Some cleanup. Use secrets.

2021-11-08 19:28:32 +01:00 · 2021-11-08 19:28:32 +01:00 · e8e16eab0c
parent 1db5cc62a5
commit e8e16eab0c
4 changed files with 81 additions and 75 deletions
--- a/README.md
+++ b/README.md
@ -11,11 +11,15 @@ The most important variables are listed below:
 ``` yaml
 minio_compose_dir: '/srv/minio_stack'
 minio_docker_stack_name: 'minio'
-minio_root_user: minio_admin
-minio_root_password: 'use a vault'
+minio_access_key: 'use a vault'
+minio_secret_key: 'use a vault'
+minio_secrets:
+  - { name: minio_access_key, data: '{{ minio_access_key }}' }
+  - { name: minio_secret_key, data: '{{ minio_secret_key }}' }
 minio_docker_service_server_name: 'minio'
-minio_docker_server_image: 'quay.io/minio/minio:RELEASE.2021-10-23T03-28-24Z'
-minio_docker_network: 'minio_net'
+minio_docker_server_image: 'quay.io/minio/minio'
+minio_docker_network: 'distributed'
+minio_docker_swarm_dnsrr: True
 minio_server_instances:
  - 1
  - 2
@ -25,6 +29,7 @@ minio_server_instances:
  - 6
  - 7
  - 8
+
 #
 minio_data_prefix: /minio
 minio_volume_prefix: /min_io
@ -33,14 +38,12 @@ minio_disk_volumes:
  - 4
 minio_behind_haproxy: True
 minio_haproxy_public_net: 'haproxy-public'
-# DB
-minio_constraints: '[node.labels.minio==minio1]'
+# 
 minio_keylocak_auth_url: http://localhost:8080/auth/
-minio_keycloak_client_secret: 'use a vault'
+#minio_keycloak_client_secret: 'use a vault'
 minio_keycloak_realm: 'realm'
 minio_keycloak_client_name: 'minio_client_name'
 minio_keycloak_client_id: 'minio_client_id'
-
 ```

 Dependencies
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -1,11 +1,16 @@
 ---
 minio_compose_dir: '/srv/minio_stack'
 minio_docker_stack_name: 'minio'
-minio_root_user: minio_admin
-#minio_root_password: 'use a vault'
+minio_access_key: 'use a vault'
+minio_secret_key: 'use a vault'
+minio_secrets:
+  - { name: minio_access_key, data: '{{ minio_access_key }}' }
+  - { name: minio_secret_key, data: '{{ minio_secret_key }}' }
 minio_docker_service_server_name: 'minio'
-minio_docker_server_image: 'quay.io/minio/minio:RELEASE.2021-10-23T03-28-24Z'
-minio_docker_network: 'minio_net'
+#minio_docker_server_image: 'quay.io/minio/minio:RELEASE.2021-10-23T03-28-24Z'
+minio_docker_server_image: 'quay.io/minio/minio'
+minio_docker_network: 'distributed'
+minio_docker_swarm_dnsrr: True
 minio_server_instances:
  - 1
  - 2
@ -15,6 +20,7 @@ minio_server_instances:
  - 6
  - 7
  - 8
+
 #
 minio_data_prefix: /minio
 minio_volume_prefix: /min_io
@ -23,10 +29,9 @@ minio_disk_volumes:
  - 4
 minio_behind_haproxy: True
 minio_haproxy_public_net: 'haproxy-public'
-# DB
-minio_constraints: '[node.labels.minio==minio1]'
+# 
 minio_keylocak_auth_url: http://localhost:8080/auth/
-minio_keycloak_client_secret: 'use a vault'
+#minio_keycloak_client_secret: 'use a vault'
 minio_keycloak_realm: 'realm'
 minio_keycloak_client_name: 'minio_client_name'
 minio_keycloak_client_id: 'minio_client_id'
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -1,64 +1,50 @@
 ---
- name: Manage the installation of the OpenASFA configuration of the database
+- name: Manage the installation of the MinIO configuration of the swarm service
  block:
-    - name: Create the directory where the DB init script is going to be installed
-      file: dest={{ open_asfa_compose_dir }} state=directory
-
-    - name: Install the DB initialization script
-      template: src=pg-create-user-db.sh.j2 dest={{ open_asfa_compose_dir }}/pg-create-user-db.sh owner=root group=root mode='0555'
-
-  run_once: True
-  when:
-    - open_asfa_db_docker_host == ansible_fqdn
-    - open_asfa_db_as_container
-  tags: [ 'open_asfa', 'open_asfa_swarm', 'open_asfa_db' ]
-
- name: Manage the installation of the OpenASFA configuration of pgadmin
-  block:
-    - name: Create the directory where the pgadmin configuration is going to be installed
-      file: dest={{ open_asfa_compose_dir }} state=directory
-
-    - name: Install the pgadmin configuration files
-      template: src={{ item }}.j2 dest={{ open_asfa_compose_dir }}/{{ item }} owner=root group=root mode='0444'
-      loop:
-        - pgadmin_config_local.py
-        - pgadmin_servers.json
-
-  run_once: True
-  when: open_asfa_pgadmin_docker_host == ansible_fqdn
-  tags: [ 'open_asfa', 'open_asfa_swarm', 'open_asfa_db' ]
-
- name: Manage the installation of the OpenASFA configuration of the swarm service
-  block:
-    - name: Add the label that will be used as a constraint for the PostgreSQL DB
+    - name: Add the label that will be used as a constraint for the minio instances
      docker_node:
-        hostname: '{{ open_asfa_db_docker_host }}'
+        hostname: '{{ item.1 }}'
        labels:
-          asfa_pg_data: 'asfa_server'
+          minio: 'minio{{ item.0 }}'
        labels_state: 'merge'
-      when: open_asfa_db_as_container
+      loop: "{{ minio_server_instances|zip(groups['minio_docker_swarm_nodes'])|list }}"
+      ignore_errors: True

