feat/major-revamp #11
@ -1,3 +1,4 @@
|
||||
---
|
||||
repos:
|
||||
- repo: https://github.com/pre-commit/pre-commit-hooks
|
||||
rev: v4.5.0
|
||||
|
@ -1,9 +1,10 @@
|
||||
---
|
||||
# hashistack deployment playbook
|
||||
- name: "Deploy"
|
||||
hosts: all, !deployment
|
||||
hosts: "{{ target | default('all, !deployment') }}"
|
||||
strategy: linear
|
||||
gather_facts: true
|
||||
any_errors_fatal: true
|
||||
become: true
|
||||
tasks:
|
||||
- name: "Import variables"
|
||||
@ -12,57 +13,42 @@
|
||||
tags:
|
||||
- always
|
||||
|
||||
# Consul nodes deployment
|
||||
- name: "Deploy Consul"
|
||||
tags:
|
||||
- consul
|
||||
when:
|
||||
- enable_consul | bool
|
||||
block:
|
||||
- name: "Deploy Consul Control Plane"
|
||||
ansible.builtin.import_tasks:
|
||||
file: tasks/consul/consul_deploy.yml
|
||||
when:
|
||||
- "'consul_servers' in group_names"
|
||||
|
||||
- name: "Deploy Consul Agents"
|
||||
ansible.builtin.include_role:
|
||||
name: ednz_cloud.hashicorp_consul
|
||||
# Haproxy nodes deployment
|
||||
- name: "Deploy Proxies"
|
||||
tags:
|
||||
- haproxy
|
||||
when:
|
||||
- "'consul_agents' in group_names"
|
||||
|
||||
- enable_haproxy | bool
|
||||
block:
|
||||
- name: "Deploy Haproxy & Keepalived"
|
||||
ansible.builtin.import_tasks:
|
||||
file: tasks/haproxy/haproxy_deploy.yml
|
||||
when:
|
||||
- enable_haproxy | bool
|
||||
- "'haproxy_servers' in group_names"
|
||||
tags:
|
||||
- haproxy
|
||||
|
||||
# Vault nodes deployment
|
||||
- name: "Deploy Vault"
|
||||
ansible.builtin.import_tasks:
|
||||
file: tasks/vault/vault_deploy.yml
|
||||
when:
|
||||
- enable_vault | bool
|
||||
- "'vault_servers' in group_names"
|
||||
tags:
|
||||
- vault
|
||||
when:
|
||||
- enable_vault | bool
|
||||
ansible.builtin.import_tasks:
|
||||
file: tasks/vault/vault_deploy.yml
|
||||
|
||||
# Nomad nodes deployment
|
||||
- name: "Deploy Nomad"
|
||||
tags:
|
||||
- nomad
|
||||
when:
|
||||
- enable_nomad | bool
|
||||
block:
|
||||
- name: "Deploy Nomad Control Plane"
|
||||
ansible.builtin.import_tasks:
|
||||
file: tasks/nomad/nomad_deploy.yml
|
||||
when:
|
||||
- "('nomad_servers' in group_names)"
|
||||
|
||||
- name: "Deploy Nomad Clients"
|
||||
ansible.builtin.include_role:
|
||||
name: ednz_cloud.hashicorp_nomad
|
||||
when:
|
||||
- "('nomad_clients' in group_names)"
|
||||
- "('nomad_servers' not in group_names)"
|
||||
|
6
playbooks/tasks/consul/consul_agents.yml
Normal file
6
playbooks/tasks/consul/consul_agents.yml
Normal file
@ -0,0 +1,6 @@
|
||||
---
|
||||
- name: "Consul agents"
|
||||
block:
|
||||
- name: "Deploy Consul Agents"
|
||||
ansible.builtin.include_role:
|
||||
name: ednz_cloud.hashicorp_consul
|
78
playbooks/tasks/consul/consul_control_plane.yml
Normal file
78
playbooks/tasks/consul/consul_control_plane.yml
Normal file
@ -0,0 +1,78 @@
|
||||
---
|
||||
- name: "Consul control plane"
|
||||
block:
|
||||
- name: "Include ednz_cloud.hashicorp_consul"
|
||||
ansible.builtin.include_role:
|
||||
name: ednz_cloud.hashicorp_consul
|
||||
|
||||
