Add some ansible roles to deploy repospanner

Signed-off-by: Randy Barlow <randy@electronsweatshop.com>
bowlofeggs authored and mergify committed Aug 29, 2019
1 parent 2aad5c4 commit 129314317bc05fddc82cce85b58a7c79a2fe2a9a
@@ -23,7 +23,6 @@ vendor/
*.crt
*.key
*.yaml
*.yml
*.tks
!.mergify.yml
!.travis.yml
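Review bot: the hunk header (-23,7 +23,6) shows that exactly one ignore pattern is removed here, but the rendered page has lost the +/- markers, so which of `*.crt`, `*.key`, `*.yaml`, `*.yml`, `*.tks`, `!.mergify.yml`, `!.travis.yml` goes is not visible. If it is `*.yml` (which the new `ansible/.../main.yml` files would need), then the `!.mergify.yml` and `!.travis.yml` exceptions become dead entries and should be dropped in the same change; if it is anything else, the new Ansible YAML files stay ignored and the commit would not actually track them. Either way, keep `*.crt` and `*.key` ignored: the CA role writes node certificates and private keys under `/etc/pki/repospanner/`, and nothing should make it easy to commit those.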
@@ -0,0 +1,69 @@
# Install by hand

## Build

Make sure you have a Go toolchain available, and run:

$ ./build.sh

## Configuration

A repoSpanner deployment is called a "cluster", which consists of one or
more "regions", which contain one or more "nodes". A cluster contains
all nodes that are under the same deployment, and a region contains all
nodes that talk and synchronize amongst each other.

The `nodename.regionname.clustername` should be the FQDNs the nodes use
to communicate with their peers.

You will need to do a small amount of configuration to get started.
Copy ```config.yml.example``` to ```/etc/repospanner/config.yml``` and
edit a few of the settings to match your environment:

* ```admin.url```
* ```certificates.client.cert```
* ```certificates.client.key```
* ```certificates.server.default.cert```
* ```certificates.server.default.key```

Of course, feel free to stroll through the file and season to taste as
well.


## Certificate authority

The repoSpanner binary contains all the tools needed to create the
Certificate Authority (CA) to perform the pushes. To initiate a
cluster, run: `repospanner ca init <cluster-name>`. E.g.:

$ repospanner ca init repospanner.local.

To create node certificates, run: `repospanner ca node <region>
<nodename>`. E.g.:

$ repospanner ca node regiona nodea


# Join nodes to the cluster

After creating the certificates, deploy them to the nodes, and create
configuration files (default: `/etc/repospanner/config.yml`). Then on
the first node, invoke the following to make it initialize its databases:

$ repospanner serve --spawn

And then, to run it:

$ repospanner serve

Or start the `repospanner.service` unit file. Then on any further nodes,
run: `repospanner serve --join https://<running.node.fqdn>:<rpcport>`, e.g.:

$ repospanner serve --joinnode \
https://nodea.regiona.repospanner.local:8443

And then run:

repospanner serve

Or, again, start the `repospanner.service` unit file.
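Review bot: the prose on the "Then on any further nodes" line says `repospanner serve --join https://...` while the example two lines below uses `--joinnode`; one of the two is wrong and a reader copying the prose form will get a flag error, so make them agree. Smaller points in the same file: the final `repospanner serve` is missing the `$ ` prompt the other commands use; `# Join nodes to the cluster` is a top-level heading while its siblings (`## Build`, `## Configuration`, `## Certificate authority`) are second-level; and the file never says where `repospanner ca init` and `repospanner ca node` write their output, so the `certificates.client.cert` / `certificates.server.default.key` settings listed under Configuration cannot be filled in from this document alone. "Certificate Authority (CA) to perform the pushes" also reads oddly; the CA issues the node and client certificates that authenticate pushes, so say that.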
@@ -14,45 +14,21 @@ push failing due to an attempt to push to the failed node.
*Note*: As a consequence of this, it is strongly suggested to deploy
regions with odd numbers of nodes.

## Build repoSpanner

Make sure you have a Go toolchain available, and run:

$ ./build.sh

## Deployment

A repoSpanner deployment is called a "cluster", which consists of one or
more "regions", which contain one or more "nodes". A cluster contains
all nodes that are under the same deployment, and a region contains all
nodes that talk and synchronize amongst each other.

The `nodename.regionname.clustername` should be the FQDNs the nodes use
to communicate with their peers.

You will need to do a small amount of configuration to get started.
Copy ```config.yml.example``` to ```/etc/repospanner/config.yml``` and
edit a few of the settings to match your environment:
There are two ways to deploy repoSpanner:

* ```admin.url```
* ```certificates.client.cert```
* ```certificates.client.key```
* ```certificates.server.default.cert```
* ```certificates.server.default.key```
* [Ansible](ansible/README.md)
* [Manual](INSTALL.md)

Of course, feel free to stroll through the file and season to taste as
well.

The repoSpanner binary contains all the tools needed to create the
Certificate Authority (CA) to perform the pushes. To initiate a
cluster, run: `repospanner ca init <cluster-name>`. E.g.:
## Repository access

$ repospanner ca init repospanner.local.
After the nodes are installed and running, the service will be available on https://<node.fqdn>/.

To create node certificates, run: `repospanner ca node <region>
<nodename>`. E.g.:

$ repospanner ca node regiona nodea
### Client certificates

To create leaf certificates (for admin and to push/pull), run:

@@ -65,31 +41,6 @@ this certificate is valid (globbing possible), e.g.:
$ repospanner ca leaf admin --admin --write \
--read --region "*" --repo "*"

After creating the certificates, deploy them to the nodes, and create
configuration files (default: `/etc/repospanner/config.yml`). Then on
the first node, invoke the following to make it initialize its databases:

$ repospanner serve --spawn

And then, to run it:

$ repospanner serve

Or start the `repospanner.service` unit file. Then on any further nodes,
run: `repospanner serve --join https://<running.node.fqdn>:<rpcport>`, e.g.:

$ repospanner serve --joinnode \
https://nodea.regiona.repospanner.local:8443

And then run:

repospanner serve

Or, again, start the `repospanner.service` unit file.

## Repository access

After this, the service will be available on https://<node.fqdn>/

### Create

@@ -0,0 +1,95 @@
# repoSpanner Ansible roles

This directory contains three Ansible roles that are useful when deploying a repoSpanner cluster:

* ```ca``` - Used to configure the certificate authority, and to generate node certificates.
* ```install``` - Used to download the repoSpanner source code, build, and install.
* ```node``` - Used to configure the repoSpanner nodes and join them to the cluster.


## Role variables

The following variables can be used to customize your deployment:


### Build/install settings

repoSpanner is currently installed by downloading the source and compiling it. The following
settings pertain to customizing the build or installation.

* ```repospanner_prefix``` (str) - A path prefix to be used when installing repoSpanner to the
nodes. Defaults to ```"/usr"```.
* ```repospanner_repo``` (str) - This is the git repository from which the sources should be pulled.
Defaults to ```"https://github.com/repoSpanner/repoSpanner.git"```.
* ```repospanner_update``` (bool) - Whether or not to update the repospanner deployment on
subsequent runs of the playbook. Defaults to ```true```.
* ```repospanner_version``` (str) - Which git ref to install. Defaults to ```"master"```.
* ```repospanner_build_deps``` (seq of str) - A list of build dependencies for building repoSpanner
on each node. Defaults to ```["golang"]```.
* ```repospanner_clone_path``` (str) - A filesystem path in which to clone the repoSpanner sources.
Defaults to ```"/tmp/repospanner"```.


### Configuration settings

The following settings pertain to configuring repoSpanner itself:

* ```repospanner_admin_address``` (str) - The address that the administrative interface
listens on. Defaults to ```"0.0.0.0"```.
* ```repospanner_client_address``` (str) - The address that the client interface listens
on. Defaults to ```"0.0.0.0"```.
* ```repospanner_admin_port``` (int) - The port that the administrative interface listens on.
Defaults to ```8443```.
* ```repospanner_client_port``` (int) - The port that the client interface listens on. Defaults to
```443```.
* ```repospanner_cluster``` (str) - The top level domain name of the cluster. Defaults to
```"repospanner.example.com"```.
* ```repospanner_region_name``` (str) - The name of the region the node is part of. Defaults to
```"dc0"```.
### CA settings
The CA has one setting:
* ```repospanner_nodes``` (seq of str) - A list of node hostnames. The CA needs to know a list of
the nodes in order to generate their client certificates and keys. This setting should simply be a
list of node hostnames. It defaults to ```"{{ groups['repospanner_nodes'] }}"```), or more simply
stated, the list of hosts in the Ansible group named ```"repospanner_nodes"```.
## Example playbook
Here is an example playbook that deploys a repoSpanner cluster. It assumes you have an Ansible
group called ```repospanner_nodes``` defined that container a list of hosts you want to act as nodes
in your cluster. It also assumes you have a host called repospanner_ca.example.com to act as your
CA.
```
---
- hosts:
- repospanner_ca.example.com
- repospanner_node
become: true
vars:
roles:
- repospanner_install


- hosts:
- repospanner_ca.example.com
become: true
vars:
roles:
- repospanner_ca


- hosts:
- repospanner_node
become: true
vars:
roles:
- repospanner_node
tags:
- node
```
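Review bot: the group and role names in the example playbook do not match the rest of the file. The prose and the `repospanner_nodes` default (`"{{ groups['repospanner_nodes'] }}"`) use an inventory group called `repospanner_nodes`, but the playbook targets `repospanner_node` (singular) in both the install and node plays, so with the example as written the CA role iterates over an undefined group. Likewise the roles are introduced as `ca`, `install` and `node` but referenced as `repospanner_ca`, `repospanner_install` and `repospanner_node` in the playbook; pick one naming and use it in both places. Minor: "defined that container a list of hosts" should be "contains"; the empty `vars:` keys in each play can go; and `### CA settings` and `## Example playbook` need a blank line before them or the preceding bullet runs into the heading when rendered.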
@@ -0,0 +1,40 @@
---
## Install settings

# A list of build dependencies needed for repospanner
repospanner_build_deps:
- golang
# Where to clone the repo to
repospanner_clone_path: /tmp/repospanner
# Where to install repospanner (it will go into a bin/ folder inside this path, so by default it
# will be /usr/bin/{repospanner,repohookrunner,repobridge}
repospanner_prefix: /usr
# Where to clone repospanner from
repospanner_repo: https://github.com/repoSpanner/repoSpanner.git
# Whether to update the repospanner deployment on each run of the playbook. Defaults to true.
repospanner_update: true
# Which git ref to install
repospanner_version: master


## Config file settings

# The address that the repospanner admin interface listens on
repospanner_admin_address: "0.0.0.0"
# The address that the repospanner client interface listens on
repospanner_client_address: "0.0.0.0"
# The port that the repospanner admin interface listens on
repospanner_admin_port: 8443
# The port that the repospanner client interface listens on
repospanner_client_port: 443
# The top level domain name of the repospanner cluster
repospanner_cluster: repospanner.example.com
# The name of this node's region
repospanner_region_name: dc0


# CA settings
# The CA needs to know a list of the nodes in order to generate their client certificates and keys.
# This setting should simply be a list of node hostnames. It defaults to the hosts in the Ansible
# group named repospanner_nodes.
repospanner_nodes: "{{ groups['repospanner_nodes'] }}"
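Review bot: `repospanner_version: master` combined with `repospanner_update: true` means every playbook run clones whatever upstream HEAD is at that moment and builds and installs it as the node binary, with no pin to a tag or commit and nothing to verify; for anything beyond a lab, document that operators should set `repospanner_version` to a specific tag or commit hash and consider `repospanner_update: false` once a cluster is in service. Two more defaults worth a comment: `repospanner_clone_path: /tmp/repospanner` is a predictable path in a world-writable directory, and since the build is installed privileged, a pre-created `/tmp/repospanner` owned by another local user is a way to feed the build; a root-owned directory under `/var/lib` or `/usr/src` avoids that. And `repospanner_admin_address: "0.0.0.0"` exposes the admin RPC on every interface by default; say in the comment that it should be narrowed to the peer-facing address, or that the admin port must be firewalled, rather than leaving it silent. The comment "Defaults to true." on `repospanner_update` is redundant in the defaults file itself.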
@@ -0,0 +1,53 @@
---
- name: Initialize the CA
command: "{{ repospanner_prefix }}/bin/repospanner ca init {{ repospanner_cluster }}"
args:
creates: "/etc/pki/repospanner/ca.key"

- name: Create node certificates
command: "{{ repospanner_prefix }}/bin/repospanner ca node {{ hostvars[item]['repospanner_region_name'] }} {{ hostvars[item]['ansible_hostname'] }}"
args:
creates: "/etc/pki/repospanner/{{ hostvars[item]['ansible_hostname'] }}.{{ hostvars[item]['repospanner_region_name'] }}.key"
with_items: "{{ repospanner_nodes }}"

- name: Slurp the CA
slurp:
src: /etc/pki/repospanner/ca.crt
register: repospanner_ca_slurp

- name: Slurp node certificates
slurp:
src: "/etc/pki/repospanner/{{ hostvars[item]['ansible_hostname'] }}.{{ hostvars[item]['repospanner_region_name'] }}.crt"
register: "certificates"
with_items: "{{ repospanner_nodes }}"

- name: Slurp node keys
slurp:
src: "/etc/pki/repospanner/{{ hostvars[item]['ansible_hostname'] }}.{{ hostvars[item]['repospanner_region_name'] }}.key"
register: "keys"
with_items: "{{ repospanner_nodes }}"

- name: Set node ca fact
set_fact:
repospanner_ca_cert: "{{ repospanner_ca_slurp.content | b64decode }}"
delegate_to: "{{ item }}"
delegate_facts: true
with_items: "{{ repospanner_nodes }}"

- name: Set node certificate facts
set_fact:
repospanner_node_cert: "{{ item.content | b64decode }}"
delegate_to: "{{ item.item }}"
delegate_facts: true
# We don't want Ansible to print this out to the terminal
no_log: true
with_items: "{{ certificates.results }}"

- name: Set node key facts
set_fact:
repospanner_node_key: "{{ item.content | b64decode }}"
delegate_to: "{{ item.item }}"
delegate_facts: true
# We don't want Ansible to print this out to the terminal
no_log: true
with_items: "{{ keys.results }}"
