From ad473789430e12b5c7903f6274518770b41270b7 Mon Sep 17 00:00:00 2001 From: Oliver O'Mahony Date: Wed, 14 Jun 2023 11:51:59 +0100 Subject: [PATCH 1/5] added default nginx-agent --- CONTRIBUTING.md | 2 +- README.md | 44 ++++++++++++++++++++++++++++++++++- defaults/main/agent.yml | 6 +++++ tasks/agent/install-agent.yml | 17 ++++++++++++++ tasks/agent/setup-debian.yml | 9 +++++++ tasks/agent/setup-redhat.yml | 9 +++++++ tasks/main.yml | 6 +++++ 7 files changed, 91 insertions(+), 2 deletions(-) create mode 100644 defaults/main/agent.yml create mode 100644 tasks/agent/install-agent.yml create mode 100644 tasks/agent/setup-debian.yml create mode 100644 tasks/agent/setup-redhat.yml diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 5a59e5171..8a5d93ab5 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -27,7 +27,7 @@ Follow our [Installation Guide](https://github.com/nginxinc/ansible-role-nginx/b ### Project Structure -- The NGINX Ansible role is written in `yaml` and supports NGINX Open Source, NGINX Plus, and NGINX Amplify. +- The NGINX Ansible role is written in `yaml` and supports NGINX Open Source, NGINX Plus, NGINX Agent and NGINX Amplify. - The project follows the standard [Ansible role directory structure](https://docs.ansible.com/ansible/latest/user_guide/playbooks_reuse_roles.html): - The main code is found in [`tasks/`](https://github.com/nginxinc/ansible-role-nginx/blob/main/tasks/). - Variables can be found in [`defaults/main/`](https://github.com/nginxinc/ansible-role-nginx/blob/main/defaults/main/). diff --git a/README.md b/README.md index 80ea042fe..cfa468379 100644 --- a/README.md +++ b/README.md 
@@ -6,7 +6,7 @@ # Ansible NGINX Role -This role installs NGINX Open Source, NGINX Plus, or the NGINX Amplify agent on your target host. +This role installs NGINX Open Source, NGINX Plus, NGINX Agent or the NGINX Amplify agent on your target host. **Note:** This role is still in active development. There may be unidentified issues and the role variables may change as development continues. @@ -177,6 +177,48 @@ Ubuntu: - focal ``` +### NGINX Agent + +```yaml +AlmaLinux: + - 8 + - 9 +Alpine: + - 3.13 + - 3.14 + - 3.15 + - 3.16 + - 3.17 +Amazon Linux 2: + - any +Debian: + - buster (10) + - bullseye (11) +CentOS: + - 7.4+ +FreeBSD: + - 12.1+ + - 13 +Oracle Linux: + - 7.4+ + - 8 + - 9 +Red Hat: + - 7 + - 8 + - 9 +Rocky Linux: + - 8 + - 9 +SUSE/SLES: + - 12 + - 15 +Ubuntu: + - bionic + - focal + - jammy +``` + **Note:** You can also use this role to compile NGINX Open Source from source, install NGINX Open Source on compatible yet unsupported platforms, or install NGINX Open Source on BSD systems at your own risk. ## Role Variables diff --git a/defaults/main/agent.yml b/defaults/main/agent.yml new file mode 100644 index 000000000..4571bc3c1 --- /dev/null +++ b/defaults/main/agent.yml @@ -0,0 +1,6 @@ +--- +# Install NGINX Agent. +# Requires access to either the NGINX stub_status or the NGINX Plus REST API. +# Default is null. +nginx_agent_enable: false +nginx_agent_repo: packages.nginx.org diff --git a/tasks/agent/install-agent.yml b/tasks/agent/install-agent.yml new file mode 100644 index 000000000..a8807cfec --- /dev/null +++ b/tasks/agent/install-agent.yml 
@@ -0,0 +1,17 @@ +--- +- name: Configure NGINX Agent repository + ansible.builtin.include_tasks: "{{ role_path }}/tasks/agent/setup-{{ ansible_facts['os_family'] | lower }}.yml" + when: ansible_facts['os_family'] in ['Debian', 'RedHat'] + +- name: Install NGINX Agent + ansible.builtin.package: + name: nginx-agent + state: present + +- name: Copy NGINX configurator Agent configuration template + ansible.builtin.copy: + remote_src: true + src: /etc/nginx-agent/nginx-agent.conf.default + dest: /etc/nginx-agent/nginx-agent.conf + mode: "0644" + diff --git a/tasks/agent/setup-debian.yml b/tasks/agent/setup-debian.yml new file mode 100644 index 000000000..a640d7356 --- /dev/null +++ b/tasks/agent/setup-debian.yml @@ -0,0 +1,9 @@ +--- +- name: (Debian/Ubuntu) Add NGINX Agent repository + ansible.builtin.apt_repository: + filename: nginx-agent + repo: deb [arch=amd64 signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] https://pkgs.nginx.com/nginx-agent/{{ ansible_facts['distribution'] | lower }}/{{ ansible_facts['distribution_release'] | lower }} nginx-agent + update_cache: true + mode: "0644" + +# TODO conditional on arch and nginx_agent_repo for URL in repo \ No newline at end of file diff --git a/tasks/agent/setup-redhat.yml b/tasks/agent/setup-redhat.yml new file mode 100644 index 000000000..031e08b07 --- /dev/null +++ b/tasks/agent/setup-redhat.yml @@ -0,0 +1,9 @@ +--- +- name: (Amazon Linux/CentOS/RHEL) Add NGINX Agent repository + ansible.builtin.yum_repository: + name: nginx-amplify + baseurl: https://pkgs.nginx.com/nginx-agent/{{ (ansible_facts['distribution_major_version'] is version('7', '==')) }}{{ (ansible_facts['distribution'] == 'Amazon') | ternary('amzn', 'centos') }}/$releasever/$basearch/ + description: NGINX Amplify Agent + enabled: true + gpgcheck: true + mode: "0644" diff --git a/tasks/main.yml b/tasks/main.yml index 9f988a63b..64399736f 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
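Review bot: The repository include at the top of install-agent.yml is gated on `ansible_facts['os_family'] in ['Debian', 'RedHat']`, but the `ansible.builtin.package` task right after it runs unconditionally, so on any other family the play silently tries to pull `nginx-agent` from whatever repositories the host already has instead of failing clearly. The README hunk in this same patch advertises Alpine, FreeBSD and SUSE/SLES as supported, which this task file does not back up; either add the matching `setup-*.yml` files or fail fast before the install, e.g. `- ansible.builtin.fail: msg: "NGINX Agent install is only implemented for Debian and RedHat families"` with `when: ansible_facts['os_family'] not in ['Debian', 'RedHat']`. The unconditional `package` call with no `update_cache` handling on the non-Debian path is also worth a comment so the next maintainer knows the gap is known rather than accidental.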
@@ -81,3 +81,9 @@ - nginx_amplify_api_key is defined - nginx_amplify_api_key | length > 0 tags: nginx_install_amplify + +- name: Install NGINX Agent + ansible.builtin.include_tasks: "{{ role_path }}/tasks/agent/install-agent.yml" + when: + - nginx_agent_enable | bool + tags: nginx_install_agent From eef234a341b93c0dfa351e3d8101949254ffbfae Mon Sep 17 00:00:00 2001 From: Chris Adams Date: Wed, 14 Jun 2023 16:05:05 +0100 Subject: [PATCH 2/5] NGINX Agent RH install flow --- handlers/main.yml | 6 ++++++ tasks/agent/install-agent.yml | 18 ++++++++++++------ tasks/agent/setup-debian.yml | 12 ++++++------ tasks/agent/setup-redhat.yml | 11 +++++++---- 4 files changed, 31 insertions(+), 16 deletions(-) diff --git a/handlers/main.yml b/handlers/main.yml index abe5ada91..d8b6f530b 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -42,6 +42,12 @@ name: amplify-agent state: started +- name: (Handler) Start NGINX Agent + ansible.builtin.service: + name: nginx-agent + state: started + enabled: true + - name: (Handler) Start logrotate ansible.builtin.command: cmd: logrotate -f /etc/logrotate.d/nginx diff --git a/tasks/agent/install-agent.yml b/tasks/agent/install-agent.yml index a8807cfec..4839688ea 100644 --- a/tasks/agent/install-agent.yml +++ b/tasks/agent/install-agent.yml @@ -8,10 +8,16 @@ name: nginx-agent state: present -- name: Copy NGINX configurator Agent configuration template - ansible.builtin.copy: - remote_src: true - src: /etc/nginx-agent/nginx-agent.conf.default - dest: /etc/nginx-agent/nginx-agent.conf - mode: "0644" +# TODO - after installing NGINX Agent /etc/nginx-agent/nginx-agent.conf.default does not exist +#- name: Copy NGINX configurator Agent configuration template +# ansible.builtin.copy: +# remote_src: true +# src: /etc/nginx-agent/nginx-agent.conf.default +# dest: /etc/nginx-agent/nginx-agent.conf +# mode: "0644" +- name: Start NGINX Agent + ansible.builtin.service: + name: nginx-agent + state: started + enabled: true \ No newline at end of file 
diff --git a/tasks/agent/setup-debian.yml b/tasks/agent/setup-debian.yml index a640d7356..28c3b2e9d 100644 --- a/tasks/agent/setup-debian.yml +++ b/tasks/agent/setup-debian.yml @@ -1,9 +1,9 @@ --- -- name: (Debian/Ubuntu) Add NGINX Agent repository - ansible.builtin.apt_repository: - filename: nginx-agent - repo: deb [arch=amd64 signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] https://pkgs.nginx.com/nginx-agent/{{ ansible_facts['distribution'] | lower }}/{{ ansible_facts['distribution_release'] | lower }} nginx-agent - update_cache: true - mode: "0644" +#- name: (Debian/Ubuntu) Add NGINX Agent repository +# ansible.builtin.apt_repository: +# filename: nginx-agent +# repo: deb [arch=amd64 signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] https://pkgs.nginx.com/nginx-agent/{{ ansible_facts['distribution'] | lower }}/{{ ansible_facts['distribution_release'] | lower }} nginx-agent +# update_cache: true +# mode: "0644" # TODO conditional on arch and nginx_agent_repo for URL in repo \ No newline at end of file diff --git a/tasks/agent/setup-redhat.yml b/tasks/agent/setup-redhat.yml index 031e08b07..89ad35de1 100644 --- a/tasks/agent/setup-redhat.yml +++ b/tasks/agent/setup-redhat.yml 
@@ -1,9 +1,12 @@ --- -- name: (Amazon Linux/CentOS/RHEL) Add NGINX Agent repository +- name: (RHEL/CentOS/Rocky Linux/AlmaLinux/Oracle Linux) Add NGINX Agent repository ansible.builtin.yum_repository: - name: nginx-amplify - baseurl: https://pkgs.nginx.com/nginx-agent/{{ (ansible_facts['distribution_major_version'] is version('7', '==')) }}{{ (ansible_facts['distribution'] == 'Amazon') | ternary('amzn', 'centos') }}/$releasever/$basearch/ - description: NGINX Amplify Agent + name: nginx-agent + file: nginx-agent + baseurl: https://{{ nginx_agent_repo }}/nginx-agent/{{ (ansible_facts['distribution'] == 'Amazon') | ternary('amzn', 'centos') }}/$releasever/$basearch/ + description: NGINX Agent enabled: true gpgcheck: true + gpgkey: https://nginx.org/keys/nginx_signing.key + module_hotfixes: true mode: "0644" From 81ddda8e8909a00d4585f915b7e8171976c119d6 Mon Sep 17 00:00:00 2001 From: Chris Adams Date: Wed, 14 Jun 2023 18:15:19 +0100 Subject: [PATCH 3/5] Add NGINX Agent config fragment for NGINX Management suite --- handlers/main.yml | 4 +-- tasks/agent/install-agent.yml | 17 ++++++++---- templates/nginx-agent/nms-nginx-agent.conf.j2 | 26 +++++++++++++++++++ 3 files changed, 40 insertions(+), 7 deletions(-) create mode 100644 templates/nginx-agent/nms-nginx-agent.conf.j2 diff --git a/handlers/main.yml b/handlers/main.yml index d8b6f530b..99c327fc1 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -42,10 +42,10 @@ name: amplify-agent state: started -- name: (Handler) Start NGINX Agent +- name: (Handler) Start/reloaded NGINX Agent ansible.builtin.service: name: nginx-agent - state: started + state: restarted enabled: true - name: (Handler) Start logrotate diff --git a/tasks/agent/install-agent.yml b/tasks/agent/install-agent.yml index 4839688ea..738bc4744 100644 --- a/tasks/agent/install-agent.yml +++ b/tasks/agent/install-agent.yml 
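Review bot: `$releasever` is interpolated straight into `baseurl`, and on RHEL 7 hosts yum expands it to `7Server` (or `7Workstation`) rather than `7`, which would not match the `centos/<major>/` layout implied by the `ternary('amzn', 'centos')` segment; the role's existing NGINX repo tasks presumably deal with this already, so mirror them, most likely `{{ ansible_facts['distribution_major_version'] }}` in place of `$releasever`. Pinning `gpgkey` to `https://nginx.org/keys/nginx_signing.key` independently of `nginx_agent_repo` is the right design, since an operator pointing the role at a mirror still has packages verified against the vendor key; a one-line comment saying that is deliberate would stop someone "fixing" it to use `{{ nginx_agent_repo }}`. `module_hotfixes: true` deserves a short why-comment as well (the packaged defaults otherwise let an AppStream `nginx` module shadow this repo), since it is not obvious from the task alone.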
@@ -16,8 +16,15 @@ # dest: /etc/nginx-agent/nginx-agent.conf # mode: "0644" -- name: Start NGINX Agent - ansible.builtin.service: - name: nginx-agent - state: started - enabled: true \ No newline at end of file +#TODO - add in when NMS vars are present to both below tasks +- name: Copy NGINX Agent config fragment for NGINX Management Suite + ansible.builtin.template: + src: nginx-agent/nms-nginx-agent.conf.j2 + dest: /etc/nginx-agent/nms-nginx-agent-fragment.conf + mode: "0644" + +- name: Assemble NGINX Agent config fragment + ansible.builtin.assemble: + src: /etc/nginx-agent + dest: /etc/nginx-agent/nginx-agent.conf + notify: (Handler) Start/reloaded NGINX Agent diff --git a/templates/nginx-agent/nms-nginx-agent.conf.j2 b/templates/nginx-agent/nms-nginx-agent.conf.j2 new file mode 100644 index 000000000..e7480ab33 --- /dev/null +++ b/templates/nginx-agent/nms-nginx-agent.conf.j2 @@ -0,0 +1,26 @@ +# specify the server grpc port to connect to +server: + # host of the control plane +{% if nms_server_host is defined %} + host: {{ nms_server_host }} +{% endif %} +{% if nms_server_port is defined %} + grpcPort: {{ nms_server_port }} +{% endif %} + + +# tls options +tls: + # enable tls in the nginx-agent setup for grpcs + # default to enable to connect with tls connection but without client cert for mtls +{% if nms_tls_enable is defined %} + enable: {{ nms_tls_enable }} +{% endif %} +{% if nms_tls_skip_verify is defined %} + skip_verify: {{ nms_tls_skip_verify }} +{% endif %} + # path to ca certificate file used for server cert validation + ca: "" + # path to cert and key files for mTLS + cert: "" + key: "" From 8052f59dc7f1b8fe9e7ae2adfe8bfb543fe00363 Mon Sep 17 00:00:00 2001 
From: Chris Adams Date: Fri, 16 Jun 2023 17:40:34 +0100 Subject: [PATCH 4/5] Add setup Debian and add NGINX Management Suite config for NGINX Agent --- defaults/main/agent.yml | 16 ++++++++++++ tasks/agent/config-nms.yml | 25 ++++++++++++++++++ tasks/agent/install-agent.yml | 24 +++-------------- tasks/agent/setup-debian.yml | 14 +++++----- templates/nginx-agent/nms-nginx-agent.conf.j2 | 26 ------------------- 5 files changed, 51 insertions(+), 54 deletions(-) create mode 100644 tasks/agent/config-nms.yml delete mode 100644 templates/nginx-agent/nms-nginx-agent.conf.j2 diff --git a/defaults/main/agent.yml b/defaults/main/agent.yml index 4571bc3c1..111a2fd85 100644 --- a/defaults/main/agent.yml +++ b/defaults/main/agent.yml @@ -4,3 +4,19 @@ # Default is null. nginx_agent_enable: false nginx_agent_repo: packages.nginx.org + +# Specify the grpc server +nms_server_host: null # host of the control plane +nms_server_port: 443 # port of the control plane + +# Enable tls in the nginx-agent setup for grpc +# Default to enable to connect with tls connection but without client cert for mtls +nms_tls_enable: true +nms_tls_skip_verify: true + +# Path to ca certificate file used for server cert validation +nms_tls_ca: "" + +# Path to cert and key files for mTLS +nms_tls_cert: "" +nms_tls_key: "" \ No newline at end of file diff --git a/tasks/agent/config-nms.yml b/tasks/agent/config-nms.yml new file mode 100644 index 000000000..8cf04955a --- /dev/null +++ b/tasks/agent/config-nms.yml 
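Review bot: `nms_tls_skip_verify: true` as the shipped default disables server-certificate verification on the agent's gRPC channel to NGINX Management Suite, so anyone who can intercept traffic to `nms_server_host` can impersonate the control plane — and that channel is what pushes NGINX configuration to the host. Default it to `false` and make skipping verification an explicit opt-in; the comment above it is also misleading, since skipping verification is not the same thing as "without client cert for mTLS", so reword it to something like `# Skip server certificate verification (insecure; only for self-signed lab setups)`. `nms_tls_enable`/`nms_tls_skip_verify` are real booleans here, which is good, but the surviving `# Default is null.` above `nginx_agent_enable: false` no longer matches its value and should be dropped or corrected. Note also that `nms_server_host: null` is still a *defined* variable in Jinja, so any `is defined` test elsewhere in the role will not distinguish "unset" from this default.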
@@ -0,0 +1,25 @@ +--- + +- name: Add NGINX Management Suite config to NGINX Agent config + ansible.builtin.blockinfile: + backup: true + mode: "0644" + path: /etc/nginx-agent/nginx-agent.conf + block: | + # specify the server grpc port to connect to + server: + # host of the control plane + host: {{ nms_server_host }} + grpcPort: {{ nms_server_port }} + + # tls options + tls: + # enable tls in the nginx-agent setup for grpcs + # default to enable to connect with tls connection but without client cert for mtls + enable: {{ nms_tls_enable | lower }} + skip_verify: {{ nms_tls_skip_verify | lower }} + # path to ca certificate file used for server cert validation + ca: {{ nms_tls_ca }} + # path to cert and key files for mTLS + cert: {{ nms_tls_cert }} + key: {{ nms_tls_key }} \ No newline at end of file diff --git a/tasks/agent/install-agent.yml b/tasks/agent/install-agent.yml index 738bc4744..70d200baf 100644 --- a/tasks/agent/install-agent.yml +++ b/tasks/agent/install-agent.yml 
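Review bot: The `blockinfile` task rewrites `/etc/nginx-agent/nginx-agent.conf` but carries no `notify`, so changing any `nms_*` variable on a host where the agent is already installed updates the file without the agent ever reloading it; add `notify: (Handler) Start/reloaded NGINX Agent` to this task. The block is appended to the packaged config, and if that file already has top-level `server:` or `tls:` keys (the comment text here reads as if it was copied from it) the result contains duplicate keys and which one wins is up to the agent's YAML loader — worth confirming against the rendered file on a test host. The templated path values are unquoted, so an empty `nms_tls_ca` renders as a bare `ca:` (null) and a path containing ` #` would be truncated; quote them, e.g. `ca: "{{ nms_tls_ca }}"`, `cert: "{{ nms_tls_cert }}"`, `key: "{{ nms_tls_key }}"`. `backup: true` also leaves a timestamped copy of the config beside the live one on every change, which is rarely what you want for a role-managed file.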
@@ -7,24 +7,8 @@ ansible.builtin.package: name: nginx-agent state: present - -# TODO - after installing NGINX Agent /etc/nginx-agent/nginx-agent.conf.default does not exist -#- name: Copy NGINX configurator Agent configuration template -# ansible.builtin.copy: -# remote_src: true -# src: /etc/nginx-agent/nginx-agent.conf.default -# dest: /etc/nginx-agent/nginx-agent.conf -# mode: "0644" - -#TODO - add in when NMS vars are present to both below tasks -- name: Copy NGINX Agent config fragment for NGINX Management Suite - ansible.builtin.template: - src: nginx-agent/nms-nginx-agent.conf.j2 - dest: /etc/nginx-agent/nms-nginx-agent-fragment.conf - mode: "0644" - -- name: Assemble NGINX Agent config fragment - ansible.builtin.assemble: - src: /etc/nginx-agent - dest: /etc/nginx-agent/nginx-agent.conf notify: (Handler) Start/reloaded NGINX Agent + +- name: Configure NGINX Agent with NGINX Management Suite + ansible.builtin.include_tasks: "{{ role_path }}/tasks/agent/config-nms.yml" + when: nms_server_host is defined \ No newline at end of file diff --git a/tasks/agent/setup-debian.yml b/tasks/agent/setup-debian.yml index 28c3b2e9d..2679663e8 100644 --- a/tasks/agent/setup-debian.yml +++ b/tasks/agent/setup-debian.yml 
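Review bot: `when: nms_server_host is defined` is always true once this role's defaults are loaded, because `defaults/main/agent.yml` sets `nms_server_host: null` and a null value still counts as defined in Jinja; the NMS block is therefore written into nginx-agent.conf on every agent install, with an empty or `None` host. Gate on the value instead: `when: nms_server_host is not none and nms_server_host | length > 0`. After this hunk the `notify: (Handler) Start/reloaded NGINX Agent` context line is attached to the `package` task, so the handler fires only when the package is first installed, not when the included config task changes the file. The repository include at the top of this file is outside the hunk.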
@@ -1,9 +1,7 @@ --- -#- name: (Debian/Ubuntu) Add NGINX Agent repository -# ansible.builtin.apt_repository: -# filename: nginx-agent -# repo: deb [arch=amd64 signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] https://pkgs.nginx.com/nginx-agent/{{ ansible_facts['distribution'] | lower }}/{{ ansible_facts['distribution_release'] | lower }} nginx-agent -# update_cache: true -# mode: "0644" - -# TODO conditional on arch and nginx_agent_repo for URL in repo \ No newline at end of file +- name: (Debian/Ubuntu) Add NGINX Agent repository + ansible.builtin.apt_repository: + filename: nginx-agent + repo: deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] https://{{ nginx_agent_repo }}/nginx-agent/{{ ansible_facts['distribution'] | lower }} {{ ansible_facts['distribution_release'] | lower}} agent + update_cache: true + mode: "0644" \ No newline at end of file diff --git a/templates/nginx-agent/nms-nginx-agent.conf.j2 b/templates/nginx-agent/nms-nginx-agent.conf.j2 deleted file mode 100644 index e7480ab33..000000000 --- a/templates/nginx-agent/nms-nginx-agent.conf.j2 +++ /dev/null @@ -1,26 +0,0 @@ -# specify the server grpc port to connect to -server: - # host of the control plane -{% if nms_server_host is defined %} - host: {{ nms_server_host }} -{% endif %} -{% if nms_server_port is defined %} - grpcPort: {{ nms_server_port }} -{% endif %} - - -# tls options -tls: - # enable tls in the nginx-agent setup for grpcs - # default to enable to connect with tls connection but without client cert for mtls -{% if nms_tls_enable is defined %} - enable: {{ nms_tls_enable }} -{% endif %} -{% if nms_tls_skip_verify is defined %} - skip_verify: {{ nms_tls_skip_verify }} -{% endif %} - # path to ca certificate file used for server cert validation - ca: "" - # path to cert and key files for mTLS - cert: "" - key: "" From c32158537d80dec633f78f220131bf168cd5f383 Mon Sep 17 00:00:00 2001 
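Review bot: The repo line pins `signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg`, but nothing in this series installs that keyring; if it is only provisioned by the role's NGINX Open Source/Plus tasks (not visible here), a play that sets just `nginx_agent_enable: true` will have `apt update` reject the repository as unsigned. Either fetch and dearmor the signing key into that path in this file before the `apt_repository` task, or add a comment stating the dependency, e.g. `# Relies on the NGINX signing key already placed at /usr/share/keyrings/nginx-archive-keyring.gpg by the NGINX install tasks`. Dropping the earlier `arch=amd64` restriction is fine only if the repository publishes every architecture the role may run on; otherwise non-published architectures will see 404s on every cache update. Minor: `| lower}}` is missing the space before `}}` that the rest of the line uses.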
From: Chris Adams Date: Mon, 19 Jun 2023 17:08:02 +0100 Subject: [PATCH 5/5] Address linter issues --- defaults/main/agent.yml | 2 +- tasks/agent/config-nms.yml | 2 +- tasks/agent/install-agent.yml | 2 +- tasks/agent/setup-debian.yml | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/defaults/main/agent.yml b/defaults/main/agent.yml index 111a2fd85..af4bc3b70 100644 --- a/defaults/main/agent.yml +++ b/defaults/main/agent.yml @@ -19,4 +19,4 @@ nms_tls_ca: "" # Path to cert and key files for mTLS nms_tls_cert: "" -nms_tls_key: "" \ No newline at end of file +nms_tls_key: "" diff --git a/tasks/agent/config-nms.yml b/tasks/agent/config-nms.yml index 8cf04955a..3dfe085c9 100644 --- a/tasks/agent/config-nms.yml +++ b/tasks/agent/config-nms.yml @@ -22,4 +22,4 @@ ca: {{ nms_tls_ca }} # path to cert and key files for mTLS cert: {{ nms_tls_cert }} - key: {{ nms_tls_key }} \ No newline at end of file + key: {{ nms_tls_key }} diff --git a/tasks/agent/install-agent.yml b/tasks/agent/install-agent.yml index 70d200baf..c1fdb9fc1 100644 --- a/tasks/agent/install-agent.yml +++ b/tasks/agent/install-agent.yml @@ -11,4 +11,4 @@ - name: Configure NGINX Agent with NGINX Management Suite ansible.builtin.include_tasks: "{{ role_path }}/tasks/agent/config-nms.yml" - when: nms_server_host is defined \ No newline at end of file + when: nms_server_host is defined diff --git a/tasks/agent/setup-debian.yml b/tasks/agent/setup-debian.yml index 2679663e8..7c5f687e8 100644 --- a/tasks/agent/setup-debian.yml +++ b/tasks/agent/setup-debian.yml @@ -4,4 +4,4 @@ filename: nginx-agent repo: deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] https://{{ nginx_agent_repo }}/nginx-agent/{{ ansible_facts['distribution'] | lower }} {{ ansible_facts['distribution_release'] | lower}} agent update_cache: true - mode: "0644" \ No newline at end of file + mode: "0644"