- name: "Wait for consul cluster to initialize" # noqa: run-once[task]
|
||||
block:
|
||||
- name: "Wait for consul nodes to stabilize"
|
||||
ansible.builtin.wait_for:
|
||||
host: "{{ api_interface_address }}"
|
||||
port: "{{ consul_api_port[consul_api_scheme] }}"
|
||||
delay: 10
|
||||
|
||||
- name: "Waiting for consul api to respond"
|
||||
ansible.builtin.uri:
|
||||
url: "{{ consul_api_addr }}"
|
||||
validate_certs: no
|
||||
return_content: yes
|
||||
status_code:
|
||||
- 200
|
||||
until: uri_output.status == 200
|
||||
retries: 24
|
||||
delay: 5
|
||||
register: uri_output
|
||||
|
||||
- name: "Initialize consul cluster" # noqa: run-once[task]
|
||||
community.general.consul_acl_bootstrap:
|
||||
bootstrap_secret: "{{ _credentials.consul.root_token.secret_id }}"
|
||||
host: "{{ api_interface_address }}"
|
||||
port: "{{ consul_api_port[consul_api_scheme] }}"
|
||||
scheme: "{{ consul_api_scheme }}"
|
||||
state: present
|
||||
register: _consul_init_secret
|
||||
when:
|
||||
- consul_init_server
|
||||
- hashicorp_consul_configuration.acl.enabled
|
||||
|
||||
- name: "Create consul agents token"
|
||||
when:
|
||||
- consul_init_server
|
||||
- hashicorp_consul_configuration.acl.enabled
|
||||
block:
|
||||
- name: "Create consul agents token" # noqa: run-once[task] no-handler
|
||||
block:
|
||||
- name: "Create consul agent policy"
|
||||
community.general.consul_policy:
|
||||
token: "{{ _credentials.consul.root_token.secret_id }}"
|
||||
host: "{{ api_interface_address }}"
|
||||
port: "{{ consul_api_port[consul_api_scheme] }}"
|
||||
scheme: "{{ consul_api_scheme }}"
|
||||
validate_certs: false
|
||||
state: present
|
||||
name: agents-policy
|
||||
rules: "{{ consul_default_agent_policy }}"
|
||||
register: _consul_agent_policy
|
||||
|
||||
- name: "Create consul agents token"
|
||||
community.general.consul_token:
|
||||
token: "{{ _credentials.consul.root_token.secret_id }}"
|
||||
host: "{{ api_interface_address }}"
|
||||
port: "{{ consul_api_port[consul_api_scheme] }}"
|
||||
scheme: "{{ consul_api_scheme }}"
|
||||
validate_certs: false
|
||||
accessor_id: "{{ _credentials.consul.tokens.agent.accessor_id }}"
|
||||
secret_id: "{{ _credentials.consul.tokens.agent.secret_id }}"
|
||||
policies:
|
||||
- id: "{{ _consul_agent_policy.policy.ID }}"
|
||||
state: present
|
||||
register: _consul_agent_token
|
||||
|
||||
- name: "Restart consul service" # noqa: no-handler
|
||||
ansible.builtin.service:
|
||||
name: "{{ hashicorp_consul_service_name }}"
|
||||
state: restarted
|
||||
throttle: 1
|
||||
when: _consul_agent_token.changed
|
@ -1,78 +1,19 @@
|
||||
---
|
||||
- name: "Consul"
|
||||
block:
|
||||
- name: "Include ednz_cloud.hashicorp_consul"
|
||||
ansible.builtin.include_role:
|
||||
name: ednz_cloud.hashicorp_consul
|
||||
|
||||
- name: "Wait for consul cluster to initialize" # noqa: run-once[task]
|
||||
block:
|
||||
- name: "Wait for consul nodes to stabilize"
|
||||
ansible.builtin.wait_for:
|
||||
host: "{{ api_interface_address }}"
|
||||
port: "{{ consul_api_port[consul_api_scheme] }}"
|
||||
delay: 10
|
||||
