Merge pull request #71 from wiseflat/dev/mgarcia/nomad-eligibility

Fix: Update nomad eligibility strategy

Author: wiseflat

ansible/playbooks/paas/roles/nomad/tasks/04_tls_certs.yml

@@ -60,7 +60,7 @@
       notify: Nomad_restart
 
 - name: Nomad | Copy certificate on client nodes
-  when: nomad_node_role in ['client', 'both']
+  when: nomad_node_role in ['client']
   block:
     - name: "Nomad | Check if TLS cert exists for Client"
       ansible.builtin.stat:
@@ -88,7 +88,9 @@
         certificate_client_privatekey: "{{ nomad_tls_privatekey_client }}"
         certificate_common_name: "{{ nomad_tls_common_name_client }}"
         certificate_subject_alt_name: "{{ nomad_tls_subject_alt_name_client }}"
-      # when: nomad_mode == 'cluster'
+      run_once: true
+      when: not cert_tls_client_present.stat.exists or (cert_tls_client_present.stat.exists and not tls_check_client.valid_at.delay)
+
 
     - name: "Nomad | Copy certificates on client nodes"
       ansible.builtin.copy:

ansible/playbooks/paas/roles/nomad/tasks/06_configuration.yml

@@ -1,7 +1,7 @@
 ---
 - name: Block
   block:
-    - name: "Nomad Install | Read Gossip Encryption Key from PasswordStore"
+    - name: "Nomad Install | Read Gossip Encryption Key"
       ansible.builtin.set_fact:
         nomad_encrypt_key: "{{ lookup('simple-stack-ui', type='secret', key=inventory_hostname, subkey='nomad_encrypt_key', missing='error') }}"
   rescue:
@@ -11,7 +11,7 @@
       changed_when: nomad_encrypt_key_out.rc != 0
       run_once: true
 
-    - name: "Nomad Install | Set Gossip Encryption Key and insert in PasswordStore"
+    - name: "Nomad Install | Save Gossip Encryption Key"
       ansible.builtin.set_fact:
         nomad_encrypt_key: "{{ lookup('simple-stack-ui', type='secret', key=inventory_hostname, subkey='nomad_encrypt_key', missing='create', userpass=nomad_encrypt_key_out.stdout) }}"
 

ansible/playbooks/paas/roles/nomad/tasks/07_autoeligibility.yml

@@ -104,7 +104,7 @@
               - 200
           register: nomad_new_token_name
 
-        - name: "Nomad Install | Set Nomad Autoeligibility token and insert in PasswordStore"
+        - name: "Nomad Install | Save Nomad Autoeligibility token"
           ansible.builtin.set_fact:
             nomad_autoeligibility_token: "{{ lookup('simple-stack-ui', type='secret', key=inventory_hostname, subkey='nomad_autoeligibility_token', missing='create', userpass=nomad_new_token_name.json.SecretID) }}"
 

ansible/playbooks/paas/roles/nomad/tasks/08_systemd_tuning.yml

@@ -6,6 +6,28 @@
     owner: "root"
     group: "root"
 
+- name: "Nomad Policy | Get node id"
+  ansible.builtin.uri:
+    url: "{{ nomad_http_scheme }}://{{ nomad_http_ip }}:{{ nomad_http_port }}/v1/nodes"
+    ca_path: "{{ nomad_tls_host_certificate_dir }}/{{ nomad_tls_ca_pubkey }}"
+    client_cert: "{{ nomad_tls_host_certificate_dir }}/{{ nomad_tls_cert_server }}"
+    client_key: "{{ nomad_tls_host_certificate_dir }}/{{ nomad_tls_privatekey_server }}"
+    method: GET
+    headers:
+      X-Nomad-Token: "{{ lookup('simple-stack-ui', type='secret', key=nomad_primary_master_node | default(inventory_hostname), subkey='nomad_management_token', missing='error') }}"
+    status_code:
+      - 200
+      - 404
+    return_content: true
+  delegate_to: "{{ nomad_primary_master_node | default(inventory_hostname) }}"
+  register: nomad_node_id
+
+- name: Nomad Policy | Set Node id as a fact
+  ansible.builtin.set_fact:
+    node_id: "{{ item.ID }}"
+  loop: "{{ nomad_node_id.json }}"
+  when: item.Name == inventory_hostname
+
 - name: Nomad SystemD tuning | Template for systemd override
   ansible.builtin.template:
     src: "override.conf.j2"

ansible/playbooks/paas/roles/nomad/templates/override.conf.j2

@@ -3,7 +3,7 @@ After=docker.service
 
 [Service]
 ExecReload=/bin/kill --signal HUP $MAINPID
-{% if nomad_mode == 'single' %}
-ExecStartPost=/usr/bin/nomad node eligibility -enable -self -address={{ nomad_http_scheme }}://{{ nomad_http_ip }}:{{ nomad_http_port }} -ca-cert={{ nomad_tls_host_certificate_dir }}/{{ nomad_tls_ca_pubkey }} -client-cert={{ nomad_tls_host_certificate_dir }}/{{ nomad_tls_cert_server }} -client-key={{ nomad_tls_host_certificate_dir }}/{{ nomad_tls_privatekey_server }} -token={{ nomad_autoeligibility_token }}
-ExecStop=/usr/bin/nomad node drain -enable -self -address={{ nomad_http_scheme }}://{{ nomad_http_ip }}:{{ nomad_http_port }} -ca-cert={{ nomad_tls_host_certificate_dir }}/{{ nomad_tls_ca_pubkey }} -client-cert={{ nomad_tls_host_certificate_dir }}/{{ nomad_tls_cert_server }} -client-key={{ nomad_tls_host_certificate_dir }}/{{ nomad_tls_privatekey_server }} -token={{ nomad_autoeligibility_token }}
-{% endif %}
+{% if nomad_node_role in ['both', 'client'] %}
+ExecStartPost=/usr/bin/nomad node eligibility -enable -address={{ nomad_http_scheme }}://{{ hostvars[nomad_primary_master_node | default(inventory_hostname)]['ansible_' + nomad_iface].ipv4.address | default('127.0.0.1') }}:{{ nomad_http_port }} -ca-cert={{ nomad_tls_host_certificate_dir }}/{{ nomad_tls_ca_pubkey }} -client-cert={{ nomad_tls_host_certificate_dir }}/{{ inventory_hostname }}-dc1-client-nomad.pem -client-key={{ nomad_tls_host_certificate_dir }}/{{ inventory_hostname }}-dc1-client-nomad.key -token={{ lookup('simple-stack-ui', type='secret', key=nomad_primary_master_node | default(inventory_hostname), subkey='nomad_management_token', missing='error') }} {{ node_id }}
+ExecStop=/usr/bin/nomad node drain -enable -address={{ nomad_http_scheme }}://{{ hostvars[nomad_primary_master_node | default(inventory_hostname)]['ansible_' + nomad_iface].ipv4.address | default('127.0.0.1') }}:{{ nomad_http_port }} -ca-cert={{ nomad_tls_host_certificate_dir }}/{{ nomad_tls_ca_pubkey }} -client-cert={{ nomad_tls_host_certificate_dir }}/{{ inventory_hostname }}-dc1-client-nomad.pem -client-key={{ nomad_tls_host_certificate_dir }}/{{ inventory_hostname }}-dc1-client-nomad.key -token={{ lookup('simple-stack-ui', type='secret', key=nomad_primary_master_node | default(inventory_hostname), subkey='nomad_management_token', missing='error') }} {{ node_id }}
+{% endif %}