diff --git a/README.md b/README.md index 3b0ce8be..eb7baa67 100644 --- a/README.md +++ b/README.md @@ -179,6 +179,7 @@ The **Ansible Control Node** must have the following installed: - **Ansible** - ansible-core >= 2.11, < 2.17 + - ansible: >=9.x.x To see which Ansible version is currently installed, execute the `ansible --version` command as shown below. @@ -316,7 +317,8 @@ On your control node, execute the following command to install the Itential Depl ansible-galaxy collection install itential.deployer ``` -When a new version of the Deployer is available, you can upgrade using the following command: +This should also install the required ansible dependencies. When a new version of the Deployer is +available, you can upgrade using the following command: ```bash ansible-galaxy collection install itential.deployer --upgrade diff --git a/roles/gateway/tasks/main.yml b/roles/gateway/tasks/main.yml index ca430fa4..52770452 100644 --- a/roles/gateway/tasks/main.yml +++ b/roles/gateway/tasks/main.yml @@ -8,6 +8,7 @@ ansible.builtin.include_vars: file: "{{ item }}" with_first_found: + - "gateway-release-{{ gateway_release }}.yml" # Prefer this new format - "{{ gateway_release }}-{{ ansible_distribution | lower }}-{{ ansible_distribution_major_version }}.yml" - "release-undefined.yml" diff --git a/roles/gateway/templates/properties.4.3.yml.j2 b/roles/gateway/templates/properties.4.3.yml.j2 new file mode 100644 index 00000000..da1fc83e --- /dev/null +++ b/roles/gateway/templates/properties.4.3.yml.j2 @@ -0,0 +1,450 @@ +--- +# Notes: +# +# While many customizations can be made based on your environment and which integrations you +# would like enabled, this file is meant to mimic the installation process found at +# https://docs.itential.io/ as closely as possible so the user can use as many defaults as possible. +# +# This configuration file accepts any valid YAML syntax including the bash-like syntax for lists, +# etc. + +########## +# System # +########## + +# INVENTORY ENCRYPTION +# Set the Fernet encryption key to have IAG encrypt device variables['password'] +# ANYONE THAT HAS THIS KEY CAN DECRYPT YOUR PASSWORDS - PROTECT IT! +# WHICH ALSO MEANS PROTECT YOUR properties.yml file `chmod 600 properties.yml` +# and validate the file's ownership. +#fernet_key: "" + +# The port on which Automation Gateway server will listen for requests. +# Mutually exclusive with bind_list +{% if gateway_https %} +port: {{ gateway_https_port }} +{% else %} +port: {{ gateway_port }} +{% endif %} + +# The gunicorn bind_address string.. +# For ipv4 only use "0.0.0.0", for ipv6 and ipv4 use "[::]" +# Mutually exclusive with bind_list +# +# You can also bind to a linux socket using "unix://" +# if you want to front-end automation-gateway with nginx or another proxy server. +# +# bind_address: "unix:///tmp/gunicorn.sock" +# bind_address: "[::]" +bind_address: {{ inventory_hostname }} + +# List of addresses and ports to bind to. +# This setting will override both 'port' and 'bind_address' +#bind_list: +# - "{{ inventory_hostname }}:{{ gateway_port }}" + +# Base of url for external proxy, used for generating redirects: +# external_address: 'http://automation-gateway.example.com:8080' + +# The number of http server threads for handling requests. +# A good starting point is 2-4 x NUM_CORES then adjust based on observed workload. +http_server_threads: {{ gateway_http_server_threads }} + +# A flag that determines whether authentication is disabled or not. +# Warning: only disable authentication for temporary, non production testing. +authentication_disabled: false + +# The maximum number of concurrent sessions allowed. +authentication_max_sessions: 5000 + +# The idle timeout of each session (in seconds). +authentication_idle_timeout: 600 + +# A boolean flag that enables password reset support (default=false if absent/misconfigured). +password_reset_enabled: false + +# Directory to write global log files to +global_log_directory: '{{ gateway_log_dir }}' + +# Maximum log files kept in rotation +# Valid range of values is 1-100. If value is set to 1, log file will not be limited in size. +max_log_files: 5 + +# NOTE: Log levels for Automation Gateway Server are as follows. +# In order of ascending severity: DEBUG, INFO, WARNING, ERROR, or CRITICAL. +# Log messages of equal and greater severity will be displayed in the relevant log. +# Example: logging_level INFO will display log messages with a severity of INFO -> CRITICAL. +# (default=INFO if absent/misconfigured) + +# Automation Gateway Server Logging Level +logging_level: INFO + +# Automation Gateway HTTP Server Logging Level +# NOTE: request details are DEBUG level log messages, it may be useful to set this to DEBUG +http_logging_level: INFO + +# A flag that enables/disables parameter schema validation for content decorations. +# Generally enabled when using multiple types per parameter, or when testing decorations. +# Example: "commands" could be a literal list of commands, or a string representing a jinja +# variable from your host's variables "{% raw %}{{commands}}{% endraw %}", etc. +strict_args: true + +################ +# SSL Settings # +################ + +# To start the server using SSL/TLS please fill out the following properties. +{% if gateway_https %} +server_certfile: "{{ gateway_ssl_cert_dest }}" + +# Note: gunicorn does not currently support encrypted key files. +server_keyfile: "{{ gateway_ssl_key_dest }}" + +server_cabundle: "{{ gateway_ssl_rootca_dest }}" +{% else %} +#server_certfile: "{{ gateway_ssl_cert_dest }}" + +# Note: gunicorn does not currently support encrypted key files. +#server_keyfile: "{{ gateway_ssl_key_dest }}" + +# server_cabundle: "{{ gateway_ssl_rootca_dest }}" +{% endif %} + +# TLSv1_2 +{% if gateway_https and gateway_tlsv1_2 %} +server_ssl_version: "TLSv1_2" +{% else %} +#server_ssl_version: "TLSv1_2" +{% endif %} + +# You may also set custom SSL Ciphers. +# +# https://docs.gunicorn.org/en/20.x/settings.html#ciphers +# +{% if server_ssl_ciphers is defined %} +server_ssl_ciphers: "{{ server_ssl_ciphers }}" +{% else %} +# server_ssl_ciphers: "ECDHE-ECDSA-AES128-GCM-SHA256:..."" +{% endif %} + +############# +# Databases # +############# + +# Path to the main Automation Gateway sqlite database file. +data_file: 'sqlite:///{{ gateway_data_dir }}/automation-gateway.db' + +# A flag which determines whether or not audit logging is enabled. (default=true if +# absent/misconfigured) +audit: true + +# The number of days (days >= 0) worth of data to retain in the audit log database +# Records earlier than the specified days will be deleted. (default=None if absent/misconfigured) +audit_retention_days: 30 + +# Path to the auxillary Automation Gateway sqlite database file for audit logs. +audit_db_file: 'sqlite:///{{ gateway_data_dir }}/automation-gateway_audit.db' + +# Path to the auxillary Automation Gateway sqlite database file for execution logs. +exec_history_db_file: 'sqlite:///{{ gateway_data_dir }}/automation-gateway_exec_history.db' + +####################### +# LDAP Authentication # +####################### + +# +# LDAP Basic SETTINGS +# + +# Enable LDAP authentication globally +ldap_auth_enabled: false + +# LDAP server hostname or IP address +ldap_server: 'ldap.example.com' + +# LDAP BASE DN +ldap_base_dn: 'DC=example,DC=com' + +# LDAP BIND Username +ldap_bind_user_dn: 'CN=admin,CN=users,DC=example,DC=com' + +# LDAP BIND Password +ldap_bind_user_password: '' + +# +# LDAP Securitry +# + +# Enable LDAPS +ldap_secure_enabled: false + +# Validate the servers TLS certificate +ldap_secure_validation_enabled: true + +# TLS version to use when connection to LDAP server (default: TLSv1.2) +# Options ["1", "1.1", "1.2"] +ldap_secure_validation_tls_version: '1.2' + +# Location of local CA certificate file for server validation +ldap_ca_certs_file: '/etc/ssl/certs/ca.crt' + +# +# LDAP User Search +# CN=SvcLveINA,OU=Service Accounts,OU=Protected Accounts,OU=SEC,DC=mid,DC=dom + +# Search LDAP for