feat(nomad): move variables to globals.yml, adjust bootstrap module for nomad ACLs
All checks were successful
development / Check commit compliance (push) Successful in 6s
All checks were successful
development / Check commit compliance (push) Successful in 6s
This commit is contained in:
parent
95a1d80f76
commit
074da0289a
@ -9,7 +9,7 @@
|
|||||||
# enable_nomad: "yes"
|
# enable_nomad: "yes"
|
||||||
|
|
||||||
# haproxy_version: "2.8"
|
# haproxy_version: "2.8"
|
||||||
# nomad_version: "1.7.7"
|
# nomad_version: "1.8.1"
|
||||||
# consul_version: "1.18.1"
|
# consul_version: "1.18.1"
|
||||||
# vault_version: "1.16.2"
|
# vault_version: "1.16.2"
|
||||||
|
|
||||||
@ -112,9 +112,9 @@ consul_enable_tls: true
|
|||||||
|
|
||||||
# extra_consul_container_volumes: []
|
# extra_consul_container_volumes: []
|
||||||
|
|
||||||
#######################
|
##############################
|
||||||
# extra configuration #
|
# consul extra configuration #
|
||||||
#######################
|
##############################
|
||||||
|
|
||||||
# consul_extra_configuration: {}
|
# consul_extra_configuration: {}
|
||||||
# consul_extra_files_list: []
|
# consul_extra_files_list: []
|
||||||
@ -202,9 +202,76 @@ vault_enable_tls: true
|
|||||||
|
|
||||||
# extra_vault_container_volumes: []
|
# extra_vault_container_volumes: []
|
||||||
|
|
||||||
#####################
|
#############################
|
||||||
# extra configuration
|
# vault extra configuration #
|
||||||
#####################
|
#############################
|
||||||
|
|
||||||
# vault_extra_configuration: {}
|
# vault_extra_configuration: {}
|
||||||
# vault_extra_files_list: []
|
# vault_extra_files_list: []
|
||||||
|
|
||||||
|
#####################################################
|
||||||
|
# #
|
||||||
|
# Nomad #
|
||||||
|
# #
|
||||||
|
#####################################################
|
||||||
|
|
||||||
|
# nomad_datacenter: dc1
|
||||||
|
# nomad_region: global
|
||||||
|
|
||||||
|
###########################
|
||||||
|
# nomad ACL configuration #
|
||||||
|
###########################
|
||||||
|
|
||||||
|
# nomad_acl_configuration:
|
||||||
|
# enabled: true
|
||||||
|
# token_ttl: 30s
|
||||||
|
# policy_ttl: 60s
|
||||||
|
# role_ttl: 60s
|
||||||
|
|
||||||
|
############################
|
||||||
|
# nomad consul integration #
|
||||||
|
############################
|
||||||
|
|
||||||
|
# nomad_enable_consul_integration: "{{ enable_consul | bool }}"
|
||||||
|
# nomad_consul_integration_configuration:
|
||||||
|
# address: "127.0.0.1:{{ hashicorp_consul_configuration.ports.https if consul_enable_tls else hashicorp_consul_configuration.ports.http }}"
|
||||||
|
# auto_advertise: true
|
||||||
|
# ssl: "{{ consul_enable_tls | bool }}"
|
||||||
|
# token: "{{ _credentials.consul.tokens.nomad.server.secret_id if nomad_enable_server else _credentials.consul.tokens.nomad.client.secret_id}}"
|
||||||
|
# tags: []
|
||||||
|
|
||||||
|
############################
|
||||||
|
# nomad vault integration #
|
||||||
|
############################
|
||||||
|
|
||||||
|
# nomad_enable_vault_integration: false
|
||||||
|
# nomad_vault_integration_configuration: {}
|
||||||
|
|
||||||
|
###############################
|
||||||
|
# nomad drivers configuration #
|
||||||
|
###############################
|
||||||
|
|
||||||
|
######################
|
||||||
|
