Dev (#149)

.github/workflows/stage1_bootstrap_role.yml

@@ -0,0 +1,25 @@
+---
+name: Stage1 Bootstrap role workflow
+on:
+  push:
+    branches:
+      - dev
+  pull_request:
+    branches:
+      - dev
+
+jobs:
+  vault_role:
+    runs-on: ubuntu-latest
+    steps:
+      - name: "Checkout project"
+        uses: "actions/checkout@v4"
+        with:
+          repository: "${{ github.repository }}"
+          path: "./roles/stage1_bootstrap"
+      - name: "Run molecule"
+        run: >-
+          source .envrc &&
+          molecule test
+        env:
+          ANSIBLE_FORCE_COLOR: "1"

.github/workflows/stage1_dns_role.yml

@@ -0,0 +1,25 @@
+---
+name: Stage1 DNS role workflow
+on:
+  push:
+    branches:
+      - dev
+  pull_request:
+    branches:
+      - dev
+
+jobs:
+  vault_role:
+    runs-on: ubuntu-latest
+    steps:
+      - name: "Checkout project"
+        uses: "actions/checkout@v4"
+        with:
+          repository: "${{ github.repository }}"
+          path: "./roles/stage1_dns"
+      - name: "Run molecule"
+        run: >-
+          source .envrc &&
+          molecule test
+        env:
+          ANSIBLE_FORCE_COLOR: "1"

.github/workflows/vault_role.yml

@@ -0,0 +1,30 @@
+---
+name: Stage1 Vault role workflow
+on:
+  push:
+    branches:
+      - dev
+  pull_request:
+    branches:
+      - dev
+
+jobs:
+  vault_role:
+    runs-on: ubuntu-latest
+    steps:
+      - name: "Checkout project"
+        uses: "actions/checkout@v4"
+        with:
+          repository: "${{ github.repository }}"
+
+      - name: "Install project dependencies"
+        run: >-
+          source .envrc &&
+          make prepare
+
+      - name: "Run molecule"
+        run: >-
+          cd ./roles/vault
+          && molecule test
+        env:
+          ANSIBLE_FORCE_COLOR: "1"

.gitignore

@@ -21,3 +21,7 @@ plugins/yaml2md/yaml2md.egg-info
 docs/build
 inventories/*
 .terraform.lock.hcl
+
+# macOS-specific files
+.DS_Store
+*.DS_Store

docs/source/reference/role_consul.md

@@ -4,20 +4,34 @@
 
 ## Defaults
 
-* Consul version to install (Debian package name referring )
+* Version of the consul package to install.
+* Used to determine which archive to install according to the suffix like
+[in the official release repository](https://releases.hashicorp.com/consul/). For example,
+valid values are: '1.16.4', '1.17.0+ent', '1.17.2+ent.fips1402', etc.
 ```
-hs_consul_version: "1.13.7-1"
+hs_consul_version: "1.17.2"
 ```
+
 ### Local paths
 
-* Path to local directory containing secrets to be uploaded to nodes
+* Path to local directory containing secrets to be uploaded to nodes.
 
 ```
-hs_consul_local_secrets_dir: >-
-  {{
-    hs_workspace_secrets_dir
-    | default(inventory_dir + 'group_vars/hashistack/secrets')
-  }}
+hs_consul_local_secrets_dir: "{{ hs_workspace_secrets_dir }}"
+```
+
+* Path to local directory where to download Consul binary before upload.
+
+```
+hs_consul_local_cache_dir: "{{ hs_workspace_root }}"
+```
+
+* [CONSUL ENTREPRISE] Path to local file containing the license.
+
+```
+hs_consul_local_license_file: ""
+
+hs_consul_local_ca_cert: "{{ hs_workspace_secrets_dir }}/ca.cert.pem"
 ```
 * Path to local node certificate.
 ```
@@ -31,45 +45,50 @@ hs_consul_node_cert_fullchain: "{{ hs_consul_local_secrets_dir }}/self.fullchain
 ```
 hs_consul_node_cert_private_key: "{{ hs_consul_local_secrets_dir }}/self.cert.key"
 
-hs_consul_ca_certificate_dir: "/usr/local/share/ca-certificates"
-hs_consul_ca_certificate: "/etc/ssl/certs/ca-certificates.crt"
-
-tf_module_name: "consul_config"
-hs_tf_action: apply
-
-hs_consul_datacenter_name: >-
+hs_consul_terraform_work_dir:
   {{
-    hs_workspace
-    | default('datacenter1')
+    hs_workspace_tf_modules_dir
+    | default(lookup('env', 'PWD') + '/terraform')
   }}
+
+hs_consul_datacenter_name: "{{ hs_workspace | default('datacenter1') }}"
 hs_consul_node_name: "{{ inventory_hostname | regex_replace('_', '-') }}"
 hs_consul_connect_token: ~
 
