
||||
become: true
|
||||
tasks: []
|
@ -1,4 +1,12 @@
|
||||
---
|
||||
# Molecule specific variables
|
||||
|
||||
hashistack_ca_action: "root_ca,int_ca,leaf_cert,renew_root,"
|
||||
hashistack_ca_directory: "{{ hashistack_sub_configuration_directories['certificates'] }}"
|
||||
hashistack_ca_directory_owner: "{{ lookup('env', 'USER') }}"
|
||||
hashistack_ca_domain: ednz.lab
|
||||
hashistack_ca_intermediate_name_constraints_critical: false
|
||||
|
||||
##########################
|
||||
# General options ########
|
||||
##########################
|
||||
@ -9,7 +17,7 @@
|
||||
# enable_nomad: "yes"
|
||||
|
||||
# haproxy_version: "2.8"
|
||||
# nomad_version: "1.8.1"
|
||||
nomad_version: "1.8.2"
|
||||
# consul_version: "1.18.1"
|
||||
# vault_version: "1.16.2"
|
||||
|
||||
@ -32,6 +40,13 @@ api_interface: "eth1"
|
||||
enable_tls_external: true
|
||||
# external_tls_externally_managed_certs: false
|
||||
|
||||
########################
|
||||
# internal tls options #
|
||||
########################
|
||||
|
||||
enable_tls_internal: true
|
||||
# internal_tls_externally_managed_certs: false
|
||||
|
||||
#####################################################
|
||||
# #
|
||||
# Consul #
|
||||
@ -95,7 +110,7 @@ enable_tls_external: true
|
||||
# consul tls configuration #
|
||||
############################
|
||||
|
||||
consul_enable_tls: true
|
||||
# consul_enable_tls: "{{ enable_tls_internal }}"
|
||||
# consul_tls_configuration:
|
||||
# defaults:
|
||||
# ca_file: "/etc/ssl/certs/ca-certificates.crt"
|
||||
@ -152,7 +167,7 @@ consul_enable_tls: true
|
||||
# vault listener #
|
||||
##################
|
||||
|
||||
vault_enable_tls: true
|
||||
# vault_enable_tls: "{{ enable_tls_internal }}"
|
||||
# vault_tls_verify: false
|
||||
# vault_listener_configuration:
|
||||
# tcp:
|
||||
@ -263,17 +278,17 @@ vault_enable_tls: true
|
||||
# nomad internal tls #
|
||||
######################
|
||||
|
||||
nomad_enable_tls: true
|
||||
nomad_tls_configuration:
|
||||
http: true
|
||||
rpc: true
|
||||
ca_file: "/etc/ssl/certs/ca-certificates.crt"
|
||||
cert_file: "{{ nomad_certificates_directory }}/cert.pem"
|
||||
key_file: "{{ nomad_certificates_directory }}/key.pem"
|
||||
verify_server_hostname: true
|
||||
# nomad_enable_tls: "{{ enable_tls_internal }}"
|
||||
# nomad_tls_configuration:
|
||||
# http: true
|
||||
# rpc: true
|
||||
# ca_file: "/etc/ssl/certs/ca-certificates.crt"
|
||||
# cert_file: "{{ nomad_certificates_directory }}/cert.pem"
|
||||
# key_file: "{{ nomad_certificates_directory }}/key.pem"
|
||||
# verify_server_hostname: true
|
||||
# nomad_certificates_directory: "{{ hashicorp_nomad_config_dir }}/tls"
|
||||
# nomad_certificates_extra_files_dir:
|
||||
# - src: "{{ sub_configuration_directories['certificates'] }}/nomad/{{ inventory_hostname }}"
|
||||
# - src: "{{ hashistack_sub_configuration_directories['certificates'] }}/nomad/{{ inventory_hostname }}"
|
||||
# dest: "{{ nomad_certificates_directory }}"
|
||||
|
||||
#############################
|
||||
|
@ -0,0 +1,8 @@
|
||||
---
|
||||
nomad_client_configuration:
|
||||
enabled: "{{ nomad_enable_client }}"
|
||||
state_dir: "{{ nomad_data_dir }}/client"
|
||||
cni_path: "{{ cni_plugins_install_path | default('/opt/cni/bin') }}"
|
||||
bridge_network_name: nomad
|
||||
bridge_network_subnet: "172.26.64.0/20"
|
||||
node_pool: ingress
|
Binary file not shown.
@ -8,7 +8,7 @@ driver:
|
||||
provider:
|
||||
name: libvirt
|
||||
platforms:
|
||||
- name: proxy01
|
||||
- name: proxy01.ednz.lab
|
||||
box: generic/${MOLECULE_TEST_OS}
|
||||
cpus: 2
|
||||
memory: 2048
|
||||
@ -20,8 +20,9 @@ platforms:
|
||||
groups:
|
||||
- common
|
||||
- haproxy_servers
|
||||
- nomad_clients
|
||||
- consul_agents
|
||||
- name: proxy02
|
||||
- name: proxy02.ednz.lab
|
||||
box: generic/${MOLECULE_TEST_OS}
|
||||
cpus: 2
|
||||
memory: 2048
|
||||
@ -33,8 +34,9 @@ platforms:
|
||||
groups:
|
||||
- common
|
||||
- haproxy_servers
|
||||
- nomad_clients
|
||||
- consul_agents
|
||||
- name: hashistack01
|
||||
- name: hashistack01.ednz.lab
|
||||
box: generic/${MOLECULE_TEST_OS}
|
||||
cpus: 4
|
||||
memory: 2048
|
||||
@ -48,7 +50,7 @@ platforms:
|
||||
- vault_servers
|
||||
- consul_servers
|
||||
- nomad_servers
|
||||
- name: hashistack02
|
||||
- name: hashistack02.ednz.lab
|
||||
box: generic/${MOLECULE_TEST_OS}
|
||||
cpus: 4
|
||||
memory: 2048
|
||||
@ -62,7 +64,7 @@ platforms:
|
||||
- vault_servers
|
||||
- consul_servers
|
||||
- nomad_servers
|
||||
- name: hashistack03
|
||||
- name: hashistack03.ednz.lab
|
||||
box: generic/${MOLECULE_TEST_OS}
|
||||
cpus: 4
|
||||
memory: 2048
|
||||
@ -76,7 +78,7 @@ platforms:
|
||||
- vault_servers
|
||||
- consul_servers
|
||||
- nomad_servers
|
||||
- name: hashistack04
|
||||
- name: hashistack04.ednz.lab
|
||||
box: generic/${MOLECULE_TEST_OS}
|
||||
cpus: 4
|
||||
memory: 2048
|
||||
|
@ -2,9 +2,6 @@
|
||||
- name: Include certificate generation playbook
|
||||
ansible.builtin.import_playbook: ednz_cloud.hashistack.generate_certs.yml
|
||||
|
||||
# - name: Include credentials generation playbook
|
||||
# ansible.builtin.import_playbook: ednz_cloud.hashistack.generate_credentials.yml
|
||||
|
||||
- name: Include bootstrap playbook
|
||||
ansible.builtin.import_playbook: ednz_cloud.hashistack.bootstrap.yml
|
||||
|
||||
|
@ -5,9 +5,6 @@ roles:
|
||||
- name: ednz_cloud.manage_apt_packages
|
||||
- name: ednz_cloud.manage_pip_packages
|
||||
- name: ednz_cloud.install_docker
|
||||
- name: ednz_cloud.docker_systemd_service
|
||||
# - name: ednz_cloud.deploy_haproxy
|
||||
# - name: ednz_cloud.deploy_keepalived
|
||||
|
||||
collections:
|
||||
- name: ednz_cloud.hashistack
|
||||
|
8
molecule/nomad_default/converge.yml
Normal file
8
molecule/nomad_default/converge.yml
Normal file
@ -0,0 +1,8 @@
|
||||
---
|
||||
- name: Converge
|
||||
hosts: all
|
||||
become: true
|
||||
tasks:
|
||||
- name: "Include ednz_cloud.hashistack.nomad"
|
||||
ansible.builtin.include_role:
|
||||
name: "ednz_cloud.hashistack.nomad"
|
37
molecule/nomad_default/molecule.yml
Normal file
37
molecule/nomad_default/molecule.yml
Normal file
@ -0,0 +1,37 @@
|
||||
---
|
||||
dependency:
|
||||
name: galaxy
|
||||
options:
|
||||
requirements-file: ./requirements.yml
|
||||
driver:
|
||||
name: docker
|
||||
platforms:
|
||||
- name: instance
|
||||
image: geerlingguy/docker-${MOLECULE_TEST_OS}-ansible
|
||||
command: ""
|
||||
volumes:
|
||||
- /sys/fs/cgroup:/sys/fs/cgroup
|
||||
cgroupns_mode: host
|
||||
privileged: true
|
||||
pre_build_image: true
|
||||
provisioner:
|
||||
name: ansible
|
||||
config_options:
|
||||
defaults:
|
||||
remote_tmp: /tmp/.ansible
|
||||
verifier:
|
||||
name: ansible
|
||||
scenario:
|
||||
name: nomad_default
|
||||
test_sequence:
|
||||
- dependency
|
||||
- cleanup
|
||||
- destroy
|
||||
- syntax
|
||||
- create
|
||||
- prepare
|
||||
- converge
|
||||
- idempotence
|
||||
- verify
|
||||
- cleanup
|
||||
- destroy
|
13
molecule/nomad_default/prepare.yml
Normal file
13
molecule/nomad_default/prepare.yml
Normal file
@ -0,0 +1,13 @@
|
||||
---
|
||||
- name: Prepare
|
||||
hosts: all
|
||||
become: true
|
||||
tasks:
|
||||
- name: "Install pre-required system packages"
|
||||
ansible.builtin.include_role:
|
||||
name: ednz_cloud.manage_apt_packages
|
||||
vars:
|
||||
manage_apt_packages_list:
|
||||
- name: unzip
|
||||
version: latest
|
||||
state: present
|
5
molecule/nomad_default/requirements.yml
Normal file
5
molecule/nomad_default/requirements.yml
Normal file
@ -0,0 +1,5 @@
|
||||
---
|
||||
# requirements file for molecule
|
||||
roles:
|
||||
- name: ednz_cloud.manage_repositories
|
||||
- name: ednz_cloud.manage_apt_packages
|
170
molecule/nomad_default/verify.yml
Normal file
170
molecule/nomad_default/verify.yml
Normal file
@ -0,0 +1,170 @@
|
||||
---
|
||||
- name: Verify
|
||||
hosts: all
|
||||
gather_facts: true
|
||||
become: true
|
||||
tasks:
|
||||
- name: "Test: nomad user and group"
|
||||
block:
|
||||
- name: "Getent user nomad"
|
||||
ansible.builtin.getent:
|
||||
database: passwd
|
||||
key: nomad
|
||||
register: nomad_user
|
||||
|
||||
- name: "Getent group nomad"
|
||||
ansible.builtin.getent:
|
||||
database: group
|
||||
key: nomad
|
||||
register: nomad_group
|
||||
|
||||
- name: "Verify nomad user and group"
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- not nomad_user.failed
|
||||
- not nomad_group.failed
|
||||
- "'nomad' in nomad_user.ansible_facts.getent_passwd.keys()"
|
||||
- "'/home/nomad' in nomad_user.ansible_facts.getent_passwd['nomad']"
|
||||
- "'/bin/false' in nomad_user.ansible_facts.getent_passwd['nomad']"
|
||||
- "'nomad' in nomad_group.ansible_facts.getent_group.keys()"
|
||||
|
||||
- name: "Test: binary /usr/local/bin/nomad"
|
||||
block:
|
||||
- name: "Stat binary /usr/local/bin/nomad"
|
||||
ansible.builtin.stat:
|
||||
path: "/usr/local/bin/nomad"
|
||||
register: stat_usr_local_bin_nomad
|
||||
|
||||
- name: "Verify binary /usr/local/bin/nomad"
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- stat_usr_local_bin_nomad.stat.exists
|
||||
- stat_usr_local_bin_nomad.stat.isreg
|
||||
- stat_usr_local_bin_nomad.stat.pw_name == 'root'
|
||||
- stat_usr_local_bin_nomad.stat.gr_name == 'root'
|
||||
- stat_usr_local_bin_nomad.stat.mode == '0755'
|
||||
|
||||
- name: "Test: directory /etc/nomad.d"
|
||||
block:
|
||||
- name: "Stat directory /etc/nomad.d"
|
||||
ansible.builtin.stat:
|
||||
path: "/etc/nomad.d"
|
||||
register: stat_etc_nomad_d
|
||||
|
||||
- name: "Stat file /etc/nomad.d/nomad.env"
|
||||
ansible.builtin.stat:
|
||||
path: "/etc/nomad.d/nomad.env"
|
||||
register: stat_etc_nomad_d_nomad_env
|
||||
|
||||
- name: "Stat file /etc/nomad.d/nomad.json"
|
||||
ansible.builtin.stat:
|
||||
path: "/etc/nomad.d/nomad.json"
|
||||
register: stat_etc_nomad_d_nomad_json
|
||||
|
||||
- name: "Slurp file /etc/nomad.d/nomad.json"
|
||||
ansible.builtin.slurp:
|
||||
src: "/etc/nomad.d/nomad.json"
|
||||
register: slurp_etc_nomad_d_nomad_json
|
||||
|
||||
- name: "Verify directory /etc/nomad.d"
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- stat_etc_nomad_d.stat.exists
|
||||
- stat_etc_nomad_d.stat.isdir
|
||||
- stat_etc_nomad_d.stat.pw_name == 'nomad'
|
||||
- stat_etc_nomad_d.stat.gr_name == 'nomad'
|
||||
- stat_etc_nomad_d.stat.mode == '0755'
|
||||
- stat_etc_nomad_d_nomad_env.stat.exists
|
||||
- stat_etc_nomad_d_nomad_env.stat.isreg
|
||||
- stat_etc_nomad_d_nomad_env.stat.pw_name == 'nomad'
|
||||
- stat_etc_nomad_d_nomad_env.stat.gr_name == 'nomad'
|
||||
- stat_etc_nomad_d_nomad_env.stat.mode == '0600'
|
||||
- stat_etc_nomad_d_nomad_json.stat.exists
|
||||
- stat_etc_nomad_d_nomad_json.stat.isreg
|
||||
- stat_etc_nomad_d_nomad_json.stat.pw_name == 'nomad'
|
||||
- stat_etc_nomad_d_nomad_json.stat.gr_name == 'nomad'
|
||||
- stat_etc_nomad_d_nomad_json.stat.mode == '0600'
|
||||
- slurp_etc_nomad_d_nomad_json.content != ''
|
||||
|
||||
- name: "Test: directory /opt/nomad"
|
||||
block:
|
||||
- name: "Stat directory /opt/nomad"
|
||||
ansible.builtin.stat:
|
||||
path: "/opt/nomad"
|
||||
register: stat_opt_nomad
|
||||
|
||||
- name: "Verify directory /opt/nomad"
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- stat_opt_nomad.stat.exists
|
||||
- stat_opt_nomad.stat.isdir
|
||||
- stat_opt_nomad.stat.pw_name == 'nomad'
|
||||
- stat_opt_nomad.stat.gr_name == 'nomad'
|
||||
- stat_opt_nomad.stat.mode == '0755'
|
||||
|
||||
- name: "Test: service nomad"
|
||||
block:
|
||||
- name: "Get service nomad"
|
||||
ansible.builtin.service_facts:
|
||||
|
||||
- name: "Stat file /etc/systemd/system/nomad.service"
|
||||
ansible.builtin.stat:
|
||||
path: "/etc/systemd/system/nomad.service"
|
||||
register: stat_etc_systemd_system_nomad_service
|
||||
|
||||
- name: "Slurp file /etc/systemd/system/nomad.service"
|
||||
ansible.builtin.slurp:
|
||||
src: "/etc/systemd/system/nomad.service"
|
||||
register: slurp_etc_systemd_system_nomad_service
|
||||
|
||||
- name: "Verify service nomad"
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- stat_etc_systemd_system_nomad_service.stat.exists
|
||||
- stat_etc_systemd_system_nomad_service.stat.isreg
|
||||
- stat_etc_systemd_system_nomad_service.stat.pw_name == 'root'
|
||||
- stat_etc_systemd_system_nomad_service.stat.gr_name == 'root'
|
||||
- stat_etc_systemd_system_nomad_service.stat.mode == '0644'
|
||||
- slurp_etc_systemd_system_nomad_service.content != ''
|
||||
- ansible_facts.services['nomad.service'] is defined
|
||||
- ansible_facts.services['nomad.service']['source'] == 'systemd'
|
||||
- ansible_facts.services['nomad.service']['state'] == 'running'
|
||||
- ansible_facts.services['nomad.service']['status'] == 'enabled'
|
||||
|
||||
- name: "Test: interaction nomad"
|
||||
block:
|
||||
- name: "Command nomad var put"
|
||||
ansible.builtin.command: "nomad var put secret/foobar foo=bar"
|
||||
environment:
|
||||
NOMAD_ADDR: "http://{{ ansible_default_ipv4.address }}:4646"
|
||||
changed_when: false
|
||||
register: nomad_var_put
|
||||
|
||||
- name: "Command nomad var get"
|
||||
ansible.builtin.command: "nomad var get secret/foobar"
|
||||
environment:
|
||||
NOMAD_ADDR: "http://{{ ansible_default_ipv4.address }}:4646"
|
||||
changed_when: false
|
||||
register: nomad_var_get
|
||||
|
||||
- name: "Command nomad var purge"
|
||||
ansible.builtin.command: "nomad var purge secret/foobar"
|
||||
environment:
|
||||
NOMAD_ADDR: "http://{{ ansible_default_ipv4.address }}:4646"
|
||||
changed_when: false
|
||||
register: nomad_var_purge
|
||||
|
||||
- name: "Command nomad server members"
|
||||
ansible.builtin.command: "nomad server members"
|
||||
environment:
|
||||
NOMAD_ADDR: "http://{{ ansible_default_ipv4.address }}:4646"
|
||||
changed_when: false
|
||||
register: nomad_server_members
|
||||
|
||||
- name: "Verify nomad interaction"
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- "'instance.global' in nomad_server_members.stdout"
|
||||
- "'\"Items\": {\n \"foo\": \"bar\"\n }' in nomad_var_put.stdout"
|
||||
- "'\"Items\": {\n \"foo\": \"bar\"\n }' in nomad_var_get.stdout"
|
||||
- nomad_var_purge.stdout == 'Successfully purged variable \"secret/foobar\"!'
|
8
molecule/nomad_with_acl_enabled/converge.yml
Normal file
8
molecule/nomad_with_acl_enabled/converge.yml
Normal file
@ -0,0 +1,8 @@
|
||||
---
|
||||
- name: Converge
|
||||
hosts: all
|
||||
become: true
|
||||
tasks:
|
||||
- name: "Include ednz_cloud.hashistack.nomad"
|
||||
ansible.builtin.include_role:
|
||||
name: "ednz_cloud.hashistack.nomad"
|
12
molecule/nomad_with_acl_enabled/group_vars/all.yml
Normal file
12
molecule/nomad_with_acl_enabled/group_vars/all.yml
Normal file
@ -0,0 +1,12 @@
|
||||
---
|
||||
# defaults file for hashicorp_nomad
|
||||
|
||||
#####################
|
||||
# ACL configuration #
|
||||
#####################
|
||||
|
||||
nomad_acl_configuration:
|
||||
enabled: true
|
||||
token_ttl: 30s
|
||||
policy_ttl: 60s
|
||||
role_ttl: 60s
|
37
molecule/nomad_with_acl_enabled/molecule.yml
Normal file
37
molecule/nomad_with_acl_enabled/molecule.yml
Normal file
@ -0,0 +1,37 @@
|
||||
---
|
||||
dependency:
|
||||
name: galaxy
|
||||
options:
|
||||
requirements-file: ./requirements.yml
|
||||
driver:
|
||||
name: docker
|
||||
platforms:
|
||||
- name: instance
|
||||
image: geerlingguy/docker-${MOLECULE_TEST_OS}-ansible
|
||||
command: ""
|
||||
volumes:
|
||||
- /sys/fs/cgroup:/sys/fs/cgroup
|
||||
cgroupns_mode: host
|
||||
privileged: true
|
||||
pre_build_image: true
|
||||
provisioner:
|
||||
name: ansible
|
||||
config_options:
|
||||
defaults:
|
||||
remote_tmp: /tmp/.ansible
|
||||
verifier:
|
||||
name: ansible
|
||||
scenario:
|
||||
name: nomad_with_acl_enabled
|
||||
test_sequence:
|
||||
- dependency
|
||||
- cleanup
|
||||
- destroy
|
||||
- syntax
|
||||
- create
|
||||
- prepare
|
||||
- converge
|
||||
- idempotence
|
||||
- verify
|
||||
- cleanup
|
||||
- destroy
|
13
molecule/nomad_with_acl_enabled/prepare.yml
Normal file
13
molecule/nomad_with_acl_enabled/prepare.yml
Normal file
@ -0,0 +1,13 @@
|
||||
---
|
||||
- name: Prepare
|
||||
hosts: all
|
||||
become: true
|
||||
tasks:
|
||||
- name: "Install pre-required system packages"
|
||||
ansible.builtin.include_role:
|
||||
name: ednz_cloud.manage_apt_packages
|
||||
vars:
|
||||
manage_apt_packages_list:
|
||||
- name: unzip
|
||||
version: latest
|
||||
state: present
|
5
molecule/nomad_with_acl_enabled/requirements.yml
Normal file
5
molecule/nomad_with_acl_enabled/requirements.yml
Normal file
@ -0,0 +1,5 @@
|
||||
---
|
||||
# requirements file for molecule
|
||||
roles:
|
||||
- name: ednz_cloud.manage_repositories
|
||||
- name: ednz_cloud.manage_apt_packages
|
185
molecule/nomad_with_acl_enabled/verify.yml
Normal file
185
molecule/nomad_with_acl_enabled/verify.yml
Normal file
@ -0,0 +1,185 @@
|
||||
---
|
||||
- name: Verify
|
||||
hosts: all
|
||||
gather_facts: true
|
||||
become: true
|
||||
tasks:
|
||||
- name: "Test: nomad user and group"
|
||||
block:
|
||||
- name: "Getent user nomad"
|
||||
ansible.builtin.getent:
|
||||
database: passwd
|
||||
key: nomad
|
||||
register: nomad_user
|
||||
|
||||
- name: "Getent group nomad"
|
||||
ansible.builtin.getent:
|
||||
database: group
|
||||
key: nomad
|
||||
register: nomad_group
|
||||
|
||||
- name: "Verify nomad user and group"
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- not nomad_user.failed
|
||||
- not nomad_group.failed
|
||||
- "'nomad' in nomad_user.ansible_facts.getent_passwd.keys()"
|
||||
- "'/home/nomad' in nomad_user.ansible_facts.getent_passwd['nomad']"
|
||||
- "'/bin/false' in nomad_user.ansible_facts.getent_passwd['nomad']"
|
||||
- "'nomad' in nomad_group.ansible_facts.getent_group.keys()"
|
||||
|
||||
- name: "Test: binary /usr/local/bin/nomad"
|
||||
block:
|
||||
- name: "Stat binary /usr/local/bin/nomad"
|
||||
ansible.builtin.stat:
|
||||
path: "/usr/local/bin/nomad"
|
||||
register: stat_usr_local_bin_nomad
|
||||
|
||||
- name: "Verify binary /usr/local/bin/nomad"
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- stat_usr_local_bin_nomad.stat.exists
|
||||
- stat_usr_local_bin_nomad.stat.isreg
|
||||
- stat_usr_local_bin_nomad.stat.pw_name == 'root'
|
||||
- stat_usr_local_bin_nomad.stat.gr_name == 'root'
|
||||
- stat_usr_local_bin_nomad.stat.mode == '0755'
|
||||
|
||||
- name: "Test: directory /etc/nomad.d"
|
||||
block:
|
||||
- name: "Stat directory /etc/nomad.d"
|
||||
ansible.builtin.stat:
|
||||
path: "/etc/nomad.d"
|
||||
register: stat_etc_nomad_d
|
||||
|
||||
- name: "Stat file /etc/nomad.d/nomad.env"
|
||||
ansible.builtin.stat:
|
||||
path: "/etc/nomad.d/nomad.env"
|
||||
register: stat_etc_nomad_d_nomad_env
|
||||
|
||||
- name: "Stat file /etc/nomad.d/nomad.json"
|
||||
ansible.builtin.stat:
|
||||
path: "/etc/nomad.d/nomad.json"
|
||||
register: stat_etc_nomad_d_nomad_json
|
||||
|
||||
- name: "Slurp file /etc/nomad.d/nomad.json"
|
||||
ansible.builtin.slurp:
|
||||
src: "/etc/nomad.d/nomad.json"
|
||||
register: slurp_etc_nomad_d_nomad_json
|
||||
|
||||
- name: "Verify directory /etc/nomad.d"
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- stat_etc_nomad_d.stat.exists
|
||||
- stat_etc_nomad_d.stat.isdir
|
||||
- stat_etc_nomad_d.stat.pw_name == 'nomad'
|
||||
- stat_etc_nomad_d.stat.gr_name == 'nomad'
|
||||
- stat_etc_nomad_d.stat.mode == '0755'
|
||||
- stat_etc_nomad_d_nomad_env.stat.exists
|
||||
- stat_etc_nomad_d_nomad_env.stat.isreg
|
||||
- stat_etc_nomad_d_nomad_env.stat.pw_name == 'nomad'
|
||||
- stat_etc_nomad_d_nomad_env.stat.gr_name == 'nomad'
|
||||
- stat_etc_nomad_d_nomad_env.stat.mode == '0600'
|
||||
- stat_etc_nomad_d_nomad_json.stat.exists
|
||||
- stat_etc_nomad_d_nomad_json.stat.isreg
|
||||
- stat_etc_nomad_d_nomad_json.stat.pw_name == 'nomad'
|
||||
- stat_etc_nomad_d_nomad_json.stat.gr_name == 'nomad'
|
||||
- stat_etc_nomad_d_nomad_json.stat.mode == '0600'
|
||||
- slurp_etc_nomad_d_nomad_json.content != ''
|
||||
|
||||
- name: "Test: directory /opt/nomad"
|
||||
block:
|
||||
- name: "Stat directory /opt/nomad"
|
||||
ansible.builtin.stat:
|
||||
path: "/opt/nomad"
|
||||
register: stat_opt_nomad
|
||||
|
||||
- name: "Verify directory /opt/nomad"
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- stat_opt_nomad.stat.exists
|
||||
- stat_opt_nomad.stat.isdir
|
||||
- stat_opt_nomad.stat.pw_name == 'nomad'
|
||||
- stat_opt_nomad.stat.gr_name == 'nomad'
|
||||
- stat_opt_nomad.stat.mode == '0755'
|
||||
|
||||
- name: "Test: service nomad"
|
||||
block:
|
||||
- name: "Get service nomad"
|
||||
ansible.builtin.service_facts:
|
||||
|
||||
- name: "Stat file /etc/systemd/system/nomad.service"
|
||||
ansible.builtin.stat:
|
||||
path: "/etc/systemd/system/nomad.service"
|
||||
register: stat_etc_systemd_system_nomad_service
|
||||
|
||||
- name: "Slurp file /etc/systemd/system/nomad.service"
|
||||
ansible.builtin.slurp:
|
||||
src: "/etc/systemd/system/nomad.service"
|
||||
register: slurp_etc_systemd_system_nomad_service
|
||||
|
||||
- name: "Verify service nomad"
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- stat_etc_systemd_system_nomad_service.stat.exists
|
||||
- stat_etc_systemd_system_nomad_service.stat.isreg
|
||||
- stat_etc_systemd_system_nomad_service.stat.pw_name == 'root'
|
||||
- stat_etc_systemd_system_nomad_service.stat.gr_name == 'root'
|
||||
- stat_etc_systemd_system_nomad_service.stat.mode == '0644'
|
||||
- slurp_etc_systemd_system_nomad_service.content != ''
|
||||
- ansible_facts.services['nomad.service'] is defined
|
||||
- ansible_facts.services['nomad.service']['source'] == 'systemd'
|
||||
- ansible_facts.services['nomad.service']['state'] == 'running'
|
||||
- ansible_facts.services['nomad.service']['status'] == 'enabled'
|
||||
|
||||
- name: "Test: bootstrap acl nomad"
|
||||
block:
|
||||
- name: "Command nomad acl bootstrap"
|
||||
ansible.builtin.command: "nomad acl bootstrap -json"
|
||||
environment:
|
||||
NOMAD_ADDR: "http://{{ ansible_default_ipv4.address }}:4646"
|
||||
changed_when: false
|
||||
register: nomad_acl_bootstrap
|
||||
|
||||
- name: "Test: interaction nomad"
|
||||
vars:
|
||||
acl_token: "{{ nomad_acl_bootstrap.stdout|from_json|json_query('SecretID') }}"
|
||||
block:
|
||||
- name: "Command nomad var put"
|
||||
ansible.builtin.command: "nomad var put secret/foobar foo=bar"
|
||||
environment:
|
||||
NOMAD_ADDR: "http://{{ ansible_default_ipv4.address }}:4646"
|
||||
NOMAD_TOKEN: "{{ acl_token }}"
|
||||
changed_when: false
|
||||
register: nomad_var_put
|
||||
|
||||
- name: "Command nomad var get"
|
||||
ansible.builtin.command: "nomad var get secret/foobar"
|
||||
environment:
|
||||
NOMAD_ADDR: "http://{{ ansible_default_ipv4.address }}:4646"
|
||||
NOMAD_TOKEN: "{{ acl_token }}"
|
||||
changed_when: false
|
||||
register: nomad_var_get
|
||||
|
||||
- name: "Command nomad var purge"
|
||||
ansible.builtin.command: "nomad var purge secret/foobar"
|
||||
environment:
|
||||
NOMAD_ADDR: "http://{{ ansible_default_ipv4.address }}:4646"
|
||||
NOMAD_TOKEN: "{{ acl_token }}"
|
||||
changed_when: false
|
||||
register: nomad_var_purge
|
||||
|
||||
- name: "Command nomad server members"
|
||||
ansible.builtin.command: "nomad server members"
|
||||
environment:
|
||||
NOMAD_ADDR: "http://{{ ansible_default_ipv4.address }}:4646"
|
||||
NOMAD_TOKEN: "{{ acl_token }}"
|
||||
changed_when: false
|
||||
register: nomad_server_members
|
||||
|
||||
- name: "Verify nomad interaction"
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- "'instance.global' in nomad_server_members.stdout"
|
||||
- "'\"Items\": {\n \"foo\": \"bar\"\n }' in nomad_var_put.stdout"
|
||||
- "'\"Items\": {\n \"foo\": \"bar\"\n }' in nomad_var_get.stdout"
|
||||
- nomad_var_purge.stdout == 'Successfully purged variable \"secret/foobar\"!'
