Bastion+ / WebSocket / Multi Provision / Portal / API
Walkthrough of a typical Bastion+ deployment in WebSocket mode with three provision zones, each with its own dedicated relayws zone, a DMZ hosting the portal, and an API cluster backed by NDBCluster.
Prerequisites
Fetch the following Ansible roles:
reemo-infra
reemo-provision
reemo-relayws
Have a license key.
Architecture

Flow matrix

| DESCRIPTION | TRANSPORT | SOURCE IP | SOURCE PORT | DESTINATION IP | DESTINATION PORT | SERVICES |
|---|---|---|---|---|---|---|
| PORTAL -> API | TCP | 10.1.1.1 | 1024:65535 | 10.9.1.1,10.9.1.2,10.9.1.3 | 443 | HTTPS |
| API -> PROVISION1 | TCP | 10.9.1.1,10.9.1.2,10.9.1.3 | 1024:65535 | 10.4.1.1 | 8443 | HTTPS |
| API -> PROVISION2 | TCP | 10.9.1.1,10.9.1.2,10.9.1.3 | 1024:65535 | 10.7.1.1 | 8443 | HTTPS |
| API -> PROVISION3 | TCP | 10.9.1.1,10.9.1.2,10.9.1.3 | 1024:65535 | 10.8.1.1 | 8443 | HTTPS |
| API -> RELAY1 | TCP | 10.9.1.1,10.9.1.2,10.9.1.3 | 1024:65535 | 10.2.1.1 | 443,8443 | HTTPS |
| API -> RELAY2 | TCP | 10.9.1.1,10.9.1.2,10.9.1.3 | 1024:65535 | 10.5.1.1 | 443,8443 | HTTPS |
| API -> RELAY3 | TCP | 10.9.1.1,10.9.1.2,10.9.1.3 | 1024:65535 | 10.6.1.1 | 443,8443 | HTTPS |
| PROVISION1 -> PORTAL | TCP | 10.4.1.0/24 | 1024:65535 | 10.1.1.1 | 8443 | HTTPS |
| PROVISION1 -> RELAY1 | TCP | 10.4.1.0/24 | 1024:65535 | 10.2.1.1 | 443 | HTTPS |
| PROVISION2 -> PORTAL | TCP | 10.7.1.0/24 | 1024:65535 | 10.1.1.1 | 8443 | HTTPS |
| PROVISION2 -> RELAY2 | TCP | 10.7.1.0/24 | 1024:65535 | 10.5.1.1 | 443 | HTTPS |
| PROVISION3 -> PORTAL | TCP | 10.8.1.0/24 | 1024:65535 | 10.1.1.1 | 8443 | HTTPS |
| PROVISION3 -> RELAY3 | TCP | 10.8.1.0/24 | 1024:65535 | 10.6.1.1 | 443 | HTTPS |
| USER -> RELAY1 | TCP | WAN | 1024:65535 | 10.2.1.1 | 443 | HTTPS |
| USER -> RELAY2 | TCP | WAN | 1024:65535 | 10.5.1.1 | 443 | HTTPS |
| USER -> RELAY3 | TCP | WAN | 1024:65535 | 10.6.1.1 | 443 | HTTPS |
| USER -> PORTAL | TCP | WAN | 1024:65535 | 10.1.1.1 | 443 | HTTPS |
Ansible inventory file (inventory.yml)

```yaml
all:
  vars:
    INIT_TYPE: "bastion"
    API_LICENSE: "ewogICAg ... Uw5NXhGVDF0NFU2TkxOdjQvZU53PT0iCiAgICC9Cn0="
    REGISTRY_URL: "registry.reemo.io"
    REGISTRY_ENV: "reemoinfra"
    REGISTRY_USERNAME: "< login >"
    REGISTRY_PASSWORD: "< mot de passe >"          # registry password placeholder
    HMACSECRET: "< HMAC entre API et PORTAL >"     # shared HMAC secret between API and PORTAL
    # The three values above are secrets: keep them out of the plain-text inventory
    # (for example in an ansible-vault encrypted vars file) rather than committing them.

# DMZ: the user-facing portal
portal_manager:
  children:
    portaluser_manager:
      vars:
        PORTAL_URL: "url.domain.tld"
        TRAEFIK_SSL_CERTS:
          - cert_file: "/localpath/to/cert_domain.tld.crt"
            key_file: "/localpath/to/key_domain.tld.key"
        # API cluster nodes the portal talks to (flow PORTAL -> API, port 443)
        API_IP:
          - ip: "10.9.1.1"
          - ip: "10.9.1.2"
          - ip: "10.9.1.3"
      hosts:
        portaluser1:
          ansible_host: "10.1.1.1"

# API cluster with an NDBCluster database spread over the three API nodes
api_manager:
  vars:
    DB_DIALECT: "NDBCLUSTER"
    MYSQL_NODE_HOSTNAME_DB1: "< hostname api1 >"
    MYSQL_NODE_HOSTNAME_DB2: "< hostname api2 >"
    MYSQL_NODE_HOSTNAME_DB3: "< hostname api3 >"
    PROVISION_SIGNAL_IP:
      - ip: "10.1.1.1"
    # Each provision zone is bound to its own dedicated relayws zone
    INIT_PROVISION:
      provision1:
        relayws: "relayws1"
        type: "SWARM"
        ip:
          - 10.4.1.1
      provision2:
        relayws: "relayws2"
        type: "SWARM"
        ip:
          - 10.7.1.1
      provision3:
        relayws: "relayws3"
        type: "SWARM"
        ip:
          - 10.8.1.1
    INIT_RELAYWS:
      relayws1:
        type: "WS_SWARM"
        url: "val8-relayws1.reemo.io"
        ip:
          - 10.2.1.1
      relayws2:
        type: "WS_SWARM"
        url: "val8-relayws2.reemo.io"
        ip:
          - 10.5.1.1
      relayws3:
        type: "WS_SWARM"
        url: "val8-relayws3.reemo.io"
        ip:
          - 10.6.1.1
  hosts:
    api1:
      ansible_host: "10.9.1.1"
    api2:
      ansible_host: "10.9.1.2"
    api3:
      ansible_host: "10.9.1.3"

# WebSocket relays, one group per zone so each can be deployed with --limit
relayws_manager:
  vars:
    TRAEFIK_SSL_CERTS:
      - cert_file: "/localpath/to/relay.domain.tld.crt"
        key_file: "/localpath/to/relay_domain.tld.key"
  children:
    relayws1:
      hosts:
        relayws1_manager1:
          ansible_host: "10.2.1.1"
    relayws2:
      hosts:
        relayws2_manager1:
          ansible_host: "10.5.1.1"
    relayws3:
      hosts:
        relayws3_manager1:
          ansible_host: "10.6.1.1"
```
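The flow matrix above is what the firewall team needs, and the inventory is what actually gets deployed; the two drift easily when a zone is added or a provision is re-pointed to another relay. The following added example (not part of the Reemo roles or this page's files) derives the expected flows from the inventory's addressing and reports any flow the documented matrix lacks. It assumes each provision zone is the /24 around its manager IP, as the matrix does (10.4.1.1 -> 10.4.1.0/24).

```python
from ipaddress import ip_network

# Constructed from the inventory on this page: only the addressing fields are kept.
INVENTORY = {
    "portal": "10.1.1.1",
    "api": ["10.9.1.1", "10.9.1.2", "10.9.1.3"],
    "provision": {
        "provision1": {"relayws": "relayws1", "ip": "10.4.1.1"},
        "provision2": {"relayws": "relayws2", "ip": "10.7.1.1"},
        "provision3": {"relayws": "relayws3", "ip": "10.8.1.1"},
    },
    "relayws": {"relayws1": "10.2.1.1", "relayws2": "10.5.1.1", "relayws3": "10.6.1.1"},
}


def expected_flows(inv):
    """Return {(description, source, destination, dest_ports)} for the Bastion+ layout.

    Encodes the page's flow model: PORTAL -> API on 443; API -> each provision on
    8443 and -> each relay on 443,8443; each provision zone (assumed to be the /24
    around its manager, since the Swarm nodes share that subnet) -> PORTAL on 8443
    and -> its own dedicated relay on 443; users (WAN) reach relays and portal on 443.
    """
    api = ",".join(inv["api"])
    flows = {("PORTAL -> API", inv["portal"], api, "443")}
    for name, prov in inv["provision"].items():
        tag = name.upper()                                             # PROVISION1
        relay_tag = "RELAY" + prov["relayws"].removeprefix("relayws")  # RELAY1
        relay_ip = inv["relayws"][prov["relayws"]]
        zone = str(ip_network(prov["ip"] + "/24", strict=False))       # 10.4.1.0/24
        flows.add((f"API -> {tag}", api, prov["ip"], "8443"))
        flows.add((f"API -> {relay_tag}", api, relay_ip, "443,8443"))
        flows.add((f"{tag} -> PORTAL", zone, inv["portal"], "8443"))
        flows.add((f"{tag} -> {relay_tag}", zone, relay_ip, "443"))
        flows.add((f"USER -> {relay_tag}", "WAN", relay_ip, "443"))
    flows.add(("USER -> PORTAL", "WAN", inv["portal"], "443"))
    return flows


def undocumented_flows(inv, documented):
    """Flows the inventory implies but the documented matrix lacks (the review finding)."""
    return expected_flows(inv) - set(documented)


if __name__ == "__main__":
    for row in sorted(expected_flows(INVENTORY)):
        print(" | ".join(row))
```

Feed `undocumented_flows` the rows of the matrix above (as tuples) to get an empty set for the documented layout; re-pointing `provision2` to `relayws3` in the inventory yields a `PROVISION2 -> RELAY3` flow that the matrix does not allow.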
Inventory files for the provision environments (one file per zone, used with `-i` below)

inv_provision1.yml

```yaml
all:
  vars:
    PROVISION_REGISTRY_URL: "registry.reemo.io"
    PROVISION_REGISTRY_USERNAME: "< login >"
    PROVISION_REGISTRY_PASSWORD: "< mot de passe >"   # registry password placeholder
provision:
  children:
    provision_manager:
      hosts:
        provision1_manager1:
          ansible_host: "10.4.1.1"
```

inv_provision2.yml

```yaml
all:
  vars:
    PROVISION_REGISTRY_URL: "registry.reemo.io"
    PROVISION_REGISTRY_USERNAME: "< login >"
    PROVISION_REGISTRY_PASSWORD: "< mot de passe >"   # registry password placeholder
provision:
  children:
    provision_manager:
      hosts:
        provision2_manager1:
          ansible_host: "10.7.1.1"
```

inv_provision3.yml

```yaml
all:
  vars:
    PROVISION_REGISTRY_URL: "registry.reemo.io"
    PROVISION_REGISTRY_USERNAME: "< login >"
    PROVISION_REGISTRY_PASSWORD: "< mot de passe >"   # registry password placeholder
provision:
  children:
    provision_manager:
      hosts:
        provision3_manager1:
          ansible_host: "10.8.1.1"
```
Playbook files

reemo-infra.yml

```yaml
- name: Reemo Infra
  hosts: portal_manager,api_manager
  gather_facts: yes
  roles:
    - role: reemo-infra
      become: yes
```

reemo-provision.yml

```yaml
- name: Reemo Provision
  hosts: provision,provision_manager
  gather_facts: yes
  roles:
    - role: reemo-provision
      become: yes
```

reemo-relayws.yml

```yaml
- name: Reemo Relayws
  hosts: relayws_manager
  gather_facts: yes
  roles:
    - role: reemo-relayws
      become: yes
```
Installation commands

Run them in this order: the API cluster first (with database initialisation), then the portal, then each provision zone with its own inventory, and finally each relayws zone with `--limit`.

```shell
# API cluster: initialise the NDBCluster database and install Docker
ansible-playbook -i inventory.yml playbooks/reemo-infra.yml --limit api_manager --extra-vars "INIT_DB=true" --extra-vars "INSTALL_DOCKER=true"
# Portal in the DMZ
ansible-playbook -i inventory.yml playbooks/reemo-infra.yml --limit portaluser_manager --extra-vars "INSTALL_DOCKER=true"
# Provision zones, one inventory file each
ansible-playbook -i inv_provision1.yml playbooks/reemo-provision.yml --extra-vars "PROVISION_INSTALL_DOCKER=true"
ansible-playbook -i inv_provision2.yml playbooks/reemo-provision.yml --extra-vars "PROVISION_INSTALL_DOCKER=true"
ansible-playbook -i inv_provision3.yml playbooks/reemo-provision.yml --extra-vars "PROVISION_INSTALL_DOCKER=true"
# WebSocket relays, one group per zone
ansible-playbook -i inventory.yml playbooks/reemo-relayws.yml --extra-vars "RELAYWS_INSTALL_DOCKER=true" --limit relayws1
ansible-playbook -i inventory.yml playbooks/reemo-relayws.yml --extra-vars "RELAYWS_INSTALL_DOCKER=true" --limit relayws2
ansible-playbook -i inventory.yml playbooks/reemo-relayws.yml --extra-vars "RELAYWS_INSTALL_DOCKER=true" --limit relayws3
```