From c4e89fdb88547120b557f03442e8ea3903727e72 Mon Sep 17 00:00:00 2001 
From: John Wong <62568830+jswongF5@users.noreply.github.com> Date: Wed, 8 Mar 2023 21:27:15 -0800 Subject: [PATCH] Initial commit to add nms ansible role (#4) * Initial commit to add nms install role * Update defaults/main.yml, remove comment from init Co-authored-by: Alessandro Fael Garcia * Removing 'nginx_remove_license', not needed. Co-authored-by: Alessandro Fael Garcia * Update tasks/main.yml Co-authored-by: Alessandro Fael Garcia * Update vars/main.yml Co-authored-by: Alessandro Fael Garcia * Update tasks/cleanup.yml Co-authored-by: Alessandro Fael Garcia * Update tasks/check-controller-support.yml Co-authored-by: Alessandro Fael Garcia * Removing 'example' directory * Remove 'roles' directory * Updates to align with nginx role * Changing 'NIM' to 'NMS', replace 'with_items' with 'loop', and reference ansible_facts using dictionary format. * Moving rpm specific repo from defaults/main.yml to vars/main.yml * Changing from 'with_items' to 'loop' * Updating galaxy_info with proper information * Removing comments and updating supported versions * Use ansible_fact dictionary format * Removing workaround for RHEL7 install and hardcoding ssl cert location * Also install latest when nms_clickhouse_version or nms_version are absent * Hardcode https://nginx.org/keys/nginx_signing.key * Splitting out tasks so they are Debian and RedHat 'os_family' specific. * Changing task to hardcode contents in /etc/apt/apt.conf.d/90nginx * Need to also include os_family support check * Enabling anisble-lint when running 'molecule' * Resolve linting fails * Adding 'nms_remove_certs: false' to work around idempotence check * Added workflow and dependabot updates * Updating common md files for project * Check if firewalld is installed on RH distro families and nginx must be last to restart * AL2 is failing, disable for now, issue created for tracking * SECURITY.md is moved to .github directory * Fix Molecule tests in CI and README.md updates. * Suspect latest CI used older commit? 
* Elaborate on this role's requirements * Updating nginxinc.nginx version * Add note to rename certs for nms repo * Install 'pip' on all distros, install 'cryptography' and 'passlib' via pip * Changing nms username and password variables to match with Mark's nms collection * Updating nms support check for OracleLinux, version 8 is supported * Fixing bug so firewalld rules need to be reloaded on RedHat OS Family * Update * Update requirements_molecule.txt * Update release-drafter.yml * Fix mis-spelling in CONTRIBUTING.md Co-authored-by: Alessandro Fael Garcia * Update copyright year in README.md Co-authored-by: Alessandro Fael Garcia * Fix link to Apache License in README.md Co-authored-by: Alessandro Fael Garcia * Update meta/main.yml Co-authored-by: Alessandro Fael Garcia * Renaming to pip2.yml and pip3.yml in tasks/prerequisites * Update file name to include * Add labels. * Only one requirement.yml file needed, need to define 'role' section within yml. * Update requirement file example and remove survey. * Do not need the entire 'nginxinc.nginx_core' collection, just the nginxinc.nginx role * Resolve ansible-lint errors * Moving clickhouse and nms install tasks to directories * NMS and Clickhouse file renaming * Prefix 'nms_' on clickhouse variables * Organized files in tasks/ and consolidated validation checks to 1 task (from nginxinc.nginx) * Adding RHEL9 as a supported version * Adding ability to configure nms_gpgcheck for dev purpose when installing nms. * Updates! 
* Resolving ansible-lint fails in 'molecule' directory * Update .github/workflows/galaxy.yml Co-authored-by: Alessandro Fael Garcia * Update README.md Co-authored-by: Alessandro Fael Garcia * Update .github/workflows/release-drafter.yml Co-authored-by: Alessandro Fael Garcia * Update CHANGELOG.md Co-authored-by: Alessandro Fael Garcia * Update .github/workflows/molecule.yml Co-authored-by: Alessandro Fael Garcia * Update .github/release-drafter.yml Co-authored-by: Alessandro Fael Garcia * Update .github/release-drafter.yml Co-authored-by: Alessandro Fael Garcia * Update CONTRIBUTING.md Co-authored-by: Alessandro Fael Garcia * Update CONTRIBUTING.md Co-authored-by: Alessandro Fael Garcia * Update CONTRIBUTING.md Co-authored-by: Alessandro Fael Garcia * Update CONTRIBUTING.md Co-authored-by: Alessandro Fael Garcia * Update CONTRIBUTING.md Co-authored-by: Alessandro Fael Garcia * Updates per PR * Preparing for git project name change * README updates and prereq name changes * Update versions in README * Bug fixes in tasks and README * Fix in nms redhat install * Fix linting error * Updates to README --------- Co-authored-by: Alessandro Fael Garcia --- .ansible-lint | 4 + .github/CODEOWNERS | 4 +- .github/ISSUE_TEMPLATE/bug_report.md | 16 +- .github/ISSUE_TEMPLATE/feature_request.md | 7 +- .github/SECURITY.md | 26 +++ .github/dependabot.yml | 9 + .github/pull_request_template.md | 4 +- .github/release-drafter.yml | 103 ++++++++++ .github/workflows/galaxy.yml | 25 +++ .github/workflows/molecule.yml | 48 +++++ .github/workflows/release-drafter.yml | 20 ++ .../requirements/requirements_ansible.yml | 13 ++ .../requirements/requirements_galaxy.txt | 1 + .../requirements/requirements_molecule.txt | 7 + .gitignore | 9 + CHANGELOG.md | 7 +- CONTRIBUTING.md | 30 ++- README.md | 179 +++++++++++++++--- SECURITY.md | 14 -- defaults/main.yml | 30 +++ files/license/.gitkeep | 0 handlers/main.yml | 11 ++ meta/main.yml | 43 +++++ molecule/common/Dockerfile.j2 | 34 ++++ 
molecule/default/converge.yml | 16 ++ molecule/default/molecule.yml | 121 ++++++++++++ molecule/default/prepare.yml | 18 ++ molecule/default/verify.yml | 45 +++++ molecule/plus/converge.yml | 18 ++ molecule/plus/molecule.yml | 121 ++++++++++++ molecule/plus/prepare.yml | 18 ++ molecule/plus/verify.yml | 45 +++++ molecule/upgrade/converge.yml | 15 ++ molecule/upgrade/molecule.yml | 112 +++++++++++ molecule/upgrade/prepare.yml | 36 ++++ molecule/upgrade/verify.yml | 51 +++++ tasks/clickhouse/install-debian.yml | 29 +++ tasks/clickhouse/install-redhat.yml | 26 +++ tasks/extras/nms-password.yml | 28 +++ tasks/main.yml | 35 ++++ tasks/nms/install-debian.yml | 36 ++++ tasks/nms/install-redhat.yml | 59 ++++++ tasks/nms/remove-certs.yml | 18 ++ tasks/prerequisites/pip2.yml | 19 ++ tasks/prerequisites/pip3.yml | 7 + tasks/prerequisites/prereq-debian.yml | 11 ++ tasks/prerequisites/prereq-redhat.yml | 10 + tasks/prerequisites/setup-certs.yml | 37 ++++ tasks/validate/validate.yml | 17 ++ vars/main.yml | 77 ++++++++ 50 files changed, 1605 insertions(+), 64 deletions(-) create mode 100644 .ansible-lint create mode 100644 .github/SECURITY.md create mode 100644 .github/release-drafter.yml create mode 100644 .github/workflows/galaxy.yml create mode 100644 .github/workflows/molecule.yml create mode 100644 .github/workflows/release-drafter.yml create mode 100644 .github/workflows/requirements/requirements_ansible.yml create mode 100644 .github/workflows/requirements/requirements_galaxy.txt create mode 100644 .github/workflows/requirements/requirements_molecule.txt delete mode 100644 SECURITY.md create mode 100644 defaults/main.yml create mode 100644 files/license/.gitkeep create mode 100644 handlers/main.yml create mode 100644 meta/main.yml create mode 100644 molecule/common/Dockerfile.j2 create mode 100644 molecule/default/converge.yml create mode 100644 molecule/default/molecule.yml create mode 100644 molecule/default/prepare.yml create mode 100644 molecule/default/verify.yml 
create mode 100644 molecule/plus/converge.yml create mode 100644 molecule/plus/molecule.yml create mode 100644 molecule/plus/prepare.yml create mode 100644 molecule/plus/verify.yml create mode 100644 molecule/upgrade/converge.yml create mode 100644 molecule/upgrade/molecule.yml create mode 100644 molecule/upgrade/prepare.yml create mode 100644 molecule/upgrade/verify.yml create mode 100644 tasks/clickhouse/install-debian.yml create mode 100644 tasks/clickhouse/install-redhat.yml create mode 100644 tasks/extras/nms-password.yml create mode 100644 tasks/main.yml create mode 100644 tasks/nms/install-debian.yml create mode 100644 tasks/nms/install-redhat.yml create mode 100644 tasks/nms/remove-certs.yml create mode 100644 tasks/prerequisites/pip2.yml create mode 100644 tasks/prerequisites/pip3.yml create mode 100644 tasks/prerequisites/prereq-debian.yml create mode 100644 tasks/prerequisites/prereq-redhat.yml create mode 100644 tasks/prerequisites/setup-certs.yml create mode 100644 tasks/validate/validate.yml create mode 100644 vars/main.yml diff --git a/.ansible-lint b/.ansible-lint new file mode 100644 index 0000000..00efb2e --- /dev/null +++ b/.ansible-lint @@ -0,0 +1,4 @@ +--- +skip_list: + - name[template] + - yaml[line-length] diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index dec7980..2bbd47e 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS @@ -1,3 +1,5 @@ # Main global owner # ##################### -* +* @jswongf5 +/.github/workflows/ +*.md diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md index e3d7e5a..4f2cf05 100644 --- a/.github/ISSUE_TEMPLATE/bug_report.md +++ b/.github/ISSUE_TEMPLATE/bug_report.md @@ -1,10 +1,11 @@ --- name: Bug report about: Create a report to help us improve -title: '' -labels: '' -assignees: '' +title: "" +labels: "" +assignees: "" --- + ### Describe the bug A clear and concise description of what the bug is. 
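Review bot: The two new CODEOWNERS lines `/.github/workflows/` and `*.md` carry no owner, and in GitHub's CODEOWNERS semantics a later pattern with an empty owner list unsets ownership for the files it matches, so the workflow directory and every markdown file end up with no required reviewer even though the `*` line assigns one. The workflow files are the part of the repository that runs with `GALAXY_API_KEY`, `NGINX_CRT` and `NGINX_KEY`, so they are the least appropriate place to drop owner review. If the intent was to list them explicitly under the same owner, the lines should read `/.github/workflows/ @jswongf5` and `*.md @jswongf5`; if the intent really is to exempt them, a short comment above the lines saying so would stop the next reader from "fixing" it.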
@@ -13,8 +14,8 @@ A clear and concise description of what the bug is. Steps to reproduce the behavior: -1. Deploy ansible_role_nginx_management_suite using -2. View output/logs/configuration on '...' +1. Deploy the Ansible NGINX Management Suite role using `playbook.yml` +2. View output/logs/configuration on ... 3. See error ### Expected behavior @@ -23,8 +24,9 @@ A clear and concise description of what you expected to happen. ### Your environment -- Version of the ansible_role_nginx_management_suite or specific commit - +- Version of the Ansible NGINX Management Suite role or specific commit +- Version of Ansible +- Version of Jinja2 (if you are using any templating capability) - Target deployment platform ### Additional context diff --git a/.github/ISSUE_TEMPLATE/feature_request.md b/.github/ISSUE_TEMPLATE/feature_request.md index d27aba8..e2242ab 100644 --- a/.github/ISSUE_TEMPLATE/feature_request.md +++ b/.github/ISSUE_TEMPLATE/feature_request.md @@ -1,10 +1,11 @@ --- name: Feature request about: Suggest an idea for this project -title: '' -labels: '' -assignees: '' +title: "" +labels: "" +assignees: "" --- + ### Is your feature request related to a problem? Please describe A clear and concise description of what the problem is. Ex. I'm always frustrated when ... diff --git a/.github/SECURITY.md b/.github/SECURITY.md new file mode 100644 index 0000000..c521596 --- /dev/null +++ b/.github/SECURITY.md 
@@ -0,0 +1,26 @@ +# Security Policy + +## Versions + +### Latest Versions + +We advise users to run or update to the most recent release of the Ansible NGINX Management Suite role. Older versions of this role may not have all enhancements and/or bug fixes applied to them. + +### Supported Versions + +This codebase mainly consists of an Ansible role, sprinkled with a dose of GitHub actions for CI/CD. Ansible applies security fixes to the most recent three releases. Please find more information in [the Ansible docs](https://docs.ansible.com/ansible/devel/reference_appendices/release_and_maintenance.html#release-status). + +## Reporting a Vulnerability + +### Ansible + +If you find a security vulnerability that affects Ansible directly, we encourage you to report it according to the [Ansible guidelines](https://docs.ansible.com/ansible/devel/community/reporting_bugs_and_features.html#reporting-a-bug). + +### Codebase + +If you find a security vulnerability that affects the codebase, we encourage you to report it to the F5 Security Incident Response Team (F5 SIRT): + +- If you’re an F5 customer with an active support contract, please contact [F5 Technical Support](https://www.f5.com/services/support). +- If you aren’t an F5 customer, please report any potential or current instances of security vulnerabilities to the F5 SIRT at . + +For more information visit [https://www.f5.com/services/support/report-a-vulnerability](https://www.f5.com/services/support/report-a-vulnerability) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 4450376..27d0550 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -7,3 +7,12 @@ updates: interval: weekly day: monday time: "00:00" + labels: + - "dependencies" + - "skip-changelog" + - package-ecosystem: pip + directory: /.github/workflows/requirements + schedule: + interval: weekly + day: monday + time: "00:00" 
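Review bot: The new `package-ecosystem: pip` entry has no `labels:` block, while the existing entry above it now gets `dependencies` and `skip-changelog`; the `skip-changelog` label is what the new `.github/release-drafter.yml` uses in `exclude-labels`, so pip bumps from Dependabot will land in drafted release notes while Actions bumps will not. Unless that asymmetry is intended, add the same three lines to the pip entry: `labels:`, `- "dependencies"`, `- "skip-changelog"`. The first `updates` entry's header (its `package-ecosystem` line) is above the hunk, so I am inferring it is the github-actions entry from the `directory` shown in the diffstat context.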
diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md index 083d739..49eb80b 100644 --- a/.github/pull_request_template.md +++ b/.github/pull_request_template.md @@ -6,7 +6,7 @@ Describe the use case and detail of the change. If this PR addresses an issue on Before creating a PR, run through this checklist and mark each as complete. -- [ ] I have read the [`CONTRIBUTING`](https://github.com/nginxinc/ansible-role-nginx-management-suite/blob/main/CONTRIBUTING.md) document +- [ ] I have read the [`CONTRIBUTING`](https://github.com/nginxinc/ansible-role-nms/blob/main/CONTRIBUTING.md) document - [ ] If applicable, I have added tests that prove my fix is effective or that my feature works - [ ] If applicable, I have checked that any relevant tests pass after adding my changes -- [ ] I have updated any relevant documentation ([`README.md`](https://github.com/nginxinc/ansible-role-nginx-management-suite/blob/main/README.md) and [`CHANGELOG.md`](https://github.com/nginxinc/ansible-role-nginx-management-suite/blob/main/CHANGELOG.md)) +- [ ] I have updated any relevant documentation ([`README.md`](https://github.com/nginxinc/ansible-role-nms/blob/main/README.md) and [`CHANGELOG.md`](https://github.com/nginxinc/ansible-role-nms/blob/main/CHANGELOG.md)) diff --git a/.github/release-drafter.yml b/.github/release-drafter.yml new file mode 100644 index 0000000..56df1f8 --- /dev/null +++ b/.github/release-drafter.yml 
@@ -0,0 +1,103 @@ +--- +name-template: "$RESOLVED_VERSION" +tag-template: "$RESOLVED_VERSION" +include-pre-releases: true +categories: + - title: "💣 Breaking Changes" + labels: + - "breaking change" + - title: "🔔 Deprecation Warnings" + labels: + - "deprecation" + - title: "🚀 Features" + labels: + - "feature" + - title: "🎉 Enhancements" + labels: + - "enhancement" + - title: "🐛 Bug Fixes" + labels: + - "bug" + - title: "🧪 Tests" + labels: + - "tests" + - title: "📝 Documentation" + labels: + - "documentation" + - title: "⬆️ Dependencies" + labels: + - "dependencies" +exclude-labels: + - "skip-changelog" +version-resolver: + minor: + labels: + - "breaking change" + - "deprecation" + patch: + labels: + - "bug" + - "dependencies" + - "documentation" + - "feature" + - "enhancement" + default: patch +autolabeler: + - label: "breaking change" + body: + - "/breaking/i" + - label: "deprecation" + branch: + - "/deprecate\/.+/" + title: + - "/deprecate/i" + - label: "feature" + branch: + - "/feat\/.+/" + - "/feature\/.+/" + title: + - "/feat/i" + - "/feature/i" + - label: "enhancement" + branch: + - "/enhancement\/.+/" + title: + - "/enhancement/i" + - label: "bug" + branch: + - "/fix\/.+/" + title: + - "/fix/i" + - label: "tests" + branch: + - "/molecule\/.+/" + title: + - "/molecule/i" + - label: "documentation" + branch: + - "/docs\/.+/" + files: + - "**/!(changelog).md" + title: + - "/docs/i" + - "/documentation/i" + - label: "dependencies" + files: + - ".github/workflows/requirements/*" +template: | + ## What's new in NGINX Management Suite's Ansible role $RESOLVED_VERSION! + + $CHANGES + + ## Install & Upgrade + + - To install the Ansible NGINX Management Suite role on a fresh environment, run `ansible-galaxy install nginxinc.nms`. + - To upgrade the Ansible NGINX Management Suite role to the latest release, run `ansible-galaxy install -f nginxinc.nms`. 
+ - To install or upgrade to this specific Ansible NGINX Management Suite role release ($RESOLVED_VERSION), run `ansible-galaxy install -f nginxinc.nms,v$RESOLVED_VERSION`. + + ## Resources + + - Functional configuration examples (check `converge.yml` under each `molecule` scenario) -- [github.com/nginxinc/ansible-role-nms/tree/$RESOLVED_VERSION/molecule](https://github.com/nginxinc/ansible-role-nms/tree/$RESOLVED_VERSION/molecule). + - Ansible Galaxy repository -- [galaxy.ansible.com/nginxinc/nginx](https://galaxy.ansible.com/nginxinc/nginx). + - NGINX Ansible role & collection introductory blog -- [nginx.com/blog/announcing-nginx-core-collection-ansible](https://www.nginx.com/blog/announcing-nginx-core-collection-ansible). + - NGINX: Better with Ansible demo -- [github.com/alessfg/nginx-ansible-demo](https://github.com/alessfg/nginx-ansible-demo). diff --git a/.github/workflows/galaxy.yml b/.github/workflows/galaxy.yml new file mode 100644 index 0000000..b4a56b2 --- /dev/null +++ b/.github/workflows/galaxy.yml @@ -0,0 +1,25 @@ +--- +name: Ansible Galaxy import +on: + release: + types: + - published + workflow_dispatch: +jobs: + galaxy: + name: Galaxy + runs-on: ubuntu-22.04 + steps: + - name: Check out the codebase + uses: actions/checkout@v3 + + - name: Set up Python 3 + uses: actions/setup-python@v4 + with: + python-version: 3.x + + - name: Install Ansible + run: pip3 install -r .github/workflows/requirements/requirements_galaxy.txt + + - name: Import release to Ansible Galaxy + run: ansible-galaxy role import --api-key ${{ secrets.GALAXY_API_KEY }} $(echo ${{ github.repository }} | cut -d/ -f1) $(echo ${{ github.repository }} | cut -d/ -f2) diff --git a/.github/workflows/molecule.yml b/.github/workflows/molecule.yml new file mode 100644 index 0000000..a96bc81 --- /dev/null +++ b/.github/workflows/molecule.yml 
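Review bot: `tag-template: "$RESOLVED_VERSION"` drafts tags without a `v` prefix, and the Resources link in the same template uses `tree/$RESOLVED_VERSION` consistently with that, but the install instruction references `nginxinc.nms,v$RESOLVED_VERSION`, which would point at a tag that the drafter never creates. Unless releases are retagged by hand with a `v` prefix, the install line should be `ansible-galaxy install -f nginxinc.nms,$RESOLVED_VERSION` (or the tag template should gain the prefix and the tree link follow it).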
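Review bot: The Galaxy import step expands `${{ secrets.GALAXY_API_KEY }}` directly into the `run:` script, so the key becomes part of the shell command line on the runner; GitHub masks it in the log, but the documented pattern is to pass it through the step's `env:` (`GALAXY_API_KEY: ${{ secrets.GALAXY_API_KEY }}`) and reference `"$GALAXY_API_KEY"` in the command. None of the three new workflows (`galaxy.yml`, `molecule.yml`, `release-drafter.yml`) declares a top-level `permissions:` block, so each job runs with whatever the repository's default `GITHUB_TOKEN` scope is; `galaxy.yml` and `molecule.yml` need only `contents: read`, and `release-drafter.yml` needs `contents: write` plus `pull-requests: write` for the autolabeler, which is worth stating explicitly so a future default change does not break or over-privilege them. The third-party actions are pinned to floating major tags (`actions/checkout@v3`, `actions/setup-python@v4`, `release-drafter/release-drafter@v5`); pinning to a commit SHA is the usual hardening for workflows that handle publishing credentials.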
@@ -0,0 +1,48 @@ +--- +name: Molecule CI/CD +on: + pull_request: + branches: + - main + push: + branches: + - main + ignore-tags: + - "*" + schedule: + - cron: "0 0 1 * *" + workflow_dispatch: +jobs: + molecule: + name: Molecule + runs-on: ubuntu-22.04 + env: + NGINX_CRT: ${{ secrets.NGINX_CRT }} + NGINX_KEY: ${{ secrets.NGINX_KEY }} + strategy: + fail-fast: false + matrix: + scenario: + - default + - plus + - upgrade + steps: + - name: Check out the codebase + uses: actions/checkout@v3 + + - name: Set up Python 3 + uses: actions/setup-python@v4 + with: + python-version: 3.x + + - name: Install Molecule dependencies + run: pip3 install -r .github/workflows/requirements/requirements_molecule.txt + + - name: Install Ansible core dependencies + run: ansible-galaxy install -r .github/workflows/requirements/requirements_ansible.yml + + - name: Run Molecule tests + run: molecule test -s ${{ matrix.scenario }} + env: + PY_COLORS: 1 + ANSIBLE_FORCE_COLOR: 1 diff --git a/.github/workflows/release-drafter.yml b/.github/workflows/release-drafter.yml new file mode 100644 index 0000000..ef4a7d0 --- /dev/null +++ b/.github/workflows/release-drafter.yml @@ -0,0 +1,20 @@ +--- +name: Release Drafter +on: + pull_request: + types: + - opened + - reopened + - synchronize + push: + branches: + - main + workflow_dispatch: +jobs: + update_release_draft: + name: Update release draft + runs-on: ubuntu-22.04 + steps: + - uses: release-drafter/release-drafter@v5 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/requirements/requirements_ansible.yml b/.github/workflows/requirements/requirements_ansible.yml new file mode 100644 index 0000000..84d55bb --- /dev/null +++ b/.github/workflows/requirements/requirements_ansible.yml 
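Review bot: `ignore-tags:` under `on.push` is not a filter key the `push` trigger recognizes (the documented key is `tags-ignore`), so the block is ignored and only produces a workflow validation warning; since a `branches:` filter is already present, tag pushes do not trigger this workflow anyway, so the two lines can simply be dropped. The job-level `env:` puts `NGINX_CRT` and `NGINX_KEY` into the environment of every step, including `actions/checkout` and `actions/setup-python`, which do not need them; moving the two lines under the existing `env:` of the "Run Molecule tests" step (next to `PY_COLORS`) limits the secrets to the one step that uses them. Because the workflow also runs on `pull_request`, those secrets will presumably be empty for PRs from forks, so the `plus` and `upgrade` scenarios would fail for external contributors; a note in CONTRIBUTING.md or a `fail-fast: false` matrix comment explaining that would save them some confusion.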
@@ -0,0 +1,13 @@ +--- +roles: + - name: nginxinc.nginx + version: 0.24.0 +collections: + - name: ansible.posix + version: 1.5.1 + - name: community.general + version: 6.4.0 + - name: community.crypto # Only required if you plan to install NGINX Plus + version: 2.11.0 + - name: community.docker # Only required if you plan to use Molecule + version: 3.4.2 diff --git a/.github/workflows/requirements/requirements_galaxy.txt b/.github/workflows/requirements/requirements_galaxy.txt new file mode 100644 index 0000000..f41e7e2 --- /dev/null +++ b/.github/workflows/requirements/requirements_galaxy.txt @@ -0,0 +1 @@ +ansible-core==2.14.3 diff --git a/.github/workflows/requirements/requirements_molecule.txt b/.github/workflows/requirements/requirements_molecule.txt new file mode 100644 index 0000000..f322311 --- /dev/null +++ b/.github/workflows/requirements/requirements_molecule.txt @@ -0,0 +1,7 @@ +ansible-core==2.14.3 +jinja2==3.1.2 +ansible-lint==6.14.1 +yamllint==1.29.0 +molecule==4.0.4 +molecule-plugins[docker]==23.0.0 +docker==6.0.1 diff --git a/.gitignore b/.gitignore index a60260e..b671d1b 100644 --- a/.gitignore +++ b/.gitignore @@ -11,6 +11,15 @@ Thumbs.db .DS_Store .vscode +# Ansible specific # +#################### +.cache +*.retry + +# Python specific # +################### +__pycache__ + # Logs # ######## *.log diff --git a/CHANGELOG.md b/CHANGELOG.md index da02d36..9816395 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,8 @@ # Changelog -## 1.0.0 (Month Date, Year) +## 0.1.0 - Initial release (Month Date, Year) -Initial release of the NGINX template repository. +Initial release of the NGINX Management Suite Ansible role. Features include: + +* Install NGINX Management Suite (NMS). +* Create initial NMS password diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 0aff1e1..833ed42 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md 
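Review bot: The new Ansible section of `.gitignore` adds only `.cache`, `*.retry` and `__pycache__`, but this same commit creates `files/license/.gitkeep` and the README hunk tells users to copy their NGINX Plus license (the repository certificate and key) into `files/license/` before running Molecule; nothing prevents those files from being staged with `git add .`. Add `files/license/*` followed by `!files/license/.gitkeep` to the Ansible block so the directory stays tracked while the certificate and key it is meant to hold never reach the repository.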
@@ -10,11 +10,26 @@ The following is a set of guidelines for contributing to the ansible_role_nginx_ [Code Guidelines](#code-guidelines) -[Code of Conduct](https://github.com/nginxinc/ansible-role-nginx-management-suite/blob/main/CODE_OF_CONDUCT.md) +* [Git Guidelines](#git-guidelines) +* [Ansible Guidelines](#ansible-guidelines) + +[Code of Conduct](https://github.com/nginxinc/ansible-role-nms/blob/main/CODE_OF_CONDUCT.md) ## Getting Started -Follow our [Installation Guide](https://github.com/nginxinc/ansible-role-nginx-management-suite/blob/main/README.md#Installation) to get the ansible_role_nginx_management_suite up and running. +Follow our [Installation Guide](https://github.com/nginxinc/ansible-role-nms/blob/main/README.md#Installation) to get the ansible_role_nginx_management_suite up and running. + +### Project Structure + +* The NGINX Management Suite Ansible role is written in `yaml` and supports NGINX Management Suite (NMS) Installation. + * An NGINX Plus license is required in order to install NMS. +* The project follows the standard [Ansible role directory structure](https://docs.ansible.com/ansible/latest/user_guide/playbooks_reuse_roles.html): + * The main code is found in [`tasks/`](https://github.com/nginxinc/ansible-role-nms/blob/main/tasks/). + * Variables can be found in [`defaults/main/`](https://github.com/nginxinc/ansible-role-nms/blob/main/defaults/main/). + * "Constant" variables can be found in [`vars/main.yml`](https://github.com/nginxinc/ansible-role-nms/blob/main/vars/main.yml). + * [Molecule](https://molecule.readthedocs.io/) tests can be found in [`molecule/`](https://github.com/nginxinc/ansible-role-nms/blob/main/molecule/). + * CI/CD is done via GitHub actions using the workflow files found in [`.github/workflows/`](https://github.com/nginxinc/ansible-role-nms/blob/main/.github/workflows/). + 
@@ -31,13 +46,20 @@ To suggest a feature or enhancement, please create an issue on GitHub with the l ### Open a Pull Request * Fork the repo, create a branch, implement your changes, add any relevant tests, submit a PR when your changes are **tested** and ready for review. -* Fill in [our pull request template](https://github.com/nginxinc/ansible-role-nginx-management-suite/blob/main/.github/pull_request_template.md). +* Fill in [our pull request template](https://github.com/nginxinc/ansible-role-nms/blob/main/.github/pull_request_template.md). Note: if you'd like to implement a new feature, please consider creating a feature request issue first to start a discussion about the feature. ## Code Guidelines - +### Ansible Guidelines + +* You need an NGINX Plus license in order to install NMS, you will need to procure an NGINX Plus license (check out the [NGINX Plus developer license FAQ](https://www.nginx.com/developer-license-faqs/) to find out how to request one). +* Run `molecule lint` over your code to automatically resolve a lot of `yaml` and Ansible style issues. +* Run `molecule test` on your code before you submit a PR to catch any potential issues. If you are testing a specific molecule scenario, run `molecule test -s `. +* Follow these guides on some good practices for Ansible: + * + * ### Git Guidelines diff --git a/README.md b/README.md index 654822b..683dba7 100644 --- a/README.md +++ b/README.md 
@@ -1,54 +1,171 @@ -# NGINX Template Repository + +[![Molecule CI/CD](https://github.com/nginxinc/ansible-role-nms/workflows/Molecule%20CI/CD/badge.svg)](https://github.com/nginxinc/ansible-role-nms/actions) +[![License](https://img.shields.io/badge/License-Apache--2.0-blue.svg)](https://opensource.org/licenses/Apache-2.0) -## How do I use this template? +# Ansible NGINX Management Suite Role -**DO NOT FORK** -- this template is meant to be used from the **[`Use this template`](https://github.com/nginxinc/template-repository/generate)** feature. +This role only installs NGINX Management Suite (NMS). -1. Click on **[`Use this template`](https://github.com/nginxinc/template-repository/generate)** -2. Give a name to your project -3. Wait until the first run of CI finishes (Github Actions will process the template and commit to your new repo) -4. Clone your new project and happy coding! +**Note:** This role is still in active development. There may be unidentified issues and the role variables may change as development continues. -**NOTE**: **WAIT** until the first CI run on GitHub Actions before cloning your new project. +## Requirements -## What is included on this template? +1. NGINX Management Suite License Files +2. [NGINX Ansible Role (**nginxinc.nginx**)](https://github.com/nginxinc/ansible-role-nginx) -This template includes all the scaffolding you need to get started on a standards compliant NGINX repository: +### NGINX Management Suite Certificate Files -* Issue and PR templates -* Contributing guidelines -* Support guidelines -* Security guidelines for reporting major vulnerabilities -* Standard `.gitignore` with minimal defaults -* NGINX Code of Conduct -* Standard license for NGINX OSS projects -* Changelog placeholder -* Codeowners placeholder +Installing NMS requires the NMS certificate files to access the repository. 
Log in to [MyF5](https://account.f5.com/myf5) or follow the link in the trial activation email to download the NMS repo .crt and .key files: +* nginx-mgmt-suite-trial.key +* nginx-mgmt-suite-trial.crt ---- +**NOTE:** Be sure to rename these files to `nginx-repo.key` and `nginx-repo.crt`, respectively. - +### NGINX Instance -# ansible_role_nginx_management_suite +NMS requires an NGINX instance, either NGINX OSS or NGINX Plus as a frontend only. This role handles this by defining a dependency to the [NGINX Ansible Role](https://github.com/nginxinc/ansible-role-nginx), named **nginxinc.nginx**. Because of this dependance, you can set variables related to **nginxinc.nginx** when using this role. For example, `nginx_type` is an **nginxinc.nginx** variable that can be [set like how you would any other Ansible variable](https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_variables.html#where-to-set-variables). So if your playbook defines `nginx_type: plus`, the **nginxinc.nginx** role will install NGINX Plus. Refer to the [Ansible Role NGINX](https://github.com/nginxinc/ansible-role-nginx) for more details. -## Requirements +Main difference between using NGINX OSS or NGINX Plus depends on which [Authentication Options](https://docs.nginx.com/nginx-management-suite/admin-guides/access-control/configure-authentication/#auth-options) you plan to use. + +### Ansible + +* This role is developed and tested with [maintained](https://docs.ansible.com/ansible/devel/reference_appendices/release_and_maintenance.html) versions of Ansible core (above `2.14`). +* This role was developed and tested using **nginxinc.nginx** version **0.24.0**. +* When using this role, you will also need to install the following collections below. 
Additional information installing these collections is below in [Installation](#installation) section + * ansible.posix + * community.general + * community.crypto + * community.docker (Only required if you plan to use Molecule) + + +* You will need to run this role as a root user using Ansible's `become` parameter. Make sure you have set up the appropriate permissions on your target hosts. +* Instructions on how to install Ansible can be found in the [Ansible website](https://docs.ansible.com/ansible/latest/installation_guide/intro_installation.html#upgrading-ansible-from-version-2-9-and-older-to-version-2-10-or-later). + +### Jinja2 + +* This role uses Jinja2 templates. Ansible core installs Jinja2 by default, but depending on your install and/or upgrade path, you might be running an outdated version of Jinja2. The minimum version of Jinja2 required for the role to properly function is `3.1`. +* Instructions on how to install Jinja2 can be found in the [Jinja2 website](https://jinja.palletsprojects.com/en/2.11.x/intro/#installation). + +### Molecule (Optional) -Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nullam elit turpis, varius et arcu elementum, viverra rhoncus sem. Aliquam nec sodales magna, et egestas enim. Mauris lobortis ultrices euismod. Pellentesque in arcu lacus. Mauris cursus laoreet nulla, ac vehicula est. Vestibulum eu mauris quis lorem consectetur aliquam ac nec quam. Vestibulum commodo pharetra mi, at bibendum neque faucibus ut. Mauris et tortor sed sem consectetur eleifend ut non magna. Praesent feugiat placerat nibh, varius viverra orci bibendum sed. Vestibulum dapibus ex ut pulvinar facilisis. Quisque sodales enim et augue tempor mattis. Suspendisse finibus congue felis, ac blandit ligula. Praesent condimentum ultrices odio quis semper. Nunc ultrices, nibh quis mattis pellentesque, elit nulla bibendum felis, quis dapibus erat turpis ac urna. +* Molecule is used to test the various functionalities of the role. 
The recommended version of Molecule to test this role is `4.0.1`. +* Instructions on how to install Molecule can be found in the [Molecule website](https://molecule.readthedocs.io/en/latest/installation.html). *You will also need to install the Molecule Docker driver.* +* To run the Molecule tests, you must copy your NGINX Plus license to the role's [`files/license`](https://github.com/nginxinc/ansible-role-nms/blob/main/files/license/) folder. + + You can alternatively add your NGINX Management Suite repository certificate and key to the local environment. Run the following commands to export these files as base64-encoded variables and execute the Molecule tests: + + ```bash + export NGINX_CRT=$( cat | base64 ) + export NGINX_KEY=$( cat | base64 ) + molecule test -s plus + ``` ## Installation -Duis sit amet sapien vel velit ornare vulputate. Nulla rutrum euismod risus ac efficitur. Curabitur in sagittis elit, a semper leo. Suspendisse malesuada aliquam velit, eu suscipit lorem vehicula at. Proin turpis lacus, semper in placerat in, accumsan non ipsum. Cras euismod, elit eget pretium laoreet, tortor nulla finibus tortor, nec hendrerit elit turpis ut eros. Quisque congue nisi id mauris molestie, eu condimentum dolor rutrum. Nullam eleifend elit ac lobortis tristique. Pellentesque nec tellus non mauris aliquet commodo a eu elit. Ut at feugiat metus, at tristique mauris. Vestibulum ante ipsum primis in faucibus orci luctus et ultrices posuere cubilia curae; +### Ansible Galaxy + +1. Create a yaml file, such as `requirements.yml`, with the following content below. + ```yaml + --- + roles: + - name: nginxinc.nms + version: 0.1.0 + collections: + - name: ansible.posix + version: 1.5.1 + - name: community.general + version: 6.4.0 + - name: community.crypto + version: 2.11.0 + - name: community.docker # Only required if you plan to use Molecule (see below) + version: 3.4.2 + ``` +1. 
Run `ansible-galaxy install -r requirements.yml` to install this role along with the required collections. If you already have these installed but need to update to newer versions, use `ansible-galaxy install -fr requirements.yml`. + +#### Using Latest Edge + +There is a couple methods if you want to use the latest edge from this role. + +1. Use the following snippet in your `requirement.yml`. + ```yaml + roles: + - src: https://github.com/nginxinc/ansible-role-nms.git + version: main + ``` + +1. Use `git clone https://github.com/nginxinc/ansible-role-nms.git` to pull the latest edge commit of the role from GitHub. + +## Platforms -## Usage +This Ansible role supports all platforms supported by [NGINX Management Suite](https://docs.nginx.com/nginx-management-suite/overview/tech-specs/#supported-distributions): -Maecenas at vehicula justo. Suspendisse posuere elementum elit vel posuere. Etiam quis pulvinar massa. Integer tempor semper risus, vitae maximus eros ullamcorper vitae. In egestas, ex vitae gravida sodales, ipsum dolor varius est, et cursus lorem dui a mi. Morbi faucibus ut nisi id faucibus. Sed quis ullamcorper ex. In et dolor id nunc interdum suscipit. +### NGINX Management Suite -## Development +```yaml +Amazon Linux 2: + - any +CentOS: + - 7.4+ +Debian: + - buster (10) + - bullseye (11) +Oracle Linux: + - 7.4+ + - 8 +Red Hat: + - 7.4+ + - 8 + - 9 +Ubuntu: + - bionic (18.04) + - focal (20.04) + - jammy (22.04) +``` -Read the [`CONTRIBUTING.md`](https://github.com/nginxinc/ansible-role-nginx-management-suite/blob/main/CONTRIBUTING.md) file. +**Note:** You can also use this role to install NGINX Management Suite on compatible yet unsupported platforms at your own risk. + +## Role Variables + +This role has multiple variables. 
The descriptions and defaults for all these variables can be found in the **[`defaults/main/`](https://github.com/nginxinc/ansible-role-nms/blob/main/defaults/main/)** folder in the following files: + +| Name | Description | +| ---- | ----------- | +| **[`main.yml`](https://github.com/nginxinc/ansible-role-nms/blob/main/defaults/main/main.yml)** | NMS installation variables | + +Similarly, descriptions and defaults for preset variables can be found in the **[`vars/`](https://github.com/nginxinc/ansible-role-nms/blob/main/vars/)** folder in the following files: + +| Name | Description | +| ---- | ----------- | +| **[`main.yml`](https://github.com/nginxinc/ansible-role-nms/blob/main/vars/main.yml)** | List of supported NMS installation variables | + +## Example Playbooks + +Working functional playbook examples can be found in the **[`molecule/`](https://github.com/nginxinc/ansible-role-nms/blob/main/molecule/)** folder in the following files: + +| Name | Description | +| ---- | ----------- | +| **[`default/converge.yml`](https://github.com/nginxinc/ansible-role-nms/blob/main/molecule/default/converge.yml)** | Install NGINX OSS and NMS | +| **[`plus/converge.yml`](https://github.com/nginxinc/ansible-role-nms/blob/main/molecule/plus/converge.yml)** | Install NGINX Plus and NMS | +| **[`upgrade/converge.yml`](https://github.com/nginxinc/ansible-role-nms/blob/main/molecule/upgrade/converge.yml)** | Upgrade NMS | + +Do note that if you install this repository via Ansible Galaxy, you will have to replace the role variable in the sample playbooks from `ansible-role-nms` to `nginxinc.nms`. + +## Other NGINX Ansible Collections and Roles + +You can find the Ansible NGINX Core collection of roles to install and configure NGINX Open Source, NGINX Plus, and NGINX App Protect [here](https://github.com/nginxinc/ansible-collection-nginx). + +You can find the Ansible NGINX configuration role to configure NGINX [here](https://github.com/nginxinc/ansible-role-nginx-config). 
+ +You can find the Ansible NGINX Unit role to install NGINX Unit [here](https://github.com/nginxinc/ansible-role-nginx-unit). ## License -[Apache License, Version 2.0](https://github.com/nginxinc/ansible-role-nginx-management-suite/blob/main/LICENSE) +[Apache License, Version 2.0](https://github.com/nginxinc/ansible-role-nms/blob/main/LICENSE) + +## Author Information + +[John Wong](https://github.com/jswongf5) + +[Alessandro Fael Garcia](https://github.com/alessfg) -© [F5 Networks, Inc.](https://www.f5.com/) 2022 +© [F5, Inc.](https://www.f5.com/) 2023 diff --git a/SECURITY.md b/SECURITY.md deleted file mode 100644 index 3d44ccb..0000000 --- a/SECURITY.md +++ /dev/null @@ -1,14 +0,0 @@ -# Security Policy - -## Latest Versions - -We advise users to run or update to the most recent release of the ansible_role_nginx_management_suite. Older versions of the ansible_role_nginx_management_suite may not have all enhancements and/or bug fixes applied to them. - -## Reporting a Vulnerability - -The F5 Security Incident Response Team (F5 SIRT) has an email alias that makes it easy to report potential security vulnerabilities. - -* If you’re an F5 customer with an active support contract, please contact [F5 Technical Support](https://www.f5.com/services/support). -* If you aren’t an F5 customer, please report any potential or current instances of security vulnerabilities with any F5 product to the F5 Security Incident Response Team at F5SIRT@f5.com - -For more information visit [https://www.f5.com/services/support/report-a-vulnerability](https://www.f5.com/services/support/report-a-vulnerability) diff --git a/defaults/main.yml b/defaults/main.yml new file mode 100644 index 0000000..2fe6004 --- /dev/null +++ b/defaults/main.yml 
@@ -0,0 +1,30 @@
+---
+# To force a admin credential change. Disabled by default.
+nms_force_password: false
+
+# Initial NMS password
+nms_user_passwd: ''
+
+# Intiail NMS username
+nms_user_name: admin
+
+# Location where htpasswd file path
+nms_cred_path: /etc/nms/nginx/.htpasswd
+
+# NMS installation defaults to the latest version. You can specify a specific version using the proper glob
+# nms_version: 2.4.0*
+nms_version: ''
+
+# Clickhouse is an external database required for NMS. That is a third party app that changes fast. As a result, we are pinning it to version 22.9.2.7.
+## Clickhouse installation is enabled by default
+nms_clickhouse_install: true
+
+## If you want to use the latest, it can be commented out or specify a blank string.
+## nms_clickhouse_version: ''
+nms_clickhouse_version: '22.8.5.29'
+
+## Default to long term support. You can use either 'lts' or 'stable'.
+nms_clickhouse_release_kind: lts
+
+## By default, NMS certificates are removed by default
+nms_remove_certs: true
diff --git a/files/license/.gitkeep b/files/license/.gitkeep
new file mode 100644
index 0000000..e69de29
diff --git a/handlers/main.yml b/handlers/main.yml
new file mode 100644
index 0000000..09689df
--- /dev/null
+++ b/handlers/main.yml
@@ -0,0 +1,11 @@
+---
+- name: Restart NGINX Management Suite
+ ansible.builtin.systemd:
+ name: "{{ item }}"
+ state: restarted
+ loop: "{{ nms_services | flatten(levels=1) }}"
+
+- name: Restart NGINX
+ ansible.builtin.service:
+ name: nginx
+ state: restarted
diff --git a/meta/main.yml b/meta/main.yml
new file mode 100644
index 0000000..b37b6f3
--- /dev/null
+++ b/meta/main.yml
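Review bot: The comment above `nms_clickhouse_install` says ClickHouse is pinned to version 22.9.2.7, but the pin that follows is `nms_clickhouse_version: '22.8.5.29'`, so one of the two is stale and a reader trusting the comment expects a different build than the one installed. Reword it so it cannot drift again, e.g. `# ... As a result, we pin it to a known-good version (see nms_clickhouse_version below).`, and fix the two garbled comments: `# Initial NMS username` and `# Path to the htpasswd file holding the NMS admin credential`. `nms_setup` and `nms_state`, which tasks/nms/install-debian.yml reads, have no default here; if they are meant to live in vars/main.yml that is fine, otherwise they need a documented default. It is also worth saying at `nms_user_passwd: ''` that an empty value makes tasks/extras/nms-password.yml generate a random password and print it, so users know to capture it.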
@@ -0,0 +1,43 @@
+galaxy_info:
+ role_name: nms
+ author: nginxinc
+ description: Official Ansible role for installing NGINX Management Suite
+ company: F5, Inc.
+
+ license: Apache License, Version 2.0
+
+ min_ansible_version: "2.13"
+
+ platforms:
+ - name: Amazon Linux 2
+ versions:
+ - all
+ - name: Debian
+ versions:
+ - buster
+ - bullseye
+ - name: EL
+ versions:
+ - "7"
+ - "8"
+ - "9"
+ - name: Ubuntu
+ versions:
+ - bionic
+ - focal
+ - jammy
+
+ galaxy_tags:
+ - nms
+ - development
+ - install
+
+dependencies:
+ - role: nginxinc.nginx
+ tags:
+ - nms_nginx_prerequisite
+
+collections:
+ - ansible.posix
+ - community.crypto
+ - community.general
diff --git a/molecule/common/Dockerfile.j2 b/molecule/common/Dockerfile.j2
new file mode 100644
index 0000000..2f94e22
--- /dev/null
+++ b/molecule/common/Dockerfile.j2
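Review bot: `dependencies` pulls `nginxinc.nginx` with no `version:`, so every fresh install of this role resolves whatever Galaxy currently publishes for that role, while the README's requirements.yml pins every collection to an exact version. Pin it the same way, `- role: nginxinc.nginx` followed by `  version: "<pinned nginx role version>"` (placeholder for the maintainers to fill in), or add a comment stating why this dependency must track the latest release. The file also lacks the `---` document start that every other YAML file in this commit carries.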
@@ -0,0 +1,34 @@ +# Molecule managed + +{% if item.registry is defined %} +FROM {{ item.registry.url }}/{{ item.image }} +{% else %} +FROM {{ item.image }} +{% endif %} + +{% if item.env is defined %} +{% for var, value in item.env.items() %} +{% if value %} +ENV {{ var }} {{ value }} +{% endif %} +{% endfor %} +{% endif %} + +RUN \ + if [ $(command -v apt-get) ]; then \ + apt-get update \ + && DEBIAN_FRONTEND=noninteractive apt-get install -y aptitude bash curl dirmngr iproute2 python3 python3-apt procps sudo systemd systemd-sysv vim \ + && apt-get clean; \ + elif [ $(command -v dnf) ]; then \ + dnf makecache \ + && dnf --assumeyes install bash iproute sudo /usr/bin/dnf-3 /usr/bin/python3 /usr/bin/python3-config vim \ + && dnf clean all; \ + elif [ $(command -v yum) ]; then \ + yum makecache fast \ + && yum install -y bash iproute initscripts sudo /usr/bin/python /usr/bin/python2-config vim yum-plugin-ovl \ + && yum install -y http://mirror.centos.org/centos/7/os/x86_64/Packages/yum-plugin-copr-1.1.31-54.el7_8.noarch.rpm http://mirror.centos.org/centos/7/os/x86_64/Packages/libseccomp-2.3.1-4.el7.x86_64.rpm \ + && yum copr enable -y jsynacek/systemd-backports-for-centos-7 \ + && yum update --disableplugin=priorities -y systemd \ + && sed -i 's/plugins=0/plugins=1/g' /etc/yum.conf \ + && yum clean all; \ + fi diff --git a/molecule/default/converge.yml b/molecule/default/converge.yml new file mode 100644 index 0000000..43d6606 --- /dev/null +++ b/molecule/default/converge.yml @@ -0,0 +1,16 @@ +--- +- name: Converge + hosts: all + tasks: + - name: Install NMS + ansible.builtin.include_role: + name: ansible-role-nms + vars: + nms_setup: install + nms_user_passwd: 'Password123' + nginx_selinux: true + nginx_selinux_enforcing: false + nms_remove_certs: false + nginx_license: + certificate: license/nginx-repo.crt + key: license/nginx-repo.key diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml new file mode 100644 index 0000000..9582aaf 
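Review bot: In the `yum` branch of the `RUN` step the two CentOS 7 RPMs (`yum-plugin-copr` and `libseccomp`) are pulled from `http://mirror.centos.org/...` and installed by URL; yum's `localpkg_gpgcheck` is off by default, so nothing verifies those packages, and plain HTTP means the download itself can be altered in transit. Change the two URLs to `https://`, and install `yum-plugin-copr` from a configured, signature-checked repository instead of by URL if it is available there. A one-line comment above the `copr enable` line saying why a systemd backport is needed (presumably so `/usr/sbin/init` can run as PID 1 under Molecule — confirm) would save the next reader a search.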
--- /dev/null +++ b/molecule/default/molecule.yml 
@@ -0,0 +1,121 @@ +--- +driver: + name: docker +lint: | + set -e + ansible-lint --force-color . +platforms: + - name: amazonlinux-2 + image: amazonlinux:2 + platform: x86_64 + dockerfile: ../common/Dockerfile.j2 + privileged: true + cgroupns_mode: host + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:rw + command: /usr/sbin/init + - name: oraclelinux-7 + image: oraclelinux:7 + platform: x86_64 + dockerfile: ../common/Dockerfile.j2 + privileged: true + cgroupns_mode: host + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:rw + command: /usr/sbin/init + - name: oraclelinux-8 + image: oraclelinux:8 + platform: x86_64 + dockerfile: ../common/Dockerfile.j2 + privileged: true + cgroupns_mode: host + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:rw + command: /usr/sbin/init + - name: centos-7 + image: centos:7 + platform: x86_64 + dockerfile: ../common/Dockerfile.j2 + privileged: true + cgroupns_mode: host + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:rw + command: /usr/sbin/init + - name: rhel-7 + image: registry.access.redhat.com/ubi7/ubi:7.9 + platform: x86_64 + dockerfile: ../common/Dockerfile.j2 + privileged: true + cgroupns_mode: host + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:rw + command: /usr/sbin/init + - name: rhel-8 + image: redhat/ubi8:8.7 + dockerfile: ../common/Dockerfile.j2 + privileged: true + platform: x86_64 + cgroupns_mode: host + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:rw + command: /usr/sbin/init + - name: rhel-9 + image: redhat/ubi9:9.1.0 + platform: x86_64 + dockerfile: ../common/Dockerfile.j2 + privileged: true + cgroupns_mode: host + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:rw + command: /usr/sbin/init + - name: debian-buster + image: debian:buster-slim + platform: x86_64 + dockerfile: ../common/Dockerfile.j2 + privileged: true + cgroupns_mode: host + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:rw + command: /sbin/init + - name: debian-bullseye + image: debian:bullseye-slim + platform: x86_64 + dockerfile: ../common/Dockerfile.j2 + privileged: true + 
cgroupns_mode: host + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:rw + command: /sbin/init + - name: ubuntu-bionic + image: ubuntu:bionic + platform: x86_64 + dockerfile: ../common/Dockerfile.j2 + privileged: true + cgroupns_mode: host + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:rw + command: /sbin/init + - name: ubuntu-focal + image: ubuntu:focal + platform: x86_64 + dockerfile: ../common/Dockerfile.j2 + privileged: true + cgroupns_mode: host + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:rw + command: /sbin/init + - name: ubuntu-jammy + image: ubuntu:jammy + platform: x86_64 + dockerfile: ../common/Dockerfile.j2 + privileged: true + cgroupns_mode: host + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:rw + command: /sbin/init +provisioner: + name: ansible + playbooks: + prepare: prepare.yml + converge: converge.yml + verify: verify.yml diff --git a/molecule/default/prepare.yml b/molecule/default/prepare.yml new file mode 100644 index 0000000..42445dd --- /dev/null +++ b/molecule/default/prepare.yml @@ -0,0 +1,18 @@ +--- +- name: Prepare + hosts: localhost + gather_facts: false + tasks: + - name: Create ephemeral license certificate file from b64 decoded env var # noqa template-instead-of-copy + ansible.builtin.copy: + content: "{{ lookup('env', 'NGINX_CRT') | b64decode }}" + dest: ../../files/license/nginx-repo.crt + force: false + mode: "0444" + + - name: Create ephemeral license key file from b64 decoded env var # noqa template-instead-of-copy + ansible.builtin.copy: + content: "{{ lookup('env', 'NGINX_KEY') | b64decode }}" + dest: ../../files/license/nginx-repo.key + force: false + mode: "0444" diff --git a/molecule/default/verify.yml b/molecule/default/verify.yml new file mode 100644 index 0000000..7552fd4 --- /dev/null +++ b/molecule/default/verify.yml 
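Review bot: The `rhel-8` platform entry orders its keys `dockerfile`, `privileged`, `platform`, while every other entry in this file and in plus/molecule.yml and upgrade/molecule.yml uses `platform`, `dockerfile`, `privileged`; reorder it to match so the three scenario files diff cleanly against each other. Those three files are otherwise near-identical copies, so a comment at the top of each (`# Keep the platform list in sync with the other molecule/*/molecule.yml files`) would remind editors to change all of them together. upgrade/molecule.yml also omits the `rhel-9` platform the other two scenarios test; if that is deliberate, say so in a comment there.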
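Review bot: The second task writes the decoded NGINX Plus repository private key to `files/license/nginx-repo.key` with `mode: "0444"`, which leaves a credential readable by every local user on the controller or CI runner; `mode: "0400"` is all the role needs to read it, and the certificate task can stay as it is. The same task appears in plus/prepare.yml and upgrade/prepare.yml. `force: false` also means an existing file silently wins over the environment variable, which is convenient for local runs but hides a stale key in CI, so add a comment stating that trade-off. The commit adds only a `.gitkeep` under `files/license/`; confirm the decoded certificate and key are git-ignored so they cannot be committed by accident.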
@@ -0,0 +1,45 @@ +--- +- name: Verify + hosts: all + tasks: + - name: Check if NGINX is installed + ansible.builtin.package: + name: nginx + state: present + check_mode: true + register: install + failed_when: (install is changed) or (install is failed) + + - name: Check if NGINX service is running + ansible.builtin.service: + name: nginx + state: started + enabled: true + check_mode: true + register: service + failed_when: (service is changed) or (service is failed) + + - name: Verify NGINX is up and running + ansible.builtin.uri: + url: http://localhost + status_code: 200 + + - name: Check if NGINX Management Suite services are installed + ansible.builtin.systemd: + name: "{{ item }}" + state: started + check_mode: true + register: install + failed_when: (install is changed) or (install is failed) + loop: + - nms + - nms-core + - nms-dpm + - nms-ingestion + - nms-integrations + + - name: Verify NGINX Management Suite is up and running + ansible.builtin.uri: + url: https://localhost + status_code: 200 + validate_certs: false diff --git a/molecule/plus/converge.yml b/molecule/plus/converge.yml new file mode 100644 index 0000000..71c0527 --- /dev/null +++ b/molecule/plus/converge.yml @@ -0,0 +1,18 @@ +--- +- name: Converge + hosts: all + tasks: + - name: Install NMS + ansible.builtin.include_role: + name: ansible-role-nms + vars: + nms_setup: install + nms_user_passwd: 'Password123' + nginx_selinux: true + nginx_selinux_enforcing: false + nginx_type: plus + nms_remove_certs: false + nginx_remove_license: false + nginx_license: + certificate: license/nginx-repo.crt + key: license/nginx-repo.key diff --git a/molecule/plus/molecule.yml b/molecule/plus/molecule.yml new file mode 100644 index 0000000..118e910 --- /dev/null +++ b/molecule/plus/molecule.yml 
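Review bot: The final `uri` task checks `https://localhost` with `validate_certs: false` and no comment, so a reader cannot tell whether this is deliberate (presumably a self-signed certificate installed by the role) or an oversight; add `# NMS is presumably installed with a self-signed certificate; this check verifies liveness, not TLS trust — confirm` above it. The same pattern is in plus/verify.yml and upgrade/verify.yml. Separately, `register: install` is reused by the package check and by the systemd loop; give the loop its own name (`register: nms_services_state`) so a failure points at the right task. The literal service list duplicates the `nms_services` variable that handlers/main.yml loops over, though role vars are not loaded in the verify play unless the role is included, so it may have to stay a literal list.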
@@ -0,0 +1,121 @@ +--- +driver: + name: docker +lint: | + set -e + ansible-lint --force-color . +platforms: + - name: amazonlinux-2 + image: amazonlinux:2 + platform: x86_64 + dockerfile: ../common/Dockerfile.j2 + privileged: true + cgroupns_mode: host + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:rw + command: /usr/sbin/init + - name: oraclelinux-7 + image: oraclelinux:7 + platform: x86_64 + dockerfile: ../common/Dockerfile.j2 + privileged: true + cgroupns_mode: host + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:rw + command: /usr/sbin/init + - name: oraclelinux-8 + image: oraclelinux:8 + platform: x86_64 + dockerfile: ../common/Dockerfile.j2 + privileged: true + cgroupns_mode: host + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:rw + command: /usr/sbin/init + - name: centos-7 + image: centos:7 + platform: x86_64 + dockerfile: ../common/Dockerfile.j2 + privileged: true + cgroupns_mode: host + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:rw + command: /usr/sbin/init + - name: rhel-7 + image: registry.access.redhat.com/ubi7/ubi:7.9 + platform: x86_64 + dockerfile: ../common/Dockerfile.j2 + privileged: true + cgroupns_mode: host + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:rw + command: /usr/sbin/init + - name: rhel-8 + image: redhat/ubi8:8.7 + platform: x86_64 + dockerfile: ../common/Dockerfile.j2 + privileged: true + cgroupns_mode: host + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:rw + command: /usr/sbin/init + - name: rhel-9 + image: redhat/ubi9:9.1.0 + platform: x86_64 + dockerfile: ../common/Dockerfile.j2 + privileged: true + cgroupns_mode: host + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:rw + command: /usr/sbin/init + - name: debian-buster + image: debian:buster-slim + platform: x86_64 + dockerfile: ../common/Dockerfile.j2 + privileged: true + cgroupns_mode: host + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:rw + command: /sbin/init + - name: debian-bullseye + image: debian:bullseye-slim + platform: x86_64 + dockerfile: ../common/Dockerfile.j2 + privileged: true + 
cgroupns_mode: host + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:rw + command: /sbin/init + - name: ubuntu-bionic + image: ubuntu:bionic + platform: x86_64 + dockerfile: ../common/Dockerfile.j2 + privileged: true + cgroupns_mode: host + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:rw + command: /sbin/init + - name: ubuntu-focal + image: ubuntu:focal + platform: x86_64 + dockerfile: ../common/Dockerfile.j2 + privileged: true + cgroupns_mode: host + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:rw + command: /sbin/init + - name: ubuntu-jammy + image: ubuntu:jammy + platform: x86_64 + dockerfile: ../common/Dockerfile.j2 + privileged: true + cgroupns_mode: host + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:rw + command: /sbin/init +provisioner: + name: ansible + playbooks: + prepare: prepare.yml + converge: converge.yml + verify: verify.yml diff --git a/molecule/plus/prepare.yml b/molecule/plus/prepare.yml new file mode 100644 index 0000000..42445dd --- /dev/null +++ b/molecule/plus/prepare.yml @@ -0,0 +1,18 @@ +--- +- name: Prepare + hosts: localhost + gather_facts: false + tasks: + - name: Create ephemeral license certificate file from b64 decoded env var # noqa template-instead-of-copy + ansible.builtin.copy: + content: "{{ lookup('env', 'NGINX_CRT') | b64decode }}" + dest: ../../files/license/nginx-repo.crt + force: false + mode: "0444" + + - name: Create ephemeral license key file from b64 decoded env var # noqa template-instead-of-copy + ansible.builtin.copy: + content: "{{ lookup('env', 'NGINX_KEY') | b64decode }}" + dest: ../../files/license/nginx-repo.key + force: false + mode: "0444" diff --git a/molecule/plus/verify.yml b/molecule/plus/verify.yml new file mode 100644 index 0000000..ad97b89 --- /dev/null +++ b/molecule/plus/verify.yml 
@@ -0,0 +1,45 @@ +--- +- name: Verify + hosts: all + tasks: + - name: Check if NGINX Plus is installed + ansible.builtin.package: + name: nginx-plus + state: present + check_mode: true + register: install + failed_when: (install is changed) or (install is failed) + + - name: Check if NGINX service is running + ansible.builtin.service: + name: nginx + state: started + enabled: true + check_mode: true + register: service + failed_when: (service is changed) or (service is failed) + + - name: Verify NGINX is up and running + ansible.builtin.uri: + url: http://localhost + status_code: 200 + + - name: Check if NGINX Management Suite services are installed + ansible.builtin.systemd: + name: "{{ item }}" + state: started + check_mode: true + register: install + failed_when: (install is changed) or (install is failed) + loop: + - nms + - nms-core + - nms-dpm + - nms-ingestion + - nms-integrations + + - name: Verify NGINX Management Suite is up and running + ansible.builtin.uri: + url: https://localhost + status_code: 200 + validate_certs: false diff --git a/molecule/upgrade/converge.yml b/molecule/upgrade/converge.yml new file mode 100644 index 0000000..9e3fae9 --- /dev/null +++ b/molecule/upgrade/converge.yml @@ -0,0 +1,15 @@ +--- +- name: Converge + hosts: all + tasks: + - name: Upgrade NMS + ansible.builtin.include_role: + name: ansible-role-nms + vars: + nms_setup: upgrade + nms_user_passwd: 'Password123' + nms_remove_certs: false + nginx_remove_license: false + nginx_license: + certificate: license/nginx-repo.crt + key: license/nginx-repo.key diff --git a/molecule/upgrade/molecule.yml b/molecule/upgrade/molecule.yml new file mode 100644 index 0000000..896f0fa --- /dev/null +++ b/molecule/upgrade/molecule.yml 
@@ -0,0 +1,112 @@ +--- +driver: + name: docker +lint: | + set -e + ansible-lint --force-color . +platforms: + - name: amazonlinux-2 + image: amazonlinux:2 + platform: x86_64 + dockerfile: ../common/Dockerfile.j2 + privileged: true + cgroupns_mode: host + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:rw + command: /usr/sbin/init + - name: oraclelinux-7 + image: oraclelinux:7 + platform: x86_64 + dockerfile: ../common/Dockerfile.j2 + privileged: true + cgroupns_mode: host + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:rw + command: /usr/sbin/init + - name: oraclelinux-8 + image: oraclelinux:8 + platform: x86_64 + dockerfile: ../common/Dockerfile.j2 + privileged: true + cgroupns_mode: host + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:rw + command: /usr/sbin/init + - name: centos-7 + image: centos:7 + platform: x86_64 + dockerfile: ../common/Dockerfile.j2 + privileged: true + cgroupns_mode: host + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:rw + command: /usr/sbin/init + - name: rhel-7 + image: registry.access.redhat.com/ubi7/ubi:7.9 + platform: x86_64 + dockerfile: ../common/Dockerfile.j2 + privileged: true + cgroupns_mode: host + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:rw + command: /usr/sbin/init + - name: rhel-8 + image: redhat/ubi8:8.7 + platform: x86_64 + dockerfile: ../common/Dockerfile.j2 + privileged: true + cgroupns_mode: host + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:rw + command: /usr/sbin/init + - name: debian-buster + image: debian:buster-slim + platform: x86_64 + dockerfile: ../common/Dockerfile.j2 + privileged: true + cgroupns_mode: host + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:rw + command: /sbin/init + - name: debian-bullseye + image: debian:bullseye-slim + platform: x86_64 + dockerfile: ../common/Dockerfile.j2 + privileged: true + cgroupns_mode: host + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:rw + command: /sbin/init + - name: ubuntu-bionic + image: ubuntu:bionic + platform: x86_64 + dockerfile: ../common/Dockerfile.j2 + privileged: true + 
cgroupns_mode: host + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:rw + command: /sbin/init + - name: ubuntu-focal + image: ubuntu:focal + platform: x86_64 + dockerfile: ../common/Dockerfile.j2 + privileged: true + cgroupns_mode: host + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:rw + command: /sbin/init + - name: ubuntu-jammy + image: ubuntu:jammy + platform: x86_64 + dockerfile: ../common/Dockerfile.j2 + privileged: true + cgroupns_mode: host + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:rw + command: /sbin/init +provisioner: + name: ansible + playbooks: + prepare: prepare.yml + converge: converge.yml + verify: verify.yml diff --git a/molecule/upgrade/prepare.yml b/molecule/upgrade/prepare.yml new file mode 100644 index 0000000..0e433f7 --- /dev/null +++ b/molecule/upgrade/prepare.yml @@ -0,0 +1,36 @@ +--- +- name: Prepare License + hosts: localhost + gather_facts: false + tasks: + - name: Create ephemeral license certificate file from b64 decoded env var # noqa template-instead-of-copy + ansible.builtin.copy: + content: "{{ lookup('env', 'NGINX_CRT') | b64decode }}" + dest: ../../files/license/nginx-repo.crt + force: false + mode: "0444" + + - name: Create ephemeral license key file from b64 decoded env var # noqa template-instead-of-copy + ansible.builtin.copy: + content: "{{ lookup('env', 'NGINX_KEY') | b64decode }}" + dest: ../../files/license/nginx-repo.key + force: false + mode: "0444" + +- name: Prepare NMS + hosts: all + tasks: + - name: Install NMS + ansible.builtin.include_role: + name: ansible-role-nms + vars: + nms_version: 2.4.0* + nms_setup: install + nms_user_passwd: 'Password123' + nginx_selinux: true + nginx_selinux_enforcing: false + nginx_remove_license: false + nms_remove_certs: false + nginx_license: + certificate: license/nginx-repo.crt + key: license/nginx-repo.key diff --git a/molecule/upgrade/verify.yml b/molecule/upgrade/verify.yml new file mode 100644 index 0000000..0689135 --- /dev/null +++ b/molecule/upgrade/verify.yml 
@@ -0,0 +1,51 @@ +--- +- name: Verify + hosts: all + tasks: + - name: Check if NGINX is installed + ansible.builtin.package: + name: nginx + state: present + check_mode: true + register: install + failed_when: (install is changed) or (install is failed) + + - name: Check if NGINX service is running + ansible.builtin.service: + name: nginx + state: started + enabled: true + check_mode: true + register: service + failed_when: (service is changed) or (service is failed) + + - name: Verify NGINX is up and running + ansible.builtin.uri: + url: http://localhost + status_code: 200 + + - name: Check if NGINX Management Suite services are installed + ansible.builtin.systemd: + name: "{{ item }}" + state: started + check_mode: true + register: install + failed_when: (install is changed) or (install is failed) + loop: + - nms + - nms-core + - nms-dpm + - nms-ingestion + - nms-integrations + + - name: Verify NGINX Management Suite is up and running + ansible.builtin.uri: + url: https://localhost + status_code: 200 + validate_certs: false + + - name: Verify correct version of NGINX has been installed + ansible.builtin.package_facts: + manager: auto + register: output + failed_when: output.ansible_facts.packages['nms-instance-manager'][0]['version'] is search('2.4.0') diff --git a/tasks/clickhouse/install-debian.yml b/tasks/clickhouse/install-debian.yml new file mode 100644 index 0000000..5dfa4a6 --- /dev/null +++ b/tasks/clickhouse/install-debian.yml 
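Review bot: The last task's name says NGINX but it inspects `nms-instance-manager`, and `failed_when: ... is search('2.4.0')` only proves the package is no longer a 2.4.0 build — it passes for any other version, and the unescaped dots also match strings such as `2x4y0`. Rename it `- name: Verify NGINX Instance Manager was upgraded past 2.4.0`, escape the pattern (`is search('2\.4\.0')`), and if the expected target version is known at test time assert it with the `version` test instead of a negative match.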
@@ -0,0 +1,29 @@ +--- +- name: (Debian/Ubuntu) Install required packages for ClickHouse + ansible.builtin.apt: + pkg: "{{ nms_clickhouse_debian_dependencies }}" + +- name: (Debian/Ubuntu) Add an apt key by id from a keyserver + ansible.builtin.apt_key: + keyserver: "{{ nms_clickhouse_apt_keyserver }}" + id: "{{ nms_clickhouse_apt_id }}" + +- name: (Debian/Ubuntu) Add Clickhouse repository to APT sources list + ansible.builtin.apt_repository: + repo: "{{ nms_clickhouse_apt_repo }}" + state: present + filename: clickhouse + +- name: (Debian/Ubuntu) Install ClickHouse + ansible.builtin.apt: + pkg: + - "clickhouse-server{{ (nms_clickhouse_version is not defined or nms_clickhouse_version == '') | ternary('', '=' + nms_clickhouse_version) }}" + - "clickhouse-client{{ (nms_clickhouse_version is not defined or nms_clickhouse_version == '') | ternary('', '=' + nms_clickhouse_version) }}" + - "clickhouse-common-static{{ (nms_clickhouse_version is not defined or nms_clickhouse_version == '') | ternary('', '=' + nms_clickhouse_version) }}" + update_cache: true + +- name: (Debian/Ubuntu) Start and enable ClickHouse + ansible.builtin.service: + state: started + name: clickhouse-server + enabled: true diff --git a/tasks/clickhouse/install-redhat.yml b/tasks/clickhouse/install-redhat.yml new file mode 100644 index 0000000..d39f45d --- /dev/null +++ b/tasks/clickhouse/install-redhat.yml 
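Review bot: The second task trusts the ClickHouse signing key via `ansible.builtin.apt_key` from a keyserver, which places the key in the global apt keyring (so it can sign any repository, not only ClickHouse) and relies on `apt-key`, which Debian 11 and Ubuntu 22.04 — both in the platform list — deprecate. Fetch the key over HTTPS into `/usr/share/keyrings` and bind it to the repository with `signed-by=` instead; the key URL and repository variables below are placeholders for the maintainers to fill in from the ClickHouse documentation. Because `nms_clickhouse_apt_repo` would need the `signed-by` option spliced in, the fence rewrites the repository task as well.
```yaml
- name: (Debian/Ubuntu) Fetch the ClickHouse signing key into a dedicated keyring
  ansible.builtin.get_url:
    url: "{{ nms_clickhouse_apt_key_url }}"  # placeholder: HTTPS URL of the ClickHouse repo key, to be defined in vars/main.yml
    dest: /usr/share/keyrings/clickhouse-keyring.asc
    mode: "0644"

- name: (Debian/Ubuntu) Add Clickhouse repository to APT sources list
  ansible.builtin.apt_repository:
    repo: "deb [signed-by=/usr/share/keyrings/clickhouse-keyring.asc] {{ nms_clickhouse_apt_repo_base }}"  # placeholder: repo URL and suite split out of nms_clickhouse_apt_repo
    state: present
    filename: clickhouse

# … unchanged: install ClickHouse packages, start and enable clickhouse-server …
```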
@@ -0,0 +1,26 @@ +--- +- name: (Amazon Linux/CentOS/Oracle Linux/RHEL) Install required packages for ClickHouse + ansible.builtin.yum: + name: "{{ nms_clickhouse_redhat_dependencies }}" + +- name: (Amazon Linux/CentOS/Oracle Linux/RHEL) Add ClickHouse Repository + ansible.builtin.yum_repository: + name: clickhouse + description: "Clickhouse repo" + baseurl: "{{ nms_clickhouse_yum_repo }}" + gpgcheck: false + enabled: true + tags: [install] + +- name: (Amazon Linux/CentOS/Oracle Linux/RHEL) Install ClickHouse + ansible.builtin.yum: + name: + - "clickhouse-server{{ (nms_clickhouse_version is not defined or nms_clickhouse_version == '') | ternary('', '-' + nms_clickhouse_version) }}" + - "clickhouse-client{{ (nms_clickhouse_version is not defined or nms_clickhouse_version == '') | ternary('', '-' + nms_clickhouse_version) }}" + disable_gpg_check: true + +- name: (Amazon Linux/CentOS/Oracle Linux/RHEL) Start and enable ClickHouse + ansible.builtin.service: + state: started + name: clickhouse-server + enabled: true diff --git a/tasks/extras/nms-password.yml b/tasks/extras/nms-password.yml new file mode 100644 index 0000000..6250b42 --- /dev/null +++ b/tasks/extras/nms-password.yml 
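Review bot: The repository is added with `gpgcheck: false` and the packages are installed with `disable_gpg_check: true`, so on the RHEL family ClickHouse is installed with no signature verification at all, while the Debian task in the same commit does import a signing key. Set `gpgcheck: true`, add `gpgkey: "<CLICKHOUSE_RPM_KEY_URL>"` (placeholder for the published ClickHouse RPM key, fetched over HTTPS) to the `yum_repository` task, and drop `disable_gpg_check` from the install task. `tags: [install]` on the repository task is also dead: `--tags install` skips the `include_tasks` in tasks/main.yml (tagged `nms_install_db`) before this file is ever loaded, and the name breaks the `nms_` prefix convention, so remove it or align it with the include's tag.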
@@ -0,0 +1,28 @@ +--- +- name: Install 'passlib' pip package + ansible.builtin.pip: + name: passlib + tags: + - nms_config_password + +- name: Generate a random string with 1 lower, 1 upper, 1 number and 1 special char (atleast) + when: nms_force_password | bool or nms_install_state is defined and nms_install_state.changed | bool + tags: + - nms_config_password + block: + - name: Generate 'nms_user_passwd' + ansible.builtin.set_fact: + nms_user_passwd: "{{ (nms_user_passwd | length > 0) | ternary(nms_user_passwd, lookup('community.general.random_string', override_special='!#$%&()*+,-./:;<=>?@[]^_{|}~', min_lower=1, min_upper=1, min_special=1, min_numeric=1, length=12)) }}" + + - name: Add a user to a password file and ensure permissions are set + community.general.htpasswd: + path: "{{ nms_cred_path }}" + name: "{{ nms_user_name }}" + password: "{{ nms_user_passwd }}" + mode: "0644" + notify: + - Restart NGINX Management Suite + + - name: Login credentials + ansible.builtin.debug: + msg: "The login for {{ ansible_host }}: {{ nms_user_name }} / {{ nms_user_passwd }}" diff --git a/tasks/main.yml b/tasks/main.yml new file mode 100644 index 0000000..9983c34 --- /dev/null +++ b/tasks/main.yml 
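Review bot: The last task prints the admin password in clear text through `ansible.builtin.debug`, and the `set_fact` that generates it has no `no_log`, so the credential lands in the controller's stdout, in any CI job log, and in whatever a result-recording callback plugin writes. Add `no_log: true` to the `set_fact` and `htpasswd` tasks (the module may already mask its `password` argument, but the explicit flag documents the intent) and either drop the debug task or gate it with `verbosity: 1` plus a comment that it is for interactive runs only. The htpasswd file is written with `mode: "0644"`; it holds only a hash, but presumably only the web server needs to read it, so `0640` with the right group would be tighter — confirm which user reads it. `ansible.builtin.pip: name: passlib` installs an unpinned package from PyPI on every target at run time; pin it (`name: passlib==<pinned version>`) or comment on why a floating version is acceptable here.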
@@ -0,0 +1,35 @@
+---
+- name: Validate NGINX Management Suite
+ ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate/validate.yml"
+ tags:
+ - nms_validate
+
+- name: Setup NGINX Management Suite prerequisites
+ ansible.builtin.include_tasks: "{{ role_path }}/tasks/prerequisites/prereq-{{ ansible_facts['os_family'] | lower }}.yml"
+ tags:
+ - nms_setup_certs
+
+- name: Install ClickHouse
+ ansible.builtin.include_tasks: "{{ role_path }}/tasks/clickhouse/install-{{ ansible_facts['os_family'] | lower }}.yml"
+ when: nms_clickhouse_install | bool
+ tags:
+ - nms_install_db
+
+- name: Install NGINX Management Suite
+ ansible.builtin.include_tasks: "{{ role_path }}/tasks/nms/install-{{ ansible_facts['os_family'] | lower }}.yml"
+ tags:
+ - install_nms
+
+- name: Create NMS password
+ ansible.builtin.include_tasks: "{{ role_path }}/tasks/extras/nms-password.yml"
+ tags:
+ - nms_config_password
+
+- name: Remove NMS Certificates
+ ansible.builtin.include_tasks: "{{ role_path }}/tasks/nms/remove-certs.yml"
+ when: nms_remove_certs | bool
+ tags:
+ - nms_cleanup
+
+- name: Restart NGINX Services (if needed)
+ ansible.builtin.meta: flush_handlers
diff --git a/tasks/nms/install-debian.yml b/tasks/nms/install-debian.yml
new file mode 100644
index 0000000..1b3c1d0
--- /dev/null
+++ b/tasks/nms/install-debian.yml
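Review bot: Every step is an `ansible.builtin.include_tasks` with `tags`, but tags on an include statement apply only to the include itself — the tasks inside the included file do not inherit them — so `ansible-playbook --tags nms_install_db` runs the include and then skips every untagged task in tasks/clickhouse/install-*.yml (`--skip-tags` does work, since it drops the whole include). If tag-based partial runs are intended, add `apply:` with the same tags to each include, e.g. `apply:` followed by `  tags: [nms_install_db]`; if they are not, state that in a comment at the top of the file so nobody relies on them. `install_nms` also breaks the `nms_` prefix convention used by every other tag here; rename it `nms_install`.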
@@ -0,0 +1,36 @@
+---
+- name: (Debian/Ubuntu) {{ (nms_cleanup_status is defined) | ternary('Remove', 'Configure') }} NGINX Management Suite Apt repository
+ ansible.builtin.apt_repository:
+ repo: "{{ nms_debian_signing_key_repo }}"
+ state: "{{ nms_cleanup_status | default((nms_setup == 'uninstall') | ternary('absent', 'present')) }}"
+ update_cache: false
+ filename: nms
+
+- name: (Debian/Ubuntu) {{ nms_cleanup_status is defined | ternary('Remove', 'Configure') }} NGINX Plus license verification
+ ansible.builtin.blockinfile:
+ path: /etc/apt/apt.conf.d/90nginx
+ create: true
+ block: |
+ Acquire::https::{{ (nginx_repository | default(nginx_plus_default_repository_debian)) | regex_search('(?<=https://)[^/]*') }}::Verify-Peer "true";
+ Acquire::https::{{ (nginx_repository | default(nginx_plus_default_repository_debian)) | regex_search('(?<=https://)[^/]*') }}::Verify-Host "true";
+ Acquire::https::{{ (nginx_repositorynsibl | default(nginx_plus_default_repository_debian)) | regex_search('(?<=https://)[^/]*') }}::SslCert "/etc/ssl/nginx/nginx-repo.crt";
+ Acquire::https::{{ (nginx_repository | default(nginx_plus_default_repository_debian)) | regex_search('(?<=https://)[^/]*') }}::SslKey "/etc/ssl/nginx/nginx-repo.key";
+ state: "{{ nms_cleanup_status | default((nms_setup == 'uninstall') | ternary('absent', 'present')) }}"
+ mode: "0444"
+
+- name: (Debian/Ubuntu) {{ nms_setup | capitalize }} NGINX Instance Manager
+ ansible.builtin.apt:
+ name: "nms-instance-manager{{ (nms_version is not defined or nms_version == '') | ternary('', '=' + nms_version) }}"
+ update_cache: true
+ allow_downgrade: "{{ omit if ansible_version.full is version('2.12', '<') else true }}"
+ state: "{{ nms_state }}"
+ register: nms_install_state
+ when: nms_cleanup_status is not defined
+
+- name: (Debian/Ubuntu) Make sure NGINX Instance Manager is running
+ ansible.builtin.systemd:
+ state: started
+ name: nms
+ enabled: true
+ notify: Restart NGINX
+ when: nms_cleanup_status is not defined
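Review bot: The `SslCert` line of the 90nginx block references `nginx_repositorynsibl`, a typo for `nginx_repository`, so an operator who overrides `nginx_repository` gets the SslCert directive generated for the host in `nginx_plus_default_repository_debian` while the three sibling directives use the custom host, leaving apt with a key but no certificate for the custom mirror. Change it to `Acquire::https::{{ (nginx_repository | default(nginx_plus_default_repository_debian)) | regex_search('(?<=https://)[^/]*') }}::SslCert "/etc/ssl/nginx/nginx-repo.crt";`. The host expression is repeated four times; computing it once in a task-level `vars:` entry would make this class of mismatch impossible to reintroduce. The second task's name also omits the parentheses around `nms_cleanup_status is defined` that the first task uses; Jinja applies the filter to the result of the test so it still renders correctly, but the two forms should agree.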
diff --git a/tasks/nms/install-redhat.yml b/tasks/nms/install-redhat.yml
new file mode 100644
index 0000000..5bd724c
--- /dev/null
+++ b/tasks/nms/install-redhat.yml
@@ -0,0 +1,59 @@
+---
+- name: (CentOS/Oracle Linux/RHEL) {{ (nms_cleanup_status is defined) | ternary('Remove', 'Configure') }} NGINX Management Suite Yum repository
+ ansible.builtin.yum_repository:
+ name: nms
+ description: NGINX Management Suite
+ baseurl: "{{ nms_centos_yum_repo }}"
+ enabled: true
+ gpgcheck: "{{ omit if nms_gpgcheck is not defined else nms_gpgcheck }}"
+ sslclientcert: "/etc/ssl/nginx/nginx-repo.crt"
+ sslclientkey: "/etc/ssl/nginx/nginx-repo.key"
+ state: "{{ nms_cleanup_status | default('present') }}"
+ when: ansible_facts['distribution'] != "Amazon"
+
+- name: (Amazon) {{ (nms_cleanup_status is defined) | ternary('Remove', 'Configure') }} NGINX Management Suite Yum repository
+ ansible.builtin.yum_repository:
+ name: nms
+ description: NGINX Management Suite
+ baseurl: "{{ nms_amazon_yum_repo }}"
+ enabled: true
+ gpgcheck: "{{ omit if nms_gpgcheck is not defined else nms_gpgcheck }}"
+ sslclientcert: "/etc/ssl/nginx/nginx-repo.crt"
+ sslclientkey: "/etc/ssl/nginx/nginx-repo.key"
+ state: "{{ nms_cleanup_status | default('present') }}"
+ when: ansible_facts['distribution'] == "Amazon"
+
+- name: (Amazon Linux/CentOS/Oracle Linux/RHEL) {{ nms_setup | capitalize }} NGINX Instance Manager
+ ansible.builtin.yum:
+ name: "nms-instance-manager{{ (nms_version is not defined or nms_version == '') | ternary('', '-' + nms_version) }}"
+ update_cache: true
+ allow_downgrade: "{{ omit if ansible_version.full is version('2.12', '<') else true }}"
+ state: "{{ nms_state }}"
+ update_only: "{{ nms_setup | lower == 'upgrade' }}"
+ register: nms_install_state
+ when: nms_cleanup_status is not defined
+
+- name: (Amazon Linux/CentOS/Oracle Linux/RHEL) Make sure NGINX Management Suite is running
+ ansible.builtin.systemd:
+ state: started
+ name: "{{ item }}"
+ enabled: true
+ notify: Restart NGINX
+ loop: "{{ nms_services | flatten(levels=1) }}"
+ when: nms_cleanup_status is not defined
+
+- name: (Amazon Linux/CentOS/Oracle Linux/RHEL) Get list of installed packages
+ ansible.builtin.yum:
+ list: installed
+ register: firewalld_status
+
+- name: (Amazon Linux/CentOS/Oracle Linux/RHEL) Permit traffic in default zone for https and http service if 'firewalld' is installed
+ ansible.posix.firewalld:
+ service: "{{ item }}"
+ permanent: true
+ immediate: true
+ state: enabled
+ when: nms_cleanup_status is not defined and 'firewalld' in (firewalld_status.results | map(attribute='name') | list)
+ loop:
+ - https
+ - http
diff --git a/tasks/nms/remove-certs.yml b/tasks/nms/remove-certs.yml
new file mode 100644
index 0000000..b22f5f2
--- /dev/null
+++ b/tasks/nms/remove-certs.yml
@@ -0,0 +1,18 @@
+---
+- name: Set 'nms_cleanup_status' state to absent
+ ansible.builtin.set_fact:
+ nms_cleanup_status: absent
+ tags:
+ - nms_cleanup
+
+- name: (Debian/Red Hat) Delete NGINX Management Suite SSL Certs
+ ansible.builtin.file:
+ path: /etc/ssl/nginx
+ state: absent
+ tags:
+ - nms_cleanup
+
+- name: Cleanup NGINX Management Suite repository
+ ansible.builtin.include_tasks: "{{ role_path }}/tasks/nms/install-{{ ansible_facts['os_family'] | lower }}.yml"
+ tags:
+ - nms_cleanup
diff --git a/tasks/prerequisites/pip2.yml b/tasks/prerequisites/pip2.yml
new file mode 100644
index 0000000..1dbbbcf
--- /dev/null
+++ b/tasks/prerequisites/pip2.yml
@@ -0,0 +1,19 @@
+- name: (Python 2) Get version 2.7 'pip' script
+ ansible.builtin.get_url:
+ url: "{{ nms_pip27 }}"
+ dest: "/tmp/get-pip.py"
+ mode: "0755"
+
+- name: (Python 2) Check if 'pip' binary exists
+ ansible.builtin.stat:
+ path: /usr/bin/pip
+ ignore_errors: true
+ register: pip
+
+- name: (Python 2) Install 'pip' version 2.7
+ ansible.builtin.command: "python get-pip.py"
+ args:
+ chdir: /tmp/
+ when: not pip.stat.exists
+ register: pip_install
+ changed_when: pip_install.changed
diff --git a/tasks/prerequisites/pip3.yml b/tasks/prerequisites/pip3.yml
new file mode 100644
index 0000000..dc325ae
--- /dev/null
+++ b/tasks/prerequisites/pip3.yml
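Review bot: Both `yum_repository` tasks leave `gpgcheck` to the host's global yum/dnf setting whenever `nms_gpgcheck` is unset and configure no `gpgkey`, so signature verification of NMS packages depends on `/etc/yum.conf` rather than on the role, and the `rpm_key` import done in the prerequisites only matters if that global default happens to be on. Set `gpgcheck: "{{ nms_gpgcheck | default(true) }}"` and `gpgkey: https://nginx.org/keys/nginx_signing.key` on both tasks so the repository is verified explicitly while the development override in vars/main.yml keeps working. The firewalld task opens `http` and `https` permanently in the default zone but is merely skipped, not reverted, when `nms_cleanup_status` is set, so cleanup leaves the ports open; `state: "{{ (nms_cleanup_status is defined) | ternary('disabled', 'enabled') }}"` with the cleanup clause removed from `when` would make it symmetric. The two repository tasks differ only in `baseurl` and the `when` test; a single task with `baseurl: "{{ (ansible_facts['distribution'] == 'Amazon') | ternary(nms_amazon_yum_repo, nms_centos_yum_repo) }}"` would avoid keeping two copies in sync.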
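Review bot: `nms_cleanup_status` is set with `set_fact`, so it stays defined for the host for the rest of the play; any later inclusion of this role, or of the install-*.yml files, in the same play silently takes the 'Remove' branches because every install task keys on `nms_cleanup_status is defined`. Passing it as task-scoped data instead, `vars: { nms_cleanup_status: absent }` on the `include_tasks` in the third task, keeps the marker local to that include and makes the first task unnecessary. Deleting `/etc/ssl/nginx` wholesale also removes anything other roles placed in that directory; removing the two files this role copies, `nginx-repo.crt` and `nginx-repo.key`, is the narrower operation, though whether anything else writes there cannot be seen from this patch.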
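Review bot: `get_url` fetches `get-pip.py` from `{{ nms_pip27 }}` and the third task executes it as root with no integrity check, so a misdirected or tampered download runs with full privileges; `get_url` accepts `checksum: "sha256:<expected-sha256-placeholder>"` (or a URL to a checksum file), which should be set next to `nms_pip27`. Writing to the fixed path `/tmp/get-pip.py` in a shared, world-writable directory is avoidable too: `ansible.builtin.tempfile` or a root-owned working directory removes the reliance on sticky-bit semantics. `changed_when: pip_install.changed` restates the module's own result and `ignore_errors: true` on `stat` is unnecessary since stat does not fail on a missing path, so both can be dropped. The command runs `python`, which on many hosts is Python 3 or absent; `python2 get-pip.py` matches the task's stated intent.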
@@ -0,0 +1,7 @@
+- name: (Python 3) Install 'pip' package
+ ansible.builtin.package:
+ name: python3-pip
+
+- name: (Python 3) Ensure 'pip' is updated
+ ansible.builtin.pip:
+ name: pip>=21.2.4
diff --git a/tasks/prerequisites/prereq-debian.yml b/tasks/prerequisites/prereq-debian.yml
new file mode 100644
index 0000000..4064909
--- /dev/null
+++ b/tasks/prerequisites/prereq-debian.yml
@@ -0,0 +1,11 @@
+- name: (Debian) Install pip
+ ansible.builtin.include_tasks: "{{ role_path }}/tasks/prerequisites/pip{{ ansible_python['version']['major'] }}.yml"
+
+- name: (Debian) Setup NGINX Management Suite Repo Certs
+ ansible.builtin.include_tasks: "{{ role_path }}/tasks/prerequisites/setup-certs.yml"
+
+- name: (Debian) Import NGINX signing key from url
+ ansible.builtin.apt_key:
+ id: "{{ nms_debian_signing_key_id }}"
+ keyring: "{{ nms_debian_signing_key_keyring_path }}"
+ url: "https://nginx.org/keys/nginx_signing.key"
diff --git a/tasks/prerequisites/prereq-redhat.yml b/tasks/prerequisites/prereq-redhat.yml
new file mode 100644
index 0000000..fadae80
--- /dev/null
+++ b/tasks/prerequisites/prereq-redhat.yml
@@ -0,0 +1,10 @@
+- name: (RedHat) Install pip
+ ansible.builtin.include_tasks: "{{ role_path }}/tasks/prerequisites/pip{{ ansible_python['version']['major'] }}.yml"
+
+- name: (RedHat) Setup NGINX Management Suite Repo Certs
+ ansible.builtin.include_tasks: "{{ role_path }}/tasks/prerequisites/setup-certs.yml"
+
+- name: (RedHat) Import NGINX signing key from url
+ ansible.builtin.rpm_key:
+ state: "{{ nmn_cleanup_status | default((nms_setup == 'uninstall') | ternary('absent', 'present')) }}"
+ key: "https://nginx.org/keys/nginx_signing.key"
diff --git a/tasks/prerequisites/setup-certs.yml b/tasks/prerequisites/setup-certs.yml
new file mode 100644
index 0000000..9a379ce
--- /dev/null
+++ b/tasks/prerequisites/setup-certs.yml
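Review bot: The second task upgrades the distribution-provided pip in place with `pip>=21.2.4`, overwriting files that belong to the `python3-pip` package installed by the task above, so the package manager and pip then disagree about who owns the pip module; on releases that ship a PEP 668 marker (not the versions listed in vars/main.yml, but the next Debian and Ubuntu releases) the pip module refuses outright with externally-managed-environment. If a newer pip is genuinely needed by passlib or cryptography, install it into a virtualenv via the pip module's `virtualenv:` parameter or a user site instead of the system site-packages, and record in defaults why 21.2.4 is the floor. This file and the other prerequisite task files also omit the leading `---` that main.yml and the nms task files use.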
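Review bot: The pip include derives the file name from `ansible_python['version']['major']` while the rest of the role, and the commit message, standardise on the `ansible_facts[...]` dictionary form; `ansible_facts['python']['version']['major']` keeps the two consistent and keeps working when `inject_facts_as_vars` is disabled, and the same expression appears in prereq-redhat.yml. The `apt_key` task pins the key by `id`, which is the right check, but the underlying apt-key tool is deprecated on Debian 11 and Ubuntu 22.04 and warns on every run; since the repository line already uses `signed-by` with `nms_debian_signing_key_keyring_path`, fetching the key with `get_url` (with `checksum`) and dearmoring it into that keyring would drop the dependency on the deprecated tool, though the current form does work.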
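Review bot: The `rpm_key` task's `state` reads `nmn_cleanup_status`, a typo for `nms_cleanup_status`, so the expression always falls through to the `default(...)` branch; today that is harmless because this file is never re-included during cleanup and validate.yml restricts `nms_setup` to `install` or `upgrade`, but the line advertises a removal path that does not exist. Either fix the name, `state: "{{ nms_cleanup_status | default('present') }}"`, or simply write `state: present` so the task says what it does. The Debian counterpart in prereq-debian.yml has no `state` at all, so the two files should agree on whether the signing key is ever removed.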
@@ -0,0 +1,37 @@
+- name: (Debian/Red Hat) Create SSL directory
+ ansible.builtin.file:
+ path: /etc/ssl/nginx
+ state: directory
+ mode: "0755"
+
+- name: (Debian/Red Hat) Copy NGINX Plus certificate and license key
+ ansible.builtin.copy:
+ src: "{{ item }}"
+ dest: /etc/ssl/nginx
+ decrypt: true
+ mode: "0444"
+ loop:
+ - "{{ nginx_license['certificate'] }}"
+ - "{{ nginx_license['key'] }}"
+
+- name: (Debian/Red Hat) Install cryptography package
+ ansible.builtin.pip:
+ name: cryptography
+
+- name: (Debian/Red Hat) Check that NGINX Plus certificate is valid
+ community.crypto.x509_certificate_info:
+ path: /etc/ssl/nginx/nginx-repo.crt
+ register: cert
+
+- name: (Debian/Red Hat) Check that NGINX Plus key is valid
+ community.crypto.openssl_privatekey_info:
+ path: /etc/ssl/nginx/nginx-repo.key
+ register: key
+
+- name: (Debian/Red Hat) Check that NGINX Plus license is valid
+ ansible.builtin.assert:
+ that:
+ - cert.expired == false
+ - cert.public_key == key.public_key
+ success_msg: Your NGINX Plus license is valid!
+ fail_msg: Something went wrong! Make sure your NGINX Plus license is valid!
diff --git a/tasks/validate/validate.yml b/tasks/validate/validate.yml
new file mode 100644
index 0000000..6e88119
--- /dev/null
+++ b/tasks/validate/validate.yml
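Review bot: The copy task writes the NGINX Plus private key `nginx-repo.key` with `mode: "0444"`, making it readable by every local account on the host. The certificate can stay world-readable, but the key deserves its own task with a restrictive mode: on the RedHat side yum runs as root so `mode: "0400"` is enough, while apt fetches as the unprivileged `_apt` user, so there the key would need `group: _apt` with `mode: "0440"` (worth confirming against the apt version on the supported releases). `cert.expired == false` works but ansible-lint prefers `not cert.expired`, and the `cryptography` install is unpinned like the `passlib` install elsewhere in the role. The assert only checks expiry and key match; comparing `cert.not_after` against a lead time would warn before the license actually lapses, but that is optional.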
@@ -0,0 +1,17 @@
+---
+- name: Check whether you are using a supported NGINX distribution
+ ansible.builtin.assert:
+ that:
+ - "{{ ansible_facts['distribution'] | lower in nms_supported_distributions.keys() | list }}"
+ - "{{ (ansible_facts['distribution_version'] | regex_search('\\d+\\.?\\d*') in nms_supported_distributions[ansible_facts['distribution'] | lower]['versions'] | string)
+ if ansible_facts['distribution'] | lower in ['ubuntu'] else ansible_facts['distribution_major_version'] in nms_supported_distributions[ansible_facts['distribution'] | lower]['versions'] | string }}"
+ - "{{ ansible_facts['architecture'] in nms_supported_distributions[ansible_facts['distribution'] | lower]['architectures'] }}"
+ success_msg: Your distribution, {{ nms_supported_distributions[ansible_facts['distribution'] | lower]['name'] }} {{ ansible_facts['distribution_version'] }} ({{ ansible_facts['architecture'] }}), is supported by NMS.
+ fail_msg: Your distribution, {{ nms_supported_distributions[ansible_facts['distribution'] | lower]['name'] }} {{ ansible_facts['distribution_version'] }} ({{ ansible_facts['architecture'] }}), is not supported by NMS.
+ ignore_errors: true # noqa ignore-errors
+
+- name: Check if 'nms_setup' is an allowed value
+ ansible.builtin.assert:
+ that: nms_setup in nms_setup_vars
+ fail_msg: The value {{ nms_setup }} you used for `nms_setup` is not allowed. Try one of {{ nms_setup_vars | join(', ') }}.
+ tags: nms_check_support
diff --git a/vars/main.yml b/vars/main.yml
new file mode 100644
index 0000000..491013e
--- /dev/null
+++ b/vars/main.yml
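Review bot: The three `that` conditions are wrapped in `{{ ... }}`, which renders each to a string before assert evaluates it; it works, but ansible-lint flags it, and it hides that the version check is a substring test: `['versions'] | string` renders the list as text and `in` then does string containment, so it passes for any digits that happen to appear inside the rendered list rather than for list membership. Comparing typed values against the list directly is both clearer and lint-clean, for example `ansible_facts['distribution_major_version'] | int in nms_supported_distributions[ansible_facts['distribution'] | lower]['versions']` for the non-Ubuntu branch, with the Ubuntu branch comparing `ansible_facts['distribution_version']` against string-typed versions (the Ubuntu entries in vars/main.yml are currently unquoted floats, so they would need quoting for that). The first assert runs with `ignore_errors: true`, so an unsupported distribution only logs a failure and the install proceeds; if that is intended, a comment such as `# Unsupported distributions are reported but not blocked` above the task would spare readers the surprise of an assert that does not stop the play.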
@@ -0,0 +1,77 @@
+---
+nms_setup_vars: [
+ install, upgrade,
+]
+
+# This role defaults to an setup type.
+nms_default_setup: install
+
+# Setup type to package installation state map (internal variable)
+nms_state_vals:
+ install: present
+ uninstall: absent
+ upgrade: latest
+
+# Package installation state
+nms_state: "{{ nms_state_vals[nms_setup] | default(nms_state_vals[nms_default_setup]) }}"
+
+# Supported NMS distributions
+# https://docs.nginx.com/nginx-management-suite/overview/tech-specs/#supported-distributions
+nms_supported_distributions:
+ amazon:
+ name: Amazon Linux
+ versions: [2]
+ architectures: [x86_64]
+ centos:
+ name: CentOS
+ versions: [7]
+ architectures: [x86_64]
+ debian:
+ name: Debian
+ versions: [10, 11]
+ architectures: [x86_64]
+ oraclelinux:
+ name: Oracle Linux
+ versions: [7, 8]
+ architectures: [x86_64]
+ redhat:
+ name: Red Hat Enterprise Linux
+ versions: [7, 8, 9]
+ architectures: [x86_64]
+ ubuntu:
+ name: Ubuntu
+ versions: [18.04, 20.04, 22.04]
+ architectures: [x86_64]
+
+# Debian specific repo for NMS install
+nms_debian_signing_key_id: 573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62
+nms_debian_signing_key_keyring_path: /usr/share/keyrings/nginx-archive-keyring.gpg
+nms_debian_signing_key_repo: deb [signed-by={{ nms_debian_signing_key_keyring_path }}] https://pkgs.nginx.com/nms/{{ ansible_distribution | lower }} {{ ansible_distribution_release }} nginx-plus
+
+# RPM specific repo for NMS install
+nms_centos_yum_repo: https://pkgs.nginx.com/nms/centos/$releasever/$basearch/
+nms_amazon_yum_repo: https://pkgs.nginx.com/nms/amzn2/$releasever/$basearch/
+# # For development purposes for disabling gpg check when installing on OS with RPM repo.
+# nms_gpgcheck: false
+
+# All NMS services.
+nms_services: [
+ nms, nms-core, nms-dpm, nms-ingestion, nms-integrations
+]
+
+nms_pip27: https://bootstrap.pypa.io/pip/2.7/get-pip.py
+
+# Clickhouse specific variables for this ansible role.
+## Debian specific variables for Clickhouse install.
+nms_clickhouse_debian_dependencies: [
+ apt-transport-https, ca-certificates, dirmngr,
+]
+nms_clickhouse_apt_keyserver: hkp://keyserver.ubuntu.com:80
+nms_clickhouse_apt_id: 3A9EA1193A97B548BE1457D48919F6BD2B48D754
+nms_clickhouse_apt_repo: deb https://packages.clickhouse.com/deb {{ nms_clickhouse_release_kind }} main
+
+## RedHat specific variables for Clickhouse install.
+nms_clickhouse_redhat_dependencies: [
+ yum-utils,
+]
+nms_clickhouse_yum_repo: https://packages.clickhouse.com/rpm/{{ nms_clickhouse_release_kind }}/