Some cleanup. Use secrets.

This commit is contained in:
Andrea Dell'Amico 2021-11-08 19:28:32 +01:00
parent 1db5cc62a5
commit e8e16eab0c
Signed by: andrea.dellamico
GPG Key ID: 147ABE6CEB9E20FF
4 changed files with 81 additions and 75 deletions


@ -11,11 +11,15 @@ The most important variables are listed below:
``` yaml ``` yaml
minio_compose_dir: '/srv/minio_stack' minio_compose_dir: '/srv/minio_stack'
minio_docker_stack_name: 'minio' minio_docker_stack_name: 'minio'
minio_root_user: minio_admin minio_access_key: 'use a vault'
minio_root_password: 'use a vault' minio_secret_key: 'use a vault'
minio_secrets:
- { name: minio_access_key, data: '{{ minio_access_key }}' }
- { name: minio_secret_key, data: '{{ minio_secret_key }}' }
minio_docker_service_server_name: 'minio' minio_docker_service_server_name: 'minio'
minio_docker_server_image: 'quay.io/minio/minio:RELEASE.2021-10-23T03-28-24Z' minio_docker_server_image: 'quay.io/minio/minio'
minio_docker_network: 'minio_net' minio_docker_network: 'distributed'
minio_docker_swarm_dnsrr: True
minio_server_instances: minio_server_instances:
- 1 - 1
- 2 - 2
@ -25,6 +29,7 @@ minio_server_instances:
- 6 - 6
- 7 - 7
- 8 - 8
# #
minio_data_prefix: /minio minio_data_prefix: /minio
minio_volume_prefix: /min_io minio_volume_prefix: /min_io
@ -33,14 +38,12 @@ minio_disk_volumes:
- 4 - 4
minio_behind_haproxy: True minio_behind_haproxy: True
minio_haproxy_public_net: 'haproxy-public' minio_haproxy_public_net: 'haproxy-public'
# DB #
minio_constraints: '[node.labels.minio==minio1]'
minio_keylocak_auth_url: http://localhost:8080/auth/ minio_keylocak_auth_url: http://localhost:8080/auth/
minio_keycloak_client_secret: 'use a vault' #minio_keycloak_client_secret: 'use a vault'
minio_keycloak_realm: 'realm' minio_keycloak_realm: 'realm'
minio_keycloak_client_name: 'minio_client_name' minio_keycloak_client_name: 'minio_client_name'
minio_keycloak_client_id: 'minio_client_id' minio_keycloak_client_id: 'minio_client_id'
``` ```
Dependencies Dependencies


@ -1,11 +1,16 @@
--- ---
minio_compose_dir: '/srv/minio_stack' minio_compose_dir: '/srv/minio_stack'
minio_docker_stack_name: 'minio' minio_docker_stack_name: 'minio'
minio_root_user: minio_admin minio_access_key: 'use a vault'
#minio_root_password: 'use a vault' minio_secret_key: 'use a vault'
minio_secrets:
- { name: minio_access_key, data: '{{ minio_access_key }}' }
- { name: minio_secret_key, data: '{{ minio_secret_key }}' }
minio_docker_service_server_name: 'minio' minio_docker_service_server_name: 'minio'
minio_docker_server_image: 'quay.io/minio/minio:RELEASE.2021-10-23T03-28-24Z' #minio_docker_server_image: 'quay.io/minio/minio:RELEASE.2021-10-23T03-28-24Z'
minio_docker_network: 'minio_net' minio_docker_server_image: 'quay.io/minio/minio'
minio_docker_network: 'distributed'
minio_docker_swarm_dnsrr: True
minio_server_instances: minio_server_instances:
- 1 - 1
- 2 - 2
@ -15,6 +20,7 @@ minio_server_instances:
- 6 - 6
- 7 - 7
- 8 - 8
# #
minio_data_prefix: /minio minio_data_prefix: /minio
minio_volume_prefix: /min_io minio_volume_prefix: /min_io
@ -23,10 +29,9 @@ minio_disk_volumes:
- 4 - 4
minio_behind_haproxy: True minio_behind_haproxy: True
minio_haproxy_public_net: 'haproxy-public' minio_haproxy_public_net: 'haproxy-public'
# DB #
minio_constraints: '[node.labels.minio==minio1]'
minio_keylocak_auth_url: http://localhost:8080/auth/ minio_keylocak_auth_url: http://localhost:8080/auth/
minio_keycloak_client_secret: 'use a vault' #minio_keycloak_client_secret: 'use a vault'
minio_keycloak_realm: 'realm' minio_keycloak_realm: 'realm'
minio_keycloak_client_name: 'minio_client_name' minio_keycloak_client_name: 'minio_client_name'
minio_keycloak_client_id: 'minio_client_id' minio_keycloak_client_id: 'minio_client_id'
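Review bot: The new defaults `minio_access_key: 'use a vault'` and `minio_secret_key: 'use a vault'` are no longer just documentation placeholders, because `minio_secrets` feeds them straight into Docker secrets that become the MinIO root credentials; if the vault override is forgotten the stack comes up with the literal string as both user and password. Consider dropping the default values (or keeping them but adding an `assert` in the tasks that `minio_access_key != 'use a vault'` and likewise for the secret key) so a missing override fails the play instead of deploying. Separately, the added `minio_docker_swarm_dnsrr: True` should be the canonical lowercase boolean, `minio_docker_swarm_dnsrr: true`, matching the template's `{% if minio_docker_swarm_dnsrr %}` test and yamllint's truthy rule.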


@ -1,64 +1,50 @@
--- ---
- name: Manage the installation of the OpenASFA configuration of the database - name: Manage the installation of the MinIO configuration of the swarm service
block: block:
- name: Create the directory where the DB init script is going to be installed - name: Add the label that will be used as a constraint for the minio instances
file: dest={{ open_asfa_compose_dir }} state=directory
- name: Install the DB initialization script
template: src=pg-create-user-db.sh.j2 dest={{ open_asfa_compose_dir }}/pg-create-user-db.sh owner=root group=root mode='0555'
run_once: True
when:
- open_asfa_db_docker_host == ansible_fqdn
- open_asfa_db_as_container
tags: [ 'open_asfa', 'open_asfa_swarm', 'open_asfa_db' ]
- name: Manage the installation of the OpenASFA configuration of pgadmin
block:
- name: Create the directory where the pgadmin configuration is going to be installed
file: dest={{ open_asfa_compose_dir }} state=directory
- name: Install the pgadmin configuration files
template: src={{ item }}.j2 dest={{ open_asfa_compose_dir }}/{{ item }} owner=root group=root mode='0444'
loop:
- pgadmin_config_local.py
- pgadmin_servers.json
run_once: True
when: open_asfa_pgadmin_docker_host == ansible_fqdn
tags: [ 'open_asfa', 'open_asfa_swarm', 'open_asfa_db' ]
- name: Manage the installation of the OpenASFA configuration of the swarm service
block:
- name: Add the label that will be used as a constraint for the PostgreSQL DB
docker_node: docker_node:
hostname: '{{ open_asfa_db_docker_host }}' hostname: '{{ item.1 }}'
labels: labels:
asfa_pg_data: 'asfa_server' minio: 'minio{{ item.0 }}'
labels_state: 'merge' labels_state: 'merge'
when: open_asfa_db_as_container loop: "{{ minio_server_instances|zip(groups['minio_docker_swarm_nodes'])|list }}"
ignore_errors: True
- name: Add the label that will be used as a constraint for the Pgadmin service - name: Create the min.io compose directory in the docker swarm manager
docker_node: file:
hostname: '{{ open_asfa_pgadmin_docker_host }}' dest: '{{ minio_compose_dir }}'
labels: state: directory
asfa_pgadmin_data: 'asfa_server' owner: root
labels_state: 'merge' group: root
mode: 0400
tags: [ 'minio', 'minio_docker', minio_docker_stack ]
- name: Install the docker compose file - name: Install the min.io docker compose file
template: src=open-asfa-docker-compose.yml.j2 dest={{ open_asfa_compose_dir }}/docker-open-asfa-stack.yml owner=root group=root mode='0400' template:
src: minio-docker-compose.yml.j2
dest: '{{ minio_compose_dir }}/docker-stack-minio.yml'
owner: root
group: root
mode: 0400
tags: [ 'minio', 'minio_docker', minio_docker_stack ]
- name: Install the docker compose file for postgresql and pgadmin - name: Create the secrets
template: src=open-asfa-db-docker-compose.yml.j2 dest={{ open_asfa_compose_dir }}/docker-open-asfa-stack-db.yml owner=root group=root mode='0400' ansible.builtin.docker_secret:
name: '{{ item.name }}'
data: '{{ item.data }}'
state: present
loop: '{{ minio_secrets }}'
tags: [ 'minio', 'minio_docker', minio_docker_stack ]
- name: Start the OpenAsfa stack - name: Start the min.io stack
docker_stack: docker_stack:
name: open-asfa name: '{{ minio_docker_stack_name }}'
state: present state: present
compose: compose:
- '{{ open_asfa_compose_dir }}/docker-open-asfa-stack-db.yml' - '{{ minio_compose_dir }}/docker-stack-minio.yml'
# - '{{ open_asfa_compose_dir }}/docker-open-asfa-stack.yml' tags: [ 'minio', 'minio_docker', minio_docker_stack ]
run_once: True run_once: True
when: docker_swarm_manager_main_node is defined and docker_swarm_manager_main_node | bool when: docker_swarm_manager_main_node is defined and docker_swarm_manager_main_node | bool
tags: [ 'open_asfa', 'open_asfa_swarm' ] tags: [ 'minio', 'minio_docker' ]
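Review bot: The "Create the secrets" task loops over `minio_secrets` with `data: '{{ item.data }}'` and has no `no_log`, so the root access key and secret key are printed in the task output (and any log collector) for every loop item; add `no_log: true` to that task. The module is also referenced as `ansible.builtin.docker_secret`, but docker_secret is not part of the builtin collection — it lives in `community.docker` — so the FQCN should be `community.docker.docker_secret` (or the short name, consistent with the `docker_node`/`docker_stack` tasks around it). Minor: `mode: 0400` on the file and template tasks is an unquoted leading-zero integer (the line it replaces used `mode='0400'`), so write `mode: '0400'`, and `minio_docker_stack` in the tags lists is the only unquoted entry next to quoted siblings.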


@ -1,43 +1,55 @@
version: '3.6' version: '3.7'
networks: networks:
{{ minio_docker_network }}:
{% if minio_behind_haproxy %} {% if minio_behind_haproxy %}
haproxy-public: haproxy-public:
external: true external: true
{% endif %} {% endif %}
{{ minio_docker_network }}:
volumes: secrets:
{% for vol in minio_disk_volumes %} minio_secret_key:
{{ minio_volume_prefix }}/{{ vol }}: external: true
{% endfor %} minio_access_key:
external: true
services: services:
{% for i in minio_server_instances %} {% for i in minio_server_instances %}
{{ minio_docker_service_server_name }}{{ i }}: {{ minio_docker_service_server_name }}{{ i }}:
hostname: {{ minio_docker_service_server_name }}{{ i }}
image: {{ minio_docker_server_image }} image: {{ minio_docker_server_image }}
command: server --console-address ":9001" http://{{ minio_docker_service_server_name }}{1...8}/{{ minio_data_prefix }}{3...4}
{% if not minio_docker_swarm_dnsrr %}
ports:
- 9000
{% endif %}
networks: networks:
- {{ minio_docker_network }} - {{ minio_docker_network }}
{% if minio_behind_haproxy %} {% if minio_behind_haproxy %}
- haproxy-public - haproxy-public
{% endif %} {% endif %}
environment: environment:
MINIO_ROOT_USER: {{ minio_root_user }} MINIO_ROOT_USER_FILE: minio_access_key
MINIO_ROOT_PASSWORD: {{ minio_root_password }} MINIO_ROOT_PASSWORD_FILE: minio_secret_key
secrets:
- minio_access_key
- minio_secret_key
healthcheck: healthcheck:
test: ["CMD", "curl", "-f", "http://localhost:9000/minio/health/live"] test: ["CMD", "curl", "-f", "http://localhost:9000/minio/health/live"]
interval: 30s interval: 30s
timeout: 20s timeout: 20s
retries: 3 retries: 5
volumes: volumes:
{% for vol in minio_disk_volumes %} {% for vol in minio_disk_volumes %}
- {{ minio_volume_prefix }}/{{ vol }}:{{ minio_data_prefix }}{{ vol }} - {{ minio_volume_prefix }}/{{ vol }}:{{ minio_data_prefix }}{{ vol }}
{% endfor %} {% endfor %}
command: server --console-address ":9001" http://{{ minio_docker_service_server_name }}{1...8}/{{ minio_data_prefix }}{1...2}
deploy: deploy:
mode: replicated mode: replicated
replicas: 1 replicas: 1
{% if minio_docker_swarm_dnsrr %}
endpoint_mode: dnsrr endpoint_mode: dnsrr
{% endif %}
placement: placement:
constraints: constraints:
- node.role == worker - node.role == worker
@ -45,7 +57,7 @@ services:
restart_policy: restart_policy:
condition: on-failure condition: on-failure
delay: 5s delay: 5s
max_attempts: 3 max_attempts: 20
window: 120s window: 120s
logging: logging:
driver: 'journald' driver: 'journald'
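Review bot: The `command:` line hard-codes the `{1...8}` server range and the `{3...4}` drive range even though the rest of the template is driven by `minio_server_instances` and `minio_disk_volumes` (the volume mounts loop over the latter, and the defaults list drives up to 4), so editing either list silently leaves nodes or drives out of the erasure set or references mounts that do not exist. If the lists are contiguous from 1, derive the ranges, e.g. `http://{{ minio_docker_service_server_name }}{1...{{ minio_server_instances|length }}}{{ minio_data_prefix }}{1...{{ minio_disk_volumes|length }}}`; otherwise render the endpoints from the lists themselves. `MINIO_ROOT_USER_FILE`/`MINIO_ROOT_PASSWORD_FILE` are given bare secret names rather than `/run/secrets/...` paths; that relies on MinIO resolving relative names under the secrets mount, which is worth a one-line comment above the `environment:` block so the next reader does not "fix" it. In the non-dnsrr branch `ports: - 9000` publishes through the swarm ingress mesh on every node, which is broader exposure than the haproxy-only path — confirm that is intended.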