serxoz
/
ansible-hashistack
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

first commit

main
sergio 2023-09-11 18:31:03 +02:00
commit c32a303998
15 changed files with 304 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
README.md Normal file
View File

@ -0,0 +1,17 @@
# Ansible HashiStack
Instalación del stack de Hashicorp usando Ansible:
- Consul
Por hacer:
- Nomad
- Vault
## Configuración
Comprueba el contenido del archivo **proxmox-inv/hosts**.
## Ejecución
Aplica el rol consul:
```bash
ansible-playbook consul.yml
```

2
ansible.cfg Normal file
View File

@ -0,0 +1,2 @@
[defaults]
inventory = proxmox-inv

7
consul.yml Normal file
View File

@ -0,0 +1,7 @@
- name: Instala Consul
hosts: consul_node
any_errors_fatal: true
become: true
become_user: root
roles:
- consul

11
proxmox-inv/hosts Normal file
View File

@ -0,0 +1,11 @@
[all:vars]
ansible_connection=ssh
ansible_user=alpine
ansible_ssh_private_key_file=~/.ssh/alpine-cloud
[consul_node]
192.168.1.71 consul_iface=eth0 consul_node_role=server vm_name=hashi-1 vm_ip=192.168.1.71
192.168.1.72 consul_iface=eth0 consul_node_role=client vm_name=hashi-2 vm_ip=192.168.1.72
[consul_node:vars]
consul_dc_name=tr4ck

4
roles/consul/defaults/main.yml Normal file
View File

@ -0,0 +1,4 @@
---
consul_version: v1.16.1
consul_install_path: /opt/consul
consul_data_path: "{{ consul_install_path }}/data"

6
roles/consul/handlers/main.yml Normal file
View File

@ -0,0 +1,6 @@
---
- name: restart consul
ansible.builtin.service:
name: consul
state: restarted
become: true

7
roles/consul/tasks/install_alpine_binary.yml Normal file
View File

@ -0,0 +1,7 @@
---
- name: install consul apk package
community.general.apk:
name: consul
state: present
update_cache: yes
become: true

70
roles/consul/tasks/main.yml Normal file
View File

@ -0,0 +1,70 @@
---
- name: setup prerequisites
ansible.builtin.include_tasks: "prereq_{{ ansible_distribution|lower }}.yml"
- name: setup python-consul
ansible.builtin.pip:
name: python-consul
state: latest
executable: /usr/bin/pip3
become: true
- name: check if consul is the correct version
ansible.builtin.command:
cmd: "/usr/bin/consul"
register: consul_installed_version
changed_when: false
failed_when: false
- block:
- name: Include base install
include_tasks: "install_{{ ansible_distribution|lower }}_binary.yml"
when: consul_installed_version is not defined or consul_version not in consul_installed_version.stdout
- name: ensure the consul folders exist
ansible.builtin.file:
path: "{{ item }}"
state: directory
owner: consul
group: consul
mode: 0755
with_items:
- "{{ consul_install_path }}"
- "{{ consul_data_path }}"
- "/etc/consul/"
become: true
- name: touch env file
ansible.builtin.file:
path: "/etc/consul/consul.env"
state: touch
owner: consul
group: consul
mode: 0770
become: true
- name: setup key for encryption
include_tasks: "setup_encrypt_key.yml"
run_once: true
- name: setup consul ca
include_tasks: "setup_ca.yml"
run_once: true
- name: setup server cert
include_tasks: "setup_server_cert.yml"
- name: setup client cert
include_tasks: "setup_client_cert.yml"
- name: setup consul config
include_tasks: "setup_consul_config.yml"
- name: enable and start consul
ansible.builtin.service:
name: consul
enabled: true
state: restarted
async: 600
poll: 5
become: true

7
roles/consul/tasks/prereq_alpine.yml Normal file
View File

@ -0,0 +1,7 @@
---
- name: setup pip3
community.general.apk:
name: py3-pip
state: present
update_cache: yes
become: true

46
roles/consul/tasks/setup_ca.yml Normal file
View File

@ -0,0 +1,46 @@
---
- name: generate the consul CA
ansible.builtin.command:
cmd: consul tls ca create
args:
chdir: /etc/consul
creates: /etc/consul/consul-agent-ca.pem
become: true
- name: set the key as fact
ansible.builtin.command:
cmd: cat /etc/consul/consul-agent-ca-key.pem
changed_when: false
register: ca_key
become: true
- name: set the pem as fact
ansible.builtin.command:
cmd: cat /etc/consul/consul-agent-ca.pem
changed_when: false
register: ca_pem
become: true
- name: store key onto other systems
ansible.builtin.copy:
content: "{{ ca_key.stdout }}"
mode: 0640
owner: consul
group: consul
dest: /etc/consul/consul-agent-ca-key.pem
delegate_to: "{{ item }}"
become: true
loop: "{{ groups['consul_node'] }}"
when: ansible_fqdn != item
- name: store ca cert onto other systems
ansible.builtin.copy:
content: "{{ ca_pem.stdout }}"
mode: 0640
owner: consul
group: consul
dest: /etc/consul/consul-agent-ca.pem
delegate_to: "{{ item }}"
become: true
loop: "{{ groups['consul_node'] }}"
when: ansible_fqdn != item

