orchestration-tests/nomad/setup-cluster.yml

---
- name: Build Consul cluster
  hosts: consul_instances
  any_errors_fatal: true

  roles:
    - role: ansible-consul
      vars:
        consul_version: "1.11.3"
        consul_install_remotely: true
        consul_install_upgrade: true

        consul_node_role: server
        consul_bootstrap_expect: true

        consul_user: consul
        consul_manage_user: true
        consul_group: bin
        consul_manage_group: true

        consul_architecture_map:
          x86_64: amd64
          armhfv6: arm
          armv7l: arm

        # consul_tls_enable: true
        consul_connect_enabled: true
        consul_ports_grpc: 8502
        consul_client_address: "0.0.0.0"

        # Enable metrics
        consul_config_custom:
          telemetry:
            prometheus_retention_time: "2h"

      become: true


  tasks:
    - name: Start Consul
      systemd:
        state: started
        name: consul
      become: true

    - name: Add values
      block:
        - name: Install python-consul
          pip:
            name: python-consul
            extra_args: --index-url https://pypi.org/simple

        - name: Add a value to Consul
          consul_kv:
            host: "{{ inventory_hostname }}"
            key: ansible_test
            value: Hello from Ansible!

      delegate_to: localhost
      run_once: true

- name: Setup Vault cluster
  hosts: vault_instances

  roles:
    - name: ansible-vault
      vars:
        # Doesn't support multi-arch installs
        vault_install_hashi_repo: true
        vault_bin_path: /usr/bin
        vault_harden_file_perms: true
        vault_address: 0.0.0.0

        vault_backend: consul
      become: true

  tasks:
    - name: Unseal vault
      command:
        argv:
          - "vault"
          - "operator"
          - "unseal"
          - "-address=http://127.0.0.1:8200/"
          - "{{ item }}"
      loop: "{{ vault_keys }}"
      no_log: true
      when: vault_keys is defined

# Not on Ubuntu 20.04
# - name: Install Podman
#   hosts: nomad_instances
#   become: true
#
#   tasks:
#     - name: Install Podman
#       package:
#         name: podman
#         state: present

- name: Build Nomad cluster
  hosts: nomad_instances
  any_errors_fatal: true
  become: true

  roles:
    - name: ansible-nomad
      vars:
        nomad_version: "1.2.6"
        nomad_install_remotely: true
        nomad_install_upgrade: true
        nomad_allow_purge_config: true

        nomad_user: root
        nomad_manage_user: true
        nomad_group: bin
        nomad_manage_group: true

        # Properly map install arch
        nomad_architecture_map:
          x86_64: amd64
          armhfv6: arm
          armv7l: arm

        nomad_encrypt_enable: true
        # nomad_use_consul: true

        # Metrics
        nomad_telemetry: true
        nomad_telemetry_prometheus_metrics: true
        nomad_telemetry_publish_allocation_metrics: true
        nomad_telemetry_publish_node_metrics: true

        # Enable container plugins
        nomad_cni_enable: true
        nomad_cni_version: 1.0.1
        nomad_docker_enable: true
        nomad_docker_dmsetup: false
        # nomad_podman_enable: true

        # Customize docker plugin
        nomad_plugins:
          docker:
            config:
              volumes:
                enabled: true
                selinuxlabel: "z"
              extra_labels:
                - "job_name"
                - "job_id"
                - "task_group_name"
                - "task_name"
                - "namespace"
                - "node_name"
                - "node_id"

        # Bind nomad
        nomad_bind_address: 0.0.0.0

        # Default interface for binding tasks
        # nomad_network_interface: lo

        # Create networks for binding task ports
        nomad_host_networks:
          # - name: public
          #   interface: eth0
          #   reserved_ports: "22"
          - name: nomad-bridge
            interface: nomad
            reserved_ports: "22"
          - name: loopback
            interface: lo
            reserved_ports: "22"

        # Enable ACLs
        nomad_acl_enabled: true

        # Enable vault integration
        nomad_vault_enabled: "{{ vault_token is defined }}"
        nomad_vault_token: "{{ vault_token | default('') }}"

        nomad_config_custom:
          ui:
            enabled: true
            consul:
              ui_url: "http://{{ ansible_hostname }}:8500/ui"
            vault:
              ui_url: "http://{{ ansible_hostname }}:8200/ui"
          consul:
            tags:
              - "traefik.enable=true"
              - "traefik.consulcatalog.connect=true"
              - "traefik.http.routers.nomadclient.entrypoints=websecure"

  tasks:
    - name: Start Nomad
      systemd:
        state: started
        name: nomad
Add some basic Nomad and k8s tests 2022-02-16 17:56:18 +00:00			`---`
			`- name: Build Consul cluster`
			`hosts: consul_instances`
			`any_errors_fatal: true`