# nomad internal tls #
|
||||||
|
######################
|
||||||
|
|
||||||
|
nomad_enable_tls: true
|
||||||
|
nomad_tls_configuration:
|
||||||
|
http: true
|
||||||
|
rpc: true
|
||||||
|
rpc_upgrade_mode: true
|
||||||
|
ca_file: "/etc/ssl/certs/ca-certificates.crt"
|
||||||
|
cert_file: "{{ nomad_certificates_directory }}/cert.pem"
|
||||||
|
key_file: "{{ nomad_certificates_directory }}/key.pem"
|
||||||
|
verify_server_hostname: true
|
||||||
|
# nomad_certificates_directory: "{{ hashicorp_nomad_config_dir }}/tls"
|
||||||
|
# nomad_certificates_extra_files_dir:
|
||||||
|
# - src: "{{ sub_configuration_directories['certificates'] }}/nomad/{{ inventory_hostname }}"
|
||||||
|
# dest: "{{ nomad_certificates_directory }}"
|
||||||
|
|
||||||
|
#############################
|
||||||
|
# nomad extra configuration #
|
||||||
|
#############################
|
||||||
|
|
||||||
|
# nomad_extra_configuration: {}
|
||||||
|
# nomad_extra_files_list: []
|
||||||
|
@ -277,3 +277,89 @@
|
|||||||
owner: "{{ lookup('env', 'USER') }}"
|
owner: "{{ lookup('env', 'USER') }}"
|
||||||
group: "{{ lookup('env', 'USER') }}"
|
group: "{{ lookup('env', 'USER') }}"
|
||||||
mode: "0644"
|
mode: "0644"
|
||||||
|
|
||||||
|
- name: "Create Nomad certificates"
|
||||||
|
when:
|
||||||
|
- "('nomad_servers' in group_names) or ('nomad_clients' in group_names)"
|
||||||
|
vars:
|
||||||
|
nomad_private_key_path: "{{ sub_configuration_directories['certificates'] }}/nomad/{{ inventory_hostname }}/key.pem"
|
||||||
|
nomad_certificate_path: "{{ sub_configuration_directories['certificates'] }}/nomad/{{ inventory_hostname }}/cert.pem"
|
||||||
|
block:
|
||||||
|
- name: "Create temporary cert directory in {{ sub_configuration_directories['certificates'] }}" # noqa: run-once[task]
|
||||||
|
ansible.builtin.file:
|
||||||
|
path: "{{ sub_configuration_directories['certificates'] }}/nomad/{{ inventory_hostname }}"
|
||||||
|
state: directory
|
||||||
|
owner: "{{ lookup('env', 'USER') }}"
|
||||||
|
group: "{{ lookup('env', 'USER') }}"
|
||||||
|
mode: "0755"
|
||||||
|
|
||||||
|
- name: "Create Nomad certificate keys"
|
||||||
|
community.crypto.openssl_privatekey:
|
||||||
|
path: "{{ nomad_private_key_path }}"
|
||||||
|
owner: "{{ lookup('env', 'USER') }}"
|
||||||
|
group: "{{ lookup('env', 'USER') }}"
|
||||||
|
|
||||||
|
- name: "Create CSRs for Nomad servers"
|
||||||
|
vars:
|
||||||
|
nomad_csr_sans: >-
|
||||||
|
{%- set sans_list = [
|
||||||
|
'DNS:' + inventory_hostname,
|
||||||
|
'DNS:localhost',
|
||||||
|
'IP:' + api_interface_address,
|
||||||
|
'IP:127.0.0.1'
|
||||||
|
] -%}
|
||||||
|
{%- if hashicorp_nomad_configuration.server.enabled -%}
|
||||||
|
{%- set _ = sans_list.append('DNS:server.' ~ hashicorp_nomad_configuration.region ~ '.nomad') -%}
|
||||||
|
{%- if (enable_consul | bool) -%}
|
||||||
|
{%- set _ = sans_list.append('DNS:nomad.service.consul') -%}
|
||||||
|
{%- endif -%}
|
||||||
|
{%- endif -%}
|
||||||
|
{%- if hashicorp_nomad_configuration.client.enabled -%}
|
||||||
|
{%- set _ = sans_list.append('DNS:client.' ~ hashicorp_nomad_configuration.region ~ '.nomad') -%}
|
||||||
|
{%- endif -%}
|
||||||
|
{{ sans_list }}
|
||||||
|
community.crypto.openssl_csr_pipe:
|
||||||
|
privatekey_path: "{{ nomad_private_key_path }}"
|
||||||
|
common_name: "{{ inventory_hostname }}"
|
||||||
|
subject_alt_name: "{{ nomad_csr_sans }}"
