feat: add global variables for nomad deployment
This commit is contained in:
parent
cdeee7436c
commit
30adf2ba7a
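--- a/.gitmodules
+++ /dev/null
@@ -1,6 +0,0 @@
-[submodule "roles/hashicorp_consul"]
-path = roles/hashicorp_consul
-url = https://github.com/ednz-cloud/hashicorp_consul
-[submodule "roles/hashicorp_vault"]
-path = roles/hashicorp_vault
-url = https://github.com/ednz-cloud/hashicorp_vault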
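--- /dev/null
+++ b/nomad.json
@@ -0,0 +1,94 @@
+{
+"acl": {
+"enabled": true
+},
+"advertise": {
+"http": "10.1.20.101",
+"rpc": "10.1.20.101",
+"serf": "10.1.20.101"
+},
+"bind_addr": "0.0.0.0",
+"client": {
+"bridge_network_name": "nomad",
+"bridge_network_subnet": "172.26.64.0/20",
+"cni_path": "/opt/cni/bin",
+"enabled": true,
+"node_class": "managers",
+"reserved": {
+"cpu": 500,
+"memory": 300
+},
+"servers": [
+"hs1.ednz.fr",
+"hs2.ednz.fr",
+"hs3.ednz.fr"
+]
+},
+"consul": {
+"address": "127.0.0.1:8501",
+"auto_advertise": true,
+"grpc_address": "127.0.0.1:8503",
+"grpc_ca_file": "/opt/nomad/tls/ca.pem",
+"ssl": true,
+"token": "8c6eaa1c-0d71-b25e-1019-a34966700fa4"
+},
+"data_dir": "/opt/nomad",
+"datacenter": "gre1",
+"leave_on_terminate": false,
+"log_level": "INFO",
+"plugin": {
+"docker": {
+"config": {
+"allow_caps": [
+"all"
+],
+"allow_privileged": true,
+"auth": {
+"config": "/etc/nomad.d/extra_files/docker_auth.json"
+},
+"endpoint": "unix:///var/run/docker.sock",
+"volumes": {
+"enabled": true
+}
+}
+}
+},
+"server": {
+"bootstrap_expect": 3,
+"enabled": true,
+"server_join": {
+"retry_join": [
+"hs1.ednz.fr",
+"hs2.ednz.fr",
+"hs3.ednz.fr"
+]
+}
+},
+"telemetry": {
+"collection_interval": "1s",
+"disable_dispatched_job_summary_metrics": false,
+"disable_hostname": false,
+"prefix_filter": [],
+"prometheus_metrics": true,
+"publish_allocation_metrics": true,
+"publish_node_metrics": true,
+"use_node_name": false
+},
+"tls": {
+"ca_file": "/opt/nomad/tls/ca.pem",
+"cert_file": "/opt/nomad/tls/cert.pem",
+"http": true,
+"key_file": "/opt/nomad/tls/key.pem",
+"rpc": true,
+"verify_server_hostname": true
+},
+"ui": {
+"enabled": true
+},
+"vault": {
+"address": "https://vault.service.consul:8200",
+"create_from_role": "nomad-cluster",
+"enabled": true,
+"token": "hvs.CAESIEOC5_8vTfD16xXhxs-TV23JEXWWRIgSIc01dm8Hb2YLGh4KHGh2cy5xRVg0T3pDV3FhazBZQWZEaExkM2VqejU"
+}
+}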
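Review bot: The new nomad.json commits live credentials in plain text — the `"token"` under `"consul"` is a Consul ACL secret and the `"token"` under `"vault"` is a Vault `hvs.` service token — while the rest of this commit moves Consul and Nomad secrets into the generated `_credentials` structure. Once pushed, both values should be treated as exposed and revoked/rotated, and the file should hold placeholders or be rendered from the credentials template at deploy time rather than literals; the file sits at the repository root and is not referenced by any other hunk, so it looks like a captured rendered config that should not be tracked at all. Separately, `plugin.docker.config` sets `"allow_privileged": true` together with `"allow_caps": ["all"]`, which lets any job scheduled on these clients run with full host capabilities; scope that to the workloads that need it by listing the required capabilities explicitly, or leave the driver defaults.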
@ -23,7 +23,7 @@
|
|||||||
|
|
||||||
- name: "Deploy Consul Agents"
|
- name: "Deploy Consul Agents"
|
||||||
ansible.builtin.include_role:
|
ansible.builtin.include_role:
|
||||||
name: ednz_cloud.hashistack.hashicorp_consul
|
name: ednz_cloud.hashicorp_consul
|
||||||
when:
|
when:
|
||||||
- enable_consul | bool
|
- enable_consul | bool
|
||||||
- "'consul_agents' in group_names"
|
- "'consul_agents' in group_names"
|
||||||
|
@ -8,25 +8,33 @@
|
|||||||
tasks:
|
tasks:
|
||||||
- name: "Generate consul credentials"
|
- name: "Generate consul credentials"
|
||||||
block:
|
block:
|
||||||
|
- name: "Generate consul gossip encryption key"
|
||||||
|
ansible.builtin.set_fact:
|
||||||
|
_consul_gossip_encryption_key: "{{ lookup('ansible.builtin.password', '/dev/null', chars=['ascii_letters','digits']) | b64encode }}"
|
||||||
|
|
||||||
- name: "Generate consul root credentials"
|
- name: "Generate consul root credentials"
|
||||||
ansible.builtin.set_fact:
|
ansible.builtin.set_fact:
|
||||||
_consul_root_token: "{{ lookup('password', '/dev/null chars=ascii_letters,digits') | to_uuid }}"
|
_consul_root_token: "{{ lookup('ansible.builtin.password', '/dev/null', chars=['ascii_letters','digits']) | to_uuid }}"
|
||||||
|
|
||||||
- name: "Generate consul agents credentials"
|
- name: "Generate consul agents credentials"
|
||||||
ansible.builtin.set_fact:
|
ansible.builtin.set_fact:
|
||||||
_cosul_agents_accessor: "{{ lookup('password', '/dev/null chars=ascii_letters,digits') | to_uuid }}"
|
_cosul_agents_accessor: "{{ lookup('ansible.builtin.password', '/dev/null', chars=['ascii_letters','digits']) | to_uuid }}"
|
||||||
_consul_agents_token: "{{ lookup('password', '/dev/null chars=ascii_letters,digits') | to_uuid }}"
|
_consul_agents_token: "{{ lookup('ansible.builtin.password', '/dev/null', chars=['ascii_letters','digits']) | to_uuid }}"
|
||||||
|
|
||||||
- name: "Generate consul vault credentials"
|
- name: "Generate consul vault credentials"
|
||||||
ansible.builtin.set_fact:
|
ansible.builtin.set_fact:
|
||||||
_cosul_vault_accessor: "{{ lookup('password', '/dev/null chars=ascii_letters,digits') | to_uuid }}"
|
_cosul_vault_accessor: "{{ lookup('ansible.builtin.password', '/dev/null', chars=['ascii_letters','digits']) | to_uuid }}"
|
||||||
_consul_vault_token: "{{ lookup('password', '/dev/null chars=ascii_letters,digits') | to_uuid }}"
|
_consul_vault_token: "{{ lookup('ansible.builtin.password', '/dev/null', chars=['ascii_letters','digits']) | to_uuid }}"
|
||||||
|
|
||||||
- name: "Generate nomad credentials"
|
- name: "Generate nomad credentials"
|
||||||
block:
|
block:
|
||||||
|
- name: "Generate nomad gossip encryption key"
|
||||||
|
ansible.builtin.set_fact:
|
||||||
|
_nomad_gossip_encryption_key: "{{ lookup('ansible.builtin.password', '/dev/null', chars=['ascii_letters','digits']) | b64encode }}"
|
||||||
|
|
||||||
- name: "Generate nomad root credentials"
|
- name: "Generate nomad root credentials"
|
||||||
ansible.builtin.set_fact:
|
ansible.builtin.set_fact:
|
||||||
_nomad_root_token: "{{ lookup('password', '/dev/null chars=ascii_letters,digits') | to_uuid }}"
|
_nomad_root_token: "{{ lookup('ansible.builtin.password', '/dev/null', chars=['ascii_letters','digits']) | to_uuid }}"
|
||||||
|
|
||||||
- name: "Write credentials file"
|
- name: "Write credentials file"
|
||||||
ansible.builtin.template:
|
ansible.builtin.template:
|
||||||
|
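Review bot: The gossip keys added as `_consul_gossip_encryption_key` and `_nomad_gossip_encryption_key` are built from `ansible.builtin.password` at its default length (20 characters); after `b64encode` that decodes to 20 bytes, and the agents' `encrypt` setting only accepts a key that decodes to 16, 24 or 32 bytes (32 is what both products document), so the agent would reject the key at start. Pass an explicit length on both lines: `lookup('ansible.builtin.password', '/dev/null', chars=['ascii_letters','digits'], length=32) | b64encode`. Not introduced here but carried along on the rewritten lines: the facts are named `_cosul_agents_accessor` and `_cosul_vault_accessor` (missing `n`), while the credentials template in this commit reads `_consul_vault_accessor`, so that render will fail on an undefined variable unless it is set elsewhere. The play's `tasks:` list continues outside the hunk.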
@ -88,7 +88,7 @@ hashi_consul_configuration:
|
|||||||
datacenter: "{{ consul_datacenter }}"
|
datacenter: "{{ consul_datacenter }}"
|
||||||
primary_datacenter: "{{ consul_primary_datacenter }}"
|
primary_datacenter: "{{ consul_primary_datacenter }}"
|
||||||
data_dir: "{{ hashi_consul_data_dir }}"
|
data_dir: "{{ hashi_consul_data_dir }}"
|
||||||
encrypt: "{{ consul_gossip_encryption_key }}"
|
encrypt: "{{ _credentials.consul.gossip_encryption_key }}"
|
||||||
server: "{{ 'consul_servers' in group_names }}"
|
server: "{{ 'consul_servers' in group_names }}"
|
||||||
retry_join: "{{
|
retry_join: "{{
|
||||||
groups['consul_servers'] |
|
groups['consul_servers'] |
|
||||||
|
@ -46,7 +46,6 @@ consul_primary_datacenter: dc1
|
|||||||
consul_leave_on_terminate: true
|
consul_leave_on_terminate: true
|
||||||
consul_rejoin_after_leave: true
|
consul_rejoin_after_leave: true
|
||||||
consul_enable_script_checks: true
|
consul_enable_script_checks: true
|
||||||
consul_gossip_encryption_key: "{{ 'mysupersecretgossipencryptionkey'|b64encode }}"
|
|
||||||
|
|
||||||
################################
|
################################
|
||||||
# consul address configuration #
|
# consul address configuration #
|
||||||
|
@ -1,18 +1,86 @@
|
|||||||
|
---
|
||||||
#####################################################
|
#####################################################
|
||||||
# #
|
# #
|
||||||
# Nomad Configuration #
|
# Non-Editable #
|
||||||
# #
|
# #
|
||||||
#####################################################
|
#####################################################
|
||||||
|
|
||||||
hashi_nomad_cni_plugins_install: true
|
nomad_datacenter: dc1
|
||||||
hashi_nomad_start_service: true
|
|
||||||
hashi_nomad_cni_plugins_version: latest
|
###########################
|
||||||
hashi_nomad_cni_plugins_install_path: /opt/cni/bin
|
# nomad ACL configuration #
|
||||||
hashi_nomad_version: latest
|
###########################
|
||||||
hashi_nomad_deploy_method: host # deployment method, either host or docker
|
|
||||||
hashi_nomad_env_variables: {}
|
nomad_acl_configuration:
|
||||||
hashi_nomad_data_dir: /opt/nomad
|
enabled: true
|
||||||
hashi_nomad_extra_files: false
|
token_ttl: 30s
|
||||||
hashi_nomad_extra_files_src: /tmp/extra_files
|
policy_ttl: 60s
|
||||||
hashi_nomad_extra_files_dst: /etc/nomad.d/extra_files
|
role_ttl: 60s
|
||||||
hashi_nomad_configuration: {}
|
|
||||||
|
#################################
|
||||||
|
# nomad autopilot configuration #
|
||||||
|
#################################
|
||||||
|
|
||||||
|
nomad_autopilot_configuration: {}
|
||||||
|
|
||||||
|
############################
|
||||||
|
# nomad consul integration #
|
||||||
|
############################
|
||||||
|
|
||||||
|
nomad_enable_consul_integration: "{{ enable_consul | bool }}"
|
||||||
|
nomad_consul_integration_configuration: {}
|
||||||
|
|
||||||
|
############################
|
||||||
|
# nomad vault integration #
|
||||||
|
############################
|
||||||
|
|
||||||
|
nomad_enable_vault_integration: false
|
||||||
|
nomad_vault_integration_configuration: {}
|
||||||
|
|
||||||
|
#############################
|
||||||
|
# nomad leave configuration #
|
||||||
|
#############################
|
||||||
|
|
||||||
|
# node will leave the cluster if the process is stopped
|
||||||
|
# and if it is only a client
|
||||||
|
nomad_leave_on_interrupt: "{{ (('nomad_clients' in group_names) and (not 'nomad_servers' in group_names)) | bool }}"
|
||||||
|
nomad_leave_on_terminate: "{{ (('nomad_clients' in group_names) and (not 'nomad_servers' in group_names)) | bool }}"
|
||||||
|
|
||||||
|
##############################
|
||||||
|
# nomad server configuration #
|
||||||
|
##############################
|
||||||
|
|
||||||
|
nomad_server_configuration:
|
||||||
|
enabled: "{{ 'nomad_servers' in group_names }}"
|
||||||
|
data_dir: "{{ hashicorp_nomad_data_dir }}/server"
|
||||||
|
encrypt: "{{ _credentials.nomad.gossip_encryption_key }}"
|
||||||
|
|
||||||
|
##############################
|
||||||
|
# nomad client configuration #
|
||||||
|
##############################
|
||||||
|
|
||||||
|
nomad_client_configuration:
|
||||||
|
enabled: "{{ 'nomad_clients' in group_names | bool }}"
|
||||||
|
state_dir: "{{ hashicorp_nomad_data_dir }}/client"
|
||||||
|
|
||||||
|
hashicorp_nomad_cni_plugins_install: true
|
||||||
|
hashicorp_nomad_start_service: true
|
||||||
|
hashicorp_nomad_cni_plugins_version: latest
|
||||||
|
hashicorp_nomad_cni_plugins_install_path: /opt/cni/bin
|
||||||
|
hashicorp_nomad_version: latest
|
||||||
|
hashicorp_nomad_deploy_method: host # deployment method, either host or docker
|
||||||
|
hashicorp_nomad_env_variables: {}
|
||||||
|
hashicorp_nomad_config_dir: "/etc/nomad.d"
|
||||||
|
hashicorp_nomad_data_dir: /opt/nomad
|
||||||
|
hashicorp_nomad_extra_files: false
|
||||||
|
hashicorp_nomad_extra_files_src: /tmp/extra_files
|
||||||
|
hashicorp_nomad_extra_files_dst: /etc/nomad.d/extra_files
|
||||||
|
hashicorp_nomad_configuration:
|
||||||
|
datacenter: "{{ nomad_datacenter }}"
|
||||||
|
bind_addr: "0.0.0.0"
|
||||||
|
data_dir: "{{ hashicorp_nomad_data_dir }}"
|
||||||
|
leave_on_interrupt: "{{ (('nomad_clients' in group_names) and (not 'nomad_servers' in group_names)) | bool }}"
|
||||||
|
leave_on_terminate: "{{ (('nomad_clients' in group_names) and (not 'nomad_servers' in group_names)) | bool }}"
|
||||||
|
acl: "{{ nomad_acl_configuration }}"
|
||||||
|
server: "{{ nomad_server_configuration }}"
|
||||||
|
client: "{{ nomad_client_configuration }}"
|
||||||
|
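Review bot: In `nomad_client_configuration`, `enabled: "{{ 'nomad_clients' in group_names | bool }}"` applies the filter to `group_names` rather than to the membership test, because `|` binds tighter than `in` in Jinja2; the `in` check is then evaluated against a boolean, not the group list. Write it like the server entry in the same file: `enabled: "{{ 'nomad_clients' in group_names }}"`. `nomad_leave_on_interrupt` and `nomad_leave_on_terminate` are defined but `hashicorp_nomad_configuration` repeats the same expression inline instead of referencing them, so the two can drift; `leave_on_interrupt: "{{ nomad_leave_on_interrupt }}"` keeps a single definition. `nomad_enable_vault_integration` and the consul/vault integration dictionaries are not wired into `hashicorp_nomad_configuration` in this hunk — presumably handled elsewhere, worth confirming.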
@ -1,9 +1,9 @@
|
|||||||
---
|
---
|
||||||
- name: "Consul"
|
- name: "Consul"
|
||||||
block:
|
block:
|
||||||
- name: "Include ednz_cloud.hashistack.hashicorp_consul"
|
- name: "Include ednz_cloud.hashicorp_consul"
|
||||||
ansible.builtin.include_role:
|
ansible.builtin.include_role:
|
||||||
name: ednz_cloud.hashistack.hashicorp_consul
|
name: ednz_cloud.hashicorp_consul
|
||||||
|
|
||||||
- name: "Wait for consul cluster to initialize" # noqa: run-once[task]
|
- name: "Wait for consul cluster to initialize" # noqa: run-once[task]
|
||||||
ansible.builtin.uri:
|
ansible.builtin.uri:
|
||||||
|
@ -38,9 +38,9 @@
|
|||||||
state: present
|
state: present
|
||||||
when: _consul_vault_policy.changed
|
when: _consul_vault_policy.changed
|
||||||
|
|
||||||
- name: "Include ednz_cloud.hashistack.hashicorp_consul"
|
- name: "Include ednz_cloud.hashicorp_consul"
|
||||||
ansible.builtin.include_role:
|
ansible.builtin.include_role:
|
||||||
name: ednz_cloud.hashistack.hashicorp_vault
|
name: ednz_cloud.hashicorp_vault
|
||||||
|
|
||||||
- name: "Initialize vault cluster" # noqa: run-once[task]
|
- name: "Initialize vault cluster" # noqa: run-once[task]
|
||||||
ednz_cloud.hashistack.vault_init:
|
ednz_cloud.hashistack.vault_init:
|
||||||
|
@ -1,5 +1,6 @@
|
|||||||
---
|
---
|
||||||
consul:
|
consul:
|
||||||
|
gossip_encryption_key: "{{ _consul_gossip_encryption_key }}"
|
||||||
root_token:
|
root_token:
|
||||||
secret_id: "{{ _consul_root_token }}"
|
secret_id: "{{ _consul_root_token }}"
|
||||||
tokens:
|
tokens:
|
||||||
@ -10,4 +11,6 @@ consul:
|
|||||||
accessor_id: "{{ _consul_vault_accessor }}"
|
accessor_id: "{{ _consul_vault_accessor }}"
|
||||||
secret_id: "{{ _consul_vault_token }}"
|
secret_id: "{{ _consul_vault_token }}"
|
||||||
nomad:
|
nomad:
|
||||||
root_token: "{{ _nomad_root_token }}"
|
gossip_encryption_key: "{{ _nomad_gossip_encryption_key }}"
|
||||||
|
root_token:
|
||||||
|
secret_id: "{{ _nomad_root_token }}"
|
||||||
|
@ -1 +0,0 @@
|
|||||||
Subproject commit 56696c3552308225d4e5b91efc8e4bf75d31d2f3
|
|
@ -1 +0,0 @@
|
|||||||
Subproject commit 738c347df8efd4965eda14167171343be13bed75
|
|
@ -3,15 +3,31 @@
|
|||||||
roles:
|
roles:
|
||||||
- name: ednz_cloud.manage_repositories
|
- name: ednz_cloud.manage_repositories
|
||||||
src: https://github.com/ednz-cloud/manage_repositories.git
|
src: https://github.com/ednz-cloud/manage_repositories.git
|
||||||
|
version: main
|
||||||
- name: ednz_cloud.manage_apt_packages
|
- name: ednz_cloud.manage_apt_packages
|
||||||
src: https://github.com/ednz-cloud/manage_apt_packages.git
|
src: https://github.com/ednz-cloud/manage_apt_packages.git
|
||||||
|
version: main
|
||||||
- name: ednz_cloud.manage_pip_packages
|
- name: ednz_cloud.manage_pip_packages
|
||||||
src: https://github.com/ednz-cloud/manage_pip_packages.git
|
src: https://github.com/ednz-cloud/manage_pip_packages.git
|
||||||
|
version: main
|
||||||
- name: ednz_cloud.install_docker
|
- name: ednz_cloud.install_docker
|
||||||
src: https://github.com/ednz-cloud/install_docker.git
|
src: https://github.com/ednz-cloud/install_docker.git
|
||||||
|
version: main
|
||||||
- name: ednz_cloud.docker_systemd_service
|
- name: ednz_cloud.docker_systemd_service
|
||||||
src: https://github.com/ednz-cloud/docker_systemd_service.git
|
src: https://github.com/ednz-cloud/docker_systemd_service.git
|
||||||
|
version: main
|
||||||
- name: ednz_cloud.deploy_haproxy
|
- name: ednz_cloud.deploy_haproxy
|
||||||
src: https://github.com/ednz-cloud/deploy_haproxy.git
|
src: https://github.com/ednz-cloud/deploy_haproxy.git
|
||||||
|
version: main
|
||||||
- name: ednz_cloud.deploy_keepalived
|
- name: ednz_cloud.deploy_keepalived
|
||||||
src: https://github.com/ednz-cloud/deploy_keepalived.git
|
src: https://github.com/ednz-cloud/deploy_keepalived.git
|
||||||
|
version: main
|
||||||
|
- name: ednz_cloud.hashicorp_nomad
|
||||||
|
src: https://github.com/ednz-cloud/hashicorp_nomad.git
|
||||||
|
version: v0.1.0
|
||||||
|
- name: ednz_cloud.hashicorp_consul
|
||||||
|
src: https://github.com/ednz-cloud/hashicorp_consul.git
|
||||||
|
version: main
|
||||||
|
- name: ednz_cloud.hashicorp_vault
|
||||||
|
src: https://github.com/ednz-cloud/hashicorp_vault.git
|
||||||
|
version: main
|
||||||
|
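Review bot: Every role except `ednz_cloud.hashicorp_nomad` is now pinned to `version: main`, a moving branch, whereas the submodules this commit removes tracked exact commits (the deleted `Subproject commit` lines); a push to any of those upstream repositories therefore changes what `ansible-galaxy install` fetches without any change here. Pin each role to a tag as is done for nomad (`version: v0.1.0`) or to a commit SHA, and refresh the pins deliberately. If tracking `main` is intentional for the in-house roles, a comment next to the entries saying so would spare the next reviewer the same question.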