|
8
molecule/vault_default/converge.yml
Normal file
8
molecule/vault_default/converge.yml
Normal file
@ -0,0 +1,8 @@
|
||||
---
|
||||
- name: Converge
|
||||
hosts: all
|
||||
become: true
|
||||
tasks:
|
||||
- name: "Include ednz_cloud.hashistack.vault"
|
||||
ansible.builtin.include_role:
|
||||
name: "ednz_cloud.hashistack.vault"
|
37
molecule/vault_default/molecule.yml
Normal file
37
molecule/vault_default/molecule.yml
Normal file
@ -0,0 +1,37 @@
|
||||
---
|
||||
dependency:
|
||||
name: galaxy
|
||||
options:
|
||||
requirements-file: ./requirements.yml
|
||||
driver:
|
||||
name: docker
|
||||
platforms:
|
||||
- name: instance
|
||||
image: geerlingguy/docker-${MOLECULE_TEST_OS}-ansible
|
||||
command: ""
|
||||
volumes:
|
||||
- /sys/fs/cgroup:/sys/fs/cgroup
|
||||
cgroupns_mode: host
|
||||
privileged: true
|
||||
pre_build_image: true
|
||||
provisioner:
|
||||
name: ansible
|
||||
config_options:
|
||||
defaults:
|
||||
remote_tmp: /tmp/.ansible
|
||||
verifier:
|
||||
name: ansible
|
||||
scenario:
|
||||
name: vault_default
|
||||
test_sequence:
|
||||
- dependency
|
||||
- cleanup
|
||||
- destroy
|
||||
- syntax
|
||||
- create
|
||||
- prepare
|
||||
- converge
|
||||
- idempotence
|
||||
- verify
|
||||
- cleanup
|
||||
- destroy
|
13
molecule/vault_default/prepare.yml
Normal file
13
molecule/vault_default/prepare.yml
Normal file
@ -0,0 +1,13 @@
|
||||
---
|
||||
- name: Prepare
|
||||
hosts: all
|
||||
become: true
|
||||
tasks:
|
||||
- name: "Install pre-required system packages"
|
||||
ansible.builtin.include_role:
|
||||
name: ednz_cloud.manage_apt_packages
|
||||
vars:
|
||||
manage_apt_packages_list:
|
||||
- name: unzip
|
||||
version: latest
|
||||
state: present
|
4
molecule/vault_default/requirements.yml
Normal file
4
molecule/vault_default/requirements.yml
Normal file
@ -0,0 +1,4 @@
|
||||
---
|
||||
# requirements file for molecule
|
||||
roles:
|
||||
- name: ednz_cloud.manage_apt_packages
|
185
molecule/vault_default/verify.yml
Normal file
185
molecule/vault_default/verify.yml
Normal file
@ -0,0 +1,185 @@
|
||||
---
|
||||
- name: Verify
|
||||
hosts: all
|
||||
gather_facts: true
|
||||
become: true
|
||||
tasks:
|
||||
- name: "Test: vault user and group"
|
||||
block:
|
||||
- name: "Getent user vault"
|
||||
ansible.builtin.getent:
|
||||
database: passwd
|
||||
key: vault
|
||||
register: vault_user
|
||||
|
||||
- name: "Getent group vault"
|
||||
ansible.builtin.getent:
|
||||
database: group
|
||||
key: vault
|
||||
register: vault_group
|
||||
|
||||
- name: "Verify vault user and group"
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- not vault_user.failed
|
||||
- not vault_group.failed
|
||||
- "'vault' in vault_user.ansible_facts.getent_passwd.keys()"
|
||||
- "'/home/vault' in vault_user.ansible_facts.getent_passwd['vault']"
|
||||
- "'/bin/false' in vault_user.ansible_facts.getent_passwd['vault']"
|
||||
- "'vault' in vault_group.ansible_facts.getent_group.keys()"
|
||||
|
||||
- name: "Test: binary /usr/local/bin/vault"
|
||||
block:
|
||||
- name: "Stat binary /usr/local/bin/vault"
|
||||
ansible.builtin.stat:
|
||||
path: "/usr/local/bin/vault"
|
||||
register: stat_usr_local_bin_vault
|
||||
|
||||
- name: "Verify binary /usr/local/bin/vault"
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- stat_usr_local_bin_vault.stat.exists
|
||||
- stat_usr_local_bin_vault.stat.isreg
|
||||
- stat_usr_local_bin_vault.stat.pw_name == 'root'
|
||||
- stat_usr_local_bin_vault.stat.gr_name == 'root'
|
||||
- stat_usr_local_bin_vault.stat.mode == '0755'
|
||||
|
||||
- name: "Test: directory /etc/vault.d"
|
||||
block:
|
||||
- name: "Stat directory /etc/vault.d"
|
||||
ansible.builtin.stat:
|
||||
path: "/etc/vault.d"
|
||||
register: stat_etc_vault_d
|
||||
|
||||
- name: "Stat file /etc/vault.d/vault.env"
|
||||
ansible.builtin.stat:
|
||||
path: "/etc/vault.d/vault.env"
|
||||
register: stat_etc_vault_d_vault_env
|
||||
|
||||
- name: "Stat file /etc/vault.d/vault.json"
|
||||
ansible.builtin.stat:
|
||||
path: "/etc/vault.d/vault.json"
|
||||
register: stat_etc_vault_d_vault_json
|
||||
|
||||
- name: "Slurp file /etc/vault.d/vault.json"
|
||||
ansible.builtin.slurp:
|
||||
src: "/etc/vault.d/vault.json"
|
||||
register: slurp_etc_vault_d_vault_json
|
||||
|
||||
- name: "Verify directory /etc/vault.d"
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- stat_etc_vault_d.stat.exists
|
||||
- stat_etc_vault_d.stat.isdir
|
||||
- stat_etc_vault_d.stat.pw_name == 'vault'
|
||||
- stat_etc_vault_d.stat.gr_name == 'vault'
|
||||
- stat_etc_vault_d.stat.mode == '0755'
|
||||
- stat_etc_vault_d_vault_env.stat.exists
|
||||
- stat_etc_vault_d_vault_env.stat.isreg
|
||||
- stat_etc_vault_d_vault_env.stat.pw_name == 'vault'
|
||||
- stat_etc_vault_d_vault_env.stat.gr_name == 'vault'
|
||||
- stat_etc_vault_d_vault_env.stat.mode == '0600'
|
||||
- stat_etc_vault_d_vault_json.stat.exists
|
||||
- stat_etc_vault_d_vault_json.stat.isreg
|
||||
- stat_etc_vault_d_vault_json.stat.pw_name == 'vault'
|
||||
- stat_etc_vault_d_vault_json.stat.gr_name == 'vault'
|
||||
- stat_etc_vault_d_vault_json.stat.mode == '0600'
|
||||
- slurp_etc_vault_d_vault_json.content != ''
|
||||
|
||||
- name: "Test: directory /opt/vault"
|
||||
block:
|
||||
- name: "Stat directory /opt/vault"
|
||||
ansible.builtin.stat:
|
||||
path: "/opt/vault"
|
||||
register: stat_opt_vault
|
||||
|
||||
- name: "Verify directory /opt/vault"
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- stat_opt_vault.stat.exists
|
||||
- stat_opt_vault.stat.isdir
|
||||
- stat_opt_vault.stat.pw_name == 'vault'
|
||||
- stat_opt_vault.stat.gr_name == 'vault'
|
||||
- stat_opt_vault.stat.mode == '0755'
|
||||
|
||||
- name: "Test: service vault"
|
||||
block:
|
||||
- name: "Get service vault"
|
||||
ansible.builtin.service_facts:
|
||||
|
||||
- name: "Stat file /etc/systemd/system/vault.service"
|
||||
ansible.builtin.stat:
|
||||
path: "/etc/systemd/system/vault.service"
|
||||
register: stat_etc_systemd_system_vault_service
|
||||
|
||||
- name: "Slurp file /etc/systemd/system/vault.service"
|
||||
ansible.builtin.slurp:
|
||||
src: "/etc/systemd/system/vault.service"
|
||||
register: slurp_etc_systemd_system_vault_service
|
||||
|
||||
- name: "Verify service vault"
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- stat_etc_systemd_system_vault_service.stat.exists
|
||||
- stat_etc_systemd_system_vault_service.stat.isreg
|
||||
- stat_etc_systemd_system_vault_service.stat.pw_name == 'root'
|
||||
- stat_etc_systemd_system_vault_service.stat.gr_name == 'root'
|
||||
- stat_etc_systemd_system_vault_service.stat.mode == '0644'
|
||||
- slurp_etc_systemd_system_vault_service.content != ''
|
||||
- ansible_facts.services['vault.service'] is defined
|
||||
- ansible_facts.services['vault.service']['source'] == 'systemd'
|
||||
- ansible_facts.services['vault.service']['state'] == 'running'
|
||||
- ansible_facts.services['vault.service']['status'] == 'enabled'
|
||||
|
||||
- name: "Test: bootstrap vault cluster"
|
||||
block:
|
||||
- name: "Command vault operator init"
|
||||
ansible.builtin.command: "vault operator init -non-interactive -key-shares=3 -key-threshold=2 -format=json"
|
||||
environment:
|
||||
VAULT_ADDR: http://{{ ansible_default_ipv4.address }}:8200
|
||||
changed_when: false
|
||||
register: vault_operator_init
|
||||
|
||||
- name: "Test: unseal vault cluster"
|
||||
vars:
|
||||
vault_unseal_keys: "{{ vault_operator_init.stdout|from_json|json_query('unseal_keys_hex') }}"
|
||||
block:
|
||||
- name: "Command vault operator unseal"
|
||||
ansible.builtin.command: "vault operator unseal -format=json {{ vault_unseal_keys[0] }}"
|
||||
environment:
|
||||
VAULT_ADDR: http://{{ ansible_default_ipv4.address }}:8200
|
||||
changed_when: false
|
||||
register: vault_operator_unseal_0
|
||||
|
||||
- name: "Command vault operator unseal"
|
||||
ansible.builtin.command: "vault operator unseal -format=json {{ vault_unseal_keys[1] }}"
|
||||
environment:
|
||||
VAULT_ADDR: http://{{ ansible_default_ipv4.address }}:8200
|
||||
changed_when: false
|
||||
register: vault_operator_unseal_1
|
||||
|
||||
- name: "Verify vault operator unseal"
|
||||
vars:
|
||||
vault_seal_state_0: "{{ vault_operator_unseal_0.stdout|from_json|json_query('sealed') }}"
|
||||
vault_seal_state_1: "{{ vault_operator_unseal_1.stdout|from_json|json_query('sealed') }}"
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- vault_seal_state_0
|
||||
- not vault_seal_state_1
|
||||
|
||||
- name: "Test: vault interaction"
|
||||
vars:
|
||||
root_token: "{{ vault_operator_init.stdout|from_json|json_query('root_token') }}"
|
||||
block:
|
||||
- name: "Command vault secret enable"
|
||||
ansible.builtin.command: "vault secrets enable -version=1 kv"
|
||||
environment:
|
||||
VAULT_ADDR: http://{{ ansible_default_ipv4.address }}:8200
|
||||
VAULT_TOKEN: "{{ root_token }}"
|
||||
changed_when: false
|
||||
register: vault_secret_enable
|
||||
|
||||
- name: "Verify vault interaction"
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- vault_secret_enable.stdout == 'Success! Enabled the kv secrets engine at: kv/'
|
8
molecule/vault_with_raft_enabled/converge.yml
Normal file
8
molecule/vault_with_raft_enabled/converge.yml
Normal file
@ -0,0 +1,8 @@
|
||||
---
|
||||
- name: Converge
|
||||
hosts: all
|
||||
become: true
|
||||
tasks:
|
||||
- name: "Include ednz_cloud.hashistack.vault"
|
||||
ansible.builtin.include_role:
|
||||
name: "ednz_cloud.hashistack.vault"
|
13
molecule/vault_with_raft_enabled/group_vars/all.yml
Normal file
13
molecule/vault_with_raft_enabled/group_vars/all.yml
Normal file
@ -0,0 +1,13 @@
|
||||
---
|
||||
# defaults file for hashicorp_vault
|
||||
|
||||
#########################
|
||||
# storage configuration #
|
||||
#########################
|
||||
|
||||
vault_storage_configuration:
|
||||
raft:
|
||||
path: "{{ vault_data_dir }}"
|
||||
node_id: "{{ ansible_hostname }}"
|
||||
retry_join:
|
||||
- leader_api_addr: "http://{{ vault_cluster_addr }}:8200"
|
37
molecule/vault_with_raft_enabled/molecule.yml
Normal file
37
molecule/vault_with_raft_enabled/molecule.yml
Normal file
@ -0,0 +1,37 @@
|
||||
---
|
||||
dependency:
|
||||
name: galaxy
|
||||
options:
|
||||
requirements-file: ./requirements.yml
|
||||
driver:
|
||||
name: docker
|
||||
platforms:
|
||||
- name: instance
|
||||
image: geerlingguy/docker-${MOLECULE_TEST_OS}-ansible
|
||||
command: ""
|
||||
volumes:
|
||||
- /sys/fs/cgroup:/sys/fs/cgroup
|
||||
cgroupns_mode: host
|
||||
privileged: true
|
||||
pre_build_image: true
|
||||
provisioner:
|
||||
name: ansible
|
||||
config_options:
|
||||
defaults:
|
||||
remote_tmp: /tmp/.ansible
|
||||
verifier:
|
||||
name: ansible
|
||||
scenario:
|
||||
name: vault_with_raft_enabled
|
||||
test_sequence:
|
||||
- dependency
|
||||
- cleanup
|
||||
- destroy
|
||||
- syntax
|
||||
- create
|
||||
- prepare
|
||||
- converge
|
||||
- idempotence
|
||||
- verify
|
||||
- cleanup
|
||||
- destroy
|
13
molecule/vault_with_raft_enabled/prepare.yml
Normal file
13
molecule/vault_with_raft_enabled/prepare.yml
Normal file
@ -0,0 +1,13 @@
|
||||
---
|
||||
- name: Prepare
|
||||
hosts: all
|
||||
become: true
|
||||
tasks:
|
||||
- name: "Install pre-required system packages"
|
||||
ansible.builtin.include_role:
|
||||
name: ednz_cloud.manage_apt_packages
|
||||
vars:
|
||||
manage_apt_packages_list:
|
||||
- name: unzip
|
||||
version: latest
|
||||
state: present
|
4
molecule/vault_with_raft_enabled/requirements.yml
Normal file
4
molecule/vault_with_raft_enabled/requirements.yml
Normal file
@ -0,0 +1,4 @@
|
||||
---
|
||||
# requirements file for molecule
|
||||
roles:
|
||||
- name: ednz_cloud.manage_apt_packages
|
185
molecule/vault_with_raft_enabled/verify.yml
Normal file
185
molecule/vault_with_raft_enabled/verify.yml
Normal file
@ -0,0 +1,185 @@
|
||||
---
|
||||
- name: Verify
|
||||
hosts: all
|
||||
gather_facts: true
|
||||
become: true
|
||||
tasks:
|
||||
- name: "Test: vault user and group"
|
||||
block:
|
||||
- name: "Getent user vault"
|
||||
ansible.builtin.getent:
|
||||
database: passwd
|
||||
key: vault
|
||||
register: vault_user
|
||||
|
||||
- name: "Getent group vault"
|
||||
ansible.builtin.getent:
|
||||
database: group
|
||||
key: vault
|
||||
register: vault_group
|
||||
|
||||
- name: "Verify vault user and group"
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- not vault_user.failed
|
||||
- not vault_group.failed
|
||||
- "'vault' in vault_user.ansible_facts.getent_passwd.keys()"
|
||||
- "'/home/vault' in vault_user.ansible_facts.getent_passwd['vault']"
|
||||
- "'/bin/false' in vault_user.ansible_facts.getent_passwd['vault']"
|
||||
- "'vault' in vault_group.ansible_facts.getent_group.keys()"
|
||||
|
||||
- name: "Test: binary /usr/local/bin/vault"
|
||||
block:
|
||||
- name: "Stat binary /usr/local/bin/vault"
|
||||
ansible.builtin.stat:
|
||||
path: "/usr/local/bin/vault"
|
||||
register: stat_usr_local_bin_vault
|
||||
|
||||
- name: "Verify binary /usr/local/bin/vault"
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- stat_usr_local_bin_vault.stat.exists
|
||||
- stat_usr_local_bin_vault.stat.isreg
|
||||
- stat_usr_local_bin_vault.stat.pw_name == 'root'
|
||||
- stat_usr_local_bin_vault.stat.gr_name == 'root'
|
||||
- stat_usr_local_bin_vault.stat.mode == '0755'
|
||||
|
||||
- name: "Test: directory /etc/vault.d"
|
||||
block:
|
||||
- name: "Stat directory /etc/vault.d"
|
||||
ansible.builtin.stat:
|
||||
path: "/etc/vault.d"
|
||||
register: stat_etc_vault_d
|
||||
|
||||
- name: "Stat file /etc/vault.d/vault.env"
|
||||
ansible.builtin.stat:
|
||||
path: "/etc/vault.d/vault.env"
|
||||
register: stat_etc_vault_d_vault_env
|
||||
|
||||
- name: "Stat file /etc/vault.d/vault.json"
|
||||
ansible.builtin.stat:
|
||||
path: "/etc/vault.d/vault.json"
|
||||
register: stat_etc_vault_d_vault_json
|
||||
|
||||
- name: "Slurp file /etc/vault.d/vault.json"
|
||||
ansible.builtin.slurp:
|
||||
src: "/etc/vault.d/vault.json"
|
||||
register: slurp_etc_vault_d_vault_json
|
||||
|
||||
- name: "Verify directory /etc/vault.d"
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- stat_etc_vault_d.stat.exists
|
||||
- stat_etc_vault_d.stat.isdir
|
||||
- stat_etc_vault_d.stat.pw_name == 'vault'
|
||||
- stat_etc_vault_d.stat.gr_name == 'vault'
|
||||
- stat_etc_vault_d.stat.mode == '0755'
|
||||
- stat_etc_vault_d_vault_env.stat.exists
|
||||
- stat_etc_vault_d_vault_env.stat.isreg
|
||||
- stat_etc_vault_d_vault_env.stat.pw_name == 'vault'
|
||||
- stat_etc_vault_d_vault_env.stat.gr_name == 'vault'
|
||||
- stat_etc_vault_d_vault_env.stat.mode == '0600'
|
||||
- stat_etc_vault_d_vault_json.stat.exists
|
||||
- stat_etc_vault_d_vault_json.stat.isreg
|
||||
- stat_etc_vault_d_vault_json.stat.pw_name == 'vault'
|
||||
- stat_etc_vault_d_vault_json.stat.gr_name == 'vault'
|
||||
- stat_etc_vault_d_vault_json.stat.mode == '0600'
|
||||
- slurp_etc_vault_d_vault_json.content != ''
|
||||
|
||||
- name: "Test: directory /opt/vault"
|
||||
block:
|
||||
- name: "Stat directory /opt/vault"
|
||||
ansible.builtin.stat:
|
||||
path: "/opt/vault"
|
||||
register: stat_opt_vault
|
||||
|
||||
- name: "Verify directory /opt/vault"
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- stat_opt_vault.stat.exists
|
||||
- stat_opt_vault.stat.isdir
|
||||
- stat_opt_vault.stat.pw_name == 'vault'
|
||||
- stat_opt_vault.stat.gr_name == 'vault'
|
||||
- stat_opt_vault.stat.mode == '0755'
|
||||
|
||||
- name: "Test: service vault"
|
||||
block:
|
||||
- name: "Get service vault"
|
||||
ansible.builtin.service_facts:
|
||||
|
||||
- name: "Stat file /etc/systemd/system/vault.service"
|
||||
ansible.builtin.stat:
|
||||
path: "/etc/systemd/system/vault.service"
|
||||
register: stat_etc_systemd_system_vault_service
|
||||
|
||||
- name: "Slurp file /etc/systemd/system/vault.service"
|
||||
ansible.builtin.slurp:
|
||||
src: "/etc/systemd/system/vault.service"
|
||||
register: slurp_etc_systemd_system_vault_service
|
||||
|
||||
- name: "Verify service vault"
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- stat_etc_systemd_system_vault_service.stat.exists
|
||||
- stat_etc_systemd_system_vault_service.stat.isreg
|
||||
- stat_etc_systemd_system_vault_service.stat.pw_name == 'root'
|
||||
- stat_etc_systemd_system_vault_service.stat.gr_name == 'root'
|
||||
- stat_etc_systemd_system_vault_service.stat.mode == '0644'
|
||||
- slurp_etc_systemd_system_vault_service.content != ''
|
||||
- ansible_facts.services['vault.service'] is defined
|
||||
- ansible_facts.services['vault.service']['source'] == 'systemd'
|
||||
- ansible_facts.services['vault.service']['state'] == 'running'
|
||||
- ansible_facts.services['vault.service']['status'] == 'enabled'
|
||||
|
||||
- name: "Test: bootstrap vault cluster"
|
||||
block:
|
||||
- name: "Command vault operator init"
|
||||
ansible.builtin.command: "vault operator init -non-interactive -key-shares=3 -key-threshold=2 -tls-skip-verify -format=json"
|
||||
environment:
|
||||
VAULT_ADDR: "http://{{ ansible_default_ipv4.address }}:8200"
|
||||
changed_when: false
|
||||
register: vault_operator_init
|
||||
|
||||
- name: "Test: unseal vault cluster"
|
||||
vars:
|
||||
vault_unseal_keys: "{{ vault_operator_init.stdout|from_json|json_query('unseal_keys_hex') }}"
|
||||
block:
|
||||
- name: "Command vault operator unseal"
|
||||
ansible.builtin.command: "vault operator unseal -format=json -tls-skip-verify {{ vault_unseal_keys[0] }}"
|
||||
environment:
|
||||
VAULT_ADDR: "http://{{ ansible_default_ipv4.address }}:8200"
|
||||
changed_when: false
|
||||
register: vault_operator_unseal_0
|
||||
|
||||
- name: "Command vault operator unseal"
|
||||
ansible.builtin.command: "vault operator unseal -format=json -tls-skip-verify {{ vault_unseal_keys[1] }}"
|
||||
environment:
|
||||
VAULT_ADDR: "http://{{ ansible_default_ipv4.address }}:8200"
|
||||
changed_when: false
|
||||
register: vault_operator_unseal_1
|
||||
|
||||
- name: "Verify vault operator unseal"
|
||||
vars:
|
||||
vault_seal_state_0: "{{ vault_operator_unseal_0.stdout|from_json|json_query('sealed') }}"
|
||||
vault_seal_state_1: "{{ vault_operator_unseal_1.stdout|from_json|json_query('sealed') }}"
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- vault_seal_state_0
|
||||
- not vault_seal_state_1
|
||||
|
||||
- name: "Test: vault interaction"
|
||||
vars:
|
||||
root_token: "{{ vault_operator_init.stdout|from_json|json_query('root_token') }}"
|
||||
block:
|
||||
- name: "Command vault secret enable"
|
||||
ansible.builtin.command: "vault secrets enable -version=1 -tls-skip-verify kv"
|
||||
environment:
|
||||
VAULT_ADDR: "http://{{ ansible_default_ipv4.address }}:8200"
|
||||
VAULT_TOKEN: "{{ root_token }}"
|
||||
changed_when: false
|
||||
register: vault_secret_enable
|
||||
|
||||
- name: "Verify vault interaction"
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- vault_secret_enable.stdout == 'Success! Enabled the kv secrets engine at: kv/'
|
@ -1,10 +1,19 @@
|
||||
---
|
||||
# hashistack prepare playbook
|
||||
- name: "Bootstrap"
|
||||
hosts: all
|
||||
hosts: all, !deployment
|
||||
gather_facts: true
|
||||
become: true
|
||||
tasks:
|
||||
- name: "Isntall unzip with package manager"
|
||||
ansible.builtin.include_role:
|
||||
name: ednz_cloud.manage_apt_packages
|
||||
vars:
|
||||
manage_apt_packages_list:
|
||||
- name: unzip
|
||||
version: latest
|
||||
state: present
|
||||
|
||||
- name: "Install hvac library with pip"
|
||||
ansible.builtin.include_role:
|
||||
name: ednz_cloud.manage_pip_packages
|
||||
@ -27,20 +36,6 @@
|
||||
state: present
|
||||
when: "'haproxy_servers' in group_names"
|
||||
|
||||
- name: "Include ednz_cloud.install_docker"
|
||||
ansible.builtin.include_role:
|
||||
name: ednz_cloud.install_docker
|
||||
vars:
|
||||
install_docker_edition: ce
|
||||
install_docker_auto_update: false
|
||||
install_docker_start_service: true
|
||||
install_docker_compose: false
|
||||
install_docker_python_packages: false
|
||||
install_docker_users:
|
||||
- "{{ ansible_user }}"
|
||||
install_docker_daemon_options: {}
|
||||
#! when: "'nomad_agents' in group_names"
|
||||
|
||||
- name: "Ensure /etc/localtime exists"
|
||||
ansible.builtin.file:
|
||||
src: /etc/timezone
|
||||
|
@ -1,68 +1,55 @@
|
||||
---
|
||||
# hashistack deployment playbook
|
||||
- name: "Deploy"
|
||||
hosts: all
|
||||
hosts: "{{ target | default('all, !deployment') }}"
|
||||
strategy: linear
|
||||
gather_facts: true
|
||||
any_errors_fatal: true
|
||||
become: true
|
||||
tasks:
|
||||
- name: "Import variables"
|
||||
ansible.builtin.import_tasks:
|
||||
file: tasks/load_vars.yml
|
||||
ansible.builtin.include_role:
|
||||
name: ednz_cloud.hashistack.hashistack
|
||||
tags:
|
||||
- always
|
||||
|
||||
# Consul nodes deployment
|
||||
- name: "Deploy Consul"
|
||||
tags:
|
||||
- consul
|
||||
when:
|
||||
- enable_consul | bool
|
||||
block:
|
||||
- name: "Deploy Consul Control Plane"
|
||||
ansible.builtin.import_tasks:
|
||||
ansible.builtin.include_tasks:
|
||||
file: tasks/consul/consul_deploy.yml
|
||||
when:
|
||||
- "'consul_servers' in group_names"
|
||||
|
||||
- name: "Deploy Consul Agents"
|
||||
ansible.builtin.include_role:
|
||||
name: ednz_cloud.hashicorp_consul
|
||||
when:
|
||||
- "'consul_agents' in group_names"
|
||||
|
||||
- name: "Deploy Haproxy & Keepalived"
|
||||
ansible.builtin.import_tasks:
|
||||
file: tasks/haproxy/haproxy_deploy.yml
|
||||
when:
|
||||
- enable_haproxy | bool
|
||||
- "'haproxy_servers' in group_names"
|
||||
tags:
|
||||
- haproxy
|
||||
|
||||
# Vault nodes deployment
|
||||
- name: "Deploy Vault"
|
||||
ansible.builtin.import_tasks:
|
||||
file: tasks/vault/vault_deploy.yml
|
||||
when:
|
||||
- enable_vault | bool
|
||||
- "'vault_servers' in group_names"
|
||||
tags:
|
||||
- vault
|
||||
when:
|
||||
- enable_vault | bool
|
||||
ansible.builtin.include_tasks:
|
||||
file: tasks/vault/vault_deploy.yml
|
||||
|
||||
# Nomad nodes deployment
|
||||
- name: "Deploy Nomad"
|
||||
tags:
|
||||
- nomad
|
||||
when:
|
||||
- enable_nomad | bool
|
||||
block:
|
||||
- name: "Deploy Nomad Control Plane"
|
||||
ansible.builtin.import_tasks:
|
||||
ansible.builtin.include_tasks:
|
||||
file: tasks/nomad/nomad_deploy.yml
