feat/major-revamp #11
@ -8,7 +8,7 @@
|
|||||||
become: true
|
become: true
|
||||||
tasks:
|
tasks:
|
||||||
- name: "Import variables"
|
- name: "Import variables"
|
||||||
ansible.builtin.import_role:
|
ansible.builtin.include_role:
|
||||||
name: ednz_cloud.hashistack.hashistack
|
name: ednz_cloud.hashistack.hashistack
|
||||||
tags:
|
tags:
|
||||||
- always
|
- always
|
||||||
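Review bot: Switching "Import variables" from `ansible.builtin.import_role` to `ansible.builtin.include_role` changes what the `always` tag covers: on a dynamic include the tags apply to the include task itself, so a run with `--tags consul` executes the include but the role's own tasks are then filtered out unless they carry their own tags. If the variable-loading tasks must run on every tagged invocation, push the tag down with `apply:` / `tags: [always]` on the include, or keep `import_role` here. The same inheritance gap applies to the `include_tasks` switches in the `@ -19,7 +19,7`, `@ -28,7 +28,7` and `@ -37,7 +37,7` hunks, where `tags: [consul]` etc. no longer reach the tasks inside `tasks/consul/consul_deploy.yml` and friends unless those files tag them, and to the two `include_role` tasks in the `@ -7,363 +7,15` hunk. The enclosing play starts outside this hunk, so I cannot see whether the included files already tag their tasks.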
@ -19,7 +19,7 @@
|
|||||||
- consul
|
- consul
|
||||||
when:
|
when:
|
||||||
- enable_consul | bool
|
- enable_consul | bool
|
||||||
ansible.builtin.import_tasks:
|
ansible.builtin.include_tasks:
|
||||||
file: tasks/consul/consul_deploy.yml
|
file: tasks/consul/consul_deploy.yml
|
||||||
|
|
||||||
# Vault nodes deployment
|
# Vault nodes deployment
|
||||||
@ -28,7 +28,7 @@
|
|||||||
- vault
|
- vault
|
||||||
when:
|
when:
|
||||||
- enable_vault | bool
|
- enable_vault | bool
|
||||||
ansible.builtin.import_tasks:
|
ansible.builtin.include_tasks:
|
||||||
file: tasks/vault/vault_deploy.yml
|
file: tasks/vault/vault_deploy.yml
|
||||||
|
|
||||||
# Nomad nodes deployment
|
# Nomad nodes deployment
|
||||||
@ -37,7 +37,7 @@
|
|||||||
- nomad
|
- nomad
|
||||||
when:
|
when:
|
||||||
- enable_nomad | bool
|
- enable_nomad | bool
|
||||||
ansible.builtin.import_tasks:
|
ansible.builtin.include_tasks:
|
||||||
file: tasks/nomad/nomad_deploy.yml
|
file: tasks/nomad/nomad_deploy.yml
|
||||||
|
|
||||||
# - fail:
|
# - fail:
|
||||||
|
@ -7,363 +7,15 @@
|
|||||||
become: true
|
become: true
|
||||||
tasks:
|
tasks:
|
||||||
- name: "Import variables"
|
- name: "Import variables"
|
||||||
ansible.builtin.import_role:
|
ansible.builtin.include_role:
|
||||||
name: ednz_cloud.hashistack.hashistack
|
name: ednz_cloud.hashistack.hashistack
|
||||||
tags:
|
tags:
|
||||||
- always
|
- always
|
||||||
|
|
||||||
- name: "Create temporary cert directory in {{ hashistack_sub_configuration_directories['certificates'] }}" # noqa: run-once[task]
|
- name: "Create Certificate Authority"
|
||||||
ansible.builtin.file:
|
ansible.builtin.include_role:
|
||||||
path: "{{ hashistack_sub_configuration_directories['certificates'] }}/external"
|
name: ednz_cloud.hashistack.hashistack_ca
|
||||||
state: directory
|
apply:
|
||||||
owner: "{{ lookup('env', 'USER') }}"
|
delegate_to: localhost
|
||||||
group: "{{ lookup('env', 'USER') }}"
|
|
||||||
mode: "0755"
|
|
||||||
delegate_to: localhost
|
|
||||||
run_once: true
|
|
||||||
tags:
|
tags:
|
||||||
- always
|
- always
|
||||||
|
|
||||||
- name: "Generate external certificates" # noqa: run-once[task]
|
|
||||||
tags:
|
|
||||||
- always
|
|
||||||
delegate_to: localhost
|
|
||||||
run_once: true
|
|
||||||
block:
|
|
||||||
- name: "Create temporary cert directory in {{ hashistack_sub_configuration_directories['certificates'] }}" # noqa: run-once[task]
|
|
||||||
ansible.builtin.file:
|
|
||||||
path: "{{ hashistack_sub_configuration_directories['certificates'] }}/external"
|
|
||||||
state: directory
|
|
||||||
owner: "{{ lookup('env', 'USER') }}"
|
|
||||||
group: "{{ lookup('env', 'USER') }}"
|
|
||||||
mode: "0755"
|
|
||||||
|
|
||||||
- name: "Create private keys"
|
|
||||||
community.crypto.openssl_privatekey:
|
|
||||||
path: "{{ hashistack_sub_configuration_directories['certificates'] }}/external/{{ item.fqdn }}.pem.key"
|
|
||||||
owner: "{{ lookup('env', 'USER') }}"
|
|
||||||
group: "{{ lookup('env', 'USER') }}"
|
|
||||||
loop:
|
|
||||||
- name: nomad
|
|
||||||
fqdn: "{{ nomad_fqdn }}"
|
|
||||||
- name: vault
|
|
||||||
fqdn: "{{ vault_fqdn }}"
|
|
||||||
- name: consul
|
|
||||||
fqdn: "{{ consul_fqdn }}"
|
|
||||||
|
|
||||||
- name: "Create certificate signing request"
|
|
||||||
community.crypto.openssl_csr_pipe:
|
|
||||||
privatekey_path: "{{ hashistack_sub_configuration_directories['certificates'] }}/external/{{ item.fqdn }}.pem.key"
|
|
||||||
common_name: "{{ item.fqdn }}"
|
|
||||||
organization_name: EDNZ Cloud
|
|
||||||
register: csr
|
|
||||||
loop:
|
|
||||||
- name: nomad
|
|
||||||
fqdn: "{{ nomad_fqdn }}"
|
|
||||||
- name: vault
|
|
||||||
fqdn: "{{ vault_fqdn }}"
|
|
||||||
- name: consul
|
|
||||||
fqdn: "{{ consul_fqdn }}"
|
|
||||||
|
|
||||||
- name: "Create self-signed certificate from CSR"
|
|
||||||
community.crypto.x509_certificate:
|
|
||||||
path: "{{ hashistack_sub_configuration_directories['certificates'] }}/external/{{ item.item.fqdn }}.pem"
|
|
||||||
csr_content: "{{ item.csr }}"
|
|
||||||
privatekey_path: "{{ hashistack_sub_configuration_directories['certificates'] }}/external/{{ item.item.fqdn }}.pem.key"
|
|
||||||
provider: selfsigned
|
|
||||||
owner: "{{ lookup('env', 'USER') }}"
|
|
||||||
group: "{{ lookup('env', 'USER') }}"
|
|
||||||
loop: "{{ csr.results }}"
|
|
||||||
|
|
||||||
- name: "Generate internal certificates"
|
|
||||||
tags:
|
|
||||||
- never
|
|
||||||
- internal
|
|
||||||
delegate_to: localhost
|
|
||||||
vars:
|
|
||||||
hashistack_ca_key_path: "{{ hashistack_sub_configuration_directories['certificates'] }}/ca/ca.key"
|
|
||||||
hashistack_ca_cert_path: "{{ hashistack_sub_configuration_directories['certificates'] }}/ca/ca.crt"
|
|
||||||
block:
|
|
||||||
- name: "Create internal CA" # noqa: run-once[task]
|
|
||||||
run_once: true
|
|
||||||
block:
|
|
||||||
- name: "Create temporary cert directory in {{ hashistack_sub_configuration_directories['certificates'] }}" # noqa: run-once[task]
|
|
||||||
ansible.builtin.file:
|
|
||||||
path: "{{ hashistack_sub_configuration_directories['certificates'] }}/ca"
|
|
||||||
state: directory
|
|
||||||
owner: "{{ lookup('env', 'USER') }}"
|
|
||||||
group: "{{ lookup('env', 'USER') }}"
|
|
||||||
mode: "0755"
|
|
||||||
|
|
||||||
- name: "Create CA private key"
|
|
||||||
community.crypto.openssl_privatekey:
|
|
||||||
path: "{{ hashistack_ca_key_path }}"
|
|
||||||
owner: "{{ lookup('env', 'USER') }}"
|
|
||||||
group: "{{ lookup('env', 'USER') }}"
|
|
||||||
|
|
||||||
- name: "Create CA signing request"
|
|
||||||
community.crypto.openssl_csr_pipe:
|
|
||||||
privatekey_path: "{{ hashistack_ca_key_path }}"
|
|
||||||
common_name: "CA"
|
|
||||||
organization_name: EDNZ Cloud
|
|
||||||
use_common_name_for_san: false
|
|
||||||
basic_constraints:
|
|
||||||
- CA:TRUE
|
|
||||||
basic_constraints_critical: true
|
|
||||||
key_usage:
|
|
||||||
- keyCertSign
|
|
||||||
key_usage_critical: true
|
|
||||||
register: ca_csr
|
|
||||||
|
|
||||||
- name: "Create self-signed CA certificate from CSR"
|
|
||||||
community.crypto.x509_certificate:
|
|
||||||
path: "{{ hashistack_ca_cert_path }}"
|
|
||||||
csr_content: "{{ ca_csr.csr }}"
|
|
||||||
privatekey_path: "{{ hashistack_ca_key_path }}"
|
|
||||||
provider: selfsigned
|
|
||||||
owner: "{{ lookup('env', 'USER') }}"
|
|
||||||
group: "{{ lookup('env', 'USER') }}"
|
|
||||||
|
|
||||||
- name: "Create Vault certificates"
|
|
||||||
when:
|
|
||||||
- "'vault_servers' in group_names"
|
|
||||||
vars:
|
|
||||||
vault_private_key_path: "{{ hashistack_sub_configuration_directories['certificates'] }}/vault/{{ inventory_hostname }}/key.pem"
|
|
||||||
vault_certificate_path: "{{ hashistack_sub_configuration_directories['certificates'] }}/vault/{{ inventory_hostname }}/cert.pem"
|
|
||||||
block:
|
|
||||||
- name: "Create temporary cert directory in {{ hashistack_sub_configuration_directories['certificates'] }}" # noqa: run-once[task]
|
|
||||||
ansible.builtin.file:
|
|
||||||
path: "{{ hashistack_sub_configuration_directories['certificates'] }}/vault/{{ inventory_hostname }}"
|
|
||||||
state: directory
|
|
||||||
owner: "{{ lookup('env', 'USER') }}"
|
|
||||||
group: "{{ lookup('env', 'USER') }}"
|
|
||||||
mode: "0755"
|
|
||||||
|
|
||||||
- name: "Create Vault certificate keys"
|
|
||||||
community.crypto.openssl_privatekey:
|
|
||||||
path: "{{ vault_private_key_path }}"
|
|
||||||
owner: "{{ lookup('env', 'USER') }}"
|
|
||||||
group: "{{ lookup('env', 'USER') }}"
|
|
||||||
|
|
||||||
- name: "Create CSRs for Vault servers"
|
|
||||||
community.crypto.openssl_csr_pipe:
|
|
||||||
privatekey_path: "{{ vault_private_key_path }}"
|
|
||||||
common_name: "{{ inventory_hostname }}"
|
|
||||||
subject_alt_name:
|
|
||||||
- "DNS:{{ inventory_hostname }}"
|
|
||||||
- "DNS:active.vault.service.consul"
|
|
||||||
- "DNS:standby.vault.service.consul"
|
|
||||||
- "DNS:vault.service.consul"
|
|
||||||
- "DNS:localhost"
|
|
||||||
- "IP:{{ api_interface_address }}"
|
|
||||||
- "IP:127.0.0.1"
|
|
||||||
key_usage_critical: true
|
|
||||||
key_usage:
|
|
||||||
- Digital Signature
|
|
||||||
- Key Encipherment
|
|
||||||
- Key Agreement
|
|
||||||
extended_key_usage:
|
|
||||||
- TLS Web Server Authentication
|
|
||||||
- TLS Web Client Authentication
|
|
||||||
organization_name: EDNZ Cloud
|
|
||||||
use_common_name_for_san: false
|
|
||||||
register: vault_csr
|
|
||||||
|
|
||||||
- name: "Sign certificates with internal CA"
|
|
||||||
community.crypto.x509_certificate:
|
|
||||||
path: "{{ vault_certificate_path }}"
|
|
||||||
csr_content: "{{ vault_csr.csr }}"
|
|
||||||
provider: ownca
|
|
||||||
ownca_path: "{{ hashistack_ca_cert_path }}"
|
|
||||||
ownca_privatekey_path: "{{ hashistack_ca_key_path }}"
|
|
||||||
ownca_not_after: "+365d"
|
|
||||||
ownca_not_before: "-1d"
|
|
||||||
|
|
||||||
- name: "Concatenate CA and Child certificates"
|
|
||||||
block:
|
|
||||||
- name: "Read content of ca.crt"
|
|
||||||
ansible.builtin.slurp:
|
|
||||||
src: "{{ hashistack_ca_cert_path }}"
|
|
||||||
register: ca_crt_content
|
|
||||||
|
|
||||||
- name: "Read content of cert.pem"
|
|
||||||
ansible.builtin.slurp:
|
|
||||||
src: "{{ vault_certificate_path }}"
|
|
||||||
register: cert_pem_content
|
|
||||||
|
|
||||||
- name: "Concatenate certificates"
|
|
||||||
ansible.builtin.copy:
|
|
||||||
content: |
|
|
||||||
{{ cert_pem_content['content'] | b64decode }}{{ ca_crt_content['content'] | b64decode }}
|
|
||||||
dest: "{{ vault_certificate_path }}"
|
|
||||||
owner: "{{ lookup('env', 'USER') }}"
|
|
||||||
group: "{{ lookup('env', 'USER') }}"
|
|
||||||
mode: "0644"
|
|
||||||
|
|
||||||
- name: "Create Consul certificates"
|
|
||||||
when:
|
|
||||||
- "('consul_servers' in group_names) or ('consul_agents' in group_names)"
|
|
||||||
vars:
|
|
||||||
consul_private_key_path: "{{ hashistack_sub_configuration_directories['certificates'] }}/consul/{{ inventory_hostname }}/key.pem"
|
|
||||||
consul_certificate_path: "{{ hashistack_sub_configuration_directories['certificates'] }}/consul/{{ inventory_hostname }}/cert.pem"
|
|
||||||
block:
|
|
||||||
- name: "Create temporary cert directory in {{ hashistack_sub_configuration_directories['certificates'] }}" # noqa: run-once[task]
|
|
||||||
ansible.builtin.file:
|
|
||||||
path: "{{ hashistack_sub_configuration_directories['certificates'] }}/consul/{{ inventory_hostname }}"
|
|
||||||
state: directory
|
|
||||||
owner: "{{ lookup('env', 'USER') }}"
|
|
||||||
group: "{{ lookup('env', 'USER') }}"
|
|
||||||
mode: "0755"
|
|
||||||
|
|
||||||
- name: "Create Consul certificate keys"
|
|
||||||
community.crypto.openssl_privatekey:
|
|
||||||
path: "{{ consul_private_key_path }}"
|
|
||||||
owner: "{{ lookup('env', 'USER') }}"
|
|
||||||
group: "{{ lookup('env', 'USER') }}"
|
|
||||||
|
|
||||||
- name: "Create CSRs for Consul servers"
|
|
||||||
vars:
|
|
||||||
consul_csr_sans: >-
|
|
||||||
{%- set sans_list = [
|
|
||||||
'DNS:' + inventory_hostname,
|
|
||||||
'DNS:consul.service.consul',
|
|
||||||
'DNS:localhost',
|
|
||||||
'IP:' + api_interface_address,
|
|
||||||
'IP:127.0.0.1'
|
|
||||||
] -%}
|
|
||||||
{%- if consul_enable_server -%}
|
|
||||||
{%- set _ = sans_list.append('DNS:server.' ~ consul_datacenter ~ '.' ~ consul_domain) -%}
|
|
||||||
{%- endif -%}
|
|
||||||
{{ sans_list }}
|
|
||||||
community.crypto.openssl_csr_pipe:
|
|
||||||
privatekey_path: "{{ consul_private_key_path }}"
|
|
||||||
common_name: "{{ inventory_hostname }}"
|
|
||||||
subject_alt_name: "{{ consul_csr_sans }}"
|
|
||||||
key_usage_critical: true
|
|
||||||
key_usage:
|
|
||||||
- Digital Signature
|
|
||||||
- Key Encipherment
|
|
||||||
- Key Agreement
|
|
||||||
extended_key_usage:
|
|
||||||
- TLS Web Server Authentication
|
|
||||||
- TLS Web Client Authentication
|
|
||||||
organization_name: EDNZ Cloud
|
|
||||||
use_common_name_for_san: false
|
|
||||||
register: consul_csr
|
|
||||||
|
|
||||||
- name: "Sign certificates with internal CA"
|
|
||||||
community.crypto.x509_certificate:
|
|
||||||
path: "{{ consul_certificate_path }}"
|
|
||||||
csr_content: "{{ consul_csr.csr }}"
|
|
||||||
provider: ownca
|
|
||||||
ownca_path: "{{ hashistack_ca_cert_path }}"
|
|
||||||
ownca_privatekey_path: "{{ hashistack_ca_key_path }}"
|
|
||||||
ownca_not_after: "+365d"
|
|
||||||
ownca_not_before: "-1d"
|
|
||||||
|
|
||||||
- name: "Concatenate CA and Child certificates"
|
|
||||||
block:
|
|
||||||
- name: "Read content of ca.crt"
|
|
||||||
ansible.builtin.slurp:
|
|
||||||
src: "{{ hashistack_ca_cert_path }}"
|
|
||||||
register: ca_crt_content
|
|
||||||
|
|
||||||
- name: "Read content of cert.pem"
|
|
||||||
ansible.builtin.slurp:
|
|
||||||
src: "{{ consul_certificate_path }}"
|
|
||||||
register: cert_pem_content
|
|
||||||
|
|
||||||
- name: "Concatenate certificates"
|
|
||||||
ansible.builtin.copy:
|
|
||||||
content: |
|
|
||||||
{{ cert_pem_content['content'] | b64decode }}{{ ca_crt_content['content'] | b64decode }}
|
|
||||||
dest: "{{ consul_certificate_path }}"
|
|
||||||
owner: "{{ lookup('env', 'USER') }}"
|
|
||||||
group: "{{ lookup('env', 'USER') }}"
|
|
||||||
mode: "0644"
|
|
||||||
|
|
||||||
- name: "Create Nomad certificates"
|
|
||||||
when:
|
|
||||||
- "('nomad_servers' in group_names) or ('nomad_clients' in group_names)"
|
|
||||||
vars:
|
|
||||||
nomad_private_key_path: "{{ hashistack_sub_configuration_directories['certificates'] }}/nomad/{{ inventory_hostname }}/key.pem"
|
|
||||||
nomad_certificate_path: "{{ hashistack_sub_configuration_directories['certificates'] }}/nomad/{{ inventory_hostname }}/cert.pem"
|
|
||||||
block:
|
|
||||||
- name: "Create temporary cert directory in {{ hashistack_sub_configuration_directories['certificates'] }}" # noqa: run-once[task]
|
|
||||||
ansible.builtin.file:
|
|
||||||
path: "{{ hashistack_sub_configuration_directories['certificates'] }}/nomad/{{ inventory_hostname }}"
|
|
||||||
state: directory
|
|
||||||
owner: "{{ lookup('env', 'USER') }}"
|
|
||||||
group: "{{ lookup('env', 'USER') }}"
|
|
||||||
mode: "0755"
|
|
||||||
|
|
||||||
- name: "Create Nomad certificate keys"
|
|
||||||
community.crypto.openssl_privatekey:
|
|
||||||
path: "{{ nomad_private_key_path }}"
|
|
||||||
owner: "{{ lookup('env', 'USER') }}"
|
|
||||||
group: "{{ lookup('env', 'USER') }}"
|
|
||||||
|
|
||||||
- name: "Create CSRs for Nomad servers"
|
|
||||||
vars:
|
|
||||||
nomad_csr_sans: >-
|
|
||||||
{%- set sans_list = [
|
|
||||||
'DNS:' + inventory_hostname,
|
|
||||||
'DNS:localhost',
|
|
||||||
'IP:' + api_interface_address,
|
|
||||||
'IP:127.0.0.1'
|
|
||||||
] -%}
|
|
||||||
{%- if nomad_enable_server -%}
|
|
||||||
{%- set _ = sans_list.append('DNS:server.' ~ nomad_region ~ '.nomad') -%}
|
|
||||||
{%- if (enable_consul | bool) -%}
|
|
||||||
{%- set _ = sans_list.append('DNS:nomad.service.consul') -%}
|
|
||||||
{%- endif -%}
|
|
||||||
{%- endif -%}
|
|
||||||
{%- if nomad_enable_client -%}
|
|
||||||
{%- set _ = sans_list.append('DNS:client.' ~ nomad_region ~ '.nomad') -%}
|
|
||||||
{%- endif -%}
|
|
||||||
{{ sans_list }}
|
|
||||||
community.crypto.openssl_csr_pipe:
|
|
||||||
privatekey_path: "{{ nomad_private_key_path }}"
|
|
||||||
common_name: "{{ inventory_hostname }}"
|
|
||||||
subject_alt_name: "{{ nomad_csr_sans }}"
|
|
||||||
key_usage_critical: true
|
|
||||||
key_usage:
|
|
||||||
- Digital Signature
|
|
||||||
- Key Encipherment
|
|
||||||
extended_key_usage:
|
|
||||||
- TLS Web Server Authentication
|
|
||||||
- TLS Web Client Authentication
|
|
||||||
organization_name: EDNZ Cloud
|
|
||||||
use_common_name_for_san: false
|
|
||||||
register: nomad_csr
|
|
||||||
|
|
||||||
- name: "Sign certificates with internal CA"
|
|
||||||
community.crypto.x509_certificate:
|
|
||||||
path: "{{ nomad_certificate_path }}"
|
|
||||||
csr_content: "{{ nomad_csr.csr }}"
|
|
||||||
provider: ownca
|
|
||||||
ownca_path: "{{ hashistack_ca_cert_path }}"
|
|
||||||
ownca_privatekey_path: "{{ hashistack_ca_key_path }}"
|
|
||||||
ownca_not_after: "+365d"
|
|
||||||
ownca_not_before: "-1d"
|
|
||||||
|
|
||||||
- name: "Concatenate CA and Child certificates"
|
|
||||||
block:
|
|
||||||
- name: "Read content of ca.crt"
|
|
||||||
ansible.builtin.slurp:
|
|
||||||
src: "{{ hashistack_ca_cert_path }}"
|
|
||||||
register: ca_crt_content
|
|
||||||
|
|
||||||
- name: "Read content of cert.pem"
|
|
||||||
ansible.builtin.slurp:
|
|
||||||
src: "{{ nomad_certificate_path }}"
|
|
||||||
register: cert_pem_content
|
|
||||||
|
|
||||||
- name: "Concatenate certificates"
|
|
||||||
ansible.builtin.copy:
|
|
||||||
content: |
|
|
||||||
{{ cert_pem_content['content'] | b64decode }}{{ ca_crt_content['content'] | b64decode }}
|
|
||||||
dest: "{{ nomad_certificate_path }}"
|
|
||||||
owner: "{{ lookup('env', 'USER') }}"
|
|
||||||
group: "{{ lookup('env', 'USER') }}"
|
|
||||||
mode: "0644"
|
|
||||||
|
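Review bot: The new "Create Certificate Authority" task includes `ednz_cloud.hashistack.hashistack_ca` on every inventory host, each run delegated to localhost through `apply`, whereas the CA material it replaces was guarded by `run_once: true`. If the role (not visible here) generates the CA key and certificate, that is at best N redundant runs against the same localhost paths and, depending on the role's idempotency, could re-issue the CA part-way through the play while earlier hosts already hold certificates signed by the previous one; consider `run_once: true` on the include task and confirm it is honoured for the role's tasks (setting it under `apply:` otherwise). Whether the per-service certificate issuance that this hunk removes now lives inside the role is not visible in this diff, so I would confirm that before merging.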
@ -33,6 +33,17 @@ nomad_clients
|
|||||||
[deployment]
|
[deployment]
|
||||||
localhost ansible_connection=local
|
localhost ansible_connection=local
|
||||||
|
|
||||||
|
[consul:children]
|
||||||
|
consul_servers
|
||||||
|
consul_agents
|
||||||
|
|
||||||
|
[nomad:children]
|
||||||
|
nomad_servers
|
||||||
|
nomad_clients
|
||||||
|
|
||||||
|
[vault:children]
|
||||||
|
vault_servers
|
||||||
|
|
||||||
[common:children]
|
[common:children]
|
||||||
haproxy_servers
|
haproxy_servers
|
||||||
vault_servers
|
vault_servers
|
||||||
|
@ -3,4 +3,4 @@
|
|||||||
block:
|
block:
|
||||||
- name: "Deploy Consul Agents"
|
- name: "Deploy Consul Agents"
|
||||||
ansible.builtin.include_role:
|
ansible.builtin.include_role:
|
||||||
name: ednz_cloud.hashicorp_consul
|
name: ednz_cloud.hashistack.consul
|
||||||
|
@ -1,19 +1,19 @@
|
|||||||
---
|
---
|
||||||
- name: "Consul control plane"
|
- name: "Consul control plane"
|
||||||
block:
|
block:
|
||||||
- name: "Include ednz_cloud.hashicorp_consul"
|
- name: "Include ednz_cloud.hashistack.consul"
|
||||||
ansible.builtin.include_role:
|
ansible.builtin.include_role:
|
||||||
name: ednz_cloud.hashicorp_consul
|
name: ednz_cloud.hashistack.consul
|
||||||
|
|
||||||
- name: "Wait for consul cluster to initialize" # noqa: run-once[task]
|
- name: "Consul | Wait for consul cluster to initialize" # noqa: run-once[task]
|
||||||
block:
|
block:
|
||||||
- name: "Wait for consul nodes to stabilize"
|
- name: "Consul | Wait for consul nodes to stabilize"
|
||||||
ansible.builtin.wait_for:
|
ansible.builtin.wait_for:
|
||||||
host: "{{ api_interface_address }}"
|
host: "{{ api_interface_address }}"
|
||||||
port: "{{ consul_api_port[consul_api_scheme] }}"
|
port: "{{ consul_api_port[consul_api_scheme] }}"
|
||||||
delay: 10
|
delay: 10
|
||||||
|
|
||||||
- name: "Waiting for consul api to respond"
|
- name: "Consul | Waiting for consul api to respond"
|
||||||
ansible.builtin.uri:
|
ansible.builtin.uri:
|
||||||
url: "{{ consul_api_addr }}"
|
url: "{{ consul_api_addr }}"
|
||||||
validate_certs: no
|
validate_certs: no
|
||||||
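Review bot: `validate_certs: no` on "Consul | Waiting for consul api to respond" keeps TLS verification disabled on an API whose certificates are presumably now issued by the `hashistack_ca` role introduced in this PR, so the probe also accepts any endpoint answering on that address. If this is only a liveness wait that is acceptable, but then it should read `validate_certs: false` rather than `no`, which is a YAML 1.1 boolean that yamllint's truthy rule flags; otherwise set `validate_certs: true` and point `ca_path` at the generated CA certificate. This is an unchanged context line and the task continues past the end of the hunk.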
@ -25,7 +25,7 @@
|
|||||||
delay: 5
|
delay: 5
|
||||||
register: uri_output
|
register: uri_output
|
||||||
|
|
||||||
- name: "Initialize consul cluster" # noqa: run-once[task]
|
- name: "Consul | Initialize consul cluster" # noqa: run-once[task]
|
||||||
community.general.consul_acl_bootstrap:
|
community.general.consul_acl_bootstrap:
|
||||||
bootstrap_secret: "{{ _credentials.consul.root_token.secret_id }}"
|
bootstrap_secret: "{{ _credentials.consul.root_token.secret_id }}"
|
||||||
host: "{{ api_interface_address }}"
|
host: "{{ api_interface_address }}"
|
||||||
@ -35,16 +35,16 @@
|
|||||||
register: _consul_init_secret
|
register: _consul_init_secret
|
||||||
when:
|
when:
|
||||||
- consul_init_server
|
- consul_init_server
|
||||||
- hashicorp_consul_configuration.acl.enabled
|
- consul_configuration.acl.enabled
|
||||||
|
|
||||||
- name: "Create consul agents token"
|
- name: "Consul | Create consul agents token"
|
||||||
when:
|
when:
|
||||||
- consul_init_server
|
- consul_init_server
|
||||||
- hashicorp_consul_configuration.acl.enabled
|
- consul_configuration.acl.enabled
|
||||||
block:
|
block:
|
||||||
- name: "Create consul agents token" # noqa: run-once[task] no-handler
|
- name: "Consul | Create consul agents token" # noqa: run-once[task] no-handler
|
||||||
block:
|
block:
|
||||||
- name: "Create consul agent policy"
|
- name: "Consul | Create consul agent policy"
|
||||||
community.general.consul_policy:
|
community.general.consul_policy:
|
||||||
token: "{{ _credentials.consul.root_token.secret_id }}"
|
token: "{{ _credentials.consul.root_token.secret_id }}"
|
||||||
host: "{{ api_interface_address }}"
|
host: "{{ api_interface_address }}"
|
||||||
@ -56,7 +56,7 @@
|
|||||||
rules: "{{ consul_default_agent_policy }}"
|
rules: "{{ consul_default_agent_policy }}"
|
||||||
register: _consul_agent_policy
|
register: _consul_agent_policy
|
||||||
|
|
||||||
- name: "Create consul agents token"
|
- name: "Consul | Create consul agents token"
|
||||||
community.general.consul_token:
|
community.general.consul_token:
|
||||||
token: "{{ _credentials.consul.root_token.secret_id }}"
|
token: "{{ _credentials.consul.root_token.secret_id }}"
|
||||||
host: "{{ api_interface_address }}"
|
host: "{{ api_interface_address }}"
|
||||||
@ -69,10 +69,3 @@
|
|||||||
- id: "{{ _consul_agent_policy.policy.ID }}"
|
- id: "{{ _consul_agent_policy.policy.ID }}"
|
||||||
state: present
|
state: present
|
||||||
register: _consul_agent_token
|
register: _consul_agent_token
|
||||||
|
|
||||||
- name: "Restart consul service" # noqa: no-handler
|
|
||||||
ansible.builtin.service:
|
|
||||||
name: "{{ hashicorp_consul_service_name }}"
|
|
||||||
state: restarted
|
|
||||||
throttle: 1
|
|
||||||
when: _consul_agent_token.changed
|
|
||||||
|
@ -1,67 +0,0 @@
|
|||||||
---
|
|
||||||
# hashistack configuration merging for consul
|
|
||||||
- name: "Consul | Merge stringified configuration"
|
|
||||||
vars:
|
|
||||||
_config_to_merge: "{{ hashicorp_consul_configuration_string }}"
|
|
||||||
ansible.builtin.set_fact:
|
|
||||||
hashicorp_consul_configuration: "{{
|
|
||||||
hashicorp_consul_configuration |
|
|
||||||
combine(_config_to_merge|from_yaml, recursive=true)
|
|
||||||
}}"
|
|
||||||
when:
|
|
||||||
- hashicorp_consul_configuration_string is defined
|
|
||||||
|
|
||||||
- name: "Consul | Merge servers specific stringified configuration"
|
|
||||||
vars:
|
|
||||||
_config_to_merge: "{{ hashicorp_consul_servers_configuration_string }}"
|
|
||||||
ansible.builtin.set_fact:
|
|
||||||
hashicorp_consul_configuration: "{{
|
|
||||||
hashicorp_consul_configuration |
|
|
||||||
combine(_config_to_merge|from_yaml, recursive=true)
|
|
||||||
}}"
|
|
||||||
when:
|
|
||||||
- hashicorp_consul_configuration_string is defined
|
|
||||||
- "'consul_servers' in group_names"
|
|
||||||
|
|
||||||
- name: "Consul | Merge addresses configuration"
|
|
||||||
vars:
|
|
||||||
_config_to_merge: "{{ consul_address_configuration }}"
|
|
||||||
ansible.builtin.set_fact:
|
|
||||||
hashicorp_consul_configuration: "{{
|
|
||||||
hashicorp_consul_configuration |
|
|
||||||
combine(_config_to_merge, recursive=true)
|
|
||||||
}}"
|
|
||||||
when: consul_address_configuration is defined
|
|
||||||
|
|
||||||
- name: "Consul | Merge TLS configuration"
|
|
||||||
vars:
|
|
||||||
_config_to_merge:
|
|
||||||
tls: "{{ consul_tls_configuration }}"
|
|
||||||
ansible.builtin.set_fact:
|
|
||||||
hashicorp_consul_configuration: "{{
|
|
||||||
hashicorp_consul_configuration |
|
|
||||||
combine(_config_to_merge, recursive=true)
|
|
||||||
}}"
|
|
||||||
when: consul_enable_tls
|
|
||||||
|
|
||||||
- name: "Consul | Merge token configuration"
|
|
||||||
delegate_to: localhost
|
|
||||||
block:
|
|
||||||
- name: "Consul | Merge token configuration"
|
|
||||||
vars:
|
|
||||||
_config_to_merge:
|
|
||||||
acl:
|
|
||||||
tokens:
|
|
||||||
agent: "{{ _credentials.consul.tokens.agent.secret_id }}"
|
|
||||||
ansible.builtin.set_fact:
|
|
||||||
hashicorp_consul_configuration: "{{ hashicorp_consul_configuration | default({}) | combine(_config_to_merge, recursive=true) }}"
|
|
||||||
|
|
||||||
- name: "Consul | Merge extra configuration settings"
|
|
||||||
vars:
|
|
||||||
_config_to_merge: "{{ consul_extra_configuration }}"
|
|
||||||
ansible.builtin.set_fact:
|
|
||||||
hashicorp_consul_configuration: "{{
|
|
||||||
hashicorp_consul_configuration |
|
|
||||||
combine(_config_to_merge, recursive=true)
|
|
||||||
}}"
|
|
||||||
when: consul_extra_configuration is defined
|
|
@ -1,205 +0,0 @@
|
|||||||
---
|
|
||||||
# hashistack variable injection playbook
|
|
||||||
- name: "Load global variables"
|
|
||||||
block:
|
|
||||||
- name: "Stat global configuration file"
|
|
||||||
ansible.builtin.stat:
|
|
||||||
path: "{{ configuration_directory }}/{{ configuration_global_vars_file }}"
|
|
||||||
register: _global_config_file
|
|
||||||
delegate_to: localhost
|
|
||||||
|
|
||||||
- name: "Make sure global configuration file exists"
|
|
||||||
ansible.builtin.assert:
|
|
||||||
that:
|
|
||||||
- _global_config_file.stat.exists
|
|
||||||
fail_msg: >-
|
|
||||||
Main configuration file {{ _global_config_file.stat.path }} was not found, cannot continue without it.
|
|
||||||
delegate_to: localhost
|
|
||||||
|
|
||||||
- name: "Load global variables"
|
|
||||||
ansible.builtin.include_vars:
|
|
||||||
dir: "{{ configuration_directory }}"
|
|
||||||
files_matching: "{{ configuration_global_vars_file }}"
|
|
||||||
depth: 1
|
|
||||||
delegate_to: localhost
|
|
||||||
|
|
||||||
- name: "Load credentials variables"
|
|
||||||
block:
|
|
||||||
- name: "Stat credentials file"
|
|
||||||
ansible.builtin.stat:
|
|
||||||
path: "{{ sub_configuration_directories['secrets'] }}/{{ configuration_credentials_vars_file }}"
|
|
||||||
register: _credentials_file
|
|
||||||
delegate_to: localhost
|
|
||||||
|
|
||||||
- name: "Stat vault credentials file"
|
|
||||||
ansible.builtin.stat:
|
|
||||||
path: "{{ sub_configuration_directories['secrets'] }}/vault.yml"
|
|
||||||
register: _vault_credentials_file
|
|
||||||
delegate_to: localhost
|
|
||||||
|
|
||||||
- name: "Make sure credentials file exists"
|
|
||||||
ansible.builtin.assert:
|
|
||||||
that:
|
|
||||||
- _credentials_file.stat.exists
|
|
||||||
fail_msg: >-
|
|
||||||
Credentials file {{ _credentials_file.stat.path }} was not found, cannot continue without it.
|
|
||||||
delegate_to: localhost
|
|
||||||
|
|
||||||
- name: "Load credentials variables"
|
|
||||||
ansible.builtin.include_vars:
|
|
||||||
dir: "{{ sub_configuration_directories['secrets'] }}"
|
|
||||||
files_matching: "{{ configuration_credentials_vars_file }}"
|
|
||||||
depth: 1
|
|
||||||
name: _credentials
|
|
||||||
delegate_to: localhost
|
|
||||||
|
|
||||||
- name: "Load vault credentials if vault.yml exists"
|
|
||||||
ansible.builtin.include_vars:
|
|
||||||
dir: "{{ sub_configuration_directories['secrets'] }}"
|
|
||||||
files_matching: "vault.yml"
|
|
||||||
depth: 1
|
|
||||||
name: _vault_credentials
|
|
||||||
when: _vault_credentials_file.stat.exists
|
|
||||||
delegate_to: localhost
|
|
||||||
|
|
||||||
- name: "Merge vault credentials into _credentials"
|
|
||||||
vars:
|
|
||||||
_config_to_merge:
|
|
||||||
vault: "{{ _vault_credentials }}"
|
|
||||||
ansible.builtin.set_fact:
|
|
||||||
_credentials: "{{ _credentials | combine(_vault_credentials, recursive=true) }}"
|
|
||||||
when: _vault_credentials_file.stat.exists
|
|
||||||
delegate_to: localhost
|
|
||||||
|
|
||||||
- name: "Load group specific variables"
|
|
||||||
block:
|
|
||||||
- name: "Stat group specific config file"
|
|
||||||
ansible.builtin.stat:
|
|
||||||
path: "{{ configuration_directory }}/{{ group_name }}/{{ configuration_global_vars_file }}"
|
|
||||||
register: _group_config_file
|
|
||||||
loop: "{{ group_names }}"
|
|
||||||
loop_control:
|
|
||||||
loop_var: group_name
|
|
||||||
|
|
||||||
- name: Load group specific variables
|
|
||||||
ansible.builtin.include_vars:
|
|
||||||
dir: "{{ configuration_directory }}/{{ item.group_name }}"
|
|
||||||
files_matching: "{{ configuration_global_vars_file }}"
|
|
||||||
depth: 1
|
|
||||||
loop: "{{ _group_config_file.results }}"
|
|
||||||
when: item.stat.exists
|
|
||||||
and item.group_name in group_names
|
|
||||||
loop_control:
|
|
||||||
loop_var: item
|
|
||||||
delegate_to: localhost
|
|
||||||
|
|
||||||
- name: "Load host specific variables"
|
|
||||||
block:
|
|
||||||
- name: "Stat host specific config file"
|
|
||||||
ansible.builtin.stat:
|
|
||||||
path: "{{ configuration_directory }}/{{ group_name }}/{{ inventory_hostname }}/{{ configuration_global_vars_file }}"
|
|
||||||
register: _host_config_file
|
|
||||||
loop: "{{ group_names }}"
|
|
||||||
loop_control:
|
|
||||||
loop_var: group_name
|
|
||||||
delegate_to: localhost
|
|
||||||
|
|
||||||
- name: Load host specific variables
|
|
||||||
ansible.builtin.include_vars:
|
|
||||||
dir: "{{ configuration_directory }}/{{ item.group_name }}/{{ inventory_hostname }}"
|
|
||||||
files_matching: "{{ configuration_global_vars_file }}"
|
|
||||||
loop: "{{ _host_config_file.results }}"
|
|
||||||
when: item.stat.exists
|
|
||||||
loop_control:
|
|
||||||
loop_var: item
|
|
||||||
delegate_to: localhost
|
|
||||||
|
|
||||||
- name: "Ensure remote directories exists"
|
|
||||||
ansible.builtin.file:
|
|
||||||
path: "{{ item }}"
|
|
||||||
state: directory
|
|
||||||
owner: root
|
|
||||||
group: root
|
|
||||||
mode: 0755
|
|
||||||
loop:
|
|
||||||
- "{{ hashistack_remote_config_dir }}"
|
|
||||||
- "{{ hashistack_remote_data_dir }}"
|
|
||||||
|
|
||||||
- name: "Load custom CA certificates"
|
|
||||||
block:
|
|
||||||
- name: "Check if CA directory exists"
|
|
||||||
ansible.builtin.stat:
|
|
||||||
path: "{{ sub_configuration_directories['certificates'] }}/ca"
|
|
||||||
register: _hashistack_ca_directory
|
|
||||||
delegate_to: localhost
|
|
||||||
|
|
||||||
- name: "Find custom ca certificates to copy"
|
|
||||||
ansible.builtin.find:
|
|
||||||
paths: "{{ sub_configuration_directories['certificates'] }}/ca"
|
|
||||||
patterns: "*.crt"
|
|
||||||
register: _hashistack_cacert_files
|
|
||||||
delegate_to: localhost
|
|
||||||
when: _hashistack_ca_directory.stat.exists and _hashistack_ca_directory.stat.isdir
|
|
||||||
|
|
||||||
- name: "Ensure remote ca directory exists"
|
|
||||||
ansible.builtin.file:
|
|
||||||
path: "{{ hashistack_remote_config_dir }}/ca"
|
|
||||||
state: directory
|
|
||||||
owner: root
|
|
||||||
group: root
|
|
||||||
mode: 0755
|
|
||||||
|
|
||||||
- name: "Copy custom ca certificates"
|
|
||||||
ansible.builtin.copy:
|
|
||||||
src: "{{ item.path }}"
|
|
||||||
dest: "{{ hashistack_remote_config_dir }}/ca/{{ item.path | basename }}"
|
|
||||||
owner: root
|
|
||||||
group: root
|
|
||||||
mode: 0644
|
|
||||||
loop: "{{ _hashistack_cacert_files.files }}"
|
|
||||||
register: _hashistack_copied_ca
|
|
||||||
|
|
||||||
- name: "Copy and update trust store"
|
|
||||||
block:
|
|
||||||
- name: "Copy ca certificates to /usr/loca/share/ca-certificates"
|
|
||||||
ansible.builtin.file:
|
|
||||||
state: link
|
|
||||||
src: "{{ item.dest }}"
|
|
||||||
dest: "/usr/local/share/ca-certificates/hashistack-customca-{{ item.dest | basename }}"
|
|
||||||
owner: root
|
|
||||||
group: root
|
|
||||||
loop: "{{ _hashistack_copied_ca.results }}"
|
|
||||||
register: _hashistack_usr_local_share_ca_certificates
|
|
||||||
|
|
||||||
- name: "Update the trust store"
|
|
||||||
ansible.builtin.command: update-ca-certificates
|
|
||||||
changed_when: false
|
|
||||||
when: _hashistack_usr_local_share_ca_certificates.changed
|
|
||||||
|
|
||||||
# - name: "Initialize list of CA certificates"
|
|
||||||
# ansible.builtin.set_fact:
|
|
||||||
# hashistack_cacert_extra_files: []
|
|
||||||
# delegate_to: localhost
|
|
||||||
|
|
||||||
# - name: "Add custom CA to list of extra certificates"
|
|
||||||
# ansible.builtin.set_fact:
|
|
||||||
# hashistack_cacert_extra_files: "{{
|
|
||||||
# hashistack_cacert_extra_files | default([])
|
|
||||||
# + [{'src': item.path, 'dest': '/etc/ssl/certs/hashistack-custom-' + item.path | basename}] }}"
|
|
||||||
# loop: "{{ _hashistack_cacert_files.files }}"
|
|
||||||
# delegate_to: localhost
|
|
||||||
# when: _hashistack_cacert_files.matched > 0
|
|
||||||
|
|
||||||
- name: "Merge consul configurations"
|
|
||||||
ansible.builtin.import_tasks:
|
|
||||||
file: "consul/consul_vars.yml"
|
|
||||||
when:
|
|
||||||
- enable_consul | bool
|
|
||||||
- "('consul_servers' in group_names) or ('consul_agents' in group_names)"
|
|
||||||
|
|
||||||
- name: "Merge vault configurations"
|
|
||||||
ansible.builtin.import_tasks:
|
|
||||||
file: "vault/vault_vars.yml"
|
|
||||||
when:
|
|
||||||
- enable_vault | bool
|
|
||||||
- "'vault_servers' in group_names"
|
|
@ -1,51 +0,0 @@
|
|||||||
---
|
|
||||||
- name: "Check if CA directory exists"
|
|
||||||
ansible.builtin.stat:
|
|
||||||
path: "{{ sub_configuration_directories['certificates'] }}/ca"
|
|
||||||
register: _hashistack_ca_directory
|
|
||||||
delegate_to: localhost
|
|
||||||
|
|
||||||
- name: "Find custom ca certificates to copy"
|
|
||||||
ansible.builtin.find:
|
|
||||||
paths: "{{ sub_configuration_directories['certificates'] }}/ca"
|
|
||||||
patterns: "*.crt"
|
|
||||||
register: _hashistack_cacert_files
|
|
||||||
delegate_to: localhost
|
|
||||||
when: _hashistack_ca_directory.stat.exists and _hashistack_ca_directory.stat.isdir
|
|
||||||
|
|
||||||
- name: "Ensure remote ca directory exists"
|
|
||||||
ansible.builtin.file:
|
|
||||||
path: "{{ hashistack_remote_config_dir }}/ca"
|
|
||||||
state: directory
|
|
||||||
owner: root
|
|
||||||
group: root
|
|
||||||
mode: 0755
|
|
||||||
|
|
||||||
- name: "Copy custom ca certificates"
|
|
||||||
ansible.builtin.copy:
|
|
||||||
src: "{{ item.path }}"
|
|
||||||
dest: "{{ hashistack_remote_config_dir }}/ca/{{ item.path | basename }}"
|
|
||||||
owner: root
|
|
||||||
group: root
|
|
||||||
mode: 0644
|
|
||||||
loop: "{{ _hashistack_cacert_files.files }}"
|
|
||||||
register: _hashistack_copied_ca
|
|
||||||
when: not _hashistack_cacert_files.skipped | default(False)
|
|
||||||
|
|
||||||
- name: "Copy and update trust store"
|
|
||||||
when: not _hashistack_copied_ca.skipped | default(False)
|
|
||||||
block:
|
|
||||||
- name: "Copy ca certificates to /usr/local/share/ca-certificates"
|
|
||||||
ansible.builtin.file:
|
|
||||||
state: link
|
|
||||||
src: "{{ item.dest }}"
|
|
||||||
dest: "/usr/local/share/ca-certificates/hashistack-customca-{{ item.dest | basename }}"
|
|
||||||
owner: root
|
|
||||||
group: root
|
|
||||||
loop: "{{ _hashistack_copied_ca.results }}"
|
|
||||||
register: _hashistack_usr_local_share_ca_certificates
|
|
||||||
|
|
||||||
- name: "Update the trust store" # noqa: no-handler
|
|
||||||
ansible.builtin.command: update-ca-certificates
|
|
||||||
changed_when: false
|
|
||||||
when: _hashistack_usr_local_share_ca_certificates.changed
|
|
@ -1,46 +0,0 @@
|
|||||||
---
|
|
||||||
- name: "Stat credentials file"
|
|
||||||
ansible.builtin.stat:
|
|
||||||
path: "{{ sub_configuration_directories['secrets'] }}/{{ configuration_credentials_vars_file }}"
|
|
||||||
register: _credentials_file
|
|
||||||
delegate_to: localhost
|
|
||||||
|
|
||||||
- name: "Stat vault credentials file"
|
|
||||||
ansible.builtin.stat:
|
|
||||||
path: "{{ sub_configuration_directories['secrets'] }}/vault.yml"
|
|
||||||
register: _vault_credentials_file
|
|
||||||
delegate_to: localhost
|
|
||||||
|
|
||||||
- name: "Make sure credentials file exists"
|
|
||||||
ansible.builtin.assert:
|
|
||||||
that:
|
|
||||||
- _credentials_file.stat.exists
|
|
||||||
fail_msg: >-
|
|
||||||
Credentials file {{ _credentials_file.stat.path }} was not found, cannot continue without it.
|
|
||||||
delegate_to: localhost
|
|
||||||
|
|
||||||
- name: "Load credentials variables"
|
|
||||||
ansible.builtin.include_vars:
|
|
||||||
dir: "{{ sub_configuration_directories['secrets'] }}"
|
|
||||||
files_matching: "{{ configuration_credentials_vars_file }}"
|
|
||||||
depth: 1
|
|
||||||
name: _credentials
|
|
||||||
delegate_to: localhost
|
|
||||||
|
|
||||||
- name: "Load vault credentials if vault.yml exists"
|
|
||||||
ansible.builtin.include_vars:
|
|
||||||
dir: "{{ sub_configuration_directories['secrets'] }}"
|
|
||||||
files_matching: "vault.yml"
|
|
||||||
depth: 1
|
|
||||||
name: _vault_credentials
|
|
||||||
when: _vault_credentials_file.stat.exists
|
|
||||||
delegate_to: localhost
|
|
||||||
|
|
||||||
- name: "Merge vault credentials into _credentials"
|
|
||||||
vars:
|
|
||||||
_config_to_merge:
|
|
||||||
vault: "{{ _vault_credentials }}"
|
|
||||||
ansible.builtin.set_fact:
|
|
||||||
_credentials: "{{ _credentials | combine(_config_to_merge, recursive=true) }}"
|
|
||||||
when: _vault_credentials_file.stat.exists
|
|
||||||
delegate_to: localhost
|
|
@ -1,28 +0,0 @@
|
|||||||
---
|
|
||||||
- name: "Include all default variables"
|
|
||||||
ansible.builtin.include_vars:
|
|
||||||
dir: "../../group_vars/all"
|
|
||||||
depth: 1
|
|
||||||
extensions: ["yml"]
|
|
||||||
delegate_to: localhost
|
|
||||||
|
|
||||||
- name: "Stat global configuration file"
|
|
||||||
ansible.builtin.stat:
|
|
||||||
path: "{{ configuration_directory }}/{{ configuration_global_vars_file }}"
|
|
||||||
register: _global_config_file
|
|
||||||
delegate_to: localhost
|
|
||||||
|
|
||||||
- name: "Make sure global configuration file exists"
|
|
||||||
ansible.builtin.assert:
|
|
||||||
that:
|
|
||||||
- _global_config_file.stat.exists
|
|
||||||
fail_msg: >-
|
|
||||||
Main configuration file {{ _global_config_file.stat.path }} was not found, cannot continue without it.
|
|
||||||
delegate_to: localhost
|
|
||||||
|
|
||||||
- name: "Load global variables"
|
|
||||||
ansible.builtin.include_vars:
|
|
||||||
dir: "{{ configuration_directory }}"
|
|
||||||
files_matching: "{{ configuration_global_vars_file }}"
|
|
||||||
depth: 1
|
|
||||||
delegate_to: localhost
|
|
@ -1,20 +0,0 @@
|
|||||||
---
|
|
||||||
- name: "Stat group specific config file"
|
|
||||||
ansible.builtin.stat:
|
|
||||||
path: "{{ configuration_directory }}/{{ group_name }}/{{ configuration_global_vars_file }}"
|
|
||||||
register: _group_config_file
|
|
||||||
loop: "{{ group_names }}"
|
|
||||||
loop_control:
|
|
||||||
loop_var: group_name
|
|
||||||
|
|
||||||
- name: Load group specific variables
|
|
||||||
ansible.builtin.include_vars:
|
|
||||||
dir: "{{ configuration_directory }}/{{ item.group_name }}"
|
|
||||||
files_matching: "{{ configuration_global_vars_file }}"
|
|
||||||
depth: 1
|
|
||||||
loop: "{{ _group_config_file.results }}"
|
|
||||||
when: item.stat.exists
|
|
||||||
and item.group_name in group_names
|
|
||||||
loop_control:
|
|
||||||
loop_var: item
|
|
||||||
delegate_to: localhost
|
|
@ -1,19 +0,0 @@
|
|||||||
---
|
|
||||||
- name: "Stat host specific config file"
|
|
||||||
ansible.builtin.stat:
|
|
||||||
path: "{{ configuration_directory }}/{{ group_name }}/{{ inventory_hostname }}/{{ configuration_global_vars_file }}"
|
|
||||||
register: _host_config_file
|
|
||||||
loop: "{{ group_names }}"
|
|
||||||
loop_control:
|
|
||||||
loop_var: group_name
|
|
||||||
delegate_to: localhost
|
|
||||||
|
|
||||||
- name: Load host specific variables
|
|
||||||
ansible.builtin.include_vars:
|
|
||||||
dir: "{{ configuration_directory }}/{{ item.group_name }}/{{ inventory_hostname }}"
|
|
||||||
files_matching: "{{ configuration_global_vars_file }}"
|
|
||||||
loop: "{{ _host_config_file.results }}"
|
|
||||||
when: item.stat.exists
|
|
||||||
loop_control:
|
|
||||||
loop_var: item
|
|
||||||
delegate_to: localhost
|
|
@ -1,11 +1,15 @@
|
|||||||
---
|
---
|
||||||
- name: "Nomad clients"
|
- name: "Nomad clients"
|
||||||
block:
|
block:
|
||||||
- name: "Install docker driver"
|
- name: "Nomad | Install docker driver"
|
||||||
ansible.builtin.include_role:
|
ansible.builtin.include_role:
|
||||||
name: ednz_cloud.install_docker
|
name: ednz_cloud.install_docker
|
||||||
when: nomad_driver_enable_docker
|
when: nomad_driver_enable_docker
|
||||||
|
|
||||||
- name: "Deploy Nomad Clients"
|
- name: "Include ednz_cloud.hashistack.cni"
|
||||||
ansible.builtin.include_role:
|
ansible.builtin.include_role:
|
||||||
name: ednz_cloud.hashicorp_nomad
|
name: ednz_cloud.hashistack.cni
|
||||||
|
|
||||||
|
- name: "Nomad | Deploy Clients"
|
||||||
|
ansible.builtin.include_role:
|
||||||
|
name: ednz_cloud.hashistack.nomad
|
||||||
|
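Review bot: The new task name `Include ednz_cloud.hashistack.cni` drops the `Nomad | ` prefix that this same hunk introduces for its sibling tasks (`Nomad | Install docker driver`, `Nomad | Deploy Clients`), and the same applies to the `Include ednz_cloud.hashistack.cni` / `Include ednz_cloud.hashistack.nomad` names added in the control-plane hunk at `@ -67,11 +67,16 @@`. Consistent prefixes matter here because these names are what `--list-tasks` and the run log show when a client bootstrap fails; `- name: "Nomad | Include ednz_cloud.hashistack.cni"` would keep the convention.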
@ -1,7 +1,7 @@
|
|||||||
---
|
---
|
||||||
- name: "Nomad control plane"
|
- name: "Nomad control plane"
|
||||||
block:
|
block:
|
||||||
- name: "Create consul tokens for service registration"
|
- name: "Nomad | Create consul tokens for service registration"
|
||||||
when:
|
when:
|
||||||
- nomad_init_server
|
- nomad_init_server
|
||||||
- enable_consul
|
- enable_consul
|
||||||
@ -11,9 +11,9 @@
|
|||||||
_consul_port: "{{ hostvars[groups['consul_servers'][0]].consul_api_port[hostvars[groups['consul_servers'][0]].consul_api_scheme] }}"
|
_consul_port: "{{ hostvars[groups['consul_servers'][0]].consul_api_port[hostvars[groups['consul_servers'][0]].consul_api_scheme] }}"
|
||||||
_consul_scheme: "{{ hostvars[groups['consul_servers'][0]].consul_api_scheme }}"
|
_consul_scheme: "{{ hostvars[groups['consul_servers'][0]].consul_api_scheme }}"
|
||||||
block:
|
block:
|
||||||
- name: "Create server credentials"
|
- name: "Nomad | Create server credentials"
|
||||||
block:
|
block:
|
||||||
- name: "Create consul server policy"
|
- name: "Nomad | Create consul server policy"
|
||||||
community.general.consul_policy:
|
community.general.consul_policy:
|
||||||
token: "{{ _credentials.consul.root_token.secret_id }}"
|
token: "{{ _credentials.consul.root_token.secret_id }}"
|
||||||
host: "{{ _consul_host }}"
|
host: "{{ _consul_host }}"
|
||||||
@ -25,7 +25,7 @@
|
|||||||
rules: "{{ nomad_consul_integration_server_policy }}"
|
rules: "{{ nomad_consul_integration_server_policy }}"
|
||||||
register: _consul_nomad_server_policy
|
register: _consul_nomad_server_policy
|
||||||
|
|
||||||
- name: "Create consul server token" # noqa: no-handler
|
- name: "Nomad | Create consul server token" # noqa: no-handler
|
||||||
community.general.consul_token:
|
community.general.consul_token:
|
||||||
token: "{{ _credentials.consul.root_token.secret_id }}"
|
token: "{{ _credentials.consul.root_token.secret_id }}"
|
||||||
host: "{{ _consul_host }}"
|
host: "{{ _consul_host }}"
|
||||||
@ -39,9 +39,9 @@
|
|||||||
state: present
|
state: present
|
||||||
when: _consul_nomad_server_policy.changed
|
when: _consul_nomad_server_policy.changed
|
||||||
|
|
||||||
- name: "Create client credentials"
|
- name: "Nomad | Create client credentials"
|
||||||
block:
|
block:
|
||||||
- name: "Create consul client policy"
|
- name: "Nomad | Create consul client policy"
|
||||||
community.general.consul_policy:
|
community.general.consul_policy:
|
||||||
token: "{{ _credentials.consul.root_token.secret_id }}"
|
token: "{{ _credentials.consul.root_token.secret_id }}"
|
||||||
host: "{{ _consul_host }}"
|
host: "{{ _consul_host }}"
|
||||||
@ -53,7 +53,7 @@
|
|||||||
rules: "{{ nomad_consul_integration_client_policy }}"
|
rules: "{{ nomad_consul_integration_client_policy }}"
|
||||||
register: _consul_nomad_client_policy
|
register: _consul_nomad_client_policy
|
||||||
|
|
||||||
- name: "Create consul client token" # noqa: no-handler
|
- name: "Nomad | Create consul client token" # noqa: no-handler
|
||||||
community.general.consul_token:
|
community.general.consul_token:
|
||||||
token: "{{ _credentials.consul.root_token.secret_id }}"
|
token: "{{ _credentials.consul.root_token.secret_id }}"
|
||||||
host: "{{ _consul_host }}"
|
host: "{{ _consul_host }}"
|
||||||
@ -67,11 +67,16 @@
|
|||||||
state: present
|
state: present
|
||||||
when: _consul_nomad_client_policy.changed
|
when: _consul_nomad_client_policy.changed
|
||||||
|
|
||||||
- name: "Include ednz_cloud.hashicorp_nomad"
|
- name: "Include ednz_cloud.hashistack.cni"
|
||||||
ansible.builtin.include_role:
|
ansible.builtin.include_role:
|
||||||
name: ednz_cloud.hashicorp_nomad
|
name: ednz_cloud.hashistack.cni
|
||||||
|
when: nomad_enable_client
|
||||||
|
|
||||||
- name: "Initialize nomad cluster" # noqa: run-once[task]
|
- name: "Include ednz_cloud.hashistack.nomad"
|
||||||
|
ansible.builtin.include_role:
|
||||||
|
name: ednz_cloud.hashistack.nomad
|
||||||
|
|
||||||
|
- name: "Nomad | Initialize nomad cluster" # noqa: run-once[task]
|
||||||
ednz_cloud.hashistack.nomad_acl_bootstrap:
|
ednz_cloud.hashistack.nomad_acl_bootstrap:
|
||||||
bootstrap_secret: "{{ _credentials.nomad.root_token.secret_id }}"
|
bootstrap_secret: "{{ _credentials.nomad.root_token.secret_id }}"
|
||||||
api_url: "{{ nomad_api_addr }}"
|
api_url: "{{ nomad_api_addr }}"
|
||||||
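Review bot: The `Nomad | Initialize nomad cluster` task passes the root token as `bootstrap_secret` in its module arguments without `no_log: true`, so a verbose run (`-v` or higher) or a failed-task result dump prints it to the controller output and to whatever log collector sits behind it; the same holds for `token:` on the consul_policy/consul_token tasks earlier in this file and, in the Vault file, for `_vault_init_secret.state` in the `@ -53,10 +58,10 @@` copy task and `key_shares` in both unseal tasks of `@ -66,23 +71,25 @@`. Unless the collection's modules already mark those arguments `no_log` in their argument spec — which cannot be seen from this diff — adding `no_log: true` to each of these tasks is the usual fix. The bootstrap task's remaining arguments and its `when:` continue in the next hunk.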
@ -79,4 +84,4 @@
|
|||||||
register: _nomad_init_secret
|
register: _nomad_init_secret
|
||||||
when:
|
when:
|
||||||
- nomad_init_server
|
- nomad_init_server
|
||||||
- hashicorp_nomad_configuration.acl.enabled
|
- nomad_configuration.acl.enabled
|
||||||
|
@ -5,7 +5,7 @@
|
|||||||
ansible.builtin.import_tasks:
|
ansible.builtin.import_tasks:
|
||||||
file: nomad_control_plane.yml
|
file: nomad_control_plane.yml
|
||||||
when:
|
when:
|
||||||
- "'nomad_servers' in group_names"
|
- nomad_enable_server
|
||||||
tags:
|
tags:
|
||||||
- nomad_servers
|
- nomad_servers
|
||||||
|
|
||||||
@ -13,7 +13,7 @@
|
|||||||
ansible.builtin.import_tasks:
|
ansible.builtin.import_tasks:
|
||||||
file: nomad_clients.yml
|
file: nomad_clients.yml
|
||||||
when:
|
when:
|
||||||
- "'nomad_clients' in group_names"
|
- nomad_enable_client
|
||||||
- "'nomad_servers' not in group_names"
|
- not nomad_enable_server
|
||||||
tags:
|
tags:
|
||||||
- nomad_clients
|
- nomad_clients
|
||||||
|
@ -1,125 +0,0 @@
|
|||||||
---
|
|
||||||
# hashistack configuration merging for nomad
|
|
||||||
- name: "Nomad | Merge stringified configuration"
|
|
||||||
vars:
|
|
||||||
_config_to_merge: "{{ hashicorp_nomad_configuration_string }}"
|
|
||||||
ansible.builtin.set_fact:
|
|
||||||
hashicorp_nomad_configuration: "{{
|
|
||||||
hashicorp_nomad_configuration |
|
|
||||||
combine(_config_to_merge|from_yaml, recursive=true)
|
|
||||||
}}"
|
|
||||||
when:
|
|
||||||
- hashicorp_nomad_configuration_string is defined
|
|
||||||
- "'nomad_servers' in group_names"
|
|
||||||
|
|
||||||
- name: "Nomad | Merge addresses configuration"
|
|
||||||
vars:
|
|
||||||
_config_to_merge: "{{ nomad_address_configuration }}"
|
|
||||||
ansible.builtin.set_fact:
|
|
||||||
hashicorp_nomad_configuration: "{{
|
|
||||||
hashicorp_nomad_configuration |
|
|
||||||
combine(_config_to_merge, recursive=true)
|
|
||||||
}}"
|
|
||||||
when: nomad_address_configuration is defined
|
|
||||||
|
|
||||||
- name: "Nomad | Merge consul integration configuration"
|
|
||||||
when:
|
|
||||||
- enable_consul | bool
|
|
||||||
- nomad_enable_consul_integration | bool
|
|
||||||
block:
|
|
||||||
- name: "Nomad | Merge consul tls configuration"
|
|
||||||
when:
|
|
||||||
- nomad_consul_integration_configuration.ssl is defined
|
|
||||||
- nomad_consul_integration_configuration.ssl | bool
|
|
||||||
block:
|
|
||||||
- name: "Nomad | Merge consul default client configuration"
|
|
||||||
vars:
|
|
||||||
_config_to_merge: "{{ nomad_consul_integration_tls_configuration }}"
|
|
||||||
ansible.builtin.set_fact:
|
|
||||||
nomad_consul_integration_configuration: "{{
|
|
||||||
nomad_consul_integration_configuration |
|
|
||||||
combine(_config_to_merge, recursive=true)
|
|
||||||
}}"
|
|
||||||
|
|
||||||
- name: "Nomad | Merge consul configuration for nomad servers"
|
|
||||||
when:
|
|
||||||
- nomad_enable_server
|
|
||||||
block:
|
|
||||||
- name: "Nomad | Merge consul default server configuration"
|
|
||||||
vars:
|
|
||||||
_config_to_merge: "{{ nomad_consul_integration_server_configuration }}"
|
|
||||||
ansible.builtin.set_fact:
|
|
||||||
nomad_consul_integration_configuration: "{{
|
|
||||||
nomad_consul_integration_configuration |
|
|
||||||
combine(_config_to_merge, recursive=true)
|
|
||||||
}}"
|
|
||||||
|
|
||||||
- name: "Nomad | Merge consul configuration for nomad clients"
|
|
||||||
when:
|
|
||||||
- nomad_enable_client
|
|
||||||
block:
|
|
||||||
- name: "Nomad | Merge consul default client configuration"
|
|
||||||
vars:
|
|
||||||
_config_to_merge: "{{ nomad_consul_integration_client_configuration }}"
|
|
||||||
ansible.builtin.set_fact:
|
|
||||||
nomad_consul_integration_configuration: "{{
|
|
||||||
nomad_consul_integration_configuration |
|
|
||||||
combine(_config_to_merge, recursive=true)
|
|
||||||
}}"
|
|
||||||
|
|
||||||
- name: "Nomad | Merge consul tls client configuration"
|
|
||||||
vars:
|
|
||||||
_config_to_merge: "{{ nomad_consul_integration_client_tls_configuration }}"
|
|
||||||
ansible.builtin.set_fact:
|
|
||||||
nomad_consul_integration_configuration: "{{
|
|
||||||
nomad_consul_integration_configuration |
|
|
||||||
combine(_config_to_merge, recursive=true)
|
|
||||||
}}"
|
|
||||||
when:
|
|
||||||
- nomad_consul_integration_configuration.ssl is defined
|
|
||||||
- nomad_consul_integration_configuration.ssl | bool
|
|
||||||
|
|
||||||
- name: "Nomad | Merge consul block into main configuration"
|
|
||||||
vars:
|
|
||||||
_config_to_merge:
|
|
||||||
consul: "{{ nomad_consul_integration_configuration }}"
|
|
||||||
ansible.builtin.set_fact:
|
|
||||||
hashicorp_nomad_configuration: "{{
|
|
||||||
hashicorp_nomad_configuration |
|
|
||||||
combine(_config_to_merge, recursive=true)
|
|
||||||
}}"
|
|
||||||
|
|
||||||
- name: "Nomad | Merge TLS configuration"
|
|
||||||
vars:
|
|
||||||
_config_to_merge:
|
|
||||||
tls: "{{ nomad_tls_configuration }}"
|
|
||||||
ansible.builtin.set_fact:
|
|
||||||
hashicorp_nomad_configuration: "{{
|
|
||||||
hashicorp_nomad_configuration |
|
|
||||||
combine(_config_to_merge, recursive=true)
|
|
||||||
}}"
|
|
||||||
when: nomad_enable_tls
|
|
||||||
|
|
||||||
- name: "Nomad | Merge plugin configuration"
|
|
||||||
vars:
|
|
||||||
_config_to_merge:
|
|
||||||
plugin: "{{
|
|
||||||
nomad_driver_configuration |
|
|
||||||
combine(nomad_driver_extra_configuration, recursive=true)
|
|
||||||
}}"
|
|
||||||
ansible.builtin.set_fact:
|
|
||||||
hashicorp_nomad_configuration: "{{
|
|
||||||
hashicorp_nomad_configuration |
|
|
||||||
combine(_config_to_merge, recursive=true)
|
|
||||||
}}"
|
|
||||||
when: "'nomad_clients' in group_names"
|
|
||||||
|
|
||||||
- name: "Nomad | Merge extra configuration settings"
|
|
||||||
vars:
|
|
||||||
_config_to_merge: "{{ nomad_extra_configuration }}"
|
|
||||||
ansible.builtin.set_fact:
|
|
||||||
hashicorp_nomad_configuration: "{{
|
|
||||||
hashicorp_nomad_configuration |
|
|
||||||
combine(_config_to_merge, recursive=true)
|
|
||||||
}}"
|
|
||||||
when: nomad_extra_configuration is defined
|
|
@ -1,7 +1,7 @@
|
|||||||
---
|
---
|
||||||
- name: "Vault control plane"
|
- name: "Vault control plane"
|
||||||
block:
|
block:
|
||||||
- name: "Create consul token for service registration"
|
- name: "Vault | Create consul token for service registration"
|
||||||
when:
|
when:
|
||||||
- vault_init_server
|
- vault_init_server
|
||||||
- enable_consul
|
- enable_consul
|
||||||
@ -11,7 +11,7 @@
|
|||||||
_consul_vault_sr_port: "{{ hostvars[groups['consul_servers'][0]].consul_api_port[hostvars[groups['consul_servers'][0]].consul_api_scheme] }}"
|
_consul_vault_sr_port: "{{ hostvars[groups['consul_servers'][0]].consul_api_port[hostvars[groups['consul_servers'][0]].consul_api_scheme] }}"
|
||||||
_consul_vault_sr_scheme: "{{ hostvars[groups['consul_servers'][0]].consul_api_scheme }}"
|
_consul_vault_sr_scheme: "{{ hostvars[groups['consul_servers'][0]].consul_api_scheme }}"
|
||||||
block:
|
block:
|
||||||
- name: "Create consul vault policy"
|
- name: "Vault | Create consul vault policy"
|
||||||
community.general.consul_policy:
|
community.general.consul_policy:
|
||||||
token: "{{ _credentials.consul.root_token.secret_id }}"
|
token: "{{ _credentials.consul.root_token.secret_id }}"
|
||||||
host: "{{ _consul_vault_sr_host }}"
|
host: "{{ _consul_vault_sr_host }}"
|
||||||
@ -23,7 +23,7 @@
|
|||||||
rules: "{{ vault_service_registration_policy }}"
|
rules: "{{ vault_service_registration_policy }}"
|
||||||
register: _consul_vault_policy
|
register: _consul_vault_policy
|
||||||
|
|
||||||
- name: "Create consul vault token" # noqa: no-handler
|
- name: "Vault | Create consul vault token" # noqa: no-handler
|
||||||
community.general.consul_token:
|
community.general.consul_token:
|
||||||
token: "{{ _credentials.consul.root_token.secret_id }}"
|
token: "{{ _credentials.consul.root_token.secret_id }}"
|
||||||
host: "{{ _consul_vault_sr_host }}"
|
host: "{{ _consul_vault_sr_host }}"
|
||||||
@ -37,14 +37,19 @@
|
|||||||
state: present
|
state: present
|
||||||
when: _consul_vault_policy.changed
|
when: _consul_vault_policy.changed
|
||||||
|
|
||||||
- name: "Include ednz_cloud.hashicorp_consul"
|
- name: "Vault | Stat vault secret file"
|
||||||
ansible.builtin.include_role:
|
ansible.builtin.stat:
|
||||||
name: ednz_cloud.hashicorp_vault
|
path: "{{ hashistack_sub_configuration_directories.secrets }}/vault.yml"
|
||||||
|
register: _vault_needs_early_unseal
|
||||||
|
|
||||||
- name: "Initialize vault cluster" # noqa: run-once[task]
|
- name: "Include ednz_cloud.hashistack.vault"
|
||||||
|
ansible.builtin.include_role:
|
||||||
|
name: ednz_cloud.hashistack.vault
|
||||||
|
|
||||||
|
- name: "Vault | Initialize vault cluster" # noqa: run-once[task]
|
||||||
ednz_cloud.hashistack.vault_init:
|
ednz_cloud.hashistack.vault_init:
|
||||||
api_url: "{{ hashicorp_vault_configuration['api_addr'] }}"
|
api_url: "{{ vault_configuration['api_addr'] }}"
|
||||||
tls_verify: "{{ vault_tls_verify }}"
|
tls_verify: false
|
||||||
key_shares: "{{ vault_seal_configuration['key_shares'] }}"
|
key_shares: "{{ vault_seal_configuration['key_shares'] }}"
|
||||||
key_threshold: "{{ vault_seal_configuration['key_threshold'] }}"
|
key_threshold: "{{ vault_seal_configuration['key_threshold'] }}"
|
||||||
retries: 5
|
retries: 5
|
||||||
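Review bot: `tls_verify: false` replaces the variable-driven `tls_verify: "{{ vault_tls_verify }}"` on the `Vault | Initialize vault cluster` task, and the same hard-coded `false` is applied to both `vault_unseal` calls in the hunk at `@ -66,23 +71,25 @@`. Init is the call that returns the root token and the unseal key shares, and unseal is the call that sends those shares back, so turning certificate verification off for exactly these requests means anyone able to answer for `vault_configuration['api_addr']` on the network path receives the cluster's master secrets. Keep it configurable with a verifying default, e.g. `tls_verify: "{{ vault_tls_verify | default(true) }}"`, and if the motivation was that the cluster CA is not yet trusted at init time, that is a reason to run the CA installation this PR already manages (`/usr/local/share/ca-certificates` plus `update-ca-certificates`) before this step rather than to disable verification. Separately, the `_vault_needs_early_unseal` stat result registered by the new `Vault | Stat vault secret file` task is not read anywhere in this hunk; if the `ednz_cloud.hashistack.vault` role consumes it, a one-line comment naming that consumer would make the coupling visible.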
@ -53,10 +58,10 @@
|
|||||||
until: not _vault_init_secret.failed
|
until: not _vault_init_secret.failed
|
||||||
when: vault_init_server
|
when: vault_init_server
|
||||||
|
|
||||||
- name: "Write vault configuration to file" # noqa: run-once[task] no-handler
|
- name: "Vault | Write vault configuration to file" # noqa: run-once[task] no-handler
|
||||||
ansible.builtin.copy:
|
ansible.builtin.copy:
|
||||||
content: "{{ _vault_init_secret.state | to_nice_yaml(indent=2) }}"
|
content: "{{ _vault_init_secret.state | to_nice_yaml(indent=2) }}"
|
||||||
dest: "{{ sub_configuration_directories.secrets }}/vault.yml"
|
dest: "{{ hashistack_sub_configuration_directories.secrets }}/vault.yml"
|
||||||
owner: "{{ lookup('env', 'USER') }}"
|
owner: "{{ lookup('env', 'USER') }}"
|
||||||
group: "{{ lookup('env', 'USER') }}"
|
group: "{{ lookup('env', 'USER') }}"
|
||||||
mode: "0644"
|
mode: "0644"
|
||||||
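Review bot: `Vault | Write vault configuration to file` writes `_vault_init_secret.state` — which the later unseal tasks read back as `_credentials.vault['keys']`, so it holds at least the unseal key shares — into the controller's secrets directory with `mode: "0644"`, i.e. world-readable on the controller. The commit only moves the destination to `hashistack_sub_configuration_directories.secrets` and keeps the mode; `mode: "0600"` is the appropriate permission for this file, and the directory it lands in (not visible in this diff) deserves the same check. The `owner`/`group` taken from `lookup('env', 'USER')` also presumes the playbook runs as the user that should own the secrets, which may not hold in CI; an explicit variable would make that assumption visible.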
@ -66,23 +71,25 @@
|
|||||||
delegate_to: localhost
|
delegate_to: localhost
|
||||||
|
|
||||||
- name: "Load vault cluster variables necessary for unseal operation"
|
- name: "Load vault cluster variables necessary for unseal operation"
|
||||||
ansible.builtin.import_tasks:
|
ansible.builtin.import_role:
|
||||||
file: ../misc/load_credentials_vars.yml
|
name: ednz_cloud.hashistack.hashistack
|
||||||
|
vars:
|
||||||
|
hashistack_only_load_credentials: true
|
||||||
|
|
||||||
- name: "Unseal the bootstrap node" # noqa: run-once[task] no-handler
|
- name: "Vault | Unseal the bootstrap node" # noqa: run-once[task] no-handler
|
||||||
ednz_cloud.hashistack.vault_unseal:
|
ednz_cloud.hashistack.vault_unseal:
|
||||||
api_url: "{{ hashicorp_vault_configuration['api_addr'] }}"
|
api_url: "{{ vault_configuration['api_addr'] }}"
|
||||||
tls_verify: "{{ vault_tls_verify }}"
|
tls_verify: false
|
||||||
key_shares: "{{ _credentials.vault['keys'] }}"
|
key_shares: "{{ _credentials.vault['keys'] }}"
|
||||||
when:
|
when:
|
||||||
- vault_init_server
|
- vault_init_server
|
||||||
- _vault_init_secret.changed
|
- _vault_init_secret.changed
|
||||||
register: _vault_unseal_secret
|
register: _vault_unseal_secret
|
||||||
|
|
||||||
- name: "Unseal all vault nodes"
|
- name: "Vault | Unseal all vault nodes"
|
||||||
ednz_cloud.hashistack.vault_unseal:
|
ednz_cloud.hashistack.vault_unseal:
|
||||||
api_url: "{{ hashicorp_vault_configuration['api_addr'] }}"
|
api_url: "{{ vault_configuration['api_addr'] }}"
|
||||||
tls_verify: "{{ vault_tls_verify }}"
|
tls_verify: false
|
||||||
key_shares: "{{ _credentials.vault['keys'] }}"
|
key_shares: "{{ _credentials.vault['keys'] }}"
|
||||||
retries: 5
|
retries: 5
|
||||||
delay: 5
|
delay: 5
|
||||||
|
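Review bot: `hashistack_only_load_credentials: true` is passed via `vars:` on an `ansible.builtin.import_role`, which is resolved statically at parse time; whether a `vars:` value on a static import stays scoped to that role's tasks or becomes visible to the tasks that follow is easy to get wrong, and if it leaks, later calls into `ednz_cloud.hashistack.hashistack` in the same play would silently run in credentials-only mode. Using `ansible.builtin.include_role` here, as the nomad and vault hunks in this PR do for the other role calls, keeps the variable scoped to this invocation, and a short comment stating what "only load credentials" skips would help the next reader. The `Vault | Unseal all vault nodes` task ends past this hunk (`retries`/`delay` are visible but its `until:` and `when:` are not), so the retry condition could not be reviewed.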
@ -1,51 +0,0 @@
|
|||||||
---
|
|
||||||
# hashistack configuration merging for vault
|
|
||||||
- name: "Vault | Merge listener configuration"
|
|
||||||
ansible.builtin.set_fact:
|
|
||||||
vault_listener_configuration: "{{
|
|
||||||
vault_listener_configuration |
|
|
||||||
combine((vault_enable_tls | bool) | ternary(vault_tls_listener_configuration, {}), recursive=True) |
|
|
||||||
combine(vault_extra_listener_configuration | default({}), recursive=True)
|
|
||||||
}}"
|
|
||||||
|
|
||||||
- name: "Vault | Merge service registration configuration"
|
|
||||||
vars:
|
|
||||||
_config_to_merge:
|
|
||||||
service_registration: "{{ vault_service_registration_configuration }}"
|
|
||||||
ansible.builtin.set_fact:
|
|
||||||
hashicorp_vault_configuration: "{{
|
|
||||||
hashicorp_vault_configuration |
|
|
||||||
combine(_config_to_merge)
|
|
||||||
}}"
|
|
||||||
when: vault_enable_service_registration
|
|
||||||
|
|
||||||
- name: "Vault | Merge plugins configuration"
|
|
||||||
vars:
|
|
||||||
_config_to_merge:
|
|
||||||
plugin_directory: "{{ vault_plugin_directory }}"
|
|
||||||
ansible.builtin.set_fact:
|
|
||||||
hashicorp_vault_configuration: "{{
|
|
||||||
hashicorp_vault_configuration |
|
|
||||||
combine(_config_to_merge)
|
|
||||||
}}"
|
|
||||||
when: vault_enable_plugins
|
|
||||||
|
|
||||||
- name: "Vault | Merge logging configuration"
|
|
||||||
vars:
|
|
||||||
_config_to_merge: "{{ vault_logging_configuration }}"
|
|
||||||
ansible.builtin.set_fact:
|
|
||||||
hashicorp_vault_configuration: "{{
|
|
||||||
hashicorp_vault_configuration |
|
|
||||||
combine(_config_to_merge)
|
|
||||||
}}"
|
|
||||||
when: vault_enable_log_to_file
|
|
||||||
|
|
||||||
- name: "Vault | Merge extra configuration settings"
|
|
||||||
vars:
|
|
||||||
_config_to_merge: "{{ vault_extra_configuration }}"
|
|
||||||
ansible.builtin.set_fact:
|
|
||||||
hashicorp_vault_configuration: "{{
|
|
||||||
hashicorp_vault_configuration |
|
|
||||||
combine(_config_to_merge)
|
|
||||||
}}"
|
|
||||||
when: vault_extra_configuration is defined
|
|