fix: implement longer wait to stabilize consul cluster before bootstrapping to avoid timeout errors
All checks were successful
development / Check commit compliance (push) Successful in 30s
All checks were successful
development / Check commit compliance (push) Successful in 30s
This commit is contained in:
parent
074da0289a
commit
fd9a0e3c55
1
docs/extra_configuration.md
Normal file
1
docs/extra_configuration.md
Normal file
@ -0,0 +1 @@
|
|||||||
|
# Adding extra configuration options
|
@ -35,7 +35,7 @@ Note that not all versions of haproxy are available as a package on all supporte
|
|||||||
deployment_method: "docker"
|
deployment_method: "docker"
|
||||||
```
|
```
|
||||||
|
|
||||||
### General Settings
|
### General settings
|
||||||
|
|
||||||
There aren't many settings that you can configure to deploy the HAProxy frontends. First you'll need to configure a Virtual IP, and pass it in the `globals.yml` configuration file.
|
There aren't many settings that you can configure to deploy the HAProxy frontends. First you'll need to configure a Virtual IP, and pass it in the `globals.yml` configuration file.
|
||||||
|
|
||||||
|
82
docs/nomad_clusters.md
Normal file
82
docs/nomad_clusters.md
Normal file
@ -0,0 +1,82 @@
|
|||||||
|
# Deploying a Nomad cluster
|
||||||
|
|
||||||
|
This documentation explains each steps necessary to successfully deploy a Nomad cluster using the ednz_cloud.hashistack ansible collection.
|
||||||
|
|
||||||
|
## Prerequisites
|
||||||
|
|
||||||
|
You should, before attempting any deployment, have read through the [Quick Start Guide](./quick_start.md). These steps are necessary in order to ensure smooth operations going forward.
|
||||||
|
|
||||||
|
## Variables
|
||||||
|
|
||||||
|
### Basics
|
||||||
|
|
||||||
|
First, in order to deploy a nomad cluster, you need to enable it.
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
enable_nomad: "yes"
|
||||||
|
```
|
||||||
|
|
||||||
|
Selecting the nomad version to install is done with the `nomad_version` variable.
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
nomad_version: latest
|
||||||
|
```
|
||||||
|
|
||||||
|
The vault version can either be `latest` or `X.Y.Z`.
|
||||||
|
|
||||||
|
For production deployment, it is recommended to use the `X.Y.Z` syntax.
|
||||||
|
|
||||||
|
### General settings
|
||||||
|
|
||||||
|
First, you can change some general settings for nomad, like the dc and region options.
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
nomad_datacenter: dc1
|
||||||
|
nomad_region: global
|
||||||
|
```
|
||||||
|
|
||||||
|
### ACLs settings
|
||||||
|
|
||||||
|
By default, ACLs are enabled on nomad, and automatically bootstrapped.
|
||||||
|
You can change this by editing the `nomad_acl_configuration` variable:
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
nomad_acl_configuration:
|
||||||
|
enabled: true
|
||||||
|
token_ttl: 30s
|
||||||
|
policy_ttl: 60s
|
||||||
|
role_ttl: 60s
|
||||||
|
```
|
||||||
|
|
||||||
|
### Consul integration settings
|
||||||
|
|
||||||
|
By default, if consul if also enabled, nomad will use it to register itself as a consul service and also use consul to automatically join the cluster.
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
nomad_enable_consul_integration: "{{ enable_consul | bool }}"
|
||||||
|
nomad_consul_integration_configuration:
|
||||||
|
address: "127.0.0.1:{{ hashicorp_consul_configuration.ports.https if consul_enable_tls else hashicorp_consul_configuration.ports.http }}"
|
||||||
|
auto_advertise: true
|
||||||
|
ssl: "{{ consul_enable_tls | bool }}"
|
||||||
|
token: "{{ _credentials.consul.tokens.nomad.server.secret_id if nomad_enable_server else _credentials.consul.tokens.nomad.client.secret_id}}"
|
||||||
|
tags: []
|
||||||
|
```
|
||||||
|
|
||||||
|
Optionally, you can add tags to you nomad services, or disable the consul integration if you don't plan on using it.
|
||||||
|
|
||||||
|
### Vault integration settings
|
||||||
|
|
||||||
|
Vault integration for nomad is by default disabled, as it requires some vault configuration that is out of the scope of this collection.