|
||||
when:
|
||||
- "('nomad_servers' in group_names)"
|
||||
|
||||
- name: "Deploy Nomad Clients"
|
||||
ansible.builtin.include_role:
|
||||
name: ednz_cloud.hashicorp_nomad
|
||||
when:
|
||||
- "('nomad_clients' in group_names)"
|
||||
- "('nomad_servers' not in group_names)"
|
||||
# - fail:
|
||||
# Haproxy nodes deployment
|
||||
# - name: "Deploy Proxies"
|
||||
# tags:
|
||||
# - haproxy
|
||||
# when:
|
||||
# - enable_haproxy | bool
|
||||
# block:
|
||||
# - name: "Deploy Haproxy & Keepalived"
|
||||
# ansible.builtin.import_tasks:
|
||||
# file: tasks/haproxy/haproxy_deploy.yml
|
||||
# when:
|
||||
# - "'haproxy_servers' in group_names"
|
||||
|
@ -1,365 +1,21 @@
|
||||
---
|
||||
# hashistack generate certificates playbook
|
||||
- name: "Generate certificates"
|
||||
hosts: all
|
||||
hosts: all, !deployment
|
||||
strategy: linear
|
||||
gather_facts: true
|
||||
become: true
|
||||
tasks:
|
||||
- name: "Import variables"
|
||||
ansible.builtin.import_tasks:
|
||||
file: tasks/load_vars.yml
|
||||
ansible.builtin.include_role:
|
||||
name: ednz_cloud.hashistack.hashistack
|
||||
tags:
|
||||
- always
|
||||
|
||||
- name: "Create temporary cert directory in {{ sub_configuration_directories['certificates'] }}" # noqa: run-once[task]
|
||||
ansible.builtin.file:
|
||||
path: "{{ sub_configuration_directories['certificates'] }}/external"
|
||||
state: directory
|
||||
owner: "{{ lookup('env', 'USER') }}"
|
||||
group: "{{ lookup('env', 'USER') }}"
|
||||
mode: "0755"
|
||||
- name: "Create Certificate Authority"
|
||||
ansible.builtin.include_role:
|
||||
name: ednz_cloud.hashistack.hashistack_ca
|
||||
apply:
|
||||
delegate_to: localhost
|
||||
run_once: true
|
||||
|
||||
- name: "Generate external certificates" # noqa: run-once[task]
|
||||
delegate_to: localhost
|
||||
run_once: true
|
||||
block:
|
||||
- name: "Create temporary cert directory in {{ sub_configuration_directories['certificates'] }}" # noqa: run-once[task]
|
||||
ansible.builtin.file:
|
||||
path: "{{ sub_configuration_directories['certificates'] }}/external"
|
||||
state: directory
|
||||
owner: "{{ lookup('env', 'USER') }}"
|
||||
group: "{{ lookup('env', 'USER') }}"
|
||||
mode: "0755"
|
||||
|
||||
- name: "Create private keys"
|
||||
community.crypto.openssl_privatekey:
|
||||
path: "{{ sub_configuration_directories['certificates'] }}/external/{{ item.fqdn }}.pem.key"
|
||||
owner: "{{ lookup('env', 'USER') }}"
|
||||
group: "{{ lookup('env', 'USER') }}"
|
||||
loop:
|
||||
- name: nomad
|
||||
fqdn: "{{ nomad_fqdn }}"
|
||||
- name: vault
|
||||
fqdn: "{{ vault_fqdn }}"
|
||||
- name: consul
|
||||
fqdn: "{{ consul_fqdn }}"
|
||||
|
||||
- name: "Create certificate signing request"
|
||||
community.crypto.openssl_csr_pipe:
|
||||
privatekey_path: "{{ sub_configuration_directories['certificates'] }}/external/{{ item.fqdn }}.pem.key"
|
||||
common_name: "{{ item.fqdn }}"
|
||||
organization_name: EDNZ Cloud
|
||||
register: csr
|
||||
loop:
|
||||
- name: nomad
|
||||
fqdn: "{{ nomad_fqdn }}"
|
||||
- name: vault
|
||||
fqdn: "{{ vault_fqdn }}"
|
||||
- name: consul
|
||||
fqdn: "{{ consul_fqdn }}"
|
||||
|
||||
- name: "Create self-signed certificate from CSR"
|
||||
community.crypto.x509_certificate:
|
||||
path: "{{ sub_configuration_directories['certificates'] }}/external/{{ item.item.fqdn }}.pem"
|
||||
csr_content: "{{ item.csr }}"
|
||||
privatekey_path: "{{ sub_configuration_directories['certificates'] }}/external/{{ item.item.fqdn }}.pem.key"
|
||||
provider: selfsigned
|
||||
owner: "{{ lookup('env', 'USER') }}"
|
||||
group: "{{ lookup('env', 'USER') }}"
|
||||
loop: "{{ csr.results }}"
|
||||
|
||||
- name: "Generate internal certificates"
|
||||
tags:
|
||||
- never
|
||||
- internal
|
||||
delegate_to: localhost
|
||||
vars:
|
||||
hashistack_ca_key_path: "{{ sub_configuration_directories['certificates'] }}/ca/ca.key"
|
||||
hashistack_ca_cert_path: "{{ sub_configuration_directories['certificates'] }}/ca/ca.crt"
|
||||
block:
|
||||
- name: "Create internal CA" # noqa: run-once[task]
|
||||
run_once: true
|
||||
block:
|
||||
- name: "Create temporary cert directory in {{ sub_configuration_directories['certificates'] }}" # noqa: run-once[task]
|
||||
ansible.builtin.file:
|
||||
path: "{{ sub_configuration_directories['certificates'] }}/ca"
|
||||
state: directory
|
||||
owner: "{{ lookup('env', 'USER') }}"
|
||||
group: "{{ lookup('env', 'USER') }}"
|
||||
mode: "0755"
|
||||
|
||||
- name: "Create CA private key"
|
||||
community.crypto.openssl_privatekey:
|
||||
path: "{{ hashistack_ca_key_path }}"
|
||||
owner: "{{ lookup('env', 'USER') }}"
|
||||
group: "{{ lookup('env', 'USER') }}"
|
||||
|
||||
- name: "Create CA signing request"
|
||||
community.crypto.openssl_csr_pipe:
|
||||
privatekey_path: "{{ hashistack_ca_key_path }}"
|
||||
common_name: "CA"
|
||||
organization_name: EDNZ Cloud
|
||||
use_common_name_for_san: false
|
||||
basic_constraints:
|
||||
- CA:TRUE
|
||||
basic_constraints_critical: true
|
||||
key_usage:
|
||||
- keyCertSign
|
||||
key_usage_critical: true
|
||||
register: ca_csr
|
||||
|
||||
- name: "Create self-signed CA certificate from CSR"
|
||||
community.crypto.x509_certificate:
|
||||
path: "{{ hashistack_ca_cert_path }}"
|
||||
csr_content: "{{ ca_csr.csr }}"
|
||||
privatekey_path: "{{ hashistack_ca_key_path }}"
|
||||
provider: selfsigned
|
||||
owner: "{{ lookup('env', 'USER') }}"
|
||||
group: "{{ lookup('env', 'USER') }}"
|
||||
|
||||
- name: "Create Vault certificates"
|
||||
when:
|
||||
- "'vault_servers' in group_names"
|
||||
vars:
|
||||
vault_private_key_path: "{{ sub_configuration_directories['certificates'] }}/vault/{{ inventory_hostname }}/key.pem"
|
||||
vault_certificate_path: "{{ sub_configuration_directories['certificates'] }}/vault/{{ inventory_hostname }}/cert.pem"
|
||||
block:
|
||||
- name: "Create temporary cert directory in {{ sub_configuration_directories['certificates'] }}" # noqa: run-once[task]
|
||||
ansible.builtin.file:
|
||||
path: "{{ sub_configuration_directories['certificates'] }}/vault/{{ inventory_hostname }}"
|
||||
state: directory
|
||||
owner: "{{ lookup('env', 'USER') }}"
|
||||
group: "{{ lookup('env', 'USER') }}"
|
||||
mode: "0755"
|
||||
|
||||
- name: "Create Vault certificate keys"
|
||||
community.crypto.openssl_privatekey:
|
||||
path: "{{ vault_private_key_path }}"
|
||||
owner: "{{ lookup('env', 'USER') }}"
|
||||
group: "{{ lookup('env', 'USER') }}"
|
||||
|
||||
- name: "Create CSRs for Vault servers"
|
||||
community.crypto.openssl_csr_pipe:
|
||||
privatekey_path: "{{ vault_private_key_path }}"
|
||||
common_name: "{{ inventory_hostname }}"
|
||||
subject_alt_name:
|
||||
- "DNS:{{ inventory_hostname }}"
|
||||
- "DNS:active.vault.service.consul"
|
||||
- "DNS:standby.vault.service.consul"
|
||||
- "DNS:vault.service.consul"
|
||||
- "DNS:localhost"
|
||||
- "IP:{{ api_interface_address }}"
|
||||
- "IP:127.0.0.1"
|
||||
key_usage_critical: true
|
||||
key_usage:
|
||||
- Digital Signature
|
||||
- Key Encipherment
|
||||
- Key Agreement
|
||||
extended_key_usage:
|
||||
- TLS Web Server Authentication
|
||||
- TLS Web Client Authentication
|
||||
organization_name: EDNZ Cloud
|
||||
use_common_name_for_san: false
|
||||
register: vault_csr
|
||||
|
||||
- name: "Sign certificates with internal CA"
|
||||
community.crypto.x509_certificate:
|
||||
path: "{{ vault_certificate_path }}"
|
||||
csr_content: "{{ vault_csr.csr }}"
|
||||
provider: ownca
|
||||
ownca_path: "{{ hashistack_ca_cert_path }}"
|
||||
ownca_privatekey_path: "{{ hashistack_ca_key_path }}"
|
||||
ownca_not_after: "+365d"
|
||||
ownca_not_before: "-1d"
|
||||
|
||||
- name: "Concatenate CA and Child certificates"
|
||||
block:
|
||||
- name: "Read content of ca.crt"
|
||||
ansible.builtin.slurp:
|
||||
src: "{{ hashistack_ca_cert_path }}"
|
||||
register: ca_crt_content
|
||||
|
||||
- name: "Read content of cert.pem"
|
||||
ansible.builtin.slurp:
|
||||
src: "{{ vault_certificate_path }}"
|
||||
register: cert_pem_content
|
||||
|
||||
- name: "Concatenate certificates"
|
||||
ansible.builtin.copy:
|
||||
content: |
|
||||
{{ cert_pem_content['content'] | b64decode }}{{ ca_crt_content['content'] | b64decode }}
|
||||
dest: "{{ vault_certificate_path }}"
|
||||
owner: "{{ lookup('env', 'USER') }}"
|
||||
group: "{{ lookup('env', 'USER') }}"
|
||||
mode: "0644"
|
||||
|
||||
- name: "Create Consul certificates"
|
||||
when:
|
||||
- "('consul_servers' in group_names) or ('consul_agents' in group_names)"
|
||||
vars:
|
||||
consul_private_key_path: "{{ sub_configuration_directories['certificates'] }}/consul/{{ inventory_hostname }}/key.pem"
|
||||
consul_certificate_path: "{{ sub_configuration_directories['certificates'] }}/consul/{{ inventory_hostname }}/cert.pem"
|
||||
block:
|
||||
- name: "Create temporary cert directory in {{ sub_configuration_directories['certificates'] }}" # noqa: run-once[task]
|
||||
ansible.builtin.file:
|
||||
path: "{{ sub_configuration_directories['certificates'] }}/consul/{{ inventory_hostname }}"
|
||||
state: directory
|
||||
owner: "{{ lookup('env', 'USER') }}"
|
||||
group: "{{ lookup('env', 'USER') }}"
|
||||
mode: "0755"
|
||||
|
||||
- name: "Create Consul certificate keys"
|
||||
community.crypto.openssl_privatekey:
|
||||
path: "{{ consul_private_key_path }}"
|
||||
owner: "{{ lookup('env', 'USER') }}"
|
||||
group: "{{ lookup('env', 'USER') }}"
|
||||
|
||||
- name: "Create CSRs for Consul servers"
|
||||
vars:
|
||||
consul_csr_sans: >-
|
||||
{%- set sans_list = [
|
||||
'DNS:' + inventory_hostname,
|
||||
'DNS:consul.service.consul',
|
||||
'DNS:localhost',
|
||||
'IP:' + api_interface_address,
|
||||
'IP:127.0.0.1'
|
||||
] -%}
|
||||
{%- if hashicorp_consul_configuration.server -%}
|
||||
{%- set _ = sans_list.append('DNS:server.' ~ hashicorp_consul_configuration.datacenter ~ '.' ~ hashicorp_consul_configuration.domain) -%}
|
||||
{%- endif -%}
|
||||
{{ sans_list }}
|
||||
community.crypto.openssl_csr_pipe:
|
||||
privatekey_path: "{{ consul_private_key_path }}"
|
||||
common_name: "{{ inventory_hostname }}"
|
||||
subject_alt_name: "{{ consul_csr_sans }}"
|
||||
key_usage_critical: true
|
||||
key_usage:
|
||||
- Digital Signature
|
||||
- Key Encipherment
|
||||
- Key Agreement
|
||||
extended_key_usage:
|
||||
- TLS Web Server Authentication
|
||||
- TLS Web Client Authentication
|
||||
organization_name: EDNZ Cloud
|
||||
use_common_name_for_san: false
|
||||
register: consul_csr
|
||||
|
||||
- name: "Sign certificates with internal CA"
|
||||
community.crypto.x509_certificate:
|
||||
path: "{{ consul_certificate_path }}"
|
||||
csr_content: "{{ consul_csr.csr }}"
|
||||
provider: ownca
|
||||
ownca_path: "{{ hashistack_ca_cert_path }}"
|
||||
ownca_privatekey_path: "{{ hashistack_ca_key_path }}"
|
||||
ownca_not_after: "+365d"
|
||||
ownca_not_before: "-1d"
|
||||
|
||||
- name: "Concatenate CA and Child certificates"
|
||||
block:
|
||||
- name: "Read content of ca.crt"
|
||||
ansible.builtin.slurp:
|
||||
src: "{{ hashistack_ca_cert_path }}"
|
||||
register: ca_crt_content
|
||||
|
||||
- name: "Read content of cert.pem"
|
||||
ansible.builtin.slurp:
|
||||
src: "{{ consul_certificate_path }}"
|
||||
register: cert_pem_content
|
||||
|
||||
- name: "Concatenate certificates"
|
||||
ansible.builtin.copy:
|
||||
content: |
|
||||
{{ cert_pem_content['content'] | b64decode }}{{ ca_crt_content['content'] | b64decode }}
|
||||
dest: "{{ consul_certificate_path }}"
|
||||
owner: "{{ lookup('env', 'USER') }}"
|
||||
group: "{{ lookup('env', 'USER') }}"
|
||||
mode: "0644"
|
||||
|
||||
- name: "Create Nomad certificates"
|
||||
when:
|
||||
- "('nomad_servers' in group_names) or ('nomad_clients' in group_names)"
|
||||
vars:
|
||||
nomad_private_key_path: "{{ sub_configuration_directories['certificates'] }}/nomad/{{ inventory_hostname }}/key.pem"
|
||||
nomad_certificate_path: "{{ sub_configuration_directories['certificates'] }}/nomad/{{ inventory_hostname }}/cert.pem"
|
||||
block:
|
||||
- name: "Create temporary cert directory in {{ sub_configuration_directories['certificates'] }}" # noqa: run-once[task]
|
||||
ansible.builtin.file:
|
||||
path: "{{ sub_configuration_directories['certificates'] }}/nomad/{{ inventory_hostname }}"
|
||||
state: directory
|
||||
owner: "{{ lookup('env', 'USER') }}"
|
||||
group: "{{ lookup('env', 'USER') }}"
|
||||
mode: "0755"
|
||||
|
||||
- name: "Create Nomad certificate keys"
|
||||
community.crypto.openssl_privatekey:
|
||||
path: "{{ nomad_private_key_path }}"
|
||||
owner: "{{ lookup('env', 'USER') }}"
|
||||
group: "{{ lookup('env', 'USER') }}"
|
||||
|
||||
- name: "Create CSRs for Nomad servers"
|
||||
vars:
|
||||
nomad_csr_sans: >-
|
||||
{%- set sans_list = [
|
||||
'DNS:' + inventory_hostname,
|
||||
'DNS:localhost',
|
||||
'IP:' + api_interface_address,
|
||||
'IP:127.0.0.1'
|
||||
] -%}
|
||||
{%- if hashicorp_nomad_configuration.server.enabled -%}
|
||||
{%- set _ = sans_list.append('DNS:server.' ~ hashicorp_nomad_configuration.region ~ '.nomad') -%}
|
||||
{%- if (enable_consul | bool) -%}
|
||||
{%- set _ = sans_list.append('DNS:nomad.service.consul') -%}
|
||||
{%- endif -%}
|
||||
{%- endif -%}
|
||||
{%- if hashicorp_nomad_configuration.client.enabled -%}
|
||||
{%- set _ = sans_list.append('DNS:client.' ~ hashicorp_nomad_configuration.region ~ '.nomad') -%}
|
||||
{%- endif -%}
|
||||
{{ sans_list }}
|
||||
community.crypto.openssl_csr_pipe:
|
||||
privatekey_path: "{{ nomad_private_key_path }}"
|
||||
common_name: "{{ inventory_hostname }}"
|
||||
subject_alt_name: "{{ nomad_csr_sans }}"
|
||||
key_usage_critical: true
|
||||
key_usage:
|
||||
- Digital Signature
|
||||
- Key Encipherment
|
||||
extended_key_usage:
|
||||
- TLS Web Server Authentication
|
||||
- TLS Web Client Authentication
|
||||
organization_name: EDNZ Cloud
|
||||
use_common_name_for_san: false
|
||||
register: nomad_csr
|
||||
|
||||
- name: "Sign certificates with internal CA"
|
||||
community.crypto.x509_certificate:
|
||||
path: "{{ nomad_certificate_path }}"
|
||||
csr_content: "{{ nomad_csr.csr }}"
|
||||
provider: ownca
|
||||
ownca_path: "{{ hashistack_ca_cert_path }}"
|
||||
ownca_privatekey_path: "{{ hashistack_ca_key_path }}"
|
||||
ownca_not_after: "+365d"
|
||||
ownca_not_before: "-1d"
|
||||
|
||||
- name: "Concatenate CA and Child certificates"
|
||||
block:
|
||||
- name: "Read content of ca.crt"
|
||||
ansible.builtin.slurp:
|
||||
src: "{{ hashistack_ca_cert_path }}"
|
||||
register: ca_crt_content
|
||||
|
||||
- name: "Read content of cert.pem"
|
||||
ansible.builtin.slurp:
|
||||
src: "{{ nomad_certificate_path }}"
|
||||
register: cert_pem_content
|
||||
|
||||
- name: "Concatenate certificates"
|
||||
ansible.builtin.copy:
|
||||
content: |
|
||||
{{ cert_pem_content['content'] | b64decode }}{{ ca_crt_content['content'] | b64decode }}
|
||||
dest: "{{ nomad_certificate_path }}"
|
||||
owner: "{{ lookup('env', 'USER') }}"
|
||||
group: "{{ lookup('env', 'USER') }}"
|
||||
mode: "0644"
|
||||
- always
|
||||
|
@ -1,16 +1,27 @@
|
||||
---
|
||||
# hashistack generate certificates playbook
|
||||
- name: "Generate credentials"
|
||||
hosts: localhost
|
||||
hosts: deployment
|
||||
strategy: linear
|
||||
gather_facts: true
|
||||
become: true
|
||||
tasks:
|
||||
- name: "Generate consul credentials"
|
||||
block:
|
||||
- name: "Generate consul gossip encryption key"
|
||||
block:
|
||||
- name: "Generate 24 random bytes and base64 encode"
|
||||
ansible.builtin.shell:
|
||||
cmd: |
|
||||
set -o pipefail
|
||||
dd if=/dev/urandom bs=24 count=1 2>/dev/null | base64
|
||||
executable: /bin/bash
|
||||
changed_when: false
|
||||
register: _consul_random_base64_string
|
||||
|
||||
- name: "Generate consul gossip encryption key"
|
||||
ansible.builtin.set_fact:
|
||||
_consul_gossip_encryption_key: "{{ lookup('ansible.builtin.password', '/dev/null', chars=['ascii_letters','digits']) | b64encode }}"
|
||||
_consul_gossip_encryption_key: "{{ _consul_random_base64_string.stdout }}"
|
||||
|
||||
- name: "Generate consul root credentials"
|
||||
ansible.builtin.set_fact:
|
||||
@ -38,9 +49,20 @@
|
||||
|
||||
- name: "Generate nomad credentials"
|
||||
block:
|
||||
- name: "Generate nomad gossip encryption key"
|
||||
block:
|
||||
- name: "Generate 24 random bytes and base64 encode"
|
||||
ansible.builtin.shell:
|
||||
cmd: |
|
||||
set -o pipefail
|
||||
dd if=/dev/urandom bs=24 count=1 2>/dev/null | base64
|
||||
executable: /bin/bash
|
||||
changed_when: false
|
||||
register: _nomad_random_base64_string
|
||||
|
||||
- name: "Generate nomad gossip encryption key"
|
||||
ansible.builtin.set_fact:
|
||||
_nomad_gossip_encryption_key: "{{ lookup('ansible.builtin.password', '/dev/null', chars=['ascii_letters','digits']) | b64encode }}"
|
||||
_nomad_gossip_encryption_key: "{{ _nomad_random_base64_string.stdout }}"
|
||||
|
||||
- name: "Generate nomad root credentials"
|
||||
ansible.builtin.set_fact:
|
||||
@ -48,7 +70,7 @@
|
||||
|
||||
- name: "Ensure secrets directory is created"
|
||||
ansible.builtin.file:
|
||||
path: "{{ sub_configuration_directories['secrets'] }}"
|
||||
path: "{{ hashistack_sub_configuration_directories['secrets'] }}"
|
||||
state: directory
|
||||
owner: "{{ lookup('env', 'USER') }}"
|
||||
group: "{{ lookup('env', 'USER') }}"
|
||||
@ -57,7 +79,7 @@
|
||||
- name: "Write credentials file"
|
||||
ansible.builtin.template:
|
||||
src: templates/credentials.yml.j2
|
||||
dest: "{{ sub_configuration_directories['secrets'] }}/{{ configuration_credentials_vars_file }}"
|
||||
dest: "{{ hashistack_sub_configuration_directories['secrets'] }}/{{ hashistack_configuration_credentials_vars_file }}"
|
||||
owner: "{{ lookup('env', 'USER') }}"
|
||||
group: "{{ lookup('env', 'USER') }}"
|
||||
mode: '0644'
|
||||
|
@ -5,24 +5,19 @@
|
||||
|
||||
manage_pip_packages_allow_break_system_packages: "{{ ansible_distribution == 'Debian' and ansible_distribution_version == '12' }}"
|
||||
|
||||
configuration_directory: "{{ lookup('env', 'PWD') }}/etc/hashistack"
|
||||
sub_configuration_directories:
|
||||
secrets: "{{ configuration_directory }}/secrets"
|
||||
certificates: "{{ configuration_directory }}/certificates"
|
||||
nomad_servers: "{{ configuration_directory }}/nomad_servers"
|
||||
vault_servers: "{{ configuration_directory }}/vault_servers"
|
||||
consul_servers: "{{ configuration_directory }}/consul_servers"
|
||||
hashistack_configuration_directory: "{{ lookup('env', 'PWD') }}/etc/hashistack"
|
||||
hashistack_sub_configuration_directories:
|
||||
secrets: "{{ hashistack_configuration_directory }}/secrets"
|
||||
certificates: "{{ hashistack_configuration_directory }}/certificates"
|
||||
nomad_servers: "{{ hashistack_configuration_directory }}/nomad_servers"
|
||||
vault_servers: "{{ hashistack_configuration_directory }}/vault_servers"
|
||||
consul_servers: "{{ hashistack_configuration_directory }}/consul_servers"
|
||||
|
||||
configuration_global_vars_file: "globals.yml"
|
||||
configuration_credentials_vars_file: "credentials.yml"
|
||||
hashistack_configuration_global_vars_file: "globals.yml"
|
||||
hashistack_configuration_credentials_vars_file: "credentials.yml"
|
||||
|
||||
hashistack_remote_config_dir: "/etc/hashistack"
|
||||
hashistack_remote_data_dir: "/opt/hashistack"
|
||||
|
||||
default_container_extra_volumes:
|
||||
- "/etc/timezone:/etc/timezone"
|
||||
- "/etc/localtime:/etc/localtime"
|
||||
- "/etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt:ro"
|
||||
hashistack_remote_log_dir: "/var/log/hashistack"
|
||||
|
||||
###################
|
||||
# support options #
|
||||
@ -44,4 +39,6 @@ preflight_enable_host_ntp_checks: true
|
||||
haproxy_required_ports: [80, 443]
|
||||
vault_required_ports: [8200, 8201]
|
||||
consul_required_ports: [8300, 8301, 8302, 8500, 8501, 8502, 8503, 8600]
|
||||
nomad_required_ports: []
|
||||
nomad_required_ports: [4646, 4647, 4648]
|
||||
|
||||
target: all, !deployment
|
||||
|
4
playbooks/group_vars/all/cni.yml
Normal file
4
playbooks/group_vars/all/cni.yml
Normal file
@ -0,0 +1,4 @@
|
||||
---
|
||||
cni_plugins_version: "v1.5.1"
|
||||
cni_plugins_install_path: /opt/cni/bin
|
||||
cni_plugins_install_consul_cni: true
|
@ -1,9 +1,5 @@
|
||||
---
|
||||
#####################################################
|
||||
# #
|
||||
# Non-Editable #
|
||||
# #
|
||||
#####################################################
|
||||
consul_init_server: "{{ (inventory_hostname == groups['consul_servers'][0]) | bool }}"
|
||||
|
||||
#####################
|
||||
# consul api config #
|
||||
@ -14,36 +10,106 @@ consul_api_scheme: "{{ 'https' if consul_enable_tls else 'http' }}"
|
||||
consul_api_port:
|
||||
http: 8500
|
||||
https: 8501
|
||||
consul_grpc_port:
|
||||
http: 8502
|
||||
https: 8503
|
||||
|
||||
##########################
|
||||
# consul haproxy backend #
|
||||
##########################
|
||||
##########
|
||||
# Consul #
|
||||
##########
|
||||
|
||||
consul_haproxy_frontend_options:
|
||||
- acl is_consul hdr(host) -i {{ consul_fqdn }}
|
||||
- use_backend consul_external if is_consul
|
||||
consul_config_dir: "{{ hashistack_remote_config_dir }}/consul.d"
|
||||
consul_data_dir: "/opt/consul"
|
||||
consul_certs_dir: "{{ consul_config_dir }}/tls"
|
||||
consul_logs_dir: "{{ hashistack_remote_log_dir }}/consul"
|
||||
|
||||
consul_haproxy_backends:
|
||||
- name: consul_external
|
||||
options: "{{ consul_external_backend_options + consul_external_backend_servers }}"
|
||||
consul_envoy_install: false
|
||||
consul_envoy_version: latest
|
||||
|
||||
consul_external_backend_options:
|
||||
- description consul external http backend
|
||||
- option forwardfor
|
||||
- option httpchk
|
||||
- http-check send meth GET uri /
|
||||
- default-server inter 2s fastinter 1s downinter 1s
|
||||
consul_extra_files: true
|
||||
# consul_extra_files_list: []
|
||||
|
||||
consul_external_backend_servers: |
|
||||
[
|
||||
{% for host in groups['consul_servers'] %}
|
||||
'server consul-{{ hostvars[host].api_interface_address }} {{ hostvars[host].api_interface_address }}:{{ hostvars[host].consul_api_port[consul_api_scheme] }} check {{ 'ssl verify none ' if consul_enable_tls }}inter 5s'{% if not loop.last %},{% endif %}
|
||||
{% endfor %}
|
||||
]
