
Primary language: Shell. License: GNU General Public License v3.0 (GPL-3.0).

ansible-uber-demo

A comprehensive demonstration of an Ansible-based solution to quickly build and deploy an application in a public cloud using F5 and NGINX technology.

Featuring

Dependencies

Prerequisites

  • This demo assumes an environment built using http://github.com/el-coder/terraform-azure-bigip. Connect to the jumphost using the information and credentials provided by that environment build.

  • The jumphost must be able to connect to your specified BIG-IP. Run the following from within the jumphost to validate configuration and connectivity.

inspec exec demo-setup --input bigip_host=[hostname of bigip] bigip_mgmt_port=[mgmt port of bigip]

  • Both the BIG-IP and the Ubuntu server require outbound connectivity to github.com and npmjs.com.

  • Make sure to update lets-encrypt-as3.yml in the /ansible/roles/big-ip/tasks/ directory with your domain name.
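As an added preflight check (example code written for this page, not part of the project; it complements, not replaces, the inspec profile above), the following Python script confirms from the jumphost that the BIG-IP management port answers and that the outbound endpoints named in the prerequisites (github.com and npmjs.com) accept a TCP connection. Port 443 for the outbound endpoints and the placeholder BIG-IP address 192.0.2.10 are assumptions.

```python
import socket
import sys

# Outbound endpoints from the README prerequisites; port 443 is an assumption.
OUTBOUND_ENDPOINTS = (("github.com", 443), ("npmjs.com", 443))


def tcp_reachable(host, port, timeout=3.0):
    """Return True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, int(port)), timeout=timeout):
            return True
    except (OSError, socket.timeout):
        return False


def preflight(bigip_host, bigip_mgmt_port=443, outbound=OUTBOUND_ENDPOINTS, timeout=3.0):
    """Check jumphost -> BIG-IP management reachability plus the outbound endpoints.

    Returns {"host:port": True/False} so a caller can assert on the result.
    """
    checks = [(bigip_host, int(bigip_mgmt_port))] + list(outbound)
    return {f"{host}:{port}": tcp_reachable(host, port, timeout) for host, port in checks}


def failed_checks(results):
    """Sorted names of the checks that did not succeed."""
    return sorted(name for name, ok in results.items() if not ok)


def open_loopback_listener():
    """Listening socket on a free loopback port; lets the checks be exercised offline."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv


if __name__ == "__main__":
    # Usage: python3 preflight.py <bigip host> [mgmt port]; defaults are placeholders.
    host = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"
    port = sys.argv[2] if len(sys.argv) > 2 else 443
    results = preflight(host, port)
    for name, ok in results.items():
        print(f"{'OK  ' if ok else 'FAIL'} {name}")
    sys.exit(1 if failed_checks(results) else 0)
```

A non-zero exit status means at least one endpoint is unreachable; fix the security group or firewall rule before running the playbook, since the BIG-IP package downloads and the Ubuntu dependency install both need those outbound paths.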

Usage

  • Before connecting to your jumphost, place the private key on the jumphost with the following command (the local key file is the source and the jumphost path is the destination):
scp -i <path to privatekeyfile> <path to privatekeyfile> ubuntu@<ubuntuserver>:~/privatekeyfile
  • SSH into your jumphost with the following command:
ssh -i <path to privatekeyfile> ubuntu@<ubuntuserver>
  • Prepare the jumphost to run the Ansible playbook with the following commands:
git clone https://github.com/el-coder/lets-encrypt-ansible-uber-demo.git
cp ~/inventory.yml ~/lets-encrypt-ansible-uber-demo/ansible/inventory.yml
cd lets-encrypt-ansible-uber-demo
./install-ubuntu-dependencies.sh # This will install the Linux dependencies required to run Docker and Ansible.
  • Run the Ansible playbook with the following command:
./deploy.sh
  • If you would like to generate traffic to the Juice Shop site, use the following command from the jumphost. The first argument is the destination Virtual Server configured for Juice Shop. The second argument is the number of times the traffic generation script should run.
./run-load.sh http://10.1.10.20 10
  • Run the Ansible playbook with the following command to request a Let's Encrypt certificate:
./letsencrypt.sh
  • Be mindful of the Let's Encrypt rate limits:
https://letsencrypt.org/docs/rate-limits/

Pinning to specific BIG-IP Package Versions

The F5 Automation Toolchain packages used in this project are Application Services 3, Declarative Onboarding and Telemetry Streaming. The default variables in the Ansible playbook are configured to use specific tagged releases for each of these packages. The default values can be seen here. You can also specify that you would like Ansible to fetch the latest release, regardless of the tag, using the <package name>_use_latest variable for each package.

Playbook Flow

The following is a high-level flow of the steps taken when preparing for and executing this playbook. (* denotes steps that are not currently implemented for you):

  1. Git pull Ansible workbooks *
  2. Build Ubuntu host *
  3. Install Ubuntu dependencies
  4. Build BIG-IPs
    1. Install Declarative Onboarding (DO)
    2. Install Application Services 3 (AS3)
    3. Install Telemetry Streaming (TS)
  5. Build containers
    1. Grafana
      1. API call to install GeoLocation map plugin
      2. API call to add datasources
      3. API call to import JSON dashboard
    2. Graphite & StatsD
    3. ElasticSearch
      1. API call to build the index
      2. API call to set the query size and fieldsize
      3. API call to set field settings
  6. Configure AS3 TS common log entities
  7. Configure AS3 Juice Shop VS
  8. Send TS Declaration to BIG-IP
  9. Initial Environment
    1. Show working Juice Shop web site with invalid certificate
  10. Demo Let's Encrypt Certificate
    1. Show website with Juice Shop and valid Let's Encrypt certificate

Demo Flow

The following are the actual steps needed to execute the demo:

  1. Boot up images
  2. SSH into the BIG-IP and run the following
    1. tmsh
    2. modify auth user admin prompt-for-password
    3. save sys config
    4. quit
  3. SSH into the Ubuntu server and run the following
    1. git clone https://github.com/el-coder/lets-encrypt-ansible-uber-demo.git
    2. cd lets-encrypt-ansible-uber-demo
    3. Run ./install-ubuntu-dependencies.sh
    4. Run ./deploy.sh
    5. Run the Let's Encrypt script: ./letsencrypt.sh http://10.1.10.20
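The demo's two end states (Juice Shop served with an invalid certificate, then with a valid Let's Encrypt one) can be confirmed from the jumphost with the added Python check below. It is example code written for this page, not part of the project: check_site() performs a verifying TLS handshake against the domain you configured in lets-encrypt-as3.yml and evaluate_cert() summarises the leaf certificate (issuer, name match, validity window). SAMPLE_CERT, the example.test names and the dates are constructed placeholders.

```python
import socket
import ssl
from datetime import datetime, timezone

# Constructed certificate in the dict shape ssl.SSLSocket.getpeercert() returns.
# Names, issuer and dates are placeholders, not values from the demo environment.
SAMPLE_CERT = {
    "subject": ((("commonName", "juice.example.test"),),),
    "issuer": ((("countryName", "US"),), (("organizationName", "Let's Encrypt"),),
               (("commonName", "R3"),)),
    "notBefore": "Oct 12 00:00:00 2030 GMT",
    "notAfter": "Jan 10 00:00:00 2031 GMT",
    "subjectAltName": (("DNS", "juice.example.test"), ("DNS", "*.example.test")),
}


def _rdn_value(name, attr):
    """Pull one attribute (e.g. commonName) out of a getpeercert() name tuple."""
    for rdn in name:
        for key, value in rdn:
            if key == attr:
                return value
    return None


def san_matches(cert, hostname):
    """Exact or single-label wildcard match of hostname against the DNS SANs."""
    host = hostname.lower().rstrip(".")
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        pattern = value.lower()
        if pattern == host:
            return True
        if (pattern.startswith("*.") and host.count(".") == pattern.count(".")
                and host.endswith(pattern[1:])):
            return True
    return False


def _to_epoch(now):
    """now may be None (current time), epoch seconds, or an ISO date string (UTC)."""
    if now is None:
        return datetime.now(timezone.utc).timestamp()
    if isinstance(now, (int, float)):
        return float(now)
    return datetime.fromisoformat(now).replace(tzinfo=timezone.utc).timestamp()


def evaluate_cert(cert, hostname, now=None):
    """Summarise the properties the demo's invalid and valid states differ on."""
    now_ts = _to_epoch(now)
    starts = ssl.cert_time_to_seconds(cert["notBefore"])
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    result = {
        "issuer_cn": _rdn_value(cert["issuer"], "commonName"),
        "issuer_org": _rdn_value(cert["issuer"], "organizationName"),
        "self_signed": cert["subject"] == cert["issuer"],
        "hostname_match": san_matches(cert, hostname),
        "not_yet_valid": now_ts < starts,
        "expired": now_ts > expires,
        "days_remaining": int((expires - now_ts) // 86400),
    }
    result["ok"] = (result["hostname_match"] and not result["self_signed"]
                    and not result["not_yet_valid"] and not result["expired"])
    return result


def check_site(hostname, port=443, timeout=5.0):
    """Live check: verifying handshake against the system trust store, then evaluate_cert().

    An untrusted or self-signed certificate (the demo's initial state) is reported, not raised.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                return {"verified": True, **evaluate_cert(tls.getpeercert(), hostname)}
    except ssl.SSLCertVerificationError as exc:
        return {"verified": False, "error": exc.verify_message}
    except (OSError, ssl.SSLError) as exc:
        return {"verified": False, "error": str(exc)}


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "juice.example.test"  # placeholder
    print(check_site(target))
```

Run it with the DNS name, not the virtual server IP, because the Let's Encrypt certificate only lists the domain in its subjectAltName. Before the letsencrypt.sh step the result should be verified=False with a verification error; afterwards it should be verified=True with ok=True, and days_remaining can be fed to monitoring so renewal is not left to chance.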

Variable Reference

Variables can be overridden in a number of locations in the playbooks. Primarily, the variables are set in the inventory.yml file. To learn about variable precedence in Ansible, see the user guide.

Common variables (applied to all hosts in inventory)

| Variable Name | Description | Required |
|---|---|---|
| ansible_connection | Connection type used when connecting to the Ubuntu host. | * |
| ansible_user | User name with which to log in to the Ubuntu server via ssh. | * |
| ansible_become | Determines whether privilege escalation is used while issuing Ansible tasks on the Ubuntu server. | * |
| app_server_address | The address that is assigned to the Juice Shop and Grafana Virtual Server pool members. If the add_ubuntu_interface variable is set to true, this address will also be assigned to the eth1 interface of the Ubuntu server. | * |

Server host variables

| Variable Name | Description | Required |
|---|---|---|
| ansible_connection | Instructs Ansible to suppress the use of ssh when connecting to this host. More info here. | * |
| app_server_gateway | The gateway address to be used when creating the additional interface on the Ubuntu server. | |
| add_ubuntu_interface | Boolean to add an optional network interface (eth1) to the Ubuntu server using the NetPlan role. | |

BIG-IP host variables

| Variable Name | Description | Required |
|---|---|---|
| bigip_provider | BIG-IP management connection information. Documented here. | * |
| bigip_validate_certs | Determines whether or not a TLS certificate is validated when connecting to the BIG-IP's management API for the scope of the Ansible plays. | * |
| bigip_domain | Used when building the FQDN portion of the BIG-IP host name as well as the DNS search suffix. | * |
| bigip_hostname | Fully qualified host name of the BIG-IP. | * |
| bigip_ntp_server | A comma-separated, double-quoted list of NTP servers that the BIG-IP should use. | * |
| bigip_ntp_timezone | The name of the NTP timezone. See the TZ database name column on this page for examples. | * |
| bigip_dns_server | A quoted IP address of your DNS server. | * |
| bigip_dns_search | The DNS search domain. | * |
| bigip_external_self_ip | The BIG-IP's self IP address on the external interface. | * |
| bigip_internal_self_ip | The BIG-IP's self IP address on the internal interface. | * |
| juiceshop_virtual_address | The IP address of the Juice Shop Virtual Server that will be created. | * |
| grafana_virtual_address | The IP address of the Grafana Virtual Server that will be created. | * |
| log_pool | The IP address of the Virtual Server and logging pool that the LTM Request Policy and ASM logs will target. Recommended to use an IP address on the internal network, as it does not need to be accessed publicly. | * |
| bigip_license | The license key for the BIG-IP. If not specified, the BIG-IP will not be licensed when the playbook runs. | |
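Because a missing or mistyped variable only surfaces part-way through deploy.sh, and because two of these settings carry security weight (bigip_validate_certs disables TLS verification of the management API, and log_pool is meant to stay on the internal network), the added Python linter below checks an inventory against the tables above before the playbook runs. It is example code written for this page, not part of the project. The group names "servers" and "bigips", every value in SAMPLE_INVENTORY, and the bigip_provider keys (server, user, password, validate_certs, server_port, as used by the F5 Ansible modules) are assumptions; the inventory is shown as the dict yaml.safe_load() would return so the example runs with the standard library only.

```python
import copy
import ipaddress

# Required variables per the README tables; group names and values are constructed.
COMMON_REQUIRED = ("ansible_connection", "ansible_user", "ansible_become",
                   "app_server_address")
SERVER_REQUIRED = ("ansible_connection",)
BIGIP_REQUIRED = (
    "bigip_provider", "bigip_validate_certs", "bigip_domain", "bigip_hostname",
    "bigip_ntp_server", "bigip_ntp_timezone", "bigip_dns_server", "bigip_dns_search",
    "bigip_external_self_ip", "bigip_internal_self_ip",
    "juiceshop_virtual_address", "grafana_virtual_address", "log_pool")
# Variables that must parse as an IP address (self IPs may carry a /prefix).
IP_VARS = ("app_server_address", "app_server_gateway", "bigip_dns_server",
           "bigip_external_self_ip", "bigip_internal_self_ip",
           "juiceshop_virtual_address", "grafana_virtual_address", "log_pool")

# Constructed inventory in the shape yaml.safe_load() returns for inventory.yml.
SAMPLE_INVENTORY = {"all": {
    "vars": {"ansible_connection": "ssh", "ansible_user": "ubuntu",
             "ansible_become": True, "app_server_address": "10.1.20.10"},
    "children": {
        "servers": {"hosts": {"ubuntu": {
            "ansible_connection": "local", "add_ubuntu_interface": True,
            "app_server_gateway": "10.1.20.1"}}},
        "bigips": {"hosts": {"bigip1": {
            "bigip_provider": {"server": "10.1.1.5", "user": "admin",
                               "password": "{{ vault_bigip_password }}",
                               "validate_certs": False, "server_port": 443},
            "bigip_validate_certs": False,
            "bigip_domain": "example.test", "bigip_hostname": "bigip1.example.test",
            "bigip_ntp_server": '"0.pool.ntp.org","1.pool.ntp.org"',
            "bigip_ntp_timezone": "UTC",
            "bigip_dns_server": "10.1.20.2", "bigip_dns_search": "example.test",
            "bigip_external_self_ip": "10.1.10.5/24",
            "bigip_internal_self_ip": "10.1.20.5/24",
            "juiceshop_virtual_address": "10.1.10.20",
            "grafana_virtual_address": "10.1.10.21",
            "log_pool": "10.1.20.10"}}}}}}


def effective_vars(inventory, group, host):
    """Merge all.vars, then group vars, then host vars (later wins), as Ansible does."""
    top = inventory["all"]
    grp = top["children"][group]
    merged = dict(top.get("vars", {}))
    merged.update(grp.get("vars", {}))
    merged.update(grp["hosts"][host])
    return merged


def lint_host(variables, required):
    """Return (severity, message) findings for one host's effective variables."""
    findings = []
    for name in required:
        if name not in variables:
            findings.append(("error", f"missing required variable {name}"))
    for name in IP_VARS:
        if name not in variables:
            continue
        try:
            parsed = ipaddress.ip_interface(str(variables[name]))
        except ValueError:
            findings.append(("error", f"{name} is not an IP address"))
            continue
        if name == "log_pool" and not parsed.ip.is_private:
            findings.append(("warn", "log_pool should be on the internal (private) network"))
    if variables.get("bigip_validate_certs") is False:
        findings.append(("warn", "bigip_validate_certs is false: management API TLS not verified"))
    provider = variables.get("bigip_provider")
    if isinstance(provider, dict):
        for key in ("server", "user", "password"):
            if key not in provider:
                findings.append(("error", f"bigip_provider lacks {key}"))
        if "{{" not in str(provider.get("password", "")):
            findings.append(("warn", "bigip_provider.password is a literal; use an Ansible Vault variable"))
    return findings


def lint_inventory(inventory):
    """Lint every host in both groups; returns {host: findings}."""
    report = {}
    for group, extra in (("servers", SERVER_REQUIRED), ("bigips", BIGIP_REQUIRED)):
        for host in inventory["all"]["children"][group]["hosts"]:
            report[host] = lint_host(effective_vars(inventory, group, host),
                                     COMMON_REQUIRED + extra)
    return report


def has_errors(report):
    return any(sev == "error" for findings in report.values() for sev, _ in findings)


def with_overrides(inventory, group, host, **changes):
    """Copy the inventory and alter one host's vars; a value of None removes the variable."""
    new = copy.deepcopy(inventory)
    hostvars = new["all"]["children"][group]["hosts"][host]
    for key, value in changes.items():
        if value is None:
            hostvars.pop(key, None)
        else:
            hostvars[key] = value
    return new


if __name__ == "__main__":
    for host, findings in lint_inventory(SAMPLE_INVENTORY).items():
        for severity, message in findings or [("ok", "no findings")]:
            print(f"{host}: {severity}: {message}")
```

Errors (missing required variables, values that are not IP addresses) should stop the run; the warnings are judgement calls for a demo environment, but a production inventory would set bigip_validate_certs to true with a trusted management certificate and keep the BIG-IP password in Ansible Vault rather than in inventory.yml.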

Attributions