Upgrade nomad, podman driver. Added many features. (#131)

* Update main.yml

* Added host networks

* Added README and exmaple for host networks

* Fixed README for host nets

* Upgraded nomad_version

* Updated readme

* Update README.md

* Update client.hcl.j2

* Added cni support

* Added cni dir creation

* Fixed archiving

* updated readme with cni

* Updated copy

* Added tls

* Fixed a bug

* Fixed a bug

* Fixed a bug

* Added tls copy support

* Added readme

* Minor formatting

* Added new line at end of defaults

* Fixed multiple vars

* Fixed vars

* Fixed vars bug giving appended path

* Updated podman to 0.3.0

* Added tls consul support

* Added readme

* Added ssl consul

Co-authored-by: Hemanth Bollamreddi <hbollamreddi@vmware.com>

Author: blmhemu

README.md

@@ -48,7 +48,7 @@ The role defines most of its variables in `defaults/main.yml`:
 ### `nomad_version`
 
 - Nomad version to install
-- Default value: **0.12.0**
+- Default value: **1.1.1**
 
 ### `nomad_architecture_map`
 
@@ -339,6 +339,22 @@ nomad_host_volumes:
     read_only: false
 ```
 
+### `nomad_host_networks`
+
+- List host_network is used to make different networks available to jobs instead of selecting a default interface. This is very useful especially in case of multiple nics.
+- Default value: **[]**
+- Example:
+
+```yaml
+nomad_host_networks:
+  - name: public
+    cidr: 100.101.102.103/24
+    reserved_ports: 22,80
+  - name: private
+    interface: eth0
+    reserved_ports: 443
+```
+
 ### `nomad_options`
 
 - Driver options
@@ -392,6 +408,11 @@ nomad_host_volumes:
 - Installs the podman plugin
 - Default value: **false**
 
+### `nomad_cni_enable`
+
+- Installs the cni plugins
+- Default value: **false**
+
 ### `nomad_docker_enable`
 
 - Install Docker subsystem on nodes?
@@ -446,9 +467,29 @@ in many Ansible versions, so this feature might not always work.
 
 ### `nomad_consul_address`
 
-- The address of your consul API, use it in combination with nomad_use_consul=True
+- The address of your consul API, use it in combination with nomad_use_consul=True. If you want to use https, use `nomad_consul_ssl`. Do NOT append https.
 - Default value: **localhost:8500**
 
+### `nomad_consul_ssl`
+
+- If `true` then uses https.
+- Default value: **false**
+
+### `nomad_consul_ca_file`
+
+- Public key of consul CA, use in combination with `nomad_consul_cert_file` and `nomad_consul_key_file`.
+- Default value: ""
+
+### `nomad_consul_cert_file`
+
+- The public key which can be used to access consul.
+- Default value: ""
+
+### `nomad_consul_key_file`
+
+- The private key counterpart of `nomad_consul_cert_file`.
+- Default value: ""
+
 ### `nomad_consul_servers_service_name`
 
 - The name of the consul service for your nomad servers
@@ -564,20 +605,35 @@ in many Ansible versions, so this feature might not always work.
 - Enable TLS
 - Default value: false
 
+### `nomad_tls_copy_keys`: false
+
+- Whether to copy certs from local machine (controller).
+- Default value: false
+
+### `nomad_tls_files_remote_src`
+
+- Whether to copy certs from remote machine itself.
+- Default value: false
+
+### `nomad_tls_dir`
+
+- The remote dir where the certs are stored.
+- Default value: `/etc/nomad/ssl`
+
 ### `nomad_ca_file`
 
 - Use a ca for tls connection, nomad_cert_file and nomad_key_file are needed