			`roles:`
Update hosts improve bootstrap and move a few things around 2022-03-12 18:07:52 +00:00			`- role: ansible-consul`
			`vars:`
			`consul_version: "1.11.3"`
			`consul_install_remotely: true`
			`consul_install_upgrade: true`

			`consul_node_role: server`
			`consul_bootstrap_expect: true`

			`consul_user: consul`
			`consul_manage_user: true`
			`consul_group: bin`
			`consul_manage_group: true`

			`consul_architecture_map:`
			`x86_64: amd64`
			`armhfv6: arm`
			`armv7l: arm`

			`# consul_tls_enable: true`
			`consul_connect_enabled: true`
			`consul_ports_grpc: 8502`
			`consul_client_address: "0.0.0.0"`

			`# Enable metrics`
			`consul_config_custom:`
			`telemetry:`
			`prometheus_retention_time: "2h"`

			`become: true`
Lots of Nomad updates to support metrics 2022-03-03 17:37:49 +00:00

Update ansible to deploy nomad and consul to Pi host This is broken because the Pi doesn't have the right version of ip-tables 2022-02-27 22:49:00 +00:00			`tasks:`
			`- name: Start Consul`
			`systemd:`
			`state: started`
			`name: consul`
Update hosts improve bootstrap and move a few things around 2022-03-12 18:07:52 +00:00			`become: true`
Update ansible to deploy nomad and consul to Pi host This is broken because the Pi doesn't have the right version of ip-tables 2022-02-27 22:49:00 +00:00
			`- name: Add values`
			`block:`
Update hosts improve bootstrap and move a few things around 2022-03-12 18:07:52 +00:00			`- name: Install python-consul`
Update ansible to deploy nomad and consul to Pi host This is broken because the Pi doesn't have the right version of ip-tables 2022-02-27 22:49:00 +00:00			`pip:`
			`name: python-consul`
Update hosts improve bootstrap and move a few things around 2022-03-12 18:07:52 +00:00			`extra_args: --index-url https://pypi.org/simple`
Update ansible to deploy nomad and consul to Pi host This is broken because the Pi doesn't have the right version of ip-tables 2022-02-27 22:49:00 +00:00
			`- name: Add a value to Consul`
			`consul_kv:`
Update hosts improve bootstrap and move a few things around 2022-03-12 18:07:52 +00:00			`host: "{{ inventory_hostname }}"`
Update ansible to deploy nomad and consul to Pi host This is broken because the Pi doesn't have the right version of ip-tables 2022-02-27 22:49:00 +00:00			`key: ansible_test`
			`value: Hello from Ansible!`
Lots of Nomad updates to support metrics 2022-03-03 17:37:49 +00:00
Update hosts improve bootstrap and move a few things around 2022-03-12 18:07:52 +00:00			`delegate_to: localhost`
Update ansible to deploy nomad and consul to Pi host This is broken because the Pi doesn't have the right version of ip-tables 2022-02-27 22:49:00 +00:00			`run_once: true`
Add some basic Nomad and k8s tests 2022-02-16 17:56:18 +00:00
Add vault setup: Not secured 2022-03-15 18:57:00 +00:00			`- name: Setup Vault cluster`
			`hosts: vault_instances`

			`roles:`
			`- name: ansible-vault`
			`vars:`
			`# Doesn't support multi-arch installs`
			`vault_install_hashi_repo: true`
			`vault_bin_path: /usr/bin`
			`vault_harden_file_perms: true`
			`vault_address: 0.0.0.0`

			`vault_backend: consul`
			`become: true`

			`tasks:`
			`- name: Unseal vault`
			`command:`
			`argv:`
			`- "vault"`
			`- "operator"`
			`- "unseal"`
			`- "-address=http://127.0.0.1:8200/"`
			`- "{{ item }}"`
			`loop: "{{ vault_keys }}"`
Update bootstrap for acls 2022-03-22 03:13:13 +00:00			`no_log: true`
Add vault setup: Not secured 2022-03-15 18:57:00 +00:00			`when: vault_keys is defined`

Update hosts improve bootstrap and move a few things around 2022-03-12 18:07:52 +00:00			`# Not on Ubuntu 20.04`
			`# - name: Install Podman`
			`# hosts: nomad_instances`
			`# become: true`
			`#`
			`# tasks:`
			`# - name: Install Podman`
			`# package:`
			`# name: podman`
			`# state: present`

