Vagrant-based testing environment #111

Merged
valberg merged 15 commits from vagrant into main 2022-11-25 13:07:10 +00:00
Owner

The purpose of this PR is to provide a way to test our setup locally, since we don't have a staging server (yet).

I have fixed the existing Vagrantfile to work with our Ansible setup, and then I have refactored the Ansible setup a bit to work with Vagrant. I have also fixed a couple errors preventing deployment in general. The fixes include:

  • Moving postfix up in the services-list so that the postfix Docker network exist when the other services need it
  • Removing config_path from the docker_login task, so that when deployed in Vagrant, it can connect to the remote registry running on the production server
  • Adding tasks to change the port sshd is listening on if not already configured
  • Only installing Dell OpenManage when not running in a VM

The only thing I would like some input on is, that when trying to deploy Mailu, it fails to link the TLS certificate files from nginx-proxy, since they don't exists due to missing DNS records to the Vagrant VM (of course). How should we handle that? One way would be to add ignore_errors: true to said tasks, but that would cause ignored errors in production as well, which is undesirable. Or maybe we could skip the aforementioned tasks only if it's running in a VM, the same way I have done it with Dell OpenManage. Other suggestions are welcomed.

The purpose of this PR is to provide a way to test our setup locally, since we don't have a staging server (yet). I have fixed the existing Vagrantfile to work with our Ansible setup, and then I have refactored the Ansible setup a bit to work with Vagrant. I have also fixed a couple errors preventing deployment in general. The fixes include: - Moving postfix up in the services-list so that the `postfix` Docker network exist when the other services need it - Removing `config_path` from the `docker_login` task, so that when deployed in Vagrant, it can connect to the remote registry running on the production server - Adding tasks to change the port sshd is listening on if not already configured - Only installing Dell OpenManage when not running in a VM The only thing I would like some input on is, that when trying to deploy Mailu, it fails to link the TLS certificate files from nginx-proxy, since they don't exists due to missing DNS records to the Vagrant VM (of course). How should we handle that? One way would be to add `ignore_errors: true` to said tasks, but that would cause ignored errors in production as well, which is undesirable. Or maybe we could skip the aforementioned tasks only if it's running in a VM, the same way I have done it with Dell OpenManage. Other suggestions are welcomed.
samsapti added 8 commits 2022-11-14 20:59:48 +00:00
Added logic to change the sshd port if not already configured,
configued Vagrantfile to work properly and fixed a couple of deploy
errors.
Only install Dell OpenManage if not running in a VM, and fix SSH port
logic.
It doesn't work when deploying in Vagrant :(
samsapti changed title from Vagrant-based testing environment to WIP: Vagrant-based testing environment 2022-11-15 19:58:13 +00:00
Author
Owner

@valberg suggested using vagrant-dns with a custom base_domain (e.g. datacoop.devel) for accessing services from Vagrant. We still need to figure out the TLS problem though.

TODO: Allocate time to look into it.

UPDATE: Unfortunately it only works on macOS :(

@valberg suggested using [vagrant-dns](https://github.com/BerlinVagrant/vagrant-dns) with a custom `base_domain` (e.g. `datacoop.devel`) for accessing services from Vagrant. We still need to figure out the TLS problem though. TODO: Allocate time to look into it. UPDATE: Unfortunately it only works on macOS :(
Owner

Regarding the certificate issue I think we should do the following:

  • Have a tag called ssl_certs_enabled which defaults to ansible_virtualization_role != guest (this probably means that we can move virtualization.yml into playbook.yml because it becomes a core task that always should run)
  • Put the nginx letsencrypt container task in `nginx-proxy.yml behind that tag
  • Put the hard link to Let's Encrypt TLS (certificate|key) in mailu.yml behind that tag

We might have other places where ssl can be switched on/off, we can find and fix these as we go along.

Regarding the certificate issue I think we should do the following: - Have a tag called `ssl_certs_enabled` which defaults to `ansible_virtualization_role != guest` (this probably means that we can move `virtualization.yml` into `playbook.yml` because it becomes a core task that always should run) - Put the `nginx letsencrypt container` task in `nginx-proxy.yml behind that tag - Put the `hard link to Let's Encrypt TLS (certificate|key)` in `mailu.yml` behind that tag We might have other places where ssl can be switched on/off, we can find and fix these as we go along.
Owner

We should consider adding some documentation on how to use the vagrant setup - in fact we need a README.md for the whole repo. This is as good a time as any to add that.

We should consider adding some documentation on how to use the vagrant setup - in fact we need a README.md for the whole repo. This is as good a time as any to add that.
valberg added 1 commit 2022-11-15 22:06:40 +00:00
valberg force-pushed vagrant from 5d0c913c2a to 253a21432e 2022-11-15 22:06:54 +00:00 Compare
Owner

@samsapti I just implemented my idea of how to do the SSL part. I then realized that the variable is more a letsencrypt_enabled and we could do some "self signed certs" if that variable is set to True. But it feels like quite the effort.

@samsapti I just implemented my idea of how to do the SSL part. I then realized that the variable is more a `letsencrypt_enabled` and we could do some "self signed certs" if that variable is set to True. But it feels like quite the effort.
Author
Owner

this probably means that we can move virtualization.yml into playbook.yml because it becomes a core task that always should run

No, we can't do that, because the SSH port needs to be configured before it can run. When running in Vagrant, ansible_port is set to 2222 regardless of what the inventory file says.

> this probably means that we can move virtualization.yml into playbook.yml because it becomes a core task that always should run No, we can't do that, because the SSH port needs to be configured before it can run. When running in Vagrant, `ansible_port` is set to 2222 regardless of what the inventory file says.
Owner

this probably means that we can move virtualization.yml into playbook.yml because it becomes a core task that always should run

No, we can't do that, because the SSH port needs to be configured before it can run. When running in Vagrant, ansible_port is set to 2222 regardless of what the inventory file says.

