author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-28 16:03:42 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-28 16:03:42 +0000 |
commit | 66cec45960ce1d9c794e9399de15c138acb18aed (patch) | |
tree | 59cd19d69e9d56b7989b080da7c20ef1a3fe2a5a /ansible_collections/sensu/sensu_go/roles/backend | |
parent | Initial commit. (diff) | |
Adding upstream version 7.3.0+dfsg.upstream/7.3.0+dfsgupstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'ansible_collections/sensu/sensu_go/roles/backend')
10 files changed, 433 insertions, 0 deletions
diff --git a/ansible_collections/sensu/sensu_go/roles/backend/README.md b/ansible_collections/sensu/sensu_go/roles/backend/README.md
new file mode 100644
index 00000000..66702076
--- /dev/null
+++ b/ansible_collections/sensu/sensu_go/roles/backend/README.md
@@ -0,0 +1,5 @@
+# sensu.sensu_go.backend role
+
+Visit [the official documentation site][docs] for role documentation.
+
+ [docs]: https://sensu.github.io/sensu-go-ansible/roles/backend.html
diff --git a/ansible_collections/sensu/sensu_go/roles/backend/defaults/main.yml b/ansible_collections/sensu/sensu_go/roles/backend/defaults/main.yml
new file mode 100644
index 00000000..488a8d87
--- /dev/null
+++ b/ansible_collections/sensu/sensu_go/roles/backend/defaults/main.yml
@@ -0,0 +1,7 @@
+---
+cluster_admin_username: admin
+cluster_admin_password: P@ssw0rd!
+
+# Related to /etc/sensu/backend.yml, see
+# https://docs.sensu.io/sensu-go/latest/reference/backend/#configuration-summary
+backend_config:
diff --git a/ansible_collections/sensu/sensu_go/roles/backend/handlers/main.yml b/ansible_collections/sensu/sensu_go/roles/backend/handlers/main.yml
new file mode 100644
index 00000000..f327f3f1
--- /dev/null
+++ b/ansible_collections/sensu/sensu_go/roles/backend/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+- name: Restart backend
+ service:
+ name: sensu-backend
+ state: restarted
+ when: manage_sensu_backend_service | default(False)
diff --git a/ansible_collections/sensu/sensu_go/roles/backend/meta/argument_specs.yml b/ansible_collections/sensu/sensu_go/roles/backend/meta/argument_specs.yml
new file mode 100644
index 00000000..7f243eaf
--- /dev/null
+++ b/ansible_collections/sensu/sensu_go/roles/backend/meta/argument_specs.yml
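Review bot: `cluster_admin_password: P@ssw0rd!` in defaults/main.yml gives every backend that is initialised without an override the same published admin credential; the same value is repeated as the documented default in meta/argument_specs.yml and is what tasks/start.yml passes to `sensu-backend init` as `SENSU_BACKEND_CLUSTER_ADMIN_PASSWORD`. I would drop the default so the operator has to supply a value (for example from Ansible Vault), or at least fail before initialisation while it is unchanged, with an `assert` task using `that: cluster_admin_password != 'P@ssw0rd!'` ahead of "Initialize backend". If the default has to stay for compatibility, a comment above it such as `# Well-known default - override before the API is reachable` would make the risk visible to whoever reads the defaults.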
@@ -0,0 +1,153 @@
+argument_specs:
+
+ configure:
+ short_description: Configure Sensu Go backend
+ description:
+ - Write the Sensu Go backend configuration file and optionally copy the
+ keys and certificates over.
+
+ options:
+ backend_config: &backend_config
+ description:
+ - Any option that is valid for the Sensu Go backend version we are
+ installing.
+ - All valid options are listed at
+ U(https://docs.sensu.io/sensu-go/latest/reference/backend/#configuration).
+ - Role copies the key-value pairs from the I(backend_config) variable
+ verbatim to the configuration file. This means that we must copy
+ the key names B(exactly) as they appear in the configuration
+ reference. In a way, the I(backend_config) variable should contain a
+ properly indented copy of the C(/etc/sensu/backend.yml) file.
+ type: dict
+
+ etcd_cert_file: &etcd_cert_file
+ description:
+ - Path to the certificate used for SSL/TLS connections B(to) etcd.
+ This is a client certificate.
+ type: str
+
+ etcd_key_file: &etcd_key_file
+ description:
+ - Path to the private key for the etcd client certificate file. Must
+ be unencrypted.
+ type: str
+
+ etcd_trusted_ca_file: &etcd_trusted_ca_file
+ description:
+ - Path to the trusted certificate authority for the etcd client
+ certificates.
+ type: str
+
+ etcd_peer_cert_file: &etcd_peer_cert_file
+ description:
+ - Path to the certificate used for SSL/TLS connections between peers.
+ This will be used both for listening on the peer address as well as
+ sending requests to other peers.
+ type: str
+
+ etcd_peer_key_file: &etcd_peer_key_file
+ description:
+ - Path to the peer certificate's key. Must be unencrypted.
+ type: str
+
+ etcd_peer_trusted_ca_file: &etcd_peer_trusted_ca_file
+ description:
+ - Path to the trusted certificate authority for the peer
+ certificates.
+ type: str
+
+ api_cert_file: &api_cert_file
+ description:
+ - Path to the certificate used to secure the Sensu Go API.
+ type: str
+
+ api_key_file: &api_key_file
+ description:
+ - Path to the private key corresponding to the Sensu Go API
+ certificate. Must be unencrypted.
+ type: str
+
+ api_trusted_ca_file: &api_trusted_ca_file
+ description:
+ - Path to the trusted certificate authority for the Sensu Go API
+ certificates.
+ type: str
+
+ dashboard_cert_file: &dashboard_cert_file
+ description:
+ - Path to the certificate used for SSL/TLS connections to the
+ dashboard.
+ type: str
+
+ dashboard_key_file: &dashboard_key_file
+ description:
+ - Path to the private key corresponding to the dashboard certificate.
+ Must be unencrypted.
+ type: str
+
+ start:
+ short_description: Start Sensu Go backend
+ description:
+ - Start the Sensu Go backend service and initialize it on the first run.
+
+ options:
+ cluster_admin_username: &cluster_admin_username
+ description:
+ - Initial admin user to create when initializing backend for the
+ first time.
+ type: str
+ default: admin
+
+ cluster_admin_password: &cluster_admin_password
+ description:
+ - Initial admin password to create when initializing backend for the
+ first time.
+ type: str
+ default: P@ssw0rd!
+
+ main:
+ short_description: Install, configure, and start Sensu Go backend
+ description:
+ - Install, configure, and start the Sensu Go backend service and
+ initialize it on the first run.
+
+ options:
+ channel:
+ description:
+ - Repository channel that serves as a source of packages.
+ - Visit the packagecloud site to find all available channels.
+ type: str
+ default: stable
+
+ version: &version
+ description:
+ - Package version to install.
+ - Can be any valid version string such as C(6.2.5) or special value
+ C(latest).
+ type: str
+ default: latest
+
+ build:
+ description:
+ - Package build to install.
+ - Can be any valid build string such as C(8290) or a special value
+ latest.
+ - If the I(version) variable is set to latest, this variable is
+ ignored and the latest available build is installed.
+ type: str
+ default: latest
+
+ backend_config: *backend_config
+ etcd_cert_file: *etcd_cert_file
+ etcd_key_file: *etcd_key_file
+ etcd_trusted_ca_file: *etcd_trusted_ca_file
+ etcd_peer_cert_file: *etcd_peer_cert_file
+ etcd_peer_key_file: *etcd_peer_key_file
+ etcd_peer_trusted_ca_file: *etcd_peer_trusted_ca_file
+ api_cert_file: *api_cert_file
+ api_key_file: *api_key_file
+ api_trusted_ca_file: *api_trusted_ca_file
+ dashboard_cert_file: *dashboard_cert_file
+ dashboard_key_file: *dashboard_key_file
+ cluster_admin_username: *cluster_admin_username
+ cluster_admin_password: *cluster_admin_password
diff --git a/ansible_collections/sensu/sensu_go/roles/backend/meta/main.yml b/ansible_collections/sensu/sensu_go/roles/backend/meta/main.yml
new file mode 100644
index 00000000..da85fa57
--- /dev/null
+++ b/ansible_collections/sensu/sensu_go/roles/backend/meta/main.yml
@@ -0,0 +1,24 @@
+galaxy_info:
+ author: XLAB Steampunk <steampunk@xlab.si>
+ description: Configure Sensu Go backend
+ license: GPL-3.0-or-later
+ min_ansible_version: 2.8
+
+ platforms:
+ - name: EL
+ versions:
+ - "7"
+ - "8"
+ - name: Ubuntu
+ versions:
+ - trusty
+ - xenial
+ - bionic
+ - disco
+ - name: Debian
+ versions:
+ - stretch
+ - buster
+
+ galaxy_tags:
+ - sensu
diff --git a/ansible_collections/sensu/sensu_go/roles/backend/tasks/configure.yml b/ansible_collections/sensu/sensu_go/roles/backend/tasks/configure.yml
new file mode 100644
index 00000000..56102681
--- /dev/null
+++ b/ansible_collections/sensu/sensu_go/roles/backend/tasks/configure.yml
@@ -0,0 +1,71 @@
+---
+- name: Install etcd communication PKI
+ copy:
+ src: "{{ item.source }}"
+ dest: "/etc/sensu/{{ item.filename }}"
+ # Keep this in sync with what the backend service is running as from packager
+ owner: &sensu_user sensu
+ group: &sensu_group sensu
+ mode: "{{ item.mode | default('0644') }}"
+ loop:
+ - source: "{{ etcd_cert_file }}"
+ filename: etcd-client.crt
+ - source: "{{ etcd_key_file }}"
+ filename: etcd-client.key
+ mode: '0400'
+ - source: "{{ etcd_trusted_ca_file }}"
+ filename: etcd-client-ca.crt
+ - source: "{{ etcd_peer_cert_file }}"
+ filename: etcd-peer.crt
+ - source: "{{ etcd_peer_key_file }}"
+ filename: etcd-peer.key
+ mode: '0400'
+ - source: "{{ etcd_peer_trusted_ca_file }}"
+ filename: etcd-peer-ca.crt
+ when: etcd_trusted_ca_file is defined or etcd_cert_file is defined or
+ etcd_key_file is defined or etcd_peer_cert_file is defined or
+ etcd_peer_key_file is defined
+
+- name: Install API communication PKI
+ copy:
+ src: "{{ item.source }}"
+ dest: "/etc/sensu/{{ item.filename }}"
+ owner: *sensu_user
+ group: *sensu_group
+ mode: "{{ item.mode | default('0644') }}"
+ loop:
+ - source: "{{ api_cert_file }}"
+ filename: api.crt
+ - source: "{{ api_key_file }}"
+ filename: api.key
+ mode: '0400'
+ - source: "{{ api_trusted_ca_file }}"
+ filename: api-ca.crt
+ when: api_cert_file is defined or api_key_file is defined or
+ api_trusted_ca_file is defined
+
+- name: Install dashboard communication PKI
+ copy:
+ src: "{{ item.source }}"
+ dest: "/etc/sensu/{{ item.filename }}"
+ owner: *sensu_user
+ group: *sensu_group
+ mode: "{{ item.mode }}"
+ loop:
+ - source: "{{ dashboard_cert_file }}"
+ filename: dashboard.crt
+ mode: '0644'
+ - source: "{{ dashboard_key_file }}"
+ filename: dashboard.key
+ mode: '0400'
+ when: dashboard_cert_file is defined or dashboard_key_file is defined
+
+- name: Configure sensu-backend (/etc/sensu/backend.yml)
+ template:
+ src: backend.yml.j2
+ dest: /etc/sensu/backend.yml
+ owner: *sensu_user
+ group: *sensu_group
+ mode: '0600'
+ notify: Restart backend
+ register: configure_result
diff --git a/ansible_collections/sensu/sensu_go/roles/backend/tasks/main.yml b/ansible_collections/sensu/sensu_go/roles/backend/tasks/main.yml
new file mode 100644
index 00000000..85de418d
--- /dev/null
+++ b/ansible_collections/sensu/sensu_go/roles/backend/tasks/main.yml
@@ -0,0 +1,16 @@
+---
+- name: Install sensu-go-backend binary
+ include_role:
+ name: install
+ vars:
+ components: [sensu-go-backend]
+
+- name: Inform restart handler that we are in charge of the backend service
+ set_fact:
+ manage_sensu_backend_service: true
+
+- name: Configure the backend
+ include_tasks: configure.yml
+
+- name: Start the backend
+ include_tasks: start.yml
diff --git a/ansible_collections/sensu/sensu_go/roles/backend/tasks/start.yml b/ansible_collections/sensu/sensu_go/roles/backend/tasks/start.yml
new file mode 100644
index 00000000..90a8a419
--- /dev/null
+++ b/ansible_collections/sensu/sensu_go/roles/backend/tasks/start.yml
@@ -0,0 +1,25 @@
+---
+- name: Start sensu-backend
+ service:
+ name: sensu-backend
+ state: started
+ enabled: true
+
+- name: Check for sensu-backend init command
+ command:
+ cmd: sensu-backend init -h
+ register: init_command_test
+ failed_when: false # Never fail, we just want to know if init exists.
+ changed_when: false # Displaying help is read-only operation.
+ check_mode: false # We do not modify the system, so we can always run
+
+- name: Initialize backend
+ command:
+ cmd: sensu-backend init
+ environment:
+ SENSU_BACKEND_CLUSTER_ADMIN_USERNAME: "{{ cluster_admin_username }}"
+ SENSU_BACKEND_CLUSTER_ADMIN_PASSWORD: "{{ cluster_admin_password }}"
+ when: init_command_test.rc == 0
+ register: init_command
+ failed_when: init_command.rc not in (0, 3) # 0 - OK, 3 - already initialized
+ changed_when: init_command.rc == 0
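Review bot: In tasks/configure.yml the `when:` on "Install etcd communication PKI" is an `or` over five variables while the `loop:` templates all six `etcd_*_file` variables, so a play that defines only some of them presumably stops on an undefined variable instead of copying the files it was given. The guard also leaves out `etcd_peer_trusted_ca_file`, so setting only that variable installs nothing. The API and dashboard tasks are built the same way. Either check up front that each group of variables is set together (an `assert` listing all of them with a clear `fail_msg`), or document the all-or-nothing contract with a comment above each task such as `# All etcd_*_file variables must be set together`.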
diff --git a/ansible_collections/sensu/sensu_go/roles/backend/templates/backend.yml.j2 b/ansible_collections/sensu/sensu_go/roles/backend/templates/backend.yml.j2
new file mode 100644
index 00000000..2bda11eb
--- /dev/null
+++ b/ansible_collections/sensu/sensu_go/roles/backend/templates/backend.yml.j2
@@ -0,0 +1,124 @@
+---
+#
+# {{ managed }}
+#
+
+{% if not backend_config or "state-dir" not in backend_config %}
+state-dir: "/var/lib/sensu/sensu-backend"
+{% endif -%}
+
+{% set secure_etcd = etcd_trusted_ca_file is defined or etcd_cert_file is defined or
+ etcd_key_file is defined or etcd_peer_cert_file is defined or
+ etcd_peer_key_file is defined %}
+{% if secure_etcd and
+ (not backend_config or "etcd-listen-client-urls" not in backend_config) %}
+etcd-listen-client-urls: "https://localhost:2379"
+{% endif -%}
+
+{% if secure_etcd and
+ (not backend_config or "etcd-listen-peer-urls" not in backend_config) %}
+etcd-listen-peer-urls: "https://localhost:2380"
+{% endif -%}
+
+{% if secure_etcd and
+ (not backend_config or "etcd-initial-cluster" not in backend_config) %}
+etcd-initial-cluster: "default=https://localhost:2380"
+{% endif -%}
+
+{% if secure_etcd and
+ (not backend_config or
+ "etcd-initial-advertise-peer-urls" not in backend_config) %}
+etcd-initial-advertise-peer-urls: "https://localhost:2380"
+{% endif -%}
+
+{% if secure_etcd and
+ (not backend_config or "etcd-cert-file" not in backend_config) %}
+etcd-cert-file: "/etc/sensu/etcd-client.crt"
+{% endif -%}
+
+{% if secure_etcd and
+ (not backend_config or "etcd-key-file" not in backend_config) %}
+etcd-key-file: "/etc/sensu/etcd-client.key"
+{% endif -%}
+
+{% if secure_etcd and
+ (not backend_config or "etcd-client-cert-auth" not in backend_config) %}
+etcd-client-cert-auth: true
+{% endif -%}
+
+{% if secure_etcd and
+ (not backend_config or "etcd-trusted-ca-file" not in backend_config) %}
+etcd-trusted-ca-file: "/etc/sensu/etcd-client-ca.crt"
+{% endif -%}
+
+{% if secure_etcd and
+ (not backend_config or "etcd-peer-cert-file" not in backend_config) %}
+etcd-peer-cert-file: "/etc/sensu/etcd-peer.crt"
+{% endif -%}
+
+{% if secure_etcd and
+ (not backend_config or "etcd-peer-key-file" not in backend_config) %}
+etcd-peer-key-file: "/etc/sensu/etcd-peer.key"
+{% endif -%}
+
+{% if secure_etcd and
+ (not backend_config or
+ "etcd-peer-client-cert-auth" not in backend_config) %}
+etcd-peer-client-cert-auth: true
+{% endif -%}
+
+{% if secure_etcd and
+ (not backend_config or
+ "etcd-peer-trusted-ca-file" not in backend_config) %}
+etcd-peer-trusted-ca-file: "/etc/sensu/etcd-peer-ca.crt"
+{% endif -%}
+
+{% set secure_api = api_cert_file is defined or api_key_file is defined or
+ api_trusted_ca_file is defined %}
+{% if secure_api and
+ (not backend_config or "cert-file" not in backend_config) %}
+cert-file: "/etc/sensu/api.crt"
+{% endif -%}
+
+{% if secure_api and
+ (not backend_config or "key-file" not in backend_config) %}
+key-file: "/etc/sensu/api.key"
+{% endif -%}
+
+{% if secure_api and
+ (not backend_config or
+ "insecure-skip-tls-verify" not in backend_config) %}
+insecure-skip-tls-verify: false
+{% endif -%}
+
+{% if secure_api and
+ (not backend_config or "trusted-ca-file" not in backend_config) %}
+trusted-ca-file: "/etc/sensu/api-ca.crt"
+{% endif -%}
+
+{% if secure_api and
+ (not backend_config or
+ "insecure-skip-tls-verify" not in backend_config) %}
+insecure-skip-tls-verify: false
+{% endif -%}
+
+{% if secure_api and
+ (not backend_config or "api-url" not in backend_config) %}
+api-url: "https://localhost:8080"
+{% endif -%}
+
+{% set secure_dashboard = dashboard_cert_file is defined or
+ dashboard_key_file is defined %}
+{% if secure_dashboard and
+ (not backend_config or "dashboard-cert-file" not in backend_config) %}
+dashboard-cert-file: "/etc/sensu/dashboard.crt"
+{% endif -%}
+
+{% if secure_dashboard and
+ (not backend_config or "dashboard-key-file" not in backend_config) %}
+dashboard-key-file: "/etc/sensu/dashboard.key"
+{% endif -%}
+
+{% if backend_config %}
+{{ backend_config | to_nice_yaml }}
+{% endif %}
diff --git a/ansible_collections/sensu/sensu_go/roles/backend/vars/main.yml b/ansible_collections/sensu/sensu_go/roles/backend/vars/main.yml
new file mode 100644
index 00000000..28afcd19
--- /dev/null
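Review bot: In templates/backend.yml.j2 the `insecure-skip-tls-verify: false` block is emitted twice under `secure_api`, once before and once after `trusted-ca-file`, so the rendered backend.yml carries a duplicate key whenever API TLS is enabled and the operator has not set it; one of the two blocks should be removed. `secure_etcd` also omits `etcd_peer_trusted_ca_file`, so supplying only the peer CA leaves etcd on its non-TLS defaults. Separately, every default here is skipped when the key is present in `backend_config`, which is then written verbatim, so an operator-supplied `insecure-skip-tls-verify: true` or `etcd-client-cert-auth: false` replaces the secure default without any notice. A header comment such as `{# keys set in backend_config replace the TLS defaults below #}` would make that precedence explicit.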
+++ b/ansible_collections/sensu/sensu_go/roles/backend/vars/main.yml
@@ -0,0 +1,2 @@
+---
+managed: Managed by Ansible - do NOT edit this file manually! |