feat/major-revamp #11
@ -1,3 +1,4 @@
|
|||||||
|
---
|
||||||
repos:
|
repos:
|
||||||
- repo: https://github.com/pre-commit/pre-commit-hooks
|
- repo: https://github.com/pre-commit/pre-commit-hooks
|
||||||
rev: v4.5.0
|
rev: v4.5.0
|
||||||
|
@ -1,9 +1,10 @@
|
|||||||
---
|
---
|
||||||
# hashistack deployment playbook
|
# hashistack deployment playbook
|
||||||
- name: "Deploy"
|
- name: "Deploy"
|
||||||
hosts: all, !deployment
|
hosts: "{{ target | default('all, !deployment') }}"
|
||||||
strategy: linear
|
strategy: linear
|
||||||
gather_facts: true
|
gather_facts: true
|
||||||
|
any_errors_fatal: true
|
||||||
become: true
|
become: true
|
||||||
tasks:
|
tasks:
|
||||||
- name: "Import variables"
|
- name: "Import variables"
|
||||||
@ -12,57 +13,42 @@
|
|||||||
tags:
|
tags:
|
||||||
- always
|
- always
|
||||||
|
|
||||||
|
# Consul nodes deployment
|
||||||
- name: "Deploy Consul"
|
- name: "Deploy Consul"
|
||||||
tags:
|
tags:
|
||||||
- consul
|
- consul
|
||||||
when:
|
when:
|
||||||
- enable_consul | bool
|
- enable_consul | bool
|
||||||
block:
|
|
||||||
- name: "Deploy Consul Control Plane"
|
|
||||||
ansible.builtin.import_tasks:
|
ansible.builtin.import_tasks:
|
||||||
file: tasks/consul/consul_deploy.yml
|
file: tasks/consul/consul_deploy.yml
|
||||||
when:
|
|
||||||
- "'consul_servers' in group_names"
|
|
||||||
|
|
||||||
- name: "Deploy Consul Agents"
|
# Haproxy nodes deployment
|
||||||
ansible.builtin.include_role:
|
- name: "Deploy Proxies"
|
||||||
name: ednz_cloud.hashicorp_consul
|
tags:
|
||||||
|
- haproxy
|
||||||
when:
|
when:
|
||||||
- "'consul_agents' in group_names"
|
- enable_haproxy | bool
|
||||||
|
block:
|
||||||
- name: "Deploy Haproxy & Keepalived"
|
- name: "Deploy Haproxy & Keepalived"
|
||||||
ansible.builtin.import_tasks:
|
ansible.builtin.import_tasks:
|
||||||
file: tasks/haproxy/haproxy_deploy.yml
|
file: tasks/haproxy/haproxy_deploy.yml
|
||||||
when:
|
when:
|
||||||
- enable_haproxy | bool
|
|
||||||
- "'haproxy_servers' in group_names"
|
- "'haproxy_servers' in group_names"
|
||||||
tags:
|
|
||||||
- haproxy
|
|
||||||
|
|
||||||
|
# Vault nodes deployment
|
||||||
- name: "Deploy Vault"
|
- name: "Deploy Vault"
|
||||||
ansible.builtin.import_tasks:
|
|
||||||
file: tasks/vault/vault_deploy.yml
|
|
||||||
when:
|
|
||||||
- enable_vault | bool
|
|
||||||
- "'vault_servers' in group_names"
|
|
||||||
tags:
|
tags:
|
||||||
- vault
|
- vault
|
||||||
|
when:
|
||||||
|
- enable_vault | bool
|
||||||
|
ansible.builtin.import_tasks:
|
||||||
|
file: tasks/vault/vault_deploy.yml
|
||||||
|
|
||||||
|
# Nomad nodes deployment
|
||||||
- name: "Deploy Nomad"
|
- name: "Deploy Nomad"
|
||||||
tags:
|
tags:
|
||||||
- nomad
|
- nomad
|
||||||
when:
|
when:
|
||||||
- enable_nomad | bool
|
- enable_nomad | bool
|
||||||
block:
|
|
||||||
- name: "Deploy Nomad Control Plane"
|
|
||||||
ansible.builtin.import_tasks:
|
ansible.builtin.import_tasks:
|
||||||
file: tasks/nomad/nomad_deploy.yml
|
file: tasks/nomad/nomad_deploy.yml
|
||||||
when:
|
|
||||||
- "('nomad_servers' in group_names)"
|
|
||||||
|
|
||||||
- name: "Deploy Nomad Clients"
|
|
||||||
ansible.builtin.include_role:
|
|
||||||
name: ednz_cloud.hashicorp_nomad
|
|
||||||
when:
|
|
||||||
- "('nomad_clients' in group_names)"
|
|
||||||
- "('nomad_servers' not in group_names)"
|
|
||||||
|
6
playbooks/tasks/consul/consul_agents.yml
Normal file
6
playbooks/tasks/consul/consul_agents.yml
Normal file