I have moved it already. I think we should just not do the SSH port stuff if vagrant == true

> > this probably means that we can move virtualization.yml into playbook.yml because it becomes a core task that always should run > > No, we can't do that, because the SSH port needs to be configured before it can run. When running in Vagrant, `ansible_port` is set to 2222 regardless of what the inventory file says. I have moved it already. I think we should just not do the SSH port stuff if `vagrant == true`
Author
Owner

@samsapti I just implemented my idea of how to do the SSL part. I then realized that the variable is more a letsencrypt_enabled and we could do some "self signed certs" if that variable is set to True. But it feels like quite the effort.

I think you mean if it's set to False, but I get your point. Could we perhaps drop TLS entirely when running in Vagrant? I can't really see why we would need it.

> @samsapti I just implemented my idea of how to do the SSL part. I then realized that the variable is more a `letsencrypt_enabled` and we could do some "self signed certs" if that variable is set to True. But it feels like quite the effort. I think you mean if it's set to False, but I get your point. Could we perhaps drop TLS entirely when running in Vagrant? I can't really see why we would need it.
Owner

@samsapti I just implemented my idea of how to do the SSL part. I then realized that the variable is more a letsencrypt_enabled and we could do some "self signed certs" if that variable is set to True. But it feels like quite the effort.

I think you mean if it's set to False, but I get your point. Could we perhaps drop TLS entirely when running in Vagrant? I can't really see why we would need it.

Ah yes of course 😊 well I mostly agree, but being able to run the whole infrastructure with self signed certs could make sense - somehow. But let's not spend time on that now.

> > @samsapti I just implemented my idea of how to do the SSL part. I then realized that the variable is more a `letsencrypt_enabled` and we could do some "self signed certs" if that variable is set to True. But it feels like quite the effort. > > I think you mean if it's set to False, but I get your point. Could we perhaps drop TLS entirely when running in Vagrant? I can't really see why we would need it. Ah yes of course 😊 well I mostly agree, but being able to run the whole infrastructure with self signed certs could make sense - somehow. But let's not spend time on that now.
Author
Owner

I think we should just not do the SSH port stuff if vagrant == true

We still need to change the port, because Gitea needs port 22. The Vagrant VM's internal SSH port is default 22, it's only the forwarded port to the host that's 2222. Also, the point of running in Vagrant is to be able to test as much of the infrastructure as possible, so I disagree here.

> I think we should just not do the SSH port stuff if vagrant == true We still need to change the port, because Gitea needs port 22. The Vagrant VM's internal SSH port is default 22, it's only the forwarded port to the host that's 2222. Also, the point of running in Vagrant is to be able to test as much of the infrastructure as possible, so I disagree here.
samsapti added 1 commit 2022-11-16 19:36:30 +00:00
- Added a separate role that first configures SSH, and after that
  gathers the ansible_virtualization_role fact, due to gathering facts
  requiring an SSH connection
- Renamed ssl_certs_enabled to letsencrypt_enabled and moved that
  and the vagrant variable to the be supplied directly to the last two
  roles in playbook.yml
- Added tags base_only and setup_services to the new role
  ssh_and_vagrant so that it will always be run before anything else
  when using deploy.sh
Author
Owner

I've implemented a different approach. According to Vagrant, this works as it should.

I've implemented a different approach. According to Vagrant, this works as it should.
Author
Owner

We should consider adding some documentation on how to use the vagrant setup - in fact we need a README.md for the whole repo. This is as good a time as any to add that.

Just referencing #59 here.

> We should consider adding some documentation on how to use the vagrant setup - in fact we need a README.md for the whole repo. This is as good a time as any to add that. Just referencing #59 here.
valberg added 1 commit 2022-11-17 07:54:33 +00:00
Author
Owner

@valberg, looks good! I haven't tested it yet though.

@valberg, looks good! I haven't tested it yet though.
samsapti added 1 commit 2022-11-17 21:16:05 +00:00
Now that the Vagrantfile supplies SSH port information to Ansible, we no
longer need to figure it out in Ansible. Also, since gather_facts (which
requires an SSH connection) is set to true in playbook.yml, one needs to
supply --extra-vars "ansible_port=22" on the commandline when
provisioning for the first time on real hardware, because the port is
hardcoded in the inventory file.
samsapti added 1 commit 2022-11-17 21:17:58 +00:00
samsapti added 1 commit 2022-11-18 19:53:34 +00:00
samsapti force-pushed vagrant from c802e53858 to d48e684647 2022-11-18 19:55:42 +00:00 Compare
samsapti added 1 commit 2022-11-18 22:35:34 +00:00
- Always use the new port if the VM is already provisioned
- We're not using a multi-VM setup, so no need to define VM "datacoop"
- Increase minimum required Vagrant version
- Add static IP for hopefully implementing some sort of DNS in the
  future
- Hardcode registry domain to use the real registry in Vagrant
samsapti added 1 commit 2022-11-22 21:11:01 +00:00
samsapti changed title from WIP: Vagrant-based testing environment to Vagrant-based testing environment 2022-11-24 07:54:52 +00:00
Author
Owner

I think this is ready to be merged.

I think this is ready to be merged.
valberg approved these changes 2022-11-25 13:06:50 +00:00
valberg merged commit 5a63e8e1a8 into main 2022-11-25 13:07:10 +00:00
samsapti deleted branch vagrant 2022-11-25 20:33:30 +00:00
Sign in to join this conversation.
No description provided.