|
||||
- name: "Waiting for consul api to respond"
|
||||
ansible.builtin.uri:
|
||||
url: "{{ consul_api_addr }}"
|
||||
validate_certs: no
|
||||
return_content: yes
|
||||
status_code:
|
||||
- 200
|
||||
until: uri_output.status == 200
|
||||
retries: 24
|
||||
delay: 5
|
||||
register: uri_output
|
||||
|
||||
- name: "Initialize consul cluster" # noqa: run-once[task]
|
||||
community.general.consul_acl_bootstrap:
|
||||
bootstrap_secret: "{{ _credentials.consul.root_token.secret_id }}"
|
||||
host: "{{ api_interface_address }}"
|
||||
port: "{{ consul_api_port[consul_api_scheme] }}"
|
||||
scheme: "{{ consul_api_scheme }}"
|
||||
state: present
|
||||
register: _consul_init_secret
|
||||
- name: "Deploy Consul Control Plane"
|
||||
ansible.builtin.import_tasks:
|
||||
file: consul_control_plane.yml
|
||||
when:
|
||||
- consul_init_server
|
||||
- hashicorp_consul_configuration.acl.enabled
|
||||
- "'consul_servers' in group_names"
|
||||
tags:
|
||||
- consul_servers
|
||||
|
||||
- name: "Create consul agents token"
|
||||
- name: "Deploy Consul Agents"
|
||||
ansible.builtin.import_tasks:
|
||||
file: consul_agents.yml
|
||||
when:
|
||||
- consul_init_server
|
||||
- hashicorp_consul_configuration.acl.enabled
|
||||
block:
|
||||
- name: "Create consul agents token" # noqa: run-once[task] no-handler
|
||||
block:
|
||||
- name: "Create consul agent policy"
|
||||
community.general.consul_policy:
|
||||
token: "{{ _credentials.consul.root_token.secret_id }}"
|
||||
host: "{{ api_interface_address }}"
|
||||
port: "{{ consul_api_port[consul_api_scheme] }}"
|
||||
scheme: "{{ consul_api_scheme }}"
|
||||
validate_certs: false
|
||||
state: present
|
||||
name: agents-policy
|
||||
rules: "{{ consul_default_agent_policy }}"
|
||||
register: _consul_agent_policy
|
||||
|
||||
- name: "Create consul agents token"
|
||||
community.general.consul_token:
|
||||
token: "{{ _credentials.consul.root_token.secret_id }}"
|
||||
host: "{{ api_interface_address }}"
|
||||
port: "{{ consul_api_port[consul_api_scheme] }}"
|
||||
scheme: "{{ consul_api_scheme }}"
|
||||
validate_certs: false
|
||||
accessor_id: "{{ _credentials.consul.tokens.agent.accessor_id }}"
|
||||
secret_id: "{{ _credentials.consul.tokens.agent.secret_id }}"
|
||||
policies:
|
||||
- id: "{{ _consul_agent_policy.policy.ID }}"
|
||||
state: present
|
||||
register: _consul_agent_token
|
||||
|
||||
- name: "Restart consul service" # noqa: no-handler
|
||||
ansible.builtin.service:
|
||||
name: "{{ hashicorp_consul_service_name }}"
|
||||
state: restarted
|
||||
throttle: 1
|
||||
when: _consul_agent_token.changed
|
||||
- "'consul_agents' in group_names"
|
||||
- "'consul_servers' not in group_names"
|
||||
tags:
|
||||
- consul_agents
|
||||
|
11
playbooks/tasks/nomad/nomad_clients.yml
Normal file
11
playbooks/tasks/nomad/nomad_clients.yml
Normal file
@ -0,0 +1,11 @@
|
||||
---
|
||||
- name: "Nomad clients"
|
||||
block:
|
||||
- name: "Install docker driver"
|
||||
ansible.builtin.include_role:
|
||||
name: ednz_cloud.install_docker
|
||||
when: nomad_driver_enable_docker
