288 lines
7.6 KiB
YAML
288 lines
7.6 KiB
YAML
---
|
|
##########################
|
|
# General options ########
|
|
##########################
|
|
|
|
enable_vault: "yes"
|
|
enable_consul: "yes"
|
|
enable_nomad: "no"
|
|
|
|
nomad_version: latest
|
|
consul_version: latest
|
|
vault_version: latest
|
|
|
|
deployment_method: "host"
|
|
api_interface: "eth0"
|
|
api_interface_address: "{{ ansible_facts[api_interface]['ipv4']['address'] }}"
|
|
|
|
##########################
|
|
# Helper options #########
|
|
##########################
|
|
|
|
vault_versions:
|
|
host: "{{ vault_version }}{% '*' if vault_version != 'latest' %}"
|
|
docker: "{{ vault_version }}"
|
|
|
|
consul_versions:
|
|
host: "{{ consul_version }}{% '*' if consul_version != 'latest' %}"
|
|
docker: "{{ consul_version }}"
|
|
|
|
nomad_versions:
|
|
host: "{{ nomad_version }}{% '*' if nomad_version != 'latest' %}"
|
|
docker: "{{ nomad_version }}"
|
|
|
|
configuration_directory: "{{ lookup('env', 'PWD') }}/etc/hashistack"
|
|
sub_configuration_directories:
|
|
nomad_servers: "{{ configuration_directory }}/nomad_servers"
|
|
vault_servers: "{{ configuration_directory }}/vault_servers"
|
|
consul_servers: "{{ configuration_directory }}/consul_servers"
|
|
|
|
configuration_global_vars_file: "globals.yml"
|
|
|
|
default_container_extra_volumes:
|
|
- "/etc/timezone:/etc/timezone"
|
|
- "/etc/localtime:/etc/localtime"
|
|
|
|
#################
|
|
# Support options
|
|
#################
|
|
|
|
hashistack_supported_distributions:
|
|
- ubuntu
|
|
- debian
|
|
|
|
hashistack_supported_distribution_versions:
|
|
debian:
|
|
- "11"
|
|
- "12"
|
|
ubuntu:
|
|
- "20.04"
|
|
- "22.04"
|
|
|
|
preflight_enable_host_ntp_checks: true
|
|
vault_required_ports: [8200, 8201]
|
|
consul_required_ports: [8300, 8301, 8302, 8500, 8501, 8502, 8503, 8600]
|
|
nomad_required_ports: []
|
|
|
|
##########################
|
|
# Nomad options ##########
|
|
##########################
|
|
|
|
hashi_nomad_cni_plugins_install: true
|
|
hashi_nomad_start_service: true
|
|
hashi_nomad_cni_plugins_version: latest
|
|
hashi_nomad_cni_plugins_install_path: /opt/cni/bin
|
|
hashi_nomad_version: latest
|
|
hashi_nomad_deploy_method: host # deployment method, either host or docker
|
|
hashi_nomad_env_variables: {}
|
|
hashi_nomad_data_dir: /opt/nomad
|
|
hashi_nomad_extra_files: false
|
|
hashi_nomad_extra_files_src: /tmp/extra_files
|
|
hashi_nomad_extra_files_dst: /etc/nomad.d/extra_files
|
|
hashi_nomad_configuration: {}
|
|
|
|
##########################
|
|
# Consul options #########
|
|
##########################
|
|
|
|
consul_domain: consul
|
|
consul_datacenter: dc1
|
|
consul_primary_datacenter: dc1
|
|
consul_leave_on_terminate: true
|
|
consul_rejoin_after_leave: true
|
|
consul_enable_script_checks: true
|
|
|
|
##############################
|
|
# consul address configuration
|
|
##############################
|
|
|
|
consul_address_configuration:
|
|
# The address to which Consul will bind client interfaces,
|
|
# including the HTTP and DNS servers.
|
|
client_addr: "0.0.0.0"
|
|
# The address that should be bound to for internal cluster communications.
|
|
bind_addr: "{{ api_interface_address }}"