@ -0,0 +1,6 @@
|
|||||||
|
---
|
||||||
|
- name: "Consul agents"
|
||||||
|
block:
|
||||||
|
- name: "Deploy Consul Agents"
|
||||||
|
ansible.builtin.include_role:
|
||||||
|
name: ednz_cloud.hashicorp_consul
|
78
playbooks/tasks/consul/consul_control_plane.yml
Normal file
78
playbooks/tasks/consul/consul_control_plane.yml
Normal file
@ -0,0 +1,78 @@
|
|||||||
|
---
|
||||||
|
- name: "Consul control plane"
|
||||||
|
block:
|
||||||
|
- name: "Include ednz_cloud.hashicorp_consul"
|
||||||
|
ansible.builtin.include_role:
|
||||||
|
name: ednz_cloud.hashicorp_consul
|
||||||
|
|
||||||
|
- name: "Wait for consul cluster to initialize" # noqa: run-once[task]
|
||||||
|
block:
|
||||||
|
- name: "Wait for consul nodes to stabilize"
|
||||||
|
ansible.builtin.wait_for:
|
||||||
|
host: "{{ api_interface_address }}"
|
||||||
|
port: "{{ consul_api_port[consul_api_scheme] }}"
|
||||||
|
delay: 10
|
||||||
|
|
||||||
|
- name: "Waiting for consul api to respond"
|
||||||
|
ansible.builtin.uri:
|
||||||
|
url: "{{ consul_api_addr }}"
|
||||||
|
validate_certs: no
|
||||||
|
return_content: yes
|
||||||
|
status_code:
|
||||||
|
- 200
|
||||||
|
until: uri_output.status == 200
|
||||||
|
retries: 24
|
||||||
|
delay: 5
|
||||||
|
register: uri_output
|
||||||
|
|
||||||
|
- name: "Initialize consul cluster" # noqa: run-once[task]
|
||||||
|
community.general.consul_acl_bootstrap:
|
||||||
|
bootstrap_secret: "{{ _credentials.consul.root_token.secret_id }}"
|
||||||
|
host: "{{ api_interface_address }}"
|
||||||
|
port: "{{ consul_api_port[consul_api_scheme] }}"
|
||||||
|
scheme: "{{ consul_api_scheme }}"
|
||||||
|
state: present
|
||||||
|
register: _consul_init_secret
|
||||||
|
when:
|
||||||
|
- consul_init_server
|
||||||
|
- hashicorp_consul_configuration.acl.enabled
|
||||||
|
|
||||||
|
- name: "Create consul agents token"
|
||||||
|
when:
|
||||||
|
- consul_init_server
|
||||||
|
- hashicorp_consul_configuration.acl.enabled
|
||||||
|
block:
|
||||||
|
- name: "Create consul agents token" # noqa: run-once[task] no-handler
|
||||||
|
block:
|
||||||
|
- name: "Create consul agent policy"
|
||||||
|
community.general.consul_policy:
|
||||||
|
token: "{{ _credentials.consul.root_token.secret_id }}"
|
||||||
|
host: "{{ api_interface_address }}"
|
||||||
|
port: "{{ consul_api_port[consul_api_scheme] }}"
|
||||||
|
scheme: "{{ consul_api_scheme }}"
|
||||||
|
validate_certs: false
|
||||||
|
state: present
|
||||||
|
name: agents-policy
|
||||||
|
rules: "{{ consul_default_agent_policy }}"
|
||||||
|
register: _consul_agent_policy
|
||||||
|
|
||||||
|
- name: "Create consul agents token"
|
||||||
|
community.general.consul_token:
|
||||||
|
token: "{{ _credentials.consul.root_token.secret_id }}"
|
||||||
|
host: "{{ api_interface_address }}"
|
||||||
|
port: "{{ consul_api_port[consul_api_scheme] }}"
|
||||||
|
scheme: "{{ consul_api_scheme }}"
|
||||||
|
validate_certs: false
|
||||||
|
accessor_id: "{{ _credentials.consul.tokens.agent.accessor_id }}"
|
||||||
|
secret_id: "{{ _credentials.consul.tokens.agent.secret_id }}"
|
||||||
|
policies:
|
||||||
|
- id: "{{ _consul_agent_policy.policy.ID }}"
|
||||||
|
state: present
|
||||||
|
register: _consul_agent_token
|
||||||
|
|
||||||
|
- name: "Restart consul service" # noqa: no-handler
|
||||||
|
ansible.builtin.service:
|
||||||
|
name: "{{ hashicorp_consul_service_name }}"
|
||||||
|
state: restarted
|
||||||
|
throttle: 1
|
||||||
|
when: _consul_agent_token.changed