|
||||
|
||||
- name: "Deploy Nomad Clients"
|
||||
ansible.builtin.include_role:
|
||||
name: ednz_cloud.hashicorp_nomad
|
82
playbooks/tasks/nomad/nomad_control_plane.yml
Normal file
82
playbooks/tasks/nomad/nomad_control_plane.yml
Normal file
@ -0,0 +1,82 @@
|
||||
---
|
||||
- name: "Nomad control plane"
|
||||
block:
|
||||
- name: "Create consul tokens for service registration"
|
||||
when:
|
||||
- nomad_init_server
|
||||
- enable_consul
|
||||
- nomad_enable_consul_integration
|
||||
vars:
|
||||
_consul_host: "{{ hostvars[groups['consul_servers'][0]].api_interface_address }}"
|
||||
_consul_port: "{{ hostvars[groups['consul_servers'][0]].consul_api_port[hostvars[groups['consul_servers'][0]].consul_api_scheme] }}"
|
||||
_consul_scheme: "{{ hostvars[groups['consul_servers'][0]].consul_api_scheme }}"
|
||||
block:
|
||||
- name: "Create server credentials"
|
||||
block:
|
||||
- name: "Create consul server policy"
|
||||
community.general.consul_policy:
|
||||
token: "{{ _credentials.consul.root_token.secret_id }}"
|
||||
host: "{{ _consul_host }}"
|
||||
port: "{{ _consul_port }}"
|
||||
scheme: "{{ _consul_scheme }}"
|
||||
validate_certs: false
|
||||
state: present
|
||||
name: nomad-server-policy
|
||||
rules: "{{ nomad_consul_integration_server_policy }}"
|
||||
register: _consul_nomad_server_policy
|
||||
|
||||
- name: "Create consul server token" # noqa: no-handler
|
||||
community.general.consul_token:
|
||||
token: "{{ _credentials.consul.root_token.secret_id }}"
|
||||
host: "{{ _consul_host }}"
|
||||
port: "{{ _consul_port }}"
|
||||
scheme: "{{ _consul_scheme }}"
|
||||
validate_certs: false
|
||||
accessor_id: "{{ _credentials.consul.tokens.nomad.server.accessor_id }}"
|
||||
secret_id: "{{ _credentials.consul.tokens.nomad.server.secret_id }}"
|
||||
policies:
|
||||
- id: "{{ _consul_nomad_server_policy.policy.ID }}"
|
||||
state: present
|
||||
when: _consul_nomad_server_policy.changed
|
||||
|
||||
- name: "Create client credentials"
|
||||
block:
|
||||
- name: "Create consul client policy"
|
||||
community.general.consul_policy:
|
||||
token: "{{ _credentials.consul.root_token.secret_id }}"
|
||||
host: "{{ _consul_host }}"
|
||||
port: "{{ _consul_port }}"
|
||||
scheme: "{{ _consul_scheme }}"
|
||||
validate_certs: false
|
||||
state: present
|
||||
name: nomad-client-policy
|
||||
rules: "{{ nomad_consul_integration_client_policy }}"
|
||||
register: _consul_nomad_client_policy
|
||||
|
||||
- name: "Create consul client token" # noqa: no-handler
|
||||
community.general.consul_token:
|
||||
token: "{{ _credentials.consul.root_token.secret_id }}"
|
||||
host: "{{ _consul_host }}"
|
||||
port: "{{ _consul_port }}"
|
||||
scheme: "{{ _consul_scheme }}"
|
||||
validate_certs: false
|
||||
accessor_id: "{{ _credentials.consul.tokens.nomad.client.accessor_id }}"
|
||||
secret_id: "{{ _credentials.consul.tokens.nomad.client.secret_id }}"
|
||||
policies:
|
||||
- id: "{{ _consul_nomad_client_policy.policy.ID }}"
|
||||
state: present
|
||||
when: _consul_nomad_client_policy.changed
|
||||
