feat/major-revamp #11
@ -8,7 +8,7 @@
become: true
tasks:
- name: "Import variables"
ansible.builtin.import_role:
ansible.builtin.include_role:
name: ednz_cloud.hashistack.hashistack
tags:
- always
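Review bot: The switch to include_role on "Import variables" changes what the role exposes to the rest of the play: a dynamically included role's vars and defaults are not visible to the tasks that follow unless the include sets `public: true`, and the `tags: - always` now applies only to the include task itself, not to the role's own tasks, so a run with `--tags consul` would pull the role in and then skip its untagged tasks. If the role only publishes through set_fact or include_vars those facts still persist, but that is not visible here and is worth confirming; otherwise add `public: true` and `apply: {tags: [always]}` under the include. The same replacement appears again at the top of the `@ -7,363 +7,15 @@` hunk. The play header, of which `become: true` is the last visible key, starts before this hunk.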
@ -19,7 +19,7 @@
- consul
when:
- enable_consul | bool
ansible.builtin.import_tasks:
ansible.builtin.include_tasks:
file: tasks/consul/consul_deploy.yml
# Vault nodes deployment
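Review bot: With the move to include_tasks, the `tags: - consul` on this task no longer reaches the tasks inside tasks/consul/consul_deploy.yml: tags on a dynamic include apply only to the include task itself, so `ansible-playbook --tags consul` would run the include and then skip every untagged task it pulls in, whereas import_tasks propagated the tag. Either keep import_tasks, tag the tasks inside the included file, or add `apply: {tags: [consul]}` under `ansible.builtin.include_tasks`. The vault and nomad includes in the `@ -28,7 +28,7 @@` and `@ -37,7 +37,7 @@` hunks have the same issue. The task this hunk edits starts before the hunk.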
@ -28,7 +28,7 @@
- vault
when:
- enable_vault | bool
ansible.builtin.import_tasks:
ansible.builtin.include_tasks:
file: tasks/vault/vault_deploy.yml
# Nomad nodes deployment
@ -37,7 +37,7 @@
- nomad
when:
- enable_nomad | bool
ansible.builtin.import_tasks:
ansible.builtin.include_tasks:
file: tasks/nomad/nomad_deploy.yml
# - fail:
@ -7,363 +7,15 @@
|
||||
become: true
|
||||
tasks:
|
||||
- name: "Import variables"
|
||||
ansible.builtin.import_role:
|
||||
ansible.builtin.include_role:
|
||||
name: ednz_cloud.hashistack.hashistack
|
||||
tags:
|
||||
- always
|
||||
|
||||
- name: "Create temporary cert directory in {{ hashistack_sub_configuration_directories['certificates'] }}" # noqa: run-once[task]
|
||||
ansible.builtin.file:
|
||||
path: "{{ hashistack_sub_configuration_directories['certificates'] }}/external"
|
||||
state: directory
|
||||
owner: "{{ lookup('env', 'USER') }}"
|
||||
group: "{{ lookup('env', 'USER') }}"
|
||||
mode: "0755"
|
||||
- name: "Create Certificate Authority"
|
||||
ansible.builtin.include_role:
|
||||
name: ednz_cloud.hashistack.hashistack_ca
|
||||
apply:
|
||||
delegate_to: localhost
|
||||
run_once: true
|
||||
tags:
|
||||
- always
|
||||
|
||||
- name: "Generate external certificates" # noqa: run-once[task]
|
||||
tags:
|
||||
- always
|
||||
delegate_to: localhost
|
||||
run_once: true
|
||||
block:
|
||||
- name: "Create temporary cert directory in {{ hashistack_sub_configuration_directories['certificates'] }}" # noqa: run-once[task]
|
||||
ansible.builtin.file:
|
||||
path: "{{ hashistack_sub_configuration_directories['certificates'] }}/external"
|
||||
state: directory
|
||||
owner: "{{ lookup('env', 'USER') }}"
|
||||
group: "{{ lookup('env', 'USER') }}"
|
||||
mode: "0755"
|
||||
|
||||
- name: "Create private keys"
|
||||
community.crypto.openssl_privatekey:
|
||||
path: "{{ hashistack_sub_configuration_directories['certificates'] }}/external/{{ item.fqdn }}.pem.key"
|
||||
owner: "{{ lookup('env', 'USER') }}"
|
||||
group: "{{ lookup('env', 'USER') }}"
|
||||
loop:
|
||||
- name: nomad
|
||||
fqdn: "{{ nomad_fqdn }}"
|
||||
- name: vault
|
||||
fqdn: "{{ vault_fqdn }}"
|
||||
- name: consul
|
||||
fqdn: "{{ consul_fqdn }}"
|
||||
|
||||
- name: "Create certificate signing request"
|
||||
community.crypto.openssl_csr_pipe:
|
||||
privatekey_path: "{{ hashistack_sub_configuration_directories['certificates'] }}/external/{{ item.fqdn }}.pem.key"
|
||||
common_name: "{{ item.fqdn }}"
|
||||
organization_name: EDNZ Cloud
|
||||
register: csr
|
||||
loop:
|
||||
- name: nomad
|
||||
fqdn: "{{ nomad_fqdn }}"
|
||||
- name: vault
|
||||
fqdn: "{{ vault_fqdn }}"
|
||||
- name: consul
|
||||
fqdn: "{{ consul_fqdn }}"
|
||||
|
||||
- name: "Create self-signed certificate from CSR"
|
||||
community.crypto.x509_certificate:
|
||||
path: "{{ hashistack_sub_configuration_directories['certificates'] }}/external/{{ item.item.fqdn }}.pem"
|
||||
csr_content: "{{ item.csr }}"
|
||||
privatekey_path: "{{ hashistack_sub_configuration_directories['certificates'] }}/external/{{ item.item.fqdn }}.pem.key"
|
||||
provider: selfsigned
|
||||
owner: "{{ lookup('env', 'USER') }}"
|
||||
group: "{{ lookup('env', 'USER') }}"
|
||||
loop: "{{ csr.results }}"
|
||||
|
||||
- name: "Generate internal certificates"
|
||||
tags:
|
||||
- never
|
||||
- internal
|
||||
delegate_to: localhost
|
||||
vars:
|
||||
hashistack_ca_key_path: "{{ hashistack_sub_configuration_directories['certificates'] }}/ca/ca.key"
|
||||
hashistack_ca_cert_path: "{{ hashistack_sub_configuration_directories['certificates'] }}/ca/ca.crt"
|
||||
block:
|
||||
- name: "Create internal CA" # noqa: run-once[task]
|
||||
run_once: true
|
||||
block:
|
||||
- name: "Create temporary cert directory in {{ hashistack_sub_configuration_directories['certificates'] }}" # noqa: run-once[task]
|
||||
ansible.builtin.file:
|
||||
path: "{{ hashistack_sub_configuration_directories['certificates'] }}/ca"
|
||||
state: directory
|
||||
owner: "{{ lookup('env', 'USER') }}"
|
||||
group: "{{ lookup('env', 'USER') }}"
|
||||
mode: "0755"
|
||||
|
||||
- name: "Create CA private key"
|
||||
community.crypto.openssl_privatekey:
|
||||
path: "{{ hashistack_ca_key_path }}"
|
||||
owner: "{{ lookup('env', 'USER') }}"
|
||||
group: "{{ lookup('env', 'USER') }}"
|
||||
|
||||
- name: "Create CA signing request"
|
||||
community.crypto.openssl_csr_pipe:
|
||||
privatekey_path: "{{ hashistack_ca_key_path }}"
|
||||
common_name: "CA"
|
||||
organization_name: EDNZ Cloud
|
||||
use_common_name_for_san: false
|
||||
basic_constraints:
|
||||
- CA:TRUE
|
||||
basic_constraints_critical: true
|
||||
key_usage:
|
||||
- keyCertSign
|
||||
key_usage_critical: true
|
||||
register: ca_csr
|
||||
|
||||
- name: "Create self-signed CA certificate from CSR"
|
||||
community.crypto.x509_certificate:
|
||||
path: "{{ hashistack_ca_cert_path }}"
|
||||
csr_content: "{{ ca_csr.csr }}"
|
||||
privatekey_path: "{{ hashistack_ca_key_path }}"
|
||||
provider: selfsigned
|
||||
owner: "{{ lookup('env', 'USER') }}"
|
||||
group: "{{ lookup('env', 'USER') }}"
|
||||
|
||||
- name: "Create Vault certificates"
|
||||
when:
|
||||
- "'vault_servers' in group_names"
|
||||
vars:
|
||||
vault_private_key_path: "{{ hashistack_sub_configuration_directories['certificates'] }}/vault/{{ inventory_hostname }}/key.pem"
|
||||
vault_certificate_path: "{{ hashistack_sub_configuration_directories['certificates'] }}/vault/{{ inventory_hostname }}/cert.pem"
|
||||
block:
|
||||
- name: "Create temporary cert directory in {{ hashistack_sub_configuration_directories['certificates'] }}" # noqa: run-once[task]
|
||||
ansible.builtin.file:
|
||||
path: "{{ hashistack_sub_configuration_directories['certificates'] }}/vault/{{ inventory_hostname }}"
|
||||
state: directory
|
||||
owner: "{{ lookup('env', 'USER') }}"
|
||||
group: "{{ lookup('env', 'USER') }}"
|
||||
mode: "0755"
|
||||
|
||||
- name: "Create Vault certificate keys"
|
||||
community.crypto.openssl_privatekey:
|
||||
path: "{{ vault_private_key_path }}"
|
||||
owner: "{{ lookup('env', 'USER') }}"
|
||||
group: "{{ lookup('env', 'USER') }}"
|
||||
|
||||
- name: "Create CSRs for Vault servers"
|
||||
community.crypto.openssl_csr_pipe:
|
||||
privatekey_path: "{{ vault_private_key_path }}"
|
||||
common_name: "{{ inventory_hostname }}"
|
||||
subject_alt_name:
|
||||
- "DNS:{{ inventory_hostname }}"
|
||||
- "DNS:active.vault.service.consul"
|
||||
- "DNS:standby.vault.service.consul"
|
||||
- "DNS:vault.service.consul"
|
||||
- "DNS:localhost"
|
||||
- "IP:{{ api_interface_address }}"
|
||||
- "IP:127.0.0.1"
|
||||
key_usage_critical: true
|
||||
key_usage:
|
||||
- Digital Signature
|
||||
- Key Encipherment
|
||||
- Key Agreement
|
||||
extended_key_usage:
|
||||
- TLS Web Server Authentication
|
||||
- TLS Web Client Authentication
|
||||
organization_name: EDNZ Cloud
|
||||
use_common_name_for_san: false
|
||||
register: vault_csr
|
||||
|
||||
- name: "Sign certificates with internal CA"
|
||||
community.crypto.x509_certificate:
|
||||
path: "{{ vault_certificate_path }}"
|
||||
csr_content: "{{ vault_csr.csr }}"
|
||||
provider: ownca
|
||||
ownca_path: "{{ hashistack_ca_cert_path }}"
|
||||
ownca_privatekey_path: "{{ hashistack_ca_key_path }}"
|
||||
ownca_not_after: "+365d"
|
||||
ownca_not_before: "-1d"
|
||||
|
||||
- name: "Concatenate CA and Child certificates"
|
||||
block:
|
||||
- name: "Read content of ca.crt"
|
||||
ansible.builtin.slurp:
|
||||
src: "{{ hashistack_ca_cert_path }}"
|
||||
register: ca_crt_content
|
||||
|
||||
- name: "Read content of cert.pem"
|
||||
ansible.builtin.slurp:
|
||||
src: "{{ vault_certificate_path }}"
|
||||
register: cert_pem_content
|
||||
|
||||
- name: "Concatenate certificates"
|
||||
ansible.builtin.copy:
|
||||
content: |
|
||||
{{ cert_pem_content['content'] | b64decode }}{{ ca_crt_content['content'] | b64decode }}
|
||||
dest: "{{ vault_certificate_path }}"
|
||||
owner: "{{ lookup('env', 'USER') }}"
|
||||
group: "{{ lookup('env', 'USER') }}"
|
||||
mode: "0644"
|
||||
|
||||
- name: "Create Consul certificates"
|
||||
when:
|
||||
- "('consul_servers' in group_names) or ('consul_agents' in group_names)"
|
||||
vars:
|
||||
consul_private_key_path: "{{ hashistack_sub_configuration_directories['certificates'] }}/consul/{{ inventory_hostname }}/key.pem"
|
||||
consul_certificate_path: "{{ hashistack_sub_configuration_directories['certificates'] }}/consul/{{ inventory_hostname }}/cert.pem"
|
||||
block:
|
||||
- name: "Create temporary cert directory in {{ hashistack_sub_configuration_directories['certificates'] }}" # noqa: run-once[task]
|
||||
ansible.builtin.file:
|
||||
path: "{{ hashistack_sub_configuration_directories['certificates'] }}/consul/{{ inventory_hostname }}"
|
||||
state: directory
|
||||
owner: "{{ lookup('env', 'USER') }}"
|
||||
group: "{{ lookup('env', 'USER') }}"
|
||||
mode: "0755"
|
||||
|
||||
- name: "Create Consul certificate keys"
|
||||
community.crypto.openssl_privatekey:
|
||||
path: "{{ consul_private_key_path }}"
|
||||
owner: "{{ lookup('env', 'USER') }}"
|
||||
group: "{{ lookup('env', 'USER') }}"
|
||||
|
||||
- name: "Create CSRs for Consul servers"
|
||||
vars:
|
||||
consul_csr_sans: >-
|
||||
{%- set sans_list = [
|
||||
'DNS:' + inventory_hostname,
|
||||
'DNS:consul.service.consul',
|
||||
'DNS:localhost',
|
||||
'IP:' + api_interface_address,
|
||||
'IP:127.0.0.1'
|
||||
] -%}
|
||||
{%- if consul_enable_server -%}
|
||||
{%- set _ = sans_list.append('DNS:server.' ~ consul_datacenter ~ '.' ~ consul_domain) -%}
|
||||
{%- endif -%}
|
||||
{{ sans_list }}
|
||||
community.crypto.openssl_csr_pipe:
|
||||
privatekey_path: "{{ consul_private_key_path }}"
|
||||
common_name: "{{ inventory_hostname }}"
|
||||
subject_alt_name: "{{ consul_csr_sans }}"
|
||||
key_usage_critical: true
|
||||
key_usage:
|
||||
- Digital Signature
|
||||
- Key Encipherment
|
||||
- Key Agreement
|
||||
extended_key_usage:
|
||||
- TLS Web Server Authentication
|
||||
- TLS Web Client Authentication
|
||||
organization_name: EDNZ Cloud
|
||||
use_common_name_for_san: false
|
||||
register: consul_csr
|
||||
|
||||
- name: "Sign certificates with internal CA"
|
||||
community.crypto.x509_certificate:
|
||||
path: "{{ consul_certificate_path }}"
|
||||
csr_content: "{{ consul_csr.csr }}"
|
||||
provider: ownca
|
||||
ownca_path: "{{ hashistack_ca_cert_path }}"
|
||||
ownca_privatekey_path: "{{ hashistack_ca_key_path }}"
|
||||
ownca_not_after: "+365d"
|
||||
ownca_not_before: "-1d"
|
||||
|
||||
- name: "Concatenate CA and Child certificates"
|
||||
block:
|
||||
- name: "Read content of ca.crt"
|
||||
ansible.builtin.slurp:
|
||||
src: "{{ hashistack_ca_cert_path }}"
|
||||
register: ca_crt_content
|
||||
|
||||
- name: "Read content of cert.pem"
|
||||
ansible.builtin.slurp:
|
||||
src: "{{ consul_certificate_path }}"
|
||||
register: cert_pem_content
|
||||
|
||||
- name: "Concatenate certificates"
|
||||
ansible.builtin.copy:
|
||||
content: |
|
||||
{{ cert_pem_content['content'] | b64decode }}{{ ca_crt_content['content'] | b64decode }}
|
||||
dest: "{{ consul_certificate_path }}"
|
||||
owner: "{{ lookup('env', 'USER') }}"
|
||||
group: "{{ lookup('env', 'USER') }}"
|
||||
mode: "0644"
|
||||
|
||||
- name: "Create Nomad certificates"
|
||||
when:
|
||||
- "('nomad_servers' in group_names) or ('nomad_clients' in group_names)"
|
||||
vars:
|
||||
nomad_private_key_path: "{{ hashistack_sub_configuration_directories['certificates'] }}/nomad/{{ inventory_hostname }}/key.pem"
|
||||
nomad_certificate_path: "{{ hashistack_sub_configuration_directories['certificates'] }}/nomad/{{ inventory_hostname }}/cert.pem"
|
||||
block:
|
||||
- name: "Create temporary cert directory in {{ hashistack_sub_configuration_directories['certificates'] }}" # noqa: run-once[task]
|
||||
ansible.builtin.file:
|
||||
path: "{{ hashistack_sub_configuration_directories['certificates'] }}/nomad/{{ inventory_hostname }}"
|
||||
state: directory
|
||||
owner: "{{ lookup('env', 'USER') }}"
|
||||
group: "{{ lookup('env', 'USER') }}"
|
||||
mode: "0755"
|
||||
|
||||
- name: "Create Nomad certificate keys"
|
||||
community.crypto.openssl_privatekey:
|
||||
path: "{{ nomad_private_key_path }}"
|
||||
owner: "{{ lookup('env', 'USER') }}"
|
||||
group: "{{ lookup('env', 'USER') }}"
|
||||
|
||||
- name: "Create CSRs for Nomad servers"
|
||||
vars:
|
||||
nomad_csr_sans: >-
|
||||
{%- set sans_list = [
|
||||
'DNS:' + inventory_hostname,
|
||||
'DNS:localhost',
|
||||
'IP:' + api_interface_address,
|
||||
'IP:127.0.0.1'
|
||||
] -%}
|
||||
{%- if nomad_enable_server -%}
|
||||
{%- set _ = sans_list.append('DNS:server.' ~ nomad_region ~ '.nomad') -%}
|
||||
{%- if (enable_consul | bool) -%}
|
||||
{%- set _ = sans_list.append('DNS:nomad.service.consul') -%}
|
||||
{%- endif -%}
|
||||
{%- endif -%}
|
||||
{%- if nomad_enable_client -%}
|
||||
{%- set _ = sans_list.append('DNS:client.' ~ nomad_region ~ '.nomad') -%}
|
||||
{%- endif -%}
|
||||
{{ sans_list }}
|
||||
community.crypto.openssl_csr_pipe:
|
||||
privatekey_path: "{{ nomad_private_key_path }}"
|
||||
common_name: "{{ inventory_hostname }}"
|
||||
subject_alt_name: "{{ nomad_csr_sans }}"
|
||||
key_usage_critical: true
|
||||
key_usage:
|
||||
- Digital Signature
|
||||
- Key Encipherment
|
||||
extended_key_usage:
|
||||
- TLS Web Server Authentication
|
||||
- TLS Web Client Authentication
|
||||
organization_name: EDNZ Cloud
|
||||
use_common_name_for_san: false
|
||||
register: nomad_csr
|
||||
|
||||
- name: "Sign certificates with internal CA"
|
||||
community.crypto.x509_certificate:
|
||||
path: "{{ nomad_certificate_path }}"
|
||||
csr_content: "{{ nomad_csr.csr }}"
|
||||
provider: ownca
|
||||
ownca_path: "{{ hashistack_ca_cert_path }}"
|
||||
ownca_privatekey_path: "{{ hashistack_ca_key_path }}"
|
||||
ownca_not_after: "+365d"
|
||||
ownca_not_before: "-1d"
|
||||
|
||||
- name: "Concatenate CA and Child certificates"
|
||||
block:
|
||||
- name: "Read content of ca.crt"
|
||||
ansible.builtin.slurp:
|
||||
src: "{{ hashistack_ca_cert_path }}"
|
||||
register: ca_crt_content
|
||||
|
||||
- name: "Read content of cert.pem"
|
||||
ansible.builtin.slurp:
|
||||
src: "{{ nomad_certificate_path }}"
|
||||
register: cert_pem_content
|
||||
|
||||
- name: "Concatenate certificates"
|
||||
ansible.builtin.copy:
|
||||
content: |
|
||||
{{ cert_pem_content['content'] | b64decode }}{{ ca_crt_content['content'] | b64decode }}
|
||||
dest: "{{ nomad_certificate_path }}"
|
||||
owner: "{{ lookup('env', 'USER') }}"
|
||||
group: "{{ lookup('env', 'USER') }}"
|
||||
mode: "0644"
|
||||
|
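Review bot: The standalone "Create temporary cert directory" task near the top of this hunk (the one directly before the new "Create Certificate Authority" include) carries no `delegate_to: localhost` and no `run_once: true`, while its predecessor lived inside a block that set both and the new CA include sets both via `apply:`; with `become: true` on the play, this task would run on every managed host as root and try to chown the directory to the controller's `$USER`, which may not exist there. Assuming that task is on the new side, as its placement suggests on this rendered page, add `delegate_to: localhost` and `run_once: true` to it. Since the removed layout wrote `.pem.key` files into that `external` directory, `mode: "0700"` would also be the safer default if the CA role writes keys there too, though that role is not in this diff. The play this hunk edits starts before the hunk.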
@ -33,6 +33,17 @@ nomad_clients
[deployment]
localhost ansible_connection=local
[consul:children]
consul_servers
consul_agents
[nomad:children]
nomad_servers
nomad_clients
[vault:children]
vault_servers
[common:children]
haproxy_servers
vault_servers
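Review bot: `[common:children]` lists only `haproxy_servers` and `vault_servers`, so hosts that are solely in the consul or nomad groups are left out of whatever plays target `common`; if the shared prerequisites (remote directories, CA trust store) are meant for every node, `consul_servers`, `consul_agents`, `nomad_servers` and `nomad_clients` belong here as well. If the omission is deliberate, a comment above the group, e.g. `# common: only the groups that need the shared prerequisites; consul/nomad nodes get them from their own plays`, would stop the next reader from "fixing" it. Which of these lines are additions versus context is inferred from the `+33,17` count, since this rendered hunk shows no markers.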
@ -3,4 +3,4 @@
block:
- name: "Deploy Consul Agents"
ansible.builtin.include_role:
name: ednz_cloud.hashicorp_consul
name: ednz_cloud.hashistack.consul
@ -1,19 +1,19 @@
---
- name: "Consul control plane"
block:
- name: "Include ednz_cloud.hashicorp_consul"
- name: "Include ednz_cloud.hashistack.consul"
ansible.builtin.include_role:
name: ednz_cloud.hashicorp_consul
name: ednz_cloud.hashistack.consul
- name: "Wait for consul cluster to initialize" # noqa: run-once[task]
- name: "Consul | Wait for consul cluster to initialize" # noqa: run-once[task]
block:
- name: "Wait for consul nodes to stabilize"
- name: "Consul | Wait for consul nodes to stabilize"
ansible.builtin.wait_for:
host: "{{ api_interface_address }}"
port: "{{ consul_api_port[consul_api_scheme] }}"
delay: 10
- name: "Waiting for consul api to respond"
- name: "Consul | Waiting for consul api to respond"
ansible.builtin.uri:
url: "{{ consul_api_addr }}"
validate_certs: no
@ -25,7 +25,7 @@
delay: 5
register: uri_output
- name: "Initialize consul cluster" # noqa: run-once[task]
- name: "Consul | Initialize consul cluster" # noqa: run-once[task]
community.general.consul_acl_bootstrap:
bootstrap_secret: "{{ _credentials.consul.root_token.secret_id }}"
host: "{{ api_interface_address }}"
@ -35,16 +35,16 @@
register: _consul_init_secret
when:
- consul_init_server
- hashicorp_consul_configuration.acl.enabled
- consul_configuration.acl.enabled
- name: "Create consul agents token"
- name: "Consul | Create consul agents token"
when:
- consul_init_server
- hashicorp_consul_configuration.acl.enabled
- consul_configuration.acl.enabled
block:
- name: "Create consul agents token" # noqa: run-once[task] no-handler
- name: "Consul | Create consul agents token" # noqa: run-once[task] no-handler
block:
- name: "Create consul agent policy"
- name: "Consul | Create consul agent policy"
community.general.consul_policy:
token: "{{ _credentials.consul.root_token.secret_id }}"
host: "{{ api_interface_address }}"
@ -56,7 +56,7 @@
rules: "{{ consul_default_agent_policy }}"
register: _consul_agent_policy
- name: "Create consul agents token"
- name: "Consul | Create consul agents token"
community.general.consul_token:
token: "{{ _credentials.consul.root_token.secret_id }}"
host: "{{ api_interface_address }}"
@ -69,10 +69,3 @@
- id: "{{ _consul_agent_policy.policy.ID }}"
state: present
register: _consul_agent_token
- name: "Restart consul service" # noqa: no-handler
ansible.builtin.service:
name: "{{ hashicorp_consul_service_name }}"
state: restarted
throttle: 1
when: _consul_agent_token.changed
@ -1,67 +0,0 @@
|
||||
---
|
||||
# hashistack configuration merging for consul
|
||||
- name: "Consul | Merge stringified configuration"
|
||||
vars:
|
||||
_config_to_merge: "{{ hashicorp_consul_configuration_string }}"
|
||||
ansible.builtin.set_fact:
|
||||
hashicorp_consul_configuration: "{{
|
||||
hashicorp_consul_configuration |
|
||||
combine(_config_to_merge|from_yaml, recursive=true)
|
||||
}}"
|
||||
when:
|
||||
- hashicorp_consul_configuration_string is defined
|
||||
|
||||
- name: "Consul | Merge servers specific stringified configuration"
|
||||
vars:
|
||||
_config_to_merge: "{{ hashicorp_consul_servers_configuration_string }}"
|
||||
ansible.builtin.set_fact:
|
||||
hashicorp_consul_configuration: "{{
|
||||
hashicorp_consul_configuration |
|
||||
combine(_config_to_merge|from_yaml, recursive=true)
|
||||
}}"
|
||||
when:
|
||||
- hashicorp_consul_configuration_string is defined
|
||||
- "'consul_servers' in group_names"
|
||||
|
||||
- name: "Consul | Merge addresses configuration"
|
||||
vars:
|
||||
_config_to_merge: "{{ consul_address_configuration }}"
|
||||
ansible.builtin.set_fact:
|
||||
hashicorp_consul_configuration: "{{
|
||||
hashicorp_consul_configuration |
|
||||
combine(_config_to_merge, recursive=true)
|
||||
}}"
|
||||
when: consul_address_configuration is defined
|
||||
|
||||
- name: "Consul | Merge TLS configuration"
|
||||
vars:
|
||||
_config_to_merge:
|
||||
tls: "{{ consul_tls_configuration }}"
|
||||
ansible.builtin.set_fact:
|
||||
hashicorp_consul_configuration: "{{
|
||||
hashicorp_consul_configuration |
|
||||
combine(_config_to_merge, recursive=true)
|
||||
}}"
|
||||
when: consul_enable_tls
|
||||
|
||||
- name: "Consul | Merge token configuration"
|
||||
delegate_to: localhost
|
||||
block:
|
||||
- name: "Consul | Merge token configuration"
|
||||
vars:
|
||||
_config_to_merge:
|
||||
acl:
|
||||
tokens:
|
||||
agent: "{{ _credentials.consul.tokens.agent.secret_id }}"
|
||||
ansible.builtin.set_fact:
|
||||
hashicorp_consul_configuration: "{{ hashicorp_consul_configuration | default({}) | combine(_config_to_merge, recursive=true) }}"
|
||||
|
||||
- name: "Consul | Merge extra configuration settings"
|
||||
vars:
|
||||
_config_to_merge: "{{ consul_extra_configuration }}"
|
||||
ansible.builtin.set_fact:
|
||||
hashicorp_consul_configuration: "{{
|
||||
hashicorp_consul_configuration |
|
||||
combine(_config_to_merge, recursive=true)
|
||||
}}"
|
||||
when: consul_extra_configuration is defined
|
@ -1,205 +0,0 @@
|
||||
---
|
||||
# hashistack variable injection playbook
|
||||
- name: "Load global variables"
|
||||
block:
|
||||
- name: "Stat global configuration file"
|
||||
ansible.builtin.stat:
|
||||
path: "{{ configuration_directory }}/{{ configuration_global_vars_file }}"
|
||||
register: _global_config_file
|
||||
delegate_to: localhost
|
||||
|
||||
- name: "Make sure global configuration file exists"
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- _global_config_file.stat.exists
|
||||
fail_msg: >-
|
||||
Main configuration file {{ _global_config_file.stat.path }} was not found, cannot continue without it.
|
||||
delegate_to: localhost
|
||||
|
||||
- name: "Load global variables"
|
||||
ansible.builtin.include_vars:
|
||||
dir: "{{ configuration_directory }}"
|
||||
files_matching: "{{ configuration_global_vars_file }}"
|
||||
depth: 1
|
||||
delegate_to: localhost
|
||||
|
||||
- name: "Load credentials variables"
|
||||
block:
|
||||
- name: "Stat credentials file"
|
||||
ansible.builtin.stat:
|
||||
path: "{{ sub_configuration_directories['secrets'] }}/{{ configuration_credentials_vars_file }}"
|
||||
register: _credentials_file
|
||||
delegate_to: localhost
|
||||
|
||||
- name: "Stat vault credentials file"
|
||||
ansible.builtin.stat:
|
||||
path: "{{ sub_configuration_directories['secrets'] }}/vault.yml"
|
||||
register: _vault_credentials_file
|
||||
delegate_to: localhost
|
||||
|
||||
- name: "Make sure credentials file exists"
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- _credentials_file.stat.exists
|
||||
fail_msg: >-
|
||||
Credentials file {{ _credentials_file.stat.path }} was not found, cannot continue without it.
|
||||
delegate_to: localhost
|
||||
|
||||
- name: "Load credentials variables"
|
||||
ansible.builtin.include_vars:
|
||||
dir: "{{ sub_configuration_directories['secrets'] }}"
|
||||
files_matching: "{{ configuration_credentials_vars_file }}"
|
||||
depth: 1
|
||||
name: _credentials
|
||||
delegate_to: localhost
|
||||
|
||||
- name: "Load vault credentials if vault.yml exists"
|
||||
ansible.builtin.include_vars:
|
||||
dir: "{{ sub_configuration_directories['secrets'] }}"
|
||||
files_matching: "vault.yml"
|
||||
depth: 1
|
||||
name: _vault_credentials
|
||||
when: _vault_credentials_file.stat.exists
|
||||
delegate_to: localhost
|
||||
|
||||
- name: "Merge vault credentials into _credentials"
|
||||
vars:
|
||||
_config_to_merge:
|
||||
vault: "{{ _vault_credentials }}"
|
||||
ansible.builtin.set_fact:
|
||||
_credentials: "{{ _credentials | combine(_vault_credentials, recursive=true) }}"
|
||||
when: _vault_credentials_file.stat.exists
|
||||
delegate_to: localhost
|
||||
|
||||
- name: "Load group specific variables"
|
||||
block:
|
||||
- name: "Stat group specific config file"
|
||||
ansible.builtin.stat:
|
||||
path: "{{ configuration_directory }}/{{ group_name }}/{{ configuration_global_vars_file }}"
|
||||
register: _group_config_file
|
||||
loop: "{{ group_names }}"
|
||||
loop_control:
|
||||
loop_var: group_name
|
||||
|
||||
- name: Load group specific variables
|
||||
ansible.builtin.include_vars:
|
||||
dir: "{{ configuration_directory }}/{{ item.group_name }}"
|
||||
files_matching: "{{ configuration_global_vars_file }}"
|
||||
depth: 1
|
||||
loop: "{{ _group_config_file.results }}"
|
||||
when: item.stat.exists
|
||||
and item.group_name in group_names
|
||||
loop_control:
|
||||
loop_var: item
|
||||
delegate_to: localhost
|
||||
|
||||
- name: "Load host specific variables"
|
||||
block:
|
||||
- name: "Stat host specific config file"
|
||||
ansible.builtin.stat:
|
||||
path: "{{ configuration_directory }}/{{ group_name }}/{{ inventory_hostname }}/{{ configuration_global_vars_file }}"
|
||||
register: _host_config_file
|
||||
loop: "{{ group_names }}"
|
||||
loop_control:
|
||||
loop_var: group_name
|
||||
delegate_to: localhost
|
||||
|
||||
- name: Load host specific variables
|
||||
ansible.builtin.include_vars:
|
||||
dir: "{{ configuration_directory }}/{{ item.group_name }}/{{ inventory_hostname }}"
|
||||
files_matching: "{{ configuration_global_vars_file }}"
|
||||
loop: "{{ _host_config_file.results }}"
|
||||
when: item.stat.exists
|
||||
loop_control:
|
||||
loop_var: item
|
||||
delegate_to: localhost
|
||||
|
||||
- name: "Ensure remote directories exists"
|
||||
ansible.builtin.file:
|
||||
path: "{{ item }}"
|
||||
state: directory
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0755
|
||||
loop:
|
||||
- "{{ hashistack_remote_config_dir }}"
|
||||
- "{{ hashistack_remote_data_dir }}"
|
||||
|
||||
- name: "Load custom CA certificates"
|
||||
block:
|
||||
- name: "Check if CA directory exists"
|
||||
ansible.builtin.stat:
|
||||
path: "{{ sub_configuration_directories['certificates'] }}/ca"
|
||||
register: _hashistack_ca_directory
|
||||
delegate_to: localhost
|
||||
|
||||
- name: "Find custom ca certificates to copy"
|
||||
ansible.builtin.find:
|
||||
paths: "{{ sub_configuration_directories['certificates'] }}/ca"
|
||||
patterns: "*.crt"
|
||||
register: _hashistack_cacert_files
|
||||
delegate_to: localhost
|
||||
when: _hashistack_ca_directory.stat.exists and _hashistack_ca_directory.stat.isdir
|
||||
|
||||
- name: "Ensure remote ca directory exists"
|
||||
ansible.builtin.file:
|
||||
path: "{{ hashistack_remote_config_dir }}/ca"
|
||||
state: directory
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0755
|
||||
|
||||
- name: "Copy custom ca certificates"
|
||||
ansible.builtin.copy:
|
||||
src: "{{ item.path }}"
|
||||
dest: "{{ hashistack_remote_config_dir }}/ca/{{ item.path | basename }}"
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0644
|
||||
loop: "{{ _hashistack_cacert_files.files }}"
|
||||
register: _hashistack_copied_ca
|
||||
|
||||
- name: "Copy and update trust store"
|
||||
block:
|
||||
- name: "Copy ca certificates to /usr/loca/share/ca-certificates"
|
||||
ansible.builtin.file:
|
||||
state: link
|
||||
src: "{{ item.dest }}"
|
||||
dest: "/usr/local/share/ca-certificates/hashistack-customca-{{ item.dest | basename }}"
|
||||
owner: root
|
||||
group: root
|
||||
loop: "{{ _hashistack_copied_ca.results }}"
|
||||
register: _hashistack_usr_local_share_ca_certificates
|
||||
|
||||
- name: "Update the trust store"
|
||||
ansible.builtin.command: update-ca-certificates
|
||||
changed_when: false
|
||||
when: _hashistack_usr_local_share_ca_certificates.changed
|
||||
|
||||
# - name: "Initialize list of CA certificates"
|
||||
# ansible.builtin.set_fact:
|
||||
# hashistack_cacert_extra_files: []
|
||||
# delegate_to: localhost
|
||||
|
||||
# - name: "Add custom CA to list of extra certificates"
|
||||
# ansible.builtin.set_fact:
|
||||
# hashistack_cacert_extra_files: "{{
|
||||
# hashistack_cacert_extra_files | default([])
|
||||
# + [{'src': item.path, 'dest': '/etc/ssl/certs/hashistack-custom-' + item.path | basename}] }}"
|
||||
# loop: "{{ _hashistack_cacert_files.files }}"
|
||||
# delegate_to: localhost
|
||||
# when: _hashistack_cacert_files.matched > 0
|
||||
|
||||
- name: "Merge consul configurations"
|
||||
ansible.builtin.import_tasks:
|
||||
file: "consul/consul_vars.yml"
|
||||
when:
|
||||
- enable_consul | bool
|
||||
- "('consul_servers' in group_names) or ('consul_agents' in group_names)"
|
||||
|
||||
- name: "Merge vault configurations"
|
||||
ansible.builtin.import_tasks:
|
||||
file: "vault/vault_vars.yml"
|
||||
when:
|
||||
- enable_vault | bool
|
||||
- "'vault_servers' in group_names"
|
@ -1,51 +0,0 @@
|
||||
---
|
||||
- name: "Check if CA directory exists"
|
||||
ansible.builtin.stat:
|
||||
path: "{{ sub_configuration_directories['certificates'] }}/ca"
|
||||
register: _hashistack_ca_directory
|
||||
delegate_to: localhost
|
||||
|
||||
- name: "Find custom ca certificates to copy"
|
||||
ansible.builtin.find:
|
||||
paths: "{{ sub_configuration_directories['certificates'] }}/ca"
|
||||
patterns: "*.crt"
|
||||
register: _hashistack_cacert_files
|
||||
delegate_to: localhost
|
||||
when: _hashistack_ca_directory.stat.exists and _hashistack_ca_directory.stat.isdir
|
||||
|
||||
- name: "Ensure remote ca directory exists"
|
||||
ansible.builtin.file:
|
||||
path: "{{ hashistack_remote_config_dir }}/ca"
|
||||
state: directory
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0755
|
||||
|
||||
- name: "Copy custom ca certificates"
|
||||
ansible.builtin.copy:
|
||||
src: "{{ item.path }}"
|
||||
dest: "{{ hashistack_remote_config_dir }}/ca/{{ item.path | basename }}"
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0644
|
||||
loop: "{{ _hashistack_cacert_files.files }}"
|
||||
register: _hashistack_copied_ca
|
||||
when: not _hashistack_cacert_files.skipped | default(False)
|
||||
|
||||
- name: "Copy and update trust store"
|
||||
when: not _hashistack_copied_ca.skipped | default(False)
|
||||
block:
|
||||
- name: "Copy ca certificates to /usr/local/share/ca-certificates"
|
||||
ansible.builtin.file:
|
||||
state: link
|
||||
src: "{{ item.dest }}"
|
||||
dest: "/usr/local/share/ca-certificates/hashistack-customca-{{ item.dest | basename }}"
|
||||
owner: root
|
||||
group: root
|
||||
loop: "{{ _hashistack_copied_ca.results }}"
|
||||
register: _hashistack_usr_local_share_ca_certificates
|
||||
|
||||
- name: "Update the trust store" # noqa: no-handler
|
||||
ansible.builtin.command: update-ca-certificates
|
||||
changed_when: false
|
||||
when: _hashistack_usr_local_share_ca_certificates.changed
|
@ -1,46 +0,0 @@
|
||||
---
|
||||
- name: "Stat credentials file"
|
||||
ansible.builtin.stat:
|
||||
path: "{{ sub_configuration_directories['secrets'] }}/{{ configuration_credentials_vars_file }}"
|
||||
register: _credentials_file
|
||||
delegate_to: localhost
|
||||
|
||||
- name: "Stat vault credentials file"
|
||||
ansible.builtin.stat:
|
||||
path: "{{ sub_configuration_directories['secrets'] }}/vault.yml"
|
||||
register: _vault_credentials_file
|
||||
delegate_to: localhost
|
||||
|
||||
- name: "Make sure credentials file exists"
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- _credentials_file.stat.exists
|
||||
fail_msg: >-
|
||||
Credentials file {{ _credentials_file.stat.path }} was not found, cannot continue without it.
|
||||
delegate_to: localhost
|
||||
|
||||
- name: "Load credentials variables"
|
||||
ansible.builtin.include_vars:
|
||||
dir: "{{ sub_configuration_directories['secrets'] }}"
|
||||
files_matching: "{{ configuration_credentials_vars_file }}"
|
||||
depth: 1
|
||||
name: _credentials
|
||||
delegate_to: localhost
|
||||
|
||||
- name: "Load vault credentials if vault.yml exists"
|
||||
ansible.builtin.include_vars:
|
||||
dir: "{{ sub_configuration_directories['secrets'] }}"
|
||||
files_matching: "vault.yml"
|
||||
depth: 1
|
||||
name: _vault_credentials
|
||||
when: _vault_credentials_file.stat.exists
|
||||
delegate_to: localhost
|
||||
|
||||
- name: "Merge vault credentials into _credentials"
|
||||
vars:
|
||||
_config_to_merge:
|
||||
vault: "{{ _vault_credentials }}"
|
||||
ansible.builtin.set_fact:
|
||||
_credentials: "{{ _credentials | combine(_config_to_merge, recursive=true) }}"
|
||||
when: _vault_credentials_file.stat.exists
|
||||
delegate_to: localhost
|
@ -1,28 +0,0 @@
|
||||
---
|
||||
- name: "Include all default variables"
|
||||
ansible.builtin.include_vars:
|
||||
dir: "../../group_vars/all"
|
||||
depth: 1
|
||||
extensions: ["yml"]
|
||||
delegate_to: localhost
|
||||
|
||||
- name: "Stat global configuration file"
|
||||
ansible.builtin.stat:
|
||||
path: "{{ configuration_directory }}/{{ configuration_global_vars_file }}"
|
||||
register: _global_config_file
|
||||
delegate_to: localhost
|
||||
|
||||
- name: "Make sure global configuration file exists"
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- _global_config_file.stat.exists
|
||||
fail_msg: >-
|
||||
Main configuration file {{ _global_config_file.stat.path }} was not found, cannot continue without it.
|
||||
delegate_to: localhost
|
||||
|
||||
- name: "Load global variables"
|
||||
ansible.builtin.include_vars:
|
||||
dir: "{{ configuration_directory }}"
|
||||
files_matching: "{{ configuration_global_vars_file }}"
|
||||
depth: 1
|
||||
delegate_to: localhost
|
@ -1,20 +0,0 @@
|
||||
---
|
||||
- name: "Stat group specific config file"
|
||||
ansible.builtin.stat:
|
||||
path: "{{ configuration_directory }}/{{ group_name }}/{{ configuration_global_vars_file }}"
|
||||
register: _group_config_file
|
||||
loop: "{{ group_names }}"
|
||||
loop_control:
|
||||
loop_var: group_name
|
||||
|
||||
- name: Load group specific variables
|
||||
ansible.builtin.include_vars:
|
||||
dir: "{{ configuration_directory }}/{{ item.group_name }}"
|
||||
files_matching: "{{ configuration_global_vars_file }}"
|
||||
depth: 1
|
||||
loop: "{{ _group_config_file.results }}"
|
||||
when: item.stat.exists
|
||||
and item.group_name in group_names
|
||||
loop_control:
|
||||
loop_var: item
|
||||
delegate_to: localhost
|
@ -1,19 +0,0 @@
|
||||
---
|
||||
- name: "Stat host specific config file"
|
||||
ansible.builtin.stat:
|
||||
path: "{{ configuration_directory }}/{{ group_name }}/{{ inventory_hostname }}/{{ configuration_global_vars_file }}"
|
||||
register: _host_config_file
|
||||
loop: "{{ group_names }}"
|
||||
loop_control:
|
||||
loop_var: group_name
|
||||
delegate_to: localhost
|
||||
|
||||
- name: Load host specific variables
|
||||
ansible.builtin.include_vars:
|
||||
dir: "{{ configuration_directory }}/{{ item.group_name }}/{{ inventory_hostname }}"
|
||||
files_matching: "{{ configuration_global_vars_file }}"
|
||||
loop: "{{ _host_config_file.results }}"
|
||||
when: item.stat.exists
|
||||
loop_control:
|
||||
loop_var: item
|
||||
delegate_to: localhost
|
@ -1,11 +1,15 @@
|
||||
---
|
||||
- name: "Nomad clients"
|
||||
block:
|
||||
- name: "Install docker driver"
|
||||
- name: "Nomad | Install docker driver"
|
||||
ansible.builtin.include_role:
|
||||
name: ednz_cloud.install_docker
|
||||
when: nomad_driver_enable_docker
|
||||
|
||||
- name: "Deploy Nomad Clients"
|
||||
- name: "Include ednz_cloud.hashistack.cni"
|
||||
ansible.builtin.include_role:
|
||||
name: ednz_cloud.hashicorp_nomad
|
||||
name: ednz_cloud.hashistack.cni
|
||||
|
||||
- name: "Nomad | Deploy Clients"
|
||||
ansible.builtin.include_role:
|
||||
name: ednz_cloud.hashistack.nomad
|
||||
|
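Review bot: The new task `- name: "Include ednz_cloud.hashistack.cni"` is the only task in this file that does not carry the `Nomad | ` prefix the commit adds to `Nomad | Install docker driver` and `Nomad | Deploy Clients`; the same applies to the two include tasks in nomad_control_plane.yml (`Include ednz_cloud.hashistack.cni` and `Include ednz_cloud.hashistack.nomad`). Rename it to `- name: "Nomad | Include ednz_cloud.hashistack.cni"` (and the control-plane ones likewise) so play output stays filterable by component. The unchanged guard `when: nomad_driver_enable_docker` also still lacks the `| bool` cast this change set uses on its other feature flags (`enable_consul | bool`), which matters if the flag arrives as a string from inventory or extra-vars.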
@ -1,7 +1,7 @@
|
||||
---
|
||||
- name: "Nomad control plane"
|
||||
block:
|
||||
- name: "Create consul tokens for service registration"
|
||||
- name: "Nomad | Create consul tokens for service registration"
|
||||
when:
|
||||
- nomad_init_server
|
||||
- enable_consul
|
||||
@ -11,9 +11,9 @@
|
||||
_consul_port: "{{ hostvars[groups['consul_servers'][0]].consul_api_port[hostvars[groups['consul_servers'][0]].consul_api_scheme] }}"
|
||||
_consul_scheme: "{{ hostvars[groups['consul_servers'][0]].consul_api_scheme }}"
|
||||
block:
|
||||
- name: "Create server credentials"
|
||||
- name: "Nomad | Create server credentials"
|
||||
block:
|
||||
- name: "Create consul server policy"
|
||||
- name: "Nomad | Create consul server policy"
|
||||
community.general.consul_policy:
|
||||
token: "{{ _credentials.consul.root_token.secret_id }}"
|
||||
host: "{{ _consul_host }}"
|
||||
@ -25,7 +25,7 @@
|
||||
rules: "{{ nomad_consul_integration_server_policy }}"
|
||||
register: _consul_nomad_server_policy
|
||||
|
||||
- name: "Create consul server token" # noqa: no-handler
|
||||
- name: "Nomad | Create consul server token" # noqa: no-handler
|
||||
community.general.consul_token:
|
||||
token: "{{ _credentials.consul.root_token.secret_id }}"
|
||||
host: "{{ _consul_host }}"
|
||||
@ -39,9 +39,9 @@
|
||||
state: present
|
||||
when: _consul_nomad_server_policy.changed
|
||||
|
||||
- name: "Create client credentials"
|
||||
- name: "Nomad | Create client credentials"
|
||||
block:
|
||||
- name: "Create consul client policy"
|
||||
- name: "Nomad | Create consul client policy"
|
||||
community.general.consul_policy:
|
||||
token: "{{ _credentials.consul.root_token.secret_id }}"
|
||||
host: "{{ _consul_host }}"
|
||||
@ -53,7 +53,7 @@
|
||||
rules: "{{ nomad_consul_integration_client_policy }}"
|
||||
register: _consul_nomad_client_policy
|
||||
|
||||
- name: "Create consul client token" # noqa: no-handler
|
||||
- name: "Nomad | Create consul client token" # noqa: no-handler
|
||||
community.general.consul_token:
|
||||
token: "{{ _credentials.consul.root_token.secret_id }}"
|
||||
host: "{{ _consul_host }}"
|
||||
@ -67,11 +67,16 @@
|
||||
state: present
|
||||
when: _consul_nomad_client_policy.changed
|
||||
|
||||
- name: "Include ednz_cloud.hashicorp_nomad"
|
||||
- name: "Include ednz_cloud.hashistack.cni"
|
||||
ansible.builtin.include_role:
|
||||
name: ednz_cloud.hashicorp_nomad
|
||||
name: ednz_cloud.hashistack.cni
|
||||
when: nomad_enable_client
|
||||
|
||||
- name: "Initialize nomad cluster" # noqa: run-once[task]
|
||||
- name: "Include ednz_cloud.hashistack.nomad"
|
||||
ansible.builtin.include_role:
|
||||
name: ednz_cloud.hashistack.nomad
|
||||
|
||||
- name: "Nomad | Initialize nomad cluster" # noqa: run-once[task]
|
||||
ednz_cloud.hashistack.nomad_acl_bootstrap:
|
||||
bootstrap_secret: "{{ _credentials.nomad.root_token.secret_id }}"
|
||||
api_url: "{{ nomad_api_addr }}"
|
||||
@ -79,4 +84,4 @@
|
||||
register: _nomad_init_secret
|
||||
when:
|
||||
- nomad_init_server
|
||||
- hashicorp_nomad_configuration.acl.enabled
|
||||
- nomad_configuration.acl.enabled
|
||||
|
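Review bot: `Nomad | Initialize nomad cluster` passes `bootstrap_secret: "{{ _credentials.nomad.root_token.secret_id }}"` and registers the module result as `_nomad_init_secret`, yet none of the shown lines set `no_log: true` on the task, so the bootstrap token can land in verbose play output and in any later debug of the registered variable. New line 83 sits between the `@ -67,11 +67,16` and `@ -79,4 +84,4` hunks and is not shown; if it already carries `no_log: true` this is moot, otherwise add `no_log: true` next to `register: _nomad_init_secret`. The two role includes in the `@ -67,11 +67,16` hunk are also the only tasks in this file left without the `Nomad | ` prefix the commit applies everywhere else. The rest of the `Nomad control plane` block lies outside the shown hunks.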
@ -5,7 +5,7 @@
|
||||
ansible.builtin.import_tasks:
|
||||
file: nomad_control_plane.yml
|
||||
when:
|
||||
- "'nomad_servers' in group_names"
|
||||
- nomad_enable_server
|
||||
tags:
|
||||
- nomad_servers
|
||||
|
||||
@ -13,7 +13,7 @@
|
||||
ansible.builtin.import_tasks:
|
||||
file: nomad_clients.yml
|
||||
when:
|
||||
- "'nomad_clients' in group_names"
|
||||
- "'nomad_servers' not in group_names"
|
||||
- nomad_enable_client
|
||||
- not nomad_enable_server
|
||||
tags:
|
||||
- nomad_clients
|
||||
|
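Review bot: Both import guards replace the `group_names` membership check with the bare flags `nomad_enable_server` / `nomad_enable_client`, so a host that is in neither `nomad_servers` nor `nomad_clients` now receives the control-plane or client tasks whenever the corresponding flag is true; whether that is reachable depends on how the flags are defaulted, which this diff does not show. If they can be true at the `all` group level, keep the group check next to the flag, e.g. `- "'nomad_servers' in group_names"` followed by `- nomad_enable_server | bool`. The flags are also used without the `| bool` cast that the rest of this change applies to `enable_consul`, `enable_vault` and `enable_nomad`.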
@ -1,125 +0,0 @@
|
||||
---
|
||||
# hashistack configuration merging for nomad
|
||||
- name: "Nomad | Merge stringified configuration"
|
||||
vars:
|
||||
_config_to_merge: "{{ hashicorp_nomad_configuration_string }}"
|
||||
ansible.builtin.set_fact:
|
||||
hashicorp_nomad_configuration: "{{
|
||||
hashicorp_nomad_configuration |
|
||||
combine(_config_to_merge|from_yaml, recursive=true)
|
||||
}}"
|
||||
when:
|
||||
- hashicorp_nomad_configuration_string is defined
|
||||
- "'nomad_servers' in group_names"
|
||||
|
||||
- name: "Nomad | Merge addresses configuration"
|
||||
vars:
|
||||
_config_to_merge: "{{ nomad_address_configuration }}"
|
||||
ansible.builtin.set_fact:
|
||||
hashicorp_nomad_configuration: "{{
|
||||
hashicorp_nomad_configuration |
|
||||
combine(_config_to_merge, recursive=true)
|
||||
}}"
|
||||
when: nomad_address_configuration is defined
|
||||
|
||||
- name: "Nomad | Merge consul integration configuration"
|
||||
when:
|
||||
- enable_consul | bool
|
||||
- nomad_enable_consul_integration | bool
|
||||
block:
|
||||
- name: "Nomad | Merge consul tls configuration"
|
||||
when:
|
||||
- nomad_consul_integration_configuration.ssl is defined
|
||||
- nomad_consul_integration_configuration.ssl | bool
|
||||
block:
|
||||
- name: "Nomad | Merge consul default client configuration"
|
||||
vars:
|
||||
_config_to_merge: "{{ nomad_consul_integration_tls_configuration }}"
|
||||
ansible.builtin.set_fact:
|
||||
nomad_consul_integration_configuration: "{{
|
||||
nomad_consul_integration_configuration |
|
||||
combine(_config_to_merge, recursive=true)
|
||||
}}"
|
||||
|
||||
- name: "Nomad | Merge consul configuration for nomad servers"
|
||||
when:
|
||||
- nomad_enable_server
|
||||
block:
|
||||
- name: "Nomad | Merge consul default server configuration"
|
||||
vars:
|
||||
_config_to_merge: "{{ nomad_consul_integration_server_configuration }}"
|
||||
ansible.builtin.set_fact:
|
||||
nomad_consul_integration_configuration: "{{
|
||||
nomad_consul_integration_configuration |
|
||||
combine(_config_to_merge, recursive=true)
|
||||
}}"
|
||||
|
||||
- name: "Nomad | Merge consul configuration for nomad clients"
|
||||
when:
|
||||
- nomad_enable_client
|
||||
block:
|
||||
- name: "Nomad | Merge consul default client configuration"
|
||||
vars:
|
||||
_config_to_merge: "{{ nomad_consul_integration_client_configuration }}"
|
||||
ansible.builtin.set_fact:
|
||||
nomad_consul_integration_configuration: "{{
|
||||
nomad_consul_integration_configuration |
|
||||
combine(_config_to_merge, recursive=true)
|
||||
}}"
|
||||
|
||||
- name: "Nomad | Merge consul tls client configuration"
|
||||
vars:
|
||||
_config_to_merge: "{{ nomad_consul_integration_client_tls_configuration }}"
|
||||
ansible.builtin.set_fact:
|
||||
nomad_consul_integration_configuration: "{{
|
||||
nomad_consul_integration_configuration |
|
||||
combine(_config_to_merge, recursive=true)
|
||||
}}"
|
||||
when:
|
||||
- nomad_consul_integration_configuration.ssl is defined
|
||||
- nomad_consul_integration_configuration.ssl | bool
|
||||
|
||||
- name: "Nomad | Merge consul block into main configuration"
|
||||
vars:
|
||||
_config_to_merge:
|
||||
consul: "{{ nomad_consul_integration_configuration }}"
|
||||
ansible.builtin.set_fact:
|
||||
hashicorp_nomad_configuration: "{{
|
||||
hashicorp_nomad_configuration |
|
||||
combine(_config_to_merge, recursive=true)
|
||||
}}"
|
||||
|
||||
- name: "Nomad | Merge TLS configuration"
|
||||
vars:
|
||||
_config_to_merge:
|
||||
tls: "{{ nomad_tls_configuration }}"
|
||||
ansible.builtin.set_fact:
|
||||
hashicorp_nomad_configuration: "{{
|
||||
hashicorp_nomad_configuration |
|
||||
combine(_config_to_merge, recursive=true)
|
||||
}}"
|
||||
when: nomad_enable_tls
|
||||
|
||||
- name: "Nomad | Merge plugin configuration"
|
||||
vars:
|
||||
_config_to_merge:
|
||||
plugin: "{{
|
||||
nomad_driver_configuration |
|
||||
combine(nomad_driver_extra_configuration, recursive=true)
|
||||
}}"
|
||||
ansible.builtin.set_fact:
|
||||
hashicorp_nomad_configuration: "{{
|
||||
hashicorp_nomad_configuration |
|
||||
combine(_config_to_merge, recursive=true)
|
||||
}}"
|
||||
when: "'nomad_clients' in group_names"
|
||||
|
||||
- name: "Nomad | Merge extra configuration settings"
|
||||
vars:
|
||||
_config_to_merge: "{{ nomad_extra_configuration }}"
|
||||
ansible.builtin.set_fact:
|
||||
hashicorp_nomad_configuration: "{{
|
||||
hashicorp_nomad_configuration |
|
||||
combine(_config_to_merge, recursive=true)
|
||||
}}"
|
||||
when: nomad_extra_configuration is defined
|
@ -1,7 +1,7 @@
|
||||
---
|
||||
- name: "Vault control plane"
|
||||
block:
|
||||
- name: "Create consul token for service registration"
|
||||
- name: "Vault | Create consul token for service registration"
|
||||
when:
|
||||
- vault_init_server
|
||||
- enable_consul
|
||||
@ -11,7 +11,7 @@
|
||||
_consul_vault_sr_port: "{{ hostvars[groups['consul_servers'][0]].consul_api_port[hostvars[groups['consul_servers'][0]].consul_api_scheme] }}"
|
||||
_consul_vault_sr_scheme: "{{ hostvars[groups['consul_servers'][0]].consul_api_scheme }}"
|
||||
block:
|
||||
- name: "Create consul vault policy"
|
||||
- name: "Vault | Create consul vault policy"
|
||||
community.general.consul_policy:
|
||||
token: "{{ _credentials.consul.root_token.secret_id }}"
|
||||
host: "{{ _consul_vault_sr_host }}"
|
||||
@ -23,7 +23,7 @@
|
||||
rules: "{{ vault_service_registration_policy }}"
|
||||
register: _consul_vault_policy
|
||||
|
||||
- name: "Create consul vault token" # noqa: no-handler
|
||||
- name: "Vault | Create consul vault token" # noqa: no-handler
|
||||
community.general.consul_token:
|
||||
token: "{{ _credentials.consul.root_token.secret_id }}"
|
||||
host: "{{ _consul_vault_sr_host }}"
|
||||
@ -37,14 +37,19 @@
|
||||
state: present
|
||||
when: _consul_vault_policy.changed
|
||||
|
||||
- name: "Include ednz_cloud.hashicorp_consul"
|
||||
ansible.builtin.include_role:
|
||||
name: ednz_cloud.hashicorp_vault
|
||||
- name: "Vault | Stat vault secret file"
|
||||
ansible.builtin.stat:
|
||||
path: "{{ hashistack_sub_configuration_directories.secrets }}/vault.yml"
|
||||
register: _vault_needs_early_unseal
|
||||
|
||||
- name: "Initialize vault cluster" # noqa: run-once[task]
|
||||
- name: "Include ednz_cloud.hashistack.vault"
|
||||
ansible.builtin.include_role:
|
||||
name: ednz_cloud.hashistack.vault
|
||||
|
||||
- name: "Vault | Initialize vault cluster" # noqa: run-once[task]
|
||||
ednz_cloud.hashistack.vault_init:
|
||||
api_url: "{{ hashicorp_vault_configuration['api_addr'] }}"
|
||||
tls_verify: "{{ vault_tls_verify }}"
|
||||
api_url: "{{ vault_configuration['api_addr'] }}"
|
||||
tls_verify: false
|
||||
key_shares: "{{ vault_seal_configuration['key_shares'] }}"
|
||||
key_threshold: "{{ vault_seal_configuration['key_threshold'] }}"
|
||||
retries: 5
|
||||
@ -53,10 +58,10 @@
|
||||
until: not _vault_init_secret.failed
|
||||
when: vault_init_server
|
||||
|
||||
- name: "Write vault configuration to file" # noqa: run-once[task] no-handler
|
||||
- name: "Vault | Write vault configuration to file" # noqa: run-once[task] no-handler
|
||||
ansible.builtin.copy:
|
||||
content: "{{ _vault_init_secret.state | to_nice_yaml(indent=2) }}"
|
||||
dest: "{{ sub_configuration_directories.secrets }}/vault.yml"
|
||||
dest: "{{ hashistack_sub_configuration_directories.secrets }}/vault.yml"
|
||||
owner: "{{ lookup('env', 'USER') }}"
|
||||
group: "{{ lookup('env', 'USER') }}"
|
||||
mode: "0644"
|
||||
@ -66,23 +71,25 @@
|
||||
delegate_to: localhost
|
||||
|
||||
- name: "Load vault cluster variables necessary for unseal operation"
|
||||
ansible.builtin.import_tasks:
|
||||
file: ../misc/load_credentials_vars.yml
|
||||
ansible.builtin.import_role:
|
||||
name: ednz_cloud.hashistack.hashistack
|
||||
vars:
|
||||
hashistack_only_load_credentials: true
|
||||
|
||||
- name: "Unseal the bootstrap node" # noqa: run-once[task] no-handler
|
||||
- name: "Vault | Unseal the bootstrap node" # noqa: run-once[task] no-handler
|
||||
ednz_cloud.hashistack.vault_unseal:
|
||||
api_url: "{{ hashicorp_vault_configuration['api_addr'] }}"
|
||||
tls_verify: "{{ vault_tls_verify }}"
|
||||
api_url: "{{ vault_configuration['api_addr'] }}"
|
||||
tls_verify: false
|
||||
key_shares: "{{ _credentials.vault['keys'] }}"
|
||||
when:
|
||||
- vault_init_server
|
||||
- _vault_init_secret.changed
|
||||
register: _vault_unseal_secret
|
||||
|
||||
- name: "Unseal all vault nodes"
|
||||
- name: "Vault | Unseal all vault nodes"
|
||||
ednz_cloud.hashistack.vault_unseal:
|
||||
api_url: "{{ hashicorp_vault_configuration['api_addr'] }}"
|
||||
tls_verify: "{{ vault_tls_verify }}"
|
||||
api_url: "{{ vault_configuration['api_addr'] }}"
|
||||
tls_verify: false
|
||||
key_shares: "{{ _credentials.vault['keys'] }}"
|
||||
retries: 5
|
||||
delay: 5
|
||||
|
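Review bot: `tls_verify: false` is now hard-coded on the `Vault | Initialize vault cluster` call and on both `vault_unseal` calls (`Vault | Unseal the bootstrap node` and `Vault | Unseal all vault nodes` in the `@ -66,23 +71,25` hunk), replacing the `vault_tls_verify` variable that previously controlled it. These are exactly the requests that receive the root token and send the unseal key shares from `_credentials.vault['keys']`, so certificate verification against `vault_configuration['api_addr']` is what ties those secrets to the intended endpoint rather than to whatever answers at that address. The play now provisions a CA and runs `update-ca-certificates` on the nodes earlier in this diff, so verification should be able to succeed once the modules trust the system store; keep it operator-controlled rather than permanently off, e.g. `tls_verify: "{{ vault_tls_verify | default(true) }}"`, and add a comment stating why if `false` has to remain the default for the bootstrap phase. The new `Vault | Stat vault secret file` task registers `_vault_needs_early_unseal`, but no shown hunk reads it.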
@ -1,51 +0,0 @@
|
||||
---
|
||||
# hashistack configuration merging for vault
|
||||
- name: "Vault | Merge listener configuration"
|
||||
ansible.builtin.set_fact:
|
||||
vault_listener_configuration: "{{
|
||||
vault_listener_configuration |
|
||||
combine((vault_enable_tls | bool) | ternary(vault_tls_listener_configuration, {}), recursive=True) |
|
||||
combine(vault_extra_listener_configuration | default({}), recursive=True)
|
||||
}}"
|
||||
|
||||
- name: "Vault | Merge service registration configuration"
|
||||
vars:
|
||||
_config_to_merge:
|
||||
service_registration: "{{ vault_service_registration_configuration }}"
|
||||
ansible.builtin.set_fact:
|
||||
hashicorp_vault_configuration: "{{
|
||||
hashicorp_vault_configuration |
|
||||
combine(_config_to_merge)
|
||||
}}"
|
||||
when: vault_enable_service_registration
|
||||
|
||||
- name: "Vault | Merge plugins configuration"
|
||||
vars:
|
||||
_config_to_merge:
|
||||
plugin_directory: "{{ vault_plugin_directory }}"
|
||||
ansible.builtin.set_fact:
|
||||
hashicorp_vault_configuration: "{{
|
||||
hashicorp_vault_configuration |
|
||||
combine(_config_to_merge)
|
||||
}}"
|
||||
when: vault_enable_plugins
|
||||
|
||||
- name: "Vault | Merge logging configuration"
|
||||
vars:
|
||||
_config_to_merge: "{{ vault_logging_configuration }}"
|
||||
ansible.builtin.set_fact:
|
||||
hashicorp_vault_configuration: "{{
|
||||
hashicorp_vault_configuration |
|
||||
combine(_config_to_merge)
|
||||
}}"
|
||||
when: vault_enable_log_to_file
|
||||
|
||||
- name: "Vault | Merge extra configuration settings"
|
||||
vars:
|
||||
_config_to_merge: "{{ vault_extra_configuration }}"
|
||||
ansible.builtin.set_fact:
|
||||
hashicorp_vault_configuration: "{{
|
||||
hashicorp_vault_configuration |
|
||||
combine(_config_to_merge)
|
||||
}}"
|
||||
when: vault_extra_configuration is defined
|