Diffstat (limited to 'fdio.infra.ansible/roles/nomad')
12 files changed, 289 insertions, 183 deletions
diff --git a/fdio.infra.ansible/roles/nomad/defaults/main.yaml b/fdio.infra.ansible/roles/nomad/defaults/main.yaml index b4741f8d43..535db2bb2c 100644 --- a/fdio.infra.ansible/roles/nomad/defaults/main.yaml +++ b/fdio.infra.ansible/roles/nomad/defaults/main.yaml @@ -16,7 +16,7 @@ packages_by_arch: - [] # Package -nomad_version: "{{ lookup('env','NOMAD_VERSION') | default('1.3.1', true) }}" +nomad_version: "1.4.3" nomad_architecture_map: amd64: "amd64" x86_64: "amd64" @@ -28,12 +28,6 @@ nomad_architecture: "{{ nomad_architecture_map[ansible_architecture] }}" nomad_pkg: "nomad_{{ nomad_version }}_linux_{{nomad_architecture}}.zip" nomad_zip_url: "https://releases.hashicorp.com/nomad/{{ nomad_version }}/nomad_{{ nomad_version }}_linux_{{nomad_architecture}}.zip" nomad_checksum_file_url: "https://releases.hashicorp.com/nomad/{{ nomad_version }}/nomad_{{ nomad_version}}_SHA256SUMS" -nomad_podman_enable: false -nomad_podman_version: "{{ lookup('env','NOMAD_PODMAN_VERSION') | default('0.1.0', true) }}" -nomad_podman_pkg: "nomad-driver-podman_{{ nomad_podman_version }}_linux_{{nomad_architecture}}.zip" -nomad_podman_url: "https://releases.hashicorp.com/nomad-driver-podman/{{ nomad_podman_version }}" -nomad_podman_zip_url: "{{ nomad_podman_url }}/{{ nomad_podman_pkg }}" -nomad_podman_checksum_file_url: "{{ nomad_podman_url }}/nomad-driver-podman_{{ nomad_podman_version }}_SHA256SUMS" nomad_force_update: false # Paths 
@@ -47,23 +41,20 @@ nomad_run_dir: "/var/run/nomad" nomad_ssl_dir: "/etc/nomad.d/ssl" # Initialization and startup script templates -nomad_restart_handler_state: "restarted" nomad_service_mgr: "" # System user and group nomad_group: "nomad" -nomad_group_state: "present" nomad_user: "nomad" -nomad_user_state: "present" # Nomad settings nomad_datacenter: "dc1" nomad_region: "global" nomad_log_level: "INFO" nomad_syslog_enable: true -nomad_iface: "{{ lookup('env','NOMAD_IFACE') | default(ansible_default_ipv4.interface, true) }}" +nomad_iface: "{{ ansible_default_ipv4.interface }}" nomad_node_name: "{{ inventory_hostname }}" -nomad_node_role: "{{ lookup('env','NOMAD_NODE_ROLE') | default('server', true) }}" +nomad_node_role: "server" nomad_leave_on_terminate: true nomad_leave_on_interrupt: false nomad_disable_update_check: true @@ -88,7 +79,7 @@ nomad_eval_gc_threshold: "1h" # Specifies the minimum time a deployment must be in the terminal state before # it is eligible for garbage collection. nomad_deployment_gc_threshold: "1h" -nomad_encrypt_enable: "{{ lookup('env','NOMAD_ENCRYPT_ENABLE') | default('false', true) }}" +nomad_encrypt_enable: false nomad_raft_protocol: 2 # Client settings @@ -127,7 +118,7 @@ nomad_servers: "\ {% set _nomad_servers = [] %}\ {% for host in groups[nomad_group_name] %}\ {% set _nomad_node_role = hostvars[host]['nomad_node_role'] | default('client', true) %}\ - {% if ( _nomad_node_role == 'server' or _nomad_node_role == 'both') %}\ + {% if (_nomad_node_role == 'server' or _nomad_node_role == 'both') %}\ {% if _nomad_servers.append(host) %}{% endif %}\ {% endif %}\ {% endfor %}\ 
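Review bot: `nomad_encrypt_enable: false` keeps Serf gossip between Nomad servers unencrypted on a default deployment; the hunk only turns the old string `'false'` into a boolean, so the exposure is unchanged but now easy to miss next to the other cleaned-up defaults. A comment such as `# Gossip encryption is off; set true and supply a key before exposing servers beyond a trusted network` above that line would make the trade-off visible. Separately, `nomad_iface: "{{ ansible_default_ipv4.interface }}"` now depends on gathered facts, so a play with `gather_facts: false` will fail on an undefined `ansible_default_ipv4` — presumably acceptable, but worth stating in the role README.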
@@ -144,56 +135,59 @@ nomad_consul_token: "" nomad_consul_servers_service_name: "nomad" nomad_consul_clients_service_name: "nomad-client" nomad_consul_tags: {} +nomad_consul_use_ssl: false # ACLs -nomad_acl_enabled: "{{ lookup('env', 'NOMAD_ACL_ENABLED') | default('no', true) }}" +nomad_acl_enabled: false nomad_acl_token_ttl: "30s" nomad_acl_policy_ttl: "30s" nomad_acl_replication_token: "" -# Vault -nomad_vault_enabled: "{{ lookup('env', 'NOMAD_VAULT_ENABLED') | default('no', true) }}" -nomad_vault_address: "{{ vault_address | default('0.0.0.0', true) }}" -nomad_vault_allow_unauthenticated: true -nomad_vault_create_from_role: "" -nomad_vault_task_token_ttl: "" -nomad_vault_ca_file: "" -nomad_vault_ca_path: "" -nomad_vault_cert_file: "" -nomad_vault_key_file: "" -nomad_vault_tls_server_name: "" -nomad_vault_tls_skip_verify: false -nomad_vault_token: "" -nomad_vault_namespace: "" - # Docker -nomad_docker_enable: "{{ lookup('env','NOMAD_DOCKER_ENABLE') | default('false', true) }}" +nomad_docker_enable: false nomad_docker_dmsetup: true -# TLS -nomad_tls_enable: true -nomad_ca_file: "{{ nomad_ssl_dir }}/nomad-ca.pem" -nomad_cert_file: "{{ nomad_ssl_dir }}/nomad.pem" -nomad_key_file: "{{ nomad_ssl_dir }}/nomad-key.pem" -nomad_cli_cert_file: "{{ nomad_ssl_dir }}/nomad-cli.pem" -nomad_cli_key_file: "{{ nomad_ssl_dir }}/nomad-cli-key.pem" -nomad_http: false -nomad_rpc: false -nomad_rpc_upgrade_mode: false -nomad_verify_server_hostname: false -nomad_verify_https_client: false - -# Conf - autopilot.hcl +# Autopilot nomad_autopilot_cleanup_dead_servers: true nomad_autopilot_last_contact_threshold: "200ms" nomad_autopilot_max_trailing_logs: 250 nomad_autopilot_server_stabilization_time: "10s" -# Telemetry -nomad_telemetry: true +# Telemetry. 
+nomad_use_telemetry: true nomad_telemetry_disable_hostname: false -nomad_telemetry_collection_interval: 60s +nomad_telemetry_collection_interval: "1s" nomad_telemetry_use_node_name: false nomad_telemetry_publish_allocation_metrics: true nomad_telemetry_publish_node_metrics: true nomad_telemetry_prometheus_metrics: true + +# TLS. +nomad_use_tls: true +nomad_tls_ca_file: "{{ nomad_ssl_dir }}/nomad-ca.pem" +nomad_tls_cert_file: "{{ nomad_ssl_dir }}/nomad.pem" +nomad_tls_key_file: "{{ nomad_ssl_dir }}/nomad-key.pem" +nomad_tls_cli_cert_file: "{{ nomad_ssl_dir }}/nomad-cli.pem" +nomad_tls_cli_key_file: "{{ nomad_ssl_dir }}/nomad-cli-key.pem" +nomad_tls_http: false +nomad_tls_rpc: false +nomad_tls_rpc_upgrade_mode: false +nomad_tls_verify_https_client: false +nomad_tls_verify_server_hostname: false + +# Vault +nomad_use_vault: false +nomad_vault_address: "http://vault.service.consul:8200" +nomad_vault_allow_unauthenticated: true +nomad_vault_enabled: false +nomad_vault_create_from_role: "" +nomad_vault_task_token_ttl: "72h" +nomad_vault_use_ssl: false +nomad_vault_ca_file: "" +nomad_vault_ca_path: "" +nomad_vault_cert_file: "" +nomad_vault_key_file: "" +nomad_vault_namespace: "" +nomad_vault_tls_server_name: "" +nomad_vault_tls_skip_verify: false +nomad_vault_token: "" diff --git a/fdio.infra.ansible/roles/nomad/handlers/main.yaml b/fdio.infra.ansible/roles/nomad/handlers/main.yaml index 6263f3dda1..32e5798e3e 100644 --- a/fdio.infra.ansible/roles/nomad/handlers/main.yaml +++ b/fdio.infra.ansible/roles/nomad/handlers/main.yaml @@ -1,9 +1,9 @@ --- -# file roles/nomad/handlers/main.yaml +# file handlers/main.yaml - name: Restart Nomad ansible.builtin.systemd: daemon_reload: true enabled: true name: "nomad" - state: "{{ nomad_restart_handler_state }}" + state: "restarted" diff --git a/fdio.infra.ansible/roles/nomad/meta/main.yaml b/fdio.infra.ansible/roles/nomad/meta/main.yaml index 03396ae6e6..098aafe2fb 100644 --- a/fdio.infra.ansible/roles/nomad/meta/main.yaml 
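Review bot: The new Vault defaults combine `nomad_vault_address: "http://vault.service.consul:8200"` with `nomad_vault_use_ssl: false`, so a deployment that flips `nomad_vault_enabled` on without also changing both would send `nomad_vault_token` to Vault over plain HTTP. Safer defaults are `nomad_vault_address: "https://vault.service.consul:8200"` and `nomad_vault_use_ssl: true`, or at least a comment on the address line that the scheme must be https once a token is configured. The hunk also introduces `nomad_use_vault: false` next to `nomad_vault_enabled: false`; if one gates the template and the other feeds the `enabled` attribute, a one-line comment on each saying so would stop them drifting apart. The TLS block defaults every sub-flag (`nomad_tls_http`, `nomad_tls_rpc`, `nomad_tls_verify_server_hostname`) to false, so `nomad_use_tls: true` on its own enables nothing — a comment stating that would spare the next reader from assuming TLS is on.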
+++ b/fdio.infra.ansible/roles/nomad/meta/main.yaml @@ -1,18 +1,21 @@ --- -# file: roles/nomad/meta/main.yaml +# file: meta/main.yaml -dependencies: [docker] +dependencies: ["docker"] galaxy_info: - role_name: nomad - author: fd.io - description: Hashicorp Nomad. - company: none + role_name: "nomad" + author: "pmikus" + description: "Hashicorp Nomad." + company: "none" license: "license (Apache)" - min_ansible_version: 2.9 + min_ansible_version: "2.9" platforms: - - name: Ubuntu - versions: - - jammy + - name: "Ubuntu" + release: + - "focal" + - "jammy" + - "kinetic" galaxy_tags: - - nomad + - "nomad" + - "hashicorp" diff --git a/fdio.infra.ansible/roles/nomad/tasks/main.yaml b/fdio.infra.ansible/roles/nomad/tasks/main.yaml index 0204c0591c..72b78458f8 100644 --- a/fdio.infra.ansible/roles/nomad/tasks/main.yaml +++ b/fdio.infra.ansible/roles/nomad/tasks/main.yaml @@ -1,7 +1,7 @@ --- # file: tasks/main.yaml -- name: Inst - Update Repositories Cache +- name: Update Repositories Cache ansible.builtin.apt: update_cache: true when: @@ -9,7 +9,7 @@ tags: - nomad-inst-package -- name: Inst - Dependencies +- name: Dependencies ansible.builtin.apt: name: "{{ packages | flatten(levels=1) }}" state: "present" @@ -20,30 +20,31 @@ tags: - nomad-inst-dependencies -- name: Conf - Add Nomad Group +- name: Add Nomad Group ansible.builtin.group: name: "{{ nomad_group }}" - state: "{{ nomad_user_state }}" + state: "present" tags: - nomad-conf-user -- name: Conf - Add Nomad user +- name: Add Nomad user ansible.builtin.user: name: "{{ nomad_user }}" group: "{{ nomad_group }}" - state: "{{ nomad_group_state }}" + state: "present" system: true tags: - nomad-conf-user -- name: Inst - Download Nomad +- name: Download Nomad ansible.builtin.get_url: url: "{{ nomad_zip_url }}" dest: "{{ nomad_inst_dir }}/{{ nomad_pkg }}" + mode: 0644 tags: - nomad-inst-package -- name: Inst - Clean Nomad +- name: Clean Nomad ansible.builtin.file: path: "{{ nomad_inst_dir }}/nomad" state: "absent" 
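Review bot: The `platforms` entry now uses `release:` where the removed lines used `versions:`; the `galaxy_info.platforms` schema keys the version list as `versions`, so the new key is most likely ignored and the platform list becomes empty in Galaxy metadata. Proposed: `release:` → `versions:` on that line. Quoting `min_ansible_version: "2.9"` is a good change, since the unquoted form is a float.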
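Review bot: The `Download Nomad` task still fetches `nomad_zip_url` with no `checksum:`, although the role already defines `nomad_checksum_file_url` for exactly that purpose (visible in the defaults hunk), so a tampered or truncated archive would be unpacked and installed as-is. `ansible.builtin.get_url` accepts a URL-form checksum that matches the archive's basename in the SHA256SUMS file: add `checksum: "sha256:{{ nomad_checksum_file_url }}"` under `dest:`. The added `mode: 0644` works only because the leading zero makes the YAML 1.1 parser read it as octal; the quoted string form `mode: "0644"` is the unambiguous spelling, and the same applies to the `0755`/`0644` modes in the later hunks of this file.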
@@ -52,7 +53,7 @@ tags: - nomad-inst-package -- name: Inst - Unarchive Nomad +- name: Unarchive Nomad ansible.builtin.unarchive: src: "{{ nomad_inst_dir }}/{{ nomad_pkg }}" dest: "{{ nomad_inst_dir }}/" @@ -60,7 +61,7 @@ tags: - nomad-inst-package -- name: Inst - Nomad +- name: Nomad ansible.builtin.copy: src: "{{ nomad_inst_dir }}/nomad" dest: "{{ nomad_bin_dir }}" 
@@ -72,97 +73,35 @@ tags: - nomad-inst-package -- name: Conf - Create Directories "{{ nomad_data_dir }}" - ansible.builtin.file: - dest: "{{ nomad_data_dir }}" - state: directory - owner: "{{ nomad_user }}" - group: "{{ nomad_group }}" - mode: 0755 - tags: - - nomad-conf - -- name: Conf - Create Directories "{{ nomad_ssl_dir }}" - ansible.builtin.file: - dest: "{{ nomad_ssl_dir }}" - state: directory - owner: "{{ nomad_user }}" - group: "{{ nomad_group }}" - mode: 0755 - tags: - - nomad-conf - -- name: Conf - Create Config Directory +- name: Create Directories ansible.builtin.file: - dest: "{{ nomad_config_dir }}" - state: directory + dest: "{{ item }}" + state: "directory" owner: "{{ nomad_user }}" group: "{{ nomad_group }}" mode: 0755 + with_items: + - "{{ nomad_data_dir }}" + - "{{ nomad_config_dir }}" + - "{{ nomad_ssl_dir }}" tags: - nomad-conf -- name: Conf - Base Configuration - ansible.builtin.template: - src: base.hcl.j2 - dest: "{{ nomad_config_dir }}/base.hcl" - owner: "{{ nomad_user }}" - group: "{{ nomad_group }}" - mode: 0644 - tags: - - nomad-conf - -- name: Conf - Server Configuration +- name: Base Configuration ansible.builtin.template: - src: server.hcl.j2 - dest: "{{ nomad_config_dir }}/server.hcl" - owner: "{{ nomad_user }}" - group: "{{ nomad_group }}" - mode: 0644 - when: - - nomad_node_server | bool - tags: - - nomad-conf - -- name: Conf - Client Configuration - ansible.builtin.template: - src: client.hcl.j2 - dest: "{{ nomad_config_dir }}/client.hcl" - owner: "{{ nomad_user }}" - group: "{{ nomad_group }}" - mode: 0644 - when: - - nomad_node_client | bool - tags: - - nomad-conf - -- name: Conf - TLS Configuration - ansible.builtin.template: - src: tls.hcl.j2 - dest: "{{ nomad_config_dir }}/tls.hcl" - owner: "{{ nomad_user }}" - group: "{{ nomad_group }}" - mode: 0644 - tags: - - nomad-conf - -- name: Conf - Telemetry Configuration - ansible.builtin.template: - src: telemetry.hcl.j2 - dest: "{{ nomad_config_dir }}/telemetry.hcl" - owner: "{{ 
nomad_user }}" - group: "{{ nomad_group }}" - mode: 0644 - tags: - - nomad-conf - -- name: Conf - Consul Configuration - ansible.builtin.template: - src: consul.hcl.j2 - dest: "{{ nomad_config_dir }}/consul.hcl" + src: "{{ item }}.hcl.j2" + dest: "{{ nomad_config_dir }}/{{ item }}.hcl" owner: "{{ nomad_user }}" group: "{{ nomad_group }}" mode: 0644 + with_items: + - "base" + - "consul" + - "client" + - "server" + - "telemetry" + - "tls" + - "vault" tags: - nomad-conf @@ -180,20 +119,21 @@ tags: - nomad-conf -- name: Conf - Nomad CLI Environment Variables +- name: Nomad CLI Environment Variables ansible.builtin.lineinfile: path: "/etc/profile.d/nomad.sh" line: "{{ item }}" + mode: 0644 create: true loop: - - "export NOMAD_ADDR=http://nomad.service.consul:4646" - - "export NOMAD_CACERT={{ nomad_ca_file }}" -# - "export NOMAD_CLIENT_CERT={{ nomad_cli_cert_file }}" -# - "export NOMAD_CLIENT_KEY={{ nomad_cli_key_file }}" + - "export NOMAD_ADDR=https://nomad-server.service.consul:4646" + - "export NOMAD_CACERT={{ nomad_tls_ca_file }}" + - "export NOMAD_CLIENT_CERT={{ nomad_tls_cli_cert_file }}" + - "export NOMAD_CLIENT_KEY={{ nomad_tls_cli_key_file }}" tags: - nomad-conf -- name: Conf - System.d Script +- name: System.d Script ansible.builtin.template: src: "nomad_systemd.service.j2" dest: "/lib/systemd/system/nomad.service" diff --git a/fdio.infra.ansible/roles/nomad/templates/cfssl.json b/fdio.infra.ansible/roles/nomad/templates/cfssl.json new file mode 100644 index 0000000000..2b603e9b84 --- /dev/null +++ b/fdio.infra.ansible/roles/nomad/templates/cfssl.json @@ -0,0 +1,8 @@ +{ + "signing": { + "default": { + "expiry": "87600h", + "usages": ["signing", "key encipherment", "server auth", "client auth"] + } + } +}
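Review bot: The merged `Base Configuration` loop renders `client.hcl` and `server.hcl` on every node, whereas the removed tasks gated them on `nomad_node_client` / `nomad_node_server`; `server.hcl.j2` gains a matching guard in this commit, but `client.hcl.j2` is not in the diff, so it presumably emits a client stanza on server-only hosts unless that template already guards itself — worth confirming. The same loop writes `consul.hcl` and `vault.hcl`, which embed `nomad_consul_token` and `nomad_vault_token`, with `mode: 0644`, i.e. world-readable; `mode: "0640"` with the existing `owner`/`group` keeps the tokens readable only by the service account and root. The directory task likewise leaves `nomad_ssl_dir` at `0755`; `"0750"` would be consistent with the keys it is meant to hold.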
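Review bot: `export NOMAD_ADDR=https://nomad-server.service.consul:4646` assumes the HTTP API serves TLS, but the defaults this commit ships leave `nomad_tls_http: false`, so on a default deployment the CLI will attempt a TLS handshake against a plaintext listener and fail. Either derive the scheme from the variable, `- "export NOMAD_ADDR={{ 'https' if nomad_tls_http | bool else 'http' }}://nomad-server.service.consul:4646"`, or change the default to `nomad_tls_http: true` in the same commit. The newly uncommented `NOMAD_CLIENT_CERT` / `NOMAD_CLIENT_KEY` lines only take effect when `nomad_tls_verify_https_client` is true, and nothing in the diff creates `nomad-cli.pem`; a comment naming the task or procedure that issues those files would help the next operator.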
\ No newline at end of file diff --git a/fdio.infra.ansible/roles/nomad/templates/consul.hcl.j2 b/fdio.infra.ansible/roles/nomad/templates/consul.hcl.j2 index 6d30676ca0..a9c1aff7b2 100644 --- a/fdio.infra.ansible/roles/nomad/templates/consul.hcl.j2 +++ b/fdio.infra.ansible/roles/nomad/templates/consul.hcl.j2 
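Review bot: The single `default` signing profile issues every certificate with `"expiry": "87600h"` (ten years) and with both `server auth` and `client auth` usages, so a leaked CLI key referenced from `/etc/profile.d/nomad.sh` is also a valid server identity for a decade. Nomad agents do need both usages on one certificate, but CLI and tooling certificates only need `client auth`, and a shorter expiry is cheap to rotate because cfssl reads the config at signing time. A constructed example with a separate `cli` profile and a one-year lifetime is below; JSON cannot carry a comment, so the role README should state which profile is used for which file.
```json
{
  "signing": {
    "default": {
      "expiry": "8760h",
      "usages": ["signing", "key encipherment", "server auth", "client auth"]
    },
    "profiles": {
      "cli": {
        "expiry": "8760h",
        "usages": ["signing", "key encipherment", "client auth"]
      }
    }
  }
}
```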
@@ -1,18 +1,63 @@ {% if nomad_use_consul | bool == True %} consul { - # The address to the Consul agent. + # Specifies the address to the local Consul agent, given in the format + # host:port. address = "{{ nomad_consul_address }}" - token = "{{ nomad_consul_token }}" - # The service name to register the server and client with Consul. - server_service_name = "{{ nomad_consul_servers_service_name }}" - client_service_name = "{{ nomad_consul_clients_service_name }}" - tags = {{ nomad_consul_tags | to_json }} - # Enables automatically registering the services. + # Specifies if Nomad should advertise its services in Consul. The services + # are named according to server_service_name and client_service_name. Nomad + # servers and clients advertise their respective services, each tagged + # appropriately with either http or rpc tag. Nomad servers also advertise a + # serf tagged service. auto_advertise = true - # Enabling the server and client to bootstrap using Consul. - server_auto_join = true + # Specifies if the Nomad clients should automatically discover servers in + # the same region by searching for the Consul service name defined in the + # server_service_name option. The search occurs if the client is not + # registered with any servers or it is unable to heartbeat to the leader of + # the region, in which case it may be partitioned and searches for other + # servers. client_auto_join = true + + # Specifies the name of the service in Consul for the Nomad clients. + client_service_name = "{{ nomad_consul_clients_service_name }}" + + # Specifies the name of the service in Consul for the Nomad servers. + server_service_name = "{{ nomad_consul_servers_service_name }}" + + # Specifies if the Nomad servers should automatically discover and join + # other Nomad servers by searching for the Consul service name defined in + # the server_service_name option. This search only happens if the server + # does not have a leader. 
+ server_auto_join = true + + # Specifies optional Consul tags to be registered with the Nomad server and + # agent services. + tags = {{ nomad_consul_tags | to_json }} + + # Specifies the token used to provide a per-request ACL token. This option + # overrides the Consul Agent's default token. If the token is not set here + # or on the Consul agent, it will default to Consul's anonymous policy, + # which may or may not allow writes. + token = "{{ nomad_consul_token }}" + + {% if nomad_consul_use_ssl | bool == True -%} + # Specifies if the transport scheme should use HTTPS to communicate with the + # Consul agent. + ssl = true + + # Specifies an optional path to the CA certificate used for Consul + # communication. This defaults to the system bundle if unspecified. + ca_file = "{{ nomad_ca_file }}" + + # Specifies the path to the certificate used for Consul communication. If + # this is set then you need to also set key_file. + cert_file = "{{ nomad_cert_file }}" + + # Specifies the path to the private key used for Consul communication. If + # this is set then you need to also set cert_file. + key_file = "{{ nomad_key_file }}" + {% endif %} + } {% endif %}
\ No newline at end of file diff --git a/fdio.infra.ansible/roles/nomad/templates/nomad_systemd.service.j2 b/fdio.infra.ansible/roles/nomad/templates/nomad_systemd.service.j2 index 61f07df5b6..564505781b 100644 --- a/fdio.infra.ansible/roles/nomad/templates/nomad_systemd.service.j2 +++ b/fdio.infra.ansible/roles/nomad/templates/nomad_systemd.service.j2 @@ -11,6 +11,11 @@ After=network-online.target #After=consul.service [Service] +# Nomad server should be run as the nomad user. Nomad clients +# should be run as root +#User=nomad +#Group=nomad + ExecReload=/bin/kill -HUP $MAINPID ExecStart={{ nomad_bin_dir }}/nomad agent -config {{ nomad_config_dir }} KillMode=process diff --git a/fdio.infra.ansible/roles/nomad/templates/server.hcl.j2 b/fdio.infra.ansible/roles/nomad/templates/server.hcl.j2 index 570d92e0c1..e19dea9e6f 100644 --- a/fdio.infra.ansible/roles/nomad/templates/server.hcl.j2 +++ b/fdio.infra.ansible/roles/nomad/templates/server.hcl.j2 @@ -1,3 +1,4 @@ +{% if nomad_node_server | bool == True %} server { enabled = {{ nomad_node_server | bool | lower }} @@ -54,3 +55,4 @@ server { {%- endif %} } +{% endif %}
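Review bot: The new SSL block references `nomad_ca_file`, `nomad_cert_file` and `nomad_key_file`, but this same commit renames those defaults to `nomad_tls_ca_file`, `nomad_tls_cert_file` and `nomad_tls_key_file`, so setting `nomad_consul_use_ssl: true` renders an undefined variable (a task failure under Ansible's default strictness). Change the three lines to `ca_file = "{{ nomad_tls_ca_file }}"`, `cert_file = "{{ nomad_tls_cert_file }}"` and `key_file = "{{ nomad_tls_key_file }}"`. The rendered file also carries `token = "{{ nomad_consul_token }}"`, so the mode the template task gives it should not be world-readable.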
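Review bot: The unit still runs the agent as root: the added comment says servers should run as the `nomad` user, yet `User=`/`Group=` stay commented out unconditionally, so the role's own `nomad_node_server` / `nomad_node_client` facts are not used to drop privileges where its comment says they can be. Since this is a Jinja template, the comment's rule can be applied directly, as below; the data and config directories are already owned by `nomad_user`/`nomad_group` in tasks/main.yaml, so a server-only host should start cleanly, but confirm on a node before making it the default.
```jinja
[Service]
# Nomad servers run unprivileged; clients need root for task drivers.
{% if nomad_node_server | bool and not nomad_node_client | bool %}
User={{ nomad_user }}
Group={{ nomad_group }}
{% endif %}
{# … unchanged: ExecReload / ExecStart / KillMode … #}
```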
\ No newline at end of file diff --git a/fdio.infra.ansible/roles/nomad/templates/telemetry.hcl.j2 b/fdio.infra.ansible/roles/nomad/templates/telemetry.hcl.j2 index 4ad5330d1b..14be0d9548 100644 --- a/fdio.infra.ansible/roles/nomad/templates/telemetry.hcl.j2 +++ b/fdio.infra.ansible/roles/nomad/templates/telemetry.hcl.j2 
@@ -1,10 +1,26 @@ -{% if nomad_telemetry | bool == True %} +{% if nomad_use_telemetry | bool == True %} telemetry { - disable_hostname = "{{ nomad_telemetry_disable_hostname | default(false) | bool | lower }}" - collection_interval = "{{ nomad_telemetry_collection_interval | default("1s") }}" - use_node_name = "{{ nomad_telemetry_use_node_name | default(false) | bool | lower }}" - publish_allocation_metrics = "{{ nomad_telemetry_publish_allocation_metrics | default(false) | bool | lower }}" - publish_node_metrics = "{{ nomad_telemetry_publish_node_metrics | default(false) | bool | lower }}" - prometheus_metrics = "{{ nomad_telemetry_prometheus_metrics | default(false) | bool | lower }}" + # Specifies if gauge values should be prefixed with the local hostname. + disable_hostname = {{ nomad_telemetry_disable_hostname | bool | lower }} + + # Specifies the time interval at which the Nomad agent collects telemetry + # data. + collection_interval = "{{ nomad_telemetry_collection_interval }}" + + # Specifies if gauge values should be prefixed with the name of the node, + # instead of the hostname. If set it will override disable_hostname value. + use_node_name = {{ nomad_telemetry_use_node_name | bool | lower }} + + # Specifies if Nomad should publish runtime metrics of allocations. + publish_allocation_metrics = {{ nomad_telemetry_publish_allocation_metrics | bool | lower }} + + # Specifies if Nomad should publish runtime metrics of nodes. + publish_node_metrics = {{ nomad_telemetry_publish_node_metrics | bool | lower }} + + # Specifies whether the agent should make Prometheus formatted metrics + # available at /v1/metrics?format=prometheus.Specifies whether the agent + # should make Prometheus formatted metrics available at + # /v1/metrics?format=prometheus. + prometheus_metrics = {{ nomad_telemetry_prometheus_metrics | bool | lower }} } {% endif %} 
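Review bot: The comment above `prometheus_metrics` repeats its own sentence — the text after `format=prometheus.` duplicates what precedes it — so the rendered HCL carries a garbled four-line comment. Reduce it to `# Specifies whether the agent should make Prometheus formatted metrics` / `# available at /v1/metrics?format=prometheus.`. Dropping the `| default(...)` filters is fine because defaults/main.yaml now defines every variable used here, but note that the default `collection_interval` moves from `60s` to `"1s"` in the same commit, a sixty-fold increase in collection frequency that deserves a mention in the commit description.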
diff --git a/fdio.infra.ansible/roles/nomad/templates/tls.hcl.j2 b/fdio.infra.ansible/roles/nomad/templates/tls.hcl.j2 index ceccdc8be5..0a1a5b20a4 100644 --- a/fdio.infra.ansible/roles/nomad/templates/tls.hcl.j2 +++ b/fdio.infra.ansible/roles/nomad/templates/tls.hcl.j2 
@@ -1,12 +1,36 @@ -{% if nomad_tls_enable | bool %} +{% if nomad_use_tls | bool %} tls { - http = {{ nomad_http | bool | lower }} - rpc = {{ nomad_rpc | bool | lower }} - ca_file = "{{ nomad_ca_file }}" - cert_file = "{{ nomad_cert_file }}" - key_file = "{{ nomad_key_file }}" - rpc_upgrade_mode = {{ nomad_rpc_upgrade_mode | bool | lower }} - verify_server_hostname = {{ nomad_verify_server_hostname | bool | lower }} - verify_https_client = {{ nomad_verify_https_client | bool | lower }} + # Specifies the path to the CA certificate to use for Nomad's TLS + # communication. + ca_file = "{{ nomad_tls_ca_file }}" + + # Specifies the path to the certificate file used for Nomad's TLS + # communication. + cert_file = "{{ nomad_tls_cert_file }}" + + # Specifies the path to the key file to use for Nomad's TLS communication. + key_file = "{{ nomad_tls_key_file }}" + + # Specifies if TLS should be enabled on the HTTP endpoints on the Nomad + # agent, including the API. + http = {{ nomad_tls_http | bool | lower }} + + # Specifies if TLS should be enabled on the RPC endpoints and Raft traffic + # between the Nomad servers. Enabling this on a Nomad client makes the + # client use TLS for making RPC requests to the Nomad servers. + rpc = {{ nomad_tls_rpc | bool | lower }} + + # This option should be used only when the cluster is being upgraded to + # TLS, and removed after the migration is complete. This allows the agent + # to accept both TLS and plaintext traffic. + rpc_upgrade_mode = {{ nomad_tls_rpc_upgrade_mode | bool | lower }} + + # Specifies agents should require client certificates for all incoming + # HTTPS requests. The client certificates must be signed by the same CA + # as Nomad. + verify_https_client = {{ nomad_tls_verify_https_client | bool | lower }} + + # Specifies if outgoing TLS connections should verify the server's hostname. + verify_server_hostname = {{ nomad_tls_verify_server_hostname | bool | lower }} } {% endif %} 
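Review bot: With the defaults this commit ships (`nomad_tls_http: false`, `nomad_tls_rpc: false`, `nomad_tls_verify_server_hostname: false`) the stanza rendered here enables nothing even though `nomad_use_tls` is true, and once `rpc` is switched on, `verify_server_hostname = false` lets any certificate signed by the CA — including a client or CLI certificate — be presented as a server. Nomad's guidance pairs `verify_server_hostname = true` with server certificates issued for the `server.<region>.nomad` name; consider `nomad_tls_verify_server_hostname: true` as the role default and a comment on that line saying the role's cfssl config must then issue server certificates with that SAN. The `rpc_upgrade_mode` comment already calls the flag migration-only; a `# TODO: set to false once every agent speaks TLS` keeps it from being forgotten.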
diff --git a/fdio.infra.ansible/roles/nomad/templates/vault.hcl.j2 b/fdio.infra.ansible/roles/nomad/templates/vault.hcl.j2 new file mode 100644 index 0000000000..7911cbc5c4 --- /dev/null +++ b/fdio.infra.ansible/roles/nomad/templates/vault.hcl.j2 
@@ -0,0 +1,69 @@ +{% if nomad_use_tls | bool == True %} +vault { + # Specifies the address to the Vault server. This must include the protocol, + # host/ip, and port given in the format protocol://host:port. If your Vault + # installation is behind a load balancer, this should be the address of the + # load balancer. + address = "{{ nomad_vault_address }}" + + # Specifies if users submitting jobs to the Nomad server should be required + # to provide their own Vault token, proving they have access to the policies + # listed in the job. This option should be disabled in an untrusted + # environment. + allow_unauthenticated = {{ nomad_vault_allow_unauthenticated | bool | lower }} + + # Specifies if the Vault integration should be activated. + enabled = {{ nomad_vault_enabled | bool | lower }} + + # Specifies the role to create tokens from. The token given to Nomad does + # not have to be created from this role but must have "update" capability + # on "auth/token/create/<create_from_role>" path in Vault. If this value is + # unset and the token is created from a role, the value is defaulted to the + # role the token is from. This is largely for backwards compatibility. It + # is recommended to set the create_from_role field if Nomad is deriving + # child tokens from a role. + create_from_role = "{{ nomad_vault_create_from_role }}" + + # Specifies the TTL of created tokens when using a root token. This is + # specified using a label suffix like "30s" or "1h". + task_token_ttl = "{{ nomad_vault_task_token_ttl }}" + + {% if nomad_vault_use_ssl | bool == True -%} + # Specifies an optional path to the CA certificate used for Vault + # communication. If unspecified, this will fallback to the default system + # CA bundle, which varies by OS and version. + ca_file = "{{ nomad_vault_ca_file }}" + + # Specifies an optional path to a folder containing CA certificates to be + # used for Vault communication. 
If unspecified, this will fallback to the + # default system CA bundle, which varies by OS and version. + ca_path = "{{ nomad_vault_ca_path }}" + + # Specifies the path to the certificate used for Vault communication. This + # must be set if tls_require_and_verify_client_cert is enabled in Vault. + cert_file = "{{ nomad_vault_cert_file }}" + + # Specifies the path to the private key used for Vault communication. If + # this is set then you need to also set cert_file. This must be set if + # tls_require_and_verify_client_cert is enabled in Vault. + key_file = "{{ nomad_vault_key_file }}" + + # Specifies the Vault namespace used by the Vault integration. If non-empty, + # this namespace will be used on all Vault API calls. + namespace = "{{ nomad_vault_namespace }}" + + # Specifies an optional string used to set the SNI host when connecting to + # Vault via TLS. + tls_server_name = "{{ nomad_vault_tls_server_name }}" + + # Specifies if SSL peer validation should be enforced. + tls_skip_verify = {{ nomad_vault_tls_skip_verify | bool | lower }} + {% endif %} + + # Specifies the parent Vault token to use to derive child tokens for jobs + # requesting tokens. Only required on Nomad servers. Nomad client agents + # use the allocation's token when contacting Vault. Visit the Vault + # Integration Guide to see how to generate an appropriate token in Vault. + token = "{{ nomad_vault_token }}" +} +{% endif %}
\ No newline at end of file diff --git a/fdio.infra.ansible/roles/nomad/vars/main.yaml b/fdio.infra.ansible/roles/nomad/vars/main.yaml index a72222c992..791eeadb06 100644 --- a/fdio.infra.ansible/roles/nomad/vars/main.yaml +++ b/fdio.infra.ansible/roles/nomad/vars/main.yaml @@ -1,5 +1,5 @@ --- -# file: roles/nomad/vars/main.yaml +# file: vars/main.yaml nomad_node_client: "{{ (nomad_node_role == 'client') or (nomad_node_role == 'both') }}" nomad_node_server: "{{ (nomad_node_role == 'server') or (nomad_node_role == 'both') }}" |
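Review bot: The new template is gated on `{% if nomad_use_tls | bool == True %}` rather than the `nomad_use_vault` flag this commit adds to defaults/main.yaml, so the Vault stanza is written whenever TLS is on and never when it is off, regardless of `nomad_use_vault`. Change the first line to `{% if nomad_use_vault | bool == True %}`. The rendered file embeds `token = "{{ nomad_vault_token }}"` and the template task installs it with mode `0644`; a Vault token on disk should be `0640` and owned by the service user. Finally, `allow_unauthenticated` defaults to true while the comment just above it says the option should be disabled in an untrusted environment — a default of false, or a pointer to that trade-off next to `nomad_vault_allow_unauthenticated` in defaults/main.yaml, would be the safer starting point.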