dani
/
ansible-roles
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
ansible-roles/roles/consul/defaults/main.yml

203 lines
5.8 KiB
YAML
Raw Blame History

---
# user account under which consul will run (will be created if needed)
consul_user: consul
# Root directory where consul will be installed
consul_root_dir: /opt/consul
# List of Unix group which will be consul admins
# Used for example to grant access to cli cert with ACL
consul_admin_groups: "{{ system_admin_groups | default([]) }}"
# An optional CONSUL_HTTP_TOKEN to use to take a snapshot of raft logs during pre-backup
# for example:
# consul_backup_token: 1677848e-1fcd-b24a-6fb0-56b503d75651
# or a more advanced use
# # consul_backup_token: $(VAULT_TOKEN=$(cat /run/vault_agent/vault.token) vault read -field=secret_id consul/creds/admin ttl=1m)
# List of consul servers name or IP
consul_servers: []
# Consul configuration (which will be converted to JSON)
# The configuration is splited in a base conf and an extra conf, so you can override part of the config easily
consul_base_conf:
client_addr: 0.0.0.0
log_level: INFO
bind_addr: 0.0.0.0
# Recursive DNS resolver to which non authoritative queries will be sent
recursors: "{{ ansible_dns.nameservers }}"
# Domain handled by consul, on which services will be published
# All queries in this domain are assumed to be handled by Consul and will not be recursively resolved
# domain: consul.
# An optional alternative domain
# alt_domain: consul.example.org.
# Address that is advertised to the other nodes
advertise_addr: "{{ ansible_default_ipv4.address }}"
# You can also advertise the WAN addr
# advertise_addr_wan: x.x.x.x
# You can define the datacenter in which this agent is running. The default value is dc1
# datacenter: dc1
# When several DC are used, one must be set as the primary. This DC will be used as the
# source for ACL replication
# primary_datacenter: dc1
# Node name, which should be uniq in the region. Default is the hostname
# node_name: consule-fr-zone-c
# Arbitrary metadata
# node_meta:
# instance_type: t2.medium
# env: staging
node_meta: {}
# Optional encryption key for the gossip protocol
# You can generate one with cinsul keygen. The key should be the same on all the members
# encrypt: WSnGbK30nI6K/xk9w+AAtk0Y3RMXKoAlsj4VEICqi0I=
retry_join: "{{ consul_servers }}"
bootstrap_expect: "{{ consul_servers | length }}"
server: "{{ (inventory_hostname in consul_servers | map('regex_replace', ':\\d+$', '')) | ternary(True, False) }}"
ui_config:
enabled: "{{ (inventory_hostname in consul_servers | map('regex_replace', ':\\d+$', '')) | ternary(True, False) }}"
performance:
raft_multiplier: 1
telemetry:
prometheus_retention_time: 1h
connect:
# Enable consul service mesh on servers
enabled: "{{ (inventory_hostname in consul_servers | map('regex_replace', ':\\d+$', '')) | ternary(True, False) }}"
# ca_provider: vault
ca_config:
# address: https://active.vault.service.consul:8200
root_pki_path: pki/root
intermediate_pki_path: pki/connect
#auth_method:
# approle:
# role_id: XXXX
# secret_id: YYYY
acl:
enabled: False
# The default_policy is also used for intentions in the service mesh
default_policy: deny
enable_token_persistence: True
# You can set tokens used by the agent
# tokens:
# default: ab47bc38-d97f-19af-93a5-17b528d154c9
# agent: 5459979a-3f23-8b1f-ff8a-2478856e9216
tokens: {}
tls:
# No TLS will be stup unless this is set to True
enabled: False
# Default TLS settings
defaults:
ca_file: "{{ consul_root_dir }}/tls/ca.crt"
cert_file: "{{ consul_root_dir }}/tls/consul.crt"
key_file: "{{ consul_root_dir }}/tls/consul.key"
verify_incoming: True
verify_outgoing: True
# TLS settings for interal RPC
internal_rpc:
verify_server_hostname: True
# Limits
limits: {}
# http_max_conns_per_client: 200
# raft_logstore:
# backend: wal
# disable_log_cache: true
# boltdb:
# no_freelist_sync: true
# wal:
# segment_size_mb: 64
# raft_snapshot_interval: 1m
# raft_snapshot_threshold: 16384
consul_extra_conf: {}
consul_host_conf: {}
consul_conf: "{{ consul_base_conf | combine(consul_extra_conf, recursive=True) | combine(consul_host_conf, recursive=True) }}"
# For example
# consul_extra_conf:
# datacenter: my-dc
# domain: dev.example.org
# encrypt: WSnGbK30nI6K/xk9w+AAtk0Y3RMXKoAlsj4VEICqi0I=
# ui_config:
# enabled: False
# List of services exposed by consul, the ports they use, and the list of IP
# for which the service is accessible at the firewall level (if iptables_manage == True)
consul_base_services:
dns:
port: 8600
src_ip: []
proto: [tcp,udp]
http:
port: 8500
src_ip: []
proto: [tcp]
https:
port: 8501
src_ip: []
proto: [tcp]
grpc:
port: 8502
src_ip: []
proto: [tcp]
grpc_tls:
port: 8503
src_ip: []
proto: [tcp]
serf_lan:
port: 8301
src_ip: []
proto: [tcp,udp]
serf_wan:
port: 8302
src_ip: []
proto: [tcp,udp]
server:
port: 8300
src_ip: []
proto: [tcp]
sidecar:
port: 21000:21255
src_ip: []
proto: [tcp]
expose:
port: 21500:21755
src_ip: []
proto: [tcp]
consul_extra_services: {}
consul_host_services: {}
consul_services: "{{ consul_base_services | combine(consul_extra_services, recursive=True) | combine(consul_host_services, recursive=True) }}"
# Services can be manually registered on the catalog
# consul_extra_catalog_services:
# service-id:
# name: my-service
# address: 10.1.0.26
# port: 8080
consul_base_catalog_services: {}
consul_extra_catalog_services: {}
consul_host_catalog_services: {}
consul_catalog_services: "{{ consul_base_catalog_services | combine(consul_extra_catalog_services, recursive=True) | combine(consul_host_catalog_services, recursive=True) }}"
# Control memory of the service
consul_memory_max: 1024M
consul_swap_max: 0M
Reference in New Issue View Git Blame Copy Permalink