|
||||||
|
key_usage_critical: true
|
||||||
|
key_usage:
|
||||||
|
- Digital Signature
|
||||||
|
- Key Encipherment
|
||||||
|
extended_key_usage:
|
||||||
|
- TLS Web Server Authentication
|
||||||
|
- TLS Web Client Authentication
|
||||||
|
organization_name: EDNZ Cloud
|
||||||
|
use_common_name_for_san: false
|
||||||
|
register: nomad_csr
|
||||||
|
|
||||||
|
- name: "Sign certificates with internal CA"
|
||||||
|
community.crypto.x509_certificate:
|
||||||
|
path: "{{ nomad_certificate_path }}"
|
||||||
|
csr_content: "{{ nomad_csr.csr }}"
|
||||||
|
provider: ownca
|
||||||
|
ownca_path: "{{ hashistack_ca_cert_path }}"
|
||||||
|
ownca_privatekey_path: "{{ hashistack_ca_key_path }}"
|
||||||
|
ownca_not_after: "+365d"
|
||||||
|
ownca_not_before: "-1d"
|
||||||
|
|
||||||
|
- name: "Concatenate CA and Child certificates"
|
||||||
|
block:
|
||||||
|
- name: "Read content of ca.crt"
|
||||||
|
ansible.builtin.slurp:
|
||||||
|
src: "{{ hashistack_ca_cert_path }}"
|
||||||
|
register: ca_crt_content
|
||||||
|
|
||||||
|
- name: "Read content of cert.pem"
|
||||||
|
ansible.builtin.slurp:
|
||||||
|
src: "{{ nomad_certificate_path }}"
|
||||||
|
register: cert_pem_content
|
||||||
|
|
||||||
|
- name: "Concatenate certificates"
|
||||||
|
ansible.builtin.copy:
|
||||||
|
content: |
|
||||||
|
{{ cert_pem_content['content'] | b64decode }}{{ ca_crt_content['content'] | b64decode }}
|
||||||
|
dest: "{{ nomad_certificate_path }}"
|
||||||
|
owner: "{{ lookup('env', 'USER') }}"
|
||||||
|
group: "{{ lookup('env', 'USER') }}"
|
||||||
|
mode: "0644"
|
||||||
|
@ -111,9 +111,9 @@ consul_tls_configuration:
|
|||||||
|
|
||||||
extra_consul_container_volumes: []
|
extra_consul_container_volumes: []
|
||||||
|
|
||||||
#######################
|
##############################
|
||||||
# extra configuration #
|
# consul extra configuration #
|
||||||
#######################
|
##############################
|
||||||
|
|
||||||
consul_extra_configuration: {}
|
consul_extra_configuration: {}
|
||||||
consul_extra_files_list: []
|
consul_extra_files_list: []
|
||||||
@ -201,9 +201,71 @@ vault_logging_configuration:
|
|||||||
|
|
||||||
extra_vault_container_volumes: []
|
extra_vault_container_volumes: []
|
||||||
|
|
||||||
#####################
|
#############################
|
||||||
# extra configuration
|
# vault extra configuration #
|
||||||
#####################
|
#############################
|
||||||
|
|
||||||
vault_extra_configuration: {}
|
vault_extra_configuration: {}
|
||||||
vault_extra_files_list: []
|
vault_extra_files_list: []
|
||||||
|
|
||||||
|
#####################################################
|
||||||
|
# #
|
||||||
|
# Nomad #
|
||||||
|
# #
|
||||||
|
#####################################################
|
||||||
|
|
||||||
|
nomad_datacenter: dc1
|
||||||
|
nomad_region: global
|
||||||
|
|
||||||
|
###########################
|
||||||
|
# nomad ACL configuration #
|
||||||
|
###########################
|
||||||
|
|
||||||
|
nomad_acl_configuration:
|
||||||
|
enabled: true
|
||||||
|
token_ttl: 30s
|
||||||
|
policy_ttl: 60s
|
||||||
|
role_ttl: 60s
|
||||||
|
|
||||||
|
############################
|
||||||
|
# nomad consul integration #
|
||||||
|
############################
|
||||||
|
|
||||||
|
nomad_enable_consul_integration: "{{ enable_consul | bool }}"
|
||||||
|
