feat: add global variables for nomad deployment

Bertrand Lanson 2024-05-16 17:25:41 +02:00
parent cdeee7436c
commit 30adf2ba7a
13 changed files with 215 additions and 35 deletions

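--- a/.gitmodules
+++ b/.gitmodules
@@ -1,6 +0,0 @@
-[submodule "roles/hashicorp_consul"]
-path = roles/hashicorp_consul
-url = https://github.com/ednz-cloud/hashicorp_consul
-[submodule "roles/hashicorp_vault"]
-path = roles/hashicorp_vault
-url = https://github.com/ednz-cloud/hashicorp_vault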

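--- a/nomad.json
+++ b/nomad.json
@@ -0,0 +1,94 @@
+{
+"acl": {
+"enabled": true
+},
+"advertise": {
+"http": "10.1.20.101",
+"rpc": "10.1.20.101",
+"serf": "10.1.20.101"
+},
+"bind_addr": "0.0.0.0",
+"client": {
+"bridge_network_name": "nomad",
+"bridge_network_subnet": "172.26.64.0/20",
+"cni_path": "/opt/cni/bin",
+"enabled": true,
+"node_class": "managers",
+"reserved": {
+"cpu": 500,
+"memory": 300
+},
+"servers": [
+"hs1.ednz.fr",
+"hs2.ednz.fr",
+"hs3.ednz.fr"
+]
+},
+"consul": {
+"address": "127.0.0.1:8501",
+"auto_advertise": true,
+"grpc_address": "127.0.0.1:8503",
+"grpc_ca_file": "/opt/nomad/tls/ca.pem",
+"ssl": true,
+"token": "8c6eaa1c-0d71-b25e-1019-a34966700fa4"
+},
+"data_dir": "/opt/nomad",
+"datacenter": "gre1",
+"leave_on_terminate": false,
+"log_level": "INFO",
+"plugin": {
+"docker": {
+"config": {
+"allow_caps": [
+"all"
+],
+"allow_privileged": true,
+"auth": {
+"config": "/etc/nomad.d/extra_files/docker_auth.json"
+},
+"endpoint": "unix:///var/run/docker.sock",
+"volumes": {
+"enabled": true
+}
+}
+}
+},
+"server": {
+"bootstrap_expect": 3,
+"enabled": true,
+"server_join": {
+"retry_join": [
+"hs1.ednz.fr",
+"hs2.ednz.fr",
+"hs3.ednz.fr"
+]
+}
+},
+"telemetry": {
+"collection_interval": "1s",
+"disable_dispatched_job_summary_metrics": false,
+"disable_hostname": false,
+"prefix_filter": [],
+"prometheus_metrics": true,
+"publish_allocation_metrics": true,
+"publish_node_metrics": true,
+"use_node_name": false
+},
+"tls": {
+"ca_file": "/opt/nomad/tls/ca.pem",
+"cert_file": "/opt/nomad/tls/cert.pem",
+"http": true,
+"key_file": "/opt/nomad/tls/key.pem",
+"rpc": true,
+"verify_server_hostname": true
+},
+"ui": {
+"enabled": true
+},
+"vault": {
+"address": "https://vault.service.consul:8200",
+"create_from_role": "nomad-cluster",
+"enabled": true,
+"token": "hvs.CAESIEOC5_8vTfD16xXhxs-TV23JEXWWRIgSIc01dm8Hb2YLGh4KHGh2cy5xRVg0T3pDV3FhazBZQWZEaExkM2VqejU"
+}
+}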
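Review bot: `consul.token` (line 60) and `vault.token` (line 119) are what look like real ACL/service tokens committed in plain text; they remain recoverable from git history even after the file is deleted, so both should be treated as compromised and rotated (revoke the Vault token, delete the Consul ACL token), and the file replaced by a template that reads them from the credentials file this commit generates. The file also looks like a rendered per-node config (`advertise` pinned to `10.1.20.101`, concrete hostnames, `datacenter: gre1`) rather than the global variables the commit title describes, so it is probably an accidental add that belongs in `.gitignore`. Separately, `allow_privileged: true` together with `allow_caps: ["all"]`, `volumes.enabled: true` and the host Docker socket lets any job submitter obtain root on the client host; if that is intended, restrict which namespaces/policies may use it and document it, otherwise drop back to the driver defaults.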


@ -23,7 +23,7 @@
- name: "Deploy Consul Agents" - name: "Deploy Consul Agents"
ansible.builtin.include_role: ansible.builtin.include_role:
name: ednz_cloud.hashistack.hashicorp_consul name: ednz_cloud.hashicorp_consul
when: when:
- enable_consul | bool - enable_consul | bool
- "'consul_agents' in group_names" - "'consul_agents' in group_names"


@ -8,25 +8,33 @@
tasks: tasks:
- name: "Generate consul credentials" - name: "Generate consul credentials"
block: block:
- name: "Generate consul gossip encryption key"
ansible.builtin.set_fact:
_consul_gossip_encryption_key: "{{ lookup('ansible.builtin.password', '/dev/null', chars=['ascii_letters','digits']) | b64encode }}"
- name: "Generate consul root credentials" - name: "Generate consul root credentials"
ansible.builtin.set_fact: ansible.builtin.set_fact:
_consul_root_token: "{{ lookup('password', '/dev/null chars=ascii_letters,digits') | to_uuid }}" _consul_root_token: "{{ lookup('ansible.builtin.password', '/dev/null', chars=['ascii_letters','digits']) | to_uuid }}"
- name: "Generate consul agents credentials" - name: "Generate consul agents credentials"
ansible.builtin.set_fact: ansible.builtin.set_fact:
_cosul_agents_accessor: "{{ lookup('password', '/dev/null chars=ascii_letters,digits') | to_uuid }}" _cosul_agents_accessor: "{{ lookup('ansible.builtin.password', '/dev/null', chars=['ascii_letters','digits']) | to_uuid }}"
_consul_agents_token: "{{ lookup('password', '/dev/null chars=ascii_letters,digits') | to_uuid }}" _consul_agents_token: "{{ lookup('ansible.builtin.password', '/dev/null', chars=['ascii_letters','digits']) | to_uuid }}"
- name: "Generate consul vault credentials" - name: "Generate consul vault credentials"
ansible.builtin.set_fact: ansible.builtin.set_fact:
_cosul_vault_accessor: "{{ lookup('password', '/dev/null chars=ascii_letters,digits') | to_uuid }}" _cosul_vault_accessor: "{{ lookup('ansible.builtin.password', '/dev/null', chars=['ascii_letters','digits']) | to_uuid }}"
_consul_vault_token: "{{ lookup('password', '/dev/null chars=ascii_letters,digits') | to_uuid }}" _consul_vault_token: "{{ lookup('ansible.builtin.password', '/dev/null', chars=['ascii_letters','digits']) | to_uuid }}"
- name: "Generate nomad credentials" - name: "Generate nomad credentials"
block: block:
- name: "Generate nomad gossip encryption key"
ansible.builtin.set_fact:
_nomad_gossip_encryption_key: "{{ lookup('ansible.builtin.password', '/dev/null', chars=['ascii_letters','digits']) | b64encode }}"
- name: "Generate nomad root credentials" - name: "Generate nomad root credentials"
ansible.builtin.set_fact: ansible.builtin.set_fact:
_nomad_root_token: "{{ lookup('password', '/dev/null chars=ascii_letters,digits') | to_uuid }}" _nomad_root_token: "{{ lookup('ansible.builtin.password', '/dev/null', chars=['ascii_letters','digits']) | to_uuid }}"
- name: "Write credentials file" - name: "Write credentials file"
ansible.builtin.template: ansible.builtin.template:
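Review bot: The gossip keys generated at lines 141 and 157 are very likely the wrong length: `ansible.builtin.password` defaults to 20 characters, and base64-encoding 20 ASCII bytes yields a key that Consul and Nomad reject, since `encrypt` must decode to 16, 24 or 32 bytes. Pass an explicit length, e.g. `lookup('ansible.builtin.password', '/dev/null', chars=['ascii_letters','digits'], length=32) | b64encode`, so the key decodes to 32 bytes, matching what `consul keygen` and `nomad operator gossip keyring generate` produce. The key material is then 32 alphanumeric characters (roughly 190 bits) rather than 32 random bytes, which is acceptable but worth a one-line comment above each task so nobody "fixes" it back. The "Write credentials file" task at the end of the hunk continues outside it.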


@ -88,7 +88,7 @@ hashi_consul_configuration:
datacenter: "{{ consul_datacenter }}" datacenter: "{{ consul_datacenter }}"
primary_datacenter: "{{ consul_primary_datacenter }}" primary_datacenter: "{{ consul_primary_datacenter }}"
data_dir: "{{ hashi_consul_data_dir }}" data_dir: "{{ hashi_consul_data_dir }}"
encrypt: "{{ consul_gossip_encryption_key }}" encrypt: "{{ _credentials.consul.gossip_encryption_key }}"
server: "{{ 'consul_servers' in group_names }}" server: "{{ 'consul_servers' in group_names }}"
retry_join: "{{ retry_join: "{{
groups['consul_servers'] | groups['consul_servers'] |


@ -46,7 +46,6 @@ consul_primary_datacenter: dc1
consul_leave_on_terminate: true consul_leave_on_terminate: true
consul_rejoin_after_leave: true consul_rejoin_after_leave: true
consul_enable_script_checks: true consul_enable_script_checks: true
consul_gossip_encryption_key: "{{ 'mysupersecretgossipencryptionkey'|b64encode }}"
################################ ################################
# consul address configuration # # consul address configuration #


@ -1,18 +1,86 @@
---
##################################################### #####################################################
# # # #
# Nomad Configuration # # Non-Editable #
# # # #
##################################################### #####################################################
hashi_nomad_cni_plugins_install: true nomad_datacenter: dc1
hashi_nomad_start_service: true
hashi_nomad_cni_plugins_version: latest ###########################
hashi_nomad_cni_plugins_install_path: /opt/cni/bin # nomad ACL configuration #
hashi_nomad_version: latest ###########################
hashi_nomad_deploy_method: host # deployment method, either host or docker
hashi_nomad_env_variables: {} nomad_acl_configuration:
hashi_nomad_data_dir: /opt/nomad enabled: true
hashi_nomad_extra_files: false token_ttl: 30s
hashi_nomad_extra_files_src: /tmp/extra_files policy_ttl: 60s
hashi_nomad_extra_files_dst: /etc/nomad.d/extra_files role_ttl: 60s
hashi_nomad_configuration: {}
#################################
# nomad autopilot configuration #
#################################
nomad_autopilot_configuration: {}
############################
# nomad consul integration #
############################
nomad_enable_consul_integration: "{{ enable_consul | bool }}"
nomad_consul_integration_configuration: {}
############################
# nomad vault integration #
############################
nomad_enable_vault_integration: false
nomad_vault_integration_configuration: {}
#############################
# nomad leave configuration #
#############################
# node will leave the cluster if the process is stopped
# and if it is only a client
nomad_leave_on_interrupt: "{{ (('nomad_clients' in group_names) and (not 'nomad_servers' in group_names)) | bool }}"
nomad_leave_on_terminate: "{{ (('nomad_clients' in group_names) and (not 'nomad_servers' in group_names)) | bool }}"
##############################
# nomad server configuration #
##############################
nomad_server_configuration:
enabled: "{{ 'nomad_servers' in group_names }}"
data_dir: "{{ hashicorp_nomad_data_dir }}/server"
encrypt: "{{ _credentials.nomad.gossip_encryption_key }}"
##############################
# nomad client configuration #
##############################
nomad_client_configuration:
enabled: "{{ 'nomad_clients' in group_names | bool }}"
state_dir: "{{ hashicorp_nomad_data_dir }}/client"
hashicorp_nomad_cni_plugins_install: true
hashicorp_nomad_start_service: true
hashicorp_nomad_cni_plugins_version: latest
hashicorp_nomad_cni_plugins_install_path: /opt/cni/bin
hashicorp_nomad_version: latest
hashicorp_nomad_deploy_method: host # deployment method, either host or docker
hashicorp_nomad_env_variables: {}
hashicorp_nomad_config_dir: "/etc/nomad.d"
hashicorp_nomad_data_dir: /opt/nomad
hashicorp_nomad_extra_files: false
hashicorp_nomad_extra_files_src: /tmp/extra_files
hashicorp_nomad_extra_files_dst: /etc/nomad.d/extra_files
hashicorp_nomad_configuration:
datacenter: "{{ nomad_datacenter }}"
bind_addr: "0.0.0.0"
data_dir: "{{ hashicorp_nomad_data_dir }}"
leave_on_interrupt: "{{ (('nomad_clients' in group_names) and (not 'nomad_servers' in group_names)) | bool }}"
leave_on_terminate: "{{ (('nomad_clients' in group_names) and (not 'nomad_servers' in group_names)) | bool }}"
acl: "{{ nomad_acl_configuration }}"
server: "{{ nomad_server_configuration }}"
client: "{{ nomad_client_configuration }}"
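Review bot: Line 238 has a Jinja precedence bug: filters bind tighter than `in`, so `'nomad_clients' in group_names | bool` evaluates as `'nomad_clients' in (group_names | bool)` and will raise (or at best never be true) instead of testing group membership; write it like line 231, `enabled: "{{ 'nomad_clients' in group_names }}"`. Lines 256-257 also repeat the expressions already assigned to `nomad_leave_on_interrupt` and `nomad_leave_on_terminate` at 225-226 instead of referencing those variables, so the two copies can drift. Since `bind_addr` is `"0.0.0.0"` and no `tls` block appears in this file, a short comment stating where TLS and the ACL bootstrap are expected to be configured would help a reader assess what is exposed.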


@ -1,9 +1,9 @@
--- ---
- name: "Consul" - name: "Consul"
block: block:
- name: "Include ednz_cloud.hashistack.hashicorp_consul" - name: "Include ednz_cloud.hashicorp_consul"
ansible.builtin.include_role: ansible.builtin.include_role:
name: ednz_cloud.hashistack.hashicorp_consul name: ednz_cloud.hashicorp_consul
- name: "Wait for consul cluster to initialize" # noqa: run-once[task] - name: "Wait for consul cluster to initialize" # noqa: run-once[task]
ansible.builtin.uri: ansible.builtin.uri:


@ -38,9 +38,9 @@
state: present state: present
when: _consul_vault_policy.changed when: _consul_vault_policy.changed
- name: "Include ednz_cloud.hashistack.hashicorp_consul" - name: "Include ednz_cloud.hashicorp_consul"
ansible.builtin.include_role: ansible.builtin.include_role:
name: ednz_cloud.hashistack.hashicorp_vault name: ednz_cloud.hashicorp_vault
- name: "Initialize vault cluster" # noqa: run-once[task] - name: "Initialize vault cluster" # noqa: run-once[task]
ednz_cloud.hashistack.vault_init: ednz_cloud.hashistack.vault_init:
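Review bot: The task name on line 279 says `Include ednz_cloud.hashicorp_consul` but the role included on line 281 is `ednz_cloud.hashicorp_vault`; since this line was rewritten in the commit, correct it to `- name: "Include ednz_cloud.hashicorp_vault"` so logs and failures point at the right role. The surrounding play continues outside the hunk.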


@ -1,5 +1,6 @@
--- ---
consul: consul:
gossip_encryption_key: "{{ _consul_gossip_encryption_key }}"
root_token: root_token:
secret_id: "{{ _consul_root_token }}" secret_id: "{{ _consul_root_token }}"
tokens: tokens:
@ -10,4 +11,6 @@ consul:
accessor_id: "{{ _consul_vault_accessor }}" accessor_id: "{{ _consul_vault_accessor }}"
secret_id: "{{ _consul_vault_token }}" secret_id: "{{ _consul_vault_token }}"
nomad: nomad:
root_token: "{{ _nomad_root_token }}" gossip_encryption_key: "{{ _nomad_gossip_encryption_key }}"
root_token:
secret_id: "{{ _nomad_root_token }}"
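Review bot: `nomad.root_token` changes shape from a scalar to a mapping with `secret_id` (lines 298-300), so any task still reading `_credentials.nomad.root_token` as a string, and any credentials file already written by the previous template, will not parse the same way; the consumers are not visible in this diff, so this is a hedge, but a one-line comment above the `nomad:` key noting the schema change would help whoever hits it. The new `gossip_encryption_key` values are quoted Jinja expressions, which is correct for a templated YAML file.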

@ -1 +0,0 @@
Subproject commit 56696c3552308225d4e5b91efc8e4bf75d31d2f3

@ -1 +0,0 @@
Subproject commit 738c347df8efd4965eda14167171343be13bed75


@ -3,15 +3,31 @@
roles: roles:
- name: ednz_cloud.manage_repositories - name: ednz_cloud.manage_repositories
src: https://github.com/ednz-cloud/manage_repositories.git src: https://github.com/ednz-cloud/manage_repositories.git
version: main
- name: ednz_cloud.manage_apt_packages - name: ednz_cloud.manage_apt_packages
src: https://github.com/ednz-cloud/manage_apt_packages.git src: https://github.com/ednz-cloud/manage_apt_packages.git
version: main
- name: ednz_cloud.manage_pip_packages - name: ednz_cloud.manage_pip_packages
src: https://github.com/ednz-cloud/manage_pip_packages.git src: https://github.com/ednz-cloud/manage_pip_packages.git
version: main
- name: ednz_cloud.install_docker - name: ednz_cloud.install_docker
src: https://github.com/ednz-cloud/install_docker.git src: https://github.com/ednz-cloud/install_docker.git
version: main
- name: ednz_cloud.docker_systemd_service - name: ednz_cloud.docker_systemd_service
src: https://github.com/ednz-cloud/docker_systemd_service.git src: https://github.com/ednz-cloud/docker_systemd_service.git
version: main
- name: ednz_cloud.deploy_haproxy - name: ednz_cloud.deploy_haproxy
src: https://github.com/ednz-cloud/deploy_haproxy.git src: https://github.com/ednz-cloud/deploy_haproxy.git
version: main
- name: ednz_cloud.deploy_keepalived - name: ednz_cloud.deploy_keepalived
src: https://github.com/ednz-cloud/deploy_keepalived.git src: https://github.com/ednz-cloud/deploy_keepalived.git
version: main
- name: ednz_cloud.hashicorp_nomad
src: https://github.com/ednz-cloud/hashicorp_nomad.git
version: v0.1.0
- name: ednz_cloud.hashicorp_consul
src: https://github.com/ednz-cloud/hashicorp_consul.git
version: main
- name: ednz_cloud.hashicorp_vault
src: https://github.com/ednz-cloud/hashicorp_vault.git
version: main
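Review bot: Every role except `ednz_cloud.hashicorp_nomad` is pinned to `version: main` (lines 314-338), so `ansible-galaxy install` fetches whatever the branch head is at run time and a changed or compromised upstream commit lands in the next deployment with no diff in this repository. Pin each role to a release tag as done for `hashicorp_nomad` (`version: v0.1.0`) or, stronger, to a full commit SHA, and bump deliberately. This matters twice here because the same commit removes the submodule pins for `hashicorp_consul` and `hashicorp_vault`, which were at least fixed to specific commits.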