|
||||
consul_env_variables: {}
|
||||
|
||||
############################
|
||||
# consul ACL configuration #
|
||||
############################
|
||||
#######################
|
||||
# extra configuration #
|
||||
#######################
|
||||
|
||||
# You should prioritize adding configuration
|
||||
# to the configuration entries below, this
|
||||
# option should be used to add pieces of configuration not
|
||||
# available through standard variables.
|
||||
|
||||
# consul_extra_configuration: {}
|
||||
|
||||
###########
|
||||
# general #
|
||||
###########
|
||||
|
||||
# consul_domain: consul
|
||||
# consul_datacenter: dc1
|
||||
# consul_primary_datacenter: "{{ consul_datacenter }}"
|
||||
# consul_gossip_encryption_key: "{{ _credentials.consul.gossip_encryption_key }}"
|
||||
# consul_enable_script_checks: false
|
||||
|
||||
#######################
|
||||
# leave configuration #
|
||||
#######################
|
||||
|
||||
consul_leave_on_terminate: true
|
||||
consul_rejoin_after_leave: true
|
||||
|
||||
######################
|
||||
# join configuration #
|
||||
######################
|
||||
|
||||
consul_join_configuration:
|
||||
retry_join: |
|
||||
{{
|
||||
groups['consul_servers'] |
|
||||
map('extract', hostvars, ['consul_address_configuration', 'bind_addr']) |
|
||||
list |
|
||||
to_json |
|
||||
from_json
|
||||
}}
|
||||
retry_interval: 30s
|
||||
retry_max: 0
|
||||
|
||||
########################
|
||||
# server configuration #
|
||||
########################
|
||||
|
||||
consul_enable_server: "{{ 'consul_servers' in group_names }}"
|
||||
consul_bootstrap_expect: "{{ (groups['consul_servers'] | length) }}"
|
||||
|
||||
####################
|
||||
# ui configuration #
|
||||
####################
|
||||
|
||||
consul_ui_configuration:
|
||||
enabled: "{{ consul_enable_server }}"
|
||||
|
||||
#########################
|
||||
# address configuration #
|
||||
#########################
|
||||
|
||||
consul_bind_addr: "0.0.0.0"
|
||||
consul_advertise_addr: "{{ api_interface_address }}"
|
||||
consul_address_configuration:
|
||||
client_addr: "{{ consul_bind_addr }}"
|
||||
bind_addr: "{{ consul_advertise_addr }}"
|
||||
advertise_addr: "{{ consul_advertise_addr }}"
|
||||
|
||||
#####################
|
||||
# ACL configuration #
|
||||
#####################
|
||||
|
||||
consul_acl_configuration:
|
||||
enabled: true
|
||||
default_policy: "deny"
|
||||
enable_token_persistence: true
|
||||
tokens:
|
||||
agent: "{{ _credentials.consul.tokens.agent.secret_id }}"
|
||||
|
||||
consul_default_agent_policy: |
|
||||
node_prefix "" {
|
||||
@ -53,73 +119,61 @@ consul_default_agent_policy: |
|
||||
policy = "read"
|
||||
}
|
||||
|
||||
#######################
|
||||
# consul internal tls #
|
||||
#######################
|
||||
##############################
|
||||
# service mesh configuration #
|
||||
##############################
|
||||
|
||||
consul_certificates_directory: "{{ hashicorp_consul_config_dir }}/tls"
|
||||
consul_certificates_extra_files_dir:
|
||||
- src: "{{ sub_configuration_directories['certificates'] }}/consul/{{ inventory_hostname }}"
|
||||
dest: "{{ consul_certificates_directory }}"
|
||||
consul_mesh_configuration:
|
||||
enabled: true
|
||||
|
||||
#########################
|
||||
# consul role variables #
|
||||
#########################
|
||||
#####################
|
||||
# DNS configuration #
|
||||
#####################
|
||||
|
||||
hashicorp_consul_start_service: true
|
||||
hashicorp_consul_service_name: "consul"
|
||||
hashicorp_consul_version: "{{ consul_version }}"
|
||||
hashicorp_consul_env_variables: {}
|
||||
hashicorp_consul_config_dir: "/etc/consul.d"
|
||||
hashicorp_consul_data_dir: "/opt/consul"
|
||||
hashicorp_consul_extra_files: true
|
||||
hashicorp_consul_extra_files_list: "{{ ([] +
|
||||
(consul_certificates_extra_files_dir if consul_enable_tls else []) +
|
||||
consul_extra_files_list)
|
||||
| unique
|
||||
| sort
|
||||
}}"
|
||||
hashicorp_consul_envoy_install: false
|
||||
hashicorp_consul_envoy_version: v1.27.2
|
||||
hashicorp_consul_configuration:
|
||||
domain: "{{ consul_domain }}"
|
||||
datacenter: "{{ consul_datacenter }}"
|
||||
primary_datacenter: "{{ consul_primary_datacenter }}"
|
||||
data_dir: "{{ hashicorp_consul_data_dir }}"
|
||||
encrypt: "{{ _credentials.consul.gossip_encryption_key }}"
|
||||
server: "{{ 'consul_servers' in group_names }}"
|
||||
retry_join: "{{
|
||||
groups['consul_servers'] |
|
||||
map('extract', hostvars, ['consul_address_configuration', 'bind_addr']) |
|
||||
list |
|
||||
to_json |
|
||||
from_json
|
||||
}}"
|
||||
ui_config: "{{ consul_ui_configuration }}"
|
||||
connect: "{{ consul_mesh_configuration }}"
|
||||
leave_on_terminate: "{{ consul_leave_on_terminate }}"
|
||||
rejoin_after_leave: "{{ consul_rejoin_after_leave }}"
|
||||
enable_script_checks: "{{ consul_enable_script_checks }}"
|
||||
enable_syslog: true
|
||||
acl: "{{ consul_acl_configuration }}"
|
||||
dns_config: "{{ consul_dns_configuration }}"
|
||||
ports:
|
||||
dns: 8600
|
||||
server: 8300
|
||||
serf_lan: 8301
|
||||
serf_wan: 8302
|
||||
sidecar_min_port: 21000
|
||||
sidecar_max_port: 21255
|
||||
expose_min_port: 21500
|
||||
expose_max_port: 21755
|
||||
consul_dns_configuration:
|
||||
allow_stale: true
|
||||
enable_truncate: true
|
||||
only_passing: true
|
||||
|
||||
# this is used to circumvent jinja limitation to convert string to integer
|
||||
hashicorp_consul_configuration_string: |
|
||||
ports:
|
||||
http: {{ (consul_api_port.http|int) if not consul_enable_tls else ('-1' | int) }}
|
||||
https: {{ (consul_api_port.https|int) if consul_enable_tls else ('-1' | int) }}
|
||||
grpc: {{ ('8502'|int) if not consul_enable_tls else ('-1' | int) }}
|
||||
grpc_tls: {{ ('8503'|int) if consul_enable_tls else ('-1' | int) }}
|
||||
################
|
||||
# internal tls #
|
||||
################
|
||||
|
||||
hashicorp_consul_servers_configuration_string: |
|
||||
bootstrap_expect: {{ (groups['consul_servers'] | length) }}
|
||||
# consul_enable_tls: false
|
||||
consul_tls_configuration:
|
||||
defaults:
|
||||
ca_file: "/etc/ssl/certs/ca-certificates.crt"
|
||||
cert_file: "{{ consul_certs_dir }}/fullchain.crt"
|
||||
key_file: "{{ consul_certs_dir }}/cert.key"
|
||||
verify_incoming: false
|
||||
verify_outgoing: true
|
||||
internal_rpc:
|
||||
verify_server_hostname: true
|
||||
|
||||
consul_certificates_extra_files_dir: >
|
||||
{{
|
||||
[] if external_tls_externally_managed_certs | bool else
|
||||
[{
|
||||
'src': "{{ hashistack_sub_configuration_directories['certificates'] }}/consul/{{ inventory_hostname }}",
|
||||
'dest': "{{ consul_certs_dir }}"
|
||||
}]
|
||||
}}
|
||||
|
||||
###########################
|
||||
# telemetry configuration #
|
||||
###########################
|
||||
|
||||
consul_enable_prometheus_metrics: false
|
||||
consul_prometheus_retention_time: 60s
|
||||
consul_telemetry_configuration: {}
|
||||
|
||||
###########
|
||||
# logging #
|
||||
###########
|
||||
|
||||
# consul_log_level: info
|
||||
consul_enable_log_to_file: "{{ enable_log_to_file | bool }}"
|
||||
consul_log_to_file_configuration:
|
||||
log_file: "{{ consul_logs_dir }}/consul.log"
|
||||
log_rotate_duration: 24h
|
||||
log_rotate_max_files: 30
|
||||
|
@ -1,14 +1,13 @@
|
||||
---
|
||||
##########################
|
||||
# General options ########
|
||||
##########################
|
||||
###################
|
||||
# General options #
|
||||
###################
|
||||
|
||||
enable_haproxy: "yes"
|
||||
enable_ingress: "yes"
|
||||
enable_vault: "yes"
|
||||
enable_consul: "yes"
|
||||
enable_nomad: "yes"
|
||||
|
||||
haproxy_version: "2.8"
|
||||
nomad_version: "1.8.1"
|
||||
consul_version: "1.18.1"
|
||||
vault_version: "1.16.2"
|
||||
@ -17,14 +16,20 @@ consul_fqdn: consul.ednz.lab
|
||||
vault_fqdn: vault.ednz.lab
|
||||
nomad_fqdn: nomad.ednz.lab
|
||||
|
||||
hashistack_external_vip_interface: "eth0"
|
||||
hashistack_external_vip_addr: "192.168.121.100"
|
||||
hashistack_internal_vip_interface: "{{ hashistack_external_vip_interface }}"
|
||||
hashistack_internal_vip_addr: "{{ hashistack_external_vip_addr }}"
|
||||
# hashistack_external_vip_interface: "eth0"
|
||||
# hashistack_external_vip_addr: "192.168.121.100"
|
||||
# hashistack_internal_vip_interface: "{{ hashistack_external_vip_interface }}"
|
||||
# hashistack_internal_vip_addr: "{{ hashistack_external_vip_addr }}"
|
||||
|
||||
api_interface: "eth0"
|
||||
api_interface_address: "{{ ansible_facts[api_interface]['ipv4']['address'] }}"
|
||||
|
||||
###################
|
||||
# logging options #
|
||||
###################
|
||||
|
||||
enable_log_to_file: true
|
||||
|
||||
########################
|
||||
# external tls options #
|
||||
########################
|
||||
@ -32,248 +37,72 @@ api_interface_address: "{{ ansible_facts[api_interface]['ipv4']['address'] }}"
|
||||
enable_tls_external: false
|
||||
external_tls_externally_managed_certs: false
|
||||
|
||||
#####################################################
|
||||
# #
|
||||
########################
|
||||
# internal tls options #
|
||||
########################
|
||||
|
||||
enable_tls_internal: false
|
||||
internal_tls_externally_managed_certs: false
|
||||
|
||||
##########
|
||||
# Consul #
|
||||
# #
|
||||
#####################################################
|
||||
##########
|
||||
|
||||
consul_domain: consul
|
||||
consul_datacenter: dc1
|
||||
consul_primary_datacenter: dc1
|
||||
consul_leave_on_terminate: true
|
||||
consul_rejoin_after_leave: true
|
||||
consul_enable_script_checks: true
|
||||
consul_primary_datacenter: "{{ consul_datacenter }}"
|
||||
consul_gossip_encryption_key: "{{ _credentials.consul.gossip_encryption_key }}"
|
||||
consul_enable_script_checks: false
|
||||
|
||||
################################
|
||||
# consul address configuration #
|
||||
################################
|
||||
|
||||
consul_address_configuration:
|
||||
# The address to which Consul will bind client interfaces,
|
||||
# including the HTTP and DNS servers.
|
||||
client_addr: "0.0.0.0"
|
||||
# The address that should be bound to for internal cluster communications.
|
||||
bind_addr: "{{ api_interface_address }}"
|
||||
# The advertise address is used to change the address that we advertise to other nodes in the cluster.
|
||||
advertise_addr: "{{ api_interface_address }}"
|
||||
|
||||
############################
|
||||
# consul ACL configuration #
|
||||
############################
|
||||
|
||||
consul_acl_configuration:
|
||||
enabled: true
|
||||
default_policy: "deny" # can be allow or deny
|
||||
enable_token_persistence: true
|
||||
|
||||
############################
|
||||
# consul DNS configuration #
|
||||
############################
|
||||
|
||||
consul_dns_configuration:
|
||||
allow_stale: true
|
||||
enable_truncate: true
|
||||
only_passing: true
|
||||
|
||||
###########################
|
||||
# consul ui configuration #
|
||||
###########################
|
||||
|
||||
consul_ui_configuration:
|
||||
enabled: "{{ 'consul_servers' in group_names }}"
|
||||
|
||||
#####################################
|
||||
# consul service mesh configuration #
|
||||
#####################################
|
||||
|
||||
consul_mesh_configuration:
|
||||
enabled: true
|
||||
|
||||
############################
|
||||
# consul tls configuration #
|
||||
############################
|
||||
|
||||
consul_enable_tls: false
|
||||
consul_tls_configuration:
|
||||
defaults:
|
||||
ca_file: "/etc/ssl/certs/ca-certificates.crt"
|
||||
cert_file: "{{ consul_certificates_directory }}/cert.pem"
|
||||
key_file: "{{ consul_certificates_directory }}/key.pem"
|
||||
verify_incoming: false
|
||||
verify_outgoing: true
|
||||
internal_rpc:
|
||||
verify_server_hostname: true
|
||||
|
||||
############################
|
||||
# consul container volumes #
|
||||
############################
|
||||
|
||||
extra_consul_container_volumes: []
|
||||
|
||||
##############################
|
||||
# consul extra configuration #
|
||||
##############################
|
||||
|
||||
consul_extra_configuration: {}
|
||||
consul_extra_files_list: []
|
||||
consul_extra_configuration: {}
|
||||
|
||||
#####################################################
|
||||
# #
|
||||
consul_enable_tls: "{{ enable_tls_internal }}"
|
||||
|
||||
consul_log_level: info
|
||||
|
||||
#########
|
||||
# Vault #
|
||||
# #
|
||||
#####################################################
|
||||
#########
|
||||
|
||||
vault_cluster_name: vault
|
||||
vault_bind_addr: "0.0.0.0"
|
||||
vault_cluster_addr: "{{ api_interface_address }}"
|
||||
vault_enable_ui: true
|
||||
vault_seal_configuration:
|
||||
key_shares: 3
|
||||
key_threshold: 2
|
||||
vault_disable_mlock: false
|
||||
vault_disable_cache: false
|
||||
|
||||
#################
|
||||
# vault storage #
|
||||
#################
|
||||
vault_extra_files_list: []
|
||||
vault_extra_configuration: {}
|
||||
|
||||
vault_storage_configuration:
|
||||
raft:
|
||||
path: "{{ hashicorp_vault_data_dir }}"
|
||||
node_id: "{{ ansible_hostname }}"
|
||||
retry_join: |
|
||||
[
|
||||
{% for host in groups['vault_servers'] %}
|
||||
{
|
||||
'leader_api_addr': '{{ "https" if vault_enable_tls else "http"}}://{{ hostvars[host].api_interface_address }}:8200'
|
||||
}{% if not loop.last %},{% endif %}
|
||||
{% endfor %}
|
||||
]
|
||||
|
||||
##################
|
||||
# vault listener #
|
||||
##################
|
||||
|
||||
vault_enable_tls: false
|
||||
vault_tls_verify: false
|
||||
vault_listener_configuration:
|
||||
tcp:
|
||||
address: "0.0.0.0:8200"
|
||||
tls_disable: true
|
||||
|
||||
vault_tls_listener_configuration:
|
||||
tcp:
|
||||
tls_disable: false
|
||||
tls_cert_file: "{{ vault_certificates_directory }}/cert.pem"
|
||||
tls_key_file: "{{ vault_certificates_directory }}/key.pem"
|
||||
tls_disable_client_certs: true
|
||||
|
||||
vault_extra_listener_configuration: {}
|
||||
|
||||
########################
|
||||
# service registration #
|
||||
########################
|
||||
vault_enable_tls: "{{ enable_tls_internal }}"
|
||||
|
||||
vault_enable_service_registration: "{{ enable_consul | bool }}"
|
||||
vault_service_registration_configuration:
|
||||
consul:
|
||||
address: "127.0.0.1:{{ hostvars[groups['consul_servers'][0]].consul_api_port[hostvars[groups['consul_servers'][0]].consul_api_scheme] }}"
|
||||
scheme: "{{ hostvars[groups['consul_servers'][0]].consul_api_scheme }}"
|
||||
token: "{{ _credentials.consul.tokens.vault.secret_id }}"
|
||||
|
||||
#################
|
||||
# vault plugins #
|
||||
#################
|
||||
|
||||
vault_enable_plugins: false
|
||||
|
||||
###########
|
||||
# logging #
|
||||
###########
|
||||
vault_log_level: info
|
||||
|
||||
vault_enable_log_to_file: false
|
||||
vault_logging_configuration:
|
||||
log_level: info
|
||||
log_format: standard
|
||||
log_rotate_duration: 24h
|
||||
log_rotate_max_files: 30
|
||||
|
||||
###########################
|
||||
# vault container volumes #
|
||||
###########################
|
||||
|
||||
extra_vault_container_volumes: []
|
||||
|
||||
#############################
|
||||
# vault extra configuration #
|
||||
#############################
|
||||
|
||||
vault_extra_configuration: {}
|
||||
vault_extra_files_list: []
|
||||
|
||||
#####################################################
|
||||
# #
|
||||
#########
|
||||
# Nomad #
|
||||
# #
|
||||
#####################################################
|
||||
#########
|
||||
|
||||
nomad_datacenter: dc1
|
||||
nomad_region: global
|
||||
nomad_datacenter: dc1
|
||||
|
||||
###########################
|
||||
# nomad ACL configuration #
|
||||
###########################
|
||||
nomad_extra_files_list: []
|
||||
nomad_extra_configuration: {}
|
||||
|
||||
nomad_acl_configuration:
|
||||
enabled: true
|
||||
token_ttl: 30s
|
||||
policy_ttl: 60s
|
||||
role_ttl: 60s
|
||||
nomad_autopilot_configuration: {}
|
||||
|
||||
############################
|
||||
# nomad consul integration #
|
||||
############################
|
||||
|
||||
nomad_enable_consul_integration: "{{ enable_consul | bool }}"
|
||||
nomad_consul_integration_configuration:
|
||||
address: "127.0.0.1:{{ hashicorp_consul_configuration.ports.https if consul_enable_tls else hashicorp_consul_configuration.ports.http }}"
|
||||
auto_advertise: true
|
||||
ssl: "{{ consul_enable_tls | bool }}"
|
||||
token: "{{ _credentials.consul.tokens.nomad.server.secret_id if nomad_enable_server else _credentials.consul.tokens.nomad.client.secret_id}}"
|
||||
tags: []
|
||||
|
||||
############################
|
||||
# nomad vault integration #
|
||||
############################
|
||||
|
||||
nomad_enable_vault_integration: false
|
||||
nomad_vault_integration_configuration: {}
|
||||
|
||||
###############################
|
||||
# nomad drivers configuration #
|
||||
###############################
|
||||
|
||||
nomad_driver_enable_docker: yes
|
||||
nomad_driver_enable_podman: no
|
||||
nomad_driver_enable_raw_exec: no
|
||||
nomad_driver_enable_java: no
|
||||
nomad_driver_enable_qemu: no
|
||||
nomad_driver_enable_docker: true
|
||||
nomad_driver_enable_podman: false
|
||||
nomad_driver_enable_raw_exec: false
|
||||
nomad_driver_enable_java: false
|
||||
nomad_driver_enable_qemu: false
|
||||
|
||||
nomad_driver_extra_configuration: {}
|
||||
|
||||
######################
|
||||
# nomad internal tls #
|
||||
######################
|
||||
nomad_log_level: info
|
||||
|
||||
nomad_enable_tls: false
|
||||
nomad_tls_configuration:
|
||||
http: true
|
||||
rpc: true
|
||||
ca_file: "/etc/ssl/certs/ca-certificates.crt"
|
||||
cert_file: "{{ nomad_certificates_directory }}/cert.pem"
|
||||
key_file: "{{ nomad_certificates_directory }}/key.pem"
|
||||
verify_server_hostname: true
|
||||
|
||||
#############################
|
||||
# nomad extra configuration #
|
||||
#############################
|
||||
|
||||
nomad_extra_configuration: {}
|
||||
nomad_extra_files_list: []
|
||||
nomad_enable_tls: "{{ enable_tls_internal }}"
|
||||
|
@ -10,7 +10,7 @@ deploy_haproxy_version: "{{ haproxy_version }}"
|
||||
|
||||
deploy_haproxy_env_variables: {}
|
||||
deploy_haproxy_start_service: true
|
||||
deploy_haproxy_cert_dir: "{{ sub_configuration_directories['certificates']~'/external' if (enable_tls_external and not external_tls_externally_managed_certs) }}"
|
||||
deploy_haproxy_cert_dir: "{{ hashistack_sub_configuration_directories['certificates']~'/external' if (enable_tls_external and not external_tls_externally_managed_certs) }}"
|
||||
deploy_haproxy_extra_container_volumes: []
|
||||
deploy_haproxy_global:
|
||||
- log /dev/log local0
|
||||
|
130
playbooks/group_vars/all/hashistack_ca.yml
Normal file
130
playbooks/group_vars/all/hashistack_ca.yml
Normal file
@ -0,0 +1,130 @@
|
||||
---
|
||||
# defaults
|
||||
hashistack_ca_directory: "/etc/hashistack/certificates"
|
||||
hashistack_ca_use_cryptography: false
|
||||
hashistack_ca_action: "noop"
|
||||
hashistack_ca_domain: example.com
|
||||
hashistack_ca_directory_owner: root
|
||||
|
||||
##############################
|
||||
# Root Certificate Authority #
|
||||
##############################
|
||||
hashistack_ca_root_org_name: EDNZ Cloud
|
||||
hashistack_ca_root_country: FR
|
||||
hashistack_ca_root_locality: Paris
|
||||
hashistack_ca_root_common_name: "{{ hashistack_ca_domain }} Root CA"
|
||||
hashistack_ca_root_email:
|
||||
hashistack_ca_root_key_usage:
|
||||
- keyCertSign
|
||||
- cRLSign
|
||||
hashistack_ca_root_key_usage_critical: true
|
||||
hashistack_ca_root_basic_constraints:
|
||||
- CA:TRUE
|
||||
hashistack_ca_root_basic_constraints_critical: true
|
||||
|
||||
# Optional fields
|
||||
hashistack_ca_root_state_or_province_name:
|
||||
hashistack_ca_root_email_address:
|
||||
|
||||
# Validity
|
||||
hashistack_ca_root_valid_for: 1825d
|
||||
hashistack_ca_root_renew_threshold: 180d
|
||||
|
||||
######################################
|
||||
# Intermediate Certificate Authority #
|
||||
######################################
|
||||
hashistack_ca_intermediate_org_name: EDNZ Cloud Intermediate
|
||||
hashistack_ca_intermediate_country: FR
|
||||
hashistack_ca_intermediate_locality: Paris
|
||||
hashistack_ca_intermediate_common_name: "{{ hashistack_ca_domain }} Intermediate CA"
|
||||
hashistack_ca_intermediate_email:
|
||||
hashistack_ca_intermediate_key_usage:
|
||||
- keyCertSign
|
||||
- cRLSign
|
||||
hashistack_ca_intermediate_key_usage_critical: true
|
||||
hashistack_ca_intermediate_basic_constraints:
|
||||
- CA:TRUE
|
||||
- pathlen:0
|
||||
hashistack_ca_intermediate_basic_constraints_critical: true
|
||||
|
||||
# Optional fields
|
||||
hashistack_ca_intermediate_state_or_province_name:
|
||||
hashistack_ca_intermediate_email_address:
|
||||
|
||||
# Validity
|
||||
hashistack_ca_intermediate_valid_for: 365d
|
||||
hashistack_ca_intermediate_renew_threshold: 90d
|
||||
|
||||
# Name Constraints
|
||||
hashistack_ca_intermediate_name_constraints_permitted:
|
||||
- "DNS:.{{ hashistack_ca_domain }}"
|
||||
- DNS:.nomad
|
||||
- DNS:.consul
|
||||
- DNS:localhost
|
||||
- IP:192.168.0.0/16
|
||||
- IP:172.16.0.0/16
|
||||
- IP:10.0.0.0/8
|
||||
- IP:127.0.0.0/8
|
||||
hashistack_ca_intermediate_name_constraints_critical: "{{ (hashistack_ca_intermediate_name_constraints_permitted is defined and hashistack_ca_intermediate_name_constraints_permitted | length > 0) }}"
|
||||
|
||||
#####################
|
||||
# Leaf certificates #
|
||||
#####################
|
||||
|
||||
hashistack_ca_leaf_valid_for: 90d
|
||||
hashistack_ca_leaf_renew_threshold: 30d
|
||||
|
||||
############################
|
||||
# Consul Leaf Certificates #
|
||||
############################
|
||||
hashistack_ca_consul_org_name: "{{ hashistack_ca_root_org_name }}"
|
||||
hashistack_ca_consul_common_name: "{{ inventory_hostname }}"
|
||||
hashistack_ca_consul_csr_sans: >-
|
||||
{%- set sans_list = [
|
||||
'DNS:' + inventory_hostname,
|
||||
'DNS:consul.service.consul',
|
||||
'DNS:localhost',
|
||||
'IP:' + api_interface_address,
|
||||
'IP:127.0.0.1'
|
||||
] -%}
|
||||
{%- if consul_enable_server -%}
|
||||
{%- set _ = sans_list.append('DNS:server.' ~ consul_datacenter ~ '.' ~ consul_domain) -%}
|
||||
{%- endif -%}
|
||||
{{ sans_list }}
|
||||
|
||||
###########################
|
||||
# Nomad Leaf Certificates #
|
||||
###########################
|
||||
hashistack_ca_nomad_org_name: "{{ hashistack_ca_root_org_name }}"
|
||||
hashistack_ca_nomad_common_name: "{{ inventory_hostname }}"
|
||||
hashistack_ca_nomad_csr_sans: >-
|
||||
{%- set sans_list = [
|
||||
'DNS:' + inventory_hostname,
|
||||
'DNS:localhost',
|
||||
'IP:' + api_interface_address,
|
||||
'IP:127.0.0.1'
|
||||
] -%}
|
||||
{%- if nomad_enable_server -%}
|
||||
{%- set _ = sans_list.append('DNS:server.' ~ nomad_region ~ '.nomad') -%}
|
||||
{%- if (enable_consul | bool) -%}
|
||||
{%- set _ = sans_list.append('DNS:nomad.service.consul') -%}
|
||||
{%- endif -%}
|
||||
{%- endif -%}
|
||||
{%- if nomad_enable_client -%}
|
||||
{%- set _ = sans_list.append('DNS:client.' ~ nomad_region ~ '.nomad') -%}
|
||||
{%- endif -%}
|
||||
{{ sans_list }}
|
||||
|
||||
###########################
|
||||
# Vault Leaf Certificates #
|
||||
###########################
|
||||
hashistack_ca_vault_org_name: "{{ hashistack_ca_root_org_name }}"
|
||||
hashistack_ca_vault_common_name: "{{ inventory_hostname }}"
|
||||
hashistack_ca_vault_csr_sans:
|
||||
- "DNS:{{ inventory_hostname }}"
|
||||
- "DNS:active.vault.service.consul"
|
||||
- "DNS:standby.vault.service.consul"
|
||||
- "DNS:vault.service.consul"
|
||||
- "DNS:localhost"
|
||||
- "IP:{{ api_interface_address }}"
|
||||
- "IP:127.0.0.1"
|
@ -1,9 +1,5 @@
|
||||
---
|
||||
#####################################################
|
||||
# #
|
||||
# Non-Editable #
|
||||
# #
|
||||
#####################################################
|
||||
nomad_init_server: "{{ (inventory_hostname == groups['nomad_servers'][0]) | bool }}"
|
||||
|
||||
####################
|
||||
# nomad api config #
|
||||
@ -15,60 +11,188 @@ nomad_api_port:
|
||||
http: "{{ nomad_address_configuration.ports.http }}"
|
||||
https: "{{ nomad_address_configuration.ports.http }}"
|
||||
|
||||
#########
|
||||
# Nomad #
|
||||
#########
|
||||
|
||||
nomad_config_dir: "{{ hashistack_remote_config_dir }}/nomad.d"
|
||||
nomad_data_dir: "/opt/nomad"
|
||||
nomad_certs_dir: "{{ nomad_config_dir }}/tls"
|
||||
nomad_logs_dir: "{{ hashistack_remote_log_dir }}/nomad"
