Add consul clients, DRY up consul_dc

This commit is contained in:
Amarpreet Minhas 2020-08-27 16:29:53 -04:00
parent 0d9e708735
commit 13f08c52e5
15 changed files with 190 additions and 7 deletions


@ -1,5 +1,6 @@
---
# consul
consul_dc: columbia
consul_version: 1.8.3
# vault


@ -1,4 +1,3 @@
---
consul_dc: columbia
consul_config_path: /usr/local/etc/consul.d
...


@ -1,3 +0,0 @@
---
consul_dc: columbia
...


@ -1,3 +0,0 @@
---
consul_dc: columbia
...


@ -1,3 +1,9 @@
[all]
fatman.minhas.io
ivyking.minhas.io
ranger.minhas.io
sedan.minhas.io
[consul_server]
fatman.minhas.io
ivyking.minhas.io


@ -0,0 +1,7 @@
---
- hosts: all
roles:
- { role: consul,
when: '"consul_server" not in group_names'
}
...
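Review bot: The role entry at the `- { role: consul,` lines spreads a flow mapping over three lines for structured data; block style reads and diffs better here: `- role: consul` with `when: '"consul_server" not in group_names'` indented beneath it. A `when` placed on a role is re-evaluated on every task of the role for every host, so selecting hosts on the play instead, `- hosts: 'all:!consul_server'`, skips the server hosts outright and drops the condition altogether. The indentation of `roles:` appears lost in the rendered view, so the exact nesting cannot be confirmed from here.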


@ -5,4 +5,5 @@
- import_playbook: consul-server.yml
- import_playbook: vault-server.yml
- import_playbook: consul-client.yml
...


@ -0,0 +1,3 @@
---
consul_config_path: /etc/consul.d
...


@ -0,0 +1,18 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


@ -0,0 +1,15 @@
[Unit]
Description=Consul Service Discovery Agent
After=network-online.target
[Service]
Type=simple
Restart=on-failure
User=consul
Group=consul
RestartSec=3
StateDirectory=consul
ExecStart=/usr/local/bin/consul agent -config-dir /etc/consul.d/
[Install]
WantedBy=multi-user.target
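Review bot: `After=network-online.target` only orders the unit; without a matching `Wants=network-online.target` the target is never pulled in, so the agent can start before the network is up and `bind_addr`/join will fail on boot — add `Wants=network-online.target` beside the `After=` line. `StateDirectory=consul` provisions /var/lib/consul, but the agent config added in this commit sets `data_dir = "/opt/consul"`, so the directive is unused unless the two are aligned. Because the agent runs as `User=consul`, an `ExecReload=/bin/kill --signal HUP $MAINPID` line lets config changes be applied without a restart, and the common hardening keys (`NoNewPrivileges=true`, `ProtectSystem=full`, `PrivateTmp=true`) cost nothing for this service.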


@ -0,0 +1,14 @@
---
- name: daemon_reload
systemd:
daemon_reload: True
- name: restart_consul_debian
systemd:
name: consul
state: restarted
- name: restart_consul_fbsd
service:
name: consul
state: restarted
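Review bot: `daemon_reload: True` uses a Python-style capitalised boolean, as do the `True`/`False` values throughout the Debian task file in this commit; YAML 1.2 and yamllint's truthy rule expect lowercase, so write `daemon_reload: true` (and `system: true`, `changed_when: false`, and so on). Handlers run in the order they are defined here, so `daemon_reload` correctly precedes the restart when both are notified; note however that the `copy consul unit file` task only notifies `daemon_reload`, so a changed unit file never restarts a running agent unless that task also notifies `restart_consul_debian`.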


@ -0,0 +1,88 @@
---
- name: ensure consul group
group:
name: consul
state: present
system: True
- name: ensure consul user
user:
name: consul
state: present
group: consul
system: True
- name: ensure consul config dir
file:
path: /etc/consul.d/
state: directory
owner: consul
group: consul
mode: 0755
- name: ensure consul config dir
file:
path: /etc/consul.d/certs/
state: directory
owner: consul
group: consul
mode: 0744
- name: ensure consul agent ca cert
copy:
src: files/consul-agent-ca.pem
dest: /etc/consul.d/certs/consul-agent-ca.pem
owner: consul
group: consul
mode: 0644
- name: ensure consul data dir
file:
path: /opt/consul
state: directory
owner: consul
group: consul
mode: 0755
- name: check consul version
shell:
cmd: "consul --version | head -1 | cut -d'v' -f2"
args:
executable: /bin/bash
changed_when: False
register: installed_consul_version
check_mode: False
- name: get consul
unarchive:
src: "https://releases.hashicorp.com/consul/{{ consul_version }}/consul_{{ consul_version }}_linux_amd64.zip"
dest: /usr/local/bin/
mode: 0755
owner: root
group: root
remote_src: True
when: installed_consul_version.stdout != consul_version
- name: copy consul unit file
copy:
src: files/consul.service
dest: /etc/systemd/system/consul.service
mode: 0755
owner: root
group: root
notify: daemon_reload
- name: template consul config
template:
src: templates/consul.hcl.j2
dest: /etc/consul.d/consul.hcl
owner: root
group: root
mode: 0755
notify: restart_consul_debian
- name: ensure consul is started and enabled
systemd:
name: consul
state: started
enabled: True
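Review bot: The `template consul config` task installs /etc/consul.d/consul.hcl with `mode: 0755` under `owner: root`/`group: root`, yet the template added in this commit writes the gossip encryption key and the agent ACL token into that file, so every local user can read the secrets (and the file is needlessly executable); as the unit runs the agent as `User=consul`, use `group: consul` and `mode: "0640"`, and quote the other octal modes the same way so YAML never reinterprets them. The `copy consul unit file` task likewise gives the unit file `0755` where `"0644"` is conventional, and the second of the two tasks both named `ensure consul config dir` should be renamed (for example `ensure consul certs dir`) so run output distinguishes them. The `get consul` task unpacks a binary fetched over HTTPS with no integrity check and nothing restarts an already-running agent after an upgrade; HashiCorp publishes a `consul_<version>_SHA256SUMS` file next to each release zip, so fetch the archive with `get_url` and its `checksum` option first and only then unarchive it, as sketched below.
```yaml
# … unchanged: group/user/dir/cert/data-dir tasks and the version check …
- name: get consul
  get_url:
    url: "https://releases.hashicorp.com/consul/{{ consul_version }}/consul_{{ consul_version }}_linux_amd64.zip"
    dest: "/tmp/consul_{{ consul_version }}_linux_amd64.zip"
    checksum: "sha256:https://releases.hashicorp.com/consul/{{ consul_version }}/consul_{{ consul_version }}_SHA256SUMS"
    mode: "0644"
  when: installed_consul_version.stdout != consul_version

- name: install consul
  unarchive:
    src: "/tmp/consul_{{ consul_version }}_linux_amd64.zip"
    dest: /usr/local/bin/
    remote_src: true
    owner: root
    group: root
    mode: "0755"
  when: installed_consul_version.stdout != consul_version
  notify: restart_consul_debian
# … unchanged: unit file, config template and service tasks …
```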


@ -0,0 +1,3 @@
---
- include: "{{ ansible_os_family }}.yml"
...
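Review bot: `- include:` has been deprecated since Ansible 2.4 and has since been removed from ansible-core, so this file will stop parsing on an upgrade. Because the filename is built from the `ansible_os_family` fact, which is only known per host at run time, the dynamic form `- include_tasks: "{{ ansible_os_family }}.yml"` is the correct replacement; `import_tasks` resolves its filename at parse time and cannot use facts.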


@ -0,0 +1 @@
{{ lookup('hashi_vault', 'secret=kv/data/consul:data')['consul-client-key'] }}
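Review bot: The Debian task file in this commit never renders this template, and with `auto_encrypt { tls = true }` in the agent config a client obtains its certificate and key from the servers, so a statically distributed client key may be redundant; if another task file (not shown here) does render it, the destination should be owned by `consul` with `mode: "0600"`, since it is a private key. Note also that the `hashi_vault` lookup executes on the control node, so the Vault token and network path must exist there rather than on the target host.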


@ -0,0 +1,33 @@
datacenter = "{{ consul_dc }}"
domain = "consul"
encrypt = "{{ lookup('hashi_vault', 'secret=kv/data/consul:data')['gossip'] }}"
verify_incoming = false
verify_outgoing = true
verify_server_hostname = true
ca_file = "{{ consul_config_path }}/certs/consul-agent-ca.pem"
auto_encrypt {
tls = true
}
bind_addr = "{{ ansible_default_ipv4.address }}"
start_join = ["{{ groups['consul_server'] | map('extract', hostvars, ['ansible_default_ipv4', 'address']) | join('","') }}"]
data_dir = "/opt/consul"
log_level = "INFO"
raft_protocol = 3
addresses {
http = "0.0.0.0"
}
acl {
enabled = true
default_policy = "deny"
enable_token_persistence = true
tokens {
agent = "{{ lookup('hashi_vault', 'secret=kv/data/consul:data')['server-acl-token'] }}"
}
}
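Review bot: `http = "0.0.0.0"` in the `addresses` block exposes the agent's HTTP API on every interface in plaintext (no `https` port is configured), so anything that can reach the HTTP port can talk to the API and the ACL token only limits what a caller may do, not who may try; for a client agent the default `http = "127.0.0.1"` (or a unix socket) is the safer choice, with an `https` listener configured under `ports` if remote access is genuinely needed. The agent token is read from the `server-acl-token` Vault key, which suggests the server agents' token is being reused on clients; a token carrying only the node policy each client needs is the least-privilege option. `retry_join` is the recommended form for joining and keeps retrying when the servers are not yet reachable at boot, whereas `start_join` aborts startup on a failed join (it has since been deprecated): use `retry_join = [...]` with the same expression. `raft_protocol = 3` only applies to server agents and can be dropped from this client template.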