ansible-collections/hashistack
ansible-collections/hashistack
4
0
Fork 0
Code Issues 5 Pull Requests Actions Packages Projects 1 Releases Wiki Activity

Compare commits

base: ansible-collections:97b14b5160a1c13e710c3fcd7a9d75bb74c3e515
Branches Tags
ansible-collections:main
ansible-collections:v0.8.1
ansible-collections:v0.8.0
ansible-collections:v0.7.0
ansible-collections:v0.6.2
ansible-collections:v0.6.1
ansible-collections:v0.6.0
ansible-collections:v0.5.0
ansible-collections:v0.4.0
ansible-collections:v0.3.0
ansible-collections:v0.2.0
ansible-collections:v0.1.0
..
compare: ansible-collections:393516f03bc0f3de2bb2d412ae2c9606f7cf9b86
Branches Tags
ansible-collections:main
ansible-collections:v0.8.1
ansible-collections:v0.8.0
ansible-collections:v0.7.0
ansible-collections:v0.6.2
ansible-collections:v0.6.1
ansible-collections:v0.6.0
ansible-collections:v0.5.0
ansible-collections:v0.4.0
ansible-collections:v0.3.0
ansible-collections:v0.2.0
ansible-collections:v0.1.0

No commits in common. "97b14b5160a1c13e710c3fcd7a9d75bb74c3e515" and "393516f03bc0f3de2bb2d412ae2c9606f7cf9b86" have entirely different histories.
97b14b5160 ... 393516f03b

163 changed files with 1684 additions and 6328 deletions
Show Stats Expand all files Collapse all files

1
.cz.toml
View File

@ -4,4 +4,3 @@ version_provider = "scm"
version_files = ["galaxy.yml:^version"] version_files = ["galaxy.yml:^version"]
update_changelog_on_bump = true update_changelog_on_bump = true
major_version_zero = true major_version_zero = true
tag_format = "v$version"

1
.pre-commit-config.yaml
View File

@ -1,4 +1,3 @@
---
repos: repos:
- repo: https://github.com/pre-commit/pre-commit-hooks - repo: https://github.com/pre-commit/pre-commit-hooks
rev: v4.5.0 rev: v4.5.0

8
docs/general.md
View File

@ -6,7 +6,7 @@
Hashistack Ansible uses a configuration directory to store all the configuration files and other artifacts. Hashistack Ansible uses a configuration directory to store all the configuration files and other artifacts.
This directory is defined with the variable `hashistack_configuration_directory`. By default, it will look at `{{ lookup('env', 'PWD') }}/etc/hashistack`, which equals `$(pwd)/etc/hashistack`. This directory is defined with the variable `configuration_directory`. By default, it will look at `{{ lookup('env', 'PWD') }}/etc/hashistack`, which equals `$(pwd)/etc/hashistack`.
Under this directory, you are expected to place the `globals.yml` file, with your configuration. Under this directory, you are expected to place the `globals.yml` file, with your configuration.
@ -18,9 +18,9 @@ Additionally, subdirectories can be used to tailor the configuration further.
Each group within the `inventory` will look at a directory named after itself: Each group within the `inventory` will look at a directory named after itself:
- nomad_servers group will look for `{{ hashistack_configuration_directory }}/nomad_servers` - nomad_servers group will look for `{{ configuration_directory }}/nomad_servers`
- vault_servers group will look for `{{ hashistack_configuration_directory }}/vault_servers` - vault_servers group will look for `{{ configuration_directory }}/vault_servers`
- consul_servers group will look for `{{ hashistack_configuration_directory }}/consul_servers` - consul_servers group will look for `{{ configuration_directory }}/consul_servers`
Within each of these directories, you can place an additional `globals.yml file`, that will superseed the file at the root of the configuration directory. Within each of these directories, you can place an additional `globals.yml file`, that will superseed the file at the root of the configuration directory.

10
docs/quick_start.md
View File

@ -112,16 +112,6 @@ This will install roles that are not packaged with the collection, but are still
You should now have some roles inside `./roles/`. You should now have some roles inside `./roles/`.
9. Copy `inventory` file and `globals.yml `file locally
```bash
cp collections/ansible_collections/ednz_cloud/hashistack/playbooks/inventory/multinode.ini inventory/
```
```bash
cp collections/ansible_collections/ednz_cloud/hashistack/playbooks/group_vars/all/globals.yml etc/hashistack/globals.yml
```
## Generate Credentials ## Generate Credentials
Before deploying your infrastructure with Hashistack-Ansible, you need to generate credentials that will be used to bootstrap the various clusters. Before deploying your infrastructure with Hashistack-Ansible, you need to generate credentials that will be used to bootstrap the various clusters.

5
docs/tls_guide.md
View File

@ -1,6 +1 @@
# TLS Guide # TLS Guide
create certificate/ca directory
`ansible-playbook -i inventory/multinode.ini ednz_cloud.hashistack.generate_certs.yml`

2
galaxy.yml
View File

@ -11,7 +11,7 @@ license_file: "LICENSE"
# A list of tags you want to associate with the collection for indexing/searching. A tag name has the same character # A list of tags you want to associate with the collection for indexing/searching. A tag name has the same character
# requirements as 'namespace' and 'name' # requirements as 'namespace' and 'name'
tags: ["tools"] tags: []
dependencies: {} dependencies: {}
repository: https://git.ednz.fr/ansible-collections/hashistack repository: https://git.ednz.fr/ansible-collections/hashistack
documentation: http://docs.example.com documentation: http://docs.example.com

8
molecule/cni_default/converge.yml
View File

@ -1,8 +0,0 @@
---
- name: Converge
hosts: all
become: true
tasks:
- name: "Include ednz_cloud.hashistack.cni"
ansible.builtin.include_role:
name: "ednz_cloud.hashistack.cni"

37
molecule/cni_default/molecule.yml
View File

@ -1,37 +0,0 @@
---
dependency:
name: galaxy
options:
requirements-file: ./requirements.yml
driver:
name: docker
platforms:
- name: instance
image: geerlingguy/docker-${MOLECULE_TEST_OS}-ansible
command: ""
volumes:
- /sys/fs/cgroup:/sys/fs/cgroup
cgroupns_mode: host
privileged: true
pre_build_image: true
provisioner:
name: ansible
config_options:
defaults:
remote_tmp: /tmp/.ansible
verifier:
name: ansible
scenario:
name: cni_default
test_sequence:
- dependency
- cleanup
- destroy
- syntax
- create
- prepare
- converge
- idempotence
- verify
- cleanup
- destroy

13
molecule/cni_default/prepare.yml
View File

@ -1,13 +0,0 @@
---
- name: Prepare
hosts: all
become: true
tasks:
- name: "Install pre-required system packages"
ansible.builtin.include_role:
name: ednz_cloud.manage_apt_packages
vars:
manage_apt_packages_list:
- name: unzip
version: latest
state: present

4
molecule/cni_default/requirements.yml
View File

@ -1,4 +0,0 @@
---
# requirements file for molecule
roles:
- name: ednz_cloud.manage_apt_packages

6
molecule/cni_default/verify.yml
View File

@ -1,6 +0,0 @@
---
- name: Verify
hosts: all
gather_facts: true
become: true
tasks: []

8
molecule/consul_default/converge.yml
View File

@ -1,8 +0,0 @@
---
- name: Converge
hosts: all
become: true
tasks:
- name: "Include ednz_cloud.hashistack.consul"
ansible.builtin.include_role:
name: "ednz_cloud.hashistack.consul"

37
molecule/consul_default/molecule.yml
View File

@ -1,37 +0,0 @@
---
dependency:
name: galaxy
options:
requirements-file: ./requirements.yml
driver:
name: docker
platforms:
- name: instance
image: geerlingguy/docker-${MOLECULE_TEST_OS}-ansible
command: ""
volumes:
- /sys/fs/cgroup:/sys/fs/cgroup
cgroupns_mode: host
privileged: true
pre_build_image: true
provisioner:
name: ansible
config_options:
defaults:
remote_tmp: /tmp/.ansible
verifier:
name: ansible
scenario:
name: consul_default
test_sequence:
- dependency
- cleanup
- destroy
- syntax
- create
- prepare
- converge
- idempotence
- verify
- cleanup
- destroy

13
molecule/consul_default/prepare.yml
View File

@ -1,13 +0,0 @@
---
- name: Prepare
hosts: all
become: true
tasks:
- name: "Install pre-required system packages"
ansible.builtin.include_role:
name: ednz_cloud.manage_apt_packages
vars:
manage_apt_packages_list:
- name: unzip
version: latest
state: present

4
molecule/consul_default/requirements.yml
View File

@ -1,4 +0,0 @@
---
# requirements file for molecule
roles:
- name: ednz_cloud.manage_apt_packages

170
molecule/consul_default/verify.yml
View File

@ -1,170 +0,0 @@
---
- name: Verify
hosts: all
gather_facts: true
become: true
tasks:
- name: "Test: consul user and group"
block:
- name: "Getent user consul"
ansible.builtin.getent:
database: passwd
key: consul
register: consul_user
- name: "Getent group consul"
ansible.builtin.getent:
database: group
key: consul
register: consul_group
- name: "Verify consul user and group"
ansible.builtin.assert:
that:
- not consul_user.failed
- not consul_group.failed
- "'consul' in consul_user.ansible_facts.getent_passwd.keys()"
- "'/home/consul' in consul_user.ansible_facts.getent_passwd['consul']"
- "'/bin/false' in consul_user.ansible_facts.getent_passwd['consul']"
- "'consul' in consul_group.ansible_facts.getent_group.keys()"
- name: "Test: binary /usr/local/bin/consul"
block:
- name: "Stat binary /usr/local/bin/consul"
ansible.builtin.stat:
path: "/usr/local/bin/consul"
register: stat_usr_local_bin_consul
- name: "Verify binary /usr/local/bin/consul"
ansible.builtin.assert:
that:
- stat_usr_local_bin_consul.stat.exists
- stat_usr_local_bin_consul.stat.isreg
- stat_usr_local_bin_consul.stat.pw_name == 'root'
- stat_usr_local_bin_consul.stat.gr_name == 'root'
- stat_usr_local_bin_consul.stat.mode == '0755'
- name: "Test: directory /etc/consul.d"
block:
- name: "Stat directory /etc/consul.d"
ansible.builtin.stat:
path: "/etc/consul.d"
register: stat_etc_consul_d
- name: "Stat file /etc/consul.d/consul.env"
ansible.builtin.stat:
path: "/etc/consul.d/consul.env"
register: stat_etc_consul_d_consul_env
- name: "Stat file /etc/consul.d/consul.json"
ansible.builtin.stat:
path: "/etc/consul.d/consul.json"
register: stat_etc_consul_d_consul_json
- name: "Slurp file /etc/consul.d/consul.json"
ansible.builtin.slurp:
src: "/etc/consul.d/consul.json"
register: slurp_etc_consul_d_consul_json
- name: "Verify directory /etc/consul.d"
ansible.builtin.assert:
that:
- stat_etc_consul_d.stat.exists
- stat_etc_consul_d.stat.isdir
- stat_etc_consul_d.stat.pw_name == 'consul'
- stat_etc_consul_d.stat.gr_name == 'consul'
- stat_etc_consul_d.stat.mode == '0755'
- stat_etc_consul_d_consul_env.stat.exists
- stat_etc_consul_d_consul_env.stat.isreg
- stat_etc_consul_d_consul_env.stat.pw_name == 'consul'
- stat_etc_consul_d_consul_env.stat.gr_name == 'consul'
- stat_etc_consul_d_consul_env.stat.mode == '0600'
- stat_etc_consul_d_consul_json.stat.exists
- stat_etc_consul_d_consul_json.stat.isreg
- stat_etc_consul_d_consul_json.stat.pw_name == 'consul'
- stat_etc_consul_d_consul_json.stat.gr_name == 'consul'
- stat_etc_consul_d_consul_json.stat.mode == '0600'
- slurp_etc_consul_d_consul_json.content != ''
- name: "Test: directory /opt/consul"
block:
- name: "Stat directory /opt/consul"
ansible.builtin.stat:
path: "/opt/consul"
register: stat_opt_consul
- name: "Verify directory /opt/consul"
ansible.builtin.assert:
that:
- stat_opt_consul.stat.exists
- stat_opt_consul.stat.isdir
- stat_opt_consul.stat.pw_name == 'consul'
- stat_opt_consul.stat.gr_name == 'consul'
- stat_opt_consul.stat.mode == '0755'
- name: "Test: service consul"
block:
- name: "Get service consul"
ansible.builtin.service_facts:
- name: "Stat file /etc/systemd/system/consul.service"
ansible.builtin.stat:
path: "/etc/systemd/system/consul.service"
register: stat_etc_systemd_system_consul_service
- name: "Slurp file /etc/systemd/system/consul.service"
ansible.builtin.slurp:
src: "/etc/systemd/system/consul.service"
register: slurp_etc_systemd_system_consul_service
- name: "Verify service consul"
ansible.builtin.assert:
that:
- stat_etc_systemd_system_consul_service.stat.exists
- stat_etc_systemd_system_consul_service.stat.isreg
- stat_etc_systemd_system_consul_service.stat.pw_name == 'root'
- stat_etc_systemd_system_consul_service.stat.gr_name == 'root'
- stat_etc_systemd_system_consul_service.stat.mode == '0644'
- slurp_etc_systemd_system_consul_service.content != ''
- ansible_facts.services['consul.service'] is defined
- ansible_facts.services['consul.service']['source'] == 'systemd'
- ansible_facts.services['consul.service']['state'] == 'running'
- ansible_facts.services['consul.service']['status'] == 'enabled'
- name: "Test: interaction consul"
block:
- name: "Command consul kv put"
ansible.builtin.command: "consul kv put foo bar"
environment:
CONSUL_HTTP_ADDR: "http://{{ ansible_default_ipv4.address }}:8500"
changed_when: false
register: consul_kv_put
- name: "Command consul kv get"
ansible.builtin.command: "consul kv get foo"
environment:
CONSUL_HTTP_ADDR: "http://{{ ansible_default_ipv4.address }}:8500"
changed_when: false
register: consul_kv_get
- name: "Command consul kv delete"
ansible.builtin.command: "consul kv delete foo"
environment:
CONSUL_HTTP_ADDR: "http://{{ ansible_default_ipv4.address }}:8500"
changed_when: false
register: consul_kv_delete
- name: "Command consul members"
ansible.builtin.command: "consul members"
environment:
CONSUL_HTTP_ADDR: "http://{{ ansible_default_ipv4.address }}:8500"
changed_when: false
register: consul_members
- name: "Verify consul interaction"
ansible.builtin.assert:
that:
- "'instance' in consul_members.stdout"
- consul_kv_put.stdout == 'Success! Data written to: foo'
- consul_kv_get.stdout == 'bar'
- consul_kv_delete.stdout == 'Success! Deleted key: foo'

8
molecule/consul_with_acl_enabled/converge.yml
View File

@ -1,8 +0,0 @@
---
- name: Converge
hosts: all
become: true
tasks:
- name: "Include ednz_cloud.hashistack.consul"
ansible.builtin.include_role:
name: "ednz_cloud.hashistack.consul"

23
molecule/consul_with_acl_enabled/group_vars/all.yml
View File

@ -1,23 +0,0 @@
---
#####################
# ACL configuration #
#####################
consul_acl_configuration:
enabled: true
default_policy: "deny"
enable_token_persistence: true
tokens:
initial_management: "1a1f2ce5-3730-47de-9a9c-89e037376bab"
agent: "1a1f2ce5-3730-47de-9a9c-89e037376bab"
###########
# logging #
###########
consul_log_level: info
consul_enable_log_to_file: true
consul_log_to_file_configuration:
log_file: "{{ consul_logs_dir }}/consul.log"
log_rotate_duration: 24h
log_rotate_max_files: 30

37
molecule/consul_with_acl_enabled/molecule.yml
View File

@ -1,37 +0,0 @@
---
dependency:
name: galaxy
options:
requirements-file: ./requirements.yml
driver:
name: docker
platforms:
- name: instance
image: geerlingguy/docker-${MOLECULE_TEST_OS}-ansible
command: ""
volumes:
- /sys/fs/cgroup:/sys/fs/cgroup
cgroupns_mode: host
privileged: true
pre_build_image: true
provisioner:
name: ansible
config_options:
defaults:
remote_tmp: /tmp/.ansible
verifier:
name: ansible
scenario:
name: consul_with_acl_enabled
test_sequence:
- dependency
- cleanup
- destroy
- syntax
- create
- prepare
- converge
- idempotence
- verify
- cleanup
- destroy

13
molecule/consul_with_acl_enabled/prepare.yml
View File

@ -1,13 +0,0 @@
---
- name: Prepare
hosts: all
become: true
tasks:
- name: "Install pre-required system packages"
ansible.builtin.include_role:
name: ednz_cloud.manage_apt_packages
vars:
manage_apt_packages_list:
- name: unzip
version: latest
state: present

4
molecule/consul_with_acl_enabled/requirements.yml
View File

@ -1,4 +0,0 @@
---
# requirements file for molecule
roles:
- name: ednz_cloud.manage_apt_packages

176
molecule/consul_with_acl_enabled/verify.yml
View File

@ -1,176 +0,0 @@
---
- name: Verify
hosts: all
gather_facts: true
become: true
tasks:
- name: "Test: consul user and group"
block:
- name: "Getent user consul"
ansible.builtin.getent:
database: passwd
key: consul
register: consul_user
- name: "Getent group consul"
ansible.builtin.getent:
database: group
key: consul
register: consul_group
- name: "Verify consul user and group"
ansible.builtin.assert:
that:
- not consul_user.failed
- not consul_group.failed
- "'consul' in consul_user.ansible_facts.getent_passwd.keys()"
- "'/home/consul' in consul_user.ansible_facts.getent_passwd['consul']"
- "'/bin/false' in consul_user.ansible_facts.getent_passwd['consul']"
- "'consul' in consul_group.ansible_facts.getent_group.keys()"
- name: "Test: binary /usr/local/bin/consul"
block:
- name: "Stat binary /usr/local/bin/consul"
ansible.builtin.stat:
path: "/usr/local/bin/consul"
register: stat_usr_local_bin_consul
- name: "Verify binary /usr/local/bin/consul"
ansible.builtin.assert:
that:
- stat_usr_local_bin_consul.stat.exists
- stat_usr_local_bin_consul.stat.isreg
- stat_usr_local_bin_consul.stat.pw_name == 'root'
- stat_usr_local_bin_consul.stat.gr_name == 'root'
- stat_usr_local_bin_consul.stat.mode == '0755'
- name: "Test: directory /etc/consul.d"
block:
- name: "Stat directory /etc/consul.d"
ansible.builtin.stat:
path: "/etc/consul.d"
register: stat_etc_consul_d
- name: "Stat file /etc/consul.d/consul.env"
ansible.builtin.stat:
path: "/etc/consul.d/consul.env"
register: stat_etc_consul_d_consul_env
- name: "Stat file /etc/consul.d/consul.json"
ansible.builtin.stat:
path: "/etc/consul.d/consul.json"
register: stat_etc_consul_d_consul_json
- name: "Slurp file /etc/consul.d/consul.json"
ansible.builtin.slurp:
src: "/etc/consul.d/consul.json"
register: slurp_etc_consul_d_consul_json
- name: "Verify directory /etc/consul.d"
ansible.builtin.assert:
that:
- stat_etc_consul_d.stat.exists
- stat_etc_consul_d.stat.isdir
- stat_etc_consul_d.stat.pw_name == 'consul'
- stat_etc_consul_d.stat.gr_name == 'consul'
- stat_etc_consul_d.stat.mode == '0755'
- stat_etc_consul_d_consul_env.stat.exists
- stat_etc_consul_d_consul_env.stat.isreg
- stat_etc_consul_d_consul_env.stat.pw_name == 'consul'
- stat_etc_consul_d_consul_env.stat.gr_name == 'consul'
- stat_etc_consul_d_consul_env.stat.mode == '0600'
- stat_etc_consul_d_consul_json.stat.exists
- stat_etc_consul_d_consul_json.stat.isreg
- stat_etc_consul_d_consul_json.stat.pw_name == 'consul'
- stat_etc_consul_d_consul_json.stat.gr_name == 'consul'
- stat_etc_consul_d_consul_json.stat.mode == '0600'
- slurp_etc_consul_d_consul_json.content != ''
- name: "Test: directory /opt/consul"
block:
- name: "Stat directory /opt/consul"
ansible.builtin.stat:
path: "/opt/consul"
register: stat_opt_consul
- name: "Verify directory /opt/consul"
ansible.builtin.assert:
that:
- stat_opt_consul.stat.exists
- stat_opt_consul.stat.isdir
- stat_opt_consul.stat.pw_name == 'consul'
- stat_opt_consul.stat.gr_name == 'consul'
- stat_opt_consul.stat.mode == '0755'
- name: "Test: service consul"
block:
- name: "Get service consul"
ansible.builtin.service_facts:
- name: "Stat file /etc/systemd/system/consul.service"
ansible.builtin.stat:
path: "/etc/systemd/system/consul.service"
register: stat_etc_systemd_system_consul_service
- name: "Slurp file /etc/systemd/system/consul.service"
ansible.builtin.slurp:
src: "/etc/systemd/system/consul.service"
register: slurp_etc_systemd_system_consul_service
- name: "Verify service consul"
ansible.builtin.assert:
that:
- stat_etc_systemd_system_consul_service.stat.exists
- stat_etc_systemd_system_consul_service.stat.isreg
- stat_etc_systemd_system_consul_service.stat.pw_name == 'root'
- stat_etc_systemd_system_consul_service.stat.gr_name == 'root'
- stat_etc_systemd_system_consul_service.stat.mode == '0644'
- slurp_etc_systemd_system_consul_service.content != ''
- ansible_facts.services['consul.service'] is defined
- ansible_facts.services['consul.service']['source'] == 'systemd'
- ansible_facts.services['consul.service']['state'] == 'running'
- ansible_facts.services['consul.service']['status'] == 'enabled'
- name: "Test: interaction consul"
vars:
acl_token: "1a1f2ce5-3730-47de-9a9c-89e037376bab"
block:
- name: "Command consul kv put"
ansible.builtin.command: "consul kv put foo bar"
environment:
CONSUL_HTTP_ADDR: "http://{{ ansible_default_ipv4.address }}:8500"
CONSUL_HTTP_TOKEN: "{{ acl_token }}"
changed_when: false
register: consul_kv_put
- name: "Command consul kv get"
ansible.builtin.command: "consul kv get foo"
environment:
CONSUL_HTTP_ADDR: "http://{{ ansible_default_ipv4.address }}:8500"
CONSUL_HTTP_TOKEN: "{{ acl_token }}"
changed_when: false
register: consul_kv_get
- name: "Command consul kv delete"
ansible.builtin.command: "consul kv delete foo"
environment:
CONSUL_HTTP_ADDR: "http://{{ ansible_default_ipv4.address }}:8500"
CONSUL_HTTP_TOKEN: "{{ acl_token }}"
changed_when: false
register: consul_kv_delete
- name: "Command consul members"
ansible.builtin.command: "consul members"
environment:
CONSUL_HTTP_ADDR: "http://{{ ansible_default_ipv4.address }}:8500"
CONSUL_HTTP_TOKEN: "{{ acl_token }}"
changed_when: false
register: consul_members
- name: "Verify consul interaction"
ansible.builtin.assert:
that:
- "'instance' in consul_members.stdout"
- consul_kv_put.stdout == 'Success! Data written to: foo'
- consul_kv_get.stdout == 'bar'
- consul_kv_delete.stdout == 'Success! Deleted key: foo'

10
molecule/hashistack_ca_default/converge.yml
View File

@ -1,10 +0,0 @@
---
- name: Converge
hosts: all
become: true
tasks:
- name: "Include ednz_cloud.hashistack.hashistack_ca"
ansible.builtin.include_role:
name: "ednz_cloud.hashistack.hashistack_ca"
apply:
delegate_to: localhost