|
||||
|
||||
nomad_extra_files: true
|
||||
# nomad_extra_files_list: []
|
||||
|
||||
nomad_env_variables: {}
|
||||
|
||||
#######################
|
||||
# extra configuration #
|
||||
#######################
|
||||
|
||||
# You should prioritize adding configuration
|
||||
# to the configuration entries below, this
|
||||
# option should be used to add pieces of configuration not
|
||||
# available through standard variables.
|
||||
|
||||
# nomad_extra_configuration: {}
|
||||
|
||||
###########
|
||||
# general #
|
||||
###########
|
||||
|
||||
# nomad_region: global
|
||||
# nomad_datacenter: dc1
|
||||
|
||||
#########################
|
||||
# nomad haproxy backend #
|
||||
# address configuration #
|
||||
#########################
|
||||
|
||||
nomad_haproxy_frontend_options:
|
||||
- acl is_nomad hdr(host) -i {{ nomad_fqdn }}
|
||||
- use_backend nomad_external if is_nomad
|
||||
|
||||
nomad_haproxy_backends:
|
||||
- name: nomad_external
|
||||
options: "{{ nomad_external_backend_options + nomad_external_backend_servers }}"
|
||||
|
||||
nomad_external_backend_options:
|
||||
- description nomad external http backend
|
||||
- option forwardfor
|
||||
- option httpchk
|
||||
- http-check send meth GET uri /
|
||||
- default-server inter 2s fastinter 1s downinter 1s
|
||||
|
||||
nomad_external_backend_servers: |
|
||||
[
|
||||
{% for host in groups['nomad_servers'] %}
|
||||
'server nomad-{{ hostvars[host].api_interface_address }} {{ hostvars[host].api_interface_address }}:{{ hostvars[host].nomad_api_port[nomad_api_scheme] }} check {{ 'ssl verify none ' if nomad_enable_tls }}inter 5s'{% if not loop.last %},{% endif %}
|
||||
{% endfor %}
|
||||
]
|
||||
|
||||
###############################
|
||||
# nomad address configuration #
|
||||
###############################
|
||||
|
||||
nomad_bind_addr: "0.0.0.0"
|
||||
nomad_advertise_addr: "{{ api_interface_address }}"
|
||||
nomad_address_configuration:
|
||||
bind_addr: "{{ api_interface_address }}"
|
||||
bind_addr: "{{ nomad_bind_addr }}"
|
||||
addresses:
|
||||
http: "{{ api_interface_address }}"
|
||||
rpc: "{{ api_interface_address }}"
|
||||
serf: "{{ api_interface_address }}"
|
||||
http: "{{ nomad_advertise_addr }}"
|
||||
rpc: "{{ nomad_advertise_addr }}"
|
||||
serf: "{{ nomad_advertise_addr }}"
|
||||
advertise:
|
||||
http: "{{ api_interface_address }}"
|
||||
rpc: "{{ api_interface_address }}"
|
||||
serf: "{{ api_interface_address }}"
|
||||
http: "{{ nomad_advertise_addr }}"
|
||||
rpc: "{{ nomad_advertise_addr }}"
|
||||
serf: "{{ nomad_advertise_addr }}"
|
||||
ports:
|
||||
http: 4646
|
||||
rpc: 4647
|
||||
serf: 4648
|
||||
|
||||
#################################
|
||||
# nomad autopilot configuration #
|
||||
#################################
|
||||
###########################
|
||||
# autopilot configuration #
|
||||
###########################
|
||||
|
||||
nomad_autopilot_configuration: {}
|
||||
# nomad_autopilot_configuration: {}
|
||||
|
||||
############################
|
||||
# nomad consul integration #
|
||||
############################
|
||||
#######################
|
||||
# leave configuration #
|
||||
#######################
|
||||
|
||||
nomad_leave_on_interrupt: false
|
||||
nomad_leave_on_terminate: false
|
||||
|
||||
########################
|
||||
# server configuration #
|
||||
########################
|
||||
|
||||
nomad_enable_server: "{{ ('nomad_servers' in group_names) | bool }}"
|
||||
nomad_server_bootstrap_expect: "{{ (groups['nomad_servers'] | length) }}"
|
||||
nomad_server_configuration:
|
||||
enabled: "{{ nomad_enable_server }}"
|
||||
data_dir: "{{ nomad_data_dir }}/server"
|
||||
encrypt: "{{ _credentials.nomad.gossip_encryption_key }}"
|
||||
|
||||
##############################
|
||||
# client configuration #
|
||||
##############################
|
||||
|
||||
nomad_enable_client: "{{ ('nomad_clients' in group_names) | bool }}"
|
||||
nomad_client_configuration:
|
||||
enabled: "{{ nomad_enable_client }}"
|
||||
state_dir: "{{ nomad_data_dir }}/client"
|
||||
cni_path: "{{ cni_plugins_install_path | default('/opt/cni/bin') }}"
|
||||
bridge_network_name: nomad
|
||||
bridge_network_subnet: "172.26.64.0/20"
|
||||
|
||||
####################
|
||||
# ui configuration #
|
||||
####################
|
||||
|
||||
nomad_ui_configuration:
|
||||
enabled: "{{ nomad_enable_server }}"
|
||||
|
||||
#########################
|
||||
# drivers configuration #
|
||||
#########################
|
||||
|
||||
nomad_driver_enable_docker: true
|
||||
nomad_driver_enable_podman: false
|
||||
nomad_driver_enable_raw_exec: false
|
||||
nomad_driver_enable_java: false
|
||||
nomad_driver_enable_qemu: false
|
||||
|
||||
nomad_driver_configuration:
|
||||
raw_exec:
|
||||
enabled: false
|
||||
|
||||
nomad_driver_extra_configuration: {}
|
||||
|
||||
###########
|
||||
# logging #
|
||||
###########
|
||||
|
||||
nomad_log_level: info
|
||||
nomad_enable_log_to_file: "{{ enable_log_to_file | bool }}"
|
||||
nomad_log_to_file_configuration:
|
||||
log_file: "{{ nomad_logs_dir }}/nomad.log"
|
||||
log_rotate_duration: 24h
|
||||
log_rotate_max_files: 30
|
||||
|
||||
#####################
|
||||
# ACL configuration #
|
||||
#####################
|
||||
|
||||
nomad_acl_configuration:
|
||||
enabled: true
|
||||
token_ttl: 30s
|
||||
policy_ttl: 60s
|
||||
role_ttl: 60s
|
||||
|
||||
################
|
||||
# internal tls #
|
||||
################
|
||||
|
||||
nomad_enable_tls: false
|
||||
nomad_tls_configuration:
|
||||
http: true
|
||||
rpc: true
|
||||
ca_file: "/etc/ssl/certs/ca-certificates.crt"
|
||||
cert_file: "{{ nomad_certs_dir }}/fullchain.crt"
|
||||
key_file: "{{ nomad_certs_dir }}/cert.key"
|
||||
verify_server_hostname: true
|
||||
|
||||
nomad_certificates_extra_files_dir: >
|
||||
{{
|
||||
[] if external_tls_externally_managed_certs | bool else
|
||||
[{
|
||||
'src': "{{ hashistack_sub_configuration_directories['certificates'] }}/nomad/{{ inventory_hostname }}",
|
||||
'dest': "{{ nomad_certs_dir }}"
|
||||
}]
|
||||
}}
|
||||
|
||||
###########################
|
||||
# telemetry configuration #
|
||||
###########################
|
||||
|
||||
nomad_telemetry_configuration:
|
||||
collection_interval: 10s
|
||||
disable_hostname: false
|
||||
use_node_name: false
|
||||
publish_allocation_metrics: false
|
||||
publish_node_metrics: false
|
||||
prefix_filter: []
|
||||
disable_dispatched_job_summary_metrics: false
|
||||
prometheus_metrics: false
|
||||
|
||||
######################
|
||||
# consul integration #
|
||||
######################
|
||||
|
||||
nomad_enable_consul_integration: "{{ enable_consul | bool }}"
|
||||
nomad_consul_integration_configuration:
|
||||
address: >-
|
||||
127.0.0.1:{{ consul_api_port[consul_api_scheme] }}
|
||||
auto_advertise: true
|
||||
ssl: "{{ consul_enable_tls | bool }}"
|
||||
token: >-
|
||||
{{ _credentials.consul.tokens.nomad.server.secret_id if nomad_enable_server else _credentials.consul.tokens.nomad.client.secret_id }}
|
||||
tags: []
|
||||
|
||||
nomad_consul_integration_tls_configuration:
|
||||
ca_file: "/etc/ssl/certs/ca-certificates.crt"
|
||||
@ -78,7 +202,8 @@ nomad_consul_integration_server_configuration:
|
||||
|
||||
nomad_consul_integration_client_configuration:
|
||||
client_auto_join: true
|
||||
grpc_address: "127.0.0.1:{{ hashicorp_consul_configuration.ports.grpc_tls if consul_enable_tls else hashicorp_consul_configuration.ports.grpc }}"
|
||||
grpc_address: >-
|
||||
127.0.0.1:{{ consul_grpc_port[consul_api_scheme] }}
|
||||
|
||||
nomad_consul_integration_client_tls_configuration:
|
||||
grpc_ca_file: "/etc/ssl/certs/ca-certificates.crt"
|
||||
@ -107,93 +232,9 @@ nomad_consul_integration_client_policy: |
|
||||
policy = "write"
|
||||
}
|
||||
|
||||
#############################
|
||||
# nomad leave configuration #
|
||||
#############################
|
||||
############################
|
||||
# nomad vault integration #
|
||||
############################
|
||||
|
||||
# node will leave the cluster if the process is stopped
|
||||
# and if it is only a client
|
||||
nomad_leave_on_interrupt: "{{ (('nomad_clients' in group_names) and not ('nomad_servers' in group_names)) | bool }}"
|
||||
nomad_leave_on_terminate: "{{ (('nomad_clients' in group_names) and not ('nomad_servers' in group_names)) | bool }}"
|
||||
|
||||
##########################
|
||||
# nomad ui configuration #
|
||||
##########################
|
||||
|
||||
nomad_ui_configuration:
|
||||
enabled: "{{ ('nomad_servers' in group_names) | bool }}"
|
||||
|
||||
##############################
|
||||
# nomad server configuration #
|
||||
##############################
|
||||
|
||||
nomad_enable_server: "{{ ('nomad_servers' in group_names) | bool }}"
|
||||
nomad_server_configuration:
|
||||
enabled: "{{ nomad_enable_server }}"
|
||||
data_dir: "{{ hashicorp_nomad_data_dir }}/server"
|
||||
encrypt: "{{ _credentials.nomad.gossip_encryption_key }}"
|
||||
|
||||
##############################
|
||||
# nomad client configuration #
|
||||
##############################
|
||||
|
||||
nomad_enable_client: "{{ ('nomad_clients' in group_names) | bool }}"
|
||||
nomad_client_configuration:
|
||||
enabled: "{{ nomad_enable_client }}"
|
||||
state_dir: "{{ hashicorp_nomad_data_dir }}/client"
|
||||
bridge_network_name: nomad
|
||||
bridge_network_subnet: "172.26.64.0/20"
|
||||
|
||||
###############################
|
||||
# nomad drivers configuration #
|
||||
###############################
|
||||
|
||||
nomad_driver_configuration:
|
||||
raw_exec:
|
||||
enabled: "{{ nomad_driver_enable_raw_exec | bool }}"
|
||||
|
||||
######################
|
||||
# nomad internal tls #
|
||||
######################
|
||||
|
||||
nomad_certificates_directory: "{{ hashicorp_nomad_config_dir }}/tls"
|
||||
nomad_certificates_extra_files_dir:
|
||||
- src: "{{ sub_configuration_directories['certificates'] }}/nomad/{{ inventory_hostname }}"
|
||||
dest: "{{ nomad_certificates_directory }}"
|
||||
|
||||
########################
|
||||
# nomad role variables #
|
||||
########################
|
||||
|
||||
hashicorp_nomad_start_service: true
|
||||
hashicorp_nomad_service_name: "nomad"
|
||||
hashicorp_nomad_cni_plugins_install: true
|
||||
hashicorp_nomad_cni_plugins_version: latest
|
||||
hashicorp_nomad_cni_plugins_install_path: /opt/cni/bin
|
||||
hashicorp_nomad_version: "{{ nomad_version }}"
|
||||
hashicorp_nomad_env_variables: {}
|
||||
hashicorp_nomad_config_dir: "/etc/nomad.d"
|
||||
hashicorp_nomad_data_dir: /opt/nomad
|
||||
hashicorp_nomad_extra_files: true
|
||||
hashicorp_nomad_extra_files_list: "{{ ([] +
|
||||
(nomad_certificates_extra_files_dir if nomad_enable_tls else []) +
|
||||
nomad_extra_files_list)
|
||||
| unique
|
||||
| sort
|
||||
}}"
|
||||
hashicorp_nomad_configuration:
|
||||
datacenter: "{{ nomad_datacenter }}"
|
||||
region: "{{ nomad_region }}"
|
||||
bind_addr: "0.0.0.0"
|
||||
data_dir: "{{ hashicorp_nomad_data_dir }}"
|
||||
leave_on_interrupt: "{{ nomad_leave_on_interrupt }}"
|
||||
leave_on_terminate: "{{ nomad_leave_on_terminate }}"
|
||||
acl: "{{ nomad_acl_configuration }}"
|
||||
server: "{{ nomad_server_configuration }}"
|
||||
client: "{{ nomad_client_configuration }}"
|
||||
ui: "{{ nomad_ui_configuration }}"
|
||||
|
||||
# this is used to circumvent jinja limitation to convert string to integer
|
||||
hashicorp_nomad_configuration_string: |
|
||||
server:
|
||||
bootstrap_expect: {{ (groups['nomad_servers'] | length) }}
|
||||
nomad_enable_vault_integration: false
|
||||
nomad_vault_integration_configuration: {}
|
||||
|
@ -1,90 +1,126 @@
|
||||
---
|
||||
#####################################################
|
||||
# #
|
||||
# Non-Editable #
|
||||
# #
|
||||
#####################################################
|
||||
vault_init_server: "{{ (inventory_hostname == groups['vault_servers'][0]) | bool }}"
|
||||
|
||||
#########
|
||||
# Vault #
|
||||
#########
|
||||
|
||||
vault_config_dir: "{{ hashistack_remote_config_dir }}/vault.d"
|
||||
vault_data_dir: "/opt/vault"
|
||||
vault_certs_dir: "{{ vault_config_dir }}/tls"
|
||||
vault_logs_dir: "{{ hashistack_remote_log_dir }}/vault"
|
||||
|
||||
vault_extra_files: true
|
||||
# vault_extra_files_list: []
|
||||
|
||||
vault_env_variables: {}
|
||||
|
||||
#######################
|
||||
# extra configuration #
|
||||
#######################
|
||||
|
||||
# You should prioritize adding configuration
|
||||
# to the configuration entries below, this
|
||||
# option should be used to add pieces of configuration not
|
||||
# available through standard variables.
|
||||
|
||||
# vault_extra_configuration: {}
|
||||
|
||||
###########
|
||||
# general #
|
||||
###########
|
||||
|
||||
# vault_cluster_name: vault
|
||||
# vault_bind_addr: "0.0.0.0"
|
||||
# vault_cluster_addr: "{{ api_interface_address }}"
|
||||
# vault_enable_ui: true
|
||||
# vault_disable_mlock: false
|
||||
# vault_disable_cache: false
|
||||
|
||||
######################
|
||||
# seal configuration #
|
||||
######################
|
||||
|
||||
vault_seal_configuration:
|
||||
key_shares: 3
|
||||
key_threshold: 2
|
||||
|
||||
#########################
|
||||
# vault haproxy backend #
|
||||
# storage configuration #
|
||||
#########################
|
||||
|
||||
vault_haproxy_frontend_options:
|
||||
- acl is_vault hdr(host) -i {{ vault_fqdn }}
|
||||
- use_backend vault_external if is_vault
|
||||
|
||||
vault_haproxy_backends:
|
||||
- name: vault_external
|
||||
options: "{{ vault_external_backend_options + vault_external_backend_servers }}"
|
||||
|
||||
vault_external_backend_options:
|
||||
- description vault external http backend
|
||||
- option forwardfor
|
||||
- option httpchk GET /v1/sys/health?standbyok=true&sealedcode=200&standbycode=200&uninitcode=200
|
||||
- http-check expect status 200
|
||||
- default-server inter 2s fastinter 1s downinter 1s
|
||||
|
||||
vault_external_backend_servers: |
|
||||
vault_storage_configuration:
|
||||
raft:
|
||||
path: "{{ vault_data_dir }}"
|
||||
node_id: "{{ ansible_hostname }}"
|
||||
retry_join: >-
|
||||
[
|
||||
{% for host in groups['vault_servers'] %}
|
||||
'server vault-{{ hostvars[host].api_interface_address }} {{ hostvars[host].api_interface_address }}:8200 check {{ 'ssl verify none ' if vault_enable_tls }}inter 5s'{% if not loop.last %},{% endif %}
|
||||
{
|
||||
'leader_api_addr': '{{ "https" if vault_enable_tls else "http"}}://{{ hostvars[host].api_interface_address }}:8200'
|
||||
}{% if not loop.last %},{% endif %}
|
||||
{% endfor %}
|
||||
]
|
||||
|
||||
######################
|
||||
# vault internal tls #
|
||||
######################
|
||||
##########################
|
||||
# listener configuration #
|
||||
##########################
|
||||
|
||||
vault_certificates_directory: "{{ hashicorp_vault_config_dir }}/tls"
|
||||
vault_certificates_extra_files_dir:
|
||||
- src: "{{ sub_configuration_directories['certificates'] }}/vault/{{ inventory_hostname }}"
|
||||
dest: "{{ vault_certificates_directory }}"
|
||||
# vault_enable_tls: false
|
||||
vault_listener_configuration:
|
||||
- tcp:
|
||||
address: "{{ vault_cluster_addr }}:8200"
|
||||
tls_disable: true
|
||||
|
||||
#################
|
||||
# vault plugins #
|
||||
#################
|
||||
vault_tls_listener_configuration:
|
||||
- tcp:
|
||||
tls_disable: false
|
||||
tls_cert_file: "{{ vault_certs_dir }}/fullchain.crt"
|
||||
tls_key_file: "{{ vault_certs_dir }}/cert.key"
|
||||
tls_disable_client_certs: true
|
||||
|
||||
vault_plugin_directory: "{{ hashicorp_vault_config_dir }}/plugin"
|
||||
vault_plugin_extra_files_dir:
|
||||
- src: "{{ sub_configuration_directories['vault_servers'] }}/plugin"
|
||||
dest: "{{ vault_plugin_directory }}"
|
||||
vault_certificates_extra_files_dir: >
|
||||
{{
|
||||
[] if external_tls_externally_managed_certs | bool else
|
||||
[{
|
||||
'src': "{{ hashistack_sub_configuration_directories['certificates'] }}/vault/{{ inventory_hostname }}",
|
||||
'dest': "{{ vault_certs_dir }}"
|
||||
}]
|
||||
}}
|
||||
|
||||
##############################
|
||||
# vault service registration #
|
||||
##############################
|
||||
vault_extra_listener_configuration: []
|
||||
|
||||
########################
|
||||
# service registration #
|
||||
########################
|
||||
|
||||
# vault_enable_service_registration: "{{ enable_consul | bool }}"
|
||||
vault_service_registration_configuration:
|
||||
consul:
|
||||
address: >-
|
||||
127.0.0.1:{{ hostvars[groups['consul_servers'][0]].consul_api_port[hostvars[groups['consul_servers'][0]].consul_api_scheme] }}
|
||||
scheme: "{{ hostvars[groups['consul_servers'][0]].consul_api_scheme }}"
|
||||
token: "{{ _credentials.consul.tokens.vault.secret_id }}"
|
||||
|
||||
vault_service_registration_policy: |
|
||||
service "vault" {
|
||||
policy = "write"
|
||||
}
|
||||
|
||||
########################
|
||||
# vault role variables #
|
||||
########################
|
||||
#########################
|
||||
# plugins configuration #
|
||||
#########################
|
||||
|
||||
hashicorp_vault_start_service: true
|
||||
hashicorp_vault_service_name: "vault"
|
||||
hashicorp_vault_version: "{{ vault_version }}"
|
||||
hashicorp_vault_env_variables: {}
|
||||
hashicorp_vault_config_dir: "/etc/vault.d"
|
||||
hashicorp_vault_data_dir: "/opt/vault"
|
||||
hashicorp_vault_extra_files: true
|
||||
hashicorp_vault_extra_files_list: "{{ ([] +
|
||||
(vault_certificates_extra_files_dir if vault_enable_tls else []) +
|
||||
(vault_plugin_extra_files_dir if vault_enable_plugins else []) +
|
||||
vault_extra_files_list)
|
||||
| unique
|
||||
| sort
|
||||
}}"
|
||||
hashicorp_vault_extra_files_src: "{{ sub_configuration_directories.vault_servers }}/config"
|
||||
hashicorp_vault_extra_files_dst: "{{ hashicorp_vault_config_dir }}/config"
|
||||
hashicorp_vault_extra_container_volumes: "{{ default_container_extra_volumes | union(extra_vault_container_volumes) | unique | sort }}"
|
||||
hashicorp_vault_configuration:
|
||||
cluster_name: "{{ vault_cluster_name }}"
|
||||
cluster_addr: "{{ 'https' if vault_enable_tls else 'http'}}://{{ api_interface_address }}:8201"
|
||||
api_addr: "{{ 'https' if vault_enable_tls else 'http'}}://{{ api_interface_address }}:8200"
|
||||
ui: "{{ vault_enable_ui }}"
|
||||
disable_mlock: false
|
||||
disable_cache: false
|
||||
listener: "{{ vault_listener_configuration }}"
|
||||
storage: "{{ vault_storage_configuration }}"
|
||||
# vault_enable_plugins: false
|
||||
vault_plugins_directory: "{{ vault_config_dir }}/plugins"
|
||||
|
||||
#################
|
||||
# vault logging #
|
||||
#################
|
||||
|
||||
# vault_log_level: info
|
||||
vault_enable_log_to_file: "{{ enable_log_to_file | bool }}"
|
||||
vault_log_to_file_configuration:
|
||||
log_file: "{{ vault_logs_dir }}/vault.log"
|
||||
log_rotate_duration: 24h
|
||||
log_rotate_max_files: 30
|
||||
|
@ -22,6 +22,8 @@ nomad-client01
|
||||
nomad-client02
|
||||
nomad-client03
|
||||
|
||||
[consul_agents]
|
||||
|
||||
[consul_agents:children]
|
||||
haproxy_servers
|
||||
vault_servers
|
||||
@ -31,8 +33,20 @@ nomad_clients
|
||||
[deployment]
|
||||
localhost ansible_connection=local
|
||||
|
||||
[consul:children]
|
||||
consul_servers
|
||||
consul_agents
|
||||
|
||||
[nomad:children]
|
||||
nomad_servers
|
||||
nomad_clients
|
||||
|
||||
[vault:children]
|
||||
vault_servers
|
||||
|
||||
[common:children]
|
||||
haproxy_servers
|
||||
vault_servers
|
||||
consul_servers
|
||||
nomad_servers
|
||||
nomad_clients
|
||||
|
@ -1,14 +1,16 @@
|
||||
---
|
||||
# hashistack deployment playbook
|
||||
- name: "Preflight"
|
||||
hosts: all
|
||||
hosts: all, !deployment
|
||||
strategy: linear
|
||||
gather_facts: true
|
||||
become: true
|
||||
tasks:
|
||||
- name: "Import variables"
|
||||
ansible.builtin.import_tasks:
|
||||
file: tasks/load_vars.yml
|
||||
ansible.builtin.include_role:
|
||||
name: ednz_cloud.hashistack.hashistack
|
||||
tags:
|
||||
- always
|
||||
|
||||
- name: "Checking vault inventory"
|
||||
ansible.builtin.assert:
|
||||
@ -46,44 +48,44 @@
|
||||
when:
|
||||
- enable_nomad | bool
|
||||
|
||||
- name: "Checking directory {{ configuration_directory }}" # noqa: run-once[task]
|
||||
- name: "Checking directory {{ hashistack_configuration_directory }}" # noqa: run-once[task]
|
||||
delegate_to: localhost
|
||||
run_once: true
|
||||
block:
|
||||
- name: "Stat directory {{ configuration_directory }}"
|
||||
- name: "Stat directory {{ hashistack_configuration_directory }}"
|
||||
ansible.builtin.stat:
|
||||
path: "{{ configuration_directory }}"
|
||||
path: "{{ hashistack_configuration_directory }}"
|
||||
register: _stat_config_dir
|
||||
|
||||
- name: "Stat nomad_servers config directory"
|
||||
ansible.builtin.stat:
|
||||
path: "{{ sub_configuration_directories.nomad_servers }}"
|
||||
path: "{{ hashistack_sub_configuration_directories.nomad_servers }}"
|
||||
register: _stat_config_dir_nomad_servers
|
||||
when:
|
||||
- enable_nomad | bool
|
||||
|
||||
- name: "Stat consul_servers config directory"
|
||||
ansible.builtin.stat:
|
||||
path: "{{ sub_configuration_directories.consul_servers }}"
|
||||
path: "{{ hashistack_sub_configuration_directories.consul_servers }}"
|
||||
register: _stat_config_dir_consul_servers
|
||||
when:
|
||||
- enable_consul | bool
|
||||
|
||||
- name: "Stat vault_servers config directory"
|
||||
ansible.builtin.stat:
|
||||
path: "{{ sub_configuration_directories.vault_servers }}"
|
||||
path: "{{ hashistack_sub_configuration_directories.vault_servers }}"
|
||||
register: _stat_config_dir_vault_servers
|
||||
when:
|
||||
- enable_vault | bool
|
||||
|
||||
- name: "Make sure directory exists: {{ configuration_directory }}"
|
||||
- name: "Make sure directory exists: {{ hashistack_configuration_directory }}"
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- _stat_config_dir.stat.exists
|
||||
- _stat_config_dir.stat.isdir
|
||||
- _stat_config_dir.stat.writeable
|
||||
|
||||
- name: "Make sure directory exists: {{ sub_configuration_directories.nomad_servers }}"
|
||||
- name: "Make sure directory exists: {{ hashistack_sub_configuration_directories.nomad_servers }}"
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- _stat_config_dir_nomad_servers.stat.exists
|
||||
@ -92,7 +94,7 @@
|
||||
when:
|
||||
- enable_nomad | bool
|
||||
|
||||
- name: "Make sure directory exists: {{ sub_configuration_directories.consul_servers }}"
|
||||
- name: "Make sure directory exists: {{ hashistack_sub_configuration_directories.consul_servers }}"
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- _stat_config_dir_consul_servers.stat.exists
|
||||
@ -101,7 +103,7 @@
|
||||
when:
|
||||
- enable_consul | bool
|
||||
|
||||
- name: "Make sure directory exists: {{ sub_configuration_directories.vault_servers }}"
|
||||
- name: "Make sure directory exists: {{ hashistack_sub_configuration_directories.vault_servers }}"
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- _stat_config_dir_vault_servers.stat.exists
|
||||
@ -111,8 +113,8 @@
|
||||
- enable_vault | bool
|
||||
|
||||
- name: "Checking host OS distribution"
|
||||
#TODO: This needs to work with debian and ubuntu, major version works for debian but not ubuntu, simple version works the other way around...
