Update to 2022-08-01 16:00

2025-10-31 10:51:27 +01:00 · 2022-08-01 16:00:18 +02:00
parent 1650198b44
commit 576eba31fe
11 changed files with 159 additions and 73 deletions
--- a/roles/consul/defaults/main.yml
+++ b/roles/consul/defaults/main.yml
@@ -16,63 +16,43 @@ consul_root_dir: /opt/consul
 # List of consul servers name or IP
 consul_servers: []

-# List of services exposed by consul, the ports they use, and the list of IP
-# for which the service is accessible at the firewall level (if iptables_manage == True)
-consul_base_services:
-  dns:
-    port: "{{ consul_conf.ports.dns | default(8600) }}"
-    src_ip: []
-    proto: [tcp,udp]
-  http:
-    port: "{{ consul_conf.ports.http | default(8500) }}"
-    src_ip: []
-    proto: [tcp]
-  https:
-    port: "{{ consul_conf.ports.https | default(8501) }}"
-    src_ip: []
-    proto: [tcp]
-  grpc:
-    port: "{{ consul_conf.ports.groc | default(8502) }}"
-    src_ip: []
-    proto: [tcp]
-  serf_lan:
-    port: "{{ consul_conf.ports.serf_lan | default(8301) }}"
-    src_ip: []
-    proto: [tcp,udp]
-  serf_wan:
-    port: "{{ consul_conf.ports.serf_wan | default(8302) }}"
-    src_ip: []
-    proto: [tcp,udp]
-  server:
-    port: "{{ consul_conf.ports.server | default(8300) }}"
-    src_ip: []
-    proto: [tcp]
-  sidecar_proxy:
-    port: "{{ consul_conf.ports.sidecar_proxy_min | default(21000) }}:{{ consul_conf.ports.sidecar_proxy_max | default(21255) }}"
-    src_ip: []
-    proto: [tcp]
-consul_extra_services: {}
-consul_services: "{{ consul_base_services | combine(consul_extra_services, recursive=True) }}"
-
 # Consul configuration (which will be converted to JSON)
 # The configuration is splited in a base conf and an extra conf, so you can override part of the config easily
 consul_base_conf:
-  node_name: "{{ inventory_hostname }}"
-  data_dir: "{{ consul_root_dir }}/data"
  client_addr: 0.0.0.0
  log_level: INFO
  bind_addr: 0.0.0.0
+
+  # Address that is advertised to the other nodes
  advertise_addr: "{{ ansible_default_ipv4.address }}"
+  # You can also advertise the WAN addr
+  # advertise_addr_wan: x.x.x.x
+
+  # You can define the datacenter in which this agent is running. The default value is dc1
+  # datacenter: dc1
+
+  # Node name, which should be uniq in the region. Default is the hostname
+  # node_name: nomade-fr-zone-c
+
+  # Optional encryption key for the gossip protocol
+  # You can generate one with cinsul keygen. The key should be the same on all the members
+  # encrypt: WSnGbK30nI6K/xk9w+AAtk0Y3RMXKoAlsj4VEICqi0I=
+
  retry_join: "{{ consul_servers }}"
  bootstrap_expect: "{{ consul_servers | length }}"
+
  server: "{{ (inventory_hostname in consul_servers) | ternary(True, False) }}"
+
  ui_config:
    enabled: "{{ (inventory_hostname in consul_servers) | ternary(True, False) }}"
-  connect:
-    enabled: "{{ (inventory_hostname in consul_servers) | ternary(True, False) }}"
+
  performance:
    raft_multiplier: 1

+consul_extra_conf: {}
+consul_host_conf: {}
+consul_conf: "{{ consul_base_conf | combine(consul_extra_conf, recursive=True) | combine(consul_host_conf, recursive=True) }}"
+
 # For example
 # consul_extra_conf:
 #   datacenter: my-dc
@@ -81,9 +61,45 @@ consul_base_conf:
 #   ui_config:
 #     enabled: False

