Diffstat (limited to 'fdio.infra.ansible/roles/consul')
9 files changed, 360 insertions, 0 deletions
diff --git a/fdio.infra.ansible/roles/consul/defaults/main.yaml b/fdio.infra.ansible/roles/consul/defaults/main.yaml
new file mode 100644
index 0000000000..9ea38efb56
--- /dev/null
+++ b/fdio.infra.ansible/roles/consul/defaults/main.yaml
@@ -0,0 +1,87 @@
+---
+# file: defaults/main.yaml
+
+# Inst - Prerequisites.
+packages: "{{ packages_base + packages_by_distro[ansible_distribution | lower] + packages_by_arch[ansible_machine] }}"
+packages_base:
+ - "curl"
+ - "unzip"
+packages_by_distro:
+ ubuntu:
+ - []
+packages_by_arch:
+ aarch64:
+ - []
+ x86_64:
+ - []
+
+# Inst - Consul Map.
+consul_architecture_map:
+ amd64: "amd64"
+ x86_64: "amd64"
+ armv7l: "arm"
+ aarch64: "arm64"
+ 32-bit: "386"
+ 64-bit: "amd64"
+consul_architecture: "{{ consul_architecture_map[ansible_architecture] }}"
+consul_version: "1.16.1"
+consul_pkg: "consul_{{ consul_version }}_linux_{{ consul_architecture }}.zip"
+consul_zip_url: "https://releases.hashicorp.com/consul/{{ consul_version }}/{{ consul_pkg }}"
+consul_force_update: false
+
+# Inst - System paths.
+consul_bin_dir: "/usr/local/bin"
+consul_config_dir: "/etc/consul.d"
+consul_data_dir: "/var/consul"
+consul_inst_dir: "/opt"
+consul_lockfile: "/var/lock/subsys/consul"
+consul_run_dir: "/var/run/consul"
+consul_ssl_dir: "/etc/consul.d/ssl"
+
+# Conf - Service.
+consul_node_role: "both"
+consul_restart_handler_state: "restarted"
+nomad_restart_handler_state: "restarted"
+systemd_resolved_state: "stopped"
+consul_service_mgr: ""
+
+# Conf - User and group.
+consul_group: "consul"
+consul_user: "consul"
+
+# Conf - base.hcl
+consul_allow_tls: true
+consul_bind_addr: "{{ ansible_default_ipv4.address }}"
+consul_bootstrap_expect: 1
+consul_client_addr: "0.0.0.0"
+consul_datacenter: "dc1"
+consul_disable_update_check: true
+consul_enable_debug: false
+consul_enable_syslog: true
+consul_encrypt: ""
+consul_log_level: "INFO"
+consul_node_name: "{{ inventory_hostname }}"
+consul_recursors:
+ - 1.1.1.1
+ - 8.8.8.8
+consul_retry_join: false
+consul_ui_config:
+ enabled: true
+consul_verify_incoming: true
+consul_verify_outgoing: true
+consul_vefify_server_hostname: false
+consul_ca_file: "{{ consul_ssl_dir }}/ca.pem"
+consul_cert_file: "{{ consul_ssl_dir }}/consul.pem"
+consul_key_file: "{{ consul_ssl_dir }}/consul-key.pem"
+
+# Conf - ports.hcl
+consul_port_dns: 53
+consul_port_http: 8500
+consul_port_https: 8501
+consul_port_grpc: 8502
+consul_port_serf_lan: 8301
+consul_port_serf_wan: 8302
+consul_port_server: 8300
+
+# Conf - services.json
+consul_services: false
diff --git a/fdio.infra.ansible/roles/consul/handlers/main.yaml b/fdio.infra.ansible/roles/consul/handlers/main.yaml
new file mode 100644
index 0000000000..a9de4d1439
--- /dev/null
+++ b/fdio.infra.ansible/roles/consul/handlers/main.yaml
@@ -0,0 +1,16 @@
+---
+# file handlers/main.yaml
+
+- name: Restart Nomad
+ ansible.builtin.systemd:
+ daemon_reload: true
+ enabled: true
+ name: "nomad"
+ state: "{{ nomad_restart_handler_state }}"
+
+- name: Restart Consul
+ ansible.builtin.systemd:
+ daemon_reload: true
+ enabled: true
+ name: "consul"
+ state: "{{ consul_restart_handler_state }}"
diff --git a/fdio.infra.ansible/roles/consul/meta/main.yaml b/fdio.infra.ansible/roles/consul/meta/main.yaml
new file mode 100644
index 0000000000..673c3b738d
--- /dev/null
+++ b/fdio.infra.ansible/roles/consul/meta/main.yaml
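Review bot: `consul_encrypt: ""` together with `consul_vefify_server_hostname: false` ships a default that leaves serf gossip on 8301/8302 without a key and lets any certificate issued by the CA be accepted as a Consul server. The misspelled key is read consistently by base.hcl.j2 so it works as written, but an inventory that sets the correctly spelled `consul_verify_server_hostname: true` is silently ignored and hostname verification stays off. I would rename the default to `consul_verify_server_hostname: true` (updating the two template references to match) and add an `ansible.builtin.assert` in tasks that fails when `consul_encrypt` is empty, so an unkeyed gossip ring cannot be deployed by omission.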
@@ -0,0 +1,21 @@
+---
+# file: meta/main.yaml
+
+dependencies: []
+
+galaxy_info:
+ role_name: "consul"
+ author: "pmikus"
+ description: "Hashicorp Consul."
+ company: "none"
+ license: "license (Apache)"
+ min_ansible_version: "2.9"
+ platforms:
+ - name: "Ubuntu"
+ versions:
+ - "focal"
+ - "jammy"
+ - "kinetic"
+ galaxy_tags:
+ - "consul"
+ - "hashicorp"
diff --git a/fdio.infra.ansible/roles/consul/tasks/main.yaml b/fdio.infra.ansible/roles/consul/tasks/main.yaml
new file mode 100644
index 0000000000..6dd430754b
--- /dev/null
+++ b/fdio.infra.ansible/roles/consul/tasks/main.yaml
@@ -0,0 +1,145 @@
+---
+# file: tasks/main.yaml
+
+- name: Update Repositories Cache
+ ansible.builtin.apt:
+ update_cache: true
+ when:
+ - ansible_os_family == 'Debian'
+ tags:
+ - consul-inst-package
+
+- name: Dependencies
+ ansible.builtin.apt:
+ name: "{{ packages | flatten(levels=1) }}"
+ state: "present"
+ cache_valid_time: 3600
+ install_recommends: false
+ when:
+ - ansible_os_family == 'Debian'
+ tags:
+ - consul-inst-dependencies
+
+- name: Add Consul Group
+ ansible.builtin.group:
+ name: "{{ consul_group }}"
+ state: "present"
+ tags:
+ - consul-conf-user
+
+- name: Add Consul user
+ ansible.builtin.user:
+ name: "{{ consul_user }}"
+ group: "{{ consul_group }}"
+ state: "present"
+ system: true
+ tags:
+ - consul-conf-user
+
+- name: Download Consul
+ ansible.builtin.get_url:
+ url: "{{ consul_zip_url }}"
+ dest: "{{ consul_inst_dir }}/{{ consul_pkg }}"
+ tags:
+ - consul-inst-package
+
+- name: Clean Consul
+ ansible.builtin.file:
+ path: "{{ consul_inst_dir }}/consul"
+ state: "absent"
+ when:
+ - consul_force_update | bool
+ tags:
+ - consul-inst-package
+
+- name: Unarchive Consul
+ ansible.builtin.unarchive:
+ src: "{{ consul_inst_dir }}/{{ consul_pkg }}"
+ dest: "{{ consul_inst_dir }}/"
+ remote_src: true
+ tags:
+ - consul-inst-package
+
+- name: Consul
+ ansible.builtin.copy:
+ src: "{{ consul_inst_dir }}/consul"
+ dest: "{{ consul_bin_dir }}"
+ owner: "{{ consul_user }}"
+ group: "{{ consul_group }}"
+ force: true
+ mode: 0755
+ remote_src: true
+ tags:
+ - consul-inst-package
+
+- name: Create Directories
+ ansible.builtin.file:
+ dest: "{{ item }}"
+ state: "directory"
+ owner: "{{ consul_user }}"
+ group: "{{ consul_group }}"
+ mode: 0755
+ with_items:
+ - "{{ consul_config_dir }}"
+ - "{{ consul_ssl_dir }}"
+ - "{{ consul_data_dir }}"
+ - "{{ nomad_config_dir }}"
+ - "{{ nomad_ssl_dir }}"
+ tags:
+ - consul-conf
+
+- name: Base Configuration
+ ansible.builtin.template:
+ src: "{{ item }}.hcl.j2"
+ dest: "{{ consul_config_dir }}/{{ item }}.hcl"
+ owner: "{{ consul_user }}"
+ group: "{{ consul_group }}"
+ mode: 0644
+ with_items:
+ - "base"
+ - "ports"
+ - "telemetry"
+ tags:
+ - consul-conf
+
+- name: Copy Certificates And Keys
+ ansible.builtin.copy:
+ content: "{{ item.src }}"
+ dest: "{{ item.dest }}"
+ owner: "{{ consul_user }}"
+ group: "{{ consul_group }}"
+ mode: 0600
+ no_log: true
+ loop: "{{ consul_certificates | flatten(levels=1) }}"
+ when:
+ - consul_certificates is defined
+ tags:
+ - consul-conf
+
+- name: Stop Systemd-resolved
+ ansible.builtin.systemd:
+ daemon_reload: true
+ enabled: false
+ name: "systemd-resolved"
+ state: "{{ systemd_resolved_state }}"
+ when:
+ - consul_service_mgr == "systemd"
+ tags:
+ - consul-conf
+
+- name: System.d Script
+ ansible.builtin.template:
+ src: "consul_systemd.service.j2"
+ dest: "/lib/systemd/system/consul.service"
+ owner: "root"
+ group: "root"
+ mode: 0644
+ notify:
+ - "Restart Consul"
+ when:
+ - consul_service_mgr == "systemd"
+ tags:
+ - consul-conf
+
+- name: Flush handlers
+ ansible.builtin.meta: flush_handlers
diff --git a/fdio.infra.ansible/roles/consul/templates/base.hcl.j2 b/fdio.infra.ansible/roles/consul/templates/base.hcl.j2
new file mode 100644
index 0000000000..15104b2710
--- /dev/null
+++ b/fdio.infra.ansible/roles/consul/templates/base.hcl.j2
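Review bot: The `Download Consul` task fetches the release zip with `ansible.builtin.get_url` and no `checksum:`, so a tampered, substituted or truncated archive is unzipped and installed into `{{ consul_bin_dir }}` with no integrity check at all. HashiCorp publishes a SHA256SUMS file beside every release and get_url can verify against it directly: `checksum: "sha256:https://releases.hashicorp.com/consul/{{ consul_version }}/consul_{{ consul_version }}_SHA256SUMS"` (pinning a literal digest per `consul_version` is stronger still if the role wants to avoid a second network fetch). Separately, the `Consul` copy task installs the binary with `owner: "{{ consul_user }}"` while the unit file in this same change runs it as root, so anything running as the service user could overwrite a binary that root later executes; `owner: "root"` and `group: "root"` on the installed binary (mode 0755 is already world-executable) removes that escalation path.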
@@ -0,0 +1,56 @@
+node_name = "{{ consul_node_name }}"
+datacenter = "{{ consul_datacenter }}"
+
+bind_addr = "{{ consul_bind_addr }}"
+client_addr = "{{ consul_client_addr }}"
+data_dir = "{{ consul_data_dir }}"
+
+enable_syslog = {{ consul_enable_syslog | bool | lower }}
+enable_debug = {{ consul_enable_debug | bool | lower }}
+disable_update_check = {{ consul_disable_update_check | bool | lower }}
+log_level = "{{ consul_log_level }}"
+
+server = {{ consul_node_server | bool | lower }}
+encrypt = "{{ consul_encrypt }}"
+{% if consul_node_server | bool == True %}
+bootstrap_expect = {{ consul_bootstrap_expect }}
+verify_incoming = {{ consul_verify_incoming | bool | lower }}
+verify_outgoing = {{ consul_verify_outgoing | bool | lower }}
+verify_server_hostname = {{ consul_vefify_server_hostname | bool | lower }}
+ca_file = "{{ consul_ca_file }}"
+cert_file = "{{ consul_cert_file }}"
+key_file = "{{ consul_key_file }}"
+auto_encrypt {
+ allow_tls = {{ consul_allow_tls | bool | lower }}
+}
+{% else %}
+verify_incoming = {{ consul_verify_incoming | bool | lower }}
+verify_outgoing = {{ consul_verify_outgoing | bool | lower }}
+verify_server_hostname = {{ consul_vefify_server_hostname | bool | lower }}
+ca_file = "{{ consul_ca_file }}"
+auto_encrypt {
+ tls = {{ consul_allow_tls | bool | lower }}
+}
+{% endif %}
+{% if consul_retry_join | bool -%}
+retry_join = [ {% for ip_port in consul_retry_servers -%} "{{ ip_port }}"{% if not loop.last %}, {% endif %}{%- endfor -%} ]
+{%- endif %}
+
+{% if consul_ui_config -%}
+ui_config {
+{% for key, value in consul_ui_config.items() %}
+ {%- if value|bool %}
+ {{ key }} = {{ value | bool | lower }}
+ {%- elif value|string or value == "" %}
+ {{ key }} = "{{ value }}"
+ {%- else %}
+ {{ key }} = {{ value }}
+ {%- endif %}
+{% endfor %}
+
+}
+{%- endif %}
+
+{% if consul_recursors -%}
+recursors = [ {% for server in consul_recursors -%} "{{ server }}"{% if not loop.last %}, {% endif %}{%- endfor -%} ]
+{%- endif %}
\ No newline at end of file
diff --git a/fdio.infra.ansible/roles/consul/templates/consul_systemd.service.j2 b/fdio.infra.ansible/roles/consul/templates/consul_systemd.service.j2
new file mode 100644
index 0000000000..16874f213e
--- /dev/null
+++ b/fdio.infra.ansible/roles/consul/templates/consul_systemd.service.j2
@@ -0,0 +1,18 @@
+[Unit]
+Description="HashiCorp Consul - A service mesh solution"
+Documentation=https://www.consul.io/
+Requires=network-online.target
+After=network-online.target
+
+[Service]
+User=root
+Group=root
+ExecStart={{ consul_bin_dir }}/consul agent -config-dir={{ consul_config_dir }}
+ExecReload=/bin/kill --signal HUP $MAINPID
+KillMode=process
+KillSignal=SIGTERM
+Restart=on-failure
+LimitNOFILE=infinity
+
+[Install]
+WantedBy=multi-user.target
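Review bot: base.hcl.j2 sets up TLS, gossip and the UI but contains no `acl` stanza, and none of the other eight files in this change add one, so with `client_addr = 0.0.0.0` from defaults the HTTP API, UI and KV store answer every request from every interface without a token. Consul's ACL system is opt-in and behaves as allow-all when the stanza is absent, so a deny-by-default block (overridable through a role variable for lab use) should be rendered here and the bootstrap token issued out of band. The `verify_incoming`, `verify_outgoing`, `verify_server_hostname` and `ca_file` lines are also repeated verbatim in both branches of the `consul_node_server` conditional and could be hoisted above the `{% if %}` so the two branches differ only in what is actually role-specific.
```jinja
{# … unchanged: node_name, bind/client addresses, TLS and auto_encrypt blocks … #}
{% if consul_acl_enabled | default(true) | bool %}
acl {
  enabled = true
  default_policy = "deny"
  enable_token_persistence = true
}
{% endif %}
{# … unchanged: retry_join, ui_config, recursors … #}
```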
\ No newline at end of file
diff --git a/fdio.infra.ansible/roles/consul/templates/ports.hcl.j2 b/fdio.infra.ansible/roles/consul/templates/ports.hcl.j2
new file mode 100644
index 0000000000..02932bf6dc
--- /dev/null
+++ b/fdio.infra.ansible/roles/consul/templates/ports.hcl.j2
@@ -0,0 +1,9 @@
+ports {
+ dns = {{ consul_port_dns }}
+ http = {{ consul_port_http }}
+ https = {{ consul_port_https }}
+ grpc_tls = {{ consul_port_grpc }}
+ serf_lan = {{ consul_port_serf_lan }}
+ serf_wan = {{ consul_port_serf_wan }}
+ server = {{ consul_port_server }}
+}
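Review bot: `User=root` and `Group=root` in the `[Service]` section run the agent as root even though the tasks in this change create a dedicated `consul` user and group and chown the config, ssl and data directories to it; the only privileged operation visible in the role is binding `dns = 53`. A compromise of the agent (it exposes an HTTP API and DNS on all interfaces per defaults) therefore yields root on every node rather than an unprivileged service account. Drop to the service user and grant only the bind capability: `User={{ consul_user }}`, `Group={{ consul_group }}`, `AmbientCapabilities=CAP_NET_BIND_SERVICE`; `NoNewPrivileges=true` and `ProtectSystem=full` are natural companions once the binary is root-owned.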
\ No newline at end of file
diff --git a/fdio.infra.ansible/roles/consul/templates/telemetry.hcl.j2 b/fdio.infra.ansible/roles/consul/templates/telemetry.hcl.j2
new file mode 100644
index 0000000000..ec7fabc9da
--- /dev/null
+++ b/fdio.infra.ansible/roles/consul/templates/telemetry.hcl.j2
@@ -0,0 +1,3 @@
+telemetry {
+ prometheus_retention_time = "24h"
+}
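Review bot: `http = {{ consul_port_http }}` keeps a plaintext API listener on 8500 alongside the TLS listener on 8501, and since defaults set `consul_client_addr: "0.0.0.0"` that listener answers on every interface; `verify_incoming` in base.hcl.j2 only protects the TLS and RPC listeners, so the cleartext port sidesteps the client-certificate enforcement the role otherwise configures. Consul disables a listener when its port is `-1`, so the simplest fix is `consul_port_http: -1` in defaults with a comment that the API is TLS-only, or, if a local plaintext port is wanted for tooling, an `addresses { http = "127.0.0.1" }` block so it never leaves the host. Minor naming point: the variable `consul_port_grpc` feeds `grpc_tls`, and renaming it `consul_port_grpc_tls` would keep defaults honest about which listener it configures.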
\ No newline at end of file
diff --git a/fdio.infra.ansible/roles/consul/vars/main.yaml b/fdio.infra.ansible/roles/consul/vars/main.yaml
new file mode 100644
index 0000000000..5d813dffc7
--- /dev/null
+++ b/fdio.infra.ansible/roles/consul/vars/main.yaml
@@ -0,0 +1,5 @@
+---
+# file: vars/main.yaml
+
+consul_node_client: "{{ (consul_node_role == 'client') or (consul_node_role == 'both') }}"
+consul_node_server: "{{ (consul_node_role == 'server') or (consul_node_role == 'both') }}" |