diff --git a/roles/consul/defaults/main.yml b/roles/consul/defaults/main.yml
index 9cd6d69..61a4ee3 100644
--- a/roles/consul/defaults/main.yml
+++ b/roles/consul/defaults/main.yml
@@ -16,63 +16,43 @@ consul_root_dir: /opt/consul # List of consul servers name or IP consul_servers: [] -# List of services exposed by consul, the ports they use, and the list of IP -# for which the service is accessible at the firewall level (if iptables_manage == True) -consul_base_services: - dns: - port: "{{ consul_conf.ports.dns | default(8600) }}" - src_ip: [] - proto: [tcp,udp] - http: - port: "{{ consul_conf.ports.http | default(8500) }}" - src_ip: [] - proto: [tcp] - https: - port: "{{ consul_conf.ports.https | default(8501) }}" - src_ip: [] - proto: [tcp] - grpc: - port: "{{ consul_conf.ports.groc | default(8502) }}" - src_ip: [] - proto: [tcp] - serf_lan: - port: "{{ consul_conf.ports.serf_lan | default(8301) }}" - src_ip: [] - proto: [tcp,udp] - serf_wan: - port: "{{ consul_conf.ports.serf_wan | default(8302) }}" - src_ip: [] - proto: [tcp,udp] - server: - port: "{{ consul_conf.ports.server | default(8300) }}" - src_ip: [] - proto: [tcp] - sidecar_proxy: - port: "{{ consul_conf.ports.sidecar_proxy_min | default(21000) }}:{{ consul_conf.ports.sidecar_proxy_max | default(21255) }}" - src_ip: [] - proto: [tcp] -consul_extra_services: {} -consul_services: "{{ consul_base_services | combine(consul_extra_services, recursive=True) }}" - # Consul configuration (which will be converted to JSON) # The configuration is splited in a base conf and an extra conf, so you can override part of the config easily consul_base_conf: - node_name: "{{ inventory_hostname }}" - data_dir: "{{ consul_root_dir }}/data" client_addr: 0.0.0.0 log_level: INFO bind_addr: 0.0.0.0 + + # Address that is advertised to the other nodes advertise_addr: "{{ ansible_default_ipv4.address }}" + # You can also advertise the WAN addr + # advertise_addr_wan: x.x.x.x + + # You can define the datacenter in which this agent is running. The default value is dc1 + # datacenter: dc1 + + # Node name, which should be uniq in the region. 
Default is the hostname + # node_name: nomade-fr-zone-c + + # Optional encryption key for the gossip protocol + # You can generate one with cinsul keygen. The key should be the same on all the members + # encrypt: WSnGbK30nI6K/xk9w+AAtk0Y3RMXKoAlsj4VEICqi0I= + retry_join: "{{ consul_servers }}" bootstrap_expect: "{{ consul_servers | length }}" + server: "{{ (inventory_hostname in consul_servers) | ternary(True, False) }}" + ui_config: enabled: "{{ (inventory_hostname in consul_servers) | ternary(True, False) }}" - connect: - enabled: "{{ (inventory_hostname in consul_servers) | ternary(True, False) }}" + performance: raft_multiplier: 1 +consul_extra_conf: {} +consul_host_conf: {} +consul_conf: "{{ consul_base_conf | combine(consul_extra_conf, recursive=True) | combine(consul_host_conf, recursive=True) }}" + # For example # consul_extra_conf: # datacenter: my-dc 
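Review bot: The commented `# encrypt: WSnGbK30nI6K/xk9w+AAtk0Y3RMXKoAlsj4VEICqi0I=` example carries what looks like a real generated gossip key, and a value that copy-pastes into a working config tends to reach production unchanged; replace it with an obviously fake placeholder such as `# encrypt: <output of consul keygen>`. The same comment reads `cinsul keygen` where `consul keygen` is meant. On the added `server:` line, `(inventory_hostname in consul_servers)` is already a boolean, so `server: "{{ inventory_hostname in consul_servers }}"` expresses the same thing without the redundant `ternary(True, False)`; the same simplification applies to the `ui_config.enabled` line kept as context.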
@@ -81,9 +61,45 @@ consul_base_conf: # ui_config: # enabled: False -consul_extra_conf: {} -# Host conf is just another level of configuration override -consul_host_conf: {} - -# Merge all the conf -consul_conf: "{{ consul_base_conf | combine(consul_extra_conf, recursive=True) | combine(consul_host_conf, recursive=True) }}" +# List of services exposed by consul, the ports they use, and the list of IP +# for which the service is accessible at the firewall level (if iptables_manage == True) +consul_base_services: + dns: + port: 8600 + src_ip: [] + proto: [tcp,udp] + http: + port: 8500 + src_ip: [] + proto: [tcp] + https: + port: 8501 + src_ip: [] + proto: [tcp] + grpc: + port: 8502 + src_ip: [] + proto: [tcp] + serf_lan: + port: 8301 + src_ip: [] + proto: [tcp,udp] + serf_wan: + port: 8302 + src_ip: [] + proto: [tcp,udp] + server: + port: 8300 + src_ip: [] + proto: [tcp] + sidecar: + port: 21000:21255 + src_ip: [] + proto: [tcp] + expose: + port: 21500:21755 + src_ip: [] + proto: [tcp] +consul_extra_services: {} +consul_host_services: {} +consul_services: "{{ consul_base_services | combine(consul_extra_services, recursive=True) | combine(consul_host_services, recursive=True) }}" diff --git a/roles/consul/tasks/conf.yml b/roles/consul/tasks/conf.yml index fd6fc25..38cde13 100644 --- a/roles/consul/tasks/conf.yml +++ b/roles/consul/tasks/conf.yml @@ -2,11 +2,11 @@ - name: Deploy consul configuration template: - src: consul.json.j2 - dest: "{{ consul_root_dir }}/etc/consul.json" + src: consul.hcl.j2 + dest: "{{ consul_root_dir }}/etc/consul.hcl" owner: root group: "{{ consul_user }}" - mode: 640 - validate: consul validate %s + mode: 0640 + #validate: consul validate %s notify: restart consul tags: consul diff --git a/roles/consul/tasks/facts.yml b/roles/consul/tasks/facts.yml index bc8c9b7..be8d5ee 100644 --- a/roles/consul/tasks/facts.yml +++ b/roles/consul/tasks/facts.yml 
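Review bot: The two range values `port: 21000:21255` (sidecar) and `port: 21500:21755` (expose) are unquoted; they escape YAML 1.1 sexagesimal parsing only because the second field has five digits, and the new HCL template relies on them being strings it can `split(':')`, so quote them: `port: "21000:21255"` and `port: "21500:21755"`. It is also worth a line above `consul_base_services` saying that these entries now feed Consul's `ports {}` block in the HCL template and not only the firewall rules, because with these defaults the `https` and `grpc` listeners, which Consul leaves disabled unless a port is set, are switched on for every agent.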
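Review bot: Commenting out `validate: consul validate %s` removes the only guard against deploying an unparsable consul.hcl; with `notify: restart consul` still in place, a bad render now restarts the agent into a failing state instead of aborting the play. If the check was dropped because the temporary file Ansible passes as `%s` has no `.hcl` extension, `validate: consul validate -config-format=hcl %s` tells Consul the format explicitly (confirm the Consul version in use accepts that flag). Separately, `mode: 0640` should be the string `mode: "0640"` as Ansible recommends: a YAML 1.2 parser reads the bare value as decimal 640 and the file ends up with a different permission.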
@@ -1,12 +1,26 @@ --- -- name: Detect installed version - block: - - import_tasks: ../includes/webapps_set_install_mode.yml - vars: - - root_dir: "{{ consul_root_dir }}" - - version: "{{ consul_version }}" - - set_fact: consul_install_mode={{ install_mode | default('none') }} - - set_fact: consul_current_version={{ current_version | default('') }} +- set_fact: consul_install_mode='none' tags: consul +- name: Detect if consul is installed + stat: path=/usr/local/bin/consul + register: consul_bin + tags: consul + +- when: not consul_bin.stat.exists + set_fact: consul_install_mode='install' + tags: consul + +- when: consul_bin.stat.exists + block: + - name: Detect installed version + shell: /usr/local/bin/consul version | head -1 | perl -pe 's/Consul v(\d+(\.\d+)*)/$1/' + changed_when: False + register: consul_current_version + - set_fact: consul_current_version={{ consul_current_version.stdout }} + tags: consul + +- when: consul_bin.stat.exists and consul_current_version != consul_version + set_fact: consul_install_mode='upgrade' + diff --git a/roles/consul/tasks/iptables.yml b/roles/consul/tasks/iptables.yml index 16711ab..54e4447 100644 --- a/roles/consul/tasks/iptables.yml +++ b/roles/consul/tasks/iptables.yml 
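Review bot: The last task, `- when: consul_bin.stat.exists and consul_current_version != consul_version`, is the only one in the file without `tags: consul`, so a run limited to `--tags consul` detects an installed agent but never promotes `consul_install_mode` to `'upgrade'`; add `tags: consul` to it like the tasks above. `consul_current_version` is first the registered shell result and then overwritten with its own `.stdout`; registering the command under a distinct name (for example `register: consul_version_cmd` and `set_fact: consul_current_version={{ consul_version_cmd.stdout }}`) keeps the two meanings apart. The detection also hardcodes `/usr/local/bin/consul` while the unit file runs `{{ consul_root_dir }}/bin/consul`; if those can diverge, the version check should inspect the binary the service actually executes.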
@@ -6,10 +6,10 @@ state: "{{ (('tcp' in consul_services[item].proto or 'udp' in consul_services[item].proto) and consul_services[item].src_ip | length > 0) | ternary('present', 'absent') }}" rules: | {% if 'tcp' in consul_services[item].proto %} - -A INPUT -m state --state NEW -p tcp --dport {{ consul_services[item].port }} -j ACCEPT + -A INPUT -m state --state NEW -p tcp --dport {{ consul_services[item].port }} -s {{ consul_services[item].src_ip | join(',') }} -j ACCEPT {% endif %} {% if 'udp' in consul_services[item].proto %} - -A INPUT -m state --state NEW -p udp --dport {{ consul_services[item].port }} -j ACCEPT + -A INPUT -m state --state NEW -p udp --dport {{ consul_services[item].port }} -s {{ consul_services[item].src_ip | join(',') }} -j ACCEPT {% endif %} loop: "{{ consul_services.keys() | list }}" tags: firewall,consul diff --git a/roles/consul/tasks/main.yml b/roles/consul/tasks/main.yml index 109fe72..8963d5c 100644 --- a/roles/consul/tasks/main.yml +++ b/roles/consul/tasks/main.yml @@ -26,9 +26,6 @@ - include_tasks: services.yml tags: always -- include_tasks: write_version.yml - tags: always - - include_tasks: archive_post.yml when: consul_install_mode | default('none') == 'upgrade' tags: always diff --git a/roles/consul/tasks/write_version.yml b/roles/consul/tasks/write_version.yml deleted file mode 100644 index 31d5bc8..0000000 --- a/roles/consul/tasks/write_version.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- - -- name: Write installed version - copy: content={{ consul_version }} dest={{ consul_root_dir }}/meta/ansible_version - tags: consul diff --git a/roles/consul/templates/consul.hcl.j2 b/roles/consul/templates/consul.hcl.j2 new file mode 100644 index 0000000..e63201d --- /dev/null +++ b/roles/consul/templates/consul.hcl.j2 
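Review bot: With `-s {{ consul_services[item].src_ip | join(',') }}` now part of both rules and `state` already flipping to `absent` on an empty `src_ip`, the only way to express "open to any source" is to list `0.0.0.0/0` explicitly; a comment above `rules:` such as `# src_ip must be non-empty; use 0.0.0.0/0 to allow any source` would make that discoverable, ideally repeated next to `src_ip: []` in the defaults. An IPv6 address in `src_ip` would be rejected by iptables here, since only the IPv4 `INPUT` chain is rendered, so the defaults should state that the list is IPv4-only. The task's opening lines are outside the hunk.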
@@ -0,0 +1,47 @@
+data_dir = "{{ consul_root_dir }}/data"
+log_level = "{{ consul_conf.log_level }}"
+bind_addr = "0.0.0.0"
+client_addr = "0.0.0.0"
+
+advertise_addr = "{{ consul_conf.advertise_addr }}"
+
+{% if consul_conf.datacenter is defined %}
+datacenter = "{{ consul_conf.datacenter }}"
+{% endif %}
+
+{% if consul_conf.node_name is defined %}
+node_name = {{ consul_conf.node_name }}
+{% endif %}
+
+ports {
+{% for service in consul_services.keys() | list %}
+{% if service not in ['sidecar', 'expose'] and consul_services[service].port is defined %}
+ {{ service }} = {{ consul_services[service].port }}
+{% elif service in ['sidecar', 'expose'] %}
+ {{ service }}_min_port = {{ consul_services[service].port | split(':') | first }}
+ {{ service }}_max_port = {{ consul_services[service].port | split(':') | last }}
+{% endif %}
+{% endfor %}
+}
+
+bootstrap_expect = {{ consul_conf.bootstrap_expect }}
+
+performance {
+ raft_multiplier = {{ consul_conf.performance.raft_multiplier }}
+}
+
+retry_join = [
+{% for server in consul_servers %}
+ "{{ server }}",
+{% endfor %}
+]
+
+server = {{ consul_conf.server | ternary('true', 'false') }}
+
+{% if consul_conf.encrypt is defined %}
+encrypt = "{{ consul_conf.encrypt }}"
+{% endif %}
+
+ui_config {
+ enabled = {{ consul_conf.ui_config.enabled | ternary('true', 'false') }}
+}
diff --git a/roles/consul/templates/consul.json.j2 b/roles/consul/templates/consul.json.j2
deleted file mode 100644
index b74fa8b..0000000
--- a/roles/consul/templates/consul.json.j2
+++ /dev/null
@@ -1 +0,0 @@
-{{ consul_conf | to_nice_json(indent=2) }}
diff --git a/roles/consul/templates/consul.service.j2 b/roles/consul/templates/consul.service.j2
index 3e69385..8b5a2bc 100644
--- a/roles/consul/templates/consul.service.j2
+++ b/roles/consul/templates/consul.service.j2
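Review bot: `node_name = {{ consul_conf.node_name }}` renders the value unquoted, and HCL needs a quoted string there, so setting the `node_name` the defaults invite breaks config loading (and with `validate` commented out in tasks/conf.yml this surfaces only when the agent restarts); write `node_name = "{{ consul_conf.node_name }}"`. The same applies to `name = {{ nomad_conf.name }}` in the nomad.hcl.j2 hunk. `bind_addr` and `client_addr` are hardcoded to `"0.0.0.0"` although `consul_base_conf` still exposes both keys, so an operator restricting the HTTP API with `client_addr: 127.0.0.1` in `consul_extra_conf` gets no effect; render `bind_addr = "{{ consul_conf.bind_addr }}"` and `client_addr = "{{ consul_conf.client_addr }}"` instead. The `ports {}` loop turns every firewall entry into a Consul listener setting, which enables the `https` and `grpc` ports that Consul's defaults leave disabled; enabling `https` with no `cert_file`/`key_file` configured is unlikely to be intended, so consider skipping those two unless TLS settings are present.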
@@ -3,17 +3,18 @@ Description="HashiCorp Consul - A service mesh solution" Documentation=https://www.consul.io/ Requires=network-online.target After=network-online.target -ConditionFileNotEmpty={{ consul_root_dir }}/etc/consul.json +ConditionFileNotEmpty={{ consul_root_dir }}/etc/consul.hcl [Service] EnvironmentFile=-{{ consul_root_dir }}/etc/consul.env User={{ consul_user }} Group={{ consul_user }} -ExecStart={{ consul_root_dir }}/bin/consul agent -config-dir={{ consul_root_dir }}/etc/ +ExecStart={{ consul_root_dir }}/bin/consul agent -config-file={{ consul_root_dir }}/etc/consul.hcl ExecReload=/bin/kill --signal HUP $MAINPID KillMode=process KillSignal=SIGTERM Restart=on-failure +RestartSec=2 LimitNOFILE=65536 [Install] diff --git a/roles/nomad/defaults/main.yml b/roles/nomad/defaults/main.yml index 978912c..865c41e 100644 --- a/roles/nomad/defaults/main.yml +++ b/roles/nomad/defaults/main.yml @@ -20,6 +20,13 @@ nomad_servers: [] # Nomad configuration nomad_base_conf: log_level: INFO + + # You can define the datacenter in which this agent is running. The default value is dc1 + # datacenter: dc1 + + # Node name, which should be uniq in the region. Default is the hostname + # name: nomade-fr-zone-c + # Client related settings # The default is to act as a client if the hostname is not listed in nomad servers client: diff --git a/roles/nomad/templates/nomad.hcl.j2 b/roles/nomad/templates/nomad.hcl.j2 index 25e8a7e..15fc42a 100644 --- a/roles/nomad/templates/nomad.hcl.j2 +++ b/roles/nomad/templates/nomad.hcl.j2 @@ -2,6 +2,16 @@ data_dir = "{{ nomad_root_dir }}/data" log_level = "{{ nomad_conf.log_level }}" bind_addr = "0.0.0.0" +{% if nomad_conf.datacenter is defined %} +datacenter = "{{ nomad_conf.datacenter }}" +{% endif %} + +{% if nomad_conf.name is defined %} +name = {{ nomad_conf.name }} +{% endif %} + +disable_update_check = true + advertise { {% for service in nomad_services.keys() | list %} {% if nomad_services[service].advertise is defined %}
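Review bot: Replacing `-config-dir={{ consul_root_dir }}/etc/` with `-config-file={{ consul_root_dir }}/etc/consul.hcl` means any other `.hcl`/`.json` file placed in `etc/` (service definitions, TLS or ACL settings added outside this role) is silently ignored from now on. If that is intended, say so in the role documentation; otherwise keep the directory as well, e.g. `ExecStart={{ consul_root_dir }}/bin/consul agent -config-file={{ consul_root_dir }}/etc/consul.hcl -config-dir={{ consul_root_dir }}/etc/`. The unit's `[Unit]` header is outside the hunk.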