186 lines
5.5 KiB
YAML
186 lines
5.5 KiB
YAML
---
|
|
|
|
# Version of consul to deploy
|
|
consul_version: 1.14.3
|
|
# URL from where the consul archive will be downloaded
|
|
consul_archive_url: https://releases.hashicorp.com/consul/{{ consul_version }}/consul_{{ consul_version }}_linux_amd64.zip
|
|
# Expected sha256 of the archive
|
|
consul_archive_sha256: 2971959d50fae1aa3f6b624219c85e0a4f34cd7232ea14d77d3cfb05f9ce7b8f
|
|
|
|
# user account under which consul will run (will be created if needed)
|
|
consul_user: consul
|
|
|
|
# Root directory where consul will be installed
|
|
consul_root_dir: /opt/consul
|
|
|
|
# List of Unix group which will be consul admins
|
|
# Used for example to grant access to cli cert with ACL
|
|
consul_admin_groups: "{{ system_admin_groups | default([]) }}"
|
|
|
|
# If ACL are enabled, you need to set a management token for ansible
|
|
# to be able to manage Consul (eg snapshot before upgrades)
|
|
# consul_mgm_token: XXXXXXXXX
|
|
|
|
# List of consul servers name or IP
|
|
consul_servers: []
|
|
|
|
# Consul configuration (which will be converted to JSON)
|
|
# The configuration is splited in a base conf and an extra conf, so you can override part of the config easily
|
|
consul_base_conf:
|
|
client_addr: 0.0.0.0
|
|
log_level: INFO
|
|
bind_addr: 0.0.0.0
|
|
|
|
# Recursive DNS resolver to which non authoritative queries will be sent
|
|
recursors: "{{ ansible_dns.nameservers }}"
|
|
|
|
# Domain handled by consul, on which services will be published
|
|
# All queries in this domain are assumed to be handled by Consul and will not be recursively resolved
|
|
# domain: consul.
|
|
|
|
# An optional alternative domain
|
|
# alt_domain: consul.example.org.
|
|
|
|
# Address that is advertised to the other nodes
|
|
advertise_addr: "{{ ansible_default_ipv4.address }}"
|
|
# You can also advertise the WAN addr
|
|
# advertise_addr_wan: x.x.x.x
|
|
|
|
# You can define the datacenter in which this agent is running. The default value is dc1
|
|
# datacenter: dc1
|
|
|
|
# When several DC are used, one must be set as the primary. This DC will be used as the
|
|
# source for ACL replication
|
|
# primary_datacenter: dc1
|
|
|
|
# Node name, which should be uniq in the region. Default is the hostname
|
|
# node_name: consule-fr-zone-c
|
|
|
|
# Arbitrary metadata
|
|
# node_meta:
|
|
# instance_type: t2.medium
|
|
# env: staging
|
|
node_meta: {}
|
|
|
|
# Optional encryption key for the gossip protocol
|
|
# You can generate one with cinsul keygen. The key should be the same on all the members
|
|
# encrypt: WSnGbK30nI6K/xk9w+AAtk0Y3RMXKoAlsj4VEICqi0I=
|
|
|
|
retry_join: "{{ consul_servers }}"
|
|
bootstrap_expect: "{{ consul_servers | length }}"
|
|
|
|
server: "{{ (inventory_hostname in consul_servers | map('regex_replace', ':\\d+$', '')) | ternary(True, False) }}"
|
|
|
|
ui_config:
|
|
enabled: "{{ (inventory_hostname in consul_servers | map('regex_replace', ':\\d+$', '')) | ternary(True, False) }}"
|
|
|
|
performance:
|
|