0
molecule/hashistack_ca_default/etc/hashistack/.gitkeep
View File

111
molecule/hashistack_ca_default/group_vars/all.yml
View File

@ -1,111 +0,0 @@
---
hashistack_ca_directory: "{{ lookup('env', 'PWD') }}/etc/hashistack/certificates"
hashistack_ca_use_cryptography: false
hashistack_ca_action: "noop"
hashistack_ca_domain: ednz.fr
hashistack_ca_directory_owner: "{{ lookup('env', 'USER') }}"
##############################
# Root Certificate Authority #
##############################
hashistack_ca_root_org_name: EDNZ Cloud
hashistack_ca_root_country: FR
hashistack_ca_root_locality: Paris
hashistack_ca_root_common_name: "{{ hashistack_ca_domain }} Root CA"
hashistack_ca_root_email:
hashistack_ca_root_key_usage:
- keyCertSign
- cRLSign
hashistack_ca_root_key_usage_critical: true
hashistack_ca_root_basic_constraints:
- CA:TRUE
hashistack_ca_root_basic_constraints_critical: true
# Optional fields
hashistack_ca_root_state_or_province_name:
hashistack_ca_root_email_address:
# Validity
hashistack_ca_root_valid_for: 1825d
hashistack_ca_root_renew_threshold: 180d
######################################
# Intermediate Certificate Authority #
######################################
hashistack_ca_intermediate_org_name: EDNZ Cloud Intermediate
hashistack_ca_intermediate_country: FR
hashistack_ca_intermediate_locality: Paris
hashistack_ca_intermediate_common_name: "{{ hashistack_ca_domain }} Intermediate CA"
hashistack_ca_intermediate_email:
hashistack_ca_intermediate_key_usage:
- keyCertSign
- cRLSign
hashistack_ca_intermediate_key_usage_critical: true
hashistack_ca_intermediate_basic_constraints:
- CA:TRUE
- pathlen:0
hashistack_ca_intermediate_basic_constraints_critical: true
# Optional fields
hashistack_ca_intermediate_state_or_province_name:
hashistack_ca_intermediate_email_address:
# Validity
hashistack_ca_intermediate_valid_for: 365d
hashistack_ca_intermediate_renew_threshold: 90d
# Name Constraints
hashistack_ca_intermediate_name_constraints_permitted:
- "DNS:.{{ hashistack_ca_domain }}"
- DNS:.nomad
- DNS:.consul
- DNS:localhost
- IP:192.168.0.0/16
- IP:172.16.0.0/16
- IP:10.0.0.0/8
- IP:127.0.0.0/8
hashistack_ca_intermediate_name_constraints_critical: "{{ (hashistack_ca_intermediate_name_constraints_permitted is defined and hashistack_ca_intermediate_name_constraints_permitted | length > 0) }}"
#####################
# Leaf certificates #
#####################
hashistack_ca_leaf_valid_for: 90d
hashistack_ca_leaf_renew_threshold: 30d
############################
# Consul Leaf Certificates #
############################
hashistack_ca_consul_org_name: "{{ hashistack_ca_root_org_name }}"
hashistack_ca_consul_common_name: "{{ inventory_hostname }}"
hashistack_ca_consul_csr_sans:
- "DNS:{{ inventory_hostname~'.'~hashistack_ca_domain }}"
- "DNS:consul.service.consul"
- "DNS:localhost"
- "IP:127.0.0.1"
###########################
# Nomad Leaf Certificates #
###########################
hashistack_ca_nomad_org_name: "{{ hashistack_ca_root_org_name }}"
hashistack_ca_nomad_common_name: "{{ inventory_hostname }}"
hashistack_ca_nomad_csr_sans:
- "DNS:{{ inventory_hostname~'.'~hashistack_ca_domain }}"
- DNS:server.global.nomad
- DNS:client.global.nomad
- "DNS:nomad.service.consul"
- "DNS:localhost"
- "IP:127.0.0.1"
###########################
# Vault Leaf Certificates #
###########################
hashistack_ca_vault_org_name: "{{ hashistack_ca_root_org_name }}"
hashistack_ca_vault_common_name: "{{ inventory_hostname }}"
hashistack_ca_vault_csr_sans:
- "DNS:{{ inventory_hostname~'.'~hashistack_ca_domain }}"
- "DNS:vault.service.consul"
- "DNS:active.vault.service.consul"
- "DNS:standby.vault.service.consul"
- "DNS:localhost"
- "IP:127.0.0.1"

65
molecule/hashistack_ca_default/molecule.yml
View File

@ -1,65 +0,0 @@
---
dependency:
name: galaxy
options:
requirements-file: ./requirements.yml
driver:
name: docker
platforms:
- name: consul-vault
image: geerlingguy/docker-${MOLECULE_TEST_OS}-ansible
command: ""
volumes:
- /sys/fs/cgroup:/sys/fs/cgroup
cgroupns_mode: host
privileged: true
pre_build_image: true
groups:
- common
- consul_servers
- vault_servers
- name: vault-nomad
image: geerlingguy/docker-${MOLECULE_TEST_OS}-ansible
command: ""
volumes:
- /sys/fs/cgroup:/sys/fs/cgroup
cgroupns_mode: host
privileged: true
pre_build_image: true
groups:
- common
- nomad_clients
- vault_servers
- name: nomad-consul
image: geerlingguy/docker-${MOLECULE_TEST_OS}-ansible
command: ""
volumes:
- /sys/fs/cgroup:/sys/fs/cgroup
cgroupns_mode: host
privileged: true
pre_build_image: true
groups:
- common
- nomad_clients
- consul_agents
provisioner:
name: ansible
config_options:
defaults:
remote_tmp: /tmp/.ansible
verifier:
name: ansible
scenario:
name: hashistack_ca_default
test_sequence:
- dependency
- cleanup
- destroy
- syntax
- create
- prepare
- converge
- idempotence
- verify
- cleanup
- destroy

13
molecule/hashistack_ca_default/prepare.yml
View File

@ -1,13 +0,0 @@
---
- name: Prepare
hosts: all
become: true
tasks:
- name: "Install pre-required system packages"
ansible.builtin.include_role:
name: ednz_cloud.manage_apt_packages
vars:
manage_apt_packages_list:
- name: unzip
version: latest
state: present

4
molecule/hashistack_ca_default/requirements.yml
View File

@ -1,4 +0,0 @@
---
# requirements file for molecule
roles:
- name: ednz_cloud.manage_apt_packages

6
molecule/hashistack_ca_default/verify.yml
View File

@ -1,6 +0,0 @@
---
- name: Verify
hosts: all
gather_facts: true
become: true
tasks: []

39
molecule/no_tls_multi_node/etc/hashistack/globals.yml
View File

@ -1,12 +1,4 @@
--- ---
# Molecule specific variables
hashistack_ca_action: "root_ca,int_ca,leaf_cert,renew_root,"
hashistack_ca_directory: "{{ hashistack_sub_configuration_directories['certificates'] }}"
hashistack_ca_directory_owner: "{{ lookup('env', 'USER') }}"
hashistack_ca_domain: ednz.lab
hashistack_ca_intermediate_name_constraints_critical: false
########################## ##########################
# General options ######## # General options ########
########################## ##########################
@ -17,7 +9,7 @@ hashistack_ca_intermediate_name_constraints_critical: false
# enable_nomad: "yes" # enable_nomad: "yes"
# haproxy_version: "2.8" # haproxy_version: "2.8"
nomad_version: "1.8.2" # nomad_version: "1.8.1"
# consul_version: "1.18.1" # consul_version: "1.18.1"
# vault_version: "1.16.2" # vault_version: "1.16.2"
@ -40,13 +32,6 @@ api_interface: "eth1"
enable_tls_external: true enable_tls_external: true
# external_tls_externally_managed_certs: false # external_tls_externally_managed_certs: false
########################
# internal tls options #
########################
enable_tls_internal: true
# internal_tls_externally_managed_certs: false
##################################################### #####################################################
# # # #
# Consul # # Consul #
@ -110,7 +95,7 @@ enable_tls_internal: true
# consul tls configuration # # consul tls configuration #
############################ ############################
# consul_enable_tls: "{{ enable_tls_internal }}" consul_enable_tls: true
# consul_tls_configuration: # consul_tls_configuration:
# defaults: # defaults:
# ca_file: "/etc/ssl/certs/ca-certificates.crt" # ca_file: "/etc/ssl/certs/ca-certificates.crt"
@ -167,7 +152,7 @@ enable_tls_internal: true
# vault listener # # vault listener #
################## ##################
# vault_enable_tls: "{{ enable_tls_internal }}" vault_enable_tls: true
# vault_tls_verify: false # vault_tls_verify: false
# vault_listener_configuration: # vault_listener_configuration:
# tcp: # tcp:
@ -278,17 +263,17 @@ enable_tls_internal: true
# nomad internal tls # # nomad internal tls #
###################### ######################
# nomad_enable_tls: "{{ enable_tls_internal }}" nomad_enable_tls: true
# nomad_tls_configuration: nomad_tls_configuration:
# http: true http: true
# rpc: true rpc: true
# ca_file: "/etc/ssl/certs/ca-certificates.crt" ca_file: "/etc/ssl/certs/ca-certificates.crt"
# cert_file: "{{ nomad_certificates_directory }}/cert.pem" cert_file: "{{ nomad_certificates_directory }}/cert.pem"
# key_file: "{{ nomad_certificates_directory }}/key.pem" key_file: "{{ nomad_certificates_directory }}/key.pem"
# verify_server_hostname: true verify_server_hostname: true
# nomad_certificates_directory: "{{ hashicorp_nomad_config_dir }}/tls" # nomad_certificates_directory: "{{ hashicorp_nomad_config_dir }}/tls"
# nomad_certificates_extra_files_dir: # nomad_certificates_extra_files_dir:
# - src: "{{ hashistack_sub_configuration_directories['certificates'] }}/nomad/{{ inventory_hostname }}" # - src: "{{ sub_configuration_directories['certificates'] }}/nomad/{{ inventory_hostname }}"
# dest: "{{ nomad_certificates_directory }}" # dest: "{{ nomad_certificates_directory }}"
############################# #############################

8
molecule/no_tls_multi_node/etc/hashistack/haproxy_servers/globals.yml
View File

@ -1,8 +0,0 @@
---
nomad_client_configuration:
enabled: "{{ nomad_enable_client }}"
state_dir: "{{ nomad_data_dir }}/client"
cni_path: "{{ cni_plugins_install_path | default('/opt/cni/bin') }}"
bridge_network_name: nomad
bridge_network_subnet: "172.26.64.0/20"
node_pool: ingress

BIN
molecule/no_tls_multi_node/etc/hashistack/vault_servers/config/plugin/vault-plugin-auth-openstack Executable file
View File

Binary file not shown.

14
molecule/no_tls_multi_node/molecule.yml
View File

@ -8,7 +8,7 @@ driver:
provider: provider:
name: libvirt name: libvirt
platforms: platforms:
- name: proxy01.ednz.lab - name: proxy01
box: generic/${MOLECULE_TEST_OS} box: generic/${MOLECULE_TEST_OS}
cpus: 2 cpus: 2
memory: 2048 memory: 2048
@ -20,9 +20,8 @@ platforms:
groups: groups:
- common - common
- haproxy_servers - haproxy_servers
- nomad_clients
- consul_agents - consul_agents
- name: proxy02.ednz.lab - name: proxy02
box: generic/${MOLECULE_TEST_OS} box: generic/${MOLECULE_TEST_OS}
cpus: 2 cpus: 2
memory: 2048 memory: 2048
@ -34,9 +33,8 @@ platforms:
groups: groups:
- common - common
- haproxy_servers - haproxy_servers
- nomad_clients
- consul_agents - consul_agents
- name: hashistack01.ednz.lab - name: hashistack01
box: generic/${MOLECULE_TEST_OS} box: generic/${MOLECULE_TEST_OS}
cpus: 4 cpus: 4
memory: 2048 memory: 2048
@ -50,7 +48,7 @@ platforms:
- vault_servers - vault_servers
- consul_servers - consul_servers
- nomad_servers - nomad_servers
- name: hashistack02.ednz.lab - name: hashistack02
box: generic/${MOLECULE_TEST_OS} box: generic/${MOLECULE_TEST_OS}
cpus: 4 cpus: 4
memory: 2048 memory: 2048
@ -64,7 +62,7 @@ platforms:
- vault_servers - vault_servers
- consul_servers - consul_servers
- nomad_servers - nomad_servers
- name: hashistack03.ednz.lab - name: hashistack03
box: generic/${MOLECULE_TEST_OS} box: generic/${MOLECULE_TEST_OS}
cpus: 4 cpus: 4
memory: 2048 memory: 2048
@ -78,7 +76,7 @@ platforms:
- vault_servers - vault_servers
- consul_servers - consul_servers
- nomad_servers - nomad_servers
- name: hashistack04.ednz.lab - name: hashistack04
box: generic/${MOLECULE_TEST_OS} box: generic/${MOLECULE_TEST_OS}
cpus: 4 cpus: 4
memory: 2048 memory: 2048

3
molecule/no_tls_multi_node/prepare.yml
View File

@ -2,6 +2,9 @@
- name: Include certificate generation playbook - name: Include certificate generation playbook
ansible.builtin.import_playbook: ednz_cloud.hashistack.generate_certs.yml ansible.builtin.import_playbook: ednz_cloud.hashistack.generate_certs.yml
# - name: Include credentials generation playbook
# ansible.builtin.import_playbook: ednz_cloud.hashistack.generate_credentials.yml
- name: Include bootstrap playbook - name: Include bootstrap playbook
ansible.builtin.import_playbook: ednz_cloud.hashistack.bootstrap.yml ansible.builtin.import_playbook: ednz_cloud.hashistack.bootstrap.yml

3
molecule/no_tls_multi_node/requirements.yml
View File

@ -5,6 +5,9 @@ roles:
- name: ednz_cloud.manage_apt_packages - name: ednz_cloud.manage_apt_packages
- name: ednz_cloud.manage_pip_packages - name: ednz_cloud.manage_pip_packages
- name: ednz_cloud.install_docker - name: ednz_cloud.install_docker
- name: ednz_cloud.docker_systemd_service
# - name: ednz_cloud.deploy_haproxy
# - name: ednz_cloud.deploy_keepalived
collections: collections:
- name: ednz_cloud.hashistack - name: ednz_cloud.hashistack

8
molecule/nomad_default/converge.yml
View File

@ -1,8 +0,0 @@
---
- name: Converge
hosts: all
become: true
tasks:
- name: "Include ednz_cloud.hashistack.nomad"
ansible.builtin.include_role:
name: "ednz_cloud.hashistack.nomad"

37
molecule/nomad_default/molecule.yml
View File

@ -1,37 +0,0 @@
---
dependency:
name: galaxy
options:
requirements-file: ./requirements.yml
driver:
name: docker
platforms:
- name: instance
image: geerlingguy/docker-${MOLECULE_TEST_OS}-ansible
command: ""
volumes:
- /sys/fs/cgroup:/sys/fs/cgroup
cgroupns_mode: host
privileged: true
pre_build_image: true
provisioner:
name: ansible
config_options:
defaults:
remote_tmp: /tmp/.ansible
verifier:
name: ansible
scenario:
name: nomad_default
test_sequence:
- dependency
- cleanup
- destroy
- syntax
- create
- prepare
- converge
- idempotence
- verify
- cleanup
- destroy

13
molecule/nomad_default/prepare.yml
View File

@ -1,13 +0,0 @@
---
- name: Prepare
hosts: all
become: true
tasks:
- name: "Install pre-required system packages"
ansible.builtin.include_role:
name: ednz_cloud.manage_apt_packages
vars:
manage_apt_packages_list:
- name: unzip
version: latest
state: present

5
molecule/nomad_default/requirements.yml
View File

@ -1,5 +0,0 @@
---
# requirements file for molecule
roles:
- name: ednz_cloud.manage_repositories
- name: ednz_cloud.manage_apt_packages

170
molecule/nomad_default/verify.yml
View File

@ -1,170 +0,0 @@
---
- name: Verify
hosts: all
gather_facts: true
become: true
tasks:
- name: "Test: nomad user and group"
block:
- name: "Getent user nomad"
ansible.builtin.getent:
database: passwd
key: nomad
register: nomad_user
- name: "Getent group nomad"
ansible.builtin.getent:
database: group
key: nomad
register: nomad_group
- name: "Verify nomad user and group"
ansible.builtin.assert:
that:
- not nomad_user.failed
- not nomad_group.failed
- "'nomad' in nomad_user.ansible_facts.getent_passwd.keys()"
- "'/home/nomad' in nomad_user.ansible_facts.getent_passwd['nomad']"
- "'/bin/false' in nomad_user.ansible_facts.getent_passwd['nomad']"
- "'nomad' in nomad_group.ansible_facts.getent_group.keys()"
- name: "Test: binary /usr/local/bin/nomad"
block:
- name: "Stat binary /usr/local/bin/nomad"
ansible.builtin.stat:
path: "/usr/local/bin/nomad"
register: stat_usr_local_bin_nomad
- name: "Verify binary /usr/local/bin/nomad"
ansible.builtin.assert:
that:
- stat_usr_local_bin_nomad.stat.exists
- stat_usr_local_bin_nomad.stat.isreg
- stat_usr_local_bin_nomad.stat.pw_name == 'root'
- stat_usr_local_bin_nomad.stat.gr_name == 'root'
- stat_usr_local_bin_nomad.stat.mode == '0755'
- name: "Test: directory /etc/nomad.d"
block:
- name: "Stat directory /etc/nomad.d"
ansible.builtin.stat:
path: "/etc/nomad.d"
register: stat_etc_nomad_d
- name: "Stat file /etc/nomad.d/nomad.env"
ansible.builtin.stat:
path: "/etc/nomad.d/nomad.env"
register: stat_etc_nomad_d_nomad_env
- name: "Stat file /etc/nomad.d/nomad.json"
ansible.builtin.stat:
path: "/etc/nomad.d/nomad.json"
register: stat_etc_nomad_d_nomad_json
- name: "Slurp file /etc/nomad.d/nomad.json"
ansible.builtin.slurp:
src: "/etc/nomad.d/nomad.json"
register: slurp_etc_nomad_d_nomad_json
- name: "Verify directory /etc/nomad.d"
ansible.builtin.assert:
that:
- stat_etc_nomad_d.stat.exists
- stat_etc_nomad_d.stat.isdir
- stat_etc_nomad_d.stat.pw_name == 'nomad'
- stat_etc_nomad_d.stat.gr_name == 'nomad'
- stat_etc_nomad_d.stat.mode == '0755'
- stat_etc_nomad_d_nomad_env.stat.exists
- stat_etc_nomad_d_nomad_env.stat.isreg
- stat_etc_nomad_d_nomad_env.stat.pw_name == 'nomad'
- stat_etc_nomad_d_nomad_env.stat.gr_name == 'nomad'
- stat_etc_nomad_d_nomad_env.stat.mode == '0600'
- stat_etc_nomad_d_nomad_json.stat.exists
- stat_etc_nomad_d_nomad_json.stat.isreg
- stat_etc_nomad_d_nomad_json.stat.pw_name == 'nomad'
- stat_etc_nomad_d_nomad_json.stat.gr_name == 'nomad'
- stat_etc_nomad_d_nomad_json.stat.mode == '0600'
- slurp_etc_nomad_d_nomad_json.content != ''
- name: "Test: directory /opt/nomad"
block:
- name: "Stat directory /opt/nomad"
ansible.builtin.stat:
path: "/opt/nomad"
register: stat_opt_nomad
- name: "Verify directory /opt/nomad"
ansible.builtin.assert:
that:
- stat_opt_nomad.stat.exists
- stat_opt_nomad.stat.isdir
- stat_opt_nomad.stat.pw_name == 'nomad'
- stat_opt_nomad.stat.gr_name == 'nomad'
- stat_opt_nomad.stat.mode == '0755'
- name: "Test: service nomad"
block:
- name: "Get service nomad"
ansible.builtin.service_facts:
- name: "Stat file /etc/systemd/system/nomad.service"
ansible.builtin.stat:
path: "/etc/systemd/system/nomad.service"
register: stat_etc_systemd_system_nomad_service
- name: "Slurp file /etc/systemd/system/nomad.service"
ansible.builtin.slurp:
src: "/etc/systemd/system/nomad.service"
register: slurp_etc_systemd_system_nomad_service
- name: "Verify service nomad"
ansible.builtin.assert:
that:
- stat_etc_systemd_system_nomad_service.stat.exists
- stat_etc_systemd_system_nomad_service.stat.isreg
- stat_etc_systemd_system_nomad_service.stat.pw_name == 'root'
- stat_etc_systemd_system_nomad_service.stat.gr_name == 'root'
- stat_etc_systemd_system_nomad_service.stat.mode == '0644'
- slurp_etc_systemd_system_nomad_service.content != ''
- ansible_facts.services['nomad.service'] is defined
- ansible_facts.services['nomad.service']['source'] == 'systemd'
- ansible_facts.services['nomad.service']['state'] == 'running'
- ansible_facts.services['nomad.service']['status'] == 'enabled'
- name: "Test: interaction nomad"
block:
- name: "Command nomad var put"
ansible.builtin.command: "nomad var put secret/foobar foo=bar"
environment:
NOMAD_ADDR: "http://{{ ansible_default_ipv4.address }}:4646"
changed_when: false
register: nomad_var_put
- name: "Command nomad var get"
ansible.builtin.command: "nomad var get secret/foobar"
environment:
NOMAD_ADDR: "http://{{ ansible_default_ipv4.address }}:4646"
changed_when: false
register: nomad_var_get
- name: "Command nomad var purge"
ansible.builtin.command: "nomad var purge secret/foobar"
environment:
NOMAD_ADDR: "http://{{ ansible_default_ipv4.address }}:4646"
changed_when: false
register: nomad_var_purge
- name: "Command nomad server members"
ansible.builtin.command: "nomad server members"
environment:
NOMAD_ADDR: "http://{{ ansible_default_ipv4.address }}:4646"
changed_when: false
register: nomad_server_members
- name: "Verify nomad interaction"
ansible.builtin.assert:
that:
- "'instance.global' in nomad_server_members.stdout"
- "'\"Items\": {\n \"foo\": \"bar\"\n }' in nomad_var_put.stdout"
- "'\"Items\": {\n \"foo\": \"bar\"\n }' in nomad_var_get.stdout"
- nomad_var_purge.stdout == 'Successfully purged variable \"secret/foobar\"!'

8
molecule/nomad_with_acl_enabled/converge.yml
View File

@ -1,8 +0,0 @@
---
- name: Converge
hosts: all
become: true
tasks:
- name: "Include ednz_cloud.hashistack.nomad"
ansible.builtin.include_role:
name: "ednz_cloud.hashistack.nomad"

12
molecule/nomad_with_acl_enabled/group_vars/all.yml
View File

@ -1,12 +0,0 @@
---
# defaults file for hashicorp_nomad
#####################
# ACL configuration #
#####################
nomad_acl_configuration:
enabled: true
token_ttl: 30s
policy_ttl: 60s
role_ttl: 60s

37
molecule/nomad_with_acl_enabled/molecule.yml
View File

@ -1,37 +0,0 @@
---
dependency:
name: galaxy
options:
requirements-file: ./requirements.yml
driver:
name: docker
platforms:
- name: instance
image: geerlingguy/docker-${MOLECULE_TEST_OS}-ansible
command: ""
volumes:
- /sys/fs/cgroup:/sys/fs/cgroup
cgroupns_mode: host
privileged: true
pre_build_image: true
provisioner:
name: ansible
config_options:
defaults:
remote_tmp: /tmp/.ansible
verifier:
name: ansible
scenario:
name: nomad_with_acl_enabled
test_sequence:
- dependency
- cleanup
- destroy
- syntax
- create
- prepare
- converge
- idempotence
- verify
- cleanup
- destroy

13
molecule/nomad_with_acl_enabled/prepare.yml
View File

@ -1,13 +0,0 @@
---
- name: Prepare
hosts: all
become: true
tasks:
- name: "Install pre-required system packages"
ansible.builtin.include_role:
name: ednz_cloud.manage_apt_packages
vars:
manage_apt_packages_list:
- name: unzip
version: latest
state: present

5
molecule/nomad_with_acl_enabled/requirements.yml
View File

@ -1,5 +0,0 @@
---
# requirements file for molecule
roles:
- name: ednz_cloud.manage_repositories
- name: ednz_cloud.manage_apt_packages

