From 62a6478060cea8773fc87c4d949438b3c12b1743 Mon Sep 17 00:00:00 2001 From: friedrich goerz Date: Thu, 17 Nov 2022 15:47:34 +0100 Subject: [PATCH] DEV-607: added missing ufw rules + added automationgit statusgit status --- .gitlab-ci.yml | 99 +++++++++++++++++++++++++---------------- external_monitoring.yml | 16 +++++-- 2 files changed, 73 insertions(+), 42 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index a1e66e8..63d2594 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -93,28 +93,6 @@ builder-job: except: - schedules -run-setup-digitalocean: - extends: .run-ansible - stage: run-setup - before_script: - - export STAGE=dev - - echo "${ANSIBLE_VAULT_PASS_DEV}" > /tmp/vault-pass - script: - - 'command -v ssh-agent >/dev/null || ( apt-get update -y && apt-get install openssh-client -y )' - - eval $(ssh-agent -s) - - 'echo "$GITLAB_SSH_KEY" | tr -d "\r" | ssh-add -' - - mkdir -p ~/.ssh - - chmod 0700 ~/.ssh - - '[[ -f /.dockerenv ]] && echo -e "Host *\n\tStrictHostKeyChecking no\n\n" >> ~/.ssh/config' - - ssh-add -L - - ansible-playbook -i stage-digitalocean setup.yml --vault-password-file /tmp/vault-pass -t common -u gitlabci - after_script: - - rm /tmp/vault-pass - only: - - main - except: - - schedules - run-setup-dev: extends: .run-setup resource_group: dev 
@@ -315,23 +293,12 @@ run-patchday-dev: rules: - if: $CI_PIPELINE_SOURCE == "schedule" && $CI_COMMIT_BRANCH == "main" -run-patchday-dev-digitalocean: - extends: .run-ansible - stage: run-patchday +run-patchday-devscr: + extends: .run-patchday + resource_group: devscr before_script: - - echo "${ANSIBLE_VAULT_PASS_DEV}" > /tmp/vault-pass - script: - - 'command -v ssh-agent >/dev/null || ( apt-get update -y && apt-get install openssh-client -y )' - - eval $(ssh-agent -s) - - 'echo "$GITLAB_SSH_KEY" | tr -d "\r" | ssh-add -' - - mkdir -p ~/.ssh - - chmod 0700 ~/.ssh - - '[[ -f /.dockerenv ]] && echo -e "Host *\n\tStrictHostKeyChecking no\n\n" >> ~/.ssh/config' - - ssh-add -L - - ansible-playbook -i stage-digitalocean patchday.yml --vault-password-file=/tmp/vault-pass -u gitlabci - after_script: - - rm /tmp/vault-pass - timeout: 2h + - export STAGE=devscr + - echo "${ANSIBLE_VAULT_PASS_DEVSCR}" > /tmp/vault-pass rules: - if: $CI_PIPELINE_SOURCE == "schedule" && $CI_COMMIT_BRANCH == "main" 
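Review bot: `run-patchday-devscr` writes the vault password to `/tmp/vault-pass` in `before_script`, but removal of that file depends on `.run-patchday`, which is outside this hunk; the DigitalOcean jobs in the last hunk delete it explicitly in `after_script`, so confirm the template does the same. The file is also created with the runner's default umask; `- (umask 077; echo "${ANSIBLE_VAULT_PASS_DEVSCR}" > /tmp/vault-pass)` keeps it owner-readable only, and the same applies to the `echo ... > /tmp/vault-pass` lines of the two digitalocean jobs in the last hunk.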
@@ -431,3 +398,59 @@ run-patchday-prodwork01: # - echo "${ANSIBLE_VAULT_PASS_PRODWORK01}" > /tmp/vault-pass # only: # - prodnso + + +######## +### http://patorjk.com/software/taag/#p=display&f=Doom&t=Digitialocean +### +### ______ _ _ _ _ _ +### | _ (_) (_) | (_) | | +### | | | |_ __ _ _| |_ _ __ _| | ___ ___ ___ __ _ _ __ +### | | | | |/ _` | | __| |/ _` | |/ _ \ / __/ _ \/ _` | '_ \ +### | |/ /| | (_| | | |_| | (_| | | (_) | (_| __/ (_| | | | | +### |___/ |_|\__, |_|\__|_|\__,_|_|\___/ \___\___|\__,_|_| |_| +### __/ | +### |___/ + +run-setup-digitalocean: + extends: .run-ansible + stage: run-setup + before_script: + - export STAGE=dev + - echo "${ANSIBLE_VAULT_PASS_DEV}" > /tmp/vault-pass + script: + - 'command -v ssh-agent >/dev/null || ( apt-get update -y && apt-get install openssh-client -y )' + - eval $(ssh-agent -s) + - 'echo "$GITLAB_SSH_KEY" | tr -d "\r" | ssh-add -' + - mkdir -p ~/.ssh + - chmod 0700 ~/.ssh + - '[[ -f /.dockerenv ]] && echo -e "Host *\n\tStrictHostKeyChecking no\n\n" >> ~/.ssh/config' + - ssh-add -L + - ansible-playbook -i stage-digitalocean setup.yml --vault-password-file /tmp/vault-pass -t common -u gitlabci + - ansible-playbook -i stage-digitalocean external_monitoring.yml --vault-password-file /tmp/vault-pass -t common -u gitlabci + after_script: + - rm /tmp/vault-pass + only: + - main + except: + - schedules + +run-patchday-dev-digitalocean: + extends: .run-ansible + stage: run-patchday + before_script: + - echo "${ANSIBLE_VAULT_PASS_DEV}" > /tmp/vault-pass + script: + - 'command -v ssh-agent >/dev/null || ( apt-get update -y && apt-get install openssh-client -y )' + - eval $(ssh-agent -s) + - 'echo "$GITLAB_SSH_KEY" | tr -d "\r" | ssh-add -' + - mkdir -p ~/.ssh + - chmod 0700 ~/.ssh + - '[[ -f /.dockerenv ]] && echo -e "Host *\n\tStrictHostKeyChecking no\n\n" >> ~/.ssh/config' + - ssh-add -L + - ansible-playbook -i stage-digitalocean patchday.yml --vault-password-file=/tmp/vault-pass -u gitlabci + after_script: + - rm 
/tmp/vault-pass + timeout: 2h + rules: + - if: $CI_PIPELINE_SOURCE == "schedule" && $CI_COMMIT_BRANCH == "main" diff --git a/external_monitoring.yml b/external_monitoring.yml index 779fcb9..9d9555e 100644 --- a/external_monitoring.yml +++ b/external_monitoring.yml @@ -2,18 +2,26 @@ - name: 'apply setup to {{ host | default("all") }}' hosts: '{{ host | default("all") }}' serial: "{{ serial_number | default(5) }}" + become: yes tasks: - - set_fact: - promethues_endpoints_all_stages: + - name: "Set VARs" + set_fact: + prometheus_endpoints_all_stages: - "{{ lookup('community.general.dig', 'dev-prometheus-01.' + domain ) }}" - "{{ lookup('community.general.dig', 'qa-prometheus-01.' + domain ) }}" - "{{ lookup('community.general.dig', 'prodnso-prometheus-01.' + domain ) }}" + k8s_nodes_mobene: + - "{{ lookup('community.general.dig', 'prodwork01-kube-node-01.' + domain ) }}" + - "{{ lookup('community.general.dig', 'prodwork01-kube-node-02.' + domain ) }}" + - "{{ lookup('community.general.dig', 'prodwork01-kube-node-03.' + domain ) }}" - name: "Allow SSH in UFW" ufw: rule: limit port: 22 proto: tcp + src: "{{ item }}" + loop: "{{ ip_whitelist }}" - name: "Allow port 9100 for node-exporter in UFW" ufw: @@ -21,7 +29,7 @@ port: 9100 proto: tcp src: "{{ item }}" - loop: "{{ promethues_endpoints_all_stages }}" + loop: "{{ prometheus_endpoints_all_stages }}" - name: "Allow port 9115 for blackbox-exporter in UFW" ufw: @@ -29,7 +37,7 @@ port: 9115 proto: tcp src: "{{ item }}" - loop: "{{ promethues_endpoints_all_stages + ip_whitelist_admins}}" + loop: "{{ prometheus_endpoints_all_stages + ip_whitelist + ip_whitelist_admins + k8s_nodes_mobene }}" - name: "Set firewall default policy" ufw:
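Review bot: The new `external_monitoring.yml` invocation in `run-setup-digitalocean` passes `-t common`, but none of the play or task definitions visible in that playbook's hunks carry a `tags:` key, so `--tags common` would skip every task and the ufw rules this commit adds would never be applied by the pipeline. Drop the tag filter for that call, `- ansible-playbook -i stage-digitalocean external_monitoring.yml --vault-password-file /tmp/vault-pass -u gitlabci`, or tag the tasks (`tags: [common]`) if the filter is deliberate; the rest of that playbook lies outside the hunks, so check it for `always`/`common` tags before deciding. Both re-added jobs also append `StrictHostKeyChecking no` for every host, so the runner accepts any host key presented by the DigitalOcean targets; seeding `~/.ssh/known_hosts` from a CI variable holding the managed hosts' keys would keep host authentication while still running unattended. The ssh-agent and ssh-config lines are repeated verbatim in both jobs and could move into `.run-ansible` (defined outside the hunk) or a YAML anchor.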
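Review bot: The new `src: "{{ item }}"` / `loop: "{{ ip_whitelist }}"` on the "Allow SSH in UFW" task means an undefined or empty `ip_whitelist` produces no port-22 rule at all, and with the "Set firewall default policy" task that follows (its policy is outside the hunk, presumably deny incoming) that can lock every operator out of the host, including the `gitlabci` user the pipeline connects as. Guard it ahead of the ufw tasks with `- name: "Require a non-empty SSH whitelist"` / `assert:` / `that: ip_whitelist is defined and ip_whitelist | length > 0`, and confirm the runner's egress address is part of `ip_whitelist` (the same variable is also added to the port 9115 loop in the last hunk). `become: yes` should be written `become: true`; `yes` is a YAML 1.1 boolean that yamllint's truthy rule flags. The `community.general.dig` lookups behind the new `k8s_nodes_mobene` entries return the string `NXDOMAIN` rather than failing when a name does not resolve, so a mistyped node name would reach the ufw `src` field; if the installed collection supports the lookup's `fail_on_error` option, set it so the play aborts instead.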