-consul_extra_conf: {}
-# Host conf is just another level of configuration override
-consul_host_conf: {}
-
-# Merge all the conf
-consul_conf: "{{ consul_base_conf | combine(consul_extra_conf, recursive=True) | combine(consul_host_conf, recursive=True) }}"
+# List of services exposed by consul, the ports they use, and the list of IP
+# for which the service is accessible at the firewall level (if iptables_manage == True)
+consul_base_services:
+  dns:
+    port: 8600
+    src_ip: []
+    proto: [tcp,udp]
+  http:
+    port: 8500
+    src_ip: []
+    proto: [tcp]
+  https:
+    port: 8501
+    src_ip: []
+    proto: [tcp]
+  grpc:
+    port: 8502
+    src_ip: []
+    proto: [tcp]
+  serf_lan:
+    port: 8301
+    src_ip: []
+    proto: [tcp,udp]
+  serf_wan:
+    port: 8302
+    src_ip: []
+    proto: [tcp,udp]
+  server:
+    port: 8300
+    src_ip: []
+    proto: [tcp]
+  sidecar:
+    port: 21000:21255
+    src_ip: []
+    proto: [tcp]
+  expose:
+    port: 21500:21755
+    src_ip: []
+    proto: [tcp]
+consul_extra_services: {}
+consul_host_services: {}
+consul_services: "{{ consul_base_services | combine(consul_extra_services, recursive=True) | combine(consul_host_services, recursive=True) }}"
--- a/roles/consul/tasks/conf.yml
+++ b/roles/consul/tasks/conf.yml
@@ -2,11 +2,11 @@

 - name: Deploy consul configuration
  template:
-    src: consul.json.j2
-    dest: "{{ consul_root_dir }}/etc/consul.json"
+    src: consul.hcl.j2
+    dest: "{{ consul_root_dir }}/etc/consul.hcl"
    owner: root
    group: "{{ consul_user }}"
-    mode: 640
-    validate: consul validate %s
+    mode: 0640
+    #validate: consul validate %s
  notify: restart consul
  tags: consul
--- a/roles/consul/tasks/facts.yml
+++ b/roles/consul/tasks/facts.yml
@@ -1,12 +1,26 @@
 ---

- name: Detect installed version
-  block:
-    - import_tasks: ../includes/webapps_set_install_mode.yml
-      vars:
-        - root_dir: "{{ consul_root_dir }}"
-        - version: "{{ consul_version }}"
-    - set_fact: consul_install_mode={{ install_mode | default('none') }}
-    - set_fact: consul_current_version={{ current_version | default('') }}
+- set_fact: consul_install_mode='none'
  tags: consul

+- name: Detect if consul is installed
+  stat: path=/usr/local/bin/consul
+  register: consul_bin
+  tags: consul
+
+- when: not consul_bin.stat.exists
+  set_fact: consul_install_mode='install'
+  tags: consul
+
+- when: consul_bin.stat.exists
+  block:
+    - name: Detect installed version
+      shell: /usr/local/bin/consul version | head -1 | perl -pe 's/Consul v(\d+(\.\d+)*)/$1/'
+      changed_when: False
+      register: consul_current_version
+    - set_fact: consul_current_version={{ consul_current_version.stdout }}
+  tags: consul
+
+- when: consul_bin.stat.exists and consul_current_version != consul_version
+  set_fact: consul_install_mode='upgrade'
+
--- a/roles/consul/tasks/iptables.yml
+++ b/roles/consul/tasks/iptables.yml
@@ -6,10 +6,10 @@
    state: "{{ (('tcp' in consul_services[item].proto or 'udp' in consul_services[item].proto) and consul_services[item].src_ip | length > 0) | ternary('present', 'absent') }}"
    rules: |
      {% if 'tcp' in consul_services[item].proto %}
-      -A INPUT -m state --state NEW -p tcp --dport {{ consul_services[item].port }} -j ACCEPT
+      -A INPUT -m state --state NEW -p tcp --dport {{ consul_services[item].port }} -s {{ consul_services[item].src_ip | join(',') }} -j ACCEPT
      {% endif %}
      {% if 'udp' in consul_services[item].proto %}
-      -A INPUT -m state --state NEW -p udp --dport {{ consul_services[item].port }} -j ACCEPT
+      -A INPUT -m state --state NEW -p udp --dport {{ consul_services[item].port }} -s {{ consul_services[item].src_ip | join(',') }} -j ACCEPT
      {% endif %}
  loop: "{{ consul_services.keys() | list }}"
  tags: firewall,consul
--- a/roles/consul/tasks/main.yml
+++ b/roles/consul/tasks/main.yml
@@ -26,9 +26,6 @@
 - include_tasks: services.yml
  tags: always