185
molecule/nomad_with_acl_enabled/verify.yml
View File

@ -1,185 +0,0 @@
---
- name: Verify
hosts: all
gather_facts: true
become: true
tasks:
- name: "Test: nomad user and group"
block:
- name: "Getent user nomad"
ansible.builtin.getent:
database: passwd
key: nomad
register: nomad_user
- name: "Getent group nomad"
ansible.builtin.getent:
database: group
key: nomad
register: nomad_group
- name: "Verify nomad user and group"
ansible.builtin.assert:
that:
- not nomad_user.failed
- not nomad_group.failed
- "'nomad' in nomad_user.ansible_facts.getent_passwd.keys()"
- "'/home/nomad' in nomad_user.ansible_facts.getent_passwd['nomad']"
- "'/bin/false' in nomad_user.ansible_facts.getent_passwd['nomad']"
- "'nomad' in nomad_group.ansible_facts.getent_group.keys()"
- name: "Test: binary /usr/local/bin/nomad"
block:
- name: "Stat binary /usr/local/bin/nomad"
ansible.builtin.stat:
path: "/usr/local/bin/nomad"
register: stat_usr_local_bin_nomad
- name: "Verify binary /usr/local/bin/nomad"
ansible.builtin.assert:
that:
- stat_usr_local_bin_nomad.stat.exists
- stat_usr_local_bin_nomad.stat.isreg
- stat_usr_local_bin_nomad.stat.pw_name == 'root'
- stat_usr_local_bin_nomad.stat.gr_name == 'root'
- stat_usr_local_bin_nomad.stat.mode == '0755'
- name: "Test: directory /etc/nomad.d"
block:
- name: "Stat directory /etc/nomad.d"
ansible.builtin.stat:
path: "/etc/nomad.d"
register: stat_etc_nomad_d
- name: "Stat file /etc/nomad.d/nomad.env"
ansible.builtin.stat:
path: "/etc/nomad.d/nomad.env"
register: stat_etc_nomad_d_nomad_env
- name: "Stat file /etc/nomad.d/nomad.json"
ansible.builtin.stat:
path: "/etc/nomad.d/nomad.json"
register: stat_etc_nomad_d_nomad_json
- name: "Slurp file /etc/nomad.d/nomad.json"
ansible.builtin.slurp:
src: "/etc/nomad.d/nomad.json"
register: slurp_etc_nomad_d_nomad_json
- name: "Verify directory /etc/nomad.d"
ansible.builtin.assert:
that:
- stat_etc_nomad_d.stat.exists
- stat_etc_nomad_d.stat.isdir
- stat_etc_nomad_d.stat.pw_name == 'nomad'
- stat_etc_nomad_d.stat.gr_name == 'nomad'
- stat_etc_nomad_d.stat.mode == '0755'
- stat_etc_nomad_d_nomad_env.stat.exists
- stat_etc_nomad_d_nomad_env.stat.isreg
- stat_etc_nomad_d_nomad_env.stat.pw_name == 'nomad'
- stat_etc_nomad_d_nomad_env.stat.gr_name == 'nomad'
- stat_etc_nomad_d_nomad_env.stat.mode == '0600'
- stat_etc_nomad_d_nomad_json.stat.exists
- stat_etc_nomad_d_nomad_json.stat.isreg
- stat_etc_nomad_d_nomad_json.stat.pw_name == 'nomad'
- stat_etc_nomad_d_nomad_json.stat.gr_name == 'nomad'
- stat_etc_nomad_d_nomad_json.stat.mode == '0600'
- slurp_etc_nomad_d_nomad_json.content != ''
- name: "Test: directory /opt/nomad"
block:
- name: "Stat directory /opt/nomad"
ansible.builtin.stat:
path: "/opt/nomad"
register: stat_opt_nomad
- name: "Verify directory /opt/nomad"
ansible.builtin.assert:
that:
- stat_opt_nomad.stat.exists
- stat_opt_nomad.stat.isdir
- stat_opt_nomad.stat.pw_name == 'nomad'
- stat_opt_nomad.stat.gr_name == 'nomad'
- stat_opt_nomad.stat.mode == '0755'
- name: "Test: service nomad"
block:
- name: "Get service nomad"
ansible.builtin.service_facts:
- name: "Stat file /etc/systemd/system/nomad.service"
ansible.builtin.stat:
path: "/etc/systemd/system/nomad.service"
register: stat_etc_systemd_system_nomad_service
- name: "Slurp file /etc/systemd/system/nomad.service"
ansible.builtin.slurp:
src: "/etc/systemd/system/nomad.service"
register: slurp_etc_systemd_system_nomad_service
- name: "Verify service nomad"
ansible.builtin.assert:
that:
- stat_etc_systemd_system_nomad_service.stat.exists
- stat_etc_systemd_system_nomad_service.stat.isreg
- stat_etc_systemd_system_nomad_service.stat.pw_name == 'root'
- stat_etc_systemd_system_nomad_service.stat.gr_name == 'root'
- stat_etc_systemd_system_nomad_service.stat.mode == '0644'
- slurp_etc_systemd_system_nomad_service.content != ''
- ansible_facts.services['nomad.service'] is defined
- ansible_facts.services['nomad.service']['source'] == 'systemd'
- ansible_facts.services['nomad.service']['state'] == 'running'
- ansible_facts.services['nomad.service']['status'] == 'enabled'
- name: "Test: bootstrap acl nomad"
block:
- name: "Command nomad acl bootstrap"
ansible.builtin.command: "nomad acl bootstrap -json"
environment:
NOMAD_ADDR: "http://{{ ansible_default_ipv4.address }}:4646"
changed_when: false
register: nomad_acl_bootstrap
- name: "Test: interaction nomad"
vars:
acl_token: "{{ nomad_acl_bootstrap.stdout|from_json|json_query('SecretID') }}"
block:
- name: "Command nomad var put"
ansible.builtin.command: "nomad var put secret/foobar foo=bar"
environment:
NOMAD_ADDR: "http://{{ ansible_default_ipv4.address }}:4646"
NOMAD_TOKEN: "{{ acl_token }}"
changed_when: false
register: nomad_var_put
- name: "Command nomad var get"
ansible.builtin.command: "nomad var get secret/foobar"
environment:
NOMAD_ADDR: "http://{{ ansible_default_ipv4.address }}:4646"
NOMAD_TOKEN: "{{ acl_token }}"
changed_when: false
register: nomad_var_get
- name: "Command nomad var purge"
ansible.builtin.command: "nomad var purge secret/foobar"
environment:
NOMAD_ADDR: "http://{{ ansible_default_ipv4.address }}:4646"
NOMAD_TOKEN: "{{ acl_token }}"
changed_when: false
register: nomad_var_purge
- name: "Command nomad server members"
ansible.builtin.command: "nomad server members"
environment:
NOMAD_ADDR: "http://{{ ansible_default_ipv4.address }}:4646"
NOMAD_TOKEN: "{{ acl_token }}"
changed_when: false
register: nomad_server_members
- name: "Verify nomad interaction"
ansible.builtin.assert:
that:
- "'instance.global' in nomad_server_members.stdout"
- "'\"Items\": {\n \"foo\": \"bar\"\n }' in nomad_var_put.stdout"
- "'\"Items\": {\n \"foo\": \"bar\"\n }' in nomad_var_get.stdout"
- nomad_var_purge.stdout == 'Successfully purged variable \"secret/foobar\"!'

8
molecule/vault_default/converge.yml
View File

@ -1,8 +0,0 @@
---
- name: Converge
hosts: all
become: true
tasks:
- name: "Include ednz_cloud.hashistack.vault"
ansible.builtin.include_role:
name: "ednz_cloud.hashistack.vault"

37
molecule/vault_default/molecule.yml
View File

@ -1,37 +0,0 @@
---
dependency:
name: galaxy
options:
requirements-file: ./requirements.yml
driver:
name: docker
platforms:
- name: instance
image: geerlingguy/docker-${MOLECULE_TEST_OS}-ansible
command: ""
volumes:
- /sys/fs/cgroup:/sys/fs/cgroup
cgroupns_mode: host
privileged: true
pre_build_image: true
provisioner:
name: ansible
config_options:
defaults:
remote_tmp: /tmp/.ansible
verifier:
name: ansible
scenario:
name: vault_default
test_sequence:
- dependency
- cleanup
- destroy
- syntax
- create
- prepare
- converge
- idempotence
- verify
- cleanup
- destroy

13
molecule/vault_default/prepare.yml
View File

@ -1,13 +0,0 @@
---
- name: Prepare
hosts: all
become: true
tasks:
- name: "Install pre-required system packages"
ansible.builtin.include_role:
name: ednz_cloud.manage_apt_packages
vars:
manage_apt_packages_list:
- name: unzip
version: latest
state: present

4
molecule/vault_default/requirements.yml
View File

@ -1,4 +0,0 @@
---
# requirements file for molecule
roles:
- name: ednz_cloud.manage_apt_packages

185
molecule/vault_default/verify.yml
View File

@ -1,185 +0,0 @@
---
- name: Verify
hosts: all
gather_facts: true
become: true
tasks:
- name: "Test: vault user and group"
block:
- name: "Getent user vault"
ansible.builtin.getent:
database: passwd
key: vault
register: vault_user
- name: "Getent group vault"
ansible.builtin.getent:
database: group
key: vault
register: vault_group
- name: "Verify vault user and group"
ansible.builtin.assert:
that:
- not vault_user.failed
- not vault_group.failed
- "'vault' in vault_user.ansible_facts.getent_passwd.keys()"
- "'/home/vault' in vault_user.ansible_facts.getent_passwd['vault']"
- "'/bin/false' in vault_user.ansible_facts.getent_passwd['vault']"
- "'vault' in vault_group.ansible_facts.getent_group.keys()"
- name: "Test: binary /usr/local/bin/vault"
block:
- name: "Stat binary /usr/local/bin/vault"
ansible.builtin.stat:
path: "/usr/local/bin/vault"
register: stat_usr_local_bin_vault
- name: "Verify binary /usr/local/bin/vault"
ansible.builtin.assert:
that:
- stat_usr_local_bin_vault.stat.exists
- stat_usr_local_bin_vault.stat.isreg
- stat_usr_local_bin_vault.stat.pw_name == 'root'
- stat_usr_local_bin_vault.stat.gr_name == 'root'
- stat_usr_local_bin_vault.stat.mode == '0755'
- name: "Test: directory /etc/vault.d"
block:
- name: "Stat directory /etc/vault.d"
ansible.builtin.stat:
path: "/etc/vault.d"
register: stat_etc_vault_d
- name: "Stat file /etc/vault.d/vault.env"
ansible.builtin.stat:
path: "/etc/vault.d/vault.env"
register: stat_etc_vault_d_vault_env
- name: "Stat file /etc/vault.d/vault.json"
ansible.builtin.stat:
path: "/etc/vault.d/vault.json"
register: stat_etc_vault_d_vault_json
- name: "Slurp file /etc/vault.d/vault.json"
ansible.builtin.slurp:
src: "/etc/vault.d/vault.json"
register: slurp_etc_vault_d_vault_json
- name: "Verify directory /etc/vault.d"
ansible.builtin.assert:
that:
- stat_etc_vault_d.stat.exists
- stat_etc_vault_d.stat.isdir
- stat_etc_vault_d.stat.pw_name == 'vault'
- stat_etc_vault_d.stat.gr_name == 'vault'
- stat_etc_vault_d.stat.mode == '0755'
- stat_etc_vault_d_vault_env.stat.exists
- stat_etc_vault_d_vault_env.stat.isreg
- stat_etc_vault_d_vault_env.stat.pw_name == 'vault'
- stat_etc_vault_d_vault_env.stat.gr_name == 'vault'
- stat_etc_vault_d_vault_env.stat.mode == '0600'
- stat_etc_vault_d_vault_json.stat.exists
- stat_etc_vault_d_vault_json.stat.isreg
- stat_etc_vault_d_vault_json.stat.pw_name == 'vault'
- stat_etc_vault_d_vault_json.stat.gr_name == 'vault'
- stat_etc_vault_d_vault_json.stat.mode == '0600'
- slurp_etc_vault_d_vault_json.content != ''
- name: "Test: directory /opt/vault"
block:
- name: "Stat directory /opt/vault"
ansible.builtin.stat:
path: "/opt/vault"
register: stat_opt_vault
- name: "Verify directory /opt/vault"
ansible.builtin.assert:
that:
- stat_opt_vault.stat.exists
- stat_opt_vault.stat.isdir
- stat_opt_vault.stat.pw_name == 'vault'
- stat_opt_vault.stat.gr_name == 'vault'
- stat_opt_vault.stat.mode == '0755'
- name: "Test: service vault"
block:
- name: "Get service vault"
ansible.builtin.service_facts:
- name: "Stat file /etc/systemd/system/vault.service"
ansible.builtin.stat:
path: "/etc/systemd/system/vault.service"
register: stat_etc_systemd_system_vault_service
- name: "Slurp file /etc/systemd/system/vault.service"
ansible.builtin.slurp:
src: "/etc/systemd/system/vault.service"
register: slurp_etc_systemd_system_vault_service
- name: "Verify service vault"
ansible.builtin.assert:
that:
- stat_etc_systemd_system_vault_service.stat.exists
- stat_etc_systemd_system_vault_service.stat.isreg
- stat_etc_systemd_system_vault_service.stat.pw_name == 'root'
- stat_etc_systemd_system_vault_service.stat.gr_name == 'root'
- stat_etc_systemd_system_vault_service.stat.mode == '0644'
- slurp_etc_systemd_system_vault_service.content != ''
- ansible_facts.services['vault.service'] is defined
- ansible_facts.services['vault.service']['source'] == 'systemd'
- ansible_facts.services['vault.service']['state'] == 'running'
- ansible_facts.services['vault.service']['status'] == 'enabled'
- name: "Test: bootstrap vault cluster"
block:
- name: "Command vault operator init"
ansible.builtin.command: "vault operator init -non-interactive -key-shares=3 -key-threshold=2 -format=json"
environment:
VAULT_ADDR: http://{{ ansible_default_ipv4.address }}:8200
changed_when: false
register: vault_operator_init
- name: "Test: unseal vault cluster"
vars:
vault_unseal_keys: "{{ vault_operator_init.stdout|from_json|json_query('unseal_keys_hex') }}"
block:
- name: "Command vault operator unseal"
ansible.builtin.command: "vault operator unseal -format=json {{ vault_unseal_keys[0] }}"
environment:
VAULT_ADDR: http://{{ ansible_default_ipv4.address }}:8200
changed_when: false
register: vault_operator_unseal_0
- name: "Command vault operator unseal"
ansible.builtin.command: "vault operator unseal -format=json {{ vault_unseal_keys[1] }}"
environment:
VAULT_ADDR: http://{{ ansible_default_ipv4.address }}:8200
changed_when: false
register: vault_operator_unseal_1
- name: "Verify vault operator unseal"
vars:
vault_seal_state_0: "{{ vault_operator_unseal_0.stdout|from_json|json_query('sealed') }}"
vault_seal_state_1: "{{ vault_operator_unseal_1.stdout|from_json|json_query('sealed') }}"
ansible.builtin.assert:
that:
- vault_seal_state_0
- not vault_seal_state_1
- name: "Test: vault interaction"
vars:
root_token: "{{ vault_operator_init.stdout|from_json|json_query('root_token') }}"
block:
- name: "Command vault secret enable"
ansible.builtin.command: "vault secrets enable -version=1 kv"
environment:
VAULT_ADDR: http://{{ ansible_default_ipv4.address }}:8200
VAULT_TOKEN: "{{ root_token }}"
changed_when: false
register: vault_secret_enable
- name: "Verify vault interaction"
ansible.builtin.assert:
that:
- vault_secret_enable.stdout == 'Success! Enabled the kv secrets engine at: kv/'

8
molecule/vault_with_raft_enabled/converge.yml
View File

@ -1,8 +0,0 @@
---
- name: Converge
hosts: all
become: true
tasks:
- name: "Include ednz_cloud.hashistack.vault"
ansible.builtin.include_role:
name: "ednz_cloud.hashistack.vault"

13
molecule/vault_with_raft_enabled/group_vars/all.yml
View File

@ -1,13 +0,0 @@
---
# defaults file for hashicorp_vault
#########################
# storage configuration #
#########################
vault_storage_configuration:
raft:
path: "{{ vault_data_dir }}"
node_id: "{{ ansible_hostname }}"
retry_join:
- leader_api_addr: "http://{{ vault_cluster_addr }}:8200"

37
molecule/vault_with_raft_enabled/molecule.yml
View File

@ -1,37 +0,0 @@
---
dependency:
name: galaxy
options:
requirements-file: ./requirements.yml
driver:
name: docker
platforms:
- name: instance
image: geerlingguy/docker-${MOLECULE_TEST_OS}-ansible
command: ""
volumes:
- /sys/fs/cgroup:/sys/fs/cgroup
cgroupns_mode: host
privileged: true
pre_build_image: true
provisioner:
name: ansible
config_options:
defaults:
remote_tmp: /tmp/.ansible
verifier:
name: ansible
scenario:
name: vault_with_raft_enabled
test_sequence:
- dependency
- cleanup
- destroy
- syntax
- create
- prepare
- converge
- idempotence
- verify
- cleanup
- destroy

13
molecule/vault_with_raft_enabled/prepare.yml
View File

@ -1,13 +0,0 @@
---
- name: Prepare
hosts: all
become: true
tasks:
- name: "Install pre-required system packages"
ansible.builtin.include_role:
name: ednz_cloud.manage_apt_packages
vars:
manage_apt_packages_list:
- name: unzip
version: latest
state: present

4
molecule/vault_with_raft_enabled/requirements.yml
View File

@ -1,4 +0,0 @@
---
# requirements file for molecule
roles:
- name: ednz_cloud.manage_apt_packages

185
molecule/vault_with_raft_enabled/verify.yml
View File

@ -1,185 +0,0 @@
---
- name: Verify
hosts: all
gather_facts: true
become: true
tasks:
- name: "Test: vault user and group"
block:
- name: "Getent user vault"
ansible.builtin.getent:
database: passwd
key: vault
register: vault_user
- name: "Getent group vault"
ansible.builtin.getent:
database: group
key: vault
register: vault_group
- name: "Verify vault user and group"
ansible.builtin.assert:
that:
- not vault_user.failed
- not vault_group.failed
- "'vault' in vault_user.ansible_facts.getent_passwd.keys()"
- "'/home/vault' in vault_user.ansible_facts.getent_passwd['vault']"
- "'/bin/false' in vault_user.ansible_facts.getent_passwd['vault']"
- "'vault' in vault_group.ansible_facts.getent_group.keys()"
- name: "Test: binary /usr/local/bin/vault"
block:
- name: "Stat binary /usr/local/bin/vault"
ansible.builtin.stat:
path: "/usr/local/bin/vault"
register: stat_usr_local_bin_vault
- name: "Verify binary /usr/local/bin/vault"
ansible.builtin.assert:
that:
- stat_usr_local_bin_vault.stat.exists
- stat_usr_local_bin_vault.stat.isreg
- stat_usr_local_bin_vault.stat.pw_name == 'root'
- stat_usr_local_bin_vault.stat.gr_name == 'root'
- stat_usr_local_bin_vault.stat.mode == '0755'
- name: "Test: directory /etc/vault.d"
block:
- name: "Stat directory /etc/vault.d"
ansible.builtin.stat:
path: "/etc/vault.d"
register: stat_etc_vault_d
- name: "Stat file /etc/vault.d/vault.env"
ansible.builtin.stat:
path: "/etc/vault.d/vault.env"
register: stat_etc_vault_d_vault_env
- name: "Stat file /etc/vault.d/vault.json"
ansible.builtin.stat:
path: "/etc/vault.d/vault.json"
register: stat_etc_vault_d_vault_json
- name: "Slurp file /etc/vault.d/vault.json"
ansible.builtin.slurp:
src: "/etc/vault.d/vault.json"
register: slurp_etc_vault_d_vault_json
- name: "Verify directory /etc/vault.d"
ansible.builtin.assert:
that:
- stat_etc_vault_d.stat.exists
- stat_etc_vault_d.stat.isdir
- stat_etc_vault_d.stat.pw_name == 'vault'
- stat_etc_vault_d.stat.gr_name == 'vault'
- stat_etc_vault_d.stat.mode == '0755'
- stat_etc_vault_d_vault_env.stat.exists
- stat_etc_vault_d_vault_env.stat.isreg
- stat_etc_vault_d_vault_env.stat.pw_name == 'vault'
- stat_etc_vault_d_vault_env.stat.gr_name == 'vault'
- stat_etc_vault_d_vault_env.stat.mode == '0600'
- stat_etc_vault_d_vault_json.stat.exists
- stat_etc_vault_d_vault_json.stat.isreg
- stat_etc_vault_d_vault_json.stat.pw_name == 'vault'
- stat_etc_vault_d_vault_json.stat.gr_name == 'vault'
- stat_etc_vault_d_vault_json.stat.mode == '0600'
- slurp_etc_vault_d_vault_json.content != ''
- name: "Test: directory /opt/vault"
block:
- name: "Stat directory /opt/vault"
ansible.builtin.stat:
path: "/opt/vault"
register: stat_opt_vault
- name: "Verify directory /opt/vault"
ansible.builtin.assert:
that:
- stat_opt_vault.stat.exists
- stat_opt_vault.stat.isdir
- stat_opt_vault.stat.pw_name == 'vault'
- stat_opt_vault.stat.gr_name == 'vault'
- stat_opt_vault.stat.mode == '0755'
- name: "Test: service vault"
block:
- name: "Get service vault"
ansible.builtin.service_facts:
- name: "Stat file /etc/systemd/system/vault.service"
ansible.builtin.stat:
path: "/etc/systemd/system/vault.service"
register: stat_etc_systemd_system_vault_service
- name: "Slurp file /etc/systemd/system/vault.service"
ansible.builtin.slurp:
src: "/etc/systemd/system/vault.service"
register: slurp_etc_systemd_system_vault_service
- name: "Verify service vault"
ansible.builtin.assert:
that:
- stat_etc_systemd_system_vault_service.stat.exists
- stat_etc_systemd_system_vault_service.stat.isreg
- stat_etc_systemd_system_vault_service.stat.pw_name == 'root'
- stat_etc_systemd_system_vault_service.stat.gr_name == 'root'
- stat_etc_systemd_system_vault_service.stat.mode == '0644'
- slurp_etc_systemd_system_vault_service.content != ''
- ansible_facts.services['vault.service'] is defined
- ansible_facts.services['vault.service']['source'] == 'systemd'
- ansible_facts.services['vault.service']['state'] == 'running'
- ansible_facts.services['vault.service']['status'] == 'enabled'
- name: "Test: bootstrap vault cluster"
block:
- name: "Command vault operator init"
ansible.builtin.command: "vault operator init -non-interactive -key-shares=3 -key-threshold=2 -tls-skip-verify -format=json"
environment:
VAULT_ADDR: "http://{{ ansible_default_ipv4.address }}:8200"
changed_when: false
register: vault_operator_init
- name: "Test: unseal vault cluster"
vars:
vault_unseal_keys: "{{ vault_operator_init.stdout|from_json|json_query('unseal_keys_hex') }}"
block:
- name: "Command vault operator unseal"
ansible.builtin.command: "vault operator unseal -format=json -tls-skip-verify {{ vault_unseal_keys[0] }}"
environment:
VAULT_ADDR: "http://{{ ansible_default_ipv4.address }}:8200"
changed_when: false
register: vault_operator_unseal_0
- name: "Command vault operator unseal"
ansible.builtin.command: "vault operator unseal -format=json -tls-skip-verify {{ vault_unseal_keys[1] }}"
environment:
VAULT_ADDR: "http://{{ ansible_default_ipv4.address }}:8200"
changed_when: false
register: vault_operator_unseal_1
- name: "Verify vault operator unseal"
vars:
vault_seal_state_0: "{{ vault_operator_unseal_0.stdout|from_json|json_query('sealed') }}"
vault_seal_state_1: "{{ vault_operator_unseal_1.stdout|from_json|json_query('sealed') }}"
ansible.builtin.assert:
that:
- vault_seal_state_0
- not vault_seal_state_1
- name: "Test: vault interaction"
vars:
root_token: "{{ vault_operator_init.stdout|from_json|json_query('root_token') }}"
block:
- name: "Command vault secret enable"
ansible.builtin.command: "vault secrets enable -version=1 -tls-skip-verify kv"
environment:
VAULT_ADDR: "http://{{ ansible_default_ipv4.address }}:8200"
VAULT_TOKEN: "{{ root_token }}"
changed_when: false
register: vault_secret_enable
- name: "Verify vault interaction"
ansible.builtin.assert:
that:
- vault_secret_enable.stdout == 'Success! Enabled the kv secrets engine at: kv/'

25
playbooks/bootstrap.yml
View File

@ -1,19 +1,10 @@
--- ---
# hashistack prepare playbook # hashistack prepare playbook
- name: "Bootstrap" - name: "Bootstrap"
hosts: all, !deployment hosts: all
gather_facts: true gather_facts: true
become: true become: true
tasks: tasks:
- name: "Isntall unzip with package manager"
ansible.builtin.include_role:
name: ednz_cloud.manage_apt_packages
vars:
manage_apt_packages_list:
- name: unzip
version: latest
state: present
- name: "Install hvac library with pip" - name: "Install hvac library with pip"
ansible.builtin.include_role: ansible.builtin.include_role:
name: ednz_cloud.manage_pip_packages name: ednz_cloud.manage_pip_packages
@ -36,6 +27,20 @@
state: present state: present
when: "'haproxy_servers' in group_names" when: "'haproxy_servers' in group_names"
- name: "Include ednz_cloud.install_docker"
ansible.builtin.include_role:
name: ednz_cloud.install_docker
vars:
install_docker_edition: ce
install_docker_auto_update: false
install_docker_start_service: true
install_docker_compose: false
install_docker_python_packages: false
install_docker_users:
- "{{ ansible_user }}"
install_docker_daemon_options: {}
#! when: "'nomad_agents' in group_names"
- name: "Ensure /etc/localtime exists" - name: "Ensure /etc/localtime exists"
ansible.builtin.file: ansible.builtin.file:
src: /etc/timezone src: /etc/timezone

69
playbooks/deploy.yml
View File

@ -1,55 +1,68 @@
--- ---
# hashistack deployment playbook # hashistack deployment playbook
- name: "Deploy" - name: "Deploy"
hosts: "{{ target | default('all, !deployment') }}" hosts: all
strategy: linear strategy: linear
gather_facts: true gather_facts: true
any_errors_fatal: true
become: true become: true
tasks: tasks:
- name: "Import variables" - name: "Import variables"
ansible.builtin.include_role: ansible.builtin.import_tasks:
name: ednz_cloud.hashistack.hashistack file: tasks/load_vars.yml
tags: tags:
- always - always
# Consul nodes deployment
- name: "Deploy Consul" - name: "Deploy Consul"
tags: tags:
- consul - consul
when: when:
- enable_consul | bool - enable_consul | bool
ansible.builtin.include_tasks: block:
file: tasks/consul/consul_deploy.yml - name: "Deploy Consul Control Plane"
ansible.builtin.import_tasks:
file: tasks/consul/consul_deploy.yml
when:
- "'consul_servers' in group_names"
# Vault nodes deployment - name: "Deploy Consul Agents"
- name: "Deploy Vault" ansible.builtin.include_role:
name: ednz_cloud.hashicorp_consul
when:
- "'consul_agents' in group_names"
- name: "Deploy Haproxy & Keepalived"
ansible.builtin.import_tasks:
file: tasks/haproxy/haproxy_deploy.yml
when:
- enable_haproxy | bool
- "'haproxy_servers' in group_names"
tags: tags:
- vault - haproxy
- name: "Deploy Vault"
ansible.builtin.import_tasks:
file: tasks/vault/vault_deploy.yml
when: when:
- enable_vault | bool - enable_vault | bool
ansible.builtin.include_tasks: - "'vault_servers' in group_names"
file: tasks/vault/vault_deploy.yml tags:
- vault
# Nomad nodes deployment
- name: "Deploy Nomad" - name: "Deploy Nomad"
tags: tags:
- nomad - nomad
when: when:
- enable_nomad | bool - enable_nomad | bool
ansible.builtin.include_tasks: block:
file: tasks/nomad/nomad_deploy.yml - name: "Deploy Nomad Control Plane"
ansible.builtin.import_tasks:
file: tasks/nomad/nomad_deploy.yml
when:
- "('nomad_servers' in group_names)"
# - fail: - name: "Deploy Nomad Clients"
# Haproxy nodes deployment ansible.builtin.include_role:
# - name: "Deploy Proxies" name: ednz_cloud.hashicorp_nomad
# tags: when:
# - haproxy - "('nomad_clients' in group_names)"
# when: - "('nomad_servers' not in group_names)"
# - enable_haproxy | bool
# block:
# - name: "Deploy Haproxy & Keepalived"
# ansible.builtin.import_tasks:
# file: tasks/haproxy/haproxy_deploy.yml
# when:
# - "'haproxy_servers' in group_names"