the username before doing a bind +ldap_always_search_bind: true + +# LDAP user search filter +ldap_user_search_filter: '(objectclass=person)' + +# LDAP user search scope +# Options "LEVEL" or "SUBTREE" +ldap_user_search_scope: 'SUBTREE' + +# User login attribute +ldap_user_login_attr: 'sAMAccountName' + +# User login RDN (relative directory name) attribute +# uid=testuser,ou=users,dc=example,dc=com = 'uid' +# cn=testuser,ou=users,dc=example,dc=com = 'cn' +ldap_user_rdn_attr: 'cn' + +# LDAP user DN used to be prepended to the base DN to limit the scope when searching for users +ldap_user_dn : '' # OU=users + +# +# LDAP GROUP OPTIONS +# + +# Group search filter +ldap_group_search_filter: '(objectClass=group)' + +# Group search scope +# Options "LEVEL" or "SUBTREE" +ldap_group_search_scope: 'SUBTREE' + +# Group members attribute +ldap_group_members_attr: 'member' + +# LDAP group DN used to be prepended to the base DN to limit the scope when searching for groups +ldap_group_dn : '' # OU=groups + +########### +# Ansible # +########### + +# A boolean flag that enables Ansible support (default=true if absent/misconfigured). +ansible_enabled: {{ gateway_enable_ansible }} + +# A boolean which logs additional debug messages when executing Ansible modules, roles, or +# playbooks. Set the ansible_debug property to true to log additional debug messages when +# executing Ansible modules, roles, or playbooks. (default=false if absent/misconfigured) +ansible_debug: false + +# A flag to prevent deletion of the temporary files generated by executing +# Ansible content (modules, collections, roles, playbooks). (default=false if absent/misconfigured) +no_cleanup: false + +# Path of the file that contains a password used by ansible-vault to encrypt sensitive data. +# Uncomment this property if you will be using Ansible vault encrypted variables. +# Be sure to secure this file with permissions of 0200 or 0400. +#vault_password_file: "/opt/automation-gateway/conf/.vault_password_file" + +# Path to the Ansible external inventory file (folders not valid). +# A valid file will disable Ansible Internal inventory and instead use only this Ansible External +# inventory. +inventory_file: '{{ gateway_install_dir }}/ansible/inventory/hosts' + +# Path(s) to the Ansible modules that should be discovered by Automation Gateway and appended to +# Ansible's execution environment. All non-collection paths (see Ansible 2.10 notes below) known to +# Ansible are already included and do not need to be specified. # Additionally, this parameter needs +# to be configured if the path reported by 'ansible --version' is incorrect or you would like to +# customize/trim down the set of Ansible modules that will be discovered (see Ansible<=2.9 notes +# below). +# Trim example for ansible 2.9: "/usr/local/lib/python3.9/site-packages/ansible/modules/network" +# NOTE: Use only the site-packages paths you need for your installation to avoid +# cross environment issues in the case where multiple of these paths exist +module_path: + - "{{ gateway_install_dir }}/venv/lib/python{{ gateway_python_version }}/site-packages/ansible/modules/network" + - "{{ gateway_install_dir }}/venv/lib/python{{ gateway_python_version }}/site-packages/ansible/modules" + +# Path(s) to the Ansible collections that should be discovered by Automation Gateway and +# exclusively used in Ansible's execution environment. Due to differences in collections +# before/after Ansible 2.9, these will be the only paths relevant during discovery AND execution. +collection_path: + - "{{ gateway_install_dir }}/ansible/collections" + - "{{ gateway_install_dir }}/venv/lib/python{{ gateway_python_version }}/site-packages/ansible_collections" + +# Path(s) to the Ansible roles that should be discovered by Automation Gateway and appended to +# Ansible's execution environment. +role_path: + - "{{ gateway_install_dir }}/venv/lib/python{{ gateway_python_version }}/site-packages/automation_gateway/integrations/roles" + +# Path(s) to