|
||||
#? seems to work
|
||||
# TODO: This needs to work with debian and ubuntu, major version works for debian but not ubuntu, simple version works the other way around...
|
||||
# ? seems to work
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- "(ansible_facts.distribution | lower) in hashistack_supported_distributions"
|
||||
@ -259,7 +261,7 @@
|
||||
when: vault_port_results.results | length > 0
|
||||
|
||||
- name: "Checking if consul ports are available"
|
||||
when: inventory_hostname in groups['consul_servers']
|
||||
when: inventory_hostname in groups['consul_servers'] or inventory_hostname in groups['consul_agents']
|
||||
block:
|
||||
- name: "Checking if consul ports are available"
|
||||
ansible.builtin.wait_for:
|
||||
@ -278,6 +280,26 @@
|
||||
with_items: "{{ consul_port_results.results }}"
|
||||
when: consul_port_results.results | length > 0
|
||||
|
||||
- name: "Checking if nomad ports are available"
|
||||
when: inventory_hostname in groups['nomad_servers'] or inventory_hostname in groups['nomad_clients']
|
||||
block:
|
||||
- name: "Checking if nomad ports are available"
|
||||
ansible.builtin.wait_for:
|
||||
host: "{{ inventory_hostname }}"
|
||||
port: "{{ item }}"
|
||||
state: "stopped"
|
||||
timeout: 5
|
||||
loop: "{{ nomad_required_ports }}"
|
||||
ignore_errors: true
|
||||
register: nomad_port_results
|
||||
|
||||
- name: "Assert that nomad ports are not currently in use"
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- item.failed == false
|
||||
with_items: "{{ nomad_port_results.results }}"
|
||||
when: nomad_port_results.results | length > 0
|
||||
|
||||
- name: "Checking if system uses systemd"
|
||||
become: true
|
||||
ansible.builtin.assert:
|
||||
|
6
playbooks/tasks/consul/consul_agents.yml
Normal file
6
playbooks/tasks/consul/consul_agents.yml
Normal file
@ -0,0 +1,6 @@
|
||||
---
|
||||
- name: "Consul agents"
|
||||
block:
|
||||
- name: "Deploy Consul Agents"
|
||||
ansible.builtin.include_role:
|
||||
name: ednz_cloud.hashistack.consul
|
71
playbooks/tasks/consul/consul_control_plane.yml
Normal file
71
playbooks/tasks/consul/consul_control_plane.yml
Normal file
@ -0,0 +1,71 @@
|
||||
---
|
||||
- name: "Consul control plane"
|
||||
block:
|
||||
- name: "Include ednz_cloud.hashistack.consul"
|
||||
ansible.builtin.include_role:
|
||||
name: ednz_cloud.hashistack.consul
|
||||
|
||||
- name: "Consul | Wait for consul cluster to initialize" # noqa: run-once[task]
|
||||
block:
|
||||
- name: "Consul | Wait for consul nodes to stabilize"
|
||||
ansible.builtin.wait_for:
|
||||
host: "{{ api_interface_address }}"
|
||||
port: "{{ consul_api_port[consul_api_scheme] }}"
|
||||
delay: 10
|
||||
|
||||
- name: "Consul | Waiting for consul api to respond"
|
||||
ansible.builtin.uri:
|
||||
url: "{{ consul_api_addr }}"
|
||||
validate_certs: no
|
||||
return_content: yes
|
||||
status_code:
|
||||
- 200
|
||||
until: uri_output.status == 200
|
||||
retries: 24
|
||||
delay: 5
|
||||
register: uri_output
|
||||
|
||||
- name: "Consul | Initialize consul cluster" # noqa: run-once[task]
|
||||
community.general.consul_acl_bootstrap:
|
||||
bootstrap_secret: "{{ _credentials.consul.root_token.secret_id }}"
|
||||
host: "{{ api_interface_address }}"
|
||||
port: "{{ consul_api_port[consul_api_scheme] }}"
|
||||
scheme: "{{ consul_api_scheme }}"
|
||||
state: present
|
||||
register: _consul_init_secret
|
||||
when:
|
||||
- consul_init_server
|
||||
- consul_configuration.acl.enabled
|
||||
|
||||
- name: "Consul | Create consul agents token"
|
||||
when:
|
||||
- consul_init_server
|
||||
- consul_configuration.acl.enabled
|
||||
block:
|
||||
- name: "Consul | Create consul agents token" # noqa: run-once[task] no-handler
|
||||
block:
|
||||
- name: "Consul | Create consul agent policy"
|
||||
community.general.consul_policy:
|
||||
token: "{{ _credentials.consul.root_token.secret_id }}"
|
||||
host: "{{ api_interface_address }}"
|
||||
port: "{{ consul_api_port[consul_api_scheme] }}"
|
||||
scheme: "{{ consul_api_scheme }}"
|
||||
validate_certs: false
|
||||
state: present
|
||||
name: agents-policy
|
||||
rules: "{{ consul_default_agent_policy }}"
|
||||
register: _consul_agent_policy
|
||||
|
||||
- name: "Consul | Create consul agents token"
|
||||
community.general.consul_token:
|
||||
token: "{{ _credentials.consul.root_token.secret_id }}"
|
||||
host: "{{ api_interface_address }}"
|
||||
port: "{{ consul_api_port[consul_api_scheme] }}"
|
||||
scheme: "{{ consul_api_scheme }}"
|
||||
validate_certs: false
|
||||
accessor_id: "{{ _credentials.consul.tokens.agent.accessor_id }}"
|
||||
secret_id: "{{ _credentials.consul.tokens.agent.secret_id }}"
|
||||
policies:
|
||||
- id: "{{ _consul_agent_policy.policy.ID }}"
|
||||
state: present
|
||||
register: _consul_agent_token
|
@ -1,78 +1,19 @@
|
||||
---
|
||||
- name: "Consul"
|
||||
block:
|
||||
- name: "Include ednz_cloud.hashicorp_consul"
|
||||
ansible.builtin.include_role:
|
||||
name: ednz_cloud.hashicorp_consul
|
||||
|
||||
- name: "Wait for consul cluster to initialize" # noqa: run-once[task]
|
||||
block:
|
||||
- name: "Wait for consul nodes to stabilize"
|
||||
ansible.builtin.wait_for:
|
||||
host: "{{ api_interface_address }}"
|
||||
port: "{{ consul_api_port[consul_api_scheme] }}"
|
||||
delay: 10
|
||||
|
||||
- name: "Waiting for consul api to respond"
|
||||
ansible.builtin.uri:
|
||||
url: "{{ consul_api_addr }}"
|
||||
validate_certs: no
|
||||
return_content: yes
|
||||
status_code:
|
||||
- 200
|
||||
until: uri_output.status == 200
|
||||
retries: 24
|
||||
delay: 5
|
||||
register: uri_output
|
||||
|
||||
- name: "Initialize consul cluster" # noqa: run-once[task]
|
||||
community.general.consul_acl_bootstrap:
|
||||
bootstrap_secret: "{{ _credentials.consul.root_token.secret_id }}"
|
||||
host: "{{ api_interface_address }}"
|
||||
port: "{{ consul_api_port[consul_api_scheme] }}"
|
||||
scheme: "{{ consul_api_scheme }}"
|
||||
state: present
|
||||
run_once: true
|
||||
delegate_to: "{{ groups['consul_servers'] | first }}"
|
||||
register: _consul_init_secret
|
||||
when: hashicorp_consul_configuration.acl.enabled
|
||||
|
||||
- name: "Create consul agents token"
|
||||
- name: "Deploy Consul Control Plane"
|
||||
ansible.builtin.import_tasks:
|
||||
file: consul_control_plane.yml
|
||||
when:
|
||||
- consul_acl_configuration.enabled
|
||||
block:
|
||||
- name: "Create consul agents token" # noqa: run-once[task] no-handler
|
||||
run_once: true
|
||||
block:
|
||||
- name: "Create consul agent policy"
|
||||
community.general.consul_policy:
|
||||
token: "{{ _credentials.consul.root_token.secret_id }}"
|
||||
host: "{{ api_interface_address }}"
|
||||
port: "{{ consul_api_port[consul_api_scheme] }}"
|
||||
scheme: "{{ consul_api_scheme }}"
|
||||
validate_certs: false
|
||||
state: present
|
||||
name: agents-policy
|
||||
rules: "{{ consul_default_agent_policy }}"
|
||||
register: _consul_agent_policy
|
||||
- "'consul_servers' in group_names"
|
||||
tags:
|
||||
- consul_servers
|
||||
|
||||
- name: "Create consul agents token"
|
||||
community.general.consul_token:
|
||||
token: "{{ _credentials.consul.root_token.secret_id }}"
|
||||
host: "{{ api_interface_address }}"
|
||||
port: "{{ consul_api_port[consul_api_scheme] }}"
|
||||
scheme: "{{ consul_api_scheme }}"
|
||||
validate_certs: false
|
||||
accessor_id: "{{ _credentials.consul.tokens.agent.accessor_id }}"
|
||||
secret_id: "{{ _credentials.consul.tokens.agent.secret_id }}"
|
||||
policies:
|
||||
- id: "{{ _consul_agent_policy.policy.ID }}"
|
||||
state: present
|
||||
register: _consul_agent_token
|
||||
|
||||
- name: "Restart consul service" # noqa: no-handler
|
||||
ansible.builtin.service:
|
||||
name: "{{ hashicorp_consul_service_name }}"
|
||||
state: restarted
|
||||
throttle: 1
|
||||
when: _consul_agent_token.changed
|
||||
- name: "Deploy Consul Agents"
|
||||
ansible.builtin.import_tasks:
|
||||
file: consul_agents.yml
|
||||
when:
|
||||
- "'consul_agents' in group_names"
|
||||
- "'consul_servers' not in group_names"
|
||||
tags:
|
||||
- consul_agents
|
||||
|
@ -1,67 +0,0 @@
|
||||
---
|
||||
# hashistack configuration merging for consul
|
||||
- name: "Consul | Merge stringified configuration"
|
||||
vars:
|
||||
_config_to_merge: "{{ hashicorp_consul_configuration_string }}"
|
||||
ansible.builtin.set_fact:
|
||||
hashicorp_consul_configuration: "{{
|
||||
hashicorp_consul_configuration |
|
||||
combine(_config_to_merge|from_yaml, recursive=true)
|
||||
}}"
|
||||
when:
|
||||
- hashicorp_consul_configuration_string is defined
|
||||
|
||||
- name: "Consul | Merge servers specific stringified configuration"
|
||||
vars:
|
||||
_config_to_merge: "{{ hashicorp_consul_servers_configuration_string }}"
|
||||
ansible.builtin.set_fact:
|
||||
hashicorp_consul_configuration: "{{
|
||||
hashicorp_consul_configuration |
|
||||
combine(_config_to_merge|from_yaml, recursive=true)
|
||||
}}"
|
||||
when:
|
||||
- hashicorp_consul_configuration_string is defined
|
||||
- "'consul_servers' in group_names"
|
||||
|
||||
- name: "Consul | Merge addresses configuration"
|
||||
vars:
|
||||
_config_to_merge: "{{ consul_address_configuration }}"
|
||||
ansible.builtin.set_fact:
|
||||
hashicorp_consul_configuration: "{{
|
||||
hashicorp_consul_configuration |
|
||||
combine(_config_to_merge, recursive=true)
|
||||
}}"
|
||||
when: consul_address_configuration is defined
|
||||
|
||||
- name: "Consul | Merge TLS configuration"
|
||||
vars:
|
||||
_config_to_merge:
|
||||
tls: "{{ consul_tls_configuration }}"
|
||||
ansible.builtin.set_fact:
|
||||
hashicorp_consul_configuration: "{{
|
||||
hashicorp_consul_configuration |
|
||||
combine(_config_to_merge, recursive=true)
|
||||
}}"
|
||||
when: consul_enable_tls
|
||||
|
||||
- name: "Consul | Merge token configuration"
|
||||
delegate_to: localhost
|
||||
block:
|
||||
- name: "Consul | Merge token configuration"
|
||||
vars:
|
||||
_config_to_merge:
|
||||
acl:
|
||||
tokens:
|
||||
agent: "{{ _credentials.consul.tokens.agent.secret_id }}"
|
||||
ansible.builtin.set_fact:
|
||||
hashicorp_consul_configuration: "{{ hashicorp_consul_configuration | default({}) | combine(_config_to_merge, recursive=true) }}"
|
||||
|
||||
- name: "Consul | Merge extra configuration settings"
|
||||
vars:
|
||||
_config_to_merge: "{{ consul_extra_configuration }}"
|
||||
ansible.builtin.set_fact:
|
||||
hashicorp_consul_configuration: "{{
|
||||
hashicorp_consul_configuration |
|
||||
combine(_config_to_merge, recursive=true)
|
||||
}}"
|
||||
when: consul_extra_configuration is defined
|
@ -23,7 +23,6 @@
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0755
|
||||
recurse: yes
|
||||
loop:
|
||||
- "{{ hashistack_remote_config_dir }}"
|
||||
- "{{ hashistack_remote_data_dir }}"
|
||||
@ -52,3 +51,8 @@
|
||||
when:
|
||||
- enable_nomad | bool
|
||||
- "('nomad_servers' in group_names) or ('nomad_clients' in group_names)"
|
||||
# - name: "Print all config"
|
||||
# ansible.builtin.debug:
|
||||
# msg: "{{ hostvars[inventory_hostname] }}"
|
||||
#
|
||||
# - fail:
|
||||
|
@ -1,206 +0,0 @@
|
||||
---
|
||||
# hashistack variable injection playbook
|
||||
- name: "Load global variables"
|
||||
block:
|
||||
- name: "Stat global configuration file"
|
||||
ansible.builtin.stat:
|
||||
path: "{{ configuration_directory }}/{{ configuration_global_vars_file }}"
|
||||
register: _global_config_file
|
||||
delegate_to: localhost
|
||||
|
||||
- name: "Make sure global configuration file exists"
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- _global_config_file.stat.exists
|
||||
fail_msg: >-
|
||||
Main configuration file {{ _global_config_file.stat.path }} was not found, cannot continue without it.
|
||||
delegate_to: localhost
|
||||
|
||||
- name: "Load global variables"
|
||||
ansible.builtin.include_vars:
|
||||
dir: "{{ configuration_directory }}"
|
||||
files_matching: "{{ configuration_global_vars_file }}"
|
||||
depth: 1
|
||||
delegate_to: localhost
|
||||
|
||||
- name: "Load credentials variables"
|
||||
block:
|
||||
- name: "Stat credentials file"
|
||||
ansible.builtin.stat:
|
||||
path: "{{ sub_configuration_directories['secrets'] }}/{{ configuration_credentials_vars_file }}"
|
||||
register: _credentials_file
|
||||
delegate_to: localhost
|
||||
|
||||
- name: "Stat vault credentials file"
|
||||
ansible.builtin.stat:
|
||||
path: "{{ sub_configuration_directories['secrets'] }}/vault.yml"
|
||||
register: _vault_credentials_file
|
||||
delegate_to: localhost
|
||||
|
||||
- name: "Make sure credentials file exists"
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- _credentials_file.stat.exists
|
||||
fail_msg: >-
|
||||
Credentials file {{ _credentials_file.stat.path }} was not found, cannot continue without it.
|
||||
delegate_to: localhost
|
||||
|
||||
- name: "Load credentials variables"
|
||||
ansible.builtin.include_vars:
|
||||
dir: "{{ sub_configuration_directories['secrets'] }}"
|
||||
files_matching: "{{ configuration_credentials_vars_file }}"
|
||||
depth: 1
|
||||
name: _credentials
|
||||
delegate_to: localhost
|
||||
|
||||
- name: "Load vault credentials if vault.yml exists"
|
||||
ansible.builtin.include_vars:
|
||||
dir: "{{ sub_configuration_directories['secrets'] }}"
|
||||
files_matching: "vault.yml"
|
||||
depth: 1
|
||||
name: _vault_credentials
|
||||
when: _vault_credentials_file.stat.exists
|
||||
delegate_to: localhost
|
||||
|
||||
- name: "Merge vault credentials into _credentials"
|
||||
vars:
|
||||
_config_to_merge:
|
||||
vault: "{{ _vault_credentials }}"
|
||||
ansible.builtin.set_fact:
|
||||
_credentials: "{{ _credentials | combine(_vault_credentials, recursive=true) }}"
|
||||
when: _vault_credentials_file.stat.exists
|
||||
delegate_to: localhost
|
||||
|
||||
- name: "Load group specific variables"
|
||||
block:
|
||||
- name: "Stat group specific config file"
|
||||
ansible.builtin.stat:
|
||||
path: "{{ configuration_directory }}/{{ group_name }}/{{ configuration_global_vars_file }}"
|
||||
register: _group_config_file
|
||||
loop: "{{ group_names }}"
|
||||
loop_control:
|
||||
loop_var: group_name
|
||||
|
||||
- name: Load group specific variables
|
||||
ansible.builtin.include_vars:
|
||||
dir: "{{ configuration_directory }}/{{ item.group_name }}"
|
||||
files_matching: "{{ configuration_global_vars_file }}"
|
||||
depth: 1
|
||||
loop: "{{ _group_config_file.results }}"
|
||||
when: item.stat.exists
|
||||
and item.group_name in group_names
|
||||
loop_control:
|
||||
loop_var: item
|
||||
delegate_to: localhost
|
||||
|
||||
- name: "Load host specific variables"
|
||||
block:
|
||||
- name: "Stat host specific config file"
|
||||
ansible.builtin.stat:
|
||||
path: "{{ configuration_directory }}/{{ group_name }}/{{ inventory_hostname }}/{{ configuration_global_vars_file }}"
|
||||
register: _host_config_file
|
||||
loop: "{{ group_names }}"
|
||||
loop_control:
|
||||
loop_var: group_name
|
||||
delegate_to: localhost
|
||||
|
||||
- name: Load host specific variables
|
||||
ansible.builtin.include_vars:
|
||||
dir: "{{ configuration_directory }}/{{ item.group_name }}/{{ inventory_hostname }}"
|
||||
files_matching: "{{ configuration_global_vars_file }}"
|
||||
loop: "{{ _host_config_file.results }}"
|
||||
when: item.stat.exists
|
||||
loop_control:
|
||||
loop_var: item
|
||||
delegate_to: localhost
|
||||
|
||||
- name: "Ensure remote directories exists"
|
||||
ansible.builtin.file:
|
||||
path: "{{ item }}"
|
||||
state: directory
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0755
|
||||
recurse: yes
|
||||
loop:
|
||||
- "{{ hashistack_remote_config_dir }}"
|
||||
- "{{ hashistack_remote_data_dir }}"
|
||||
|
||||
- name: "Load custom CA certificates"
|
||||
block:
|
||||
- name: "Check if CA directory exists"
|
||||
ansible.builtin.stat:
|
||||
path: "{{ sub_configuration_directories['certificates'] }}/ca"
|
||||
register: _hashistack_ca_directory
|
||||
delegate_to: localhost
|
||||
|
||||
- name: "Find custom ca certificates to copy"
|
||||
ansible.builtin.find:
|
||||
paths: "{{ sub_configuration_directories['certificates'] }}/ca"
|
||||
patterns: "*.crt"
|
||||
register: _hashistack_cacert_files
|
||||
delegate_to: localhost
|
||||
when: _hashistack_ca_directory.stat.exists and _hashistack_ca_directory.stat.isdir
|
||||
|
||||
- name: "Ensure remote ca directory exists"
|
||||
ansible.builtin.file:
|
||||
path: "{{ hashistack_remote_config_dir }}/ca"
|
||||
state: directory
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0755
|
||||
|
||||
- name: "Copy custom ca certificates"
|
||||
ansible.builtin.copy:
|
||||
src: "{{ item.path }}"
|
||||
dest: "{{ hashistack_remote_config_dir }}/ca/{{ item.path | basename }}"
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0644
|
||||
loop: "{{ _hashistack_cacert_files.files }}"
|
||||
register: _hashistack_copied_ca
|
||||
|
||||
- name: "Copy and update trust store"
|
||||
block:
|
||||
- name: "Copy ca certificates to /usr/loca/share/ca-certificates"
|
||||
ansible.builtin.file:
|
||||
state: link
|
||||
src: "{{ item.dest }}"
|
||||
dest: "/usr/local/share/ca-certificates/hashistack-customca-{{ item.dest | basename }}"
|
||||
owner: root
|
||||
group: root
|
||||
loop: "{{ _hashistack_copied_ca.results }}"
|
||||
register: _hashistack_usr_local_share_ca_certificates
|
||||
|
||||
- name: "Update the trust store"
|
||||
ansible.builtin.command: update-ca-certificates
|
||||
changed_when: false
|
||||
when: _hashistack_usr_local_share_ca_certificates.changed
|
||||
|
||||
# - name: "Initialize list of CA certificates"
|
||||
# ansible.builtin.set_fact:
|
||||
# hashistack_cacert_extra_files: []
|
||||
# delegate_to: localhost
|
||||
|
||||
# - name: "Add custom CA to list of extra certificates"
|
||||
# ansible.builtin.set_fact:
|
||||
# hashistack_cacert_extra_files: "{{
|
||||
# hashistack_cacert_extra_files | default([])
|
||||
# + [{'src': item.path, 'dest': '/etc/ssl/certs/hashistack-custom-' + item.path | basename}] }}"
|
||||
# loop: "{{ _hashistack_cacert_files.files }}"
|
||||
# delegate_to: localhost
|
||||
# when: _hashistack_cacert_files.matched > 0
|
||||
|
||||
- name: "Merge consul configurations"
|
||||
ansible.builtin.import_tasks:
|
||||
file: "consul/consul_vars.yml"
|
||||
when:
|
||||
- enable_consul | bool
|
||||
- "('consul_servers' in group_names) or ('consul_agents' in group_names)"
|
||||
|
||||
- name: "Merge vault configurations"
|
||||
ansible.builtin.import_tasks:
|
||||
file: "vault/vault_vars.yml"
|
||||
when:
|
||||
- enable_vault | bool
|
||||
- "'vault_servers' in group_names"
|
@ -1,21 +0,0 @@
|
||||
---
|
||||
- name: "Stat global configuration file"
|
||||
ansible.builtin.stat:
|
||||
path: "{{ configuration_directory }}/{{ configuration_global_vars_file }}"
|
||||
register: _global_config_file
|
||||
delegate_to: localhost
|
||||
|
||||
- name: "Make sure global configuration file exists"
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- _global_config_file.stat.exists
|
||||
fail_msg: >-
|
||||
Main configuration file {{ _global_config_file.stat.path }} was not found, cannot continue without it.
