system-config/README.rst
2023-06-26 13:55:08 +02:00


=========================================
OpenTelekomCloud SCS System Configuration
=========================================

This is the machinery that drives the configuration, testing, continuous
integration and deployment of services provided by the OpenTelekomCloud
project. It closely follows the OpenDev configuration approach, with some
extensions and deviations.

Services are driven by Ansible playbooks and associated roles stored here. If
you are interested in the configuration of a particular service, starting at
``playbooks/service-<name>.yaml`` will show you how it is configured.

Most services are deployed via containers; many of them are built or customised
in this repository, see ``docker/``.

Bootstrap
=========

Bootstrapping a new installation runs into the usual chicken-and-egg
problem. Keeping the system up and running requires maintaining certain
secrets, but providing those secrets requires the infrastructure to be up
and running already. Addressing this requires certain steps.

TLS Certificates
----------------

Most systems require valid TLS certificates, and the initial bootstrapping
does as well. Systems that require them will typically support providing
initial certificates through inventory variables.

Vault
-----

Managing secrets securely is possible in a few different ways.
Ansible Vault is a good tool, but it is complex to manage unsealing
and to implement rotation (of both the vault password and the
secrets inside the vault).

HashiCorp Vault is in that sense a much more flexible system that also
provides support for infrastructure-based authorization.

Deploying Vault, on the other hand, also requires TLS certificates. During
bootstrapping it is most likely not possible to rely on
``playbooks/acme-certs.yaml``, since that requires a bootstrapped bridge
host first, so initial valid certificates must be provided through host
variables (``vault_tls_cert_content`` and ``vault_tls_key_content``). It
makes sense not to commit those variables to git and to only provide them
during the bootstrapping phase.

Bootstrapping Vault therefore requires the following steps:

1. Log in to a host that has access to all nodes which will host HashiCorp
   Vault.
2. Check out this repository and ensure that
   ``inventory/service/hosts.yaml`` contains the proper IP addresses and
   that those hosts are members of the ``vault`` group in
   ``inventory/service/all.yaml``.
3. Execute the ``ansible-playbook playbooks/service-vault.yaml`` playbook.
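As an added helper that is not part of system-config itself, the following Python pre-flight covers the two points above that are easy to get wrong: it scans the inventory tree for committed copies of ``vault_tls_cert_content`` or ``vault_tls_key_content``, then writes both values to a mode-0600 JSON extra-vars file outside the repository so they can be passed with ``ansible-playbook -e @vault-bootstrap.json playbooks/service-vault.yaml``. Passing them as extra vars instead of host variables is this example's assumption, and the inventory layout and PEM text built in ``demo()`` are constructed.

```python
import json
import os
import re
import tempfile
from pathlib import Path

CERT_VAR = "vault_tls_cert_content"
KEY_VAR = "vault_tls_key_content"
PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)
PEM_KEY = re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----.*?-----END (?:RSA |EC )?PRIVATE KEY-----", re.S)

def write_bootstrap_vars(cert_pem: str, key_pem: str, out_path: Path) -> Path:
    """Write both variables to a JSON extra-vars file (``-e @file``) kept outside the repository."""
    if not PEM_CERT.search(cert_pem):
        raise ValueError(f"{CERT_VAR} does not contain a PEM certificate")
    if not PEM_KEY.search(key_pem):
        raise ValueError(f"{KEY_VAR} does not contain a PEM private key")
    if PEM_KEY.search(cert_pem):
        raise ValueError("private key material found in the certificate variable")
    # Create with mode 0600 so the key is never world-readable, even briefly.
    fd = os.open(out_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump({CERT_VAR: cert_pem, KEY_VAR: key_pem}, fh)
    return out_path

def find_committed_secrets(inventory_dir: Path) -> list:
    """Return inventory files that define either variable; these would end up in git."""
    pattern = re.compile(rf"^\s*(?:{CERT_VAR}|{KEY_VAR})\s*:", re.M)
    return sorted(str(p.relative_to(inventory_dir))
                  for p in inventory_dir.rglob("*.yaml") if pattern.search(p.read_text()))

def demo() -> dict:
    """Run both helpers on a constructed inventory and placeholder (not real) PEM text."""
    cert = "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n"
    key = "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n"
    with tempfile.TemporaryDirectory() as tmp:
        inv = Path(tmp, "inventory", "service")
        inv.mkdir(parents=True)
        (inv / "hosts.yaml").write_text("all:\n  hosts:\n    vault1:\n      ansible_host: 192.0.2.10\n")
        # The key pasted into all.yaml is exactly the mistake the scan must flag.
        (inv / "all.yaml").write_text(f"all:\n  children:\n    vault:\n      hosts:\n        vault1:\n{KEY_VAR}: leaked\n")
        leaked = find_committed_secrets(inv.parent)
        out = write_bootstrap_vars(cert, key, Path(tmp, "vault-bootstrap.json"))
        mode, keys = os.stat(out).st_mode & 0o777, sorted(json.loads(out.read_text()))
        try:  # certificate and key swapped: must be rejected before the playbook runs
            write_bootstrap_vars(key, cert, Path(tmp, "swapped.json"))
            swapped_rejected = False
        except ValueError:
            swapped_rejected = True
    return {"leaked": leaked, "mode": mode, "keys": keys, "swapped_rejected": swapped_rejected}
```

Run ``find_committed_secrets(Path("inventory"))`` against the real checkout before step 3; a non-empty result means a bootstrap-only secret is about to be committed.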