|
@ -1,78 +1,19 @@
|
|||||||
---
|
---
|
||||||
- name: "Consul"
|
- name: "Consul"
|
||||||
block:
|
block:
|
||||||
- name: "Include ednz_cloud.hashicorp_consul"
|
- name: "Deploy Consul Control Plane"
|
||||||
ansible.builtin.include_role:
|
ansible.builtin.import_tasks:
|
||||||
name: ednz_cloud.hashicorp_consul
|
file: consul_control_plane.yml
|
||||||
|
|
||||||
- name: "Wait for consul cluster to initialize" # noqa: run-once[task]
|
|
||||||
block:
|
|
||||||
- name: "Wait for consul nodes to stabilize"
|
|
||||||
ansible.builtin.wait_for:
|
|
||||||
host: "{{ api_interface_address }}"
|
|
||||||
port: "{{ consul_api_port[consul_api_scheme] }}"
|
|
||||||
delay: 10
|
|
||||||
|
|
||||||
- name: "Waiting for consul api to respond"
|
|
||||||
ansible.builtin.uri:
|
|
||||||
url: "{{ consul_api_addr }}"
|
|
||||||
validate_certs: no
|
|
||||||
return_content: yes
|
|
||||||
status_code:
|
|
||||||
- 200
|
|
||||||
until: uri_output.status == 200
|
|
||||||
retries: 24
|
|
||||||
delay: 5
|
|
||||||
register: uri_output
|
|
||||||
|
|
||||||
- name: "Initialize consul cluster" # noqa: run-once[task]
|
|
||||||
community.general.consul_acl_bootstrap:
|
|
||||||
bootstrap_secret: "{{ _credentials.consul.root_token.secret_id }}"
|
|
||||||
host: "{{ api_interface_address }}"
|
|
||||||
port: "{{ consul_api_port[consul_api_scheme] }}"
|
|
||||||
scheme: "{{ consul_api_scheme }}"
|
|
||||||
state: present
|
|
||||||
register: _consul_init_secret
|
|
||||||
when:
|
when:
|
||||||
- consul_init_server
|
- "'consul_servers' in group_names"
|
||||||
- hashicorp_consul_configuration.acl.enabled
|
tags:
|
||||||
|
- consul_servers
|
||||||
|
|
||||||
- name: "Create consul agents token"
|
- name: "Deploy Consul Agents"
|
||||||
|
ansible.builtin.import_tasks:
|
||||||
|
file: consul_agents.yml
|
||||||
when:
|
when:
|
||||||
- consul_init_server
|
- "'consul_agents' in group_names"
|
||||||
- hashicorp_consul_configuration.acl.enabled
|
- "'consul_servers' not in group_names"
|
||||||
block:
|
tags:
|
||||||
- name: "Create consul agents token" # noqa: run-once[task] no-handler
|
- consul_agents
|
||||||
block:
|
|
||||||
- name: "Create consul agent policy"
|
|
||||||
community.general.consul_policy:
|
|
||||||
token: "{{ _credentials.consul.root_token.secret_id }}"
|
|
||||||
host: "{{ api_interface_address }}"
|
|
||||||
port: "{{ consul_api_port[consul_api_scheme] }}"
|
|
||||||
scheme: "{{ consul_api_scheme }}"
|
|
||||||
validate_certs: false
|
|
||||||
state: present
|
|
||||||
name: agents-policy
|
|
||||||
rules: "{{ consul_default_agent_policy }}"
|
|
||||||
register: _consul_agent_policy
|
|
||||||
|
|
||||||
- name: "Create consul agents token"
|
|
||||||
community.general.consul_token:
|
|
||||||
token: "{{ _credentials.consul.root_token.secret_id }}"
|
|
||||||
host: "{{ api_interface_address }}"
|
|
||||||
port: "{{ consul_api_port[consul_api_scheme] }}"
|
|
||||||
scheme: "{{ consul_api_scheme }}"
|
|
||||||
validate_certs: false
|
|
||||||
accessor_id: "{{ _credentials.consul.tokens.agent.accessor_id }}"
|
|
||||||
secret_id: "{{ _credentials.consul.tokens.agent.secret_id }}"
|
|
||||||
policies:
|
|
||||||
- id: "{{ _consul_agent_policy.policy.ID }}"
|
|
||||||
state: present
|
|
||||||
register: _consul_agent_token
|
|
||||||
|
|
||||||
- name: "Restart consul service" # noqa: no-handler
|
|
||||||
ansible.builtin.service:
|
|
||||||
name: "{{ hashicorp_consul_service_name }}"
|
|
||||||
state: restarted
