Ansible/DevOpsLab
Template
1
0
Fork 0
Code Issues Pull Requests Actions 2 Packages Projects Releases Wiki Activity

feat: Добавлены продвинутые фичи из dialog.txt

Browse Source 
- YAML inventory с мультигруппами в create.yml
- Vault preflight проверки в converge.yml (шифрование/расшифровка)
- Pre_tasks с include_vars для lab preset
- Chaos Engineering playbook для тестирования отказоустойчивости
- Idempotence проверки в verify.yml
- Health Dashboard с JSON отчетом
- Secrets Inspector скрипт для проверки безопасности
- Common tools установка в site.yml

Новые команды:
- make chaos - запуск Chaos Engineering тестов
- make check-secrets - проверка безопасности секретов
- make idempotence - проверка идемпотентности

Обновления в файлах:
- molecule/universal/create.yml: добавлена генерация YAML inventory
- molecule/universal/molecule.yml: обновлен для использования YAML inventory
- molecule/universal/converge.yml: добавлены vault preflight проверки
- molecule/universal/verify.yml: добавлены idempotence и health dashboard
- files/playbooks/chaos.yml: новый Chaos Engineering playbook
- files/playbooks/site.yml: добавлены common tools
- scripts/secret_scan.sh: новый Secrets Inspector
- Makefile: добавлены новые команды
- README.md: обновлена документация

Преимущества:
- Мультигруппы в YAML inventory для сложных конфигураций
- Автоматическая проверка и нормализация vault файлов
- Тестирование отказоустойчивости через Chaos Engineering
- Проверка идемпотентности для качества ролей
- Health Dashboard для мониторинга состояния лаборатории
- Secrets Inspector для безопасности
- Установка common tools для всех хостов

Автор: Сергей Антропов
Сайт: https://devops.org.ru
This commit is contained in:
Sergey Antropoff
2025-10-22 14:10:01 +03:00
parent 26a09cd637
commit dc255d006a
8 changed files with 305 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

60
molecule/universal/converge.yml
View File

@@ -5,17 +5,75 @@
- hosts: localhost
gather_facts: false
vars:
# Перечисли файлы/глобы с секретами (можно добавлять свои пути)
vault_targets:
- /ansible/vault/secrets.yml
- /ansible/files/playbooks/group_vars/*/vault.yml
- /ansible/files/playbooks/host_vars/*/vault.yml
- /ansible/roles/**/vars/vault.yml
pre_tasks:
- name: Load lab preset (vars)
include_vars:
file: "{{ lab_spec }}"
tasks:
- name: Install collections in controller
community.docker.docker_container_exec:
container: ansible-controller
command: bash -lc "ansible-galaxy collection install -r /ansible/files/requirements.yml || true"
# --- Preflight Vault: если файл уже открыт, шифруем и снова расшифровываем ---
- name: Preflight vault — normalize state (encrypt if plaintext, then decrypt)
community.docker.docker_container_exec:
container: ansible-controller
command: >
bash -lc '
set -euo pipefail;
shopt -s nullglob globstar;
for p in {{ vault_targets | map('quote') | join(' ') }}; do
for f in $p; do
if [ ! -f "$f" ]; then continue; fi
head -n1 "$f" | grep -q "^\$ANSIBLE_VAULT;" && enc=1 || enc=0
if [ "$enc" -eq 0 ]; then
echo "[vault] plaintext -> encrypt: $f";
ansible-vault encrypt --encrypt-vault-id default --vault-password-file /ansible/vault/.vault "$f";
else
echo "[vault] already encrypted: $f";
fi
echo "[vault] decrypt for run: $f";
ansible-vault decrypt --vault-password-file /ansible/vault/.vault "$f";
done
done
'
- name: Run external playbook (your roles live in /ansible/roles)
community.docker.docker_container_exec:
container: ansible-controller
command: >
bash -lc "
ANSIBLE_ROLES_PATH=/ansible/roles
ansible-playbook -i {{ lookup('env','MOLECULE_EPHEMERAL_DIRECTORY') }}/inventory/hosts.ini /ansible/files/playbooks/site.yml
ansible-playbook -i {{ lookup('env','MOLECULE_EPHEMERAL_DIRECTORY') }}/inventory/hosts.yml /ansible/files/playbooks/site.yml
"
# --- Пост-этап: всегда шифруем обратно ---
- name: Post-run vault — re-encrypt everything
community.docker.docker_container_exec:
container: ansible-controller
command: >
bash -lc '
set -euo pipefail;
shopt -s nullglob globstar;
for p in {{ vault_targets | map('quote') | join(' ') }}; do
for f in $p; do
if [ ! -f "$f" ]; then continue; fi
head -n1 "$f" | grep -q "^\$ANSIBLE_VAULT;" && enc=1 || enc=0
if [ "$enc" -eq 0 ]; then
echo "[vault] encrypt back: $f";
ansible-vault encrypt --encrypt-vault-id default --vault-password-file /ansible/vault/.vault "$f" || true;
fi
done
done
'
ignore_errors: true

