From 5d3de3ece26313d76eeccf483d9f4496c19d5402 Mon Sep 17 00:00:00 2001 From: "Joshua M. Boniface" Date: Fri, 1 Sep 2023 15:42:21 -0400 Subject: [PATCH] Complete configuration of API via Ansible --- group_vars/default/pvc.yml | 22 ++++++++++------ roles/pvc/tasks/pvc/main.yml | 29 +++++++++++++++----- roles/pvc/templates/pvc/pvc-api.yaml.j2 | 35 ++++++++++++++++++++++--- 3 files changed, 69 insertions(+), 17 deletions(-) diff --git a/group_vars/default/pvc.yml b/group_vars/default/pvc.yml index d4c9877..ae2d27e 100644 --- a/group_vars/default/pvc.yml +++ b/group_vars/default/pvc.yml @@ -1,5 +1,5 @@ --- -# Logging +# Logging configuration pvc_log_to_file: True pvc_log_to_stdout: True pvc_log_keepalives: True @@ -7,18 +7,24 @@ pvc_log_keepalive_cluster_details: True pvc_log_keepalive_storage_details: True pvc_log_console_lines: 1000 -# Client API authentication configuration -# > If the key is left blank, the API will listen UNAUTHENTICATED on all IP addresses of the -# current primary node; use this with care and not in unsecured environments (e.g. if the -# upstream network is untrusted). -pvc_api_authentication_key: "" # Use pwgen to generate +# Client API configuration pvc_api_listen_address: "0.0.0.0" pvc_api_listen_port: "7370" +pvc_api_enable_authentication: False +pvc_api_secret_key: "" +pvc_api_tokens: + - description: "myuser" + token: "" +pvc_api_enable_ssl: False +pvc_api_ssl_cert: > + # A RAW CERTIFICATE FILE, installed to /etc/pvc/api-cert.pem +pvc_api_ssl_key: > + # A RAW KEY FILE, installed to /etc/pvc/api-key.pem -# Ceph storage +# Ceph storage configuration pvc_ceph_storage_secret_uuid: "" # Use uuidgen to generate -# Database configurations +# Database configuration pvc_dns_database_name: "pvcdns" pvc_dns_database_user: "pvcdns" pvc_dns_database_password: "" # Use pwgen to generate diff --git a/roles/pvc/tasks/pvc/main.yml b/roles/pvc/tasks/pvc/main.yml index e701f6e..10f3e7b 100644 --- a/roles/pvc/tasks/pvc/main.yml +++ b/roles/pvc/tasks/pvc/main.yml @@ -12,21 +12,38 @@ - name: install pvc configurations template: - src: pvc/{{ item }}.yaml.j2 - dest: /etc/pvc/{{ item }}.yaml + src: pvc/{{ item }}.j2 + dest: /etc/pvc/{{ item }} notify: - - restart {{ item }} + - restart pvcd with_items: - - pvcd - - pvc-api + - pvcd.yaml + - pvc-api.yaml + +- name: install API SSL certificate file + copy: + content: "{{ pvc_api_ssl_cert }}" + dest: /etc/pvc/api-cert.pem + mode: 0644 + no_log: True + when: pvc_api_enable_ssl + +- name: install API SSL key file + copy: + content: "{{ pvc_api_ssl_key }}" + dest: /etc/pvc/api-key.pem + mode: 0640 + no_log: True + when: pvc_api_enable_ssl - name: stop and disable unneccessary services service: - name: "{{ item }}" + name: "{{item }}" state: stopped enabled: no with_items: - pdns.service + - dnsmasq.service - include: pvc/bootstrap.yml when: bootstrap is defined and bootstrap diff --git a/roles/pvc/templates/pvc/pvc-api.yaml.j2 b/roles/pvc/templates/pvc/pvc-api.yaml.j2 index cb43f1a..e594914 100644 --- a/roles/pvc/templates/pvc/pvc-api.yaml.j2 +++ b/roles/pvc/templates/pvc/pvc-api.yaml.j2 @@ -3,11 +3,40 @@ # {{ ansible_managed }} pvc: coordinators: -{% for node in pvc_nodes if node.is_coordinator %} - - {{ node.hostname }}.{{ pvc_cluster_domain }} -{% endfor %} api: listen_address: "{{ pvc_api_listen_address }}" listen_port: "{{ pvc_api_listen_port }}" authentication: key: "{{ pvc_api_authentication_key }}" + +pvc: + coordinators: +{% for node in pvc_nodes if node.is_coordinator %} + - {{ node.hostname }} +{% endfor %} + # api: Configuration of the API listener + api: + # listen_address: IP address(es) to listen on; use 0.0.0.0 for all interfaces + listen_address: "{{ pvc_api_listen_address }}" + # listen_port: TCP port to listen on, usually 7370 + listen_port: "{{ pvc_api_listen_port }}" + # authentication: Authentication and security settings + authentication: + # enabled: Enable or disable authentication (True/False) + enabled: {{ pvc_api_enable_authentication }} + # secret_key: Per-cluster secret key for API cookies; generate with uuidgen or pwgen + secret_key: "{{ pvc_api_secret_key }}" + # tokens: a list of authentication tokens; leave as an empty list to disable authentication + tokens: +{% for token in pvc_api_tokens %} + - description: "{{ token.description }}" + token: "{{ token.token }}" +{% endfor %} + # ssl: SSL configuration + ssl: + # enabled: Enabled or disable SSL operation (True/False) + enabled: {{ pvc_api_enable_ssl }} + # cert_file: SSL certificate file + cert_file: "/etc/pvc/api-cert.pem" + # key_file: SSL certificate key file + key_file: "/etc/pvc/api-key.pem"