From d270161c2860e5dad1877d4e67e85ac7000a2cfc Mon Sep 17 00:00:00 2001
From: Bertrand Lanson
Date: Sun, 28 Jan 2024 22:34:27 +0100
Subject: [PATCH] feat(docs): start writing the architecture guide

---
 .gitignore | 3 +-
 docs/architecture_guide.md.md | 94 +++++++++++++++++++++++++++++++
 playbooks/group_vars/all.yml | 48 +++++++++++-----
 playbooks/inventory/multinode.ini | 4 ++
 4 files changed, 135 insertions(+), 14 deletions(-)
 create mode 100644 docs/architecture_guide.md.md

diff --git a/.gitignore b/.gitignore
index dbdf997..feab726 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,4 +2,5 @@
 **/__pycache__
 .vscode
 roles/ednxzu.*
-vault_config
\ No newline at end of file
+vault_config
+consul_config
\ No newline at end of file
diff --git a/docs/architecture_guide.md.md b/docs/architecture_guide.md.md
new file mode 100644
index 0000000..9d33415
--- /dev/null
+++ b/docs/architecture_guide.md.md
@@ -0,0 +1,94 @@
+# Architecture Guide
+
+Hashistack-Ansible allows you to deploy a number of architecture, wether you want to deploy a dev, testing, or production environment. These different architectures are described in this section.
+
+## Dev deployment
+
+If you only want to deploy a test environment, you can simply add a simgle host to each service that you want to deploy.
+
+```ini
+[haproxy_servers]
+
+[vault_servers]
+test01
+
+[consul_servers]
+test01
+
+[nomad_servers]
+test01
+```
+
+In this example, you will end end with each service running on a single host, with no clustering, and no redundancy. This setup *IS NOT RECOMMENDED** for anything but testing purposes, as it provides zero resiliency, and will break if anything goes down.
+
+For this setup, the only requirement is for the target host to have a network interface that you can ssh into from the deployment host.
+
+The architecture would like something like this:
+
+```mermaid
+graph LR;
+ client[Client] -->|http| server{
+ Vault Server
+ Consul Server
+ Nomad Server
+ };
+```
+
+## Testing/Preprod deployment
+
+## Production deployment
+
+For production use, it is recommended to separate concerns as much as possible. This means that consul, vault and nomad, as well as the haproxy services, should be on different nodes altogether. The **client-facing** and **cluster-facing** interfaces should also be separated.
+
+Ideally, you would need:
+ - an odd number (3 to 5) of consul servers
+ - an odd number (3 to 5) of vault servers
+ - an odd number (3 to 5) of nomad servers
+ - multiple (2 to 3) haproxy servers
+
+The **nomad**, **vault** and **consul** servers should have **two network interfaces**, and one of them should be reachable from the haproxy nodes.
+ +The architecture for this infrastructure would look like: + +```mermaid +graph TD + client[Client] -->|https :443| keepalived + keepalived[VIP] --> haproxy1[HAProxy] & haproxy2[HAProxy] + subgraph frontends + direction LR + haproxy1[HAProxy] + haproxy2[HAProxy] + end + + haproxy1[HAProxy] & haproxy2[HAProxy] -->|http :8500| consul + + subgraph consul + direction LR + consul1[Consul 01] <--> consul2[Consul 02] & consul3[Consul 03] & consul4[Consul 04] & consul5[Consul 05] + consul2[Consul 02] <--> consul3[Consul 03] & consul4[Consul 04] & consul5[Consul 05] + consul3[Consul 03] <--> consul4[Consul 04] & consul5[Consul 05] + consul4[Consul 04] <--> consul5[Consul 05] + + end + + haproxy1[HAProxy] & haproxy2[HAProxy] -->|http :8200| vault + + subgraph vault + direction LR + vault1[Vault 01] <--> vault2[Vault 02] + vault2[Vault 02] <--> vault3[Vault 03] + vault3[Vault 03] <--> vault1[Vault 01] + end + + vault -->|Service registration| consul + haproxy1[HAProxy] & haproxy2[HAProxy] -->|http :4646| nomad + + subgraph nomad + direction LR + nomad1[Nomad 01] <--> nomad2[Nomad 02] + nomad2[Nomad 02] <--> nomad3[Nomad 03] + nomad3[Nomad 03] <--> nomad1[Nomad 01] + end + + nomad -->|Service registration| consul +``` diff --git a/playbooks/group_vars/all.yml b/playbooks/group_vars/all.yml index 0993faf..9f6a595 100644 --- a/playbooks/group_vars/all.yml +++ b/playbooks/group_vars/all.yml @@ -3,7 +3,7 @@ # General options ######## ########################## -enable_vault: "yes" +enable_vault: "no" enable_consul: "yes" enable_nomad: "no" @@ -114,12 +114,6 @@ consul_acl_configuration: default_policy: "deny" # can be allow or deny enable_token_persistence: true -##################### -# extra configuration -##################### - -consul_extra_configuration: {} - ########################## # consul DNS configuration ########################## 
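Review bot: `enable_vault: "no"` flips the default so a plain run of the playbooks no longer deploys Vault, and nothing in this docs-labelled commit says why; if that is intended, a comment above the flag such as `# Vault is opt-in; set to "yes" to deploy it` would spare users the surprise. As a point of style, `enable_vault`, `enable_consul` and `enable_nomad` are quoted strings rather than YAML booleans, so whether `"no"` is treated as false depends on how the playbooks test it (`when: enable_vault | bool` versus a string compare), which is outside this hunk. Either switch the three flags to `true`/`false` or make sure every consumer pipes them through `bool`.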
@@ -129,6 +123,30 @@ consul_dns_configuration: enable_truncate: true only_passing: true +######################### +# consul ui configuration +######################### + +consul_ui_configuration: + enabled: true + +################################### +# consul service mesh configuration +################################### + +consul_mesh_configuration: + enabled: true + +##################### +# extra configuration +##################### + +consul_extra_configuration: {} + +############### +# configuration +############### + hashi_consul_start_service: true hashi_consul_version: latest hashi_consul_deploy_method: "{{ deployment_method }}" @@ -138,8 +156,8 @@ hashi_consul_data_dir: "/opt/consul" hashi_consul_extra_files: false hashi_consul_extra_files_src: "{{ sub_configuration_directories.consul_servers }}/config" hashi_consul_extra_files_dst: "{{ hashi_consul_config_dir }}/config" -hashi_consul_envoy_install: false -hashi_consul_envoy_version: latest +hashi_consul_envoy_install: true +hashi_consul_envoy_version: v1.27.2 hashi_consul_configuration: domain: "{{ consul_domain }}" datacenter: "{{ consul_datacenter }}" @@ -154,10 +172,8 @@ hashi_consul_configuration: to_json | from_json }}" - ui_config: - enabled: true - connect: - enabled: false + ui_config: "{{ consul_ui_configuration }}" + connect: "{{ consul_mesh_configuration }}" leave_on_terminate: true rejoin_after_leave: true enable_script_checks: true @@ -196,6 +212,7 @@ vault_seal_configuration: ######### # storage ######### + vault_storage_configuration: raft: path: "{{ hashi_vault_data_dir }}/data" @@ -212,6 +229,7 @@ vault_storage_configuration: ########## # listener ########## + vault_enable_tls: false vault_listener_configuration: tcp: 
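Review bot: `consul_mesh_configuration: enabled: true` turns Consul Connect on for every agent by default, where the inline `connect: enabled: false` it replaces (removed in the `@@ -154,10 +172,8 @@` hunk below) kept it off; with `connect.enabled` set on the servers Consul bootstraps its built-in CA and starts issuing service certificates, which is a real change of defaults for a commit described as documentation. A comment above the block stating intent and cost would help, e.g. `# Enables Consul Connect (service mesh) on all agents; servers bootstrap the built-in CA and client nodes need Envoy.` Likewise `consul_ui_configuration: enabled: true` serves the web UI on the HTTP API port wherever this config lands; with `default_policy: "deny"` it is blocked without a token, but consider limiting it to the servers behind HAProxy rather than every agent. Unrelated to the new lines but adjacent in the same file, `enable_script_checks: true` together with a reachable HTTP API is the remote-execution pattern HashiCorp's own docs warn about; `enable_local_script_checks: true` is the safer equivalent and deserves a follow-up.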
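Review bot: `hashi_consul_envoy_version: v1.27.2` pins Envoy while `hashi_consul_version: latest` (context just above in the same hunk) floats, and Consul supports only a small window of Envoy releases per version and, on recent releases, refuses to bootstrap an unsupported one, so the first Consul upgrade that drops 1.27 will break the sidecars; pin Consul to a release validated against this Envoy version, or document the supported pairing next to the variable. Also, `hashi_consul_envoy_install: true` now installs Envoy on every host even when the mesh is switched off; tying it to the mesh flag, `hashi_consul_envoy_install: "{{ consul_mesh_configuration.enabled | bool }}"`, keeps an extra network-facing binary off hosts that do not need it.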
@@ -239,12 +257,14 @@ vault_service_registration_configuration: ######### # plugins ######### + vault_enable_plugins: true vault_plugin_directory: "{{ hashi_vault_extra_files_dst }}/plugin" ######### # logging ######### + vault_enable_log_to_file: false vault_logging_configuration: log_level: info @@ -255,6 +275,7 @@ vault_logging_configuration: ######################### # vault container volumes ######################### + extra_vault_container_volumes: [] ##################### @@ -266,6 +287,7 @@ vault_extra_configuration: {} ############### # configuration ############### + hashi_vault_start_service: true hashi_vault_version: latest hashi_vault_deploy_method: "{{ deployment_method }}" diff --git a/playbooks/inventory/multinode.ini b/playbooks/inventory/multinode.ini index ac433c1..9ec1f26 100644 --- a/playbooks/inventory/multinode.ini +++ b/playbooks/inventory/multinode.ini @@ -1,3 +1,7 @@ +[haproxy_servers] +haproxy01 +haproxy02 + [vault_servers] vault01 vault02