ansible-collections/hcp-ansible
ansible-collections/hcp-ansible
4
0
Fork 0
Code Issues 3 Pull Requests Actions Packages Projects 1 Releases Wiki Activity
main
hcp-ansible/roles/nomad/README.md
Bertrand Lanson 91c4720740
All checks were successful
build-deploy / Bump version and create changelog with commitizen (push) Successful in 9s
Details
docs(roles): improve documentation for vault,nomad,consul and cni roles
2024-10-27 19:55:56 +01:00

416 lines
15 KiB
Markdown
Raw Permalink Blame History

**Nomad**
=========
This role configures [HashiCorp nomad](https://www.hashicorp.com/products/nomad) on **Debian-based** distributions.
**Requirements**
------------
This role requires that the `unzip` package is installed on the target host.
**Role Variables**
--------------
### Service Configuration
```yaml
nomad_version: latest
```
Specifies the version of Nomad to install. Default is `latest`, which installs the latest stable version. It is recommended to pin the nomad version to install, as setting latest will cause the role to query the github API, andyou might run into rate limiting issues. A pinned version should look like `X.Y.Z`, in accordance with the nomad's [release repository](https://releases.hashicorp.com/nomad/) (just strip out the leading `nomad_`)
```yaml
nomad_start_service: true
```
Indicates whether the Nomad service should start after installation. Defaults to `true`.
```yaml
nomad_config_dir: "/etc/nomad.d"
```
Path to the directory where Nomad's configuration files are stored.
```yaml
nomad_data_dir: "/opt/nomad"
```
Specifies the directory where Nomad will store its data.
```yaml
nomad_certs_dir: "{{ nomad_config_dir }}/tls"
```
Path to the directory where Nomad's TLS certificates should be stored when using internal TLS.
```yaml
nomad_logs_dir: "/var/log/nomad"
```
Directory path where Nomad's log files will be stored if logging to file is enabled.
```yaml
nomad_extra_files: false
```
If `true`, allows additional files to be copied over to the target host by the role.
```yaml
nomad_extra_files_list: []
```
A list of additional files to manage with the role if `nomad_extra_files` is set to `true`. This is a list of objects like:
```yaml
- src: /path/on/deploy/machine
dest: /path/to/copy/over
```
Sources can be any type of file, directory or jinja2 templates. Destination should match the type of the source. Jinja2 templates inside of a directory that would be copied over are also templated, and their `.j2` extensions will be stripped out.
Example:
```yaml
nomad_extra_files_list:
- src: /local/path/to/tls/files
dest: "{{ nomad_certs_dir }}"
- src: /another/single/file.j2
dest: /var/lib/file
```
```yaml
nomad_env_variables: {}
```
Environment variables to be set for the Nomad service, defined as key-value pairs.
### Extra Configuration
```yaml
nomad_extra_configuration: {}
```
Dictionary for any additional Nomad configuration options not covered by other variables. This should be used only for options not provided by existing variables.
### General Configuration
```yaml
nomad_region: global
```
Sets the region of the Nomad cluster. This value is used to define the cluster's region and should match the desired regional configuration.
```yaml
nomad_datacenter: dc1
```
Defines the datacenter name for the Nomad agent. This is used for grouping nodes and services within a specific datacenter.
### Address Configuration
```yaml
nomad_bind_addr: "0.0.0.0"
```
Specifies the address that Nomad will bind to for incoming connections. The default value `0.0.0.0` allows Nomad to listen on all available interfaces.
```yaml
nomad_advertise_addr: "{{ ansible_default_ipv4.address }}"
```
Sets the address that Nomad will advertise to other nodes in the cluster. It typically uses the default IPv4 address of the host.
```yaml
nomad_address_configuration:
bind_addr: "{{ nomad_bind_addr }}"
addresses:
http: "{{ nomad_advertise_addr }}"
rpc: "{{ nomad_advertise_addr }}"
serf: "{{ nomad_advertise_addr }}"
advertise:
http: "{{ nomad_advertise_addr }}"
rpc: "{{ nomad_advertise_addr }}"
serf: "{{ nomad_advertise_addr }}"
ports:
http: 4646
rpc: 4647
serf: 4648
```
Defines the address configuration for the Nomad agent. This block matches the structure specified in the [Nomad documentation](https://developer.hashicorp.com/nomad/docs/configuration#advertise), including:
- **bind_addr**: The address on which Nomad will listen for incoming connections.
- **addresses**: Specifies the addresses used for different communication channels (`http`, `rpc`, and `serf`).
- **advertise**: Lists the addresses that Nomad will advertise to other nodes for the respective channels (`http`, `rpc`, and `serf`).
- **ports**: Defines the ports for the various services, with `http`, `rpc`, and `serf` ports specified.
### Autopilot Configuration
```yaml
nomad_autopilot_configuration: {}
```
This variable defines the Autopilot configuration for the Nomad agent. It should match the structure of the Autopilot stanza as described in the [Nomad documentation](https://developer.hashicorp.com/nomad/docs/configuration/autopilot). The Autopilot configuration allows you to enable and configure features like automatic leader elections and health checks for the Nomad cluster.
