# Bastion+ / WebSocket / Multi Provision

Overview of a typical Bastion+ deployment in WebSocket mode with three provision zones, each with its own dedicated relayws zone.
## Prerequisites

Obtain the following Ansible roles:

- reemo-infra
- reemo-provision
- reemo-relayws

Have a license key.
## Architecture

## Flow matrix

| DESCRIPTION | TRANSPORT | SOURCE IP | SOURCE PORT | DESTINATION IP | DESTINATION PORT | SERVICES |
|---|---|---|---|---|---|---|
| INFRA -> PROVISION1 | TCP | 10.1.1.1 | 1024:65535 | 10.4.1.1 | 8443 | HTTPS |
| INFRA -> PROVISION2 | TCP | 10.1.1.1 | 1024:65535 | 10.7.1.1 | 8443 | HTTPS |
| INFRA -> PROVISION3 | TCP | 10.1.1.1 | 1024:65535 | 10.8.1.1 | 8443 | HTTPS |
| INFRA -> RELAY1 | TCP | 10.1.1.1 | 1024:65535 | 10.2.1.1 | 443,8443 | HTTPS |
| INFRA -> RELAY2 | TCP | 10.1.1.1 | 1024:65535 | 10.5.1.1 | 443,8443 | HTTPS |
| INFRA -> RELAY3 | TCP | 10.1.1.1 | 1024:65535 | 10.6.1.1 | 443,8443 | HTTPS |
| PROVISION1 -> INFRA | TCP | 10.4.1.0/24 | 1024:65535 | 10.1.1.1 | 8443 | HTTPS |
| PROVISION1 -> RELAY1 | TCP | 10.4.1.0/24 | 1024:65535 | 10.2.1.1 | 443 | HTTPS |
| PROVISION2 -> INFRA | TCP | 10.7.1.0/24 | 1024:65535 | 10.1.1.1 | 8443 | HTTPS |
| PROVISION2 -> RELAY2 | TCP | 10.7.1.0/24 | 1024:65535 | 10.5.1.1 | 443 | HTTPS |
| PROVISION3 -> INFRA | TCP | 10.8.1.0/24 | 1024:65535 | 10.1.1.1 | 8443 | HTTPS |
| PROVISION3 -> RELAY3 | TCP | 10.8.1.0/24 | 1024:65535 | 10.6.1.1 | 443 | HTTPS |
| USER -> RELAY1 | TCP | WAN | 1024:65535 | 10.2.1.1 | 443 | HTTPS |
| USER -> RELAY2 | TCP | WAN | 1024:65535 | 10.5.1.1 | 443 | HTTPS |
| USER -> RELAY3 | TCP | WAN | 1024:65535 | 10.6.1.1 | 443 | HTTPS |
| USER -> INFRA | TCP | WAN | 1024:65535 | 10.1.1.1 | 443 | HTTPS |
## Ansible inventory file

```yaml
all:
  vars:
    INIT_TYPE: "bastion"
    API_LICENSE: "ewogICAg ... Uw5NXhGVDF0NFU2TkxOdjQvZU53PT0iCiAgICC9Cn0="
    REGISTRY_URL: "registry.reemo.io"
    REGISTRY_ENV: "reemoinfra"
    REGISTRY_USERNAME: "< login >"
    REGISTRY_PASSWORD: "< mot de passe >"

infra_manager:
  vars:
    PORTAL_URL: "url.domain.tld"
    TRAEFIK_SSL_CERTS:
      - cert_file: "/localpath/to/cert_domain.tld.crt"
        key_file: "/localpath/to/key_domain.tld.key"
    PROVISION_SIGNAL_IP:
      - ip: "10.1.1.1"
    INIT_PROVISION:
      provision1:
        relayws: "relayws1"
        type: "SWARM"
        ip:
          - 10.4.1.1
      provision2:
        relayws: "relayws2"
        type: "SWARM"
        ip:
          - 10.7.1.1
      provision3:
        relayws: "relayws3"
        type: "SWARM"
        ip:
          - 10.8.1.1
    INIT_RELAYWS:
      relayws1:
        type: "WS_SWARM"
        url: "val8-relayws1.reemo.io"
        ip:
          - 10.2.1.1
      relayws2:
        type: "WS_SWARM"
        url: "val8-relayws2.reemo.io"
        ip:
          - 10.5.1.1
      relayws3:
        type: "WS_SWARM"
        url: "val8-relayws3.reemo.io"
        ip:
          - 10.6.1.1
  hosts:
    INFRA1:
      ansible_host: "10.1.1.1"

relayws_manager:
  vars:
    TRAEFIK_SSL_CERTS:
      - cert_file: "/localpath/to/relay.domain.tld.crt"
        key_file: "/localpath/to/relay_domain.tld.key"
  children:
    relayws1:
      hosts:
        relayws1_manager1:
          ansible_host: "10.2.1.1"
    relayws2:
      hosts:
        relayws2_manager1:
          ansible_host: "10.5.1.1"
    relayws3:
      hosts:
        relayws3_manager1:
          ansible_host: "10.6.1.1"
```
## Inventory files for the provision environments

One inventory file per provision zone (the install commands below reference them as `inv_provision1.yml`, `inv_provision2.yml` and `inv_provision3.yml`).

```yaml
# inv_provision1.yml
all:
  vars:
    PROVISION_REGISTRY_URL: "registry.reemo.io"
    PROVISION_REGISTRY_USERNAME: "< login >"
    PROVISION_REGISTRY_PASSWORD: "< mot de passe >"

provision:
  children:
    provision_manager:
      hosts:
        provision1_manager1:
          ansible_host: "10.4.1.1"
```

```yaml
# inv_provision2.yml
all:
  vars:
    PROVISION_REGISTRY_URL: "registry.reemo.io"
    PROVISION_REGISTRY_USERNAME: "< login >"
    PROVISION_REGISTRY_PASSWORD: "< mot de passe >"

provision:
  children:
    provision_manager:
      hosts:
        provision2_manager1:
          ansible_host: "10.7.1.1"
```

```yaml
# inv_provision3.yml
all:
  vars:
    PROVISION_REGISTRY_URL: "registry.reemo.io"
    PROVISION_REGISTRY_USERNAME: "< login >"
    PROVISION_REGISTRY_PASSWORD: "< mot de passe >"

provision:
  children:
    provision_manager:
      hosts:
        provision3_manager1:
          ansible_host: "10.8.1.1"
```
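The flow matrix and the inventory describe the same topology twice: `INIT_PROVISION` maps each provision zone to its relayws, and the matrix must open exactly the flows that mapping implies and nothing more. The following Python script is an added example, not part of the Reemo roles or of this page: it carries constructed copies of the inventory values and matrix rows shown above and derives the flows the topology needs from the provision-to-relayws mapping. The rule set inside `expected_flows()` (infra to every provision on 8443, infra to every relayws on 443 and 8443, each provision to infra on 8443 and to its own relayws only on 443, users to every relayws and to infra on 443) is an assumption read off the page's matrix. It reports both expected flows the matrix does not permit (the deployment would fail) and matrix rows no flow needs (candidates for removal), which is the check to rerun whenever a provision is re-pointed at a different relayws.

```python
"""Cross-check a Bastion+ flow matrix against the Ansible inventory.

Added example (not part of the Reemo roles). The inventory values and matrix
rows below are constructed copies of the page's sample deployment; the rule
set in expected_flows() is an assumption read off that matrix.
"""
from ipaddress import ip_address, ip_network

# Constructed copy of the relevant infra_manager vars from the main inventory.
INFRA_IP = "10.1.1.1"
INIT_PROVISION = {
    "provision1": {"relayws": "relayws1", "ip": ["10.4.1.1"]},
    "provision2": {"relayws": "relayws2", "ip": ["10.7.1.1"]},
    "provision3": {"relayws": "relayws3", "ip": ["10.8.1.1"]},
}
INIT_RELAYWS = {
    "relayws1": {"ip": ["10.2.1.1"]},
    "relayws2": {"ip": ["10.5.1.1"]},
    "relayws3": {"ip": ["10.6.1.1"]},
}

# Constructed copy of the flow matrix: (source, destination, allowed ports).
# A source is a host IP, a CIDR, or "WAN" for user traffic from the Internet.
FLOW_MATRIX = [
    ("10.1.1.1", "10.4.1.1", {8443}),
    ("10.1.1.1", "10.7.1.1", {8443}),
    ("10.1.1.1", "10.8.1.1", {8443}),
    ("10.1.1.1", "10.2.1.1", {443, 8443}),
    ("10.1.1.1", "10.5.1.1", {443, 8443}),
    ("10.1.1.1", "10.6.1.1", {443, 8443}),
    ("10.4.1.0/24", "10.1.1.1", {8443}),
    ("10.4.1.0/24", "10.2.1.1", {443}),
    ("10.7.1.0/24", "10.1.1.1", {8443}),
    ("10.7.1.0/24", "10.5.1.1", {443}),
    ("10.8.1.0/24", "10.1.1.1", {8443}),
    ("10.8.1.0/24", "10.6.1.1", {443}),
    ("WAN", "10.2.1.1", {443}),
    ("WAN", "10.5.1.1", {443}),
    ("WAN", "10.6.1.1", {443}),
    ("WAN", "10.1.1.1", {443}),
]


def source_matches(rule_src, src):
    """True when a flow source is covered by a matrix row's source field."""
    if rule_src == "WAN" or src == "WAN":
        return rule_src == src
    return ip_address(src) in ip_network(rule_src, strict=False)


def flow_allowed(matrix, src, dst, port):
    """True when at least one matrix row permits src -> dst on port."""
    return any(
        source_matches(r_src, src) and r_dst == dst and port in r_ports
        for r_src, r_dst, r_ports in matrix
    )


def expected_flows(infra_ip, provisions, relays):
    """Flows the topology needs, derived from the inventory mapping.

    Assumed rule set (read off the page's matrix): infra reaches every
    provision on 8443 and every relayws on 443 and 8443; each provision
    reaches infra on 8443 and only its own relayws on 443; users reach
    every relayws and infra on 443.
    """
    flows = set()
    for prov in provisions.values():
        relay = relays[prov["relayws"]]
        for pip in prov["ip"]:
            flows.add((infra_ip, pip, 8443))
            flows.add((pip, infra_ip, 8443))
            for rip in relay["ip"]:
                flows.add((pip, rip, 443))
    for relay in relays.values():
        for rip in relay["ip"]:
            flows.add((infra_ip, rip, 443))
            flows.add((infra_ip, rip, 8443))
            flows.add(("WAN", rip, 443))
    flows.add(("WAN", infra_ip, 443))
    return flows


def missing_flows(matrix, infra_ip, provisions, relays):
    """Expected flows that no matrix row permits (deployment would break)."""
    return sorted(
        f for f in expected_flows(infra_ip, provisions, relays)
        if not flow_allowed(matrix, *f)
    )


def unused_rules(matrix, infra_ip, provisions, relays):
    """Matrix rows that no expected flow needs (candidates for tightening)."""
    needed = expected_flows(infra_ip, provisions, relays)
    return [
        (r_src, r_dst, sorted(r_ports))
        for r_src, r_dst, r_ports in matrix
        if not any(
            source_matches(r_src, s) and r_dst == d and p in r_ports
            for s, d, p in needed
        )
    ]


if __name__ == "__main__":
    print("missing:", missing_flows(FLOW_MATRIX, INFRA_IP, INIT_PROVISION, INIT_RELAYWS))
    print("unused:", unused_rules(FLOW_MATRIX, INFRA_IP, INIT_PROVISION, INIT_RELAYWS))
```

With the page's values both lists come back empty. Re-pointing `provision2` at `relayws3` in `INIT_PROVISION` without touching the matrix makes the script report the flow `10.7.1.1 -> 10.6.1.1:443` as missing and the row `10.7.1.0/24 -> 10.5.1.1:443` as no longer needed, which is exactly the pair of firewall changes the re-mapping requires.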
## Playbook files

reemo-infra.yml

```yaml
- name: Reemo Infra
  hosts: infra_manager
  gather_facts: yes
  roles:
    - role: reemo-infra
      become: yes
```

reemo-provision.yml

```yaml
- name: Reemo Provision
  hosts: provision,provision_manager
  gather_facts: yes
  roles:
    - role: reemo-provision
      become: yes
```

reemo-relayws.yml

```yaml
- name: Reemo Relayws
  hosts: relayws_manager
  gather_facts: yes
  roles:
    - role: reemo-relayws
      become: yes
```
## Installation commands

Run the infra playbook first, then each provision environment with its own inventory, then each relayws zone with `--limit`:

```shell
ansible-playbook -i inventory.yml playbooks/reemo-infra.yml --extra-vars "INIT_DB=true" --extra-vars "INSTALL_DOCKER=true"
ansible-playbook -i inv_provision1.yml playbooks/reemo-provision.yml --extra-vars "PROVISION_INSTALL_DOCKER=true"
ansible-playbook -i inv_provision2.yml playbooks/reemo-provision.yml --extra-vars "PROVISION_INSTALL_DOCKER=true"
ansible-playbook -i inv_provision3.yml playbooks/reemo-provision.yml --extra-vars "PROVISION_INSTALL_DOCKER=true"
ansible-playbook -i inventory.yml playbooks/reemo-relayws.yml --extra-vars "RELAYWS_INSTALL_DOCKER=true" --limit relayws1
ansible-playbook -i inventory.yml playbooks/reemo-relayws.yml --extra-vars "RELAYWS_INSTALL_DOCKER=true" --limit relayws2
ansible-playbook -i inventory.yml playbooks/reemo-relayws.yml --extra-vars "RELAYWS_INSTALL_DOCKER=true" --limit relayws3
```