19
roles/consul/tasks/setup_client_cert.yml Normal file
View File

@ -0,0 +1,19 @@
---
- name: generate the client dc cert
ansible.builtin.command:
cmd: consul tls cert create -client -dc {{ consul_dc_name }} -ca /etc/consul/consul-agent-ca.pem
args:
chdir: /etc/consul
creates: "/etc/consul/{{consul_dc_name}}-client-consul-0.pem"
become: true
- name: set permissions on generated files
ansible.builtin.file:
path: "{{ item }}"
mode: 0640
owner: consul
group: consul
become: true
loop:
- "/etc/consul/{{ consul_dc_name }}-client-consul-0.pem"
- "/etc/consul/{{ consul_dc_name }}-client-consul-0-key.pem"

15
roles/consul/tasks/setup_consul_config.yml Normal file
View File

@ -0,0 +1,15 @@
---
- name: get the encrypt_key
ansible.builtin.command:
cmd: cat /etc/consul/gossip.key
register: gossip
become: true
changed_when: false
- name: set the consul.json config file
ansible.builtin.template:
src: consul.json.j2
dest: /etc/consul/consul.json
mode: 0600
owner: consul
become: true

39
roles/consul/tasks/setup_encrypt_key.yml Normal file
View File

@ -0,0 +1,39 @@
---
- name: debug
ansible.builtin.debug:
msg: "{{ groups['consul_node'] }}"
- name: check whether keygen has already ran
ansible.builtin.stat:
path: /etc/consul/gossip.key
become: true
register: keygen_stat
- block:
- name: ensure /etc/consul is exists
ansible.builtin.file:
path: /etc/consul
state: directory
mode: 0755
delegate_to: "{{ item }}"
become: true
loop: "{{ groups['consul_node'] }}"
when: ansible_fqdn != item
- name: setup the key for encryption
ansible.builtin.command:
cmd: consul keygen
register: consul_keygen
run_once: true
- name: store key onto system
ansible.builtin.copy:
content: "{{ consul_keygen.stdout }}"
mode: 0600
dest: /etc/consul/gossip.key
owner: consul
delegate_to: "{{ item }}"
loop: "{{ groups['consul_node'] }}"
run_once: true
when: keygen_stat.stat.exists == false
become: true

19
roles/consul/tasks/setup_server_cert.yml Normal file
View File

@ -0,0 +1,19 @@
---
- name: generate the server dc cert
ansible.builtin.command:
cmd: consul tls cert create -server -dc {{ consul_dc_name }} -ca /etc/consul/consul-agent-ca.pem
args:
chdir: /etc/consul
creates: "/etc/consul/{{ consul_dc_name }}-server-consul-0.pem"
become: true
- name: set permissions on generated files
ansible.builtin.file:
path: "{{ item }}"
mode: 0640
owner: consul
group: consul
become: true
loop:
- "/etc/consul/{{ consul_dc_name }}-server-consul-0.pem"
- "/etc/consul/{{ consul_dc_name }}-server-consul-0-key.pem"

35
roles/consul/templates/consul.json.j2 Normal file
View File

@ -0,0 +1,35 @@
{
"datacenter": "{{ consul_dc_name }}",
"node_name": "{{ vm_name }}",
"data_dir": "/opt/consul",
"encrypt": "{{ gossip.stdout }}",
"ca_file": "/etc/consul/consul-agent-ca.pem",
"cert_file": "/etc/consul/{{ consul_dc_name }}-server-consul-0.pem",
"key_file": "/etc/consul/{{ consul_dc_name }}-server-consul-0-key.pem",
"verify_incoming": false,
"verify_outgoing": true,
"verify_server_hostname": false,
"bind_addr": "{{ vm_ip }}",
"addresses": {
"https": "{{ vm_ip }}",
"http": "{{ vm_ip }}",
"dns": "{{ vm_ip }}",
"grpc": "{{ vm_ip }}"
},
"ports": {
"grpc_tls": 8502
},
{% if 'server' in consul_node_role %}
"server": true,
{% if consul_bootstrap_node is defined %}
"bootstrap": true,
{% endif %}
{% endif %}
"retry_join": [{% for host in groups['consul_node'] %}"{{ hostvars[host]['vm_ip'] }}"{% if not loop.last %},{% endif %}{% endfor %}],
"ui_config": {
"enabled": true
},
"connect": {
"enabled": true
}
}