nomad_consul_integration_configuration:
|
||||||
|
address: "127.0.0.1:{{ hashicorp_consul_configuration.ports.https if consul_enable_tls else hashicorp_consul_configuration.ports.http }}"
|
||||||
|
auto_advertise: true
|
||||||
|
ssl: "{{ consul_enable_tls | bool }}"
|
||||||
|
token: "{{ _credentials.consul.tokens.nomad.server.secret_id if nomad_enable_server else _credentials.consul.tokens.nomad.client.secret_id}}"
|
||||||
|
tags: []
|
||||||
|
|
||||||
|
############################
|
||||||
|
# nomad vault integration #
|
||||||
|
############################
|
||||||
|
|
||||||
|
nomad_enable_vault_integration: false
|
||||||
|
nomad_vault_integration_configuration: {}
|
||||||
|
|
||||||
|
###############################
|
||||||
|
# nomad drivers configuration #
|
||||||
|
###############################
|
||||||
|
|
||||||
|
######################
|
||||||
|
# nomad internal tls #
|
||||||
|
######################
|
||||||
|
|
||||||
|
nomad_enable_tls: false
|
||||||
|
nomad_tls_configuration:
|
||||||
|
http: true
|
||||||
|
rpc: true
|
||||||
|
ca_file: "/etc/ssl/certs/ca-certificates.crt"
|
||||||
|
cert_file: "{{ nomad_certificates_directory }}/cert.pem"
|
||||||
|
key_file: "{{ nomad_certificates_directory }}/key.pem"
|
||||||
|
verify_server_hostname: true
|
||||||
|
|
||||||
|
#############################
|
||||||
|
# nomad extra configuration #
|
||||||
|
#############################
|
||||||
|
|
||||||
|
nomad_extra_configuration: {}
|
||||||
|
nomad_extra_files_list: []
|
||||||
|
@ -5,8 +5,6 @@
|
|||||||
# #
|
# #
|
||||||
#####################################################
|
#####################################################
|
||||||
|
|
||||||
nomad_datacenter: dc1
|
|
||||||
|
|
||||||
####################
|
####################
|
||||||
# nomad api config #
|
# nomad api config #
|
||||||
####################
|
####################
|
||||||
@ -62,16 +60,6 @@ nomad_address_configuration:
|
|||||||
rpc: 4647
|
rpc: 4647
|
||||||
serf: 4648
|
serf: 4648
|
||||||
|
|
||||||
###########################
|
|
||||||
# nomad ACL configuration #
|
|
||||||
###########################
|
|
||||||
|
|
||||||
nomad_acl_configuration:
|
|
||||||
enabled: true
|
|
||||||
token_ttl: 30s
|
|
||||||
policy_ttl: 60s
|
|
||||||
role_ttl: 60s
|
|
||||||
|
|
||||||
#################################
|
#################################
|
||||||
# nomad autopilot configuration #
|
# nomad autopilot configuration #
|
||||||
#################################
|
#################################
|
||||||
@ -82,14 +70,6 @@ nomad_autopilot_configuration: {}
|
|||||||
# nomad consul integration #
|
# nomad consul integration #
|
||||||
############################
|
############################
|
||||||
|
|
||||||
nomad_enable_consul_integration: "{{ enable_consul | bool }}"
|
|
||||||
nomad_consul_integration_configuration:
|
|
||||||
address: "127.0.0.1:{{ hashicorp_consul_configuration.ports.https if consul_enable_tls else hashicorp_consul_configuration.ports.http }}"
|
|
||||||
auto_advertise: true
|
|
||||||
ssl: "{{ consul_enable_tls | bool }}"
|
|
||||||
token: "{{ _credentials.consul.tokens.nomad.server.secret_id if nomad_enable_server else _credentials.consul.tokens.nomad.client.secret_id}}"
|
|
||||||
tags: []
|
|
||||||
|
|
||||||
nomad_consul_integration_tls_configuration:
|
nomad_consul_integration_tls_configuration:
