itential · steven-schattenberg-itential · Sep 5, 2025 · Aug 28, 2025 · Sep 3, 2025 · Sep 3, 2025
diff --git a/playbooks/client.yml → playbooks/clients.yml b/playbooks/client.yml → playbooks/clients.yml
@@ -2,8 +2,10 @@
 # GNU General Public License v3.0+ (see LICENSE or https://www.gnu.org/licenses/gpl-3.0.txt)
 ---
 - name: Install and configure IAG5 clients
-  hosts: iag5_client
+  hosts: iag5_clients
   become: true
   roles:
     # Perform a base installation of IAG5 client
-    - role: itential.iag5.client
+    - role: itential.iag5.gateway_client
+      vars:
+        gateway_application_mode: client
diff --git a/playbooks/runners.yml b/playbooks/runners.yml
@@ -0,0 +1,11 @@
+# Copyright (c) 2025, Itential, Inc
+# GNU General Public License v3.0+ (see LICENSE or https://www.gnu.org/licenses/gpl-3.0.txt)
+---
+- name: Install and configure IAG5 runners
+  hosts: iag5_runners
+  become: true
+  roles:
+    # Perform a base installation of IAG5 runner
+    - role: itential.iag5.gateway
+      vars:
+        gateway_application_mode: runner
diff --git a/playbooks/server.yml → playbooks/servers.yml b/playbooks/server.yml → playbooks/servers.yml
@@ -2,8 +2,10 @@
 # GNU General Public License v3.0+ (see LICENSE or https://www.gnu.org/licenses/gpl-3.0.txt)
 ---
 - name: Install and configure IAG5 servers
-  hosts: iag5_server
+  hosts: iag5_servers
   become: true
   roles:
     # Perform a base installation of IAG5 server
-    - role: itential.iag5.server
+    - role: itential.iag5.gateway
+      vars:
+        gateway_application_mode: server
diff --git a/playbooks/site.yml b/playbooks/site.yml
@@ -4,5 +4,8 @@
 - name: Install and configure Gateway5 servers
   import_playbook: itential.iag5.servers
 
+- name: Install and configure Gateway5 runners
+  import_playbook: itential.iag5.runners
+
 - name: Install and configure Gateway5 clients
   import_playbook: itential.iag5.clients
diff --git a/requirements.yml b/requirements.yml
@@ -0,0 +1 @@
+collections: []
diff --git a/roles/client/defaults/main.yml b/roles/client/defaults/main.yml
diff --git a/roles/client/tasks/upload_certs.yml b/roles/client/tasks/upload_certs.yml
diff --git a/roles/client/templates/gateway.conf.j2 b/roles/client/templates/gateway.conf.j2
diff --git a/roles/gateway/defaults/main/application.yml b/roles/gateway/defaults/main/application.yml
@@ -0,0 +1,7 @@
+# Copyright (c) 2025, Itential, Inc
+# GNU General Public License v3.0+ (see LICENSE or https://www.gnu.org/licenses/gpl-3.0.txt)
+---
+# application variables
+gateway_application_cluster_id: cluster_1
+gateway_application_ca_certificate_file: "{{ gateway_cert_dir }}/ca.pem"
+gateway_application_working_dir: "{{ gateway_data_dir }}"
diff --git a/roles/gateway/defaults/main/connect.yml b/roles/gateway/defaults/main/connect.yml
@@ -0,0 +1,10 @@
+# Copyright (c) 2025, Itential, Inc
+# GNU General Public License v3.0+ (see LICENSE or https://www.gnu.org/licenses/gpl-3.0.txt)
+---
+# connect variables
+gateway_connect_enabled: true
+gateway_connect_certificate_file: "{{ gateway_cert_dir }}/gw-manager.pem"
+gateway_connect_private_key_file: "{{ gateway_cert_dir }}/gw-manager-key.pem"
+gateway_connect_insecure_tls: false
+gateway_connect_server_ha_enabled: false
+gateway_connect_server_ha_is_primary: false
diff --git a/roles/gateway/defaults/main/features.yml b/roles/gateway/defaults/main/features.yml
@@ -0,0 +1,8 @@
+# Copyright (c) 2025, Itential, Inc
+# GNU General Public License v3.0+ (see LICENSE or https://www.gnu.org/licenses/gpl-3.0.txt)
+---
+# features variables
+gateway_features_ansible_enabled: true