Example configuration:
```yaml
nomad_autopilot_configuration:
cleanup_dead_servers: true
last_contact_threshold: "200ms"
max_trailing_logs: 250
server_stabilization_time: "10s"
```
### Leave Configuration
```yaml
nomad_leave_on_interrupt: false
```
Determines whether the Nomad agent should gracefully leave the cluster when it receives an interrupt signal (e.g., SIGINT). Defaults to `false`, meaning the agent will not leave the cluster on interrupt.
```yaml
nomad_leave_on_terminate: false
```
Specifies whether the Nomad agent should leave the cluster when it is terminated (e.g., SIGTERM). Defaults to `false`, indicating the agent will not leave the cluster upon termination.
### Server Configuration
```yaml
nomad_enable_server: true
```
Indicates whether the Nomad agent should operate as a server. Defaults to `true`, enabling the server stanza.
```yaml
nomad_server_bootstrap_expect: 1
```
Specifies the number of servers that should join the cluster before bootstrapping. This value is set outside the server configuration block due to Jinja2's inability to convert strings to integers during dict merging.
```yaml
nomad_server_configuration:
enabled: "{{ nomad_enable_server }}"
data_dir: "{{ nomad_data_dir }}/server"
encrypt: "{{ 'mysupersecretgossipencryptionkey' | b64encode }}"
server_join:
retry_join:
- "{{ ansible_default_ipv4.address }}"
```
Defines the server configuration stanza. Includes:
- `enabled`: References the `nomad_enable_server` variable to enable or disable the server.
- `data_dir`: Path to the directory where server data will be stored.
- `encrypt`: Base64-encoded key for gossip encryption.
- `server_join.retry_join`: A list of addresses to which the server will attempt to join the cluster.
Refer to the Nomad documentation for more details on the server configuration [here](https://developer.hashicorp.com/nomad/docs/configuration/server).
### Client Configuration
```yaml
nomad_enable_client: false
```
Indicates whether the Nomad agent should operate as a client. Defaults to `false`, disabling the client stanza.
```yaml
nomad_client_configuration:
enabled: "{{ nomad_enable_client }}"
state_dir: "{{ nomad_data_dir }}/client"
cni_path: "/opt/cni/bin"
bridge_network_name: nomad
bridge_network_subnet: "172.26.64.0/20"
```
Defines the client configuration stanza. Includes:
- `enabled`: References the `nomad_enable_client` variable to enable or disable the client.
- `state_dir`: Path to the directory where client state data will be stored.
- `cni_path`: Specifies the path to the Container Network Interface (CNI) binaries.
- `bridge_network_name`: The name of the bridge network used by the client.
- `bridge_network_subnet`: The subnet for the bridge network.
Refer to the Nomad documentation for more details on the client configuration [here](https://developer.hashicorp.com/nomad/docs/configuration/client).
### UI Configuration
```yaml
nomad_ui_configuration:
enabled: "{{ nomad_enable_server }}"
```
Configures the Nomad UI. By default, the `enabled` field determines whether the UI is active and is set based on the `nomad_enable_server` variable, meaning the UI will only be enabled if the Nomad server is enabled.
### Drivers Configuration
```yaml
nomad_driver_enable_docker: true
```
Indicates whether the Docker driver should be enabled. Currently, this setting is not functional but is included for future development.
```yaml
nomad_driver_enable_podman: false
```
Indicates whether the Podman driver should be enabled. Currently, this setting is not functional.
```yaml
nomad_driver_enable_raw_exec: false
```
Indicates whether the Raw Exec driver should be enabled. Currently, this setting is not functional.
```yaml
nomad_driver_enable_java: false
```
Indicates whether the Java driver should be enabled. Currently, this setting is not functional.
```yaml
nomad_driver_enable_qemu: false
```
Indicates whether the QEMU driver should be enabled. Currently, this setting is not functional.
```yaml
nomad_driver_configuration:
raw_exec:
enabled: false
```
This block defines the configuration for Nomad drivers. The example shows the configuration for the Raw Exec driver, which is currently disabled.
```yaml
nomad_driver_extra_configuration: {}
```
A dictionary for any additional driver configuration options not covered by other variables. This should be used only for options not provided by existing variables and will be merged with the `nomad_driver_configuration`, taking precedence over existing settings.
### Nomad Logging
```yaml
nomad_log_level: info
```
Sets the logging level for Nomad. Accepted values are `trace`, `debug`, `info`, `warn`, and `error`. See [Nomad documentation on log levels](https://developer.hashicorp.com/nomad/docs/configuration#log_level) for more details.
```yaml
nomad_enable_log_to_file: false
```
Enables logging to a file if set to `true`. When enabled, the settings in `nomad_log_to_file_configuration` will define the log file path, rotation frequency, and retention of logs.
