Compare commits
2 Commits
10bea17054
...
34e30b0a5f
Author | SHA1 | Date | |
---|---|---|---|
34e30b0a5f | |||
265aa4ce42 |
@ -1,4 +1,12 @@
|
|||||||
---
|
---
|
||||||
|
# Molecule specific variables
|
||||||
|
|
||||||
|
hashistack_ca_action: "root_ca,int_ca,leaf_cert,renew_root,"
|
||||||
|
hashistack_ca_directory: "{{ hashistack_sub_configuration_directories['certificates'] }}"
|
||||||
|
hashistack_ca_directory_owner: "{{ lookup('env', 'USER') }}"
|
||||||
|
hashistack_ca_domain: ednz.lab
|
||||||
|
hashistack_ca_intermediate_name_constraints_critical: false
|
||||||
|
|
||||||
##########################
|
##########################
|
||||||
# General options ########
|
# General options ########
|
||||||
##########################
|
##########################
|
||||||
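Review bot: `hashistack_ca_action: "root_ca,int_ca,leaf_cert,renew_root,"` ends with a trailing comma, so splitting on `,` yields an empty fifth action; whether the role ignores that or treats it as an unknown action is not visible in this compare, so I would drop it: `hashistack_ca_action: "root_ca,int_ca,leaf_cert,renew_root"`. The new `hashistack_ca.yml` defaults in this compare use the same single-string form (`"noop"`), which suggests the value is parsed as a list of action names. Separately, `hashistack_ca_intermediate_name_constraints_critical: false` makes the intermediate's name constraints advisory, since a verifier that does not implement the extension may ignore a non-critical one; if this scenario is meant to prove that leaf certificates stay inside `ednz.lab`, set it to `true`, or add a comment stating why the non-critical form is intended.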
@ -9,7 +17,7 @@
|
|||||||
# enable_nomad: "yes"
|
# enable_nomad: "yes"
|
||||||
|
|
||||||
# haproxy_version: "2.8"
|
# haproxy_version: "2.8"
|
||||||
# nomad_version: "1.8.1"
|
nomad_version: "1.8.2"
|
||||||
# consul_version: "1.18.1"
|
# consul_version: "1.18.1"
|
||||||
# vault_version: "1.16.2"
|
# vault_version: "1.16.2"
|
||||||
|
|
||||||
@ -264,16 +272,16 @@ vault_enable_tls: true
|
|||||||
######################
|
######################
|
||||||
|
|
||||||
nomad_enable_tls: true
|
nomad_enable_tls: true
|
||||||
nomad_tls_configuration:
|
# nomad_tls_configuration:
|
||||||
http: true
|
# http: true
|
||||||
rpc: true
|
# rpc: true
|
||||||
ca_file: "/etc/ssl/certs/ca-certificates.crt"
|
# ca_file: "/etc/ssl/certs/ca-certificates.crt"
|
||||||
cert_file: "{{ nomad_certificates_directory }}/cert.pem"
|
# cert_file: "{{ nomad_certificates_directory }}/cert.pem"
|
||||||
key_file: "{{ nomad_certificates_directory }}/key.pem"
|
# key_file: "{{ nomad_certificates_directory }}/key.pem"
|
||||||
verify_server_hostname: true
|
# verify_server_hostname: true
|
||||||
# nomad_certificates_directory: "{{ hashicorp_nomad_config_dir }}/tls"
|
# nomad_certificates_directory: "{{ hashicorp_nomad_config_dir }}/tls"
|
||||||
# nomad_certificates_extra_files_dir:
|
# nomad_certificates_extra_files_dir:
|
||||||
# - src: "{{ sub_configuration_directories['certificates'] }}/nomad/{{ inventory_hostname }}"
|
# - src: "{{ hashistack_sub_configuration_directories['certificates'] }}/nomad/{{ inventory_hostname }}"
|
||||||
# dest: "{{ nomad_certificates_directory }}"
|
# dest: "{{ nomad_certificates_directory }}"
|
||||||
|
|
||||||
#############################
|
#############################
|
||||||
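Review bot: `nomad_enable_tls: true` is kept while the entire `nomad_tls_configuration` block beneath it, including `verify_server_hostname: true`, is commented out, so the scenario now turns TLS on with whatever the role default provides instead of asserting a known-good configuration. The `group_vars/all/nomad.yml` hunk in this same compare appears to delete its `nomad_tls_configuration` as well, so the effective value comes from outside this diff; I would confirm that default still sets `verify_server_hostname: true` and `http`/`rpc` to `true`, or keep an explicit override here. If relying on the default is intentional, a comment above `nomad_enable_tls` such as `# TLS settings come from the role defaults; only the enable flag is overridden here` would make that visible to the next reader.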
|
@ -0,0 +1,8 @@
|
|||||||
|
---
|
||||||
|
nomad_client_configuration:
|
||||||
|
enabled: "{{ nomad_enable_client }}"
|
||||||
|
state_dir: "{{ nomad_data_dir }}/client"
|
||||||
|
cni_path: "{{ cni_plugins_install_path | default('/opt/cni/bin') }}"
|
||||||
|
bridge_network_name: nomad
|
||||||
|
bridge_network_subnet: "172.26.64.0/20"
|
||||||
|
node_pool: ingress
|
Binary file not shown.
@ -8,7 +8,7 @@ driver:
|
|||||||
provider:
|
provider:
|
||||||
name: libvirt
|
name: libvirt
|
||||||
platforms:
|
platforms:
|
||||||
- name: proxy01
|
- name: proxy01.ednz.lab
|
||||||
box: generic/${MOLECULE_TEST_OS}
|
box: generic/${MOLECULE_TEST_OS}
|
||||||
cpus: 2
|
cpus: 2
|
||||||
memory: 2048
|
memory: 2048
|
||||||
@ -20,8 +20,9 @@ platforms:
|
|||||||
groups:
|
groups:
|
||||||
- common
|
- common
|
||||||
- haproxy_servers
|
- haproxy_servers
|
||||||
|
- nomad_clients
|
||||||
- consul_agents
|
- consul_agents
|
||||||
- name: proxy02
|
- name: proxy02.ednz.lab
|
||||||
box: generic/${MOLECULE_TEST_OS}
|
box: generic/${MOLECULE_TEST_OS}
|
||||||
cpus: 2
|
cpus: 2
|
||||||
memory: 2048
|
memory: 2048
|
||||||
@ -33,8 +34,9 @@ platforms:
|
|||||||
groups:
|
groups:
|
||||||
- common
|
- common
|
||||||
- haproxy_servers
|
- haproxy_servers
|
||||||
|
- nomad_clients
|
||||||
- consul_agents
|
- consul_agents
|
||||||
- name: hashistack01
|
- name: hashistack01.ednz.lab
|
||||||
box: generic/${MOLECULE_TEST_OS}
|
box: generic/${MOLECULE_TEST_OS}
|
||||||
cpus: 4
|
cpus: 4
|
||||||
memory: 2048
|
memory: 2048
|
||||||
@ -48,7 +50,7 @@ platforms:
|
|||||||
- vault_servers
|
- vault_servers
|
||||||
- consul_servers
|
- consul_servers
|
||||||
- nomad_servers
|
- nomad_servers
|
||||||
- name: hashistack02
|
- name: hashistack02.ednz.lab
|
||||||
box: generic/${MOLECULE_TEST_OS}
|
box: generic/${MOLECULE_TEST_OS}
|
||||||
cpus: 4
|
cpus: 4
|
||||||
memory: 2048
|
memory: 2048
|
||||||
@ -62,7 +64,7 @@ platforms:
|
|||||||
- vault_servers
|
- vault_servers
|
||||||
- consul_servers
|
- consul_servers
|
||||||
- nomad_servers
|
- nomad_servers
|
||||||
- name: hashistack03
|
- name: hashistack03.ednz.lab
|
||||||
box: generic/${MOLECULE_TEST_OS}
|
box: generic/${MOLECULE_TEST_OS}
|
||||||
cpus: 4
|
cpus: 4
|
||||||
memory: 2048
|
memory: 2048
|
||||||
@ -76,7 +78,7 @@ platforms:
|
|||||||
- vault_servers
|
- vault_servers
|
||||||
- consul_servers
|
- consul_servers
|
||||||
- nomad_servers
|
- nomad_servers
|
||||||
- name: hashistack04
|
- name: hashistack04.ednz.lab
|
||||||
box: generic/${MOLECULE_TEST_OS}
|
box: generic/${MOLECULE_TEST_OS}
|
||||||
cpus: 4
|
cpus: 4
|
||||||
memory: 2048
|
memory: 2048
|
||||||
|
@ -2,9 +2,6 @@
|
|||||||
- name: Include certificate generation playbook
|
- name: Include certificate generation playbook
|
||||||
ansible.builtin.import_playbook: ednz_cloud.hashistack.generate_certs.yml
|
ansible.builtin.import_playbook: ednz_cloud.hashistack.generate_certs.yml
|
||||||
|
|
||||||
# - name: Include credentials generation playbook
|
|
||||||
# ansible.builtin.import_playbook: ednz_cloud.hashistack.generate_credentials.yml
|
|
||||||
|
|
||||||
- name: Include bootstrap playbook
|
- name: Include bootstrap playbook
|
||||||
ansible.builtin.import_playbook: ednz_cloud.hashistack.bootstrap.yml
|
ansible.builtin.import_playbook: ednz_cloud.hashistack.bootstrap.yml
|
||||||
|
|
||||||
|
@ -5,9 +5,6 @@ roles:
|
|||||||
- name: ednz_cloud.manage_apt_packages
|
- name: ednz_cloud.manage_apt_packages
|
||||||
- name: ednz_cloud.manage_pip_packages
|
- name: ednz_cloud.manage_pip_packages
|
||||||
- name: ednz_cloud.install_docker
|
- name: ednz_cloud.install_docker
|
||||||
- name: ednz_cloud.docker_systemd_service
|
|
||||||
# - name: ednz_cloud.deploy_haproxy
|
|
||||||
# - name: ednz_cloud.deploy_keepalived
|
|
||||||
|
|
||||||
collections:
|
collections:
|
||||||
- name: ednz_cloud.hashistack
|
- name: ednz_cloud.hashistack
|
||||||
|
@ -5,25 +5,19 @@
|
|||||||
|
|
||||||
manage_pip_packages_allow_break_system_packages: "{{ ansible_distribution == 'Debian' and ansible_distribution_version == '12' }}"
|
manage_pip_packages_allow_break_system_packages: "{{ ansible_distribution == 'Debian' and ansible_distribution_version == '12' }}"
|
||||||
|
|
||||||
configuration_directory: "{{ lookup('env', 'PWD') }}/etc/hashistack"
|
hashistack_configuration_directory: "{{ lookup('env', 'PWD') }}/etc/hashistack"
|
||||||
sub_configuration_directories:
|
hashistack_sub_configuration_directories:
|
||||||
secrets: "{{ configuration_directory }}/secrets"
|
secrets: "{{ hashistack_configuration_directory }}/secrets"
|
||||||
certificates: "{{ configuration_directory }}/certificates"
|
certificates: "{{ hashistack_configuration_directory }}/certificates"
|
||||||
nomad_servers: "{{ configuration_directory }}/nomad_servers"
|
nomad_servers: "{{ hashistack_configuration_directory }}/nomad_servers"
|
||||||
vault_servers: "{{ configuration_directory }}/vault_servers"
|
vault_servers: "{{ hashistack_configuration_directory }}/vault_servers"
|
||||||
consul_servers: "{{ configuration_directory }}/consul_servers"
|
consul_servers: "{{ hashistack_configuration_directory }}/consul_servers"
|
||||||
|
|
||||||
configuration_global_vars_file: "globals.yml"
|
hashistack_configuration_global_vars_file: "globals.yml"
|
||||||
configuration_credentials_vars_file: "credentials.yml"
|
hashistack_configuration_credentials_vars_file: "credentials.yml"
|
||||||
|
|
||||||
hashistack_remote_config_dir: "/etc/hashistack"
|
hashistack_remote_config_dir: "/etc/hashistack"
|
||||||
hashistack_remote_data_dir: "/opt/hashistack"
|
hashistack_remote_log_dir: "/var/log/hashistack"
|
||||||
hashistack_remote_log_dir: /var/log/hashistack
|
|
||||||
|
|
||||||
default_container_extra_volumes:
|
|
||||||
- "/etc/timezone:/etc/timezone"
|
|
||||||
- "/etc/localtime:/etc/localtime"
|
|
||||||
- "/etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt:ro"
|
|
||||||
|
|
||||||
###################
|
###################
|
||||||
# support options #
|
# support options #
|
||||||
|
4
playbooks/group_vars/all/cni.yml
Normal file
4
playbooks/group_vars/all/cni.yml
Normal file
@ -0,0 +1,4 @@
|
|||||||
|
---
|
||||||
|
cni_plugins_version: "v1.5.1"
|
||||||
|
cni_plugins_install_path: /opt/cni/bin
|
||||||
|
cni_plugins_install_consul_cni: true
|
@ -1,10 +1,4 @@
|
|||||||
---
|
---
|
||||||
#####################################################
|
|
||||||
# #
|
|
||||||
# Non-Editable #
|
|
||||||
# #
|
|
||||||
#####################################################
|
|
||||||
|
|
||||||
consul_init_server: "{{ (inventory_hostname == groups['consul_servers'][0]) | bool }}"
|
consul_init_server: "{{ (inventory_hostname == groups['consul_servers'][0]) | bool }}"
|
||||||
|
|
||||||
#####################
|
#####################
|
||||||
@ -16,36 +10,106 @@ consul_api_scheme: "{{ 'https' if consul_enable_tls else 'http' }}"
|
|||||||
consul_api_port:
|
consul_api_port:
|
||||||
http: 8500
|
http: 8500
|
||||||
https: 8501
|
https: 8501
|
||||||
|
consul_grpc_port:
|
||||||
|
http: 8502
|
||||||
|
https: 8503
|
||||||
|
|
||||||
##########################
|
##########
|
||||||
# consul haproxy backend #
|
# Consul #
|
||||||
##########################
|
##########
|
||||||
|
|
||||||
consul_haproxy_frontend_options:
|
consul_config_dir: "{{ hashistack_remote_config_dir }}/consul.d"
|
||||||
- acl is_consul hdr(host) -i {{ consul_fqdn }}
|
consul_data_dir: "/opt/consul"
|
||||||
- use_backend consul_external if is_consul
|
consul_certs_dir: "{{ consul_config_dir }}/tls"
|
||||||
|
consul_logs_dir: "{{ hashistack_remote_log_dir }}/consul"
|
||||||
|
|
||||||
consul_haproxy_backends:
|
consul_envoy_install: false
|
||||||
- name: consul_external
|
consul_envoy_version: latest
|
||||||
options: "{{ consul_external_backend_options + consul_external_backend_servers }}"
|
|
||||||
|
|
||||||
consul_external_backend_options:
|
consul_extra_files: true
|
||||||
- description consul external http backend
|
# consul_extra_files_list: []
|
||||||
- option forwardfor
|
|
||||||
- option httpchk
|
|
||||||
- http-check send meth GET uri /
|
|
||||||
- default-server inter 2s fastinter 1s downinter 1s
|
|
||||||
|
|
||||||
consul_external_backend_servers: |
|
consul_env_variables: {}
|
||||||
[
|
|
||||||
{% for host in groups['consul_servers'] %}
|
|
||||||
'server consul-{{ hostvars[host].api_interface_address }} {{ hostvars[host].api_interface_address }}:{{ hostvars[host].consul_api_port[consul_api_scheme] }} check {{ 'ssl verify none ' if consul_enable_tls }}inter 5s'{% if not loop.last %},{% endif %}
|
|
||||||
{% endfor %}
|
|
||||||
]
|
|
||||||
|
|
||||||
############################
|
#######################
|
||||||
# consul ACL configuration #
|
# extra configuration #
|
||||||
############################
|
#######################
|
||||||
|
|
||||||
|
# You should prioritize adding configuration
|
||||||
|
# to the configuration entries below, this
|
||||||
|
# option should be used to add pieces of configuration not
|
||||||
|
# available through standard variables.
|
||||||
|
|
||||||
|
# consul_extra_configuration: {}
|
||||||
|
|
||||||
|
###########
|
||||||
|
# general #
|
||||||
|
###########
|
||||||
|
|
||||||
|
# consul_domain: consul
|
||||||
|
# consul_datacenter: dc1
|
||||||
|
# consul_primary_datacenter: "{{ consul_datacenter }}"
|
||||||
|
# consul_gossip_encryption_key: "{{ _credentials.consul.gossip_encryption_key }}"
|
||||||
|
# consul_enable_script_checks: false
|
||||||
|
|
||||||
|
#######################
|
||||||
|
# leave configuration #
|
||||||
|
#######################
|
||||||
|
|
||||||
|
consul_leave_on_terminate: true
|
||||||
|
consul_rejoin_after_leave: true
|
||||||
|
|
||||||
|
######################
|
||||||
|
# join configuration #
|
||||||
|
######################
|
||||||
|
|
||||||
|
consul_join_configuration:
|
||||||
|
retry_join: |
|
||||||
|
{{
|
||||||
|
groups['consul_servers'] |
|
||||||
|
map('extract', hostvars, ['consul_address_configuration', 'bind_addr']) |
|
||||||
|
list |
|
||||||
|
to_json |
|
||||||
|
from_json
|
||||||
|
}}
|
||||||
|
retry_interval: 30s
|
||||||
|
retry_max: 0
|
||||||
|
|
||||||
|
########################
|
||||||
|
# server configuration #
|
||||||
|
########################
|
||||||
|
|
||||||
|
consul_enable_server: "{{ 'consul_servers' in group_names }}"
|
||||||
|
consul_bootstrap_expect: "{{ (groups['consul_servers'] | length) }}"
|
||||||
|
|
||||||
|
####################
|
||||||
|
# ui configuration #
|
||||||
|
####################
|
||||||
|
|
||||||
|
consul_ui_configuration:
|
||||||
|
enabled: "{{ consul_enable_server }}"
|
||||||
|
|
||||||
|
#########################
|
||||||
|
# address configuration #
|
||||||
|
#########################
|
||||||
|
|
||||||
|
consul_bind_addr: "0.0.0.0"
|
||||||
|
consul_advertise_addr: "{{ api_interface_address }}"
|
||||||
|
consul_address_configuration:
|
||||||
|
client_addr: "{{ consul_bind_addr }}"
|
||||||
|
bind_addr: "{{ consul_advertise_addr }}"
|
||||||
|
advertise_addr: "{{ consul_advertise_addr }}"
|
||||||
|
|
||||||
|
#####################
|
||||||
|
# ACL configuration #
|
||||||
|
#####################
|
||||||
|
|
||||||
|
consul_acl_configuration:
|
||||||
|
enabled: true
|
||||||
|
default_policy: "deny"
|
||||||
|
enable_token_persistence: true
|
||||||
|
tokens:
|
||||||
|
agent: "{{ _credentials.consul.tokens.agent.secret_id }}"
|
||||||
|
|
||||||
consul_default_agent_policy: |
|
consul_default_agent_policy: |
|
||||||
node_prefix "" {
|
node_prefix "" {
|
||||||
@ -55,84 +119,56 @@ consul_default_agent_policy: |
|
|||||||
policy = "read"
|
policy = "read"
|
||||||
}
|
}
|
||||||
|
|
||||||
#######################
|
##############################
|
||||||
# consul internal tls #
|
# service mesh configuration #
|
||||||
#######################
|
##############################
|
||||||
|
|
||||||
|
consul_mesh_configuration:
|
||||||
|
enabled: true
|
||||||
|
|
||||||
|
#####################
|
||||||
|
# DNS configuration #
|
||||||
|
#####################
|
||||||
|
|
||||||
|
consul_dns_configuration:
|
||||||
|
allow_stale: true
|
||||||
|
enable_truncate: true
|
||||||
|
only_passing: true
|
||||||
|
|
||||||
|
################
|
||||||
|
# internal tls #
|
||||||
|
################
|
||||||
|
|
||||||
|
# consul_enable_tls: false
|
||||||
|
consul_tls_configuration:
|
||||||
|
defaults:
|
||||||
|
ca_file: "/etc/ssl/certs/ca-certificates.crt"
|
||||||
|
cert_file: "{{ consul_certs_dir }}/fullchain.crt"
|
||||||
|
key_file: "{{ consul_certs_dir }}/cert.key"
|
||||||
|
verify_incoming: false
|
||||||
|
verify_outgoing: true
|
||||||
|
internal_rpc:
|
||||||
|
verify_server_hostname: true
|
||||||
|
|
||||||
consul_certificates_directory: "{{ hashicorp_consul_config_dir }}/tls"
|
|
||||||
consul_certificates_extra_files_dir:
|
consul_certificates_extra_files_dir:
|
||||||
- src: "{{ sub_configuration_directories['certificates'] }}/consul/{{ inventory_hostname }}"
|
- src: "{{ hashistack_sub_configuration_directories['certificates'] }}/consul/{{ inventory_hostname }}"
|
||||||
dest: "{{ consul_certificates_directory }}"
|
dest: "{{ consul_certs_dir }}"
|
||||||
|
|
||||||
##################
|
###########################
|
||||||
# consul logging #
|
# telemetry configuration #
|
||||||
##################
|
###########################
|
||||||
|
|
||||||
|
consul_enable_prometheus_metrics: false
|
||||||
|
consul_prometheus_retention_time: 60s
|
||||||
|
consul_telemetry_configuration: {}
|
||||||
|
|
||||||
|
###########
|
||||||
|
# logging #
|
||||||
|
###########
|
||||||
|
|
||||||
|
# consul_log_level: info
|
||||||
consul_enable_log_to_file: "{{ enable_log_to_file | bool }}"
|
consul_enable_log_to_file: "{{ enable_log_to_file | bool }}"
|
||||||
consul_logging_configuration:
|
consul_log_to_file_configuration:
|
||||||
log_file: "{{ hashistack_remote_log_dir }}/consul/consul.log"
|
log_file: "{{ consul_logs_dir }}/consul.log"
|
||||||
log_level: info
|
|
||||||
log_rotate_duration: 24h
|
log_rotate_duration: 24h
|
||||||
log_rotate_max_files: 30
|
log_rotate_max_files: 30
|
||||||
|
|
||||||
#########################
|
|
||||||
# consul role variables #
|
|
||||||
#########################
|
|
||||||
|
|
||||||
hashicorp_consul_start_service: true
|
|
||||||
hashicorp_consul_service_name: "consul"
|
|
||||||
hashicorp_consul_version: "{{ consul_version }}"
|
|
||||||
hashicorp_consul_env_variables: {}
|
|
||||||
hashicorp_consul_config_dir: "{{ hashistack_remote_config_dir }}/consul.d"
|
|
||||||
hashicorp_consul_data_dir: "{{ hashistack_remote_data_dir }}/consul"
|
|
||||||
hashicorp_consul_extra_files: true
|
|
||||||
hashicorp_consul_extra_files_list: "{{ ([] +
|
|
||||||
(consul_certificates_extra_files_dir if consul_enable_tls else []) +
|
|
||||||
consul_extra_files_list)
|
|
||||||
| unique
|
|
||||||
| sort
|
|
||||||
}}"
|
|
||||||
hashicorp_consul_envoy_install: false
|
|
||||||
hashicorp_consul_envoy_version: v1.27.2
|
|
||||||
hashicorp_consul_configuration:
|
|
||||||
domain: "{{ consul_domain }}"
|
|
||||||
datacenter: "{{ consul_datacenter }}"
|
|
||||||
primary_datacenter: "{{ consul_primary_datacenter }}"
|
|
||||||
data_dir: "{{ hashicorp_consul_data_dir }}"
|
|
||||||
encrypt: "{{ _credentials.consul.gossip_encryption_key }}"
|
|
||||||
server: "{{ 'consul_servers' in group_names }}"
|
|
||||||
retry_join: "{{
|
|
||||||
groups['consul_servers'] |
|
|
||||||
map('extract', hostvars, ['consul_address_configuration', 'bind_addr']) |
|
|
||||||
list |
|
|
||||||
to_json |
|
|
||||||
from_json
|
|
||||||
}}"
|
|
||||||
ui_config: "{{ consul_ui_configuration }}"
|
|
||||||
connect: "{{ consul_mesh_configuration }}"
|
|
||||||
leave_on_terminate: "{{ consul_leave_on_terminate }}"
|
|
||||||
rejoin_after_leave: "{{ consul_rejoin_after_leave }}"
|
|
||||||
enable_script_checks: "{{ consul_enable_script_checks }}"
|
|
||||||
enable_syslog: true
|
|
||||||
acl: "{{ consul_acl_configuration }}"
|
|
||||||
dns_config: "{{ consul_dns_configuration }}"
|
|
||||||
ports:
|
|
||||||
dns: 8600
|
|
||||||
server: 8300
|
|
||||||
serf_lan: 8301
|
|
||||||
serf_wan: 8302
|
|
||||||
sidecar_min_port: 21000
|
|
||||||
sidecar_max_port: 21255
|
|
||||||
expose_min_port: 21500
|
|
||||||
expose_max_port: 21755
|
|
||||||
|
|
||||||
# this is used to circumvent jinja limitation to convert string to integer
|
|
||||||
hashicorp_consul_configuration_string: |
|
|
||||||
ports:
|
|
||||||
http: {{ (consul_api_port.http|int) if not consul_enable_tls else ('-1' | int) }}
|
|
||||||
https: {{ (consul_api_port.https|int) if consul_enable_tls else ('-1' | int) }}
|
|
||||||
grpc: {{ ('8502'|int) if not consul_enable_tls else ('-1' | int) }}
|
|
||||||
grpc_tls: {{ ('8503'|int) if consul_enable_tls else ('-1' | int) }}
|
|
||||||
|
|
||||||
hashicorp_consul_servers_configuration_string: |
|
|
||||||
bootstrap_expect: {{ (groups['consul_servers'] | length) }}
|
|
||||||
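Review bot: `consul_tls_configuration.defaults.ca_file` points at `/etc/ssl/certs/ca-certificates.crt`, the OS trust store, together with `verify_outgoing: true` and `verify_incoming: false`; with the public bundle as trust anchor, outgoing verification accepts any certificate chaining to any public CA, and incoming RPC connections present no certificate at all, leaving the ACL token as the only gate. Since this compare also introduces the `hashistack_ca_*` root/intermediate CA and copies per-host certificates into `consul_certs_dir`, the trust anchor should be that private chain (a CA file placed under `{{ consul_certs_dir }}` next to `fullchain.crt`; exact name to be confirmed against the CA playbook), with `internal_rpc.verify_incoming: true` once agents hold certificates so the HTTPS API can keep token-only auth. The earlier hunk of this file also replaces the pinned `hashicorp_consul_envoy_version: v1.27.2` with `consul_envoy_version: latest`; a floating `latest` for a binary on the data path is not reproducible and should stay pinned to a release the Consul version supports. Finally, `consul_bootstrap_expect: "{{ (groups['consul_servers'] | length) }}"` drops the string-template workaround the old file kept for integer conversion; unless the templating step coerces it, Consul receives `"3"` rather than `3`, which is worth checking in the rendered config.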
|
@ -1,14 +1,13 @@
|
|||||||
---
|
---
|
||||||
##########################
|
###################
|
||||||
# General options ########
|
# General options #
|
||||||
##########################
|
###################
|
||||||
|
|
||||||
enable_haproxy: "yes"
|
enable_ingress: "yes"
|
||||||
enable_vault: "yes"
|
enable_vault: "yes"
|
||||||
enable_consul: "yes"
|
enable_consul: "yes"
|
||||||
enable_nomad: "yes"
|
enable_nomad: "yes"
|
||||||
|
|
||||||
haproxy_version: "2.8"
|
|
||||||
nomad_version: "1.8.1"
|
nomad_version: "1.8.1"
|
||||||
consul_version: "1.18.1"
|
consul_version: "1.18.1"
|
||||||
vault_version: "1.16.2"
|
vault_version: "1.16.2"
|
||||||
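Review bot: `enable_ingress: "yes"` keeps the quoted-string-as-boolean form of the `enable_*` flags (the other three are context, not new), which only works because every consumer remembers `| bool` (for example `vault_enable_service_registration: "{{ enable_consul | bool }}"` further down); a new flag is a good moment to write `enable_ingress: true` and let the others follow. In the next hunk all four `hashistack_*_vip_*` lines are commented out while ingress stays enabled; whether the ingress role still needs an address to bind is not visible here, so I would confirm nothing downstream reads `hashistack_external_vip_addr` before it disappears from the defaults.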
@ -17,10 +16,10 @@ consul_fqdn: consul.ednz.lab
|
|||||||
vault_fqdn: vault.ednz.lab
|
vault_fqdn: vault.ednz.lab
|
||||||
nomad_fqdn: nomad.ednz.lab
|
nomad_fqdn: nomad.ednz.lab
|
||||||
|
|
||||||
hashistack_external_vip_interface: "eth0"
|
# hashistack_external_vip_interface: "eth0"
|
||||||
hashistack_external_vip_addr: "192.168.121.100"
|
# hashistack_external_vip_addr: "192.168.121.100"
|
||||||
hashistack_internal_vip_interface: "{{ hashistack_external_vip_interface }}"
|
# hashistack_internal_vip_interface: "{{ hashistack_external_vip_interface }}"
|
||||||
hashistack_internal_vip_addr: "{{ hashistack_external_vip_addr }}"
|
# hashistack_internal_vip_addr: "{{ hashistack_external_vip_addr }}"
|
||||||
|
|
||||||
api_interface: "eth0"
|
api_interface: "eth0"
|
||||||
api_interface_address: "{{ ansible_facts[api_interface]['ipv4']['address'] }}"
|
api_interface_address: "{{ ansible_facts[api_interface]['ipv4']['address'] }}"
|
||||||
@ -38,208 +37,56 @@ enable_log_to_file: true
|
|||||||
enable_tls_external: false
|
enable_tls_external: false
|
||||||
external_tls_externally_managed_certs: false
|
external_tls_externally_managed_certs: false
|
||||||
|
|
||||||
#####################################################
|
##########
|
||||||
# #
|
|
||||||
# Consul #
|
# Consul #
|
||||||
# #
|
##########
|
||||||
#####################################################
|
|
||||||
|
|
||||||
consul_domain: consul
|
consul_domain: consul
|
||||||
consul_datacenter: dc1
|
consul_datacenter: dc1
|
||||||
consul_primary_datacenter: "{{ consul_datacenter }}"
|
consul_primary_datacenter: "{{ consul_datacenter }}"
|
||||||
consul_leave_on_terminate: true
|
consul_gossip_encryption_key: "{{ _credentials.consul.gossip_encryption_key }}"
|
||||||
consul_rejoin_after_leave: true
|
consul_enable_script_checks: false
|
||||||
consul_enable_script_checks: true
|
|
||||||
|
|
||||||
################################
|
consul_extra_files_list: []
|
||||||
# consul address configuration #
|
consul_extra_configuration: {}
|
||||||
################################
|
|
||||||
|
|
||||||
consul_address_configuration:
|
|
||||||
client_addr: "0.0.0.0"
|
|
||||||
bind_addr: "{{ api_interface_address }}"
|
|
||||||
advertise_addr: "{{ api_interface_address }}"
|
|
||||||
|
|
||||||
############################
|
|
||||||
# consul ACL configuration #
|
|
||||||
############################
|
|
||||||
|
|
||||||
consul_acl_configuration:
|
|
||||||
enabled: true
|
|
||||||
default_policy: "deny" # can be allow or deny
|
|
||||||
enable_token_persistence: true
|
|
||||||
|
|
||||||
############################
|
|
||||||
# consul DNS configuration #
|
|
||||||
############################
|
|
||||||
|
|
||||||
consul_dns_configuration:
|
|
||||||
allow_stale: true
|
|
||||||
enable_truncate: true
|
|
||||||
only_passing: true
|
|
||||||
|
|
||||||
###########################
|
|
||||||
# consul ui configuration #
|
|
||||||
###########################
|
|
||||||
|
|
||||||
consul_ui_configuration:
|
|
||||||
enabled: "{{ 'consul_servers' in group_names }}"
|
|
||||||
|
|
||||||
#####################################
|
|
||||||
# consul service mesh configuration #
|
|
||||||
#####################################
|
|
||||||
|
|
||||||
consul_mesh_configuration:
|
|
||||||
enabled: true
|
|
||||||
|
|
||||||
############################
|
|
||||||
# consul tls configuration #
|
|
||||||
############################
|
|
||||||
|
|
||||||
consul_enable_tls: false
|
consul_enable_tls: false
|
||||||
consul_tls_configuration:
|
|
||||||
defaults:
|
|
||||||
ca_file: "/etc/ssl/certs/ca-certificates.crt"
|
|
||||||
cert_file: "{{ consul_certificates_directory }}/cert.pem"
|
|
||||||
key_file: "{{ consul_certificates_directory }}/key.pem"
|
|
||||||
verify_incoming: false
|
|
||||||
verify_outgoing: true
|
|
||||||
internal_rpc:
|
|
||||||
verify_server_hostname: true
|
|
||||||
|
|
||||||
############################
|
consul_log_level: info
|
||||||
# consul container volumes #
|
|
||||||
############################
|
|
||||||
|
|
||||||
extra_consul_container_volumes: []
|
#########
|
||||||
|
|
||||||
##############################
|
|
||||||
# consul extra configuration #
|
|
||||||
##############################
|
|
||||||
|
|
||||||
consul_extra_configuration: {}
|
|
||||||
consul_extra_files_list: []
|
|
||||||
|
|
||||||
#####################################################
|
|
||||||
# #
|
|
||||||
# Vault #
|
# Vault #
|
||||||
# #
|
#########
|
||||||
#####################################################
|
|
||||||
|
|
||||||
vault_cluster_name: vault
|
vault_cluster_name: vault
|
||||||
|
vault_bind_addr: "0.0.0.0"
|
||||||
|
vault_cluster_addr: "{{ api_interface_address }}"
|
||||||
vault_enable_ui: true
|
vault_enable_ui: true
|
||||||
vault_seal_configuration:
|
vault_disable_mlock: false
|
||||||
key_shares: 3
|
vault_disable_cache: false
|
||||||
key_threshold: 2
|
|
||||||
|
|
||||||
#################
|
vault_extra_files_list: []
|
||||||
# vault storage #
|
vault_extra_configuration: {}
|
||||||
#################
|
|
||||||
|
|
||||||
vault_storage_configuration:
|
|
||||||
raft:
|
|
||||||
path: "{{ hashicorp_vault_data_dir }}"
|
|
||||||
node_id: "{{ ansible_hostname }}"
|
|
||||||
retry_join: |
|
|
||||||
[
|
|
||||||
{% for host in groups['vault_servers'] %}
|
|
||||||
{
|
|
||||||
'leader_api_addr': '{{ "https" if vault_enable_tls else "http"}}://{{ hostvars[host].api_interface_address }}:8200'
|
|
||||||
}{% if not loop.last %},{% endif %}
|
|
||||||
{% endfor %}
|
|
||||||
]
|
|
||||||
|
|
||||||
##################
|
|
||||||
# vault listener #
|
|
||||||
##################
|
|
||||||
|
|
||||||
vault_enable_tls: false
|
vault_enable_tls: false
|
||||||
vault_tls_verify: false
|
|
||||||
vault_listener_configuration:
|
|
||||||
tcp:
|
|
||||||
address: "0.0.0.0:8200"
|
|
||||||
tls_disable: true
|
|
||||||
|
|
||||||
vault_tls_listener_configuration:
|
|
||||||
tcp:
|
|
||||||
tls_disable: false
|
|
||||||
tls_cert_file: "{{ vault_certificates_directory }}/cert.pem"
|
|
||||||
tls_key_file: "{{ vault_certificates_directory }}/key.pem"
|
|
||||||
tls_disable_client_certs: true
|
|
||||||
|
|
||||||
vault_extra_listener_configuration: {}
|
|
||||||
|
|
||||||
########################
|
|
||||||
# service registration #
|
|
||||||
########################
|
|
||||||
|
|
||||||
vault_enable_service_registration: "{{ enable_consul | bool }}"
|
vault_enable_service_registration: "{{ enable_consul | bool }}"
|
||||||
vault_service_registration_configuration:
|
|
||||||
consul:
|
|
||||||
address: "127.0.0.1:{{ hostvars[groups['consul_servers'][0]].consul_api_port[hostvars[groups['consul_servers'][0]].consul_api_scheme] }}"
|
|
||||||
scheme: "{{ hostvars[groups['consul_servers'][0]].consul_api_scheme }}"
|
|
||||||
token: "{{ _credentials.consul.tokens.vault.secret_id }}"
|
|
||||||
|
|
||||||
#################
|
|
||||||
# vault plugins #
|
|
||||||
#################
|
|
||||||
|
|
||||||
vault_enable_plugins: false
|
vault_enable_plugins: false
|
||||||
|
|
||||||
###########################
|
vault_log_level: info
|
||||||
# vault container volumes #
|
|
||||||
###########################
|
|
||||||
|
|
||||||
extra_vault_container_volumes: []
|
#########
|
||||||
|
|
||||||
#############################
|
|
||||||
# vault extra configuration #
|
|
||||||
#############################
|
|
||||||
|
|
||||||
vault_extra_configuration: {}
|
|
||||||
vault_extra_files_list: []
|
|
||||||
|
|
||||||
#####################################################
|
|
||||||
# #
|
|
||||||
# Nomad #
|
# Nomad #
|
||||||
# #
|
#########
|
||||||
#####################################################
|
|
||||||
|
|
||||||
nomad_datacenter: dc1
|
|
||||||
nomad_region: global
|
nomad_region: global
|
||||||
|
nomad_datacenter: dc1
|
||||||
|
|
||||||
###########################
|
nomad_extra_files_list: []
|
||||||
# nomad ACL configuration #
|
nomad_extra_configuration: {}
|
||||||
###########################
|
|
||||||
|
|
||||||
nomad_acl_configuration:
|
nomad_autopilot_configuration: {}
|
||||||
enabled: true
|
|
||||||
token_ttl: 30s
|
|
||||||
policy_ttl: 60s
|
|
||||||
role_ttl: 60s
|
|
||||||
|
|
||||||
############################
|
|
||||||
# nomad consul integration #
|
|
||||||
############################
|
|
||||||
|
|
||||||
nomad_enable_consul_integration: "{{ enable_consul | bool }}"
|
|
||||||
nomad_consul_integration_configuration:
|
|
||||||
address: "127.0.0.1:{{ hashicorp_consul_configuration.ports.https if consul_enable_tls else hashicorp_consul_configuration.ports.http }}"
|
|
||||||
auto_advertise: true
|
|
||||||
ssl: "{{ consul_enable_tls | bool }}"
|
|
||||||
token: "{{ _credentials.consul.tokens.nomad.server.secret_id if nomad_enable_server else _credentials.consul.tokens.nomad.client.secret_id}}"
|
|
||||||
tags: []
|
|
||||||
|
|
||||||
############################
|
|
||||||
# nomad vault integration #
|
|
||||||
############################
|
|
||||||
|
|
||||||
nomad_enable_vault_integration: false
|
|
||||||
nomad_vault_integration_configuration: {}
|
|
||||||
|
|
||||||
###############################
|
|
||||||
# nomad drivers configuration #
|
|
||||||
###############################
|
|
||||||
|
|
||||||
nomad_driver_enable_docker: true
|
nomad_driver_enable_docker: true
|
||||||
nomad_driver_enable_podman: false
|
nomad_driver_enable_podman: false
|
||||||
@ -249,22 +96,6 @@ nomad_driver_enable_qemu: false
|
|||||||
|
|
||||||
nomad_driver_extra_configuration: {}
|
nomad_driver_extra_configuration: {}
|
||||||
|
|
||||||
######################
|
nomad_log_level: info
|
||||||
# nomad internal tls #
|
|
||||||
######################
|
|
||||||
|
|
||||||
nomad_enable_tls: false
|
nomad_enable_tls: false
|
||||||
nomad_tls_configuration:
|
|
||||||
http: true
|
|
||||||
rpc: true
|
|
||||||
ca_file: "/etc/ssl/certs/ca-certificates.crt"
|
|
||||||
cert_file: "{{ nomad_certificates_directory }}/cert.pem"
|
|
||||||
key_file: "{{ nomad_certificates_directory }}/key.pem"
|
|
||||||
verify_server_hostname: true
|
|
||||||
|
|
||||||
#############################
|
|
||||||
# nomad extra configuration #
|
|
||||||
#############################
|
|
||||||
|
|
||||||
nomad_extra_configuration: {}
|
|
||||||
nomad_extra_files_list: []
|
|
||||||
|
@ -10,7 +10,7 @@ deploy_haproxy_version: "{{ haproxy_version }}"
|
|||||||
|
|
||||||
deploy_haproxy_env_variables: {}
|
deploy_haproxy_env_variables: {}
|
||||||
deploy_haproxy_start_service: true
|
deploy_haproxy_start_service: true
|
||||||
deploy_haproxy_cert_dir: "{{ sub_configuration_directories['certificates']~'/external' if (enable_tls_external and not external_tls_externally_managed_certs) }}"
|
deploy_haproxy_cert_dir: "{{ hashistack_sub_configuration_directories['certificates']~'/external' if (enable_tls_external and not external_tls_externally_managed_certs) }}"
|
||||||
deploy_haproxy_extra_container_volumes: []
|
deploy_haproxy_extra_container_volumes: []
|
||||||
deploy_haproxy_global:
|
deploy_haproxy_global:
|
||||||
- log /dev/log local0
|
- log /dev/log local0
|
||||||
|
130
playbooks/group_vars/all/hashistack_ca.yml
Normal file
130
playbooks/group_vars/all/hashistack_ca.yml
Normal file
@ -0,0 +1,130 @@
|
|||||||
|
---
|
||||||
|
# defaults
|
||||||
|
hashistack_ca_directory: "/etc/hashistack/certificates"
|
||||||
|
hashistack_ca_use_cryptography: false
|
||||||
|
hashistack_ca_action: "noop"
|
||||||
|
hashistack_ca_domain: example.com
|
||||||
|
hashistack_ca_directory_owner: root
|
||||||
|
|
||||||
|
##############################
|
||||||
|
# Root Certificate Authority #
|
||||||
|
##############################
|
||||||
|
hashistack_ca_root_org_name: EDNZ Cloud
|
||||||
|
hashistack_ca_root_country: FR
|
||||||
|
hashistack_ca_root_locality: Paris
|
||||||
|
hashistack_ca_root_common_name: "{{ hashistack_ca_domain }} Root CA"
|
||||||
|
hashistack_ca_root_email:
|
||||||
|
hashistack_ca_root_key_usage:
|
||||||
|
- keyCertSign
|
||||||
|
- cRLSign
|
||||||
|
hashistack_ca_root_key_usage_critical: true
|
||||||
|
hashistack_ca_root_basic_constraints:
|
||||||
|
- CA:TRUE
|
||||||
|
hashistack_ca_root_basic_constraints_critical: true
|
||||||
|
|
||||||
|
# Optional fields
|
||||||
|
hashistack_ca_root_state_or_province_name:
|
||||||
|
hashistack_ca_root_email_address:
|
||||||
|
|
||||||
|
# Validity
|
||||||
|
hashistack_ca_root_valid_for: 1825d
|
||||||
|
hashistack_ca_root_renew_threshold: 180d
|
||||||
|
|
||||||
|
######################################
|
||||||
|
# Intermediate Certificate Authority #
|
||||||
|
######################################
|
||||||
|
hashistack_ca_intermediate_org_name: EDNZ Cloud Intermediate
|
||||||
|
hashistack_ca_intermediate_country: FR
|
||||||
|
hashistack_ca_intermediate_locality: Paris
|
||||||
|
hashistack_ca_intermediate_common_name: "{{ hashistack_ca_domain }} Intermediate CA"
|
||||||
|
hashistack_ca_intermediate_email:
|
||||||
|
hashistack_ca_intermediate_key_usage:
|
||||||
|
- keyCertSign
|
||||||
|
- cRLSign
|
||||||
|
hashistack_ca_intermediate_key_usage_critical: true
|
||||||
|
hashistack_ca_intermediate_basic_constraints:
|
||||||
|
- CA:TRUE
|
||||||
|
- pathlen:0
|
||||||
|
hashistack_ca_intermediate_basic_constraints_critical: true
|
||||||
|
|
||||||
|
# Optional fields
|
||||||
|
hashistack_ca_intermediate_state_or_province_name:
|
||||||
|
hashistack_ca_intermediate_email_address:
|
||||||
|
|
||||||
|
# Validity
|
||||||
|
hashistack_ca_intermediate_valid_for: 365d
|
||||||
|
hashistack_ca_intermediate_renew_threshold: 90d
|
||||||
|
|
||||||
|
# Name Constraints
|
||||||
|
hashistack_ca_intermediate_name_constraints_permitted:
|
||||||
|
- "DNS:.{{ hashistack_ca_domain }}"
|
||||||
|
- DNS:.nomad
|
||||||
|
- DNS:.consul
|
||||||
|
- DNS:localhost
|
||||||
|
- IP:192.168.0.0/16
|
||||||
|
- IP:172.16.0.0/16
|
||||||
|
- IP:10.0.0.0/8
|
||||||
|
- IP:127.0.0.0/8
|
||||||
|
hashistack_ca_intermediate_name_constraints_critical: "{{ (hashistack_ca_intermediate_name_constraints_permitted is defined and hashistack_ca_intermediate_name_constraints_permitted | length > 0) }}"
|
||||||
|
|
||||||
|
#####################
|
||||||
|
# Leaf certificates #
|
||||||
|
#####################
|
||||||
|
|
||||||
|
hashistack_ca_leaf_valid_for: 90d
|
||||||
|
hashistack_ca_leaf_renew_threshold: 30d
|
||||||
|
|
||||||
|
############################
|
||||||
|
# Consul Leaf Certificates #
|
||||||
|
############################
|
||||||
|
hashistack_ca_consul_org_name: "{{ hashistack_ca_root_org_name }}"
|
||||||
|
hashistack_ca_consul_common_name: "{{ inventory_hostname }}"
|
||||||
|
hashistack_ca_consul_csr_sans: >-
|
||||||
|
{%- set sans_list = [
|
||||||
|
'DNS:' + inventory_hostname,
|
||||||
|
'DNS:consul.service.consul',
|
||||||
|
'DNS:localhost',
|
||||||
|
'IP:' + api_interface_address,
|
||||||
|
'IP:127.0.0.1'
|
||||||
|
] -%}
|
||||||
|
{%- if consul_enable_server -%}
|
||||||
|
{%- set _ = sans_list.append('DNS:server.' ~ consul_datacenter ~ '.' ~ consul_domain) -%}
|
||||||
|
{%- endif -%}
|
||||||
|
{{ sans_list }}
|
||||||
|
|
||||||
|
###########################
|
||||||
|
# Nomad Leaf Certificates #
|
||||||
|
###########################
|
||||||
|
hashistack_ca_nomad_org_name: "{{ hashistack_ca_root_org_name }}"
|
||||||
|
hashistack_ca_nomad_common_name: "{{ inventory_hostname }}"
|
||||||
|
hashistack_ca_nomad_csr_sans: >-
|
||||||
|
{%- set sans_list = [
|
||||||
|
'DNS:' + inventory_hostname,
|
||||||
|
'DNS:localhost',
|
||||||
|
'IP:' + api_interface_address,
|
||||||
|
'IP:127.0.0.1'
|
||||||
|
] -%}
|
||||||
|
{%- if nomad_enable_server -%}
|
||||||
|
{%- set _ = sans_list.append('DNS:server.' ~ nomad_region ~ '.nomad') -%}
|
||||||
|
{%- if (enable_consul | bool) -%}
|
||||||
|
{%- set _ = sans_list.append('DNS:nomad.service.consul') -%}
|
||||||
|
{%- endif -%}
|
||||||
|
{%- endif -%}
|
||||||
|
{%- if nomad_enable_client -%}
|
||||||
|
{%- set _ = sans_list.append('DNS:client.' ~ nomad_region ~ '.nomad') -%}
|
||||||
|
{%- endif -%}
|
||||||
|
{{ sans_list }}
|
||||||
|
|
||||||
|
###########################
|
||||||
|
# Vault Leaf Certificates #
|
||||||
|
###########################
|
||||||
|
hashistack_ca_vault_org_name: "{{ hashistack_ca_root_org_name }}"
|
||||||
|
hashistack_ca_vault_common_name: "{{ inventory_hostname }}"
|
||||||
|
hashistack_ca_vault_csr_sans:
|
||||||
|
- "DNS:{{ inventory_hostname }}"
|
||||||
|
- "DNS:active.vault.service.consul"
|
||||||
|
- "DNS:standby.vault.service.consul"
|
||||||
|
- "DNS:vault.service.consul"
|
||||||
|
- "DNS:localhost"
|
||||||
|
- "IP:{{ api_interface_address }}"
|
||||||
|
- "IP:127.0.0.1"
|
@ -1,10 +1,4 @@
|
|||||||
---
|
---
|
||||||
#####################################################
|
|
||||||
# #
|
|
||||||
# Non-Editable #
|
|
||||||
# #
|
|
||||||
#####################################################
|
|
||||||
|
|
||||||
nomad_init_server: "{{ (inventory_hostname == groups['nomad_servers'][0]) | bool }}"
|
nomad_init_server: "{{ (inventory_hostname == groups['nomad_servers'][0]) | bool }}"
|
||||||
|
|
||||||
####################
|
####################
|
||||||
@ -17,60 +11,183 @@ nomad_api_port:
|
|||||||
http: "{{ nomad_address_configuration.ports.http }}"
|
http: "{{ nomad_address_configuration.ports.http }}"
|
||||||
https: "{{ nomad_address_configuration.ports.http }}"
|
https: "{{ nomad_address_configuration.ports.http }}"
|
||||||
|
|
||||||
|
#########
|
||||||
|
# Nomad #
|
||||||
|
#########
|
||||||
|
|
||||||
|
nomad_config_dir: "{{ hashistack_remote_config_dir }}/nomad.d"
|
||||||
|
nomad_data_dir: "/opt/nomad"
|
||||||
|
nomad_certs_dir: "{{ nomad_config_dir }}/tls"
|
||||||
|
nomad_logs_dir: "{{ hashistack_remote_log_dir }}/nomad"
|
||||||
|
|
||||||
|
nomad_extra_files: true
|
||||||
|
# nomad_extra_files_list: []
|
||||||
|
|
||||||
|
nomad_env_variables: {}
|
||||||
|
|
||||||
|
#######################
|
||||||
|
# extra configuration #
|
||||||
|
#######################
|
||||||
|
|
||||||
|
# You should prioritize adding configuration
|
||||||
|
# to the configuration entries below, this
|
||||||
|
# option should be used to add pieces of configuration not
|
||||||
|
# available through standard variables.
|
||||||
|
|
||||||
|
# nomad_extra_configuration: {}
|
||||||
|
|
||||||
|
###########
|
||||||
|
# general #
|
||||||
|
###########
|
||||||
|
|
||||||
|
# nomad_region: global
|
||||||
|
# nomad_datacenter: dc1
|
||||||
|
|
||||||
#########################
|
#########################
|
||||||
# nomad haproxy backend #
|
# address configuration #
|
||||||
#########################
|
#########################
|
||||||
|
|
||||||
nomad_haproxy_frontend_options:
|
nomad_bind_addr: "0.0.0.0"
|
||||||
- acl is_nomad hdr(host) -i {{ nomad_fqdn }}
|
nomad_advertise_addr: "{{ api_interface_address }}"
|
||||||
- use_backend nomad_external if is_nomad
|
|
||||||
|
|
||||||
nomad_haproxy_backends:
|
|
||||||
- name: nomad_external
|
|
||||||
options: "{{ nomad_external_backend_options + nomad_external_backend_servers }}"
|
|
||||||
|
|
||||||
nomad_external_backend_options:
|
|
||||||
- description nomad external http backend
|
|
||||||
- option forwardfor
|
|
||||||
- option httpchk
|
|
||||||
- http-check send meth GET uri /
|
|
||||||
- default-server inter 2s fastinter 1s downinter 1s
|
|
||||||
|
|
||||||
nomad_external_backend_servers: |
|
|
||||||
[
|
|
||||||
{% for host in groups['nomad_servers'] %}
|
|
||||||
'server nomad-{{ hostvars[host].api_interface_address }} {{ hostvars[host].api_interface_address }}:{{ hostvars[host].nomad_api_port[nomad_api_scheme] }} check {{ 'ssl verify none ' if nomad_enable_tls }}inter 5s'{% if not loop.last %},{% endif %}
|
|
||||||
{% endfor %}
|
|
||||||
]
|
|
||||||
|
|
||||||
###############################
|
|
||||||
# nomad address configuration #
|
|
||||||
###############################
|
|
||||||
|
|
||||||
nomad_address_configuration:
|
nomad_address_configuration:
|
||||||
bind_addr: "{{ api_interface_address }}"
|
bind_addr: "{{ nomad_bind_addr }}"
|
||||||
addresses:
|
addresses:
|
||||||
http: "{{ api_interface_address }}"
|
http: "{{ nomad_advertise_addr }}"
|
||||||
rpc: "{{ api_interface_address }}"
|
rpc: "{{ nomad_advertise_addr }}"
|
||||||
serf: "{{ api_interface_address }}"
|
serf: "{{ nomad_advertise_addr }}"
|
||||||
advertise:
|
advertise:
|
||||||
http: "{{ api_interface_address }}"
|
http: "{{ nomad_advertise_addr }}"
|
||||||
rpc: "{{ api_interface_address }}"
|
rpc: "{{ nomad_advertise_addr }}"
|
||||||
serf: "{{ api_interface_address }}"
|
serf: "{{ nomad_advertise_addr }}"
|
||||||
ports:
|
ports:
|
||||||
http: 4646
|
http: 4646
|
||||||
rpc: 4647
|
rpc: 4647
|
||||||
serf: 4648
|
serf: 4648
|
||||||
|
|
||||||
#################################
|
###########################
|
||||||
# nomad autopilot configuration #
|
# autopilot configuration #
|
||||||
#################################
|
###########################
|
||||||
|
|
||||||
nomad_autopilot_configuration: {}
|
# nomad_autopilot_configuration: {}
|
||||||
|
|
||||||
############################
|
#######################
|
||||||
# nomad consul integration #
|
# leave configuration #
|
||||||
############################
|
#######################
|
||||||
|
|
||||||
|
nomad_leave_on_interrupt: false
|
||||||
|
nomad_leave_on_terminate: false
|
||||||
|
|
||||||
|
########################
|
||||||
|
# server configuration #
|
||||||
|
########################
|
||||||
|
|
||||||
|
nomad_enable_server: "{{ ('nomad_servers' in group_names) | bool }}"
|
||||||
|
nomad_server_bootstrap_expect: "{{ (groups['nomad_servers'] | length) }}"
|
||||||
|
nomad_server_configuration:
|
||||||
|
enabled: "{{ nomad_enable_server }}"
|
||||||
|
data_dir: "{{ nomad_data_dir }}/server"
|
||||||
|
encrypt: "{{ _credentials.nomad.gossip_encryption_key }}"
|
||||||
|
|
||||||
|
##############################
|
||||||
|
# client configuration #
|
||||||
|
##############################
|
||||||
|
|
||||||
|
nomad_enable_client: "{{ ('nomad_clients' in group_names) | bool }}"
|
||||||
|
nomad_client_configuration:
|
||||||
|
enabled: "{{ nomad_enable_client }}"
|
||||||
|
state_dir: "{{ nomad_data_dir }}/client"
|
||||||
|
cni_path: "{{ cni_plugins_install_path | default('/opt/cni/bin') }}"
|
||||||
|
bridge_network_name: nomad
|
||||||
|
bridge_network_subnet: "172.26.64.0/20"
|
||||||
|
|
||||||
|
####################
|
||||||
|
# ui configuration #
|
||||||
|
####################
|
||||||
|
|
||||||
|
nomad_ui_configuration:
|
||||||
|
enabled: "{{ nomad_enable_server }}"
|
||||||
|
|
||||||
|
#########################
|
||||||
|
# drivers configuration #
|
||||||
|
#########################
|
||||||
|
|
||||||
|
nomad_driver_enable_docker: true
|
||||||
|
nomad_driver_enable_podman: false
|
||||||
|
nomad_driver_enable_raw_exec: false
|
||||||
|
nomad_driver_enable_java: false
|
||||||
|
nomad_driver_enable_qemu: false
|
||||||
|
|
||||||
|
nomad_driver_configuration:
|
||||||
|
raw_exec:
|
||||||
|
enabled: false
|
||||||
|
|
||||||
|
nomad_driver_extra_configuration: {}
|
||||||
|
|
||||||
|
###########
|
||||||
|
# logging #
|
||||||
|
###########
|
||||||
|
|
||||||
|
nomad_log_level: info
|
||||||
|
nomad_enable_log_to_file: "{{ enable_log_to_file | bool }}"
|
||||||
|
nomad_log_to_file_configuration:
|
||||||
|
log_file: "{{ nomad_logs_dir }}/nomad.log"
|
||||||
|
log_rotate_duration: 24h
|
||||||
|
log_rotate_max_files: 30
|
||||||
|
|
||||||
|
#####################
|
||||||
|
# ACL configuration #
|
||||||
|
#####################
|
||||||
|
|
||||||
|
nomad_acl_configuration:
|
||||||
|
enabled: true
|
||||||
|
token_ttl: 30s
|
||||||
|
policy_ttl: 60s
|
||||||
|
role_ttl: 60s
|
||||||
|
|
||||||
|
################
|
||||||
|
# internal tls #
|
||||||
|
################
|
||||||
|
|
||||||
|
nomad_enable_tls: false
|
||||||
|
nomad_tls_configuration:
|
||||||
|
http: true
|
||||||
|
rpc: true
|
||||||
|
ca_file: "/etc/ssl/certs/ca-certificates.crt"
|
||||||
|
cert_file: "{{ nomad_certs_dir }}/fullchain.crt"
|
||||||
|
key_file: "{{ nomad_certs_dir }}/cert.key"
|
||||||
|
verify_server_hostname: true
|
||||||
|
|
||||||
|
nomad_certificates_extra_files_dir:
|
||||||
|
- src: "{{ hashistack_sub_configuration_directories['certificates'] }}/nomad/{{ inventory_hostname }}"
|
||||||
|
dest: "{{ nomad_certs_dir }}"
|
||||||
|
|
||||||
|
###########################
|
||||||
|
# telemetry configuration #
|
||||||
|
###########################
|
||||||
|
|
||||||
|
nomad_telemetry_configuration:
|
||||||
|
collection_interval: 10s
|
||||||
|
disable_hostname: false
|
||||||
|
use_node_name: false
|
||||||
|
publish_allocation_metrics: false
|
||||||
|
publish_node_metrics: false
|
||||||
|
prefix_filter: []
|
||||||
|
disable_dispatched_job_summary_metrics: false
|
||||||
|
prometheus_metrics: false
|
||||||
|
|
||||||
|
######################
|
||||||
|
# consul integration #
|
||||||
|
######################
|
||||||
|
|
||||||
|
nomad_enable_consul_integration: "{{ enable_consul | bool }}"
|
||||||
|
nomad_consul_integration_configuration:
|
||||||
|
address: >-
|
||||||
|
127.0.0.1:{{ consul_api_port[consul_api_scheme] }}
|
||||||
|
auto_advertise: true
|
||||||
|
ssl: "{{ consul_enable_tls | bool }}"
|
||||||
|
token: >-
|
||||||
|
{{ _credentials.consul.tokens.nomad.server.secret_id if nomad_enable_server else _credentials.consul.tokens.nomad.client.secret_id }}
|
||||||
|
tags: []
|
||||||
|
|
||||||
nomad_consul_integration_tls_configuration:
|
nomad_consul_integration_tls_configuration:
|
||||||
ca_file: "/etc/ssl/certs/ca-certificates.crt"
|
ca_file: "/etc/ssl/certs/ca-certificates.crt"
|
||||||
@ -80,7 +197,8 @@ nomad_consul_integration_server_configuration:
|
|||||||
|
|
||||||
nomad_consul_integration_client_configuration:
|
nomad_consul_integration_client_configuration:
|
||||||
client_auto_join: true
|
client_auto_join: true
|
||||||
grpc_address: "127.0.0.1:{{ hashicorp_consul_configuration.ports.grpc_tls if consul_enable_tls else hashicorp_consul_configuration.ports.grpc }}"
|
grpc_address: >-
|
||||||
|
127.0.0.1:{{ consul_grpc_port[consul_api_scheme] }}
|
||||||
|
|
||||||
nomad_consul_integration_client_tls_configuration:
|
nomad_consul_integration_client_tls_configuration:
|
||||||
grpc_ca_file: "/etc/ssl/certs/ca-certificates.crt"
|
grpc_ca_file: "/etc/ssl/certs/ca-certificates.crt"
|
||||||
@ -109,104 +227,9 @@ nomad_consul_integration_client_policy: |
|
|||||||
policy = "write"
|
policy = "write"
|
||||||
}
|
}
|
||||||
|
|
||||||
#############################
|
############################
|
||||||
# nomad leave configuration #
|
# nomad vault integration #
|
||||||
#############################
|
############################
|
||||||
|
|
||||||
# node will leave the cluster if the process is stopped
|
nomad_enable_vault_integration: false
|
||||||
# and if it is only a client
|
nomad_vault_integration_configuration: {}
|
||||||
nomad_leave_on_interrupt: "{{ (('nomad_clients' in group_names) and not ('nomad_servers' in group_names)) | bool }}"
|
|
||||||
nomad_leave_on_terminate: "{{ (('nomad_clients' in group_names) and not ('nomad_servers' in group_names)) | bool }}"
|
|
||||||
|
|
||||||
##########################
|
|
||||||
# nomad ui configuration #
|
|
||||||
##########################
|
|
||||||
|
|
||||||
nomad_ui_configuration:
|
|
||||||
enabled: "{{ ('nomad_servers' in group_names) | bool }}"
|
|
||||||
|
|
||||||
##############################
|
|
||||||
# nomad server configuration #
|
|
||||||
##############################
|
|
||||||
|
|
||||||
nomad_enable_server: "{{ ('nomad_servers' in group_names) | bool }}"
|
|
||||||
nomad_server_configuration:
|
|
||||||
enabled: "{{ nomad_enable_server }}"
|
|
||||||
data_dir: "{{ hashicorp_nomad_data_dir }}/server"
|
|
||||||
encrypt: "{{ _credentials.nomad.gossip_encryption_key }}"
|
|
||||||
|
|
||||||
##############################
|
|
||||||
# nomad client configuration #
|
|
||||||
##############################
|
|
||||||
|
|
||||||
nomad_enable_client: "{{ ('nomad_clients' in group_names) | bool }}"
|
|
||||||
nomad_client_configuration:
|
|
||||||
enabled: "{{ nomad_enable_client }}"
|
|
||||||
state_dir: "{{ hashicorp_nomad_data_dir }}/client"
|
|
||||||
bridge_network_name: nomad
|
|
||||||
bridge_network_subnet: "172.26.64.0/20"
|
|
||||||
|
|
||||||
###############################
|
|
||||||
# nomad drivers configuration #
|
|
||||||
###############################
|
|
||||||
|
|
||||||
nomad_driver_configuration:
|
|
||||||
raw_exec:
|
|
||||||
enabled: "{{ nomad_driver_enable_raw_exec | bool }}"
|
|
||||||
|
|
||||||
######################
|
|
||||||
# nomad internal tls #
|
|
||||||
######################
|
|
||||||
|
|
||||||
nomad_certificates_directory: "{{ hashicorp_nomad_config_dir }}/tls"
|
|
||||||
nomad_certificates_extra_files_dir:
|
|
||||||
- src: "{{ sub_configuration_directories['certificates'] }}/nomad/{{ inventory_hostname }}"
|
|
||||||
dest: "{{ nomad_certificates_directory }}"
|
|
||||||
|
|
||||||
#################
|
|
||||||
# nomad logging #
|
|
||||||
#################
|
|
||||||
|
|
||||||
nomad_enable_log_to_file: "{{ enable_log_to_file | bool }}"
|
|
||||||
nomad_logging_configuration:
|
|
||||||
log_file: "{{ hashistack_remote_log_dir }}/nomad/nomad.log"
|
|
||||||
log_level: info
|
|
||||||
log_rotate_duration: 24h
|
|
||||||
log_rotate_max_files: 30
|
|
||||||
|
|
||||||
########################
|
|
||||||
# nomad role variables #
|
|
||||||
########################
|
|
||||||
|
|
||||||
hashicorp_nomad_start_service: true
|
|
||||||
hashicorp_nomad_service_name: "nomad"
|
|
||||||
hashicorp_nomad_cni_plugins_install: true
|
|
||||||
hashicorp_nomad_cni_plugins_version: latest
|
|
||||||
hashicorp_nomad_cni_plugins_install_path: /opt/cni/bin
|
|
||||||
hashicorp_nomad_version: "{{ nomad_version }}"
|
|
||||||
hashicorp_nomad_env_variables: {}
|
|
||||||
hashicorp_nomad_config_dir: "{{ hashistack_remote_config_dir }}/nomad.d"
|
|
||||||
hashicorp_nomad_data_dir: "{{ hashistack_remote_data_dir }}/nomad"
|
|
||||||
hashicorp_nomad_extra_files: true
|
|
||||||
hashicorp_nomad_extra_files_list: "{{ ([] +
|
|
||||||
(nomad_certificates_extra_files_dir if nomad_enable_tls else []) +
|
|
||||||
nomad_extra_files_list)
|
|
||||||
| unique
|
|
||||||
| sort
|
|
||||||
}}"
|
|
||||||
hashicorp_nomad_configuration:
|
|
||||||
datacenter: "{{ nomad_datacenter }}"
|
|
||||||
region: "{{ nomad_region }}"
|
|
||||||
bind_addr: "0.0.0.0"
|
|
||||||
data_dir: "{{ hashicorp_nomad_data_dir }}"
|
|
||||||
leave_on_interrupt: "{{ nomad_leave_on_interrupt }}"
|
|
||||||
leave_on_terminate: "{{ nomad_leave_on_terminate }}"
|
|
||||||
acl: "{{ nomad_acl_configuration }}"
|
|
||||||
server: "{{ nomad_server_configuration }}"
|
|
||||||
client: "{{ nomad_client_configuration }}"
|
|
||||||
ui: "{{ nomad_ui_configuration }}"
|
|
||||||
|
|
||||||
# this is used to circumvent jinja limitation to convert string to integer
|
|
||||||
hashicorp_nomad_configuration_string: |
|
|
||||||
server:
|
|
||||||
bootstrap_expect: {{ (groups['nomad_servers'] | length) }}
|
|
||||||
|
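Review bot: `nomad_driver_configuration.raw_exec.enabled` is now hard-coded to `false` while `nomad_driver_enable_raw_exec` is still declared a few lines above it; the removed side tied the two together with `enabled: "{{ nomad_driver_enable_raw_exec | bool }}"`, so unless the role now reads `nomad_driver_enable_raw_exec` somewhere else, setting it to `true` no longer enables the driver. Keeping raw_exec off by default is the right posture (it lets any job run arbitrary binaries as the Nomad user), but the toggle should stay wired: `enabled: "{{ nomad_driver_enable_raw_exec | bool }}"`. Separately, `nomad_bind_addr` now defaults to `"0.0.0.0"` while `nomad_enable_tls` defaults to `false`; a one-line comment above `nomad_bind_addr` noting that with TLS disabled the HTTP, RPC and serf ports are exposed in clear on every interface would help operators of multi-homed hosts decide whether to narrow it to `api_interface_address`.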
@ -1,100 +1,121 @@
|
|||||||
---
|
---
|
||||||
#####################################################
|
|
||||||
# #
|
|
||||||
# Non-Editable #
|
|
||||||
# #
|
|
||||||
#####################################################
|
|
||||||
|
|
||||||
vault_init_server: "{{ (inventory_hostname == groups['vault_servers'][0]) | bool }}"
|
vault_init_server: "{{ (inventory_hostname == groups['vault_servers'][0]) | bool }}"
|
||||||
|
|
||||||
|
#########
|
||||||
|
# Vault #
|
||||||
|
#########
|
||||||
|
|
||||||
|
vault_config_dir: "{{ hashistack_remote_config_dir }}/vault.d"
|
||||||
|
vault_data_dir: "/opt/vault"
|
||||||
|
vault_certs_dir: "{{ vault_config_dir }}/tls"
|
||||||
|
vault_logs_dir: "{{ hashistack_remote_log_dir }}/vault"
|
||||||
|
|
||||||
|
vault_extra_files: true
|
||||||
|
# vault_extra_files_list: []
|
||||||
|
|
||||||
|
vault_env_variables: {}
|
||||||
|
|
||||||
|
#######################
|
||||||
|
# extra configuration #
|
||||||
|
#######################
|
||||||
|
|
||||||
|
# You should prioritize adding configuration
|
||||||
|
# to the configuration entries below, this
|
||||||
|
# option should be used to add pieces of configuration not
|
||||||
|
# available through standard variables.
|
||||||
|
|
||||||
|
# vault_extra_configuration: {}
|
||||||
|
|
||||||
|
###########
|
||||||
|
# general #
|
||||||
|
###########
|
||||||
|
|
||||||
|
# vault_cluster_name: vault
|
||||||
|
# vault_bind_addr: "0.0.0.0"
|
||||||
|
# vault_cluster_addr: "{{ api_interface_address }}"
|
||||||
|
# vault_enable_ui: true
|
||||||
|
# vault_disable_mlock: false
|
||||||
|
# vault_disable_cache: false
|
||||||
|
|
||||||
|
######################
|
||||||
|
# seal configuration #
|
||||||
|
######################
|
||||||
|
|
||||||
|
vault_seal_configuration:
|
||||||
|
key_shares: 3
|
||||||
|
key_threshold: 2
|
||||||
|
|
||||||
#########################
|
#########################
|
||||||
# vault haproxy backend #
|
# storage configuration #
|
||||||
#########################
|
#########################
|
||||||
|
|
||||||
vault_haproxy_frontend_options:
|
vault_storage_configuration:
|
||||||
- acl is_vault hdr(host) -i {{ vault_fqdn }}
|
raft:
|
||||||
- use_backend vault_external if is_vault
|
path: "{{ vault_data_dir }}"
|
||||||
|
node_id: "{{ ansible_hostname }}"
|
||||||
vault_haproxy_backends:
|
retry_join: >-
|
||||||
- name: vault_external
|
|
||||||
options: "{{ vault_external_backend_options + vault_external_backend_servers }}"
|
|
||||||
|
|
||||||
vault_external_backend_options:
|
|
||||||
- description vault external http backend
|
|
||||||
- option forwardfor
|
|
||||||
- option httpchk GET /v1/sys/health?standbyok=true&sealedcode=200&standbycode=200&uninitcode=200
|
|
||||||
- http-check expect status 200
|
|
||||||
- default-server inter 2s fastinter 1s downinter 1s
|
|
||||||
|
|
||||||
vault_external_backend_servers: |
|
|
||||||
[
|
[
|
||||||
{% for host in groups['vault_servers'] %}
|
{% for host in groups['vault_servers'] %}
|
||||||
'server vault-{{ hostvars[host].api_interface_address }} {{ hostvars[host].api_interface_address }}:8200 check {{ 'ssl verify none ' if vault_enable_tls }}inter 5s'{% if not loop.last %},{% endif %}
|
{
|
||||||
|
'leader_api_addr': '{{ "https" if vault_enable_tls else "http"}}://{{ hostvars[host].api_interface_address }}:8200'
|
||||||
|
}{% if not loop.last %},{% endif %}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
]
|
]
|
||||||
|
|
||||||
######################
|
##########################
|
||||||
# vault internal tls #
|
# listener configuration #
|
||||||
######################
|
##########################
|
||||||
|
|
||||||
|
# vault_enable_tls: false
|
||||||
|
vault_listener_configuration:
|
||||||
|
- tcp:
|
||||||
|
address: "{{ vault_cluster_addr }}:8200"
|
||||||
|
tls_disable: true
|
||||||
|
|
||||||
|
vault_tls_listener_configuration:
|
||||||
|
- tcp:
|
||||||
|
tls_disable: false
|
||||||
|
tls_cert_file: "{{ vault_certs_dir }}/fullchain.crt"
|
||||||
|
tls_key_file: "{{ vault_certs_dir }}/cert.key"
|
||||||
|
tls_disable_client_certs: true
|
||||||
|
|
||||||
vault_certificates_directory: "{{ hashicorp_vault_config_dir }}/tls"
|
|
||||||
vault_certificates_extra_files_dir:
|
vault_certificates_extra_files_dir:
|
||||||
- src: "{{ sub_configuration_directories['certificates'] }}/vault/{{ inventory_hostname }}"
|
- src: "{{ hashistack_sub_configuration_directories['certificates'] }}/vault/{{ inventory_hostname }}"
|
||||||
dest: "{{ vault_certificates_directory }}"
|
dest: "{{ vault_certs_dir }}"
|
||||||
|
|
||||||
#################
|
vault_extra_listener_configuration: []
|
||||||
# vault plugins #
|
|
||||||
#################
|
|
||||||
|
|
||||||
vault_plugin_directory: "{{ hashicorp_vault_config_dir }}/plugin"
|
########################
|
||||||
vault_plugin_extra_files_dir:
|
# service registration #
|
||||||
- src: "{{ sub_configuration_directories['vault_servers'] }}/plugin"
|
########################
|
||||||
dest: "{{ vault_plugin_directory }}"
|
|
||||||
|
|
||||||
##############################
|
# vault_enable_service_registration: "{{ enable_consul | bool }}"
|
||||||
# vault service registration #
|
vault_service_registration_configuration:
|
||||||
##############################
|
consul:
|
||||||
|
address: >-
|
||||||
|
127.0.0.1:{{ hostvars[groups['consul_servers'][0]].consul_api_port[hostvars[groups['consul_servers'][0]].consul_api_scheme] }}
|
||||||
|
scheme: "{{ hostvars[groups['consul_servers'][0]].consul_api_scheme }}"
|
||||||
|
token: "{{ _credentials.consul.tokens.vault.secret_id }}"
|
||||||
|
|
||||||
vault_service_registration_policy: |
|
vault_service_registration_policy: |
|
||||||
service "vault" {
|
service "vault" {
|
||||||
policy = "write"
|
policy = "write"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#########################
|
||||||
|
# plugins configuration #
|
||||||
|
#########################
|
||||||
|
|
||||||
|
# vault_enable_plugins: false
|
||||||
|
vault_plugins_directory: "{{ vault_config_dir }}/plugins"
|
||||||
|
|
||||||
#################
|
#################
|
||||||
# vault logging #
|
# vault logging #
|
||||||
#################
|
#################
|
||||||
|
|
||||||
|
# vault_log_level: info
|
||||||
vault_enable_log_to_file: "{{ enable_log_to_file | bool }}"
|
vault_enable_log_to_file: "{{ enable_log_to_file | bool }}"
|
||||||
vault_logging_configuration:
|
vault_log_to_file_configuration:
|
||||||
log_file: "{{ hashistack_remote_log_dir }}/vault/vault.log"
|
log_file: "{{ vault_logs_dir }}/vault.log"
|
||||||
log_level: info
|
|
||||||
log_rotate_duration: 24h
|
log_rotate_duration: 24h
|
||||||
log_rotate_max_files: 30
|
log_rotate_max_files: 30
|
||||||
|
|
||||||
########################
|
|
||||||
# vault role variables #
|
|
||||||
########################
|
|
||||||
|
|
||||||
hashicorp_vault_start_service: true
|
|
||||||
hashicorp_vault_service_name: "vault"
|
|
||||||
hashicorp_vault_version: "{{ vault_version }}"
|
|
||||||
hashicorp_vault_env_variables: {}
|
|
||||||
hashicorp_vault_config_dir: "{{ hashistack_remote_config_dir }}/vault.d"
|
|
||||||
hashicorp_vault_data_dir: "{{ hashistack_remote_data_dir }}/vault"
|
|
||||||
hashicorp_vault_extra_files: true
|
|
||||||
hashicorp_vault_extra_files_list: "{{ ([] +
|
|
||||||
(vault_certificates_extra_files_dir if vault_enable_tls else []) +
|
|
||||||
(vault_plugin_extra_files_dir if vault_enable_plugins else []) +
|
|
||||||
vault_extra_files_list)
|
|
||||||
| unique
|
|
||||||
| sort
|
|
||||||
}}"
|
|
||||||
hashicorp_vault_configuration:
|
|
||||||
cluster_name: "{{ vault_cluster_name }}"
|
|
||||||
cluster_addr: "{{ 'https' if vault_enable_tls else 'http'}}://{{ api_interface_address }}:8201"
|
|
||||||
api_addr: "{{ 'https' if vault_enable_tls else 'http'}}://{{ api_interface_address }}:8200"
|
|
||||||
ui: "{{ vault_enable_ui }}"
|
|
||||||
disable_mlock: false
|
|
||||||
disable_cache: false
|
|
||||||
listener: "{{ vault_listener_configuration }}"
|
|
||||||
storage: "{{ vault_storage_configuration }}"
|
|
||||||
|
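Review bot: The `tcp` entry in `vault_tls_listener_configuration` carries `tls_disable: false`, the cert and key paths and `tls_disable_client_certs: true`, but no `address`, whereas the plaintext `vault_listener_configuration` binds to `{{ vault_cluster_addr }}:8200`; if the role substitutes the TLS list rather than merging it over the plaintext one, a TLS-enabled node would fall back to Vault's built-in listener default and the `https://{{ hostvars[host].api_interface_address }}:8200` addresses in `retry_join` would not be reachable — I could not confirm the merge behaviour from this file. Adding `address: "{{ vault_cluster_addr }}:8200"` to the TLS listener removes the dependency on that merge either way. It would also help to note above `vault_listener_configuration` that the default listener is plaintext (`tls_disable: true`) and that `vault_enable_tls` is what switches to the TLS listener, since the variable appears here only as the commented-out `# vault_enable_tls: false`.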