diff --git a/.gitea/workflows/e2e-tests-consul.yml b/.gitea/workflows/e2e-tests-consul.yml
new file mode 100644
index 0000000..f6aaead
--- /dev/null
+++ b/.gitea/workflows/e2e-tests-consul.yml
@@ -0,0 +1,48 @@
+---
+name: test
+on:
+ pull_request:
+ types:
+ - opened
+ - edited
+ - synchronize
+ branches:
+ - main
+ paths:
+ - roles/consul/**
+
+jobs:
+ retrieve-credentials:
+ name: Retrieve Credentials
+ runs-on: ubuntu-latest
+ outputs:
+ registry-username: ${{ steps.import-secrets.outputs.GITEA_ACTIONS_USERNAME }}
+ registry-token: ${{ steps.import-secrets.outputs.GITEA_ACTIONS_TOKEN }}
+ steps:
+ - name: Get secrets from vault
+ id: import-secrets
+ uses: hashicorp/vault-action@v3
+ with:
+ url: "https://vault.ednz.fr"
+ method: approle
+ roleId: ${{ secrets.VAULT_APPROLE_ID }}
+ secretId: ${{ secrets.VAULT_APPROLE_SECRET_ID }}
+ secrets: |
+ kv/data/applications/gitea/users/actions username | GITEA_ACTIONS_USERNAME ;
+ kv/data/applications/gitea/users/actions token_write | GITEA_ACTIONS_TOKEN ;
+
+ end_to_end_vault:
+ needs: retrieve-credentials
+ strategy:
+ matrix:
+ test_os:
+ ["debian11", "debian12", "ubuntu2004", "ubuntu2204", "ubuntu2404"]
+ scenario: ["consul_default", "consul_with_acl_enabled"]
+ uses: ./.gitea/workflows/e2e-tests.yml
+ with:
+ role: vault
+ scenario: ${{ matrix.scenario }}
+ test_os: ${{ matrix.test_os }}
+ secrets:
+ GITEA_ACTIONS_USERNAME: ${{ needs.retrieve-credentials.outputs.registry-username }}
+ GITEA_ACTIONS_TOKEN: ${{ needs.retrieve-credentials.outputs.registry-token }}
diff --git a/.gitea/workflows/e2e-tests-nomad.yml b/.gitea/workflows/e2e-tests-nomad.yml
new file mode 100644
index 0000000..ae1ebf6
--- /dev/null
+++ b/.gitea/workflows/e2e-tests-nomad.yml
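Review bot: This workflow fires on `pull_request` and, in `retrieve-credentials`, spends the repository's `VAULT_APPROLE_ID`/`VAULT_APPROLE_SECRET_ID` to mint a `token_write` Gitea token that is then handed to a job which checks out and executes the PR's own code (`molecule test` in the reusable workflow). Whether an outside contributor can reach that path depends on how this Gitea instance exposes secrets to PRs from forks, which is not visible here; if forks can open PRs, gate the job on the head repository or on a maintainer label, and give the AppRole a policy that returns only a pull-scoped registry credential rather than a write token. Separately, `role: vault` under `with:` is a copy-paste from the Vault workflow and should read `role: consul` (and the job key `end_to_end_vault` would better be `end_to_end_consul`).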
@@ -0,0 +1,48 @@
+---
+name: test
+on:
+ pull_request:
+ types:
+ - opened
+ - edited
+ - synchronize
+ branches:
+ - main
+ paths:
+ - roles/nomad/**
+
+jobs:
+ retrieve-credentials:
+ name: Retrieve Credentials
+ runs-on: ubuntu-latest
+ outputs:
+ registry-username: ${{ steps.import-secrets.outputs.GITEA_ACTIONS_USERNAME }}
+ registry-token: ${{ steps.import-secrets.outputs.GITEA_ACTIONS_TOKEN }}
+ steps:
+ - name: Get secrets from vault
+ id: import-secrets
+ uses: hashicorp/vault-action@v3
+ with:
+ url: "https://vault.ednz.fr"
+ method: approle
+ roleId: ${{ secrets.VAULT_APPROLE_ID }}
+ secretId: ${{ secrets.VAULT_APPROLE_SECRET_ID }}
+ secrets: |
+ kv/data/applications/gitea/users/actions username | GITEA_ACTIONS_USERNAME ;
+ kv/data/applications/gitea/users/actions token_write | GITEA_ACTIONS_TOKEN ;
+
+ end_to_end_vault:
+ needs: retrieve-credentials
+ strategy:
+ matrix:
+ test_os:
+ ["debian11", "debian12", "ubuntu2004", "ubuntu2204", "ubuntu2404"]
+ scenario: ["nomad_default", "nomad_with_acl_enabled"]
+ uses: ./.gitea/workflows/e2e-tests.yml
+ with:
+ role: vault
+ scenario: ${{ matrix.scenario }}
+ test_os: ${{ matrix.test_os }}
+ secrets:
+ GITEA_ACTIONS_USERNAME: ${{ needs.retrieve-credentials.outputs.registry-username }}
+ GITEA_ACTIONS_TOKEN: ${{ needs.retrieve-credentials.outputs.registry-token }}
diff --git a/.gitea/workflows/e2e-tests-vault.yml b/.gitea/workflows/e2e-tests-vault.yml
new file mode 100644
index 0000000..1cd869b
--- /dev/null
+++ b/.gitea/workflows/e2e-tests-vault.yml
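Review bot: `role: vault` under `with:` is wrong for this file — the job drives the `nomad_default`/`nomad_with_acl_enabled` scenarios and should pass `role: nomad`; the job key `end_to_end_vault` is the same copy-paste and would read better as `end_to_end_nomad`. The mistake goes unnoticed because the reusable `e2e-tests.yml` declares `role` as a required input and then never references it (its single step uses only `inputs.scenario` and `inputs.test_os`), so either wire `role` into the test command or drop the input so future callers cannot pass a misleading value unchecked.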
@@ -0,0 +1,49 @@
+---
+name: test
+on:
+ pull_request:
+ types:
+ - opened
+ - edited
+ - synchronize
+ branches:
+ - main
+ paths:
+ - roles/vault/**
+ - plugins/modules/vault_unseal.py
+
+jobs:
+ retrieve-credentials:
+ name: Retrieve Credentials
+ runs-on: ubuntu-latest
+ outputs:
+ registry-username: ${{ steps.import-secrets.outputs.GITEA_ACTIONS_USERNAME }}
+ registry-token: ${{ steps.import-secrets.outputs.GITEA_ACTIONS_TOKEN }}
+ steps:
+ - name: Get secrets from vault
+ id: import-secrets
+ uses: hashicorp/vault-action@v3
+ with:
+ url: "https://vault.ednz.fr"
+ method: approle
+ roleId: ${{ secrets.VAULT_APPROLE_ID }}
+ secretId: ${{ secrets.VAULT_APPROLE_SECRET_ID }}
+ secrets: |
+ kv/data/applications/gitea/users/actions username | GITEA_ACTIONS_USERNAME ;
+ kv/data/applications/gitea/users/actions token_write | GITEA_ACTIONS_TOKEN ;
+
+ end_to_end_vault:
+ needs: retrieve-credentials
+ strategy:
+ matrix:
+ test_os:
+ ["debian11", "debian12", "ubuntu2004", "ubuntu2204", "ubuntu2404"]
+ scenario: ["vault_default", "vault_with_raft_enabled"]
+ uses: ./.gitea/workflows/e2e-tests.yml
+ with:
+ role: vault
+ scenario: ${{ matrix.scenario }}
+ test_os: ${{ matrix.test_os }}
+ secrets:
+ GITEA_ACTIONS_USERNAME: ${{ needs.retrieve-credentials.outputs.registry-username }}
+ GITEA_ACTIONS_TOKEN: ${{ needs.retrieve-credentials.outputs.registry-token }}
diff --git a/.gitea/workflows/e2e-tests.yml b/.gitea/workflows/e2e-tests.yml
new file mode 100644
index 0000000..fd822c5
--- /dev/null
+++ b/.gitea/workflows/e2e-tests.yml
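Review bot: The Gitea registry token crosses from `retrieve-credentials` to the reusable workflow as a plain job output (`registry-token`), and job outputs are not a secrets channel: the runner persists them in the run's metadata, and the masking that vault-action applies in the producing job does not travel with the value (GitHub's hosted runner goes as far as skipping an output that "may contain secret"; how act_runner behaves is not visible here). Since `e2e-tests.yml` only needs the credential to pull `ansible-runner:act-latest`, a pull-only registry secret stored directly in the repository and passed through `secrets:` would avoid both the round trip and spending the AppRole on every PR. `hashicorp/vault-action@v3` is a mutable tag standing between the AppRole secrets and the internet; pin it to a commit SHA, e.g. `uses: hashicorp/vault-action@<sha> # v3`.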
@@ -0,0 +1,47 @@
+---
+name: End-to-end tests
+
+on:
+ workflow_call:
+ inputs:
+ role:
+ required: true
+ type: string
+ description: "Which role should be tested"
+ scenario:
+ required: true
+ type: string
+ description: "Which scenarios should be run"
+ test_os:
+ required: true
+ type: string
+ description: "On which OS to run the tests"
+ secrets:
+ GITEA_ACTIONS_USERNAME:
+ required: true
+ GITEA_ACTIONS_TOKEN:
+ required: true
+
+jobs:
+ molecule-test:
+ name: Molecule tests
+ runs-on: ubuntu-latest
+ container:
+ image: git.ednz.fr/container-factory/ansible-runner:act-latest
+ credentials:
+ username: ${{ secrets.GITEA_ACTIONS_USERNAME }}
+ password: ${{ secrets.GITEA_ACTIONS_TOKEN }}
+ env:
+ ANSIBLE_HOST_KEY_CHECKING: "false"
+ ANSIBLE_FORCE_COLOR: "true"
+ ANSIBLE_PYTHON_INTERPRETER: /usr/bin/python3
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v3
+
+ - name: "Molecule test"
+ run: molecule test -s ${{ inputs.scenario }}
+ shell: bash
+ working-directory: ${{ gitea.workspace }}
+ env:
+ MOLECULE_TEST_OS: ${{ inputs.test_os }}
diff --git a/galaxy.yml b/galaxy.yml
index 47e2822..b521575 100644
--- a/galaxy.yml
+++ b/galaxy.yml
@@ -11,7 +11,7 @@ license_file: "LICENSE"
 # A list of tags you want to associate with the collection for indexing/searching. A tag name has the same character
 # requirements as 'namespace' and 'name'
-tags: ["tools"]
+tags: ["tools", "hashicorp", "nomad", "vault", "consul"]
 dependencies: {}
 repository: https://git.ednz.fr/ansible-collections/hashistack
 documentation: http://docs.example.com
diff --git a/molecule/no_tls_multi_node/etc/hashistack/globals.yml b/molecule/no_tls_multi_node/etc/hashistack/globals.yml
index 4a02ac8..477fe52 100644
--- a/molecule/no_tls_multi_node/etc/hashistack/globals.yml
+++ b/molecule/no_tls_multi_node/etc/hashistack/globals.yml
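Review bot: `run: molecule test -s ${{ inputs.scenario }}` splices a workflow input straight into shell text; today every caller feeds it from a literal matrix, but a reusable workflow cannot know that, and the env-var route already used for `MOLECULE_TEST_OS` is the safe pattern: add `MOLECULE_SCENARIO: ${{ inputs.scenario }}` under the step's `env:` and run `molecule test -s "$MOLECULE_SCENARIO"`. The only use of `GITEA_ACTIONS_TOKEN` in this job is `container.credentials.password` for pulling the runner image, so the callers' `token_write` is more privilege than the job needs; a pull-only token would do. `ANSIBLE_HOST_KEY_CHECKING: "false"` is reasonable for throwaway molecule instances but deserves a comment saying so, e.g. `# molecule instances are ephemeral; there is no known_hosts to verify against`. The `role` input is declared required yet never referenced by this job.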
@@ -1,293 +1,91 @@ --- # Molecule specific variables -########################## -# General options ######## -########################## +################### +# General options # +################### -# enable_haproxy: "yes" -# enable_vault: "yes" -# enable_consul: "yes" -# enable_nomad: "yes" +enable_vault: "yes" +enable_consul: "yes" +enable_nomad: "yes" -# haproxy_version: "2.8" -nomad_version: "1.8.2" +nomad_version: "1.8.3" # consul_version: "1.18.1" -# vault_version: "1.16.2" - -# consul_fqdn: consul.ednz.lab -# vault_fqdn: vault.ednz.lab -# nomad_fqdn: nomad.ednz.lab - -# hashistack_external_vip_interface: "eth0" -# hashistack_external_vip_addr: "192.168.121.100" -# hashistack_internal_vip_interface: "{{ hashistack_external_vip_interface }}" -# hashistack_internal_vip_addr: "{{ hashistack_external_vip_addr }}" +vault_version: "1.17.2" api_interface: "eth1" # api_interface_address: "{{ ansible_facts[api_interface]['ipv4']['address'] }}" -######################## -# external tls options # -######################## - -# enable_tls_external: false -# external_tls_externally_managed_certs: false +################### +# logging options # +################### +enable_log_to_file: true ######################## # internal tls options # ######################## # enable_tls_internal: false # internal_tls_externally_managed_certs: false +########## +# Consul # +########## -##################################################### -# # -# Consul # -# # -##################################################### +# hashistack_consul_domain: consul +# hashistack_consul_datacenter: dc1 +# hashistack_consul_primary_datacenter: "{{ consul_datacenter }}" +# hashistack_consul_gossip_encryption_key: "{{ _credentials.consul.gossip_encryption_key }}" +# hashistack_consul_enable_script_checks: false -# consul_domain: consul -# consul_datacenter: dc1 -# consul_primary_datacenter: dc1 -# consul_leave_on_terminate: true -# consul_rejoin_after_leave: true -# consul_enable_script_checks: true 
-# consul_gossip_encryption_key: "{{ 'mysupersecretgossipencryptionkey'|b64encode }}" +# hashistack_consul_extra_files_list: [] +# hashistack_consul_extra_configuration: {} -################################ -# consul address configuration # -################################ +# hashistack_consul_enable_tls: "{{ enable_tls_internal }}" -# consul_address_configuration: -# # The address to which Consul will bind client interfaces, -# # including the HTTP and DNS servers. -# client_addr: "0.0.0.0" -# # The address that should be bound to for internal cluster communications. -# bind_addr: "{{ api_interface_address }}" -# # The advertise address is used to change the address that we advertise to other nodes in the cluster. -# advertise_addr: "{{ api_interface_address }}" +# hashistack_consul_log_level: info -############################ -# consul ACL configuration # -############################ +######### +# Vault # +######### -# consul_acl_configuration: -# enabled: true -# default_policy: "deny" # can be allow or deny -# enable_token_persistence: true +# hashistack_vault_cluster_name: vault +# hashistack_vault_bind_addr: "0.0.0.0" +# hashistack_vault_cluster_addr: "{{ api_interface_address }}" +# hashistack_vault_enable_ui: true +# hashistack_vault_disable_mlock: false +# hashistack_vault_disable_cache: false -############################ -# consul DNS configuration # -############################ +# hashistack_vault_extra_files_list: [] +# hashistack_vault_extra_configuration: {} -# consul_dns_configuration: -# allow_stale: true -# enable_truncate: true -# only_passing: true +# hashistack_vault_enable_tls: "{{ enable_tls_internal }}" -########################### -# consul ui configuration # -########################### +# hashistack_vault_enable_service_registration: "{{ enable_consul | bool }}" -# consul_ui_configuration: -# enabled: "{{ 'consul_servers' in group_names }}" +# hashistack_vault_enable_plugins: false -##################################### -# consul 
service mesh configuration # -##################################### +# hashistack_vault_log_level: info -# consul_mesh_configuration: -# enabled: true +######### +# Nomad # +######### -############################ -# consul tls configuration # -############################ +# hashistack_nomad_region: global +# hashistack_nomad_datacenter: dc1 -# consul_enable_tls: "{{ enable_tls_internal }}" -# consul_tls_configuration: -# defaults: -# ca_file: "/etc/ssl/certs/ca-certificates.crt" -# cert_file: "{{ consul_certificates_directory }}/cert.pem" -# key_file: "{{ consul_certificates_directory }}/key.pem" -# verify_incoming: false -# verify_outgoing: true -# internal_rpc: -# verify_server_hostname: true +# hashistack_nomad_extra_files_list: [] +# hashistack_nomad_extra_configuration: {} -############################ -# consul container volumes # -############################ +# hashistack_nomad_autopilot_configuration: {} -# extra_consul_container_volumes: [] +# hashistack_nomad_driver_enable_docker: true +# hashistack_nomad_driver_enable_podman: false +# hashistack_nomad_driver_enable_raw_exec: false +# hashistack_nomad_driver_enable_java: false +# hashistack_nomad_driver_enable_qemu: false -############################## -# consul extra configuration # -############################## +# hashistack_nomad_driver_configuration: {} -# consul_extra_configuration: {} -# consul_extra_files_list: [] +# hashistack_nomad_log_level: info -##################################################### -# # -# Vault # -# # -##################################################### - -# vault_cluster_name: vault -# vault_enable_ui: true -# vault_seal_configuration: -# key_shares: 3 -# key_threshold: 2 - -################# -# vault storage # -################# - -# vault_storage_configuration: -# raft: -# path: "{{ hashicorp_vault_data_dir }}/data" -# node_id: "{{ ansible_hostname }}" -# retry_join: | -# [ -# {% for host in groups['vault_servers'] %} -# { -# 'leader_api_addr': '{{ "https" if 
vault_enable_tls else "http"}}://{{ hostvars[host].api_interface_address }}:8200' -# }{% if not loop.last %},{% endif %} -# {% endfor %} -# ] - -################## -# vault listener # -################## - -# vault_enable_tls: "{{ enable_tls_internal }}" -# vault_tls_verify: false -# vault_listener_configuration: -# tcp: -# address: "0.0.0.0:8200" -# tls_disable: true - -# vault_tls_listener_configuration: -# tcp: -# tls_disable: false -# tls_cert_file: "{{ vault_certificates_directory }}/cert.pem" -# tls_key_file: "{{ vault_certificates_directory }}/key.pem" -# tls_disable_client_certs: true - -# vault_extra_listener_configuration: {} - -######################## -# service registration # -######################## - -# vault_enable_service_registration: false -# vault_service_registration_configuration: -# consul: -# address: "127.0.0.1:8500" -# scheme: "http" -# token: "" - -################# -# vault plugins # -################# - -# vault_enable_plugins: false - -########### -# logging # -########### - -# vault_enable_log_to_file: false -# vault_logging_configuration: -# log_level: info -# log_format: standard -# log_rotate_duration: 24h -# log_rotate_max_files: 30 - -########################### -# vault container volumes # -########################### - -# extra_vault_container_volumes: [] - -############################# -# vault extra configuration # -############################# - -# vault_extra_configuration: {} -# vault_extra_files_list: [] - -##################################################### -# # -# Nomad # -# # -##################################################### - -# nomad_datacenter: dc1 -# nomad_region: global - -########################### -# nomad ACL configuration # -########################### - -# nomad_acl_configuration: -# enabled: true -# token_ttl: 30s -# policy_ttl: 60s -# role_ttl: 60s - -############################ -# nomad consul integration # -############################ - -# nomad_enable_consul_integration: "{{ enable_consul | 
bool }}" -# nomad_consul_integration_configuration: -# address: "127.0.0.1:{{ hashicorp_consul_configuration.ports.https if consul_enable_tls else hashicorp_consul_configuration.ports.http }}" -# auto_advertise: true -# ssl: "{{ consul_enable_tls | bool }}" -# token: "{{ _credentials.consul.tokens.nomad.server.secret_id if nomad_enable_server else _credentials.consul.tokens.nomad.client.secret_id}}" -# tags: [] - -############################ -# nomad vault integration # -############################ - -# nomad_enable_vault_integration: false -# nomad_vault_integration_configuration: {} - -############################### -# nomad drivers configuration # -############################### - -# nomad_driver_enable_docker: yes -# nomad_driver_enable_podman: no -# nomad_driver_enable_raw_exec: no -# nomad_driver_enable_java: no -# nomad_driver_enable_qemu: no - -# nomad_driver_extra_configuration: {} - -###################### -# nomad internal tls # -###################### - -# nomad_enable_tls: "{{ enable_tls_internal }}" -# nomad_tls_configuration: -# http: true -# rpc: true -# ca_file: "/etc/ssl/certs/ca-certificates.crt" -# cert_file: "{{ nomad_certificates_directory }}/cert.pem" -# key_file: "{{ nomad_certificates_directory }}/key.pem" -# verify_server_hostname: true -# nomad_certificates_directory: "{{ hashicorp_nomad_config_dir }}/tls" -# nomad_certificates_extra_files_dir: -# - src: "{{ hashistack_sub_configuration_directories['certificates'] }}/nomad/{{ inventory_hostname }}" -# dest: "{{ nomad_certificates_directory }}" - -############################# -# nomad extra configuration # -############################# - -# nomad_extra_configuration: {} -# nomad_extra_files_list: [] +# hashistack_nomad_enable_tls: "{{ enable_tls_internal }}" diff --git a/molecule/tls_multi_node/etc/hashistack/globals.yml b/molecule/tls_multi_node/etc/hashistack/globals.yml index b0bca38..c3baeb3 100644 --- a/molecule/tls_multi_node/etc/hashistack/globals.yml 
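Review bot: `enable_vault: "yes"`, `enable_consul: "yes"` and `enable_nomad: "yes"` are quoted strings, while a few lines later `enable_log_to_file: true` is a boolean; the mix is inconsistent, and a plain string is only safe if every consumer filters it through `| bool` — in plain Jinja any non-empty string is truthy, so `"no"` would pass a bare `{% if enable_vault %}` just as well. The example keys below (`hashistack_consul_enable_script_checks: false`, `hashistack_nomad_driver_enable_raw_exec: false`) already use booleans, so write `enable_vault: true` etc. here as well.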
+++ b/molecule/tls_multi_node/etc/hashistack/globals.yml @@ -7,38 +7,26 @@ hashistack_ca_directory_owner: "{{ lookup('env', 'USER') }}" hashistack_ca_domain: ednz.lab hashistack_ca_intermediate_name_constraints_critical: false -########################## -# General options ######## -########################## +################### +# General options # +################### -# enable_haproxy: "yes" -# enable_vault: "yes" -# enable_consul: "yes" -# enable_nomad: "yes" +enable_vault: "yes" +enable_consul: "yes" +enable_nomad: "yes" -# haproxy_version: "2.8" nomad_version: "1.8.3" # consul_version: "1.18.1" vault_version: "1.17.2" -# consul_fqdn: consul.ednz.lab -# vault_fqdn: vault.ednz.lab -# nomad_fqdn: nomad.ednz.lab - -# hashistack_external_vip_interface: "eth0" -# hashistack_external_vip_addr: "192.168.121.100" -# hashistack_internal_vip_interface: "{{ hashistack_external_vip_interface }}" -# hashistack_internal_vip_addr: "{{ hashistack_external_vip_addr }}" - api_interface: "eth1" # api_interface_address: "{{ ansible_facts[api_interface]['ipv4']['address'] }}" -######################## -# external tls options # -######################## +################### +# logging options # +################### -enable_tls_external: true -# external_tls_externally_managed_certs: false +enable_log_to_file: true ######################## # internal tls options # 
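Review bot: Removing `enable_tls_external: true` (together with the haproxy, VIP and FQDN knobs) means the `tls_multi_node` scenario now exercises only `enable_tls_internal: true` (the context line right after this hunk); if the collection still offers external TLS termination, no molecule scenario covers it any more, and if that feature went away with haproxy — which the diff suggests but does not show — a one-line note above `# internal tls options #` such as `# External TLS/haproxy is no longer part of this collection; only internal TLS is tested here` would keep the next reader from hunting for the setting. As in the no_tls scenario, `enable_vault`/`enable_consul`/`enable_nomad` are the string `"yes"` while `enable_log_to_file` is a real `true`; prefer `true` for all of them.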
@@ -46,254 +34,65 @@ enable_tls_external: true enable_tls_internal: true # internal_tls_externally_managed_certs: false +########## +# Consul # +########## -##################################################### -# # -# Consul # -# # -##################################################### +# hashistack_consul_domain: consul +# hashistack_consul_datacenter: dc1 +# hashistack_consul_primary_datacenter: "{{ consul_datacenter }}" +# hashistack_consul_gossip_encryption_key: "{{ _credentials.consul.gossip_encryption_key }}" +# hashistack_consul_enable_script_checks: false -# consul_domain: consul -# consul_datacenter: dc1 -# consul_primary_datacenter: dc1 -# consul_leave_on_terminate: true -# consul_rejoin_after_leave: true -# consul_enable_script_checks: true -# consul_gossip_encryption_key: "{{ 'mysupersecretgossipencryptionkey'|b64encode }}" +# hashistack_consul_extra_files_list: [] +# hashistack_consul_extra_configuration: {} -################################ -# consul address configuration # -################################ +# hashistack_consul_enable_tls: "{{ enable_tls_internal }}" -# consul_address_configuration: -# # The address to which Consul will bind client interfaces, -# # including the HTTP and DNS servers. -# client_addr: "0.0.0.0" -# # The address that should be bound to for internal cluster communications. -# bind_addr: "{{ api_interface_address }}" -# # The advertise address is used to change the address that we advertise to other nodes in the cluster. 
-# advertise_addr: "{{ api_interface_address }}" +# hashistack_consul_log_level: info -############################ -# consul ACL configuration # -############################ +######### +# Vault # +######### -# consul_acl_configuration: -# enabled: true -# default_policy: "deny" # can be allow or deny -# enable_token_persistence: true +# hashistack_vault_cluster_name: vault +# hashistack_vault_bind_addr: "0.0.0.0" +# hashistack_vault_cluster_addr: "{{ api_interface_address }}" +# hashistack_vault_enable_ui: true +# hashistack_vault_disable_mlock: false +# hashistack_vault_disable_cache: false -############################ -# consul DNS configuration # -############################ +# hashistack_vault_extra_files_list: [] +# hashistack_vault_extra_configuration: {} -# consul_dns_configuration: -# allow_stale: true -# enable_truncate: true -# only_passing: true +# hashistack_vault_enable_tls: "{{ enable_tls_internal }}" -########################### -# consul ui configuration # -########################### +# hashistack_vault_enable_service_registration: "{{ enable_consul | bool }}" -# consul_ui_configuration: -# enabled: "{{ 'consul_servers' in group_names }}" +# hashistack_vault_enable_plugins: false -##################################### -# consul service mesh configuration # -##################################### +# hashistack_vault_log_level: info -# consul_mesh_configuration: -# enabled: true +######### +# Nomad # +######### -############################ -# consul tls configuration # -############################ +# hashistack_nomad_region: global +# hashistack_nomad_datacenter: dc1 -# consul_enable_tls: "{{ enable_tls_internal }}" -# consul_tls_configuration: -# defaults: -# ca_file: "/etc/ssl/certs/ca-certificates.crt" -# cert_file: "{{ consul_certificates_directory }}/cert.pem" -# key_file: "{{ consul_certificates_directory }}/key.pem" -# verify_incoming: false -# verify_outgoing: true -# internal_rpc: -# verify_server_hostname: true +# 
hashistack_nomad_extra_files_list: [] +# hashistack_nomad_extra_configuration: {} -############################ -# consul container volumes # -############################ +# hashistack_nomad_autopilot_configuration: {} -# extra_consul_container_volumes: [] +# hashistack_nomad_driver_enable_docker: true +# hashistack_nomad_driver_enable_podman: false +# hashistack_nomad_driver_enable_raw_exec: false +# hashistack_nomad_driver_enable_java: false +# hashistack_nomad_driver_enable_qemu: false -############################## -# consul extra configuration # -############################## +# hashistack_nomad_driver_configuration: {} -# consul_extra_configuration: {} -# consul_extra_files_list: [] +# hashistack_nomad_log_level: info -##################################################### -# # -# Vault # -# # -##################################################### - -# vault_cluster_name: vault -# vault_enable_ui: true -# vault_seal_configuration: -# key_shares: 3 -# key_threshold: 2 - -################# -# vault storage # -################# - -# vault_storage_configuration: -# raft: -# path: "{{ hashicorp_vault_data_dir }}/data" -# node_id: "{{ ansible_hostname }}" -# retry_join: | -# [ -# {% for host in groups['vault_servers'] %} -# { -# 'leader_api_addr': '{{ "https" if vault_enable_tls else "http"}}://{{ hostvars[host].api_interface_address }}:8200' -# }{% if not loop.last %},{% endif %} -# {% endfor %} -# ] - -################## -# vault listener # -################## - -# vault_enable_tls: "{{ enable_tls_internal }}" -# vault_tls_verify: false -# vault_listener_configuration: -# tcp: -# address: "0.0.0.0:8200" -# tls_disable: true - -# vault_tls_listener_configuration: -# tcp: -# tls_disable: false -# tls_cert_file: "{{ vault_certificates_directory }}/cert.pem" -# tls_key_file: "{{ vault_certificates_directory }}/key.pem" -# tls_disable_client_certs: true - -# vault_extra_listener_configuration: {} - -######################## -# service registration # 
-######################## - -# vault_enable_service_registration: false -# vault_service_registration_configuration: -# consul: -# address: "127.0.0.1:8500" -# scheme: "http" -# token: "" - -################# -# vault plugins # -################# - -# vault_enable_plugins: false - -########### -# logging # -########### - -# vault_enable_log_to_file: false -# vault_logging_configuration: -# log_level: info -# log_format: standard -# log_rotate_duration: 24h -# log_rotate_max_files: 30 - -########################### -# vault container volumes # -########################### - -# extra_vault_container_volumes: [] - -############################# -# vault extra configuration # -############################# - -# vault_extra_configuration: {} -# vault_extra_files_list: [] - -##################################################### -# # -# Nomad # -# # -##################################################### - -# nomad_datacenter: dc1 -# nomad_region: global - -########################### -# nomad ACL configuration # -########################### - -# nomad_acl_configuration: -# enabled: true -# token_ttl: 30s -# policy_ttl: 60s -# role_ttl: 60s - -############################ -# nomad consul integration # -############################ - -# nomad_enable_consul_integration: "{{ enable_consul | bool }}" -# nomad_consul_integration_configuration: -# address: "127.0.0.1:{{ hashicorp_consul_configuration.ports.https if consul_enable_tls else hashicorp_consul_configuration.ports.http }}" -# auto_advertise: true -# ssl: "{{ consul_enable_tls | bool }}" -# token: "{{ _credentials.consul.tokens.nomad.server.secret_id if nomad_enable_server else _credentials.consul.tokens.nomad.client.secret_id}}" -# tags: [] - -############################ -# nomad vault integration # -############################ - -# nomad_enable_vault_integration: false -# nomad_vault_integration_configuration: {} - -############################### -# nomad drivers configuration # -############################### - 
-# nomad_driver_enable_docker: yes
-# nomad_driver_enable_podman: no
-# nomad_driver_enable_raw_exec: no
-# nomad_driver_enable_java: no
-# nomad_driver_enable_qemu: no
-
-# nomad_driver_extra_configuration: {}
-
-######################
-# nomad internal tls #
-######################
-
-# nomad_enable_tls: "{{ enable_tls_internal }}"
-# nomad_tls_configuration:
-# http: true
-# rpc: true
-# ca_file: "/etc/ssl/certs/ca-certificates.crt"
-# cert_file: "{{ nomad_certificates_directory }}/cert.pem"
-# key_file: "{{ nomad_certificates_directory }}/key.pem"
-# verify_server_hostname: true
-# nomad_certificates_directory: "{{ hashicorp_nomad_config_dir }}/tls"
-# nomad_certificates_extra_files_dir:
-# - src: "{{ hashistack_sub_configuration_directories['certificates'] }}/nomad/{{ inventory_hostname }}"
-# dest: "{{ nomad_certificates_directory }}"
-
-#############################
-# nomad extra configuration #
-#############################
-
-# nomad_extra_configuration: {}
-# nomad_extra_files_list: []
+# hashistack_nomad_enable_tls: "{{ enable_tls_internal }}"
diff --git a/playbooks/group_vars/all/consul.yml b/playbooks/group_vars/all/consul.yml
index f58de29..305578d 100644
--- a/playbooks/group_vars/all/consul.yml
+++ b/playbooks/group_vars/all/consul.yml
@@ -3,18 +3,14 @@
 # Consul #
 ##########
 
-consul_config_dir: "{{ hashistack_remote_config_dir }}/consul.d"
-consul_data_dir: "/opt/consul"
-consul_certs_dir: "{{ consul_config_dir }}/tls"
-consul_logs_dir: "{{ hashistack_remote_log_dir }}/consul"
-
-consul_envoy_install: false
-consul_envoy_version: latest
-
-consul_extra_files: true
-# consul_extra_files_list: []
-
-consul_env_variables: {}
+# hashistack_consul_config_dir:
+# hashistack_consul_data_dir:
+# hashistack_consul_certs_dir:
+# hashistack_consul_logs_dir:
+# hashistack_consul_envoy_install:
+# hashistack_consul_envoy_version:
+# hashistack_consul_extra_files_list:
+# hashistack_consul_env_variables:
 
 #######################
 # extra configuration #
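Review bot: The new Consul, Vault and Nomad sections are all commented-out `hashistack_*` keys with no statement of what they are, so a reader cannot tell whether the values shown are examples or the effective defaults; for Consul they match the `hashistack_default_consul_*` values declared in the new `consul_default.yml` further down this diff (`consul`, `dc1`, `false` for script checks, the `_credentials` gossip key), and presumably the same holds for Vault and Nomad. A short header above `# Consul #`, such as `# Commented keys are the collection's override variables; the values shown are the defaults from playbooks/group_vars/all/*_default.yml. Uncomment to override.`, would make that explicit. It is also worth saying in the same comment that this TLS scenario sets none of the `hashistack_*_enable_tls` keys itself and relies on their `"{{ enable_tls_internal }}"` defaults.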
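Review bot: Every key in the replacement block is a bare `# hashistack_consul_…:` with neither a value nor a pointer to where the default lives, so a reader of `group_vars/all/consul.yml` can no longer see that the data dir is `/opt/consul` or that Envoy is off by default — those values left with the removed lines. The defaults appear to be declared as `hashistack_default_consul_*` in the new `consul_default.yml` (visible further down this diff); a header comment here, `# Override knobs only. Defaults are hashistack_default_consul_* in consul_default.yml; uncomment a key and set it to override.`, would restore that link, and listing the default inline (e.g. `# hashistack_consul_data_dir: /opt/consul`) would be better still.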
@@ -25,140 +21,89 @@ consul_env_variables: {}
 # option should be used to add pieces of configuration not
 # available through standard variables.
 
-# consul_extra_configuration: {}
+# hashistack_consul_extra_configuration:
 
 ###########
 # general #
 ###########
 
-# consul_domain: consul
-# consul_datacenter: dc1
-# consul_primary_datacenter: "{{ consul_datacenter }}"
-# consul_gossip_encryption_key: "{{ _credentials.consul.gossip_encryption_key }}"
-# consul_enable_script_checks: false
+# hashistack_consul_domain:
+# hashistack_consul_datacenter:
+# hashistack_consul_primary_datacenter:
+# hashistack_consul_gossip_encryption_key:
+# hashistack_consul_enable_script_checks:
 
 #######################
 # leave configuration #
 #######################
 
-consul_leave_on_terminate: true
-consul_rejoin_after_leave: true
+# hashistack_consul_leave_on_terminate:
+# hashistack_consul_rejoin_after_leave:
 
 ######################
 # join configuration #
 ######################
 
-consul_join_configuration:
- retry_join: |
- {{
- groups['consul_servers'] |
- map('extract', hostvars, ['consul_address_configuration', 'bind_addr']) |
- list |
- to_json |
- from_json
- }}
- retry_interval: 30s
- retry_max: 0
+# hashistack_consul_join_configuration:
 
 ########################
 # server configuration #
 ########################
 
-consul_enable_server: "{{ 'consul_servers' in group_names }}"
-consul_bootstrap_expect: "{{ (groups['consul_servers'] | length) }}"
+# hashistack_consul_enable_server:
+# hashistack_consul_bootstrap_expect:
 
 ####################
 # ui configuration #
 ####################
 
-consul_ui_configuration:
- enabled: "{{ consul_enable_server }}"
+# hashistack_consul_ui_configuration:
 
 #########################
 # address configuration #
 #########################
 
-consul_bind_addr: "0.0.0.0"
-consul_advertise_addr: "{{ api_interface_address }}"
-consul_address_configuration:
- client_addr: "{{ consul_bind_addr }}"
- bind_addr: "{{ consul_advertise_addr }}"
- advertise_addr: "{{ consul_advertise_addr }}"
+# hashistack_consul_bind_addr:
+# hashistack_consul_advertise_addr:
+# hashistack_consul_address_configuration:
 
 #####################
 # ACL configuration #
 #####################
 
-consul_acl_configuration:
- enabled: true
- default_policy: "deny"
- enable_token_persistence: true
- tokens:
- agent: "{{ _credentials.consul.tokens.agent.secret_id }}"
-
-consul_default_agent_policy: |
- node_prefix "" {
- policy = "write"
- }
- service_prefix "" {
- policy = "read"
- }
+# hashistack_consul_acl_configuration:
 
 ##############################
 # service mesh configuration #
 ##############################
 
-consul_mesh_configuration:
- enabled: true
+# hashistack_consul_mesh_configuration:
 
 #####################
 # DNS configuration #
 #####################
 
-consul_dns_configuration:
- allow_stale: true
- enable_truncate: true
- only_passing: true
+# hashistack_consul_dns_configuration:
 
 ################
 # internal tls #
 ################
 
-# consul_enable_tls: false
-consul_tls_configuration:
- defaults:
- ca_file: "/etc/ssl/certs/ca-certificates.crt"
- cert_file: "{{ consul_certs_dir }}/fullchain.crt"
- key_file: "{{ consul_certs_dir }}/cert.key"
- verify_incoming: false
- verify_outgoing: true
- internal_rpc:
- verify_server_hostname: true
-
-consul_certificates_extra_files_dir: >
- {{
- [] if external_tls_externally_managed_certs | bool else
- [{
- 'src': "{{ hashistack_sub_configuration_directories['certificates'] }}/consul/{{ inventory_hostname }}",
- 'dest': "{{ consul_certs_dir }}"
- }]
- }}
+# hashistack_consul_enable_tls:
+# hashistack_consul_tls_configuration:
 
 ###########################
 # telemetry configuration #
 ###########################
 
-consul_enable_prometheus_metrics: false
-consul_prometheus_retention_time: 60s
-consul_telemetry_configuration: {}
+# hashistack_consul_enable_prometheus_metrics:
+# hashistack_consul_prometheus_retention_time:
+# hashistack_consul_telemetry_configuration:
 
 ###########
 # logging #
 ###########
 
-# consul_log_level: info
-consul_enable_log_to_file: "{{ enable_log_to_file | bool }}"
-consul_log_to_file_configuration:
- log_file: "{{ consul_logs_dir }}/consul.log"
- log_rotate_duration: 24h
- log_rotate_max_files: 30
+# hashistack_consul_log_level:
+# hashistack_consul_enable_log_to_file:
+# hashistack_consul_log_to_file_configuration:
diff --git a/playbooks/group_vars/all/consul_default.yml b/playbooks/group_vars/all/consul_default.yml
new file mode 100644
index 0000000..99ea7ac
--- /dev/null
+++ b/playbooks/group_vars/all/consul_default.yml
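Review bot: The removed block carried the Consul security defaults — `default_policy: "deny"`, `enable_token_persistence: true`, the agent token wiring and the `consul_default_agent_policy` HCL — but the replacement lists only `# hashistack_consul_acl_configuration:`, with no counterpart at all for `consul_default_agent_policy`. If the Consul role still renders that policy it is now undefined unless `consul_default.yml` (only partially visible here, and cut off before any ACL section) defines it; please confirm that `hashistack_default_consul_acl_configuration` keeps `default_policy: "deny"`, since a permissive default at this layer would open the cluster without any scenario noticing. The same check applies to the removed `consul_tls_configuration` (`verify_outgoing: true`, `verify_server_hostname: true`). A comment above `# hashistack_consul_acl_configuration:` naming the default, e.g. `# default: enabled, default_policy "deny", agent token from _credentials (see consul_default.yml)`, would make this reviewable from this file.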
@@ -0,0 +1,252 @@ +--- +########## +# Consul # +########## + +hashistack_default_consul_config_dir: "{{ hashistack_remote_config_dir }}/consul.d" +consul_config_dir: "{{ hashistack_consul_config_dir | default(hashistack_default_consul_config_dir) }}" + +hashistack_default_consul_data_dir: "/opt/consul" +consul_data_dir: "{{ hashistack_consul_data_dir | default(hashistack_default_consul_data_dir)}}" + +hashistack_default_consul_certs_dir: "{{ consul_config_dir }}/tls" +consul_certs_dir: "{{ hashistack_consul_certs_dir | default(hashistack_default_consul_certs_dir) }}" + +hashistack_default_consul_logs_dir: "{{ hashistack_remote_log_dir }}/consul" +consul_logs_dir: "{{ hashistack_consul_logs_dir | default(hashistack_default_consul_logs_dir) }}" + +hashistack_default_consul_envoy_install: false +consul_envoy_install: "{{ hashistack_consul_envoy_install | default(hashistack_default_consul_envoy_install) }}" + +hashistack_default_consul_envoy_version: latest +consul_envoy_version: "{{ hashistack_consul_envoy_version | default(hashistack_default_consul_envoy_version) }}" + +consul_extra_files: true + +hashistack_default_consul_extra_files_list: [] +consul_extra_files_list: "{{ hashistack_consul_extra_files_list | default(hashistack_default_consul_extra_files_list) }}" + +hashistack_default_consul_env_variables: {} +consul_env_variables: "{{ hashistack_consul_env_variables | default(hashistack_default_consul_env_variables) }}" + +####################### +# extra configuration # +####################### + +# You should prioritize adding configuration +# to the configuration entries below, this +# option should be used to add pieces of configuration not +# available through standard variables. 
+ +hashistack_default_consul_extra_configuration: {} +consul_extra_configuration: >- + {{ + hashistack_default_consul_extra_configuration | + combine((hashistack_consul_extra_configuration | default({})), recursive=true) + }} + +########### +# general # +########### + +hashistack_default_consul_domain: consul +consul_domain: "{{ hashistack_consul_domain | default(hashistack_default_consul_domain) }}" + +hashistack_default_consul_datacenter: dc1 +consul_datacenter: "{{ hashistack_consul_datacenter | default(hashistack_default_consul_datacenter) }}" + +hashistack_default_consul_primary_datacenter: "{{ consul_datacenter }}" +consul_primary_datacenter: "{{ hashistack_consul_primary_datacenter | default(hashistack_default_consul_primary_datacenter) }}" + +hashistack_default_consul_gossip_encryption_key: "{{ _credentials.consul.gossip_encryption_key }}" +consul_gossip_encryption_key: "{{ hashistack_consul_gossip_encryption_key | default(hashistack_default_consul_gossip_encryption_key) }}" + +hashistack_default_consul_enable_script_checks: false +consul_enable_script_checks: "{{ hashistack_consul_enable_script_checks | default(hashistack_default_consul_enable_script_checks) }}" + +####################### +# leave configuration # +####################### + +hashistack_default_consul_leave_on_terminate: true +consul_leave_on_terminate: "{{ hashistack_consul_leave_on_terminate | default(hashistack_default_consul_leave_on_terminate) }}" + +hashistack_default_consul_rejoin_after_leave: true +consul_rejoin_after_leave: "{{ hashistack_consul_rejoin_after_leave | default(hashistack_default_consul_rejoin_after_leave) }}" + +###################### +# join configuration # +###################### + +hashistack_default_consul_join_configuration: + retry_join: | + {{ + groups['consul_servers'] | + map('extract', hostvars, ['consul_address_configuration', 'bind_addr']) | + list | + to_json | + from_json + }} + retry_interval: 30s + retry_max: 0 +consul_join_configuration: >- + {{ + 
hashistack_default_consul_join_configuration | + combine((hashistack_consul_join_configuration | default({})), recursive=true) + }} + +######################## +# server configuration # +######################## + +hashistack_default_consul_enable_server: "{{ 'consul_servers' in group_names }}" +consul_enable_server: "{{ hashistack_consul_enable_server | default(hashistack_default_consul_enable_server) }}" + +hashistack_default_consul_bootstrap_expect: "{{ (groups['consul_servers'] | length) }}" +consul_bootstrap_expect: "{{ hashistack_consul_bootstrap_expect | default(hashistack_default_consul_bootstrap_expect) }}" + +#################### +# ui configuration # +#################### + +hashistack_default_consul_ui_configuration: + enabled: "{{ consul_enable_server }}" +consul_ui_configuration: >- + {{ + hashistack_default_consul_ui_configuration | + combine((hashistack_consul_ui_configuration | default({})), recursive=true) + }} + +######################### +# address configuration # +######################### + +hashistack_default_consul_bind_addr: "0.0.0.0" +consul_bind_addr: "{{ hashistack_consul_bind_addr | default(hashistack_default_consul_bind_addr) }}" + +hashistack_default_consul_advertise_addr: "{{ api_interface_address }}" +consul_advertise_addr: "{{ hashistack_consul_advertise_addr | default(hashistack_default_consul_advertise_addr) }}" + +hashistack_default_consul_address_configuration: + client_addr: "{{ consul_bind_addr }}" + bind_addr: "{{ consul_advertise_addr }}" + advertise_addr: "{{ consul_advertise_addr }}" +consul_address_configuration: >- + {{ + hashistack_default_consul_address_configuration | + combine((hashistack_consul_address_configuration | default({})), recursive=true) + }} + +##################### +# ACL configuration # +##################### + +hashistack_default_consul_acl_configuration: + enabled: true + default_policy: "deny" + enable_token_persistence: true + tokens: + agent: "{{ _credentials.consul.tokens.agent.secret_id }}" 
+consul_acl_configuration: >- + {{ + hashistack_default_consul_acl_configuration | + combine((hashistack_consul_acl_configuration | default({})), recursive=true) + }} + +consul_default_agent_policy: | + node_prefix "" { + policy = "write" + } + service_prefix "" { + policy = "read" + } + +############################## +# service mesh configuration # +############################## + +hashistack_default_consul_mesh_configuration: + enabled: true +consul_mesh_configuration: >- + {{ + hashistack_default_consul_mesh_configuration | + combine((hashistack_consul_mesh_configuration | default({})), recursive=true) + }} + +##################### +# DNS configuration # +##################### + +hashistack_default_consul_dns_configuration: + allow_stale: true + enable_truncate: true + only_passing: true +consul_dns_configuration: >- + {{ + hashistack_default_consul_dns_configuration | + combine((hashistack_consul_dns_configuration | default({})), recursive=true) + }} + +################ +# internal tls # +################ + +hashistack_default_consul_enable_tls: "{{ enable_tls_internal }}" +consul_enable_tls: "{{ hashistack_consul_enable_tls | default(hashistack_default_consul_enable_tls) }}" + +hashistack_default_consul_tls_configuration: + defaults: + ca_file: "/etc/ssl/certs/ca-certificates.crt" + cert_file: "{{ consul_certs_dir }}/fullchain.crt" + key_file: "{{ consul_certs_dir }}/cert.key" + verify_incoming: false + verify_outgoing: true + internal_rpc: + verify_server_hostname: true +consul_tls_configuration: >- + {{ + hashistack_default_consul_tls_configuration | + combine((hashistack_consul_tls_configuration | default({})), recursive=true) + }} + +consul_certificates_extra_files_dir: > + {{ + [] if internal_tls_externally_managed_certs | bool else + [{ + 'src': "{{ hashistack_sub_configuration_directories['certificates'] }}/consul/{{ inventory_hostname }}", + 'dest': "{{ consul_certs_dir }}" + }] + }} + +########################### +# telemetry configuration # 
+########################### + +hashistack_default_consul_enable_prometheus_metrics: false +consul_enable_prometheus_metrics: "{{ hashistack_consul_enable_prometheus_metrics | default(hashistack_default_consul_enable_prometheus_metrics) }}" + +hashistack_default_consul_prometheus_retention_time: 60s +consul_prometheus_retention_time: "{{ hashistack_consul_prometheus_retention_time | default(hashistack_default_consul_prometheus_retention_time) }}" + +hashistack_default_consul_telemetry_configuration: {} +consul_telemetry_configuration: "{{ hashistack_consul_telemetry_configuration | default(hashistack_default_consul_telemetry_configuration) }}" + +########### +# logging # +########### + +hashistack_default_consul_log_level: info +consul_log_level: "{{ hashistack_consul_log_level | default(hashistack_default_consul_log_level) }}" + +hashistack_default_consul_enable_log_to_file: "{{ enable_log_to_file | bool }}" +consul_enable_log_to_file: "{{ hashistack_consul_enable_log_to_file | default(hashistack_default_consul_enable_log_to_file) }}" + +hashistack_default_consul_log_to_file_configuration: + log_file: "{{ consul_logs_dir }}/consul.log" + log_rotate_duration: 24h + log_rotate_max_files: 30 +consul_log_to_file_configuration: >- + {{ + hashistack_default_consul_log_to_file_configuration | + combine((hashistack_consul_log_to_file_configuration | default({})), recursive=true) + }} diff --git a/playbooks/group_vars/all/globals.yml b/playbooks/group_vars/all/globals.yml index 0e25e9c..50db0f7 100644 --- a/playbooks/group_vars/all/globals.yml +++ b/playbooks/group_vars/all/globals.yml @@ -11,10 +11,6 @@ nomad_version: "1.8.1" consul_version: "1.18.1" vault_version: "1.16.2" -consul_fqdn: consul.ednz.lab -vault_fqdn: vault.ednz.lab -nomad_fqdn: nomad.ednz.lab - api_interface: "eth0" api_interface_address: "{{ ansible_facts[api_interface]['ipv4']['address'] }}" 
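Review bot: `consul_telemetry_configuration` in the telemetry section resolves its override with `default()`, so a user-supplied `hashistack_consul_telemetry_configuration` replaces the default mapping instead of being merged into it, unlike every other `*_configuration` key in this file, which goes through `combine(..., recursive=true)`; `nomad_autopilot_configuration` in nomad_default.yml has the same asymmetry. Consider `consul_telemetry_configuration: "{{ hashistack_default_consul_telemetry_configuration | combine(hashistack_consul_telemetry_configuration | default({}), recursive=true) }}"`, or a comment stating that replace semantics are intended for this one key. In the same file, `consul_data_dir` is missing the space before the closing braces in `default(hashistack_default_consul_data_dir)}}`; Jinja accepts it, but it is inconsistent with the neighbouring lines. In the TLS section, a comment above `verify_incoming: false` saying that incoming connections are not required to present a CA-signed client certificate, so peer authentication on those connections rests on the ACL tokens configured above, would make the security posture of this default explicit to whoever next tunes it.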
@@ -24,79 +20,71 @@ api_interface_address: "{{ ansible_facts[api_interface]['ipv4']['address'] }}" enable_log_to_file: true -######################## -# external tls options # -######################## - -enable_tls_external: false -external_tls_externally_managed_certs: false - ######################## # internal tls options # ######################## enable_tls_internal: false internal_tls_externally_managed_certs: false - ########## # Consul # ########## -consul_domain: consul -consul_datacenter: dc1 -consul_primary_datacenter: "{{ consul_datacenter }}" -consul_gossip_encryption_key: "{{ _credentials.consul.gossip_encryption_key }}" -consul_enable_script_checks: false +# hashistack_consul_domain: consul +# hashistack_consul_datacenter: dc1 +# hashistack_consul_primary_datacenter: "{{ consul_datacenter }}" +# hashistack_consul_gossip_encryption_key: "{{ _credentials.consul.gossip_encryption_key }}" +# hashistack_consul_enable_script_checks: false -consul_extra_files_list: [] -consul_extra_configuration: {} +# hashistack_consul_extra_files_list: [] +# hashistack_consul_extra_configuration: {} -consul_enable_tls: "{{ enable_tls_internal }}" +# hashistack_consul_enable_tls: "{{ enable_tls_internal }}" -consul_log_level: info +# hashistack_consul_log_level: info ######### # Vault # ######### -vault_cluster_name: vault -vault_bind_addr: "0.0.0.0" -vault_cluster_addr: "{{ api_interface_address }}" -vault_enable_ui: true -vault_disable_mlock: false -vault_disable_cache: false +# hashistack_vault_cluster_name: vault +# hashistack_vault_bind_addr: "0.0.0.0" +# hashistack_vault_cluster_addr: "{{ api_interface_address }}" +# hashistack_vault_enable_ui: true +# hashistack_vault_disable_mlock: false +# hashistack_vault_disable_cache: false -vault_extra_files_list: [] -vault_extra_configuration: {} +# hashistack_vault_extra_files_list: [] +# hashistack_vault_extra_configuration: {} -vault_enable_tls: "{{ enable_tls_internal }}" +# hashistack_vault_enable_tls: "{{ 
enable_tls_internal }}" -vault_enable_service_registration: "{{ enable_consul | bool }}" +# hashistack_vault_enable_service_registration: "{{ enable_consul | bool }}" -vault_enable_plugins: false +# hashistack_vault_enable_plugins: false -vault_log_level: info +# hashistack_vault_log_level: info ######### # Nomad # ######### -nomad_region: global -nomad_datacenter: dc1 +# hashistack_nomad_region: global +# hashistack_nomad_datacenter: dc1 -nomad_extra_files_list: [] -nomad_extra_configuration: {} +# hashistack_nomad_extra_files_list: [] +# hashistack_nomad_extra_configuration: {} -nomad_autopilot_configuration: {} +# hashistack_nomad_autopilot_configuration: {} -nomad_driver_enable_docker: true -nomad_driver_enable_podman: false -nomad_driver_enable_raw_exec: false -nomad_driver_enable_java: false -nomad_driver_enable_qemu: false +# hashistack_nomad_driver_enable_docker: true +# hashistack_nomad_driver_enable_podman: false +# hashistack_nomad_driver_enable_raw_exec: false +# hashistack_nomad_driver_enable_java: false +# hashistack_nomad_driver_enable_qemu: false -nomad_driver_extra_configuration: {} +# hashistack_nomad_driver_configuration: {} -nomad_log_level: info +# hashistack_nomad_log_level: info -nomad_enable_tls: "{{ enable_tls_internal }}" +# hashistack_nomad_enable_tls: "{{ enable_tls_internal }}" diff --git a/playbooks/group_vars/all/nomad.yml b/playbooks/group_vars/all/nomad.yml index 376fc0c..74da9c5 100644 --- a/playbooks/group_vars/all/nomad.yml +++ b/playbooks/group_vars/all/nomad.yml 
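Review bot: The Consul, Vault and Nomad sections now consist only of commented `hashistack_*` examples, but nothing in the file says where the effective values come from or that uncommenting a line overrides a default rather than defining the variable itself. A one-line comment above the `# Consul #` banner such as `# Uncomment a hashistack_* line to override the default of the same name defined in consul_default.yml / nomad_default.yml / vault_default.yml` would make that explicit. The example values shown (e.g. `# hashistack_consul_datacenter: dc1`) mirror the lines this hunk removes, so it is worth stating that they are illustrative, since they will drift silently from the real defaults once the `*_default.yml` files change.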
@@ -3,15 +3,12 @@ # Nomad # ######### -nomad_config_dir: "{{ hashistack_remote_config_dir }}/nomad.d" -nomad_data_dir: "/opt/nomad" -nomad_certs_dir: "{{ nomad_config_dir }}/tls" -nomad_logs_dir: "{{ hashistack_remote_log_dir }}/nomad" - -nomad_extra_files: true -# nomad_extra_files_list: [] - -nomad_env_variables: {} +# hashistack_nomad_config_dir: +# hashistack_nomad_data_dir: +# hashistack_nomad_certs_dir: +# hashistack_nomad_logs_dir: +# hashistack_nomad_extra_files_list: +# hashistack_nomad_env_variables: ####################### # extra configuration # 
@@ -22,213 +19,94 @@ nomad_env_variables: {} # option should be used to add pieces of configuration not # available through standard variables. -# nomad_extra_configuration: {} +# hashistack_nomad_extra_configuration: ########### # general # ########### -# nomad_region: global -# nomad_datacenter: dc1 +# hashistack_nomad_region: +# hashistack_nomad_datacenter: ######################### # address configuration # ######################### -nomad_bind_addr: "0.0.0.0" -nomad_advertise_addr: "{{ api_interface_address }}" -nomad_address_configuration: - bind_addr: "{{ nomad_bind_addr }}" - addresses: - http: "{{ nomad_advertise_addr }}" - rpc: "{{ nomad_advertise_addr }}" - serf: "{{ nomad_advertise_addr }}" - advertise: - http: "{{ nomad_advertise_addr }}" - rpc: "{{ nomad_advertise_addr }}" - serf: "{{ nomad_advertise_addr }}" - ports: - http: 4646 - rpc: 4647 - serf: 4648 +# hashistack_nomad_bind_addr: +# hashistack_nomad_advertise_addr: +# hashistack_nomad_address_configuration: ########################### # autopilot configuration # ########################### -# nomad_autopilot_configuration: {} +# hashistack_nomad_autopilot_configuration: ####################### # leave configuration # ####################### -nomad_leave_on_interrupt: false -nomad_leave_on_terminate: false - -######################## -# server configuration # -######################## - -nomad_enable_server: "{{ ('nomad_servers' in group_names) | bool }}" -nomad_server_bootstrap_expect: "{{ (groups['nomad_servers'] | length) }}" -nomad_server_configuration: - enabled: "{{ nomad_enable_server }}" - data_dir: "{{ nomad_data_dir }}/server" - encrypt: "{{ _credentials.nomad.gossip_encryption_key }}" - -############################## -# client configuration # -############################## - -nomad_enable_client: "{{ ('nomad_clients' in group_names) | bool }}" -nomad_client_configuration: - enabled: "{{ nomad_enable_client }}" - state_dir: "{{ nomad_data_dir }}/client" - cni_path: "{{ 
cni_plugins_install_path | default('/opt/cni/bin') }}" - bridge_network_name: nomad - bridge_network_subnet: "172.26.64.0/20" - node_pool: >- - {{ - 'ingress' if 'nomad_ingress' in group_names else - 'controller' if 'nomad_servers' in group_names else - omit - }} +# hashistack_nomad_leave_on_interrupt: +# hashistack_nomad_leave_on_terminate: #################### # ui configuration # #################### -nomad_ui_configuration: - enabled: "{{ nomad_enable_server }}" +# hashistack_nomad_ui_configuration: ######################### # drivers configuration # ######################### -nomad_driver_enable_docker: true -nomad_driver_enable_podman: false -nomad_driver_enable_raw_exec: false -nomad_driver_enable_java: false -nomad_driver_enable_qemu: false - -nomad_driver_configuration: - raw_exec: - enabled: false - -nomad_driver_extra_configuration: {} +# hashistack_nomad_driver_enable_docker: +# hashistack_nomad_driver_enable_podman: +# hashistack_nomad_driver_enable_raw_exec: +# hashistack_nomad_driver_enable_java: +# hashistack_nomad_driver_enable_qemu: +# hashistack_nomad_driver_configuration: ########### # logging # ########### -nomad_log_level: info -nomad_enable_log_to_file: "{{ enable_log_to_file | bool }}" -nomad_log_to_file_configuration: - log_file: "{{ nomad_logs_dir }}/nomad.log" - log_rotate_duration: 24h - log_rotate_max_files: 30 +# hashistack_nomad_log_level: +# hashistack_nomad_enable_log_to_file: +# hashistack_nomad_log_to_file_configuration: ##################### # ACL configuration # ##################### -nomad_acl_configuration: - enabled: true - token_ttl: 30s - policy_ttl: 60s - role_ttl: 60s +# hashistack_nomad_acl_configuration: ################ # internal tls # ################ -# nomad_enable_tls: false -nomad_tls_configuration: - http: true - rpc: true - ca_file: "/etc/ssl/certs/ca-certificates.crt" - cert_file: "{{ nomad_certs_dir }}/fullchain.crt" - key_file: "{{ nomad_certs_dir }}/cert.key" - verify_server_hostname: true - 
-nomad_certificates_extra_files_dir: > - {{ - [] if external_tls_externally_managed_certs | bool else - [{ - 'src': "{{ hashistack_sub_configuration_directories['certificates'] }}/nomad/{{ inventory_hostname }}", - 'dest': "{{ nomad_certs_dir }}" - }] - }} +# hashistack_nomad_enable_tls: +# hashistack_nomad_tls_configuration: ########################### # telemetry configuration # ########################### -nomad_telemetry_configuration: - collection_interval: 10s - disable_hostname: false - use_node_name: false - publish_allocation_metrics: false - publish_node_metrics: false - prefix_filter: [] - disable_dispatched_job_summary_metrics: false - prometheus_metrics: false +# hashistack_nomad_telemetry_configuration: ###################### # consul integration # ###################### -nomad_enable_consul_integration: "{{ enable_consul | bool }}" -nomad_consul_integration_configuration: - address: >- - 127.0.0.1:{{ consul_api_port[consul_api_scheme] }} - auto_advertise: true - ssl: "{{ consul_enable_tls | bool }}" - token: >- - {{ _credentials.consul.tokens.nomad.server.secret_id if nomad_enable_server else _credentials.consul.tokens.nomad.client.secret_id }} - tags: [] - -nomad_consul_integration_tls_configuration: - ca_file: "/etc/ssl/certs/ca-certificates.crt" - -nomad_consul_integration_server_configuration: - server_auto_join: true - -nomad_consul_integration_client_configuration: - client_auto_join: true - grpc_address: >- - 127.0.0.1:{{ consul_grpc_port[consul_api_scheme] }} - -nomad_consul_integration_client_tls_configuration: - grpc_ca_file: "/etc/ssl/certs/ca-certificates.crt" - -nomad_consul_integration_server_policy: | - agent_prefix "" { - policy = "read" - } - node_prefix "" { - policy = "read" - } - service_prefix "" { - policy = "write" - } - acl = "write" - mesh = "write" - -nomad_consul_integration_client_policy: | - agent_prefix "" { - policy = "read" - } - node_prefix "" { - policy = "read" - } - service_prefix "" { - policy = "write" - } +# 
hashistack_nomad_enable_consul_integration: +# hashistack_nomad_consul_integration_configuration: +# hashistack_nomad_consul_integration_tls_configuration: +# hashistack_nomad_consul_integration_server_configuration: +# hashistack_nomad_consul_integration_client_configuration: +# hashistack_nomad_consul_integration_client_tls_configuration: ############################ # nomad vault integration # ############################ -nomad_enable_vault_integration: false -nomad_vault_integration_configuration: {} +# hashistack_nomad_enable_vault_integration: +# hashistack_nomad_vault_integration_configuration: diff --git a/playbooks/group_vars/all/nomad_default.yml b/playbooks/group_vars/all/nomad_default.yml new file mode 100644 index 0000000..15233e6 --- /dev/null +++ b/playbooks/group_vars/all/nomad_default.yml 
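Review bot: The removed `# server configuration #` and `# client configuration #` sections have no `hashistack_nomad_server_configuration` / `hashistack_nomad_client_configuration` entry in the new commented list, and nomad_default.yml re-declares `nomad_server_configuration` and `nomad_client_configuration` (gossip `encrypt` key, `bridge_network_subnet`, `node_pool`) under their old names without the `hashistack_default_*` / `combine` pattern, so those values can no longer be overridden from this file the way every other section can. Either add the override pair for them in nomad_default.yml and list the keys here, or add a comment in this file noting that server and client configuration are intentionally not overridable. The same applies to `nomad_extra_files`, which the first hunk of this file removes and which is now a fixed `true` in nomad_default.yml.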
@@ -0,0 +1,347 @@ +--- +######### +# Nomad # +######### + +hashistack_default_nomad_config_dir: "{{ hashistack_remote_config_dir }}/nomad.d" +nomad_config_dir: "{{ hashistack_nomad_config_dir | default(hashistack_default_nomad_config_dir) }}" + +hashistack_default_nomad_data_dir: "/opt/nomad" +nomad_data_dir: "{{ hashistack_nomad_data_dir | default(hashistack_default_nomad_data_dir) }}" + +hashistack_default_nomad_certs_dir: "{{ nomad_config_dir }}/tls" +nomad_certs_dir: "{{ hashistack_nomad_certs_dir | default(hashistack_default_nomad_certs_dir) }}" + +hashistack_default_nomad_logs_dir: "{{ hashistack_remote_log_dir }}/nomad" +nomad_logs_dir: "{{ hashistack_nomad_logs_dir | default(hashistack_default_nomad_logs_dir) }}" + +nomad_extra_files: true + +hashistack_default_nomad_extra_files_list: [] +nomad_extra_files_list: "{{ hashistack_nomad_extra_files_list | default(hashistack_default_nomad_extra_files_list) }}" + +hashistack_default_nomad_env_variables: {} +nomad_env_variables: "{{ hashistack_nomad_env_variables | default(hashistack_default_nomad_env_variables) }}" + +####################### +# extra configuration # +####################### + +# You should prioritize adding configuration +# to the configuration entries below, this +# option should be used to add pieces of configuration not +# available through standard variables. 
+ +hashistack_default_nomad_extra_configuration: {} +nomad_extra_configuration: >- + {{ + hashistack_default_nomad_extra_configuration | + combine((hashistack_nomad_extra_configuration | default({})), recursive=true) + }} + +########### +# general # +########### + +hashistack_default_nomad_region: global +nomad_region: "{{ hashistack_nomad_region | default(hashistack_default_nomad_region) }}" + +hashistack_default_nomad_datacenter: dc1 +nomad_datacenter: "{{ hashistack_nomad_datacenter | default(hashistack_default_nomad_datacenter) }}" + +######################### +# address configuration # +######################### + +hashistack_default_nomad_bind_addr: "0.0.0.0" +nomad_bind_addr: "{{ hashistack_nomad_bind_addr | default(hashistack_default_nomad_bind_addr) }}" + +hashistack_default_nomad_advertise_addr: "{{ api_interface_address }}" +nomad_advertise_addr: "{{ hashistack_nomad_advertise_addr | default(hashistack_default_nomad_advertise_addr) }}" + +hashistack_default_nomad_address_configuration: + bind_addr: "{{ nomad_bind_addr }}" + addresses: + http: "{{ nomad_advertise_addr }}" + rpc: "{{ nomad_advertise_addr }}" + serf: "{{ nomad_advertise_addr }}" + advertise: + http: "{{ nomad_advertise_addr }}" + rpc: "{{ nomad_advertise_addr }}" + serf: "{{ nomad_advertise_addr }}" + ports: + http: 4646 + rpc: 4647 + serf: 4648 +nomad_address_configuration: >- + {{ + hashistack_default_nomad_address_configuration | + combine((hashistack_nomad_address_configuration | default({})), recursive=true) + }} + +########################### +# autopilot configuration # +########################### + +hashistack_default_nomad_autopilot_configuration: {} +nomad_autopilot_configuration: "{{ hashistack_nomad_autopilot_configuration | default(hashistack_default_nomad_autopilot_configuration) }}" + +####################### +# leave configuration # +####################### + +hashistack_default_nomad_leave_on_interrupt: false +nomad_leave_on_interrupt: "{{ 
hashistack_nomad_leave_on_interrupt | default(hashistack_default_nomad_leave_on_interrupt) }}" + +hashistack_default_nomad_leave_on_terminate: false +nomad_leave_on_terminate: "{{ hashistack_nomad_leave_on_terminate | default(hashistack_default_nomad_leave_on_terminate) }}" + +######################## +# server configuration # +######################## + +nomad_enable_server: "{{ ('nomad_servers' in group_names) | bool }}" +nomad_server_bootstrap_expect: "{{ (groups['nomad_servers'] | length) }}" +nomad_server_configuration: + enabled: "{{ nomad_enable_server }}" + data_dir: "{{ nomad_data_dir }}/server" + encrypt: "{{ _credentials.nomad.gossip_encryption_key }}" + +############################## +# client configuration # +############################## + +nomad_enable_client: "{{ ('nomad_clients' in group_names) | bool }}" +nomad_client_configuration: + enabled: "{{ nomad_enable_client }}" + state_dir: "{{ nomad_data_dir }}/client" + cni_path: "{{ cni_plugins_install_path | default('/opt/cni/bin') }}" + bridge_network_name: nomad + bridge_network_subnet: "172.26.64.0/20" + node_pool: >- + {{ + 'ingress' if 'nomad_ingress' in group_names else + 'controller' if 'nomad_servers' in group_names else + omit + }} + +#################### +# ui configuration # +#################### + +hashistack_default_nomad_ui_configuration: + enabled: "{{ nomad_enable_server }}" +nomad_ui_configuration: >- + {{ + hashistack_default_nomad_ui_configuration | + combine((hashistack_nomad_ui_configuration | default({})), recursive=true) + }} + +######################### +# drivers configuration # +######################### + +hashistack_default_nomad_driver_enable_docker: true +nomad_driver_enable_docker: "{{ hashistack_nomad_driver_enable_docker | default(hashistack_default_nomad_driver_enable_docker) }}" + +hashistack_default_nomad_driver_enable_podman: false +nomad_driver_enable_podman: "{{ hashistack_nomad_driver_enable_podman | default(hashistack_default_nomad_driver_enable_podman) }}" 
+ +hashistack_default_nomad_driver_enable_raw_exec: false +nomad_driver_enable_raw_exec: "{{ hashistack_nomad_driver_enable_raw_exec | default(hashistack_default_nomad_driver_enable_raw_exec) }}" + +hashistack_default_nomad_driver_enable_java: false +nomad_driver_enable_java: "{{ hashistack_nomad_driver_enable_java | default(hashistack_default_nomad_driver_enable_java) }}" + +hashistack_default_nomad_driver_enable_qemu: false +nomad_driver_enable_qemu: "{{ hashistack_nomad_driver_enable_qemu | default(hashistack_default_nomad_driver_enable_qemu) }}" + +hashistack_default_nomad_driver_configuration: + raw_exec: + enabled: "{{ nomad_driver_enable_raw_exec }}" +nomad_driver_configuration: >- + {{ + hashistack_default_nomad_driver_configuration | + combine((hashistack_nomad_driver_configuration | default({})), recursive=true) + }} + +nomad_driver_extra_configuration: {} + +########### +# logging # +########### + +hashistack_default_nomad_log_level: info +nomad_log_level: "{{ hashistack_nomad_log_level | default(hashistack_default_nomad_log_level) }}" + +hashistack_default_nomad_enable_log_to_file: "{{ enable_log_to_file | bool }}" +nomad_enable_log_to_file: "{{ hashistack_nomad_enable_log_to_file | default(hashistack_default_nomad_enable_log_to_file) }}" + +hashistack_default_nomad_log_to_file_configuration: + log_file: "{{ nomad_logs_dir }}/nomad.log" + log_rotate_duration: 24h + log_rotate_max_files: 30 +nomad_log_to_file_configuration: >- + {{ + hashistack_default_nomad_log_to_file_configuration | + combine((hashistack_nomad_log_to_file_configuration | default({})), recursive=true) + }} + +##################### +# ACL configuration # +##################### + +hashistack_default_nomad_acl_configuration: + enabled: true + token_ttl: 30s + policy_ttl: 60s + role_ttl: 60s +nomad_acl_configuration: >- + {{ + hashistack_default_nomad_acl_configuration | + combine((hashistack_nomad_acl_configuration | default({})), recursive=true) + }} + +################ +# internal tls # 
+################ + +hashistack_default_nomad_enable_tls: "{{ enable_tls_internal }}" +nomad_enable_tls: "{{ hashistack_nomad_enable_tls | default(hashistack_default_nomad_enable_tls) }}" + +hashistack_default_nomad_tls_configuration: + http: true + rpc: true + ca_file: "/etc/ssl/certs/ca-certificates.crt" + cert_file: "{{ nomad_certs_dir }}/fullchain.crt" + key_file: "{{ nomad_certs_dir }}/cert.key" + verify_server_hostname: true +nomad_tls_configuration: >- + {{ + hashistack_default_nomad_tls_configuration | + combine((hashistack_nomad_tls_configuration | default({})), recursive=true) + }} + +nomad_certificates_extra_files_dir: > + {{ + [] if internal_tls_externally_managed_certs | bool else + [{ + 'src': "{{ hashistack_sub_configuration_directories['certificates'] }}/nomad/{{ inventory_hostname }}", + 'dest': "{{ nomad_certs_dir }}" + }] + }} + +########################### +# telemetry configuration # +########################### + +hashistack_default_nomad_telemetry_configuration: + collection_interval: 10s + disable_hostname: false + use_node_name: false + publish_allocation_metrics: false + publish_node_metrics: false + prefix_filter: [] + disable_dispatched_job_summary_metrics: false + prometheus_metrics: false +nomad_telemetry_configuration: >- + {{ + hashistack_default_nomad_telemetry_configuration | + combine((hashistack_nomad_telemetry_configuration | default({})), recursive=true) + }} + +###################### +# consul integration # +###################### + +hashistack_default_nomad_enable_consul_integration: "{{ enable_consul | bool }}" +nomad_enable_consul_integration: "{{ hashistack_nomad_enable_consul_integration | default(hashistack_default_nomad_enable_consul_integration) }}" + +hashistack_default_nomad_consul_integration_configuration: + address: >- + 127.0.0.1:{{ consul_api_port[consul_api_scheme] }} + auto_advertise: true + ssl: "{{ consul_enable_tls | bool }}" + token: >- + {{ + _credentials.consul.tokens.nomad.server.secret_id if 
nomad_enable_server else + _credentials.consul.tokens.nomad.client.secret_id + }} + tags: [] +nomad_consul_integration_configuration: >- + {{ + hashistack_default_nomad_consul_integration_configuration | + combine((hashistack_nomad_consul_integration_configuration | default({})), recursive=true) + }} + +hashistack_default_nomad_consul_integration_tls_configuration: + ca_file: "/etc/ssl/certs/ca-certificates.crt" +nomad_consul_integration_tls_configuration: >- + {{ + hashistack_default_nomad_consul_integration_tls_configuration | + combine((hashistack_nomad_consul_integration_tls_configuration | default({})), recursive=true) + }} + +hashistack_default_nomad_consul_integration_server_configuration: + server_auto_join: true +nomad_consul_integration_server_configuration: >- + {{ + hashistack_default_nomad_consul_integration_server_configuration | + combine((hashistack_nomad_consul_integration_server_configuration | default({})), recursive=true) + }} + +hashistack_default_nomad_consul_integration_client_configuration: + client_auto_join: true + grpc_address: >- + 127.0.0.1:{{ consul_grpc_port[consul_api_scheme] }} +nomad_consul_integration_client_configuration: >- + {{ + hashistack_default_nomad_consul_integration_client_configuration | + combine((hashistack_nomad_consul_integration_client_configuration | default({})), recursive=true) + }} + +hashistack_default_nomad_consul_integration_client_tls_configuration: + grpc_ca_file: "/etc/ssl/certs/ca-certificates.crt" +nomad_consul_integration_client_tls_configuration: >- + {{ + hashistack_default_nomad_consul_integration_client_tls_configuration | + combine((hashistack_nomad_consul_integration_client_tls_configuration | default({})), recursive=true) + }} + +nomad_consul_integration_server_policy: | + agent_prefix "" { + policy = "read" + } + node_prefix "" { + policy = "read" + } + service_prefix "" { + policy = "write" + } + acl = "write" + mesh = "write" + +nomad_consul_integration_client_policy: | + agent_prefix "" { + 
policy = "read" + } + node_prefix "" { + policy = "read" + } + service_prefix "" { + policy = "write" + } + +############################ +# nomad vault integration # +############################ + +hashistack_default_nomad_enable_vault_integration: false +nomad_enable_vault_integration: "{{ hashistack_nomad_enable_vault_integration | default(hashistack_default_nomad_enable_vault_integration) }}" + +hashistack_default_nomad_vault_integration_configuration: {} +nomad_vault_integration_configuration: >- + {{ + hashistack_default_nomad_vault_integration_configuration | + combine((hashistack_nomad_vault_integration_configuration | default({})), recursive=true) + }} diff --git a/playbooks/group_vars/all/vault.yml b/playbooks/group_vars/all/vault.yml index c5a0f17..77f6717 100644 --- a/playbooks/group_vars/all/vault.yml +++ b/playbooks/group_vars/all/vault.yml @@ -3,15 +3,12 @@ # Vault # ######### -vault_config_dir: "{{ hashistack_remote_config_dir }}/vault.d" -vault_data_dir: "/opt/vault" -vault_certs_dir: "{{ vault_config_dir }}/tls" -vault_logs_dir: "{{ hashistack_remote_log_dir }}/vault" - -vault_extra_files: true -# vault_extra_files_list: [] - -vault_env_variables: {} +# hashistack_vault_config_dir: +# hashistack_vault_data_dir: +# hashistack_vault_certs_dir: +# hashistack_vault_logs_dir: +# hashistack_vault_extra_files_list: +# hashistack_vault_env_variables: ####################### # extra configuration # 
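Review bot: `nomad_driver_extra_configuration: {}` in the drivers section is kept as a bare, non-overridable variable next to the new `hashistack_default_nomad_driver_configuration` / `nomad_driver_configuration` pair, while globals.yml's commented examples replace the old `nomad_driver_extra_configuration` with `hashistack_nomad_driver_configuration`. If the role still reads `nomad_driver_extra_configuration` it is now silently fixed at `{}`; if it does not, the line is dead. A comment saying which (`# still consumed by the role's driver template; not overridable`) or removing the line would stop the two files disagreeing. Separately, `hashistack_default_nomad_driver_configuration.raw_exec.enabled` now follows `nomad_driver_enable_raw_exec` instead of the previous hard `false`; a comment above it noting that raw_exec lets allocations run unsandboxed on the host, which is why it is gated on that flag and defaults to false, would document the intent of the change.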
@@ -22,103 +19,57 @@ vault_env_variables: {} # option should be used to add pieces of configuration not # available through standard variables. -# vault_extra_configuration: {} +# hashistack_vault_extra_configuration: ########### # general # ########### -# vault_cluster_name: vault -# vault_bind_addr: "0.0.0.0" -# vault_cluster_addr: "{{ api_interface_address }}" -# vault_enable_ui: true -# vault_disable_mlock: false -# vault_disable_cache: false +# hashistack_vault_cluster_name: +# hashistack_vault_bind_addr: +# hashistack_vault_cluster_addr: +# hashistack_vault_enable_ui: +# hashistack_vault_disable_mlock: +# hashistack_vault_disable_cache: ###################### # seal configuration # ###################### -vault_seal_configuration: - key_shares: 3 - key_threshold: 2 +# hashistack_vault_seal_configuration: ######################### # storage configuration # ######################### -vault_storage_configuration: - raft: - path: "{{ vault_data_dir }}" - node_id: "{{ ansible_hostname }}" - retry_join: >- - [ - {% for host in groups['vault_servers'] %} - { - 'leader_api_addr': '{{ "https" if vault_enable_tls else "http"}}://{{ hostvars[host].api_interface_address }}:8200' - }{% if not loop.last %},{% endif %} - {% endfor %} - ] +# hashistack_vault_storage_configuration: ########################## # listener configuration # ########################## -# vault_enable_tls: false -vault_listener_configuration: - - tcp: - address: "{{ vault_cluster_addr }}:8200" - tls_disable: true - -vault_tls_listener_configuration: - - tcp: - tls_disable: false - tls_cert_file: "{{ vault_certs_dir }}/fullchain.crt" - tls_key_file: "{{ vault_certs_dir }}/cert.key" - tls_disable_client_certs: true - -vault_certificates_extra_files_dir: > - {{ - [] if external_tls_externally_managed_certs | bool else - [{ - 'src': "{{ hashistack_sub_configuration_directories['certificates'] }}/vault/{{ inventory_hostname }}", - 'dest': "{{ vault_certs_dir }}" - }] - }} - 
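Review bot: The new placeholder lines (`# hashistack_vault_config_dir:` through `# hashistack_vault_env_variables:`) drop the example values the removed lines carried, so a reader of this file no longer sees what the default is or where it is now defined; the same applies to the `# hashistack_vault_*` placeholders in the second hunk of this file. Suggest one header comment at the top of the stanza, e.g. `# Uncomment to override; defaults are the hashistack_default_vault_* values in playbooks/group_vars/all/vault_default.yml.` For the security-relevant toggles it is worth keeping the default inline as the old file did with `# vault_enable_tls: false`, e.g. `# hashistack_vault_enable_tls: false  # default; plaintext listener on :8200`.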
-vault_extra_listener_configuration: [] +# hashistack_vault_enable_tls: +# hashistack_vault_listener_configuration: +# hashistack_vault_tls_listener_configuration: ######################## # service registration # ######################## -# vault_enable_service_registration: "{{ enable_consul | bool }}" -vault_service_registration_configuration: - consul: - address: >- - 127.0.0.1:{{ hostvars[groups['consul_servers'][0]].consul_api_port[hostvars[groups['consul_servers'][0]].consul_api_scheme] }} - scheme: "{{ hostvars[groups['consul_servers'][0]].consul_api_scheme }}" - token: "{{ _credentials.consul.tokens.vault.secret_id }}" - -vault_service_registration_policy: | - service "vault" { - policy = "write" - } +# hashistack_vault_enable_service_registration: +# hashistack_vault_service_registration_configuration: ######################### # plugins configuration # ######################### -# vault_enable_plugins: false -vault_plugins_directory: "{{ vault_config_dir }}/plugins" +# hashistack_vault_enable_plugins: +# hashistack_vault_plugins_directory: ################# # vault logging # ################# -# vault_log_level: info -vault_enable_log_to_file: "{{ enable_log_to_file | bool }}" -vault_log_to_file_configuration: - log_file: "{{ vault_logs_dir }}/vault.log" - log_rotate_duration: 24h - log_rotate_max_files: 30 +# hashistack_vault_log_level: +# hashistack_vault_enable_log_to_file: +# hashistack_vault_log_to_file_configuration: diff --git a/playbooks/group_vars/all/vault_default.yml b/playbooks/group_vars/all/vault_default.yml new file mode 100644 index 0000000..e743cf8 --- /dev/null +++ b/playbooks/group_vars/all/vault_default.yml 
@@ -0,0 +1,174 @@ +--- +######### +# Vault # +######### + +hashistack_default_vault_config_dir: "{{ hashistack_remote_config_dir }}/vault.d" +vault_config_dir: "{{ hashistack_vault_config_dir | default(hashistack_default_vault_config_dir) }}" + +hashistack_default_vault_data_dir: "/opt/vault" +vault_data_dir: "{{ hashistack_vault_data_dir | default(hashistack_default_vault_data_dir) }}" + +hashistack_default_vault_certs_dir: "{{ vault_config_dir }}/tls" +vault_certs_dir: "{{ hashistack_vault_certs_dir | default(hashistack_default_vault_certs_dir) }}" + +hashistack_default_vault_logs_dir: "{{ hashistack_remote_log_dir }}/vault" +vault_logs_dir: "{{ hashistack_vault_logs_dir | default(hashistack_default_vault_logs_dir) }}" + +vault_extra_files: true + +hashistack_default_vault_extra_files_list: [] +vault_extra_files_list: "{{ hashistack_vault_extra_files_list | default(hashistack_default_vault_extra_files_list) }}" + +hashistack_default_vault_env_variables: {} +vault_env_variables: "{{ hashistack_vault_env_variables | default(hashistack_default_vault_env_variables) }}" + +####################### +# extra configuration # +####################### + +# You should prioritize adding configuration +# to the configuration entries below, this +# option should be used to add pieces of configuration not +# available through standard variables. 
+ +hashistack_default_vault_extra_configuration: {} +vault_extra_configuration: >- + {{ + hashistack_default_vault_extra_configuration | + combine((hashistack_vault_extra_configuration | default({})), recursive=true) + }} + +########### +# general # +########### + +hashistack_default_vault_cluster_name: vault +vault_cluster_name: "{{ hashistack_vault_cluster_name | default(hashistack_default_vault_cluster_name) }}" + +hashistack_default_vault_bind_addr: "0.0.0.0" +vault_bind_addr: "{{ hashistack_vault_bind_addr | default(hashistack_default_vault_bind_addr) }}" + +hashistack_default_vault_cluster_addr: "{{ api_interface_address }}" +vault_cluster_addr: "{{ hashistack_vault_cluster_addr | default(hashistack_default_vault_cluster_addr) }}" + +hashistack_default_vault_enable_ui: true +vault_enable_ui: "{{ hashistack_vault_enable_ui | default(hashistack_default_vault_enable_ui) }}" + +hashistack_default_vault_disable_mlock: false +vault_disable_mlock: "{{ hashistack_vault_disable_mlock | default(hashistack_default_vault_disable_mlock) }}" + +hashistack_default_vault_disable_cache: false +vault_disable_cache: "{{ hashistack_vault_disable_cache | default(hashistack_default_vault_disable_cache) }}" + +###################### +# seal configuration # +###################### + +hashistack_default_vault_seal_configuration: + key_shares: 3 + key_threshold: 2 +vault_seal_configuration: >- + {{ + hashistack_default_vault_seal_configuration | + combine((hashistack_vault_seal_configuration | default({})), recursive=true) + }} + +######################### +# storage configuration # +######################### + +hashistack_default_vault_storage_configuration: + raft: + path: "{{ vault_data_dir }}" + node_id: "{{ ansible_hostname }}" + retry_join: >- + [ + {% for host in groups['vault_servers'] %} + { + 'leader_api_addr': '{{ "https" if vault_enable_tls else "http"}}://{{ hostvars[host].api_interface_address }}:8200' + }{% if not loop.last %},{% endif %} + {% endfor %} + ] 
+vault_storage_configuration: "{{ hashistack_vault_storage_configuration | default(hashistack_default_vault_storage_configuration) }}" +########################## +# listener configuration # +########################## + +hashistack_default_vault_enable_tls: false +vault_enable_tls: "{{ hashistack_vault_enable_tls | default(hashistack_default_vault_enable_tls) }}" + +hashistack_default_vault_listener_configuration: + - tcp: + address: "{{ vault_cluster_addr }}:8200" + tls_disable: true +vault_listener_configuration: "{{ hashistack_vault_listener_configuration | default(hashistack_default_vault_listener_configuration) }}" + +hashistack_default_vault_tls_listener_configuration: + - tcp: + tls_disable: false + tls_cert_file: "{{ vault_certs_dir }}/fullchain.crt" + tls_key_file: "{{ vault_certs_dir }}/cert.key" + tls_disable_client_certs: true +vault_tls_listener_configuration: "{{ hashistack_vault_tls_listener_configuration | default(hashistack_default_vault_tls_listener_configuration) }}" + +vault_certificates_extra_files_dir: > + {{ + [] if internal_tls_externally_managed_certs | bool else + [{ + 'src': "{{ hashistack_sub_configuration_directories['certificates'] }}/vault/{{ inventory_hostname }}", + 'dest': "{{ vault_certs_dir }}" + }] + }} + +vault_extra_listener_configuration: [] + +######################## +# service registration # +######################## + +hashistack_default_vault_enable_service_registration: "{{ enable_consul | bool }}" +vault_enable_service_registration: "{{ hashistack_vault_enable_service_registration | default(hashistack_default_vault_enable_service_registration) }}" + +hashistack_default_vault_service_registration_configuration: + consul: + address: >- + 127.0.0.1:{{ hostvars[groups['consul_servers'][0]].consul_api_port[hostvars[groups['consul_servers'][0]].consul_api_scheme] }} + scheme: "{{ hostvars[groups['consul_servers'][0]].consul_api_scheme }}" + token: "{{ _credentials.consul.tokens.vault.secret_id }}" 
+vault_service_registration_configuration: "{{ hashistack_vault_service_registration_configuration | default(hashistack_default_vault_service_registration_configuration) }}" + +vault_service_registration_policy: | + service "vault" { + policy = "write" + } + +######################### +# plugins configuration # +######################### + +hashistack_default_vault_enable_plugins: false +vault_enable_plugins: "{{ hashistack_vault_enable_plugins | default(hashistack_default_vault_enable_plugins) }}" + +hashistack_default_vault_plugins_directory: "{{ vault_config_dir }}/plugins" +vault_plugins_directory: "{{ hashistack_vault_plugins_directory | default(hashistack_default_vault_plugins_directory) }}" + +################# +# vault logging # +################# + +hashistack_default_vault_log_level: info +vault_log_level: "{{ hashistack_vault_log_level | default(hashistack_default_vault_log_level) }}" + +hashistack_default_vault_enable_log_to_file: "{{ enable_log_to_file | bool }}" +vault_enable_log_to_file: "{{ hashistack_vault_enable_log_to_file | default(hashistack_default_vault_enable_log_to_file) }}" + +hashistack_default_vault_log_to_file_configuration: + log_file: "{{ vault_logs_dir }}/vault.log" + log_rotate_duration: 24h + log_rotate_max_files: 30 +vault_log_to_file_configuration: >- + {{ + hashistack_default_vault_log_to_file_configuration | + combine((hashistack_vault_log_to_file_configuration | default({})), recursive=true) + }} diff --git a/plugins/modules/nomad_acl_bootstrap.py b/plugins/modules/nomad_acl_bootstrap.py index 5265ae8..21c45c5 100644 --- a/plugins/modules/nomad_acl_bootstrap.py +++ b/plugins/modules/nomad_acl_bootstrap.py @@ -11,6 +11,8 @@ module: ednz_cloud.hashistack.nomad_acl_bootstrap short_description: Manages the ACL bootstrap of HashiCorp Nomad. +version_added: "0.1.0" + description: - This module bootstraps HashiCorp Nomad ACL, ensuring that it is securely set up for use. 
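Review bot: The override semantics differ between variables without any comment saying so: `vault_seal_configuration`, `vault_extra_configuration` and `vault_log_to_file_configuration` deep-merge the operator's `hashistack_vault_*` value into the default via `combine(..., recursive=true)`, whereas `vault_storage_configuration`, `vault_listener_configuration`, `vault_tls_listener_configuration` and `vault_service_registration_configuration` use `default()` and so replace the whole default, meaning an operator who sets only `hashistack_vault_storage_configuration.raft.path` loses `node_id` and `retry_join` unless they restate them. Either move the mapping-valued ones to the same `combine` pattern or add a header comment such as `# Mapping defaults (seal, extra, log_to_file) are deep-merged with hashistack_vault_*; storage, listener and service_registration defaults are replaced wholesale.` A comment above `hashistack_default_vault_enable_tls: false` is also warranted: with that default the listener is `tls_disable: true` on `{{ vault_cluster_addr }}:8200` and `retry_join` advertises `http://` leader addresses, so the cluster runs in plaintext until `hashistack_vault_enable_tls` is set. Finally, `vault_certificates_extra_files_dir: >` is the only folded scalar here without the `-` chomp indicator, so its rendered value carries a trailing newline; `>-` like its siblings would be consistent.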
diff --git a/roles/requirements.yml b/roles/requirements.yml
index 84bdfb1..31ba86e 100644
--- a/roles/requirements.yml
+++ b/roles/requirements.yml
@@ -13,21 +13,3 @@ roles:
 - name: ednz_cloud.install_docker
 src: https://github.com/ednz-cloud/install_docker.git
 version: main
- - name: ednz_cloud.docker_systemd_service
- src: https://github.com/ednz-cloud/docker_systemd_service.git
- version: main
- - name: ednz_cloud.deploy_haproxy
- src: https://github.com/ednz-cloud/deploy_haproxy.git
- version: main
- - name: ednz_cloud.deploy_keepalived
- src: https://github.com/ednz-cloud/deploy_keepalived.git
- version: main
- - name: ednz_cloud.hashicorp_nomad
- src: https://github.com/ednz-cloud/hashicorp_nomad.git
- version: v0.4.1
- - name: ednz_cloud.hashicorp_consul
- src: https://github.com/ednz-cloud/hashicorp_consul.git
- version: v0.2.1
- - name: ednz_cloud.hashicorp_vault
- src: https://github.com/ednz-cloud/hashicorp_vault.git
- version: v0.2.1