updated for automate ha 4.10.29+ release
Signed-off-by: Corey Hemminger <[email protected]>
Stromweld committed Oct 26, 2023
1 parent 3466b9b commit 71869b2
Showing 9 changed files with 164 additions and 141 deletions.
30 changes: 16 additions & 14 deletions README.md
Expand Up @@ -8,8 +8,10 @@ Use of this cookbook for installing Chef Automate means you agree to the license

- Please see <https://docs.chef.io/automate/ha_platform_support/> for server hardware requirements
- Latest chef-workstation installed
- For test-kitchen testing locally you'll need about 22GB of local ram for the VM's themselves
- For test-kitchen testing locally you'll need about 48GB of local ram for the VM's themselves
- When using test-kitchen run the `start_kitchen_test.sh` in a bash window to automate the creation of the machines, gathering of the IP's, and writing out kitchen_nodes.json with the IP's for the config.toml file generation
- For test-kitchen to run in AWS use `saml2aws login` and `export KITCHEN_LOCAL_YAML="kitchen.ec2.yml"` before the `start_kitchen_test.sh` script
- kitchen.ec2.yml is configured to use a subnet and security group pre-built in us-west-2 for aws account 'chef-success-aws'

### Platforms
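Review bot: the two new AWS bullets tie the README to a subnet and security group "pre-built in us-west-2 for aws account 'chef-success-aws'", which nobody outside that account can reproduce; name the kitchen.ec2.yml keys a reader must override for their own VPC, or read them from environment variables the way the `Name` tag already reads `ENV['USER']`, and state that `saml2aws login` is what populates the `saml` profile that `shared_credentials_profile: saml` in kitchen.ec2.yml expects. Minor: "VM's" should be "VMs" in the 48GB bullet; the 48GB figure itself agrees with the six 8192MB suites now in kitchen.yml.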

Expand All @@ -19,19 +21,19 @@ Use of this cookbook for installing Chef Automate means you agree to the license

### default attributes

| Attribute | Default | Type | Comment |
|-----------|---------|------|---------|
| ['automate_ha']['accept_license'] | true | Boolean | Consents to the license agreement at <https://www.chef.io/end-user-license-agreement> |
| ['automate_ha']['version'] | 'latest' | String | Version of Automate to install. HA requires version 4.3.x or newer |
| ['automate_ha']['username'] | 'automate_ha' | String | Username for SSH access to nodes in cluster |
| ['automate_ha']['ssh_key'] | see attribute file | String | SSH private key used for access to nodes, this should be replaced by one preferably from a secrets manager, this one is ok for testing with test-kitchen locally
| ['automate_ha']['ssh_authorize_key'] | see attribute file | String | SSH public key added to the user's authorized_keys file for ssh key based access to nodes |
| ['automate_ha']['dns_configured'] | false | boolean | Specifies if /etc/hosts needs to be modified if automate and chef dns entries aren't configured and resolvable locally |
| ['automate_ha']['automate_dns_entry'] | 'chef-automate.example.com' | String | Url used to resolve connection to the automate frontends |
| ['automate_ha']['infra-server_dns_entry'] | 'chef-server.example.com' | String | Url used to resolve connection to the chef infra server frontends |
| ['automate_ha']['instance_ips'] | {chef_frontend: %w(10.0.0.1), automate_frontend: %w(10.0.0.2), postgres_backend: %w(10.0.0.3 10.0.0.4 10.0.0.5), opensearch_backend: %w(10.0.0.6 10.0.0.7 10.0.0.8)} | Hash | Key value pairs defining all IP's of nodes in the cluster |
| ['automate_ha']['initial_config_toml_template'] | See attribute file | Hash | Hash of values used to generate the config.toml file for initial deployment of Automate HA across all nodes in the cluster, not to be used for patch config changes |
| ['automate_ha']['patch_config_toml_template'] | nil | Hash | Hash of values used to generate a patch_config.toml file for modifying cluster configuration after initial deployment |
| Attribute | Default | Type | Comment |
|---------------------------------------------------|-----------------------------|---------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| \['automate_ha']\['accept_license'] | true | Boolean | Consents to the license agreement at <https://www.chef.io/end-user-license-agreement> |
| \['automate_ha']\['version'] | 'latest' | String | Version of Automate to install. HA requires version 4.3.x or newer |
| \['automate_ha']\['username'] | 'chef' | String | Username for SSH access to nodes in cluster |
| \['automate_ha']\['ssh_key'] | See attribute file | String | SSH private key used for access to nodes, this should be replaced by one preferably from a secrets manager, this one is ok for testing with test-kitchen locally |
| \['automate_ha']\['ssh_authorize_key'] | See attribute file | String | SSH public key added to the user's authorized_keys file for ssh key based access to nodes |
| \['automate_ha']\['dns_configured'] | false | boolean | Specifies if /etc/hosts needs to be modified if automate and chef dns entries aren't configured and resolvable locally |
| \['automate_ha']\['automate_dns_entry'] | 'chef-automate.example.com' | String | Url used to resolve connection to the automate frontends |
| \['automate_ha']\['infra-server_dns_entry'] | 'chef-server.example.com' | String | Url used to resolve connection to the chef infra server frontends |
| \['automate_ha']\['instance_ips'] | See attribute file | Hash | Key value pairs defining all IP's of nodes in the cluster |
| \['automate_ha']\['initial_config_toml_template'] | See attribute file | Hash | Hash of values used to generate the config.toml file for initial deployment of Automate HA across all nodes in the cluster, not to be used for patch config changes |
| \['automate_ha']\['patch_config_toml_template'] | nil | Hash | Hash of values used to generate a patch_config.toml file for modifying cluster configuration after initial deployment |

## Recipes
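Review bot: the default `username` in this table changes from 'automate_ha' to 'chef', and with it the key file name written by recipes/bastion.rb and the entry looked up in `secrets[...]`; that is a behaviour change for existing deployments and deserves an explicit line in the README or the commit message rather than only an edited default. Two smaller points in the same table: the `Type` column mixes 'Boolean' and 'boolean' (dns_configured row), and the `ssh_key` row still calls the bundled key "ok for testing" while the matching public key ships in attributes/default.rb; say plainly that this pair is a shared test fixture and must be rotated before any use outside test-kitchen.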

107 changes: 79 additions & 28 deletions attributes/default.rb
Expand Up @@ -21,12 +21,13 @@
default['automate_ha']['accept_license'] = true
default['automate_ha']['version'] = 'latest'

default['automate_ha']['username'] = 'automate_ha'
default['automate_ha']['username'] = 'chef'
default['automate_ha']['ssh_key'] = lazy { secrets[node['automate_ha']['username']] } # For testing purposes only please change, preferably get through your secrets manager
default['automate_ha']['ssh_authorize_key'] = {
automate_ha: {
key: 'AAAAB3NzaC1yc2EAAAADAQABAAABAQC8Izt8mEkJt4o3qVDsWcBQ265QRQGi0z3A5QTnm0CMgiyPjHj9KpZbuNShY2gGa1uZ/V7n4oQLRDoVX9fCOri4n9Bf6klYCAlQRyvBtZSi86FJ1EZwiU9O9Abbbc39vkWJBqrX3mfd+txNBN+A1y+6gCjOaaA26jGEMibKVWWKBv22Ja7XWosHwcgXuzO3rsgr+Y3B8cVnQBUQG77iSzW4RAL9vJ1M1ETzCGJ+RAoQ9064AjFnYu0PB/7NcKWH05GdzmEz+xPD4N6qp6OXVPJO0AUwMAVyxPOHIUAUvBixSXIvTKnD1S/L4/aUoGdMF2hXX/96Qcwxfw4CQBzhRAaf', # For testing purposes only please change, preferably get through your secrets manager
key: 'AAAAC3NzaC1lZDI1NTE5AAAAIH7peqKl6c5BVpsnFDZi092wMwu9oonUHNz4oEQ4evn2', # For testing purposes only please change, preferably get through your secrets manager
user: lazy { node['automate_ha']['username'] },
keytype: 'ssh-ed25519',
options: nil,
},
}
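Review bot: `ssh_key` on the unchanged line below the username change is `lazy { secrets[node['automate_ha']['username']] }`, so switching the default to 'chef' only works if the secrets source has a 'chef' entry; confirm that, or key the lookup on a fixed name instead of the login name. The `ssh_authorize_key` hash entry is still named `automate_ha:` although the user it targets is now 'chef', which makes the resource name in recipes/default.rb (`ssh_authorize_key name do`) misleading; rename it or comment it. Replacing the RSA key with an ed25519 key and an explicit `keytype: 'ssh-ed25519'` is a good change; the "For testing purposes only" comment should add that this key pair is a published fixture and must never be authorized on real nodes.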
Expand All @@ -42,7 +43,7 @@
chef_frontend: %w(10.0.0.1),
automate_frontend: %w(10.0.0.2),
postgres_backend: %w(10.0.0.3 10.0.0.4 10.0.0.5),
opensearch_backend: %w(10.0.0.6 10.0.0.7 10.0.0.8),
opensearch_backend: %w(10.0.0.3 10.0.0.4 10.0.0.5),
}
end
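Review bot: `opensearch_backend` now defaults to the same three addresses as `postgres_backend` (10.0.0.3 to 10.0.0.5), so OpenSearch and PostgreSQL are co-located on the same backend nodes; that matches the merge of the postgres-*/opensearch-* suites into backend-1..3 in kitchen.yml, but say so in a comment here, because the old README table advertised six distinct backend IPs. Confirm as well that the generated config.toml accepts identical `opensearch_private_ips` and `postgresql_private_ips` lists.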

Expand All @@ -51,9 +52,9 @@
architecture: {
existing_infra: {
ssh_user: lazy { node['automate_ha']['username'] },
ssh_key_file: "#{Chef::Config[:file_cache_path]}/automate_ha.key",
ssh_group_name: lazy { node['automate_ha']['username'] },
ssh_key_file: lazy { "#{Chef::Config[:file_cache_path]}/#{node['automate_ha']['username']}.key" },
ssh_port: '22',
sudo_password: '', # Provide Password if needed to run sudo commands.
secrets_key_file: '/hab/a2_deploy_workspace/secrets.key',
secrets_store_file: '/hab/a2_deploy_workspace/secrets.json',
architecture: 'existing_nodes',
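Review bot: `ssh_group_name` defaults to the username, which assumes the `user user_name` resource in recipes/default.rb creates a same-named primary group; that holds with default useradd settings but breaks if an operator points `username` at an existing account whose primary group differs, so either document the assumption or expose `ssh_group_name` as its own attribute. `ssh_key_file` now tracks the username, matching the file written in recipes/bastion.rb, which is good; `sudo_password: ''` in the same block is a plain-text node attribute and should come from the same secrets source as `ssh_key` whenever it is non-empty.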
Expand All @@ -65,6 +66,8 @@
# If backup_config = "object_storage" fill out [object_storage.config] as well
object_storage: {
config: {
google_service_account_file: '',
location: '',
bucket_name: '',
access_key: '',
secret_key: '',
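Review bot: `google_service_account_file` and `location` extend the object_storage block for a GCS backend, but together with the surrounding `access_key`/`secret_key` these are plain node attributes that get saved with the node object on the Chef Infra Server; pull them through the same `lazy { secrets[...] }` pattern used for `ssh_key` rather than expecting operators to place secrets in a wrapper cookbook's attributes. A comment stating which keys apply to S3 and which to GCS would help, since the header comment only says to fill the block when `backup_config = "object_storage"`.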
Expand All @@ -76,40 +79,63 @@
config: {
admin_password: 'Test1234!',
fqdn: lazy { node['automate_ha']['automate_dns_entry'] }, # Automate Load Balancer FQDN
instance_count: lazy { node['automate_ha']['instance_ips']['automate_frontend'].length.to_s }, # No. of Automate Frontend Machine or VM
# teams_port: "",
# root_ca: 'automate_lb_root_ca_contents',
instance_count: lazy { node['automate_ha']['instance_ips']['automate_frontend'].length.to_s }, # No. of Automate Frontend Machines or VMs
# teams_port: '',
config_file: 'configs/automate.toml',
root_ca: '',
public_key: '',
private_key: '',
custom_certs_enabled: false,
enable_custom_certs: false,
# private_key: 'private_key_contents',
# public_key: 'public_key_contents',
# certs_by_ip: {
# ip: '',
# private_key: 'private_key_contents',
# public_key: 'public_key_contents',
# },
},
},
chef_server: {
chef_server: {
config: {
instance_count: lazy { node['automate_ha']['instance_ips']['chef_frontend'].length.to_s }, # No. of Chef Server Frontend Machine or VM
root_ca: '',
public_key: '',
private_key: '',
custom_certs_enabled: false,
fqdn: lazy { node['automate_ha']['infra-server_dns_entry'] }, # Chefserver Load Balancer FQDN
# lb_root_ca: 'chef_server_lb_root_ca_contents',
instance_count: lazy { node['automate_ha']['instance_ips']['chef_frontend'].length.to_s }, # No. of Chef Server Frontend Machines or VMs
enable_custom_certs: false,
# private_key: 'private_key_contents',
# public_key: 'public_key_contents',
# certs_by_ip: {
# ip: '',
# private_key: 'private_key_contents',
# public_key: 'public_key_contents',
# },
},
},
},
opensearch: {
config: {
instance_count: lazy { node['automate_ha']['instance_ips']['opensearch_backend'].length.to_s }, # No. of OpenSearch DB Backend Machine or VM
root_ca: '',
public_key: '',
private_key: '',
custom_certs_enabled: false,
instance_count: lazy { node['automate_ha']['instance_ips']['opensearch_backend'].length.to_s }, # No. of OpenSearch DB Backend Machines or VMs
enable_custom_certs: false,
# root_ca: 'opensearch_root_ca_contents',
# admin_key: 'admin_private_key_contents',
# admin_cert: 'admin_public_key_contents',
# private_key: 'private_key_contents',
# public_key: 'public_key_contents',
# certs_by_ip: {
# ip: '',
# private_key: 'private_key_contents',
# public_key: 'public_key_contents',
# },
},
},
postgresql: {
config: {
instance_count: lazy { node['automate_ha']['instance_ips']['postgres_backend'].length.to_s }, # No. of Postgresql DB Backend Machine or VM
root_ca: '',
public_key: '',
private_key: '',
custom_certs_enabled: false,
instance_count: lazy { node['automate_ha']['instance_ips']['postgres_backend'].length.to_s }, # No. of Postgresql DB Backend Machines or VMs
enable_custom_certs: false,
# root_ca: 'postgresql_root_ca_contents',
# private_key: 'private_key_contents',
# public_key: 'public_key_contents',
# certs_by_ip: {
# ip: '',
# private_key: 'private_key_contents',
# public_key: 'public_key_contents',
# },
},
},
existing_infra: {
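Review bot: as rendered, `chef_server: {` appears twice in a row and is followed by three closing braces before `opensearch:`, while the `automate`, `opensearch` and `postgresql` siblings nest only one level; unless the template flattens it, that emits a `[chef_server.chef_server.config]` table, so confirm the nesting is intended. The rename from `custom_certs_enabled` to `enable_custom_certs` and the move of the cert fields into commented placeholders are consistent across all four blocks, but the placeholders invite operators to paste `private_key` contents into node attributes; point them to the secrets source used for `ssh_key`. `admin_password: 'Test1234!'` stays as the default in the automate block and should get the same treatment.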
Expand All @@ -120,6 +146,31 @@
postgresql_private_ips: lazy { node['automate_ha']['instance_ips']['opensearch_backend'] },
},
},
external: {
database: {
type: '', # eg type = "aws" or "self-managed"
postgresql: {
instance_url: '',
superuser_username: '',
superuser_password: '',
dbuser_username: '',
dbuser_password: '',
postgresql_root_cert: '',
},
open_search: {
opensearch_domain_name: '',
opensearch_domain_url: '',
opensearch_username: '',
opensearch_user_password: '',
opensearch_root_cert: '',
aws: {
aws_os_snapshot_role_arn: '',
os_snapshot_user_access_key_id: '',
os_snapshot_user_access_key_secret: '',
},
},
},
},
}

# Used for patch changes to the system
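Review bot: `postgresql_private_ips` in the `existing_infra` block reads `instance_ips['opensearch_backend']`, not `instance_ips['postgres_backend']`; the new defaults make both lists identical so nothing breaks today, but as soon as someone splits the backends again PostgreSQL will be deployed to the OpenSearch nodes, so fix the lookup now. The new `external.database` block carries `superuser_password`, `dbuser_password`, `opensearch_user_password` and `os_snapshot_user_access_key_secret` as plain attributes; same remark as for object_storage, source them from secrets. The `type` comment should list the accepted values ("aws", "self-managed") as the set of valid inputs rather than as an "eg".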
14 changes: 7 additions & 7 deletions kitchen.ec2.yml
Expand Up @@ -12,7 +12,7 @@ driver:
- device_name: /dev/sda1
ebs:
volume_type: gp3
volume_size: 150
volume_size: 200
delete_on_termination: true
shared_credentials_profile: saml
skip_cost_warning: true
Expand All @@ -23,29 +23,29 @@ platforms:
- name: amazon2
driver:
tags:
Name: <%= ENV['USER'] %>-tk-<%= ENV['KITCHEN_PLATFORM_NAME'] %>
Name: <%= ENV['USER'] %>-tk-amazon2

- name: rhel-7
driver:
tags:
Name: <%= ENV['USER'] %>-tk-<%= ENV['KITCHEN_PLATFORM_NAME'] %>
Name: <%= ENV['USER'] %>-tk-rhel-7

- name: rhel-8
driver:
tags:
Name: <%= ENV['USER'] %>-tk-<%= ENV['KITCHEN_PLATFORM_NAME'] %>
Name: <%= ENV['USER'] %>-tk-rhel-8

- name: rhel-9
driver:
tags:
Name: <%= ENV['USER'] %>-tk-<%= ENV['KITCHEN_PLATFORM_NAME'] %>
Name: <%= ENV['USER'] %>-tk-rhel-9

- name: ubuntu-20.04
driver:
tags:
Name: <%= ENV['USER'] %>-tk-<%= ENV['KITCHEN_PLATFORM_NAME'] %>
Name: <%= ENV['USER'] %>-tk-ubuntu-20.04

- name: ubuntu-22.04
driver:
tags:
Name: <%= ENV['USER'] %>-tk-<%= ENV['KITCHEN_PLATFORM_NAME'] %>
Name: <%= ENV['USER'] %>-tk-ubuntu-22.04
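Review bot: replacing `<%= ENV['KITCHEN_PLATFORM_NAME'] %>` with the literal platform name in all six `Name` tags hard-codes a value that now has to be kept in sync with each `- name:` line; add a comment saying why the environment variable was dropped (presumably it is not populated when the YAML is rendered), and if a single driver-level `Name: <%= ENV['USER'] %>-tk` tag is acceptable, that would remove the duplication entirely.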
38 changes: 14 additions & 24 deletions kitchen.yml
@@ -1,8 +1,11 @@
---
driver:
name: vagrant
# provider: parallels
box_auto_update: true
box_auto_prune: true
network:
- [ "private_network", type: dhcp ]

provisioner:
name: chef_infra
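Review bot: `box_auto_update: true` (with `box_auto_prune: true`) makes every `kitchen create` pull whatever box version is currently published, so runs are no longer reproducible and the test VMs implicitly trust the publisher's latest image; pin `box_version` per platform, or leave auto-update off and bump deliberately. The new `private_network` with `type: dhcp` is what `start_kitchen_test.sh` relies on to collect IPs for kitchen_nodes.json, so a comment linking the two would help; the commented `# provider: parallels` should either be removed or documented as the supported alternative.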
Expand Down Expand Up @@ -32,41 +35,28 @@ platforms:
- name: ubuntu-22.04

suites:
- name: chef-frontend-1
- name: frontend-1
driver:
customize:
memory: 2196
- name: automate-frontend-1
memory: 8192
- name: frontend-2
driver:
customize:
memory: 2196
- name: postgres-backend-1
memory: 8192
- name: backend-1
driver:
customize:
memory: 3072
- name: postgres-backend-2
memory: 8192
- name: backend-2
driver:
customize:
memory: 3072
- name: postgres-backend-3
memory: 8192
- name: backend-3
driver:
customize:
memory: 3072
- name: opensearch-backend-1
driver:
customize:
memory: 2196
- name: opensearch-backend-2
driver:
customize:
memory: 2196
- name: opensearch-backend-3
driver:
customize:
memory: 2196
memory: 8192
- name: bastion
driver:
customize:
memory: 2196
cpus: 4
memory: 8196
named_run_list: bastion
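Review bot: bastion `memory: 8196` does not match the 8192 used for every other suite and looks like a typo; with it corrected, five suites at 8192 plus the bastion add up to the 48GB the README now quotes. The merge of the postgres-*/opensearch-* suites into backend-1..3 matches the identical backend IP lists in attributes/default.rb; a comment here stating that the backends are co-located would stop someone from re-splitting one side without the other.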
2 changes: 1 addition & 1 deletion metadata.rb
Expand Up @@ -3,7 +3,7 @@
maintainer_email '[email protected]'
license 'Apache-2.0'
description 'Installs/Configures automate_ha'
version '0.1.1'
version '0.2.0'
chef_version '>= 18.0'

issues_url 'https://github.com/Stromweld/automate_ha/issues'
6 changes: 3 additions & 3 deletions recipes/bastion.rb
Expand Up @@ -17,7 +17,7 @@
# limitations under the License.

# Create automate_ha user ssh private key in root's .ssh folder
file "#{Chef::Config[:file_cache_path]}/automate_ha.key" do
file "#{Chef::Config[:file_cache_path]}/#{node['automate_ha']['username']}.key" do
content node['automate_ha']['ssh_key']
owner 'root'
group 'root'
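Review bot: the comment above the `file` resource still reads "Create automate_ha user ssh private key" although the user and file name now come from `node['automate_ha']['username']`; update it. Since this file holds the cluster's SSH private key, the resource should carry `mode '0600'` and `sensitive true` so the key is neither world-readable nor echoed in converge logs; only `owner`/`group` are visible in the context, so add both if they are not already below the fold.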
Expand Down Expand Up @@ -62,12 +62,12 @@
end

execute 'Run Deployment Command' do
command "chef-automate deploy #{Chef::Config[:file_cache_path]}/deploy-config.toml --airgap-bundle #{Chef::Config[:file_cache_path]}/automate-#{node['automate_ha']['version']}.aib #{'--accept-terms-and-mlsa' if node['automate_ha']['accept_license']}"
command "chef-automate deploy #{Chef::Config[:file_cache_path]}/deploy-config.toml --skip-verify --airgap-bundle #{Chef::Config[:file_cache_path]}/automate-#{node['automate_ha']['version']}.aib #{'--accept-terms-and-mlsa' if node['automate_ha']['accept_license']}"
cwd Chef::Config[:file_cache_path]
live_stream true
user 'root'
timeout 7200
action :nothing
not_if 'chef-automate status'
notifies :run, 'execute[chef-automate status]', :delayed
end
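Review bot: `--skip-verify` is added unconditionally to `chef-automate deploy`, which bypasses the pre-deploy verification of nodes and config; if it is needed for the co-located backend layout or for the kitchen environment, say so in a comment and gate it on an attribute so production deployments keep the checks. The `not_if 'chef-automate status'` guard and `timeout 7200` are unchanged and fine.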

16 changes: 1 addition & 15 deletions recipes/default.rb
Expand Up @@ -21,20 +21,6 @@

user user_name

# Gather any existing authorized_keys entries if they exist
if ::File.exist?("/home/#{user_name}/.ssh/authorized_keys")
pub_key = ::File.read("/home/#{user_name}/.ssh/authorized_keys").split.max_by(&:length)
node.force_override['automate_ha']['ssh_authorize_key'] = node['automate_ha']['ssh_authorize_key'].merge(
{
"#{user_name}" => {
key: pub_key,
user: user_name,
options: nil,
},
}
).unique
end

# Create Authorized Keys entries
node['automate_ha']['ssh_authorize_key']&.each do |name, hash|
ssh_authorize_key name do
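Review bot: removing the authorized_keys merge block is the right call: it read the longest line of the user's authorized_keys back into node attributes via `node.force_override` (persisting key material on the Chef Infra Server) and then called `.unique` on a Hash, a method that does not exist and would have raised at converge. Because `ssh_authorize_key` manages individual entries rather than rewriting the whole file, pre-existing keys survive without that block; a one-line comment saying so would stop someone from re-adding it.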
Expand Down Expand Up @@ -69,6 +55,6 @@

# Set SElinux to permissive mode
selinux_state 'default' do
# automatic_reboot true
automatic_reboot true
action :permissive
end
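Review bot: uncommenting `automatic_reboot true` on the `selinux_state` resource means a converge may reboot the node when the SELinux state change requires it; in test-kitchen that interrupts the run `start_kitchen_test.sh` drives, and on a production node it is a surprise, so either gate it on an attribute or note in the README that the first converge can reboot. Separately, setting the whole host to permissive loosens SELinux for everything on the node, not just the Automate services; if specific denials motivate it, addressing those with booleans or a policy module would be the tighter fix.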

0 comments on commit 71869b2