|
||||
- name: "Include ednz_cloud.hashicorp_nomad"
|
||||
ansible.builtin.include_role:
|
||||
name: ednz_cloud.hashicorp_nomad
|
||||
|
||||
- name: "Initialize nomad cluster" # noqa: run-once[task]
|
||||
ednz_cloud.hashistack.nomad_acl_bootstrap:
|
||||
bootstrap_secret: "{{ _credentials.nomad.root_token.secret_id }}"
|
||||
api_url: "{{ nomad_api_addr }}"
|
||||
tls_verify: false
|
||||
register: _nomad_init_secret
|
||||
when:
|
||||
- nomad_init_server
|
||||
- hashicorp_nomad_configuration.acl.enabled
|
@ -1,82 +1,19 @@
|
||||
---
|
||||
- name: "Nomad"
|
||||
block:
|
||||
- name: "Create consul tokens for service registration"
|
||||
- name: "Deploy Nomad Control Plane"
|
||||
ansible.builtin.import_tasks:
|
||||
file: nomad_control_plane.yml
|
||||
when:
|
||||
- nomad_init_server
|
||||
- enable_consul
|
||||
- nomad_enable_consul_integration
|
||||
vars:
|
||||
_consul_host: "{{ hostvars[groups['consul_servers'][0]].api_interface_address }}"
|
||||
_consul_port: "{{ hostvars[groups['consul_servers'][0]].consul_api_port[hostvars[groups['consul_servers'][0]].consul_api_scheme] }}"
|
||||
_consul_scheme: "{{ hostvars[groups['consul_servers'][0]].consul_api_scheme }}"
|
||||
block:
|
||||
- name: "Create server credentials"
|
||||
block:
|
||||
- name: "Create consul server policy"
|
||||
community.general.consul_policy:
|
||||
token: "{{ _credentials.consul.root_token.secret_id }}"
|
||||
host: "{{ _consul_host }}"
|
||||
port: "{{ _consul_port }}"
|
||||
scheme: "{{ _consul_scheme }}"
|
||||
validate_certs: false
|
||||
state: present
|
||||
name: nomad-server-policy
|
||||
rules: "{{ nomad_consul_integration_server_policy }}"
|
||||
register: _consul_nomad_server_policy
|
||||
- "'nomad_servers' in group_names"
|
||||
tags:
|
||||
- nomad_servers
|
||||
|
||||
- name: "Create consul server token"
|
||||
community.general.consul_token:
|
||||
token: "{{ _credentials.consul.root_token.secret_id }}"
|
||||
host: "{{ _consul_host }}"
|
||||
port: "{{ _consul_port }}"
|
||||
scheme: "{{ _consul_scheme }}"
|
||||
validate_certs: false
|
||||
accessor_id: "{{ _credentials.consul.tokens.nomad.server.accessor_id }}"
|
||||
secret_id: "{{ _credentials.consul.tokens.nomad.server.secret_id }}"
|
||||
policies:
|
||||
- id: "{{ _consul_nomad_server_policy.policy.ID }}"
|
||||
state: present
|
||||
when: _consul_nomad_server_policy.changed
|
||||
|
||||
- name: "Create client credentials"
|
||||
block:
|
||||
- name: "Create consul client policy"
|
||||
community.general.consul_policy:
|
||||
token: "{{ _credentials.consul.root_token.secret_id }}"
|
||||
host: "{{ _consul_host }}"
|
||||
port: "{{ _consul_port }}"
|
||||
scheme: "{{ _consul_scheme }}"
|
||||
validate_certs: false
|
||||
state: present
|
||||
name: nomad-client-policy
|
||||
rules: "{{ nomad_consul_integration_client_policy }}"
|
||||
register: _consul_nomad_client_policy
|
||||
|
||||
- name: "Create consul client token"
|
||||
community.general.consul_token:
|
||||
token: "{{ _credentials.consul.root_token.secret_id }}"
|
||||
host: "{{ _consul_host }}"
|
||||
