feat: add rundeck profile
- export mysql user for each rundeck server - ensure the jdbc driver for mariadb is available - exclude jq from default packages (managed by rundeck) - add groups for admin/user for each project in rundeck - add consul service - add vault certificates - add ssh principals - add nginx simpleproxy
This commit is contained in:
@@ -1 +1,202 @@
|
||||
---
|
||||
hiera_include:
|
||||
- profiles::rundeck::server
|
||||
- profiles::nginx::simpleproxy
|
||||
|
||||
profiles::packages::exclude:
|
||||
- jq
|
||||
|
||||
profiles::ssh::sign::principals:
|
||||
- rundeck.main.unkin.net
|
||||
- rundeck.service.consul
|
||||
- rundeck.query.consul
|
||||
|
||||
# manage a simple nginx reverse proxy
|
||||
profiles::nginx::simpleproxy::nginx_vhost: 'rundeck.query.consul'
|
||||
profiles::nginx::simpleproxy::nginx_aliases:
|
||||
- rundeck.main.unkin.net
|
||||
- rundeck.service.consul
|
||||
- rundeck.query.consul
|
||||
- "rundeck.service.%{facts.country}-%{facts.region}.consul"
|
||||
|
||||
profiles::nginx::simpleproxy::proxy_port: 4440
|
||||
profiles::nginx::simpleproxy::proxy_path: '/'
|
||||
nginx::client_max_body_size: 20M
|
||||
# additional altnames
|
||||
profiles::pki::vault::alt_names:
|
||||
- rundeck.main.unkin.net
|
||||
- rundeck.service.consul
|
||||
- rundeck.query.consul
|
||||
- "rundeck.service.%{facts.country}-%{facts.region}.consul"
|
||||
|
||||
# configure consul service
|
||||
consul::services:
|
||||
rundeck:
|
||||
service_name: 'rundeck'
|
||||
tags:
|
||||
- 'automation'
|
||||
- 'rundeck'
|
||||
address: "%{facts.networking.ip}"
|
||||
port: 443
|
||||
checks:
|
||||
- id: 'glauth_http_check'
|
||||
name: 'glauth HTTP Check'
|
||||
http: "http://%{facts.networking.fqdn}:4440"
|
||||
method: 'GET'
|
||||
tls_skip_verify: true
|
||||
interval: '10s'
|
||||
timeout: '1s'
|
||||
profiles::consul::client::node_rules:
|
||||
- resource: service
|
||||
segment: rundeck
|
||||
disposition: write
|
||||
|
||||
profiles::rundeck::server::mysql_backend: true
|
||||
profiles::rundeck::server::mysql_host: mariadb-prod.service.au-syd1.consul
|
||||
profiles::rundeck::server::grails_server_url: https://rundeck.service.consul
|
||||
profiles::rundeck::server::auth_config:
|
||||
file:
|
||||
auth_flag: 'sufficient'
|
||||
jaas_config:
|
||||
file: '/etc/rundeck/realm.properties'
|
||||
realm_config:
|
||||
admin_user: 'admin'
|
||||
admin_password: "%{hiera('rundeck_admin_pass')}"
|
||||
ldap:
|
||||
jaas_config:
|
||||
debug: 'true'
|
||||
providerUrl: 'ldap://ldap.service.consul:389'
|
||||
bindDn: 'cn=svc_rundeck,ou=services,ou=users,dc=main,dc=unkin,dc=net'
|
||||
bindPassword: "%{hiera('ldap_bindpass')}"
|
||||
authenticationMethod: 'simple'
|
||||
forceBindingLogin: 'true'
|
||||
userBaseDn: 'ou=people,ou=users,dc=main,dc=unkin,dc=net'
|
||||
userRdnAttribute: 'uid'
|
||||
userIdAttribute: 'uid'
|
||||
userPasswordAttribute: 'userPassword'
|
||||
userObjectClass: 'posixAccount'
|
||||
roleBaseDn: 'ou=groups,dc=main,dc=unkin,dc=net'
|
||||
roleNameAttribute: 'uid'
|
||||
roleMemberAttribute: 'uniqueMember'
|
||||
roleObjectClass: 'groupOfUniqueNames'