-- Default value: **""**
+- Default value: ca.cert
 
 ### `nomad_cert_file`
 
 - Use a certificate for tls connection, nomad_ca_file and nomad_key_file are needed
-- Default value: **""**
+- Default value: server.crt
 
 ### `nomad_key_file`
 
 - Use a key for tls connection, nomad_cert_file and nomad_key_file are needed
-- Default value: **""**
+- Default value: server.key
 
 ### `nomad_rpc_upgrade_mode`
 

defaults/main.yml

@@ -32,7 +32,7 @@ nomad_skip_ensure_all_hosts: "{{ lookup('env','NOMAD_SKIP_ENSURE_ALL_HOSTS') | d
 nomad_allow_purge_config: "{{ lookup('env','NOMAD_ALLOW_PURGE_CONFIG') | default('false', true) }}"
 
 ### Package
-nomad_version: "{{ lookup('env','NOMAD_VERSION') | default('1.0.4', true) }}"
+nomad_version: "{{ lookup('env','NOMAD_VERSION') | default('1.1.1', true) }}"
 nomad_architecture_map:
   amd64: amd64
   x86_64: amd64
@@ -45,7 +45,7 @@ nomad_pkg: "nomad_{{ nomad_version }}_linux_{{nomad_architecture}}.zip"
 nomad_zip_url: "https://releases.hashicorp.com/nomad/{{ nomad_version }}/nomad_{{ nomad_version }}_linux_{{nomad_architecture}}.zip"
 nomad_checksum_file_url: "https://releases.hashicorp.com/nomad/{{ nomad_version }}/nomad_{{ nomad_version}}_SHA256SUMS"
 nomad_podman_enable: false
-nomad_podman_version: "{{ lookup('env','NOMAD_PODMAN_VERSION') | default('0.1.0', true) }}"
+nomad_podman_version: "{{ lookup('env','NOMAD_PODMAN_VERSION') | default('0.3.0', true) }}"
 nomad_podman_pkg: "nomad-driver-podman_{{ nomad_podman_version }}_linux_{{nomad_architecture}}.zip"
 nomad_podman_url: "https://releases.hashicorp.com/nomad-driver-podman/{{ nomad_podman_version }}"
 nomad_podman_zip_url: "{{ nomad_podman_url }}/{{ nomad_podman_pkg }}"
@@ -114,6 +114,7 @@ nomad_reserved:
   disk: "{{ nomad_reserved_disk | default('0', true) }}"
   ports: "{{ nomad_reserved_ports | default('22', true) }}"
 nomad_host_volumes: []
+nomad_host_networks: []
 nomad_options: {}
 nomad_meta: {}
 nomad_bootstrap_expect: "{{ nomad_servers | count or 3 }}"
@@ -150,6 +151,10 @@ nomad_gather_server_facts: false
 ### Consul
 nomad_use_consul: false
 nomad_consul_address: "localhost:8500"
+nomad_consul_ssl: false
+nomad_consul_ca_file: ""
+nomad_consul_cert_file: ""
+nomad_consul_key_file: ""
 nomad_consul_token: ""
 nomad_consul_servers_service_name: "nomad-servers"
 nomad_consul_clients_service_name: "nomad-clients"
@@ -180,11 +185,14 @@ nomad_vault_namespace: ""
 nomad_docker_enable: "{{ lookup('env','NOMAD_DOCKER_ENABLE') | default('false', true) }}"
 nomad_docker_dmsetup: true
 
-### Tls
+### TlS
 nomad_tls_enable: false
-nomad_ca_file: ""
-nomad_cert_file: ""
-nomad_key_file: ""
+nomad_tls_copy_keys: false
+nomad_tls_files_remote_src: false
+nomad_tls_dir: "{{ lookup('env','NOMAD_TLS_DIR') | default('/etc/nomad/ssl', true) }}"
+nomad_ca_file: "{{ lookup('env','NOMAD_CA_FILE') | default('ca.crt', true) }}"
+nomad_cert_file: "{{ lookup('env','NOMAD_CERT_FILE') | default('server.crt', true) }}"
+nomad_key_file: "{{ lookup('env','NOMAD_KEY_FILE') | default('server.key', true) }}"
 nomad_rpc_upgrade_mode: false
 nomad_verify_server_hostname: true
 nomad_verify_https_client: true
@@ -194,3 +202,12 @@ nomad_autopilot_cleanup_dead_servers: true
 nomad_autopilot_last_contact_threshold: "200ms"
 nomad_autopilot_max_trailing_logs: 250