|
|
||||||
throttle: 1
|
|
||||||
when: _consul_agent_token.changed
|
|
||||||
|
11
playbooks/tasks/nomad/nomad_clients.yml
Normal file
11
playbooks/tasks/nomad/nomad_clients.yml
Normal file
@ -0,0 +1,11 @@
|
|||||||
|
---
|
||||||
|
- name: "Nomad clients"
|
||||||
|
block:
|
||||||
|
- name: "Install docker driver"
|
||||||
|
ansible.builtin.include_role:
|
||||||
|
name: ednz_cloud.install_docker
|
||||||
|
when: nomad_driver_enable_docker
|
||||||
|
|
||||||
|
- name: "Deploy Nomad Clients"
|
||||||
|
ansible.builtin.include_role:
|
||||||
|
name: ednz_cloud.hashicorp_nomad
|
82
playbooks/tasks/nomad/nomad_control_plane.yml
Normal file
82
playbooks/tasks/nomad/nomad_control_plane.yml
Normal file
@ -0,0 +1,82 @@
|
|||||||
|
---
|
||||||
|
- name: "Nomad control plane"
|
||||||
|
block:
|
||||||
|
- name: "Create consul tokens for service registration"
|
||||||
|
when:
|
||||||
|
- nomad_init_server
|
||||||
|
- enable_consul
|
||||||
|
- nomad_enable_consul_integration
|
||||||
|
vars:
|
||||||
|
_consul_host: "{{ hostvars[groups['consul_servers'][0]].api_interface_address }}"
|
||||||
|
_consul_port: "{{ hostvars[groups['consul_servers'][0]].consul_api_port[hostvars[groups['consul_servers'][0]].consul_api_scheme] }}"
|
||||||
|
_consul_scheme: "{{ hostvars[groups['consul_servers'][0]].consul_api_scheme }}"
|
||||||
|
block:
|
||||||
|
- name: "Create server credentials"
|
||||||
|
block:
|
||||||
|
- name: "Create consul server policy"
|
||||||
|
community.general.consul_policy:
|
||||||
|
token: "{{ _credentials.consul.root_token.secret_id }}"
|
||||||
|
host: "{{ _consul_host }}"
|
||||||
|
port: "{{ _consul_port }}"
|
||||||
|
scheme: "{{ _consul_scheme }}"
|
||||||
|
validate_certs: false
|
||||||
|
state: present
|
||||||
|
name: nomad-server-policy
|
||||||
|
rules: "{{ nomad_consul_integration_server_policy }}"
|
||||||
|
register: _consul_nomad_server_policy
|
||||||
|
|
||||||
|
- name: "Create consul server token" # noqa: no-handler
|
||||||
|
community.general.consul_token:
|
||||||
|
token: "{{ _credentials.consul.root_token.secret_id }}"
|
||||||
|
host: "{{ _consul_host }}"
|
||||||
|
port: "{{ _consul_port }}"
|
||||||
|
scheme: "{{ _consul_scheme }}"
|
||||||
|
validate_certs: false
|
||||||
|
accessor_id: "{{ _credentials.consul.tokens.nomad.server.accessor_id }}"
|
||||||
|
secret_id: "{{ _credentials.consul.tokens.nomad.server.secret_id }}"
|
||||||
|
policies:
|
||||||
|
- id: "{{ _consul_nomad_server_policy.policy.ID }}"
|
||||||
|
state: present
|
||||||
|
when: _consul_nomad_server_policy.changed
|
||||||
|
|
||||||
|
- name: "Create client credentials"
|
||||||
|
block:
|
||||||
|
- name: "Create consul client policy"
|
||||||
|
community.general.consul_policy:
|
||||||
|
token: "{{ _credentials.consul.root_token.secret_id }}"
|
||||||
|
host: "{{ _consul_host }}"
|
||||||
|
port: "{{ _consul_port }}"
|
||||||
|
scheme: "{{ _consul_scheme }}"
|
||||||
|
validate_certs: false
|
||||||
|
state: present
|
||||||
|
name: nomad-client-policy
|
||||||
|
rules: "{{ nomad_consul_integration_client_policy }}"
|
||||||
|
register: _consul_nomad_client_policy
|
||||||
|
|
||||||
|
- name: "Create consul client token" # noqa: no-handler
|
||||||
|
community.general.consul_token:
|
||||||
|
token: "{{ _credentials.consul.root_token.secret_id }}"
|
||||||
|
host: "{{ _consul_host }}"
|
||||||
|
port: "{{ _consul_port }}"
|
||||||
|
scheme: "{{ _consul_scheme }}"
|
||||||
|
validate_certs: false