Update host networks and proxy mapping 2022-02-17 22:03:42 +00:00			`- name: Build Nomad cluster`
Add some basic Nomad and k8s tests 2022-02-16 17:56:18 +00:00			`hosts: nomad_instances`
			`any_errors_fatal: true`
			`become: true`

			`roles:`
			`- name: ansible-nomad`
Update hosts improve bootstrap and move a few things around 2022-03-12 18:07:52 +00:00			`vars:`
			`nomad_version: "1.2.6"`
			`nomad_install_remotely: true`
			`nomad_install_upgrade: true`
			`nomad_allow_purge_config: true`

			`nomad_user: root`
			`nomad_manage_user: true`
			`nomad_group: bin`
			`nomad_manage_group: true`

			`# Properly map install arch`
			`nomad_architecture_map:`
			`x86_64: amd64`
			`armhfv6: arm`
			`armv7l: arm`

			`nomad_encrypt_enable: true`
			`# nomad_use_consul: true`

			`# Metrics`
			`nomad_telemetry: true`
			`nomad_telemetry_prometheus_metrics: true`
			`nomad_telemetry_publish_allocation_metrics: true`
			`nomad_telemetry_publish_node_metrics: true`

			`# Enable container plugins`
			`nomad_cni_enable: true`
			`nomad_cni_version: 1.0.1`
			`nomad_docker_enable: true`
			`nomad_docker_dmsetup: false`
			`# nomad_podman_enable: true`

			`# Customize docker plugin`
			`nomad_plugins:`
			`docker:`
			`config:`
			`volumes:`
			`enabled: true`
			`selinuxlabel: "z"`
			`extra_labels:`
			`- "job_name"`
			`- "job_id"`
			`- "task_group_name"`
			`- "task_name"`
			`- "namespace"`
			`- "node_name"`
			`- "node_id"`

			`# Bind nomad`
			`nomad_bind_address: 0.0.0.0`

Change default bind address to loopback 2022-03-14 22:59:07 +00:00			`# Default interface for binding tasks`
Update bootstrap for acls 2022-03-22 03:13:13 +00:00			`# nomad_network_interface: lo`
Change default bind address to loopback 2022-03-14 22:59:07 +00:00
Update hosts improve bootstrap and move a few things around 2022-03-12 18:07:52 +00:00			`# Create networks for binding task ports`
			`nomad_host_networks:`
Update bootstrap for acls 2022-03-22 03:13:13 +00:00			`# - name: public`
			`# interface: eth0`
			`# reserved_ports: "22"`
Update hosts improve bootstrap and move a few things around 2022-03-12 18:07:52 +00:00			`- name: nomad-bridge`
			`interface: nomad`
			`reserved_ports: "22"`
			`- name: loopback`
			`interface: lo`
			`reserved_ports: "22"`

Update bootstrap for acls 2022-03-22 03:13:13 +00:00			`# Enable ACLs`
			`nomad_acl_enabled: true`

Add vault setup: Not secured 2022-03-15 18:57:00 +00:00			`# Enable vault integration`
Update bootstrap for acls 2022-03-22 03:13:13 +00:00			`nomad_vault_enabled: "{{ vault_token is defined }}"`
			`nomad_vault_token: "{{ vault_token \| default('') }}"`
Add vault setup: Not secured 2022-03-15 18:57:00 +00:00
Update hosts improve bootstrap and move a few things around 2022-03-12 18:07:52 +00:00			`nomad_config_custom:`
			`ui:`
			`enabled: true`
			`consul:`
			`ui_url: "http://{{ ansible_hostname }}:8500/ui"`
Add vault setup: Not secured 2022-03-15 18:57:00 +00:00			`vault:`
			`ui_url: "http://{{ ansible_hostname }}:8200/ui"`
Maybe dynamic nomad? 2022-03-15 19:23:37 +00:00			`consul:`
Update bootstrap for acls 2022-03-22 03:13:13 +00:00			`tags:`
Maybe dynamic nomad? 2022-03-15 19:23:37 +00:00			`- "traefik.enable=true"`
			`- "traefik.consulcatalog.connect=true"`
			`- "traefik.http.routers.nomadclient.entrypoints=websecure"`
Lots of Nomad updates to support metrics 2022-03-03 17:37:49 +00:00
Update ansible to deploy nomad and consul to Pi host This is broken because the Pi doesn't have the right version of ip-tables 2022-02-27 22:49:00 +00:00			`tasks:`
			`- name: Start Nomad`
			`systemd:`
			`state: started`
			`name: nomad`