From 3f500cff7ac46985e52775433d3de10356bc60e3 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Aur=C3=A9lien=20Maury?= Date: Mon, 29 Jan 2024 14:16:39 +0100 Subject: [PATCH] Consul binary (#145) * first fresh run of new version - wip * rerun from scratch * added vault rekey playbook * suppress community.general.terraform invocations * fully ported scaleway demo to rocky linux * consul ported to rocky * envoy ported to rocky * envoy port to rocky --- docs/source/explanations/ansible_terraform.md | 3 +- playbooks/01_infra_aws.yml | 2 +- playbooks/13_core_scaleway_dns_delegation.yml | 2 +- playbooks/init.yml | 12 +- playbooks/op_flush_vault_masters.yml | 17 +++ playbooks/vault_dr_secondary.yml | 2 +- playbooks/vault_rekey.yml | 138 ++++++++++++++++++ requirements.yml | 2 +- roles/consul/defaults/main.yml | 21 +-- roles/consul/handlers/main.yml | 2 +- roles/consul/tasks/_tf_configure.yml | 4 +- .../tasks/{debian => common}/_configure.yml | 47 +----- .../{debian => common}/_consul_masters.yml | 1 + .../{debian => common}/_consul_minions.yml | 1 + roles/consul/tasks/common/_install.yml | 20 +++ roles/consul/tasks/common/_prepare.yml | 99 +++++++++++++ roles/consul/tasks/debian/_install.yml | 12 -- roles/consul/tasks/debian/_prepare.yml | 43 ------ roles/consul/tasks/debian/main.yml | 17 ++- roles/consul/tasks/main.yml | 29 +--- roles/consul/tasks/oraclelinux/main.yml | 0 roles/consul/tasks/rocky/main.yml | 31 ++++ roles/consul/templates/consul.hcl.j2 | 11 +- roles/consul/templates/consul.service.j2 | 21 +++ roles/consul/vars/debian.yml | 9 +- roles/consul/vars/main.yml | 33 ++--- roles/consul/vars/rocky.yml | 6 + roles/envoy/defaults/main.yml | 2 +- .../tasks/{debian => common}/_configure.yml | 1 + .../tasks/{debian => common}/_install.yml | 1 + .../tasks/{debian => common}/_prepare.yml | 6 +- roles/envoy/tasks/debian/main.yml | 24 ++- roles/envoy/tasks/rocky/main.yml | 30 ++++ roles/grafana/tasks/debian/_configure.yml | 2 +- roles/stage0/tasks/_terraform.yml | 2 +- .../multi/out.stage0.hashistack.yml.j2 | 4 +- 
.../multi/out.stage0.hashistack_sre.yml.j2 | 2 +- .../multi/out.stage0.hashistack.yml.j2 | 6 +- .../multi/out.stage0.hashistack_sre.yml.j2 | 2 +- .../tasks/{debian => common}/_normalize.yml | 1 + .../tasks/{debian => common}/_reboot.yml | 1 + roles/stage1_bootstrap/tasks/debian/main.yml | 11 +- .../tasks/rocky/_system_update.yml | 5 + roles/stage1_bootstrap/tasks/rocky/main.yml | 24 +++ roles/stage1_dns/handlers/main.yml | 9 ++ roles/stage1_dns/tasks/_common/_init.yml | 2 +- roles/stage1_dns/tasks/debian_12/main.yml | 2 +- roles/stage1_dns/tasks/rocky/main.yml | 50 +++++++ .../templates/_internal_zone.yml.j2 | 6 +- roles/stage1_dns/vars/rocky.yml | 13 ++ roles/stage1_pip/tasks/oraclelinux/main.yml | 0 roles/stage1_pip/tasks/rocky/_install.yml | 10 ++ roles/stage1_pip/tasks/rocky/_prepare.yml | 12 ++ roles/stage1_pip/tasks/rocky/main.yml | 12 ++ .../tasks/{debian => common}/_configure.yml | 7 + roles/stage1_rproxy/tasks/debian/main.yml | 2 +- roles/stage1_rproxy/tasks/rocky/main.yml | 16 ++ roles/vault/tasks/common/_prepare.yml | 62 ++++---- roles/vault/tasks/main.yml | 2 +- roles/vault_vars/defaults/main.yml | 2 +- roles/vault_vars/vars/main.yml | 5 + 61 files changed, 687 insertions(+), 234 deletions(-) create mode 100644 playbooks/vault_rekey.yml rename roles/consul/tasks/{debian => common}/_configure.yml (66%) rename roles/consul/tasks/{debian => common}/_consul_masters.yml (99%) rename roles/consul/tasks/{debian => common}/_consul_minions.yml (99%) create mode 100644 roles/consul/tasks/common/_install.yml create mode 100644 roles/consul/tasks/common/_prepare.yml delete mode 100644 roles/consul/tasks/debian/_install.yml delete mode 100644 roles/consul/tasks/debian/_prepare.yml create mode 100644 roles/consul/tasks/oraclelinux/main.yml create mode 100644 roles/consul/tasks/rocky/main.yml create mode 100644 roles/consul/templates/consul.service.j2 create mode 100644 roles/consul/vars/rocky.yml rename roles/envoy/tasks/{debian => common}/_configure.yml (98%) rename 
roles/envoy/tasks/{debian => common}/_install.yml (99%) rename roles/envoy/tasks/{debian => common}/_prepare.yml (59%) create mode 100644 roles/envoy/tasks/rocky/main.yml rename roles/stage1_bootstrap/tasks/{debian => common}/_normalize.yml (99%) rename roles/stage1_bootstrap/tasks/{debian => common}/_reboot.yml (99%) create mode 100644 roles/stage1_bootstrap/tasks/rocky/_system_update.yml create mode 100644 roles/stage1_bootstrap/tasks/rocky/main.yml create mode 100644 roles/stage1_dns/tasks/rocky/main.yml create mode 100644 roles/stage1_dns/vars/rocky.yml create mode 100644 roles/stage1_pip/tasks/oraclelinux/main.yml create mode 100644 roles/stage1_pip/tasks/rocky/_install.yml create mode 100644 roles/stage1_pip/tasks/rocky/_prepare.yml create mode 100644 roles/stage1_pip/tasks/rocky/main.yml rename roles/stage1_rproxy/tasks/{debian => common}/_configure.yml (88%) create mode 100644 roles/stage1_rproxy/tasks/rocky/main.yml diff --git a/docs/source/explanations/ansible_terraform.md b/docs/source/explanations/ansible_terraform.md index a9d10bb5..45f39a29 100644 --- a/docs/source/explanations/ansible_terraform.md +++ b/docs/source/explanations/ansible_terraform.md @@ -22,8 +22,7 @@ disponibility. * Inject configuration into Vault, Consul and Nomad. Every piece of Terraform code is intended to be managed by the -[community.general.terraform](https://docs.ansible.com/ansible/latest/collections/community/general/terraform_module.html) -Ansible module. +[cloud.terraform.terraform](https://github.com/ansible-collections/cloud.terraform/blob/main/docs/cloud.terraform.terraform_module.rst) Ansible module. ## Terraform code diff --git a/playbooks/01_infra_aws.yml b/playbooks/01_infra_aws.yml index 768708ca..cb939f42 100644 --- a/playbooks/01_infra_aws.yml +++ b/playbooks/01_infra_aws.yml 
@@ -40,7 +40,7 @@ when: tf_action == 'apply' - name: COMMON - Do Terraform - community.general.terraform: + cloud.terraform.terraform: project_path: "{{ tf_module_dest }}" state: "{{ (tf_action == 'destroy') | ternary('absent', 'present') }}" force_init: true diff --git a/playbooks/13_core_scaleway_dns_delegation.yml b/playbooks/13_core_scaleway_dns_delegation.yml index ff89fdfb..f06b6af4 100644 --- a/playbooks/13_core_scaleway_dns_delegation.yml +++ b/playbooks/13_core_scaleway_dns_delegation.yml @@ -23,7 +23,7 @@ when: tf_action == 'apply' - name: COMMON - Do Terraform - community.general.terraform: + cloud.terraform.terraform: project_path: "{{ tf_module_dest }}" state: "{{ (tf_action == 'destroy') | ternary('absent', 'present') }}" force_init: true diff --git a/playbooks/init.yml b/playbooks/init.yml index 8ebb83f1..8bab868d 100644 --- a/playbooks/init.yml +++ b/playbooks/init.yml @@ -39,6 +39,14 @@ loop_control: loop_var: _current_dir + - name: "[MONO] Create directory for inventory" + file: + path: "{{ _output_dir }}/host_vars/{{ hs_workspace }}-{{ hs_archi }}" + state: directory + recurse: true + when: + - hs_archi == 'mono' + - name: Create global variables copy: dest: "{{ _output_dir }}/group_vars/all.yml" @@ -50,7 +58,9 @@ {%- raw %} public_domain: "{{ hs_workspace }}.{{ hs_parent_domain }}" hs_stage0_archi: "{{ hs_archi }}" - hs_stage0_instance_type: "DEV1-L" + hs_stage0_instance_type: "PLAY2-MICRO" + hs_stage0_instance_image: "debian_bookworm" + # hs_stage0_instance_image: "rockylinux_9" {% endraw -%} - name: Create inventory files diff --git a/playbooks/op_flush_vault_masters.yml b/playbooks/op_flush_vault_masters.yml index 8d96a463..b582c52e 100644 --- a/playbooks/op_flush_vault_masters.yml +++ b/playbooks/op_flush_vault_masters.yml 
@@ -8,6 +8,16 @@ force_flush: false tasks: + - name: "Load vault role variables" + import_role: + name: "vault_vars" + + - name: "Load secret dir" + include_vars: + dir: "{{ hs_vault_local_secret_dir }}" + ignore_unknown_extensions: true + no_log: true + - name: Stop vault systemd: name: vault @@ -28,3 +38,10 @@ group: vault mode: 0750 when: force_flush + + - name: Flush local root_vault + file: + path: "{{ hs_vault_local_secret_dir }}/root_vault.yml" + state: absent + delegate_to: localhost + become: false diff --git a/playbooks/vault_dr_secondary.yml b/playbooks/vault_dr_secondary.yml index 4c284202..3408e9b8 100644 --- a/playbooks/vault_dr_secondary.yml +++ b/playbooks/vault_dr_secondary.yml @@ -138,7 +138,7 @@ run_once: true - name: "Do Terraform" - community.general.terraform: + cloud.terraform.terraform: project_path: "{{ hs_vault_terraform_work_dir }}/dr_secondary_activation" state: "present" # noqa args force_init: true diff --git a/playbooks/vault_rekey.yml b/playbooks/vault_rekey.yml new file mode 100644 index 00000000..f22ad15a --- /dev/null +++ b/playbooks/vault_rekey.yml 
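Review bot: The new `Flush local root_vault` task in the second hunk has no `when: force_flush` guard, unlike the directory-wiping tasks just above it (the visible context line `when: force_flush` belongs to the previous task). Run without `force_flush`, the play therefore leaves Vault's data on disk but removes the local `root_vault.yml`, which appears to hold the bootstrap secrets, so the operator can end up with a sealed, still-populated Vault and no keys. Add `when: force_flush` to the task and, since it is delegated to localhost from every host in the play, `run_once: true` as well.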
@@ -0,0 +1,138 @@ +--- +- name: "Rotate the vault root key" + hosts: "{{ hs_vault_inventory_masters_group | default('hashistack_masters[0]') }}" + become: true + gather_facts: true + strategy: linear + + pre_tasks: + - name: "Load vault role variables" + import_role: + name: "vault_vars" + + - name: "Load secret dir" + include_vars: + dir: "{{ hs_vault_local_secret_dir }}" + ignore_unknown_extensions: true + no_log: true + + - name: Variable cooking + set_fact: + __vault_rekey_addr: "{{ __hs_vault_conf_api_addr }}" + __vault_rekey_shares: "{{ hs_vault_unseal_key_shares }}" + __vault_rekey_threshold: "{{ hs_vault_unseal_key_threshold }}" + __vault_rekey_old_keys: "{{ vault_init_content['keys'] }}" + + - name: Variable cooking + set_fact: + __vault_rekey_api_endpoints: + rekey: "{{ __vault_rekey_addr }}/v1/sys/rekey/init" + rekey_update: "{{ __vault_rekey_addr }}/v1/sys/rekey/update" + genroot: "{{ __vault_rekey_addr }}/v1/sys/generate-root/attempt" + genroot_update: "{{ __vault_rekey_addr }}/v1/sys/generate-root/update" + genroot_decode: "{{ __vault_rekey_addr }}/v1/sys/decode-token" + + tasks: + - name: Start vault rekey process + uri: + url: "{{ __vault_rekey_api_endpoints.rekey }}" + method: POST + body_format: json + body: + secret_shares: "{{ __vault_rekey_shares }}" + secret_threshold: "{{ __vault_rekey_threshold }}" + return_content: true + register: _vault_rekey_process + + - name: Rekey steps + uri: + url: "{{ __vault_rekey_api_endpoints.rekey_update }}" + method: POST + body_format: json + body: + key: "{{ _current_key }}" + nonce: "{{ _vault_rekey_process.json.nonce }}" + return_content: true + loop: "{{ __vault_rekey_old_keys[:(__vault_rekey_threshold)] }}" + loop_control: + loop_var: _current_key + register: _vault_rekey_updates + + - name: Variable cooking + set_fact: + _vault_rekey_new_keys: >- + {{ _vault_rekey_updates.results[-1].json['keys'] }} + _vault_rekey_new_keys_base64: >- + {{ _vault_rekey_updates.results[-1].json['keys_base64'] }} + + - 
name: Start vault genroot process + uri: + url: "{{ __vault_rekey_api_endpoints.genroot }}" + method: POST + body_format: json + return_content: true + register: _vault_rekey_genroot_process + + - name: "Variable cooking" + set_fact: + _vault_rekey_genroot_nonce: "{{ _vault_rekey_genroot_process.json.nonce }}" + _vault_rekey_genroot_otp: "{{ _vault_rekey_genroot_process.json.otp }}" + + - name: Send current seal shards + uri: + url: "{{ __vault_rekey_api_endpoints.genroot_update }}" + method: POST + body_format: json + body: + key: "{{ _current_key }}" + nonce: "{{ _vault_rekey_genroot_nonce }}" + return_content: true + loop: "{{ _vault_rekey_new_keys[:(__vault_rekey_threshold)] }}" + loop_control: + loop_var: _current_key + register: _vault_rekey_genroot_updates + + - name: "Variable cooking" + set_fact: + _vault_rekey_genroot_encoded_root_token: >- + {{ _vault_rekey_genroot_updates.results[-1].json.encoded_token }} + + - name: Decode + uri: + url: "{{ __vault_rekey_api_endpoints.genroot_decode }}" + method: POST + body_format: json + body: + encoded_token: "{{ _vault_rekey_genroot_encoded_root_token }}" + otp: "{{ _vault_rekey_genroot_otp }}" + return_content: true + register: _vault_rekey_genroot_decoded + + - name: Store vault root secrets + copy: + dest: "{{ hs_vault_local_unseal_file }}" + mode: 0600 + content: |- + --- + {{ + { + 'vault_init_content': { + 'keys': _vault_rekey_new_keys, + 'keys_base64': _vault_rekey_new_keys_base64, + 'root_token': _vault_rekey_genroot_decoded.json.data.token + } + } | to_nice_yaml + }} + register: _hs_vault_store_root + become: false + delegate_to: localhost + + - name: Encrypt vault init keys if ANSIBLE_VAULT_PASSWORD_FILE is defined + command: >- + ansible-vault encrypt {{ hs_vault_local_unseal_file }} + become: false + delegate_to: localhost + when: + - _hs_vault_store_root is changed + - (lookup('env', 'ANSIBLE_VAULT_PASSWORD_FILE') | length) > 0 + 
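Review bot: None of the `uri` tasks in this playbook set `no_log: true`, yet their request bodies carry unseal shards (`key: "{{ _current_key }}"`) and the generate-root OTP, and their registered results hold the new shards, the encoded root token and, after `Decode`, the plaintext root token — any `-v` run or a failing task prints all of these to the console and to callback/log plugins. Add `no_log: true` to each `uri` task and to `Store vault root secrets` (its `content:` is otherwise shown by `--diff`). The previous root token is also never revoked: generating a new root token through `sys/generate-root` does not invalidate the old one, so `vault_init_content.root_token` remains a valid root credential after the file that recorded it has been overwritten. Revoke it once the new secrets are safely stored, as in the task below (an already-revoked token answers 403, so widen `status_code` if that is expected). Finally, the `Encrypt vault init keys` step silently leaves the new keys in plaintext on the controller when `ANSIBLE_VAULT_PASSWORD_FILE` is unset; an `assert` on that variable in `pre_tasks` would make the requirement explicit before the rekey starts.
```yaml
    # … unchanged: Store vault root secrets / Encrypt vault init keys …

    - name: Revoke the previous root token
      uri:
        url: "{{ __vault_rekey_addr }}/v1/auth/token/revoke-self"
        method: POST
        status_code: 204
        headers:
          X-Vault-Token: "{{ vault_init_content.root_token }}"
      no_log: true
      when: _hs_vault_store_root is changed
```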
diff --git a/requirements.yml b/requirements.yml index 99909cc1..1f9acc91 100644 --- a/requirements.yml +++ b/requirements.yml @@ -19,4 +19,4 @@ collections: - name: cloud.terraform version: "1.1.1" - name: rtnp.galaxie_clans - version: "1.15.1" + version: "1.15.3" diff --git a/roles/consul/defaults/main.yml b/roles/consul/defaults/main.yml index 81cb9f0d..7ab65f72 100644 --- a/roles/consul/defaults/main.yml +++ b/roles/consul/defaults/main.yml @@ -5,8 +5,12 @@ # # ## Defaults # -# * Consul version to install (Debian package name referring ) -hs_consul_version: "1.13.7-1" +# * Version of the consul package to install. +# * Used to determine which archive to install according to the suffix like +# [in the official release repository](https://releases.hashicorp.com/consul/). For example, +# valid values are: '1.16.4', '1.17.0+ent', '1.17.2+ent.fips1402', etc. +hs_consul_version: "1.17.2" +# # ### Local paths # # * Path to local directory containing secrets to be uploaded to nodes @@ -23,20 +27,14 @@ hs_consul_node_cert_fullchain: "{{ hs_consul_local_secrets_dir }}/self.fullchain # * Path to local node certificate private key. hs_consul_node_cert_private_key: "{{ hs_consul_local_secrets_dir }}/self.cert.key" -hs_consul_ca_certificate_dir: "/usr/local/share/ca-certificates" -hs_consul_ca_certificate: "/etc/ssl/certs/ca-certificates.crt" - tf_module_name: "consul_config" hs_tf_action: apply -hs_consul_datacenter_name: >- - {{ - hs_workspace - | default('datacenter1') - }} +hs_consul_datacenter_name: "{{ hs_workspace | default('datacenter1') }}" hs_consul_node_name: "{{ inventory_hostname | regex_replace('_', '-') }}" hs_consul_connect_token: ~ +hs_consul_local_cache_dir: "{{ hs_workspace_root }}" hs_consul_prometheus_enabled: true hs_consul_connect_root_pki_path: "consul_connect_pki_root" hs_consul_connect_intermediate_pki_path: "consul_connect_pki_inter" 
@@ -60,6 +58,3 @@ hs_consul_local_ca_cert: "{{ hs_workspace_secrets_dir }}/ca.cert.pem" hs_consul_acl_default_policy: deny hs_consul_acl_auto_encrypt_token: ~ -hs_consul_packages_list: - - "consul={{ hs_consul_version }}" - diff --git a/roles/consul/handlers/main.yml b/roles/consul/handlers/main.yml index 85cec19f..5b135172 100644 --- a/roles/consul/handlers/main.yml +++ b/roles/consul/handlers/main.yml @@ -7,7 +7,7 @@ - name: Update ca trust command: >- - /usr/sbin/update-ca-certificates + {{ __hs_consul_update_trust_command }} - name: "Restart vault-sidecar" systemd: diff --git a/roles/consul/tasks/_tf_configure.yml b/roles/consul/tasks/_tf_configure.yml index 797c9942..ee5a2266 100644 --- a/roles/consul/tasks/_tf_configure.yml +++ b/roles/consul/tasks/_tf_configure.yml @@ -7,7 +7,7 @@ become: false run_once: true -- name: Validate API avalability +- name: Validate API availability uri: url: "{{ hs_consul_external_url }}/v1/agent/members" headers: @@ -31,7 +31,7 @@ run_once: true - name: "COMMON - Do Terraform (can take up to 30 minutes)" - community.general.terraform: + cloud.terraform.terraform: project_path: "{{ tf_module_dest }}" state: "{{ (tf_action == 'destroy') | ternary('absent', 'present') }}" # noqa args force_init: true diff --git a/roles/consul/tasks/debian/_configure.yml b/roles/consul/tasks/common/_configure.yml similarity index 66% rename from roles/consul/tasks/debian/_configure.yml rename to roles/consul/tasks/common/_configure.yml index d93be287..9b985d9d 100644 --- a/roles/consul/tasks/debian/_configure.yml +++ b/roles/consul/tasks/common/_configure.yml 
@@ -1,43 +1,11 @@ --- -- name: Check directories exist - file: - path: "{{ _current_expected_dir }}" - owner: consul - group: consul - state: directory - mode: 0700 - loop: "{{ __hs_consul_expected_directories }}" - loop_control: - loop_var: _current_expected_dir - tags: - - configure - -- name: Common private ssl directory - file: - path: "{{ __hs_consul_tls_dir }}" - owner: root - group: "{{ __hs_consul_ssl_cert_group }}" - state: directory - mode: 0750 - tags: - - configure - -- name: Add consul user to ssl-cert group - user: - name: consul - groups: "{{ __hs_consul_ssl_cert_group }}" - append: true - tags: - - configure - - -- name: Explicitly load secret dir +- name: "Explicitly load local secret dir" include_vars: dir: "{{ hs_consul_local_secrets_dir }}" ignore_unknown_extensions: true no_log: true -- name: Upload Vault Root CA +- name: "Add vault ca to truststore" copy: dest: "{{ __hs_consul_vault_root_ca_certificate }}" content: |- @@ -49,7 +17,7 @@ tags: - configure -- name: Upload CA certificate +- name: "Add custom-ca to truststore" copy: src: "{{ hs_consul_local_ca_cert }}" dest: "{{ __hs_consul_ca_certificate }}" @@ -66,7 +34,7 @@ tags: - configure -- name: Upload self certificate +- name: "Upload cert for consul endpoints" copy: src: "{{ _current_cert_part }}" dest: "{{ __hs_consul_tls_dir }}/{{ _current_cert_part.split('/')[-1] }}" @@ -84,7 +52,7 @@ tags: - configure -- name: Generate encrypt key +- name: "[LOCAL] Generate encrypt key" copy: dest: "{{ __hs_consul_encrypt_key_local_path }}" mode: 0600 @@ -100,14 +68,15 @@ tags: - configure -- name: Write consul server configuration +- name: "Render consul server configuration" template: src: "consul.hcl.j2" dest: "{{ __hs_consul_conf_file }}" - owner: consul + owner: root group: consul mode: 0640 notify: Restart consul tags: - configure + 
diff --git a/roles/consul/tasks/debian/_consul_masters.yml b/roles/consul/tasks/common/_consul_masters.yml similarity index 99% rename from roles/consul/tasks/debian/_consul_masters.yml rename to roles/consul/tasks/common/_consul_masters.yml index b4d8bee2..795ea3d9 100644 --- a/roles/consul/tasks/debian/_consul_masters.yml +++ b/roles/consul/tasks/common/_consul_masters.yml @@ -41,3 +41,4 @@ enabled: true name: vault-sidecar + diff --git a/roles/consul/tasks/debian/_consul_minions.yml b/roles/consul/tasks/common/_consul_minions.yml similarity index 99% rename from roles/consul/tasks/debian/_consul_minions.yml rename to roles/consul/tasks/common/_consul_minions.yml index dc342230..b5d1d552 100644 --- a/roles/consul/tasks/debian/_consul_minions.yml +++ b/roles/consul/tasks/common/_consul_minions.yml @@ -35,3 +35,4 @@ [Install] WantedBy=multi-user.target notify: Restart minion2vault + diff --git a/roles/consul/tasks/common/_install.yml b/roles/consul/tasks/common/_install.yml new file mode 100644 index 00000000..c408b159 --- /dev/null +++ b/roles/consul/tasks/common/_install.yml @@ -0,0 +1,20 @@ +--- +- name: Unarchive + unarchive: + src: "{{ __hs_consul_local_archive_path }}" + dest: "/usr/bin" + creates: "/usr/bin/consul" + +- name: Set permissions on consul binary + file: + path: "/usr/bin/consul" + owner: root + group: consul + mode: 0750 + +- name: Render system service + template: + src: consul.service.j2 + dest: "/lib/systemd/system/consul.service" + mode: 0644 + notify: Restart consul diff --git a/roles/consul/tasks/common/_prepare.yml b/roles/consul/tasks/common/_prepare.yml new file mode 100644 index 00000000..5213645b --- /dev/null +++ b/roles/consul/tasks/common/_prepare.yml 
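Review bot: `creates: "/usr/bin/consul"` on the `Unarchive` task means the binary is only ever unpacked once: any later change to `hs_consul_version` (this patch itself moves 1.13 to 1.17) downloads a new archive in `_prepare.yml` but never installs it, so security releases silently do not reach the hosts. Drop `creates` — `unarchive` should stay idempotent on its own, as the zip handler compares entry checksums with the files on disk — or unpack into a versioned directory and point `/usr/bin/consul` at it, and add `notify: Restart consul` to the task so a replaced binary is actually picked up by the running service. With the binary now `0750 root:consul`, a user outside the `consul` group can no longer run the CLI; if that is deliberate, a one-line comment saying so would save the next operator a detour.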
@@ -0,0 +1,99 @@ +--- +- name: "[LOCAL] Download Consul release archive" + delegate_to: localhost + run_once: true + become: false + get_url: + url: "{{ __hs_consul_archive_url }}" + dest: "{{ __hs_consul_local_archive_path }}" + mode: 0640 + tags: + - online + +- name: "[LOCAL] Download Terraform Providers" + delegate_to: localhost + run_once: true + become: false + command: > + terraform -chdir={{ role_path }}/files/terraform init + tags: + - online + - prepare-tf-providers + +- name: "[LOCAL] Delete Terraform folder" + delegate_to: localhost + run_once: true + become: false + file: + path: "{{ role_path }}/files/terraform/.terraform/" + state: absent + tags: + - online + - prepare-tf-providers + +- name: Create local facts directory + file: + path: "/etc/ansible/facts.d" + recurse: true + state: directory + +- name: "Create ssl-cert system group" + group: + name: "{{ __hs_consul_ssl_cert_group }}" + system: true + state: present + +- name: "Adjust tls dir permissions" + file: + path: "{{ __hs_consul_tls_dir }}" + owner: root + group: "{{ __hs_consul_ssl_cert_group }}" + mode: 0750 + state: directory + +- name: "Create consul system group" + group: + name: consul + system: true + state: present + +- name: "Create consul system user" + user: + name: consul + system: true + shell: "/usr/sbin/nologin" + groups: + - "consul" + - "{{ __hs_consul_ssl_cert_group }}" + createhome: false + home: "{{ __hs_consul_home_dir }}" + +- name: Create consul home and data directories + file: + path: "{{ _current_dir }}" + state: directory + owner: consul + group: consul + mode: 0700 + loop: + - "{{ __hs_consul_home_dir }}" + - "{{ __hs_consul_data_dir }}" + loop_control: + loop_var: _current_dir + +- name: Create consul configuration directories + file: + path: "{{ __hs_consul_conf_dir }}" + state: directory + owner: root + group: consul + mode: 0750 + +- name: Create consul env file + copy: + content: "" + dest: /etc/consul.d/consul.env + owner: consul + group: consul + mode: 0750 
+ diff --git a/roles/consul/tasks/debian/_install.yml b/roles/consul/tasks/debian/_install.yml deleted file mode 100644 index cb3f0472..00000000 --- a/roles/consul/tasks/debian/_install.yml +++ /dev/null @@ -1,12 +0,0 @@ ---- -- name: Pin consul release - template: - src: "apt.preferences.j2" - dest: /etc/apt/preferences.d/consul - mode: 0640 - -- name: Install common packages - apt: - name: "{{ hs_consul_packages_list }}" - state: present - allow_downgrade: true diff --git a/roles/consul/tasks/debian/_prepare.yml b/roles/consul/tasks/debian/_prepare.yml deleted file mode 100644 index 083af205..00000000 --- a/roles/consul/tasks/debian/_prepare.yml +++ /dev/null @@ -1,43 +0,0 @@ ---- -- name: Add hashicorp apt key. - apt_key: - url: "{{ __hs_consul_hashicorp_apt_key }}" - state: present - validate_certs: true - tags: - - online - -- name: Add hashicorp repo into sources list - apt_repository: - repo: "{{ __hs_consul_hashicorp_apt_repository }}" - state: present - tags: - - online - -- name: Download common packages # noqa: command-instead-of-module - command: > - apt-get install -y --download-only {{ hs_consul_packages_list | join(' ') }} - changed_when: false - tags: - - online - -- name: Download Terraform Providers - delegate_to: localhost - run_once: true - become: false - shell: > - terraform -chdir={{ role_path }}/files/terraform init - tags: - - online - - prepare-tf-providers - -- name: Delete Terraform folder - delegate_to: localhost - run_once: true - become: false - file: - path: "{{ role_path }}/files/terraform/.terraform/" - state: absent - tags: - - online - - prepare-tf-providers diff --git a/roles/consul/tasks/debian/main.yml b/roles/consul/tasks/debian/main.yml index c4806136..2f83d31c 100644 --- a/roles/consul/tasks/debian/main.yml +++ b/roles/consul/tasks/debian/main.yml 
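Review bot: `[LOCAL] Download Consul release archive` fetches the binary that `_install.yml` later drops into `/usr/bin` with no `checksum:`, so nothing verifies the artefact beyond the TLS connection; the apt-based install this patch deletes at least relied on a GPG-signed repository, so this is a regression in supply-chain integrity. HashiCorp publishes a `consul_<version>_SHA256SUMS` file next to each archive, so add `checksum: "sha256:https://releases.hashicorp.com/consul/{{ hs_consul_version }}/consul_{{ hs_consul_version }}_SHA256SUMS"` to `get_url`; note the lookup matches on the `dest` basename, which here is `consul-<version>.zip` rather than the upstream `consul_<version>_linux_amd64.zip`, so either keep the upstream filename locally or pin the literal digest. Verifying `SHA256SUMS.sig` against HashiCorp's release key would be stronger still but needs gpg on the controller. Separately, the last task creates `/etc/consul.d/consul.env` as `consul:consul 0750`; systemd reads that file as `EnvironmentFile` for the service, so a compromised agent could rewrite its own startup environment — make it `owner: root`, `mode: 0640`, and build the path from `{{ __hs_consul_conf_dir }}` like the directory task above it.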
@@ -1,17 +1,28 @@ --- - name: Prepare - include_tasks: _prepare.yml + include_tasks: + file: "{{ role_path }}/tasks/common/_prepare.yml" + apply: + tags: prepare tags: - prepare - online + - name: Install - include_tasks: _install.yml + include_tasks: + file: "{{ role_path }}/tasks/common/_install.yml" + apply: + tags: install tags: - install + - online - name: Configure - include_tasks: _configure.yml + include_tasks: + file: "{{ role_path }}/tasks/common/_configure.yml" + apply: + tags: configure when: __hs_consul_is_master tags: - configure diff --git a/roles/consul/tasks/main.yml b/roles/consul/tasks/main.yml index 7e5b8c78..27d99a4b 100644 --- a/roles/consul/tasks/main.yml +++ b/roles/consul/tasks/main.yml @@ -1,10 +1,4 @@ --- -- name: Create local facts directory - file: - path: /etc/ansible/facts.d - recurse: true - state: directory - - name: Load os-specific vars include_vars: "{{ _current_os_vars }}" with_first_found: @@ -48,12 +42,7 @@ include_tasks: _tf_configure.yml - name: "Include _configure tasks" - include_tasks: "{{ _current_os_tasks }}" - with_first_found: - - skip: true - files: "{{ __hs_role_configure_precedence }}" - loop_control: - loop_var: _current_os_tasks + include_tasks: "common/_configure.yml" tags: configure - name: Flush before leaving 
@@ -68,27 +57,17 @@ when: __hs_consul_is_minion - name: Execute os-specific _consul_masters tasks - include_tasks: "{{ _current_os_tasks }}" - with_first_found: - - skip: true - files: "{{ __hs_role_configure_masters_precedence }}" - loop_control: - loop_var: _current_os_tasks + include_tasks: "common/_consul_masters.yml" when: __hs_consul_is_master tags: - hs_consul_masters - name: Execute os-specific _consul_minions tasks - include_tasks: "{{ _current_os_tasks }}" - with_first_found: - - skip: true - files: "{{ __hs_role_configure_minions_precedence }}" - loop_control: - loop_var: _current_os_tasks + include_tasks: "common/_consul_minions.yml" when: __hs_consul_is_minion tags: - hs_consul_minions -- name: Flush before leaving +- name: "Consul end-role flush" meta: flush_handlers tags: always diff --git a/roles/consul/tasks/oraclelinux/main.yml b/roles/consul/tasks/oraclelinux/main.yml new file mode 100644 index 00000000..e69de29b diff --git a/roles/consul/tasks/rocky/main.yml b/roles/consul/tasks/rocky/main.yml new file mode 100644 index 00000000..c7f596cf --- /dev/null +++ b/roles/consul/tasks/rocky/main.yml @@ -0,0 +1,31 @@ +--- +- name: Prepare + include_tasks: + file: "{{ role_path }}/tasks/common/_prepare.yml" + apply: + tags: prepare + tags: + - prepare + - online + + +- name: Install + include_tasks: + file: "{{ role_path }}/tasks/common/_install.yml" + apply: + tags: install + tags: + - install + - online + +- name: Configure + include_tasks: + file: "{{ role_path }}/tasks/common/_configure.yml" + apply: + tags: configure + when: __hs_consul_is_master + tags: + - configure + +- name: Flush + meta: flush_handlers diff --git a/roles/consul/templates/consul.hcl.j2 b/roles/consul/templates/consul.hcl.j2 index 38124f25..986ef751 100644 --- a/roles/consul/templates/consul.hcl.j2 +++ b/roles/consul/templates/consul.hcl.j2 
@@ -7,7 +7,7 @@ tls { {% if hs_consul_use_custom_ca %} ca_file = "{{ __hs_consul_ca_certificate }}" {% else %} - ca_file = "{{ hs_consul_ca_certificate }}" + ca_file = "{{ __hs_consul_system_ca_bundle }}" {% endif %} cert_file = "{{ __hs_consul_self_certificate }}" key_file = "{{ __hs_consul_self_private_key }}" @@ -17,9 +17,6 @@ tls { internal_rpc { verify_server_hostname = false } - grpc { - use_auto_cert = true - } } {% if __hs_consul_is_master %} @@ -77,7 +74,7 @@ advertise_addr = "{{ hs_consul_advertise_addr }}" addresses { dns = "127.0.0.1" - grpc = "0.0.0.0" + grpc = "0.0.0.0" https = "0.0.0.0" } @@ -93,9 +90,9 @@ performance { ports { http = -1 + grpc = -1 dns = 8600 - grpc = {{ hs_consul_grpc_port }} -# grpc_tls = {{ hs_consul_grpc_tls_port}} + grpc_tls = {{ hs_consul_grpc_tls_port}} https = {{ hs_consul_api_port }} } diff --git a/roles/consul/templates/consul.service.j2 b/roles/consul/templates/consul.service.j2 new file mode 100644 index 00000000..1d3b2093 --- /dev/null +++ b/roles/consul/templates/consul.service.j2 @@ -0,0 +1,21 @@ +[Unit] +Description="HashiCorp Consul - A service mesh solution" +Documentation=https://www.consul.io/ +Requires=network-online.target +After=network-online.target +ConditionFileNotEmpty=/etc/consul.d/consul.hcl + +[Service] +Type=notify +EnvironmentFile=-/etc/consul.d/consul.env +User=consul +Group=consul +ExecStart=/usr/bin/consul agent -config-dir=/etc/consul.d/ +ExecReload=/bin/kill --signal HUP $MAINPID +KillMode=process +KillSignal=SIGTERM +Restart=on-failure +LimitNOFILE=65536 + +[Install] +WantedBy=multi-user.target diff --git a/roles/consul/vars/debian.yml b/roles/consul/vars/debian.yml index 9ce7767f..1c316ef9 100644 --- a/roles/consul/vars/debian.yml +++ b/roles/consul/vars/debian.yml 
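Review bot: The new `consul.service.j2` unit carries no sandboxing directives, so although the agent runs as `consul` it keeps write access to the filesystem outside root-owned paths and can still gain privileges through setuid binaries. Given the agent only needs `/etc/consul.d`, the `ssl-cert`-readable key in `/etc/ssl/private` and its data dir under `/opt/consul`, add under `[Service]` at least `NoNewPrivileges=true`, `ProtectSystem=full` and `PrivateTmp=true`; `ProtectHome=true` should also be safe unless something is written outside the data dir. `ConditionFileNotEmpty=/etc/consul.d/consul.hcl` and the `-config-dir=/etc/consul.d/` argument also hard-code the path the role otherwise derives from `__hs_consul_conf_dir`/`__hs_consul_conf_file`, so render them from those variables to keep a single source of truth.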
@@ -1,5 +1,6 @@ --- -__hs_consul_hashicorp_apt_key: >- - https://apt.releases.hashicorp.com/gpg -__hs_consul_hashicorp_apt_repository: >- - deb [arch=amd64] https://apt.releases.hashicorp.com {{ ansible_distribution_release }} main +__hs_consul_certs_truststore_dir: "/usr/local/share/ca-certificates" +__hs_consul_update_trust_command: >- + update-ca-certificates +__hs_consul_system_ca_bundle: "/etc/ssl/certs/ca-certificates.crt" + diff --git a/roles/consul/vars/main.yml b/roles/consul/vars/main.yml index f32fd23a..12a7eaf5 100644 --- a/roles/consul/vars/main.yml +++ b/roles/consul/vars/main.yml @@ -30,20 +30,6 @@ __hs_role_configure_precedence: - "{{ __hs_consul_precedence_marks[3] }}/_configure.yml" - "{{ __hs_consul_precedence_marks[4] }}/_configure.yml" -__hs_role_configure_masters_precedence: - - "{{ __hs_consul_precedence_marks[0] }}/_consul_masters.yml" - - "{{ __hs_consul_precedence_marks[1] }}/_consul_masters.yml" - - "{{ __hs_consul_precedence_marks[2] }}/_consul_masters.yml" - - "{{ __hs_consul_precedence_marks[3] }}/_consul_masters.yml" - - "{{ __hs_consul_precedence_marks[4] }}/_consul_masters.yml" - -__hs_role_configure_minions_precedence: - - "{{ __hs_consul_precedence_marks[0] }}/_consul_minions.yml" - - "{{ __hs_consul_precedence_marks[1] }}/_consul_minions.yml" - - "{{ __hs_consul_precedence_marks[2] }}/_consul_minions.yml" - - "{{ __hs_consul_precedence_marks[3] }}/_consul_minions.yml" - - "{{ __hs_consul_precedence_marks[4] }}/_consul_minions.yml" - __hs_consul_is_master: >- {{ inventory_hostname in groups[__hs_consul_inventory_masters_group] 
@@ -59,18 +45,18 @@ __hs_consul_is_multi_nodes: >- __hs_consul_tls_dir: "/etc/ssl/private" __hs_consul_ssl_cert_group: "ssl-cert" -__hs_consul_conf_file: "/etc/consul.d/consul.hcl" -__hs_consul_data_dir: "/opt/consul/data" +__hs_consul_home_dir: "/opt/consul" +__hs_consul_data_dir: "{{ __hs_consul_home_dir }}/data" +__hs_consul_conf_dir: "/etc/consul.d" +__hs_consul_conf_file: "{{ __hs_consul_conf_dir }}/consul.hcl" __hs_consul_expected_directories: - "{{ __hs_consul_data_dir }}" -__hs_consul_home: "/home/consul" __hs_consul_self_private_key: "{{ __hs_consul_tls_dir }}/self.cert.key" __hs_consul_self_certificate: "{{ __hs_consul_tls_dir }}/self.fullchain.cert.pem" -__hs_consul_ca_certificate_dir: "/usr/local/share/ca-certificates" -__hs_consul_ca_certificate: "{{ __hs_consul_ca_certificate_dir }}/consul.ca.crt" -__hs_consul_vault_root_ca_certificate: "{{ __hs_consul_ca_certificate_dir }}/vault.root_ca.crt" +__hs_consul_ca_certificate: "{{ __hs_consul_certs_truststore_dir }}/consul.ca.crt" +__hs_consul_vault_root_ca_certificate: "{{ __hs_consul_certs_truststore_dir }}/vault.root_ca.crt" __hs_consul_encrypt_key_local_path: "{{ hs_consul_local_secrets_dir }}/consul.encrypt_key" __hs_consul_encrypt_key: >- @@ -98,3 +84,10 @@ __hs_consul_bootstrap_is_appliable: >- or not ansible_local.hs_consul.role_applied ) }} + + +__hs_consul_archive_url: >- + https://releases.hashicorp.com/consul/{{ hs_consul_version }}/consul_{{ hs_consul_version }}_linux_amd64.zip +__hs_consul_archive_filename: "consul-{{ hs_consul_version }}.zip" +__hs_consul_local_archive_path: "{{ hs_consul_local_cache_dir }}/{{ __hs_consul_archive_filename }}" +__hs_consul_license_file: "{{ __hs_consul_conf_dir }}/consul.license" diff --git a/roles/consul/vars/rocky.yml b/roles/consul/vars/rocky.yml new file mode 100644 index 00000000..0063a6c0 --- /dev/null +++ b/roles/consul/vars/rocky.yml 
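Review bot: `__hs_consul_archive_url` hard-codes `linux_amd64`, so on an aarch64 Rocky or Debian host the role installs a binary that cannot execute; the deleted apt repository also pinned `arch=amd64`, so this is not a regression, but the URL is now the only place the architecture is decided. Derive it from the target, e.g. `{{ {'x86_64': 'amd64', 'aarch64': 'arm64'}[ansible_architecture] }}` in both the URL and `__hs_consul_archive_filename`, bearing in mind the download task is `run_once` on localhost and would need to loop per distinct architecture. `__hs_consul_license_file` is defined here but not referenced in the hunks shown; if it is reserved for an enterprise feature, a comment saying so would stop it looking like dead code.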
@@ -0,0 +1,6 @@ +--- +__hs_consul_certs_truststore_dir: "/etc/pki/ca-trust/source/anchors" +__hs_consul_update_trust_command: >- + update-ca-trust extract +__hs_consul_system_ca_bundle: "/etc/ssl/cert.pem" + diff --git a/roles/envoy/defaults/main.yml b/roles/envoy/defaults/main.yml index bffc389c..5ee7b6b6 100644 --- a/roles/envoy/defaults/main.yml +++ b/roles/envoy/defaults/main.yml @@ -5,4 +5,4 @@ # # ## Defaults # -envoy_version: "1.23.1" +envoy_version: "1.27.2" diff --git a/roles/envoy/tasks/debian/_configure.yml b/roles/envoy/tasks/common/_configure.yml similarity index 98% rename from roles/envoy/tasks/debian/_configure.yml rename to roles/envoy/tasks/common/_configure.yml index e2617b34..0e02e4e9 100644 --- a/roles/envoy/tasks/debian/_configure.yml +++ b/roles/envoy/tasks/common/_configure.yml @@ -3,3 +3,4 @@ debug: msg: "Starting role configuration phase" verbosity: 1 + diff --git a/roles/envoy/tasks/debian/_install.yml b/roles/envoy/tasks/common/_install.yml similarity index 99% rename from roles/envoy/tasks/debian/_install.yml rename to roles/envoy/tasks/common/_install.yml index 53cbd946..f5e29cd6 100644 --- a/roles/envoy/tasks/debian/_install.yml +++ b/roles/envoy/tasks/common/_install.yml @@ -10,3 +10,4 @@ dest: /usr/local/bin/envoy mode: 0755 remote_src: true + diff --git a/roles/envoy/tasks/debian/_prepare.yml b/roles/envoy/tasks/common/_prepare.yml similarity index 59% rename from roles/envoy/tasks/debian/_prepare.yml rename to roles/envoy/tasks/common/_prepare.yml index 6f005806..9ddf4f51 100644 --- a/roles/envoy/tasks/debian/_prepare.yml +++ b/roles/envoy/tasks/common/_prepare.yml @@ -1,13 +1,9 @@ --- - name: Prepare debug: - msg: "Starting role preparation phase" + msg: "Starting role configuration phase" verbosity: 1 -- name: Uninstall existing apt packages - apt: - name: "getenvoy-envoy" - state: absent - name: Get envoy binary release get_url: 
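Review bot: The `Prepare` step's debug message in `common/_prepare.yml` was changed to `Starting role configuration phase`, which is the text `common/_configure.yml` already prints, so verbose output now labels the preparation phase as configuration; this reads like a slip while merging the per-OS files, and the line should stay `msg: "Starting role preparation phase"`. The `get_url` that fetches the envoy binary continues past the end of this hunk, so I can't see whether a `checksum:` is set — for a file that ends up in `/usr/local/bin/envoy` (per `_install.yml` in this patch) a pinned sha256 is worth confirming, since otherwise the `envoy_version` bump is the only thing tying the download to a known artifact.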
diff --git a/roles/envoy/tasks/debian/main.yml b/roles/envoy/tasks/debian/main.yml index beca7bb5..6ecaaf2c 100644 --- a/roles/envoy/tasks/debian/main.yml +++ b/roles/envoy/tasks/debian/main.yml @@ -1,16 +1,34 @@ --- +- name: Uninstall existing apt packages + apt: + name: "getenvoy-envoy" + state: absent + - name: Prepare - include_tasks: _prepare.yml + include_tasks: + file: "{{ role_path }}/tasks/common/_prepare.yml" + apply: + tags: prepare tags: - prepare - online + - name: Install - include_tasks: _install.yml + include_tasks: + file: "{{ role_path }}/tasks/common/_install.yml" + apply: + tags: install tags: - install + - online - name: Configure - include_tasks: _configure.yml + include_tasks: + file: "{{ role_path }}/tasks/common/_configure.yml" + apply: + tags: configure + when: __hs_consul_is_master tags: - configure + diff --git a/roles/envoy/tasks/rocky/main.yml b/roles/envoy/tasks/rocky/main.yml new file mode 100644 index 00000000..7f44a73c --- /dev/null +++ b/roles/envoy/tasks/rocky/main.yml @@ -0,0 +1,30 @@ +--- +- name: Prepare + include_tasks: + file: "{{ role_path }}/tasks/common/_prepare.yml" + apply: + tags: prepare + tags: + - prepare + - online + + +- name: Install + include_tasks: + file: "{{ role_path }}/tasks/common/_install.yml" + apply: + tags: install + tags: + - install + - online + +- name: Configure + include_tasks: + file: "{{ role_path }}/tasks/common/_configure.yml" + apply: + tags: configure + when: __hs_consul_is_master + tags: + - configure + + diff --git a/roles/grafana/tasks/debian/_configure.yml b/roles/grafana/tasks/debian/_configure.yml index 34ec7b23..18c1a4ee 100644 --- a/roles/grafana/tasks/debian/_configure.yml +++ b/roles/grafana/tasks/debian/_configure.yml @@ -130,7 +130,7 @@ when: tf_action == 'apply' - name: COMMON - Do Terraform - community.general.terraform: + cloud.terraform.terraform: project_path: "{{ tf_module_dest }}" state: "{{ (tf_action == 'destroy') | ternary('absent', 'present') }}" force_init: true 
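Review bot: Both new `main.yml` files (Debian and Rocky) gate `Configure` on `__hs_consul_is_master`, a double-underscore, role-internal fact from `roles/consul/vars/main.yml`; the envoy role therefore only works when the consul role's `vars/` were loaded earlier in the same play, and run on its own it fails with an undefined-variable error (or silently never configures, depending on the undefined-variable setting). Give envoy its own public knob instead — e.g. a default naming the masters inventory group with `when: inventory_hostname in groups[<that variable>]` — and `assert` it is set. Separately, `Install` gained the `online` tag, but `common/_install.yml` (earlier in this patch) only copies the already-fetched archive with `remote_src: true`, so an offline run that skips `online` would now skip the install as well; confirm that is intended, since `Prepare` is where the `get_url` lives.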
diff --git a/roles/stage0/tasks/_terraform.yml b/roles/stage0/tasks/_terraform.yml index 0c592ba4..4f730de5 100644 --- a/roles/stage0/tasks/_terraform.yml +++ b/roles/stage0/tasks/_terraform.yml @@ -7,7 +7,7 @@ - tf - name: "Do Terraform {{ tf_action }}" - community.general.terraform: + cloud.terraform.terraform: project_path: "{{ __hs_stage0_terraform_module_work_dir }}" state: "{{ __hs_stage0_state }}" force_init: "{{ hs_tf_init | default(true) }}" diff --git a/roles/stage0/templates/multi/out.stage0.hashistack.yml.j2 b/roles/stage0/templates/multi/out.stage0.hashistack.yml.j2 index 561bbdc3..38c5bc39 100644 --- a/roles/stage0/templates/multi/out.stage0.hashistack.yml.j2 +++ b/roles/stage0/templates/multi/out.stage0.hashistack.yml.j2 @@ -19,14 +19,14 @@ glxclans_dns_recursion: true glxclans_dns_allow_query: ['any'] glxclans_dns_allow_recursion: ['127.0.0.1'] glxclans_dns_forwarders: - - "{{ hostvars[groups['hashistack_sre'][0]].ansible_ens5.ipv4.address }}" + - "{{ hostvars[groups['hashistack_sre'][0]].ansible_default_ipv4.address }}" glxclans_dns_views: - name: default glxclans_dns_zone_domains: - name: "{{ public_domain }}" type: forward forwarders: - - "{{ hostvars[groups['hashistack_sre'][0]].ansible_ens5.ipv4.address }}" + - "{{ hostvars[groups['hashistack_sre'][0]].ansible_default_ipv4.address }}" - name: "consul" type: forward forwarders: diff --git a/roles/stage0/templates/multi/out.stage0.hashistack_sre.yml.j2 b/roles/stage0/templates/multi/out.stage0.hashistack_sre.yml.j2 index 270ad540..4eb1937a 100644 --- a/roles/stage0/templates/multi/out.stage0.hashistack_sre.yml.j2 +++ b/roles/stage0/templates/multi/out.stage0.hashistack_sre.yml.j2 
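Review bot: `ansible_default_ipv4.address` is the address of whichever interface holds the default route; on cloud hosts whose default route sits on a NIC with a routed public IP that is the public address, not the private one `ansible_ens5` used to select, so `glxclans_dns_forwarders` would point the hashistack hosts at the SRE node's public IP and resolver traffic would leave the private network. If the inventories this renders for guarantee the default route is on the private interface, say so in a comment above `glxclans_dns_forwarders`; otherwise derive the forwarder from an explicit private address (the offline SRE template in this same patch has `private_ipv4: "{{ sre_ipv4 }}"`, which looks like the intended source) rather than from routing. The same substitution in the `stage0_offline` template and in `stage1_dns` later in this patch carries the same caveat.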
@@ -3,7 +3,7 @@ public_ipv4: "{{ sre_ipv4 }}" public_ipv6: "{{ sre_ipv6 }}" {% raw %} -_private_cidr: "{{ (ansible_ens5.ipv4.network + '/' + ansible_ens5.ipv4.netmask) | ansible.utils.ipaddr('net') }}" +_private_cidr: "{{ (ansible_default_ipv4.network + '/' + ansible_default_ipv4.netmask) | ansible.utils.ipaddr('net') }}" acme_domains: - cn: "*.{{ public_domain }}" zone: "{{ public_domain }}" diff --git a/roles/stage0_offline/templates/multi/out.stage0.hashistack.yml.j2 b/roles/stage0_offline/templates/multi/out.stage0.hashistack.yml.j2 index 11d1005b..fa8bef56 100644 --- a/roles/stage0_offline/templates/multi/out.stage0.hashistack.yml.j2 +++ b/roles/stage0_offline/templates/multi/out.stage0.hashistack.yml.j2 @@ -19,14 +19,14 @@ bind_recursion: true bind_allow_query: ['any'] bind_allow_recursion: ['127.0.0.1'] bind_forwarders: - - "{{ hostvars[groups['hashistack_sre'][0]].ansible_ens5.ipv4.address }}" + - "{{ hostvars[groups['hashistack_sre'][0]].ansible_default_ipv4.address }}" bind_views: - name: default bind_zone_domains: - name: "{{ public_domain }}" type: forward forwarders: - - "{{ hostvars[groups['hashistack_sre'][0]].ansible_ens5.ipv4.address }}" + - "{{ hostvars[groups['hashistack_sre'][0]].ansible_default_ipv4.address }}" - name: "consul" type: forward forwarders: @@ -62,4 +62,4 @@ hs_vault_use_custom_ca: true hs_consul_use_custom_ca: true hs_nomad_use_custom_ca: true hs_grafana_use_custom_ca: true -{% endraw %} \ No newline at end of file +{% endraw %} diff --git a/roles/stage0_offline/templates/multi/out.stage0.hashistack_sre.yml.j2 b/roles/stage0_offline/templates/multi/out.stage0.hashistack_sre.yml.j2 index b996071c..30f43196 100644 --- a/roles/stage0_offline/templates/multi/out.stage0.hashistack_sre.yml.j2 +++ b/roles/stage0_offline/templates/multi/out.stage0.hashistack_sre.yml.j2 
@@ -2,7 +2,7 @@ private_ipv4: "{{ sre_ipv4 }}" public_ipv4: "{{ sre_ipv4 }}" {% raw %} -_private_cidr: "{{ (ansible_ens5.ipv4.network + '/' + ansible_ens5.ipv4.netmask) | ansible.utils.ipaddr('net') }}" +_private_cidr: "{{ (ansible_default_ipv4.network + '/' + ansible_default_ipv4.netmask) | ansible.utils.ipaddr('net') }}" acme_domains: - cn: "*.{{ public_domain }}" zone: "{{ public_domain }}" diff --git a/roles/stage1_bootstrap/tasks/debian/_normalize.yml b/roles/stage1_bootstrap/tasks/common/_normalize.yml similarity index 99% rename from roles/stage1_bootstrap/tasks/debian/_normalize.yml rename to roles/stage1_bootstrap/tasks/common/_normalize.yml index 653dd12f..8858b8e1 100644 --- a/roles/stage1_bootstrap/tasks/debian/_normalize.yml +++ b/roles/stage1_bootstrap/tasks/common/_normalize.yml @@ -18,3 +18,4 @@ } dest: /etc/logrotate.d/system-log.conf mode: 0600 + diff --git a/roles/stage1_bootstrap/tasks/debian/_reboot.yml b/roles/stage1_bootstrap/tasks/common/_reboot.yml similarity index 99% rename from roles/stage1_bootstrap/tasks/debian/_reboot.yml rename to roles/stage1_bootstrap/tasks/common/_reboot.yml index 86118db4..2bfed4b3 100644 --- a/roles/stage1_bootstrap/tasks/debian/_reboot.yml +++ b/roles/stage1_bootstrap/tasks/common/_reboot.yml @@ -9,3 +9,4 @@ - name: Gather facts setup: + diff --git a/roles/stage1_bootstrap/tasks/debian/main.yml b/roles/stage1_bootstrap/tasks/debian/main.yml index d4106746..3c6053cd 100644 --- a/roles/stage1_bootstrap/tasks/debian/main.yml +++ b/roles/stage1_bootstrap/tasks/debian/main.yml @@ -5,7 +5,10 @@ - prepare - name: Normalize - include_tasks: _normalize.yml + include_tasks: + file: "{{ role_path }}/tasks/common/_normalize.yml" + apply: + tags: normalize tags: - normalize @@ -17,6 +20,10 @@ - always - name: Connect with service user and finalize with reboot - include_tasks: _reboot.yml + include_tasks: + file: "{{ role_path }}/tasks/common/_reboot.yml" + apply: + tags: reboot tags: - reboot + 
diff --git a/roles/stage1_bootstrap/tasks/rocky/_system_update.yml b/roles/stage1_bootstrap/tasks/rocky/_system_update.yml new file mode 100644 index 00000000..574dcff1 --- /dev/null +++ b/roles/stage1_bootstrap/tasks/rocky/_system_update.yml @@ -0,0 +1,5 @@ +--- +- name: Update all system packages + dnf: + name: "*" + state: latest diff --git a/roles/stage1_bootstrap/tasks/rocky/main.yml b/roles/stage1_bootstrap/tasks/rocky/main.yml new file mode 100644 index 00000000..6f0020c7 --- /dev/null +++ b/roles/stage1_bootstrap/tasks/rocky/main.yml @@ -0,0 +1,24 @@ +--- +- name: Normalize + include_tasks: + file: "{{ role_path }}/tasks/common/_normalize.yml" + apply: + tags: normalize + tags: + - normalize + +- name: System Update + include_tasks: _system_update.yml + tags: + - system_update + - online + - always + +- name: Connect with service user and finalize with reboot + include_tasks: + file: "{{ role_path }}/tasks/common/_reboot.yml" + apply: + tags: reboot + tags: + - reboot + diff --git a/roles/stage1_dns/handlers/main.yml b/roles/stage1_dns/handlers/main.yml index ee1c97a1..164e4398 100644 --- a/roles/stage1_dns/handlers/main.yml +++ b/roles/stage1_dns/handlers/main.yml @@ -7,3 +7,12 @@ when: molecule_yml is not defined tags: - restart_networking + +- name: Restart resolved + systemd: + name: "systemd-resolved" + state: restarted + enabled: true + when: molecule_yml is not defined + tags: + - restart_networking diff --git a/roles/stage1_dns/tasks/_common/_init.yml b/roles/stage1_dns/tasks/_common/_init.yml index 5ce583b0..235285c6 100644 --- a/roles/stage1_dns/tasks/_common/_init.yml +++ b/roles/stage1_dns/tasks/_common/_init.yml @@ -7,7 +7,7 @@ | union([ { 'name': (_current_host), - 'ip': (hostvars[_current_host].ansible_ens5.ipv4.address), + 'ip': (hostvars[_current_host].ansible_default_ipv4.address), 'ttl': 300 } ]) diff --git a/roles/stage1_dns/tasks/debian_12/main.yml b/roles/stage1_dns/tasks/debian_12/main.yml index e4320a24..1315bf42 100644 
--- a/roles/stage1_dns/tasks/debian_12/main.yml +++ b/roles/stage1_dns/tasks/debian_12/main.yml @@ -10,7 +10,7 @@ tags: - init -- name: System Update +- name: Install DNS authority include_role: name: rtnp.galaxie_clans.dns tags: diff --git a/roles/stage1_dns/tasks/rocky/main.yml b/roles/stage1_dns/tasks/rocky/main.yml new file mode 100644 index 00000000..4eba38ad --- /dev/null +++ b/roles/stage1_dns/tasks/rocky/main.yml @@ -0,0 +1,50 @@ +--- +- name: Init + include_tasks: "{{ role_path }}/tasks/_common/_init.yml" + tags: + - init + +- name: Install DNS authority + include_role: + name: rtnp.galaxie_clans.dns + tags: + - install + +- name: Override dns autoconf + lineinfile: + path: /etc/systemd/resolved.conf + regex: >- + ^DNS=.*$ + line: >- + DNS=127.0.0.1 + insertafter: >- + \[Resolve\] + notify: Restart resolved + +- name: Force networkmanager into resolved + lineinfile: + path: /etc/NetworkManager/NetworkManager.conf + regex: >- + ^dns=.*$ + line: >- + dns=systemd-resolved + insertafter: >- + \[main\] + notify: Restart networking + +- name: Force networkmanager into resolved + file: + src: /run/NetworkManager/resolv.conf + path: /etc/resolv.conf + state: link + force: true + notify: Restart networking + + + +- name: Extract info + include_tasks: "{{ role_path }}/tasks/_common/_extract.yml" + when: inventory_hostname in groups['hashistack_sre'] + tags: + - extract + diff --git a/roles/stage1_dns/templates/_internal_zone.yml.j2 b/roles/stage1_dns/templates/_internal_zone.yml.j2 index 9bea752f..b876b648 100644 --- a/roles/stage1_dns/templates/_internal_zone.yml.j2 +++ b/roles/stage1_dns/templates/_internal_zone.yml.j2 @@ -3,12 +3,12 @@ _internal_zone_hosts: {{ [{ 'name': '', - 'ip': ansible_ens5.ipv4.address, + 'ip': ansible_default_ipv4.address, 'ttl': 300 }, { 'name': 'ns', - 'ip': ansible_ens5.ipv4.address, + 'ip': ansible_default_ipv4.address, 'ttl': 300, 'aliases': ['grafana','loki','prometheus','consul'] }] | union(_local_zone) | to_nice_yaml(indent=2) 
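Review bot: Setting `DNS=127.0.0.1` in the global `[Resolve]` section is not enough to make systemd-resolved use the local bind: as I read resolved.conf(5), global servers are only consulted for queries not routed to a link, and with NetworkManager now feeding resolved (`dns=systemd-resolved`) the default-route link still carries the DHCP-provided resolvers, so lookups keep going to the provider's DNS and bypass the authority this role just installed. Add `Domains=~.` to the same section (or set `ipv4.ignore-auto-dns=yes` on the NM connection) so the global server becomes a route for every domain. Two of the new tasks share the name `Force networkmanager into resolved`; the second one links `/etc/resolv.conf`, and naming it that way keeps `--list-tasks` and failure output readable. With NM in resolved mode the conventional link target is `/run/systemd/resolve/stub-resolv.conf`; pointing at `/run/NetworkManager/resolv.conf` presumably relies on NM writing the 127.0.0.53 stub there, which is worth confirming on a Rocky box.
```yaml
- name: Route every lookup through the global resolver
  lineinfile:
    path: /etc/systemd/resolved.conf
    regex: >-
      ^Domains=.*$
    line: >-
      Domains=~.
    insertafter: >-
      ^DNS=
  notify: Restart resolved
```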
@@ -25,6 +25,6 @@ internal_zone: - ns allow_query: - "127.0.0.1" - - "{{ (ansible_ens5.ipv4.network + '/' + ansible_ens5.ipv4.netmask) | ansible.utils.ipaddr('net') }}" + - "{{ (ansible_default_ipv4.network + '/' + ansible_default_ipv4.netmask) | ansible.utils.ipaddr('net') }}" hosts: "{{ _internal_zone_hosts }}" {% endraw %} diff --git a/roles/stage1_dns/vars/rocky.yml b/roles/stage1_dns/vars/rocky.yml new file mode 100644 index 00000000..be8bba4f --- /dev/null +++ b/roles/stage1_dns/vars/rocky.yml @@ -0,0 +1,13 @@ +--- +hs_stage1_dns_network_service: NetworkManager +__glxclans_dns_gname: "bind" +bind_packages: + - bind9 + - bind9-utils + - python3-netaddr + +# Localhost zone +__glxclans_dns_default_zone_files: + - /etc/bind/named.conf.default-zones +__glxclans_dns_service_name: "bind9" +__glxclans_dns_config_file: /etc/bind/named.conf diff --git a/roles/stage1_pip/tasks/oraclelinux/main.yml b/roles/stage1_pip/tasks/oraclelinux/main.yml new file mode 100644 index 00000000..e69de29b diff --git a/roles/stage1_pip/tasks/rocky/_install.yml b/roles/stage1_pip/tasks/rocky/_install.yml new file mode 100644 index 00000000..d410e1bd --- /dev/null +++ b/roles/stage1_pip/tasks/rocky/_install.yml @@ -0,0 +1,10 @@ +--- +- name: 'Ensure not exists {{ pip_root_folder_external }}' + file: + path: '{{ pip_root_folder_external }}' + state: absent + +- name: Install Python packages # noqa: command-instead-of-module command-instead-of-shell + shell: > + pip install --no-index --find-links=/var/cache/pip/ {{ packages_list | join(' ') }} + diff --git a/roles/stage1_pip/tasks/rocky/_prepare.yml b/roles/stage1_pip/tasks/rocky/_prepare.yml new file mode 100644 index 00000000..6b6b9e87 --- /dev/null +++ b/roles/stage1_pip/tasks/rocky/_prepare.yml 
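Review bot: `allow_query` now admits the entire network of the default-route interface; where that interface carries the public IP, the rendered ACL is the provider's public block rather than the private range `ansible_ens5` implied, so other tenants in the same block could query the internal zone (which also publishes the `grafana`, `loki`, `prometheus` and `consul` aliases). If the default route is always on the private NIC in these inventories, a comment above this entry saying so will stop the next reader from re-raising it; otherwise compute the CIDR from an explicit private-interface or private-CIDR variable. `_private_cidr` in the two stage0 `hashistack_sre` templates earlier in this patch is derived the same way and has the same caveat.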
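Review bot: `roles/stage1_dns/vars/rocky.yml` still carries the Debian identifiers — packages `bind9`/`bind9-utils`, service `bind9`, `/etc/bind/named.conf` and `/etc/bind/named.conf.default-zones` — none of which exist in Rocky's repositories or filesystem layout, where the equivalents are `bind`, `bind-utils`, the `named` unit, `/etc/named.conf` and `/etc/named.rfc1912.zones`; unless these come from a custom repository (not shown), `dnf` fails on the first package and `Install DNS authority` never completes. `__glxclans_dns_gname: "bind"` is correct for Rocky, which suggests the remaining values were pasted from the Debian vars. How `rtnp.galaxie_clans.dns` consumes `__glxclans_dns_default_zone_files` isn't visible, so check that role before adopting the zone file below.
```yaml
bind_packages:
  - bind
  - bind-utils
  - python3-netaddr

# Localhost/loopback zones on RHEL-family systems live in named.rfc1912.zones
__glxclans_dns_default_zone_files:
  - /etc/named.rfc1912.zones
__glxclans_dns_service_name: "named"
__glxclans_dns_config_file: /etc/named.conf
```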
@@ -0,0 +1,12 @@ +--- +- name: Install dependencies for duplicity + package: + name: librsync-devel + state: present + +- name: Download python packages # noqa: command-instead-of-module + shell: > + pip wheel --wheel-dir /var/cache/pip {{ packages_list | join(' ') }} + tags: + - online + diff --git a/roles/stage1_pip/tasks/rocky/main.yml b/roles/stage1_pip/tasks/rocky/main.yml new file mode 100644 index 00000000..3a659714 --- /dev/null +++ b/roles/stage1_pip/tasks/rocky/main.yml @@ -0,0 +1,12 @@ +--- +- name: Prepare + include_tasks: _prepare.yml + tags: + - prepare + - online + +- name: Install + include_tasks: _install.yml + tags: + - install + diff --git a/roles/stage1_rproxy/tasks/debian/_configure.yml b/roles/stage1_rproxy/tasks/common/_configure.yml similarity index 88% rename from roles/stage1_rproxy/tasks/debian/_configure.yml rename to roles/stage1_rproxy/tasks/common/_configure.yml index bdf36204..ca1e8ee2 100644 --- a/roles/stage1_rproxy/tasks/debian/_configure.yml +++ b/roles/stage1_rproxy/tasks/common/_configure.yml @@ -33,3 +33,10 @@ rndc sync -clean {{ public_domain }} IN default when: - molecule_yml is not defined + +- name: Ensure nginx user belong to ssl-cert group + user: + name: nginx + groups: + - ssl-cert + append: true diff --git a/roles/stage1_rproxy/tasks/debian/main.yml b/roles/stage1_rproxy/tasks/debian/main.yml index 4d098e65..44452cb8 100644 --- a/roles/stage1_rproxy/tasks/debian/main.yml +++ b/roles/stage1_rproxy/tasks/debian/main.yml @@ -1,6 +1,6 @@ --- - name: Configure - include_tasks: _configure.yml + include_tasks: "{{ role_path }}/tasks/common/_configure.yml" tags: - configure - rproxy diff --git a/roles/stage1_rproxy/tasks/rocky/main.yml b/roles/stage1_rproxy/tasks/rocky/main.yml new file mode 100644 index 00000000..d514cd3d --- /dev/null +++ b/roles/stage1_rproxy/tasks/rocky/main.yml 
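Review bot: `pip wheel --wheel-dir /var/cache/pip {{ packages_list | join(' ') }}` resolves `packages_list` against PyPI at whatever versions are current when the `online` phase runs, and the offline `pip install --no-index` in `_install.yml` (same patch) then trusts whatever landed in the cache; no version pins or `--require-hashes` are visible, so the installed set isn't reproducible and a yanked or compromised upstream release flows straight through. `packages_list` is defined outside this diff — if it already carries `==` pins that is partly mitigated, but hashes are what actually protect the offline step. Suggest a hash-pinned requirements file (`pip wheel --wheel-dir /var/cache/pip --require-hashes -r requirements.txt`) and `command` with `argv` instead of `shell`, so list entries are never interpolated into `sh`.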
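Review bot: The new task in `common/_configure.yml` adds an account literally named `nginx` to `ssl-cert`, but this file is now included from `debian/main.yml` as well, where the packaged nginx worker runs as `www-data`; since the `user` module creates missing accounts, on Debian this creates an unrelated `nginx` user rather than granting the worker anything (unless the Debian path installs a non-packaged nginx that uses a `nginx` user — not visible here). Parameterize the worker user through the per-OS `vars/` files instead of hard-coding it. Note also that `ssl-cert` membership reads every key in `/etc/ssl/private`, which per `roles/consul/vars/main.yml` in this patch includes consul's `self.cert.key`; if the proxy only needs the ACME wildcard key, a per-file ACL or a dedicated group is tighter than the shared group.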
@@ -0,0 +1,16 @@ +--- +- name: Configure + include_tasks: "{{ role_path }}/tasks/common/_configure.yml" + tags: + - configure + - rproxy + +- name: Set httpd_can_network_connect flag on and keep it persistent across reboots + ansible.posix.seboolean: + name: "{{ _current_selinux_bool }}" + state: true + persistent: true + loop: + - httpd_can_network_connect + loop_control: + loop_var: _current_selinux_bool diff --git a/roles/vault/tasks/common/_prepare.yml b/roles/vault/tasks/common/_prepare.yml index 7ee24913..982f321b 100644 --- a/roles/vault/tasks/common/_prepare.yml +++ b/roles/vault/tasks/common/_prepare.yml @@ -7,14 +7,42 @@ become: false delegate_to: localhost run_once: true + tags: + - online + +- name: "[LOCAL] Download Terraform Providers" + delegate_to: localhost + run_once: true + become: false + shell: > + terraform -chdir={{ role_path }}/files/consul_service_mesh_ca init + tags: + - online + - prepare-tf-providers + +- name: "[LOCAL] Clean Terraform temporary files" + delegate_to: localhost + run_once: true + become: false + file: + path: "{{ _current_tmp_vault_file }}" + state: absent + loop: + - "{{ role_path }}/files/consul_service_mesh_ca/.terraform/" + - "{{ role_path }}/files/consul_service_mesh_ca/.terraform.lock.hcl" + loop_control: + loop_var: _current_tmp_vault_file + tags: + - online + - prepare-tf-providers -- name: Create ssl-cert system group +- name: "Create ssl-cert system group" group: name: "{{ __hs_vault_ssl_cert_group }}" system: true state: present -- name: Adjust tls dir permissions +- name: "Adjust tls dir permissions" file: path: "{{ __hs_vault_tls_dir }}" owner: root @@ -22,13 +50,13 @@ mode: 0750 state: directory -- name: Create vault system group +- name: "Create vault system group" group: name: vault system: true state: present -- name: Create vault system user +- name: "Create vault system user" user: name: vault system: true 
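Review bot: `httpd_can_network_connect` lets anything in `httpd_t` open outbound TCP connections to any host and port; for a reverse proxy the narrower `httpd_can_network_relay` (outbound only to the http/https/proxy port types) is the usual least-privilege choice. Whether relay suffices depends on the upstream ports, which aren't visible here — consul- and vault-style ports are not in `http_port_t` by default, so either label them (`semanage port -a -t http_port_t -p tcp <port>`) and use the relay boolean, or keep `connect` and add a comment recording why the broad boolean is required. The single-element `loop` could also simply be `name: httpd_can_network_connect`.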
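Review bot: The relocated `[LOCAL] Download Terraform Providers` / `Clean Terraform temporary files` pair runs `terraform init` and then deletes `.terraform.lock.hcl` together with `.terraform/`, which throws away the provider hashes that init just recorded; every later `cloud.terraform.terraform` run with `force_init` therefore re-resolves providers unpinned (presumably from a plugin cache, which isn't visible). If the goal is to warm a cache for offline use, keep the lock file (commit it under `files/consul_service_mesh_ca/`) and remove only `.terraform/`, so the air-gapped run verifies provider versions and hashes instead of accepting whatever is cached. These tasks are moved rather than new, so this can be a follow-up.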
@@ -66,29 +94,3 @@ group: vault mode: 0750 -- name: "[LOCAL] Download Terraform Providers" - delegate_to: localhost - run_once: true - become: false - shell: > - terraform -chdir={{ role_path }}/files/consul_service_mesh_ca init - tags: - - online - - prepare-tf-providers - -- name: "[LOCAL] Clean Terraform temporary files" - delegate_to: localhost - run_once: true - become: false - file: - path: "{{ _current_tmp_vault_file }}" - state: absent - loop: - - "{{ role_path }}/files/consul_service_mesh_ca/.terraform/" - - "{{ role_path }}/files/consul_service_mesh_ca/.terraform.lock.hcl" - loop_control: - loop_var: _current_tmp_vault_file - tags: - - online - - prepare-tf-providers - diff --git a/roles/vault/tasks/main.yml b/roles/vault/tasks/main.yml index 02457181..4b2d3ae0 100644 --- a/roles/vault/tasks/main.yml +++ b/roles/vault/tasks/main.yml @@ -47,7 +47,7 @@ msg: "Load balancer url checked from localhost: {{ hs_vault_external_url }}" verbosity: 1 -- name: "Check vault API avalability" +- name: "Check vault API availability" uri: url: "{{ hs_vault_external_url }}/v1/auth/token/lookup-self" headers: diff --git a/roles/vault_vars/defaults/main.yml b/roles/vault_vars/defaults/main.yml index ade9f20d..df38420d 100644 --- a/roles/vault_vars/defaults/main.yml +++ b/roles/vault_vars/defaults/main.yml @@ -10,7 +10,7 @@ # [in the official release repository](https://releases.hashicorp.com/vault/). For example, # valid values are: '1.14.4', '1.15.0+ent', '1.14.3+ent.fips1402', etc. # -hs_vault_version: "1.14.2" +hs_vault_version: "1.15.4" # # * Domain under which vault will be published on the network. # diff --git a/roles/vault_vars/vars/main.yml b/roles/vault_vars/vars/main.yml index 5815ca45..28f4f1bd 100644 --- a/roles/vault_vars/vars/main.yml +++ b/roles/vault_vars/vars/main.yml 
@@ -22,6 +22,11 @@ __hs_vault_api: init: "{{ __hs_vault_conf_api_addr }}/v1/sys/init" unseal: "{{ __hs_vault_conf_api_addr }}/v1/sys/unseal" dr_enable: "{{ __hs_vault_conf_api_addr }}/v1/sys/replication/dr/primary/enable" + rekey: "{{ __hs_vault_conf_api_addr }}/v1/sys/rekey/init" + rekey_update: "{{ __hs_vault_conf_api_addr }}/v1/sys/rekey/update" + genroot: "{{ __hs_vault_conf_api_addr }}/v1/sys/generate-root/attempt" + genroot_update: "{{ __hs_vault_conf_api_addr }}/v1/sys/generate-root/update" + genroot_decode: "{{ __hs_vault_conf_api_addr }}/v1/sys/decode-token" __hs_vault_cluster_protocol: "https"