362
playbooks/generate_certs.yml
View File

@ -1,21 +1,365 @@
--- ---
# hashistack generate certificates playbook # hashistack generate certificates playbook
- name: "Generate certificates" - name: "Generate certificates"
hosts: all, !deployment hosts: all
strategy: linear strategy: linear
gather_facts: true gather_facts: true
become: true become: true
tasks: tasks:
- name: "Import variables" - name: "Import variables"
ansible.builtin.include_role: ansible.builtin.import_tasks:
name: ednz_cloud.hashistack.hashistack file: tasks/load_vars.yml
tags: tags:
- always - always
- name: "Create Certificate Authority" - name: "Create temporary cert directory in {{ sub_configuration_directories['certificates'] }}" # noqa: run-once[task]
ansible.builtin.include_role: ansible.builtin.file:
name: ednz_cloud.hashistack.hashistack_ca path: "{{ sub_configuration_directories['certificates'] }}/external"
apply: state: directory
delegate_to: localhost owner: "{{ lookup('env', 'USER') }}"
group: "{{ lookup('env', 'USER') }}"
mode: "0755"
delegate_to: localhost
run_once: true
- name: "Generate external certificates" # noqa: run-once[task]
delegate_to: localhost
run_once: true
block:
- name: "Create temporary cert directory in {{ sub_configuration_directories['certificates'] }}" # noqa: run-once[task]
ansible.builtin.file:
path: "{{ sub_configuration_directories['certificates'] }}/external"
state: directory
owner: "{{ lookup('env', 'USER') }}"
group: "{{ lookup('env', 'USER') }}"
mode: "0755"
- name: "Create private keys"
community.crypto.openssl_privatekey:
path: "{{ sub_configuration_directories['certificates'] }}/external/{{ item.fqdn }}.pem.key"
owner: "{{ lookup('env', 'USER') }}"
group: "{{ lookup('env', 'USER') }}"
loop:
- name: nomad
fqdn: "{{ nomad_fqdn }}"
- name: vault
fqdn: "{{ vault_fqdn }}"
- name: consul
fqdn: "{{ consul_fqdn }}"
- name: "Create certificate signing request"
community.crypto.openssl_csr_pipe:
privatekey_path: "{{ sub_configuration_directories['certificates'] }}/external/{{ item.fqdn }}.pem.key"
common_name: "{{ item.fqdn }}"
organization_name: EDNZ Cloud
register: csr
loop:
- name: nomad
fqdn: "{{ nomad_fqdn }}"
- name: vault
fqdn: "{{ vault_fqdn }}"
- name: consul
fqdn: "{{ consul_fqdn }}"
- name: "Create self-signed certificate from CSR"
community.crypto.x509_certificate:
path: "{{ sub_configuration_directories['certificates'] }}/external/{{ item.item.fqdn }}.pem"
csr_content: "{{ item.csr }}"
privatekey_path: "{{ sub_configuration_directories['certificates'] }}/external/{{ item.item.fqdn }}.pem.key"
provider: selfsigned
owner: "{{ lookup('env', 'USER') }}"
group: "{{ lookup('env', 'USER') }}"
loop: "{{ csr.results }}"
- name: "Generate internal certificates"
tags: tags:
- always - never
- internal
delegate_to: localhost
vars:
hashistack_ca_key_path: "{{ sub_configuration_directories['certificates'] }}/ca/ca.key"
hashistack_ca_cert_path: "{{ sub_configuration_directories['certificates'] }}/ca/ca.crt"
block:
- name: "Create internal CA" # noqa: run-once[task]
run_once: true
block:
- name: "Create temporary cert directory in {{ sub_configuration_directories['certificates'] }}" # noqa: run-once[task]
ansible.builtin.file:
path: "{{ sub_configuration_directories['certificates'] }}/ca"
state: directory
owner: "{{ lookup('env', 'USER') }}"
group: "{{ lookup('env', 'USER') }}"
mode: "0755"
- name: "Create CA private key"
community.crypto.openssl_privatekey:
path: "{{ hashistack_ca_key_path }}"
owner: "{{ lookup('env', 'USER') }}"
group: "{{ lookup('env', 'USER') }}"
- name: "Create CA signing request"
community.crypto.openssl_csr_pipe:
privatekey_path: "{{ hashistack_ca_key_path }}"
common_name: "CA"
organization_name: EDNZ Cloud
use_common_name_for_san: false
basic_constraints:
- CA:TRUE
basic_constraints_critical: true
key_usage:
- keyCertSign
key_usage_critical: true
register: ca_csr
- name: "Create self-signed CA certificate from CSR"
community.crypto.x509_certificate:
path: "{{ hashistack_ca_cert_path }}"
csr_content: "{{ ca_csr.csr }}"
privatekey_path: "{{ hashistack_ca_key_path }}"
provider: selfsigned
owner: "{{ lookup('env', 'USER') }}"
group: "{{ lookup('env', 'USER') }}"
- name: "Create Vault certificates"
when:
- "'vault_servers' in group_names"
vars:
vault_private_key_path: "{{ sub_configuration_directories['certificates'] }}/vault/{{ inventory_hostname }}/key.pem"
vault_certificate_path: "{{ sub_configuration_directories['certificates'] }}/vault/{{ inventory_hostname }}/cert.pem"
block:
- name: "Create temporary cert directory in {{ sub_configuration_directories['certificates'] }}" # noqa: run-once[task]
ansible.builtin.file:
path: "{{ sub_configuration_directories['certificates'] }}/vault/{{ inventory_hostname }}"
state: directory
owner: "{{ lookup('env', 'USER') }}"
group: "{{ lookup('env', 'USER') }}"
mode: "0755"
- name: "Create Vault certificate keys"
community.crypto.openssl_privatekey:
path: "{{ vault_private_key_path }}"
owner: "{{ lookup('env', 'USER') }}"
group: "{{ lookup('env', 'USER') }}"
- name: "Create CSRs for Vault servers"
community.crypto.openssl_csr_pipe:
privatekey_path: "{{ vault_private_key_path }}"
common_name: "{{ inventory_hostname }}"
subject_alt_name:
- "DNS:{{ inventory_hostname }}"
- "DNS:active.vault.service.consul"
- "DNS:standby.vault.service.consul"
- "DNS:vault.service.consul"
- "DNS:localhost"
- "IP:{{ api_interface_address }}"
- "IP:127.0.0.1"
key_usage_critical: true
key_usage:
- Digital Signature
- Key Encipherment
- Key Agreement
extended_key_usage:
- TLS Web Server Authentication
- TLS Web Client Authentication
organization_name: EDNZ Cloud
use_common_name_for_san: false
register: vault_csr
- name: "Sign certificates with internal CA"
community.crypto.x509_certificate:
path: "{{ vault_certificate_path }}"
csr_content: "{{ vault_csr.csr }}"
provider: ownca
ownca_path: "{{ hashistack_ca_cert_path }}"
ownca_privatekey_path: "{{ hashistack_ca_key_path }}"
ownca_not_after: "+365d"
ownca_not_before: "-1d"
- name: "Concatenate CA and Child certificates"
block:
- name: "Read content of ca.crt"
ansible.builtin.slurp:
src: "{{ hashistack_ca_cert_path }}"
register: ca_crt_content
- name: "Read content of cert.pem"
ansible.builtin.slurp:
src: "{{ vault_certificate_path }}"
register: cert_pem_content
- name: "Concatenate certificates"
ansible.builtin.copy:
content: |
{{ cert_pem_content['content'] | b64decode }}{{ ca_crt_content['content'] | b64decode }}
dest: "{{ vault_certificate_path }}"
owner: "{{ lookup('env', 'USER') }}"
group: "{{ lookup('env', 'USER') }}"
mode: "0644"
- name: "Create Consul certificates"
when:
- "('consul_servers' in group_names) or ('consul_agents' in group_names)"
vars:
consul_private_key_path: "{{ sub_configuration_directories['certificates'] }}/consul/{{ inventory_hostname }}/key.pem"
consul_certificate_path: "{{ sub_configuration_directories['certificates'] }}/consul/{{ inventory_hostname }}/cert.pem"
block:
- name: "Create temporary cert directory in {{ sub_configuration_directories['certificates'] }}" # noqa: run-once[task]
ansible.builtin.file:
path: "{{ sub_configuration_directories['certificates'] }}/consul/{{ inventory_hostname }}"
state: directory
owner: "{{ lookup('env', 'USER') }}"
group: "{{ lookup('env', 'USER') }}"
mode: "0755"
- name: "Create Consul certificate keys"
community.crypto.openssl_privatekey:
path: "{{ consul_private_key_path }}"
owner: "{{ lookup('env', 'USER') }}"
group: "{{ lookup('env', 'USER') }}"
- name: "Create CSRs for Consul servers"
vars:
consul_csr_sans: >-
{%- set sans_list = [
'DNS:' + inventory_hostname,
'DNS:consul.service.consul',
'DNS:localhost',
'IP:' + api_interface_address,
'IP:127.0.0.1'
] -%}
{%- if hashicorp_consul_configuration.server -%}
{%- set _ = sans_list.append('DNS:server.' ~ hashicorp_consul_configuration.datacenter ~ '.' ~ hashicorp_consul_configuration.domain) -%}
{%- endif -%}
{{ sans_list }}
community.crypto.openssl_csr_pipe:
privatekey_path: "{{ consul_private_key_path }}"
common_name: "{{ inventory_hostname }}"
subject_alt_name: "{{ consul_csr_sans }}"
key_usage_critical: true
key_usage:
- Digital Signature
- Key Encipherment
- Key Agreement
extended_key_usage:
- TLS Web Server Authentication
- TLS Web Client Authentication
organization_name: EDNZ Cloud
use_common_name_for_san: false
register: consul_csr
- name: "Sign certificates with internal CA"
community.crypto.x509_certificate:
path: "{{ consul_certificate_path }}"
csr_content: "{{ consul_csr.csr }}"
provider: ownca
ownca_path: "{{ hashistack_ca_cert_path }}"
ownca_privatekey_path: "{{ hashistack_ca_key_path }}"
ownca_not_after: "+365d"
ownca_not_before: "-1d"
- name: "Concatenate CA and Child certificates"
block:
- name: "Read content of ca.crt"
ansible.builtin.slurp:
src: "{{ hashistack_ca_cert_path }}"
register: ca_crt_content
- name: "Read content of cert.pem"
ansible.builtin.slurp:
src: "{{ consul_certificate_path }}"
register: cert_pem_content
- name: "Concatenate certificates"
ansible.builtin.copy:
content: |
{{ cert_pem_content['content'] | b64decode }}{{ ca_crt_content['content'] | b64decode }}
dest: "{{ consul_certificate_path }}"
owner: "{{ lookup('env', 'USER') }}"
group: "{{ lookup('env', 'USER') }}"
mode: "0644"
- name: "Create Nomad certificates"
when:
- "('nomad_servers' in group_names) or ('nomad_clients' in group_names)"
vars:
nomad_private_key_path: "{{ sub_configuration_directories['certificates'] }}/nomad/{{ inventory_hostname }}/key.pem"
nomad_certificate_path: "{{ sub_configuration_directories['certificates'] }}/nomad/{{ inventory_hostname }}/cert.pem"
block:
- name: "Create temporary cert directory in {{ sub_configuration_directories['certificates'] }}" # noqa: run-once[task]
ansible.builtin.file:
path: "{{ sub_configuration_directories['certificates'] }}/nomad/{{ inventory_hostname }}"
state: directory
owner: "{{ lookup('env', 'USER') }}"
group: "{{ lookup('env', 'USER') }}"
mode: "0755"
- name: "Create Nomad certificate keys"
community.crypto.openssl_privatekey:
path: "{{ nomad_private_key_path }}"
owner: "{{ lookup('env', 'USER') }}"
group: "{{ lookup('env', 'USER') }}"
- name: "Create CSRs for Nomad servers"
vars:
nomad_csr_sans: >-
{%- set sans_list = [
'DNS:' + inventory_hostname,
'DNS:localhost',
'IP:' + api_interface_address,
'IP:127.0.0.1'
] -%}
{%- if hashicorp_nomad_configuration.server.enabled -%}
{%- set _ = sans_list.append('DNS:server.' ~ hashicorp_nomad_configuration.region ~ '.nomad') -%}
{%- if (enable_consul | bool) -%}
{%- set _ = sans_list.append('DNS:nomad.service.consul') -%}
{%- endif -%}
{%- endif -%}
{%- if hashicorp_nomad_configuration.client.enabled -%}
{%- set _ = sans_list.append('DNS:client.' ~ hashicorp_nomad_configuration.region ~ '.nomad') -%}
{%- endif -%}
{{ sans_list }}
community.crypto.openssl_csr_pipe:
privatekey_path: "{{ nomad_private_key_path }}"
common_name: "{{ inventory_hostname }}"
subject_alt_name: "{{ nomad_csr_sans }}"
key_usage_critical: true
key_usage:
- Digital Signature
- Key Encipherment
extended_key_usage:
- TLS Web Server Authentication
- TLS Web Client Authentication
organization_name: EDNZ Cloud
use_common_name_for_san: false
register: nomad_csr
- name: "Sign certificates with internal CA"
community.crypto.x509_certificate:
path: "{{ nomad_certificate_path }}"
csr_content: "{{ nomad_csr.csr }}"
provider: ownca
ownca_path: "{{ hashistack_ca_cert_path }}"
ownca_privatekey_path: "{{ hashistack_ca_key_path }}"
ownca_not_after: "+365d"
ownca_not_before: "-1d"
- name: "Concatenate CA and Child certificates"
block:
- name: "Read content of ca.crt"
ansible.builtin.slurp:
src: "{{ hashistack_ca_cert_path }}"
register: ca_crt_content
- name: "Read content of cert.pem"
ansible.builtin.slurp:
src: "{{ nomad_certificate_path }}"
register: cert_pem_content
- name: "Concatenate certificates"
ansible.builtin.copy:
content: |
{{ cert_pem_content['content'] | b64decode }}{{ ca_crt_content['content'] | b64decode }}
dest: "{{ nomad_certificate_path }}"
owner: "{{ lookup('env', 'USER') }}"
group: "{{ lookup('env', 'USER') }}"
mode: "0644"

36
playbooks/generate_credentials.yml
View File

@ -1,7 +1,7 @@
--- ---
# hashistack generate certificates playbook # hashistack generate certificates playbook
- name: "Generate credentials" - name: "Generate credentials"
hosts: deployment hosts: localhost
strategy: linear strategy: linear
gather_facts: true gather_facts: true
become: true become: true
@ -9,19 +9,8 @@
- name: "Generate consul credentials" - name: "Generate consul credentials"
block: block:
- name: "Generate consul gossip encryption key" - name: "Generate consul gossip encryption key"
block: ansible.builtin.set_fact:
- name: "Generate 24 random bytes and base64 encode" _consul_gossip_encryption_key: "{{ lookup('ansible.builtin.password', '/dev/null', chars=['ascii_letters','digits']) | b64encode }}"
ansible.builtin.shell:
cmd: |
set -o pipefail
dd if=/dev/urandom bs=24 count=1 2>/dev/null | base64
executable: /bin/bash
changed_when: false
register: _consul_random_base64_string
- name: "Generate consul gossip encryption key"
ansible.builtin.set_fact:
_consul_gossip_encryption_key: "{{ _consul_random_base64_string.stdout }}"
- name: "Generate consul root credentials" - name: "Generate consul root credentials"
ansible.builtin.set_fact: ansible.builtin.set_fact:
@ -50,19 +39,8 @@
- name: "Generate nomad credentials" - name: "Generate nomad credentials"
block: block:
- name: "Generate nomad gossip encryption key" - name: "Generate nomad gossip encryption key"
block: ansible.builtin.set_fact:
- name: "Generate 24 random bytes and base64 encode" _nomad_gossip_encryption_key: "{{ lookup('ansible.builtin.password', '/dev/null', chars=['ascii_letters','digits']) | b64encode }}"
ansible.builtin.shell:
cmd: |
set -o pipefail
dd if=/dev/urandom bs=24 count=1 2>/dev/null | base64
executable: /bin/bash
changed_when: false
register: _nomad_random_base64_string
- name: "Generate nomad gossip encryption key"
ansible.builtin.set_fact:
_nomad_gossip_encryption_key: "{{ _nomad_random_base64_string.stdout }}"
- name: "Generate nomad root credentials" - name: "Generate nomad root credentials"
ansible.builtin.set_fact: ansible.builtin.set_fact:
@ -70,7 +48,7 @@
- name: "Ensure secrets directory is created" - name: "Ensure secrets directory is created"
ansible.builtin.file: ansible.builtin.file:
path: "{{ hashistack_sub_configuration_directories['secrets'] }}" path: "{{ sub_configuration_directories['secrets'] }}"
state: directory state: directory
owner: "{{ lookup('env', 'USER') }}" owner: "{{ lookup('env', 'USER') }}"
group: "{{ lookup('env', 'USER') }}" group: "{{ lookup('env', 'USER') }}"
@ -79,7 +57,7 @@
- name: "Write credentials file" - name: "Write credentials file"
ansible.builtin.template: ansible.builtin.template:
src: templates/credentials.yml.j2 src: templates/credentials.yml.j2
dest: "{{ hashistack_sub_configuration_directories['secrets'] }}/{{ hashistack_configuration_credentials_vars_file }}" dest: "{{ sub_configuration_directories['secrets'] }}/{{ configuration_credentials_vars_file }}"
owner: "{{ lookup('env', 'USER') }}" owner: "{{ lookup('env', 'USER') }}"
group: "{{ lookup('env', 'USER') }}" group: "{{ lookup('env', 'USER') }}"
mode: '0644' mode: '0644'

29
playbooks/group_vars/all/all.yml
View File

@ -5,19 +5,24 @@
manage_pip_packages_allow_break_system_packages: "{{ ansible_distribution == 'Debian' and ansible_distribution_version == '12' }}" manage_pip_packages_allow_break_system_packages: "{{ ansible_distribution == 'Debian' and ansible_distribution_version == '12' }}"
hashistack_configuration_directory: "{{ lookup('env', 'PWD') }}/etc/hashistack" configuration_directory: "{{ lookup('env', 'PWD') }}/etc/hashistack"
hashistack_sub_configuration_directories: sub_configuration_directories:
secrets: "{{ hashistack_configuration_directory }}/secrets" secrets: "{{ configuration_directory }}/secrets"
certificates: "{{ hashistack_configuration_directory }}/certificates" certificates: "{{ configuration_directory }}/certificates"
nomad_servers: "{{ hashistack_configuration_directory }}/nomad_servers" nomad_servers: "{{ configuration_directory }}/nomad_servers"
vault_servers: "{{ hashistack_configuration_directory }}/vault_servers" vault_servers: "{{ configuration_directory }}/vault_servers"
consul_servers: "{{ hashistack_configuration_directory }}/consul_servers" consul_servers: "{{ configuration_directory }}/consul_servers"
hashistack_configuration_global_vars_file: "globals.yml" configuration_global_vars_file: "globals.yml"
hashistack_configuration_credentials_vars_file: "credentials.yml" configuration_credentials_vars_file: "credentials.yml"
hashistack_remote_config_dir: "/etc/hashistack" hashistack_remote_config_dir: "/etc/hashistack"
hashistack_remote_log_dir: "/var/log/hashistack" hashistack_remote_data_dir: "/opt/hashistack"
default_container_extra_volumes:
- "/etc/timezone:/etc/timezone"
- "/etc/localtime:/etc/localtime"
- "/etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt:ro"
################### ###################
# support options # # support options #
@ -39,6 +44,4 @@ preflight_enable_host_ntp_checks: true
haproxy_required_ports: [80, 443] haproxy_required_ports: [80, 443]
vault_required_ports: [8200, 8201] vault_required_ports: [8200, 8201]
consul_required_ports: [8300, 8301, 8302, 8500, 8501, 8502, 8503, 8600] consul_required_ports: [8300, 8301, 8302, 8500, 8501, 8502, 8503, 8600]
nomad_required_ports: [4646, 4647, 4648] nomad_required_ports: []
target: all, !deployment

4
playbooks/group_vars/all/cni.yml
View File

@ -1,4 +0,0 @@
---
cni_plugins_version: "v1.5.1"
cni_plugins_install_path: /opt/cni/bin
cni_plugins_install_consul_cni: true

242
playbooks/group_vars/all/consul.yml
View File

@ -1,5 +1,9 @@
--- ---
consul_init_server: "{{ (inventory_hostname == groups['consul_servers'][0]) | bool }}" #####################################################
# #
# Non-Editable #
# #
#####################################################
##################### #####################
# consul api config # # consul api config #
@ -10,106 +14,36 @@ consul_api_scheme: "{{ 'https' if consul_enable_tls else 'http' }}"
consul_api_port: consul_api_port:
http: 8500 http: 8500
https: 8501 https: 8501
consul_grpc_port:
http: 8502
https: 8503
########## ##########################
# Consul # # consul haproxy backend #
########## ##########################
consul_config_dir: "{{ hashistack_remote_config_dir }}/consul.d" consul_haproxy_frontend_options:
consul_data_dir: "/opt/consul" - acl is_consul hdr(host) -i {{ consul_fqdn }}
consul_certs_dir: "{{ consul_config_dir }}/tls" - use_backend consul_external if is_consul
consul_logs_dir: "{{ hashistack_remote_log_dir }}/consul"
consul_envoy_install: false consul_haproxy_backends:
consul_envoy_version: latest - name: consul_external
options: "{{ consul_external_backend_options + consul_external_backend_servers }}"
consul_extra_files: true consul_external_backend_options:
# consul_extra_files_list: [] - description consul external http backend
- option forwardfor
- option httpchk
- http-check send meth GET uri /
- default-server inter 2s fastinter 1s downinter 1s
consul_env_variables: {} consul_external_backend_servers: |
[
{% for host in groups['consul_servers'] %}
'server consul-{{ hostvars[host].api_interface_address }} {{ hostvars[host].api_interface_address }}:{{ hostvars[host].consul_api_port[consul_api_scheme] }} check {{ 'ssl verify none ' if consul_enable_tls }}inter 5s'{% if not loop.last %},{% endif %}
{% endfor %}
]
####################### ############################
# extra configuration # # consul ACL configuration #
####################### ############################
# You should prioritize adding configuration
# to the configuration entries below, this
# option should be used to add pieces of configuration not
# available through standard variables.
# consul_extra_configuration: {}
###########
# general #
###########
# consul_domain: consul
# consul_datacenter: dc1
# consul_primary_datacenter: "{{ consul_datacenter }}"
# consul_gossip_encryption_key: "{{ _credentials.consul.gossip_encryption_key }}"
# consul_enable_script_checks: false
#######################
# leave configuration #
#######################
consul_leave_on_terminate: true
consul_rejoin_after_leave: true
######################
# join configuration #
######################
consul_join_configuration:
retry_join: |
{{
groups['consul_servers'] |
map('extract', hostvars, ['consul_address_configuration', 'bind_addr']) |
list |
to_json |
from_json
}}
retry_interval: 30s
retry_max: 0
########################
# server configuration #
########################
consul_enable_server: "{{ 'consul_servers' in group_names }}"
consul_bootstrap_expect: "{{ (groups['consul_servers'] | length) }}"
####################
# ui configuration #
####################
consul_ui_configuration:
enabled: "{{ consul_enable_server }}"
#########################
# address configuration #
#########################
consul_bind_addr: "0.0.0.0"
consul_advertise_addr: "{{ api_interface_address }}"
consul_address_configuration:
client_addr: "{{ consul_bind_addr }}"
bind_addr: "{{ consul_advertise_addr }}"
advertise_addr: "{{ consul_advertise_addr }}"
#####################
# ACL configuration #
#####################
consul_acl_configuration:
enabled: true
default_policy: "deny"
enable_token_persistence: true
tokens:
agent: "{{ _credentials.consul.tokens.agent.secret_id }}"
consul_default_agent_policy: | consul_default_agent_policy: |
node_prefix "" { node_prefix "" {
@ -119,61 +53,73 @@ consul_default_agent_policy: |
policy = "read" policy = "read"
} }
############################## #######################
# service mesh configuration # # consul internal tls #
############################## #######################
consul_mesh_configuration: consul_certificates_directory: "{{ hashicorp_consul_config_dir }}/tls"
enabled: true consul_certificates_extra_files_dir:
- src: "{{ sub_configuration_directories['certificates'] }}/consul/{{ inventory_hostname }}"
dest: "{{ consul_certificates_directory }}"
##################### #########################
# DNS configuration # # consul role variables #
##################### #########################
consul_dns_configuration: hashicorp_consul_start_service: true
allow_stale: true hashicorp_consul_service_name: "consul"
enable_truncate: true hashicorp_consul_version: "{{ consul_version }}"
only_passing: true hashicorp_consul_env_variables: {}
hashicorp_consul_config_dir: "/etc/consul.d"
hashicorp_consul_data_dir: "/opt/consul"
hashicorp_consul_extra_files: true
hashicorp_consul_extra_files_list: "{{ ([] +
(consul_certificates_extra_files_dir if consul_enable_tls else []) +
consul_extra_files_list)
| unique
| sort
}}"
hashicorp_consul_envoy_install: false
hashicorp_consul_envoy_version: v1.27.2
hashicorp_consul_configuration:
domain: "{{ consul_domain }}"
datacenter: "{{ consul_datacenter }}"
primary_datacenter: "{{ consul_primary_datacenter }}"
data_dir: "{{ hashicorp_consul_data_dir }}"
encrypt: "{{ _credentials.consul.gossip_encryption_key }}"
server: "{{ 'consul_servers' in group_names }}"
retry_join: "{{
groups['consul_servers'] |
map('extract', hostvars, ['consul_address_configuration', 'bind_addr']) |
list |
to_json |
from_json
}}"
ui_config: "{{ consul_ui_configuration }}"
connect: "{{ consul_mesh_configuration }}"
leave_on_terminate: "{{ consul_leave_on_terminate }}"
rejoin_after_leave: "{{ consul_rejoin_after_leave }}"
enable_script_checks: "{{ consul_enable_script_checks }}"
enable_syslog: true
acl: "{{ consul_acl_configuration }}"
dns_config: "{{ consul_dns_configuration }}"
ports:
dns: 8600
server: 8300
serf_lan: 8301
serf_wan: 8302
sidecar_min_port: 21000
sidecar_max_port: 21255
expose_min_port: 21500
expose_max_port: 21755
################ # this is used to circumvent jinja limitation to convert string to integer
# internal tls # hashicorp_consul_configuration_string: |
################ ports:
http: {{ (consul_api_port.http|int) if not consul_enable_tls else ('-1' | int) }}
https: {{ (consul_api_port.https|int) if consul_enable_tls else ('-1' | int) }}
grpc: {{ ('8502'|int) if not consul_enable_tls else ('-1' | int) }}
grpc_tls: {{ ('8503'|int) if consul_enable_tls else ('-1' | int) }}
# consul_enable_tls: false hashicorp_consul_servers_configuration_string: |
consul_tls_configuration: bootstrap_expect: {{ (groups['consul_servers'] | length) }}
defaults:
ca_file: "/etc/ssl/certs/ca-certificates.crt"
cert_file: "{{ consul_certs_dir }}/fullchain.crt"
key_file: "{{ consul_certs_dir }}/cert.key"
verify_incoming: false
verify_outgoing: true
internal_rpc:
verify_server_hostname: true
consul_certificates_extra_files_dir: >
{{
[] if external_tls_externally_managed_certs | bool else
[{
'src': "{{ hashistack_sub_configuration_directories['certificates'] }}/consul/{{ inventory_hostname }}",
'dest': "{{ consul_certs_dir }}"
}]
}}
###########################
# telemetry configuration #
###########################
consul_enable_prometheus_metrics: false
consul_prometheus_retention_time: 60s
consul_telemetry_configuration: {}
###########
# logging #
###########
# consul_log_level: info
consul_enable_log_to_file: "{{ enable_log_to_file | bool }}"
consul_log_to_file_configuration:
log_file: "{{ consul_logs_dir }}/consul.log"
log_rotate_duration: 24h
log_rotate_max_files: 30

