First commit

This commit is contained in:
Andrea Dell'Amico 2020-09-30 17:14:29 +02:00
parent 0e448a95bf
commit 953f282f1b
9 changed files with 256 additions and 69 deletions


@ -1,31 +1,20 @@
Role Name
=========
A brief description of the role goes here.
Requirements
------------
Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
A role that configures a docker swarm cluster, adding portainer CE and haproxy
Role Variables
--------------
A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
The most important variables are listed below:
``` yaml
```
Dependencies
------------
A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
Example Playbook
----------------
Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
- hosts: servers
roles:
- { role: username.rolename, x: 42 }
docker
License
-------
@ -35,4 +24,4 @@ EUPL-1.2
Author Information
------------------
An optional section for the role authors to include contact information, or a website (HTML is not allowed).
Andrea Dell'Amico, <andrea.dellamico@isti.cnr.it>


@ -1,2 +1,22 @@
---
# defaults file for ansible-role-template
docker_swarm_cluster_haproxy_install: True
# mesh, keepalive, global
docker_swarm_haproxy_installation_type: 'keepalive'
docker_swarm_haproxy_networks:
- '{{ docker_swarm_portainer_network }}'
#
docker_swarm_expose_api_via_haproxy: True
docker_swarm_expose_api_hostname: 'swarm.example.com'
# Portainer
docker_swarm_cluster_portainer_install: True
docker_swarm_portainer_hostname: 'portainer-swarm.example.com'
docker_swarm_portainer_additional_constraints: []
# - 'node.hostname != docker01'
docker_swarm_portainer_network: 'agent_network'
docker_swarm_portainer_http_port: '9000'
docker_swarm_portainer_service_port: '8000'
docker_swarm_haproxy_additional_services: []
# - { acl_name: 'service', acl_rule: 'hdr_dom(host) -i service.example.com', service_name: 'service-', service_replica_num: '1', service_port: '9999', service_overlay_network: 'service-network' }
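Review bot: `docker_swarm_expose_api_via_haproxy: True` turns the swarm-API passthrough on by default, and in templates/haproxy.cfg.j2 the matching `swarm_api_bck` forwards to `127.0.0.1:{{ docker_api_port }}` selected by nothing but a Host-header ACL, with no client authentication or source restriction in front of it; a reachable Docker API is equivalent to root on the manager, so I would default this to `false` and document that enabling it requires an extra access control (client certificates or a source ACL) on that frontend. The booleans in this file are written `True`; yamllint's `truthy` rule and Ansible convention want lowercase, e.g. `docker_swarm_cluster_haproxy_install: true`. The header `# defaults file for ansible-role-template` (and the same stale header in handlers/main.yml and tasks/main.yml) still names the template the role was generated from; `# defaults file for the docker swarm cluster role` would match the README.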


@ -1,2 +1,3 @@
---
# handlers file for ansible-role-template
- name: Reload the HAPROXY configuration
shell: docker kill --signal USR2 $(docker container ls --filter name=haproxy --quiet)
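Review bot: The handler pipes the output of `docker container ls --filter name=haproxy --quiet` straight into `docker kill`, so when nothing matches (haproxy not running yet, or the handler fired on a node without it) the command degrades to `docker kill --signal USR2` with no argument and the handler fails the play; `name=haproxy` is also a substring match, so any other container whose name contains it gets the signal too. Guarding the empty case keeps the reload best-effort: `shell: 'ids=$(docker container ls --filter name=haproxy --quiet); if [ -n "$ids" ]; then docker kill --signal USR2 $ids; fi'`. A one-line comment above the task saying that USR2 asks the master-worker haproxy to reload its config (the template enables `master-worker`) would explain the choice of signal to the next reader.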


@ -1,61 +1,34 @@
galaxy_info:
author: your name
description: your description
author: Andrea Dell'Amico
description: Systems Architect
company: ISTI-CNR
# If the issue tracker for your role is not on github, uncomment the
# next line and provide a value
issue_tracker_url: https://redmine-s2i2s.isti.cnr.it/projects/provisioning
# Some suggested licenses:
# - BSD (default)
# - MIT
# - GPLv2
# - GPLv3
# - Apache
# - CC-BY
license: EUPL-1.2
license: EUPL 1.2+
min_ansible_version: 2.8
# If this a Container Enabled role, provide the minimum Ansible Container version.
# min_ansible_container_version:
# Optionally specify the branch Galaxy will use when accessing the GitHub
# repo for this role. During role install, if no tags are available,
# Galaxy will use this branch. During import Galaxy will access files on
# this branch. If Travis integration is configured, only notifications for this
# branch will be accepted. Otherwise, in all cases, the repo's default branch
# (usually master) will be used.
#github_branch:
#
# Provide a list of supported platforms, and for each platform a list of versions.
# If you don't wish to enumerate all versions for a particular platform, use 'all'.
# To view available platforms and versions (or releases), visit:
# https://galaxy.ansible.com/api/v1/platforms/
#
# platforms:
# - name: Fedora
# versions:
# - all
# - 25
# - name: SomePlatform
# versions:
# - all
# - 1.0
# - 7
# - 99.99
platforms:
- name: Ubuntu
versions:
- bionic
galaxy_tags: []
# List tags for your role here, one per line. A tag is a keyword that describes
# and categorizes the role. Users find roles by searching for tags. Be sure to
# remove the '[]' above, if you add tags to this list.
#
# NOTE: A tag is limited to a single word comprised of alphanumeric characters.
# Maximum 20 tags per role.
dependencies: []
# List your role dependencies here, one per line. Be sure to remove the '[]' above,
# if you add dependencies to this list.
galaxy_tags:
- docker
- docker-swarm
- containers
dependencies:
- src: git+https://gitea-s2i2s.isti.cnr.it/ISTI-ansible-roles/ansible-role-docker.git
version: master
name: docker
state: latest
- src: git+https://gitea-s2i2s.isti.cnr.it/ISTI-ansible-roles/ansible-role-haproxy.git
version: master
name: haproxy
state: latest
when: docker_swarm_cluster_haproxy_install
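Review bot: Both dependencies are fetched from `git+https://…` at `version: master` with `state: latest`, so every install pulls whatever the branch holds at that moment and a later push to either repository silently changes what this role deploys; pinning `version:` to a tag or commit (e.g. `version: "<tag-or-sha>"`) makes the role reproducible and lets a dependency change be reviewed before it is taken. `min_ansible_version: 2.8` is parsed as a float, which is harmless for 2.8 but turns a future `2.10` into `2.1`; quoting it (`min_ansible_version: "2.8"`) avoids the trap. Since the haproxy dependency is conditional on `docker_swarm_cluster_haproxy_install`, a short comment above it noting that the variable is set in defaults/main.yml would help readers who only see this file.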

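--- /dev/null
+++ b/tasks/haproxy_conf.yml
@@ -0,0 +1,12 @@
+---
+- name: Manage the haproxy configuration
+block:
+- name: Create the haproxy configuration directory
+file: dest=/etc/haproxy state=directory owner=root group=root mode='0755'
+- name: Install the haproxy configuration
+template: src=haproxy.cfg.j2 dest=/etc/haproxy/haproxy.cfg owner=root group=root mode='0444'
+notify: Reload the HAPROXY configuration
+when: docker_swarm_manager_main_node
+tags: [ 'haproxy', 'docker_haproxy', 'docker_swarm', 'docker', 'haproxy_conf' ]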
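Review bot: The rendered `/etc/haproxy/haproxy.cfg` is installed with `mode='0444'`, but the template embeds `stats auth admin:{{ haproxy_admin_pwd }}`, so the stats admin password becomes readable by every local account on the manager; `mode='0640'` with `group` set to whatever identity the haproxy process reads the file as (the container's haproxy uid if the directory is bind-mounted into it — how the file reaches the container is not visible in this commit) keeps it private. Both this file and tasks/portainer.yml pass module arguments as `key=value` strings and write `run_once: True`; Ansible style is native block arguments (`file:` with `dest:`, `state:`, `owner:`, `group:`, `mode: "0755"` on their own lines) and lowercase `true`, which also keeps the octal mode a string without relying on the quotes inside the k=v form.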


@ -1,2 +1,5 @@
---
# tasks file for ansible-role-template
- import_tasks: haproxy_conf.yml
when: docker_swarm_cluster_haproxy_install
- import_tasks: portainer.yml
when: docker_swarm_cluster_portainer_install

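--- /dev/null
+++ b/tasks/portainer.yml
@@ -0,0 +1,16 @@
+---
+- name: Manage the installation of portainer as a stack
+block:
+- name: Install the portainer docker stack configuration
+template: src=portainer-agent-stack.yml.j2 dest=/srv/portainer-agent-stack.yml owner=root group=root mode='0444'
+- name: Run the docker stack to start portainer
+docker_stack:
+state: present
+name: portainer
+compose:
+- /srv/portainer-agent-stack.yml
+run_once: True
+when: docker_swarm_manager_main_node
+tags: [ 'portainer', 'docker_portainer', 'docker_swarm', 'docker' ]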

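--- /dev/null
+++ b/templates/haproxy.cfg.j2
@@ -0,0 +1,116 @@
+#
+# https://www.haproxy.com/blog/haproxy-on-docker-swarm-load-balancing-and-dns-service-discovery/
+#
+global
+log fd@2 local2
+chroot /var/lib/haproxy
+pidfile /var/run/haproxy.pid
+maxconn {{ haproxy_maxconns }}
+user haproxy
+group haproxy
+stats socket /var/lib/haproxy/stats expose-fd listeners
+master-worker
+ca-base /etc/ssl/certs
+crt-base /etc/ssl/private
+# https://ssl-config.mozilla.org/#server=haproxy&version=2.2&config=intermediate&openssl=1.1.1d&guideline=5.6 tune.ssl.default-dh-param 2048
+ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
+ssl-default-bind-options prefer-client-ciphers no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
+ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+ssl-default-server-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
+ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
+resolvers docker
+nameserver dns1 127.0.0.11:53
+resolve_retries 3
+timeout resolve 1s
+timeout retry 1s
+hold other 10s
+hold refused 10s
+hold nx 10s
+hold timeout 10s
+hold valid 10s
+hold obsolete 10s
+defaults
+timeout connect 10s
+timeout client 30s
+timeout server 30s
+log global
+mode http
+option httplog
+monitor-uri /_haproxy_health_check
+option http-keep-alive
+timeout http-keep-alive {{ haproxy_global_keepalive_timeout }}
+timeout connect {{ haproxy_connect_timeout }}
+timeout client {{ haproxy_client_timeout }}
+timeout server {{ haproxy_server_timeout }}
+timeout check {{ haproxy_check_timeout }}
+timeout http-request 10s # slowloris protection
+default-server inter 3s fall 2 rise 2 slowstart 60s
+# Needed to preserve the stick tables
+peers mypeers
+peer local_haproxy 127.0.0.1:1024
+listen stats
+bind 0.0.0.0:{{ haproxy_admin_port }} ssl crt {{ haproxy_cert_dir }} alpn h2,http/1.1
+stats enable
+stats uri /
+stats realm HAProxy\ Statistics
+stats auth admin:{{ haproxy_admin_pwd }}
+stats refresh 15s
+stats show-legends
+stats show-node
+listen local_stats
+bind 127.0.0.1:8881
+stats enable
+stats uri /
+stats realm HAProxy\ Statistics
+frontend http
+bind *:{{ https_port }} ssl crt {{ haproxy_cert_dir }} alpn h2,http/1.1
+bind *:{{ haproxy_default_port }}
+http-request add-header X-Forwarded-Proto https
+redirect scheme https code 301 if !{ ssl_fc }
+# HSTS (63072000 seconds)
+http-response set-header Strict-Transport-Security max-age=63072000
+{% if docker_swarm_cluster_portainer_install %}
+acl portainer_srv hdr_dom(host) -i {{ docker_swarm_portainer_hostname }}
+use_backend portainer_bck if portainer_srv
+{% endif %}
+{% if docker_swarm_expose_api_via_haproxy %}
+acl swarm_api hdr_dom(host) -i {{ docker_swarm_expose_api_hostname }}
+use_backend swarm_api_bck if swarm_api
+{% endif %}
+{% for srv in docker_swarm_haproxy_additional_services %}
+acl {{ srv.acl_name }} {{ srv.acl_rule }}
+use_backend {{ srv.acl_name }}_bck if {{ srv.acl_name }}
+{% endfor %}
+#
+# Backends
+#
+{% if docker_swarm_expose_api_via_haproxy %}
+# swarm API
+backend swarm_api_bck
+balance roundrobin
+server swarm 127.0.0.1:{{ docker_api_port }}
+{% endif %}
+{% if docker_swarm_cluster_portainer_install %}
+backend portainer_bck
+option httpchk GET / HTTP/1.1\r\nHost:\ localhost
+http-check expect rstatus (2|3)[0-9][0-9]
+balance roundrobin
+server-template portainer- 1 portainer:{{ docker_swarm_portainer_http_port }} check resolvers docker init-addr libc,none
+{% endif %}
+{% for srv in docker_swarm_haproxy_additional_services %}
+option httpchk GET / HTTP/1.1\r\nHost:\ localhost
+http-check expect rstatus (2|3)[0-9][0-9]
+balance roundrobin
+server-template {{ srv.service }}- {{ srv.service_replica_num }} {{ srv.service }}:{{ srv.service_port }} check resolvers docker init-addr libc,none
+{% endfor %}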
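Review bot: The additional-services loop at the end of the file never opens a backend section: each iteration emits `option httpchk`, `http-check`, `balance` and `server-template` lines but no `backend {{ srv.acl_name }}_bck` header, so the frontend's `use_backend {{ srv.acl_name }}_bck` names a backend that is never defined and the loop's lines are appended to whichever section was rendered last (portainer_bck, swarm_api_bck or the frontend), which haproxy either rejects at config check or silently merges into that section. Adding `backend {{ srv.acl_name }}_bck` as the first line inside the second `{% for %}` fixes it; the loop also reads `srv.service`, while the commented example in defaults/main.yml supplies `service_name` and `service_overlay_network`, so one of the two needs to change before the documented example renders. If the line `# https://ssl-config.mozilla.org/… tune.ssl.default-dh-param 2048` is not just a rendering artefact of this page, the `tune.ssl.default-dh-param 2048` directive sits inside the comment and is never applied; it belongs on its own line under `global`. The public `listen stats` binds `0.0.0.0:{{ haproxy_admin_port }}` behind basic auth `admin:{{ haproxy_admin_pwd }}` with no source restriction, so an `acl` on the client address (or binding it to a management interface) would limit credential-guessing exposure.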


@ -0,0 +1,57 @@
version: '3.2'
services:
agent:
image: portainer/agent
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- /var/lib/docker/volumes:/var/lib/docker/volumes
networks:
- '{{ docker_swarm_portainer_network }}'
deploy:
mode: global
placement:
constraints: [node.platform.os == linux]
{% if docker_log_to_journal %}
log_driver: 'journald'
{% endif %}
portainer:
image: portainer/portainer-ce
command: -H tcp://tasks.agent:9001 --tlsskipverify
#ports:
# - "{{ docker_swarm_portainer_http_port }}:9000"
# - "{{ docker_swarm_portainer_service_port }}:8000"
expose:
- "9000"
- "8000"
volumes:
- portainer_data:/data
networks:
- '{{ docker_swarm_portainer_network }}'
deploy:
mode: replicated
replicas: 1
endpoint_mode: dnsrr
restart_policy:
condition: unless-stopped
delay: 5s
max_attempts: 3
window: 120s
placement:
constraints:
- 'node.role == manager'
{% for constraint in docker_swarm_portainer_additional_constraints %}
- '{{ constraint }}'
{% endfor %}
{% if docker_log_to_journal %}
log_driver: 'journald'
{% endif %}
networks:
'{{ docker_swarm_portainer_network }}':
driver: overlay
attachable: true
volumes:
portainer_data:
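Review bot: `restart_policy.condition: unless-stopped` under `deploy:` is a `docker run` restart policy, not a swarm one — as far as I know the stack converter accepts only `none`, `on-failure` and `any`, so `docker stack deploy` refuses this file; `condition: any` is the swarm equivalent. `log_driver: 'journald'` is the Compose v1 spelling; under `version: '3.2'` I believe the schema form is `logging:` with `driver: journald` nested beneath it, and the validator rejects unknown service keys, so this would fail whenever `docker_log_to_journal` is set. Both images are unpinned (`portainer/agent`, `portainer/portainer-ce` resolve to `latest`), so every redeploy may pull a different, unreviewed build; pinning a tag via a role variable (a new one, e.g. `image: "portainer/portainer-ce:{{ docker_swarm_portainer_version }}"` with the variable added to defaults/main.yml) keeps deployments reproducible. The commented-out `ports:` block and the `expose:` list could use a one-line comment explaining that the UI is reached only through haproxy on the overlay network, which is what the rest of the role implies.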