|
||||||
ca_file: "/etc/ssl/certs/ca-certificates.crt"
|
ca_file: "/etc/ssl/certs/ca-certificates.crt"
|
||||||
|
|
||||||
@ -127,13 +107,6 @@ nomad_consul_integration_client_policy: |
|
|||||||
policy = "write"
|
policy = "write"
|
||||||
}
|
}
|
||||||
|
|
||||||
############################
|
|
||||||
# nomad vault integration #
|
|
||||||
############################
|
|
||||||
|
|
||||||
nomad_enable_vault_integration: false
|
|
||||||
nomad_vault_integration_configuration: {}
|
|
||||||
|
|
||||||
#############################
|
#############################
|
||||||
# nomad leave configuration #
|
# nomad leave configuration #
|
||||||
#############################
|
#############################
|
||||||
@ -179,27 +152,11 @@ nomad_client_configuration:
|
|||||||
# nomad internal tls #
|
# nomad internal tls #
|
||||||
######################
|
######################
|
||||||
|
|
||||||
nomad_enable_tls: false
|
|
||||||
nomad_tls_configuration:
|
|
||||||
http: true
|
|
||||||
rpc: true
|
|
||||||
ca_file: "/etc/ssl/certs/ca-certificates.crt"
|
|
||||||
cert_file: "{{ nomad_certificates_directory }}/cert.pem"
|
|
||||||
key_file: "{{ nomad_certificates_directory }}/key.pem"
|
|
||||||
verify_server_hostname: true
|
|
||||||
|
|
||||||
nomad_certificates_directory: "{{ hashicorp_nomad_config_dir }}/tls"
|
nomad_certificates_directory: "{{ hashicorp_nomad_config_dir }}/tls"
|
||||||
nomad_certificates_extra_files_dir:
|
nomad_certificates_extra_files_dir:
|
||||||
- src: "{{ sub_configuration_directories['certificates'] }}/nomad/{{ inventory_hostname }}"
|
- src: "{{ sub_configuration_directories['certificates'] }}/nomad/{{ inventory_hostname }}"
|
||||||
dest: "{{ nomad_certificates_directory }}"
|
dest: "{{ nomad_certificates_directory }}"
|
||||||
|
|
||||||
#######################
|
|
||||||
# extra configuration #
|
|
||||||
#######################
|
|
||||||
|
|
||||||
nomad_extra_configuration: {}
|
|
||||||
nomad_extra_files_list: []
|
|
||||||
|
|
||||||
########################
|
########################
|
||||||
# nomad role variables #
|
# nomad role variables #
|
||||||
########################
|
########################
|
||||||
@ -213,7 +170,7 @@ hashicorp_nomad_version: "{{ nomad_version }}"
|
|||||||
hashicorp_nomad_env_variables: {}
|
hashicorp_nomad_env_variables: {}
|
||||||
hashicorp_nomad_config_dir: "/etc/nomad.d"
|
hashicorp_nomad_config_dir: "/etc/nomad.d"
|
||||||
hashicorp_nomad_data_dir: /opt/nomad
|
hashicorp_nomad_data_dir: /opt/nomad
|
||||||
hashicorp_nomad_extra_files: false
|
hashicorp_nomad_extra_files: true
|
||||||
hashicorp_nomad_extra_files_list: "{{ ([] +
|
hashicorp_nomad_extra_files_list: "{{ ([] +
|
||||||
(nomad_certificates_extra_files_dir if nomad_enable_tls else []) +
|
(nomad_certificates_extra_files_dir if nomad_enable_tls else []) +
|
||||||
nomad_extra_files_list)
|
nomad_extra_files_list)
|
||||||
@ -222,6 +179,7 @@ hashicorp_nomad_extra_files_list: "{{ ([] +
|
|||||||
}}"
|
}}"
|
||||||
hashicorp_nomad_configuration:
|
hashicorp_nomad_configuration:
|
||||||
datacenter: "{{ nomad_datacenter }}"
|
datacenter: "{{ nomad_datacenter }}"
|
||||||
|
region: "{{ nomad_region }}"
|
||||||
bind_addr: "0.0.0.0"
|
bind_addr: "0.0.0.0"
|
||||||
data_dir: "{{ hashicorp_nomad_data_dir }}"
|
data_dir: "{{ hashicorp_nomad_data_dir }}"
|
||||||