+hs_consul_https_listen_ipv4: "0.0.0.0"
+hs_consul_api_port: "8501"
+
+hs_consul_grpc_listen_ipv4: "0.0.0.0"
+hs_consul_grpc_port: "8502"
+hs_consul_grpc_tls_port: "8503"
+
 hs_consul_prometheus_enabled: true
 hs_consul_connect_root_pki_path: "consul_connect_pki_root"
 hs_consul_connect_intermediate_pki_path: "consul_connect_pki_inter"
 ```
 * API address of the vault service
 ```
 hs_consul_vault_address: "https://vault.{{ hs_consul_domain }}:8200"
-hs_consul_api_port: "8501"
-hs_consul_grpc_port: "8502"
-hs_consul_grpc_tls_port: "8503"
 
 hs_consul_domain: "{{ public_domain }}"
 hs_consul_node_fqdn: "{{ hs_consul_node_name }}.{{ hs_consul_domain }}"
 
-hs_consul_external_url: https://consul.{{ hs_consul_domain }}
+hs_consul_service_fqdn: "consul.{{ hs_consul_domain }}"
+hs_consul_external_url: "https://{{ hs_consul_service_fqdn }}"
 
 hs_consul_bootstrap_expect: "{{ groups[__hs_consul_inventory_masters_group] | length }}"
 hs_consul_advertise_addr: "{{ ansible_default_ipv4.address }}"
 
 hs_consul_use_custom_ca: false
-hs_consul_local_ca_cert: "{{ hs_workspace_secrets_dir }}/ca.cert.pem"
 
 hs_consul_acl_default_policy: deny
 hs_consul_acl_auto_encrypt_token: ~
+```
 
-hs_consul_packages_list:
-  - "consul={{ hs_consul_version }}"
+Remote location of certificates files for Consul TLS endpoints.
 
+```
+hs_consul_self_private_key: "{{ __hs_consul_tls_dir }}/self.cert.key"
+hs_consul_self_certificate: "{{ __hs_consul_tls_dir }}/self.fullchain.cert.pem"
+hs_consul_ca_certificate: "{{ __hs_consul_certs_truststore_dir }}/consul.ca.crt"
+hs_consul_vault_root_ca_certificate: "{{ __hs_consul_certs_truststore_dir }}/vault.root_ca.crt"

docs/source/reference/role_envoy.md

@@ -5,4 +5,4 @@
 ## Defaults
 
 ```
-envoy_version: "1.23.1"
+envoy_version: "1.27.2"

docs/source/reference/role_stage1_pip.md

@@ -12,3 +12,6 @@ packages_list:
   - cryptography
   - dnspython
   - passlib
+  - duplicity
+
+pip_root_folder_external: '/usr/lib/python3.11/EXTERNALLY-MANAGED'

docs/source/reference/role_stage1_rproxy.md

@@ -4,3 +4,5 @@
 
 ## Role defaults
 
+```
+hs_stage1_rproxy_dns_service: "{{ ansible_default_ipv4.address }}"

docs/source/reference/role_vault.md

@@ -10,7 +10,7 @@
 valid values are: '1.14.4', '1.15.0+ent', '1.14.3+ent.fips1402', etc.
 