285
playbooks/group_vars/all/globals.yml
View File

@ -1,13 +1,14 @@
--- ---
################### ##########################
# General options # # General options ########
################### ##########################
enable_ingress: "yes" enable_haproxy: "yes"
enable_vault: "yes" enable_vault: "yes"
enable_consul: "yes" enable_consul: "yes"
enable_nomad: "yes" enable_nomad: "yes"
haproxy_version: "2.8"
nomad_version: "1.8.1" nomad_version: "1.8.1"
consul_version: "1.18.1" consul_version: "1.18.1"
vault_version: "1.16.2" vault_version: "1.16.2"
@ -16,20 +17,14 @@ consul_fqdn: consul.ednz.lab
vault_fqdn: vault.ednz.lab vault_fqdn: vault.ednz.lab
nomad_fqdn: nomad.ednz.lab nomad_fqdn: nomad.ednz.lab
# hashistack_external_vip_interface: "eth0" hashistack_external_vip_interface: "eth0"
# hashistack_external_vip_addr: "192.168.121.100" hashistack_external_vip_addr: "192.168.121.100"
# hashistack_internal_vip_interface: "{{ hashistack_external_vip_interface }}" hashistack_internal_vip_interface: "{{ hashistack_external_vip_interface }}"
# hashistack_internal_vip_addr: "{{ hashistack_external_vip_addr }}" hashistack_internal_vip_addr: "{{ hashistack_external_vip_addr }}"
api_interface: "eth0" api_interface: "eth0"
api_interface_address: "{{ ansible_facts[api_interface]['ipv4']['address'] }}" api_interface_address: "{{ ansible_facts[api_interface]['ipv4']['address'] }}"
###################
# logging options #
###################
enable_log_to_file: true
######################## ########################
# external tls options # # external tls options #
######################## ########################
@ -37,72 +32,248 @@ enable_log_to_file: true
enable_tls_external: false enable_tls_external: false
external_tls_externally_managed_certs: false external_tls_externally_managed_certs: false
######################## #####################################################
# internal tls options # # #
######################## # Consul #
# #
enable_tls_internal: false #####################################################
internal_tls_externally_managed_certs: false
##########
# Consul #
##########
consul_domain: consul consul_domain: consul
consul_datacenter: dc1 consul_datacenter: dc1
consul_primary_datacenter: "{{ consul_datacenter }}" consul_primary_datacenter: dc1
consul_gossip_encryption_key: "{{ _credentials.consul.gossip_encryption_key }}" consul_leave_on_terminate: true
consul_enable_script_checks: false consul_rejoin_after_leave: true
consul_enable_script_checks: true
################################
# consul address configuration #
################################
consul_address_configuration:
# The address to which Consul will bind client interfaces,
# including the HTTP and DNS servers.
client_addr: "0.0.0.0"
# The address that should be bound to for internal cluster communications.
bind_addr: "{{ api_interface_address }}"
# The advertise address is used to change the address that we advertise to other nodes in the cluster.
advertise_addr: "{{ api_interface_address }}"
############################
# consul ACL configuration #
############################
consul_acl_configuration:
enabled: true
default_policy: "deny" # can be allow or deny
enable_token_persistence: true
############################
# consul DNS configuration #
############################
consul_dns_configuration:
allow_stale: true
enable_truncate: true
only_passing: true
###########################
# consul ui configuration #
###########################
consul_ui_configuration:
enabled: "{{ 'consul_servers' in group_names }}"
#####################################
# consul service mesh configuration #
#####################################
consul_mesh_configuration:
enabled: true
############################
# consul tls configuration #
############################
consul_enable_tls: false
consul_tls_configuration:
defaults:
ca_file: "/etc/ssl/certs/ca-certificates.crt"
cert_file: "{{ consul_certificates_directory }}/cert.pem"
key_file: "{{ consul_certificates_directory }}/key.pem"
verify_incoming: false
verify_outgoing: true
internal_rpc:
verify_server_hostname: true
############################
# consul container volumes #
############################
extra_consul_container_volumes: []
##############################
# consul extra configuration #
##############################
consul_extra_files_list: []
consul_extra_configuration: {} consul_extra_configuration: {}
consul_extra_files_list: []
consul_enable_tls: "{{ enable_tls_internal }}" #####################################################
# #
consul_log_level: info # Vault #
# #
######### #####################################################
# Vault #
#########
vault_cluster_name: vault vault_cluster_name: vault
vault_bind_addr: "0.0.0.0"
vault_cluster_addr: "{{ api_interface_address }}"
vault_enable_ui: true vault_enable_ui: true
vault_disable_mlock: false vault_seal_configuration:
vault_disable_cache: false key_shares: 3
key_threshold: 2
vault_extra_files_list: [] #################
vault_extra_configuration: {} # vault storage #
#################
vault_enable_tls: "{{ enable_tls_internal }}" vault_storage_configuration:
raft:
path: "{{ hashicorp_vault_data_dir }}"
node_id: "{{ ansible_hostname }}"
retry_join: |
[
{% for host in groups['vault_servers'] %}
{
'leader_api_addr': '{{ "https" if vault_enable_tls else "http"}}://{{ hostvars[host].api_interface_address }}:8200'
}{% if not loop.last %},{% endif %}
{% endfor %}
]
##################
# vault listener #
##################
vault_enable_tls: false
vault_tls_verify: false
vault_listener_configuration:
tcp:
address: "0.0.0.0:8200"
tls_disable: true
vault_tls_listener_configuration:
tcp:
tls_disable: false
tls_cert_file: "{{ vault_certificates_directory }}/cert.pem"
tls_key_file: "{{ vault_certificates_directory }}/key.pem"
tls_disable_client_certs: true
vault_extra_listener_configuration: {}
########################
# service registration #
########################
vault_enable_service_registration: "{{ enable_consul | bool }}" vault_enable_service_registration: "{{ enable_consul | bool }}"
vault_service_registration_configuration:
consul:
address: "127.0.0.1:{{ hostvars[groups['consul_servers'][0]].consul_api_port[hostvars[groups['consul_servers'][0]].consul_api_scheme] }}"
scheme: "{{ hostvars[groups['consul_servers'][0]].consul_api_scheme }}"
token: "{{ _credentials.consul.tokens.vault.secret_id }}"
#################
# vault plugins #
#################
vault_enable_plugins: false vault_enable_plugins: false
vault_log_level: info ###########
# logging #
###########
######### vault_enable_log_to_file: false
# Nomad # vault_logging_configuration:
######### log_level: info
log_format: standard
log_rotate_duration: 24h
log_rotate_max_files: 30
###########################
# vault container volumes #
###########################
extra_vault_container_volumes: []
#############################
# vault extra configuration #
#############################
vault_extra_configuration: {}
vault_extra_files_list: []
#####################################################
# #
# Nomad #
# #
#####################################################
nomad_region: global
nomad_datacenter: dc1 nomad_datacenter: dc1
nomad_region: global
nomad_extra_files_list: [] ###########################
nomad_extra_configuration: {} # nomad ACL configuration #
###########################
nomad_autopilot_configuration: {} nomad_acl_configuration:
enabled: true
token_ttl: 30s
policy_ttl: 60s
role_ttl: 60s
nomad_driver_enable_docker: true ############################
nomad_driver_enable_podman: false # nomad consul integration #
nomad_driver_enable_raw_exec: false ############################
nomad_driver_enable_java: false
nomad_driver_enable_qemu: false nomad_enable_consul_integration: "{{ enable_consul | bool }}"
nomad_consul_integration_configuration:
address: "127.0.0.1:{{ hashicorp_consul_configuration.ports.https if consul_enable_tls else hashicorp_consul_configuration.ports.http }}"
auto_advertise: true
ssl: "{{ consul_enable_tls | bool }}"
token: "{{ _credentials.consul.tokens.nomad.server.secret_id if nomad_enable_server else _credentials.consul.tokens.nomad.client.secret_id}}"
tags: []
############################
# nomad vault integration #
############################
nomad_enable_vault_integration: false
nomad_vault_integration_configuration: {}
###############################
# nomad drivers configuration #
###############################
nomad_driver_enable_docker: yes
nomad_driver_enable_podman: no
nomad_driver_enable_raw_exec: no
nomad_driver_enable_java: no
nomad_driver_enable_qemu: no
nomad_driver_extra_configuration: {} nomad_driver_extra_configuration: {}
nomad_log_level: info ######################
# nomad internal tls #
######################
nomad_enable_tls: "{{ enable_tls_internal }}" nomad_enable_tls: false
nomad_tls_configuration:
http: true
rpc: true
ca_file: "/etc/ssl/certs/ca-certificates.crt"
cert_file: "{{ nomad_certificates_directory }}/cert.pem"
key_file: "{{ nomad_certificates_directory }}/key.pem"
verify_server_hostname: true
#############################
# nomad extra configuration #
#############################
nomad_extra_configuration: {}
nomad_extra_files_list: []

2
playbooks/group_vars/all/haproxy.yml
View File

@ -10,7 +10,7 @@ deploy_haproxy_version: "{{ haproxy_version }}"
deploy_haproxy_env_variables: {} deploy_haproxy_env_variables: {}
deploy_haproxy_start_service: true deploy_haproxy_start_service: true
deploy_haproxy_cert_dir: "{{ hashistack_sub_configuration_directories['certificates']~'/external' if (enable_tls_external and not external_tls_externally_managed_certs) }}" deploy_haproxy_cert_dir: "{{ sub_configuration_directories['certificates']~'/external' if (enable_tls_external and not external_tls_externally_managed_certs) }}"
deploy_haproxy_extra_container_volumes: [] deploy_haproxy_extra_container_volumes: []
deploy_haproxy_global: deploy_haproxy_global:
- log /dev/log local0 - log /dev/log local0

130
playbooks/group_vars/all/hashistack_ca.yml
View File

@ -1,130 +0,0 @@
---
# defaults
hashistack_ca_directory: "/etc/hashistack/certificates"
hashistack_ca_use_cryptography: false
hashistack_ca_action: "noop"
hashistack_ca_domain: example.com
hashistack_ca_directory_owner: root
##############################
# Root Certificate Authority #
##############################
hashistack_ca_root_org_name: EDNZ Cloud
hashistack_ca_root_country: FR
hashistack_ca_root_locality: Paris
hashistack_ca_root_common_name: "{{ hashistack_ca_domain }} Root CA"
hashistack_ca_root_email:
hashistack_ca_root_key_usage:
- keyCertSign
- cRLSign
hashistack_ca_root_key_usage_critical: true
hashistack_ca_root_basic_constraints:
- CA:TRUE
hashistack_ca_root_basic_constraints_critical: true
# Optional fields
hashistack_ca_root_state_or_province_name:
hashistack_ca_root_email_address:
# Validity
hashistack_ca_root_valid_for: 1825d
hashistack_ca_root_renew_threshold: 180d
######################################
# Intermediate Certificate Authority #
######################################
hashistack_ca_intermediate_org_name: EDNZ Cloud Intermediate
hashistack_ca_intermediate_country: FR
hashistack_ca_intermediate_locality: Paris
hashistack_ca_intermediate_common_name: "{{ hashistack_ca_domain }} Intermediate CA"
hashistack_ca_intermediate_email:
hashistack_ca_intermediate_key_usage:
- keyCertSign
- cRLSign
hashistack_ca_intermediate_key_usage_critical: true
hashistack_ca_intermediate_basic_constraints:
- CA:TRUE
- pathlen:0
hashistack_ca_intermediate_basic_constraints_critical: true
# Optional fields
hashistack_ca_intermediate_state_or_province_name:
hashistack_ca_intermediate_email_address:
# Validity
hashistack_ca_intermediate_valid_for: 365d
hashistack_ca_intermediate_renew_threshold: 90d
# Name Constraints
hashistack_ca_intermediate_name_constraints_permitted:
- "DNS:.{{ hashistack_ca_domain }}"
- DNS:.nomad
- DNS:.consul
- DNS:localhost
- IP:192.168.0.0/16
- IP:172.16.0.0/16
- IP:10.0.0.0/8
- IP:127.0.0.0/8
hashistack_ca_intermediate_name_constraints_critical: "{{ (hashistack_ca_intermediate_name_constraints_permitted is defined and hashistack_ca_intermediate_name_constraints_permitted | length > 0) }}"
#####################
# Leaf certificates #
#####################
hashistack_ca_leaf_valid_for: 90d
hashistack_ca_leaf_renew_threshold: 30d
############################
# Consul Leaf Certificates #
############################
hashistack_ca_consul_org_name: "{{ hashistack_ca_root_org_name }}"
hashistack_ca_consul_common_name: "{{ inventory_hostname }}"
hashistack_ca_consul_csr_sans: >-
{%- set sans_list = [
'DNS:' + inventory_hostname,
'DNS:consul.service.consul',
'DNS:localhost',
'IP:' + api_interface_address,
'IP:127.0.0.1'
] -%}
{%- if consul_enable_server -%}
{%- set _ = sans_list.append('DNS:server.' ~ consul_datacenter ~ '.' ~ consul_domain) -%}
{%- endif -%}
{{ sans_list }}
###########################
# Nomad Leaf Certificates #
###########################
hashistack_ca_nomad_org_name: "{{ hashistack_ca_root_org_name }}"
hashistack_ca_nomad_common_name: "{{ inventory_hostname }}"
hashistack_ca_nomad_csr_sans: >-
{%- set sans_list = [
'DNS:' + inventory_hostname,
'DNS:localhost',
'IP:' + api_interface_address,
'IP:127.0.0.1'
] -%}
{%- if nomad_enable_server -%}
{%- set _ = sans_list.append('DNS:server.' ~ nomad_region ~ '.nomad') -%}
{%- if (enable_consul | bool) -%}
{%- set _ = sans_list.append('DNS:nomad.service.consul') -%}
{%- endif -%}
{%- endif -%}
{%- if nomad_enable_client -%}
{%- set _ = sans_list.append('DNS:client.' ~ nomad_region ~ '.nomad') -%}
{%- endif -%}
{{ sans_list }}
###########################
# Vault Leaf Certificates #
###########################
hashistack_ca_vault_org_name: "{{ hashistack_ca_root_org_name }}"
hashistack_ca_vault_common_name: "{{ inventory_hostname }}"
hashistack_ca_vault_csr_sans:
- "DNS:{{ inventory_hostname }}"
- "DNS:active.vault.service.consul"
- "DNS:standby.vault.service.consul"
- "DNS:vault.service.consul"
- "DNS:localhost"
- "IP:{{ api_interface_address }}"
- "IP:127.0.0.1"

313
playbooks/group_vars/all/nomad.yml
View File

@ -1,5 +1,9 @@
--- ---
nomad_init_server: "{{ (inventory_hostname == groups['nomad_servers'][0]) | bool }}" #####################################################
# #
# Non-Editable #
# #
#####################################################
#################### ####################
# nomad api config # # nomad api config #
@ -11,188 +15,60 @@ nomad_api_port:
http: "{{ nomad_address_configuration.ports.http }}" http: "{{ nomad_address_configuration.ports.http }}"
https: "{{ nomad_address_configuration.ports.http }}" https: "{{ nomad_address_configuration.ports.http }}"
#########
# Nomad #
#########
nomad_config_dir: "{{ hashistack_remote_config_dir }}/nomad.d"
nomad_data_dir: "/opt/nomad"
nomad_certs_dir: "{{ nomad_config_dir }}/tls"
nomad_logs_dir: "{{ hashistack_remote_log_dir }}/nomad"
nomad_extra_files: true
# nomad_extra_files_list: []
nomad_env_variables: {}
#######################
# extra configuration #
#######################
# You should prioritize adding configuration
# to the configuration entries below, this
# option should be used to add pieces of configuration not
# available through standard variables.
# nomad_extra_configuration: {}
###########
# general #
###########
# nomad_region: global
# nomad_datacenter: dc1
######################### #########################
# address configuration # # nomad haproxy backend #
######################### #########################
nomad_bind_addr: "0.0.0.0" nomad_haproxy_frontend_options:
nomad_advertise_addr: "{{ api_interface_address }}" - acl is_nomad hdr(host) -i {{ nomad_fqdn }}
- use_backend nomad_external if is_nomad
nomad_haproxy_backends:
- name: nomad_external
options: "{{ nomad_external_backend_options + nomad_external_backend_servers }}"
nomad_external_backend_options:
- description nomad external http backend
- option forwardfor
- option httpchk
- http-check send meth GET uri /
- default-server inter 2s fastinter 1s downinter 1s
nomad_external_backend_servers: |
[
{% for host in groups['nomad_servers'] %}
'server nomad-{{ hostvars[host].api_interface_address }} {{ hostvars[host].api_interface_address }}:{{ hostvars[host].nomad_api_port[nomad_api_scheme] }} check {{ 'ssl verify none ' if nomad_enable_tls }}inter 5s'{% if not loop.last %},{% endif %}
{% endfor %}
]
###############################
# nomad address configuration #
###############################
nomad_address_configuration: nomad_address_configuration:
bind_addr: "{{ nomad_bind_addr }}" bind_addr: "{{ api_interface_address }}"
addresses: addresses:
http: "{{ nomad_advertise_addr }}" http: "{{ api_interface_address }}"
rpc: "{{ nomad_advertise_addr }}" rpc: "{{ api_interface_address }}"
serf: "{{ nomad_advertise_addr }}" serf: "{{ api_interface_address }}"
advertise: advertise:
http: "{{ nomad_advertise_addr }}" http: "{{ api_interface_address }}"
rpc: "{{ nomad_advertise_addr }}" rpc: "{{ api_interface_address }}"
serf: "{{ nomad_advertise_addr }}" serf: "{{ api_interface_address }}"
ports: ports:
http: 4646 http: 4646
rpc: 4647 rpc: 4647
serf: 4648 serf: 4648
########################### #################################
# autopilot configuration # # nomad autopilot configuration #
########################### #################################
# nomad_autopilot_configuration: {} nomad_autopilot_configuration: {}
####################### ############################
# leave configuration # # nomad consul integration #
####################### ############################
nomad_leave_on_interrupt: false
nomad_leave_on_terminate: false
########################
# server configuration #
########################
nomad_enable_server: "{{ ('nomad_servers' in group_names) | bool }}"
nomad_server_bootstrap_expect: "{{ (groups['nomad_servers'] | length) }}"
nomad_server_configuration:
enabled: "{{ nomad_enable_server }}"
data_dir: "{{ nomad_data_dir }}/server"
encrypt: "{{ _credentials.nomad.gossip_encryption_key }}"
##############################
# client configuration #
##############################
nomad_enable_client: "{{ ('nomad_clients' in group_names) | bool }}"
nomad_client_configuration:
enabled: "{{ nomad_enable_client }}"
state_dir: "{{ nomad_data_dir }}/client"
cni_path: "{{ cni_plugins_install_path | default('/opt/cni/bin') }}"
bridge_network_name: nomad
bridge_network_subnet: "172.26.64.0/20"
####################
# ui configuration #
####################
nomad_ui_configuration:
enabled: "{{ nomad_enable_server }}"
#########################
# drivers configuration #
#########################
nomad_driver_enable_docker: true
nomad_driver_enable_podman: false
nomad_driver_enable_raw_exec: false
nomad_driver_enable_java: false
nomad_driver_enable_qemu: false
nomad_driver_configuration:
raw_exec:
enabled: false
nomad_driver_extra_configuration: {}
###########
# logging #
###########
nomad_log_level: info
nomad_enable_log_to_file: "{{ enable_log_to_file | bool }}"
nomad_log_to_file_configuration:
log_file: "{{ nomad_logs_dir }}/nomad.log"
log_rotate_duration: 24h
log_rotate_max_files: 30
#####################
# ACL configuration #
#####################
nomad_acl_configuration:
enabled: true
token_ttl: 30s
policy_ttl: 60s
role_ttl: 60s
################
# internal tls #
################
nomad_enable_tls: false
nomad_tls_configuration:
http: true
rpc: true
ca_file: "/etc/ssl/certs/ca-certificates.crt"
cert_file: "{{ nomad_certs_dir }}/fullchain.crt"
key_file: "{{ nomad_certs_dir }}/cert.key"
verify_server_hostname: true
nomad_certificates_extra_files_dir: >
{{
[] if external_tls_externally_managed_certs | bool else
[{
'src': "{{ hashistack_sub_configuration_directories['certificates'] }}/nomad/{{ inventory_hostname }}",
'dest': "{{ nomad_certs_dir }}"
}]
}}
###########################
# telemetry configuration #
###########################
nomad_telemetry_configuration:
collection_interval: 10s
disable_hostname: false
use_node_name: false
publish_allocation_metrics: false
publish_node_metrics: false
prefix_filter: []
disable_dispatched_job_summary_metrics: false
prometheus_metrics: false
######################
# consul integration #
######################
nomad_enable_consul_integration: "{{ enable_consul | bool }}"
nomad_consul_integration_configuration:
address: >-
127.0.0.1:{{ consul_api_port[consul_api_scheme] }}
auto_advertise: true
ssl: "{{ consul_enable_tls | bool }}"
token: >-
{{ _credentials.consul.tokens.nomad.server.secret_id if nomad_enable_server else _credentials.consul.tokens.nomad.client.secret_id }}
tags: []
nomad_consul_integration_tls_configuration: nomad_consul_integration_tls_configuration:
ca_file: "/etc/ssl/certs/ca-certificates.crt" ca_file: "/etc/ssl/certs/ca-certificates.crt"
@ -202,8 +78,7 @@ nomad_consul_integration_server_configuration:
nomad_consul_integration_client_configuration: nomad_consul_integration_client_configuration:
client_auto_join: true client_auto_join: true
grpc_address: >- grpc_address: "127.0.0.1:{{ hashicorp_consul_configuration.ports.grpc_tls if consul_enable_tls else hashicorp_consul_configuration.ports.grpc }}"
127.0.0.1:{{ consul_grpc_port[consul_api_scheme] }}
nomad_consul_integration_client_tls_configuration: nomad_consul_integration_client_tls_configuration:
grpc_ca_file: "/etc/ssl/certs/ca-certificates.crt" grpc_ca_file: "/etc/ssl/certs/ca-certificates.crt"
@ -232,9 +107,93 @@ nomad_consul_integration_client_policy: |
policy = "write" policy = "write"
} }
############################ #############################
# nomad vault integration # # nomad leave configuration #
############################ #############################
nomad_enable_vault_integration: false # node will leave the cluster if the process is stopped
nomad_vault_integration_configuration: {} # and if it is only a client
nomad_leave_on_interrupt: "{{ (('nomad_clients' in group_names) and not ('nomad_servers' in group_names)) | bool }}"
nomad_leave_on_terminate: "{{ (('nomad_clients' in group_names) and not ('nomad_servers' in group_names)) | bool }}"
##########################
# nomad ui configuration #
##########################
nomad_ui_configuration:
enabled: "{{ ('nomad_servers' in group_names) | bool }}"
##############################
# nomad server configuration #
##############################
nomad_enable_server: "{{ ('nomad_servers' in group_names) | bool }}"
nomad_server_configuration:
enabled: "{{ nomad_enable_server }}"
data_dir: "{{ hashicorp_nomad_data_dir }}/server"
encrypt: "{{ _credentials.nomad.gossip_encryption_key }}"
##############################
# nomad client configuration #
##############################
nomad_enable_client: "{{ ('nomad_clients' in group_names) | bool }}"
nomad_client_configuration:
enabled: "{{ nomad_enable_client }}"
state_dir: "{{ hashicorp_nomad_data_dir }}/client"
bridge_network_name: nomad
bridge_network_subnet: "172.26.64.0/20"
###############################
# nomad drivers configuration #
###############################
nomad_driver_configuration:
raw_exec:
enabled: "{{ nomad_driver_enable_raw_exec | bool }}"
######################
# nomad internal tls #
######################
nomad_certificates_directory: "{{ hashicorp_nomad_config_dir }}/tls"
nomad_certificates_extra_files_dir:
- src: "{{ sub_configuration_directories['certificates'] }}/nomad/{{ inventory_hostname }}"
dest: "{{ nomad_certificates_directory }}"
########################
# nomad role variables #
########################
hashicorp_nomad_start_service: true
hashicorp_nomad_service_name: "nomad"
hashicorp_nomad_cni_plugins_install: true
hashicorp_nomad_cni_plugins_version: latest
hashicorp_nomad_cni_plugins_install_path: /opt/cni/bin
hashicorp_nomad_version: "{{ nomad_version }}"
hashicorp_nomad_env_variables: {}
hashicorp_nomad_config_dir: "/etc/nomad.d"
hashicorp_nomad_data_dir: /opt/nomad
hashicorp_nomad_extra_files: true
hashicorp_nomad_extra_files_list: "{{ ([] +
(nomad_certificates_extra_files_dir if nomad_enable_tls else []) +
nomad_extra_files_list)
| unique
| sort
}}"
hashicorp_nomad_configuration:
datacenter: "{{ nomad_datacenter }}"
region: "{{ nomad_region }}"
bind_addr: "0.0.0.0"
data_dir: "{{ hashicorp_nomad_data_dir }}"
leave_on_interrupt: "{{ nomad_leave_on_interrupt }}"
leave_on_terminate: "{{ nomad_leave_on_terminate }}"
acl: "{{ nomad_acl_configuration }}"
server: "{{ nomad_server_configuration }}"
client: "{{ nomad_client_configuration }}"
ui: "{{ nomad_ui_configuration }}"
# this is used to circumvent jinja limitation to convert string to integer
hashicorp_nomad_configuration_string: |
server:
bootstrap_expect: {{ (groups['nomad_servers'] | length) }}

