From 0ff57276dc496683bfe223ec2e4e8e350f610c44 Mon Sep 17 00:00:00 2001 From: dosera Date: Thu, 21 Mar 2024 14:04:33 +0100 Subject: [PATCH 1/5] Ensure that OS package conflicts can be handled properly --- molecule/_shared/Dockerfile.j2 | 4 ++-- tasks/install.yml | 27 +++++++++++++++++++++++---- vars/Archlinux.yml | 2 +- vars/Debian.yml | 14 +++++++------- vars/RedHat.yml | 15 +++++++++------ vars/VMware Photon OS.yml | 2 +- 6 files changed, 43 insertions(+), 21 deletions(-) diff --git a/molecule/_shared/Dockerfile.j2 b/molecule/_shared/Dockerfile.j2 index 7be7211b..c1ade461 100644 --- a/molecule/_shared/Dockerfile.j2 +++ b/molecule/_shared/Dockerfile.j2 @@ -16,9 +16,9 @@ ENV {{ var }} {{ value }} RUN if [ $(command -v apt-get) ]; then \ if grep -q "Debian GNU/Linux 10" /etc/os-release; then \ - apt-get update && apt-get install -y systemd python sudo bash ca-certificates iproute2 python-apt-common && apt-get clean; \ + apt-get update && apt-get install -y systemd python sudo bash ca-certificates iproute2 python-apt python-apt-common && apt-get clean; \ elif grep -q "Debian GNU/Linux 11" /etc/os-release; then \ - apt-get update && apt-get install -y systemd python sudo bash ca-certificates iproute2 python-apt-common && apt-get clean; \ + apt-get update && apt-get install -y systemd python sudo bash ca-certificates iproute2 python-apt python-apt-common && apt-get clean; \ else \ apt-get update && apt-get install -y systemd python3 sudo bash ca-certificates iproute2 python3-apt && apt-get clean; \ fi \ diff --git a/tasks/install.yml b/tasks/install.yml index 7b9371f4..bcd18406 100644 --- a/tasks/install.yml +++ b/tasks/install.yml 
@@ -1,17 +1,36 @@ --- # File: install.yml - package installation tasks for Nomad # noqa 106 +- name: Gather the OS packages + ansible.builtin.package_facts: + manager: auto + tags: installation + +- name: Initialize a fact with the OS packages to install + ansible.builtin.set_fact: + nomad_os_packages_fact: [] + tags: installation + +- name: Set a fact with the OS packages to really install + ansible.builtin.set_fact: + nomad_os_packages_fact: "{{ nomad_os_packages_fact + [item] }}" + with_items: "{{ nomad_os_packages }}" + tags: installation + when: + - item.handle is not defined or item.handle != 'skip' + - item.conflicts is not defined or item.conflicts not in ansible_facts.packages + - name: Install OS packages ansible.builtin.package: - name: "{{ item }}" + name: "{{ item.name }}" state: present - with_items: "{{ nomad_os_packages }}" + with_items: "{{ nomad_os_packages_fact }}" tags: installation when: not ansible_facts['os_family'] == "VMware Photon OS" - name: Install OS packages # noqa no-changed-when - ansible.builtin.command: tdnf install {{ item }} - with_items: "{{ nomad_os_packages }}" + ansible.builtin.command: tdnf install {{ item.name }} + with_items: "{{ nomad_os_packages_fact }}" tags: installation when: ansible_facts['os_family'] == "VMware Photon OS" diff --git a/vars/Archlinux.yml b/vars/Archlinux.yml index 3179bc94..e81f1ff8 100644 --- a/vars/Archlinux.yml +++ b/vars/Archlinux.yml @@ -2,6 +2,6 @@ # File: Archlinux.yml - Archlinux variables for Nomad nomad_os_packages: - - unzip + - name: unzip nomad_syslog_enable: false diff --git a/vars/Debian.yml b/vars/Debian.yml index 451afc45..a6b02074 100644 --- a/vars/Debian.yml +++ b/vars/Debian.yml 
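Review bot: The "Set a fact with the OS packages to really install" task never adds an entry that carries `handle: skip`, because the two `when` clauses are ANDed and the first one is already false whenever `item.handle == 'skip'`; with vars/RedHat.yml (the hunk below) now declaring `curl` with `handle: skip`, curl stops being installed on every RedHat-family host, whether or not `curl-minimal` is present. If "skip" is meant as "skip only when the conflicting package is installed", the conflicts clause alone expresses that, `when: item.conflicts is not defined or item.conflicts not in ansible_facts.packages`; if other `handle` values are planned, fold it in as `or item.handle | default('skip') != 'skip'` rather than keeping it as a separate ANDed clause. `ansible_facts.packages` is keyed by package name, so the `in` test is a key lookup and works as written; whether `package_facts` with `manager: auto` returns data on VMware Photon OS is not visible here and is worth confirming in molecule, because the tdnf task now depends on that fact as well. A comment above the filter task, `# Drop packages whose declared conflicting package is already installed`, would spell the rule out for the next reader.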
@@ -2,10 +2,10 @@ # File: vars/Debian.yml - Debian OS variables for Nomad nomad_os_packages: - - curl - - git - - "{% if (ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('22.10', '<')) or (ansible_distribution == 'Debian' and ansible_distribution_version - is version('12', '<')) %}libcgroup1{% else %}libcgroup2{% endif %}" - - unzip - - "{% if (ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('19', '<')) or (ansible_distribution == 'Debian' and ansible_distribution_version - is version('11', '<')) %}cgroup-bin{% else %}cgroup-tools{% endif %}" + - name: curl + - name: git + - name: "{% if (ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('22.10', '<')) + or (ansible_distribution == 'Debian' and ansible_distribution_version is version('12', '<')) %}libcgroup1{% else %}libcgroup2{% endif %}" + - name: unzip + - name: "{% if (ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('19', '<')) + or (ansible_distribution == 'Debian' and ansible_distribution_version is version('11', '<')) %}cgroup-bin{% else %}cgroup-tools{% endif %}" diff --git a/vars/RedHat.yml b/vars/RedHat.yml index 115f8929..216bdcaa 100644 --- a/vars/RedHat.yml +++ b/vars/RedHat.yml 
@@ -2,9 +2,12 @@ # File: vars/RedHat.yml - Red Hat OS variables for Nomad nomad_os_packages: - - "{% if (ansible_distribution == 'AlmaLinux' and ansible_distribution_version is version('9', '>=')) %}curl-minimal{% else %}curl{% endif %}" - - git - - "{% if (ansible_distribution == 'Fedora' and ansible_distribution_version is version('28', '<')) or (ansible_distribution == 'CentOS' and ansible_distribution_version - is version('8', '<')) or (ansible_distribution == 'Amazon' and ansible_distribution_version is version('3', '<')) or (ansible_distribution == 'OracleLinux' and - ansible_distribution_version is version('8', '<')) %}libselinux-python{% else %}python3-libselinux{% endif %}" - - unzip + - name: curl + conflicts: curl-minimal + handle: skip + - name: git + - name: "{% if (ansible_distribution == 'Fedora' and ansible_distribution_version is version('28', '<')) + or (ansible_distribution == 'CentOS' and ansible_distribution_version is version('8', '<')) + or (ansible_distribution == 'Amazon' and ansible_distribution_version is version('3', '<')) + or (ansible_distribution == 'OracleLinux' and ansible_distribution_version is version('8', '<')) %}libselinux-python{% else %}python3-libselinux{% endif %}" + - name: unzip diff --git a/vars/VMware Photon OS.yml b/vars/VMware Photon OS.yml index ccd3a4c0..a80b58f1 100644 --- a/vars/VMware Photon OS.yml +++ b/vars/VMware Photon OS.yml @@ -1,3 +1,3 @@ --- nomad_os_packages: - - unzip + - name: unzip From beca052a3c05a81b025eb9765629b5bf28f5f71f Mon Sep 17 00:00:00 2001 From: dosera Date: Thu, 21 Mar 2024 20:29:56 +0100 Subject: [PATCH 2/5] Use correct 'python3-apt' dependencies in Debian 11 --- molecule/_shared/Dockerfile.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/molecule/_shared/Dockerfile.j2 b/molecule/_shared/Dockerfile.j2 index c1ade461..66d09f05 100644 --- a/molecule/_shared/Dockerfile.j2 +++ b/molecule/_shared/Dockerfile.j2 
@@ -18,7 +18,7 @@ RUN if [ $(command -v apt-get) ]; then \ if grep -q "Debian GNU/Linux 10" /etc/os-release; then \ apt-get update && apt-get install -y systemd python sudo bash ca-certificates iproute2 python-apt python-apt-common && apt-get clean; \ elif grep -q "Debian GNU/Linux 11" /etc/os-release; then \ - apt-get update && apt-get install -y systemd python sudo bash ca-certificates iproute2 python-apt python-apt-common && apt-get clean; \ + apt-get update && apt-get install -y systemd python sudo bash ca-certificates iproute2 python3-apt python-apt-common && apt-get clean; \ else \ apt-get update && apt-get install -y systemd python3 sudo bash ca-certificates iproute2 python3-apt && apt-get clean; \ fi \ From 50176e898ffebc28e4a0e0ceca086402161d1bf0 Mon Sep 17 00:00:00 2001 From: dosera Date: Thu, 17 Oct 2024 14:08:48 +0200 Subject: [PATCH 3/5] Add parameter nomad_batch_eval_gc_threshold --- README.md | 5 +++++ defaults/main.yml | 1 + templates/server.hcl.j2 | 1 + 3 files changed, 7 insertions(+) diff --git a/README.md b/README.md index 6aa7ba2a..cf093a49 100644 --- a/README.md +++ b/README.md @@ -222,6 +222,11 @@ The role defines most of its variables in `defaults/main.yml`: - Deployment garbage collection threshold - Default value: **1h** +### `nomad_batch_eval_gc_threshold` + +- Batch job garbage collection threshold +- Default value: **24h** + ### `nomad_encrypt_enable` - Enable Gossip Encryption even if `nomad_encrypt` is not set diff --git a/defaults/main.yml b/defaults/main.yml index e3a72c11..367f65b1 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -101,6 +101,7 @@ nomad_node_gc_threshold: 24h nomad_job_gc_threshold: 4h nomad_eval_gc_threshold: 1h nomad_deployment_gc_threshold: 1h +nomad_batch_eval_gc_threshold: 24h nomad_encrypt_enable: "{{ lookup('env', 'NOMAD_ENCRYPT_ENABLE') | default('false', true) }}" nomad_raft_protocol: 2 nomad_raft_multiplier: 1 
diff --git a/templates/server.hcl.j2 b/templates/server.hcl.j2 index 191029e8..d3bdd9d9 100644 --- a/templates/server.hcl.j2 +++ b/templates/server.hcl.j2 @@ -40,6 +40,7 @@ authoritative_region = "{{ nomad_authoritative_region }}" eval_gc_threshold = "{{ nomad_eval_gc_threshold }}" job_gc_threshold = "{{ nomad_job_gc_threshold }}" deployment_gc_threshold = "{{ nomad_deployment_gc_threshold }}" + nomad_batch_eval_gc_threshold = "{{ nomad_batch_eval_gc_threshold }}" encrypt = "{{ nomad_encrypt | default('') }}" From 4befef12a58c9ae6394ec65105d91120ec09f99e Mon Sep 17 00:00:00 2001 From: dosera Date: Tue, 22 Oct 2024 09:37:26 +0200 Subject: [PATCH 4/5] Fix incorrect server variable name --- templates/server.hcl.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/server.hcl.j2 b/templates/server.hcl.j2 index d3bdd9d9..d211a0d6 100644 --- a/templates/server.hcl.j2 +++ b/templates/server.hcl.j2 @@ -40,7 +40,7 @@ authoritative_region = "{{ nomad_authoritative_region }}" eval_gc_threshold = "{{ nomad_eval_gc_threshold }}" job_gc_threshold = "{{ nomad_job_gc_threshold }}" deployment_gc_threshold = "{{ nomad_deployment_gc_threshold }}" - nomad_batch_eval_gc_threshold = "{{ nomad_batch_eval_gc_threshold }}" + batch_eval_gc_threshold = "{{ nomad_batch_eval_gc_threshold }}" encrypt = "{{ nomad_encrypt | default('') }}" From 9095244695419da3bfd22589d60a070cb4f2c26e Mon Sep 17 00:00:00 2001 From: dosera Date: Tue, 10 Jun 2025 16:10:28 +0200 Subject: [PATCH 5/5] Implement support for vault workload identity --- README.md | 35 +++++++++++++++++++++++++++++++++++ defaults/main.yml | 8 ++++++++ templates/base.hcl.j2 | 19 +++++++++++++++---- 3 files changed, 58 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index cf093a49..fd45c4dd 100644 --- a/README.md +++ b/README.md 
@@ -637,6 +637,41 @@ in many Ansible versions, so this feature might not always work. - Vault namespace used by nomad - Default value: **""** +### `nomad_vault_identity_enabled` + +- Vault identity enabled will be used by nomad. Mandatory since 1.10. Will only be installed on servers. +- Default value: **true** + +### `nomad_vault_identity_auth_method` + +- Vault identity auth method used by nomad. Will only be installed on servers. +- Default value: **jwt** + +### `nomad_vault_identity_auth_path` + +- Vault identity auth path used by nomad. Will only be installed on servers. +- Default value: **jwt-auth** + +### `nomad_vault_identity_auth_default_aud` + +- Vault identity auth aud used by nomad. Will only be installed on servers. +- Default value: **nomad.staging.4flow-software.com** + +### `nomad_vault_identity_auth_default_ttl` + +- Vault identity auth default ttl used by nomad. Will only be installed on servers. +- Default value: **1h** + +### `nomad_vault_identity_auth_default_env` + +- Specify whether the identity JWT may be include in job environment. Will only be installed on servers. +- Default value: **false** + +### `nomad_vault_identity_auth_default_file` + +- Specify whether the identity JWT may be include in job as file. Will only be installed on servers. +- Default value: **false** + ### `nomad_docker_enable` - Enable docker diff --git a/defaults/main.yml b/defaults/main.yml index 367f65b1..aad00c85 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -180,6 +180,14 @@ nomad_vault_tls_skip_verify: false nomad_vault_token: "" nomad_vault_namespace: "" +nomad_vault_identity_enabled: true +nomad_vault_identity_auth_method: "jwt" +nomad_vault_identity_auth_path: "jwt" +nomad_vault_identity_auth_default_aud: "" +nomad_vault_identity_auth_default_ttl: "1h" +nomad_vault_identity_auth_default_env: false +nomad_vault_identity_auth_default_file: false + ### Docker nomad_docker_enable: "{{ lookup('env', 'NOMAD_DOCKER_ENABLE') | default('false', true) }}" nomad_docker_dmsetup: true diff --git a/templates/base.hcl.j2 b/templates/base.hcl.j2 index 393f72c5..91b2c579 100644 --- a/templates/base.hcl.j2 +++ b/templates/base.hcl.j2 
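Review bot: The new defaults disagree with the README hunk of this same patch: the README documents `nomad_vault_identity_auth_path` as `jwt-auth` and `nomad_vault_identity_auth_default_aud` as `nomad.staging.4flow-software.com`, while defaults/main.yml sets `"jwt"` and `""`; one side should be corrected, and the README value reads like a site-specific audience that should not be the documented default. `nomad_vault_identity_enabled: true` also changes behaviour for every existing user on upgrade, since templates/base.hcl.j2 then stops rendering `token`, `allow_unauthenticated` and `task_token_ttl` on servers; given the README states workload identity is mandatory only from Nomad 1.10, defaulting to `false` (or deriving the value from the installed Nomad version) avoids silently dropping the Vault token from older servers. A comment above the block, `# Vault workload identity (Nomad >= 1.10); when enabled the legacy token settings are not rendered on servers`, would make that coupling visible next to the defaults.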
@@ -73,19 +73,30 @@ acl { vault { enabled = {{ nomad_vault_enabled | bool | lower }} address = "{{ nomad_vault_address }}" - allow_unauthenticated = {{ nomad_vault_allow_unauthenticated | bool | lower }} - create_from_role = "{{ nomad_vault_create_from_role }}" - task_token_ttl = "{{ nomad_vault_task_token_ttl }}" ca_file = "{{ nomad_vault_ca_file }}" ca_path = "{{ nomad_vault_ca_path }}" cert_file = "{{ nomad_vault_cert_file }}" key_file = "{{ nomad_vault_key_file }}" + create_from_role = "{{ nomad_vault_create_from_role }}" tls_server_name = "{{ nomad_vault_tls_server_name }}" tls_skip_verify = {{ nomad_vault_tls_skip_verify | bool | lower }} + namespace = "{{ nomad_vault_namespace }}" {%if nomad_node_role != 'client' %} +{% if not nomad_vault_identity_enabled %} + allow_unauthenticated = {{ nomad_vault_allow_unauthenticated | bool | lower }} + task_token_ttl = "{{ nomad_vault_task_token_ttl }}" token = "{{ nomad_vault_token }}" +{% else %} + auth_method = "{{ nomad_vault_identity_auth_method }}" + auth_path = "{{ nomad_vault_identity_auth_path }}" + default_identity { + aud = ["{{ nomad_vault_identity_auth_default_aud }}"] + ttl = "{{ nomad_vault_identity_auth_default_ttl }}" + env = "{{ nomad_vault_identity_auth_default_env | bool | lower }}" + file = "{{ nomad_vault_identity_auth_default_file | bool | lower }}" + } +{% endif %} {% endif %} - namespace = "{{ nomad_vault_namespace }}" } {% if nomad_telemetry | default(False) | bool == True %}
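Review bot: `env` and `file` in the new `default_identity` block are rendered as quoted strings (`env = "false"`), whereas the same hunk emits `enabled` and `tls_skip_verify` as bare booleans via `{{ ... | bool | lower }}` without quotes; these are boolean settings in Nomad's `default_identity` block, so the quotes should go: `env = {{ nomad_vault_identity_auth_default_env | bool | lower }}` and `file = {{ nomad_vault_identity_auth_default_file | bool | lower }}`. `aud = ["{{ nomad_vault_identity_auth_default_aud }}"]` wraps a single scalar, which with the `""` default renders as `aud = [""]`, an empty audience that is almost certainly not what a deployment wants and can never hold more than one value; accepting a list and rendering it as `aud = {{ nomad_vault_identity_auth_default_aud | to_json }}` keeps the audience bound to the Vault role configurable and makes a missing value visible. Keeping `env`/`file` at `false` by default is the right call, as enabling either hands the workload identity JWT to the task itself.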