 ```
-hs_vault_version: "1.14.2"
+hs_vault_version: "1.15.4"
 ```
 
 * Domain under which vault will be published on the network.

docs/source/reference/role_vault_sidecar.md

@@ -0,0 +1,3 @@
+```
+hs_consul_https_address: "0.0.0.0"
+hs_consul_api_port: "8501"

playbooks/21_consul_install.yml

@@ -7,3 +7,9 @@
   roles:
     - role: "envoy"
     - role: "consul"
+
+  tasks:
+    - name: Include vault-sidecar role if required
+      include_role:
+        name: vault_sidecar
+      when: hs_install_vault_sidecar | bool

playbooks/group_vars/all.yml

@@ -31,3 +31,4 @@ tf_module_dest: "{{ hs_workspace_tf_modules_dir }}/{{ tf_module_name }}"
 
 glxclans_host_service_user_name: "caretaker"
 
+hs_install_vault_sidecar: true

requirements.txt

@@ -1,13 +1,13 @@
 alabaster==0.7.13
 ansible-compat==4.1.10
-ansible-core==2.15.4
+ansible-core==2.16.5
 ansible-lint==6.20.1
 arrow==1.2.3
 attrs==22.2.0
 Babel==2.11.0
 beautifulsoup4==4.11.2
 binaryornot==0.4.4
-black==22.12.0
+black==24.3.0
 bracex==2.3.post1
 build==0.10.0
 certifi==2023.7.22
@@ -17,7 +17,7 @@ charset-normalizer==3.0.1
 click==8.1.3
 click-help-colors==0.9.1
 cookiecutter==2.1.1
-cryptography==41.0.7
+cryptography==42.0.4
 distro==1.8.0
 docker==6.1.3
 docutils==0.19
@@ -29,7 +29,7 @@ idna==3.4
 imagesize==1.4.1
 iniconfig==2.0.0
 ipaddr==2.2.0
-Jinja2==3.1.2
+Jinja2==3.1.3
 jinja2-time==0.2.0
 jmespath==1.0.1
 jsonschema==4.17.3

requirements.yml

@@ -19,4 +19,4 @@ collections:
   - name: cloud.terraform
     version: "1.1.1"
   - name: rtnp.galaxie_clans
-    version: "1.15.3"
+    version: "1.15.5"

roles/consul/defaults/main.yml

@@ -3,60 +3,80 @@
 # ```{include} ../../../roles/consul/README.md
 # ```
 #
-# ## Defaults
+# ## Role variables
 #
 # * Version of the consul package to install.
 # * Used to determine which archive to install according to the suffix like
 # [in the official release repository](https://releases.hashicorp.com/consul/). For example,
 # valid values are: '1.16.4', '1.17.0+ent', '1.17.2+ent.fips1402', etc.
+#
 hs_consul_version: "1.17.2"
 #
 # ### Local paths
 #
-# * Path to local directory containing secrets to be uploaded to nodes
+# * Path to local directory containing secrets to be uploaded to nodes.
 #
-hs_consul_local_secrets_dir: >-
-  {{
-    hs_workspace_secrets_dir
-    | default(inventory_dir + 'group_vars/hashistack/secrets')
-  }}
+hs_consul_local_secrets_dir: "{{ hs_workspace_secrets_dir }}"
+#
+# * Path to local directory where to download Consul binary before upload.
+#
+hs_consul_local_cache_dir: "{{ hs_workspace_root }}"
+#
+# * [CONSUL ENTREPRISE] Path to local file containing the license.
+#
+hs_consul_local_license_file: ""
+
+hs_consul_local_ca_cert: "{{ hs_workspace_secrets_dir }}/ca.cert.pem"
 # * Path to local node certificate.
 hs_consul_node_cert: "{{ hs_consul_local_secrets_dir }}/self.cert.pem"
 # * Path to local node fullchain certificate.
 hs_consul_node_cert_fullchain: "{{ hs_consul_local_secrets_dir }}/self.fullchain.cert.pem"
 # * Path to local node certificate private key.
 hs_consul_node_cert_private_key: "{{ hs_consul_local_secrets_dir }}/self.cert.key"
 
-tf_module_name: "consul_config"
-hs_tf_action: apply
+hs_consul_terraform_work_dir: >-
+  {{
+    hs_workspace_tf_modules_dir
+    | default(lookup('env', 'PWD') + '/terraform')
+  }}
 
 hs_consul_datacenter_name: "{{ hs_workspace | default('datacenter1') }}"
 hs_consul_node_name: "{{ inventory_hostname | regex_replace('_', '-') }}"
 hs_consul_connect_token: ~
+#
+# * HTTPS listener
+#
+hs_consul_https_listen_ipv4: "0.0.0.0"
+hs_consul_api_port: "8501"
+#
+# * GRPC listener
+#
+hs_consul_grpc_listen_ipv4: "0.0.0.0"
+hs_consul_grpc_tls_port: "8503"
 
-hs_consul_grpc_address: "0.0.0.0"
-hs_consul_https_address: "0.0.0.0"
-hs_consul_local_cache_dir: "{{ hs_workspace_root }}"
 hs_consul_prometheus_enabled: true
 hs_consul_connect_root_pki_path: "consul_connect_pki_root"
 hs_consul_connect_intermediate_pki_path: "consul_connect_pki_inter"
 # * API address of the vault service
 hs_consul_vault_address: "https://vault.{{ hs_consul_domain }}:8200"
-hs_consul_api_port: "8501"
-hs_consul_grpc_port: "8502"
-hs_consul_grpc_tls_port: "8503"
 
 hs_consul_domain: "{{ public_domain }}"
 hs_consul_node_fqdn: "{{ hs_consul_node_name }}.{{ hs_consul_domain }}"
 
-hs_consul_external_url: https://consul.{{ hs_consul_domain }}
+hs_consul_service_fqdn: "consul.{{ hs_consul_domain }}"
+hs_consul_external_url: "https://{{ hs_consul_service_fqdn }}"
 
 hs_consul_bootstrap_expect: "{{ groups[__hs_consul_inventory_masters_group] | length }}"
 hs_consul_advertise_addr: "{{ ansible_default_ipv4.address }}"
 
 hs_consul_use_custom_ca: false
-hs_consul_local_ca_cert: "{{ hs_workspace_secrets_dir }}/ca.cert.pem"
 
 hs_consul_acl_default_policy: deny
 hs_consul_acl_auto_encrypt_token: ~
-hs_consul_local_license_file: ""
+#
+# Remote location of certificates files for Consul TLS endpoints.
+#
+hs_consul_self_private_key: "{{ __hs_consul_tls_dir }}/self.cert.key"
+hs_consul_self_certificate: "{{ __hs_consul_tls_dir }}/self.fullchain.cert.pem"
+hs_consul_ca_certificate: "{{ __hs_consul_certs_truststore_dir }}/consul.ca.crt"
+hs_consul_vault_root_ca_certificate: "{{ __hs_consul_certs_truststore_dir }}/vault.root_ca.crt"

roles/consul/handlers/main.yml

@@ -3,6 +3,7 @@
   systemd:
     name: consul
     state: restarted
+    daemon_reload: true
     enabled: true
 
 - name: Update ca trust