+gateway_features_hostkeys_enabled: true
+gateway_features_opentofu_enabled: true
+gateway_features_python_enabled: true
diff --git a/roles/gateway/defaults/main/install.yml b/roles/gateway/defaults/main/install.yml
@@ -0,0 +1,30 @@
+# Copyright (c) 2025, Itential, Inc
+# GNU General Public License v3.0+ (see LICENSE or https://www.gnu.org/licenses/gpl-3.0.txt)
+---
+# server user/group
+gateway_user: itential
+gateway_group: itential
+
+gateway_config_dir: /etc/gateway
+gateway_cert_dir: /etc/ssl/gateway
+
+gateway_upload_certs: false
+gateway_use_selfsigned_certs: false
+# TODO: Document these in the README
+# gateway_application_local_ca_certificate_file: ./itential_certs/server.csr
+# gateway_connect_local_certificate_file: ./itential_certs/server.crt
+# gateway_connect_local_private_key_file: ./itential_certs/server.key
+# gateway_server_certificate_file: ./itential_certs/server.crt
+# gateway_server_local_private_key_file: ./itential_certs/server.key
+
+# python installation
+gateway_python_packages:
+  - python3.12
+  - python3.12-pip
+gateway_python_executable: /usr/bin/python3.12
+gateway_pip_executable: /usr/bin/pip3.12
+gateway_local_bin_dir: "/home/{{ gateway_user }}/.local/bin"
+
+# opentofu installation
+gateway_opentofu_packages:
+  - tofu
diff --git a/roles/gateway/defaults/main/log.yml b/roles/gateway/defaults/main/log.yml
@@ -0,0 +1,10 @@
+# Copyright (c) 2025, Itential, Inc
+# GNU General Public License v3.0+ (see LICENSE or https://www.gnu.org/licenses/gpl-3.0.txt)
+---
+# log variables
+gateway_log_console_json: false
+gateway_log_file_enabled: true
+gateway_log_file_json: false
+gateway_log_level: INFO
+gateway_log_server_dir: /var/log/gateway
+gateway_log_timestamp_timezone: utc
diff --git a/roles/gateway/defaults/main/registry.yml b/roles/gateway/defaults/main/registry.yml
@@ -0,0 +1,5 @@
+# Copyright (c) 2025, Itential, Inc
+# GNU General Public License v3.0+ (see LICENSE or https://www.gnu.org/licenses/gpl-3.0.txt)
+---
+# registry variables
+gateway_registry_default_overridable: true
diff --git a/roles/gateway/defaults/main/runner.yml b/roles/gateway/defaults/main/runner.yml
@@ -0,0 +1,11 @@
+# Copyright (c) 2025, Itential, Inc
+# GNU General Public License v3.0+ (see LICENSE or https://www.gnu.org/licenses/gpl-3.0.txt)
+---
+# runner variables
+gateway_runner_listen_address: "{{ gateway_listen_address }}"
+gateway_runner_port: "{{ gateway_port }}"
+gateway_runner_announcement_address:
+gateway_runner_runtime_data_dir: "{{ gateway_data_dir }}"
+gateway_runner_use_tls: "{{ gateway_use_tls }}"
+gateway_runner_certificate_file: "{{ gateway_cert_dir }}/server.pem"
+gateway_runner_private_key_file: "{{ gateway_cert_dir }}/server-key.pem"
diff --git a/roles/gateway/defaults/main/secrets.yml b/roles/gateway/defaults/main/secrets.yml
@@ -0,0 +1,6 @@
+# Copyright (c) 2025, Itential, Inc
+# GNU General Public License v3.0+ (see LICENSE or https://www.gnu.org/licenses/gpl-3.0.txt)
+---
+# secrets variables
+gateway_secrets_encrypt_key_dir: "{{ gateway_data_dir }}/keys"
+gateway_secrets_encrypt_key_file: "{{ gateway_secrets_encrypt_key_dir }}/encryption-key"
diff --git a/roles/gateway/defaults/main/server.yml b/roles/gateway/defaults/main/server.yml
@@ -0,0 +1,14 @@
+# Copyright (c) 2025, Itential, Inc
+# GNU General Public License v3.0+ (see LICENSE or https://www.gnu.org/licenses/gpl-3.0.txt)
+---
+# server variables
+# TODO: Discuss with gateway team. The docs specify 127.0.0.1. But the client cannot connect
+#       unless server is listening on all interfaces, not just localhost.
