diff --git a/README.md b/README.md
index 2217e7e..57f7544 100644
--- a/README.md
+++ b/README.md
@@ -1 +1,817 @@ -# itential.iag5 +# Ansible Collection - itential.iag5 + +## Table of contents + +1. [Overview](#overview) +2. [Supported Architectures](#supported-architectures) +3. [Collection Prerequisites](#collection-prerequisites) + 1. [Required Python, Ansible, and Ansible modules](#required-python-ansible-and-ansible-modules) + 2. [Required Public Repositories](#required-public-repositories) + 3. [Ports and Networking](#ports-and-networking) + 4. [TLS Certificates](#tls-certificates) + 6. [Obtaining the Itential Binaries](#obtaining-the-itential-artifacts) +4. [Installing and Upgrading the IAG5 Ansible Collection](#installing-and-upgrading-the-iag5-ansible-collection) + 1. [Online Installation](#online-installation) + 2. [Offline Installation](#offline-installation) +5. [Running the Playbooks](#running-the-playbooks) + 1. [Confirm Requirements](#confirm-requirements) + 2. [Determine the Working and IAG5 Collection Directories](#determine-the-working-and-iag5-collection-directories) + 3. [Create the Inventories Directory](#create-the-inventories-directory) + 4. [Download Installation Artifacts](#download-installation-artifacts) + 5. [Copy Installation Artifacts into the Files Directory](#copy-installation-artifacts-into-the-files-directory) + 6. [Create a Symlink to the Files Directory](#create-a-symlink-to-the-files-directory) + 7. [Create the Inventory File](#create-the-inventory-file) + 8. [Run the IAG5 Site Playbook](#run-the-iag5-site-playbook) + 9. [Confirm Successful Installation](#confirm-successful-installation) + 10. [Running the IAG5 Component Playbooks](#running-the-iag5-component-playbooks) + 1. [Clients Playbook](#clients-playbook) + 2. [Servers Playbook](#servers-playbook) + 3. [Runners Playbook](#runners-playbook) +6. [Sample Inventories](#sample-inventories) + 1. [All-in-one Single Node Inventory](#all-in-one-single-node-inventory) + 2. 
[All-in-one Active/Standby High Availability Inventory](#all-in-one-activestandby-high-availability-inventory) + 3. [Distributed Service Execution with Single Cluster Inventory](#distributed-service-execution-with-single-cluster-inventory) + 4. [High Availability with Distributed Execution Inventory](#high-availability-with-distributed-execution-inventory) + 5. [Multiple Cluster Architecture Inventories](#multiple-cluster-architecture-inventories) +7. [Reference Guide](#reference-guide) +8. [Patching IAG5](#patching-iag5) + +## Overview + +An IAG5 environment is composed of several applications working in conjunction with one another. + +- IAG5 + - Client + - Server + - Runners +- Etcd +- DynamoDB + +The Itential IAG5 collection can deploy all supported Itential IAG5 architectures. It will only +install and configure the IAG5 components listed above; it does not handle installing/configuring +Etcd or DynamoDB. + +## Supported Architectures + +- [All-in-one Single Node](https://docs.itential.com/docs/architecture-deployment-models#1-allinone-singlenode-deployment) +- [All-in-one Active/Standby High Availability](https://docs.itential.com/docs/architecture-deployment-models#2-allinone-activestandby-high-availability-deployment) +- [Distributed Service Execution with Single Cluster](https://docs.itential.com/docs/architecture-deployment-models#3-distributed-service-execution-with-single-cluster) +- [High Availability with Distributed Execution](https://docs.itential.com/docs/architecture-deployment-models#4-high-availability-with-distributed-execution) +- [Multiple Cluster Architecture](https://docs.itential.com/docs/architecture-deployment-models#5-multiple-cluster-architecture) + +## Collection Prerequisites + +The Itential IAG5 collection is an Ansible collection and as such requires running on a control +node. That node has its own set of dependencies. 
+ +### Control Node Server Specifications + +Itential recommends using a dedicated node running the requirements listed below as the Ansible +control node. That node should meet or exceed the following specifications: + +| Component | Value | +|-----------|----------------------| +| OS | RHEL8/9 or Rocky 8/9 | +| RAM | 4 GB | +| CPUs | 2 | +| Disk | 20 GB | + +### Required Python, Ansible, and Ansible modules + +The **Ansible Control Node** must have the following installed: + +- **Python** + - python >= 3.9 + +- **Ansible** + - ansible-core >= 2.11, < 2.17 + - ansible: >=9.x.x + +To see which Ansible version is currently installed, execute the `ansible --version` command as +shown below. + +#### Example: Confirming Ansible Version + + ```bash + ansible [core 2.15.13] + config file = None + configured module search path = ['/home//.ansible/plugins/modules', '/usr/share/ansible/plugins/modules'] + ansible python module location = /home//.local/lib/python3.9/site-packages/ansible + ansible collection location = /home//.ansible/collections:/usr/share/ansible/collections + executable location = /home//.local/bin/ansible + python version = 3.9.21 (main, Jun 27 2025, 00:00:00) [GCC 11.5.0 20240719 (Red Hat 11.5.0-5)] (/usr/bin/python3) + jinja version = 3.1.6 + libyaml = True + ``` + +- **Ansible Modules**: The following ansible modules are required on the control node for the +IAG5 collection to run. + - 'ansible.posix': '>=0.0.1' + +**ⓘ Note:** +The Itential IAG5 project is an Ansible collection. As such, a familiarity with basic Ansible +concepts is suggested before proceeding. + +### Required Public Repositories + +On the Ansible control node, the Ansible Python module and the IAG5 collection +will need to be installed. + +On the target servers, the IAG5 collection will install RPM packages using the standard YUM +repositories. 
When packages are not available for the distribution, the IAG collection will either +install the required repository or download the packages. + +| Component | Location | Protocol | Notes | +| :-------- | :------- | :------- | :---- | +| Ansible Control Node | | TCP | | +| Ansible Control Node | | TCP | | +| IAG5 | | TCP | | +| IAG5 | | TCP | | + +> [! WARNING] +> Neither the IAG5 collection nor the maintainers of the project can not know if any of the above +> URLs will result in a redirect. If a customer is using a proxy or other such method to restrict +> access this list may not represent the final URLs that are used. + +### Ports and Networking + +In a clustered environment where components are installed on more than one host, the following +network traffic flows need to be allowed. + +| Source | Destination | Port | Protocol | Description | +| ------ | ----------- | ---- | -------- | ----------- | +| IAG5 | Itential Gateway Manager | 8080 | TCP | IAG5 connection to Itential Gateway Manager (on-prem) | +| IAG5 | Itential Gateway Manager | 443 | TCP | IAG5 connection to Itential Gateway Manager (cloud) | +| IAG5 Client | IAG5 Server | 50051 | TCP | IAG5 Client connection to IAG5 Server | +| IAG5 Server | IAG5 Runner | 50051 | TCP | IAG5 Server connection to IAG5 Runner | +| IAG5 Server/Runner | DynamoDB | 443 | TCP | IAG5 Server/Runner connection to DynamoDB | +| IAG5 Server/Runner | Etcd | 2379 | TCP | IAG5 Server/Runner connection to Etcd | + +Notes + +- Not all ports will need to be open for every supported architecture +- Secure ports are only required when explicitly configured in the inventory + +### TLS Certificates + +The IAG5 collection is not responsible for creating any TLS certificates that may be used to +further tighten security in the Itential ecosystem. However, if these certificates are provided it +can upload and configure the platform to use them. The table below describes the certificates that +can be used and what their purpose is. 
+ +| Certificate | Description | +| :-----------| :-----------| +| Gateway Manager | Enables secure communication with the Itential Gateway Manager. | +| IAG5 Client | | +| IAG5 Server | | +| IAG5 Runner | | + +### Passwords + +The IAG5 collection will create several user accounts in the dependent systems. It uses default +passwords in all cases and those passwords can be overridden with the defined ansible variables. +To override these variables just define the variable in the IAG5 inventory. + +### Obtaining the Itential Artifacts + +The IAG5 artifacts are hosted on the Itential Nexus repository. An account is required to access +Itential Nexus. If you do not have an account, contact your Itential Sales representative. + +## Installing and Upgrading the IAG5 Ansible Collection + +### Online Installation + +The Itential IAG5 collection can be installed via the `ansible-galaxy` utility. + +On your control node, execute the following command to install the collection: + +```bash +ansible-galaxy collection install itential.iag5 +``` + +This should also install the required Ansible dependencies. When a new version of the IAG5 +collection is available, you can upgrade using the following command: + +```bash +ansible-galaxy collection install itential.iag5 --upgrade +``` + +### Offline Installation + +If your control node does not have internet connectivity, the IAG5 collection and its +dependencies can be downloaded via another system, copied to your control node, and installed +manually. + +**ⓘ Note:** +Some of the following collections may already be installed on your control node. To verify, use the +`ansible-galaxy collection list` command. + +1. Download the following collections from the provided links: + +TODO + - [Itential IAG5](https://galaxy.ansible.com/ui/repo/published/itential/iag5/) + +2. Copy the downloaded collections to your control node. +3. 
Install the collections using the following command: + + ```bash + ansible-galaxy collection install .tar.gz + ``` + +## Running the Playbooks + +Once you have have installed the IAG5 collection, run it to begin deploying IAG5 to your +environment. This section details a basic deployment using required variables only. + +### Confirm Requirements + +Before running the IAG5 collection we must ensure the following: + +- **Compatible OS**: Any managed nodes to be configured by the IAG5 collection must use an +operating system that is compatible with the target version of IAG5. For more information, refer +to the [IAG5 Dependencies](TODO) page. +- **Hostnames**: Any hostnames used by managed nodes must be DNS-resolvable. +- **Administrative Privileges**: The `ansible_user` must have administrative privileges on managed +nodes. +- **SSH Access**: The control node must have SSH connectivity to all managed nodes. + +**ⓘ Note:** +Although the IAG5 collection can be used to configure nodes that use any supported operating +system, it is optimized for Rocky/RHEL 8/9. + +### Determine the Working and IAG5 Collection Directories + +The IAG5 collection will be installed into the user's collection directory. Because the IAG5 +collection will be overwritten when it is upgraded, users should not store any inventory files, +binaries or artifacts in the IAG5 collection directory. Instead, users should create a working +directory to store those files. + +The working directory can be any directory on the control node and will be referred to as the +`WORKING-DIR` in this guide. + +Determine what directory the IAG5 collection is installed to by using the `ansible-galaxy +collection list` command. In the following example, the IAG5 collection directory is +`/home//.ansible/collections/ansible_collections/itential/iag5`. 
+ +#### Example: Determining the IAG5 Collection Directory + +```bash +% ansible-galaxy collection list + +# //home//.ansible/collections/ansible_collections +Collection Version +----------------- ------- +itential.iag5 1.0.0 +``` + +The IAG5 collection directory will be referred to as the `IAG5-DIR` in this guide. + +### Create the Inventories Directory + +The `inventories` directory should be a sub-directory of the working directory. It will contain +the hosts files. + +```bash +cd +mkdir inventories +``` + +### Determine Installation Method + +Choose one of the following installation methods based on your requirements: + +1. **Manual Upload**: Manually download the required files onto the control node in a `files` +directory. The IAG5 collection will move these artifact files to the target nodes. +2. **Repository Download**: Provide a repository download URL with either a username/password or an +API key. The IAG5 collection will make an API request to download the files directly onto the +target nodes. + +### Manual Upload + +#### Create the Files Directory + +The `files` directory should be a sub-directory of the working directory. It will contain the +Itential binaries and artifacts. + +```bash +cd +mkdir files +``` + +#### Download Installation Artifacts + +Download the IAG5 RPMs/tarballs from the [Itential Nexus Repository](TODO) to local storage. + +**ⓘ Note:** +If you are unsure which files should be downloaded for your environment, contact your Itential +Professional Services representative. + +#### Copy Installation Artifacts into the Files Directory + +Next, copy the files downloaded in the previous step to the `files` subdirectory. + +#### Example: Copying to the Files Directory + +```bash +cd /files +cp ~/Downloads/iagctl*.rpm . +``` + +#### Create a Symlink to the Files Directory + +Navigate to the playbooks directory in the IAG5 directory and create a symlink to the files +directory in the working directory. 
+ +```bash +cd /playbooks +ln -s /files . +``` + +### Repository Download + +#### Obtain the Download URL + +You can obtain the download URL from either a **Sonatype Nexus Repository** or **JFrog**. Follow +the steps below based on the repository type: + +- **For Sonatype Nexus**: Navigate to the file you wish to use and locate the **Path** parameter. +Copy the link provided in the **Path** field to obtain the download URL. +- **For JFrog**: Locate the file in the JFrog repository and copy the File URL. + +This download method supports both the IAG5 RPM and tarball files. + +#### Configure Repository Credentials + +Depending on the repository you are using, you will need to provide the appropriate credentials: + +- **For Nexus**: Set the `repository_username` and `repository_password` variables. +- **For JFrog**: Set the `repository_api_key` variable. + +**ⓘ Note:** +To secure sensitive information like passwords or API keys, consider using Ansible Vault to encrypt +these variables. + +### Create the Inventory File + +Using a text editor, create an inventory file that defines your deployment environment. To do this, +assign your managed nodes to the relevant groups according to what components you would like to +install on them. In the following example: + +- All required variables have been defined. + +**ⓘ Note:** +Itential recommends that all inventories follow the best practices outlined in the +[Ansible documentation](https://docs.ansible.com/ansible/latest/getting_started/get_started_inventory.html). + +#### Example: Creating the Inventory File + +```bash +cd +mkdir -p inventories/dev +vi inventories/dev/hosts +``` + +
+ +#### Example: Inventory File (YAML Format) + +```yaml +all: + vars: + ansible_user: + + # Nexus + repository_username: + repository_password: + + children: + gateway_all: + children: + iag5_servers: + iag5_clients: + vars: + gateway_pki_src_dir: + + gateway_servers: + children: + iag5_servers: + vars: + gateway_server_packages: + - + gateway_server_secrets_encrypt_key: + + iag5_servers: + hosts: + : + ansible_host: + vars: + gateway_server_connect_hosts: :8080 + + iag5_clients: + hosts: + : + ansible_host: + vars: + gateway_client_host: + gateway_client_packages: + - +``` + +### Run the IAG5 Site Playbook + +Navigate to the working directory and execute the following run command. + +#### Example: Running the IAG5 Site Playbook + +```bash +cd +ansible-playbook itential.iag5.site -i inventories/dev +``` + +### Confirm Successful Installation + +After the IAG5 playbook is finished running, perform the following checks on each component to +confirm successful installation. + +#### Example Output: IAG5 System Status + +```bash +$ sudo systemctl status iagctl +``` + +### Running the IAG5 Component Playbooks + +In addition to the site playbook, there are playbooks for running the individual components. + +#### Clients Playbook + +```bash +cd +ansible-playbook itential.iag5.clients -i inventories/dev +``` + +#### Servers Playbook + +```bash +cd +ansible-playbook itential.iag5.servers -i inventories/dev +``` + +#### Runners Playbook + +```bash +cd +ansible-playbook itential.iag5.runners -i inventories/dev +``` + +## Sample Inventories + +Below are simplified sample host files that describe the basic configurations to produce the +supported architectures. These are intended to be starting points only. 
+ +### All-in-one Single Node Inventory + +```yaml +all: + vars: + ansible_user: + + # Nexus + repository_username: + repository_password: + + children: + gateway_all: + children: + iag5_servers: + iag5_clients: + vars: + gateway_pki_src_dir: + + gateway_servers: + children: + iag5_servers: + vars: + gateway_server_packages: + - + gateway_server_secrets_encrypt_key: + + iag5_servers: + hosts: + : + ansible_host: + vars: + gateway_server_connect_hosts: :8080 + + iag5_clients: + hosts: + : + ansible_host: + vars: + gateway_client_host: + gateway_client_packages: + - +``` + +### All-in-one Active/Standby High Availability Inventory + +```yaml +all: + vars: + ansible_user: + + # Nexus + repository_username: + repository_password: + + children: + gateway_all: + children: + iag5_servers: + iag5_clients: + vars: + gateway_pki_src_dir: + + gateway_servers: + children: + iag5_servers: + vars: + gateway_server_packages: + - + gateway_server_secrets_encrypt_key: + + # Etcd + gateway_server_store_backend: etcd + gateway_server_store_etcd_hosts: :2379 :2379 :2379 + gateway_server_connect_hosts: :8080 + + iag5_servers: + hosts: + : + ansible_host: + : + ansible_host: + + iag5_clients: + hosts: + : + ansible_host: + vars: + gateway_client_host: + gateway_client_packages: + - +``` + +### Distributed Service Execution with Single Cluster Inventory + +```yaml +all: + vars: + ansible_user: rocky + + # Nexus + repository_username: + repository_password: + + children: + gateway_all: + children: + iag5_servers: + iag5_runners: + iag5_clients: + + gateway_servers: + children: + iag5_servers: + iag5_runners: + vars: + gateway_packages: + - + gateway_secrets_encrypt_key: + + # DynamoDB + gateway_store_backend: dynamodb + gateway_store_dynamodb_table_name: + gateway_store_dynamodb_aws_access_key_id: + gateway_store_dynamodb_aws_secret_access_key: + gateway_store_dynamodb_aws_session_token: + + iag5_servers: + hosts: + : + ansible_host: + vars: + gateway_server_connect_hosts: :8080 + 
gateway_server_distributed_execution: true + + iag5_runners: + hosts: + : + ansible_host: + : + ansible_host: + : + ansible_host: + + iag5_clients: + hosts: + : + ansible_host: + vars: + gateway_client_host: + gateway_client_packages: + - +``` + +### High Availability with Distributed Execution Inventory + +```yaml +all: + vars: + ansible_user: + + # Nexus + repository_username: + repository_password: + + children: + gateway_all: + children: + iag5_servers: + iag5_clients: + vars: + gateway_pki_src_dir: + + gateway_servers: + children: + iag5_servers: + vars: + gateway_server_packages: + - + gateway_server_secrets_encrypt_key: + gateway_server_store_backend: etcd + gateway_server_store_etcd_hosts: :2379 :2379 :2379 + gateway_server_connect_hosts: :8080 + + iag5_servers: + hosts: + : + ansible_host: + : + ansible_host: + vars: + gateway_server_distributed_execution: true + +iag5_runners: + hosts: + : + ansible_host: + : + ansible_host: + : + ansible_host: + + iag5_clients: + hosts: + : + ansible_host: + vars: + gateway_client_host: + gateway_client_packages: + - +``` + +### Multiple Cluster Architecture Inventories + +Cluster 1: + +```yaml +all: + vars: + ansible_user: rocky + + # Nexus + repository_username: + repository_password: + + children: + gateway_all: + children: + iag5_servers: + iag5_runners: + iag5_clients: + + gateway_servers: + children: + iag5_servers: + iag5_runners: + vars: + gateway_packages: + - + gateway_secrets_encrypt_key: + + # Etcd + gateway_server_store_backend: etcd + gateway_server_store_etcd_hosts: :2379 :2379 :2379 + gateway_server_connect_hosts: :8080 + + iag5_servers: + hosts: + : + ansible_host: + vars: + gateway_server_cluster_id: cluster_1 + gateway_server_connect_hosts: :8080 + gateway_server_distributed_execution: true + + iag5_runners: + hosts: + : + ansible_host: + : + ansible_host: + : + ansible_host: + + iag5_clients: + hosts: + : + ansible_host: + vars: + gateway_client_host: + gateway_client_packages: + - +``` + +Cluster 2: 
+ +```yaml +all: + vars: + ansible_user: rocky + + # Nexus + repository_username: + repository_password: + + children: + gateway_all: + children: + iag5_servers: + iag5_runners: + iag5_clients: + + gateway_servers: + children: + iag5_servers: + iag5_runners: + vars: + gateway_packages: + - + gateway_secrets_encrypt_key: + + # DynamoDB + gateway_store_backend: dynamodb + gateway_store_dynamodb_table_name: + gateway_store_dynamodb_aws_access_key_id: + gateway_store_dynamodb_aws_secret_access_key: + gateway_store_dynamodb_aws_session_token: + + iag5_servers: + hosts: + : + ansible_host: + vars: + gateway_server_cluster_id: cluster_2 + gateway_server_connect_hosts: :8080 + gateway_server_distributed_execution: true + + iag5_runners: + hosts: + : + ansible_host: + : + ansible_host: + : + ansible_host: + + iag5_clients: + hosts: + : + ansible_host: + vars: + gateway_client_host: + gateway_client_packages: + - +``` + +## Reference Guide + +All IAG5 collection variables are documented in the IAG Reference Guide. + +[IAG Reference Guide](docs/reference_guide.md) + +## Patching IAG5 + +To patch IAG5, simply replace the the current artifacts (RPM or tarball) in the inventory with the +new artifacts and re-run the appropriate playbook. diff --git a/docs/reference_guide.md b/docs/reference_guide.md new file mode 100644 index 0000000..68d0690 --- /dev/null +++ b/docs/reference_guide.md 
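Review bot: The inventories in the Sample Inventories section do not agree on variable names, so a copied sample can be mis-applied without any error: the Distributed Service Execution sample and both Multiple Cluster samples set `gateway_packages`, `gateway_secrets_encrypt_key`, `gateway_store_backend` and `gateway_store_dynamodb_*`, while the other samples use `gateway_server_packages`, `gateway_server_secrets_encrypt_key` and `gateway_server_store_*`, and the reference guide added in this same commit documents `gateway_server_packages`, `gateway_secrets_encrypt_key` and `gateway_server_store_*`. Ansible does not reject unknown inventory variables, so whichever spelling the roles do not read is silently ignored and the deployment either fails on an undefined variable or falls back to the documented defaults (`local` store backend, no DynamoDB credentials); I would align every sample with the reference-guide names. The High Availability with Distributed Execution sample also appears to place `iag5_runners:` at column zero instead of under `all.children`, which would make it a stray top-level key rather than a group, though indentation is hard to confirm in this collapsed diff. Every sample carries `repository_password` (and two of them the AWS secret access key and session token) as plain values; a one-line pointer next to the `# Nexus` comment, e.g. `# encrypt these with ansible-vault (see "Configure Repository Credentials")`, would keep the samples from being copied as-is. Minor: the Collection Prerequisites table of contents jumps from 4 to 6, and the warning under Required Public Repositories reads `can not know` where `cannot know` is meant.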
@@ -0,0 +1,128 @@ +# IAG5 Reference Guide + +## Common Variables + +The variables in this section are common to the client, server and runner roles. They can be +overridden in the `iag5_clients`, `iag5_servers` or `iag_runners` group vars. + +| Variable | Type | Description | Default Value | +| :------- | :--- | :---------- | :------------ | +| `repository_username` | String | The username for authenticating to the Itential Nexus repository. | N/A | +| `repository_password` | String | The password for authenticating to the Itential Nexus repository. | N/A | +| `gateway_pki_upload` | Boolean | Flag for enabling/disabling upload of PKI certificates and keys. | true | +| `gateway_pki_key_suffix` | String | The default PKI key suffix. | .key | +| `gateway_pki_cert_suffix` | String | The default PKI certificate suffix. | .crt | +| `gateway_pki_src_dir` | String | The PKI source directory on the control node. | N/A (must be defined in inventory) | +| `gateway_secrets_encrypt_key` | String | The secrets encrypt key. | N/A (must be defined in inventory) | +| `gateway_secrets_encrypt_key_dir` | String | The directory where the secrets encrypt key is stored. | "{{ gateway_client_working_dir }}/keys" (clients)
"{{ gateway_server_config_dir }}/keys" (servers/runners) | +| `gateway_secrets_encrypt_key_file` | String | The path to the secrets encrypt key. | "{{ gateway_secrets_encrypt_key_dir }}/encryption-key" | + +## Client Variables + +The variables in this section may be overridden in the inventory in the `iag5_clients` group vars. + +| Variable | Type | Description | Default Value | +| :------- | :--- | :---------- | :------------ | +| `gateway_client_packages` | List of Strings | The gateway client packages to install. | N/A (must be defined in inventory) | +| `gateway_client_user` | String | The user account where the client will be installed. | itential | +| `gateway_client_group` | String | The user group. | itential | +| `gateway_client_install_dir` | String | The location where the client binaries will be installed. | "/home/{{ gateway_client_user }}/.local/bin" | +| `gateway_client_working_dir` | String | The location where the client working files are located. | "/home/{{ gateway_client_user }}/.gateway.d" | +| `gateway_client_host` | String | The hostname or IP of the IAG5 server the client will connect to. | N/A (must be defined in inventory) | +| `gateway_client_port` | Integer | The port of the IAG5 server the client will connect to. | 50051 | +| `gateway_client_log_level` | String | The client logging level. | INFO | +| `gateway_client_use_tls` | Boolena | Flag for enabling/disabling TLS. | true | +| `gateway_client_pki_dir` | String | Path to the client TLS certificates and keys. | "{{ gateway_client_working_dir }}/ssl" | +| `gateway_client_pki_key_file` | String | The name of the client TLS key file. | "{{ inventory_hostname }}{{ gateway_pki_key_suffix }}" | +| `gateway_client_pki_key_src` | String | The path to the source client TLS key file on the control node. | "{{ gateway_pki_src_dir }}/{{ gateway_client_pki_key_file }}" | +| `gateway_client_pki_key_dest` | String | The path to the destination client TLS key. 
| "{{ gateway_client_pki_dir }}/{{ gateway_client_pki_key_file }}" | +| `gateway_client_pki_cert_file` | String | The name of the client TLS certificate. | "{{ inventory_hostname }}{{ gateway_pki_cert_suffix }}" | +| `gateway_client_pki_cert_src` | String | The path to the source client TLS certificate file on the control node. | "{{ gateway_pki_src_dir }}/{{ gateway_client_pki_cert_file }}" | +| `gateway_client_pki_cert_dest` | String | The path to the destination client TLS certificate. | "{{ gateway_client_pki_dir }}/{{ gateway_client_pki_cert_file }}" | +| `gateway_client_pki_ca_file` | String | The name of the client TLS CA certificate file. | "ca{{ gateway_pki_cert_suffix }}" | +| `gateway_client_pki_ca_cert_src` | String | The path to the source client TLS CA certificate on the control node. | "{{ gateway_pki_src_dir }}/{{ gateway_client_pki_ca_file }}" | +| `gateway_client_pki_ca_cert_dest` | String | The path to the client TLS CA certificate. | "{{ gateway_client_pki_dir }}/{{ gateway_client_pki_ca_file }}" | +| `gateway_client_terminal_timestamp_timezone` | String | Timezones are shown in UTC by default. When you set this to 'local', the client uses your machine's timezone.
You can also set a timezone (tz) identifier such as 'America/New_York'. | utc | + +If `gateway_client_packages` contains links to artifacts in the Itential Nexus repository, the +`repository_username`/`repository_password` must be defined. + +# Common Server/Runner Variables + +The variables in this section are common to the server and runner roles. They can be overridden in +the `iag5_servers` or `iag_runners` group vars. + +| Variable | Type | Description | Default Value | +| :------- | :--- | :---------- | :------------ | +| `gateway_server_packages` | List of Strings | The gateway server packages to install | N/A (must be defined in inventory) | +| `gateway_server_cluster_id` | String | The IAG5 cluster ID. | cluster_1 | +| `gateway_server_listen_address` | String | The server listen address. | 0.0.0.0 | +| `gateway_server_port` | Integer | The server listen port. | 50051 | +| `gateway_server_requirements_file` | String | | requirements.txt | +| `gateway_server_user` | String | The server user. All server files and the service will be owned by this user. | itential | +| `gateway_server_group` | String | The server group. | itential | +| `gateway_server_config_dir` | String | The directory containing the server configuration files. | /etc/gateway | +| `gateway_server_data_dir` | String | The directory containing the server data files. | /var/lib/gateway | +| `gateway_server_python_packages` | List of String | The list of Python packages to install. | - python3.12
- python3.12-pip | +| `gateway_server_python_executable` | String | The path to the Python executable. | /usr/bin/python3.12 | +| `gateway_server_pip_executable` | String | The path to the Pip executable. | /usr/bin/pip3.12 | +| `gateway_server_local_bin_dir` | String | The server local binnary directory. | "/home/{{ gateway_server_user }}/.local/bin" | +| `gateway_server_opentofu_packages` | List of String | The list of OpenTofu packages to install. | - tofu | +| `gateway_server_log_console_json` | Boolean | Flag for enabling/disabling logging to the console in JSON format. | false | +| `gateway_server_log_file_enabled` | Boolean | Flag for enabling/disabling logging. | true | +| `gateway_server_log_file_json` | Boolean | Flag for enabling/disabling logging in JSON format. | false | +| `gateway_server_log_level` | String | The logging level. | INFO | +| `gateway_server_log_server_dir` | String | The directory where log files are written. | /var/log/gateway | +| `gateway_server_log_timestamp_timezone` | String | Sets the timezone for timestamps in gateway logs.
Timezones are shown in UTC by default. When you set this to 'local', the client uses your machine's timezone.
You can also set a timezone (tz) identifier such as 'America/New_York'. | utc | +| `gateway_server_use_tls` | Boolean | Flag for enabling/disabling TLS. | true | +| `gateway_server_pki_dir` | String | The directory where TLS certificates and keys are located. | "{{ gateway_server_config_dir }}/ssl" | +| `gateway_server_pki_key_file` | String | The name of the server TLS key file. | "{{ inventory_hostname }}{{ gateway_pki_key_suffix }}" | +| `gateway_server_pki_key_src` | String | The path to the source server TLS key file on the control node. | "{{ gateway_pki_src_dir }}/{{ gateway_server_pki_key_file }}" | +| `gateway_server_pki_key_dest` | String | The path to the destination server TLS key. | "{{ gateway_server_pki_dir }}/{{ gateway_server_pki_key_file }}" | +| `gateway_server_pki_cert_file` | String | The name of the server TLS certificate. | "{{ inventory_hostname }}{{ gateway_pki_cert_suffix }}" | +| `gateway_server_pki_cert_src` | String | The path to the source server TLS certificate file on the control node. | "{{ gateway_pki_src_dir }}/{{ gateway_server_pki_cert_file }}" | +| `gateway_server_pki_cert_dest` | String | The path to the destination server TLS certificate. | "{{ gateway_server_pki_dir }}/{{ gateway_server_pki_cert_file }}" | +| `gateway_server_pki_ca_file` | String | The name of the server TLS CA certificate file. | "ca{{ gateway_pki_cert_suffix }}" | +| `gateway_server_pki_ca_cert_src` | String | The path to the source server TLS CA certificate on the control node. | "{{ gateway_pki_src_dir }}/{{ gateway_server_pki_ca_file }}" | +| `gateway_server_pki_ca_cert_dest` | String | The path to the server TLS CA certificate. | "{{ gateway_server_pki_dir }}/{{ gateway_server_pki_ca_file }}" | +| `gateway_server_registry_default_overridable` | Boolean | Controls whether users can override the default PyPI or Ansible Galaxy registries when creating a Python or Ansible service. 
| true | +| `gateway_server_store_backend` | String | Sets the backend type for persistent data storage.
Valid values are 'local', 'memory', 'etc' and 'dynamodb' | local | +| `gateway_server_store_etcd_hosts` | String | Sets the etcd hosts that the gateway connects to for backend storage.
A host entry consists of an address and port: hostname:port.
If there are multiple etcd hosts, enter them as a space separated list: hostname1:port hostname2:port. | localhost:2379 | +| `gateway_server_store_etcd_use_tls` | Boolean | Flag for enabling/disabling TLS connections to Etcd. | true | +| `gateway_server_store_etcd_client_cert_auth` | Boolean | Flag for determining the TLS authentication method used when connecting to an Etcd store backend and gateway_server_store_etcd_use_tls is set to 'true'. | true | +| `gateway_server_store_dynamodb_table_name` | String | Sets the Amazon DynamoDB table name that the gateway connects to for backend storage. | itential.gateway5.store | +| `gateway_server_store_dynamodb_aws_access_key_id` | String | The AWS access key when using DynamoDB. | N/A | +| `gateway_server_store_dynamodb_aws_secret_access_key` | String | The AWS secret access key when using DynamoDB. | N/A | +| `gateway_server_store_dynamodb_aws_session_token` | String | The AWS session token when using DynamoDB. | N/A | +| `gateway_server_store_dynamodb_aws_region` | String | The AWS region when using DynamoDB. | N/A | +| `gateway_server_terminal_no_color` | Boolean | Determines whether the console outputs and logs display in color. | false | + +If `gateway_server_packages` contains links to artifacts in the Itential Nexus repository, the +`repository_username`/`repository_password` must be defined. + +# Server Variables + +The variables in this section may be overridden in the inventory in the `iag5_servers` group vars. + +| Variable | Type | Description | Default Value | +| :------- | :--- | :---------- | :------------ | +| `gateway_server_distributed_execution` | Boolean | Flag for enabling/disabling distributed execution.
Set to 'true' when deploying an architecture utilizing runners. | false | +| `gateway_server_api_key_expiration` | Integer | The amount of time (in minutes) before a user API key expires. | 1440 | +| `gateway_server_connect_enabled` | Boolean | Flag for enabling/disabling the connection to Gateway Manager | true | +| `gateway_server_connect_server_ha_enabled` | Boolean | Enable this configuration variable when you have multiple all in one or core nodes for a particular GATEWAY_APPLICATION_CLUSTER_ID. When you enable High Availability (HA), the system runs in active/standby mode. One server connects to Gateway Manager while the others remain in standby mode. If the active node goes down, a standby node connects to Gateway Manager and begins serving requests. | false | +| `gateway_server_connect_server_ha_is_primary` | Boolean | When you set GATEWAY_CONNECT_SERVER_HA_ENABLED to true, use this configuration variable to designate one node as the primary. When all nodes are online, this node takes the highest precedence and connects to Gateway Manager. Only one core HA node can connect to Gateway Manager at a time. If this node loses connection to Gateway Manager or the database, a standby node takes its place. | false | +| `gateway_server_connect_insecure_tls` | Boolean | Determines whether the gateway verifies TLS certificates when it connects to Itential Platform. When set to true, the gateway skips TLS certificate verification. We strongly recommend enabling TLS certificate verification in production environments. | false | +| `gateway_server_connect_certificate_file` | String | Specifies the full path to the certificate file used to establish a secure connection to Gateway Manager. | "{{ gateway_server_pki_cert_dest }}" | +| `gateway_server_connect_private_key_file` | String | Specifies the full path to the private key file that the gateway uses to connect to Gateway Manager. 
| "{{ gateway_server_pki_key_dest }}" | +| `gateway_server_features_ansible_enabled` | Boolean | Enables or disables all Ansible features. When you set this variable to false, the gateway disables the management of Ansible playbooks and the execution of Ansible services. | true | +| `gateway_server_features_hostkeys_enabled` | Boolean | Enables or disables the hostkeys feature. When you set this variable to false, the gateway disables the hostkeys managment commands. | true | +| `gateway_server_features_opentofu_enabled` | Boolean | Enables or disables all OpenTofu features. When you set this variable to false, the gateway disables the management of OpenTofu plans and the execution of OpenTofu services. | true | +| `gateway_server_features_python_enabled` | Boolean | Enables or disables all Python features. When you set this variable to false, the gateway disables the management of Python scripts and the execution of Python services. | true | + +# Runner Variables + +The variables in this section may be overridden in the inventory in the `iag5_runners` group vars. + +| Variable | Type | Description | Default Value | +| :------- | :--- | :---------- | :------------ | +| `gateway_server_runner_announcement_address` | IP Address | Sets the address that a gateway runner registers to its cluster when it comes online. When a gateway core server sends a service execution request to a gateway runner, it sends the request to this address. If you don't explicitly set this variable, the gateway runner identifies its own IP address and registers it to the cluster. | N/A (must be defined in inventory when runners are used.) | diff --git a/example_inventories/aio_asa_ha.yml b/example_inventories/aio_asa_ha.yml new file mode 100644 index 0000000..e69de29 diff --git a/example_inventories/aio_single_node.yaml b/example_inventories/aio_single_node.yaml new file mode 100644 index 0000000..b05b1aa --- /dev/null +++ b/example_inventories/aio_single_node.yaml 
@@ -0,0 +1,34 @@ +all: + vars: + ansible_user: rocky + + # Uncomment and configure the following two variables if you want the playbook to download the + # iactl artifacts from the Itential repository (Nexus). + # Otherwise, the iactl artifacts will need to be downloaded from the Itential repository + # manually and placed in the playbooks/files directory. + # repository_username: + # repository_password: + + # The encrpyt key can be generated using the command: + # 'openssl rand -hex 32' + gateway_secrets_encrypt_key: + tls_pki_local_dir: + gateway_pki_src_dir: "{{ tls_pki_local_dir }}" + + children: + iag5_servers: + hosts: + : + ansible_host: + vars: + gateway_server_packages: + - + + iag5_clients: + hosts: + : + ansible_host: + vars: + gateway_client_packages: + - + gateway_client_host: diff --git a/example_inventories/distributed_service_excution_single_cluster.yaml b/example_inventories/distributed_service_excution_single_cluster.yaml new file mode 100644 index 0000000..e69de29 diff --git a/example_inventories/ha_distributed_execution.yaml b/example_inventories/ha_distributed_execution.yaml new file mode 100644 index 0000000..e69de29 diff --git a/example_inventories/multiple_cluster.yaml b/example_inventories/multiple_cluster.yaml new file mode 100644 index 0000000..e69de29 diff --git a/roles/gateway/defaults/main.yml b/roles/gateway/defaults/main.yml index d3bc1fd..d3ebb0d 100644 --- a/roles/gateway/defaults/main.yml +++ b/roles/gateway/defaults/main.yml 
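Review bot: `repository_password` and `gateway_secrets_encrypt_key` are placeholders for plaintext values in a file that is meant to be copied into an inventory and committed, and nothing in the comments tells the operator to protect them. I would extend the comment above `gateway_secrets_encrypt_key` with `# Store this value (and repository_password) with 'ansible-vault encrypt_string' rather than in plaintext.`; the same comment also has a typo, `encrpyt` → `encrypt`. `tls_pki_local_dir` gets no comment at all; a one-liner saying it is the control-node directory holding `<inventory_hostname>.key`, `<inventory_hostname>.crt` and `ca.crt` (the names the gateway_client role defaults in this diff derive from `gateway_pki_src_dir`) would save a round trip for whoever fills this in.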
@@ -1,12 +1,22 @@ # Copyright (c) 2025, Itential, Inc # GNU General Public License v3.0+ (see LICENSE or https://www.gnu.org/licenses/gpl-3.0.txt) --- -############################### -# Gateway application variables -############################### +########################## +# Gateway common variables +########################## + +# Artifact repository credentials +# Must be defined in the inventory when downloading Gateway artifacts from the Itential +# Nexus repository. +repository_username: # noqa var-naming[no-role-prefix] +repository_password: # noqa var-naming[no-role-prefix] # Gateway TLS gateway_pki_upload: true gateway_pki_key_suffix: .key gateway_pki_cert_suffix: .crt gateway_pki_src_dir: # The local pki directory must be defined in the inventory + +# Secrets encrypt key +gateway_secrets_encrypt_key: +gateway_secrets_encrypt_key_file: "{{ gateway_secrets_encrypt_key_dir }}/encryption-key" diff --git a/roles/gateway_client/defaults/main.yml b/roles/gateway_client/defaults/main.yml index 0cf25e0..99fe3a3 100644 --- a/roles/gateway_client/defaults/main.yml +++ b/roles/gateway_client/defaults/main.yml @@ -5,6 +5,10 @@ # Gateway client variables ########################## +# The list of gateway client packages to install. Currently this is a single tarball. +# Must be defined in the inventory. +gateway_client_packages: + # Gateway client user/group gateway_client_user: itential gateway_client_group: itential @@ -20,6 +24,11 @@ gateway_client_port: 50051 # Gateway client logging variables gateway_client_log_level: INFO +gateway_client_terminal_timestamp_timezone: utc + +# Gateway clients secrets encrypt key directory +gateway_secrets_encrypt_key_dir: "{{ gateway_client_working_dir }}/keys" # noqa var-naming[no-role-prefix] + ############################## # Gateway client TLS variables ############################## 
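Review bot: `repository_password` and `gateway_secrets_encrypt_key` are introduced as empty role defaults with no comment marking them as secrets, so an inventory that forgets `gateway_secrets_encrypt_key` silently falls through to an empty value that the configure tasks later write to the key file. I would add `# Secret: supply via ansible-vault; must be non-empty (e.g. 'openssl rand -hex 32').` above `gateway_secrets_encrypt_key:` and `# Secret: supply via ansible-vault.` above `repository_password:`. `gateway_secrets_encrypt_key_file` is built from `gateway_secrets_encrypt_key_dir`, which this role does not define (it comes from the gateway_client and gateway_server role defaults elsewhere in this diff); a comment noting that cross-role dependency would help the next reader.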
@@ -28,14 +37,14 @@ gateway_client_use_tls: true gateway_client_pki_dir: "{{ gateway_client_working_dir }}/ssl" -gateway_client_pki_key_file: '{{ inventory_hostname }}{{ gateway_pki_key_suffix }}' -gateway_client_pki_key_src: '{{ gateway_pki_src_dir }}/{{ gateway_client_pki_key_file }}' -gateway_client_pki_key_dest: '{{ gateway_client_pki_dir }}/{{ gateway_client_pki_key_file }}' +gateway_client_pki_key_file: "{{ inventory_hostname }}{{ gateway_pki_key_suffix }}" +gateway_client_pki_key_src: "{{ gateway_pki_src_dir }}/{{ gateway_client_pki_key_file }}" +gateway_client_pki_key_dest: "{{ gateway_client_pki_dir }}/{{ gateway_client_pki_key_file }}" -gateway_client_pki_cert_file: '{{ inventory_hostname }}{{ gateway_pki_cert_suffix }}' -gateway_client_pki_cert_src: '{{ gateway_pki_src_dir }}/{{ gateway_client_pki_cert_file }}' -gateway_client_pki_cert_dest: '{{ gateway_client_pki_dir }}/{{ gateway_client_pki_cert_file }}' +gateway_client_pki_cert_file: "{{ inventory_hostname }}{{ gateway_pki_cert_suffix }}" +gateway_client_pki_cert_src: "{{ gateway_pki_src_dir }}/{{ gateway_client_pki_cert_file }}" +gateway_client_pki_cert_dest: "{{ gateway_client_pki_dir }}/{{ gateway_client_pki_cert_file }}" -gateway_client_pki_ca_file: 'ca{{ gateway_pki_cert_suffix }}' -gateway_client_pki_ca_cert_src: '{{ gateway_pki_src_dir }}/{{ gateway_client_pki_ca_file }}' -gateway_client_pki_ca_cert_dest: '{{ gateway_client_pki_dir }}/{{ gateway_client_pki_ca_file }}' +gateway_client_pki_ca_file: "ca{{ gateway_pki_cert_suffix }}" +gateway_client_pki_ca_cert_src: "{{ gateway_pki_src_dir }}/{{ gateway_client_pki_ca_file }}" +gateway_client_pki_ca_cert_dest: "{{ gateway_client_pki_dir }}/{{ gateway_client_pki_ca_file }}" diff --git a/roles/gateway_client/defaults/pki.yml b/roles/gateway_client/defaults/pki.yml index 8703bb4..c77b31e 100644 --- a/roles/gateway_client/defaults/pki.yml +++ b/roles/gateway_client/defaults/pki.yml 
@@ -1,3 +1,8 @@ # Copyright (c) 2025, Itential, Inc # GNU General Public License v3.0+ (see LICENSE or https://www.gnu.org/licenses/gpl-3.0.txt) --- +############################## +# Gateway client TLS variables +############################## + +# TODO - Remove? diff --git a/roles/gateway_client/tasks/configure_gateway_client.yml b/roles/gateway_client/tasks/configure_gateway_client.yml index c820cab..9006ddb 100644 --- a/roles/gateway_client/tasks/configure_gateway_client.yml +++ b/roles/gateway_client/tasks/configure_gateway_client.yml @@ -10,3 +10,11 @@ group: "{{ gateway_client_group }}" lstrip_blocks: true backup: true + +- name: Create the gateway encryption key file + ansible.builtin.copy: + content: "{{ gateway_secrets_encrypt_key }}" + dest: "{{ gateway_secrets_encrypt_key_file }}" + mode: "0600" + owner: "{{ gateway_client_user }}" + group: "{{ gateway_client_group }}" diff --git a/roles/gateway_client/tasks/install_gateway_client.yml b/roles/gateway_client/tasks/install_gateway_client.yml index b63c488..9cc7719 100644 --- a/roles/gateway_client/tasks/install_gateway_client.yml +++ b/roles/gateway_client/tasks/install_gateway_client.yml @@ -22,17 +22,18 @@ with_items: - "{{ gateway_client_install_dir }}" - "{{ gateway_client_working_dir }}" + - "{{ gateway_secrets_encrypt_key_dir }}" - name: Create a temporary download directory ansible.builtin.tempfile: state: directory - register: downloaddir + register: gateway_client_download_dir changed_when: false - name: Download the gateway packages from repository ansible.builtin.get_url: url: "{{ item }}" - dest: "{{ downloaddir.path }}/" + dest: "{{ gateway_client_download_dir.path }}/" mode: '0755' # Sets the appropriate header based on the repository type: # - For JFrog: Uses the "X-JFrog-Art-Api" header with the API key if "repository_api_key" 
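Review bot: The added `Create the gateway encryption key file` task writes `gateway_secrets_encrypt_key` through `content:` without `no_log: true`, so the key is printed in `-v`/`--diff` output and in any callback or log aggregation attached to the run. Because `gateway_secrets_encrypt_key` defaults to empty in roles/gateway/defaults, the task will also happily create an empty key file; an assert before it makes that misconfiguration loud instead of silent. The rewritten lines are below; `default('', true)` is needed because an unset YAML value is `None`, which `length` rejects.

```yaml
- name: Ensure the gateway secrets encryption key is configured
  ansible.builtin.assert:
    that:
      - (gateway_secrets_encrypt_key | default('', true)) | length > 0
    fail_msg: gateway_secrets_encrypt_key must be set (e.g. 'openssl rand -hex 32')

- name: Create the gateway encryption key file
  ansible.builtin.copy:
    # … unchanged: content/dest/mode/owner/group …
  no_log: true
```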
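Review bot: `gateway_secrets_encrypt_key_dir` is appended to the same `with_items` list as the install and working directories, so it inherits whatever `mode`/`owner` that `file` task sets (those lines are above the hunk and not visible here). Since this directory exists only to hold the secrets encryption key, which the configure task writes with `0600`, I would create it in its own task with `mode: "0700"` so its listing is not readable by other local users, rather than sharing the permissions of the client install tree. If the existing task already uses a restrictive mode, a comment on the new item saying so would settle it.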
@@ -54,13 +55,13 @@ validate_certs: true loop: "{{ gateway_client_packages }}" when: "'http' in item" - register: download_result + register: gateway_client_download_result changed_when: false - name: Propagate the gateway packages from the control node ansible.builtin.copy: src: "{{ item }}" - dest: "{{ downloaddir.path }}/" + dest: "{{ gateway_client_download_dir.path }}/" owner: "{{ gateway_client_user }}" group: "{{ gateway_client_group }}" mode: "0775" @@ -71,9 +72,9 @@ - name: Find the gateway packages ansible.builtin.find: - paths: "{{ downloaddir.path }}" + paths: "{{ gateway_client_download_dir.path }}" patterns: "*.tar.gz" - register: gateway_packages + register: gateway_client_packages changed_when: false - name: Unarchive the gateway packages @@ -82,11 +83,11 @@ dest: "{{ gateway_client_install_dir }}/" remote_src: true # state: present - loop: "{{ gateway_packages.files }}" - when: gateway_packages | length > 0 + loop: "{{ gateway_client_packages.files }}" + when: gateway_client_packages | length > 0 - name: Remove the temporary download directory ansible.builtin.file: - path: "{{ downloaddir.path }}" + path: "{{ gateway_client_download_dir.path }}" state: absent changed_when: false diff --git a/roles/gateway_client/templates/gateway.conf.j2 b/roles/gateway_client/templates/gateway.conf.j2 index b7eda36..75eb362 100644 --- a/roles/gateway_client/templates/gateway.conf.j2 +++ b/roles/gateway_client/templates/gateway.conf.j2 @@ -10,5 +10,11 @@ use_tls = {{ gateway_client_use_tls | to_json }} private_key_file = {{ gateway_client_pki_key_dest }} certificate_file = {{ gateway_client_pki_cert_dest }} +[secrets] +encrypt_key_file = '{{ gateway_secrets_encrypt_key_file }}' + [log] level = {{ gateway_client_log_level }} + +[terminal] +timestamp_timezone = '{{ gateway_client_terminal_timestamp_timezone }}' diff --git a/roles/gateway_server/defaults/main/application.yml b/roles/gateway_server/defaults/main/application.yml index 2dba165..0dbeb3d 100644 
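Review bot: In the `Find the gateway packages` task the `find` result is registered as `gateway_client_packages`, the same name as the inventory-supplied package list this diff declares in `roles/gateway_client/defaults/main.yml` and consumes in the download and copy loops; a registered variable outranks inventory and role-default values, so from this task on the host's `gateway_client_packages` is the find result dict, not the list, which will surprise any later task or a second run of the role that expects the list. Register it under a distinct name, `register: gateway_client_found_packages`, and update the unarchive task to `loop: "{{ gateway_client_found_packages.files }}"`. The guard `when: gateway_client_packages | length > 0` (carried over from the original `gateway_packages | length > 0`) measures the result dict, which always has keys, so it never skips; `when: gateway_client_found_packages.files | length > 0` tests what was meant.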
--- a/roles/gateway_server/defaults/main/application.yml +++ b/roles/gateway_server/defaults/main/application.yml @@ -4,3 +4,5 @@ ############################### # Gateway application variables ############################### + +# TODO - Remove? diff --git a/roles/gateway_server/defaults/main/install.yml b/roles/gateway_server/defaults/main/install.yml index 0029eb5..fc4ab2b 100644 --- a/roles/gateway_server/defaults/main/install.yml +++ b/roles/gateway_server/defaults/main/install.yml @@ -5,6 +5,10 @@ # Gateway install variables ############################ +# The list of gateway server packages to install. +# Must be defined in the inventory. +gateway_server_packages: + # Gateway user/group gateway_server_user: itential gateway_server_group: itential diff --git a/roles/gateway_server/defaults/main/secrets.yml b/roles/gateway_server/defaults/main/secrets.yml index 0aa4500..f7e3229 100644 --- a/roles/gateway_server/defaults/main/secrets.yml +++ b/roles/gateway_server/defaults/main/secrets.yml @@ -5,5 +5,4 @@ # Gateway secrets variables ########################### -gateway_server_secrets_encrypt_key_dir: "{{ gateway_server_config_dir }}/keys" -gateway_server_secrets_encrypt_key_file: "{{ gateway_server_secrets_encrypt_key_dir }}/encryption-key" +gateway_secrets_encrypt_key_dir: "{{ gateway_server_config_dir }}/keys" # noqa var-naming[no-role-prefix] diff --git a/roles/gateway_server/defaults/main/store.yml b/roles/gateway_server/defaults/main/store.yml index a5d17ed..dc02c8f 100644 --- a/roles/gateway_server/defaults/main/store.yml +++ b/roles/gateway_server/defaults/main/store.yml 
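Review bot: `gateway_secrets_encrypt_key_dir` is now a role default in both `gateway_server` (here, under `gateway_server_config_dir`) and `gateway_client` (under `gateway_client_working_dir`), and `roles/gateway` derives `gateway_secrets_encrypt_key_file` from it. As far as I can tell, when one host runs both roles (the all-in-one architectures) Ansible resolves a single value for that variable, so both rendered configs point at one role's key directory; that may be intended (one shared key), but it leaves the other role's key directory created and unused and makes the outcome depend on role load order. I would state the intent in a comment, e.g. `# Shared with the gateway_client role: on an all-in-one host both services read the same key file.`, or, if the two services should keep separate copies, keep the per-role prefixed names and pass the file path into each template explicitly.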
@@ -12,9 +12,10 @@ gateway_server_store_backend: local gateway_server_store_etcd_hosts: localhost:2379 gateway_server_store_etcd_use_tls: true gateway_server_store_etcd_client_cert_auth: true -gateway_store_etcd_ca_certificate_filename: "{{ gateway_server_pki_ca_cert_dest }}" -gateway_store_etcd_certificate_filename: "{{ gateway_server_pki_cert_dest }}" -gateway_store_etcd_private_key_filename: "{{ gateway_server_pki_key_dest }}" +# TODO - Remove? +# gateway_server_store_etcd_ca_certificate_filename: "{{ gateway_server_pki_ca_cert_dest }}" +# gateway_server_store_etcd_certificate_filename: "{{ gateway_server_pki_cert_dest }}" +# gateway_server_store_etcd_private_key_filename: "{{ gateway_server_pki_key_dest }}" # Gateway DynamoDB variables gateway_server_store_dynamodb_table_name: itential.gateway5.store diff --git a/roles/gateway_server/defaults/main/terminal.yml b/roles/gateway_server/defaults/main/terminal.yml index 1e98028..78d3a3b 100644 --- a/roles/gateway_server/defaults/main/terminal.yml +++ b/roles/gateway_server/defaults/main/terminal.yml @@ -6,4 +6,3 @@ ############################ gateway_server_terminal_no_color: false -gateway_server_terminal_timestamp_timezone: utc diff --git a/roles/gateway_server/tasks/configure_gateway.yml b/roles/gateway_server/tasks/configure_gateway.yml index a8104d6..684bc52 100644 --- a/roles/gateway_server/tasks/configure_gateway.yml +++ b/roles/gateway_server/tasks/configure_gateway.yml @@ -33,8 +33,8 @@ - name: Create the gateway encryption key file ansible.builtin.copy: - content: "{{ gateway_server_secrets_encrypt_key }}" - dest: "{{ gateway_server_secrets_encrypt_key_file }}" + content: "{{ gateway_secrets_encrypt_key }}" + dest: "{{ gateway_secrets_encrypt_key_file }}" mode: "0600" owner: "{{ gateway_server_user }}" group: "{{ gateway_server_group }}" diff --git a/roles/gateway_server/tasks/install_gateway.yml b/roles/gateway_server/tasks/install_gateway.yml index 9d1dd30..47c9f74 100644 
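Review bot: The server-side `Create the gateway encryption key file` task still has no `no_log: true`, so the renamed `gateway_secrets_encrypt_key` is echoed in `-v`/`--diff` output and callback logs whenever the file is created or changes. Add `no_log: true` to the task. Since the new variable defaults to empty in roles/gateway/defaults, I would also precede it with an `ansible.builtin.assert` that `(gateway_secrets_encrypt_key | default('', true)) | length > 0`, so a missing inventory value fails the play instead of producing an empty key file.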
--- a/roles/gateway_server/tasks/install_gateway.yml +++ b/roles/gateway_server/tasks/install_gateway.yml @@ -22,7 +22,7 @@ with_items: - "{{ gateway_server_config_dir }}" - "{{ gateway_server_data_dir }}" - - "{{ gateway_server_secrets_encrypt_key_dir }}" + - "{{ gateway_secrets_encrypt_key_dir }}" - "{{ gateway_server_log_server_dir }}" - name: Create a temporary download directory diff --git a/roles/gateway_server/templates/runner.conf.j2 b/roles/gateway_server/templates/runner.conf.j2 index 10f406d..b7cd3a4 100644 --- a/roles/gateway_server/templates/runner.conf.j2 +++ b/roles/gateway_server/templates/runner.conf.j2 @@ -19,7 +19,7 @@ requirements_file = {{ gateway_server_requirements_file }} default_overridable = {{ gateway_server_registry_default_overridable | to_json }} [secrets] -encrypt_key_file = '{{ gateway_server_secrets_encrypt_key_file }}' +encrypt_key_file = '{{ gateway_secrets_encrypt_key_file }}' [runner] listen_address = '{{ gateway_server_listen_address }}' @@ -30,6 +30,7 @@ use_tls = {{ gateway_server_use_tls | to_json }} certificate_file = '{{ gateway_server_pki_cert_dest }}' private_key_file = '{{ gateway_server_pki_key_dest }}' {% endif %} +runtime_data_dir = '{{ gateway_server_data_dir }}' [store] backend = '{{ gateway_server_store_backend }}' @@ -49,5 +50,4 @@ etcd_private_key_file = '{{ gateway_server_pki_key_dest }}' {% endif %} [terminal] -no_color = {{ gateway_server_terminal_no_color | to_json }} -timestamp_timezone = '{{ gateway_server_terminal_timestamp_timezone }}' +no_color = {{ gateway_server_terminal_no_color | to_json }} diff --git a/roles/gateway_server/templates/server.conf.j2 b/roles/gateway_server/templates/server.conf.j2 index f632c92..9ee7576 100644 --- a/roles/gateway_server/templates/server.conf.j2 +++ b/roles/gateway_server/templates/server.conf.j2 
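Review bot: The renamed `gateway_secrets_encrypt_key_dir` stays in the shared `with_items` list with the config, data and log directories, so the directory that holds the secrets encryption key gets the same `mode`/`owner` as the log directory (that `file` task's mode line is above the hunk and not visible here). I would create it in a dedicated task with `mode: "0700"`, matching the `0600` the configure task puts on the key file itself. If the shared task already uses a restrictive mode, a comment on this item saying so is enough.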
@@ -27,10 +27,10 @@ timestamp_timezone = '{{ gateway_server_log_timestamp_timezone }}' requirements_file = {{ gateway_server_requirements_file }} [registry] -default_overridable = true +default_overridable = {{ gateway_server_registry_default_overridable | to_json }} [secrets] -encrypt_key_file = '{{ gateway_server_secrets_encrypt_key_file }}' +encrypt_key_file = '{{ gateway_secrets_encrypt_key_file }}' [server] listen_address = '{{ gateway_server_listen_address }}' @@ -42,6 +42,7 @@ use_tls = {{ gateway_server_use_tls | to_json }} certificate_file = '{{ gateway_server_pki_cert_dest }}' private_key_file = '{{ gateway_server_pki_key_dest }}' {% endif %} +runtime_data_dir = '{{ gateway_server_data_dir }}' [store] backend = '{{ gateway_server_store_backend }}' @@ -61,5 +62,4 @@ etcd_private_key_file = '{{ gateway_server_pki_key_dest }}' {% endif %} [terminal] -no_color = false -timestamp_timezone = 'utc' +no_color = {{ gateway_server_terminal_no_color }}
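Review bot: In the `[terminal]` hunk `no_color = {{ gateway_server_terminal_no_color }}` drops the `| to_json` filter that the same variable gets in runner.conf.j2 and that `use_tls` and `default_overridable` get in this file; a YAML boolean renders through Jinja as `True`/`False`, so the default now produces `no_color = False` where the removed literal was `false`. Use `no_color = {{ gateway_server_terminal_no_color | to_json }}`. The `timestamp_timezone` key is removed from `[terminal]` here while the client template gains one in the same diff; if the server still honours that key, the change deserves a line in the commit message.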