Ansible playbook
The playbook installs the following components:
RKE2
Rancher
Longhorn
Prometheus (includes Grafana for centralized monitoring)
EFK (for centralized logging)
KEDA CRD
AC application (can be deployed in HA mode with each microservice running 2 replicas)
Prerequisites
Instances/Components
3 Linux VM machines (minimum configuration required for HA configuration)
1 Jumpbox with internet access and SSH connectivity to the above 3 Linux VM machines
Load Balancer on top of 3 Linux VM nodes
Here are the configurations of the 3 Linux VM machines that we used in the development environment:
name | public IP | private IP | memory | core | disk (SSD) | os |
---|---|---|---|---|---|---|
rancher1 | 3.134.212.46 | 172.31.33.225 | 32 GB | 8 | 100 GB | Ubuntu |
rancher2 | 3.131.224.248 | 172.31.47.85 | 32 GB | 8 | 100 GB | Ubuntu |
rancher3 | 18.216.242.13 | 172.31.44.236 | 32 GB | 8 | 100 GB | Ubuntu |
By default, the AC helm chart requests 250 GB of persistent volume (PV) storage. On Linux VMs with 100 GB SSDs we could not deploy the AC helm chart correctly until we reduced the PV size to 60 GB, so the QA team may need to test the Ansible script on Linux VMs with a larger disk.
Connectivity
SSH connectivity with administrative privileges between the Jumpbox and each Linux VM node
For SSH connectivity, you should have a private key file in PEM (Privacy Enhanced Mail) format.
Software
Instance | OS | Software(s) |
---|---|---|
Jumpbox | Linux (Ubuntu/CentOS) | Python, pip, Ansible |
Python and pip come preinstalled on most Linux distributions. Install Ansible with the package manager of your distribution:
```bash
# on Ubuntu
$ sudo apt install ansible
# on CentOS
$ sudo yum install ansible
# on Fedora
$ sudo dnf install ansible
```
Ports
We need the following inbound ports to be opened on the Load Balancer and the 3 Linux VMs:
9345 - required for RKE2 node clustering (the supervisor port on which new nodes register using the pre-shared rke2_token)
6443 - required for the Kubernetes API
Restrict the allowed sources for both ports to the Load Balancer, the 3 nodes and the Jumpbox rather than opening them to the internet: anyone who can reach 6443 can attempt to authenticate to the Kubernetes API, and anyone who can reach 9345 and holds the token can join a node to the cluster.
DNS
We need 2 different DNS (pointing to Load Balancer) for Ingress traffic routing to different components:
1st DNS for:
managing the RKE2 cluster
routing traffic to the Rancher GUI portal
2nd DNS for routing traffic to:
AC Portal
AC API Gateway (for REST and SOAP API calls)
Kibana dashboard for logging
Grafana dashboard for monitoring
Ideally, we would have used one DNS name for routing traffic to all components. But Rancher only supports Ingress routing based on hostname, not on context path, so a separate DNS name (hostname) is required for routing traffic to Rancher.
Configuration
Before you begin to install, you need to update the following files available in the downloaded package.
inventory file - defines the hosts (or group of hosts) upon which the playbook will run
vars/general-config.yaml - consists of configuration variables to run the playbook
vars/vault-config.yaml - consists of sensitive configuration variables (like passwords) to run the playbook, this file can be encrypted/decrypted using Ansible Vault
Update inventory file
Steps to update the inventory file:
Find the inventory file in the Ansible package.
Edit the file:
Add the server nodes' domain names or IP addresses under the "servers" group; the RKE2 server (master) role will be deployed on these nodes.
Add the agent nodes' domain names or IP addresses under the "agents" group; the RKE2 agent (worker) role will be deployed on these nodes.
```ini
# rke2 cluster master/server nodes
[servers]
#172.31.27.98

# rke2 cluster worker/agent nodes
[agents]
#172.31.29.19

[k8s:children]
servers
agents

[servers:vars]
rke2_type="server"

[agents:vars]
rke2_type="agent"

[all:vars]
ansible_user={{ ssh_user }}
ansible_ssh_private_key_file={{ ssh_key_path }}
```
Uncomment and replace the sample addresses with your own nodes. The quotes around server and agent must be straight ASCII double quotes; curly quotes would become part of the value.
Update vars/general-config.yaml
Find the general-config.yaml file under /vars in the Ansible package.
Define the following properties in general-config.yaml:
```yaml
## SSH configuration to Linux VM ##
# SSH user
ssh_user:
# SSH private key file (pem)
ssh_key_path:
# Sudo password
ansible_sudo_pass: "{{ vault_ansible_sudo_pass }}"
# Rancher domain (domain name mapped with load balancer configured on top of Linux VM)
rancher_lb_domain:
# Application domain (domain name mapped with load balancer configured on top of Linux VM)
app_lb_domain:

## RKE2 configuration ##
# Pre-shared secret token for node registration
rke2_token: "{{ vault_rke2_token }}"

## Rancher configuration ##
# rancher bootstrap password
rancher_gui_password: "{{ vault_rancher_gui_password }}"

## AC configuration ##
# Global values YAML file path
ac_global_values_yaml: "../vars/values-adeptia-connect.yaml"
# AC installation mode - set "true" for a new AC installation, or "false" to upgrade the existing environment
execute_static_job: true

## AC HA configuration ##
# Enable/Disable HA mode - true, false
ac_ha_mode: false

# backend database configuration
# backend database type, possible values are: MySQL, SQL-Server, Oracle
backend_db_type:
backend_db_url:
backend_db_username: "{{ vault_backend_db_username }}"
backend_db_password: "{{ vault_backend_db_password }}"

# log database configuration
# log database type, possible values are: MySQL, SQL-Server, Oracle
log_db_type:
log_db_url:
log_db_username: "{{ vault_log_db_username }}"
log_db_password: "{{ vault_log_db_password }}"

## Ingress SSL configuration ##
# TLS signed certificate in base64 encoding
tlsCrt:
# TLS private key of certificate in base64 encoding
tlsKey:
```
The tlsKey value is a credential: treat it with the same care as the passwords that general-config.yaml pulls in from vault-config.yaml.
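The tlsCrt and tlsKey values are the base64 encoding of the whole PEM file (header, body and footer) on a single line, and getting that wrong (pasting the raw PEM, encoding only the body, newline-wrapped base64, or supplying a passphrase-protected key) produces an ingress that fails to serve TLS. The following Python helper is an added example written for this page, not part of the playbook package: it builds the two values from PEM files and checks a configured pair for those mistakes. The file names in the usage line and the sample PEM blocks are constructed, and the checks assume the chart stores the values as a standard Kubernetes TLS secret.

```python
"""Build and sanity-check the tlsCrt / tlsKey values for general-config.yaml.

Added example, not part of the playbook package. The two values are the
base64 encoding of the *whole* PEM file (header, body and footer), in one
line, which is what a Kubernetes TLS secret expects.
"""
import base64
import binascii
import sys

CERT_BEGIN = "-----BEGIN CERTIFICATE-----"
KEY_BEGINS = (
    "-----BEGIN PRIVATE KEY-----",      # PKCS#8
    "-----BEGIN RSA PRIVATE KEY-----",  # PKCS#1
    "-----BEGIN EC PRIVATE KEY-----",   # SEC1
)
# A passphrase-protected key cannot be used: nothing in the cluster can prompt for the passphrase.
ENCRYPTED_KEY_MARKERS = ("-----BEGIN ENCRYPTED PRIVATE KEY-----", "Proc-Type: 4,ENCRYPTED")


def pem_to_b64(pem_bytes):
    """Encode a complete PEM file as a single-line base64 string (no wrapping)."""
    return base64.b64encode(pem_bytes).decode("ascii")


def decode_value(value):
    """Decode a tlsCrt/tlsKey value back to PEM text, or raise ValueError saying why it cannot be."""
    try:
        # validate=True rejects anything outside the base64 alphabet, so a
        # raw PEM (dashes) or a newline-wrapped encoding fails here.
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"not single-line base64 ({exc})") from exc
    try:
        return raw.decode("ascii")
    except UnicodeDecodeError:
        # Typical when only the PEM body was encoded: that decodes to binary DER, not PEM text.
        raise ValueError("decodes to binary, not PEM text (was only the body of the PEM file encoded?)") from None


def validate_tls_values(tls_crt, tls_key):
    """Return a list of problems with the configured pair; an empty list means the pair is usable."""
    problems = []
    try:
        crt = decode_value(tls_crt)
        if CERT_BEGIN not in crt:
            problems.append("tlsCrt does not contain a PEM certificate")
    except ValueError as exc:
        problems.append(f"tlsCrt: {exc}")
    try:
        key = decode_value(tls_key)
        if any(marker in key for marker in ENCRYPTED_KEY_MARKERS):
            problems.append("tlsKey is passphrase-protected; the ingress controller cannot use it")
        elif not any(begin in key for begin in KEY_BEGINS):
            problems.append("tlsKey does not contain a PEM private key")
    except ValueError as exc:
        problems.append(f"tlsKey: {exc}")
    return problems


# Constructed stand-ins: real files carry base64-encoded DER between these markers.
SAMPLE_CERT_PEM = b"-----BEGIN CERTIFICATE-----\nMIIBconstructedCertificateBody\n-----END CERTIFICATE-----\n"
SAMPLE_KEY_PEM = b"-----BEGIN PRIVATE KEY-----\nMIIEconstructedKeyBody\n-----END PRIVATE KEY-----\n"
SAMPLE_ENCRYPTED_KEY_PEM = (
    b"-----BEGIN ENCRYPTED PRIVATE KEY-----\nMIIFconstructedEncryptedBody\n-----END ENCRYPTED PRIVATE KEY-----\n"
)

if __name__ == "__main__":
    # Usage (hypothetical file names): python tls_values.py fullchain.pem privkey.pem
    crt_path, key_path = sys.argv[1], sys.argv[2]
    with open(crt_path, "rb") as fh:
        tls_crt = pem_to_b64(fh.read())
    with open(key_path, "rb") as fh:
        tls_key = pem_to_b64(fh.read())
    for problem in validate_tls_values(tls_crt, tls_key):
        sys.exit(f"refusing to emit values: {problem}")
    print(f"tlsCrt: {tls_crt}")
    print(f"tlsKey: {tls_key}")
```

On the Jumpbox the same value can be produced with `base64 -w0 < fullchain.pem` (GNU coreutils); the `-w0` matters, because the default output wraps at 76 columns and the wrapped form fails the check above.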
Update vars/vault-config.yaml
Find the vault-config.yaml file under /vars in the extracted Ansible package.
Define the sensitive information (like passwords) in vault-config.yaml:
```yaml
vault_ansible_sudo_pass:
vault_rancher_gui_password: adeptia1243
vault_rke2_token: defaultSecret123456 #envSecret#
vault_backend_db_username:
vault_backend_db_password:
vault_log_db_username:
vault_log_db_password:
```
The values shown for vault_rancher_gui_password and vault_rke2_token are sample placeholders, not defaults to keep: vault_rke2_token is the pre-shared secret that allows a node to join the RKE2 cluster, and vault_rancher_gui_password is the Rancher bootstrap admin password. Replace both with strong, unique values and fill in every remaining key before running the playbook.
For added security, encrypt vars/vault-config.yaml with Ansible Vault so that none of these values is stored in clear text.
Encrypt/Decrypt with Ansible Vault
Encrypting the file
To encrypt the file with Vault, use the ansible-vault encrypt command:
```bash
$ ansible-vault encrypt vault-config.yaml
```
You will be prompted to provide and confirm a vault password. Afterward, the message "Encryption successful" confirms the encryption, and the first line of the file now begins with $ANSIBLE_VAULT followed by the ciphertext.
Viewing Encrypted File
The ansible-vault view command feeds the decrypted contents of a file to standard out. By default, this means the contents are displayed in the terminal (through your pager, if one is configured).
```bash
$ ansible-vault view vault-config.yaml
```
You will be asked for the file's vault password; after entering it successfully, the contents are displayed. The password prompt and the decrypted contents appear in the same terminal, so the plaintext secrets are visible on screen (and in any terminal log) while you view them.
Decrypting Encrypted Files
To decrypt a vault-encrypted file, use the ansible-vault decrypt command:
```bash
$ ansible-vault decrypt vault-config.yaml
```
You will be prompted for the encryption password for the file. Once you enter the correct password, the file is written back to disk in clear text and the message "Decryption successful" is shown. Because decrypt leaves the plaintext on disk, prefer ansible-vault edit vault-config.yaml when you only need to change a value: it decrypts to a temporary file, opens your editor and re-encrypts on save. Decrypt only when you intend to keep the file unencrypted, and re-encrypt it afterwards.
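Before running the playbook it is worth checking that vars/vault-config.yaml is in the state the two sections above describe: either vault-encrypted, or at least free of empty values and of the sample secrets shown in the vault-config.yaml listing (adeptia1243 and defaultSecret123456). The following Python pre-flight check is an added example written for this page, not part of the playbook package. It recognises the $ANSIBLE_VAULT envelope header that ansible-vault encrypt writes and otherwise inspects the seven vault_ keys the page defines; the sample file contents and the truncated encrypted header are constructed, and the script name in the usage comment is hypothetical.

```python
"""Pre-flight check for vars/vault-config.yaml.

Added example, not part of the playbook package. It answers two questions
before adeptia-connect.sh is run: is the file still in clear text, and if
so, does it still carry empty or shipped sample secrets?
"""
import re
import sys

# Envelope header written by `ansible-vault encrypt`, e.g. "$ANSIBLE_VAULT;1.1;AES256"
# (format 1.2 appends a vault-id label as a fourth field).
VAULT_HEADER = re.compile(r"^\$ANSIBLE_VAULT;1\.[12];AES256(;[^;\s]+)?$")

# Sample values shipped in the vault-config.yaml shown above; they must never reach production.
SHIPPED_DEFAULTS = {"adeptia1243", "defaultSecret123456"}

# Keys that general-config.yaml references through {{ vault_... }} lookups.
REQUIRED_KEYS = (
    "vault_ansible_sudo_pass",
    "vault_rancher_gui_password",
    "vault_rke2_token",
    "vault_backend_db_username",
    "vault_backend_db_password",
    "vault_log_db_username",
    "vault_log_db_password",
)


def is_vault_encrypted(text):
    """True if the file starts with an ansible-vault envelope header."""
    first_line = text.splitlines()[0].strip() if text.strip() else ""
    return VAULT_HEADER.match(first_line) is not None


def parse_flat_yaml(text):
    """Parse the flat `key: value` lines used by vault-config.yaml.

    Only this minimal shape is needed, so PyYAML is not required. Full-line
    and trailing ` #` comments are dropped; surrounding quotes are stripped.
    """
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        line = re.split(r"\s+#", line, maxsplit=1)[0].rstrip()
        key, sep, value = line.partition(":")
        if not sep:
            continue
        values[key.strip()] = value.strip().strip("'\"")
    return values


def find_problems(text):
    """Return findings for a vault-config.yaml; an empty list means it is safe to proceed.

    An encrypted file yields no findings: its contents cannot be inspected
    without the vault password, and that is the desired end state.
    """
    if is_vault_encrypted(text):
        return []
    problems = ["file is not ansible-vault encrypted; run `ansible-vault encrypt` before sharing it"]
    values = parse_flat_yaml(text)
    for key in REQUIRED_KEYS:
        value = values.get(key, "")
        if not value:
            problems.append(f"{key}: empty")
        elif value in SHIPPED_DEFAULTS:
            problems.append(f"{key}: still set to the shipped sample value")
    return problems


# Constructed sample of a vault-config.yaml that was filled in only partially.
SAMPLE_PLAINTEXT = """\
vault_ansible_sudo_pass:
vault_rancher_gui_password: adeptia1243
vault_rke2_token: defaultSecret123456 #envSecret#
vault_backend_db_username: acuser
vault_backend_db_password: 'S3cure-P4ss'
vault_log_db_username: logs
vault_log_db_password: L0g-P4ss
"""

# Constructed header only; a real vault file continues with hex-encoded ciphertext lines.
SAMPLE_ENCRYPTED = "$ANSIBLE_VAULT;1.1;AES256\n3233376438...\n"

if __name__ == "__main__":
    # Usage (hypothetical script name): python check_vault_config.py vars/vault-config.yaml
    path = sys.argv[1] if len(sys.argv) > 1 else "vars/vault-config.yaml"
    with open(path, encoding="utf-8") as fh:
        findings = find_problems(fh.read())
    for finding in findings:
        print(f"{path}: {finding}")
    sys.exit(1 if findings else 0)
```

Run it from the extracted package directory on the Jumpbox before adeptia-connect.sh; a non-zero exit means the file still needs work. Once the file is encrypted the check passes by design, since the shipped values can no longer be read without the vault password.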
Execution
The package contains a shell file (adeptia-connect.sh) that can be run to execute the Ansible playbook with appropriate arguments.
Install
Log in to the Jumpbox.
Download and extract the Ansible Playbook package.
Update the Ansible playbook configurations as per the instructions.
Run the shell file (adeptia-connect.sh) to deploy the Rancher and AC application with the required dependencies.
```bash
# restrict the ssh private key file (pem) to read/write by its owner only
$ chmod 0600 <pem file>
# set executable permission on the shell file (adeptia-connect.sh)
$ chmod +x adeptia-connect.sh
# run the shell file
$ ./adeptia-connect.sh
```
You have the flexibility to pass the tag argument during the execution of the shell file to install different components as per requirement.
Tag | Components |
---|---|
--tag=install-all | Installs all the components, including RKE2, Rancher, AC, EFK, Prometheus, etc. This is the default mode (used if you don't provide any tag argument during the execution of the shell file). |
--tag=install-basic | Installs all the components (RKE2, Rancher, EFK, Prometheus, etc.) except the AC application |
--tag=install-ac | Installs only the AC application |
--tag=install-rke2 | Installs only RKE2 (server/agent) |
--tag=install-prometheus | Installs only Prometheus (and Grafana) |
--tag=install-efk | Installs only EFK |
```bash
# to deploy only the AC application
$ ./adeptia-connect.sh --tag=install-ac
# to run multiple tags, provide comma-separated values
$ ./adeptia-connect.sh --tag=install-basic,install-ac
```
Using Ansible Vault encryption
Once vault-config.yaml is encrypted, you need to pass the argument --ask-vault-pass whenever you run the shell file (adeptia-connect.sh).
Ansible will prompt you for the vault password, which it uses to decrypt any vault-protected content it finds.
```bash
$ ./adeptia-connect.sh --ask-vault-pass
```
Uninstall
Description | Command |
---|---|
Uninstall the complete package | $ ./adeptia-connect.sh --tag=uninstall-all |
Uninstall only AC | $ ./adeptia-connect.sh --tag=uninstall-ac |