1---
2# .. vim: foldmarker=[[[,]]]:foldmethod=marker
3
4# .. _consul__ref_defaults:
5
6# debops.consul default variables
7# ===============================
8
9# .. contents:: Sections
10# :local:
11#
12# .. include:: ../../../../includes/global.rst
13
14# UNIX environment [[[
15# --------------------
16
17# .. envvar:: consul__user [[[
18#
19# The name of the UNIX system account used by the Consul service.
20consul__user: 'consul'
21
22 # ]]]
23# .. envvar:: consul__group [[[
24#
25# The name of the UNIX system group used by the Consul service.
26consul__group: 'consul'
27
28 # ]]]
29# .. envvar:: consul__additional_groups [[[
30#
31# List of additional UNIX groups to add to the Consul UNIX account, required for
32# access to additional resources.
33consul__additional_groups: []
34
35 # ]]]
36# .. envvar:: consul__home [[[
37#
38# The absolute path of the Consul UNIX account home directory.
39consul__home: '{{ (ansible_local.root.home
40 if (ansible_local|d() and ansible_local.root|d() and
41 ansible_local.root.home|d())
42 else "/var/local") + "/" + consul__user }}'
43
44 # ]]]
45# .. envvar:: consul__shell [[[
46#
47# The UNIX shell used by the Consul account.
48consul__shell: '/usr/sbin/nologin'
49
50 # ]]]
51# .. envvar:: consul__comment [[[
52#
53# The GECOS field set on the Consul UNIX account.
54consul__comment: 'Consul'
55 # ]]]
56 # ]]]
57# Go application deployment [[[
58# -----------------------------
59
60# These variables control how the :command:`consul` binary is installed on the
61# host. The installation is performed by the :ref:`debops.golang` role, refer
62# to its documentation for details. The installation definition can be found in
63# the :envvar:`consul__golang__dependent_packages` variable.
64
65# .. envvar:: consul__cluster_name [[[
66#
67# The cluster identifier. Change it when there are multiple :command:`consul`
68# clusters managed by the same inventory file (ex: test, prod, stage).
# This variable is used by the :ref:`debops.secret` role to store the
# encryption key in a separate directory per cluster.
71consul__cluster_name: 'default'
72
73 # ]]]
74# .. envvar:: consul__datacenter [[[
75#
# The datacenter identifier. Useful when you deploy a :command:`consul`
# cluster across multiple datacenters.
78consul__datacenter: 'dc1'
79
80 # ]]]
81# .. envvar:: consul__domain [[[
82#
# The DNS domain in which the role looks up the Consul servers via an
# external DNS server.
85consul__domain: '{{ ansible_local.core.domain
86 if (ansible_local|d() and ansible_local.core|d() and
87 ansible_local.core.domain|d())
88 else ansible_domain }}'
89
90 # ]]]
91# .. envvar:: consul__server_nodes_srv_rr [[[
92#
93# List which contains the result of the :command:`dig` query for consul
94# servers ``SRV`` resource records in the host's domain.
95# See :rfc:`6186` for details.
96consul__server_nodes_srv_rr: '{{ q("dig", "_consul._tcp."
97 + consul__domain + "./SRV", "flat=0") }}'
98 # ]]]
99# .. envvar:: consul__server_nodes [[[
100#
101# List of server nodes that will be part of the cluster
102consul__server_nodes: '{{ (consul__server_nodes_srv_rr | selectattr("target", "defined")
103 | map(attribute="target")
104 | map("regex_replace", "\.$","")
105 | list )
106 if ("NXDOMAIN" not in consul__server_nodes_srv_rr)
107 else [] }}'
108
109 # ]]]
110# .. envvar:: consul__service_ports [[[
111#
112# This variable is a YAML dictionary which defines all port numbers
113# used by :command:`consul`.
114# See https://www.consul.io/docs/install/ports.html
115consul__service_ports:
116 'consul.dns': 8600
117 'consul.http': 8500
118 'consul.https': -1
119 'consul.gRPC': -1
120 'consul.serf_lan': 8301
121 'consul.serf_wan': 8302
122 'consul.rpc': '{{ (consul__server_nodes_srv_rr | selectattr("target", "defined")
123 | map(attribute="port") | list | sort | first)
124 if ("NXDOMAIN" not in consul__server_nodes_srv_rr and
125 consul__server_nodes_srv_rr[0])
126 else 8300 }}'
127
128 # ]]]
129# .. envvar:: consul__upstream_enabled [[[
130#
# Whether Consul should be installed from upstream or from APT packages.
132consul__upstream_enabled: '{{ True
133 if (ansible_distribution_release in
134 [ "jessie", "stretch",
135 "xenial", "bionic" ])
136 else False }}'
137
138 # ]]]
139# .. envvar:: consul__upstream_version [[[
140#
141# The version that will be installed from upstream
142consul__upstream_version: '1.6.2'
143
144 # ]]]
145# .. envvar:: consul__upstream_gpg_key [[[
146#
147# The fingerprint of the GPG key which is used to sign the Consul releases. It
148# will be used to verify the downloaded signature file.
# Since :command:`git` tags are not signed, the key is not used for the
# :command:`git` installation method.
150consul__upstream_gpg_key: '91A6 E7F8 5D05 C656 30BE F189 5185 2D87 348F FC4C'
151
152 # ]]]
153# .. envvar:: consul__upstream_type [[[
154#
155# Specify the method which should be used to install Consul binary. Either
# ``url`` to download the configured binary directly and verify it using the
157# specified GPG key, or ``git`` to clone the Consul :command:`git` repository
158# and build the specified version from source.
159consul__upstream_type: 'url'
160
161 # ]]]
162# .. envvar:: consul__upstream_url_mirror [[[
163#
164# The base URL of the Consul download page, should end with the ``/`` character.
165consul__upstream_url_mirror: 'https://releases.hashicorp.com/consul/'
166
167 # ]]]
168# .. envvar:: consul__upstream_platform [[[
169#
170# Specify the OS type and platform architecture to use for installation. The
171# list of supported architectures and OS types can be found on the
172# https://www.consul.io/downloads.html page.
173consul__upstream_platform: 'linux_amd64'
174
175 # ]]]
176# .. envvar:: consul__upstream_git_repository [[[
177#
178# The URL of the upstream :command:`git` repository which contains Consul source
179# code.
180consul__upstream_git_repository: 'https://github.com/hashicorp/consul'
181
182 # ]]]
183# .. envvar:: consul__upstream_git_release [[[
184#
185# The version of Consul to build from source on a given host.
186consul__upstream_git_release: 'v1.6.2'
187
188 # ]]]
189# .. envvar:: consul__binary [[[
190#
191# Absolute path to the :command:`consul` Go binary installed on the host.
192# See the :ref:`debops.golang` role for more details.
193consul__binary: '{{ ansible_local.golang.binaries["consul"]
194 if (ansible_local|d() and ansible_local.golang|d() and
195 ansible_local.golang.binaries|d() and
196 ansible_local.golang.binaries.consul|d())
197 else "" }}'
198 # ]]]
199 # ]]]
200# Filesystem layout [[[
201# ---------------------
202
203# .. envvar:: consul__config_dir [[[
204#
205# The directory which contains Consul configuration files
206consul__config_dir: '/etc/consul.d/'
207
208 # ]]]
209# .. envvar:: consul__data_dir [[[
210#
211# The directory where consul will store state.
212# The directory should be durable across reboots.
213consul__data_dir: '/var/consul/'
214
215 # ]]]
216# .. envvar:: consul__run_dir [[[
217#
# The directory which holds the process identifier (PID) file.
219consul__run_dir: '/var/run/consul/'
220
221 # ]]]
222# .. envvar:: consul__log_dir [[[
223#
224# The directory where logs are saved
225consul__log_dir: '/var/log/consul/'
226
227 # ]]]
228 # ]]]
229# Transport Layer Security (TLS) support [[[
230# ------------------------------------------
231
# These variables are used to configure the `TLS support in MinIO`__.
# The :ref:`debops.pki` Ansible role is used to manage the private keys and
# X.509 certificates.
235#
236# .. __: https://docs.min.io/docs/how-to-secure-access-to-minio-server-with-tls.html
237
238# .. envvar:: minio__pki_enabled [[[
239#
# Enable or disable support for encrypted communication between MinIO instances
# via TLS. The support will be enabled if the :ref:`debops.pki` Ansible role is
# configured on a host.
243#minio__pki_enabled: '{{ ansible_local.pki.enabled
244# if (ansible_local|d() and ansible_local.pki|d() and
245# ansible_local.pki.enabled is defined)
246# else False }}'
247
248 # ]]]
249# .. envvar:: minio__pki_base_path [[[
250#
251# The absolute path to the directory which contains the PKI realm
252# subdirectories.
253#minio__pki_base_path: '{{ ansible_local.pki.base_path
254# if (ansible_local|d() and ansible_local.pki|d() and
255# ansible_local.pki.base_path|d())
256# else "/etc/pki/realms" }}'
257
258 # ]]]
259# .. envvar:: minio__pki_realm [[[
260#
261# Name of the PKI realm to use by the MinIO service.
262#minio__pki_realm: '{{ ansible_local.pki.realm
263# if (ansible_local|d() and ansible_local.pki|d() and
264# ansible_local.pki.realm|d())
265# else "domain" }}'
266
267 # ]]]
268# .. envvar:: minio__pki_key [[[
269#
270# The name of the file which contains the private key used by the X.509
271# certificate, relative to the PKI realm directory.
272#minio__pki_key: '{{ ansible_local.pki.key
273# if (ansible_local|d() and ansible_local.pki|d() and
274# ansible_local.pki.key|d())
275# else "default.key" }}'
276
277 # ]]]
278# .. envvar:: minio__pki_crt [[[
279#
280# The name of the file which contains the X.509 certificate chain used by
281# MinIO, relative to the PKI realm directory.
282#
283# MinIO requires a full X.509 chain with the intermediate CA and the Root
284# Certificate Authority included. Otherwise you will see the error message
285# "Unable to load the TLS configuration: Invalid TLS certificate".
286#minio__pki_crt: 'public/full.pem'
287
288 # ]]]
289# .. envvar:: minio__tls_certs_dir [[[
290#
291# Absolute path to the directory where the :ref:`debops.minio` role will create
292# symlinks to the private key and X.509 certificate chain used by MinIO for TLS
293# connections.
294#minio__tls_certs_dir: '{{ minio__home + "/.minio/certs" }}'
295
296 # ]]]
297# .. envvar:: minio__tls_private_key [[[
298#
299# Absolute path to the private key used by MinIO which will be symlinked as the
300# :file:`private.key` file inside of the :file:`certs/` directory.
301#minio__tls_private_key: '{{ minio__pki_base_path + "/" + minio__pki_realm + "/" + minio__pki_key }}'
302
303 # ]]]
304# .. envvar:: minio__tls_public_crt [[[
305#
306# Absolute path to the X.509 certificate chain used by MinIO which will be
307# symlinked as the :file:`public.crt` file inside of the :file:`certs/`
308# directory.
309#minio__tls_public_crt: '{{ minio__pki_base_path + "/" + minio__pki_realm + "/" + minio__pki_crt }}'
310 # ]]]
311 # ]]]
312# Consul configuration files [[[
313# ------------------------------
314
315# These variables define the contents of the :command:`consul` configuration
316# files located in the :file:`/etc/consul.d/` directory.
317
318# .. envvar:: consul__default_configuration [[[
319#
320# The configuration defined by the role by default.
321# See https://www.consul.io/docs/agent/options.html
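consul__default_configuration:

  # Options applied to every agent, regardless of server or client mode.
  - name: 'common'
    config:
      # Per-interface bind addresses of the client-facing APIs; all of them
      # stay on loopback unless overridden by a more specific entry.
      addresses:
        dns: 127.0.0.1
        grpc: 127.0.0.1
        http: 127.0.0.1
        https: 127.0.0.1
      # advertise_addr: '{{ hostvars[inventory_hostname]["ansible_eth1"]["ipv4"]["address"] }}'
      # advertise_addr: '{{ "{{" }} getPrivateIP {{ "}}" }}'
      alt_domain: '{{ consul__domain }}'
      # bind_addr: '{{ hostvars[inventory_hostname]["ansible_eth1"]["ipv4"]["address"] }}'
      # The braces are escaped so that Jinja emits a literal '{{ getPrivateIP }}'
      # go-sockaddr template, which Consul itself resolves at agent start.
      bind_addr: '{{ "{{" }} getPrivateIP {{ "}}" }}'
      # Default address of the client interfaces (DNS, HTTP, HTTPS, gRPC). No
      # ACL configuration is defined in this file, so binding to loopback is
      # what keeps the API from being reachable over the network.
      client_addr: 127.0.0.1
      data_dir: '{{ consul__data_dir }}'
      datacenter: '{{ consul__datacenter }}'
      disable_update_check: false
      # Script checks let anyone who can register a service or check through
      # the HTTP API have the agent execute commands; keep both variants
      # disabled unless the API is restricted and the checks are really needed.
      enable_local_script_checks: false
      enable_script_checks: false
      # Gossip (Serf) encryption key. 'consul__raw_key' is not defined in this
      # file; presumably it is looked up through the debops.secret directory
      # listed in 'consul__secret__directories' — verify against the tasks.
      encrypt: '{{ consul__raw_key }}'
      performance:
        leave_drain_time: '5s'
        raft_multiplier: 1
        rpc_hold_timeout: '7s'
      # All ports come from 'consul__service_ports'; a value of -1 disables
      # the corresponding listener (HTTPS and gRPC by default).
      ports:
        dns: '{{ consul__service_ports["consul.dns"] | int }}'
        grpc: '{{ consul__service_ports["consul.gRPC"] | int }}'
        http: '{{ consul__service_ports["consul.http"] | int }}'
        https: '{{ consul__service_ports["consul.https"] | int }}'
        serf_lan: '{{ consul__service_ports["consul.serf_lan"] | int }}'
        serf_wan: '{{ consul__service_ports["consul.serf_wan"] | int }}'
        server: '{{ consul__service_ports["consul.rpc"] | int }}'
      raft_protocol: 3
      retry_interval: '30s'
      retry_interval_wan: '30s'
      # Server addresses discovered via the SRV lookup in 'consul__server_nodes'.
      retry_join: '{{ consul__server_nodes }}'
      retry_max: 0
      retry_max_wan: 0
      # Hosts in the 'debops_service_consul_server' inventory group run in
      # server mode, all other hosts run as clients.
      server: '{{ True if ("debops_service_consul_server" in group_names) else False }}'
      ui: true

  # Manual bootstrap mode; this file is only written when 'consul__bootstrap'
  # is true.
  - name: 'bootstrap'
    state: '{{ "present" if consul__bootstrap|d(False) else "absent" }}'
    config:
      bootstrap: '{{ consul__bootstrap|d(False) }}'

  # Otherwise wait for the expected number of server nodes before the cluster
  # elects a leader.
  - name: 'bootstrap_expect'
    state: '{{ "present" if not consul__bootstrap|d(False) else "absent" }}'
    config:
      bootstrap_expect: 3

  - name: 'logs'
    config:
      # Derived from 'consul__log_dir' (which ends with '/') instead of a
      # hard-coded path, so overriding the log directory also moves the file.
      log_file: '{{ consul__log_dir + "consul.log" }}'
      log_level: 'INFO'
      log_rotate_bytes: 0
      log_rotate_duration: '24h'
      log_rotate_max_files: 0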
381
382 # ]]]
383# .. envvar:: consul__configuration [[[
384#
385# The configuration which should be present on all hosts in the Ansible
386# inventory.
387consul__configuration: []
388
389 # ]]]
390# .. envvar:: consul__group_configuration [[[
391#
392# The configuration which should be present on hosts in a specific Ansible
393# inventory group.
394consul__group_configuration: []
395
396 # ]]]
397# .. envvar:: consul__host_configuration [[[
398#
399# The configuration which should be present on specific hosts in the Ansible
400# inventory.
401consul__host_configuration: []
402
403 # ]]]
404# .. envvar:: consul__combined_configuration [[[
405#
406# The variable which combines all of the other configuration variables and is
407# used in the Ansible tasks.
408consul__combined_configuration: '{{ consul__default_configuration
409 + consul__configuration
410 + consul__group_configuration
411 + consul__host_configuration }}'
412 # ]]]
413 # ]]]
414# Configuration for other Ansible roles [[[
415# -----------------------------------------
416
417# .. envvar:: consul__golang__dependent_packages [[[
418#
419# Configuration for the :ref:`debops.golang` Ansible role.
consul__golang__dependent_packages:

  - name: 'consul'
    # Distribution package used when 'consul__upstream_enabled' is false.
    apt_packages: consul
    apt_required_packages: 'unzip'
    upstream: '{{ consul__upstream_enabled }}'
    upstream_type: '{{ consul__upstream_type }}'
    # Fingerprint of the key expected to have signed the SHA256SUMS file.
    gpg: '{{ consul__upstream_gpg_key }}'
    url:

      # The release archive; its checksum is taken from the SHA256SUMS file
      # published on the mirror, so an archive that does not match the
      # published digest should be rejected at download time.
      - src: '{{ consul__upstream_url_mirror + consul__upstream_version + "/"
                 + "consul_" + consul__upstream_version + "_" + consul__upstream_platform + ".zip" }}'
        dest: '{{ "releases/" + consul__upstream_platform + "/consul/"
                  + consul__upstream_version + "/consul_" + consul__upstream_version + ".zip" }}'
        unarchive_creates: '{{ "releases/" + consul__upstream_platform + "/consul/"
                               + consul__upstream_version + "/consul" }}'
        checksum: 'sha256:{{ consul__upstream_url_mirror + consul__upstream_version + "/"
                             + "consul_" + consul__upstream_version }}_SHA256SUMS'
        unarchive: True

      # The checksum list itself, kept next to the archive.
      - src: '{{ consul__upstream_url_mirror + consul__upstream_version + "/"
                 + "consul_" + consul__upstream_version }}_SHA256SUMS'
        dest: '{{ "releases/" + consul__upstream_platform + "/consul/"
                  + consul__upstream_version + "/consul_" + consul__upstream_version + "_SHA256SUMS" }}'

      # Detached signature of the checksum list; 'gpg_verify' is what ties the
      # checksums (and through them the archive) to the key configured above.
      - src: '{{ consul__upstream_url_mirror + consul__upstream_version + "/"
                 + "consul_" + consul__upstream_version }}_SHA256SUMS.sig'
        dest: 'releases/{{ consul__upstream_platform }}/consul/{{ consul__upstream_version }}/consul_{{ consul__upstream_version }}_SHA256SUMS.sig'
        gpg_verify: True

    url_binaries:
      - src: '{{ "releases/" + consul__upstream_platform + "/consul/"
                 + consul__upstream_version + "/consul" }}'
        dest: 'consul'
        notify: 'Restart consul'
    # Alternative build from source, used when 'consul__upstream_type' is 'git'.
    # NOTE(review): the build script only runs 'make tools'; confirm that this
    # actually produces the 'bin/consul' binary referenced below.
    git:
      - repo: '{{ consul__upstream_git_repository }}'
        version: '{{ consul__upstream_git_release }}'
        build_script: |
          make tools
    git_binaries:
      - src: '{{ consul__upstream_git_repository.split("://")[1] + "/bin/consul" }}'
        dest: 'consul'
        notify: 'Restart consul'
464
465 # ]]]
466# .. envvar:: consul__secret__directories [[[
467#
468# Configuration for the :ref:`debops.secret` Ansible role
469consul__secret__directories:
470 - '{{ "consul/dependent_config/" + consul__cluster_name }}'
471
472 # ]]]
473# .. envvar:: consul__etc_services__dependent_list [[[
474#
475# Configuration for the :ref:`debops.etc_services` Ansible role
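consul__etc_services__dependent_list:
  - name: 'consul.dns'
    port: '{{ consul__service_ports["consul.dns"] }}'
    comment: 'DNS: The DNS server'

  - name: 'consul.http'
    port: '{{ consul__service_ports["consul.http"] }}'
    comment: 'HTTP: The HTTP API'

  # HTTPS and gRPC are disabled (-1) by default in 'consul__service_ports';
  # their entries are only registered when a positive port is configured.
  - name: 'consul.https'
    port: '{{ consul__service_ports["consul.https"] }}'
    comment: 'HTTPS: The HTTPs API'
    state: '{{ "present" if consul__service_ports["consul.https"] > 0 else "absent" }}'

  - name: 'consul.gRPC'
    port: '{{ consul__service_ports["consul.gRPC"] }}'
    comment: 'gRPC: The gRPC API'
    state: '{{ "present" if consul__service_ports["consul.gRPC"] > 0 else "absent" }}'

  - name: 'consul.serf_lan'
    port: '{{ consul__service_ports["consul.serf_lan"] }}'
    comment: 'LAN Serf: The Serf LAN port'

  # The key must match the one defined in 'consul__service_ports'
  # ('consul.serf_wan'); the former 'consul.wan-serf' key does not exist
  # there and would fail when the variable is templated.
  - name: 'consul.serf_wan'
    port: '{{ consul__service_ports["consul.serf_wan"] }}'
    comment: 'WAN Serf: The Serf WAN port'

  - name: 'consul.rpc'
    port: '{{ consul__service_ports["consul.rpc"] }}'
    comment: 'server: Server RPC address'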
506
507 # ]]]
508# .. envvar:: consul__ferm__dependent_rules [[[
509#
510# Configuration for the :ref:`debops.ferm` Ansible role
# TODO - Find a way to enable firewall rules for each port
512consul__ferm__dependent_rules: []
513
514 # ]]]
515 # ]]]