+gateway_server_listen_address: "{{ gateway_listen_address }}"
+gateway_server_port: "{{ gateway_port }}"
+gateway_server_runtime_data_dir: "{{ gateway_data_dir }}"
+gateway_server_distributed_execution: false
+gateway_server_api_key_expiration: 1440
+gateway_server_use_tls: "{{ gateway_use_tls }}"
+gateway_server_certificate_file: "{{ gateway_cert_dir }}/server.pem"
+gateway_server_private_key_file: "{{ gateway_cert_dir }}/server-key.pem"
diff --git a/roles/gateway/defaults/main/server_runner_common.yml b/roles/gateway/defaults/main/server_runner_common.yml
@@ -0,0 +1,8 @@
+# Copyright (c) 2025, Itential, Inc
+# GNU General Public License v3.0+ (see LICENSE or https://www.gnu.org/licenses/gpl-3.0.txt)
+---
+gateway_data_dir: /var/lib/gateway
+gateway_listen_address: 0.0.0.0
+gateway_port: 50051
+gateway_use_tls: true
+gateway_requirements_file: requirements.txt
diff --git a/roles/gateway/defaults/main/store.yml b/roles/gateway/defaults/main/store.yml
@@ -0,0 +1,16 @@
+# Copyright (c) 2025, Itential, Inc
+# GNU General Public License v3.0+ (see LICENSE or https://www.gnu.org/licenses/gpl-3.0.txt)
+---
+# store variables
+gateway_store_backend: local
+gateway_store_etcd_ca_certificate_file:
+gateway_store_etcd_certificate_file:
+gateway_store_etcd_client_cert_auth: false
+gateway_store_etcd_hosts: localhost:2379
+gateway_store_etcd_private_key_file:
+gateway_store_etcd_use_tls: true
+gateway_store_dynamodb_table_name: itential.gateway5.store
+gateway_store_dynamodb_aws_access_key_id:
+gateway_store_dynamodb_aws_secret_access_key:
+gateway_store_dynamodb_aws_session_token:
+gateway_store_dynamodb_aws_region:
diff --git a/roles/gateway/defaults/main/terminal.yml b/roles/gateway/defaults/main/terminal.yml
@@ -0,0 +1,6 @@
+# Copyright (c) 2025, Itential, Inc
+# GNU General Public License v3.0+ (see LICENSE or https://www.gnu.org/licenses/gpl-3.0.txt)
+---
+# terminal variables
+gateway_terminal_no_color: false
+gateway_terminal_timestamp_timezone: utc
diff --git a/roles/server/files/opentofu.repo → roles/gateway/files/opentofu.repo b/roles/server/files/opentofu.repo → roles/gateway/files/opentofu.repo
diff --git a/roles/server/handlers/main.yml → roles/gateway/handlers/main.yml b/roles/server/handlers/main.yml → roles/gateway/handlers/main.yml
@@ -2,12 +2,13 @@
 # GNU General Public License v3.0+ (see LICENSE or https://www.gnu.org/licenses/gpl-3.0.txt)
 ---
 - name: Enable and start Gateway
-  ansible.builtin.service:
+  ansible.builtin.systemd:
     name: iagctl
     enabled: true
     state: restarted
+    daemon_reload: true
   register: iagctl_service_result
   until: iagctl_service_result.status.ActiveState == "active"
-  retries: 3
-  delay: 15
+  retries: 4
+  delay: 5
   failed_when: iagctl_service_result.status.ActiveState != "active"
diff --git a/roles/gateway/tasks/configure_firewalld.yml b/roles/gateway/tasks/configure_firewalld.yml
@@ -0,0 +1,31 @@
+# Copyright (c) 2025, Itential, Inc
+# GNU General Public License v3.0+ (see LICENSE or https://www.gnu.org/licenses/gpl-3.0.txt)
+---
+- name: Gather service facts
+  ansible.builtin.service_facts:
+
+- name: Open Gateway server port on FirewallD Public Zone
+  ansible.posix.firewalld:
+    port: "{{ gateway_server_port }}/tcp"
+    permanent: true
+    state: enabled
+    zone: public
+    immediate: true
+  when:
+    - gateway_application_mode == 'server'
+    - ansible_facts.services["firewalld.service"] is defined
+    - ansible_facts.services["firewalld.service"].state == "running"
+    - ansible_facts.services["firewalld.service"].status == "enabled"
+
+- name: Open Gateway runner port on FirewallD Public Zone
+  ansible.posix.firewalld:
+    port: "{{ gateway_runner_port }}/tcp"
+    permanent: true
+    state: enabled
+    zone: public
+    immediate: true
+  when:
+    - gateway_application_mode == 'runner'
+    - ansible_facts.services["firewalld.service"] is defined
+    - ansible_facts.services["firewalld.service"].state == "running"
+    - ansible_facts.services["firewalld.service"].status == "enabled"
diff --git a/roles/gateway/tasks/configure_gateway.yml b/roles/gateway/tasks/configure_gateway.yml
@@ -0,0 +1,40 @@
+# Copyright (c) 2025, Itential, Inc
+# GNU General Public License v3.0+ (see LICENSE or https://www.gnu.org/licenses/gpl-3.0.txt)
+---
+- name: Create the gateway server configuration file
+  ansible.builtin.template:
+    src: "server.conf.j2"
+    dest: "{{ gateway_config_dir }}/gateway.conf"
+    mode: "0600"
+    owner: "{{ gateway_user }}"
+    group: "{{ gateway_group }}"
+    lstrip_blocks: true
+    backup: true
+  when: gateway_application_mode == 'server'
+
+- name: Create the gateway runner configuration file
+  ansible.builtin.template:
+    src: "runner.conf.j2"
+    dest: "{{ gateway_config_dir }}/gateway.conf"
+    mode: "0600"
+    owner: "{{ gateway_user }}"
+    group: "{{ gateway_group }}"
+    lstrip_blocks: true
+    backup: true
+  when: gateway_application_mode == 'runner'
+
+- name: Create the gateway systemd file
+  ansible.builtin.template:
+    src: iagctl.service.j2
+    dest: /usr/lib/systemd/system/iagctl.service
+    owner: root
+    group: root
+    mode: "0644"
+
+- name: Create the gateway encryption key file
+  ansible.builtin.copy:
+    content: "{{ gateway_secrets_encrypt_key }}"
+    dest: "{{ gateway_secrets_encrypt_key_file }}"
+    mode: "0600"
+    owner: "{{ gateway_user }}"
+    group: "{{ gateway_group }}"