178
playbooks/group_vars/all/vault.yml
View File

@ -1,126 +1,90 @@
--- ---
vault_init_server: "{{ (inventory_hostname == groups['vault_servers'][0]) | bool }}" #####################################################
# #
######### # Non-Editable #
# Vault # # #
######### #####################################################
vault_config_dir: "{{ hashistack_remote_config_dir }}/vault.d"
vault_data_dir: "/opt/vault"
vault_certs_dir: "{{ vault_config_dir }}/tls"
vault_logs_dir: "{{ hashistack_remote_log_dir }}/vault"
vault_extra_files: true
# vault_extra_files_list: []
vault_env_variables: {}
#######################
# extra configuration #
#######################
# You should prioritize adding configuration
# to the configuration entries below, this
# option should be used to add pieces of configuration not
# available through standard variables.
# vault_extra_configuration: {}
###########
# general #
###########
# vault_cluster_name: vault
# vault_bind_addr: "0.0.0.0"
# vault_cluster_addr: "{{ api_interface_address }}"
# vault_enable_ui: true
# vault_disable_mlock: false
# vault_disable_cache: false
######################
# seal configuration #
######################
vault_seal_configuration:
key_shares: 3
key_threshold: 2
######################### #########################
# storage configuration # # vault haproxy backend #
######################### #########################
vault_storage_configuration: vault_haproxy_frontend_options:
raft: - acl is_vault hdr(host) -i {{ vault_fqdn }}
path: "{{ vault_data_dir }}" - use_backend vault_external if is_vault
node_id: "{{ ansible_hostname }}"
retry_join: >-
[
{% for host in groups['vault_servers'] %}
{
'leader_api_addr': '{{ "https" if vault_enable_tls else "http"}}://{{ hostvars[host].api_interface_address }}:8200'
}{% if not loop.last %},{% endif %}
{% endfor %}
]
########################## vault_haproxy_backends:
# listener configuration # - name: vault_external
########################## options: "{{ vault_external_backend_options + vault_external_backend_servers }}"
# vault_enable_tls: false vault_external_backend_options:
vault_listener_configuration: - description vault external http backend
- tcp: - option forwardfor
address: "{{ vault_cluster_addr }}:8200" - option httpchk GET /v1/sys/health?standbyok=true&sealedcode=200&standbycode=200&uninitcode=200
tls_disable: true - http-check expect status 200
- default-server inter 2s fastinter 1s downinter 1s
vault_tls_listener_configuration: vault_external_backend_servers: |
- tcp: [
tls_disable: false {% for host in groups['vault_servers'] %}
tls_cert_file: "{{ vault_certs_dir }}/fullchain.crt" 'server vault-{{ hostvars[host].api_interface_address }} {{ hostvars[host].api_interface_address }}:8200 check {{ 'ssl verify none ' if vault_enable_tls }}inter 5s'{% if not loop.last %},{% endif %}
tls_key_file: "{{ vault_certs_dir }}/cert.key" {% endfor %}
tls_disable_client_certs: true ]
vault_certificates_extra_files_dir: > ######################
{{ # vault internal tls #
[] if external_tls_externally_managed_certs | bool else ######################
[{
'src': "{{ hashistack_sub_configuration_directories['certificates'] }}/vault/{{ inventory_hostname }}",
'dest': "{{ vault_certs_dir }}"
}]
}}
vault_extra_listener_configuration: [] vault_certificates_directory: "{{ hashicorp_vault_config_dir }}/tls"
vault_certificates_extra_files_dir:
- src: "{{ sub_configuration_directories['certificates'] }}/vault/{{ inventory_hostname }}"
dest: "{{ vault_certificates_directory }}"
######################## #################
# service registration # # vault plugins #
######################## #################
# vault_enable_service_registration: "{{ enable_consul | bool }}" vault_plugin_directory: "{{ hashicorp_vault_config_dir }}/plugin"
vault_service_registration_configuration: vault_plugin_extra_files_dir:
consul: - src: "{{ sub_configuration_directories['vault_servers'] }}/plugin"
address: >- dest: "{{ vault_plugin_directory }}"
127.0.0.1:{{ hostvars[groups['consul_servers'][0]].consul_api_port[hostvars[groups['consul_servers'][0]].consul_api_scheme] }}
scheme: "{{ hostvars[groups['consul_servers'][0]].consul_api_scheme }}" ##############################
token: "{{ _credentials.consul.tokens.vault.secret_id }}" # vault service registration #
##############################
vault_service_registration_policy: | vault_service_registration_policy: |
service "vault" { service "vault" {
policy = "write" policy = "write"
} }
######################### ########################
# plugins configuration # # vault role variables #
######################### ########################
# vault_enable_plugins: false hashicorp_vault_start_service: true
vault_plugins_directory: "{{ vault_config_dir }}/plugins" hashicorp_vault_service_name: "vault"
hashicorp_vault_version: "{{ vault_version }}"
################# hashicorp_vault_env_variables: {}
# vault logging # hashicorp_vault_config_dir: "/etc/vault.d"
################# hashicorp_vault_data_dir: "/opt/vault"
hashicorp_vault_extra_files: true
# vault_log_level: info hashicorp_vault_extra_files_list: "{{ ([] +
vault_enable_log_to_file: "{{ enable_log_to_file | bool }}" (vault_certificates_extra_files_dir if vault_enable_tls else []) +
vault_log_to_file_configuration: (vault_plugin_extra_files_dir if vault_enable_plugins else []) +
log_file: "{{ vault_logs_dir }}/vault.log" vault_extra_files_list)
log_rotate_duration: 24h | unique
log_rotate_max_files: 30 | sort
}}"
hashicorp_vault_extra_files_src: "{{ sub_configuration_directories.vault_servers }}/config"
hashicorp_vault_extra_files_dst: "{{ hashicorp_vault_config_dir }}/config"
hashicorp_vault_extra_container_volumes: "{{ default_container_extra_volumes | union(extra_vault_container_volumes) | unique | sort }}"
hashicorp_vault_configuration:
cluster_name: "{{ vault_cluster_name }}"
cluster_addr: "{{ 'https' if vault_enable_tls else 'http'}}://{{ api_interface_address }}:8201"
api_addr: "{{ 'https' if vault_enable_tls else 'http'}}://{{ api_interface_address }}:8200"
ui: "{{ vault_enable_ui }}"
disable_mlock: false
disable_cache: false
listener: "{{ vault_listener_configuration }}"
storage: "{{ vault_storage_configuration }}"

14
playbooks/inventory/multinode.ini
View File

@ -22,8 +22,6 @@ nomad-client01
nomad-client02 nomad-client02
nomad-client03 nomad-client03
[consul_agents]
[consul_agents:children] [consul_agents:children]
haproxy_servers haproxy_servers
vault_servers vault_servers
@ -33,20 +31,8 @@ nomad_clients
[deployment] [deployment]
localhost ansible_connection=local localhost ansible_connection=local
[consul:children]
consul_servers
consul_agents
[nomad:children]
nomad_servers
nomad_clients
[vault:children]
vault_servers
[common:children] [common:children]
haproxy_servers haproxy_servers
vault_servers vault_servers
consul_servers consul_servers
nomad_servers nomad_servers
nomad_clients

54
playbooks/preflight.yml
View File

@ -1,16 +1,14 @@
--- ---
# hashistack deployment playbook # hashistack deployment playbook
- name: "Preflight" - name: "Preflight"
hosts: all, !deployment hosts: all
strategy: linear strategy: linear
gather_facts: true gather_facts: true
become: true become: true
tasks: tasks:
- name: "Import variables" - name: "Import variables"
ansible.builtin.include_role: ansible.builtin.import_tasks:
name: ednz_cloud.hashistack.hashistack file: tasks/load_vars.yml
tags:
- always
- name: "Checking vault inventory" - name: "Checking vault inventory"
ansible.builtin.assert: ansible.builtin.assert:
@ -48,44 +46,44 @@
when: when:
- enable_nomad | bool - enable_nomad | bool
- name: "Checking directory {{ hashistack_configuration_directory }}" # noqa: run-once[task] - name: "Checking directory {{ configuration_directory }}" # noqa: run-once[task]
delegate_to: localhost delegate_to: localhost
run_once: true run_once: true
block: block:
- name: "Stat directory {{ hashistack_configuration_directory }}" - name: "Stat directory {{ configuration_directory }}"
ansible.builtin.stat: ansible.builtin.stat:
path: "{{ hashistack_configuration_directory }}" path: "{{ configuration_directory }}"
register: _stat_config_dir register: _stat_config_dir
- name: "Stat nomad_servers config directory" - name: "Stat nomad_servers config directory"
ansible.builtin.stat: ansible.builtin.stat:
path: "{{ hashistack_sub_configuration_directories.nomad_servers }}" path: "{{ sub_configuration_directories.nomad_servers }}"
register: _stat_config_dir_nomad_servers register: _stat_config_dir_nomad_servers
when: when:
- enable_nomad | bool - enable_nomad | bool
- name: "Stat consul_servers config directory" - name: "Stat consul_servers config directory"
ansible.builtin.stat: ansible.builtin.stat:
path: "{{ hashistack_sub_configuration_directories.consul_servers }}" path: "{{ sub_configuration_directories.consul_servers }}"
register: _stat_config_dir_consul_servers register: _stat_config_dir_consul_servers
when: when:
- enable_consul | bool - enable_consul | bool
- name: "Stat vault_servers config directory" - name: "Stat vault_servers config directory"
ansible.builtin.stat: ansible.builtin.stat:
path: "{{ hashistack_sub_configuration_directories.vault_servers }}" path: "{{ sub_configuration_directories.vault_servers }}"
register: _stat_config_dir_vault_servers register: _stat_config_dir_vault_servers
when: when:
- enable_vault | bool - enable_vault | bool
- name: "Make sure directory exists: {{ hashistack_configuration_directory }}" - name: "Make sure directory exists: {{ configuration_directory }}"
ansible.builtin.assert: ansible.builtin.assert:
that: that:
- _stat_config_dir.stat.exists - _stat_config_dir.stat.exists
- _stat_config_dir.stat.isdir - _stat_config_dir.stat.isdir
- _stat_config_dir.stat.writeable - _stat_config_dir.stat.writeable
- name: "Make sure directory exists: {{ hashistack_sub_configuration_directories.nomad_servers }}" - name: "Make sure directory exists: {{ sub_configuration_directories.nomad_servers }}"
ansible.builtin.assert: ansible.builtin.assert:
that: that:
- _stat_config_dir_nomad_servers.stat.exists - _stat_config_dir_nomad_servers.stat.exists
@ -94,7 +92,7 @@
when: when:
- enable_nomad | bool - enable_nomad | bool
- name: "Make sure directory exists: {{ hashistack_sub_configuration_directories.consul_servers }}" - name: "Make sure directory exists: {{ sub_configuration_directories.consul_servers }}"
ansible.builtin.assert: ansible.builtin.assert:
that: that:
- _stat_config_dir_consul_servers.stat.exists - _stat_config_dir_consul_servers.stat.exists
@ -103,7 +101,7 @@
when: when:
- enable_consul | bool - enable_consul | bool
- name: "Make sure directory exists: {{ hashistack_sub_configuration_directories.vault_servers }}" - name: "Make sure directory exists: {{ sub_configuration_directories.vault_servers }}"
ansible.builtin.assert: ansible.builtin.assert:
that: that:
- _stat_config_dir_vault_servers.stat.exists - _stat_config_dir_vault_servers.stat.exists
@ -113,8 +111,8 @@
- enable_vault | bool - enable_vault | bool
- name: "Checking host OS distribution" - name: "Checking host OS distribution"
# TODO: This needs to work with debian and ubuntu, major version works for debian but not ubuntu, simple version works the other way around... #TODO: This needs to work with debian and ubuntu, major version works for debian but not ubuntu, simple version works the other way around...
# ? seems to work #? seems to work
ansible.builtin.assert: ansible.builtin.assert:
that: that:
- "(ansible_facts.distribution | lower) in hashistack_supported_distributions" - "(ansible_facts.distribution | lower) in hashistack_supported_distributions"
@ -261,7 +259,7 @@
when: vault_port_results.results | length > 0 when: vault_port_results.results | length > 0
- name: "Checking if consul ports are available" - name: "Checking if consul ports are available"
when: inventory_hostname in groups['consul_servers'] or inventory_hostname in groups['consul_agents'] when: inventory_hostname in groups['consul_servers']
block: block:
- name: "Checking if consul ports are available" - name: "Checking if consul ports are available"
ansible.builtin.wait_for: ansible.builtin.wait_for:
@ -280,26 +278,6 @@
with_items: "{{ consul_port_results.results }}" with_items: "{{ consul_port_results.results }}"
when: consul_port_results.results | length > 0 when: consul_port_results.results | length > 0
- name: "Checking if nomad ports are available"
when: inventory_hostname in groups['nomad_servers'] or inventory_hostname in groups['nomad_clients']
block:
- name: "Checking if nomad ports are available"
ansible.builtin.wait_for:
host: "{{ inventory_hostname }}"
port: "{{ item }}"
state: "stopped"
timeout: 5
loop: "{{ nomad_required_ports }}"
ignore_errors: true
register: nomad_port_results
- name: "Assert that nomad ports are not currently in use"
ansible.builtin.assert:
that:
- item.failed == false
with_items: "{{ nomad_port_results.results }}"
when: nomad_port_results.results | length > 0
- name: "Checking if system uses systemd" - name: "Checking if system uses systemd"
become: true become: true
ansible.builtin.assert: ansible.builtin.assert:

6
playbooks/tasks/consul/consul_agents.yml
View File

@ -1,6 +0,0 @@
---
- name: "Consul agents"
block:
- name: "Deploy Consul Agents"
ansible.builtin.include_role:
name: ednz_cloud.hashistack.consul

71
playbooks/tasks/consul/consul_control_plane.yml
View File

@ -1,71 +0,0 @@
---
- name: "Consul control plane"
block:
- name: "Include ednz_cloud.hashistack.consul"
ansible.builtin.include_role:
name: ednz_cloud.hashistack.consul
- name: "Consul | Wait for consul cluster to initialize" # noqa: run-once[task]
block:
- name: "Consul | Wait for consul nodes to stabilize"
ansible.builtin.wait_for:
host: "{{ api_interface_address }}"
port: "{{ consul_api_port[consul_api_scheme] }}"
delay: 10
- name: "Consul | Waiting for consul api to respond"
ansible.builtin.uri:
url: "{{ consul_api_addr }}"
validate_certs: no
return_content: yes
status_code:
- 200
until: uri_output.status == 200
retries: 24
delay: 5
register: uri_output
- name: "Consul | Initialize consul cluster" # noqa: run-once[task]
community.general.consul_acl_bootstrap:
bootstrap_secret: "{{ _credentials.consul.root_token.secret_id }}"
host: "{{ api_interface_address }}"
port: "{{ consul_api_port[consul_api_scheme] }}"
scheme: "{{ consul_api_scheme }}"
state: present
register: _consul_init_secret
when:
- consul_init_server
- consul_configuration.acl.enabled
- name: "Consul | Create consul agents token"
when:
- consul_init_server
- consul_configuration.acl.enabled
block:
- name: "Consul | Create consul agents token" # noqa: run-once[task] no-handler
block:
- name: "Consul | Create consul agent policy"
community.general.consul_policy:
token: "{{ _credentials.consul.root_token.secret_id }}"
host: "{{ api_interface_address }}"
port: "{{ consul_api_port[consul_api_scheme] }}"
scheme: "{{ consul_api_scheme }}"
validate_certs: false
state: present
name: agents-policy
rules: "{{ consul_default_agent_policy }}"
register: _consul_agent_policy
- name: "Consul | Create consul agents token"
community.general.consul_token:
token: "{{ _credentials.consul.root_token.secret_id }}"
host: "{{ api_interface_address }}"
port: "{{ consul_api_port[consul_api_scheme] }}"
scheme: "{{ consul_api_scheme }}"
validate_certs: false
accessor_id: "{{ _credentials.consul.tokens.agent.accessor_id }}"
secret_id: "{{ _credentials.consul.tokens.agent.secret_id }}"
policies:
- id: "{{ _consul_agent_policy.policy.ID }}"
state: present
register: _consul_agent_token

87
playbooks/tasks/consul/consul_deploy.yml
View File

@ -1,19 +1,78 @@
--- ---
- name: "Consul" - name: "Consul"
block: block:
- name: "Deploy Consul Control Plane" - name: "Include ednz_cloud.hashicorp_consul"
ansible.builtin.import_tasks: ansible.builtin.include_role:
file: consul_control_plane.yml name: ednz_cloud.hashicorp_consul
when:
- "'consul_servers' in group_names"
tags:
- consul_servers
- name: "Deploy Consul Agents" - name: "Wait for consul cluster to initialize" # noqa: run-once[task]
ansible.builtin.import_tasks: block:
file: consul_agents.yml - name: "Wait for consul nodes to stabilize"
ansible.builtin.wait_for:
host: "{{ api_interface_address }}"
port: "{{ consul_api_port[consul_api_scheme] }}"
delay: 10
- name: "Waiting for consul api to respond"
ansible.builtin.uri:
url: "{{ consul_api_addr }}"
validate_certs: no
return_content: yes
status_code:
- 200
until: uri_output.status == 200
retries: 24
delay: 5
register: uri_output
- name: "Initialize consul cluster" # noqa: run-once[task]
community.general.consul_acl_bootstrap:
bootstrap_secret: "{{ _credentials.consul.root_token.secret_id }}"
host: "{{ api_interface_address }}"
port: "{{ consul_api_port[consul_api_scheme] }}"
scheme: "{{ consul_api_scheme }}"
state: present
run_once: true
delegate_to: "{{ groups['consul_servers'] | first }}"
register: _consul_init_secret
when: hashicorp_consul_configuration.acl.enabled
- name: "Create consul agents token"
when: when:
- "'consul_agents' in group_names" - consul_acl_configuration.enabled
- "'consul_servers' not in group_names" block:
tags: - name: "Create consul agents token" # noqa: run-once[task] no-handler
- consul_agents run_once: true
block:
- name: "Create consul agent policy"
community.general.consul_policy:
token: "{{ _credentials.consul.root_token.secret_id }}"
host: "{{ api_interface_address }}"
port: "{{ consul_api_port[consul_api_scheme] }}"
scheme: "{{ consul_api_scheme }}"
validate_certs: false
state: present
name: agents-policy
rules: "{{ consul_default_agent_policy }}"
register: _consul_agent_policy
- name: "Create consul agents token"
community.general.consul_token:
token: "{{ _credentials.consul.root_token.secret_id }}"
host: "{{ api_interface_address }}"
port: "{{ consul_api_port[consul_api_scheme] }}"
scheme: "{{ consul_api_scheme }}"
validate_certs: false
accessor_id: "{{ _credentials.consul.tokens.agent.accessor_id }}"
secret_id: "{{ _credentials.consul.tokens.agent.secret_id }}"
policies:
- id: "{{ _consul_agent_policy.policy.ID }}"
state: present
register: _consul_agent_token
- name: "Restart consul service" # noqa: no-handler
ansible.builtin.service:
name: "{{ hashicorp_consul_service_name }}"
state: restarted
throttle: 1
when: _consul_agent_token.changed

67
playbooks/tasks/consul/consul_vars.yml Normal file
View File

@ -0,0 +1,67 @@
---
# hashistack configuration merging for consul
- name: "Consul | Merge stringified configuration"
vars:
_config_to_merge: "{{ hashicorp_consul_configuration_string }}"
ansible.builtin.set_fact:
hashicorp_consul_configuration: "{{
hashicorp_consul_configuration |
combine(_config_to_merge|from_yaml, recursive=true)
}}"
when:
- hashicorp_consul_configuration_string is defined
- name: "Consul | Merge servers specific stringified configuration"
vars:
_config_to_merge: "{{ hashicorp_consul_servers_configuration_string }}"
ansible.builtin.set_fact:
hashicorp_consul_configuration: "{{
hashicorp_consul_configuration |
combine(_config_to_merge|from_yaml, recursive=true)
}}"
when:
- hashicorp_consul_configuration_string is defined
- "'consul_servers' in group_names"
- name: "Consul | Merge addresses configuration"
vars:
_config_to_merge: "{{ consul_address_configuration }}"
ansible.builtin.set_fact:
hashicorp_consul_configuration: "{{
hashicorp_consul_configuration |
combine(_config_to_merge, recursive=true)
}}"
when: consul_address_configuration is defined
- name: "Consul | Merge TLS configuration"
vars:
_config_to_merge:
tls: "{{ consul_tls_configuration }}"
ansible.builtin.set_fact:
hashicorp_consul_configuration: "{{
hashicorp_consul_configuration |
combine(_config_to_merge, recursive=true)
}}"
when: consul_enable_tls
- name: "Consul | Merge token configuration"
delegate_to: localhost
block:
- name: "Consul | Merge token configuration"
vars:
_config_to_merge:
acl:
tokens:
agent: "{{ _credentials.consul.tokens.agent.secret_id }}"
ansible.builtin.set_fact:
hashicorp_consul_configuration: "{{ hashicorp_consul_configuration | default({}) | combine(_config_to_merge, recursive=true) }}"
- name: "Consul | Merge extra configuration settings"
vars:
_config_to_merge: "{{ consul_extra_configuration }}"
ansible.builtin.set_fact:
hashicorp_consul_configuration: "{{
hashicorp_consul_configuration |
combine(_config_to_merge, recursive=true)
}}"
when: consul_extra_configuration is defined

6
playbooks/tasks/load_vars.yml
View File

@ -23,6 +23,7 @@
owner: root owner: root
group: root group: root
mode: 0755 mode: 0755
recurse: yes
loop: loop:
- "{{ hashistack_remote_config_dir }}" - "{{ hashistack_remote_config_dir }}"
- "{{ hashistack_remote_data_dir }}" - "{{ hashistack_remote_data_dir }}"
@ -51,8 +52,3 @@
when: when:
- enable_nomad | bool - enable_nomad | bool
- "('nomad_servers' in group_names) or ('nomad_clients' in group_names)" - "('nomad_servers' in group_names) or ('nomad_clients' in group_names)"
# - name: "Print all config"
# ansible.builtin.debug:
# msg: "{{ hostvars[inventory_hostname] }}"
#
# - fail:

206
playbooks/tasks/misc/load_all_vars.yml Normal file
View File

@ -0,0 +1,206 @@
---
# hashistack variable injection playbook
- name: "Load global variables"
block:
- name: "Stat global configuration file"
ansible.builtin.stat:
path: "{{ configuration_directory }}/{{ configuration_global_vars_file }}"
register: _global_config_file
delegate_to: localhost
- name: "Make sure global configuration file exists"
ansible.builtin.assert:
that:
- _global_config_file.stat.exists
fail_msg: >-
Main configuration file {{ _global_config_file.stat.path }} was not found, cannot continue without it.
delegate_to: localhost
- name: "Load global variables"
ansible.builtin.include_vars:
dir: "{{ configuration_directory }}"
files_matching: "{{ configuration_global_vars_file }}"
depth: 1
delegate_to: localhost
- name: "Load credentials variables"
block:
- name: "Stat credentials file"
ansible.builtin.stat:
path: "{{ sub_configuration_directories['secrets'] }}/{{ configuration_credentials_vars_file }}"
register: _credentials_file
delegate_to: localhost
- name: "Stat vault credentials file"
ansible.builtin.stat:
path: "{{ sub_configuration_directories['secrets'] }}/vault.yml"
register: _vault_credentials_file
delegate_to: localhost
- name: "Make sure credentials file exists"
ansible.builtin.assert:
that:
- _credentials_file.stat.exists
fail_msg: >-
Credentials file {{ _credentials_file.stat.path }} was not found, cannot continue without it.
delegate_to: localhost
- name: "Load credentials variables"
ansible.builtin.include_vars:
dir: "{{ sub_configuration_directories['secrets'] }}"
files_matching: "{{ configuration_credentials_vars_file }}"
depth: 1
name: _credentials
delegate_to: localhost
- name: "Load vault credentials if vault.yml exists"
ansible.builtin.include_vars:
dir: "{{ sub_configuration_directories['secrets'] }}"
files_matching: "vault.yml"
depth: 1
name: _vault_credentials
when: _vault_credentials_file.stat.exists
delegate_to: localhost
- name: "Merge vault credentials into _credentials"
vars:
_config_to_merge:
vault: "{{ _vault_credentials }}"
ansible.builtin.set_fact:
_credentials: "{{ _credentials | combine(_vault_credentials, recursive=true) }}"
when: _vault_credentials_file.stat.exists
delegate_to: localhost
- name: "Load group specific variables"
block:
- name: "Stat group specific config file"
ansible.builtin.stat:
path: "{{ configuration_directory }}/{{ group_name }}/{{ configuration_global_vars_file }}"
register: _group_config_file
loop: "{{ group_names }}"
loop_control:
loop_var: group_name
- name: Load group specific variables
ansible.builtin.include_vars:
dir: "{{ configuration_directory }}/{{ item.group_name }}"
files_matching: "{{ configuration_global_vars_file }}"
depth: 1
loop: "{{ _group_config_file.results }}"
when: item.stat.exists
and item.group_name in group_names
loop_control:
loop_var: item
delegate_to: localhost
- name: "Load host specific variables"
block:
- name: "Stat host specific config file"
ansible.builtin.stat:
path: "{{ configuration_directory }}/{{ group_name }}/{{ inventory_hostname }}/{{ configuration_global_vars_file }}"
register: _host_config_file
loop: "{{ group_names }}"
loop_control:
loop_var: group_name
delegate_to: localhost
- name: Load host specific variables
ansible.builtin.include_vars:
dir: "{{ configuration_directory }}/{{ item.group_name }}/{{ inventory_hostname }}"
files_matching: "{{ configuration_global_vars_file }}"
loop: "{{ _host_config_file.results }}"
when: item.stat.exists
loop_control:
loop_var: item
delegate_to: localhost
- name: "Ensure remote directories exists"
ansible.builtin.file:
path: "{{ item }}"
state: directory
owner: root
group: root
mode: 0755
recurse: yes
loop:
- "{{ hashistack_remote_config_dir }}"
- "{{ hashistack_remote_data_dir }}"
- name: "Load custom CA certificates"
block:
- name: "Check if CA directory exists"
ansible.builtin.stat:
path: "{{ sub_configuration_directories['certificates'] }}/ca"
register: _hashistack_ca_directory
delegate_to: localhost
- name: "Find custom ca certificates to copy"
ansible.builtin.find:
paths: "{{ sub_configuration_directories['certificates'] }}/ca"
patterns: "*.crt"
register: _hashistack_cacert_files
delegate_to: localhost
when: _hashistack_ca_directory.stat.exists and _hashistack_ca_directory.stat.isdir
- name: "Ensure remote ca directory exists"
ansible.builtin.file:
path: "{{ hashistack_remote_config_dir }}/ca"
state: directory
owner: root
group: root
mode: 0755
- name: "Copy custom ca certificates"
ansible.builtin.copy:
src: "{{ item.path }}"
dest: "{{ hashistack_remote_config_dir }}/ca/{{ item.path | basename }}"
owner: root
group: root
mode: 0644
loop: "{{ _hashistack_cacert_files.files }}"
register: _hashistack_copied_ca
- name: "Copy and update trust store"
block:
- name: "Copy ca certificates to /usr/loca/share/ca-certificates"
ansible.builtin.file:
state: link
src: "{{ item.dest }}"
dest: "/usr/local/share/ca-certificates/hashistack-customca-{{ item.dest | basename }}"
owner: root
group: root
loop: "{{ _hashistack_copied_ca.results }}"
register: _hashistack_usr_local_share_ca_certificates
- name: "Update the trust store"
ansible.builtin.command: update-ca-certificates
changed_when: false
when: _hashistack_usr_local_share_ca_certificates.changed
# - name: "Initialize list of CA certificates"
# ansible.builtin.set_fact:
# hashistack_cacert_extra_files: []
# delegate_to: localhost
# - name: "Add custom CA to list of extra certificates"
# ansible.builtin.set_fact:
# hashistack_cacert_extra_files: "{{
# hashistack_cacert_extra_files | default([])
# + [{'src': item.path, 'dest': '/etc/ssl/certs/hashistack-custom-' + item.path | basename}] }}"
# loop: "{{ _hashistack_cacert_files.files }}"
# delegate_to: localhost
# when: _hashistack_cacert_files.matched > 0
- name: "Merge consul configurations"
ansible.builtin.import_tasks:
file: "consul/consul_vars.yml"
when:
- enable_consul | bool
- "('consul_servers' in group_names) or ('consul_agents' in group_names)"
- name: "Merge vault configurations"
ansible.builtin.import_tasks:
file: "vault/vault_vars.yml"
when:
- enable_vault | bool
- "'vault_servers' in group_names"

9
roles/hashistack/tasks/load_ca_certificates.yml → playbooks/tasks/misc/load_ca_certificates.yml
View File

@ -1,14 +1,13 @@
--- ---
# task/load_ca_certificates file for hashistack
- name: "Check if CA directory exists" - name: "Check if CA directory exists"
ansible.builtin.stat: ansible.builtin.stat:
path: "{{ hashistack_sub_configuration_directories['certificates'] }}/ca" path: "{{ sub_configuration_directories['certificates'] }}/ca"
register: _hashistack_ca_directory register: _hashistack_ca_directory
delegate_to: localhost delegate_to: localhost
- name: "Find custom ca certificates to copy" - name: "Find custom ca certificates to copy"
ansible.builtin.find: ansible.builtin.find:
paths: "{{ hashistack_sub_configuration_directories['certificates'] }}/ca" paths: "{{ sub_configuration_directories['certificates'] }}/ca"
patterns: "*.crt" patterns: "*.crt"
register: _hashistack_cacert_files register: _hashistack_cacert_files
delegate_to: localhost delegate_to: localhost
@ -31,12 +30,10 @@
mode: 0644 mode: 0644
loop: "{{ _hashistack_cacert_files.files }}" loop: "{{ _hashistack_cacert_files.files }}"
register: _hashistack_copied_ca register: _hashistack_copied_ca
when: not _hashistack_cacert_files.skipped | default(False)
- name: "Copy and update trust store" - name: "Copy and update trust store"
when: not _hashistack_copied_ca.skipped | default(False)
block: block:
- name: "Copy ca certificates to /usr/local/share/ca-certificates" - name: "Copy ca certificates to /usr/loca/share/ca-certificates"
ansible.builtin.file: ansible.builtin.file:
state: link state: link
src: "{{ item.dest }}" src: "{{ item.dest }}"

23
roles/hashistack/tasks/load_credentials_vars.yml → playbooks/tasks/misc/load_credentials_vars.yml
View File

@ -1,18 +1,17 @@
--- ---
# task/load_credentials_vars file for hashistack - name: "Stat credentials file"
- name: "Variables | Stat credentials file"
ansible.builtin.stat: ansible.builtin.stat:
path: "{{ hashistack_sub_configuration_directories['secrets'] }}/{{ hashistack_configuration_credentials_vars_file }}" path: "{{ sub_configuration_directories['secrets'] }}/{{ configuration_credentials_vars_file }}"
register: _credentials_file register: _credentials_file
delegate_to: localhost delegate_to: localhost
- name: "Variables | Stat vault credentials file" - name: "Stat vault credentials file"
ansible.builtin.stat: ansible.builtin.stat:
path: "{{ hashistack_sub_configuration_directories['secrets'] }}/vault.yml" path: "{{ sub_configuration_directories['secrets'] }}/vault.yml"
register: _vault_credentials_file register: _vault_credentials_file
delegate_to: localhost delegate_to: localhost
- name: "Variables | Make sure credentials file exists" - name: "Make sure credentials file exists"
ansible.builtin.assert: ansible.builtin.assert:
that: that:
- _credentials_file.stat.exists - _credentials_file.stat.exists
@ -20,24 +19,24 @@
Credentials file {{ _credentials_file.stat.path }} was not found, cannot continue without it. Credentials file {{ _credentials_file.stat.path }} was not found, cannot continue without it.
delegate_to: localhost delegate_to: localhost
- name: "Variables | Load credentials variables" - name: "Load credentials variables"
ansible.builtin.include_vars: ansible.builtin.include_vars:
dir: "{{ hashistack_sub_configuration_directories['secrets'] }}" dir: "{{ sub_configuration_directories['secrets'] }}"
files_matching: "{{ hashistack_configuration_credentials_vars_file }}" files_matching: "{{ configuration_credentials_vars_file }}"
depth: 1 depth: 1
name: _credentials name: _credentials
delegate_to: localhost delegate_to: localhost
- name: "Variables | Load vault credentials if vault.yml exists" - name: "Load vault credentials if vault.yml exists"
ansible.builtin.include_vars: ansible.builtin.include_vars:
dir: "{{ hashistack_sub_configuration_directories['secrets'] }}" dir: "{{ sub_configuration_directories['secrets'] }}"
files_matching: "vault.yml" files_matching: "vault.yml"
depth: 1 depth: 1
name: _vault_credentials name: _vault_credentials
when: _vault_credentials_file.stat.exists when: _vault_credentials_file.stat.exists
delegate_to: localhost delegate_to: localhost
- name: "Variables | Merge vault credentials into _credentials" - name: "Merge vault credentials into _credentials"
vars: vars:
_config_to_merge: _config_to_merge:
vault: "{{ _vault_credentials }}" vault: "{{ _vault_credentials }}"

21
playbooks/tasks/misc/load_global_vars.yml Normal file
View File

@ -0,0 +1,21 @@
---
- name: "Stat global configuration file"
ansible.builtin.stat:
path: "{{ configuration_directory }}/{{ configuration_global_vars_file }}"
register: _global_config_file
delegate_to: localhost
- name: "Make sure global configuration file exists"
ansible.builtin.assert:
that:
- _global_config_file.stat.exists
fail_msg: >-
Main configuration file {{ _global_config_file.stat.path }} was not found, cannot continue without it.
delegate_to: localhost
- name: "Load global variables"
ansible.builtin.include_vars:
dir: "{{ configuration_directory }}"
files_matching: "{{ configuration_global_vars_file }}"
depth: 1
delegate_to: localhost

20
playbooks/tasks/misc/load_group_vars.yml Normal file
View File

@ -0,0 +1,20 @@
---
- name: "Stat group specific config file"
ansible.builtin.stat:
path: "{{ configuration_directory }}/{{ group_name }}/{{ configuration_global_vars_file }}"
register: _group_config_file
loop: "{{ group_names }}"
loop_control:
loop_var: group_name
- name: Load group specific variables
ansible.builtin.include_vars:
dir: "{{ configuration_directory }}/{{ item.group_name }}"
files_matching: "{{ configuration_global_vars_file }}"
depth: 1
loop: "{{ _group_config_file.results }}"
when: item.stat.exists
and item.group_name in group_names
loop_control:
loop_var: item
delegate_to: localhost

19
playbooks/tasks/misc/load_host_vars.yml Normal file
View File

@ -0,0 +1,19 @@
---
- name: "Stat host specific config file"
ansible.builtin.stat:
path: "{{ configuration_directory }}/{{ group_name }}/{{ inventory_hostname }}/{{ configuration_global_vars_file }}"
register: _host_config_file
loop: "{{ group_names }}"
loop_control:
loop_var: group_name
delegate_to: localhost
- name: Load host specific variables
ansible.builtin.include_vars:
dir: "{{ configuration_directory }}/{{ item.group_name }}/{{ inventory_hostname }}"
files_matching: "{{ configuration_global_vars_file }}"
loop: "{{ _host_config_file.results }}"
when: item.stat.exists
loop_control:
loop_var: item
delegate_to: localhost

15
playbooks/tasks/nomad/nomad_clients.yml
View File

@ -1,15 +0,0 @@
---
- name: "Nomad clients"
block:
- name: "Nomad | Install docker driver"
ansible.builtin.include_role:
name: ednz_cloud.install_docker
when: nomad_driver_enable_docker
- name: "Include ednz_cloud.hashistack.cni"
ansible.builtin.include_role:
name: ednz_cloud.hashistack.cni
- name: "Nomad | Deploy Clients"
ansible.builtin.include_role:
name: ednz_cloud.hashistack.nomad

87
playbooks/tasks/nomad/nomad_control_plane.yml
View File

@ -1,87 +0,0 @@
---
- name: "Nomad control plane"
block:
- name: "Nomad | Create consul tokens for service registration"
when:
- nomad_init_server
- enable_consul
- nomad_enable_consul_integration
vars:
_consul_host: "{{ hostvars[groups['consul_servers'][0]].api_interface_address }}"
_consul_port: "{{ hostvars[groups['consul_servers'][0]].consul_api_port[hostvars[groups['consul_servers'][0]].consul_api_scheme] }}"
_consul_scheme: "{{ hostvars[groups['consul_servers'][0]].consul_api_scheme }}"
block:
- name: "Nomad | Create server credentials"
block:
- name: "Nomad | Create consul server policy"
community.general.consul_policy:
token: "{{ _credentials.consul.root_token.secret_id }}"
host: "{{ _consul_host }}"
port: "{{ _consul_port }}"
scheme: "{{ _consul_scheme }}"
validate_certs: false
state: present
name: nomad-server-policy
rules: "{{ nomad_consul_integration_server_policy }}"
register: _consul_nomad_server_policy
- name: "Nomad | Create consul server token" # noqa: no-handler
community.general.consul_token:
token: "{{ _credentials.consul.root_token.secret_id }}"
host: "{{ _consul_host }}"
port: "{{ _consul_port }}"
scheme: "{{ _consul_scheme }}"
validate_certs: false
accessor_id: "{{ _credentials.consul.tokens.nomad.server.accessor_id }}"
secret_id: "{{ _credentials.consul.tokens.nomad.server.secret_id }}"
policies:
- id: "{{ _consul_nomad_server_policy.policy.ID }}"
state: present
when: _consul_nomad_server_policy.changed
- name: "Nomad | Create client credentials"
block:
- name: "Nomad | Create consul client policy"
community.general.consul_policy:
token: "{{ _credentials.consul.root_token.secret_id }}"
host: "{{ _consul_host }}"
port: "{{ _consul_port }}"
scheme: "{{ _consul_scheme }}"
validate_certs: false
state: present
name: nomad-client-policy
rules: "{{ nomad_consul_integration_client_policy }}"
register: _consul_nomad_client_policy
- name: "Nomad | Create consul client token" # noqa: no-handler
community.general.consul_token:
token: "{{ _credentials.consul.root_token.secret_id }}"
host: "{{ _consul_host }}"
port: "{{ _consul_port }}"
scheme: "{{ _consul_scheme }}"
validate_certs: false
accessor_id: "{{ _credentials.consul.tokens.nomad.client.accessor_id }}"
secret_id: "{{ _credentials.consul.tokens.nomad.client.secret_id }}"
policies:
- id: "{{ _consul_nomad_client_policy.policy.ID }}"
state: present
when: _consul_nomad_client_policy.changed
- name: "Include ednz_cloud.hashistack.cni"
ansible.builtin.include_role:
name: ednz_cloud.hashistack.cni
when: nomad_enable_client
- name: "Include ednz_cloud.hashistack.nomad"
ansible.builtin.include_role:
name: ednz_cloud.hashistack.nomad
- name: "Nomad | Initialize nomad cluster" # noqa: run-once[task]
ednz_cloud.hashistack.nomad_acl_bootstrap:
bootstrap_secret: "{{ _credentials.nomad.root_token.secret_id }}"
api_url: "{{ nomad_api_addr }}"
tls_verify: false
register: _nomad_init_secret
when:
- nomad_init_server
- nomad_configuration.acl.enabled

92
playbooks/tasks/nomad/nomad_deploy.yml
View File

@ -1,19 +1,83 @@
--- ---
- name: "Nomad" - name: "Nomad"
block: block:
- name: "Deploy Nomad Control Plane" - name: "Create consul tokens for service registration"
ansible.builtin.import_tasks:
file: nomad_control_plane.yml
when: when:
- nomad_enable_server - enable_consul
tags: - nomad_enable_consul_integration
- nomad_servers delegate_to: "{{ groups['consul_servers'] | first }}"
vars:
_consul_host: "{{ hostvars[groups['consul_servers'][0]].api_interface_address }}"
_consul_port: "{{ hostvars[groups['consul_servers'][0]].consul_api_port[hostvars[groups['consul_servers'][0]].consul_api_scheme] }}"
_consul_scheme: "{{ hostvars[groups['consul_servers'][0]].consul_api_scheme }}"
run_once: true
block:
- name: "Create server credentials"
block:
- name: "Create consul server policy"
community.general.consul_policy:
token: "{{ _credentials.consul.root_token.secret_id }}"
host: "{{ _consul_host }}"
port: "{{ _consul_port }}"
scheme: "{{ _consul_scheme }}"
validate_certs: false
state: present
name: nomad-server-policy
rules: "{{ nomad_consul_integration_server_policy }}"
register: _consul_nomad_server_policy
- name: "Deploy Nomad Clients" - name: "Create consul server token"
ansible.builtin.import_tasks: community.general.consul_token:
file: nomad_clients.yml token: "{{ _credentials.consul.root_token.secret_id }}"
when: host: "{{ _consul_host }}"
- nomad_enable_client port: "{{ _consul_port }}"
- not nomad_enable_server scheme: "{{ _consul_scheme }}"
tags: validate_certs: false
- nomad_clients accessor_id: "{{ _credentials.consul.tokens.nomad.server.accessor_id }}"
secret_id: "{{ _credentials.consul.tokens.nomad.server.secret_id }}"
policies:
- id: "{{ _consul_nomad_server_policy.policy.ID }}"
state: present
when: _consul_nomad_server_policy.changed
- name: "Create client credentials"
block:
- name: "Create consul client policy"
community.general.consul_policy:
token: "{{ _credentials.consul.root_token.secret_id }}"
host: "{{ _consul_host }}"
port: "{{ _consul_port }}"
scheme: "{{ _consul_scheme }}"
validate_certs: false
state: present
name: nomad-client-policy
rules: "{{ nomad_consul_integration_client_policy }}"
register: _consul_nomad_client_policy
- name: "Create consul client token"
community.general.consul_token:
token: "{{ _credentials.consul.root_token.secret_id }}"
host: "{{ _consul_host }}"
port: "{{ _consul_port }}"
scheme: "{{ _consul_scheme }}"
validate_certs: false
accessor_id: "{{ _credentials.consul.tokens.nomad.client.accessor_id }}"
secret_id: "{{ _credentials.consul.tokens.nomad.client.secret_id }}"
policies:
- id: "{{ _consul_nomad_client_policy.policy.ID }}"
state: present
when: _consul_nomad_client_policy.changed
- name: "Include ednz_cloud.hashicorp_nomad"
ansible.builtin.include_role:
name: ednz_cloud.hashicorp_nomad
- name: "Initialize nomad cluster" # noqa: run-once[task]
ednz_cloud.hashistack.nomad_acl_bootstrap:
bootstrap_secret: "{{ _credentials.nomad.root_token.secret_id }}"
api_url: "{{ nomad_api_addr }}"
tls_verify: false
run_once: true
delegate_to: "{{ groups['nomad_servers'] | first }}"
register: _nomad_init_secret
when: hashicorp_nomad_configuration.acl.enabled

83
roles/nomad/tasks/merge_variables.yml → playbooks/tasks/nomad/nomad_vars.yml
View File

@ -1,25 +1,30 @@
--- ---
# task/merge_variables file for hashicorp_nomad # hashistack configuration merging for nomad
- name: "Nomad | Merge stringified configuration" - name: "Nomad | Merge stringified configuration"
vars: vars:
_config_to_merge: "{{ nomad_configuration_string }}" _config_to_merge: "{{ hashicorp_nomad_configuration_string }}"
ansible.builtin.set_fact: ansible.builtin.set_fact:
nomad_configuration: "{{ hashicorp_nomad_configuration: "{{
nomad_configuration | hashicorp_nomad_configuration |
combine(_config_to_merge|from_yaml, recursive=true) combine(_config_to_merge|from_yaml, recursive=true)
}}" }}"
when:
- hashicorp_nomad_configuration_string is defined
- "'nomad_servers' in group_names"
- name: "Nomad | Merge addresses configuration" - name: "Nomad | Merge addresses configuration"
vars: vars:
_config_to_merge: "{{ nomad_address_configuration }}" _config_to_merge: "{{ nomad_address_configuration }}"
ansible.builtin.set_fact: ansible.builtin.set_fact:
nomad_configuration: "{{ hashicorp_nomad_configuration: "{{
nomad_configuration | hashicorp_nomad_configuration |
combine(_config_to_merge, recursive=true) combine(_config_to_merge, recursive=true)
}}" }}"
when: nomad_address_configuration is defined
- name: "Nomad | Merge consul integration configuration" - name: "Nomad | Merge consul integration configuration"
when: when:
- enable_consul | bool
- nomad_enable_consul_integration | bool - nomad_enable_consul_integration | bool
block: block:
- name: "Nomad | Merge consul tls configuration" - name: "Nomad | Merge consul tls configuration"
@ -79,32 +84,21 @@
_config_to_merge: _config_to_merge:
consul: "{{ nomad_consul_integration_configuration }}" consul: "{{ nomad_consul_integration_configuration }}"
ansible.builtin.set_fact: ansible.builtin.set_fact:
nomad_configuration: "{{ hashicorp_nomad_configuration: "{{
nomad_configuration | hashicorp_nomad_configuration |
combine(_config_to_merge, recursive=true) combine(_config_to_merge, recursive=true)
}}" }}"
- name: "Nomad | Merge TLS configuration" - name: "Nomad | Merge TLS configuration"
when: nomad_enable_tls | bool vars:
block: _config_to_merge:
- name: "Nomad | Merge TLS configuration" tls: "{{ nomad_tls_configuration }}"
vars: ansible.builtin.set_fact:
_config_to_merge: hashicorp_nomad_configuration: "{{
tls: "{{ nomad_tls_configuration }}" hashicorp_nomad_configuration |
ansible.builtin.set_fact: combine(_config_to_merge, recursive=true)
nomad_configuration: "{{ }}"
nomad_configuration | when: nomad_enable_tls
combine(_config_to_merge, recursive=true)
}}"
- name: "Nomad | Add certificates directory to extra_files_dir"
ansible.builtin.set_fact:
nomad_extra_files_list: "{{
nomad_extra_files_list +
nomad_certificates_extra_files_dir
| unique
| sort
}}"
- name: "Nomad | Merge plugin configuration" - name: "Nomad | Merge plugin configuration"
vars: vars:
@ -114,37 +108,22 @@
combine(nomad_driver_extra_configuration, recursive=true) combine(nomad_driver_extra_configuration, recursive=true)
}}" }}"
ansible.builtin.set_fact: ansible.builtin.set_fact:
nomad_configuration: "{{ hashicorp_nomad_configuration: "{{
nomad_configuration | hashicorp_nomad_configuration |
combine(_config_to_merge, recursive=true) combine(_config_to_merge, recursive=true)
}}" }}"
when: nomad_enable_client | bool when: "'nomad_clients' in group_names"
- name: "Nomad | Merge extra configuration settings" - name: "Nomad | Merge extra configuration settings"
vars: vars:
_config_to_merge: "{{ nomad_extra_configuration }}" _config_to_merge: "{{ nomad_extra_configuration }}"
ansible.builtin.set_fact: ansible.builtin.set_fact:
nomad_configuration: "{{ hashicorp_nomad_configuration: "{{
nomad_configuration | hashicorp_nomad_configuration |
combine(_config_to_merge, recursive=true) combine(_config_to_merge, recursive=true)
}}" }}"
when: nomad_extra_configuration is defined
- name: "Nomad | Merge log to file configuration" - name: "Print nomad configuration"
vars: ansible.builtin.debug:
_config_to_merge: "{{ nomad_log_to_file_configuration }}" msg: "{{ hashicorp_nomad_configuration }}"
ansible.builtin.set_fact:
nomad_configuration: "{{
nomad_configuration |
combine(_config_to_merge, recursive=true)
}}"
when: nomad_enable_log_to_file
- name: "Nomad | Merge telemetry configuration"
vars:
_config_to_merge:
telemetry: "{{ nomad_telemetry_configuration }}"
ansible.builtin.set_fact:
nomad_configuration: "{{
nomad_configuration |
combine(_config_to_merge, recursive=true)
}}"