|
||||
delegate_to: localhost
|
||||
|
||||
- name: "Load global variables"
|
||||
ansible.builtin.include_vars:
|
||||
dir: "{{ configuration_directory }}"
|
||||
files_matching: "{{ configuration_global_vars_file }}"
|
||||
depth: 1
|
||||
delegate_to: localhost
|
@ -1,20 +0,0 @@
|
||||
---
|
||||
- name: "Stat group specific config file"
|
||||
ansible.builtin.stat:
|
||||
path: "{{ configuration_directory }}/{{ group_name }}/{{ configuration_global_vars_file }}"
|
||||
register: _group_config_file
|
||||
loop: "{{ group_names }}"
|
||||
loop_control:
|
||||
loop_var: group_name
|
||||
|
||||
- name: Load group specific variables
|
||||
ansible.builtin.include_vars:
|
||||
dir: "{{ configuration_directory }}/{{ item.group_name }}"
|
||||
files_matching: "{{ configuration_global_vars_file }}"
|
||||
depth: 1
|
||||
loop: "{{ _group_config_file.results }}"
|
||||
when: item.stat.exists
|
||||
and item.group_name in group_names
|
||||
loop_control:
|
||||
loop_var: item
|
||||
delegate_to: localhost
|
@ -1,19 +0,0 @@
|
||||
---
|
||||
- name: "Stat host specific config file"
|
||||
ansible.builtin.stat:
|
||||
path: "{{ configuration_directory }}/{{ group_name }}/{{ inventory_hostname }}/{{ configuration_global_vars_file }}"
|
||||
register: _host_config_file
|
||||
loop: "{{ group_names }}"
|
||||
loop_control:
|
||||
loop_var: group_name
|
||||
delegate_to: localhost
|
||||
|
||||
- name: Load host specific variables
|
||||
ansible.builtin.include_vars:
|
||||
dir: "{{ configuration_directory }}/{{ item.group_name }}/{{ inventory_hostname }}"
|
||||
files_matching: "{{ configuration_global_vars_file }}"
|
||||
loop: "{{ _host_config_file.results }}"
|
||||
when: item.stat.exists
|
||||
loop_control:
|
||||
loop_var: item
|
||||
delegate_to: localhost
|
15
playbooks/tasks/nomad/nomad_clients.yml
Normal file
15
playbooks/tasks/nomad/nomad_clients.yml
Normal file
@ -0,0 +1,15 @@
|
||||
---
|
||||
- name: "Nomad clients"
|
||||
block:
|
||||
- name: "Nomad | Install docker driver"
|
||||
ansible.builtin.include_role:
|
||||
name: ednz_cloud.install_docker
|
||||
when: nomad_driver_enable_docker
|
||||
|
||||
- name: "Include ednz_cloud.hashistack.cni"
|
||||
ansible.builtin.include_role:
|
||||
name: ednz_cloud.hashistack.cni
|
||||
|
||||
- name: "Nomad | Deploy Clients"
|
||||
ansible.builtin.include_role:
|
||||
name: ednz_cloud.hashistack.nomad
|
87
playbooks/tasks/nomad/nomad_control_plane.yml
Normal file
87
playbooks/tasks/nomad/nomad_control_plane.yml
Normal file
@ -0,0 +1,87 @@
|
||||
---
|
||||
- name: "Nomad control plane"
|
||||
block:
|
||||
- name: "Nomad | Create consul tokens for service registration"
|
||||
when:
|
||||
- nomad_init_server
|
||||
- enable_consul
|
||||
- nomad_enable_consul_integration
|
||||
vars:
|
||||
_consul_host: "{{ hostvars[groups['consul_servers'][0]].api_interface_address }}"
|
||||
_consul_port: "{{ hostvars[groups['consul_servers'][0]].consul_api_port[hostvars[groups['consul_servers'][0]].consul_api_scheme] }}"
|
||||
_consul_scheme: "{{ hostvars[groups['consul_servers'][0]].consul_api_scheme }}"
|
||||
block:
|
||||
- name: "Nomad | Create server credentials"
|
||||
block:
|
||||
- name: "Nomad | Create consul server policy"
|
||||
community.general.consul_policy:
|
||||
token: "{{ _credentials.consul.root_token.secret_id }}"
|
||||
host: "{{ _consul_host }}"
|
||||
port: "{{ _consul_port }}"
|
||||
scheme: "{{ _consul_scheme }}"
|
||||
validate_certs: false
|
||||
state: present
|
||||
name: nomad-server-policy
|
||||
rules: "{{ nomad_consul_integration_server_policy }}"
|
||||
register: _consul_nomad_server_policy
|
||||
|
||||
- name: "Nomad | Create consul server token" # noqa: no-handler
|
||||
community.general.consul_token:
|
||||
token: "{{ _credentials.consul.root_token.secret_id }}"
|
||||
host: "{{ _consul_host }}"
|
||||
port: "{{ _consul_port }}"
|
||||
scheme: "{{ _consul_scheme }}"
|
||||
validate_certs: false
|
||||
accessor_id: "{{ _credentials.consul.tokens.nomad.server.accessor_id }}"
|
||||
secret_id: "{{ _credentials.consul.tokens.nomad.server.secret_id }}"
|
||||
policies:
|
||||
- id: "{{ _consul_nomad_server_policy.policy.ID }}"
|
||||
state: present
|
||||
when: _consul_nomad_server_policy.changed
|
||||
|
||||
- name: "Nomad | Create client credentials"
|
||||
block:
|
||||
- name: "Nomad | Create consul client policy"
|
||||
community.general.consul_policy:
|
||||
token: "{{ _credentials.consul.root_token.secret_id }}"
|
||||
host: "{{ _consul_host }}"
|
||||
port: "{{ _consul_port }}"
|
||||
scheme: "{{ _consul_scheme }}"
|
||||
validate_certs: false
|
||||
state: present
|
||||
name: nomad-client-policy
|
||||
rules: "{{ nomad_consul_integration_client_policy }}"
|
||||
register: _consul_nomad_client_policy
|
||||
|
||||
- name: "Nomad | Create consul client token" # noqa: no-handler
|
||||
community.general.consul_token:
|
||||
token: "{{ _credentials.consul.root_token.secret_id }}"
|
||||
host: "{{ _consul_host }}"
|
||||
port: "{{ _consul_port }}"
|
||||
scheme: "{{ _consul_scheme }}"
|
||||
validate_certs: false
|
||||
accessor_id: "{{ _credentials.consul.tokens.nomad.client.accessor_id }}"
|
||||
secret_id: "{{ _credentials.consul.tokens.nomad.client.secret_id }}"
|
||||
policies:
|
||||
- id: "{{ _consul_nomad_client_policy.policy.ID }}"
|
||||
state: present
|
||||
when: _consul_nomad_client_policy.changed
|
||||
|
||||
- name: "Include ednz_cloud.hashistack.cni"
|
||||
ansible.builtin.include_role:
|
||||
name: ednz_cloud.hashistack.cni
|
||||
when: nomad_enable_client
|
||||
|
||||
- name: "Include ednz_cloud.hashistack.nomad"
|
||||
ansible.builtin.include_role:
|
||||
name: ednz_cloud.hashistack.nomad
|
||||
|
||||
- name: "Nomad | Initialize nomad cluster" # noqa: run-once[task]
|
||||
ednz_cloud.hashistack.nomad_acl_bootstrap:
|
||||
bootstrap_secret: "{{ _credentials.nomad.root_token.secret_id }}"
|
||||
api_url: "{{ nomad_api_addr }}"
|
||||
tls_verify: false
|
||||
register: _nomad_init_secret
|
||||
when:
|
||||
- nomad_init_server
|
||||
- nomad_configuration.acl.enabled
|
@ -1,83 +1,19 @@
|
||||
---
|
||||
- name: "Nomad"
|
||||
block:
|
||||
- name: "Create consul tokens for service registration"
|
||||
- name: "Deploy Nomad Control Plane"
|
||||
ansible.builtin.import_tasks:
|
||||
file: nomad_control_plane.yml
|
||||
when:
|
||||
- enable_consul
|
||||
- nomad_enable_consul_integration
|
||||
delegate_to: "{{ groups['consul_servers'] | first }}"
|
||||
vars:
|
||||
_consul_host: "{{ hostvars[groups['consul_servers'][0]].api_interface_address }}"
|
||||
_consul_port: "{{ hostvars[groups['consul_servers'][0]].consul_api_port[hostvars[groups['consul_servers'][0]].consul_api_scheme] }}"
|
||||
_consul_scheme: "{{ hostvars[groups['consul_servers'][0]].consul_api_scheme }}"
|
||||
run_once: true
|
||||
block:
|
||||
- name: "Create server credentials"
|
||||
block:
|
||||
- name: "Create consul server policy"
|
||||
community.general.consul_policy:
|
||||
token: "{{ _credentials.consul.root_token.secret_id }}"
|
||||
host: "{{ _consul_host }}"
|
||||
port: "{{ _consul_port }}"
|
||||
scheme: "{{ _consul_scheme }}"
|
||||
validate_certs: false
|
||||
state: present
|
||||
name: nomad-server-policy
|
||||
rules: "{{ nomad_consul_integration_server_policy }}"
|
||||
register: _consul_nomad_server_policy
|
||||
- nomad_enable_server
|
||||
tags:
|
||||
- nomad_servers
|
||||
|
||||
- name: "Create consul server token"
|
||||
community.general.consul_token:
|
||||
token: "{{ _credentials.consul.root_token.secret_id }}"
|
||||
host: "{{ _consul_host }}"
|
||||
port: "{{ _consul_port }}"
|
||||
scheme: "{{ _consul_scheme }}"
|
||||
validate_certs: false
|
||||
accessor_id: "{{ _credentials.consul.tokens.nomad.server.accessor_id }}"
|
||||
secret_id: "{{ _credentials.consul.tokens.nomad.server.secret_id }}"
|
||||
policies:
|
||||
- id: "{{ _consul_nomad_server_policy.policy.ID }}"
|
||||
state: present
|
||||
when: _consul_nomad_server_policy.changed
|
||||
|
||||
- name: "Create client credentials"
|
||||
block:
|
||||
- name: "Create consul client policy"
|
||||
community.general.consul_policy:
|
||||
token: "{{ _credentials.consul.root_token.secret_id }}"
|
||||
host: "{{ _consul_host }}"
|
||||
port: "{{ _consul_port }}"
|
||||
scheme: "{{ _consul_scheme }}"
|
||||
validate_certs: false
|
||||
state: present
|
||||
name: nomad-client-policy
|
||||
rules: "{{ nomad_consul_integration_client_policy }}"
|
||||
register: _consul_nomad_client_policy
|
||||
|
||||
- name: "Create consul client token"
|
||||
community.general.consul_token:
|
||||
token: "{{ _credentials.consul.root_token.secret_id }}"
|
||||
host: "{{ _consul_host }}"
|
||||
port: "{{ _consul_port }}"
|
||||
scheme: "{{ _consul_scheme }}"
|
||||
validate_certs: false
|
||||
accessor_id: "{{ _credentials.consul.tokens.nomad.client.accessor_id }}"
|
||||
secret_id: "{{ _credentials.consul.tokens.nomad.client.secret_id }}"
|
||||
policies:
|
||||
- id: "{{ _consul_nomad_client_policy.policy.ID }}"
|
||||
state: present
|
||||
when: _consul_nomad_client_policy.changed
|
||||
|
||||
- name: "Include ednz_cloud.hashicorp_nomad"
|
||||
ansible.builtin.include_role:
|
||||
name: ednz_cloud.hashicorp_nomad
|
||||
|
||||
- name: "Initialize nomad cluster" # noqa: run-once[task]
|
||||
ednz_cloud.hashistack.nomad_acl_bootstrap:
|
||||
bootstrap_secret: "{{ _credentials.nomad.root_token.secret_id }}"
|
||||
api_url: "{{ nomad_api_addr }}"
|
||||
tls_verify: false
|
||||
run_once: true
|
||||
delegate_to: "{{ groups['nomad_servers'] | first }}"
|
||||
register: _nomad_init_secret
|
||||
when: hashicorp_nomad_configuration.acl.enabled
|
||||
- name: "Deploy Nomad Clients"
|
||||
ansible.builtin.import_tasks:
|
||||
file: nomad_clients.yml
|
||||
when:
|
||||
- nomad_enable_client
|
||||
- not nomad_enable_server
|
||||
tags:
|
||||
- nomad_clients
|
||||
|
97
playbooks/tasks/vault/vault_control_plane.yml
Normal file
97
playbooks/tasks/vault/vault_control_plane.yml
Normal file
@ -0,0 +1,97 @@
|
||||
---
|
||||
- name: "Vault control plane"
|
||||
block:
|
||||
- name: "Vault | Create consul token for service registration"
|
||||
when:
|
||||
- vault_init_server
|
||||
- enable_consul
|
||||
- vault_enable_service_registration
|
||||
vars:
|
||||
_consul_vault_sr_host: "{{ hostvars[groups['consul_servers'][0]].api_interface_address }}"
|
||||
_consul_vault_sr_port: "{{ hostvars[groups['consul_servers'][0]].consul_api_port[hostvars[groups['consul_servers'][0]].consul_api_scheme] }}"
|
||||
_consul_vault_sr_scheme: "{{ hostvars[groups['consul_servers'][0]].consul_api_scheme }}"
|
||||
block:
|
||||
- name: "Vault | Create consul vault policy"
|
||||
community.general.consul_policy:
|
||||
token: "{{ _credentials.consul.root_token.secret_id }}"
|
||||
host: "{{ _consul_vault_sr_host }}"
|
||||
port: "{{ _consul_vault_sr_port }}"
|
||||
scheme: "{{ _consul_vault_sr_scheme }}"
|
||||
validate_certs: false
|
||||
state: present
|
||||
name: vault-policy
|
||||
rules: "{{ vault_service_registration_policy }}"
|
||||
register: _consul_vault_policy
|
||||
|
||||
- name: "Vault | Create consul vault token" # noqa: no-handler
|
||||
community.general.consul_token:
|
||||
token: "{{ _credentials.consul.root_token.secret_id }}"
|
||||
host: "{{ _consul_vault_sr_host }}"
|
||||
port: "{{ _consul_vault_sr_port }}"
|
||||
scheme: "{{ _consul_vault_sr_scheme }}"
|
||||
validate_certs: false
|
||||
accessor_id: "{{ _credentials.consul.tokens.vault.accessor_id }}"
|
||||
secret_id: "{{ _credentials.consul.tokens.vault.secret_id }}"
|
||||
policies:
|
||||
- id: "{{ _consul_vault_policy.policy.ID }}"
|
||||
state: present
|
||||
when: _consul_vault_policy.changed
|
||||
|
||||
- name: "Vault | Stat vault secret file"
|
||||
ansible.builtin.stat:
|
||||
path: "{{ hashistack_sub_configuration_directories.secrets }}/vault.yml"
|
||||
register: _vault_needs_early_unseal
|
||||
|
||||
- name: "Include ednz_cloud.hashistack.vault"
|
||||
ansible.builtin.include_role:
|
||||
name: ednz_cloud.hashistack.vault
|
||||
|
||||
- name: "Vault | Initialize vault cluster" # noqa: run-once[task]
|
||||
ednz_cloud.hashistack.vault_init:
|
||||
api_url: "{{ vault_configuration['api_addr'] }}"
|
||||
tls_verify: false
|
||||
key_shares: "{{ vault_seal_configuration['key_shares'] }}"
|
||||
key_threshold: "{{ vault_seal_configuration['key_threshold'] }}"
|
||||
retries: 5
|
||||
delay: 5
|
||||
register: _vault_init_secret
|
||||
until: not _vault_init_secret.failed
|
||||
when: vault_init_server
|
||||
|
||||
- name: "Vault | Write vault configuration to file" # noqa: run-once[task] no-handler
|
||||
ansible.builtin.copy:
|
||||
content: "{{ _vault_init_secret.state | to_nice_yaml(indent=2) }}"
|
||||
dest: "{{ hashistack_sub_configuration_directories.secrets }}/vault.yml"
|
||||
owner: "{{ lookup('env', 'USER') }}"
|
||||
group: "{{ lookup('env', 'USER') }}"
|
||||
mode: "0644"
|
||||
when:
|
||||
- vault_init_server
|
||||
- _vault_init_secret.changed
|
||||
delegate_to: localhost
|
||||
|
||||
- name: "Load vault cluster variables necessary for unseal operation"
|
||||
ansible.builtin.import_role:
|
||||
name: ednz_cloud.hashistack.hashistack
|
||||
vars:
|
||||
hashistack_only_load_credentials: true
|
||||
|
||||
- name: "Vault | Unseal the bootstrap node" # noqa: run-once[task] no-handler
|
||||
ednz_cloud.hashistack.vault_unseal:
|
||||
api_url: "{{ vault_configuration['api_addr'] }}"
|
||||
tls_verify: false
|
||||
key_shares: "{{ _credentials.vault['keys'] }}"
|
||||
when:
|
||||
- vault_init_server
|
||||
- _vault_init_secret.changed
|
||||
register: _vault_unseal_secret
|
||||
|
||||
- name: "Vault | Unseal all vault nodes"
|
||||
ednz_cloud.hashistack.vault_unseal:
|
||||
api_url: "{{ vault_configuration['api_addr'] }}"
|
||||
tls_verify: false
|
||||
key_shares: "{{ _credentials.vault['keys'] }}"
|
||||
retries: 5
|
||||
delay: 5
|
||||
until: _unseal_status.changed or not _unseal_status.failed
|
||||
register: _unseal_status
|
@ -1,96 +1,10 @@
|
||||
---
|
||||
- name: "Vault"
|
||||
block:
|
||||
- name: "Create consul token for service registration"
|
||||
when:
|
||||
- enable_consul
|
||||
- vault_enable_service_registration
|
||||
delegate_to: "{{ groups['consul_servers'] | first }}"
|
||||
vars:
|
||||
_consul_vault_sr_host: "{{ hostvars[groups['consul_servers'][0]].api_interface_address }}"
|
||||
_consul_vault_sr_port: "{{ hostvars[groups['consul_servers'][0]].consul_api_port[hostvars[groups['consul_servers'][0]].consul_api_scheme] }}"
|
||||
_consul_vault_sr_scheme: "{{ hostvars[groups['consul_servers'][0]].consul_api_scheme }}"
|
||||
run_once: true
|
||||
block:
|
||||
- name: "Create consul vault policy"
|
||||
community.general.consul_policy:
|
||||
token: "{{ _credentials.consul.root_token.secret_id }}"
|
||||
host: "{{ _consul_vault_sr_host }}"
|
||||
port: "{{ _consul_vault_sr_port }}"
|
||||
scheme: "{{ _consul_vault_sr_scheme }}"
|
||||
validate_certs: false
|
||||
state: present
|
||||
name: vault-policy
|
||||
rules: "{{ vault_service_registration_policy }}"
|
||||
register: _consul_vault_policy
|
||||
|
||||
- name: "Create consul vault token"
|
||||
community.general.consul_token:
|
||||
token: "{{ _credentials.consul.root_token.secret_id }}"
|
||||
host: "{{ _consul_vault_sr_host }}"
|
||||
port: "{{ _consul_vault_sr_port }}"
|
||||
scheme: "{{ _consul_vault_sr_scheme }}"
|
||||
validate_certs: false
|
||||
accessor_id: "{{ _credentials.consul.tokens.vault.accessor_id }}"
|
||||
secret_id: "{{ _credentials.consul.tokens.vault.secret_id }}"
|
||||
policies:
|
||||
- id: "{{ _consul_vault_policy.policy.ID }}"
|
||||
state: present
|
||||
when: _consul_vault_policy.changed
|
||||
|
||||
- name: "Include ednz_cloud.hashicorp_consul"
|
||||
ansible.builtin.include_role:
|
||||
name: ednz_cloud.hashicorp_vault
|
||||
|
||||
- name: "Initialize vault cluster" # noqa: run-once[task]
|
||||
ednz_cloud.hashistack.vault_init:
|
||||
api_url: "{{ hashicorp_vault_configuration['api_addr'] }}"
|
||||
tls_verify: "{{ vault_tls_verify }}"
|
||||
key_shares: "{{ vault_seal_configuration['key_shares'] }}"
|
||||
key_threshold: "{{ vault_seal_configuration['key_threshold'] }}"
|
||||
run_once: true
|
||||
retries: 5
|
||||
delay: 5
|
||||
delegate_to: "{{ groups['vault_servers'] | first }}"
|
||||
register: _vault_init_secret
|
||||
until: not _vault_init_secret.failed
|
||||
|
||||
- name: "Write vault configuration to file" # noqa: run-once[task] no-handler
|
||||
ansible.builtin.copy:
|
||||
content: "{{ _vault_init_secret.state | to_nice_yaml(indent=2) }}"
|
||||
dest: "{{ sub_configuration_directories.secrets }}/vault.yml"
|
||||
owner: "{{ lookup('env', 'USER') }}"
|
||||
group: "{{ lookup('env', 'USER') }}"
|
||||
mode: "0644"
|
||||
when: _vault_init_secret.changed
|
||||
run_once: true
|
||||
delegate_to: localhost
|
||||
|
||||
# - name: "Load vault cluster variables necessary for unseal operation"
|
||||
# ansible.builtin.include_vars:
|
||||
# file: "{{ sub_configuration_directories.vault_servers }}/vault_config.yml"
|
||||
# name: _vault_cluster_config
|
||||
|
||||
- name: "Load vault cluster variables necessary for unseal operation"
|
||||
- name: "Deploy Vault Control Plane"
|
||||
ansible.builtin.import_tasks:
|
||||
file: ../misc/load_credentials_vars.yml
|
||||
|
||||
- name: "Unseal the bootstrap node" # noqa: run-once[task] no-handler
|
||||
ednz_cloud.hashistack.vault_unseal:
|
||||
api_url: "{{ hashicorp_vault_configuration['api_addr'] }}"
|
||||
tls_verify: "{{ vault_tls_verify }}"
|
||||
key_shares: "{{ _credentials.vault['keys'] }}"
|
||||
run_once: true
|
||||
delegate_to: "{{ groups['vault_servers'] | first }}"
|
||||
when: _vault_init_secret.changed
|
||||
register: _vault_unseal_secret
|
||||
|
||||
- name: "Unseal all vault nodes"
|
||||
ednz_cloud.hashistack.vault_unseal:
|
||||
api_url: "{{ hashicorp_vault_configuration['api_addr'] }}"
|
||||
tls_verify: "{{ vault_tls_verify }}"
|
||||
key_shares: "{{ _credentials.vault['keys'] }}"
|
||||
retries: 5
|
||||
delay: 5
|
||||
until: _unseal_status.changed or not _unseal_status.failed
|
||||
register: _unseal_status
|
||||
file: vault_control_plane.yml
|
||||
when:
|
||||
- "'vault_servers' in group_names"
|
||||
tags:
|
||||
- vault_servers
|
||||
|
@ -1,51 +0,0 @@
|
||||
---
|
||||
# hashistack configuration merging for vault
|
||||
- name: "Vault | Merge listener configuration"
|
||||
ansible.builtin.set_fact:
|
||||
vault_listener_configuration: "{{
|
||||
vault_listener_configuration |
|
||||
combine((vault_enable_tls | bool) | ternary(vault_tls_listener_configuration, {}), recursive=True) |
|
||||
combine(vault_extra_listener_configuration | default({}), recursive=True)
|
||||
}}"
|
||||
|
||||
- name: "Vault | Merge service registration configuration"
|
||||
vars:
|
||||
_config_to_merge:
|
||||
service_registration: "{{ vault_service_registration_configuration }}"
|
||||
ansible.builtin.set_fact:
|
||||
hashicorp_vault_configuration: "{{
|
||||
hashicorp_vault_configuration |
|
||||
combine(_config_to_merge)
|
||||
}}"
|
||||
when: vault_enable_service_registration
|
||||
|
||||
- name: "Vault | Merge plugins configuration"
|
||||
vars:
|
||||
_config_to_merge:
|
||||
plugin_directory: "{{ vault_plugin_directory }}"
|
||||
ansible.builtin.set_fact:
|
||||
hashicorp_vault_configuration: "{{
|
||||
hashicorp_vault_configuration |
|
||||
combine(_config_to_merge)
|
||||
}}"
|
||||
when: vault_enable_plugins
|
||||
|
||||
- name: "Vault | Merge logging configuration"
|
||||
vars:
|
||||
_config_to_merge: "{{ vault_logging_configuration }}"
|
||||
ansible.builtin.set_fact:
|
||||
hashicorp_vault_configuration: "{{
|
||||
hashicorp_vault_configuration |
|
||||
combine(_config_to_merge)
|
||||
}}"
|
||||
when: vault_enable_log_to_file
|
||||
|
||||
- name: "Vault | Merge extra configuration settings"
|
||||
vars:
|
||||
_config_to_merge: "{{ vault_extra_configuration }}"
|
||||
ansible.builtin.set_fact:
|
||||
hashicorp_vault_configuration: "{{
|
||||
hashicorp_vault_configuration |
|
||||
combine(_config_to_merge)
|
||||
}}"
|
||||
when: vault_extra_configuration is defined
|
@ -5,7 +5,7 @@ consul:
|
||||
secret_id: "{{ _consul_root_token }}"
|
||||
tokens:
|
||||
agent:
|
||||
accessor_id: "{{ _consul_agents_accesor }}"
|
||||
accessor_id: "{{ _consul_agents_accessor }}"
|
||||
secret_id: "{{ _consul_agents_token }}"
|
||||
vault:
|
||||
accessor_id: "{{ _consul_vault_accessor }}"
|
||||
|
7
roles/cni/defaults/main.yml
Normal file
7
roles/cni/defaults/main.yml
Normal file
@ -0,0 +1,7 @@
|
||||
---
|
||||
# defaults file for cni
|
||||
cni_plugins_version: "latest"
|
||||
cni_plugins_install_path: /opt/cni/bin
|
||||
cni_plugins_install_consul_cni: false
|
||||
cni_user: nomad
|
||||
cni_group: nomad
|
2
roles/cni/handlers/main.yml
Normal file
2
roles/cni/handlers/main.yml
Normal file
@ -0,0 +1,2 @@
|
||||
---
|
||||
# handlers file for cni
|
28
roles/cni/meta/main.yml
Normal file
28
roles/cni/meta/main.yml
Normal file
@ -0,0 +1,28 @@
|
||||
---
|
||||
# meta file for cni
|
||||
galaxy_info:
|
||||
namespace: "ednz_cloud"
|
||||
role_name: "cni"
|
||||
author: "Bertrand Lanson"
|
||||
description: "Install the default cni plugins and the consul-cni plugin"
|
||||
license: "license (BSD, MIT)"
|
||||
min_ansible_version: "2.10"
|
||||
platforms:
|
||||
- name: Ubuntu
|
||||
versions:
|
||||
- focal
|
||||
- jammy
|
||||
- noble
|
||||
- name: Debian
|
||||
versions:
|
||||
- bullseye
|
||||
- bookworm
|
||||
galaxy_tags:
|
||||
- "ubuntu"
|
||||
- "debian"
|
||||
- "hashicorp"
|
||||
- "cni"
|
||||
- "networking"
|
||||
- "consul"
|
||||
|
||||
dependencies: []
|
70
roles/cni/tasks/cni_install.yml
Normal file
70
roles/cni/tasks/cni_install.yml
Normal file
@ -0,0 +1,70 @@
|
||||
---
|
||||
# task/cni_install file for cni
|
||||
- name: "CNI Plugins | Get release for cni_plugins:{{ cni_plugins_version }}"
|
||||
vars:
|
||||
_cni_plugins_url_ext: "{% if cni_plugins_version == 'latest'%}releases{% else %}releases/tags{% endif %}"
|
||||
ansible.builtin.uri:
|
||||
url: "{{ cni_github_api }}/{{ cni_github_project }}/{{ _cni_plugins_url_ext }}/{{ cni_plugins_version }}"
|
||||
return_content: true
|
||||
register: _cni_plugins_latest_release
|
||||
|
||||
- name: "CNI Plugins | Check if cni plugin is already installed"
|
||||
ansible.builtin.stat:
|
||||
path: "{{ cni_plugins_install_path }}/.version"
|
||||
changed_when: false
|
||||
check_mode: false
