ansible

It’s time now to provision the hosts with Ansible.

Go here to see how Ansible will use the bastion to create and provision hosts.

Terraform created the inventories/demo/hosts_echo_socat_blue.lst and inventories/demo/hosts_echo_haproxy_blue.lst files (in both echo and infrasecrets directories) with everything Ansible needs:

  • the private IP addresses of the hosts

Terraform also created the inventories/demo/extra_vars_terraform_echo_haproxy_blue.yml files (in both echo and infrasecrets directories) with everything Ansible needs for the HAProxy hosts:

  • consul_cluster_custom_default_policy: the HAProxy hosts need some special permissions in their Agent Default Policy to be allowed to request the socat service through Connect

To execute Ansible, you will need to replace the following Ansible extra-vars parameters:

  • my_vault_a_create_approle_password: this is the password of the a-create-approle user
  • my_vault_a_deploy_echo_role_password: this is the password of the a-deploy-echo-role user
  • my_vault_a_deploy_echo_secret_password: this is the password of the a-deploy-echo-secret user
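
The commands on this page pass each password as a literal -e "name=value" argument, which leaves it in the shell history and in the process list of the bastion for as long as the playbook runs. The following is an added example, not part of the original page or of the project: it prompts for the password and hands it to ansible-playbook through a temporary mode-0600 extra-vars file instead. The helper names add_secret_var, prompt_secret and with_secret_vars are hypothetical.

```shell
#!/bin/sh
# Added example: helper names are hypothetical, not part of the project.

# add_secret_var FILE NAME VALUE
# Append NAME: 'VALUE' (YAML single-quoted scalar) to FILE, kept at mode 0600.
add_secret_var() {
    case $2 in
        ''|*[!A-Za-z0-9_]*) echo "invalid variable name: $2" >&2; return 1 ;;
    esac
    case $3 in
        *"
"*) echo "value must be a single line" >&2; return 1 ;;
    esac
    ( umask 077 && : >>"$1" ) && chmod 600 "$1" || return 1
    # The only escape inside a YAML single-quoted scalar is '' for a literal '.
    # printf is a builtin in bash and dash, so the value is not put in an argv.
    printf "%s: '%s'\n" "$2" "$(printf '%s' "$3" | sed "s/'/''/g")" >>"$1"
}

# prompt_secret LABEL: read one line from the terminal without echoing it.
prompt_secret() {
    printf '%s: ' "$1" >&2
    stty -echo 2>/dev/null
    IFS= read -r _secret
    stty echo 2>/dev/null
    printf '\n' >&2
    printf '%s' "$_secret"
}

# with_secret_vars NAME VALUE COMMAND [ARGS...]
# Run COMMAND with "-e @tmpfile" appended, then delete the file.
with_secret_vars() {
    _name=$1 _value=$2 _rc=0
    shift 2
    _file=$(mktemp "${TMPDIR:-/tmp}/extra_vars_secret.XXXXXX") || return 1
    if add_secret_var "$_file" "$_name" "$_value"; then
        "$@" -e "@$_file" || _rc=$?
    else
        _rc=1
    fi
    rm -f "$_file"
    return "$_rc"
}

# Usage, with the first playbook command of this page:
#   with_secret_vars my_vault_a_create_approle_password \
#     "$(prompt_secret 'a-create-approle password')" \
#     ansible-playbook TERRAFORM_consul_approles_creation.yml \
#       -i inventories/demo/hosts_echo_socat_blue.lst -D --force-handlers \
#       -e @inventories/demo/extra_vars_terraform.yml \
#       -e @inventories/demo/extra_vars_terraform_echo_socat_blue_one.yml
```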

1. The Consul Agent provisioning

We first have to deploy the Consul agent: each host needs to join the Consul cluster because we want the hosts to use it (especially to test the Connect features).

For the socat hosts:

[bastion] (ansible_virtualenv) ~/
$ cd ~/ansible_playbooks/infrasecrets

[bastion] (ansible_virtualenv) ~/ansible_playbooks/infrasecrets
$ ansible-playbook TERRAFORM_consul_approles_creation.yml \
-i inventories/demo/hosts_echo_socat_blue.lst \
-D --force-handlers \
-e @inventories/demo/extra_vars_terraform.yml \
-e @inventories/demo/extra_vars_terraform_echo_socat_blue_one.yml \
-e "my_vault_a_create_approle_password=CHANGE_WITH_CREATE_APPROLE_PASSWORD"

[bastion] (ansible_virtualenv) ~/ansible_playbooks/infrasecrets
$ ansible-playbook TERRAFORM_consul_approles_roleid.yml \
-i inventories/demo/hosts_echo_socat_blue.lst \
-D --force-handlers \
-e @inventories/demo/extra_vars_terraform.yml \
-e @inventories/demo/extra_vars_terraform_echo_socat_blue_one.yml \
-e "my_vault_a_deploy_role_username=a-deploy-echo-role" \
-e "my_vault_a_deploy_role_password=CHANGE_WITH_DEPLOY_ECHO_ROLE_PASSWORD"

[bastion] (ansible_virtualenv) ~/ansible_playbooks/infrasecrets
$ ansible-playbook TERRAFORM_consul_agent.yml \
-i inventories/demo/hosts_echo_socat_blue.lst \
-D --force-handlers \
-e @inventories/demo/extra_vars_terraform.yml \
-e @inventories/demo/extra_vars_terraform_echo_socat_blue_one.yml \
-e "my_vault_a_deploy_secret_username=a-deploy-echo-secret" \
-e "my_vault_a_deploy_secret_password=CHANGE_WITH_DEPLOY_ECHO_SECRET_PASSWORD"

For the HAProxy hosts:

[bastion] (ansible_virtualenv) ~/
$ cd ~/ansible_playbooks/infrasecrets

[bastion] (ansible_virtualenv) ~/ansible_playbooks/infrasecrets
$ ansible-playbook TERRAFORM_consul_approles_creation.yml \
-i inventories/demo/hosts_echo_haproxy_blue.lst \
-D --force-handlers \
-e @inventories/demo/extra_vars_terraform_echo_haproxy_blue.yml \
-e @inventories/demo/extra_vars_terraform.yml \
-e "my_vault_a_create_approle_password=CHANGE_WITH_CREATE_APPROLE_PASSWORD"

[bastion] (ansible_virtualenv) ~/ansible_playbooks/infrasecrets
$ ansible-playbook TERRAFORM_consul_approles_roleid.yml \
-i inventories/demo/hosts_echo_haproxy_blue.lst \
-D --force-handlers \
-e @inventories/demo/extra_vars_terraform.yml \
-e @inventories/demo/extra_vars_terraform_echo_haproxy_blue.yml \
-e "my_vault_a_deploy_role_username=a-deploy-echo-role" \
-e "my_vault_a_deploy_role_password=CHANGE_WITH_DEPLOY_ECHO_ROLE_PASSWORD"

[bastion] (ansible_virtualenv) ~/ansible_playbooks/infrasecrets
$ ansible-playbook TERRAFORM_consul_agent.yml \
-i inventories/demo/hosts_echo_haproxy_blue.lst \
-D --force-handlers \
-e @inventories/demo/extra_vars_terraform.yml \
-e @inventories/demo/extra_vars_terraform_echo_haproxy_blue.yml \
-e "my_vault_a_deploy_secret_username=a-deploy-echo-secret" \
-e "my_vault_a_deploy_secret_password=CHANGE_WITH_DEPLOY_ECHO_SECRET_PASSWORD"

The main idea behind the use of different users is to be able to build a workflow with different responsibilities and tools.

2. The echo project specific provisioning

Then we will deploy the specific parts of the echo project: socat and HAProxy:

[bastion] (ansible_virtualenv) ~/ansible_playbooks/infrasecrets
$ cd ../echo

[bastion] (ansible_virtualenv) ~/ansible_playbooks/echo
$ ansible-playbook TERRAFORM_socat.yml \
-i inventories/demo/hosts_echo_socat_blue.lst \
-D --force-handlers \
-e @inventories/demo/extra_vars_terraform_echo_socat_blue.yml \
-e "my_vault_a_deploy_echo_secret_password=CHANGE_WITH_DEPLOY_ECHO_SECRET_PASSWORD"

[bastion] (ansible_virtualenv) ~/ansible_playbooks/echo
$ ansible-playbook TERRAFORM_haproxy.yml \
-i inventories/demo/hosts_echo_haproxy_blue.lst \
-D --force-handlers \
-e @inventories/demo/extra_vars_terraform_echo_haproxy_blue.yml \
-e "my_vault_a_deploy_echo_secret_password=CHANGE_WITH_DEPLOY_ECHO_SECRET_PASSWORD"

3. Results

You can now check the services and nodes in Consul:

[Screenshot: Consul Services]

[Screenshot: The DNS Load-Balancer: Consul Nodes]

There are some special services named sidecar-proxy: they show that some services are ready to be contacted by other services or can contact other services.

4. Next page!

And we are done, let’s activate our service.