From c10d556038a02c482bd591dbd23594fa221e0ff9 Mon Sep 17 00:00:00 2001 From: Sven Ketelsen Date: Wed, 7 Apr 2021 11:11:06 +0200 Subject: [PATCH] chore: setup docker-registry --- group_vars/all/plain.yml | 2 +- roles/_deploy/tasks/caddy_config.yml | 39 ---- roles/_deploy/tasks/configs.yml | 6 +- roles/_digitalocean/tasks/domain.yml | 3 - roles/docker-registry/defaults/main.yml | 137 ++++++++++++++ .../handlers/main.yml | 0 .../meta/main.yml | 0 roles/docker-registry/tasks/main.yml | 171 ++++++++++++++++++ .../vars/main.yml | 0 .../defaults/main.yml | 0 roles/node-exporter/handlers/main.yml | 1 + roles/node-exporter/meta/main.yml | 1 + .../tasks/main.yml | 0 roles/node-exporter/vars/main.yml | 1 + setup.yml | 4 +- smardigo.yml | 17 ++ stage-dev | 8 + templates/docker-registry/registry/config.yml | 12 ++ templates/docker-registry/registry/init | 7 + templates/docker-registry/secrets/.gitignore | 1 + 20 files changed, 362 insertions(+), 48 deletions(-) delete mode 100644 roles/_deploy/tasks/caddy_config.yml create mode 100644 roles/docker-registry/defaults/main.yml rename roles/{node_exporter => docker-registry}/handlers/main.yml (100%) rename roles/{node_exporter => docker-registry}/meta/main.yml (100%) create mode 100644 roles/docker-registry/tasks/main.yml rename roles/{node_exporter => docker-registry}/vars/main.yml (100%) rename roles/{node_exporter => node-exporter}/defaults/main.yml (100%) create mode 100644 roles/node-exporter/handlers/main.yml create mode 100644 roles/node-exporter/meta/main.yml rename roles/{node_exporter => node-exporter}/tasks/main.yml (100%) create mode 100644 roles/node-exporter/vars/main.yml create mode 100644 smardigo.yml create mode 100644 templates/docker-registry/registry/config.yml create mode 100644 templates/docker-registry/registry/init create mode 100644 templates/docker-registry/secrets/.gitignore diff --git a/group_vars/all/plain.yml b/group_vars/all/plain.yml index cdaeca6..f5b5312 100644 --- a/group_vars/all/plain.yml 
+++ b/group_vars/all/plain.yml @@ -1,6 +1,6 @@ --- -send_status_messages: true +send_status_messages: false domain: smardigo.digital diff --git a/roles/_deploy/tasks/caddy_config.yml b/roles/_deploy/tasks/caddy_config.yml deleted file mode 100644 index 59bc5ba..0000000 --- a/roles/_deploy/tasks/caddy_config.yml +++ /dev/null @@ -1,39 +0,0 @@ ---- - -- name: 'Insert/Update caddy configuration in {{ caddy_config_file_path_full }}' - blockinfile: - marker: '# {mark} managed by ansible (reverse proxy config for {{ current_service }})' - path: '{{ caddy_config_file_path_full }}' - state: "{{ 'present' if reverse_proxy == 'caddy' else 'absent' }}" - create: yes - block: | - {% for service in current_services %} - {{ http_s }}://{{ service.external }} { - proxy / {{ service.internal }} { - transparent - } - tls {{ caddy_tls }} - {% if service.basicauth is defined %} - basicauth {{ service.basicauth }} - {% endif %} - } - {% endfor %} - tags: - - update_deployment - -- name: "Stop caddy" - shell: docker-compose down - args: - chdir: '{{ service_base_path }}/caddy' - ignore_errors: yes - when: reverse_proxy == 'caddy' - tags: - - update_deployment - -- name: "Start caddy" - shell: docker-compose up -d - args: - chdir: '{{ service_base_path }}/caddy' - when: reverse_proxy == 'caddy' - tags: - - update_deployment diff --git a/roles/_deploy/tasks/configs.yml b/roles/_deploy/tasks/configs.yml index 0b4f022..1c91f57 100644 --- a/roles/_deploy/tasks/configs.yml +++ b/roles/_deploy/tasks/configs.yml @@ -20,7 +20,7 @@ tags: - update_config -- name: Ensure docker files are populated from templates +- name: Ensure docker files are populated from templates/_docker template: src: "{{ item.src }}" dest: "{{ current_base_path }}/{{ current_destination }}/{{ item.path | regex_replace('\\.j2$', '') }}" 
@@ -33,7 +33,7 @@ - update_deployment - update_config -- name: Ensure config template files are populated from templates +- name: Ensure config template files are populated from templates/{{ current_config }} template: src: "{{ item.src }}" dest: "{{ current_base_path }}/{{ current_destination }}/{{ item.path | regex_replace('\\.j2$', '') }}" @@ -45,7 +45,7 @@ tags: - update_config -- name: Ensure config files are populated from templates +- name: Ensure config files are populated from from templates/{{ current_config }} copy: src: "{{ item.src }}" dest: "{{ current_base_path }}/{{ current_destination }}/{{ item.path }}" diff --git a/roles/_digitalocean/tasks/domain.yml b/roles/_digitalocean/tasks/domain.yml index 75d7ba0..28ee469 100644 --- a/roles/_digitalocean/tasks/domain.yml +++ b/roles/_digitalocean/tasks/domain.yml @@ -8,7 +8,6 @@ authorization: Bearer {{ digitalocean_authentication_token }} return_content: yes register: domain_records_response - delegate_to: 127.0.0.1 - name: Save DNS entry as variable (fact) set_fact: @@ -35,7 +34,6 @@ when: domain_record.ip != '-' and record_data != domain_record.ip - delegate_to: 127.0.0.1 - name: Create DNS entry for <{{ record_name }}> if necessary uri: @@ -57,4 +55,3 @@ domain_record.ip == '-' or record_data != domain_record.ip or record_name != domain_record.name - delegate_to: 127.0.0.1 \ No newline at end of file diff --git a/roles/docker-registry/defaults/main.yml b/roles/docker-registry/defaults/main.yml new file mode 100644 index 0000000..f18f0f2 --- /dev/null +++ b/roles/docker-registry/defaults/main.yml 
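Review bot: The renamed task in the third hunk carries a doubled word, `Ensure config files are populated from from templates/{{ current_config }}`, which will show up verbatim in every play log. Change it to `- name: Ensure config files are populated from templates/{{ current_config }}` so it matches the wording of the two sibling tasks renamed in the same commit. The `copy:` body of this task continues outside the hunk.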
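Review bot: Dropping `delegate_to: 127.0.0.1` from the three `uri` tasks moves the DigitalOcean API calls, including the `authorization: Bearer {{ digitalocean_authentication_token }}` header, from the controller onto the managed host, so the token is now sent to and used from every server this role touches. If the removal was made because the delegated task inherited `become: yes` from the play, the safer fix is what the Hetzner tasks in this same commit do: keep `delegate_to: 127.0.0.1` and add `become: false` to each task. As written, a compromised registry host can read the DNS API token out of the task's environment or ansible temp files; whether that is acceptable depends on the token's scope, which is not visible here. The full `uri` bodies start before the hunks.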
@@ -0,0 +1,137 @@ +--- + +docker_registry_id: "{{ service_name }}-registry" + +docker_registry_image_name: "library/registry" +docker_registry_image_version: "2.7" + + + +docker_portus_secret_key_base: docker-portus-secret-key-base +docker_portus_password: docker-portus-admin + + +docker_postgres_portus_image_name: "postgres" +docker_postgres_portus_image_version: "12" + +docker_portus_postgres_database: docker-portus-postgres +docker_portus_postgres_username: docker-portus-postgres-admin +docker_portus_postgres_password: docker-portus-postgres-admin + +docker_registry_docker: { + networks: [ + { + name: front-tier, + external: true, + }, + { + name: back-tier, + external: true, + }, + ], + volumes: [ + { + name: "{{ service_name }}-registry-data", + }, + { + name: "{{ service_name }}-postgres-portus-data" + } + ], + services: [ + { + name: "{{ service_name }}-portus", + image_name: "opensuse/portus", + image_version: "2.4", + environment: [ + "PORTUS_MACHINE_FQDN_VALUE: \"{{ stage_server_url_host }}\"", + "PORTUS_DB_HOST: \"{{ service_name }}-postgres-portus\"", + "PORTUS_DB_DATABASE: \"{{ docker_portus_postgres_database }}\"", + "PORTUS_DB_USERNAME: \"{{ docker_portus_postgres_username }}\"", + "PORTUS_DB_PASSWORD: \"{{ docker_portus_postgres_password }}\"", + "PORTUS_DB_POOL: \"5\"", + "PORTUS_SECRET_KEY_BASE: \"{{ docker_portus_secret_key_base }}\"", + "PORTUS_KEY_PATH: \"/certificates/portus.key\"", + "PORTUS_PASSWORD: \"{{ docker_portus_password }}\"", + "PORTUS_PUMA_TLS_KEY: \"/certificates/portus.key\"", + "PORTUS_PUMA_TLS_CERT: \"/certificates/portus.crt\"", + "RAILS_SERVE_STATIC_FILES: \"true\"", + ], + volumes: [ + '"{{ service_name }}-postgres-portus-data:/var/lib/postgresql/data"', + ], + networks: [ + '"front-tier"', + '"back-tier"', + ] + }, + { + name: "{{ service_name }}-portus-background", + image_name: "opensuse/portus", + image_version: "2.4", + environment: [ + "CCONFIG_PREFIX: \"PORTUS\"", + "PORTUS_MACHINE_FQDN_VALUE: \"{{ 
stage_server_url_host }}\"", + "PORTUS_DB_HOST: \"{{ service_name }}-postgres-portus\"", + "PORTUS_DB_DATABASE: \"{{ docker_portus_postgres_database }}\"", + "PORTUS_DB_USERNAME: \"{{ docker_portus_postgres_username }}\"", + "PORTUS_DB_PASSWORD: \"{{ docker_portus_postgres_password }}\"", + "PORTUS_DB_POOL: \"5\"", + "PORTUS_SECRET_KEY_BASE: \"{{ docker_portus_secret_key_base }}\"", + "PORTUS_KEY_PATH: \"/certificates/portus.key\"", + "PORTUS_PASSWORD: \"{{ docker_portus_password }}\"", + "PORTUS_BACKGROUND: \"true\"", + ], + volumes: [ + '"./secrets:/certificates:ro"', + ], + networks: [ + '"back-tier"', + ] + }, + { + name: "{{ service_name }}-postgres-portus", + image_name: "{{ docker_postgres_portus_image_name }}", + image_version: "{{ docker_postgres_portus_image_version }}", + environment: [ + 'POSTGRES_DB: "{{ docker_portus_postgres_database }}"', + 'POSTGRES_USER: "{{ docker_portus_postgres_username }}"', + 'POSTGRES_PASSWORD: "{{ docker_portus_postgres_password }}"', + ], + volumes: [ + '"{{ service_name }}-postgres-portus-data:/var/lib/postgresql/data"', + ], + networks: [ + '"back-tier"', + ], + ports: "{{ docker_registry_postgres_ports | default([]) }}", + }, + { + name: "{{ service_name }}-registry", + image_name: "{{ docker_registry_image_name }}", + image_version: "{{ docker_registry_image_version }}", + command: [ + '"/bin/sh"', + '"/etc/docker/registry/init"', + ], + environment: [ + "REGISTRY_HTTP_SECRET: \"3a025df1-c7df-4c63-9ec4-103ffe3bde42\"", + "REGISTRY_AUTH_TOKEN_REALM: \"{{ stage_server_url }}/v2/token\"", + "REGISTRY_AUTH_TOKEN_SERVICE: \"{{ stage_server_url_host }}\"", + "REGISTRY_AUTH_TOKEN_ISSUER: \"{{ stage_server_url_host }}\"", + "REGISTRY_AUTH_TOKEN_ROOTCERTBUNDLE: \"/secrets/portus.crt\"", + "REGISTRY_HTTP_TLS_CERTIFICATE: \"/secrets/portus.crt\"", + "REGISTRY_HTTP_TLS_KEY: \"/secrets/portus.key\"", + ], + volumes: [ + '"{{ service_name }}-registry-data:/var/lib/registry"', + '"./secrets:/secrets:ro"', + 
'"./registry/init:/etc/docker/registry/init:ro"', + '"./registry/config.yml:/etc/docker/registry/config.yml:ro"', + ], + networks: [ + '"front-tier"' + ], + ports: "{{ docker_registry_ports | default([]) }}", + } + ] +} diff --git a/roles/node_exporter/handlers/main.yml b/roles/docker-registry/handlers/main.yml similarity index 100% rename from roles/node_exporter/handlers/main.yml rename to roles/docker-registry/handlers/main.yml diff --git a/roles/node_exporter/meta/main.yml b/roles/docker-registry/meta/main.yml similarity index 100% rename from roles/node_exporter/meta/main.yml rename to roles/docker-registry/meta/main.yml diff --git a/roles/docker-registry/tasks/main.yml b/roles/docker-registry/tasks/main.yml new file mode 100644 index 0000000..d44ea52 --- /dev/null +++ b/roles/docker-registry/tasks/main.yml 
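Review bot: The `{{ service_name }}-portus` service sets `PORTUS_KEY_PATH`, `PORTUS_PUMA_TLS_KEY` and `PORTUS_PUMA_TLS_CERT` under `/certificates/`, but its only volume is the Postgres data volume (`{{ service_name }}-postgres-portus-data:/var/lib/postgresql/data`), which looks copy-pasted from the database service; the certificate mount that `-portus-background` has is missing, so Portus cannot find its key, and the database files are needlessly exposed inside the Portus container. Replace that entry with `'"./secrets:/certificates:ro"',`. Separately, the role ships live-looking secrets as defaults (`docker_portus_secret_key_base`, `docker_portus_password`, `docker_portus_postgres_password`, and the literal `REGISTRY_HTTP_SECRET` UUID); a deployment that forgets to override them runs with credentials committed to git, so these should reference vault variables (e.g. `docker_portus_password: "{{ vault_docker_portus_password }}"`) and `REGISTRY_HTTP_SECRET` should be a variable rather than an inline constant.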
@@ -0,0 +1,171 @@ +--- + +### tags: +### update_deployment + +- name: "Send mattermost message" + uri: + url: "{{ mattermost_hook_smardigo }}" + method: POST + body: "{{ lookup('template','mattermost-deploy-start.json.j2') }}" + body_format: json + headers: + Content-Type: "application/json" + delegate_to: 127.0.0.1 + become: false + when: + - send_status_messages + +- name: Gather current server infos + hcloud_server_info: + api_token: "{{ hetzner_authentication_token }}" + register: hetzner_server_infos + delegate_to: 127.0.0.1 + become: false + +- name: Save current server infos as variable (fact) + set_fact: + hetzner_server_infos_json: "{{ hetzner_server_infos.hcloud_server_info }}" + delegate_to: 127.0.0.1 + become: false + +- name: Read ip for {{ inventory_hostname }} + set_fact: + stage_server_ip: "{{ item.ipv4_address }}" + when: item.name == inventory_hostname + with_items: "{{ hetzner_server_infos_json }}" + delegate_to: 127.0.0.1 + become: false + +- name: "Setup DNS configuration for {{ service_name }}" + include_role: + name: _digitalocean + tasks_from: domain + vars: + record_data: "{{ stage_server_ip }}" + record_name: "{{ service_name }}" + +- name: "Setup public DNS configuration for {{ service_name }}" + include_role: + name: _digitalocean + tasks_from: domain + vars: + record_data: "{{ item.ip }}" + record_name: "{{ item.name }}" + loop: "{{ docker_registry_public_dns_entries }}" + when: docker_registry_public_dns_entries is defined + +- name: "Check docker networks" + include_role: + name: _docker + tasks_from: networks + +- name: "Check if {{ service_name }}/docker-compose.yml exists" + stat: + path: '{{ service_base_path }}/{{ service_name }}/docker-compose.yml' + register: check_docker_compose_file + tags: + - update_deployment + +- name: "Stop {{ service_name }}" + shell: docker-compose down + args: + chdir: '{{ service_base_path }}/{{ service_name }}' + when: check_docker_compose_file.stat.exists + ignore_errors: yes + tags: + - 
update_deployment + +- name: "Deploy service configuration for {{ service_name }}" + include_role: + name: _deploy + tasks_from: configs + vars: + current_config: "docker-registry" + current_base_path: "{{ service_base_path }}" + current_destination: "{{ service_name }}" + current_owner: "{{ docker_owner }}" + current_group: "{{ docker_group }}" + current_docker: "{{ docker_registry_docker }}" + +- name: "Update {{ service_name }}" + shell: docker-compose pull + args: + chdir: '{{ service_base_path }}/{{ service_name }}' + tags: + - update_deployment + +- name: "Start {{ service_name }}" + shell: docker-compose up -d + args: + chdir: '{{ service_base_path }}/{{ service_name }}' + tags: + - update_deployment + +- name: "Update landing page entries for {{ service_name }}" + include_role: + name: _deploy + tasks_from: caddy_landing_page + vars: + current_services: [ + { + current_name: "{{ service_name }}", + current_url: "{{ http_s }}://{{ service_url }}", + current_version: "{{ docker_registry_image_version }}", + current_date: "{{ ansible_date_time.iso8601 }}", + management: "{{ http_s }}://{{ service_url }}:{{ monitor_port_service }}/management", + }, + ] + tags: + - update_deployment + +- name: "Update landing page with public entries {{ service_name }}" + include_role: + name: _deploy + tasks_from: caddy_landing_page + vars: + current_services: [ + { + current_name: "{{ item.name }}", + current_url: "{{ http_s }}://{{ item.name }}.{{ domain }}", + current_version: "{{ docker_registry_image_version }}", + current_date: "{{ ansible_date_time.iso8601 }}", + management: "{{ http_s }}://{{ service_url }}:{{ monitor_port_service }}/management", + }, + ] + loop: "{{ docker_registry_public_dns_entries }}" + when: docker_registry_public_dns_entries is defined + tags: + - update_deployment + +- name: "Update landing page with extra entries for {{ service_name }}" + include_role: + name: _deploy + tasks_from: caddy_landing_page + vars: + current_services: [ + { + 
current_name: "{{ item.name }}", + current_url: "{{ item.domain }}", + current_version: "{{ docker_registry_image_version }}", + current_date: "{{ ansible_date_time.iso8601 }}", + management: "{{ http_s }}://{{ service_url }}:{{ monitor_port_service }}/management", + }, + ] + loop: "{{ docker_registry_extra_domain_entries }}" + when: docker_registry_extra_domain_entries is defined + tags: + - update_deployment + +- name: "Send mattermost messsge" + uri: + url: "{{ mattermost_hook_smardigo }}" + method: POST + body: "{{ lookup('template','mattermost-deploy-end.json.j2') }}" + body_format: json + headers: + Content-Type: "application/json" + delegate_to: 127.0.0.1 + become: false + when: + - send_status_messages diff --git a/roles/node_exporter/vars/main.yml b/roles/docker-registry/vars/main.yml similarity index 100% rename from roles/node_exporter/vars/main.yml rename to roles/docker-registry/vars/main.yml diff --git a/roles/node_exporter/defaults/main.yml b/roles/node-exporter/defaults/main.yml similarity index 100% rename from roles/node_exporter/defaults/main.yml rename to roles/node-exporter/defaults/main.yml diff --git a/roles/node-exporter/handlers/main.yml b/roles/node-exporter/handlers/main.yml new file mode 100644 index 0000000..ed97d53 --- /dev/null +++ b/roles/node-exporter/handlers/main.yml @@ -0,0 +1 @@ +--- diff --git a/roles/node-exporter/meta/main.yml b/roles/node-exporter/meta/main.yml new file mode 100644 index 0000000..ed97d53 --- /dev/null +++ b/roles/node-exporter/meta/main.yml @@ -0,0 +1 @@ +--- diff --git a/roles/node_exporter/tasks/main.yml b/roles/node-exporter/tasks/main.yml similarity index 100% rename from roles/node_exporter/tasks/main.yml rename to roles/node-exporter/tasks/main.yml diff --git a/roles/node-exporter/vars/main.yml b/roles/node-exporter/vars/main.yml new file mode 100644 index 0000000..ed97d53 --- /dev/null +++ b/roles/node-exporter/vars/main.yml @@ -0,0 +1 @@ +--- 
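Review bot: Nothing between "Deploy service configuration" and "Start {{ service_name }}" verifies that `portus.crt` and `portus.key` actually exist, yet `templates/docker-registry/secrets/.gitignore` excludes them, so a fresh checkout deploys a registry whose `REGISTRY_HTTP_TLS_*`, `REGISTRY_AUTH_TOKEN_ROOTCERTBUNDLE` and Portus TLS paths all point at missing files and `docker-compose up -d` reports success for a broken stack. A controller-side pre-check before the deploy task would fail early with a clear message; the path below assumes the copy task resolves `templates/` relative to `playbook_dir`, which is not visible in this hunk. Note also that `docker-compose pull` fetches mutable tags (`2.7`, `2.4`, `12`), so consecutive runs can pull different images; pinning by digest in the defaults would make the deployment reproducible.
```yaml
- name: "Check that the Portus TLS key pair is present on the controller"
  stat:
    path: "{{ playbook_dir }}/templates/docker-registry/secrets/{{ item }}"
  register: portus_tls_files
  loop:
    - portus.crt
    - portus.key
  delegate_to: 127.0.0.1
  become: false

- name: "Refuse to deploy {{ service_name }} without the Portus TLS key pair"
  assert:
    that: portus_tls_files.results | rejectattr('stat.exists') | list | length == 0
    msg: "templates/docker-registry/secrets/portus.crt and portus.key are required (they are gitignored)"
# … unchanged: deploy service configuration, pull, up -d, landing page tasks …
```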
diff --git a/setup.yml b/setup.yml index 99ba43f..d35cb70 100644 --- a/setup.yml +++ b/setup.yml @@ -40,10 +40,10 @@ tags: - common - - role: node_exporter + - role: node-exporter when: node_exporter_enabled | default(True) tags: - - node_exporter + - node-exporter - role: traefik when: traefik_enabled | default(True) diff --git a/smardigo.yml b/smardigo.yml new file mode 100644 index 0000000..37e3af9 --- /dev/null +++ b/smardigo.yml @@ -0,0 +1,17 @@ +--- +- name: 'apply setup to {{ host | default("all") }}' + hosts: '{{ host | default("all") }}' + serial: "{{ serial_number|default(1) }}" + become: yes + + pre_tasks: + - name: "Check if ansible version is at least 2.10.x" + assert: + that: + - ansible_version.major >= 2 + - ansible_version.minor >= 10 + msg: "The ansible version has to be at least ({{ ansible_version.full }})" + + roles: + - role: docker-registry + when: "'docker_registry' in group_names" diff --git a/stage-dev b/stage-dev index 80b4429..c3aef02 100644 --- a/stage-dev +++ b/stage-dev @@ -1,12 +1,20 @@ [hcloud] +dev-docker-registry-01 dev-elastic-stack-01 dev-elastic-stack-02 dev-elastic-stack-03 +dev-prometheus-01 + +[docker_registry] dev-docker-registry-01 + +[prometheus] dev-prometheus-01 [stage_dev:children] hcloud +docker_registry +prometheus [all:children] stage_dev diff --git a/templates/docker-registry/registry/config.yml b/templates/docker-registry/registry/config.yml new file mode 100644 index 0000000..f840f3d --- /dev/null +++ b/templates/docker-registry/registry/config.yml @@ -0,0 +1,12 @@ +version: 0.1 + +storage: + filesystem: + rootdirectory: /var/lib/registry + delete: + enabled: true + +http: + addr: 0.0.0.0:5000 + debug: + addr: 0.0.0.0:5001 diff --git a/templates/docker-registry/registry/init b/templates/docker-registry/registry/init new file mode 100644 index 0000000..ef43eba --- /dev/null +++ b/templates/docker-registry/registry/init 
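Review bot: The version guard in `smardigo.yml` is wrong on two counts: `ansible_version.major >= 2` together with `ansible_version.minor >= 10` rejects every 3.x/4.x release (minor is 0 there), and the message prints the running version instead of the required one. Use the version test instead: `- ansible_version.full is version('2.10', '>=')` with `msg: "Ansible >= 2.10 is required, found {{ ansible_version.full }}"`.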
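Review bot: `debug: addr: 0.0.0.0:5001` in `templates/docker-registry/registry/config.yml` starts the registry's unauthenticated debug listener (pprof, and metrics if enabled) on every container interface, and nothing documents that it must stay unpublished. Today the service only joins `front-tier` and `ports` defaults to `[]`, so it is reachable from that network alone, but a future `"5001:5001"` entry in `docker_registry_ports` would expose it publicly. Add a comment above the key, e.g. `# unauthenticated pprof/metrics listener: never publish 5001 via docker_registry_ports`, or bind it to `127.0.0.1:5001` if nothing on front-tier needs to scrape it.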
@@ -0,0 +1,7 @@ +#!/bin/sh + +set -x + +cp /secrets/portus.crt /usr/local/share/ca-certificates +update-ca-certificates +registry serve /etc/docker/registry/config.yml \ No newline at end of file diff --git a/templates/docker-registry/secrets/.gitignore b/templates/docker-registry/secrets/.gitignore new file mode 100644 index 0000000..612227a --- /dev/null +++ b/templates/docker-registry/secrets/.gitignore @@ -0,0 +1 @@ +portus.* \ No newline at end of file
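Review bot: The init script uses `set -x` but not `set -e`, so if `/secrets/portus.crt` is missing or `update-ca-certificates` fails the script still runs `registry serve`, and the registry then either starts without trusting the Portus certificate or fails later with a less obvious TLS error. Change the option line to `set -eux` so a missing certificate aborts the container start with the failing command in the log. The file also lacks a trailing newline.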