port: "{{ _consul_port }}"
|
||||
scheme: "{{ _consul_scheme }}"
|
||||
validate_certs: false
|
||||
accessor_id: "{{ _credentials.consul.tokens.nomad.client.accessor_id }}"
|
||||
secret_id: "{{ _credentials.consul.tokens.nomad.client.secret_id }}"
|
||||
policies:
|
||||
- id: "{{ _consul_nomad_client_policy.policy.ID }}"
|
||||
state: present
|
||||
when: _consul_nomad_client_policy.changed
|
||||
|
||||
- name: "Include ednz_cloud.hashicorp_nomad"
|
||||
ansible.builtin.include_role:
|
||||
name: ednz_cloud.hashicorp_nomad
|
||||
|
||||
- name: "Initialize nomad cluster" # noqa: run-once[task]
|
||||
ednz_cloud.hashistack.nomad_acl_bootstrap:
|
||||
bootstrap_secret: "{{ _credentials.nomad.root_token.secret_id }}"
|
||||
api_url: "{{ nomad_api_addr }}"
|
||||
tls_verify: false
|
||||
register: _nomad_init_secret
|
||||
- name: "Deploy Nomad Clients"
|
||||
ansible.builtin.import_tasks:
|
||||
file: nomad_clients.yml
|
||||
when:
|
||||
- nomad_init_server
|
||||
- hashicorp_nomad_configuration.acl.enabled
|
||||
- "'nomad_clients' in group_names"
|
||||
- "'nomad_servers' not in group_names"
|
||||
tags:
|
||||
- nomad_clients
|
||||
|
@ -123,7 +123,3 @@
|
||||
combine(_config_to_merge, recursive=true)
|
||||
}}"
|
||||
when: nomad_extra_configuration is defined
|
||||
|
||||
- name: "Print nomad configuration"
|
||||
ansible.builtin.debug:
|
||||
msg: "{{ hashicorp_nomad_configuration }}"
|
||||
|
90
playbooks/tasks/vault/vault_control_plane.yml
Normal file
90
playbooks/tasks/vault/vault_control_plane.yml
Normal file
@ -0,0 +1,90 @@
|
||||
---
|
||||
- name: "Vault control plane"
|
||||
block:
|
||||
- name: "Create consul token for service registration"
|
||||
when:
|
||||
- vault_init_server
|
||||
- enable_consul
|
||||
- vault_enable_service_registration
|
||||
vars:
|
||||
_consul_vault_sr_host: "{{ hostvars[groups['consul_servers'][0]].api_interface_address }}"
|
||||
_consul_vault_sr_port: "{{ hostvars[groups['consul_servers'][0]].consul_api_port[hostvars[groups['consul_servers'][0]].consul_api_scheme] }}"
|
||||
_consul_vault_sr_scheme: "{{ hostvars[groups['consul_servers'][0]].consul_api_scheme }}"
|
||||
block:
|
||||
- name: "Create consul vault policy"
|
||||
community.general.consul_policy:
|
||||
token: "{{ _credentials.consul.root_token.secret_id }}"
|
||||
host: "{{ _consul_vault_sr_host }}"
|
||||
port: "{{ _consul_vault_sr_port }}"
|
||||
scheme: "{{ _consul_vault_sr_scheme }}"
|
||||
validate_certs: false
|
||||
state: present
|
||||
name: vault-policy
|
||||
rules: "{{ vault_service_registration_policy }}"
|
||||
register: _consul_vault_policy
|
||||
|
||||
- name: "Create consul vault token" # noqa: no-handler
|
||||
community.general.consul_token:
|
||||
token: "{{ _credentials.consul.root_token.secret_id }}"
|
||||
host: "{{ _consul_vault_sr_host }}"
|
||||
port: "{{ _consul_vault_sr_port }}"
|
||||
scheme: "{{ _consul_vault_sr_scheme }}"
|
||||
validate_certs: false
|
||||
accessor_id: "{{ _credentials.consul.tokens.vault.accessor_id }}"
|
||||
secret_id: "{{ _credentials.consul.tokens.vault.secret_id }}"