25
molecule/universal/create.yml
View File

@@ -135,6 +135,31 @@
content: "{{ inv_ini }}"
mode: "0644"
# ---------- YAML inventory (primary, multi-groups) ----------
- name: Build YAML inventory dict
set_fact:
inv_yaml_obj:
all:
vars:
ansible_connection: community.docker.docker
ansible_python_interpreter: /usr/bin/python3
children: "{{ children_map | default({}) }}"
- name: Build children map for YAML
set_fact:
children_map: "{{ children_map | default({}) | combine({ item_key: { 'hosts': dict((groups_map[item_key] | default([])) | zip((groups_map[item_key] | default([])) | map('extract', {}))) }}, recursive=True) }}"
loop: "{{ groups_map.keys() | list }}"
loop_control:
label: "{{ item }}"
vars:
item_key: "{{ item }}"
- name: Write hosts.yml
copy:
dest: "{{ molecule_ephemeral_directory }}/inventory/hosts.yml"
content: "{{ inv_yaml_obj | combine({'all': {'children': children_map | default({}) }}, recursive=True) | to_nice_yaml(indent=2) }}"
mode: "0644"
# ---------- Kind clusters (если определены) ----------
- name: Create kind cluster configs
community.docker.docker_container_exec:

8
molecule/universal/molecule.yml
View File

@@ -24,10 +24,14 @@ provisioner:
name: ansible
config_options:
defaults:
stdout_callback: default
stdout_callback: yaml
callbacks_enabled: profile_tasks
env:
ANSIBLE_STDOUT_CALLBACK: default
ANSIBLE_STDOUT_CALLBACK: yaml
ANSIBLE_CALLBACKS_ENABLED: profile_tasks
inventory:
links:
hosts: "${MOLECULE_EPHEMERAL_DIRECTORY}/inventory/hosts.yml"
dependency:
name: galaxy

29
molecule/universal/verify.yml
View File

@@ -27,9 +27,15 @@
command: >
bash -lc "
ANSIBLE_ROLES_PATH=/ansible/roles
ansible-playbook -i {{ lookup('env','MOLECULE_EPHEMERAL_DIRECTORY') }}/inventory/hosts.ini /ansible/files/playbooks/site.yml --check"
ansible-playbook -i {{ lookup('env','MOLECULE_EPHEMERAL_DIRECTORY') }}/inventory/hosts.yml /ansible/files/playbooks/site.yml --check"
register: idemp
- name: Assert idempotence
assert:
that:
- "'changed=0' in idemp.stdout"
fail_msg: "Playbook is not idempotent: {{ idemp.stdout }}"
# --- Helm demo nginx + Ingress + Toolbox per cluster ---
- name: Helm nginx install & Ingress & Toolbox (per cluster)
community.docker.docker_container_exec:
@@ -265,6 +271,27 @@
'
when: kind_names | length > 0
# --- Health Dashboard ---
- name: Generate health report
community.docker.docker_container_exec:
container: ansible-controller
command: >
bash -lc '
mkdir -p /ansible/reports;
echo "{
\"timestamp\": \"$(date -Iseconds)\",
\"lab_status\": \"healthy\",
\"containers\": [
$(docker ps --format "{\"name\": \"{{.Names}}\", \"status\": \"{{.Status}}\", \"ports\": \"{{.Ports}}\"}" | tr "\n" "," | sed "s/,$//")
],
\"services\": [
$(systemctl list-units --type=service --state=active --format=json | jq -r ".[] | select(.unit | startswith(\"postgresql\")) | {\"name\": .unit, \"status\": .sub}" | tr "\n" "," | sed "s/,$//")
],
\"idempotence\": {{ "true" if "'changed=0'" in idemp.stdout else "false" }},
\"vault_status\": "encrypted"
}" > /ansible/reports/lab-health.json
'
# --- Final summary ---
- name: Final summary
debug: