This repository houses the GitHub Actions workflows and Ansible playbooks that automate the deployment and teardown of the TraceIT infrastructure.

## Triggering a workflow

Triggering a GitHub Actions workflow is simple:

- Browse to the `Actions` page
- Click on the target workflow on the left
- Click on `Run workflow` on the right
- Fill in the required information
- Hit the green `Run workflow` button
- Wait for a new workflow run to appear in the list with the yellow status

Once the status of the workflow run turns green ✔️, the workflow ran successfully. If the status turns red ❌, one of the steps in the workflow has failed.
## Unsealing the Vault

The Vault becomes sealed when the Vault service is stopped, which normally happens when the machine shuts down or restarts. Therefore, when the machine is booted up again, the Vault must be unsealed before it can be used.

Steps:

- Run the `Unseal Vault` workflow, specifying which environment to run it in and the corresponding unseal key for that environment.
## Tearing down the TraceIT Infrastructure

Steps:

- Run the `Teardown from environment` workflow, specifying which environment to execute it in.
## Deploying the TraceIT Infrastructure

It is highly recommended to tear down the `TraceIT` infrastructure before attempting to deploy it, because the deployment workflow was designed to run on a clean environment (i.e. no files, configurations, installations or processes left over from a previous deployment that might affect the next one).

Steps:

- Perform *Unsealing the Vault* if the Vault is not already unsealed.
- Perform *Tearing down the TraceIT Infrastructure* if this is not the first deployment or it is unclear whether the environment is clean.
- Run the `Deploy to environment` workflow, specifying which environment to execute it in.
## Operator workstation

Any Ubuntu environment completely separate from the virtual machines in the `prod` and `dev` environments can serve as the operator workstation. The operator workstation is used to run the Ansible playbooks that are normally executed only once or that pertain to highly sensitive operations. Each environment should have its own separate operator workstation.

The operator workstation also houses the SSH keypair whose private key is the exact same as the one stored as `SSH_PRIVATE_KEY` in the GitHub Actions secrets of this repository. This also implies that the same SSH keypair is used in both the `prod` and `dev` environments.

Steps:

- Install `ansible` by running the `setup_ansible.sh` script:

  ```sh
  ./setup_ansible.sh
  ```

- If there is no existing SSH keypair yet, generate a new one:

  ```sh
  ssh-keygen -t ed25519 -f $HOME/.ssh/id_ed25519 -q -N ""
  ```

  If there is already an existing SSH keypair, ensure that it meets the following requirements:
  - Located in the `$HOME/.ssh` directory with the name `id_ed25519` and configured with the right permissions.
  - Has no passphrase configured on it.

- Add the contents of the private key to the GitHub Actions secrets as `SSH_PRIVATE_KEY`.
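The keypair requirements above can be checked on the operator workstation before the private key is copied into the repository secrets. The script below is an added example and is not part of this repository or its playbooks; it assumes the key lives at the documented path `$HOME/.ssh/id_ed25519`, treats mode `600` (or `400`) as the "right permissions", and proves the key loads without a passphrase by asking `ssh-keygen -y -P ""` for the public half (the same non-interactive load the workflow runner has to perform). The passphrase check is skipped with a warning when `ssh-keygen` is not installed.

```shell
#!/usr/bin/env bash
# check_operator_key.sh: verify the operator workstation's SSH keypair meets the
# requirements listed above. Added example, not part of the repository.

# check_key_file PATH
# Returns 0 when PATH is a regular file owned by the caller with mode 600 (or 400).
check_key_file() {
  key="$1"
  if [ ! -f "$key" ]; then
    echo "missing private key: $key" >&2
    return 1
  fi
  # GNU stat first, BSD/macOS stat as fallback
  mode=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key")
  case "$mode" in
    600|400) ;;
    *) echo "bad mode $mode on $key (expected 600)" >&2; return 1 ;;
  esac
  if [ ! -O "$key" ]; then
    echo "$key is not owned by the current user" >&2
    return 1
  fi
  return 0
}

# check_no_passphrase PATH
# Returns 0 when ssh-keygen can derive the public key with an empty passphrase,
# which is what the GitHub Actions runner must be able to do non-interactively.
check_no_passphrase() {
  key="$1"
  if ! command -v ssh-keygen >/dev/null 2>&1; then
    echo "ssh-keygen not installed; passphrase check skipped" >&2
    return 0
  fi
  if ssh-keygen -y -P "" -f "$key" >/dev/null 2>&1; then
    return 0
  fi
  echo "$key is passphrase-protected (or not a valid key); regenerate it with -N \"\"" >&2
  return 1
}

# check_operator_key [PATH]   (defaults to the documented location)
check_operator_key() {
  key="${1:-$HOME/.ssh/id_ed25519}"
  check_key_file "$key" && check_no_passphrase "$key"
}

# When executed directly (not sourced), exit non-zero if any requirement is unmet.
if [ "${0##*/}" = "check_operator_key.sh" ]; then
  check_operator_key "$@"
fi
```

Run it as `./check_operator_key.sh` (or `./check_operator_key.sh /path/to/key`) before adding the key to the secrets; a non-zero exit status with a message on stderr tells you which requirement failed.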
## Setting up the hosts

Ensure that all hosts have a user called `sadm` that has `sudo` rights to run any command as `root` and can be logged in to remotely via SSH.

Steps:

- Execute the `setup_hosts.yml` playbook:

  ```sh
  ANSIBLE_HOST_KEY_CHECKING=false ansible-playbook \
    -i hosts_prod.yml \
    -Kk \
    playbooks/setup_hosts.yml
  ```
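`ANSIBLE_HOST_KEY_CHECKING=false` turns off SSH host key verification for the bootstrap run, so an impersonated host would not be detected by that run. One way to keep verification enabled is to pin the hosts' keys into `known_hosts` first and then run the playbook without the variable. The script below is an added example, not part of this repository; the host names in the usage line are placeholders, and it assumes the fingerprints it prints are compared against an out-of-band record (hypervisor console, provisioning output) before the playbook is run.

```shell
#!/usr/bin/env bash
# pin_host_keys.sh: populate known_hosts for the managed hosts before the first
# ansible-playbook run, so host key checking can stay enabled.
# Added example, not part of the repository; host names are assumptions.

# merge_known_hosts KNOWN_HOSTS_FILE < keyscan-output
# Appends only lines not already present, so repeated runs are idempotent and
# an existing known_hosts file is never rewritten.
merge_known_hosts() {
  local target="$1" line
  touch "$target"
  chmod 600 "$target"
  while IFS= read -r line; do
    case "$line" in ''|'#'*) continue ;; esac   # skip blanks and keyscan comments
    grep -qxF -- "$line" "$target" || printf '%s\n' "$line" >> "$target"
  done
}

# pin_host_keys KNOWN_HOSTS_FILE HOST...
# Fetches the hosts' ed25519 keys and prints their fingerprints so they can be
# checked against a record obtained independently of the network.
pin_host_keys() {
  local target="$1"; shift
  ssh-keyscan -t ed25519 "$@" 2>/dev/null | merge_known_hosts "$target"
  ssh-keygen -lf "$target"
}

# Usage (placeholder host names):
#   pin_host_keys "$HOME/.ssh/known_hosts" vault.prod.example app.prod.example
#   ansible-playbook -i hosts_prod.yml -Kk playbooks/setup_hosts.yml
```

After the fingerprints have been confirmed, the `ANSIBLE_HOST_KEY_CHECKING=false` prefix can be dropped from the playbook invocation for that environment.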
## Deploying Vault

Ensure the previous instance of Vault (if any) has been uninstalled.

Steps:

1. Deploy Vault to the server:

   ```sh
   ansible-playbook \
     -i hosts_prod.yml \
     playbooks/deploy_vault.yml
   ```

2. Save the unseal key output by step 1 offline.

3. Save the initial root token to the GitHub Actions secrets as:
   - `VAULT_TOKEN_DEV` if you are deploying in the `dev` environment
   - `VAULT_TOKEN_PROD` if you are deploying in the `prod` environment

4. Set up the PKI and configure Vault:

   ```sh
   export UNSEAL_KEY=<UNSEAL KEY 1> VAULT_TOKEN=<INITIAL ROOT TOKEN>
   ansible-playbook \
     -i hosts_prod.yml \
     playbooks/configure_pki.yml && \
   ansible-playbook \
     -i hosts_prod.yml \
     playbooks/certify_vault.yml && \
   ansible-playbook \
     -i hosts_prod.yml \
     playbooks/mount_vault.yml
   ```

5. Save the PAT (Personal Access Token) of the GitHub user that has read-only access to the organization as `PAT`.