Compare commits


18 Commits

Author SHA1 Message Date
30b07ccec4
chore: add more tags to collection metadata
Some checks failed
development / Check commit compliance (push) Successful in 5s
pull-requests-open / Check commit compliance (pull_request) Successful in 9s
build-deploy / Bump version and create changelog with commitizen (push) Has been cancelled
2024-09-16 20:15:24 +02:00
3a6586719b
ci: add nomad and consul tests, only run tests when they change
All checks were successful
development / Check commit compliance (push) Successful in 5s
pull-requests-open / Check commit compliance (pull_request) Successful in 7s
2024-09-16 19:43:52 +02:00
74180864f8
chore: remove unused dependencies from roles/requirements.yml
All checks were successful
development / Check commit compliance (push) Successful in 5s
test / Retrieve Credentials (pull_request) Successful in 1s
pull-requests-open / Check commit compliance (pull_request) Successful in 8s
test / end_to_end_vault (vault_default, debian11) (pull_request) Successful in 1m37s
test / end_to_end_vault (vault_default, debian12) (pull_request) Successful in 1m59s
test / end_to_end_vault (vault_default, ubuntu2004) (pull_request) Successful in 1m38s
test / end_to_end_vault (vault_default, ubuntu2204) (pull_request) Successful in 1m43s
test / end_to_end_vault (vault_default, ubuntu2404) (pull_request) Successful in 1m53s
test / end_to_end_vault (vault_with_raft_enabled, debian11) (pull_request) Successful in 1m45s
test / end_to_end_vault (vault_with_raft_enabled, debian12) (pull_request) Successful in 1m56s
test / end_to_end_vault (vault_with_raft_enabled, ubuntu2004) (pull_request) Successful in 1m49s
test / end_to_end_vault (vault_with_raft_enabled, ubuntu2204) (pull_request) Successful in 1m50s
test / end_to_end_vault (vault_with_raft_enabled, ubuntu2404) (pull_request) Successful in 1m52s
2024-09-15 23:21:04 +02:00
9fad4928b2
ci: pass secrets to reusable workflow
Some checks failed
development / Check commit compliance (push) Successful in 5s
test / Retrieve Credentials (pull_request) Successful in 1s
pull-requests-open / Check commit compliance (pull_request) Successful in 9s
test / end_to_end_vault (vault_default, debian11) (pull_request) Failing after 13s
test / end_to_end_vault (vault_default, debian12) (pull_request) Failing after 13s
test / end_to_end_vault (vault_default, ubuntu2004) (pull_request) Failing after 6s
test / end_to_end_vault (vault_default, ubuntu2204) (pull_request) Failing after 6s
test / end_to_end_vault (vault_default, ubuntu2404) (pull_request) Failing after 6s
test / end_to_end_vault (vault_with_raft_enabled, debian11) (pull_request) Failing after 6s
test / end_to_end_vault (vault_with_raft_enabled, debian12) (pull_request) Failing after 6s
test / end_to_end_vault (vault_with_raft_enabled, ubuntu2004) (pull_request) Failing after 6s
test / end_to_end_vault (vault_with_raft_enabled, ubuntu2204) (pull_request) Failing after 6s
test / end_to_end_vault (vault_with_raft_enabled, ubuntu2404) (pull_request) Failing after 6s
2024-09-15 23:08:47 +02:00
2441791ffe
ci: pass secrets to reusable workflow
Some checks failed
development / Check commit compliance (push) Successful in 5s
test / Retrieve Credentials (pull_request) Successful in 1s
pull-requests-open / Check commit compliance (pull_request) Successful in 10s
test / end_to_end_vault (debian11, vault_default) (pull_request) Failing after 9s
test / end_to_end_vault (debian11, vault_with_raft_enabled) (pull_request) Failing after 9s
test / end_to_end_vault (debian12, vault_default) (pull_request) Failing after 2s
test / end_to_end_vault (debian12, vault_with_raft_enabled) (pull_request) Failing after 2s
test / end_to_end_vault (ubuntu2004, vault_default) (pull_request) Failing after 2s
test / end_to_end_vault (ubuntu2004, vault_with_raft_enabled) (pull_request) Failing after 2s
test / end_to_end_vault (ubuntu2204, vault_default) (pull_request) Failing after 2s
test / end_to_end_vault (ubuntu2204, vault_with_raft_enabled) (pull_request) Failing after 2s
test / end_to_end_vault (ubuntu2404, vault_default) (pull_request) Failing after 2s
test / end_to_end_vault (ubuntu2404, vault_with_raft_enabled) (pull_request) Failing after 4s
2024-09-15 23:04:14 +02:00
c291ff2f68
ci: pass secrets to reusable workflow
Some checks failed
development / Check commit compliance (push) Successful in 6s
test / Retrieve Credentials (pull_request) Successful in 1s
pull-requests-open / Check commit compliance (pull_request) Successful in 12s
test / end_to_end_vault (debian11, vault_default) (pull_request) Failing after 33s
test / end_to_end_vault (debian12, vault_default) (pull_request) Failing after 2s
test / end_to_end_vault (debian11, vault_with_raft_enabled) (pull_request) Failing after 40s
test / end_to_end_vault (debian12, vault_with_raft_enabled) (pull_request) Failing after 2s
test / end_to_end_vault (ubuntu2004, vault_default) (pull_request) Failing after 2s
test / end_to_end_vault (ubuntu2004, vault_with_raft_enabled) (pull_request) Failing after 2s
test / end_to_end_vault (ubuntu2204, vault_default) (pull_request) Failing after 2s
test / end_to_end_vault (ubuntu2204, vault_with_raft_enabled) (pull_request) Failing after 2s
test / end_to_end_vault (ubuntu2404, vault_default) (pull_request) Failing after 2s
test / end_to_end_vault (ubuntu2404, vault_with_raft_enabled) (pull_request) Failing after 2s
2024-09-15 23:01:50 +02:00
65cccdbae5
ci: pass secrets to reusable workflow
Some checks failed
development / Check commit compliance (push) Successful in 5s
test / Retrieve Credentials (pull_request) Successful in 2s
test / end_to_end_vault (debian11, vault_default) (pull_request) Failing after 6s
test / end_to_end_vault (debian11, vault_with_raft_enabled) (pull_request) Failing after 8s
test / end_to_end_vault (debian12, vault_default) (pull_request) Failing after 0s
test / end_to_end_vault (debian12, vault_with_raft_enabled) (pull_request) Failing after 1s
test / end_to_end_vault (ubuntu2004, vault_default) (pull_request) Failing after 0s
test / end_to_end_vault (ubuntu2004, vault_with_raft_enabled) (pull_request) Failing after 1s
test / end_to_end_vault (ubuntu2204, vault_default) (pull_request) Failing after 0s
test / end_to_end_vault (ubuntu2204, vault_with_raft_enabled) (pull_request) Failing after 1s
test / end_to_end_vault (ubuntu2404, vault_default) (pull_request) Failing after 0s
test / end_to_end_vault (ubuntu2404, vault_with_raft_enabled) (pull_request) Failing after 1s
pull-requests-open / Check commit compliance (pull_request) Successful in 10s
2024-09-15 23:00:26 +02:00
530034556d
ci: pass secrets to reusable workflow
All checks were successful
development / Check commit compliance (push) Successful in 5s
test / end_to_end_vault (debian11, vault_default) (pull_request) Successful in 8s
test / end_to_end_vault (debian11, vault_with_raft_enabled) (pull_request) Successful in 7s
test / end_to_end_vault (debian12, vault_default) (pull_request) Successful in 1s
test / end_to_end_vault (debian12, vault_with_raft_enabled) (pull_request) Successful in 2s
test / end_to_end_vault (ubuntu2004, vault_default) (pull_request) Successful in 1s
test / end_to_end_vault (ubuntu2004, vault_with_raft_enabled) (pull_request) Successful in 2s
test / end_to_end_vault (ubuntu2204, vault_default) (pull_request) Successful in 1s
test / end_to_end_vault (ubuntu2204, vault_with_raft_enabled) (pull_request) Successful in 2s
test / end_to_end_vault (ubuntu2404, vault_default) (pull_request) Successful in 1s
test / end_to_end_vault (ubuntu2404, vault_with_raft_enabled) (pull_request) Successful in 2s
pull-requests-open / Check commit compliance (pull_request) Successful in 9s
2024-09-15 22:51:47 +02:00
d4c4bb1cf1
ci: do not use matrix inside reusable workflow
Some checks failed
development / Check commit compliance (push) Successful in 5s
test / end_to_end_vault (debian11, vault_default) (pull_request) Failing after 7s
test / end_to_end_vault (debian12, vault_default) (pull_request) Failing after 2s
test / end_to_end_vault (debian11, vault_with_raft_enabled) (pull_request) Failing after 7s
test / end_to_end_vault (debian12, vault_with_raft_enabled) (pull_request) Failing after 1s
test / end_to_end_vault (ubuntu2004, vault_default) (pull_request) Failing after 2s
test / end_to_end_vault (ubuntu2004, vault_with_raft_enabled) (pull_request) Failing after 1s
test / end_to_end_vault (ubuntu2204, vault_default) (pull_request) Failing after 2s
test / end_to_end_vault (ubuntu2204, vault_with_raft_enabled) (pull_request) Failing after 1s
test / end_to_end_vault (ubuntu2404, vault_default) (pull_request) Failing after 2s
test / end_to_end_vault (ubuntu2404, vault_with_raft_enabled) (pull_request) Failing after 1s
pull-requests-open / Check commit compliance (pull_request) Successful in 11s
2024-09-15 22:47:29 +02:00
844e2584de
ci: fix path for workflow
Some checks are pending
test / end_to_end_vault (pull_request) Waiting to run
development / Check commit compliance (push) Successful in 5s
pull-requests-open / Check commit compliance (pull_request) Successful in 12s
2024-09-15 22:43:11 +02:00
32e09b9cc2
ci: test reusable workflows
Some checks failed
development / Check commit compliance (push) Successful in 5s
test / end_to_end_vault (pull_request) Failing after 5s
pull-requests-open / Check commit compliance (pull_request) Successful in 10s
2024-09-15 22:42:29 +02:00
cdb94d9848
test: adjust globals.yml for tls and no_tls multinode setups
All checks were successful
development / Check commit compliance (push) Successful in 5s
pull-requests-open / Check commit compliance (pull_request) Successful in 9s
2024-09-15 21:38:55 +02:00
7567e09191
feat: add default variables files for nomad and vault
All checks were successful
development / Check commit compliance (push) Successful in 5s
2024-09-15 21:37:10 +02:00
a1f336e7e7
feat: add override options for all consul variables
All checks were successful
development / Check commit compliance (push) Successful in 5s
2024-09-15 21:36:29 +02:00
bf73df226a
feat: use override variables in globals.yml
All checks were successful
development / Check commit compliance (push) Successful in 26s
2024-09-11 22:20:53 +02:00
a5c72c969f
feat: add override options for vault variables
2024-09-11 22:20:28 +02:00
0e89312874
feat: add override options for nomad variables
2024-09-11 22:20:12 +02:00
c551fb7b04
feat: add version documentation to nomad_acl_bootstrap module
2024-09-10 22:03:46 +02:00
16 changed files with 1206 additions and 898 deletions

View File

@ -0,0 +1,48 @@
---
name: test
on:
pull_request:
types:
- opened
- edited
- synchronize
branches:
- main
paths:
- roles/consul/**
jobs:
retrieve-credentials:
name: Retrieve Credentials
runs-on: ubuntu-latest
outputs:
registry-username: ${{ steps.import-secrets.outputs.GITEA_ACTIONS_USERNAME }}
registry-token: ${{ steps.import-secrets.outputs.GITEA_ACTIONS_TOKEN }}
steps:
- name: Get secrets from vault
id: import-secrets
uses: hashicorp/vault-action@v3
with:
url: "https://vault.ednz.fr"
method: approle
roleId: ${{ secrets.VAULT_APPROLE_ID }}
secretId: ${{ secrets.VAULT_APPROLE_SECRET_ID }}
secrets: |
kv/data/applications/gitea/users/actions username | GITEA_ACTIONS_USERNAME ;
kv/data/applications/gitea/users/actions token_write | GITEA_ACTIONS_TOKEN ;
end_to_end_vault:
needs: retrieve-credentials
strategy:
matrix:
test_os:
["debian11", "debian12", "ubuntu2004", "ubuntu2204", "ubuntu2404"]
scenario: ["consul_default", "consul_with_acl_enabled"]
uses: ./.gitea/workflows/e2e-tests.yml
with:
role: vault
scenario: ${{ matrix.scenario }}
test_os: ${{ matrix.test_os }}
secrets:
GITEA_ACTIONS_USERNAME: ${{ needs.retrieve-credentials.outputs.registry-username }}
GITEA_ACTIONS_TOKEN: ${{ needs.retrieve-credentials.outputs.registry-token }}
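Review bot: the job in this consul trigger workflow is named `end_to_end_vault` and passes `role: vault` to the reusable workflow, while the file is scoped to `roles/consul/**` and runs the `consul_default` / `consul_with_acl_enabled` scenarios; rename the job to `end_to_end_consul` and pass `role: consul` so the status check and the `role` input describe what is actually tested. A second, related point: all three new trigger workflows carry `name: test`, which is why every status line in the commit list reads `test / end_to_end_vault`; giving each file a distinct name (for example `test-consul`) lets a failing check be attributed to the right role at a glance.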

View File

@ -0,0 +1,48 @@
---
name: test
on:
pull_request:
types:
- opened
- edited
- synchronize
branches:
- main
paths:
- roles/nomad/**
jobs:
retrieve-credentials:
name: Retrieve Credentials
runs-on: ubuntu-latest
outputs:
registry-username: ${{ steps.import-secrets.outputs.GITEA_ACTIONS_USERNAME }}
registry-token: ${{ steps.import-secrets.outputs.GITEA_ACTIONS_TOKEN }}
steps:
- name: Get secrets from vault
id: import-secrets
uses: hashicorp/vault-action@v3
with:
url: "https://vault.ednz.fr"
method: approle
roleId: ${{ secrets.VAULT_APPROLE_ID }}
secretId: ${{ secrets.VAULT_APPROLE_SECRET_ID }}
secrets: |
kv/data/applications/gitea/users/actions username | GITEA_ACTIONS_USERNAME ;
kv/data/applications/gitea/users/actions token_write | GITEA_ACTIONS_TOKEN ;
end_to_end_vault:
needs: retrieve-credentials
strategy:
matrix:
test_os:
["debian11", "debian12", "ubuntu2004", "ubuntu2204", "ubuntu2404"]
scenario: ["nomad_default", "nomad_with_acl_enabled"]
uses: ./.gitea/workflows/e2e-tests.yml
with:
role: vault
scenario: ${{ matrix.scenario }}
test_os: ${{ matrix.test_os }}
secrets:
GITEA_ACTIONS_USERNAME: ${{ needs.retrieve-credentials.outputs.registry-username }}
GITEA_ACTIONS_TOKEN: ${{ needs.retrieve-credentials.outputs.registry-token }}
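Review bot: same copy-paste slip as in the consul workflow: `role: vault` and a job named `end_to_end_vault` inside a workflow scoped to `roles/nomad/**` that runs `nomad_default` / `nomad_with_acl_enabled`; this should read `role: nomad` / `end_to_end_nomad`. Separately, the `types:` list includes `edited`, which fires on title or description edits and re-runs the whole 5x2 matrix (each run fetching credentials from Vault) although no code changed; `opened` and `synchronize` already cover every push, so consider dropping `edited`.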

View File

@ -0,0 +1,49 @@
---
name: test
on:
pull_request:
types:
- opened
- edited
- synchronize
branches:
- main
paths:
- roles/vault/**
- plugins/modules/vault_unseal.py
jobs:
retrieve-credentials:
name: Retrieve Credentials
runs-on: ubuntu-latest
outputs:
registry-username: ${{ steps.import-secrets.outputs.GITEA_ACTIONS_USERNAME }}
registry-token: ${{ steps.import-secrets.outputs.GITEA_ACTIONS_TOKEN }}
steps:
- name: Get secrets from vault
id: import-secrets
uses: hashicorp/vault-action@v3
with:
url: "https://vault.ednz.fr"
method: approle
roleId: ${{ secrets.VAULT_APPROLE_ID }}
secretId: ${{ secrets.VAULT_APPROLE_SECRET_ID }}
secrets: |
kv/data/applications/gitea/users/actions username | GITEA_ACTIONS_USERNAME ;
kv/data/applications/gitea/users/actions token_write | GITEA_ACTIONS_TOKEN ;
end_to_end_vault:
needs: retrieve-credentials
strategy:
matrix:
test_os:
["debian11", "debian12", "ubuntu2004", "ubuntu2204", "ubuntu2404"]
scenario: ["vault_default", "vault_with_raft_enabled"]
uses: ./.gitea/workflows/e2e-tests.yml
with:
role: vault
scenario: ${{ matrix.scenario }}
test_os: ${{ matrix.test_os }}
secrets:
GITEA_ACTIONS_USERNAME: ${{ needs.retrieve-credentials.outputs.registry-username }}
GITEA_ACTIONS_TOKEN: ${{ needs.retrieve-credentials.outputs.registry-token }}

View File

@ -0,0 +1,47 @@
---
name: End-to-end tests
on:
workflow_call:
inputs:
role:
required: true
type: string
description: "Which role should be tested"
scenario:
required: true
type: string
description: "Which scenarios should be run"
test_os:
required: true
type: string
description: "On which OS to run the tests"
secrets:
GITEA_ACTIONS_USERNAME:
required: true
GITEA_ACTIONS_TOKEN:
required: true
jobs:
molecule-test:
name: Molecule tests
runs-on: ubuntu-latest
container:
image: git.ednz.fr/container-factory/ansible-runner:act-latest
credentials:
username: ${{ secrets.GITEA_ACTIONS_USERNAME }}
password: ${{ secrets.GITEA_ACTIONS_TOKEN }}
env:
ANSIBLE_HOST_KEY_CHECKING: "false"
ANSIBLE_FORCE_COLOR: "true"
ANSIBLE_PYTHON_INTERPRETER: /usr/bin/python3
steps:
- name: Checkout
uses: actions/checkout@v3
- name: "Molecule test"
run: molecule test -s ${{ inputs.scenario }}
shell: bash
working-directory: ${{ gitea.workspace }}
env:
MOLECULE_TEST_OS: ${{ inputs.test_os }}
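Review bot: `inputs.scenario` is expanded directly into the shell line (`run: molecule test -s ${{ inputs.scenario }}`) while `test_os` is handed over through `env:`; treat both the same way, e.g. `MOLECULE_SCENARIO: ${{ inputs.scenario }}` under `env:` and `molecule test -s "$MOLECULE_SCENARIO"` in `run:`, so an input value is never interpreted as shell syntax regardless of which caller supplies it. The required `role` input is declared with a description but never referenced by the job, so either use it (for example to select the working directory) or drop it from `workflow_call.inputs`. `ANSIBLE_HOST_KEY_CHECKING: "false"` is acceptable for throwaway Molecule instances; a one-line comment saying so would stop it from being copied into non-test playbook configs.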

View File

@ -11,7 +11,7 @@ license_file: "LICENSE"
# A list of tags you want to associate with the collection for indexing/searching. A tag name has the same character
# requirements as 'namespace' and 'name'
tags: ["tools"]
tags: ["tools", "hashicorp", "nomad", "vault", "consul"]
dependencies: {}
repository: https://git.ednz.fr/ansible-collections/hashistack
documentation: http://docs.example.com
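Review bot: `documentation: http://docs.example.com` is still the scaffold placeholder, sitting right under the real `repository: https://git.ednz.fr/ansible-collections/hashistack` line that this hunk touches; point it at the actual documentation or remove the key before the collection metadata is published. The tag change itself is fine: `tools` is kept and `hashicorp`, `nomad`, `vault`, `consul` are added.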

View File

@ -1,293 +1,91 @@
---
# Molecule specific variables
##########################
# General options ########
##########################
###################
# General options #
###################
# enable_haproxy: "yes"
# enable_vault: "yes"
# enable_consul: "yes"
# enable_nomad: "yes"
enable_vault: "yes"
enable_consul: "yes"
enable_nomad: "yes"
# haproxy_version: "2.8"
nomad_version: "1.8.2"
nomad_version: "1.8.3"
# consul_version: "1.18.1"
# vault_version: "1.16.2"
# consul_fqdn: consul.ednz.lab
# vault_fqdn: vault.ednz.lab
# nomad_fqdn: nomad.ednz.lab
# hashistack_external_vip_interface: "eth0"
# hashistack_external_vip_addr: "192.168.121.100"
# hashistack_internal_vip_interface: "{{ hashistack_external_vip_interface }}"
# hashistack_internal_vip_addr: "{{ hashistack_external_vip_addr }}"
vault_version: "1.17.2"
api_interface: "eth1"
# api_interface_address: "{{ ansible_facts[api_interface]['ipv4']['address'] }}"
########################
# external tls options #
########################
# enable_tls_external: false
# external_tls_externally_managed_certs: false
###################
# logging options #
###################
enable_log_to_file: true
########################
# internal tls options #
########################
# enable_tls_internal: false
# internal_tls_externally_managed_certs: false
#####################################################
# #
##########
# Consul #
# #
#####################################################
##########
# consul_domain: consul
# consul_datacenter: dc1
# consul_primary_datacenter: dc1
# consul_leave_on_terminate: true
# consul_rejoin_after_leave: true
# consul_enable_script_checks: true
# consul_gossip_encryption_key: "{{ 'mysupersecretgossipencryptionkey'|b64encode }}"
# hashistack_consul_domain: consul
# hashistack_consul_datacenter: dc1
# hashistack_consul_primary_datacenter: "{{ consul_datacenter }}"
# hashistack_consul_gossip_encryption_key: "{{ _credentials.consul.gossip_encryption_key }}"
# hashistack_consul_enable_script_checks: false
################################
# consul address configuration #
################################
# hashistack_consul_extra_files_list: []
# hashistack_consul_extra_configuration: {}
# consul_address_configuration:
# # The address to which Consul will bind client interfaces,
# # including the HTTP and DNS servers.
# client_addr: "0.0.0.0"
# # The address that should be bound to for internal cluster communications.
# bind_addr: "{{ api_interface_address }}"
# # The advertise address is used to change the address that we advertise to other nodes in the cluster.
# advertise_addr: "{{ api_interface_address }}"
# hashistack_consul_enable_tls: "{{ enable_tls_internal }}"
############################
# consul ACL configuration #
############################
# hashistack_consul_log_level: info
# consul_acl_configuration:
# enabled: true
# default_policy: "deny" # can be allow or deny
# enable_token_persistence: true
############################
# consul DNS configuration #
############################
# consul_dns_configuration:
# allow_stale: true
# enable_truncate: true
# only_passing: true
###########################
# consul ui configuration #
###########################
# consul_ui_configuration:
# enabled: "{{ 'consul_servers' in group_names }}"
#####################################
# consul service mesh configuration #
#####################################
# consul_mesh_configuration:
# enabled: true
############################
# consul tls configuration #
############################
# consul_enable_tls: "{{ enable_tls_internal }}"
# consul_tls_configuration:
# defaults:
# ca_file: "/etc/ssl/certs/ca-certificates.crt"
# cert_file: "{{ consul_certificates_directory }}/cert.pem"
# key_file: "{{ consul_certificates_directory }}/key.pem"
# verify_incoming: false
# verify_outgoing: true
# internal_rpc:
# verify_server_hostname: true
############################
# consul container volumes #
############################
# extra_consul_container_volumes: []
##############################
# consul extra configuration #
##############################
# consul_extra_configuration: {}
# consul_extra_files_list: []
#####################################################
# #
#########
# Vault #
# #
#####################################################
#########
# vault_cluster_name: vault
# vault_enable_ui: true
# vault_seal_configuration:
# key_shares: 3
# key_threshold: 2
# hashistack_vault_cluster_name: vault
# hashistack_vault_bind_addr: "0.0.0.0"
# hashistack_vault_cluster_addr: "{{ api_interface_address }}"
# hashistack_vault_enable_ui: true
# hashistack_vault_disable_mlock: false
# hashistack_vault_disable_cache: false
#################
# vault storage #
#################
# hashistack_vault_extra_files_list: []
# hashistack_vault_extra_configuration: {}
# vault_storage_configuration:
# raft:
# path: "{{ hashicorp_vault_data_dir }}/data"
# node_id: "{{ ansible_hostname }}"
# retry_join: |
# [
# {% for host in groups['vault_servers'] %}
# {
# 'leader_api_addr': '{{ "https" if vault_enable_tls else "http"}}://{{ hostvars[host].api_interface_address }}:8200'
# }{% if not loop.last %},{% endif %}
# {% endfor %}
# ]
# hashistack_vault_enable_tls: "{{ enable_tls_internal }}"
##################
# vault listener #
##################
# hashistack_vault_enable_service_registration: "{{ enable_consul | bool }}"
# vault_enable_tls: "{{ enable_tls_internal }}"
# vault_tls_verify: false
# vault_listener_configuration:
# tcp:
# address: "0.0.0.0:8200"
# tls_disable: true
# hashistack_vault_enable_plugins: false
# vault_tls_listener_configuration:
# tcp:
# tls_disable: false
# tls_cert_file: "{{ vault_certificates_directory }}/cert.pem"
# tls_key_file: "{{ vault_certificates_directory }}/key.pem"
# tls_disable_client_certs: true
# hashistack_vault_log_level: info
# vault_extra_listener_configuration: {}
########################
# service registration #
########################
# vault_enable_service_registration: false
# vault_service_registration_configuration:
# consul:
# address: "127.0.0.1:8500"
# scheme: "http"
# token: ""
#################
# vault plugins #
#################
# vault_enable_plugins: false
###########
# logging #
###########
# vault_enable_log_to_file: false
# vault_logging_configuration:
# log_level: info
# log_format: standard
# log_rotate_duration: 24h
# log_rotate_max_files: 30
###########################
# vault container volumes #
###########################
# extra_vault_container_volumes: []
#############################
# vault extra configuration #
#############################
# vault_extra_configuration: {}
# vault_extra_files_list: []
#####################################################
# #
#########
# Nomad #
# #
#####################################################
#########
# nomad_datacenter: dc1
# nomad_region: global
# hashistack_nomad_region: global
# hashistack_nomad_datacenter: dc1
###########################
# nomad ACL configuration #
###########################
# hashistack_nomad_extra_files_list: []
# hashistack_nomad_extra_configuration: {}
# nomad_acl_configuration:
# enabled: true
# token_ttl: 30s
# policy_ttl: 60s
# role_ttl: 60s
# hashistack_nomad_autopilot_configuration: {}
############################
# nomad consul integration #
############################
# hashistack_nomad_driver_enable_docker: true
# hashistack_nomad_driver_enable_podman: false
# hashistack_nomad_driver_enable_raw_exec: false
# hashistack_nomad_driver_enable_java: false
# hashistack_nomad_driver_enable_qemu: false
# nomad_enable_consul_integration: "{{ enable_consul | bool }}"
# nomad_consul_integration_configuration:
# address: "127.0.0.1:{{ hashicorp_consul_configuration.ports.https if consul_enable_tls else hashicorp_consul_configuration.ports.http }}"
# auto_advertise: true
# ssl: "{{ consul_enable_tls | bool }}"
# token: "{{ _credentials.consul.tokens.nomad.server.secret_id if nomad_enable_server else _credentials.consul.tokens.nomad.client.secret_id}}"
# tags: []
# hashistack_nomad_driver_configuration: {}
############################
# nomad vault integration #
############################
# hashistack_nomad_log_level: info
# nomad_enable_vault_integration: false
# nomad_vault_integration_configuration: {}
###############################
# nomad drivers configuration #
###############################
# nomad_driver_enable_docker: yes
# nomad_driver_enable_podman: no
# nomad_driver_enable_raw_exec: no
# nomad_driver_enable_java: no
# nomad_driver_enable_qemu: no
# nomad_driver_extra_configuration: {}
######################
# nomad internal tls #
######################
# nomad_enable_tls: "{{ enable_tls_internal }}"
# nomad_tls_configuration:
# http: true
# rpc: true
# ca_file: "/etc/ssl/certs/ca-certificates.crt"
# cert_file: "{{ nomad_certificates_directory }}/cert.pem"
# key_file: "{{ nomad_certificates_directory }}/key.pem"
# verify_server_hostname: true
# nomad_certificates_directory: "{{ hashicorp_nomad_config_dir }}/tls"
# nomad_certificates_extra_files_dir:
# - src: "{{ hashistack_sub_configuration_directories['certificates'] }}/nomad/{{ inventory_hostname }}"
# dest: "{{ nomad_certificates_directory }}"
#############################
# nomad extra configuration #
#############################
# nomad_extra_configuration: {}
# nomad_extra_files_list: []
# hashistack_nomad_enable_tls: "{{ enable_tls_internal }}"
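Review bot: the rewrite removes the explicit ACL blocks (`consul_acl_configuration: enabled: true` with `default_policy: "deny"`, and `nomad_acl_configuration: enabled: true` with the TTLs) and the consul `verify_incoming` / `verify_outgoing` / `verify_server_hostname` settings, and no `hashistack_*` counterpart for them appears in the new lines, yet the workflows in this PR run `consul_with_acl_enabled` and `nomad_with_acl_enabled`; confirm those scenarios enable ACLs in their own scenario files rather than silently testing with ACLs off. Two smaller points: `nomad_version` (`"1.8.3"`) and `vault_version` (`"1.17.2"`) are now pinned but `consul_version` stays commented out, so the consul tests run on whatever the role default is; pin it as well for reproducible runs. Replacing the hard-coded `'mysupersecretgossipencryptionkey'|b64encode` with `_credentials.consul.gossip_encryption_key` is the right direction.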

View File

@ -7,38 +7,26 @@ hashistack_ca_directory_owner: "{{ lookup('env', 'USER') }}"
hashistack_ca_domain: ednz.lab
hashistack_ca_intermediate_name_constraints_critical: false
##########################
# General options ########
##########################
###################
# General options #
###################
# enable_haproxy: "yes"
# enable_vault: "yes"
# enable_consul: "yes"
# enable_nomad: "yes"
enable_vault: "yes"
enable_consul: "yes"
enable_nomad: "yes"
# haproxy_version: "2.8"
nomad_version: "1.8.3"
# consul_version: "1.18.1"
vault_version: "1.17.2"
# consul_fqdn: consul.ednz.lab
# vault_fqdn: vault.ednz.lab
# nomad_fqdn: nomad.ednz.lab
# hashistack_external_vip_interface: "eth0"
# hashistack_external_vip_addr: "192.168.121.100"
# hashistack_internal_vip_interface: "{{ hashistack_external_vip_interface }}"
# hashistack_internal_vip_addr: "{{ hashistack_external_vip_addr }}"
api_interface: "eth1"
# api_interface_address: "{{ ansible_facts[api_interface]['ipv4']['address'] }}"
########################
# external tls options #
########################
###################
# logging options #
###################
enable_tls_external: true
# external_tls_externally_managed_certs: false
enable_log_to_file: true
########################
# internal tls options #
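Review bot: after this hunk `enable_tls_external: true` sits directly under the new `# logging options #` header, because the `# external tls options #` header above it is deleted while the setting itself is kept as context and `enable_log_to_file: true` is added below it; keep the external-tls header, or move `enable_tls_external` next to `enable_tls_internal` under `# internal tls options #`, so the two TLS switches for the multinode setup stay findable together.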
@ -46,254 +34,65 @@ enable_tls_external: true
enable_tls_internal: true
# internal_tls_externally_managed_certs: false
#####################################################
# #
##########
# Consul #
# #
#####################################################
##########
# consul_domain: consul
# consul_datacenter: dc1
# consul_primary_datacenter: dc1
# consul_leave_on_terminate: true
# consul_rejoin_after_leave: true
# consul_enable_script_checks: true
# consul_gossip_encryption_key: "{{ 'mysupersecretgossipencryptionkey'|b64encode }}"
# hashistack_consul_domain: consul
# hashistack_consul_datacenter: dc1
# hashistack_consul_primary_datacenter: "{{ consul_datacenter }}"
# hashistack_consul_gossip_encryption_key: "{{ _credentials.consul.gossip_encryption_key }}"
# hashistack_consul_enable_script_checks: false
################################
# consul address configuration #
################################
# hashistack_consul_extra_files_list: []
# hashistack_consul_extra_configuration: {}
# consul_address_configuration:
# # The address to which Consul will bind client interfaces,
# # including the HTTP and DNS servers.
# client_addr: "0.0.0.0"
# # The address that should be bound to for internal cluster communications.
# bind_addr: "{{ api_interface_address }}"
# # The advertise address is used to change the address that we advertise to other nodes in the cluster.
# advertise_addr: "{{ api_interface_address }}"
# hashistack_consul_enable_tls: "{{ enable_tls_internal }}"
############################
# consul ACL configuration #
############################
# hashistack_consul_log_level: info
# consul_acl_configuration:
# enabled: true
# default_policy: "deny" # can be allow or deny
# enable_token_persistence: true
############################
# consul DNS configuration #
############################
# consul_dns_configuration:
# allow_stale: true
# enable_truncate: true
# only_passing: true
###########################
# consul ui configuration #
###########################
# consul_ui_configuration:
# enabled: "{{ 'consul_servers' in group_names }}"
#####################################
# consul service mesh configuration #
#####################################
# consul_mesh_configuration:
# enabled: true
############################
# consul tls configuration #
############################
# consul_enable_tls: "{{ enable_tls_internal }}"
# consul_tls_configuration:
# defaults:
# ca_file: "/etc/ssl/certs/ca-certificates.crt"
# cert_file: "{{ consul_certificates_directory }}/cert.pem"
# key_file: "{{ consul_certificates_directory }}/key.pem"
# verify_incoming: false
# verify_outgoing: true
# internal_rpc:
# verify_server_hostname: true
############################
# consul container volumes #
############################
# extra_consul_container_volumes: []
##############################
# consul extra configuration #
##############################
# consul_extra_configuration: {}
# consul_extra_files_list: []
#####################################################
# #
#########
# Vault #
# #
#####################################################
#########
# vault_cluster_name: vault
# vault_enable_ui: true
# vault_seal_configuration:
# key_shares: 3
# key_threshold: 2
# hashistack_vault_cluster_name: vault
# hashistack_vault_bind_addr: "0.0.0.0"
# hashistack_vault_cluster_addr: "{{ api_interface_address }}"
# hashistack_vault_enable_ui: true
# hashistack_vault_disable_mlock: false
# hashistack_vault_disable_cache: false
#################
# vault storage #
#################
# hashistack_vault_extra_files_list: []
# hashistack_vault_extra_configuration: {}
# vault_storage_configuration:
# raft:
# path: "{{ hashicorp_vault_data_dir }}/data"
# node_id: "{{ ansible_hostname }}"
# retry_join: |
# [
# {% for host in groups['vault_servers'] %}
# {
# 'leader_api_addr': '{{ "https" if vault_enable_tls else "http"}}://{{ hostvars[host].api_interface_address }}:8200'
# }{% if not loop.last %},{% endif %}
# {% endfor %}
# ]
# hashistack_vault_enable_tls: "{{ enable_tls_internal }}"
##################
# vault listener #
##################
# hashistack_vault_enable_service_registration: "{{ enable_consul | bool }}"
# vault_enable_tls: "{{ enable_tls_internal }}"
# vault_tls_verify: false
# vault_listener_configuration:
# tcp:
# address: "0.0.0.0:8200"
# tls_disable: true
# hashistack_vault_enable_plugins: false
# vault_tls_listener_configuration:
# tcp:
# tls_disable: false
# tls_cert_file: "{{ vault_certificates_directory }}/cert.pem"
# tls_key_file: "{{ vault_certificates_directory }}/key.pem"
# tls_disable_client_certs: true
# hashistack_vault_log_level: info
# vault_extra_listener_configuration: {}
########################
# service registration #
########################
# vault_enable_service_registration: false
# vault_service_registration_configuration:
# consul:
# address: "127.0.0.1:8500"
# scheme: "http"
# token: ""
#################
# vault plugins #
#################
# vault_enable_plugins: false
###########
# logging #
###########
# vault_enable_log_to_file: false
# vault_logging_configuration:
# log_level: info
# log_format: standard
# log_rotate_duration: 24h
# log_rotate_max_files: 30
###########################
# vault container volumes #
###########################
# extra_vault_container_volumes: []
#############################
# vault extra configuration #
#############################
# vault_extra_configuration: {}
# vault_extra_files_list: []
#####################################################
# #
#########
# Nomad #
# #
#####################################################
#########
# nomad_datacenter: dc1
# nomad_region: global
# hashistack_nomad_region: global
# hashistack_nomad_datacenter: dc1
###########################
# nomad ACL configuration #
###########################
# hashistack_nomad_extra_files_list: []
# hashistack_nomad_extra_configuration: {}
# nomad_acl_configuration:
# enabled: true
# token_ttl: 30s
# policy_ttl: 60s
# role_ttl: 60s
# hashistack_nomad_autopilot_configuration: {}
############################
# nomad consul integration #
############################
# hashistack_nomad_driver_enable_docker: true
# hashistack_nomad_driver_enable_podman: false
# hashistack_nomad_driver_enable_raw_exec: false
# hashistack_nomad_driver_enable_java: false
# hashistack_nomad_driver_enable_qemu: false
# nomad_enable_consul_integration: "{{ enable_consul | bool }}"
# nomad_consul_integration_configuration:
# address: "127.0.0.1:{{ hashicorp_consul_configuration.ports.https if consul_enable_tls else hashicorp_consul_configuration.ports.http }}"
# auto_advertise: true
# ssl: "{{ consul_enable_tls | bool }}"
# token: "{{ _credentials.consul.tokens.nomad.server.secret_id if nomad_enable_server else _credentials.consul.tokens.nomad.client.secret_id}}"
# tags: []
# hashistack_nomad_driver_configuration: {}
############################
# nomad vault integration #
############################
# hashistack_nomad_log_level: info
# nomad_enable_vault_integration: false
# nomad_vault_integration_configuration: {}
###############################
# nomad drivers configuration #
###############################
# nomad_driver_enable_docker: yes
# nomad_driver_enable_podman: no
# nomad_driver_enable_raw_exec: no
# nomad_driver_enable_java: no
# nomad_driver_enable_qemu: no
# nomad_driver_extra_configuration: {}
######################
# nomad internal tls #
######################
# nomad_enable_tls: "{{ enable_tls_internal }}"
# nomad_tls_configuration:
# http: true
# rpc: true
# ca_file: "/etc/ssl/certs/ca-certificates.crt"
# cert_file: "{{ nomad_certificates_directory }}/cert.pem"
# key_file: "{{ nomad_certificates_directory }}/key.pem"
# verify_server_hostname: true
# nomad_certificates_directory: "{{ hashicorp_nomad_config_dir }}/tls"
# nomad_certificates_extra_files_dir:
# - src: "{{ hashistack_sub_configuration_directories['certificates'] }}/nomad/{{ inventory_hostname }}"
# dest: "{{ nomad_certificates_directory }}"
#############################
# nomad extra configuration #
#############################
# nomad_extra_configuration: {}
# nomad_extra_files_list: []
# hashistack_nomad_enable_tls: "{{ enable_tls_internal }}"
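Review bot: several of the new `hashistack_*` entries in this reference sit under unrelated section headers: `hashistack_vault_enable_tls` under the vault storage block, `hashistack_vault_enable_service_registration`, `hashistack_vault_enable_plugins` and `hashistack_vault_log_level` under "vault listener", `hashistack_nomad_autopilot_configuration` under "nomad ACL configuration", the `hashistack_nomad_driver_enable_*` flags under "nomad consul integration", `hashistack_nomad_log_level` under "nomad vault integration" and `hashistack_nomad_enable_tls` under "nomad extra configuration". Move each one next to the variable it replaces (the driver flags belong under "nomad drivers configuration", `hashistack_nomad_enable_tls` under "nomad internal tls"). The Nomad banner above `nomad_datacenter` is also garbled, with the wide box and the narrow `# Nomad #` box interleaved; keep only one of them.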

View File

@ -3,18 +3,14 @@
# Consul #
##########
consul_config_dir: "{{ hashistack_remote_config_dir }}/consul.d"
consul_data_dir: "/opt/consul"
consul_certs_dir: "{{ consul_config_dir }}/tls"
consul_logs_dir: "{{ hashistack_remote_log_dir }}/consul"
consul_envoy_install: false
consul_envoy_version: latest
consul_extra_files: true
# consul_extra_files_list: []
consul_env_variables: {}
# hashistack_consul_config_dir:
# hashistack_consul_data_dir:
# hashistack_consul_certs_dir:
# hashistack_consul_logs_dir:
# hashistack_consul_envoy_install:
# hashistack_consul_envoy_version:
# hashistack_consul_extra_files_list:
# hashistack_consul_env_variables:
#######################
# extra configuration #
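Review bot: the `hashistack_consul_*` lines at the end of this block carry no value, so a reader of this reference can no longer see the default each one overrides. Keep the default next to the key, for example `# hashistack_consul_config_dir: "{{ hashistack_remote_config_dir }}/consul.d"` and `# hashistack_consul_data_dir: "/opt/consul"`. `consul_extra_files: true` is the one entry left uncommented with no `hashistack_` counterpart; if it is intentionally not overridable, a comment saying so would help. The same applies to the nomad block further down.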
@ -25,140 +21,89 @@ consul_env_variables: {}
# option should be used to add pieces of configuration not
# available through standard variables.
# consul_extra_configuration: {}
# hashistack_consul_extra_configuration:
###########
# general #
###########
# consul_domain: consul
# consul_datacenter: dc1
# consul_primary_datacenter: "{{ consul_datacenter }}"
# consul_gossip_encryption_key: "{{ _credentials.consul.gossip_encryption_key }}"
# consul_enable_script_checks: false
# hashistack_consul_domain:
# hashistack_consul_datacenter:
# hashistack_consul_primary_datacenter:
# hashistack_consul_gossip_encryption_key:
# hashistack_consul_enable_script_checks:
#######################
# leave configuration #
#######################
consul_leave_on_terminate: true
consul_rejoin_after_leave: true
# hashistack_consul_leave_on_terminate:
# hashistack_consul_rejoin_after_leave:
######################
# join configuration #
######################
consul_join_configuration:
retry_join: |
{{
groups['consul_servers'] |
map('extract', hostvars, ['consul_address_configuration', 'bind_addr']) |
list |
to_json |
from_json
}}
retry_interval: 30s
retry_max: 0
# hashistack_consul_join_configuration:
########################
# server configuration #
########################
consul_enable_server: "{{ 'consul_servers' in group_names }}"
consul_bootstrap_expect: "{{ (groups['consul_servers'] | length) }}"
# hashistack_consul_enable_server:
# hashistack_consul_bootstrap_expect:
####################
# ui configuration #
####################
consul_ui_configuration:
enabled: "{{ consul_enable_server }}"
# hashistack_consul_ui_configuration:
#########################
# address configuration #
#########################
consul_bind_addr: "0.0.0.0"
consul_advertise_addr: "{{ api_interface_address }}"
consul_address_configuration:
client_addr: "{{ consul_bind_addr }}"
bind_addr: "{{ consul_advertise_addr }}"
advertise_addr: "{{ consul_advertise_addr }}"
# hashistack_consul_bind_addr:
# hashistack_consul_advertise_addr:
# hashistack_consul_address_configuration:
#####################
# ACL configuration #
#####################
consul_acl_configuration:
enabled: true
default_policy: "deny"
enable_token_persistence: true
tokens:
agent: "{{ _credentials.consul.tokens.agent.secret_id }}"
consul_default_agent_policy: |
node_prefix "" {
policy = "write"
}
service_prefix "" {
policy = "read"
}
# hashistack_consul_acl_configuration:
##############################
# service mesh configuration #
##############################
consul_mesh_configuration:
enabled: true
# hashistack_consul_mesh_configuration:
#####################
# DNS configuration #
#####################
consul_dns_configuration:
allow_stale: true
enable_truncate: true
only_passing: true
# hashistack_consul_dns_configuration:
################
# internal tls #
################
# consul_enable_tls: false
consul_tls_configuration:
defaults:
ca_file: "/etc/ssl/certs/ca-certificates.crt"
cert_file: "{{ consul_certs_dir }}/fullchain.crt"
key_file: "{{ consul_certs_dir }}/cert.key"
verify_incoming: false
verify_outgoing: true
internal_rpc:
verify_server_hostname: true
consul_certificates_extra_files_dir: >
{{
[] if external_tls_externally_managed_certs | bool else
[{
'src': "{{ hashistack_sub_configuration_directories['certificates'] }}/consul/{{ inventory_hostname }}",
'dest': "{{ consul_certs_dir }}"
}]
}}
# hashistack_consul_enable_tls:
# hashistack_consul_tls_configuration:
###########################
# telemetry configuration #
###########################
consul_enable_prometheus_metrics: false
consul_prometheus_retention_time: 60s
consul_telemetry_configuration: {}
# hashistack_consul_enable_prometheus_metrics:
# hashistack_consul_prometheus_retention_time:
# hashistack_consul_telemetry_configuration:
###########
# logging #
###########
# consul_log_level: info
consul_enable_log_to_file: "{{ enable_log_to_file | bool }}"
consul_log_to_file_configuration:
log_file: "{{ consul_logs_dir }}/consul.log"
log_rotate_duration: 24h
log_rotate_max_files: 30
# hashistack_consul_log_level:
# hashistack_consul_enable_log_to_file:
# hashistack_consul_log_to_file_configuration:
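Review bot: in the internal tls block, `consul_certificates_extra_files_dir` is gated on `external_tls_externally_managed_certs` although it decides whether the internal TLS certificate directory is copied; the new consul defaults in this change use `internal_tls_externally_managed_certs` for the same expression, so if this line is kept here it should be switched to match, otherwise enabling externally managed external certificates silently skips the internal certificate copy. `# consul_enable_tls: false` also no longer reflects the default, which the new defaults derive from `enable_tls_internal`.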

View File

@ -0,0 +1,252 @@
---
##########
# Consul #
##########
hashistack_default_consul_config_dir: "{{ hashistack_remote_config_dir }}/consul.d"
consul_config_dir: "{{ hashistack_consul_config_dir | default(hashistack_default_consul_config_dir) }}"
hashistack_default_consul_data_dir: "/opt/consul"
consul_data_dir: "{{ hashistack_consul_data_dir | default(hashistack_default_consul_data_dir)}}"
hashistack_default_consul_certs_dir: "{{ consul_config_dir }}/tls"
consul_certs_dir: "{{ hashistack_consul_certs_dir | default(hashistack_default_consul_certs_dir) }}"
hashistack_default_consul_logs_dir: "{{ hashistack_remote_log_dir }}/consul"
consul_logs_dir: "{{ hashistack_consul_logs_dir | default(hashistack_default_consul_logs_dir) }}"
hashistack_default_consul_envoy_install: false
consul_envoy_install: "{{ hashistack_consul_envoy_install | default(hashistack_default_consul_envoy_install) }}"
hashistack_default_consul_envoy_version: latest
consul_envoy_version: "{{ hashistack_consul_envoy_version | default(hashistack_default_consul_envoy_version) }}"
consul_extra_files: true
hashistack_default_consul_extra_files_list: []
consul_extra_files_list: "{{ hashistack_consul_extra_files_list | default(hashistack_default_consul_extra_files_list) }}"
hashistack_default_consul_env_variables: {}
consul_env_variables: "{{ hashistack_consul_env_variables | default(hashistack_default_consul_env_variables) }}"
#######################
# extra configuration #
#######################
# You should prioritize adding configuration
# to the configuration entries below, this
# option should be used to add pieces of configuration not
# available through standard variables.
hashistack_default_consul_extra_configuration: {}
consul_extra_configuration: >-
{{
hashistack_default_consul_extra_configuration |
combine((hashistack_consul_extra_configuration | default({})), recursive=true)
}}
###########
# general #
###########
hashistack_default_consul_domain: consul
consul_domain: "{{ hashistack_consul_domain | default(hashistack_default_consul_domain) }}"
hashistack_default_consul_datacenter: dc1
consul_datacenter: "{{ hashistack_consul_datacenter | default(hashistack_default_consul_datacenter) }}"
hashistack_default_consul_primary_datacenter: "{{ consul_datacenter }}"
consul_primary_datacenter: "{{ hashistack_consul_primary_datacenter | default(hashistack_default_consul_primary_datacenter) }}"
hashistack_default_consul_gossip_encryption_key: "{{ _credentials.consul.gossip_encryption_key }}"
consul_gossip_encryption_key: "{{ hashistack_consul_gossip_encryption_key | default(hashistack_default_consul_gossip_encryption_key) }}"
hashistack_default_consul_enable_script_checks: false
consul_enable_script_checks: "{{ hashistack_consul_enable_script_checks | default(hashistack_default_consul_enable_script_checks) }}"
#######################
# leave configuration #
#######################
hashistack_default_consul_leave_on_terminate: true
consul_leave_on_terminate: "{{ hashistack_consul_leave_on_terminate | default(hashistack_default_consul_leave_on_terminate) }}"
hashistack_default_consul_rejoin_after_leave: true
consul_rejoin_after_leave: "{{ hashistack_consul_rejoin_after_leave | default(hashistack_default_consul_rejoin_after_leave) }}"
######################
# join configuration #
######################
hashistack_default_consul_join_configuration:
retry_join: |
{{
groups['consul_servers'] |
map('extract', hostvars, ['consul_address_configuration', 'bind_addr']) |
list |
to_json |
from_json
}}
retry_interval: 30s
retry_max: 0
consul_join_configuration: >-
{{
hashistack_default_consul_join_configuration |
combine((hashistack_consul_join_configuration | default({})), recursive=true)
}}
########################
# server configuration #
########################
hashistack_default_consul_enable_server: "{{ 'consul_servers' in group_names }}"
consul_enable_server: "{{ hashistack_consul_enable_server | default(hashistack_default_consul_enable_server) }}"
hashistack_default_consul_bootstrap_expect: "{{ (groups['consul_servers'] | length) }}"
consul_bootstrap_expect: "{{ hashistack_consul_bootstrap_expect | default(hashistack_default_consul_bootstrap_expect) }}"
####################
# ui configuration #
####################
hashistack_default_consul_ui_configuration:
enabled: "{{ consul_enable_server }}"
consul_ui_configuration: >-
{{
hashistack_default_consul_ui_configuration |
combine((hashistack_consul_ui_configuration | default({})), recursive=true)
}}
#########################
# address configuration #
#########################
hashistack_default_consul_bind_addr: "0.0.0.0"
consul_bind_addr: "{{ hashistack_consul_bind_addr | default(hashistack_default_consul_bind_addr) }}"
hashistack_default_consul_advertise_addr: "{{ api_interface_address }}"
consul_advertise_addr: "{{ hashistack_consul_advertise_addr | default(hashistack_default_consul_advertise_addr) }}"
hashistack_default_consul_address_configuration:
client_addr: "{{ consul_bind_addr }}"
bind_addr: "{{ consul_advertise_addr }}"
advertise_addr: "{{ consul_advertise_addr }}"
consul_address_configuration: >-
{{
hashistack_default_consul_address_configuration |
combine((hashistack_consul_address_configuration | default({})), recursive=true)
}}
#####################
# ACL configuration #
#####################
hashistack_default_consul_acl_configuration:
enabled: true
default_policy: "deny"
enable_token_persistence: true
tokens:
agent: "{{ _credentials.consul.tokens.agent.secret_id }}"
consul_acl_configuration: >-
{{
hashistack_default_consul_acl_configuration |
combine((hashistack_consul_acl_configuration | default({})), recursive=true)
}}
consul_default_agent_policy: |
node_prefix "" {
policy = "write"
}
service_prefix "" {
policy = "read"
}
##############################
# service mesh configuration #
##############################
hashistack_default_consul_mesh_configuration:
enabled: true
consul_mesh_configuration: >-
{{
hashistack_default_consul_mesh_configuration |
combine((hashistack_consul_mesh_configuration | default({})), recursive=true)
}}
#####################
# DNS configuration #
#####################
hashistack_default_consul_dns_configuration:
allow_stale: true
enable_truncate: true
only_passing: true
consul_dns_configuration: >-
{{
hashistack_default_consul_dns_configuration |
combine((hashistack_consul_dns_configuration | default({})), recursive=true)
}}
################
# internal tls #
################
hashistack_default_consul_enable_tls: "{{ enable_tls_internal }}"
consul_enable_tls: "{{ hashistack_consul_enable_tls | default(hashistack_default_consul_enable_tls) }}"
hashistack_default_consul_tls_configuration:
defaults:
ca_file: "/etc/ssl/certs/ca-certificates.crt"
cert_file: "{{ consul_certs_dir }}/fullchain.crt"
key_file: "{{ consul_certs_dir }}/cert.key"
verify_incoming: false
verify_outgoing: true
internal_rpc:
verify_server_hostname: true
consul_tls_configuration: >-
{{
hashistack_default_consul_tls_configuration |
combine((hashistack_consul_tls_configuration | default({})), recursive=true)
}}
consul_certificates_extra_files_dir: >
{{
[] if internal_tls_externally_managed_certs | bool else
[{
'src': "{{ hashistack_sub_configuration_directories['certificates'] }}/consul/{{ inventory_hostname }}",
'dest': "{{ consul_certs_dir }}"
}]
}}
###########################
# telemetry configuration #
###########################
hashistack_default_consul_enable_prometheus_metrics: false
consul_enable_prometheus_metrics: "{{ hashistack_consul_enable_prometheus_metrics | default(hashistack_default_consul_enable_prometheus_metrics) }}"
hashistack_default_consul_prometheus_retention_time: 60s
consul_prometheus_retention_time: "{{ hashistack_consul_prometheus_retention_time | default(hashistack_default_consul_prometheus_retention_time) }}"
hashistack_default_consul_telemetry_configuration: {}
consul_telemetry_configuration: "{{ hashistack_consul_telemetry_configuration | default(hashistack_default_consul_telemetry_configuration) }}"
###########
# logging #
###########
hashistack_default_consul_log_level: info
consul_log_level: "{{ hashistack_consul_log_level | default(hashistack_default_consul_log_level) }}"
hashistack_default_consul_enable_log_to_file: "{{ enable_log_to_file | bool }}"
consul_enable_log_to_file: "{{ hashistack_consul_enable_log_to_file | default(hashistack_default_consul_enable_log_to_file) }}"
hashistack_default_consul_log_to_file_configuration:
log_file: "{{ consul_logs_dir }}/consul.log"
log_rotate_duration: 24h
log_rotate_max_files: 30
consul_log_to_file_configuration: >-
{{
hashistack_default_consul_log_to_file_configuration |
combine((hashistack_consul_log_to_file_configuration | default({})), recursive=true)
}}
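Review bot: `hashistack_default_consul_tls_configuration` sets `verify_incoming: false` and points `ca_file` at the system bundle `/etc/ssl/certs/ca-certificates.crt`. With `verify_incoming` false, agents accept RPC and HTTPS connections from peers that present no certificate, so TLS here authenticates servers but not the peers connecting to them; once certificates are rolled out to every agent, consider `internal_rpc.verify_incoming: true` (Consul supports it under `tls.internal_rpc`) and a comment explaining why it is off until then. Using the system bundle as `ca_file` means any certificate chaining to a public CA is trusted for outgoing connections rather than only the cluster CA; if the cluster CA is installed into that bundle on purpose, say so in a comment, otherwise point `ca_file` at the cluster CA file.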

View File

@ -11,10 +11,6 @@ nomad_version: "1.8.1"
consul_version: "1.18.1"
vault_version: "1.16.2"
consul_fqdn: consul.ednz.lab
vault_fqdn: vault.ednz.lab
nomad_fqdn: nomad.ednz.lab
api_interface: "eth0"
api_interface_address: "{{ ansible_facts[api_interface]['ipv4']['address'] }}"
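Review bot: this hunk drops four lines, and `consul_fqdn`, `vault_fqdn` and `nomad_fqdn` are the visible candidates; before merging, grep the roles, templates and the new nomad and consul tests for these names, since any remaining reference now fails with an undefined variable at render time.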
@ -24,79 +20,71 @@ api_interface_address: "{{ ansible_facts[api_interface]['ipv4']['address'] }}"
enable_log_to_file: true
########################
# external tls options #
########################
enable_tls_external: false
external_tls_externally_managed_certs: false
########################
# internal tls options #
########################
enable_tls_internal: false
internal_tls_externally_managed_certs: false
##########
# Consul #
##########
consul_domain: consul
consul_datacenter: dc1
consul_primary_datacenter: "{{ consul_datacenter }}"
consul_gossip_encryption_key: "{{ _credentials.consul.gossip_encryption_key }}"
consul_enable_script_checks: false
# hashistack_consul_domain: consul
# hashistack_consul_datacenter: dc1
# hashistack_consul_primary_datacenter: "{{ consul_datacenter }}"
# hashistack_consul_gossip_encryption_key: "{{ _credentials.consul.gossip_encryption_key }}"
# hashistack_consul_enable_script_checks: false
consul_extra_files_list: []
consul_extra_configuration: {}
# hashistack_consul_extra_files_list: []
# hashistack_consul_extra_configuration: {}
consul_enable_tls: "{{ enable_tls_internal }}"
# hashistack_consul_enable_tls: "{{ enable_tls_internal }}"
consul_log_level: info
# hashistack_consul_log_level: info
#########
# Vault #
#########
vault_cluster_name: vault
vault_bind_addr: "0.0.0.0"
vault_cluster_addr: "{{ api_interface_address }}"
vault_enable_ui: true
vault_disable_mlock: false
vault_disable_cache: false
# hashistack_vault_cluster_name: vault
# hashistack_vault_bind_addr: "0.0.0.0"
# hashistack_vault_cluster_addr: "{{ api_interface_address }}"
# hashistack_vault_enable_ui: true
# hashistack_vault_disable_mlock: false
# hashistack_vault_disable_cache: false
vault_extra_files_list: []
vault_extra_configuration: {}
# hashistack_vault_extra_files_list: []
# hashistack_vault_extra_configuration: {}
vault_enable_tls: "{{ enable_tls_internal }}"
# hashistack_vault_enable_tls: "{{ enable_tls_internal }}"
vault_enable_service_registration: "{{ enable_consul | bool }}"
# hashistack_vault_enable_service_registration: "{{ enable_consul | bool }}"
vault_enable_plugins: false
# hashistack_vault_enable_plugins: false
vault_log_level: info
# hashistack_vault_log_level: info
#########
# Nomad #
#########
nomad_region: global
nomad_datacenter: dc1
# hashistack_nomad_region: global
# hashistack_nomad_datacenter: dc1
nomad_extra_files_list: []
nomad_extra_configuration: {}
# hashistack_nomad_extra_files_list: []
# hashistack_nomad_extra_configuration: {}
nomad_autopilot_configuration: {}
# hashistack_nomad_autopilot_configuration: {}
nomad_driver_enable_docker: true
nomad_driver_enable_podman: false
nomad_driver_enable_raw_exec: false
nomad_driver_enable_java: false
nomad_driver_enable_qemu: false
# hashistack_nomad_driver_enable_docker: true
# hashistack_nomad_driver_enable_podman: false
# hashistack_nomad_driver_enable_raw_exec: false
# hashistack_nomad_driver_enable_java: false
# hashistack_nomad_driver_enable_qemu: false
nomad_driver_extra_configuration: {}
# hashistack_nomad_driver_configuration: {}
nomad_log_level: info
# hashistack_nomad_log_level: info
nomad_enable_tls: "{{ enable_tls_internal }}"
# hashistack_nomad_enable_tls: "{{ enable_tls_internal }}"
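Review bot: the reference line for the driver block changes both name and meaning: `nomad_driver_extra_configuration: {}` is followed by `# hashistack_nomad_driver_configuration: {}`, but in the new nomad defaults `hashistack_nomad_driver_configuration` is merged into `nomad_driver_configuration` (the block that holds `raw_exec.enabled`), while `nomad_driver_extra_configuration` remains a separate, non-overridable variable. Either document both keys here or keep the name of the variable that was actually replaced.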

View File

@ -3,15 +3,12 @@
# Nomad #
#########
nomad_config_dir: "{{ hashistack_remote_config_dir }}/nomad.d"
nomad_data_dir: "/opt/nomad"
nomad_certs_dir: "{{ nomad_config_dir }}/tls"
nomad_logs_dir: "{{ hashistack_remote_log_dir }}/nomad"
nomad_extra_files: true
# nomad_extra_files_list: []
nomad_env_variables: {}
# hashistack_nomad_config_dir:
# hashistack_nomad_data_dir:
# hashistack_nomad_certs_dir:
# hashistack_nomad_logs_dir:
# hashistack_nomad_extra_files_list:
# hashistack_nomad_env_variables:
#######################
# extra configuration #
@ -22,213 +19,94 @@ nomad_env_variables: {}
# option should be used to add pieces of configuration not
# available through standard variables.
# nomad_extra_configuration: {}
# hashistack_nomad_extra_configuration:
###########
# general #
###########
# nomad_region: global
# nomad_datacenter: dc1
# hashistack_nomad_region:
# hashistack_nomad_datacenter:
#########################
# address configuration #
#########################
nomad_bind_addr: "0.0.0.0"
nomad_advertise_addr: "{{ api_interface_address }}"
nomad_address_configuration:
bind_addr: "{{ nomad_bind_addr }}"
addresses:
http: "{{ nomad_advertise_addr }}"
rpc: "{{ nomad_advertise_addr }}"
serf: "{{ nomad_advertise_addr }}"
advertise:
http: "{{ nomad_advertise_addr }}"
rpc: "{{ nomad_advertise_addr }}"
serf: "{{ nomad_advertise_addr }}"
ports:
http: 4646
rpc: 4647
serf: 4648
# hashistack_nomad_bind_addr:
# hashistack_nomad_advertise_addr:
# hashistack_nomad_address_configuration:
###########################
# autopilot configuration #
###########################
# nomad_autopilot_configuration: {}
# hashistack_nomad_autopilot_configuration:
#######################
# leave configuration #
#######################
nomad_leave_on_interrupt: false
nomad_leave_on_terminate: false
########################
# server configuration #
########################
nomad_enable_server: "{{ ('nomad_servers' in group_names) | bool }}"
nomad_server_bootstrap_expect: "{{ (groups['nomad_servers'] | length) }}"
nomad_server_configuration:
enabled: "{{ nomad_enable_server }}"
data_dir: "{{ nomad_data_dir }}/server"
encrypt: "{{ _credentials.nomad.gossip_encryption_key }}"
##############################
# client configuration #
##############################
nomad_enable_client: "{{ ('nomad_clients' in group_names) | bool }}"
nomad_client_configuration:
enabled: "{{ nomad_enable_client }}"
state_dir: "{{ nomad_data_dir }}/client"
cni_path: "{{ cni_plugins_install_path | default('/opt/cni/bin') }}"
bridge_network_name: nomad
bridge_network_subnet: "172.26.64.0/20"
node_pool: >-
{{
'ingress' if 'nomad_ingress' in group_names else
'controller' if 'nomad_servers' in group_names else
omit
}}
# hashistack_nomad_leave_on_interrupt:
# hashistack_nomad_leave_on_terminate:
####################
# ui configuration #
####################
nomad_ui_configuration:
enabled: "{{ nomad_enable_server }}"
# hashistack_nomad_ui_configuration:
#########################
# drivers configuration #
#########################
nomad_driver_enable_docker: true
nomad_driver_enable_podman: false
nomad_driver_enable_raw_exec: false
nomad_driver_enable_java: false
nomad_driver_enable_qemu: false
nomad_driver_configuration:
raw_exec:
enabled: false
nomad_driver_extra_configuration: {}
# hashistack_nomad_driver_enable_docker:
# hashistack_nomad_driver_enable_podman:
# hashistack_nomad_driver_enable_raw_exec:
# hashistack_nomad_driver_enable_java:
# hashistack_nomad_driver_enable_qemu:
# hashistack_nomad_driver_configuration:
###########
# logging #
###########
nomad_log_level: info
nomad_enable_log_to_file: "{{ enable_log_to_file | bool }}"
nomad_log_to_file_configuration:
log_file: "{{ nomad_logs_dir }}/nomad.log"
log_rotate_duration: 24h
log_rotate_max_files: 30
# hashistack_nomad_log_level:
# hashistack_nomad_enable_log_to_file:
# hashistack_nomad_log_to_file_configuration:
#####################
# ACL configuration #
#####################
nomad_acl_configuration:
enabled: true
token_ttl: 30s
policy_ttl: 60s
role_ttl: 60s
# hashistack_nomad_acl_configuration:
################
# internal tls #
################
# nomad_enable_tls: false
nomad_tls_configuration:
http: true
rpc: true
ca_file: "/etc/ssl/certs/ca-certificates.crt"
cert_file: "{{ nomad_certs_dir }}/fullchain.crt"
key_file: "{{ nomad_certs_dir }}/cert.key"
verify_server_hostname: true
nomad_certificates_extra_files_dir: >
{{
[] if external_tls_externally_managed_certs | bool else
[{
'src': "{{ hashistack_sub_configuration_directories['certificates'] }}/nomad/{{ inventory_hostname }}",
'dest': "{{ nomad_certs_dir }}"
}]
}}
# hashistack_nomad_enable_tls:
# hashistack_nomad_tls_configuration:
###########################
# telemetry configuration #
###########################
nomad_telemetry_configuration:
collection_interval: 10s
disable_hostname: false
use_node_name: false
publish_allocation_metrics: false
publish_node_metrics: false
prefix_filter: []
disable_dispatched_job_summary_metrics: false
prometheus_metrics: false
# hashistack_nomad_telemetry_configuration:
######################
# consul integration #
######################
nomad_enable_consul_integration: "{{ enable_consul | bool }}"
nomad_consul_integration_configuration:
address: >-
127.0.0.1:{{ consul_api_port[consul_api_scheme] }}
auto_advertise: true
ssl: "{{ consul_enable_tls | bool }}"
token: >-
{{ _credentials.consul.tokens.nomad.server.secret_id if nomad_enable_server else _credentials.consul.tokens.nomad.client.secret_id }}
tags: []
nomad_consul_integration_tls_configuration:
ca_file: "/etc/ssl/certs/ca-certificates.crt"
nomad_consul_integration_server_configuration:
server_auto_join: true
nomad_consul_integration_client_configuration:
client_auto_join: true
grpc_address: >-
127.0.0.1:{{ consul_grpc_port[consul_api_scheme] }}
nomad_consul_integration_client_tls_configuration:
grpc_ca_file: "/etc/ssl/certs/ca-certificates.crt"
nomad_consul_integration_server_policy: |
agent_prefix "" {
policy = "read"
}
node_prefix "" {
policy = "read"
}
service_prefix "" {
policy = "write"
}
acl = "write"
mesh = "write"
nomad_consul_integration_client_policy: |
agent_prefix "" {
policy = "read"
}
node_prefix "" {
policy = "read"
}
service_prefix "" {
policy = "write"
}
# hashistack_nomad_enable_consul_integration:
# hashistack_nomad_consul_integration_configuration:
# hashistack_nomad_consul_integration_tls_configuration:
# hashistack_nomad_consul_integration_server_configuration:
# hashistack_nomad_consul_integration_client_configuration:
# hashistack_nomad_consul_integration_client_tls_configuration:
############################
# nomad vault integration #
############################
nomad_enable_vault_integration: false
nomad_vault_integration_configuration: {}
# hashistack_nomad_enable_vault_integration:
# hashistack_nomad_vault_integration_configuration:
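Review bot: in the drivers configuration block, `nomad_driver_configuration` hardcodes `raw_exec.enabled: false` right next to the `nomad_driver_enable_raw_exec` flag, so toggling the flag does not change the rendered driver stanza; the new nomad defaults bind it to `"{{ nomad_driver_enable_raw_exec }}"`, and this copy should do the same if it is kept (keeping the default at `false` is right, since raw_exec runs tasks unisolated as the Nomad agent user). The internal tls block also carries the same `external_tls_externally_managed_certs` condition as the consul file, which should read `internal_tls_externally_managed_certs`.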

View File

@ -0,0 +1,347 @@
---
#########
# Nomad #
#########
hashistack_default_nomad_config_dir: "{{ hashistack_remote_config_dir }}/nomad.d"
nomad_config_dir: "{{ hashistack_nomad_config_dir | default(hashistack_default_nomad_config_dir) }}"
hashistack_default_nomad_data_dir: "/opt/nomad"
nomad_data_dir: "{{ hashistack_nomad_data_dir | default(hashistack_default_nomad_data_dir) }}"
hashistack_default_nomad_certs_dir: "{{ nomad_config_dir }}/tls"
nomad_certs_dir: "{{ hashistack_nomad_certs_dir | default(hashistack_default_nomad_certs_dir) }}"
hashistack_default_nomad_logs_dir: "{{ hashistack_remote_log_dir }}/nomad"
nomad_logs_dir: "{{ hashistack_nomad_logs_dir | default(hashistack_default_nomad_logs_dir) }}"
nomad_extra_files: true
hashistack_default_nomad_extra_files_list: []
nomad_extra_files_list: "{{ hashistack_nomad_extra_files_list | default(hashistack_default_nomad_extra_files_list) }}"
hashistack_default_nomad_env_variables: {}
nomad_env_variables: "{{ hashistack_nomad_env_variables | default(hashistack_default_nomad_env_variables) }}"
#######################
# extra configuration #
#######################
# You should prioritize adding configuration
# to the configuration entries below, this
# option should be used to add pieces of configuration not
# available through standard variables.
hashistack_default_nomad_extra_configuration: {}
nomad_extra_configuration: >-
{{
hashistack_default_nomad_extra_configuration |
combine((hashistack_nomad_extra_configuration | default({})), recursive=true)
}}
###########
# general #
###########
hashistack_default_nomad_region: global
nomad_region: "{{ hashistack_nomad_region | default(hashistack_default_nomad_region) }}"
hashistack_default_nomad_datacenter: dc1
nomad_datacenter: "{{ hashistack_nomad_datacenter | default(hashistack_default_nomad_datacenter) }}"
#########################
# address configuration #
#########################
hashistack_default_nomad_bind_addr: "0.0.0.0"
nomad_bind_addr: "{{ hashistack_nomad_bind_addr | default(hashistack_default_nomad_bind_addr) }}"
hashistack_default_nomad_advertise_addr: "{{ api_interface_address }}"
nomad_advertise_addr: "{{ hashistack_nomad_advertise_addr | default(hashistack_default_nomad_advertise_addr) }}"
hashistack_default_nomad_address_configuration:
bind_addr: "{{ nomad_bind_addr }}"
addresses:
http: "{{ nomad_advertise_addr }}"
rpc: "{{ nomad_advertise_addr }}"
serf: "{{ nomad_advertise_addr }}"
advertise:
http: "{{ nomad_advertise_addr }}"
rpc: "{{ nomad_advertise_addr }}"
serf: "{{ nomad_advertise_addr }}"
ports:
http: 4646
rpc: 4647
serf: 4648
nomad_address_configuration: >-
{{
hashistack_default_nomad_address_configuration |
combine((hashistack_nomad_address_configuration | default({})), recursive=true)
}}
###########################
# autopilot configuration #
###########################
hashistack_default_nomad_autopilot_configuration: {}
nomad_autopilot_configuration: "{{ hashistack_nomad_autopilot_configuration | default(hashistack_default_nomad_autopilot_configuration) }}"
#######################
# leave configuration #
#######################
hashistack_default_nomad_leave_on_interrupt: false
nomad_leave_on_interrupt: "{{ hashistack_nomad_leave_on_interrupt | default(hashistack_default_nomad_leave_on_interrupt) }}"
hashistack_default_nomad_leave_on_terminate: false
nomad_leave_on_terminate: "{{ hashistack_nomad_leave_on_terminate | default(hashistack_default_nomad_leave_on_terminate) }}"
########################
# server configuration #
########################
nomad_enable_server: "{{ ('nomad_servers' in group_names) | bool }}"
nomad_server_bootstrap_expect: "{{ (groups['nomad_servers'] | length) }}"
nomad_server_configuration:
enabled: "{{ nomad_enable_server }}"
data_dir: "{{ nomad_data_dir }}/server"
encrypt: "{{ _credentials.nomad.gossip_encryption_key }}"
##############################
# client configuration #
##############################
nomad_enable_client: "{{ ('nomad_clients' in group_names) | bool }}"
nomad_client_configuration:
enabled: "{{ nomad_enable_client }}"
state_dir: "{{ nomad_data_dir }}/client"
cni_path: "{{ cni_plugins_install_path | default('/opt/cni/bin') }}"
bridge_network_name: nomad
bridge_network_subnet: "172.26.64.0/20"
node_pool: >-
{{
'ingress' if 'nomad_ingress' in group_names else
'controller' if 'nomad_servers' in group_names else
omit
}}
####################
# ui configuration #
####################
hashistack_default_nomad_ui_configuration:
enabled: "{{ nomad_enable_server }}"
nomad_ui_configuration: >-
{{
hashistack_default_nomad_ui_configuration |
combine((hashistack_nomad_ui_configuration | default({})), recursive=true)
}}
#########################
# drivers configuration #
#########################
hashistack_default_nomad_driver_enable_docker: true
nomad_driver_enable_docker: "{{ hashistack_nomad_driver_enable_docker | default(hashistack_default_nomad_driver_enable_docker) }}"
hashistack_default_nomad_driver_enable_podman: false
nomad_driver_enable_podman: "{{ hashistack_nomad_driver_enable_podman | default(hashistack_default_nomad_driver_enable_podman) }}"
hashistack_default_nomad_driver_enable_raw_exec: false
nomad_driver_enable_raw_exec: "{{ hashistack_nomad_driver_enable_raw_exec | default(hashistack_default_nomad_driver_enable_raw_exec) }}"
hashistack_default_nomad_driver_enable_java: false
nomad_driver_enable_java: "{{ hashistack_nomad_driver_enable_java | default(hashistack_default_nomad_driver_enable_java) }}"
hashistack_default_nomad_driver_enable_qemu: false
nomad_driver_enable_qemu: "{{ hashistack_nomad_driver_enable_qemu | default(hashistack_default_nomad_driver_enable_qemu) }}"
hashistack_default_nomad_driver_configuration:
raw_exec:
enabled: "{{ nomad_driver_enable_raw_exec }}"
nomad_driver_configuration: >-
{{
hashistack_default_nomad_driver_configuration |
combine((hashistack_nomad_driver_configuration | default({})), recursive=true)
}}
nomad_driver_extra_configuration: {}
###########
# logging #
###########
hashistack_default_nomad_log_level: info
nomad_log_level: "{{ hashistack_nomad_log_level | default(hashistack_default_nomad_log_level) }}"
hashistack_default_nomad_enable_log_to_file: "{{ enable_log_to_file | bool }}"
nomad_enable_log_to_file: "{{ hashistack_nomad_enable_log_to_file | default(hashistack_default_nomad_enable_log_to_file) }}"
hashistack_default_nomad_log_to_file_configuration:
log_file: "{{ nomad_logs_dir }}/nomad.log"
log_rotate_duration: 24h
log_rotate_max_files: 30
nomad_log_to_file_configuration: >-
{{
hashistack_default_nomad_log_to_file_configuration |
combine((hashistack_nomad_log_to_file_configuration | default({})), recursive=true)
}}
#####################
# ACL configuration #
#####################
hashistack_default_nomad_acl_configuration:
enabled: true
token_ttl: 30s
policy_ttl: 60s
role_ttl: 60s
nomad_acl_configuration: >-
{{
hashistack_default_nomad_acl_configuration |
combine((hashistack_nomad_acl_configuration | default({})), recursive=true)
}}
################
# internal tls #
################
hashistack_default_nomad_enable_tls: "{{ enable_tls_internal }}"
nomad_enable_tls: "{{ hashistack_nomad_enable_tls | default(hashistack_default_nomad_enable_tls) }}"
hashistack_default_nomad_tls_configuration:
http: true
rpc: true
ca_file: "/etc/ssl/certs/ca-certificates.crt"
cert_file: "{{ nomad_certs_dir }}/fullchain.crt"
key_file: "{{ nomad_certs_dir }}/cert.key"
verify_server_hostname: true
nomad_tls_configuration: >-
{{
hashistack_default_nomad_tls_configuration |
combine((hashistack_nomad_tls_configuration | default({})), recursive=true)
}}
nomad_certificates_extra_files_dir: >
{{
[] if internal_tls_externally_managed_certs | bool else
[{
'src': "{{ hashistack_sub_configuration_directories['certificates'] }}/nomad/{{ inventory_hostname }}",
'dest': "{{ nomad_certs_dir }}"
}]
}}
###########################
# telemetry configuration #
###########################
hashistack_default_nomad_telemetry_configuration:
collection_interval: 10s
disable_hostname: false
use_node_name: false
publish_allocation_metrics: false
publish_node_metrics: false
prefix_filter: []
disable_dispatched_job_summary_metrics: false
prometheus_metrics: false
nomad_telemetry_configuration: >-
{{
hashistack_default_nomad_telemetry_configuration |
combine((hashistack_nomad_telemetry_configuration | default({})), recursive=true)
}}
######################
# consul integration #
######################
hashistack_default_nomad_enable_consul_integration: "{{ enable_consul | bool }}"
nomad_enable_consul_integration: "{{ hashistack_nomad_enable_consul_integration | default(hashistack_default_nomad_enable_consul_integration) }}"
hashistack_default_nomad_consul_integration_configuration:
address: >-
127.0.0.1:{{ consul_api_port[consul_api_scheme] }}
auto_advertise: true
ssl: "{{ consul_enable_tls | bool }}"
token: >-
{{
_credentials.consul.tokens.nomad.server.secret_id if nomad_enable_server else
_credentials.consul.tokens.nomad.client.secret_id
}}
tags: []
nomad_consul_integration_configuration: >-
{{
hashistack_default_nomad_consul_integration_configuration |
combine((hashistack_nomad_consul_integration_configuration | default({})), recursive=true)
}}
hashistack_default_nomad_consul_integration_tls_configuration:
ca_file: "/etc/ssl/certs/ca-certificates.crt"
nomad_consul_integration_tls_configuration: >-
{{
hashistack_default_nomad_consul_integration_tls_configuration |
combine((hashistack_nomad_consul_integration_tls_configuration | default({})), recursive=true)
}}
hashistack_default_nomad_consul_integration_server_configuration:
server_auto_join: true
nomad_consul_integration_server_configuration: >-
{{
hashistack_default_nomad_consul_integration_server_configuration |
combine((hashistack_nomad_consul_integration_server_configuration | default({})), recursive=true)
}}
hashistack_default_nomad_consul_integration_client_configuration:
client_auto_join: true
grpc_address: >-
127.0.0.1:{{ consul_grpc_port[consul_api_scheme] }}
nomad_consul_integration_client_configuration: >-
{{
hashistack_default_nomad_consul_integration_client_configuration |
combine((hashistack_nomad_consul_integration_client_configuration | default({})), recursive=true)
}}
hashistack_default_nomad_consul_integration_client_tls_configuration:
grpc_ca_file: "/etc/ssl/certs/ca-certificates.crt"
nomad_consul_integration_client_tls_configuration: >-
{{
hashistack_default_nomad_consul_integration_client_tls_configuration |
combine((hashistack_nomad_consul_integration_client_tls_configuration | default({})), recursive=true)
}}
nomad_consul_integration_server_policy: |
agent_prefix "" {
policy = "read"
}
node_prefix "" {
policy = "read"
}
service_prefix "" {
policy = "write"
}
acl = "write"
mesh = "write"
nomad_consul_integration_client_policy: |
agent_prefix "" {
policy = "read"
}
node_prefix "" {
policy = "read"
}
service_prefix "" {
policy = "write"
}
############################
# nomad vault integration #
############################
hashistack_default_nomad_enable_vault_integration: false
nomad_enable_vault_integration: "{{ hashistack_nomad_enable_vault_integration | default(hashistack_default_nomad_enable_vault_integration) }}"
hashistack_default_nomad_vault_integration_configuration: {}
nomad_vault_integration_configuration: >-
{{
hashistack_default_nomad_vault_integration_configuration |
combine((hashistack_nomad_vault_integration_configuration | default({})), recursive=true)
}}
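Review bot: the Consul policy attached to the Nomad server token (`nomad_consul_integration_server_policy`, the block ending `acl = "write"` / `mesh = "write"`) grants Consul ACL administration to every Nomad server, which is far broader than service registration and auto-join need; if it exists only so servers can mint Consul tokens for jobs, say so in a comment next to the policy and check whether the workload-identity flow in current Nomad lets it be dropped to `acl = "read"` or removed entirely. Two smaller points in the same hunk: `nomad_tls_configuration.ca_file` and both consul `*_ca_file` entries point at the system bundle `/etc/ssl/certs/ca-certificates.crt`, so any CA in that bundle can issue a certificate Nomad will trust for RPC; pointing `ca_file` at the cluster's own CA certificate keeps `verify_server_hostname: true` meaningful. And `node_pool` resolves to `omit` inside a nested dictionary (`nomad_client_configuration`); Ansible strips the omit placeholder from a task's own arguments, not from variables rendered through a template file, so confirm that the consuming role drops the key rather than writing the placeholder string into the client stanza.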

View File

@ -3,15 +3,12 @@
# Vault #
#########
vault_config_dir: "{{ hashistack_remote_config_dir }}/vault.d"
vault_data_dir: "/opt/vault"
vault_certs_dir: "{{ vault_config_dir }}/tls"
vault_logs_dir: "{{ hashistack_remote_log_dir }}/vault"
vault_extra_files: true
# vault_extra_files_list: []
vault_env_variables: {}
# hashistack_vault_config_dir:
# hashistack_vault_data_dir:
# hashistack_vault_certs_dir:
# hashistack_vault_logs_dir:
# hashistack_vault_extra_files_list:
# hashistack_vault_env_variables:
#######################
# extra configuration #
@ -22,103 +19,57 @@ vault_env_variables: {}
# option should be used to add pieces of configuration not
# available through standard variables.
# vault_extra_configuration: {}
# hashistack_vault_extra_configuration:
###########
# general #
###########
# vault_cluster_name: vault
# vault_bind_addr: "0.0.0.0"
# vault_cluster_addr: "{{ api_interface_address }}"
# vault_enable_ui: true
# vault_disable_mlock: false
# vault_disable_cache: false
# hashistack_vault_cluster_name:
# hashistack_vault_bind_addr:
# hashistack_vault_cluster_addr:
# hashistack_vault_enable_ui:
# hashistack_vault_disable_mlock:
# hashistack_vault_disable_cache:
######################
# seal configuration #
######################
vault_seal_configuration:
key_shares: 3
key_threshold: 2
# hashistack_vault_seal_configuration:
#########################
# storage configuration #
#########################
vault_storage_configuration:
raft:
path: "{{ vault_data_dir }}"
node_id: "{{ ansible_hostname }}"
retry_join: >-
[
{% for host in groups['vault_servers'] %}
{
'leader_api_addr': '{{ "https" if vault_enable_tls else "http"}}://{{ hostvars[host].api_interface_address }}:8200'
}{% if not loop.last %},{% endif %}
{% endfor %}
]
# hashistack_vault_storage_configuration:
##########################
# listener configuration #
##########################
# vault_enable_tls: false
vault_listener_configuration:
- tcp:
address: "{{ vault_cluster_addr }}:8200"
tls_disable: true
vault_tls_listener_configuration:
- tcp:
tls_disable: false
tls_cert_file: "{{ vault_certs_dir }}/fullchain.crt"
tls_key_file: "{{ vault_certs_dir }}/cert.key"
tls_disable_client_certs: true
vault_certificates_extra_files_dir: >
{{
[] if external_tls_externally_managed_certs | bool else
[{
'src': "{{ hashistack_sub_configuration_directories['certificates'] }}/vault/{{ inventory_hostname }}",
'dest': "{{ vault_certs_dir }}"
}]
}}
vault_extra_listener_configuration: []
# hashistack_vault_enable_tls:
# hashistack_vault_listener_configuration:
# hashistack_vault_tls_listener_configuration:
########################
# service registration #
########################
# vault_enable_service_registration: "{{ enable_consul | bool }}"
vault_service_registration_configuration:
consul:
address: >-
127.0.0.1:{{ hostvars[groups['consul_servers'][0]].consul_api_port[hostvars[groups['consul_servers'][0]].consul_api_scheme] }}
scheme: "{{ hostvars[groups['consul_servers'][0]].consul_api_scheme }}"
token: "{{ _credentials.consul.tokens.vault.secret_id }}"
vault_service_registration_policy: |
service "vault" {
policy = "write"
}
# hashistack_vault_enable_service_registration:
# hashistack_vault_service_registration_configuration:
#########################
# plugins configuration #
#########################
# vault_enable_plugins: false
vault_plugins_directory: "{{ vault_config_dir }}/plugins"
# hashistack_vault_enable_plugins:
# hashistack_vault_plugins_directory:
#################
# vault logging #
#################
# vault_log_level: info
vault_enable_log_to_file: "{{ enable_log_to_file | bool }}"
vault_log_to_file_configuration:
log_file: "{{ vault_logs_dir }}/vault.log"
log_rotate_duration: 24h
log_rotate_max_files: 30
# hashistack_vault_log_level:
# hashistack_vault_enable_log_to_file:
# hashistack_vault_log_to_file_configuration:
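Review bot: `vault_service_registration_configuration.consul.address` is `127.0.0.1:...`, i.e. the local Consul agent, but its port and `scheme` are read from `hostvars[groups['consul_servers'][0]]` rather than from this host's own `consul_api_port` / `consul_api_scheme` (the nomad defaults in this same change use the local values); a per-host override of the Consul API port or scheme on a Vault node would be silently ignored and Vault would register against the wrong endpoint, so read the local variables here too. Also in this hunk, `retry_join` is a folded scalar, so it reaches the storage stanza as a string containing single-quoted pseudo-JSON rather than as a list of objects; unless the vault role already parses that string, build it with a Jinja list comprehension or pass it through `from_yaml` (the flow syntax produced here is valid YAML) so the consuming role receives a list.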

View File

@ -0,0 +1,174 @@
---
#########
# Vault #
#########
hashistack_default_vault_config_dir: "{{ hashistack_remote_config_dir }}/vault.d"
vault_config_dir: "{{ hashistack_vault_config_dir | default(hashistack_default_vault_config_dir) }}"
hashistack_default_vault_data_dir: "/opt/vault"
vault_data_dir: "{{ hashistack_vault_data_dir | default(hashistack_default_vault_data_dir) }}"
hashistack_default_vault_certs_dir: "{{ vault_config_dir }}/tls"
vault_certs_dir: "{{ hashistack_vault_certs_dir | default(hashistack_default_vault_certs_dir) }}"
hashistack_default_vault_logs_dir: "{{ hashistack_remote_log_dir }}/vault"
vault_logs_dir: "{{ hashistack_vault_logs_dir | default(hashistack_default_vault_logs_dir) }}"
vault_extra_files: true
hashistack_default_vault_extra_files_list: []
vault_extra_files_list: "{{ hashistack_vault_extra_files_list | default(hashistack_default_vault_extra_files_list) }}"
hashistack_default_vault_env_variables: {}
vault_env_variables: "{{ hashistack_vault_env_variables | default(hashistack_default_vault_env_variables) }}"
#######################
# extra configuration #
#######################
# You should prioritize adding configuration
# to the configuration entries below, this
# option should be used to add pieces of configuration not
# available through standard variables.
hashistack_default_vault_extra_configuration: {}
vault_extra_configuration: >-
{{
hashistack_default_vault_extra_configuration |
combine((hashistack_vault_extra_configuration | default({})), recursive=true)
}}
###########
# general #
###########
hashistack_default_vault_cluster_name: vault
vault_cluster_name: "{{ hashistack_vault_cluster_name | default(hashistack_default_vault_cluster_name) }}"
hashistack_default_vault_bind_addr: "0.0.0.0"
vault_bind_addr: "{{ hashistack_vault_bind_addr | default(hashistack_default_vault_bind_addr) }}"
hashistack_default_vault_cluster_addr: "{{ api_interface_address }}"
vault_cluster_addr: "{{ hashistack_vault_cluster_addr | default(hashistack_default_vault_cluster_addr) }}"
hashistack_default_vault_enable_ui: true
vault_enable_ui: "{{ hashistack_vault_enable_ui | default(hashistack_default_vault_enable_ui) }}"
hashistack_default_vault_disable_mlock: false
vault_disable_mlock: "{{ hashistack_vault_disable_mlock | default(hashistack_default_vault_disable_mlock) }}"
hashistack_default_vault_disable_cache: false
vault_disable_cache: "{{ hashistack_vault_disable_cache | default(hashistack_default_vault_disable_cache) }}"
######################
# seal configuration #
######################
hashistack_default_vault_seal_configuration:
key_shares: 3
key_threshold: 2
vault_seal_configuration: >-
{{
hashistack_default_vault_seal_configuration |
combine((hashistack_vault_seal_configuration | default({})), recursive=true)
}}
#########################
# storage configuration #
#########################
hashistack_default_vault_storage_configuration:
raft:
path: "{{ vault_data_dir }}"
node_id: "{{ ansible_hostname }}"
retry_join: >-
[
{% for host in groups['vault_servers'] %}
{
'leader_api_addr': '{{ "https" if vault_enable_tls else "http"}}://{{ hostvars[host].api_interface_address }}:8200'
}{% if not loop.last %},{% endif %}
{% endfor %}
]
vault_storage_configuration: "{{ hashistack_vault_storage_configuration | default(hashistack_default_vault_storage_configuration) }}"
##########################
# listener configuration #
##########################
hashistack_default_vault_enable_tls: false
vault_enable_tls: "{{ hashistack_vault_enable_tls | default(hashistack_default_vault_enable_tls) }}"
hashistack_default_vault_listener_configuration:
- tcp:
address: "{{ vault_cluster_addr }}:8200"
tls_disable: true
vault_listener_configuration: "{{ hashistack_vault_listener_configuration | default(hashistack_default_vault_listener_configuration) }}"
hashistack_default_vault_tls_listener_configuration:
- tcp:
tls_disable: false
tls_cert_file: "{{ vault_certs_dir }}/fullchain.crt"
tls_key_file: "{{ vault_certs_dir }}/cert.key"
tls_disable_client_certs: true
vault_tls_listener_configuration: "{{ hashistack_vault_tls_listener_configuration | default(hashistack_default_vault_tls_listener_configuration) }}"
vault_certificates_extra_files_dir: >
{{
[] if internal_tls_externally_managed_certs | bool else
[{
'src': "{{ hashistack_sub_configuration_directories['certificates'] }}/vault/{{ inventory_hostname }}",
'dest': "{{ vault_certs_dir }}"
}]
}}
vault_extra_listener_configuration: []
########################
# service registration #
########################
hashistack_default_vault_enable_service_registration: "{{ enable_consul | bool }}"
vault_enable_service_registration: "{{ hashistack_vault_enable_service_registration | default(hashistack_default_vault_enable_service_registration) }}"
hashistack_default_vault_service_registration_configuration:
consul:
address: >-
127.0.0.1:{{ hostvars[groups['consul_servers'][0]].consul_api_port[hostvars[groups['consul_servers'][0]].consul_api_scheme] }}
scheme: "{{ hostvars[groups['consul_servers'][0]].consul_api_scheme }}"
token: "{{ _credentials.consul.tokens.vault.secret_id }}"
vault_service_registration_configuration: "{{ hashistack_vault_service_registration_configuration | default(hashistack_default_vault_service_registration_configuration) }}"
vault_service_registration_policy: |
service "vault" {
policy = "write"
}
#########################
# plugins configuration #
#########################
hashistack_default_vault_enable_plugins: false
vault_enable_plugins: "{{ hashistack_vault_enable_plugins | default(hashistack_default_vault_enable_plugins) }}"
hashistack_default_vault_plugins_directory: "{{ vault_config_dir }}/plugins"
vault_plugins_directory: "{{ hashistack_vault_plugins_directory | default(hashistack_default_vault_plugins_directory) }}"
#################
# vault logging #
#################
hashistack_default_vault_log_level: info
vault_log_level: "{{ hashistack_vault_log_level | default(hashistack_default_vault_log_level) }}"
hashistack_default_vault_enable_log_to_file: "{{ enable_log_to_file | bool }}"
vault_enable_log_to_file: "{{ hashistack_vault_enable_log_to_file | default(hashistack_default_vault_enable_log_to_file) }}"
hashistack_default_vault_log_to_file_configuration:
log_file: "{{ vault_logs_dir }}/vault.log"
log_rotate_duration: 24h
log_rotate_max_files: 30
vault_log_to_file_configuration: >-
{{
hashistack_default_vault_log_to_file_configuration |
combine((hashistack_vault_log_to_file_configuration | default({})), recursive=true)
}}
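Review bot: `hashistack_default_vault_enable_tls` is `false` and the default listener carries `tls_disable: true`, while the nomad defaults in this change tie their TLS default to `enable_tls_internal`; with these defaults a deployment that enables internal TLS still gets a plaintext Vault API on `{{ vault_cluster_addr }}:8200`, and every Vault token and unseal key share crosses the wire in the clear. Derive the default from `enable_tls_internal` the same way, or add a comment explaining why Vault is the exception. Related: `vault_certificates_extra_files_dir` now checks `internal_tls_externally_managed_certs`, whereas the earlier hunk for the old defaults file checked `external_tls_externally_managed_certs`; if the flag change is deliberate, note it in the changelog, since anyone who set the old flag will now have certificates copied over ones they manage themselves. Finally, `vault_storage_configuration` uses a plain `default()` rather than the `combine(..., recursive=true)` pattern used for every other stanza in this file, so setting a single raft key replaces the whole stanza; that is reasonable for swapping the backend but deserves a comment so it is not mistaken for an omission.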

View File

@ -11,6 +11,8 @@ module: ednz_cloud.hashistack.nomad_acl_bootstrap
short_description: Manages the ACL bootstrap of HashiCorp Nomad.
version_added: "0.1.0"
description:
- This module bootstraps HashiCorp Nomad ACL, ensuring that it is securely set up for use.

View File

@ -13,21 +13,3 @@ roles:
- name: ednz_cloud.install_docker
src: https://github.com/ednz-cloud/install_docker.git
version: main
- name: ednz_cloud.docker_systemd_service
src: https://github.com/ednz-cloud/docker_systemd_service.git
version: main
- name: ednz_cloud.deploy_haproxy
src: https://github.com/ednz-cloud/deploy_haproxy.git
version: main
- name: ednz_cloud.deploy_keepalived
src: https://github.com/ednz-cloud/deploy_keepalived.git
version: main
- name: ednz_cloud.hashicorp_nomad
src: https://github.com/ednz-cloud/hashicorp_nomad.git
version: v0.4.1
- name: ednz_cloud.hashicorp_consul
src: https://github.com/ednz-cloud/hashicorp_consul.git
version: v0.2.1
- name: ednz_cloud.hashicorp_vault
src: https://github.com/ednz-cloud/hashicorp_vault.git
version: v0.2.1
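Review bot: the only remaining entry, `ednz_cloud.install_docker`, is pinned to `version: main`, a moving branch, whereas the removed `hashicorp_nomad`, `hashicorp_consul` and `hashicorp_vault` entries were pinned to tags (v0.4.1, v0.2.1, v0.2.1); pin it to a tag or commit so the installed role cannot change underneath a release. Also confirm that the three hashicorp_* roles are declared elsewhere (the collection's galaxy.yml dependencies or a role's meta/main.yml), since the nomad_* and vault_* defaults in this change appear to be consumed by those roles and `ansible-galaxy install -r roles/requirements.yml` will no longer fetch them.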