- include_tasks: write_version.yml
-  tags: always
-
 - include_tasks: archive_post.yml
  when: consul_install_mode | default('none') == 'upgrade'
  tags: always
--- a/roles/consul/tasks/write_version.yml
+++ b/roles/consul/tasks/write_version.yml
@@ -1,5 +0,0 @@
---
-
- name: Write installed version
-  copy: content={{ consul_version }} dest={{ consul_root_dir }}/meta/ansible_version
-  tags: consul
--- a/roles/consul/templates/consul.hcl.j2
+++ b/roles/consul/templates/consul.hcl.j2
@@ -0,0 +1,47 @@
+data_dir = "{{ consul_root_dir }}/data"
+log_level = "{{ consul_conf.log_level }}"
+bind_addr = "0.0.0.0"
+client_addr = "0.0.0.0"
+
+advertise_addr = "{{ consul_conf.advertise_addr }}"
+
+{% if consul_conf.datacenter is defined %}
+datacenter = "{{ consul_conf.datacenter }}"
+{% endif %}
+
+{% if consul_conf.node_name is defined %}
+node_name = {{ consul_conf.node_name }}
+{% endif %}
+
+ports {
+{% for service in consul_services.keys() | list %}
+{% if service not in ['sidecar', 'expose'] and consul_services[service].port is defined %}
+  {{ service }} = {{ consul_services[service].port }}
+{% elif service in ['sidecar', 'expose'] %}
+  {{ service }}_min_port = {{ consul_services[service].port | split(':') | first }}
+  {{ service }}_max_port = {{ consul_services[service].port | split(':') | last }}
+{% endif %}
+{% endfor %}
+}
+
+bootstrap_expect = {{ consul_conf.bootstrap_expect }}
+
+performance {
+  raft_multiplier = {{ consul_conf.performance.raft_multiplier }}
+}
+
+retry_join = [
+{% for server in consul_servers %}
+  "{{ server }}",
+{% endfor %}
+]
+
+server = {{ consul_conf.server | ternary('true', 'false') }}
+
+{% if consul_conf.encrypt is defined %}
+encrypt = "{{ consul_conf.encrypt }}"
+{% endif %}
+
+ui_config {
+  enabled = {{ consul_conf.ui_config.enabled | ternary('true', 'false') }}
+}
--- a/roles/consul/templates/consul.json.j2
+++ b/roles/consul/templates/consul.json.j2
@@ -1 +0,0 @@
-{{ consul_conf | to_nice_json(indent=2) }}
--- a/roles/consul/templates/consul.service.j2
+++ b/roles/consul/templates/consul.service.j2
@@ -3,17 +3,18 @@ Description="HashiCorp Consul - A service mesh solution"
 Documentation=https://www.consul.io/
 Requires=network-online.target
 After=network-online.target
-ConditionFileNotEmpty={{ consul_root_dir }}/etc/consul.json
+ConditionFileNotEmpty={{ consul_root_dir }}/etc/consul.hcl

 [Service]
 EnvironmentFile=-{{ consul_root_dir }}/etc/consul.env
 User={{ consul_user }}
 Group={{ consul_user }}
-ExecStart={{ consul_root_dir }}/bin/consul agent -config-dir={{ consul_root_dir }}/etc/
+ExecStart={{ consul_root_dir }}/bin/consul agent -config-file={{ consul_root_dir }}/etc/consul.hcl
 ExecReload=/bin/kill --signal HUP $MAINPID
 KillMode=process
 KillSignal=SIGTERM
 Restart=on-failure
+RestartSec=2
 LimitNOFILE=65536

 [Install]