|
||||||
|
accessor_id: "{{ _credentials.consul.tokens.nomad.client.accessor_id }}"
|
||||||
|
secret_id: "{{ _credentials.consul.tokens.nomad.client.secret_id }}"
|
||||||
|
policies:
|
||||||
|
- id: "{{ _consul_nomad_client_policy.policy.ID }}"
|
||||||
|
state: present
|
||||||
|
when: _consul_nomad_client_policy.changed
|
||||||
|
|
||||||
|
- name: "Include ednz_cloud.hashicorp_nomad"
|
||||||
|
ansible.builtin.include_role:
|
||||||
|
name: ednz_cloud.hashicorp_nomad
|
||||||
|
|
||||||
|
- name: "Initialize nomad cluster" # noqa: run-once[task]
|
||||||
|
ednz_cloud.hashistack.nomad_acl_bootstrap:
|
||||||
|
bootstrap_secret: "{{ _credentials.nomad.root_token.secret_id }}"
|
||||||
|
api_url: "{{ nomad_api_addr }}"
|
||||||
|
tls_verify: false
|
||||||
|
register: _nomad_init_secret
|
||||||
|
when:
|
||||||
|
- nomad_init_server
|
||||||
|
- hashicorp_nomad_configuration.acl.enabled
|
@ -1,82 +1,19 @@
|
|||||||
---
|
---
|
||||||
- name: "Nomad"
|
- name: "Nomad"
|
||||||
block:
|
block:
|
||||||
- name: "Create consul tokens for service registration"
|
- name: "Deploy Nomad Control Plane"
|
||||||
|
ansible.builtin.import_tasks:
|
||||||
|
file: nomad_control_plane.yml
|
||||||
when:
|
when:
|
||||||
- nomad_init_server
|
- "'nomad_servers' in group_names"
|
||||||
- enable_consul
|
tags:
|
||||||
- nomad_enable_consul_integration
|
- nomad_servers
|
||||||
vars:
|
|
||||||
_consul_host: "{{ hostvars[groups['consul_servers'][0]].api_interface_address }}"
|
|
||||||
_consul_port: "{{ hostvars[groups['consul_servers'][0]].consul_api_port[hostvars[groups['consul_servers'][0]].consul_api_scheme] }}"
|
|
||||||
_consul_scheme: "{{ hostvars[groups['consul_servers'][0]].consul_api_scheme }}"
|
|
||||||
block:
|
|
||||||
- name: "Create server credentials"
|
|
||||||
block:
|
|
||||||
- name: "Create consul server policy"
|
|
||||||
community.general.consul_policy:
|
|
||||||
token: "{{ _credentials.consul.root_token.secret_id }}"
|
|
||||||
host: "{{ _consul_host }}"
|
|
||||||
port: "{{ _consul_port }}"
|
|
||||||
scheme: "{{ _consul_scheme }}"
|
|
||||||
validate_certs: false
|
|
||||||
state: present
|
|
||||||
name: nomad-server-policy
|
|
||||||
rules: "{{ nomad_consul_integration_server_policy }}"
|
|
||||||
register: _consul_nomad_server_policy
|
|
||||||
|
|
||||||
- name: "Create consul server token"
|
- name: "Deploy Nomad Clients"
|
||||||
community.general.consul_token:
|
ansible.builtin.import_tasks:
|
||||||
token: "{{ _credentials.consul.root_token.secret_id }}"
|
file: nomad_clients.yml
|
||||||
host: "{{ _consul_host }}"
|
|
||||||
port: "{{ _consul_port }}"
|
|
||||||
scheme: "{{ _consul_scheme }}"
|
|
||||||
validate_certs: false
|
|
||||||
accessor_id: "{{ _credentials.consul.tokens.nomad.server.accessor_id }}"
|
|
||||||
secret_id: "{{ _credentials.consul.tokens.nomad.server.secret_id }}"
|
|
||||||
policies:
|
|
||||||
- id: "{{ _consul_nomad_server_policy.policy.ID }}"
|
|
||||||
state: present
|
|
||||||
when: _consul_nomad_server_policy.changed
|
|
||||||
|
|
||||||
- name: "Create client credentials"
|
|
||||||
block:
|
|
||||||
- name: "Create consul client policy"
|
|
||||||
community.general.consul_policy:
|
|
||||||
token: "{{ _credentials.consul.root_token.secret_id }}"
|
|
||||||
host: "{{ _consul_host }}"
|
|
||||||
port: "{{ _consul_port }}"
|
|
||||||
scheme: "{{ _consul_scheme }}"
|
|
||||||
validate_certs: false
|
|
||||||
state: present
|
|
||||||
name: nomad-client-policy