|
||||
nestedGroups: 'true'
|
||||
|
||||
profiles::rundeck::server::key_storage_config:
|
||||
- type: 'db'
|
||||
path: 'keys'
|
||||
- type: 'vault-storage'
|
||||
path: 'vault'
|
||||
config:
|
||||
prefix: 'rundeck'
|
||||
address: https://vault.query.consul:8200
|
||||
storageBehaviour: 'vault'
|
||||
secretBackend: rundeck
|
||||
engineVersion: '2'
|
||||
authBackend: approle
|
||||
approleAuthMount: approle
|
||||
approleId: "%{hiera('vault::roleid')}"
|
||||
|
||||
profiles::rundeck::server::cli_projects:
|
||||
Self-Service:
|
||||
update_method: 'set'
|
||||
config:
|
||||
project.description: 'self-service tasks'
|
||||
project.disable.executions: 'false'
|
||||
Infrastructure:
|
||||
config:
|
||||
project.description: 'infrastructure management'
|
||||
project.disable.schedule: 'false'
|
||||
|
||||
profiles::rundeck::server::acl_policies:
|
||||
global_admin_policy:
|
||||
acl_policies:
|
||||
- description: 'Global Admin, all access'
|
||||
context:
|
||||
application: "rundeck"
|
||||
for:
|
||||
project:
|
||||
- allow: '*'
|
||||
resource:
|
||||
- allow: '*'
|
||||
storage:
|
||||
- allow: '*'
|
||||
by:
|
||||
- group: ['rundeck_globaladmin']
|
||||
- description: 'Global Admin, all access'
|
||||
context:
|
||||
project: '.*'
|
||||
for:
|
||||
resource:
|
||||
- allow: '*'
|
||||
adhoc:
|
||||
- allow: '*'
|
||||
job:
|
||||
- allow: '*'
|
||||
node:
|
||||
- allow: '*'
|
||||
by:
|
||||
- group: ['rundeck_globaladmin']
|
||||
selfservice_admin_policy:
|
||||
acl_policies:
|
||||
- description: 'Admin, all access for Self-Service project'
|
||||
context:
|
||||
project: 'Self-Service'
|
||||
for:
|
||||
resource:
|
||||
- allow: '*'
|
||||
adhoc:
|
||||
- allow: '*'
|
||||
job:
|
||||
- allow: '*'
|
||||
node:
|
||||
- allow: '*'
|
||||
by:
|
||||
- group: ['rundeck_selfserice_admin']
|
||||
selfservice_user_policy:
|
||||
acl_policies:
|
||||
- description: 'Users can execute tasks but not edit for Self-Service project'
|
||||
context:
|
||||
project: 'Self-Service'
|
||||
for:
|
||||
resource:
|
||||
- allow: ['read']
|
||||
adhoc:
|
||||
- allow: ['run']
|
||||
job:
|
||||
- allow: ['read', 'run']
|
||||
node:
|
||||
- allow: ['read', 'run']
|
||||
by:
|
||||
- group: ['rundeck_selfserice_user']
|
||||
infrastructure_admin_policy:
|
||||
acl_policies:
|
||||
- description: 'Admin, all access for Infrastructure project'
|
||||
context:
|
||||
project: 'Infrastructure'
|
||||
for:
|
||||
resource:
|
||||
- allow: '*'
|
||||
adhoc:
|
||||
- allow: '*'
|
||||
job:
|
||||
- allow: '*'
|
||||
node:
|
||||
- allow: '*'
|
||||
by:
|
||||
- group: ['rundeck_infrastructure_admin']
|
||||
infrastructure_user_policy:
|
||||
acl_policies:
|
||||
- description: 'Users can execute tasks but not edit for Infrastructure project'
|
||||
context:
|
||||
project: 'Infrastructure'
|
||||
for:
|
||||
resource:
|
||||
- allow: ['read']
|
||||
adhoc:
|
||||
- allow: ['run']
|
||||
job:
|
||||
- allow: ['read', 'run']
|
||||
node:
|
||||
- allow: ['read', 'run']
|
||||
by:
|
||||
- group: ['rundeck_infrastructure_user']
|
||||
|
||||
Reference in New Issue
Block a user