|
||||
policies:
|
||||
- id: "{{ _consul_vault_policy.policy.ID }}"
|
||||
state: present
|
||||
when: _consul_vault_policy.changed
|
||||
|
||||
- name: "Include ednz_cloud.hashicorp_consul"
|
||||
ansible.builtin.include_role:
|
||||
name: ednz_cloud.hashicorp_vault
|
||||
|
||||
- name: "Initialize vault cluster" # noqa: run-once[task]
|
||||
ednz_cloud.hashistack.vault_init:
|
||||
api_url: "{{ hashicorp_vault_configuration['api_addr'] }}"
|
||||
tls_verify: "{{ vault_tls_verify }}"
|
||||
key_shares: "{{ vault_seal_configuration['key_shares'] }}"
|
||||
key_threshold: "{{ vault_seal_configuration['key_threshold'] }}"
|
||||
retries: 5
|
||||
delay: 5
|
||||
register: _vault_init_secret
|
||||
until: not _vault_init_secret.failed
|
||||
when: vault_init_server
|
||||
|
||||
- name: "Write vault configuration to file" # noqa: run-once[task] no-handler
|
||||
ansible.builtin.copy:
|
||||
content: "{{ _vault_init_secret.state | to_nice_yaml(indent=2) }}"
|
||||
dest: "{{ sub_configuration_directories.secrets }}/vault.yml"
|
||||
owner: "{{ lookup('env', 'USER') }}"
|
||||
group: "{{ lookup('env', 'USER') }}"
|
||||
mode: "0644"
|
||||
when:
|
||||
- vault_init_server
|
||||
- _vault_init_secret.changed
|
||||
delegate_to: localhost
|
||||
|
||||
- name: "Load vault cluster variables necessary for unseal operation"
|
||||
ansible.builtin.import_tasks:
|
||||
file: ../misc/load_credentials_vars.yml
|
||||
|
||||
- name: "Unseal the bootstrap node" # noqa: run-once[task] no-handler
|
||||
ednz_cloud.hashistack.vault_unseal:
|
||||
api_url: "{{ hashicorp_vault_configuration['api_addr'] }}"
|
||||
tls_verify: "{{ vault_tls_verify }}"
|
||||
key_shares: "{{ _credentials.vault['keys'] }}"
|
||||
when:
|
||||
- vault_init_server
|
||||
- _vault_init_secret.changed
|
||||
register: _vault_unseal_secret
|
||||
|
||||
- name: "Unseal all vault nodes"
|
||||
ednz_cloud.hashistack.vault_unseal:
|
||||
api_url: "{{ hashicorp_vault_configuration['api_addr'] }}"
|
||||
tls_verify: "{{ vault_tls_verify }}"
|
||||
key_shares: "{{ _credentials.vault['keys'] }}"
|
||||
retries: 5
|
||||
delay: 5
|
||||
until: _unseal_status.changed or not _unseal_status.failed
|
||||
register: _unseal_status
|
@ -1,90 +1,10 @@
|
||||
---
|
||||
- name: "Vault"
|
||||
block:
|
||||
- name: "Create consul token for service registration"
|
||||
when:
|
||||
- vault_init_cluster
|
||||
- enable_consul
|
||||
- vault_enable_service_registration
|
||||
vars:
|
||||
_consul_vault_sr_host: "{{ hostvars[groups['consul_servers'][0]].api_interface_address }}"
|
||||
_consul_vault_sr_port: "{{ hostvars[groups['consul_servers'][0]].consul_api_port[hostvars[groups['consul_servers'][0]].consul_api_scheme] }}"
|
||||
_consul_vault_sr_scheme: "{{ hostvars[groups['consul_servers'][0]].consul_api_scheme }}"
|
||||
block:
|
||||
- name: "Create consul vault policy"
|
||||
community.general.consul_policy:
|
||||
token: "{{ _credentials.consul.root_token.secret_id }}"
|
||||
host: "{{ _consul_vault_sr_host }}"
|
||||
port: "{{ _consul_vault_sr_port }}"
|
||||
