system-config/README.rst
2023-03-29 13:35:19 +02:00

OpenTelekomCloud SCS System Configuration
=========================================

This is the machinery that drives the configuration, testing, continuous integration and deployment of the services provided by the OpenTelekomCloud project. It borrows heavily from the OpenDev configuration approach, with some extensions and deviations.

Services are driven by Ansible playbooks and the associated roles stored here. If you are interested in the configuration of a particular service, start at ``playbooks/service-<name>.yaml``; it shows how that service is configured.

Most services are deployed as containers; many of the images are built or customised in this repository, see ``docker/``.

Bootstrap
---------

Bootstrapping a new installation runs into the usual chicken-and-egg problem: keeping the system up and running requires maintaining certain secrets, but providing those secrets securely requires the infrastructure to already be up and running. Breaking this cycle takes a few deliberate steps.

TLS Certificates
----------------

Most systems require valid TLS certificates, and the initial bootstrap requires them as well. Systems that need them typically support passing the initial certificates in through inventory variables.

Vault
-----

Secrets can be managed securely in a few different ways. Ansible Vault is a good tool, but it is cumbersome to manage and to rotate (both the vault password and the secrets stored inside the vault). HashiCorp Vault is in that sense a much more flexible system, and it additionally supports infrastructure-based authorization.

Deploying Vault, on the other hand, itself requires TLS certificates. During bootstrapping it is most likely not possible to rely on ``playbooks/acme-certs.yaml``, because that playbook requires an already bootstrapped bridge host, so initial valid certificates must be provided through the host variables ``vault_tls_cert_content`` and ``vault_tls_key_content``. These variables should not be committed to git; provide them only during the bootstrapping phase.

Bootstrapping Vault therefore requires the following steps:

  1. Log in to a host that has access to all nodes which will run HashiCorp Vault.
  2. Check out this repository and ensure that ``inventory/service/hosts.yaml`` contains the proper IP addresses and that those hosts are members of the ``vault`` group in ``inventory/service/groups.yaml``.
  3. Execute the ``ansible-playbook playbooks/service-vault.yaml`` playbook.
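The bootstrap phase above hinges on handing ``vault_tls_cert_content`` and ``vault_tls_key_content`` to Ansible without them ever landing in git. The following script is an added example (it is not part of system-config) that renders a throw-away host_vars file for those two variables: it checks that each value is a single PEM block of the expected type, writes the file with mode 0600, and refuses a destination that is inside a git work tree unless ``.gitignore`` covers it. The variable names are the ones the README uses; the PEM strings below are constructed placeholders, the output path and the ``-e @file`` usage are assumptions.

```python
"""Render a temporary host_vars file carrying the initial Vault TLS material.

Added example, not part of system-config. Only the variable names
(vault_tls_cert_content, vault_tls_key_content) come from the README.
"""
import os
import subprocess

# Accepted PEM labels per variable (standard labels; "PRIVATE KEY" is PKCS#8).
PEM_LABELS = {
    "vault_tls_cert_content": ("CERTIFICATE",),
    "vault_tls_key_content": ("PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"),
}


def check_pem(text, var_name):
    """True when *text* is exactly one PEM block whose label is allowed for *var_name*."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    if len(lines) < 3:
        return False
    for label in PEM_LABELS[var_name]:
        if lines[0] == f"-----BEGIN {label}-----" and lines[-1] == f"-----END {label}-----":
            # Reject concatenated material (e.g. a key glued behind a certificate).
            return not any(ln.startswith("-----BEGIN") for ln in lines[1:-1])
    return False


def render_host_vars(cert_pem, key_pem):
    """Render both variables as YAML literal block scalars (no PyYAML dependency)."""
    pairs = (("vault_tls_cert_content", cert_pem), ("vault_tls_key_content", key_pem))
    out = []
    for name, pem in pairs:
        if not check_pem(pem, name):
            raise ValueError(f"{name}: not a single PEM block of the expected type")
        body = "\n".join("  " + ln.strip() for ln in pem.strip().splitlines() if ln.strip())
        out.append(f"{name}: |\n{body}")
    return "\n".join(out) + "\n"


def safe_destination(path):
    """True if *path* is outside any git work tree, or inside one but ignored."""
    directory = os.path.dirname(os.path.abspath(path)) or "."
    inside = subprocess.run(
        ["git", "-C", directory, "rev-parse", "--is-inside-work-tree"],
        capture_output=True, text=True,
    )
    if inside.returncode != 0 or inside.stdout.strip() != "true":
        return True  # not a git checkout at all
    ignored = subprocess.run(
        ["git", "-C", directory, "check-ignore", "-q", os.path.abspath(path)],
        capture_output=True,
    )
    return ignored.returncode == 0  # exit 0 means a .gitignore rule matches


def write_bootstrap_vars(path, cert_pem, key_pem):
    """Write the rendered file with mode 0600; never overwrite, never land in tracked space."""
    if not safe_destination(path):
        raise RuntimeError(f"{path} is inside a git work tree and not ignored")
    content = render_host_vars(cert_pem, key_pem)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(content)
    return path


# Constructed placeholder PEM material for illustration; not real certificates or keys.
SAMPLE_CERT = """-----BEGIN CERTIFICATE-----
MIIBszCCAVmgAwIBAgIUPLACEHOLDERCERT
-----END CERTIFICATE-----
"""
SAMPLE_KEY = """-----BEGIN PRIVATE KEY-----
MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgPLACEHOLDERKEY
-----END PRIVATE KEY-----
"""

if __name__ == "__main__":
    # Assumed path outside the checkout; wire it in with
    #   ansible-playbook -e @/run/bootstrap/vault-tls.yaml playbooks/service-vault.yaml
    # or drop it into a git-ignored host_vars directory for the vault hosts.
    print(render_host_vars(SAMPLE_CERT, SAMPLE_KEY), end="")
```

Passing the file with ``-e @file`` applies the same certificate to every host in the play; when each Vault node carries its own certificate, write one such file per node into a git-ignored ``host_vars/<node>.yaml`` instead. Either way the material lives only on the bootstrap host and is deleted once ``playbooks/acme-certs.yaml`` can take over.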