From c4768c7f6bd0319fdb642b9620562cab0f97ce0a Mon Sep 17 00:00:00 2001
From: Bertrand Lanson
Date: Sun, 17 Mar 2024 10:57:02 +0100
Subject: [PATCH] feat(deploy): add haproxy deployment, integrate with consul

---
molecule/no_tls_multi_node/molecule.yml | 45 +-
molecule/no_tls_multi_node/requirements.yml | 2 +
molecule/no_tls_single_node/requirements.yml | 3 +
playbooks/deploy.yml | 9 +
playbooks/group_vars/all.yml | 421 -------------------
playbooks/group_vars/all/all.yml | 78 ++++
playbooks/group_vars/all/consul.yml | 178 ++++++++
playbooks/group_vars/all/haproxy.yml | 77 ++++
playbooks/group_vars/all/nomad.yml | 18 +
playbooks/group_vars/all/vault.yml | 111 +++++
playbooks/tasks/consul/consul_vars.yml | 6 -
playbooks/tasks/haproxy/haproxy_deploy.yml | 9 +
playbooks/tasks/haproxy/haproxy_vars.yml | 0
playbooks/tasks/load_vars.yml | 7 +
roles/hashicorp_consul | 2 +-
15 files changed, 518 insertions(+), 448 deletions(-)
delete mode 100644 playbooks/group_vars/all.yml
create mode 100644 playbooks/group_vars/all/all.yml
create mode 100644 playbooks/group_vars/all/consul.yml
create mode 100644 playbooks/group_vars/all/haproxy.yml
create mode 100644 playbooks/group_vars/all/nomad.yml
create mode 100644 playbooks/group_vars/all/vault.yml
create mode 100644 playbooks/tasks/haproxy/haproxy_deploy.yml
create mode 100644 playbooks/tasks/haproxy/haproxy_vars.yml

diff --git a/molecule/no_tls_multi_node/molecule.yml b/molecule/no_tls_multi_node/molecule.yml
index d3b1d0b..b43b37b 100644
--- a/molecule/no_tls_multi_node/molecule.yml
+++ b/molecule/no_tls_multi_node/molecule.yml
@@ -12,10 +12,11 @@ platforms:
 box: generic/${MOLECULE_TEST_OS}
 cpus: 2
 memory: 4096
- # interfaces:
- # - network_name: private_network
- # ip: 192.168.122.91
- # auto_config: true
+ interfaces:
+ - network_name: private_network
+ ip: 192.168.100.91
+ auto_config: true
+ type: static
 groups:
 - common
 - haproxy_servers
@@ -23,10 +24,11 @@ platforms:
 box: generic/${MOLECULE_TEST_OS}
 cpus: 2
 memory: 4096
- # interfaces:
- # - network_name: private_network
- # ip: 192.168.122.92
- # auto_config: true
+ interfaces:
+ - network_name: private_network
+ ip: 192.168.100.92
+ auto_config: true
+ type: static
 groups:
 - common
 - haproxy_servers
@@ -34,10 +36,11 @@ platforms:
 box: generic/${MOLECULE_TEST_OS}
 cpus: 4
 memory: 4096
- # interfaces:
- # - network_name: private_network
- # ip: 192.168.122.101
- # auto_config: true
+ interfaces:
+ - network_name: private_network
+ ip: 192.168.100.101
+ auto_config: true
+ type: static
 groups:
 - common
 - vault_servers
@@ -47,10 +50,11 @@ platforms:
 box: generic/${MOLECULE_TEST_OS}
 cpus: 4
 memory: 4096
- # interfaces:
- # - network_name: private_network
- # ip: 192.168.122.102
- # auto_config: true
+ interfaces:
+ - network_name: private_network
+ ip: 192.168.100.102
+ auto_config: true
+ type: static
 groups:
 - common
 - vault_servers
@@ -60,10 +64,11 @@ platforms:
 box: generic/${MOLECULE_TEST_OS}
 cpus: 4
 memory: 4096
- # interfaces:
- # - network_name: private_network
- # ip: 192.168.122.103
- # auto_config: true
+ interfaces:
+ - network_name: private_network
+ ip: 192.168.100.103
+ auto_config: true
+ type: static
 groups:
 - common
 - vault_servers
diff --git a/molecule/no_tls_multi_node/requirements.yml b/molecule/no_tls_multi_node/requirements.yml
index 42a18bb..b025327 100644
--- a/molecule/no_tls_multi_node/requirements.yml
+++ b/molecule/no_tls_multi_node/requirements.yml
@@ -6,6 +6,8 @@ roles:
 - name: ednz_cloud.manage_pip_packages
 - name: ednz_cloud.install_docker
 - name: ednz_cloud.docker_systemd_service
+ - name: ednz_cloud.deploy_haproxy
+ - name: ednz_cloud.deploy_keepalived
 collections:
 - name: ednz_cloud.hashistack
diff --git a/molecule/no_tls_single_node/requirements.yml b/molecule/no_tls_single_node/requirements.yml
index 4391e35..b025327 100644
--- a/molecule/no_tls_single_node/requirements.yml
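Review bot: The new `ednz_cloud.deploy_haproxy` and `ednz_cloud.deploy_keepalived` entries carry no `version:`, so `ansible-galaxy install` fetches whatever is current on the day the scenario runs, and a breaking release of either role changes the outcome of this test suite without any change here; the single-node requirements.yml hunk has the same gap. The pre-existing entries are unpinned too, so this may be a deliberate project choice, but these two roles now own the load-balancer and VIP setup and are the ones worth pinning first, e.g. `- name: ednz_cloud.deploy_haproxy` followed by `  version: "<pinned tag>"`.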
+++ b/molecule/no_tls_single_node/requirements.yml
@@ -3,8 +3,11 @@ roles:
 - name: ednz_cloud.manage_repositories
 - name: ednz_cloud.manage_apt_packages
+ - name: ednz_cloud.manage_pip_packages
 - name: ednz_cloud.install_docker
 - name: ednz_cloud.docker_systemd_service
+ - name: ednz_cloud.deploy_haproxy
+ - name: ednz_cloud.deploy_keepalived
 collections:
 - name: ednz_cloud.hashistack
diff --git a/playbooks/deploy.yml b/playbooks/deploy.yml
index 1c87c17..b45af06 100644
--- a/playbooks/deploy.yml
+++ b/playbooks/deploy.yml
@@ -10,6 +10,15 @@
 ansible.builtin.import_tasks:
 file: tasks/load_vars.yml
+ - name: "Deploy Haproxy & Keepalived"
+ ansible.builtin.import_tasks:
+ file: tasks/haproxy/haproxy_deploy.yml
+ when:
+ - enable_haproxy | bool
+ - "'haproxy_servers' in group_names"
+ tags:
+ - haproxy
+
 - name: "Deploy Consul"
 ansible.builtin.import_tasks:
 file: tasks/consul/consul_deploy.yml
diff --git a/playbooks/group_vars/all.yml b/playbooks/group_vars/all.yml
deleted file mode 100644
index da0012a..0000000
--- a/playbooks/group_vars/all.yml
+++ /dev/null
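Review bot: The imported HAProxy step renders `deploy_haproxy_backends`, which (per group_vars/all/consul.yml in this patch) reads `hostvars[host].api_interface_address` for every member of `consul_servers`, and that variable is itself a lookup into `ansible_facts`; when the play is run with `--limit haproxy_servers`, or fact gathering is off for the consul hosts, the template fails on an undefined variable rather than producing an empty backend. A comment above the task would save the next operator that debugging, e.g. `# needs facts from every consul_servers host: do not --limit to haproxy_servers alone`, or gather them explicitly first with `ansible.builtin.setup` delegated to each host in `groups['consul_servers']`. `enable_haproxy` is the string `"yes"` in all.yml; `| bool` accepts it, but a real `true`/`false` there reads more clearly.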
@@ -1,421 +0,0 @@
----
-##########################
-# General options ########
-##########################
-
-enable_vault: "no"
-enable_consul: "yes"
-enable_nomad: "no"
-
-nomad_version: latest
-consul_version: latest
-vault_version: latest
-
-deployment_method: "host"
-api_interface: "eth0"
-api_interface_address: "{{ ansible_facts[api_interface]['ipv4']['address'] }}"
-
-##########################
-# Helper options #########
-##########################
-
-# manage_pip_packages_allow_break_system_packages: true
-
-vault_versions:
- host: "{{ vault_version }}{% '*' if vault_version != 'latest' %}"
- docker: "{{ vault_version }}"
-
-consul_versions:
- host: "{{ consul_version }}{% '*' if consul_version != 'latest' %}"
- docker: "{{ consul_version }}"
-
-nomad_versions:
- host: "{{ nomad_version }}{% '*' if nomad_version != 'latest' %}"
- docker: "{{ nomad_version }}"
-
-configuration_directory: "{{ lookup('env', 'PWD') }}/etc/hashistack"
-sub_configuration_directories:
- nomad_servers: "{{ configuration_directory }}/nomad_servers"
- vault_servers: "{{ configuration_directory }}/vault_servers"
- consul_servers: "{{ configuration_directory }}/consul_servers"
-
-configuration_global_vars_file: "globals.yml"
-
-default_container_extra_volumes:
- - "/etc/timezone:/etc/timezone"
- - "/etc/localtime:/etc/localtime"
-
-#################
-# Support options
-#################
-
-hashistack_supported_distributions:
- - ubuntu
- - debian
-
-hashistack_supported_distribution_versions:
- debian:
- - "11"
- - "12"
- ubuntu:
- - "20.04"
- - "22.04"
-
-preflight_enable_host_ntp_checks: true
-haproxy_required_ports: [80, 443]
-vault_required_ports: [8200, 8201]
-consul_required_ports: [8300, 8301, 8302, 8500, 8501, 8502, 8503, 8600]
-nomad_required_ports: []
-
-#####################################################
-# #
-# HAProxy Configuration #
-# #
-#####################################################
-
-deploy_haproxy_deploy_method: host # deployment method, either host or docker
-deploy_haproxy_version: "2.8"
-
-deploy_haproxy_env_variables: {}
-deploy_haproxy_start_service: true
-deploy_haproxy_cert_dir: ""
-deploy_haproxy_extra_container_volumes: []
-deploy_haproxy_global:
- - log /dev/log local0
- - log /dev/log local1 notice
- - stats socket {{ deploy_haproxy_socket }} level admin
- - chroot {{ deploy_haproxy_chroot }}
- - daemon
- - description hashistack haproxy
-
-deploy_haproxy_defaults:
- - log global
- - mode http
- - option httplog
- - option dontlognull
- - timeout connect 5000
- - timeout client 5000
- - timeout server 5000
-
-deploy_haproxy_frontends:
- []
- # - name: default
- # options:
- # - description default frontend
- # - mode http
- # - bind :80
- # - default_backend default
-
-deploy_haproxy_backends:
- []
- # - name: default
- # options:
- # - description default backend
- # - option forwardfor
- # - option httpchk
- # - http-check send meth GET uri /
- # - server srv_nginx1 172.17.0.4:80 check inter 5s
- # - server srv_nginx2 172.17.0.3:80 check inter 5s
-
-deploy_haproxy_listen:
- - name: monitoring
- options:
- - bind :9000
- - mode http
- - option httpchk
- - stats enable
- - stats uri /stats
- - stats refresh 30s
- - stats show-desc
- - stats show-legends
- - stats auth admin:password
- - http-check send meth GET uri /health ver HTTP/1.1 hdr Host localhost
- - http-check expect status 200
- - acl health_check_ok nbsrv() ge 1
- - monitor-uri /health
- - http-request use-service prometheus-exporter if { path /metrics }
-
-deploy_keepalived_deploy_method: "host"
-deploy_keepalived_version: "latest"
-deploy_keepalived_start_service: true
-deploy_keepalived_env_variables: {}
-
-deploy_keepalived_vrrp_instance_name: "{{ ansible_hostname }}"
-deploy_keepalived_interface: "{{ ansible_default_ipv4.interface }}"
-deploy_keepalived_state: "BACKUP"
-deploy_keepalived_router_id: 50
-deploy_keepalived_priority: 100
-deploy_keepalived_advert_interval: 1
-deploy_keepalived_unicast_source: "{{ ansible_default_ipv4.address }}"
-deploy_keepalived_unicast_peers: []
-deploy_keepalived_auth_passwd: "password"
-deploy_keepalived_virtual_ips:
- - 192.168.1.100/32
-deploy_keepalived_notify_script: notify.sh
-
-deploy_keepalived_custom_scripts_src:
-deploy_keepalived_extra_container_volumes: []
-
-deploy_keepalived_use_custom_config: false
-deploy_keepalived_custom_config_src:
-
-#####################################################
-# #
-# Nomad Configuration #
-# #
-#####################################################
-
-hashi_nomad_cni_plugins_install: true
-hashi_nomad_start_service: true
-hashi_nomad_cni_plugins_version: latest
-hashi_nomad_cni_plugins_install_path: /opt/cni/bin
-hashi_nomad_version: latest
-hashi_nomad_deploy_method: host # deployment method, either host or docker
-hashi_nomad_env_variables: {}
-hashi_nomad_data_dir: /opt/nomad
-hashi_nomad_extra_files: false
-hashi_nomad_extra_files_src: /tmp/extra_files
-hashi_nomad_extra_files_dst: /etc/nomad.d/extra_files
-hashi_nomad_configuration: {}
-
-#####################################################
-# #
-# Consul Configuration #
-# #
-#####################################################
-
-consul_domain: consul
-consul_datacenter: dc1
-consul_primary_datacenter: dc1
-consul_leave_on_terminate: true
-consul_rejoin_after_leave: true
-consul_enable_script_checks: true
-
-##############################
-# consul address configuration
-##############################
-
-consul_address_configuration:
- # The address to which Consul will bind client interfaces,
- # including the HTTP and DNS servers.
- client_addr: "0.0.0.0"
- # The address that should be bound to for internal cluster communications.
- bind_addr: "{{ api_interface_address }}"
- # The advertise address is used to change the address that we advertise to other nodes in the cluster.
- advertise_addr: "{{ api_interface_address }}"
-
-##########################
-# consul ACL configuration
-##########################
-
-consul_acl_configuration:
- enabled: true
- default_policy: "deny" # can be allow or deny
- enable_token_persistence: true
-
-consul_default_agent_policy: |
- agent_prefix "" {
- policy = "write"
- }
- node_prefix "" {
- policy = "write"
- }
- service_prefix "" {
- policy = "read"
- }
-
-##########################
-# consul DNS configuration
-##########################
-
-consul_dns_configuration:
- allow_stale: true
- enable_truncate: true
- only_passing: true
-
-#########################
-# consul ui configuration
-#########################
-
-consul_ui_configuration:
- enabled: true
-
-###################################
-# consul service mesh configuration
-###################################
-
-consul_mesh_configuration:
- enabled: true
-
-#####################
-# extra configuration
-#####################
-
-consul_extra_configuration: {}
-
-###############
-# configuration
-###############
-
-hashi_consul_start_service: true
-hashi_consul_version: latest
-hashi_consul_deploy_method: "{{ deployment_method }}"
-hashi_consul_env_variables: {}
-hashi_cosul_config_dir: "/etc/consul.d"
-hashi_consul_data_dir: "/opt/consul"
-hashi_consul_extra_files: false
-hashi_consul_extra_files_src: "{{ sub_configuration_directories.consul_servers }}/config"
-hashi_consul_extra_files_dst: "{{ hashi_consul_config_dir }}/config"
-hashi_consul_envoy_install: false
-hashi_consul_envoy_version: v1.27.2
-hashi_consul_configuration:
- domain: "{{ consul_domain }}"
- datacenter: "{{ consul_datacenter }}"
- primary_datacenter: "{{ consul_primary_datacenter }}"
- data_dir: "{{ hashi_consul_data_dir }}"
- encrypt: "{{ 'mysupersecretgossipencryptionkey'|b64encode }}"
- server: "{{ 'consul_servers' in group_names }}"
- retry_join: "{{
- groups['consul_servers'] |
- map('extract', hostvars, ['consul_address_configuration', 'bind_addr']) |
- list |
- to_json |
- from_json
- }}"
- ui_config: "{{ consul_ui_configuration }}"
- connect: "{{ consul_mesh_configuration }}"
- leave_on_terminate: true
- rejoin_after_leave: true
- enable_script_checks: true
- enable_syslog: true
- log_level: INFO
- acl: "{{ consul_acl_configuration }}"
- dns_config: "{{ consul_dns_configuration }}"
- ports:
- dns: 8600
- http: 8500
- https: -1
- grpc: 8502
- grpc_tls: 8503
- server: 8300
- serf_lan: 8301
- serf_wan: 8302
- sidecar_min_port: 21000
- sidecar_max_port: 21255
- expose_min_port: 21500
- expose_max_port: 21755
-
-# this is used to circumvent jinja limitation to convert string to integer
-hashi_consul_configuration_string: |
- bootstrap_expect: {{ (groups['consul_servers'] | length) }}
-
-#####################################################
-# #
-# Vault Configuration #
-# #
-#####################################################
-
-vault_cluster_name: vault
-vault_enable_ui: true
-vault_seal_configuration:
- key_shares: 3
- key_threshold: 2
-
-#########
-# storage
-#########
-
-vault_storage_configuration:
- raft:
- path: "{{ hashi_vault_data_dir }}/data"
- node_id: "{{ ansible_hostname }}"
- retry_join: |
- [
- {% for host in groups['vault_servers'] %}
- {
- 'leader_api_addr': 'http://{{ hostvars[host].api_interface_address }}:8200'
- }{% if not loop.last %},{% endif %}
- {% endfor %}
- ]
-
-##########
-# listener
-##########
-
-vault_enable_tls: false
-vault_listener_configuration:
- tcp:
- address: "0.0.0.0:8200"
- tls_disable: true
-
-vault_tls_listener_configuration:
- tcp:
- tls_disable: false
- tls_cert_file: "{{ hashi_vault_extra_files_dst }}/tls/cert.pem"
- tls_key_file: "{{ hashi_vault_extra_files_dst }}/tls/key.pem"
-
-vault_extra_listener_configuration: {}
-
-######################
-# service registration
-######################
-
-vault_enable_service_registration: false
-vault_service_registration_configuration:
- consul:
- address: "127.0.0.1:8500"
- scheme: "http"
-
-#########
-# plugins
-#########
-vault_enable_plugins: true
-vault_plugin_directory: "{{ hashi_vault_extra_files_dst }}/plugin"
-
-#########
-# logging
-#########
-
-vault_enable_log_to_file: false
-vault_logging_configuration:
- log_level: info
- log_format: standard
- log_rotate_duration: 24h
- log_rotate_max_files: 30
-
-#########################
-# vault container volumes
-#########################
-
-extra_vault_container_volumes: []
-
-#####################
-# extra configuration
-#####################
-
-vault_extra_configuration: {}
-
-###############
-# configuration
-###############
-
-hashi_vault_start_service: true
-hashi_vault_version: latest
-hashi_vault_deploy_method: "{{ deployment_method }}"
-hashi_vault_env_variables: {}
-hashi_vault_config_dir: "/etc/vault.d"
-hashi_vault_data_dir: "/opt/vault"
-hashi_vault_extra_files: true
-hashi_vault_extra_files_src: "{{ sub_configuration_directories.vault_servers }}/config"
-hashi_vault_extra_files_dst: "{{ hashi_vault_config_dir }}/config"
-hashi_vault_extra_container_volumes: "{{ default_container_extra_volumes | union(extra_vault_container_volumes) | unique }}"
-hashi_vault_configuration:
- cluster_name: "{{ vault_cluster_name }}"
- cluster_addr: "http://{{ api_interface_address }}:8201"
- api_addr: "http://{{ api_interface_address }}:8200"
- ui: "{{ vault_enable_ui }}"
- disable_mlock: false
- disable_cache: false
- listener: "{{ vault_listener_configuration }}"
- storage: "{{ vault_storage_configuration }}"
diff --git a/playbooks/group_vars/all/all.yml b/playbooks/group_vars/all/all.yml
new file mode 100644
index 0000000..06beae1
--- /dev/null
+++ b/playbooks/group_vars/all/all.yml
@@ -0,0 +1,78 @@
+---
+##########################
+# General options ########
+##########################
+
+enable_haproxy: "yes"
+enable_vault: "no"
+enable_consul: "yes"
+enable_nomad: "no"
+
+nomad_version: latest
+consul_version: latest
+vault_version: latest
+
+deployment_method: "docker"
+
+hashistack_external_vip_interface: "eth0"
+hashistack_external_vip_addr: "192.168.121.100"
+hashistack_internal_vip_interface: "eth1"
+# hashistack_internal_vip_interface: "{{ hashistack_external_vip_interface }}"
+hashistack_internal_vip_addr: "192.168.100.100"
+# hashistack_internal_vip_addr: "{{ hashistack_external_vip_addr }}"
+
+# api_interface: "eth0"
+api_interface: "eth1"
+api_interface_address: "{{ ansible_facts[api_interface]['ipv4']['address'] }}"
+
+##########################
+# Helper options #########
+##########################
+
+# manage_pip_packages_allow_break_system_packages: true
+
+vault_versions:
+ host: "{{ vault_version }}{% '*' if vault_version != 'latest' %}"
+ docker: "{{ vault_version }}"
+
+consul_versions:
+ host: "{{ consul_version }}{% '*' if consul_version != 'latest' %}"
+ docker: "{{ consul_version }}"
+
+nomad_versions:
+ host: "{{ nomad_version }}{% '*' if nomad_version != 'latest' %}"
+ docker: "{{ nomad_version }}"
+
+configuration_directory: "{{ lookup('env', 'PWD') }}/etc/hashistack"
+sub_configuration_directories:
+ nomad_servers: "{{ configuration_directory }}/nomad_servers"
+ vault_servers: "{{ configuration_directory }}/vault_servers"
+ consul_servers: "{{ configuration_directory }}/consul_servers"
+
+configuration_global_vars_file: "globals.yml"
+
+default_container_extra_volumes:
+ - "/etc/timezone:/etc/timezone"
+ - "/etc/localtime:/etc/localtime"
+
+#################
+# Support options
+#################
+
+hashistack_supported_distributions:
+ - ubuntu
+ - debian
+
+hashistack_supported_distribution_versions:
+ debian:
+ - "11"
+ - "12"
+ ubuntu:
+ - "20.04"
+ - "22.04"
+
+preflight_enable_host_ntp_checks: true
+haproxy_required_ports: [80, 443]
+vault_required_ports: [8200, 8201]
+consul_required_ports: [8300, 8301, 8302, 8500, 8501, 8502, 8503, 8600]
+nomad_required_ports: []
diff --git a/playbooks/group_vars/all/consul.yml b/playbooks/group_vars/all/consul.yml
new file mode 100644
index 0000000..b40c47f
--- /dev/null
+++ b/playbooks/group_vars/all/consul.yml
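Review bot: The `host:` entries of `vault_versions`, `consul_versions` and `nomad_versions` use `{% '*' if vault_version != 'latest' %}`, which puts an expression inside a Jinja statement tag; Jinja rejects that with a syntax error the moment the variable is evaluated, so it can only have survived because nothing currently renders these values (they are carried over unchanged from the deleted all.yml). The working form is `host: "{{ vault_version }}{{ '*' if vault_version != 'latest' else '' }}"`, and likewise for the consul and nomad entries. Separately, `hashistack_external_vip_addr`, `hashistack_internal_vip_addr` and `api_interface: "eth1"` are hard-coded to the molecule test network (compare the 192.168.100.x addresses in molecule.yml), yet this file is the playbook-wide default; they belong in the scenario's inventory or a scenario group_vars file. `enable_haproxy: "yes"` and its siblings would also read better as the booleans `true`/`false`, since every consumer applies `| bool`.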
@@ -0,0 +1,178 @@
+---
+#####################################################
+# #
+# Consul Configuration #
+# #
+#####################################################
+
+consul_domain: consul
+consul_datacenter: dc1
+consul_primary_datacenter: dc1
+consul_leave_on_terminate: true
+consul_rejoin_after_leave: true
+consul_enable_script_checks: true
+
+########################
+# consul haproxy backend
+########################
+consul_haproxy_frontends:
+ - name: consul_internal
+ options:
+ - description consul internal gossip frontend
+ - mode tcp
+ - option tcplog
+ - bind :{{ hashi_consul_configuration.ports.serf_lan }}
+ - default_backend consul_internal
+ - name: consul_external
+ options:
+ - description consul external http frontend
+ - mode http
+ - bind :80
+ - default_backend consul_external
+
+consul_haproxy_backends:
+ - name: consul_internal
+ options: "{{ consul_internal_backend_options + consul_internal_backend_servers }}"
+ - name: consul_external
+ options: "{{ consul_external_backend_options + consul_external_backend_servers }}"
+
+consul_internal_backend_options:
+ - description consul internal gossip backend
+
+consul_internal_backend_servers: |
+ [
+ {% for host in groups['consul_servers'] %}
+ 'server {{ hostvars[host].api_interface_address }} {{ hostvars[host].api_interface_address }}:{{ hashi_consul_configuration.ports.serf_lan }} check inter 3s'{% if not loop.last %},{% endif %}
+ {% endfor %}
+ ]
+
+consul_external_backend_options:
+ - description consul external http backend
+ - option forwardfor
+ - option httpchk
+ - http-check send meth GET uri /
+
+consul_external_backend_servers: |
+ [
+ {% for host in groups['consul_servers'] %}
+ 'server {{ hostvars[host].api_interface_address }} {{ hostvars[host].api_interface_address }}:{{ hashi_consul_configuration.ports.http }} check inter 5s'{% if not loop.last %},{% endif %}
+ {% endfor %}
+ ]
+
+##############################
+# consul address configuration
+##############################
+
+consul_address_configuration:
+ # The address to which Consul will bind client interfaces,
+ # including the HTTP and DNS servers.
+ client_addr: "0.0.0.0"
+ # The address that should be bound to for internal cluster communications.
+ bind_addr: "{{ api_interface_address }}"
+ # The advertise address is used to change the address that we advertise to other nodes in the cluster.
+ advertise_addr: "{{ api_interface_address }}"
+
+##########################
+# consul ACL configuration
+##########################
+
+consul_acl_configuration:
+ enabled: true
+ default_policy: "deny" # can be allow or deny
+ enable_token_persistence: true
+
+consul_default_agent_policy: |
+ agent_prefix "" {
+ policy = "write"
+ }
+ node_prefix "" {
+ policy = "write"
+ }
+ service_prefix "" {
+ policy = "read"
+ }
+
+##########################
+# consul DNS configuration
+##########################
+
+consul_dns_configuration:
+ allow_stale: true
+ enable_truncate: true
+ only_passing: true
+
+#########################
+# consul ui configuration
+#########################
+
+consul_ui_configuration:
+ enabled: true
+
+###################################
+# consul service mesh configuration
+###################################
+
+consul_mesh_configuration:
+ enabled: true
+
+#####################
+# extra configuration
+#####################
+
+consul_extra_configuration: {}
+
+###############
+# configuration
+###############
+
+hashi_consul_start_service: true
+hashi_consul_version: latest
+hashi_consul_deploy_method: "{{ deployment_method }}"
+hashi_consul_env_variables: {}
+hashi_cosul_config_dir: "/etc/consul.d"
+hashi_consul_data_dir: "/opt/consul"
+hashi_consul_extra_files: false
+hashi_consul_extra_files_src: "{{ sub_configuration_directories.consul_servers }}/config"
+hashi_consul_extra_files_dst: "{{ hashi_consul_config_dir }}/config"
+hashi_consul_envoy_install: false
+hashi_consul_envoy_version: v1.27.2
+hashi_consul_configuration:
+ domain: "{{ consul_domain }}"
+ datacenter: "{{ consul_datacenter }}"
+ primary_datacenter: "{{ consul_primary_datacenter }}"
+ data_dir: "{{ hashi_consul_data_dir }}"
+ encrypt: "" # "{{ 'mysupersecretgossipencryptionkey'|b64encode }}"
+ server: "{{ 'consul_servers' in group_names }}"
+ retry_join: "{{
+ groups['consul_servers'] |
+ map('extract', hostvars, ['consul_address_configuration', 'bind_addr']) |
+ list |
+ to_json |
+ from_json
+ }}"
+ ui_config: "{{ consul_ui_configuration }}"
+ connect: "{{ consul_mesh_configuration }}"
+ leave_on_terminate: true
+ rejoin_after_leave: true
+ enable_script_checks: true
+ enable_syslog: "{{ deployment_method == 'host' }}"
+ log_level: INFO
+ acl: "{{ consul_acl_configuration }}"
+ dns_config: "{{ consul_dns_configuration }}"
+ ports:
+ dns: 8600
+ http: 8500
+ https: -1
+ grpc: 8502
+ grpc_tls: 8503
+ server: 8300
+ serf_lan: 8301
+ serf_wan: 8302
+ sidecar_min_port: 21000
+ sidecar_max_port: 21255
+ expose_min_port: 21500
+ expose_max_port: 21755
+
+# this is used to circumvent jinja limitation to convert string to integer
+hashi_consul_configuration_string: |
+ bootstrap_expect: {{ (groups['consul_servers'] | length) }}
diff --git a/playbooks/group_vars/all/haproxy.yml b/playbooks/group_vars/all/haproxy.yml
new file mode 100644
index 0000000..64361ec
--- /dev/null
+++ b/playbooks/group_vars/all/haproxy.yml
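Review bot: `encrypt: ""` in `hashi_consul_configuration` turns Consul gossip encryption off for every agent, and the commented-out remainder on the same line shows a key was meant to be there; an empty value is a weaker state than the placeholder it replaces, and nothing else in the patch supplies the key. Keep the key out of the repo and reference it, e.g. `encrypt: "{{ consul_gossip_encryption_key }}"` with the value coming from a vaulted vars file (generated once with `consul keygen`), so the no_tls scenarios still get an encrypted gossip layer. Two carried-over issues are worth fixing while the file is new: `hashi_cosul_config_dir` is misspelt, so `hashi_consul_extra_files_dst` refers to a `hashi_consul_config_dir` this file never defines (it works only if the role defaults one); and the `consul_internal` frontend balances TCP connections onto `serf_lan` (8301), whereas Serf gossip uses TCP and UDP and peers dial each other at their advertised addresses, so this frontend is unlikely to carry gossip traffic at all. If it exists only so that `retry_join` can go through the VIP, a comment saying so would help the next reader.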
@@ -0,0 +1,77 @@
+---
+#####################################################
+# #
+# HAProxy Configuration #
+# #
+#####################################################
+
+deploy_haproxy_deploy_method: "{{ deployment_method }}"
+deploy_haproxy_version: "2.8"
+
+deploy_haproxy_env_variables: {}
+deploy_haproxy_start_service: true
+deploy_haproxy_cert_dir: ""
+deploy_haproxy_extra_container_volumes: []
+deploy_haproxy_global:
+ - log /dev/log local0
+ - log /dev/log local1 notice
+ - stats socket {{ deploy_haproxy_socket }} level admin
+ - chroot {{ deploy_haproxy_chroot }}
+ - daemon
+ - description hashistack haproxy
+
+deploy_haproxy_defaults:
+ - log global
+ - mode http
+ - option httplog
+ - option dontlognull
+ - timeout connect 5000
+ - timeout client 5000
+ - timeout server 5000
+
+deploy_haproxy_frontends: "{{ consul_haproxy_frontends }}"
+
+deploy_haproxy_backends: "{{ consul_haproxy_backends }}"
+
+deploy_haproxy_listen:
+ - name: monitoring
+ options:
+ - bind :9000
+ - mode http
+ - option httpchk
+ - stats enable
+ - stats uri /stats
+ - stats refresh 30s
+ - stats show-desc
+ - stats show-legends
+ - stats auth admin:password
+ - http-check send meth GET uri /health ver HTTP/1.1 hdr Host localhost
+ - http-check expect status 200
+ - acl health_check_ok nbsrv() ge 1
+ - monitor-uri /health
+ - http-request use-service prometheus-exporter if { path /metrics }
+
+deploy_keepalived_deploy_method: "{{ deployment_method }}"
+deploy_keepalived_version: "latest"
+deploy_keepalived_start_service: true
+deploy_keepalived_env_variables: {}
+
+deploy_keepalived_vrrp_instance_name: "{{ ansible_hostname }}"
+deploy_keepalived_interface: "{{ api_interface }}"
+deploy_keepalived_state: "BACKUP"
+deploy_keepalived_router_id: 50
+deploy_keepalived_priority: 100
+deploy_keepalived_advert_interval: 1
+deploy_keepalived_unicast_source: "{{ api_interface_address }}"
+deploy_keepalived_unicast_peers: "{{ groups['haproxy_servers'] | difference([ansible_hostname]) | map('extract', hostvars, ['api_interface_address']) | list }}"
+deploy_keepalived_auth_passwd: "password"
+deploy_keepalived_virtual_ips:
+ - "{{ hashistack_external_vip_addr }}/32 dev {{ hashistack_external_vip_interface }}"
+ - "{{ hashistack_internal_vip_addr }}/32 dev {{ hashistack_internal_vip_interface }}"
+deploy_keepalived_notify_script: notify.sh
+
+deploy_keepalived_custom_scripts_src:
+deploy_keepalived_extra_container_volumes: []
+
+deploy_keepalived_use_custom_config: false
+deploy_keepalived_custom_config_src:
diff --git a/playbooks/group_vars/all/nomad.yml b/playbooks/group_vars/all/nomad.yml
new file mode 100644
index 0000000..e484058
--- /dev/null
+++ b/playbooks/group_vars/all/nomad.yml
@@ -0,0 +1,18 @@
+#####################################################
+# #
+# Nomad Configuration #
+# #
+#####################################################
+
+hashi_nomad_cni_plugins_install: true
+hashi_nomad_start_service: true
+hashi_nomad_cni_plugins_version: latest
+hashi_nomad_cni_plugins_install_path: /opt/cni/bin
+hashi_nomad_version: latest
+hashi_nomad_deploy_method: host # deployment method, either host or docker
+hashi_nomad_env_variables: {}
+hashi_nomad_data_dir: /opt/nomad
+hashi_nomad_extra_files: false
+hashi_nomad_extra_files_src: /tmp/extra_files
+hashi_nomad_extra_files_dst: /etc/nomad.d/extra_files
+hashi_nomad_configuration: {}
diff --git a/playbooks/group_vars/all/vault.yml b/playbooks/group_vars/all/vault.yml
new file mode 100644
index 0000000..fa50464
--- /dev/null
+++ b/playbooks/group_vars/all/vault.yml
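Review bot: `deploy_keepalived_unicast_peers` subtracts `ansible_hostname` from `groups['haproxy_servers']`, but that group holds inventory names; whenever the inventory name and the machine's hostname differ, the local node is left in its own unicast peer list and keepalived ends up sending adverts to itself. Use the inventory identity instead: `deploy_keepalived_unicast_peers: "{{ groups['haproxy_servers'] | difference([inventory_hostname]) | map('extract', hostvars, ['api_interface_address']) | list }}"`. Two credentials also now sit in this playbook-wide defaults file, `stats auth admin:password` on the stats listener (bound on `:9000` next to `/metrics`) and `deploy_keepalived_auth_passwd: "password"` for VRRP; both should be variables resolved from a vaulted file rather than literals, even for the no_tls scenarios. Minor: `deploy_keepalived_custom_scripts_src:` and `deploy_keepalived_custom_config_src:` are bare keys that YAML reads as null, so an explicit `""` or `null` would make the intent visible.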
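Review bot: `hashi_nomad_deploy_method: host` is still hard-coded while the consul, vault, haproxy and keepalived counterparts in this patch all follow `"{{ deployment_method }}"`, which all.yml now sets to `"docker"`; once `enable_nomad` is switched on, Nomad would be the one component deployed on the host. Align it with `hashi_nomad_deploy_method: "{{ deployment_method }}"`. This file is also the only new group_vars file without the leading `---` the others start with.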
@@ -0,0 +1,111 @@
+---
+#####################################################
+# #
+# Vault Configuration #
+# #
+#####################################################
+
+vault_cluster_name: vault
+vault_enable_ui: true
+vault_seal_configuration:
+ key_shares: 3
+ key_threshold: 2
+
+#########
+# storage
+#########
+
+vault_storage_configuration:
+ raft:
+ path: "{{ hashi_vault_data_dir }}/data"
+ node_id: "{{ ansible_hostname }}"
+ retry_join: |
+ [
+ {% for host in groups['vault_servers'] %}
+ {
+ 'leader_api_addr': 'http://{{ hostvars[host].api_interface_address }}:8200'
+ }{% if not loop.last %},{% endif %}
+ {% endfor %}
+ ]
+
+##########
+# listener
+##########
+
+vault_enable_tls: false
+vault_listener_configuration:
+ tcp:
+ address: "0.0.0.0:8200"
+ tls_disable: true
+
+vault_tls_listener_configuration:
+ tcp:
+ tls_disable: false
+ tls_cert_file: "{{ hashi_vault_extra_files_dst }}/tls/cert.pem"
+ tls_key_file: "{{ hashi_vault_extra_files_dst }}/tls/key.pem"
+
+vault_extra_listener_configuration: {}
+
+######################
+# service registration
+######################
+
+vault_enable_service_registration: false
+vault_service_registration_configuration:
+ consul:
+ address: "127.0.0.1:8500"
+ scheme: "http"
+
+#########
+# plugins
+#########
+
+vault_enable_plugins: true
+vault_plugin_directory: "{{ hashi_vault_extra_files_dst }}/plugin"
+
+#########
+# logging
+#########
+
+vault_enable_log_to_file: false
+vault_logging_configuration:
+ log_level: info
+ log_format: standard
+ log_rotate_duration: 24h
+ log_rotate_max_files: 30
+
+#########################
+# vault container volumes
+#########################
+
+extra_vault_container_volumes: []
+
+#####################
+# extra configuration
+#####################
+
+vault_extra_configuration: {}
+
+###############
+# configuration
+###############
+
+hashi_vault_start_service: true
+hashi_vault_version: latest
+hashi_vault_deploy_method: "{{ deployment_method }}"
+hashi_vault_env_variables: {}
+hashi_vault_config_dir: "/etc/vault.d"
+hashi_vault_data_dir: "/opt/vault"
+hashi_vault_extra_files: true
+hashi_vault_extra_files_src: "{{ sub_configuration_directories.vault_servers }}/config"
+hashi_vault_extra_files_dst: "{{ hashi_vault_config_dir }}/config"
+hashi_vault_extra_container_volumes: "{{ default_container_extra_volumes | union(extra_vault_container_volumes) | unique }}"
+hashi_vault_configuration:
+ cluster_name: "{{ vault_cluster_name }}"
+ cluster_addr: "http://{{ api_interface_address }}:8201"
+ api_addr: "http://{{ api_interface_address }}:8200"
+ ui: "{{ vault_enable_ui }}"
+ disable_mlock: false
+ disable_cache: false
+ listener: "{{ vault_listener_configuration }}"
+ storage: "{{ vault_storage_configuration }}"
diff --git a/playbooks/tasks/consul/consul_vars.yml b/playbooks/tasks/consul/consul_vars.yml
index db558a4..cf05af2 100644
--- a/playbooks/tasks/consul/consul_vars.yml
+++ b/playbooks/tasks/consul/consul_vars.yml
@@ -43,12 +43,6 @@
 hashi_consul_configuration: "{{ hashi_consul_configuration | default({}) | combine(_config_to_merge, recursive=true) }}"
 when: _consul_cluster_config.tokens is defined
-- name: Debug token config
- ansible.builtin.debug:
- msg: "{{ hashi_consul_configuration }}"
-
-# - fail:
-
 - name: "Consul | Merge extra configuration settings"
 vars:
 _config_to_merge: "{{ consul_extra_configuration }}"
diff --git a/playbooks/tasks/haproxy/haproxy_deploy.yml b/playbooks/tasks/haproxy/haproxy_deploy.yml
new file mode 100644
index 0000000..9ed5660
--- /dev/null
+++ b/playbooks/tasks/haproxy/haproxy_deploy.yml
@@ -0,0 +1,9 @@
+- name: "HAProxy"
+ block:
+ - name: "Include ednz_cloud.deploy_haproxy"
+ ansible.builtin.include_role:
+ name: ednz_cloud.deploy_haproxy
+
+ - name: "Include ednz_cloud.deploy_keepalived"
+ ansible.builtin.include_role:
+ name: ednz_cloud.deploy_keepalived
diff --git a/playbooks/tasks/haproxy/haproxy_vars.yml b/playbooks/tasks/haproxy/haproxy_vars.yml
new file mode 100644
index 0000000..e69de29
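Review bot: `cluster_addr`, `api_addr` and the raft `leader_api_addr` entries hard-code `http://`, while `vault_enable_tls` and `vault_tls_listener_configuration` in the same file exist to switch the listener to TLS; enabling it would leave the cluster advertising plain-HTTP addresses that no longer match the listener. The values are carried over from the deleted all.yml, so this is not a regression, but the file is new and this is the place to fix it. Derive the scheme once, e.g. `api_addr: "{{ 'https' if vault_enable_tls | bool else 'http' }}://{{ api_interface_address }}:8200"`, and reuse the same expression for `cluster_addr` and inside the `retry_join` loop.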
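Review bot: Both roles are pulled in with `ansible.builtin.include_role`, and deploy.yml imports this file under `tags: [haproxy]`; with a dynamic include the tag is applied to the include task only, not to the tasks inside the role, so `ansible-playbook --tags haproxy` would evaluate these two includes and then skip every role task. Pass the tag through with `apply`, or switch to `ansible.builtin.import_role` if the roles need no runtime conditionals. The file also has no `---` document start.

```yaml
- name: "HAProxy"
  block:
    - name: "Include ednz_cloud.deploy_haproxy"
      ansible.builtin.include_role:
        name: ednz_cloud.deploy_haproxy
        apply:
          tags:
            - haproxy

    - name: "Include ednz_cloud.deploy_keepalived"
      ansible.builtin.include_role:
        name: ednz_cloud.deploy_keepalived
        apply:
          tags:
            - haproxy
```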
diff --git a/playbooks/tasks/load_vars.yml b/playbooks/tasks/load_vars.yml
index 82d2c47..fbc90a4 100644
--- a/playbooks/tasks/load_vars.yml
+++ b/playbooks/tasks/load_vars.yml
@@ -77,3 +77,10 @@
 when:
 - enable_vault | bool
 - "'vault_servers' in group_names"
+
+- debug:
+ msg: "{{ deploy_haproxy_frontends }}"
+
+- debug:
+ msg: "{{ deploy_haproxy_backends }}"
+# - fail:
diff --git a/roles/hashicorp_consul b/roles/hashicorp_consul
index 9c906ed..a322d3c 160000
--- a/roles/hashicorp_consul
+++ b/roles/hashicorp_consul
@@ -1 +1 @@
-Subproject commit 9c906ed7dba091bab9139bd9d68218f421528440
+Subproject commit a322d3c144806ea2524651996e19ff9885b90e16
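Review bot: The two unnamed `debug` tasks dump `deploy_haproxy_frontends` and `deploy_haproxy_backends` on every host on every run, and the trailing `# - fail:` is a leftover breakpoint; it is the same pattern this commit removes from consul_vars.yml. Drop them, or keep one named task that only prints at higher verbosity: `- name: "HAProxy | Show rendered frontends and backends"` with `ansible.builtin.debug:` and `verbosity: 1`. Note also that these tasks carry no `when`, so rendering the backends on a host outside `haproxy_servers` still evaluates `hostvars[...]` for every consul host, and the debug alone can fail a play in which the real HAProxy deployment would have been skipped.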