```yaml
nomad_log_to_file_configuration:
log_file: "{{ nomad_logs_dir }}/nomad.log"
log_rotate_duration: 24h
log_rotate_max_files: 30
```
Specifies configuration for file-based logging:
- **`log_file`**: Defines the path to the Nomad log file (e.g., `nomad_logs_dir/nomad.log`). See [Nomad log file configuration](https://developer.hashicorp.com/nomad/docs/configuration#log_file) for details.
- **`log_rotate_duration`**: Sets the duration before log rotation occurs (e.g., `24h` for daily rotation).
- **`log_rotate_max_files`**: Maximum number of rotated log files to retain.
With `nomad_enable_log_to_file` set to `true`, these settings provide a default configuration for logging to a file, allowing Nomad to manage log files and rotation automatically.
### ACL Configuration
```yaml
nomad_acl_configuration:
enabled: false
token_ttl: "30s"
policy_ttl: "60s"
role_ttl: "60s"
```
This variable corresponds to the ACL stanza in the Nomad configuration, defining the following settings:
This configuration mirrors the structure outlined in the [Nomad ACL documentation](https://developer.hashicorp.com/nomad/docs/configuration/acl).
### Internal TLS Configuration
```yaml
nomad_enable_tls: false
```
Indicates whether internal TLS should be enabled for the Nomad cluster.
```yaml
nomad_tls_configuration:
http: true
rpc: true
ca_file: "/etc/ssl/certs/ca-certificates.crt"
cert_file: "{{ nomad_certs_dir }}/cert.pem"
key_file: "{{ nomad_certs_dir }}/key.pem"
verify_server_hostname: true
```
This block defines the TLS configuration for the Nomad cluster. It includes options for enabling TLS for HTTP and RPC, paths to the CA file, certificate file, key file, and verification settings for the server hostname. For detailed information, refer to the [Nomad TLS documentation](https://developer.hashicorp.com/nomad/docs/configuration/tls).
```yaml
nomad_certificates_extra_files_dir: []
```
A list for additional certificate files that can be added to the `nomad_extra_files_list` variable. If used, `nomad_extra_files` should be set to true to ensure the certificates are copied to the target host.
### Telemetry Configuration
```yaml
nomad_telemetry_configuration:
collection_interval: 10s
disable_hostname: false
use_node_name: false
publish_allocation_metrics: false
publish_node_metrics: false
prefix_filter: []
disable_dispatched_job_summary_metrics: false
prometheus_metrics: false
```
This block configures telemetry settings for Nomad. Each option adjusts different aspects of telemetry data collection and publication. For more information, refer to the [Nomad Telemetry documentation](https://developer.hashicorp.com/nomad/docs/configuration/telemetry).
### Consul Integration Configuration
```yaml
nomad_enable_consul_integration: false
```
This variable enables the Consul integration for service registration in Nomad.
```yaml
nomad_consul_integration_configuration:
address: "127.0.0.1:8500"
auto_advertise: true
ssl: false
token: ""
tags: []
```
This block represents the **Consul** stanza, which configures the integration with Consul for service registration. For more details, refer to the [Nomad Consul documentation](https://developer.hashicorp.com/nomad/docs/configuration/consul).
```yaml
nomad_consul_integration_tls_configuration:
ca_file: "/etc/ssl/certs/ca-certificates.crt"
```
If `nomad_consul_integration_configuration.ssl` is defined and set to `true`, the **TLS configuration** will be merged with the `nomad_consul_integration_configuration` for defining TLS-specific settings.
```yaml
nomad_consul_integration_server_configuration:
server_auto_join: true
```
If `nomad_enable_server` is set to `true`, this configuration block will be merged with `nomad_consul_integration_configuration` to provide additional settings for the server's integration with Consul.
```yaml
nomad_consul_integration_client_configuration:
client_auto_join: true
grpc_address: "127.0.0.1:8502"
```
If `nomad_enable_client` is set to `true`, this block will be merged with `nomad_consul_integration_configuration` to define the client configuration for the Consul integration.
```yaml
nomad_consul_integration_client_tls_configuration:
grpc_ca_file: "/etc/ssl/certs/ca-certificates.crt"
```
If both the client is enabled and SSL is enabled, this configuration will be merged with `nomad_consul_integration_client_configuration` for the gRPC connection to Consul.
Here's the refined **Nomad Vault Integration Configuration** section with the correct formatting and linking to the documentation:
### Nomad Vault Integration Configuration
```yaml
nomad_enable_vault_integration: false
```
This variable enables the Vault integration in Nomad.
```yaml
nomad_vault_integration_configuration: {}
```
This block represents the **Vault** stanza, which configures the integration with HashiCorp Vault for managing secrets and sensitive data. For more details, refer to the [Nomad Vault documentation](https://developer.hashicorp.com/nomad/docs/configuration/vault).
Dependencies
------------
None.
Example Playbook
----------------
```yaml
# calling the role inside a playbook with either the default or group_vars/host_vars
- hosts: servers
roles:
- ednz_cloud.hashistack.nomad
```
License
-------
MIT / BSD
Author Information
------------------
This role was created by Bertrand Lanson in 2023.
Reference in New Issue View Git Blame Copy Permalink