|
|
# The advertise address is used to change the address that we advertise to other nodes in the cluster.
|
|
advertise_addr: "{{ api_interface_address }}"
|
|
|
|
##########################
|
|
# consul ACL configuration
|
|
##########################
|
|
|
|
consul_acl_configuration:
|
|
enabled: true
|
|
default_policy: "deny" # can be allow or deny
|
|
enable_token_persistence: true
|
|
|
|
#####################
|
|
# extra configuration
|
|
#####################
|
|
|
|
consul_extra_configuration: {}
|
|
|
|
##########################
|
|
# consul DNS configuration
|
|
##########################
|
|
|
|
consul_dns_configuration:
|
|
allow_stale: true
|
|
enable_truncate: true
|
|
only_passing: true
|
|
|
|
hashi_consul_start_service: true
|
|
hashi_consul_version: latest
|
|
hashi_consul_deploy_method: "{{ deployment_method }}"
|
|
hashi_consul_env_variables: {}
|
|
hashi_cosul_config_dir: "/etc/consul.d"
|
|
hashi_consul_data_dir: "/opt/consul"
|
|
hashi_consul_extra_files: false
|
|
hashi_consul_extra_files_src: "{{ sub_configuration_directories.consul_servers }}/config"
|
|
hashi_consul_extra_files_dst: "{{ hashi_consul_config_dir }}/config"
|
|
hashi_consul_envoy_install: false
|
|
hashi_consul_envoy_version: latest
|
|
hashi_consul_configuration:
|
|
domain: "{{ consul_domain }}"
|
|
datacenter: "{{ consul_datacenter }}"
|
|
primary_datacenter: "{{ consul_primary_datacenter }}"
|
|
data_dir: "{{ hashi_consul_data_dir }}"
|
|
encrypt: "{{ 'mysupersecretgossipencryptionkey'|b64encode }}"
|
|
server: "{{ 'consul_servers' in group_names }}"
|
|
retry_join: "{{
|
|
groups['consul_servers'] |
|
|
map('extract', hostvars, ['consul_address_configuration', 'bind_addr']) |
|
|
list |
|
|
to_json |
|
|
from_json
|
|
}}"
|
|
ui_config:
|
|
enabled: true
|
|
connect:
|
|
enabled: false
|
|
leave_on_terminate: true
|
|
rejoin_after_leave: true
|
|
enable_script_checks: true
|
|
enable_syslog: true
|
|
log_level: INFO
|
|
acl: "{{ consul_acl_configuration }}"
|
|
dns_config: "{{ consul_dns_configuration }}"
|
|
ports:
|
|
dns: 8600
|
|
http: 8500
|
|
https: -1
|
|
grpc: 8502
|
|
grpc_tls: 8503
|
|
server: 8300
|
|
serf_lan: 8301
|
|
serf_wan: 8302
|
|
sidecar_min_port: 21000
|
|
sidecar_max_port: 21255
|
|
expose_min_port: 21500
|
|
expose_max_port: 21755
|
|
|
|
# this is used to circumvent jinja limitation to convert string to integer
|
|
hashi_consul_configuration_string: |
|
|
bootstrap_expect: {{ (groups['consul_servers'] | length) }}
|
|
|
|
##########################
|
|
# Vault options ##########
|
|
##########################
|
|
|
|
vault_cluster_name: vault
|
|
vault_enable_ui: true
|
|
vault_seal_configuration:
|
|
key_shares: 3
|
|
key_threshold: 2
|
|
|
|
#########
|
|
# storage
|
|
#########
|
|
vault_storage_configuration:
|
|
raft:
|
|
path: "{{ hashi_vault_data_dir }}/data"
|
|
node_id: "{{ ansible_hostname }}"
|
|
retry_join: |
|
|
[
|
|
{% for host in groups['vault_servers'] %}
|
|
{
|
|
'leader_api_addr': 'http://{{ hostvars[host].api_interface_address }}:8200'
|
|
}{% if not loop.last %},{% endif %}
|
|
{% endfor %}
|
|
]
|
|
|
|
##########
|
|
# listener
|
|
##########
|
|
vault_enable_tls: false
|
|
vault_listener_configuration:
|
|
tcp:
|
|
address: "0.0.0.0:8200"
|
|
tls_disable: true
|
|
|
|
vault_tls_listener_configuration:
|
|
tcp:
|
|
tls_disable: false
|
|
tls_cert_file: "{{ hashi_vault_extra_files_dst }}/tls/cert.pem"
|
|
tls_key_file: "{{ hashi_vault_extra_files_dst }}/tls/key.pem"
|
|
|
|
vault_extra_listener_configuration: {}
|
|
|
|
######################
|
|
# service registration
|
|
######################
|
|
|
|
vault_enable_service_registration: false
|
|
vault_service_registration_configuration:
|
|
consul:
|
|
address: "127.0.0.1:8500"
|
|
scheme: "http"
|
|
|
|
#########
|
|
# plugins
|
|
#########
|
|
vault_enable_plugins: true
|
|
vault_plugin_directory: "{{ hashi_vault_extra_files_dst }}/plugin"
|
|
|
|
#########
|
|
# logging
|
|
#########
|
|
vault_enable_log_to_file: false
|
|
vault_logging_configuration:
|
|
log_level: info
|
|
log_format: standard
|
|
log_rotate_duration: 24h
|
|
log_rotate_max_files: 30
|
|
|
|
#########################
|
|
# vault container volumes
|
|
#########################
|
|
extra_vault_container_volumes: []
|
|
|
|
#####################
|
|
# extra configuration
|
|
#####################
|
|
|
|
vault_extra_configuration: {}
|
|
|
|
###############
|
|
# configuration
|
|
###############
|
|
hashi_vault_start_service: true
|
|
hashi_vault_version: latest
|
|
hashi_vault_deploy_method: "{{ deployment_method }}"
|
|
hashi_vault_env_variables: {}
|
|
hashi_vault_config_dir: "/etc/vault.d"
|
|
hashi_vault_data_dir: "/opt/vault"
|
|
hashi_vault_extra_files: true
|
|
hashi_vault_extra_files_src: "{{ sub_configuration_directories.vault_servers }}/config"
|
|
hashi_vault_extra_files_dst: "{{ hashi_vault_config_dir }}/config"
|
|
hashi_vault_extra_container_volumes: "{{ default_container_extra_volumes | union(extra_vault_container_volumes) | unique }}"
|
|
hashi_vault_configuration:
|
|
cluster_name: "{{ vault_cluster_name }}"
|
|
cluster_addr: "http://{{ api_interface_address }}:8201"
|
|
api_addr: "http://{{ api_interface_address }}:8200"
|
|
ui: "{{ vault_enable_ui }}"
|
|
disable_mlock: false
|
|
disable_cache: false
|
|
listener: "{{ vault_listener_configuration }}"
|
|
storage: "{{ vault_storage_configuration }}"
|