-    - name: Add the label that will be used as a constraint for the Pgadmin service
-      docker_node:
-        hostname: '{{ open_asfa_pgadmin_docker_host }}'
-        labels:
-          asfa_pgadmin_data: 'asfa_server'
-        labels_state: 'merge'
+    - name: Create the min.io compose directory in the docker swarm manager
+      file:
+        dest: '{{ minio_compose_dir }}'
+        state: directory
+        owner: root
+        group: root
+        mode: 0400
+      tags: [ 'minio', 'minio_docker', minio_docker_stack ]

-    - name: Install the docker compose file
-      template: src=open-asfa-docker-compose.yml.j2 dest={{ open_asfa_compose_dir }}/docker-open-asfa-stack.yml owner=root group=root mode='0400'
+    - name: Install the min.io docker compose file
+      template:
+        src: minio-docker-compose.yml.j2
+        dest: '{{ minio_compose_dir }}/docker-stack-minio.yml'
+        owner: root
+        group: root
+        mode: 0400
+      tags: [ 'minio', 'minio_docker', minio_docker_stack ]

-    - name: Install the docker compose file for postgresql and pgadmin
-      template: src=open-asfa-db-docker-compose.yml.j2 dest={{ open_asfa_compose_dir }}/docker-open-asfa-stack-db.yml owner=root group=root mode='0400'
+    - name: Create the secrets
+      ansible.builtin.docker_secret:
+        name: '{{ item.name }}'
+        data: '{{ item.data }}'
+        state: present
+      loop: '{{ minio_secrets }}'
+      tags: [ 'minio', 'minio_docker', minio_docker_stack ]

-    - name: Start the OpenAsfa stack 
+    - name: Start the min.io stack 
      docker_stack:
-        name: open-asfa
+        name: '{{ minio_docker_stack_name }}'
        state: present
        compose:
-          - '{{ open_asfa_compose_dir }}/docker-open-asfa-stack-db.yml'
-#          - '{{ open_asfa_compose_dir }}/docker-open-asfa-stack.yml'
+          - '{{ minio_compose_dir }}/docker-stack-minio.yml'
+      tags: [ 'minio', 'minio_docker', minio_docker_stack ]
+

  run_once: True
  when: docker_swarm_manager_main_node is defined and docker_swarm_manager_main_node | bool
-  tags: [ 'open_asfa', 'open_asfa_swarm' ]
+  tags: [ 'minio', 'minio_docker' ]
--- a/templates/minio-docker-compose.yml.j2
+++ b/templates/minio-docker-compose.yml.j2
@ -1,43 +1,55 @@
-version: '3.6'
+version: '3.7'

 networks:
+  {{ minio_docker_network }}:
 {% if minio_behind_haproxy %}
  haproxy-public:
    external: true
 {% endif %}
-  {{ minio_docker_network }}:

-volumes:
-{% for vol in minio_disk_volumes %}
-  {{ minio_volume_prefix }}/{{ vol }}:
-{% endfor %}
+secrets:
+  minio_secret_key:
+    external: true
+  minio_access_key:
+    external: true

 services:
 {% for i in minio_server_instances %}
  {{ minio_docker_service_server_name }}{{ i }}:
+    hostname: {{ minio_docker_service_server_name }}{{ i }}
    image: {{ minio_docker_server_image }}
+    command: server --console-address ":9001" http://{{ minio_docker_service_server_name }}{1...8}/{{ minio_data_prefix }}{3...4}
+{% if not minio_docker_swarm_dnsrr %}
+    ports:
+      - 9000
+{% endif %}
    networks:
      - {{ minio_docker_network }}
 {% if minio_behind_haproxy %}
      - haproxy-public
 {% endif %}
    environment:
-      MINIO_ROOT_USER: {{ minio_root_user }}
-      MINIO_ROOT_PASSWORD: {{ minio_root_password }}
+      MINIO_ROOT_USER_FILE: minio_access_key
+      MINIO_ROOT_PASSWORD_FILE: minio_secret_key
+    secrets:
+      - minio_access_key
+      - minio_secret_key
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost:9000/minio/health/live"]
      interval: 30s
      timeout: 20s
-      retries: 3
+      retries: 5
    volumes:
    {% for vol in minio_disk_volumes %}
      - {{ minio_volume_prefix }}/{{ vol }}:{{ minio_data_prefix }}{{ vol }}
    {% endfor %}
-    command: server --console-address ":9001" http://{{ minio_docker_service_server_name }}{1...8}/{{ minio_data_prefix }}{1...2}
+
    deploy:
      mode: replicated
      replicas: 1
+{% if minio_docker_swarm_dnsrr %}
      endpoint_mode: dnsrr
+{% endif %}
      placement:
        constraints:
          - node.role == worker
@ -45,7 +57,7 @@ services:
      restart_policy:
        condition: on-failure
        delay: 5s
-        max_attempts: 3
+        max_attempts: 20
        window: 120s
    logging:
      driver: 'journald'