|
|
||||||
rules: "{{ nomad_consul_integration_client_policy }}"
|
|
||||||
register: _consul_nomad_client_policy
|
|
||||||
|
|
||||||
- name: "Create consul client token"
|
|
||||||
community.general.consul_token:
|
|
||||||
token: "{{ _credentials.consul.root_token.secret_id }}"
|
|
||||||
host: "{{ _consul_host }}"
|
|
||||||
port: "{{ _consul_port }}"
|
|
||||||
scheme: "{{ _consul_scheme }}"
|
|
||||||
validate_certs: false
|
|
||||||
accessor_id: "{{ _credentials.consul.tokens.nomad.client.accessor_id }}"
|
|
||||||
secret_id: "{{ _credentials.consul.tokens.nomad.client.secret_id }}"
|
|
||||||
policies:
|
|
||||||
- id: "{{ _consul_nomad_client_policy.policy.ID }}"
|
|
||||||
state: present
|
|
||||||
when: _consul_nomad_client_policy.changed
|
|
||||||
|
|
||||||
- name: "Include ednz_cloud.hashicorp_nomad"
|
|
||||||
ansible.builtin.include_role:
|
|
||||||
name: ednz_cloud.hashicorp_nomad
|
|
||||||
|
|
||||||
- name: "Initialize nomad cluster" # noqa: run-once[task]
|
|
||||||
ednz_cloud.hashistack.nomad_acl_bootstrap:
|
|
||||||
bootstrap_secret: "{{ _credentials.nomad.root_token.secret_id }}"
|
|
||||||
api_url: "{{ nomad_api_addr }}"
|
|
||||||
tls_verify: false
|
|
||||||
register: _nomad_init_secret
|
|
||||||
when:
|
when:
|
||||||
- nomad_init_server
|
- "'nomad_clients' in group_names"
|
||||||
- hashicorp_nomad_configuration.acl.enabled
|
- "'nomad_servers' not in group_names"
|
||||||
|
tags:
|
||||||
|
- nomad_clients
|
||||||
|
@ -123,7 +123,3 @@
|
|||||||
combine(_config_to_merge, recursive=true)
|
combine(_config_to_merge, recursive=true)
|
||||||
}}"
|
}}"
|
||||||
when: nomad_extra_configuration is defined
|
when: nomad_extra_configuration is defined
|
||||||
|
|
||||||
- name: "Print nomad configuration"
|
|
||||||
ansible.builtin.debug:
|
|
||||||
msg: "{{ hashicorp_nomad_configuration }}"
|
|
||||||
|
90
playbooks/tasks/vault/vault_control_plane.yml
Normal file
90
playbooks/tasks/vault/vault_control_plane.yml
Normal file
@ -0,0 +1,90 @@
|
|||||||
|
---
|
||||||
|
- name: "Vault control plane"
|
||||||
|
block:
|
||||||
|
- name: "Create consul token for service registration"
|
||||||
|
when:
|
||||||
|
- vault_init_server
|
||||||
|
- enable_consul
|
||||||
|
- vault_enable_service_registration
|
||||||
|
vars:
|
||||||
|
_consul_vault_sr_host: "{{ hostvars[groups['consul_servers'][0]].api_interface_address }}"
|
||||||
|
_consul_vault_sr_port: "{{ hostvars[groups['consul_servers'][0]].consul_api_port[hostvars[groups['consul_servers'][0]].consul_api_scheme] }}"
|
||||||
|
_consul_vault_sr_scheme: "{{ hostvars[groups['consul_servers'][0]].consul_api_scheme }}"
|
||||||
|
block:
|
||||||
|
- name: "Create consul vault policy"
|
||||||
|
community.general.consul_policy:
|
||||||
|
token: "{{ _credentials.consul.root_token.secret_id }}"
|
||||||
|
host: "{{ _consul_vault_sr_host }}"
|
||||||
|
port: "{{ _consul_vault_sr_port }}"
|
||||||
|
scheme: "{{ _consul_vault_sr_scheme }}"
|
||||||
|
validate_certs: false
|
||||||
|
state: present
|
||||||
|
name: vault-policy
|
||||||
|
rules: "{{ vault_service_registration_policy }}"
|
||||||
|
register: _consul_vault_policy
|
||||||
|
|
||||||
|
- name: "Create consul vault token" # noqa: no-handler
|
||||||
|
community.general.consul_token:
|
||||||
|
token: "{{ _credentials.consul.root_token.secret_id }}"
|
||||||
|
host: "{{ _consul_vault_sr_host }}"
|
||||||
|
port: "{{ _consul_vault_sr_port }}"
|
||||||
|
scheme: "{{ _consul_vault_sr_scheme }}"