customized roles that extend device support of the Itential roles found in the release, +# i.e., itential_cli, itential_get_config. +extended_device_role_path: + # This path will enable connecting to devices that use Netmiko + - "{{ gateway_install_dir }}/venv/lib/python{{ gateway_python_version }}/site-packages/automation_gateway/integrations/extensible_device_roles/ansible_netmiko" + +# Discovery behavior for Ansible playbooks. Determines whether or not to +# recursively search the directories found in the 'playbook_path' parameter, or +# to only search those directories and no deeper. (default=true if absent/misconfigured) +playbook_recursive: true + +# Path(s) to the Ansible playbooks that should be discovered by Automation Gateway and appended to +# Ansible's execution environment. +playbook_path: + - "{{ gateway_install_dir }}/venv/lib/python{{ gateway_python_version }}/site-packages/automation_gateway/integrations/playbooks" + +################# +# HTTP_Requests # +################# + +# A boolean flag that enables HTTP_Requests support (default=true if absent/misconfigured). +http_requests_enabled: {{ gateway_enable_httpreq }} + +########### +# NETCONF # +########### + +# A boolean flag that enables Netconf support (default=false if absent/misconfigured). +netconf_enabled: {{ gateway_enable_netconf }} + +########### +# Netmiko # +########### + +# A boolean flag that enables Netmiko support (default=false if absent/misconfigured). +netmiko_enabled: {{ gateway_enable_netmiko }} + +########## +# Nornir # +########## + +# A boolean flag that enables Nornir support (default=false if absent/misconfigured). +nornir_enabled: {{ gateway_enable_nornir }} + +# Path to the Nornir configuration file. +# A valid file will allows the use of Nornir External inventory. +nornir_config_file: '{{ gateway_install_dir }}/nornir/config.yml' + +# Discovery behavior for Nornir modules. Determines whether or not to +# recursively search the directories found in the 'nornir_module_path' parameter, or +# to only search those directories and no deeper. (default=true if absent/misconfigured) +nornir_module_recursive: true + +# Path(s) to the Nornir modules that should be discovered by Automation Gateway. +nornir_module_path: + # Default location for custom content per the setup script + - '{{ gateway_install_dir }}/nornir/modules' + +########### +# Scripts # +########### + +# A boolean flag that enables Scripts support (default=true if absent/misconfigured). +scripts_enabled: {{ gateway_enable_scripts }} + +# Discovery behavior for standalone scripts. Determines whether or not to +# recursively search the directories found in the 'script_path' parameter, or +# to only search those directories and no deeper. (default=true if absent/misconfigured) +script_recursive: true + +# Path(s) to the standalone scripts that should be discovered by Automation Gateway. +script_path: + - "{{ gateway_install_dir }}/scripts" + +################ +# Python Venvs # +################ + +# Enable python venv support +python_venv_enabled: {{ gateway_enable_python_venv }} + +# Paths to python venvs for use in scripts +python_venv_paths: + - "{{ gateway_install_dir }}/venvs/" + +################## +# GRPC gNMI/gNOI # +################## + +# Grpc requires grpcio and pygnmi to be installed +grpc_enabled: {{ gateway_enable_grpc }} + +############# +# Terraform # +############# + +# A boolean flag that enables Terraform support (default=false if absent/misconfigured). +terraform_enabled: false + +# Discovery behavior for Terraform modules. Determines whether or not to +# recursively search the directories found in the 'terraform_path' parameter, or +# to only search those directories and no deeper. (default=true if absent/misconfigured) +terraform_recursive: true + +# Path(s) to the Terraform modules that should be discovered by Automation Gateway. +terraform_path: + # Default location for custom content per the setup script + - '/usr/share/automation-gateway/terraform' + # Legacy