|
||||
register: _cni_plugins_is_installed
|
||||
|
||||
- name: "CNI Plugins | Check current cni plugin version"
|
||||
ansible.builtin.command: "cat {{ cni_plugins_install_path }}/.version"
|
||||
changed_when: false
|
||||
check_mode: false
|
||||
register: _cni_plugins_old_release
|
||||
when: _cni_plugins_is_installed.stat.exists
|
||||
|
||||
- name: "CNI Plugins | Set facts for wanted cni plugins release"
|
||||
ansible.builtin.set_fact:
|
||||
cni_plugins_wanted_version: "{{ _cni_plugins_latest_release.json['tag_name']|regex_replace('v', '') }}"
|
||||
when: _cni_plugins_latest_release.json is defined
|
||||
and (_cni_plugins_latest_release.json | length > 0)
|
||||
|
||||
- name: "CNI Plugins | Set facts for current cni plugins release"
|
||||
ansible.builtin.set_fact:
|
||||
cni_plugins_current_version: "{{ _cni_plugins_old_release.stdout | regex_replace('v', '') }}"
|
||||
when: _cni_plugins_old_release.stdout is defined
|
||||
and (_cni_plugins_old_release.stdout | length > 0)
|
||||
|
||||
- name: "CNI Plugins | Install cni plugins"
|
||||
when: cni_plugins_current_version is not defined
|
||||
or cni_plugins_wanted_version not in cni_plugins_current_version
|
||||
block:
|
||||
- name: "CNI Plugins | Install cni plugins version:{{ cni_plugins_version }}"
|
||||
ansible.builtin.get_url:
|
||||
url: "{{ cni_github_url }}/{{ cni_github_project }}/releases/download/v{{ cni_plugins_wanted_version }}/cni-plugins-linux-{{ cni_architecture }}-v{{ cni_plugins_wanted_version }}.tgz"
|
||||
dest: "/tmp/cni_plugin.tgz"
|
||||
mode: "0644"
|
||||
register: _cni_plugins_download_archive
|
||||
until: _cni_plugins_download_archive is succeeded
|
||||
retries: 5
|
||||
delay: 2
|
||||
check_mode: false
|
||||
|
||||
- name: "CNI Plugins | Unpack cni plugins"
|
||||
ansible.builtin.unarchive:
|
||||
src: "/tmp/cni_plugin.tgz"
|
||||
dest: "{{ cni_plugins_install_path }}"
|
||||
owner: "{{ cni_user }}"
|
||||
group: "{{ cni_group }}"
|
||||
mode: "0755"
|
||||
remote_src: true
|
||||
|
||||
- name: "CNI Plugins | Remove temporary archive"
|
||||
ansible.builtin.file:
|
||||
path: "/tmp/cni_plugin.tgz"
|
||||
state: absent
|
||||
|
||||
- name: "CNI Plugins | Update version file"
|
||||
ansible.builtin.copy:
|
||||
content: "{{ cni_plugins_wanted_version }}"
|
||||
dest: "{{ cni_plugins_install_path }}/.version"
|
||||
mode: "0600"
|
114
roles/cni/tasks/consul_cni_install.yml
Normal file
114
roles/cni/tasks/consul_cni_install.yml
Normal file
@ -0,0 +1,114 @@
|
||||
---
|
||||
# task/consul_cni_install file for cni
|
||||
- name: "CNI Plugins | Set wanted consul-cni version to latest tag"
|
||||
ansible.builtin.set_fact:
|
||||
_cni_consul_cni_wanted_version: "{{ _cni_plugins_latest_release.json['tag_name']|regex_replace('v', '') }}"
|
||||
when: cni_plugins_version == 'latest'
|
||||
|
||||
- name: "CNI Plugins | Set wanted consul-cni version to {{ cni_plugins_version }}"
|
||||
ansible.builtin.set_fact:
|
||||
_cni_consul_cni_wanted_version: "{{ cni_plugins_version|regex_replace('v', '') }}"
|
||||
when: cni_plugins_version != 'latest'
|
||||
|
||||
- name: "CNI Plugins | Get current consul-cni version"
|
||||
block:
|
||||
- name: "CNI Plugins | Stat consul-cni version file"
|
||||
ansible.builtin.stat:
|
||||
path: "{{ cni_plugins_install_path }}/.consul-cni-version"
|
||||
changed_when: false
|
||||
check_mode: false
|
||||
register: _cni_consul_cni_version_file
|
||||
|
||||
- name: "CNI Plugins | Get current consul-cni version"
|
||||
ansible.builtin.slurp:
|
||||
src: "{{ _cni_consul_cni_version_file.stat.path }}"
|
||||
when:
|
||||
- _cni_consul_cni_version_file.stat.exists
|
||||
- _cni_consul_cni_version_file.stat.isreg
|
||||
register: _cni_consul_cni_current_version
|
||||
|
||||
- name: "CNI Plugins | Download and install consul-cni binary"
|
||||
when: _cni_consul_cni_current_version is not defined
|
||||
or _cni_consul_cni_wanted_version != (_cni_consul_cni_current_version.content|default('')|b64decode)
|
||||
block:
|
||||
- name: "CNI Plugins | Set consul-cni package name to download"
|
||||
ansible.builtin.set_fact:
|
||||
_cni_consul_cni_package_name: >-
|
||||
consul-cni_{{ _cni_consul_cni_wanted_version }}_linux_{{ cni_deb_architecture_map[ansible_architecture] }}.zip
|
||||
_cni_consul_cni_shasum_file_name: >-
|
||||
consul-cni_{{ _cni_consul_cni_wanted_version }}_SHA256SUMS
|
||||
|
||||
- name: "CNI Plugins | Download checksum file for consul-cni archive"
|
||||
ansible.builtin.get_url:
|
||||
url: "{{ cni_consul_cni_repository_url }}/{{ _cni_consul_cni_wanted_version }}/{{ _cni_consul_cni_shasum_file_name }}"
|
||||
dest: "/tmp/{{ _cni_consul_cni_shasum_file_name }}"
|
||||
mode: "0644"
|
||||
register: _cni_consul_cni_checksum_file
|
||||
until: _cni_consul_cni_checksum_file is succeeded
|
||||
retries: 5
|
||||
delay: 2
|
||||
check_mode: false
|
||||
|
||||
- name: "CNI Plugins | Extract correct checksum from checksum file"
|
||||
ansible.builtin.command:
|
||||
cmd: 'grep "{{ _cni_consul_cni_package_name }}" /tmp/{{ _cni_consul_cni_shasum_file_name }}'
|
||||
changed_when: false
|
||||
register: _cni_consul_cni_expected_checksum_line
|
||||
|
||||
- name: "CNI Plugins | Parse the expected checksum"
|
||||
ansible.builtin.set_fact:
|
||||
_cni_consul_cni_expected_checksum: "{{ _cni_consul_cni_expected_checksum_line.stdout.split()[0] }}"
|
||||
|
||||
- name: "CNI Plugins | Download consul-cni binary archive"
|
||||
ansible.builtin.get_url:
|
||||
url: "{{ cni_consul_cni_repository_url }}/{{ _cni_consul_cni_wanted_version }}/{{ _cni_consul_cni_package_name }}"
|
||||
dest: "/tmp/{{ _cni_consul_cni_package_name }}"
|
||||
mode: "0644"
|
||||
checksum: "sha256:{{ _cni_consul_cni_expected_checksum }}"
|
||||
register: _cni_consul_cni_binary_archive
|
||||
until: _cni_consul_cni_binary_archive is succeeded
|
||||
retries: 5
|
||||
delay: 2
|
||||
check_mode: false
|
||||
|
||||
- name: "CNI Plugins | Create temporary directory for archive decompression"
|
||||
ansible.builtin.file:
|
||||
path: /tmp/consul-cni
|
||||
state: directory
|
||||
mode: "0755"
|
||||
|
||||
- name: "CNI Plugins | Unpack consul-cni archive"
|
||||
ansible.builtin.unarchive:
|
||||
src: "/tmp/{{ _cni_consul_cni_package_name }}"
|
||||
dest: "/tmp/consul-cni"
|
||||
owner: "{{ cni_user }}"
|
||||
group: "{{ cni_group }}"
|
||||
mode: "0755"
|
||||
remote_src: true
|
||||
|
||||
- name: "CNI Plugins | Copy consul-cni binary to {{ cni_plugins_install_path }}"
|
||||
ansible.builtin.copy:
|
||||
src: /tmp/consul-cni/consul-cni
|
||||
dest: "{{ cni_plugins_install_path }}"
|
||||
owner: "{{ cni_user }}"
|
||||
group: "{{ cni_user }}"
|
||||
mode: "0755"
|
||||
remote_src: true
|
||||
force: true
|
||||
|
||||
- name: "CNI Plugins | Update consul-cni version file"
|
||||
ansible.builtin.copy:
|
||||
content: "{{ _cni_consul_cni_wanted_version }}"
|
||||
dest: "{{ cni_plugins_install_path }}/.consul-cni-version"
|
||||
owner: "{{ cni_user }}"
|
||||
group: "{{ cni_group }}"
|
||||
mode: "0600"
|
||||
|
||||
- name: "CNI Plugins | Cleanup temporary directory"
|
||||
ansible.builtin.file:
|
||||
path: "{{ item }}"
|
||||
state: absent
|
||||
loop:
|
||||
- /tmp/consul-cni
|
||||
- /tmp/{{ _cni_consul_cni_package_name }}
|
||||
- /tmp/{{ _cni_consul_cni_shasum_file_name }}
|
10
roles/cni/tasks/main.yml
Normal file
10
roles/cni/tasks/main.yml
Normal file
@ -0,0 +1,10 @@
|
||||
---
|
||||
# task/main file for cni
|
||||
- name: "CNI Plugins | Import prerequisites.yml"
|
||||
ansible.builtin.include_tasks: prerequisites.yml
|
||||
|
||||
- name: "CNI Plugins | Import cni_install.yml"
|
||||
ansible.builtin.include_tasks: cni_install.yml
|
||||
|
||||
- name: "CNI Plugins | Import consul_cni_install.yml"
|
||||
ansible.builtin.include_tasks: consul_cni_install.yml
|
21
roles/cni/tasks/prerequisites.yml
Normal file
21
roles/cni/tasks/prerequisites.yml
Normal file
@ -0,0 +1,21 @@
|
||||
---
|
||||
# task/prerequisites file for cni
|
||||
- name: "CNI Plugins | Create group {{ cni_group }}"
|
||||
ansible.builtin.group:
|
||||
name: "{{ cni_user }}"
|
||||
state: present
|
||||
|
||||
- name: "CNI Plugins | Create user {{ cni_user }}"
|
||||
ansible.builtin.user:
|
||||
name: "{{ cni_user }}"
|
||||
group: "{{ cni_group }}"
|
||||
shell: /bin/false
|
||||
state: present
|
||||
|
||||
- name: "CNI Plugins | Create directory {{ cni_plugins_install_path }}"
|
||||
ansible.builtin.file:
|
||||
path: "{{ cni_plugins_install_path }}"
|
||||
state: directory
|
||||
owner: "{{ cni_user }}"
|
||||
group: "{{ cni_group }}"
|
||||
mode: "0755"
|
11
roles/cni/vars/main.yml
Normal file
11
roles/cni/vars/main.yml
Normal file
@ -0,0 +1,11 @@
|
||||
---
|
||||
cni_github_api: https://api.github.com/repos
|
||||
cni_github_project: containernetworking/plugins
|
||||
cni_github_url: https://github.com
|
||||
cni_deb_architecture_map:
|
||||
x86_64: "amd64"
|
||||
aarch64: "arm64"
|
||||
armv7l: "arm"
|
||||
armv6l: "arm"
|
||||
cni_architecture: "{{ cni_deb_architecture_map[ansible_architecture] | default(ansible_architecture) }}"
|
||||
cni_consul_cni_repository_url: https://releases.hashicorp.com/consul-cni
|
146
roles/consul/defaults/main.yml
Normal file
146
roles/consul/defaults/main.yml
Normal file
@ -0,0 +1,146 @@
|
||||
---
|
||||
# defaults file for hashicorp_consul
|
||||
|
||||
consul_version: "latest"
|
||||
consul_start_service: true
|
||||
consul_config_dir: "/etc/consul.d"
|
||||
consul_data_dir: "/opt/consul"
|
||||
consul_certs_dir: "{{ consul_config_dir }}/tls"
|
||||
consul_logs_dir: "/var/log/consul"
|
||||
|
||||
consul_envoy_install: false
|
||||
consul_envoy_version: latest
|
||||
|
||||
consul_extra_files: false
|
||||
consul_extra_files_list: []
|
||||
|
||||
consul_env_variables: {}
|
||||
|
||||
#######################
|
||||
# extra configuration #
|
||||
#######################
|
||||
|
||||
# You should prioritize adding configuration
|
||||
# to the configuration entries below, this
|
||||
# option should be used to add pieces of configuration not
|
||||
# available through standard variables.
|
||||
|
||||
consul_extra_configuration: {}
|
||||
|
||||
###########
|
||||
# general #
|
||||
###########
|
||||
|
||||
consul_domain: consul
|
||||
consul_datacenter: dc1
|
||||
consul_primary_datacenter: "{{ consul_datacenter }}"
|
||||
consul_gossip_encryption_key: "{{ 'mysupersecretgossipencryptionkey'|b64encode }}"
|
||||
consul_enable_script_checks: false
|
||||
|
||||
#######################
|
||||
# leave configuration #
|
||||
#######################
|
||||
|
||||
consul_leave_on_terminate: true
|
||||
consul_rejoin_after_leave: true
|
||||
|
||||
######################
|
||||
# join configuration #
|
||||
######################
|
||||
|
||||
consul_join_configuration:
|
||||
retry_join:
|
||||
- "{{ ansible_default_ipv4.address }}"
|
||||
retry_interval: 30s
|
||||
retry_max: 0
|
||||
|
||||
########################
|
||||
# server configuration #
|
||||
########################
|
||||
|
||||
consul_enable_server: true
|
||||
consul_bootstrap_expect: 1
|
||||
|
||||
####################
|
||||
# ui configuration #
|
||||
####################
|
||||
|
||||
consul_ui_configuration:
|
||||
enabled: "{{ consul_enable_server }}"
|
||||
|
||||
#########################
|
||||
# address configuration #
|
||||
#########################
|
||||
|
||||
consul_bind_addr: "0.0.0.0"
|
||||
consul_advertise_addr: "{{ ansible_default_ipv4.address }}"
|
||||
consul_address_configuration:
|
||||
client_addr: "{{ consul_bind_addr }}"
|
||||
bind_addr: "{{ consul_advertise_addr }}"
|
||||
advertise_addr: "{{ consul_advertise_addr }}"
|
||||
|
||||
#####################
|
||||
# ACL configuration #
|
||||
#####################
|
||||
|
||||
consul_acl_configuration:
|
||||
enabled: false
|
||||
default_policy: "deny"
|
||||
enable_token_persistence: true
|
||||
# tokens:
|
||||
# agent: ""
|
||||
|
||||
##############################
|
||||
# service mesh configuration #
|
||||
##############################
|
||||
|
||||
consul_mesh_configuration:
|
||||
enabled: false
|
||||
|
||||
#####################
|
||||
# DNS configuration #
|
||||
#####################
|
||||
|
||||
consul_dns_configuration:
|
||||
allow_stale: true
|
||||
enable_truncate: true
|
||||
only_passing: true
|
||||
|
||||
################
|
||||
# internal tls #
|
||||
################
|
||||
|
||||
consul_enable_tls: false
|
||||
consul_tls_configuration:
|
||||
defaults:
|
||||
ca_file: "/etc/ssl/certs/ca-certificates.crt"
|
||||
cert_file: "{{ consul_certs_dir }}/cert.pem"
|
||||
key_file: "{{ consul_certs_dir }}/key.pem"
|
||||
verify_incoming: false
|
||||
verify_outgoing: true
|
||||
internal_rpc:
|
||||
verify_server_hostname: true
|
||||
|
||||
consul_certificates_extra_files_dir:
|
||||
[]
|
||||
# - src: ""
|
||||
# dest: "{{ consul_certs_dir }}"
|
||||
|
||||
###########################
|
||||
# telemetry configuration #
|
||||
###########################
|
||||
|
||||
consul_enable_prometheus_metrics: false
|
||||
consul_prometheus_retention_time: 60s
|
||||
consul_telemetry_configuration: {}
|
||||
|
||||
###########
|
||||
# logging #
|
||||
###########
|
||||
|
||||
consul_log_level: info
|
||||
consul_enable_log_to_file: false
|
||||
consul_log_to_file_configuration:
|
||||
log_file: "{{ consul_logs_dir }}/consul.log"
|
||||
log_rotate_duration: 24h
|
||||
log_rotate_max_files: 30
|
2
roles/consul/handlers/main.yml
Normal file
2
roles/consul/handlers/main.yml
Normal file
@ -0,0 +1,2 @@
|
||||
---
|
||||
# handlers file for hashicorp_consul
|
26
roles/consul/meta/main.yml
Normal file
26
roles/consul/meta/main.yml
Normal file
@ -0,0 +1,26 @@
|
||||
---
|
||||
# meta file for hashicorp_consul
|
||||
galaxy_info:
|
||||
namespace: "ednz_cloud"
|
||||
role_name: "hashicorp_consul"
|
||||
author: "Bertrand Lanson"
|
||||
description: "Install and configure hashicorp consul for debian-based distros."
|
||||
license: "license (BSD, MIT)"
|
||||
min_ansible_version: "2.10"
|
||||
platforms:
|
||||
- name: Ubuntu
|
||||
versions:
|
||||
- focal
|
||||
- jammy
|
||||
- noble
|
||||
- name: Debian
|
||||
versions:
|
||||
- bullseye
|
||||
- bookworm
|
||||
galaxy_tags:
|
||||
- "ubuntu"
|
||||
- "debian"
|
||||
- "hashicorp"
|
||||
- "consul"
|
||||
|
||||
dependencies: []
|
74
roles/consul/tasks/configure.yml
Normal file
74
roles/consul/tasks/configure.yml
Normal file
@ -0,0 +1,74 @@
|
||||
---
|
||||
# task/configure file for hashicorp_consul
|
||||
- name: "Consul | Create consul.env"
|
||||
ansible.builtin.template:
|
||||
src: consul.env.j2
|
||||
dest: "{{ consul_config_dir }}/consul.env"
|
||||
owner: "{{ consul_user }}"
|
||||
group: "{{ consul_group }}"
|
||||
mode: "0600"
|
||||
register: _consul_env_file
|
||||
|
||||
- name: "Consul | Copy consul.json template"
|
||||
ansible.builtin.template:
|
||||
src: consul.json.j2
|
||||
dest: "{{ consul_config_dir }}/consul.json"
|
||||
owner: "{{ consul_user }}"
|
||||
group: "{{ consul_group }}"
|
||||
mode: "0600"
|
||||
register: _consul_config_file
|
||||
|
||||
- name: "Consul | Set restart-check variable"
|
||||
ansible.builtin.set_fact:
|
||||
_consul_service_need_restart: true
|
||||
when: _consul_env_file.changed or
|
||||
_consul_config_file.changed
|
||||
|
||||
- name: "Consul | Copy extra configuration files"
|
||||
when: consul_extra_files
|
||||
block:
|
||||
- name: "Consul | Get extra file types"
|
||||
ansible.builtin.stat:
|
||||
path: "{{ item.src }}"
|
||||
loop: "{{ consul_extra_files_list }}"
|
||||
register: consul_extra_file_stat
|
||||
delegate_to: localhost
|
||||
|
||||
- name: "Consul | Set list for file sources"
|
||||
vars:
|
||||
_consul_file_sources: []
|
||||
ansible.builtin.set_fact:
|
||||
_consul_file_sources: "{{ _consul_file_sources + [item.item] }}"
|
||||
when: item.stat.isreg
|
||||
loop: "{{ consul_extra_file_stat.results }}"
|
||||
loop_control:
|
||||
loop_var: item
|
||||
delegate_to: localhost
|
||||
|
||||
- name: "Consul | Set list for directory sources"
|
||||
vars:
|
||||
_consul_dir_sources: []
|
||||
ansible.builtin.set_fact:
|
||||
_consul_dir_sources: "{{ _consul_dir_sources + [item.item] }}"
|
||||
when: item.stat.isdir
|
||||
loop: "{{ consul_extra_file_stat.results }}"
|
||||
loop_control:
|
||||
loop_var: item
|
||||
delegate_to: localhost
|
||||
|
||||
- name: "Consul | Template extra file sources"
|
||||
ansible.builtin.template:
|
||||
src: "{{ item.src }}"
|
||||
dest: "{{ item.dest | regex_replace('\\.j2$', '') }}"
|
||||
owner: "{{ consul_user }}"
|
||||
group: "{{ consul_group }}"
|
||||
mode: "0700"
|
||||
loop: "{{ _consul_file_sources }}"
|
||||
when: _consul_file_sources is defined
|
||||
|
||||
- name: "Consul | Template extra directory sources"
|
||||
ansible.builtin.include_tasks: recursive_copy_extra_dirs.yml
|
||||
loop: "{{ _consul_dir_sources }}"
|
||||
loop_control:
|
||||
loop_var: dir_source_item
|
||||
when: _consul_dir_sources is defined
|
141
roles/consul/tasks/install.yml
Normal file
141
roles/consul/tasks/install.yml
Normal file
@ -0,0 +1,141 @@
|
||||
---
|
||||
# task/install file for hashicorp_consul
|
||||
- name: "Consul | Get latest release of consul"
|
||||
when: consul_version == 'latest'
|
||||
block:
|
||||
- name: "Consul | Get latest consul release from github api"
|
||||
ansible.builtin.uri:
|
||||
url: "{{ consul_github_api }}/{{ consul_github_project }}/releases/latest"
|
||||
return_content: true
|
||||
register: _consul_latest_release
|
||||
|
||||
- name: "Consul | Set wanted consul version to latest tag"
|
||||
ansible.builtin.set_fact:
|
||||
_consul_wanted_version: "{{ _consul_latest_release.json['tag_name']|regex_replace('v', '') }}"
|
||||
|
||||
- name: "Consul | Set wanted consul version to {{ consul_version }}"
|
||||
ansible.builtin.set_fact:
|
||||
_consul_wanted_version: "{{ consul_version|regex_replace('v', '') }}"
|
||||
when: consul_version != 'latest'
|
||||
|
||||
- name: "Consul | Get current consul version"
|
||||
block:
|
||||
- name: "Consul | Stat consul version file"
|
||||
ansible.builtin.stat:
|
||||
path: "{{ consul_config_dir }}/.version"
|
||||
changed_when: false
|
||||
check_mode: false
|
||||
register: _consul_version_file
|
||||
|
||||
- name: "Consul | Get current consul version"
|
||||
ansible.builtin.slurp:
|
||||
src: "{{ _consul_version_file.stat.path }}"
|
||||
when:
|
||||
- _consul_version_file.stat.exists
|
||||
- _consul_version_file.stat.isreg
|
||||
register: _consul_current_version
|
||||
|
||||
- name: "Consul | Download and install consul binary"
|
||||
when: _consul_current_version is not defined
|
||||
or _consul_wanted_version != (_consul_current_version.content|default('')|b64decode)
|
||||
block:
|
||||
- name: "Consul | Set consul package name to download"
|
||||
ansible.builtin.set_fact:
|
||||
_consul_package_name: >-
|
||||
consul_{{ _consul_wanted_version }}_linux_{{ consul_deb_architecture_map[ansible_architecture] }}.zip
|
||||
_consul_shasum_file_name: >-
|
||||
consul_{{ _consul_wanted_version }}_SHA256SUMS
|
||||
|
||||
- name: "Consul | Download checksum file for consul archive"
|
||||
ansible.builtin.get_url:
|
||||
url: "{{ consul_repository_url }}/{{ _consul_wanted_version }}/{{ _consul_shasum_file_name }}"
|
||||
dest: "/tmp/{{ _consul_shasum_file_name }}"
|
||||
mode: "0644"
|
||||
register: _consul_checksum_file
|
||||
until: _consul_checksum_file is succeeded
|
||||
retries: 5
|
||||
delay: 2
|
||||
check_mode: false
|
||||
|
||||
- name: "Consul | Extract correct checksum from checksum file"
|
||||
ansible.builtin.command:
|
||||
cmd: 'grep "{{ _consul_package_name }}" /tmp/{{ _consul_shasum_file_name }}'
|
||||
changed_when: false
|
||||
register: _consul_expected_checksum_line
|
||||
|
||||
- name: "Consul | Parse the expected checksum"
|
||||
ansible.builtin.set_fact:
|
||||
_consul_expected_checksum: "{{ _consul_expected_checksum_line.stdout.split()[0] }}"
|
||||
|
||||
- name: "Consul | Download consul binary archive"
|
||||
ansible.builtin.get_url:
|
||||
url: "{{ consul_repository_url }}/{{ _consul_wanted_version }}/{{ _consul_package_name }}"
|
||||
dest: "/tmp/{{ _consul_package_name }}"
|
||||
mode: "0644"
|
||||
checksum: "sha256:{{ _consul_expected_checksum }}"
|
||||
register: _consul_binary_archive
|
||||
until: _consul_binary_archive is succeeded
|
||||
retries: 5
|
||||
delay: 2
|
||||
check_mode: false
|
||||
|
||||
- name: "Consul | Create temporary directory for archive decompression"
|
||||
ansible.builtin.file:
|
||||
path: /tmp/consul
|
||||
state: directory
|
||||
mode: "0755"
|
||||
|
||||
- name: "Consul | Unpack consul archive"
|
||||
ansible.builtin.unarchive:
|
||||
src: "/tmp/{{ _consul_package_name }}"
|
||||
dest: "/tmp/consul"
|
||||
owner: "{{ consul_user }}"
|
||||
group: "{{ consul_group }}"
|
||||
mode: "0755"
|
||||
remote_src: true
|
||||
|
||||
- name: "Consul | Copy consul binary to {{ consul_binary_path }}"
|
||||
ansible.builtin.copy:
|
||||
src: /tmp/consul/consul
|
||||
dest: "{{ consul_binary_path }}"
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0755"
|
||||
remote_src: true
|
||||
force: true
|
||||
|
||||
- name: "Consul | Update consul version file"
|
||||
ansible.builtin.copy:
|
||||
content: "{{ _consul_wanted_version }}"
|
||||
dest: "{{ consul_config_dir }}/.version"
|
||||
owner: "{{ consul_user }}"
|
||||
group: "{{ consul_group }}"
|
||||
mode: "0600"
|
||||
|
||||
- name: "Consul | Set restart-check variable"
|
||||
ansible.builtin.set_fact:
|
||||
_consul_service_need_restart: true
|
||||
|
||||
- name: "Consul | Cleanup temporary directory"
|
||||
ansible.builtin.file:
|
||||
path: "{{ item }}"
|
||||
state: absent
|
||||
loop:
|
||||
- /tmp/consul
|
||||
- /tmp/{{ _consul_package_name }}
|
||||
- /tmp/{{ _consul_shasum_file_name }}
|
||||
|
||||
- name: "Consul | Copy systemd service file for consul"
|
||||
ansible.builtin.template:
|
||||
src: "consul.service.j2"
|
||||
dest: "/etc/systemd/system/{{ consul_service_name }}.service"
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0644"
|
||||
register: _consul_unit_file
|
||||
|
||||
- name: "Consul | Set reload-check & restart-check variable"
|
||||
ansible.builtin.set_fact:
|
||||
_consul_service_need_reload: true
|
||||
_consul_service_need_restart: true
|
||||
when: _consul_unit_file.changed # noqa: no-handler
|
Some files were not shown because too many files have changed in this diff Show More
Loading…
Reference in New Issue
Block a user