|
||||||
|
validate_certs: false
|
||||||
|
accessor_id: "{{ _credentials.consul.tokens.vault.accessor_id }}"
|
||||||
|
secret_id: "{{ _credentials.consul.tokens.vault.secret_id }}"
|
||||||
|
policies:
|
||||||
|
- id: "{{ _consul_vault_policy.policy.ID }}"
|
||||||
|
state: present
|
||||||
|
when: _consul_vault_policy.changed
|
||||||
|
|
||||||
|
- name: "Include ednz_cloud.hashicorp_consul"
|
||||||
|
ansible.builtin.include_role:
|
||||||
|
name: ednz_cloud.hashicorp_vault
|
||||||
|
|
||||||
|
- name: "Initialize vault cluster" # noqa: run-once[task]
|
||||||
|
ednz_cloud.hashistack.vault_init:
|
||||||
|
api_url: "{{ hashicorp_vault_configuration['api_addr'] }}"
|
||||||
|
tls_verify: "{{ vault_tls_verify }}"
|
||||||
|
key_shares: "{{ vault_seal_configuration['key_shares'] }}"
|
||||||
|
key_threshold: "{{ vault_seal_configuration['key_threshold'] }}"
|
||||||
|
retries: 5
|
||||||
|
delay: 5
|
||||||
|
register: _vault_init_secret
|
||||||
|
until: not _vault_init_secret.failed
|
||||||
|
when: vault_init_server
|
||||||
|
|
||||||
|
- name: "Write vault configuration to file" # noqa: run-once[task] no-handler
|
||||||
|
ansible.builtin.copy:
|
||||||
|
content: "{{ _vault_init_secret.state | to_nice_yaml(indent=2) }}"
|
||||||
|
dest: "{{ sub_configuration_directories.secrets }}/vault.yml"
|
||||||
|
owner: "{{ lookup('env', 'USER') }}"
|
||||||
|
group: "{{ lookup('env', 'USER') }}"
|
||||||
|
mode: "0644"
|
||||||
|
when:
|
||||||
|
- vault_init_server
|
||||||
|
- _vault_init_secret.changed
|
||||||
|
delegate_to: localhost
|
||||||
|
|
||||||
|
- name: "Load vault cluster variables necessary for unseal operation"
|
||||||
|
ansible.builtin.import_tasks:
|
||||||
|
file: ../misc/load_credentials_vars.yml
|
||||||
|
|
||||||
|
- name: "Unseal the bootstrap node" # noqa: run-once[task] no-handler
|
||||||
|
ednz_cloud.hashistack.vault_unseal:
|
||||||
|
api_url: "{{ hashicorp_vault_configuration['api_addr'] }}"
|
||||||
|
tls_verify: "{{ vault_tls_verify }}"
|
||||||
|
key_shares: "{{ _credentials.vault['keys'] }}"
|
||||||
|
when:
|
||||||
|
- vault_init_server
|
||||||
|
- _vault_init_secret.changed
|
||||||
|
register: _vault_unseal_secret
|
||||||
|
|
||||||
|
- name: "Unseal all vault nodes"
|
||||||
|
ednz_cloud.hashistack.vault_unseal:
|
||||||
|
api_url: "{{ hashicorp_vault_configuration['api_addr'] }}"
|
||||||
|
tls_verify: "{{ vault_tls_verify }}"
|
||||||
|
key_shares: "{{ _credentials.vault['keys'] }}"
|
||||||
|
retries: 5
|
||||||
|
delay: 5
|
||||||
|
until: _unseal_status.changed or not _unseal_status.failed
|
||||||
|
register: _unseal_status
|
@ -1,90 +1,10 @@
|
|||||||
---
|
---
|
||||||
- name: "Vault"
|
- name: "Vault"
|
||||||
block:
|
block:
|
||||||
- name: "Create consul token for service registration"
|
- name: "Deploy Vault Control Plane"
|
||||||
when:
|
|
||||||
- vault_init_cluster
|
|
||||||
- enable_consul
|
|
||||||
- vault_enable_service_registration
|
|
||||||
vars:
|
|
||||||
_consul_vault_sr_host: "{{ hostvars[groups['consul_servers'][0]].api_interface_address }}"
|
|
||||||
_consul_vault_sr_port: "{{ hostvars[groups['consul_servers'][0]].consul_api_port[hostvars[groups['consul_servers'][0]].consul_api_scheme] }}"
|
|
||||||
_consul_vault_sr_scheme: "{{ hostvars[groups['consul_servers'][0]].consul_api_scheme }}"
|
|
||||||
block:
|
|
||||||
- name: "Create consul vault policy"
|
|
||||||
community.general.consul_policy:
|
|
||||||
token: "{{ _credentials.consul.root_token.secret_id }}"