 nomad_autopilot_server_stabilization_time: "10s"
+
+### CNI
+nomad_cni_enable: false
+nomad_cni_dir: "/opt/cni/bin"
+nomad_cni_version: "{{ lookup('env','NOMAD_CNI_VERSION') | default('0.9.1', true) }}"
+nomad_cni_pkg: "cni-plugins-linux-{{nomad_architecture}}-v{{ nomad_cni_version }}.tgz"
+nomad_cni_url: "https://github.com/containernetworking/plugins/releases/download/v{{ nomad_cni_version }}"
+nomad_cni_zip_url: "{{ nomad_cni_url }}/{{ nomad_cni_pkg }}"
+nomad_cni_checksum_file_url: "{{ nomad_cni_zip_url }}.sha256"

tasks/cni.yml

@@ -0,0 +1,95 @@
+---
+# File: cni_plugin.yml - package installation tasks for Nomad CNI Plugin
+
+- name: Create cni directory
+  file:
+    dest: "{{ nomad_cni_dir }}"
+    state: directory
+    owner: "{{ nomad_user }}"
+    group: "{{ nomad_group }}"
+
+- name: Check CNI package checksum file
+  stat:
+    path: "{{ role_path }}/files/nomad_cni_{{ nomad_cni_version }}_SHA256SUMS"
+  become: false
+  run_once: true
+  tags: installation
+  register: nomad_cni_checksum
+  delegate_to: 127.0.0.1
+
+- name: Get Nomad CNI package checksum file
+  get_url:
+    url: "{{ nomad_cni_checksum_file_url }}"
+    dest: "{{ role_path }}/files/nomad_cni_{{ nomad_cni_version }}_SHA256SUMS"
+  become: false
+  run_once: true
+  tags: installation
+  when: not nomad_cni_checksum.stat.exists
+  delegate_to: 127.0.0.1
+
+- name: Get Nomad CNI package checksum
+  shell: |
+    set -o pipefail
+    grep "{{ nomad_cni_pkg }}" "{{ role_path }}/files/nomad_cni_{{ nomad_cni_version }}_SHA256SUMS"  | awk '{print $1}'
+  args:
+    executable: /bin/bash
+  become: false
+  register: nomad_cni_sha256
+  tags: installation
+  delegate_to: 127.0.0.1
+
+- name: Check Nomad CNI package file
+  stat:
+    path: "{{ role_path }}/files/{{ nomad_cni_pkg }}"
+  become: false
+  register: nomad_cni_package
+  delegate_to: 127.0.0.1
+
+- name: Download Nomad CNI
+  get_url:
+    url: "{{ nomad_cni_zip_url }}"
+    dest: "{{ role_path }}/files/{{ nomad_cni_pkg }}"
+    checksum: "sha256:{{ nomad_cni_sha256.stdout }}"
+    timeout: "42"
+  become: false
+  tags: installation
+  delegate_to: 127.0.0.1
+  when: not nomad_cni_package.stat.exists
+
+- name: Create Temporary Directory for Extraction
+  tempfile:
+    state: directory
+    prefix: ansible-nomad.
+  become: false
+  register: install_temp
+  tags: installation
+  delegate_to: 127.0.0.1
+
+- name: Unarchive Nomad CNI
+  unarchive:
+    src: "{{ role_path }}/files/{{ nomad_cni_pkg }}"
+    dest: "{{ install_temp.path }}/"
+    creates: "{{ install_temp.path }}/bridge"
+  become: false
+  tags: installation
+  delegate_to: 127.0.0.1
+
+- name: Install Nomad CNI
+  copy:
+    src: "{{ item }}"
+    dest: "{{ nomad_cni_dir }}"
+    owner: "{{ nomad_user }}"
+    group: "{{ nomad_group }}"
+    mode: 0755
+  with_fileglob:
+    - "{{ install_temp.path }}/*"
+  tags: installation
+  notify: restart nomad
+
+- name: Cleanup
+  file:
+    path: "{{ install_temp.path }}"
+    state: "absent"
+  become: false
+  tags: installation
+  delegate_to: 127.0.0.1

tasks/main.yml

@@ -52,6 +52,10 @@
   include: install_podman.yml
   when: nomad_podman_enable | bool
 
+- name: Install CNI plugin
+  include: cni.yml
+  when: nomad_cni_enable | bool
+
 - name: Create config directory
   file:
     dest: "{{ nomad_config_dir }}"
@@ -77,6 +81,10 @@