leave_on_interrupt: "{{ nomad_leave_on_interrupt }}"
|
leave_on_interrupt: "{{ nomad_leave_on_interrupt }}"
|
||||||
|
@ -31,7 +31,6 @@
|
|||||||
|
|
||||||
- name: "Create consul agents token"
|
- name: "Create consul agents token"
|
||||||
when:
|
when:
|
||||||
# - _consul_init_secret.changed
|
|
||||||
- consul_acl_configuration.enabled
|
- consul_acl_configuration.enabled
|
||||||
block:
|
block:
|
||||||
- name: "Create consul agents token" # noqa: run-once[task] no-handler
|
- name: "Create consul agents token" # noqa: run-once[task] no-handler
|
||||||
|
@ -43,7 +43,7 @@
|
|||||||
loop: "{{ _hashistack_copied_ca.results }}"
|
loop: "{{ _hashistack_copied_ca.results }}"
|
||||||
register: _hashistack_usr_local_share_ca_certificates
|
register: _hashistack_usr_local_share_ca_certificates
|
||||||
|
|
||||||
- name: "Update the trust store"
|
- name: "Update the trust store" # noqa: no-handler
|
||||||
ansible.builtin.command: update-ca-certificates
|
ansible.builtin.command: update-ca-certificates
|
||||||
changed_when: false
|
changed_when: false
|
||||||
when: _hashistack_usr_local_share_ca_certificates.changed
|
when: _hashistack_usr_local_share_ca_certificates.changed
|
||||||
|
@ -76,6 +76,7 @@
|
|||||||
ednz_cloud.hashistack.nomad_acl_bootstrap:
|
ednz_cloud.hashistack.nomad_acl_bootstrap:
|
||||||
bootstrap_secret: "{{ _credentials.nomad.root_token.secret_id }}"
|
bootstrap_secret: "{{ _credentials.nomad.root_token.secret_id }}"
|
||||||
api_url: "{{ nomad_api_addr }}"
|
api_url: "{{ nomad_api_addr }}"
|
||||||
|
tls_verify: false
|
||||||
run_once: true
|
run_once: true
|
||||||
delegate_to: "{{ groups['nomad_servers'] | first }}"
|
delegate_to: "{{ groups['nomad_servers'] | first }}"
|
||||||
register: _nomad_init_secret
|
register: _nomad_init_secret
|
||||||
|
@ -91,18 +91,25 @@ def bootstrap_nomad_acl(
|
|||||||
if bootstrap_secret:
|
if bootstrap_secret:
|
||||||
payload["BootstrapSecret"] = bootstrap_secret
|
payload["BootstrapSecret"] = bootstrap_secret
|
||||||
|
|
||||||
|
response = None
|
||||||
|
|
||||||
try:
|
try:
|
||||||
response = requests.put(
|
response = requests.post(
|
||||||
f"{api_url}/v1/acl/bootstrap", json=payload, verify=tls_verify
|
f"{api_url}/v1/acl/bootstrap", json=payload, verify=tls_verify
|
||||||
)
|
)
|
||||||
response.raise_for_status()
|
response.raise_for_status()
|
||||||
return True, response.json()
|
return True, response.json()
|
||||||
|
except requests.exceptions.HTTPError as e:
|
||||||
|
if response is not None and response.status_code == 400:
|
||||||
|
try:
|
||||||
|
error_message = response.json().get(
|
||||||
|
"Errors", ["Nomad ACL bootstrap already done"]
|
||||||
|
)[0]
|
||||||
|
except ValueError:
|
||||||
|
error_message = response.text
|
||||||
|
return False, {"message": error_message}
|
||||||
|
raise ValueError(f"Nomad ACL bootstrap failed: {str(e)}")
|
||||||
except requests.exceptions.RequestException as e:
|
except requests.exceptions.RequestException as e:
|
||||||
if (
|
|
||||||
response.status_code == 400
|
|
||||||
and "ACL bootstrap already done" in response.text
|
|
||||||
):
|
|
||||||
return False, {"message": "Nomad ACL system is already bootstrapped"}
|
|
||||||
raise ValueError(f"Nomad ACL bootstrap failed: {str(e)}")
|
raise ValueError(f"Nomad ACL bootstrap failed: {str(e)}")
|
||||||
|
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user