|
|
||||||
host: "{{ _consul_vault_sr_host }}"
|
|
||||||
port: "{{ _consul_vault_sr_port }}"
|
|
||||||
scheme: "{{ _consul_vault_sr_scheme }}"
|
|
||||||
validate_certs: false
|
|
||||||
state: present
|
|
||||||
name: vault-policy
|
|
||||||
rules: "{{ vault_service_registration_policy }}"
|
|
||||||
register: _consul_vault_policy
|
|
||||||
|
|
||||||
- name: "Create consul vault token"
|
|
||||||
community.general.consul_token:
|
|
||||||
token: "{{ _credentials.consul.root_token.secret_id }}"
|
|
||||||
host: "{{ _consul_vault_sr_host }}"
|
|
||||||
port: "{{ _consul_vault_sr_port }}"
|
|
||||||
scheme: "{{ _consul_vault_sr_scheme }}"
|
|
||||||
validate_certs: false
|
|
||||||
accessor_id: "{{ _credentials.consul.tokens.vault.accessor_id }}"
|
|
||||||
secret_id: "{{ _credentials.consul.tokens.vault.secret_id }}"
|
|
||||||
policies:
|
|
||||||
- id: "{{ _consul_vault_policy.policy.ID }}"
|
|
||||||
state: present
|
|
||||||
when: _consul_vault_policy.changed
|
|
||||||
|
|
||||||
- name: "Include ednz_cloud.hashicorp_consul"
|
|
||||||
ansible.builtin.include_role:
|
|
||||||
name: ednz_cloud.hashicorp_vault
|
|
||||||
|
|
||||||
- name: "Initialize vault cluster" # noqa: run-once[task]
|
|
||||||
ednz_cloud.hashistack.vault_init:
|
|
||||||
api_url: "{{ hashicorp_vault_configuration['api_addr'] }}"
|
|
||||||
tls_verify: "{{ vault_tls_verify }}"
|
|
||||||
key_shares: "{{ vault_seal_configuration['key_shares'] }}"
|
|
||||||
key_threshold: "{{ vault_seal_configuration['key_threshold'] }}"
|
|
||||||
retries: 5
|
|
||||||
delay: 5
|
|
||||||
register: _vault_init_secret
|
|
||||||
until: not _vault_init_secret.failed
|
|
||||||
when: vault_init_cluster
|
|
||||||
|
|
||||||
- name: "Write vault configuration to file" # noqa: run-once[task] no-handler
|
|
||||||
ansible.builtin.copy:
|
|
||||||
content: "{{ _vault_init_secret.state | to_nice_yaml(indent=2) }}"
|
|
||||||
dest: "{{ sub_configuration_directories.secrets }}/vault.yml"
|
|
||||||
owner: "{{ lookup('env', 'USER') }}"
|
|
||||||
group: "{{ lookup('env', 'USER') }}"
|
|
||||||
mode: "0644"
|
|
||||||
when:
|
|
||||||
- vault_init_cluster
|
|
||||||
- _vault_init_secret.changed
|
|
||||||
delegate_to: localhost
|
|
||||||
|
|
||||||
- name: "Load vault cluster variables necessary for unseal operation"
|
|
||||||
ansible.builtin.import_tasks:
|
ansible.builtin.import_tasks:
|
||||||
file: ../misc/load_credentials_vars.yml
|
file: vault_control_plane.yml
|
||||||
|
|
||||||
- name: "Unseal the bootstrap node" # noqa: run-once[task] no-handler
|
|
||||||
ednz_cloud.hashistack.vault_unseal:
|
|
||||||
api_url: "{{ hashicorp_vault_configuration['api_addr'] }}"
|
|
||||||
tls_verify: "{{ vault_tls_verify }}"
|
|
||||||
key_shares: "{{ _credentials.vault['keys'] }}"
|
|
||||||
when:
|
when:
|
||||||
- vault_init_cluster
|
- "'vault_servers' in group_names"
|
||||||
- _vault_init_secret.changed
|
tags:
|
||||||
register: _vault_unseal_secret
|
- vault_servers
|
||||||
|
|
||||||
- name: "Unseal all vault nodes"
|
|
||||||
ednz_cloud.hashistack.vault_unseal:
|
|
||||||
api_url: "{{ hashicorp_vault_configuration['api_addr'] }}"
|
|
||||||
tls_verify: "{{ vault_tls_verify }}"
|
|
||||||
key_shares: "{{ _credentials.vault['keys'] }}"
|
|
||||||
retries: 5
|
|
||||||
delay: 5
|
|
||||||
until: _unseal_status.changed or not _unseal_status.failed
|
|
||||||
register: _unseal_status
|
|
||||||
|
Loading…
Reference in New Issue
Block a user