scheme: "{{ _consul_vault_sr_scheme }}"
|
||||
validate_certs: false
|
||||
state: present
|
||||
name: vault-policy
|
||||
rules: "{{ vault_service_registration_policy }}"
|
||||
register: _consul_vault_policy
|
||||
|
||||
- name: "Create consul vault token"
|
||||
community.general.consul_token:
|
||||
token: "{{ _credentials.consul.root_token.secret_id }}"
|
||||
host: "{{ _consul_vault_sr_host }}"
|
||||
port: "{{ _consul_vault_sr_port }}"
|
||||
scheme: "{{ _consul_vault_sr_scheme }}"
|
||||
validate_certs: false
|
||||
accessor_id: "{{ _credentials.consul.tokens.vault.accessor_id }}"
|
||||
secret_id: "{{ _credentials.consul.tokens.vault.secret_id }}"
|
||||
policies:
|
||||
- id: "{{ _consul_vault_policy.policy.ID }}"
|
||||
state: present
|
||||
when: _consul_vault_policy.changed
|
||||
|
||||
- name: "Include ednz_cloud.hashicorp_consul"
|
||||
ansible.builtin.include_role:
|
||||
name: ednz_cloud.hashicorp_vault
|
||||
|
||||
- name: "Initialize vault cluster" # noqa: run-once[task]
|
||||
ednz_cloud.hashistack.vault_init:
|
||||
api_url: "{{ hashicorp_vault_configuration['api_addr'] }}"
|
||||
tls_verify: "{{ vault_tls_verify }}"
|
||||
key_shares: "{{ vault_seal_configuration['key_shares'] }}"
|
||||
key_threshold: "{{ vault_seal_configuration['key_threshold'] }}"
|
||||
retries: 5
|
||||
delay: 5
|
||||
register: _vault_init_secret
|
||||
until: not _vault_init_secret.failed
|
||||
when: vault_init_cluster
|
||||
|
||||
- name: "Write vault configuration to file" # noqa: run-once[task] no-handler
|
||||
ansible.builtin.copy:
|
||||
content: "{{ _vault_init_secret.state | to_nice_yaml(indent=2) }}"
|
||||
dest: "{{ sub_configuration_directories.secrets }}/vault.yml"
|
||||
owner: "{{ lookup('env', 'USER') }}"
|
||||
group: "{{ lookup('env', 'USER') }}"
|
||||
mode: "0644"
|
||||
when:
|
||||
- vault_init_cluster
|
||||
- _vault_init_secret.changed
|
||||
delegate_to: localhost
|
||||
|
||||
- name: "Load vault cluster variables necessary for unseal operation"
|
||||
- name: "Deploy Vault Control Plane"
|
||||
ansible.builtin.import_tasks:
|
||||
file: ../misc/load_credentials_vars.yml
|
||||
|
||||
- name: "Unseal the bootstrap node" # noqa: run-once[task] no-handler
|
||||
ednz_cloud.hashistack.vault_unseal:
|
||||
api_url: "{{ hashicorp_vault_configuration['api_addr'] }}"
|
||||
tls_verify: "{{ vault_tls_verify }}"
|
||||
key_shares: "{{ _credentials.vault['keys'] }}"
|
||||
file: vault_control_plane.yml
|
||||
when:
|
||||
- vault_init_cluster
|
||||
- _vault_init_secret.changed
|
||||
register: _vault_unseal_secret
|
||||
|
||||
- name: "Unseal all vault nodes"
|
||||
ednz_cloud.hashistack.vault_unseal:
|
||||
api_url: "{{ hashicorp_vault_configuration['api_addr'] }}"
|
||||
tls_verify: "{{ vault_tls_verify }}"
|
||||
key_shares: "{{ _credentials.vault['keys'] }}"
|
||||
retries: 5
|
||||
delay: 5
|
||||
until: _unseal_status.changed or not _unseal_status.failed
|
||||
register: _unseal_status
|
||||
- "'vault_servers' in group_names"
|
||||
tags:
|
||||
- vault_servers
|
||||
|
Loading…
Reference in New Issue
Block a user