feat/major-revamp #11

Merged
lanson merged 42 commits from fix/various into main 2024-08-17 14:54:28 +00:00
8 changed files with 583 additions and 544 deletions


@ -5,25 +5,19 @@
manage_pip_packages_allow_break_system_packages: "{{ ansible_distribution == 'Debian' and ansible_distribution_version == '12' }}" manage_pip_packages_allow_break_system_packages: "{{ ansible_distribution == 'Debian' and ansible_distribution_version == '12' }}"
configuration_directory: "{{ lookup('env', 'PWD') }}/etc/hashistack" hashistack_configuration_directory: "{{ lookup('env', 'PWD') }}/etc/hashistack"
sub_configuration_directories: hashistack_sub_configuration_directories:
secrets: "{{ configuration_directory }}/secrets" secrets: "{{ hashistack_configuration_directory }}/secrets"
certificates: "{{ configuration_directory }}/certificates" certificates: "{{ hashistack_configuration_directory }}/certificates"
nomad_servers: "{{ configuration_directory }}/nomad_servers" nomad_servers: "{{ hashistack_configuration_directory }}/nomad_servers"
vault_servers: "{{ configuration_directory }}/vault_servers" vault_servers: "{{ hashistack_configuration_directory }}/vault_servers"
consul_servers: "{{ configuration_directory }}/consul_servers" consul_servers: "{{ hashistack_configuration_directory }}/consul_servers"
configuration_global_vars_file: "globals.yml" hashistack_configuration_global_vars_file: "globals.yml"
configuration_credentials_vars_file: "credentials.yml" hashistack_configuration_credentials_vars_file: "credentials.yml"
hashistack_remote_config_dir: "/etc/hashistack" hashistack_remote_config_dir: "/etc/hashistack"
hashistack_remote_data_dir: "/opt/hashistack" hashistack_remote_log_dir: "/var/log/hashistack"
hashistack_remote_log_dir: /var/log/hashistack
default_container_extra_volumes:
- "/etc/timezone:/etc/timezone"
- "/etc/localtime:/etc/localtime"
- "/etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt:ro"
################### ###################
# support options # # support options #
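Review bot: Dropping `hashistack_remote_data_dir` removes the single base path for service data, and on the new side of the consul and nomad defaults the data directories are now hard-coded (`consul_data_dir: "/opt/consul"`, `nomad_data_dir: "/opt/nomad"`) rather than derived from it, so an operator who relocated data by overriding one variable must now override each service separately. If that is intended, a comment next to `hashistack_remote_log_dir` such as `# data directories are set per service (consul_data_dir, nomad_data_dir)` would document it. `default_container_extra_volumes` is also removed here without a visible replacement in this commit; worth confirming that the `/etc/ssl/certs/ca-certificates.crt` mount it provided is still supplied elsewhere, since the new `ca_file` settings keep pointing at that path.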


@ -0,0 +1,4 @@
---
cni_plugins_version: "v1.5.1"
cni_plugins_install_path: /opt/cni/bin
cni_plugins_install_consul_cni: true


@ -1,10 +1,4 @@
--- ---
#####################################################
# #
# Non-Editable #
# #
#####################################################
consul_init_server: "{{ (inventory_hostname == groups['consul_servers'][0]) | bool }}" consul_init_server: "{{ (inventory_hostname == groups['consul_servers'][0]) | bool }}"
##################### #####################
@ -16,36 +10,106 @@ consul_api_scheme: "{{ 'https' if consul_enable_tls else 'http' }}"
consul_api_port: consul_api_port:
http: 8500 http: 8500
https: 8501 https: 8501
consul_grpc_port:
http: 8502
https: 8503
########################## ##########
# consul haproxy backend # # Consul #
########################## ##########
consul_haproxy_frontend_options: consul_config_dir: "{{ hashistack_remote_config_dir }}/consul.d"
- acl is_consul hdr(host) -i {{ consul_fqdn }} consul_data_dir: "/opt/consul"
- use_backend consul_external if is_consul consul_certs_dir: "{{ consul_config_dir }}/tls"
consul_logs_dir: "{{ hashistack_remote_log_dir }}/consul"
consul_haproxy_backends: consul_envoy_install: false
- name: consul_external consul_envoy_version: latest
options: "{{ consul_external_backend_options + consul_external_backend_servers }}"
consul_external_backend_options: consul_extra_files: true
- description consul external http backend # consul_extra_files_list: []
- option forwardfor
- option httpchk
- http-check send meth GET uri /
- default-server inter 2s fastinter 1s downinter 1s
consul_external_backend_servers: | consul_env_variables: {}
[
{% for host in groups['consul_servers'] %}
'server consul-{{ hostvars[host].api_interface_address }} {{ hostvars[host].api_interface_address }}:{{ hostvars[host].consul_api_port[consul_api_scheme] }} check {{ 'ssl verify none ' if consul_enable_tls }}inter 5s'{% if not loop.last %},{% endif %}
{% endfor %}
]
############################ #######################
# consul ACL configuration # # extra configuration #
############################ #######################
# You should prioritize adding configuration
# to the configuration entries below, this
# option should be used to add pieces of configuration not
# available through standard variables.
# consul_extra_configuration: {}
###########
# general #
###########
# consul_domain: consul
# consul_datacenter: dc1
# consul_primary_datacenter: "{{ consul_datacenter }}"
# consul_gossip_encryption_key: "{{ _credentials.consul.gossip_encryption_key }}"
# consul_enable_script_checks: false
#######################
# leave configuration #
#######################
consul_leave_on_terminate: true
consul_rejoin_after_leave: true
######################
# join configuration #
######################
consul_join_configuration:
retry_join: |
{{
groups['consul_servers'] |
map('extract', hostvars, ['consul_address_configuration', 'bind_addr']) |
list |
to_json |
from_json
}}
retry_interval: 30s
retry_max: 0
########################
# server configuration #
########################
consul_enable_server: "{{ 'consul_servers' in group_names }}"
consul_bootstrap_expect: "{{ (groups['consul_servers'] | length) }}"
####################
# ui configuration #
####################
consul_ui_configuration:
enabled: "{{ consul_enable_server }}"
#########################
# address configuration #
#########################
consul_bind_addr: "0.0.0.0"
consul_advertise_addr: "{{ api_interface_address }}"
consul_address_configuration:
client_addr: "{{ consul_bind_addr }}"
bind_addr: "{{ consul_advertise_addr }}"
advertise_addr: "{{ consul_advertise_addr }}"
#####################
# ACL configuration #
#####################
consul_acl_configuration:
enabled: true
default_policy: "deny"
enable_token_persistence: true
tokens:
agent: "{{ _credentials.consul.tokens.agent.secret_id }}"
consul_default_agent_policy: | consul_default_agent_policy: |
node_prefix "" { node_prefix "" {
@ -55,84 +119,56 @@ consul_default_agent_policy: |
policy = "read" policy = "read"
} }
####################### ##############################
# consul internal tls # # service mesh configuration #
####################### ##############################
consul_mesh_configuration:
enabled: true
#####################
# DNS configuration #
#####################
consul_dns_configuration:
allow_stale: true
enable_truncate: true
only_passing: true
################
# internal tls #
################
# consul_enable_tls: false
consul_tls_configuration:
defaults:
ca_file: "/etc/ssl/certs/ca-certificates.crt"
cert_file: "{{ consul_certs_dir }}/fullchain.crt"
key_file: "{{ consul_certs_dir }}/cert.key"
verify_incoming: false
verify_outgoing: true
internal_rpc:
verify_server_hostname: true
consul_certificates_directory: "{{ hashicorp_consul_config_dir }}/tls"
consul_certificates_extra_files_dir: consul_certificates_extra_files_dir:
- src: "{{ sub_configuration_directories['certificates'] }}/consul/{{ inventory_hostname }}" - src: "{{ hashistack_sub_configuration_directories['certificates'] }}/consul/{{ inventory_hostname }}"
dest: "{{ consul_certificates_directory }}" dest: "{{ consul_certs_dir }}"
################## ###########################
# consul logging # # telemetry configuration #
################## ###########################
consul_enable_prometheus_metrics: false
consul_prometheus_retention_time: 60s
consul_telemetry_configuration: {}
###########
# logging #
###########
# consul_log_level: info
consul_enable_log_to_file: "{{ enable_log_to_file | bool }}" consul_enable_log_to_file: "{{ enable_log_to_file | bool }}"
consul_logging_configuration: consul_log_to_file_configuration:
log_file: "{{ hashistack_remote_log_dir }}/consul/consul.log" log_file: "{{ consul_logs_dir }}/consul.log"
log_level: info
log_rotate_duration: 24h log_rotate_duration: 24h
log_rotate_max_files: 30 log_rotate_max_files: 30
#########################
# consul role variables #
#########################
hashicorp_consul_start_service: true
hashicorp_consul_service_name: "consul"
hashicorp_consul_version: "{{ consul_version }}"
hashicorp_consul_env_variables: {}
hashicorp_consul_config_dir: "{{ hashistack_remote_config_dir }}/consul.d"
hashicorp_consul_data_dir: "{{ hashistack_remote_data_dir }}/consul"
hashicorp_consul_extra_files: true
hashicorp_consul_extra_files_list: "{{ ([] +
(consul_certificates_extra_files_dir if consul_enable_tls else []) +
consul_extra_files_list)
| unique
| sort
}}"
hashicorp_consul_envoy_install: false
hashicorp_consul_envoy_version: v1.27.2
hashicorp_consul_configuration:
domain: "{{ consul_domain }}"
datacenter: "{{ consul_datacenter }}"
primary_datacenter: "{{ consul_primary_datacenter }}"
data_dir: "{{ hashicorp_consul_data_dir }}"
encrypt: "{{ _credentials.consul.gossip_encryption_key }}"
server: "{{ 'consul_servers' in group_names }}"
retry_join: "{{
groups['consul_servers'] |
map('extract', hostvars, ['consul_address_configuration', 'bind_addr']) |
list |
to_json |
from_json
}}"
ui_config: "{{ consul_ui_configuration }}"
connect: "{{ consul_mesh_configuration }}"
leave_on_terminate: "{{ consul_leave_on_terminate }}"
rejoin_after_leave: "{{ consul_rejoin_after_leave }}"
enable_script_checks: "{{ consul_enable_script_checks }}"
enable_syslog: true
acl: "{{ consul_acl_configuration }}"
dns_config: "{{ consul_dns_configuration }}"
ports:
dns: 8600
server: 8300
serf_lan: 8301
serf_wan: 8302
sidecar_min_port: 21000
sidecar_max_port: 21255
expose_min_port: 21500
expose_max_port: 21755
# this is used to circumvent jinja limitation to convert string to integer
hashicorp_consul_configuration_string: |
ports:
http: {{ (consul_api_port.http|int) if not consul_enable_tls else ('-1' | int) }}
https: {{ (consul_api_port.https|int) if consul_enable_tls else ('-1' | int) }}
grpc: {{ ('8502'|int) if not consul_enable_tls else ('-1' | int) }}
grpc_tls: {{ ('8503'|int) if consul_enable_tls else ('-1' | int) }}
hashicorp_consul_servers_configuration_string: |
bootstrap_expect: {{ (groups['consul_servers'] | length) }}
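Review bot: The new side still defines `consul_certificates_extra_files_dir`, but nothing in this file feeds it into the files copied to the host: the old `hashicorp_consul_extra_files_list` that appended it when `consul_enable_tls` was true is removed, and what replaces it is `consul_extra_files: true` with `# consul_extra_files_list: []` left as a comment. Unless the role wires this up elsewhere, enabling TLS would leave `cert_file`/`key_file` under `consul_certs_dir` pointing at files that were never delivered. A possible fix next to the tls block is `consul_extra_files_list: "{{ (consul_certificates_extra_files_dir if consul_enable_tls else []) }}"`, or having the role concatenate it with the operator-supplied list. Separately, `consul_enable_tls` is only a commented placeholder here (`# consul_enable_tls: false`) while `consul_tls_configuration` and the ACL `tokens.agent` entry now read `_credentials...` unconditionally; a one-line comment stating that these variables are expected from `globals.yml`/`credentials.yml` would help a reader of the defaults file.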


@ -1,14 +1,13 @@
--- ---
########################## ###################
# General options ######## # General options #
########################## ###################
enable_haproxy: "yes" enable_ingress: "yes"
enable_vault: "yes" enable_vault: "yes"
enable_consul: "yes" enable_consul: "yes"
enable_nomad: "yes" enable_nomad: "yes"
haproxy_version: "2.8"
nomad_version: "1.8.1" nomad_version: "1.8.1"
consul_version: "1.18.1" consul_version: "1.18.1"
vault_version: "1.16.2" vault_version: "1.16.2"
@ -17,10 +16,10 @@ consul_fqdn: consul.ednz.lab
vault_fqdn: vault.ednz.lab vault_fqdn: vault.ednz.lab
nomad_fqdn: nomad.ednz.lab nomad_fqdn: nomad.ednz.lab
hashistack_external_vip_interface: "eth0" # hashistack_external_vip_interface: "eth0"
hashistack_external_vip_addr: "192.168.121.100" # hashistack_external_vip_addr: "192.168.121.100"
hashistack_internal_vip_interface: "{{ hashistack_external_vip_interface }}" # hashistack_internal_vip_interface: "{{ hashistack_external_vip_interface }}"
hashistack_internal_vip_addr: "{{ hashistack_external_vip_addr }}" # hashistack_internal_vip_addr: "{{ hashistack_external_vip_addr }}"
api_interface: "eth0" api_interface: "eth0"
api_interface_address: "{{ ansible_facts[api_interface]['ipv4']['address'] }}" api_interface_address: "{{ ansible_facts[api_interface]['ipv4']['address'] }}"
@ -38,208 +37,56 @@ enable_log_to_file: true
enable_tls_external: false enable_tls_external: false
external_tls_externally_managed_certs: false external_tls_externally_managed_certs: false
##################################################### ##########
# # # Consul #
# Consul # ##########
# #
#####################################################
consul_domain: consul consul_domain: consul
consul_datacenter: dc1 consul_datacenter: dc1
consul_primary_datacenter: "{{ consul_datacenter }}" consul_primary_datacenter: "{{ consul_datacenter }}"
consul_leave_on_terminate: true consul_gossip_encryption_key: "{{ _credentials.consul.gossip_encryption_key }}"
consul_rejoin_after_leave: true consul_enable_script_checks: false
consul_enable_script_checks: true
################################ consul_extra_files_list: []
# consul address configuration # consul_extra_configuration: {}
################################
consul_address_configuration:
client_addr: "0.0.0.0"
bind_addr: "{{ api_interface_address }}"
advertise_addr: "{{ api_interface_address }}"
############################
# consul ACL configuration #
############################
consul_acl_configuration:
enabled: true
default_policy: "deny" # can be allow or deny
enable_token_persistence: true
############################
# consul DNS configuration #
############################
consul_dns_configuration:
allow_stale: true
enable_truncate: true
only_passing: true
###########################
# consul ui configuration #
###########################
consul_ui_configuration:
enabled: "{{ 'consul_servers' in group_names }}"
#####################################
# consul service mesh configuration #
#####################################
consul_mesh_configuration:
enabled: true
############################
# consul tls configuration #
############################
consul_enable_tls: false consul_enable_tls: false
consul_tls_configuration:
defaults:
ca_file: "/etc/ssl/certs/ca-certificates.crt"
cert_file: "{{ consul_certificates_directory }}/cert.pem"
key_file: "{{ consul_certificates_directory }}/key.pem"
verify_incoming: false
verify_outgoing: true
internal_rpc:
verify_server_hostname: true
############################ consul_log_level: info
# consul container volumes #
############################
extra_consul_container_volumes: [] #########
# Vault #
############################## #########
# consul extra configuration #
##############################
consul_extra_configuration: {}
consul_extra_files_list: []
#####################################################
# #
# Vault #
# #
#####################################################
vault_cluster_name: vault vault_cluster_name: vault
vault_bind_addr: "0.0.0.0"
vault_cluster_addr: "{{ api_interface_address }}"
vault_enable_ui: true vault_enable_ui: true
vault_seal_configuration: vault_disable_mlock: false
key_shares: 3 vault_disable_cache: false
key_threshold: 2
################# vault_extra_files_list: []
# vault storage # vault_extra_configuration: {}
#################
vault_storage_configuration:
raft:
path: "{{ hashicorp_vault_data_dir }}"
node_id: "{{ ansible_hostname }}"
retry_join: |
[
{% for host in groups['vault_servers'] %}
{
'leader_api_addr': '{{ "https" if vault_enable_tls else "http"}}://{{ hostvars[host].api_interface_address }}:8200'
}{% if not loop.last %},{% endif %}
{% endfor %}
]
##################
# vault listener #
##################
vault_enable_tls: false vault_enable_tls: false
vault_tls_verify: false
vault_listener_configuration:
tcp:
address: "0.0.0.0:8200"
tls_disable: true
vault_tls_listener_configuration:
tcp:
tls_disable: false
tls_cert_file: "{{ vault_certificates_directory }}/cert.pem"
tls_key_file: "{{ vault_certificates_directory }}/key.pem"
tls_disable_client_certs: true
vault_extra_listener_configuration: {}
########################
# service registration #
########################
vault_enable_service_registration: "{{ enable_consul | bool }}" vault_enable_service_registration: "{{ enable_consul | bool }}"
vault_service_registration_configuration:
consul:
address: "127.0.0.1:{{ hostvars[groups['consul_servers'][0]].consul_api_port[hostvars[groups['consul_servers'][0]].consul_api_scheme] }}"
scheme: "{{ hostvars[groups['consul_servers'][0]].consul_api_scheme }}"
token: "{{ _credentials.consul.tokens.vault.secret_id }}"
#################
# vault plugins #
#################
vault_enable_plugins: false vault_enable_plugins: false
########################### vault_log_level: info
# vault container volumes #
###########################
extra_vault_container_volumes: [] #########
# Nomad #
#########
#############################
# vault extra configuration #
#############################
vault_extra_configuration: {}
vault_extra_files_list: []
#####################################################
# #
# Nomad #
# #
#####################################################
nomad_datacenter: dc1
nomad_region: global nomad_region: global
nomad_datacenter: dc1
########################### nomad_extra_files_list: []
# nomad ACL configuration # nomad_extra_configuration: {}
###########################
nomad_acl_configuration: nomad_autopilot_configuration: {}
enabled: true
token_ttl: 30s
policy_ttl: 60s
role_ttl: 60s
############################
# nomad consul integration #
############################
nomad_enable_consul_integration: "{{ enable_consul | bool }}"
nomad_consul_integration_configuration:
address: "127.0.0.1:{{ hashicorp_consul_configuration.ports.https if consul_enable_tls else hashicorp_consul_configuration.ports.http }}"
auto_advertise: true
ssl: "{{ consul_enable_tls | bool }}"
token: "{{ _credentials.consul.tokens.nomad.server.secret_id if nomad_enable_server else _credentials.consul.tokens.nomad.client.secret_id}}"
tags: []
############################
# nomad vault integration #
############################
nomad_enable_vault_integration: false
nomad_vault_integration_configuration: {}
###############################
# nomad drivers configuration #
###############################
nomad_driver_enable_docker: true nomad_driver_enable_docker: true
nomad_driver_enable_podman: false nomad_driver_enable_podman: false
@ -249,22 +96,6 @@ nomad_driver_enable_qemu: false
nomad_driver_extra_configuration: {} nomad_driver_extra_configuration: {}
###################### nomad_log_level: info
# nomad internal tls #
######################
nomad_enable_tls: false nomad_enable_tls: false
nomad_tls_configuration:
http: true
rpc: true
ca_file: "/etc/ssl/certs/ca-certificates.crt"
cert_file: "{{ nomad_certificates_directory }}/cert.pem"
key_file: "{{ nomad_certificates_directory }}/key.pem"
verify_server_hostname: true
#############################
# nomad extra configuration #
#############################
nomad_extra_configuration: {}
nomad_extra_files_list: []
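Review bot: `haproxy_version: "2.8"` is removed from this file, but the unchanged haproxy defaults in the next file section still read it (`deploy_haproxy_version: "{{ haproxy_version }}"`), so unless it is now defined elsewhere that template fails with an undefined variable when the ingress role runs. Either keep the pin here or give the defaults a fallback such as `deploy_haproxy_version: "{{ haproxy_version | default('2.8') }}"`. The rename `enable_haproxy` → `enable_ingress` likewise needs every consumer updated, and none is visible in this commit. Minor: the feature flags remain quoted strings (`enable_ingress: "yes"`) that only behave because consumers apply `| bool`; real `true`/`false` values would be less fragile.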


@ -10,7 +10,7 @@ deploy_haproxy_version: "{{ haproxy_version }}"
deploy_haproxy_env_variables: {} deploy_haproxy_env_variables: {}
deploy_haproxy_start_service: true deploy_haproxy_start_service: true
deploy_haproxy_cert_dir: "{{ sub_configuration_directories['certificates']~'/external' if (enable_tls_external and not external_tls_externally_managed_certs) }}" deploy_haproxy_cert_dir: "{{ hashistack_sub_configuration_directories['certificates']~'/external' if (enable_tls_external and not external_tls_externally_managed_certs) }}"
deploy_haproxy_extra_container_volumes: [] deploy_haproxy_extra_container_volumes: []
deploy_haproxy_global: deploy_haproxy_global:
- log /dev/log local0 - log /dev/log local0


@ -0,0 +1,130 @@
---
# defaults
hashistack_ca_directory: "/etc/hashistack/certificates"
hashistack_ca_use_cryptography: false
hashistack_ca_action: "noop"
hashistack_ca_domain: example.com
hashistack_ca_directory_owner: root
##############################
# Root Certificate Authority #
##############################
hashistack_ca_root_org_name: EDNZ Cloud
hashistack_ca_root_country: FR
hashistack_ca_root_locality: Paris
hashistack_ca_root_common_name: "{{ hashistack_ca_domain }} Root CA"
hashistack_ca_root_email:
hashistack_ca_root_key_usage:
- keyCertSign
- cRLSign
hashistack_ca_root_key_usage_critical: true
hashistack_ca_root_basic_constraints:
- CA:TRUE
hashistack_ca_root_basic_constraints_critical: true
# Optional fields
hashistack_ca_root_state_or_province_name:
hashistack_ca_root_email_address:
# Validity
hashistack_ca_root_valid_for: 1825d
hashistack_ca_root_renew_threshold: 180d
######################################
# Intermediate Certificate Authority #
######################################
hashistack_ca_intermediate_org_name: EDNZ Cloud Intermediate
hashistack_ca_intermediate_country: FR
hashistack_ca_intermediate_locality: Paris
hashistack_ca_intermediate_common_name: "{{ hashistack_ca_domain }} Intermediate CA"
hashistack_ca_intermediate_email:
hashistack_ca_intermediate_key_usage:
- keyCertSign
- cRLSign
hashistack_ca_intermediate_key_usage_critical: true
hashistack_ca_intermediate_basic_constraints:
- CA:TRUE
- pathlen:0
hashistack_ca_intermediate_basic_constraints_critical: true
# Optional fields
hashistack_ca_intermediate_state_or_province_name:
hashistack_ca_intermediate_email_address:
# Validity
hashistack_ca_intermediate_valid_for: 365d
hashistack_ca_intermediate_renew_threshold: 90d
# Name Constraints
hashistack_ca_intermediate_name_constraints_permitted:
- "DNS:.{{ hashistack_ca_domain }}"
- DNS:.nomad
- DNS:.consul
- DNS:localhost
- IP:192.168.0.0/16
- IP:172.16.0.0/16
- IP:10.0.0.0/8
- IP:127.0.0.0/8
hashistack_ca_intermediate_name_constraints_critical: "{{ (hashistack_ca_intermediate_name_constraints_permitted is defined and hashistack_ca_intermediate_name_constraints_permitted | length > 0) }}"
#####################
# Leaf certificates #
#####################
hashistack_ca_leaf_valid_for: 90d
hashistack_ca_leaf_renew_threshold: 30d
############################
# Consul Leaf Certificates #
############################
hashistack_ca_consul_org_name: "{{ hashistack_ca_root_org_name }}"
hashistack_ca_consul_common_name: "{{ inventory_hostname }}"
hashistack_ca_consul_csr_sans: >-
{%- set sans_list = [
'DNS:' + inventory_hostname,
'DNS:consul.service.consul',
'DNS:localhost',
'IP:' + api_interface_address,
'IP:127.0.0.1'
] -%}
{%- if consul_enable_server -%}
{%- set _ = sans_list.append('DNS:server.' ~ consul_datacenter ~ '.' ~ consul_domain) -%}
{%- endif -%}
{{ sans_list }}
###########################
# Nomad Leaf Certificates #
###########################
hashistack_ca_nomad_org_name: "{{ hashistack_ca_root_org_name }}"
hashistack_ca_nomad_common_name: "{{ inventory_hostname }}"
hashistack_ca_nomad_csr_sans: >-
{%- set sans_list = [
'DNS:' + inventory_hostname,
'DNS:localhost',
'IP:' + api_interface_address,
'IP:127.0.0.1'
] -%}
{%- if nomad_enable_server -%}
{%- set _ = sans_list.append('DNS:server.' ~ nomad_region ~ '.nomad') -%}
{%- if (enable_consul | bool) -%}
{%- set _ = sans_list.append('DNS:nomad.service.consul') -%}
{%- endif -%}
{%- endif -%}
{%- if nomad_enable_client -%}
{%- set _ = sans_list.append('DNS:client.' ~ nomad_region ~ '.nomad') -%}
{%- endif -%}
{{ sans_list }}
###########################
# Vault Leaf Certificates #
###########################
hashistack_ca_vault_org_name: "{{ hashistack_ca_root_org_name }}"
hashistack_ca_vault_common_name: "{{ inventory_hostname }}"
hashistack_ca_vault_csr_sans:
- "DNS:{{ inventory_hostname }}"
- "DNS:active.vault.service.consul"
- "DNS:standby.vault.service.consul"
- "DNS:vault.service.consul"
- "DNS:localhost"
- "IP:{{ api_interface_address }}"
- "IP:127.0.0.1"


@ -1,10 +1,4 @@
--- ---
#####################################################
# #
# Non-Editable #
# #
#####################################################
nomad_init_server: "{{ (inventory_hostname == groups['nomad_servers'][0]) | bool }}" nomad_init_server: "{{ (inventory_hostname == groups['nomad_servers'][0]) | bool }}"
#################### ####################
@ -17,60 +11,183 @@ nomad_api_port:
http: "{{ nomad_address_configuration.ports.http }}" http: "{{ nomad_address_configuration.ports.http }}"
https: "{{ nomad_address_configuration.ports.http }}" https: "{{ nomad_address_configuration.ports.http }}"
#########
# Nomad #
#########
nomad_config_dir: "{{ hashistack_remote_config_dir }}/nomad.d"
nomad_data_dir: "/opt/nomad"
nomad_certs_dir: "{{ nomad_config_dir }}/tls"
nomad_logs_dir: "{{ hashistack_remote_log_dir }}/nomad"
nomad_extra_files: true
# nomad_extra_files_list: []
nomad_env_variables: {}
#######################
# extra configuration #
#######################
# You should prioritize adding configuration
# to the configuration entries below, this
# option should be used to add pieces of configuration not
# available through standard variables.
# nomad_extra_configuration: {}
###########
# general #
###########
# nomad_region: global
# nomad_datacenter: dc1
######################### #########################
# nomad haproxy backend # # address configuration #
######################### #########################
nomad_haproxy_frontend_options: nomad_bind_addr: "0.0.0.0"
- acl is_nomad hdr(host) -i {{ nomad_fqdn }} nomad_advertise_addr: "{{ api_interface_address }}"
- use_backend nomad_external if is_nomad
nomad_haproxy_backends:
- name: nomad_external
options: "{{ nomad_external_backend_options + nomad_external_backend_servers }}"
nomad_external_backend_options:
- description nomad external http backend
- option forwardfor
- option httpchk
- http-check send meth GET uri /
- default-server inter 2s fastinter 1s downinter 1s
nomad_external_backend_servers: |
[
{% for host in groups['nomad_servers'] %}
'server nomad-{{ hostvars[host].api_interface_address }} {{ hostvars[host].api_interface_address }}:{{ hostvars[host].nomad_api_port[nomad_api_scheme] }} check {{ 'ssl verify none ' if nomad_enable_tls }}inter 5s'{% if not loop.last %},{% endif %}
{% endfor %}
]
###############################
# nomad address configuration #
###############################
nomad_address_configuration: nomad_address_configuration:
bind_addr: "{{ api_interface_address }}" bind_addr: "{{ nomad_bind_addr }}"
addresses: addresses:
http: "{{ api_interface_address }}" http: "{{ nomad_advertise_addr }}"
rpc: "{{ api_interface_address }}" rpc: "{{ nomad_advertise_addr }}"
serf: "{{ api_interface_address }}" serf: "{{ nomad_advertise_addr }}"
advertise: advertise:
http: "{{ api_interface_address }}" http: "{{ nomad_advertise_addr }}"
rpc: "{{ api_interface_address }}" rpc: "{{ nomad_advertise_addr }}"
serf: "{{ api_interface_address }}" serf: "{{ nomad_advertise_addr }}"
ports: ports:
http: 4646 http: 4646
rpc: 4647 rpc: 4647
serf: 4648 serf: 4648
################################# ###########################
# nomad autopilot configuration # # autopilot configuration #
################################# ###########################
nomad_autopilot_configuration: {} # nomad_autopilot_configuration: {}
############################ #######################
# nomad consul integration # # leave configuration #
############################ #######################
nomad_leave_on_interrupt: false
nomad_leave_on_terminate: false
########################
# server configuration #
########################
nomad_enable_server: "{{ ('nomad_servers' in group_names) | bool }}"
nomad_server_bootstrap_expect: "{{ (groups['nomad_servers'] | length) }}"
nomad_server_configuration:
enabled: "{{ nomad_enable_server }}"
data_dir: "{{ nomad_data_dir }}/server"
encrypt: "{{ _credentials.nomad.gossip_encryption_key }}"
##############################
# client configuration #
##############################
nomad_enable_client: "{{ ('nomad_clients' in group_names) | bool }}"
nomad_client_configuration:
enabled: "{{ nomad_enable_client }}"
state_dir: "{{ nomad_data_dir }}/client"
cni_path: "{{ cni_plugins_install_path | default('/opt/cni/bin') }}"
bridge_network_name: nomad
bridge_network_subnet: "172.26.64.0/20"
####################
# ui configuration #
####################
nomad_ui_configuration:
enabled: "{{ nomad_enable_server }}"
#########################
# drivers configuration #
#########################
nomad_driver_enable_docker: true
nomad_driver_enable_podman: false
nomad_driver_enable_raw_exec: false
nomad_driver_enable_java: false
nomad_driver_enable_qemu: false
nomad_driver_configuration:
raw_exec:
enabled: false
nomad_driver_extra_configuration: {}
###########
# logging #
###########
nomad_log_level: info
nomad_enable_log_to_file: "{{ enable_log_to_file | bool }}"
nomad_log_to_file_configuration:
log_file: "{{ nomad_logs_dir }}/nomad.log"
log_rotate_duration: 24h
log_rotate_max_files: 30
#####################
# ACL configuration #
#####################
nomad_acl_configuration:
enabled: true
token_ttl: 30s
policy_ttl: 60s
role_ttl: 60s
################
# internal tls #
################
nomad_enable_tls: false
nomad_tls_configuration:
http: true
rpc: true
ca_file: "/etc/ssl/certs/ca-certificates.crt"
cert_file: "{{ nomad_certs_dir }}/fullchain.crt"
key_file: "{{ nomad_certs_dir }}/cert.key"
verify_server_hostname: true
nomad_certificates_extra_files_dir:
- src: "{{ hashistack_sub_configuration_directories['certificates'] }}/nomad/{{ inventory_hostname }}"
dest: "{{ nomad_certs_dir }}"
###########################
# telemetry configuration #
###########################
nomad_telemetry_configuration:
collection_interval: 10s
disable_hostname: false
use_node_name: false
publish_allocation_metrics: false
publish_node_metrics: false
prefix_filter: []
disable_dispatched_job_summary_metrics: false
prometheus_metrics: false
######################
# consul integration #
######################
nomad_enable_consul_integration: "{{ enable_consul | bool }}"
nomad_consul_integration_configuration:
address: >-
127.0.0.1:{{ consul_api_port[consul_api_scheme] }}
auto_advertise: true
ssl: "{{ consul_enable_tls | bool }}"
token: >-
{{ _credentials.consul.tokens.nomad.server.secret_id if nomad_enable_server else _credentials.consul.tokens.nomad.client.secret_id }}
tags: []
nomad_consul_integration_tls_configuration: nomad_consul_integration_tls_configuration:
ca_file: "/etc/ssl/certs/ca-certificates.crt" ca_file: "/etc/ssl/certs/ca-certificates.crt"
@ -80,7 +197,8 @@ nomad_consul_integration_server_configuration:
nomad_consul_integration_client_configuration: nomad_consul_integration_client_configuration:
client_auto_join: true client_auto_join: true
grpc_address: "127.0.0.1:{{ hashicorp_consul_configuration.ports.grpc_tls if consul_enable_tls else hashicorp_consul_configuration.ports.grpc }}" grpc_address: >-
127.0.0.1:{{ consul_grpc_port[consul_api_scheme] }}
nomad_consul_integration_client_tls_configuration: nomad_consul_integration_client_tls_configuration:
grpc_ca_file: "/etc/ssl/certs/ca-certificates.crt" grpc_ca_file: "/etc/ssl/certs/ca-certificates.crt"
@ -109,104 +227,9 @@ nomad_consul_integration_client_policy: |
policy = "write" policy = "write"
} }
############################# ############################
# nomad leave configuration # # nomad vault integration #
############################# ############################
# node will leave the cluster if the process is stopped nomad_enable_vault_integration: false
# and if it is only a client nomad_vault_integration_configuration: {}
nomad_leave_on_interrupt: "{{ (('nomad_clients' in group_names) and not ('nomad_servers' in group_names)) | bool }}"
nomad_leave_on_terminate: "{{ (('nomad_clients' in group_names) and not ('nomad_servers' in group_names)) | bool }}"
##########################
# nomad ui configuration #
##########################
nomad_ui_configuration:
enabled: "{{ ('nomad_servers' in group_names) | bool }}"
##############################
# nomad server configuration #
##############################
nomad_enable_server: "{{ ('nomad_servers' in group_names) | bool }}"
nomad_server_configuration:
enabled: "{{ nomad_enable_server }}"
data_dir: "{{ hashicorp_nomad_data_dir }}/server"
encrypt: "{{ _credentials.nomad.gossip_encryption_key }}"
##############################
# nomad client configuration #
##############################
nomad_enable_client: "{{ ('nomad_clients' in group_names) | bool }}"
nomad_client_configuration:
enabled: "{{ nomad_enable_client }}"
state_dir: "{{ hashicorp_nomad_data_dir }}/client"
bridge_network_name: nomad
bridge_network_subnet: "172.26.64.0/20"
###############################
# nomad drivers configuration #
###############################
nomad_driver_configuration:
raw_exec:
enabled: "{{ nomad_driver_enable_raw_exec | bool }}"
######################
# nomad internal tls #
######################
nomad_certificates_directory: "{{ hashicorp_nomad_config_dir }}/tls"
nomad_certificates_extra_files_dir:
- src: "{{ sub_configuration_directories['certificates'] }}/nomad/{{ inventory_hostname }}"
dest: "{{ nomad_certificates_directory }}"
#################
# nomad logging #
#################
nomad_enable_log_to_file: "{{ enable_log_to_file | bool }}"
nomad_logging_configuration:
log_file: "{{ hashistack_remote_log_dir }}/nomad/nomad.log"
log_level: info
log_rotate_duration: 24h
log_rotate_max_files: 30
########################
# nomad role variables #
########################
hashicorp_nomad_start_service: true
hashicorp_nomad_service_name: "nomad"
hashicorp_nomad_cni_plugins_install: true
hashicorp_nomad_cni_plugins_version: latest
hashicorp_nomad_cni_plugins_install_path: /opt/cni/bin
hashicorp_nomad_version: "{{ nomad_version }}"
hashicorp_nomad_env_variables: {}
hashicorp_nomad_config_dir: "{{ hashistack_remote_config_dir }}/nomad.d"
hashicorp_nomad_data_dir: "{{ hashistack_remote_data_dir }}/nomad"
hashicorp_nomad_extra_files: true
hashicorp_nomad_extra_files_list: "{{ ([] +
(nomad_certificates_extra_files_dir if nomad_enable_tls else []) +
nomad_extra_files_list)
| unique
| sort
}}"
hashicorp_nomad_configuration:
datacenter: "{{ nomad_datacenter }}"
region: "{{ nomad_region }}"
bind_addr: "0.0.0.0"
data_dir: "{{ hashicorp_nomad_data_dir }}"
leave_on_interrupt: "{{ nomad_leave_on_interrupt }}"
leave_on_terminate: "{{ nomad_leave_on_terminate }}"
acl: "{{ nomad_acl_configuration }}"
server: "{{ nomad_server_configuration }}"
client: "{{ nomad_client_configuration }}"
ui: "{{ nomad_ui_configuration }}"
# this is used to circumvent jinja limitation to convert string to integer
hashicorp_nomad_configuration_string: |
server:
bootstrap_expect: {{ (groups['nomad_servers'] | length) }}


@ -1,100 +1,121 @@
--- ---
#####################################################
# #
# Non-Editable #
# #
#####################################################
vault_init_server: "{{ (inventory_hostname == groups['vault_servers'][0]) | bool }}" vault_init_server: "{{ (inventory_hostname == groups['vault_servers'][0]) | bool }}"
######################### #########
# vault haproxy backend # # Vault #
######################### #########
vault_haproxy_frontend_options: vault_config_dir: "{{ hashistack_remote_config_dir }}/vault.d"
- acl is_vault hdr(host) -i {{ vault_fqdn }} vault_data_dir: "/opt/vault"
- use_backend vault_external if is_vault vault_certs_dir: "{{ vault_config_dir }}/tls"
vault_logs_dir: "{{ hashistack_remote_log_dir }}/vault"
vault_haproxy_backends: vault_extra_files: true
- name: vault_external # vault_extra_files_list: []
options: "{{ vault_external_backend_options + vault_external_backend_servers }}"
vault_external_backend_options: vault_env_variables: {}
- description vault external http backend
- option forwardfor
- option httpchk GET /v1/sys/health?standbyok=true&sealedcode=200&standbycode=200&uninitcode=200
- http-check expect status 200
- default-server inter 2s fastinter 1s downinter 1s
vault_external_backend_servers: | #######################
[ # extra configuration #
{% for host in groups['vault_servers'] %} #######################
'server vault-{{ hostvars[host].api_interface_address }} {{ hostvars[host].api_interface_address }}:8200 check {{ 'ssl verify none ' if vault_enable_tls }}inter 5s'{% if not loop.last %},{% endif %}
{% endfor %} # You should prioritize adding configuration
] # to the configuration entries below, this
# option should be used to add pieces of configuration not
# available through standard variables.
# vault_extra_configuration: {}
###########
# general #
###########
# vault_cluster_name: vault
# vault_bind_addr: "0.0.0.0"
# vault_cluster_addr: "{{ api_interface_address }}"
# vault_enable_ui: true
# vault_disable_mlock: false
# vault_disable_cache: false
###################### ######################
# vault internal tls # # seal configuration #
###################### ######################
vault_certificates_directory: "{{ hashicorp_vault_config_dir }}/tls" vault_seal_configuration:
key_shares: 3
key_threshold: 2
#########################
# storage configuration #
#########################
vault_storage_configuration:
raft:
path: "{{ vault_data_dir }}"
node_id: "{{ ansible_hostname }}"
retry_join: >-
[
{% for host in groups['vault_servers'] %}
{
'leader_api_addr': '{{ "https" if vault_enable_tls else "http"}}://{{ hostvars[host].api_interface_address }}:8200'
}{% if not loop.last %},{% endif %}
{% endfor %}
]
##########################
# listener configuration #
##########################
# vault_enable_tls: false
vault_listener_configuration:
- tcp:
address: "{{ vault_cluster_addr }}:8200"
tls_disable: true
vault_tls_listener_configuration:
- tcp:
tls_disable: false
tls_cert_file: "{{ vault_certs_dir }}/fullchain.crt"
tls_key_file: "{{ vault_certs_dir }}/cert.key"
tls_disable_client_certs: true
vault_certificates_extra_files_dir: vault_certificates_extra_files_dir:
- src: "{{ sub_configuration_directories['certificates'] }}/vault/{{ inventory_hostname }}" - src: "{{ hashistack_sub_configuration_directories['certificates'] }}/vault/{{ inventory_hostname }}"
dest: "{{ vault_certificates_directory }}" dest: "{{ vault_certs_dir }}"
################# vault_extra_listener_configuration: []
# vault plugins #
#################
vault_plugin_directory: "{{ hashicorp_vault_config_dir }}/plugin" ########################
vault_plugin_extra_files_dir: # service registration #
- src: "{{ sub_configuration_directories['vault_servers'] }}/plugin" ########################
dest: "{{ vault_plugin_directory }}"
############################## # vault_enable_service_registration: "{{ enable_consul | bool }}"
# vault service registration # vault_service_registration_configuration:
############################## consul:
address: >-
127.0.0.1:{{ hostvars[groups['consul_servers'][0]].consul_api_port[hostvars[groups['consul_servers'][0]].consul_api_scheme] }}
scheme: "{{ hostvars[groups['consul_servers'][0]].consul_api_scheme }}"
token: "{{ _credentials.consul.tokens.vault.secret_id }}"
vault_service_registration_policy: | vault_service_registration_policy: |
service "vault" { service "vault" {
policy = "write" policy = "write"
} }
#########################
# plugins configuration #
#########################
# vault_enable_plugins: false
vault_plugins_directory: "{{ vault_config_dir }}/plugins"
################# #################
# vault logging # # vault logging #
################# #################
# vault_log_level: info
vault_enable_log_to_file: "{{ enable_log_to_file | bool }}" vault_enable_log_to_file: "{{ enable_log_to_file | bool }}"
vault_logging_configuration: vault_log_to_file_configuration:
log_file: "{{ hashistack_remote_log_dir }}/vault/vault.log" log_file: "{{ vault_logs_dir }}/vault.log"
log_level: info
log_rotate_duration: 24h log_rotate_duration: 24h
log_rotate_max_files: 30 log_rotate_max_files: 30
########################
# vault role variables #
########################
hashicorp_vault_start_service: true
hashicorp_vault_service_name: "vault"
hashicorp_vault_version: "{{ vault_version }}"
hashicorp_vault_env_variables: {}
hashicorp_vault_config_dir: "{{ hashistack_remote_config_dir }}/vault.d"
hashicorp_vault_data_dir: "{{ hashistack_remote_data_dir }}/vault"
hashicorp_vault_extra_files: true
hashicorp_vault_extra_files_list: "{{ ([] +
(vault_certificates_extra_files_dir if vault_enable_tls else []) +
(vault_plugin_extra_files_dir if vault_enable_plugins else []) +
vault_extra_files_list)
| unique
| sort
}}"
hashicorp_vault_configuration:
cluster_name: "{{ vault_cluster_name }}"
cluster_addr: "{{ 'https' if vault_enable_tls else 'http'}}://{{ api_interface_address }}:8201"
api_addr: "{{ 'https' if vault_enable_tls else 'http'}}://{{ api_interface_address }}:8200"
ui: "{{ vault_enable_ui }}"
disable_mlock: false
disable_cache: false
listener: "{{ vault_listener_configuration }}"
storage: "{{ vault_storage_configuration }}"