|
||||||
|
|
||||||
|
You can, once you have deployed and configured vault (or if you are using an external vault not managed by the collection), enable the integration
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
nomad_enable_vault_integration: false
|
||||||
|
nomad_vault_integration_configuration: {}
|
||||||
|
```
|
||||||
|
|
||||||
|
For configuration options, please refer to the [Official Documentation](https://developer.hashicorp.com/nomad/docs/configuration/vault)
|
||||||
|
|
||||||
|
### Drivers settings
|
||||||
|
|
||||||
|
### Internal TLS
|
@ -111,3 +111,5 @@ ansible-galaxy install -r ./collections/ansible_collections/ednz_cloud/hashistac
|
|||||||
This will install roles that are not packaged with the collection, but are still required in order to run the playbooks.
|
This will install roles that are not packaged with the collection, but are still required in order to run the playbooks.
|
||||||
|
|
||||||
You should now have some roles inside `./roles/`.
|
You should now have some roles inside `./roles/`.
|
||||||
|
|
||||||
|
## Generate Credentials
|
||||||
|
1
docs/tls_guide.md
Normal file
1
docs/tls_guide.md
Normal file
@ -0,0 +1 @@
|
|||||||
|
# TLS Guide
|
@ -26,15 +26,7 @@ The vault version can either be `latest` or `X.Y.Z`.
|
|||||||
|
|
||||||
For production deployment, it is recommended to use the `X.Y.Z` syntax.
|
For production deployment, it is recommended to use the `X.Y.Z` syntax.
|
||||||
|
|
||||||
The `deployment_method` variable will define how to install vault on the nodes.
|
### General settings
|
||||||
|
|
||||||
By default, it runs vault inside a docker container, but this can be changed to `host` to install vault from the package manager.
|
|
||||||
|
|
||||||
```yaml
|
|
||||||
deployment_method: "docker"
|
|
||||||
```
|
|
||||||
|
|
||||||
### General Settings
|
|
||||||
|
|
||||||
First, you can change some general settings for vault.
|
First, you can change some general settings for vault.
|
||||||
|
|
||||||
@ -46,7 +38,7 @@ vault_seal_configuration:
|
|||||||
key_threshold: 2
|
key_threshold: 2
|
||||||
```
|
```
|
||||||
|
|
||||||
### Storage Settings
|
### Storage settings
|
||||||
|
|
||||||
The storage configuration for vault can be edited as well. By default, vault will be configured to setup `raft` storage between all declared vault servers (in the `vault_servers` group).
|
The storage configuration for vault can be edited as well. By default, vault will be configured to setup `raft` storage between all declared vault servers (in the `vault_servers` group).
|
||||||
|
|
||||||
@ -79,9 +71,9 @@ vault_storage_configuration:
|
|||||||
database: "vault"
|
database: "vault"
|
||||||
```
|
```
|
||||||
|
|
||||||
### Listener Settings
|
### Listener settings
|
||||||
|
|
||||||
#### TCP Listeners
|
#### TCP listeners
|
||||||
|
|
||||||
By default, TLS is **disabled** for vault. This goes against the Hashicorp recommendations on the matter, but there is no simple way to force the use of TLS (yet), without adding a lot of complexity to the deployment.
|
By default, TLS is **disabled** for vault. This goes against the Hashicorp recommendations on the matter, but there is no simple way to force the use of TLS (yet), without adding a lot of complexity to the deployment.
|
||||||
|
|
||||||
|
@ -6,6 +6,14 @@
|
|||||||
name: ednz_cloud.hashicorp_consul
|
name: ednz_cloud.hashicorp_consul
|
||||||
|
|
||||||
- name: "Wait for consul cluster to initialize" # noqa: run-once[task]
|
- name: "Wait for consul cluster to initialize" # noqa: run-once[task]
|
||||||
|
block:
|
||||||
|
- name: "Wait for consul nodes to stabilize"
|
||||||
|
ansible.builtin.wait_for:
|
||||||
|
host: "{{ api_interface_address }}"
|
||||||
|
port: "{{ consul_api_port[consul_api_scheme] }}"
|
||||||
|
delay: 10
|
||||||
|
|
||||||
|
- name: "Waiting for consul api to respond"
|
||||||
ansible.builtin.uri:
|
ansible.builtin.uri:
|
||||||
url: "{{ consul_api_addr }}"
|
url: "{{ consul_api_addr }}"
|
||||||
validate_certs: no
|
validate_certs: no
|
||||||
|
Loading…
Reference in New Issue
Block a user