From 9fbc184c9a0585d0fb81d8e76c8f09a77f4e530a Mon Sep 17 00:00:00 2001 From: Brian Shumate Date: Wed, 26 Oct 2016 11:38:00 -0400 Subject: [PATCH] New features and fixes - Initial ACL support - Initial Atlas support - Streamline main tasks - Update documentation - Update variables --- CHANGELOG.md | 8 ++++ README.md | 36 ++++++++++------ defaults/main.yml | 34 ++++++++++----- examples/README_VAGRANT.md | 4 +- examples/Vagrantfile | 2 +- tasks/RedHat.yml | 5 --- tasks/Ubuntu.yml | 5 --- tasks/dnsmasq.yml | 8 ++-- tasks/main.yml | 81 +++++++++++++++++++----------------- templates/config_acl.json.j2 | 7 ++++ templates/config_atlas.json | 4 ++ version.txt | 2 +- 12 files changed, 116 insertions(+), 80 deletions(-) create mode 100644 templates/config_acl.json.j2 create mode 100644 templates/config_atlas.json diff --git a/CHANGELOG.md b/CHANGELOG.md index a0bbebe7..4118b5d3 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -192,3 +192,11 @@ - Clean up variables (thanks @jessedefer) - Update documentation (thanks @jessedefer) - Update CONTRIBUTORS + +## v1.3.0 + +- Initial ACL support +- Initial Atlas support +- Streamline main tasks +- Update documentation +- Update variables diff --git a/README.md b/README.md index 0d944fde..ccf5911a 100644 --- a/README.md +++ b/README.md @@ -21,6 +21,7 @@ software and versions: * Ansible: 2.1.2.0 * Consul: 0.7.0 * Debian: 8 +* CentOS: 7 ## Role Variables @@ -28,7 +29,7 @@ The role specifies variables in `defaults/main.yml` and `vars/*.yml`. | Name | Default Value | Description | | -------------- | ------------- | -----------------------------------| -| `consul_version` | `0.7.0` | Version to install | +| `consul_version` | *0.7.0* | Version to install | | `consul_zip_url` | `https://releases.hashicorp.com/consul/{{ consul_version }}/consul_{{ consul_version }}_linux_amd64.zip` | Download URL | | `consul_zip_sha256` | SHA256 SUM | Archive SHA256 summary | | `consul_bin_path` | `/usr/local/bin` | Binary installation path | 
@@ -37,21 +38,30 @@ The role specifies variables in `defaults/main.yml` and `vars/*.yml`. | `consul_log_path` | `/var/log/consul` | Log path | | `consul_user` | `consul` | OS user | | `consul_group` | `bin` | OS group | -| `consul_group_name` | `cluster_nodes` | Inventory group name | -| `consul_datacenter` | `dc1` | Datacenter label | +| `consul_group_name` | *cluster_nodes* | Inventory group name | +| `consul_datacenter` | *dc1* | Datacenter label | | `consul_domain` | `consul` | Consul domain name | | `consul_log_level` | `INFO` | Log level | -| `consul_syslog_enable` | `true` | Log to syslog | +| `consul_syslog_enable` | *true* | Log to syslog | | `consul_iface` | `eth1` | Consul network interface | -| `consul_bind_address` | `127.0.0.1` | Bind address | +| `consul_bind_address` | *127.0.0.1* | Bind address | | `consul_bootstrap_address` | `{{ hostvars[groups[consul_group_name][0]]['ansible_'+consul_iface]['ipv4']['address'] }}` | The server interface that additional server nodes will join to for bootstrapping | -| `consul_dns_bind_address` | `127.0.0.1` | DNS API bind address | -| `consul_http_bind_address` | `0.0.0.0` | HTTP API bind address | -| `consul_https_bind_address` | `0.0.0.0` | HTTPS API bind address | -| `consul_rpc_bind_address` | `0.0.0.0` | RPC bind address | +| `consul_dns_bind_address` | *127.0.0.1* | DNS API bind address | +| `consul_http_bind_address` | *0.0.0.0* | HTTP API bind address | +| `consul_https_bind_address` | *0.0.0.0* | HTTPS API bind address | +| `consul_rpc_bind_address` | *0.0.0.0* | RPC bind address | | `consul_node_name` | `{{ inventory_hostname_short }}` | Node name (should not include dots) | | `consul_bind_address` | dynamic from hosts inventory | The interface address to bind to -| `consul_dnsmasq` | `false` | Whether to install and configure DNS API forwarding on port 53 using dnsmasq | +| `consul_dnsmasq_enable` | *false* | Whether to install and configure DNS API forwarding on port 53 using dnsmasq | +| 
`consul_acl_enable` | *false* | Enable ACLs | +| `consul_acl_datacenter` | *dc1* | ACL authoritative datacenter name | +| `consul_acl_default_policy` | *allow* | Default ACL policy | +| `consul_acl_down_policy` | *allow* | Default ACL down policy | +| `consul_acl_master_token` | UUID | ACL master token | +| `consul_acl_replication_token` | UUID | ACL replication token | +| `consul_atlas_enable` | *false* | Enable Atlas support | +| `consul_atlas_infrastructure` | Environment variable | Atlas infrastructure name | +| `consul_atlas_token` | environment variable | Atlas token | ### OS Distribution Variables @@ -106,14 +116,14 @@ Be aware that for clustering, the included `site.yml` does the following: 2. Reconfigures bootstrap node to run without bootstrap-expect setting 3. Restarts bootstrap node -### DNSMasq Support +### DNSMasq Forwarding Support -The role now includes support for DNS forwarding with dnsmasq. +The role now includes support for [DNS forwarding](https://www.consul.io/docs/guides/forwarding.html) with [Dnsmasq](http://www.thekelleys.org.uk/dnsmasq/doc.html). Enable like this: ``` -ansible-playbook -i hosts site.yml --extra-vars "consul_dnsmasq=true" +ansible-playbook -i hosts site.yml --extra-vars "consul_dnsmasq_enable=true" ``` Then, you can query any of the agents via DNS directly via port 53, diff --git a/defaults/main.yml b/defaults/main.yml index 23b9953a..0ba06b48 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1,6 +1,7 @@ --- -# File: defaults/main.yml - Main default variables for Consul +# File: defaults/main.yml - Default variables for Consul +## Core consul_version: "0.7.0" consul_zip_url: "https://releases.hashicorp.com/consul/{{ consul_version }}/consul_{{ consul_version }}_linux_amd64.zip" consul_zip_sha256: "b350591af10d7d23514ebaa0565638539900cdb3aaa048f077217c4c46653dd8" 
@@ -15,9 +16,6 @@ consul_datacenter: "dc1"
 consul_domain: "consul"
 consul_log_level: "INFO"
 consul_syslog_enable: "true"
-consul_ui_url: "https://releases.hashicorp.com/consul/{{ consul_version }}/consul_{{ consul_version }}_web_ui.zip"
-consul_ui_pkg: "{{ consul_version }}_web_ui.zip"
-consul_ui_sha256: "5f8841b51e0e3e2eb1f1dc66a47310ae42b0448e77df14c83bb49e0e0d5fa4b7"
 consul_iface: "eth1"
 consul_bind_address: "{{ hostvars[inventory_hostname]['ansible_'+consul_iface]['ipv4']['address'] }}"
 consul_dns_bind_address: "127.0.0.1"
@@ -26,13 +24,24 @@ consul_https_bind_address: "0.0.0.0"
 consul_rpc_bind_address: "0.0.0.0"
 consul_bootstrap_address: "{{ hostvars[groups[consul_group_name][0]]['ansible_'+consul_iface]['ipv4']['address'] }}"
 consul_node_name: "{{ inventory_hostname_short }}"
+
+## ACL
 consul_acl_enable: "false"
 consul_acl_datacenter: "{{ consul_datacenter }}"
 consul_acl_default_policy: "allow"
-consul_acl_replication_token: ""
-consul_dnsmasq: "false"
+consul_acl_down_policy: "allow"
+consul_acl_master_token: "{{ ansible_date_time.iso8601_micro | to_uuid }}"
+consul_acl_replication_token: "{{ ansible_date_time.iso8601_micro | to_uuid }}"
+
+# Options
+consul_dnsmasq_enable: "false"
+consul_atlas_enable: "false"
+consul_atlas_infrastructure: "{{ lookup('env','ATLAS_INFRA') }}"
+consul_atlas_token: "{{ lookup('env','ATLAS_TOKEN') }}"
 
-# CentOS vars
+## Distribution
+
+### CentOS
 consul_centos_pkg: "consul_{{ consul_version }}_linux_amd64.zip"
 consul_centos_url: "{{ consul_zip_url }}"
 consul_centos_sha256: "{{ consul_zip_sha256 }}"
@@ -42,7 +51,7 @@ consul_centos_os_packages:
 - git
 - unzip
 
-# Debian vars
+### Debian
 consul_debian_pkg: "consul_{{ consul_version }}_linux_amd64.zip"
 consul_debian_url: "{{ consul_zip_url }}"
 consul_debian_sha256: "{{ consul_zip_sha256 }}"
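Review bot: The new defaults `consul_acl_master_token: "{{ ansible_date_time.iso8601_micro | to_uuid }}"` and `consul_acl_replication_token` (same expression) are neither stable nor cluster-wide: `ansible_date_time` is a per-host fact gathered on every run, and `to_uuid` is a deterministic name-based UUID of that timestamp, so each node renders a different token, the value changes on every play, and it is guessable from the approximate run time. Consul needs one shared master token across the ACL datacenter's servers and a secret the operator controls, not a value derived from a clock. Safer is `consul_acl_master_token: ""` with a documented requirement to set it when `consul_acl_enable` is "true", or a one-time random generation under `run_once` the way the gossip key is already produced in tasks/main.yml.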
@@ -51,7 +60,7 @@ consul_debian_os_packages: - git - unzip -# Red Hat vars +### Red Hat consul_redhat_pkg: "consul_{{ consul_version }}_linux_amd64.zip" consul_redhat_url: "{{ consul_zip_url }}" consul_redhat_sha256: "{{ consul_zip_sha256 }}" @@ -61,7 +70,7 @@ consul_redhat_os_packages: - git - unzip -# Ubuntu vars +### Ubuntu consul_ubuntu_pkg: "consul_{{ consul_version }}_linux_amd64.zip" consul_ubuntu_url: "{{ consul_zip_url }}" consul_ubuntu_sha256: "{{ consul_zip_sha256 }}" @@ -69,3 +78,8 @@ consul_ubuntu_sha256: "{{ consul_zip_sha256 }}" consul_ubuntu_os_packages: - git - unzip + +## Deprecated +consul_ui_url: "https://releases.hashicorp.com/consul/{{ consul_version }}/consul_{{ consul_version }}_web_ui.zip" +consul_ui_pkg: "{{ consul_version }}_web_ui.zip" +consul_ui_sha256: "5f8841b51e0e3e2eb1f1dc66a47310ae42b0448e77df14c83bb49e0e0d5fa4b7" diff --git a/examples/README_VAGRANT.md b/examples/README_VAGRANT.md index d2d95eb3..3a09498d 100644 --- a/examples/README_VAGRANT.md +++ b/examples/README_VAGRANT.md @@ -108,9 +108,9 @@ BOX_NAME="chef/centos-7.0" vagrant up 4. If you notice an error like *vm: The '' provisioner could not be found.* make sure you have vagrant-hosts plugin installed -### DNSMasq Forwarding +### Dnsmasq Forwarding -The role includes support for DNS forwarding with dnsmasq. +The role includes support for DNS forwarding with Dnsmasq. Install like this: diff --git a/examples/Vagrantfile b/examples/Vagrantfile index 2fcaa9e1..53cc75df 100644 --- a/examples/Vagrantfile +++ b/examples/Vagrantfile @@ -77,7 +77,7 @@ Vagrant.configure(VAGRANTFILE_API_VERSION) do |config| ansible.inventory_path = CLUSTER_HOSTS # Extra Ansible variables can be defined here ansible.extra_vars = { - consul_dnsmasq: DNSMASQ, + consul_dnsmasq_enable: DNSMASQ, consul_log_level: LOGLEVEL } ansible.playbook = ANSIBLE_PLAYBOOK diff --git a/tasks/RedHat.yml b/tasks/RedHat.yml index e69fd12f..b11e7e31 100644 --- a/tasks/RedHat.yml +++ b/tasks/RedHat.yml 
@@ -6,11 +6,6 @@ with_items: "{{ consul_redhat_os_packages }}" tags: installation -- name: dnsmasq package - yum: name=dnsmasq state=present - when: "consul_dnsmasq == true" - tags: installation - - name: Download Consul become: no connection: local diff --git a/tasks/Ubuntu.yml b/tasks/Ubuntu.yml index c3bb9f67..e7805a16 100644 --- a/tasks/Ubuntu.yml +++ b/tasks/Ubuntu.yml @@ -6,11 +6,6 @@ with_items: "{{ consul_ubuntu_os_packages }}" tags: installation -- name: dnsmasq package - apt: name=dnsmasq state=present - when: "consul_dnsmasq == true" - tags: installation - - name: Download Consul become: no connection: local diff --git a/tasks/dnsmasq.yml b/tasks/dnsmasq.yml index c908114a..2bb480c9 100644 --- a/tasks/dnsmasq.yml +++ b/tasks/dnsmasq.yml @@ -1,19 +1,19 @@ --- # File: tasks/main.yml - dnsmasq tasks for Consul -- name: dnsmasq package +- name: Dnsmasq package yum: name=dnsmasq state=present when: ansible_distribution == "CentOS" or ansible_distribution == "RedHat" tags: dnsmasq,installation -- name: dnsmasq package +- name: Dnsmasq package apt: name=dnsmasq state=present when: ansible_distribution == "Debian" or ansible_distribution == "Ubuntu" tags: dnsmasq,installation -- name: Stop dnsmasq +- name: Stop Dnsmasq service: name=dnsmasq state=stopped -- name: "dnsmasq setup" +- name: "Dnsmasq setup" copy: src=../files/dnsmasq-10-consul dest=/etc/dnsmasq.d/10-consul owner=root group=root mode=0644 tags: dnsmasq diff --git a/tasks/main.yml b/tasks/main.yml index 51cfb29d..11c8274d 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
@@ -12,12 +12,12 @@
 when: ansible_lsb.id|lower == "debian" and ansible_distribution_version|version_compare(8.5, '<')
 
 - name: Create cluster groupings
- group_by: key={{ consul_node_role }}
+ group_by: "key={{ consul_node_role }}"
 
-- group_by: key=os_{{ ansible_os_family }}
+- group_by: "key=os_{{ ansible_os_family }}"
 
 - name: "Add Consul user"
- user: name=consul comment="Consul user" uid=1042 group=bin
+ user: "name=consul comment='Consul user' uid=1042 group=bin"
 
 - name: "CentOS tasks"
 include: CentOS.yml
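Review bot: The requoted `user:` line still packs module arguments into a `key=value` string, which is why `comment="Consul user"` had to become `comment='Consul user'`; the native mapping form avoids the nested quoting entirely and would suit the `group_by` lines in this hunk and the other tasks in this file as well. The `- name: "CentOS tasks"` stanza continues past the end of the hunk.
```yaml
- name: "Add Consul user"
  user:
    name: consul
    comment: "Consul user"
    uid: 1042
    group: bin
```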
@@ -35,43 +35,46 @@
 include: Ubuntu.yml
 when: ansible_distribution == "Ubuntu"
 
-- name: Generate Consul key
- shell: PATH=/usr/local/bin:$PATH consul keygen
+- name: Generate gossip encryption key
+ shell: "PATH=/usr/local/bin:$PATH consul keygen"
 register: consul_raw_key
 run_once: true
 
-- name: Consul directory
- file: "dest=/opt/consul state=directory owner={{ consul_user }} group={{ consul_group}}"
-
-- name: Consul data directory
- file: "dest=/var/consul state=directory owner={{ consul_user }} group={{ consul_group}}"
-
-- name: Consul log directory
- file: "dest=/var/log/consul state=directory owner={{ consul_user }} group={{ consul_group}}"
-
-- name: Consul PID directory
- file: "dest=/var/run/consul state=directory owner={{ consul_user }} group={{ consul_group}}"
-
-- name: Consul dot d directory
- file: "dest=/etc/consul.d state=directory owner={{ consul_user }} group={{ consul_group}}"
-
-- name: Consul bootstrap directory
- file: "dest=/etc/consul.d/bootstrap state=directory owner={{ consul_user }} group={{ consul_group}}"
-
-- name: Consul server directory
- file: "dest=/etc/consul.d/server state=directory owner={{ consul_user }} group={{ consul_group}}"
-
-- name: Consul client directory
- file: "dest=/etc/consul.d/client state=directory owner={{ consul_user }} group={{ consul_group}}"
-
-- name: Consul bootstrap configuration
- template: src=server_bootstrap_config.json.j2 dest={{ consul_config_path }}/bootstrap/config.json
+- name: Directories
+ file: "dest={{ item }} state=directory owner={{ consul_user }} group={{ consul_group}}"
+ with_items:
+ - /opt/consul
+ - /var/consul
+ - /var/log/consul
+ - /var/run/consul
+ - /etc/consul.d
+ - /etc/consul.d/bootstrap
+ - /etc/consul.d/client
+ - /etc/consul.d/server
+
+- name: Bootstrap configuration
+ template: "src=server_bootstrap_config.json.j2 dest={{ consul_config_path }}/bootstrap/config.json"
+
+- name: Client configuration
+ template: src=client_config.json.j2 dest={{ consul_config_path
}}/client/config.json
 
-- name: Consul server configuration
+- name: Server configuration
 template: src=server_config.json.j2 dest={{ consul_config_path }}/server/config.json
 
-- name: Consul client configuration
- template: src=client_config.json.j2 dest={{ consul_config_path }}/client/config.json
+- name: ACL bootstrap configuration
+ template: src=config_acl.json.j2 dest={{ consul_config_path }}/{{ item }}/config_acl.json
+ with_items:
+ - bootstrap
+ - client
+ - server
+ when: consul_acl_enable == "true"
+
+- name: Atlas configuration
+ template: src=config_atlas.json.j2 dest={{ consul_config_path }}/{{ item }}/config_atlas.json
+ with_items:
+ - bootstrap
+ - server
+ when: consul_atlas_enable == "true"
 
 - name: SYSV init script
 template: src=consul_sysvinit.j2 dest=/etc/init.d/consul owner=root group=root mode=755
@@ -88,7 +91,7 @@
 - name: Start Consul
 service: name=consul state=started enabled=yes
 
-- name: Consul running?
+- name: Consul up?
 wait_for: delay=5 path=/var/run/consul/consul.pid state=present
 
 - name: Stop Consul
@@ -110,10 +113,10 @@
 - name: Start Consul
 service: name=consul state=started
 
-- name: "Enable dnsmasq"
+- name: "Enable Dnsmasq"
 include: ../tasks/dnsmasq.yml
- when: consul_dnsmasq == "true"
+ when: consul_dnsmasq_enable == "true"
 
-- name: "Restart dnsmasq"
+- name: "Restart Dnsmasq"
 service: name=dnsmasq state=restarted
- when: consul_dnsmasq == "true"
+ when: consul_dnsmasq_enable == "true"
diff --git a/templates/config_acl.json.j2 b/templates/config_acl.json.j2
new file mode 100644
index 00000000..60717212
--- /dev/null
+++ b/templates/config_acl.json.j2
@@ -0,0 +1,7 @@
+{
+ "acl_datacenter": "{{ consul_acl_datacenter }}",
+ "acl_default_policy": "{{ consul_acl_default_policy }}",
+ "acl_down_policy": "{{ consul_acl_down_policy }}",
+ "acl_master_token": "{{ consul_acl_master_token }}",
+ "acl_replication_token": "{{ consul_acl_replication_token }}"
+}
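Review bot: The `Atlas configuration` task added at the end of this hunk points at `src=config_atlas.json.j2`, but the template this commit creates is `templates/config_atlas.json` (no `.j2`), so the task fails with a missing-template error as soon as `consul_atlas_enable` is "true"; either rename the file or use `src=config_atlas.json`. The `ACL bootstrap configuration` task also renders `acl_master_token` into the `client` directory, where a client agent has no use for it, and both new template tasks leave owner and mode at the module defaults, so a file holding the master and replication tokens is typically created root-owned and world-readable; consider `template: src=config_acl.json.j2 dest={{ consul_config_path }}/{{ item }}/config_acl.json owner={{ consul_user }} group={{ consul_group }} mode=0640` and dropping `client` from that `with_items`. The templates/config_atlas.json hunk further down carries the same file-name mismatch.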
diff --git a/templates/config_atlas.json b/templates/config_atlas.json
new file mode 100644
index 00000000..f8aba38f
--- /dev/null
+++ b/templates/config_atlas.json
@@ -0,0 +1,4 @@
+{
+ "atlas_token": "{{ consul_atlas_token }}",
+ "atlas_infratstructure": "{{ consul_atlas_infrastructure }}"
+}
diff --git a/version.txt b/version.txt
index d90bd18e..18fa8e74 100644
--- a/version.txt
+++ b/version.txt
@@ -1 +1 @@
-v1.2.16
+v1.3.0
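Review bot: The key `atlas_infratstructure` on the third line of the added template is misspelled; Consul's option is `atlas_infrastructure`, so the value of `consul_atlas_infrastructure` is unlikely to be honoured by the agent, and the line should read `"atlas_infrastructure": "{{ consul_atlas_infrastructure }}"`. The file is also added without the `.j2` suffix that the `Atlas configuration` task in tasks/main.yml expects, as noted on that hunk.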