97
playbooks/tasks/vault/vault_control_plane.yml
View File

@ -1,97 +0,0 @@
---
- name: "Vault control plane"
block:
- name: "Vault | Create consul token for service registration"
when:
- vault_init_server
- enable_consul
- vault_enable_service_registration
vars:
_consul_vault_sr_host: "{{ hostvars[groups['consul_servers'][0]].api_interface_address }}"
_consul_vault_sr_port: "{{ hostvars[groups['consul_servers'][0]].consul_api_port[hostvars[groups['consul_servers'][0]].consul_api_scheme] }}"
_consul_vault_sr_scheme: "{{ hostvars[groups['consul_servers'][0]].consul_api_scheme }}"
block:
- name: "Vault | Create consul vault policy"
community.general.consul_policy:
token: "{{ _credentials.consul.root_token.secret_id }}"
host: "{{ _consul_vault_sr_host }}"
port: "{{ _consul_vault_sr_port }}"
scheme: "{{ _consul_vault_sr_scheme }}"
validate_certs: false
state: present
name: vault-policy
rules: "{{ vault_service_registration_policy }}"
register: _consul_vault_policy
- name: "Vault | Create consul vault token" # noqa: no-handler
community.general.consul_token:
token: "{{ _credentials.consul.root_token.secret_id }}"
host: "{{ _consul_vault_sr_host }}"
port: "{{ _consul_vault_sr_port }}"
scheme: "{{ _consul_vault_sr_scheme }}"
validate_certs: false
accessor_id: "{{ _credentials.consul.tokens.vault.accessor_id }}"
secret_id: "{{ _credentials.consul.tokens.vault.secret_id }}"
policies:
- id: "{{ _consul_vault_policy.policy.ID }}"
state: present
when: _consul_vault_policy.changed
- name: "Vault | Stat vault secret file"
ansible.builtin.stat:
path: "{{ hashistack_sub_configuration_directories.secrets }}/vault.yml"
register: _vault_needs_early_unseal
- name: "Include ednz_cloud.hashistack.vault"
ansible.builtin.include_role:
name: ednz_cloud.hashistack.vault
- name: "Vault | Initialize vault cluster" # noqa: run-once[task]
ednz_cloud.hashistack.vault_init:
api_url: "{{ vault_configuration['api_addr'] }}"
tls_verify: false
key_shares: "{{ vault_seal_configuration['key_shares'] }}"
key_threshold: "{{ vault_seal_configuration['key_threshold'] }}"
retries: 5
delay: 5
register: _vault_init_secret
until: not _vault_init_secret.failed
when: vault_init_server
- name: "Vault | Write vault configuration to file" # noqa: run-once[task] no-handler
ansible.builtin.copy:
content: "{{ _vault_init_secret.state | to_nice_yaml(indent=2) }}"
dest: "{{ hashistack_sub_configuration_directories.secrets }}/vault.yml"
owner: "{{ lookup('env', 'USER') }}"
group: "{{ lookup('env', 'USER') }}"
mode: "0644"
when:
- vault_init_server
- _vault_init_secret.changed
delegate_to: localhost
- name: "Load vault cluster variables necessary for unseal operation"
ansible.builtin.import_role:
name: ednz_cloud.hashistack.hashistack
vars:
hashistack_only_load_credentials: true
- name: "Vault | Unseal the bootstrap node" # noqa: run-once[task] no-handler
ednz_cloud.hashistack.vault_unseal:
api_url: "{{ vault_configuration['api_addr'] }}"
tls_verify: false
key_shares: "{{ _credentials.vault['keys'] }}"
when:
- vault_init_server
- _vault_init_secret.changed
register: _vault_unseal_secret
- name: "Vault | Unseal all vault nodes"
ednz_cloud.hashistack.vault_unseal:
api_url: "{{ vault_configuration['api_addr'] }}"
tls_verify: false
key_shares: "{{ _credentials.vault['keys'] }}"
retries: 5
delay: 5
until: _unseal_status.changed or not _unseal_status.failed
register: _unseal_status

98
playbooks/tasks/vault/vault_deploy.yml
View File

@ -1,10 +1,96 @@
--- ---
- name: "Vault" - name: "Vault"
block: block:
- name: "Deploy Vault Control Plane" - name: "Create consul token for service registration"
ansible.builtin.import_tasks:
file: vault_control_plane.yml
when: when:
- "'vault_servers' in group_names" - enable_consul
tags: - vault_enable_service_registration
- vault_servers delegate_to: "{{ groups['consul_servers'] | first }}"
vars:
_consul_vault_sr_host: "{{ hostvars[groups['consul_servers'][0]].api_interface_address }}"
_consul_vault_sr_port: "{{ hostvars[groups['consul_servers'][0]].consul_api_port[hostvars[groups['consul_servers'][0]].consul_api_scheme] }}"
_consul_vault_sr_scheme: "{{ hostvars[groups['consul_servers'][0]].consul_api_scheme }}"
run_once: true
block:
- name: "Create consul vault policy"
community.general.consul_policy:
token: "{{ _credentials.consul.root_token.secret_id }}"
host: "{{ _consul_vault_sr_host }}"
port: "{{ _consul_vault_sr_port }}"
scheme: "{{ _consul_vault_sr_scheme }}"
validate_certs: false
state: present
name: vault-policy
rules: "{{ vault_service_registration_policy }}"
register: _consul_vault_policy
- name: "Create consul vault token"
community.general.consul_token:
token: "{{ _credentials.consul.root_token.secret_id }}"
host: "{{ _consul_vault_sr_host }}"
port: "{{ _consul_vault_sr_port }}"
scheme: "{{ _consul_vault_sr_scheme }}"
validate_certs: false
accessor_id: "{{ _credentials.consul.tokens.vault.accessor_id }}"
secret_id: "{{ _credentials.consul.tokens.vault.secret_id }}"
policies:
- id: "{{ _consul_vault_policy.policy.ID }}"
state: present
when: _consul_vault_policy.changed
- name: "Include ednz_cloud.hashicorp_consul"
ansible.builtin.include_role:
name: ednz_cloud.hashicorp_vault
- name: "Initialize vault cluster" # noqa: run-once[task]
ednz_cloud.hashistack.vault_init:
api_url: "{{ hashicorp_vault_configuration['api_addr'] }}"
tls_verify: "{{ vault_tls_verify }}"
key_shares: "{{ vault_seal_configuration['key_shares'] }}"
key_threshold: "{{ vault_seal_configuration['key_threshold'] }}"
run_once: true
retries: 5
delay: 5
delegate_to: "{{ groups['vault_servers'] | first }}"
register: _vault_init_secret
until: not _vault_init_secret.failed
- name: "Write vault configuration to file" # noqa: run-once[task] no-handler
ansible.builtin.copy:
content: "{{ _vault_init_secret.state | to_nice_yaml(indent=2) }}"
dest: "{{ sub_configuration_directories.secrets }}/vault.yml"
owner: "{{ lookup('env', 'USER') }}"
group: "{{ lookup('env', 'USER') }}"
mode: "0644"
when: _vault_init_secret.changed
run_once: true
delegate_to: localhost
# - name: "Load vault cluster variables necessary for unseal operation"
# ansible.builtin.include_vars:
# file: "{{ sub_configuration_directories.vault_servers }}/vault_config.yml"
# name: _vault_cluster_config
- name: "Load vault cluster variables necessary for unseal operation"
ansible.builtin.import_tasks:
file: ../misc/load_credentials_vars.yml
- name: "Unseal the bootstrap node" # noqa: run-once[task] no-handler
ednz_cloud.hashistack.vault_unseal:
api_url: "{{ hashicorp_vault_configuration['api_addr'] }}"
tls_verify: "{{ vault_tls_verify }}"
key_shares: "{{ _credentials.vault['keys'] }}"
run_once: true
delegate_to: "{{ groups['vault_servers'] | first }}"
when: _vault_init_secret.changed
register: _vault_unseal_secret
- name: "Unseal all vault nodes"
ednz_cloud.hashistack.vault_unseal:
api_url: "{{ hashicorp_vault_configuration['api_addr'] }}"
tls_verify: "{{ vault_tls_verify }}"
key_shares: "{{ _credentials.vault['keys'] }}"
retries: 5
delay: 5
until: _unseal_status.changed or not _unseal_status.failed
register: _unseal_status

51
playbooks/tasks/vault/vault_vars.yml Normal file
View File

@ -0,0 +1,51 @@
---
# hashistack configuration merging for vault
- name: "Vault | Merge listener configuration"
ansible.builtin.set_fact:
vault_listener_configuration: "{{
vault_listener_configuration |
combine((vault_enable_tls | bool) | ternary(vault_tls_listener_configuration, {}), recursive=True) |
combine(vault_extra_listener_configuration | default({}), recursive=True)
}}"
- name: "Vault | Merge service registration configuration"
vars:
_config_to_merge:
service_registration: "{{ vault_service_registration_configuration }}"
ansible.builtin.set_fact:
hashicorp_vault_configuration: "{{
hashicorp_vault_configuration |
combine(_config_to_merge)
}}"
when: vault_enable_service_registration
- name: "Vault | Merge plugins configuration"
vars:
_config_to_merge:
plugin_directory: "{{ vault_plugin_directory }}"
ansible.builtin.set_fact:
hashicorp_vault_configuration: "{{
hashicorp_vault_configuration |
combine(_config_to_merge)
}}"
when: vault_enable_plugins
- name: "Vault | Merge logging configuration"
vars:
_config_to_merge: "{{ vault_logging_configuration }}"
ansible.builtin.set_fact:
hashicorp_vault_configuration: "{{
hashicorp_vault_configuration |
combine(_config_to_merge)
}}"
when: vault_enable_log_to_file
- name: "Vault | Merge extra configuration settings"
vars:
_config_to_merge: "{{ vault_extra_configuration }}"
ansible.builtin.set_fact:
hashicorp_vault_configuration: "{{
hashicorp_vault_configuration |
combine(_config_to_merge)
}}"
when: vault_extra_configuration is defined

2
playbooks/templates/credentials.yml.j2
View File

@ -5,7 +5,7 @@ consul:
secret_id: "{{ _consul_root_token }}" secret_id: "{{ _consul_root_token }}"
tokens: tokens:
agent: agent:
accessor_id: "{{ _consul_agents_accessor }}" accessor_id: "{{ _consul_agents_accesor }}"
secret_id: "{{ _consul_agents_token }}" secret_id: "{{ _consul_agents_token }}"
vault: vault:
accessor_id: "{{ _consul_vault_accessor }}" accessor_id: "{{ _consul_vault_accessor }}"

7
roles/cni/defaults/main.yml
View File

@ -1,7 +0,0 @@
---
# defaults file for cni
cni_plugins_version: "latest"
cni_plugins_install_path: /opt/cni/bin
cni_plugins_install_consul_cni: false
cni_user: nomad
cni_group: nomad

2
roles/cni/handlers/main.yml
View File

@ -1,2 +0,0 @@
---
# handlers file for cni

28
roles/cni/meta/main.yml
View File

@ -1,28 +0,0 @@
---
# meta file for cni
galaxy_info:
namespace: "ednz_cloud"
role_name: "cni"
author: "Bertrand Lanson"
description: "Install the default cni plugins and the consul-cni plugin"
license: "license (BSD, MIT)"
min_ansible_version: "2.10"
platforms:
- name: Ubuntu
versions:
- focal
- jammy
- noble
- name: Debian
versions:
- bullseye
- bookworm
galaxy_tags:
- "ubuntu"
- "debian"
- "hashicorp"
- "cni"
- "networking"
- "consul"
dependencies: []

70
roles/cni/tasks/cni_install.yml
View File

@ -1,70 +0,0 @@
---
# task/cni_install file for cni
- name: "CNI Plugins | Get release for cni_plugins:{{ cni_plugins_version }}"
vars:
_cni_plugins_url_ext: "{% if cni_plugins_version == 'latest'%}releases{% else %}releases/tags{% endif %}"
ansible.builtin.uri:
url: "{{ cni_github_api }}/{{ cni_github_project }}/{{ _cni_plugins_url_ext }}/{{ cni_plugins_version }}"
return_content: true
register: _cni_plugins_latest_release
- name: "CNI Plugins | Check if cni plugin is already installed"
ansible.builtin.stat:
path: "{{ cni_plugins_install_path }}/.version"
changed_when: false
check_mode: false
register: _cni_plugins_is_installed
- name: "CNI Plugins | Check current cni plugin version"
ansible.builtin.command: "cat {{ cni_plugins_install_path }}/.version"
changed_when: false
check_mode: false
register: _cni_plugins_old_release
when: _cni_plugins_is_installed.stat.exists
- name: "CNI Plugins | Set facts for wanted cni plugins release"
ansible.builtin.set_fact:
cni_plugins_wanted_version: "{{ _cni_plugins_latest_release.json['tag_name']|regex_replace('v', '') }}"
when: _cni_plugins_latest_release.json is defined
and (_cni_plugins_latest_release.json | length > 0)
- name: "CNI Plugins | Set facts for current cni plugins release"
ansible.builtin.set_fact:
cni_plugins_current_version: "{{ _cni_plugins_old_release.stdout | regex_replace('v', '') }}"
when: _cni_plugins_old_release.stdout is defined
and (_cni_plugins_old_release.stdout | length > 0)
- name: "CNI Plugins | Install cni plugins"
when: cni_plugins_current_version is not defined
or cni_plugins_wanted_version not in cni_plugins_current_version
block:
- name: "CNI Plugins | Install cni plugins version:{{ cni_plugins_version }}"
ansible.builtin.get_url:
url: "{{ cni_github_url }}/{{ cni_github_project }}/releases/download/v{{ cni_plugins_wanted_version }}/cni-plugins-linux-{{ cni_architecture }}-v{{ cni_plugins_wanted_version }}.tgz"
dest: "/tmp/cni_plugin.tgz"
mode: "0644"
register: _cni_plugins_download_archive
until: _cni_plugins_download_archive is succeeded
retries: 5
delay: 2
check_mode: false
- name: "CNI Plugins | Unpack cni plugins"
ansible.builtin.unarchive:
src: "/tmp/cni_plugin.tgz"
dest: "{{ cni_plugins_install_path }}"
owner: "{{ cni_user }}"
group: "{{ cni_group }}"
mode: "0755"
remote_src: true
- name: "CNI Plugins | Remove temporary archive"
ansible.builtin.file:
path: "/tmp/cni_plugin.tgz"
state: absent
- name: "CNI Plugins | Update version file"
ansible.builtin.copy:
content: "{{ cni_plugins_wanted_version }}"
dest: "{{ cni_plugins_install_path }}/.version"
mode: "0600"

114
roles/cni/tasks/consul_cni_install.yml
View File

@ -1,114 +0,0 @@
---
# task/consul_cni_install file for cni
- name: "CNI Plugins | Set wanted consul-cni version to latest tag"
ansible.builtin.set_fact:
_cni_consul_cni_wanted_version: "{{ _cni_plugins_latest_release.json['tag_name']|regex_replace('v', '') }}"
when: cni_plugins_version == 'latest'
- name: "CNI Plugins | Set wanted consul-cni version to {{ cni_plugins_version }}"
ansible.builtin.set_fact:
_cni_consul_cni_wanted_version: "{{ cni_plugins_version|regex_replace('v', '') }}"
when: cni_plugins_version != 'latest'
- name: "CNI Plugins | Get current consul-cni version"
block:
- name: "CNI Plugins | Stat consul-cni version file"
ansible.builtin.stat:
path: "{{ cni_plugins_install_path }}/.consul-cni-version"
changed_when: false
check_mode: false
register: _cni_consul_cni_version_file
- name: "CNI Plugins | Get current consul-cni version"
ansible.builtin.slurp:
src: "{{ _cni_consul_cni_version_file.stat.path }}"
when:
- _cni_consul_cni_version_file.stat.exists
- _cni_consul_cni_version_file.stat.isreg
register: _cni_consul_cni_current_version
- name: "CNI Plugins | Download and install consul-cni binary"
when: _cni_consul_cni_current_version is not defined
or _cni_consul_cni_wanted_version != (_cni_consul_cni_current_version.content|default('')|b64decode)
block:
- name: "CNI Plugins | Set consul-cni package name to download"
ansible.builtin.set_fact:
_cni_consul_cni_package_name: >-
consul-cni_{{ _cni_consul_cni_wanted_version }}_linux_{{ cni_deb_architecture_map[ansible_architecture] }}.zip
_cni_consul_cni_shasum_file_name: >-
consul-cni_{{ _cni_consul_cni_wanted_version }}_SHA256SUMS
- name: "CNI Plugins | Download checksum file for consul-cni archive"
ansible.builtin.get_url:
url: "{{ cni_consul_cni_repository_url }}/{{ _cni_consul_cni_wanted_version }}/{{ _cni_consul_cni_shasum_file_name }}"
dest: "/tmp/{{ _cni_consul_cni_shasum_file_name }}"
mode: "0644"
register: _cni_consul_cni_checksum_file
until: _cni_consul_cni_checksum_file is succeeded
retries: 5
delay: 2
check_mode: false
- name: "CNI Plugins | Extract correct checksum from checksum file"
ansible.builtin.command:
cmd: 'grep "{{ _cni_consul_cni_package_name }}" /tmp/{{ _cni_consul_cni_shasum_file_name }}'
changed_when: false
register: _cni_consul_cni_expected_checksum_line
- name: "CNI Plugins | Parse the expected checksum"
ansible.builtin.set_fact:
_cni_consul_cni_expected_checksum: "{{ _cni_consul_cni_expected_checksum_line.stdout.split()[0] }}"
- name: "CNI Plugins | Download consul-cni binary archive"
ansible.builtin.get_url:
url: "{{ cni_consul_cni_repository_url }}/{{ _cni_consul_cni_wanted_version }}/{{ _cni_consul_cni_package_name }}"
dest: "/tmp/{{ _cni_consul_cni_package_name }}"
mode: "0644"
checksum: "sha256:{{ _cni_consul_cni_expected_checksum }}"
register: _cni_consul_cni_binary_archive
until: _cni_consul_cni_binary_archive is succeeded
retries: 5
delay: 2
check_mode: false
- name: "CNI Plugins | Create temporary directory for archive decompression"
ansible.builtin.file:
path: /tmp/consul-cni
state: directory
mode: "0755"
- name: "CNI Plugins | Unpack consul-cni archive"
ansible.builtin.unarchive:
src: "/tmp/{{ _cni_consul_cni_package_name }}"
dest: "/tmp/consul-cni"
owner: "{{ cni_user }}"
group: "{{ cni_group }}"
mode: "0755"
remote_src: true
- name: "CNI Plugins | Copy consul-cni binary to {{ cni_plugins_install_path }}"
ansible.builtin.copy:
src: /tmp/consul-cni/consul-cni
dest: "{{ cni_plugins_install_path }}"
owner: "{{ cni_user }}"
group: "{{ cni_user }}"
mode: "0755"
remote_src: true
force: true
- name: "CNI Plugins | Update consul-cni version file"
ansible.builtin.copy:
content: "{{ _cni_consul_cni_wanted_version }}"
dest: "{{ cni_plugins_install_path }}/.consul-cni-version"
owner: "{{ cni_user }}"
group: "{{ cni_group }}"
mode: "0600"
- name: "CNI Plugins | Cleanup temporary directory"
ansible.builtin.file:
path: "{{ item }}"
state: absent
loop:
- /tmp/consul-cni
- /tmp/{{ _cni_consul_cni_package_name }}
- /tmp/{{ _cni_consul_cni_shasum_file_name }}

10
roles/cni/tasks/main.yml
View File

@ -1,10 +0,0 @@
---
# task/main file for cni
- name: "CNI Plugins | Import prerequisites.yml"
ansible.builtin.include_tasks: prerequisites.yml
- name: "CNI Plugins | Import cni_install.yml"
ansible.builtin.include_tasks: cni_install.yml
- name: "CNI Plugins | Import consul_cni_install.yml"
ansible.builtin.include_tasks: consul_cni_install.yml

21
roles/cni/tasks/prerequisites.yml
View File

@ -1,21 +0,0 @@
---
# task/prerequisites file for cni
- name: "CNI Plugins | Create group {{ cni_group }}"
ansible.builtin.group:
name: "{{ cni_user }}"
state: present
- name: "CNI Plugins | Create user {{ cni_user }}"
ansible.builtin.user:
name: "{{ cni_user }}"
group: "{{ cni_group }}"
shell: /bin/false
state: present
- name: "CNI Plugins | Create directory {{ cni_plugins_install_path }}"
ansible.builtin.file:
path: "{{ cni_plugins_install_path }}"
state: directory
owner: "{{ cni_user }}"
group: "{{ cni_group }}"
mode: "0755"

11
roles/cni/vars/main.yml
View File

@ -1,11 +0,0 @@
---
cni_github_api: https://api.github.com/repos
cni_github_project: containernetworking/plugins
cni_github_url: https://github.com
cni_deb_architecture_map:
x86_64: "amd64"
aarch64: "arm64"
armv7l: "arm"
armv6l: "arm"
cni_architecture: "{{ cni_deb_architecture_map[ansible_architecture] | default(ansible_architecture) }}"
cni_consul_cni_repository_url: https://releases.hashicorp.com/consul-cni

146
roles/consul/defaults/main.yml
View File

@ -1,146 +0,0 @@
---
# defaults file for hashicorp_consul
consul_version: "latest"
consul_start_service: true
consul_config_dir: "/etc/consul.d"
consul_data_dir: "/opt/consul"
consul_certs_dir: "{{ consul_config_dir }}/tls"
consul_logs_dir: "/var/log/consul"
consul_envoy_install: false
consul_envoy_version: latest
consul_extra_files: false
consul_extra_files_list: []
consul_env_variables: {}
#######################
# extra configuration #
#######################
# You should prioritize adding configuration
# to the configuration entries below, this
# option should be used to add pieces of configuration not
# available through standard variables.
consul_extra_configuration: {}
###########
# general #
###########
consul_domain: consul
consul_datacenter: dc1
consul_primary_datacenter: "{{ consul_datacenter }}"
consul_gossip_encryption_key: "{{ 'mysupersecretgossipencryptionkey'|b64encode }}"
consul_enable_script_checks: false
#######################
# leave configuration #
#######################
consul_leave_on_terminate: true
consul_rejoin_after_leave: true
######################
# join configuration #
######################
consul_join_configuration:
retry_join:
- "{{ ansible_default_ipv4.address }}"
retry_interval: 30s
retry_max: 0
########################
# server configuration #
########################
consul_enable_server: true
consul_bootstrap_expect: 1
####################
# ui configuration #
####################
consul_ui_configuration:
enabled: "{{ consul_enable_server }}"
#########################
# address configuration #
#########################
consul_bind_addr: "0.0.0.0"
consul_advertise_addr: "{{ ansible_default_ipv4.address }}"
consul_address_configuration:
client_addr: "{{ consul_bind_addr }}"
bind_addr: "{{ consul_advertise_addr }}"
advertise_addr: "{{ consul_advertise_addr }}"
#####################
# ACL configuration #
#####################
consul_acl_configuration:
enabled: false
default_policy: "deny"
enable_token_persistence: true
# tokens:
# agent: ""
##############################
# service mesh configuration #
##############################
consul_mesh_configuration:
enabled: false
#####################
# DNS configuration #
#####################
consul_dns_configuration:
allow_stale: true
enable_truncate: true
only_passing: true
################
# internal tls #
################
consul_enable_tls: false
consul_tls_configuration:
defaults:
ca_file: "/etc/ssl/certs/ca-certificates.crt"
cert_file: "{{ consul_certs_dir }}/cert.pem"
key_file: "{{ consul_certs_dir }}/key.pem"
verify_incoming: false
verify_outgoing: true
internal_rpc:
verify_server_hostname: true
consul_certificates_extra_files_dir:
[]
# - src: ""
# dest: "{{ consul_certs_dir }}"
###########################
# telemetry configuration #
###########################
consul_enable_prometheus_metrics: false
consul_prometheus_retention_time: 60s
consul_telemetry_configuration: {}
###########
# logging #
###########
consul_log_level: info
consul_enable_log_to_file: false
consul_log_to_file_configuration:
log_file: "{{ consul_logs_dir }}/consul.log"
log_rotate_duration: 24h
log_rotate_max_files: 30

2
roles/consul/handlers/main.yml
View File

@ -1,2 +0,0 @@
---
# handlers file for hashicorp_consul

Some files were not shown because too many files have changed in this diff Show More