
c97e0e2b98e4206b8d30448fb5c97f8bd1fce7b8 — Damien Radtke 1 year, 2 months ago 586008a
Prepare for 15.2 upgrade
M stackscripts/cluster-member.sh => stackscripts/cluster-member.sh +6 -6
@@ 27,7 27,7 @@ function set_hostname () {
function install_base_packages () {
  echo "[Installing Base Packages]"
  zypper --non-interactive install \
    sudo wget jq firewalld
    sudo jq firewalld
}
# }}}



@@ 48,10 48,10 @@ function create_user () {
# {{{ install_cfssl
function install_cfssl () {
  echo "[Installing CFSSL]"
  wget --quiet -O /usr/local/bin/cfssl "https://pkg.cfssl.org/R1.2/cfssl_linux-amd64"
  curl -o /usr/local/bin/cfssl "https://pkg.cfssl.org/R1.2/cfssl_linux-amd64"
  chmod +x /usr/local/bin/cfssl

  wget --quiet -O /usr/local/bin/cfssljson "https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64"
  curl -o /usr/local/bin/cfssljson "https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64"
  chmod +x /usr/local/bin/cfssljson
}
# }}}


@@ 104,8 104,8 @@ EOF
    local checksum_sig="${checksum}.sig"
  
    # Download the checksum first and verify that it's signed by Hashicorp.
    wget --quiet "${base}/${checksum}"
    wget --quiet "${base}/${checksum_sig}"
    curl -o "${checksum}" "${base}/${checksum}"
    curl -o "${checksum_sig}" "${base}/${checksum_sig}"
    sync
  
    # Verify that the checksum was signed by Hashicorp.


@@ 115,7 115,7 @@ EOF
    # Note that the checksum comes with sums for every platform,
    # so we need to filter down to 64-bit Linux to avoid failures caused by
    # the other releases not being present.
    wget --quiet "${base}/${archive}"
    curl -o "${archive}" "${base}/${archive}"
    sync
    cat "${checksum}" | grep -E "_${osarch}\\.zip$" | sha256sum --check - || exit 13
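Review bot: The replacement `curl -o /usr/local/bin/cfssl "https://pkg.cfssl.org/R1.2/cfssl_linux-amd64"` (install_cfssl hunk, @@48, and the cfssljson line below it) loses the failure behaviour wget had: curl exits 0 on an HTTP 404/5xx and writes the error body to the output file, which the next line then marks executable, so a broken download leaves a bogus binary in /usr/local/bin. Each replaced call should fail on HTTP errors, e.g. `curl -fsSL -o /usr/local/bin/cfssl "https://pkg.cfssl.org/R1.2/cfssl_linux-amd64"`; the checksum and archive downloads at @@104 and @@115 want the same flags, although there the gpg and sha256sum steps would at least reject a bad body. The cfssl and cfssljson binaries are still installed with no checksum or signature check at all, unlike the Hashicorp archive, which is worth a comment or a pinned sha256 in the script. The install_base_packages hunk (@@27) removes wget from the zypper list without adding curl, so the script now assumes the image already ships curl; the enclosing functions at @@104 and @@115 start and end outside the hunks.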
  

M stackscripts/update => stackscripts/update +1 -1
@@ 1,2 1,2 @@
#!/bin/bash
linode-cli stackscripts update --label=cluster-member --images=linode/opensuse15.1 --script="$(cat cluster-member.sh)" 535217
linode-cli stackscripts update --label=cluster-member --images=linode/opensuse15.1 --images=linode/opensuse15.2 --script="$(cat cluster-member.sh)" 535217
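Review bot: Whether `--images=linode/opensuse15.1 --images=linode/opensuse15.2` accumulates into two images or whether the CLI keeps only the last occurrence is not evident from this line; if it is last-wins, 15.1 is silently dropped from the StackScript and the existing workspaces lose their image. A one-line comment recording the expected result, e.g. `# both --images flags are kept; verify with: linode-cli stackscripts view 535217`, would make the intent checkable after the run.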

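--- /dev/null
+++ b/terraform/Makefile
@@ -0,0 +1,2 @@
+format:
+	find . -name '*.tf' -exec terraform fmt {} \;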
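Review bot: `find . -name '*.tf' -exec terraform fmt {} \;` spawns one terraform process per file where `terraform fmt -recursive .` formats the same tree in a single invocation and is the form the tool documents. The target is also not declared phony, so a file or directory named `format` in terraform/ would make `make format` a no-op; add `.PHONY: format` above it.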

M terraform/consul-server/main.tf => terraform/consul-server/main.tf +5 -4
@@ 5,6 5,7 @@ resource "linode_instance" "servers" {
  image            = random_id.servers[count.index].keepers.image
  type             = random_id.servers[count.index].keepers.instance_type
  authorized_users = var.authorized_users
  group            = terraform.workspace

  stackscript_id = var.stackscript_id
  stackscript_data = {


@@ 108,8 109,8 @@ resource "linode_instance" "servers" {
  provisioner "remote-exec" {
    connection { host = split("/", self.ipv6)[0] }
    inline = [
			"/usr/local/bin/issue-cert.sh --user consul --ca consul --name consul --hostnames ${split("/", self.ipv6)[0]}",
		]
      "/usr/local/bin/issue-cert.sh --user consul --ca consul --name consul --hostnames ${split("/", self.ipv6)[0]}",
    ]
  }

  // start services


@@ 122,8 123,8 @@ resource "linode_instance" "servers" {
  provisioner "remote-exec" {
    connection { host = split("/", self.ipv6)[0] }
    inline = [
			"sudo -u damien /usr/local/bin/consul -autocomplete-install",
		]
      "sudo -u damien /usr/local/bin/consul -autocomplete-install",
    ]
  }

  // disable further root ssh

M terraform/domain-address/variables.tf => terraform/domain-address/variables.tf +7 -7
@@ 1,15 1,15 @@
variable domain {
	type = string
  type = string
}

variable name {
	type = string
	default = ""
  type    = string
  default = ""
}

variable instances {
	type = list(object({
		ip_address = string
		ipv6 = string
	}))
  type = list(object({
    ip_address = string
    ipv6       = string
  }))
}

M terraform/main.tf => terraform/main.tf +15 -12
@@ 14,7 14,10 @@ variable vault_token { type = string }
locals {
  region = "ca-central"
  # image = "private/8694776"
  image            = "linode/opensuse15.1"
  image = {
    default = "linode/opensuse15.1"
    next    = "linode/opensuse15.2"
  }
  instance_type    = "g6-nanode-1"
  stackscript_id   = 535217
  authorized_users = [data.linode_profile.me.username]


@@ 27,7 30,7 @@ module "consul-server" {
  consul_version = "1.7.2"

  datacenter       = local.region
  image            = local.image
  image            = local.image[terraform.workspace]
  instance_type    = local.instance_type
  stackscript_id   = local.stackscript_id
  authorized_users = local.authorized_users


@@ 44,7 47,7 @@ module "nomad-server" {
  consul_server_ips = module.consul-server.instances[*].ipv6

  datacenter       = local.region
  image            = local.image
  image            = local.image[terraform.workspace]
  instance_type    = local.instance_type
  stackscript_id   = local.stackscript_id
  authorized_users = local.authorized_users


@@ 62,7 65,7 @@ module "nomad-client" {
  consul_server_ips = module.consul-server.instances[*].ipv6

  datacenter       = local.region
  image            = local.image
  image            = local.image[terraform.workspace]
  instance_type    = local.instance_type
  stackscript_id   = local.stackscript_id
  authorized_users = local.authorized_users


@@ 80,7 83,7 @@ module "nomad-client-load-balancer" {
  consul_server_ips = module.consul-server.instances[*].ipv6

  datacenter       = local.region
  image            = local.image
  image            = local.image[terraform.workspace]
  instance_type    = local.instance_type
  stackscript_id   = local.stackscript_id
  authorized_users = local.authorized_users


@@ 97,7 100,7 @@ module "vault-server" {
  consul_server_ips = module.consul-server.instances[*].ipv6

  datacenter       = local.region
  image            = local.image
  image            = local.image[terraform.workspace]
  instance_type    = local.instance_type
  stackscript_id   = local.stackscript_id
  authorized_users = local.authorized_users


@@ 106,11 109,11 @@ module "vault-server" {
}

resource "null_resource" "nomad_client_firewall" {
	triggers = {
		ips = module.nomad-client.instances[*].ipv6
	}
  triggers = {
    ips = join(",", module.nomad-client.instances[*].ipv6)
  }

	provisioner "local-exec" {
		command = "update-nomad-client-firewall"
	}
  provisioner "local-exec" {
    command = "update-nomad-client-firewall"
  }
}
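Review bot: `image = local.image[terraform.workspace]` (first hunk, @@14, repeated in the five module blocks below) fails the plan with an invalid-index error for any workspace whose name is not `default` or `next`, so creating any other workspace now breaks all six resources at once rather than falling back to the current image. `lookup(local.image, terraform.workspace, local.image.default)` preserves the old behaviour for unknown workspaces while still letting `next` select 15.2. A short comment on the `image` map stating that the keys are workspace names, e.g. `# keyed by terraform.workspace; "next" is the upgrade canary`, would also make the coupling explicit, since nothing in the map itself says so.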

M terraform/nomad-client/main.tf => terraform/nomad-client/main.tf +6 -5
@@ 15,13 15,14 @@ locals {
}

resource "linode_instance" "clients" {
  count            = var.clients
  label            = "nomad-client-${random_id.clients[count.index].keepers.datacenter}-${replace(random_id.clients[count.index].b64_url, "-", "_")}"
  region           = random_id.clients[count.index].keepers.datacenter
  image            = random_id.clients[count.index].keepers.image
  type             = random_id.clients[count.index].keepers.instance_type
  count  = var.clients
  label  = "nomad-client-${random_id.clients[count.index].keepers.datacenter}-${replace(random_id.clients[count.index].b64_url, "-", "_")}"
  region = random_id.clients[count.index].keepers.datacenter
  image  = random_id.clients[count.index].keepers.image
  type   = random_id.clients[count.index].keepers.instance_type
  // private_ip       = true
  authorized_users = var.authorized_users
  group            = terraform.workspace

  stackscript_id = var.stackscript_id
  stackscript_data = {

M terraform/nomad-client/variables.tf => terraform/nomad-client/variables.tf +4 -4
@@ 14,11 14,11 @@ variable nomad_version { type = string }
variable consul_server_ips { type = list(string) }

variable meta {
	type = map(string)
	default = {}
  type    = map(string)
  default = {}
}

variable node_class {
	type = string
	default = ""
  type    = string
  default = ""
}

M terraform/nomad-server/main.tf => terraform/nomad-server/main.tf +12 -11
@@ 5,6 5,7 @@ resource "linode_instance" "servers" {
  image            = random_id.servers[count.index].keepers.image
  type             = random_id.servers[count.index].keepers.instance_type
  authorized_users = var.authorized_users
  group            = terraform.workspace

  stackscript_id = var.stackscript_id
  stackscript_data = {


@@ 137,20 138,20 @@ resource "linode_instance" "servers" {
    inline = ["service firewalld reload"]
  }

	// set Vault token
	provisioner "remote-exec" {
  // set Vault token
  provisioner "remote-exec" {
    connection { host = split("/", self.ipv6)[0] }
		inline = [
			<<-EOC
    inline = [
      <<-EOC
				SYSTEMD_EDITOR=tee systemctl edit nomad <<EOF
				[Service]
				Environment=VAULT_TOKEN=${var.vault_token}
				EOF
			EOC
			,
			"chmod 0400 /etc/systemd/system/nomad.service.d/override.conf"
		]
	}
      ,
      "chmod 0400 /etc/systemd/system/nomad.service.d/override.conf"
    ]
  }

  // fix permissions
  provisioner "remote-exec" {


@@ 196,9 197,9 @@ resource "linode_instance" "servers" {
  provisioner "remote-exec" {
    connection { host = split("/", self.ipv6)[0] }
    inline = [
			"sudo -u damien /usr/local/bin/consul -autocomplete-install",
			"sudo -u damien /usr/local/bin/nomad -autocomplete-install",
		]
      "sudo -u damien /usr/local/bin/consul -autocomplete-install",
      "sudo -u damien /usr/local/bin/nomad -autocomplete-install",
    ]
  }

  // disable further root ssh
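Review bot: In the Vault token hunk (@@137) the override file is created by the `SYSTEMD_EDITOR=tee systemctl edit nomad <<EOF` heredoc and only locked down by the separate `"chmod 0400 /etc/systemd/system/nomad.service.d/override.conf"` command afterwards, so the file carrying `VAULT_TOKEN` exists with whatever default mode systemctl/tee gives it until that second command runs; setting a restrictive umask in the same inline command (`umask 077 && SYSTEMD_EDITOR=tee systemctl edit nomad <<EOF`) closes that window, assuming systemctl honours the process umask when it writes the drop-in. Because `${var.vault_token}` is interpolated into the provisioner script, the token is also part of the plan/apply output and of the stored state for this resource; if the Terraform version in use supports it, marking the `vault_token` variable `sensitive = true` at least keeps it out of the console output. The enclosing `linode_instance` resource starts and ends outside the hunk.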

M terraform/outputs.tf => terraform/outputs.tf +3 -3
@@ 1,13 1,13 @@
output "consul_server_ips" {
	value = [for ip in module.consul-server.instances[*].ipv6: split("/", ip)[0]]
  value = [for ip in module.consul-server.instances[*].ipv6 : split("/", ip)[0]]
}

output "nomad_server_ips" {
	value = [for ip in module.nomad-server.instances[*].ipv6: split("/", ip)[0]]
  value = [for ip in module.nomad-server.instances[*].ipv6 : split("/", ip)[0]]
}

output "vault_server_ips" {
	value = [for ip in module.vault-server.instances[*].ipv6: split("/", ip)[0]]
  value = [for ip in module.vault-server.instances[*].ipv6 : split("/", ip)[0]]
}

output "nomad_client_ips" {

M terraform/vault-server/main.tf => terraform/vault-server/main.tf +4 -3
@@ 5,6 5,7 @@ resource "linode_instance" "servers" {
  image            = random_id.servers[count.index].keepers.image
  type             = random_id.servers[count.index].keepers.instance_type
  authorized_users = var.authorized_users
  group            = terraform.workspace

  stackscript_id = var.stackscript_id
  stackscript_data = {


@@ 173,9 174,9 @@ resource "linode_instance" "servers" {
  provisioner "remote-exec" {
    connection { host = split("/", self.ipv6)[0] }
    inline = [
			"sudo -u damien /usr/local/bin/consul -autocomplete-install",
			"sudo -u damien /usr/local/bin/vault -autocomplete-install",
		]
      "sudo -u damien /usr/local/bin/consul -autocomplete-install",
      "sudo -u damien /usr/local/bin/vault -autocomplete-install",
    ]
  }

  // disable further root ssh