raft_multiplier: 1
|
|
|
|
telemetry:
|
|
prometheus_retention_time: 1h
|
|
|
|
connect:
|
|
# Enable consul service mesh on servers
|
|
enabled: "{{ (inventory_hostname in consul_servers | map('regex_replace', ':\\d+$', '')) | ternary(True, False) }}"
|
|
|
|
acl:
|
|
enabled: False
|
|
# The default_policy is also used for intentions in the service mesh
|
|
default_policy: deny
|
|
enable_token_persistence: True
|
|
# You can set tokens used by the agent
|
|
# tokens:
|
|
# default: ab47bc38-d97f-19af-93a5-17b528d154c9
|
|
# agent: 5459979a-3f23-8b1f-ff8a-2478856e9216
|
|
tokens: {}
|
|
|
|
tls:
|
|
# No TLS will be stup unless this is set to True
|
|
enabled: False
|
|
# Default TLS settings
|
|
defaults:
|
|
ca_file: "{{ consul_root_dir }}/tls/ca.crt"
|
|
cert_file: "{{ consul_root_dir }}/tls/consul.crt"
|
|
key_file: "{{ consul_root_dir }}/tls/consul.key"
|
|
verify_incoming: True
|
|
verify_outgoing: True
|
|
# TLS settings for interal RPC
|
|
internal_rpc:
|
|
verify_server_hostname: True
|
|
|
|
consul_extra_conf: {}
|
|
consul_host_conf: {}
|
|
consul_conf: "{{ consul_base_conf | combine(consul_extra_conf, recursive=True) | combine(consul_host_conf, recursive=True) }}"
|
|
|
|
# TLS certs and token retrival from vault
|
|
consul_base_vault_secrets:
|
|
# vault_address: https://active.vault.service.consul:8200
|
|
# vault_token: XXXXXX
|
|
pki:
|
|
enabled: False
|
|
path: /pki/consul
|
|
role: consul-{{ consul_conf.server | ternary('server', 'client') }}
|
|
tokens:
|
|
enabled: False
|
|
path: /consul
|
|
role: consul-agent
|
|
consul_extra_vault_secrets: {}
|
|
consul_host_vault_secrets: {}
|
|
consul_vault_secrets: "{{ consul_base_vault_secrets | combine(consul_extra_vault_secrets, recursive=True) | combine(consul_host_vault_secrets, recursive=True) }}"
|
|
|
|
# For example
|
|
# consul_extra_conf:
|
|
# datacenter: my-dc
|
|
# domain: dev.example.org
|
|
# encrypt: WSnGbK30nI6K/xk9w+AAtk0Y3RMXKoAlsj4VEICqi0I=
|
|
# ui_config:
|
|
# enabled: False
|
|
|
|
# List of services exposed by consul, the ports they use, and the list of IP
|
|
# for which the service is accessible at the firewall level (if iptables_manage == True)
|
|
consul_base_services:
|
|
dns:
|
|
port: 8600
|
|
src_ip: []
|
|
proto: [tcp,udp]
|
|
http:
|
|
port: 8500
|
|
src_ip: []
|
|
proto: [tcp]
|
|
https:
|
|
port: 8501
|
|
src_ip: []
|
|
proto: [tcp]
|
|
grpc:
|
|
port: 8502
|
|
src_ip: []
|
|
proto: [tcp]
|
|
grpc_tls:
|
|
port: 8503
|
|
src_ip: []
|
|
proto: [tcp]
|
|
serf_lan:
|
|
port: 8301
|
|
src_ip: []
|
|
proto: [tcp,udp]
|
|
serf_wan:
|
|
port: 8302
|
|
src_ip: []
|
|
proto: [tcp,udp]
|
|
server:
|
|
port: 8300
|
|
src_ip: []
|
|
proto: [tcp]
|
|
sidecar:
|
|
port: 21000:21255
|
|
src_ip: []
|
|
proto: [tcp]
|
|
expose:
|
|
port: 21500:21755
|
|
src_ip: []
|
|
proto: [tcp]
|
|
consul_extra_services: {}
|
|
consul_host_services: {}
|
|
consul_services: "{{ consul_base_services | combine(consul_extra_services, recursive=True) | combine(consul_host_services, recursive=True) }}"
|