     - nomad_encrypt_enable | bool
     - nomad_encrypt is not defined
 
+- name: Create TLS configuration
+  include_tasks: tls.yml
+  when: nomad_tls_enable | bool
+
 - name: Server configuration
   template:
     src: server.hcl.j2

tasks/tls.yml

@@ -0,0 +1,43 @@
+---
+# File: tls.yml - TLS tasks for Nomad
+
+- block:
+    - name: Create SSL directory
+      file:
+        dest: "{{ nomad_tls_dir }}"
+        state: directory
+        owner: "{{ nomad_user }}"
+        group: "{{ nomad_group }}"
+        mode: 0755
+
+    - name: Copy CA certificate
+      copy:
+        remote_src: "{{ nomad_tls_files_remote_src }}"
+        src: "{{ nomad_ca_file }}"
+        dest: "{{ nomad_tls_dir }}/{{ nomad_ca_file | basename }}"
+        owner: "{{ nomad_user }}"
+        group: "{{ nomad_group }}"
+        mode: 0644
+      notify: restart nomad
+
+    - name: Copy certificate
+      copy:
+        remote_src: "{{ nomad_tls_files_remote_src }}"
+        src: "{{ nomad_cert_file }}"
+        dest: "{{ nomad_tls_dir }}/{{ nomad_cert_file | basename }}"
+        owner: "{{ nomad_user }}"
+        group: "{{ nomad_group }}"
+        mode: 0644
+      notify: restart nomad
+
+    - name: Copy key
+      copy:
+        remote_src: "{{ nomad_tls_files_remote_src }}"
+        src: "{{ nomad_key_file }}"
+        dest: "{{ nomad_tls_dir }}/{{ nomad_key_file | basename }}"
+        owner: "{{ nomad_user }}"
+        group: "{{ nomad_group }}"
+        mode: 0600
+      notify: restart nomad
+
+  when: nomad_tls_copy_keys | bool

templates/base.hcl.j2

@@ -22,6 +22,10 @@ ports {
 consul {
     # The address to the Consul agent.
     address = "{{ nomad_consul_address }}"
+    ssl = {{ nomad_consul_ssl | bool | lower }}
+    ca_file = "{{ nomad_consul_ca_file }}"
+    cert_file = "{{ nomad_consul_cert_file }}"
+    key_file = "{{ nomad_consul_key_file }}"
     token = "{{ nomad_consul_token }}"
     # The service name to register the server and client with Consul.
     server_service_name = "{{ nomad_consul_servers_service_name }}"
@@ -49,9 +53,9 @@ leave_on_interrupt = {{ nomad_leave_on_interrupt | bool | lower }}
 tls {
     http = true
     rpc = true
-    ca_file = "{{ nomad_ca_file }}"
-    cert_file = "{{ nomad_cert_file }}"
-    key_file = "{{ nomad_key_file }}"
+    ca_file = "{{ nomad_tls_dir }}/{{ nomad_ca_file | basename }}"
+    cert_file = "{{ nomad_tls_dir }}/{{ nomad_cert_file | basename }}"
+    key_file = "{{ nomad_tls_dir }}/{{ nomad_key_file | basename }}"
     rpc_upgrade_mode = {{ nomad_rpc_upgrade_mode | bool | lower }}
     verify_server_hostname = "{{ nomad_verify_server_hostname | bool | lower }}"
     verify_https_client = "{{ nomad_verify_https_client | bool | lower }}"

templates/client.hcl.j2

@@ -38,6 +38,17 @@ client {
     }
 {% endfor %}
 
+{% for nomad_host_network in nomad_host_networks %}
+    host_network "{{ nomad_host_network['name'] }}" {
+    {% if 'cidr' in nomad_host_network %}
+        cidr = "{{ nomad_host_network['cidr'] | default}}"
+    {% else %}
+        interface = "{{ nomad_host_network['interface'] }}"
+    {% endif %}
+        reserved_ports = "{{ nomad_host_network['reserved_ports'] }}"
+    }
+{% endfor %}
+
     {% if nomad_chroot_env != False -%}
     chroot_env = {
     {% for key, value in nomad_chroot_env.items() %}