path for backwards compatibility + - '/usr/share/automation-gateway/terraform/scripts' + +################### +# Hashicorp Vault # +################### + +# A flag that enables Hashicorp Vault support. (default=false if absent/misconfigured) +vault_enabled: false + +# The URL to the Hashicorp Vault server. +#vault_server: "https://localhost:8200" + +# The mount point on which the Hashicorp Vault KV-V2 secret engine is enabled. +#vault_mount_point: secret + +# The path to a file containing the vault access token used by the AG Server for +# Hashicorp Vault operations. The file should be secured with 0400 permissions. +#vault_access_token: "{{ gateway_install_dir }}/conf/.vault_token_file" + +# A flag that enables TLS certificate verification when sending reqests to the Hashicorp +# Vault Server. (default=false if absent/misconfigured) +#vault_cert_verification: false + +# The path to a CA (Certificate Authority) file. This file is used to perform TLS certificate +# verification when sending requests to a Hashicorp Vault Server configured with a self-signed +# certificate. This parameter is not required when sending requests to a Hashicorp Vault Server +# configured with a certificate signed by a trusted authority. +#vault_ca_file: "{{ gateway_install_dir }}/conf/certs/cert.pem" + +# The path to a client certificate PEM file used for performing TLS authentication of the AG +# vault client with the Hashicorp Vault Server. Both a client certificate file and a key file +# must be configured for TLS authentication to be utilized. +#vault_client_cert_file: "{{ gateway_install_dir }}/conf/certs/cert.pem" + +# The path to a client key PEM file used for performing TLS authentication of the AG vault +# client with the Hashicorp Vault Server. Both a client certificate file and a key file +# must be configured for TLS authentication to be utilized. +#vault_client_key_file: "{{ gateway_install_dir }}/conf/certs/key.pem" + +################### +# Git Integration # +################### + +git_enabled: {{ gateway_enable_git }} + +# The parent folder to use for ssh key storage. +git_key_path: {{ gateway_install_dir }}/ssh/ + +# The parent path for all git repositories added via Git Integration +git_repo_path: {{ gateway_install_dir }}/repos/ + +# If you do not specify a git_exec path we will look for the first +# git executable in the environment. +# git_exec: /usr/local/bin/git + +# Strict host key checking +# +git_strict_host_check: false \ No newline at end of file diff --git a/roles/gateway/vars/gateway-release-4.3.yml b/roles/gateway/vars/gateway-release-4.3.yml new file mode 100644 index 00000000..5b7f7960 --- /dev/null +++ b/roles/gateway/vars/gateway-release-4.3.yml @@ -0,0 +1,54 @@ +# Copyright (c) 2024, Itential, Inc +# GNU General Public License v3.0+ (see LICENSE or https://www.gnu.org/licenses/gpl-3.0.txt) +--- +gateway_packages: + - gcc-c++ + - make + - selinux-policy + - selinux-policy-targeted + +gateway_build_packages: + - gcc-c++ + - make + - python3-devel + +gateway_python_version: 3.9 +gateway_python_executable: "/usr/bin/python{{ gateway_python_version }}" +gateway_pip_executable: "/usr/bin/pip{{ gateway_python_version }}" + +gateway_python_packages_map: + "8": + - python39 + - python39-pip + - python39-devel + "9": + - python3 + - python3-pip + - python3-devel + "2023": + - python3 + - python3-pip + - python3-devel + +# Backwards compatible variable name references the appropriate list from the map +gateway_python_packages: "{{ gateway_python_packages_map[ansible_distribution_major_version] }}" + +gateway_python_base_dependencies: + - pip==24.0 + - setuptools==69.0.3 + - wheel==0.42.0 + +gateway_python_app_dependencies: + - ansible-pylibssh==1.1.0 + - flask-ldap3-login==0.9.18 + - grpcio==1.53.0 + - hvac==1.0.2 + - ldap3==2.9.1 + - ncclient==0.6.10 + - netmiko==4.1.2 + - nornir==3.3.0 + - nornir-netmiko==0.2.0 + - nornir-utils==0.2.0 + - pygnmi==0.8.9 + +gateway_ansible_version: ansible==8.7.0