Merge branch 'master' into one-last-docker-log-fix

Author: Christopher M. Neill

ansible/delta-hosts/variables

@@ -50,6 +50,7 @@ khronos_canary_logs_instance_id=56f07f5c1e089a200077f2a3
 khronos_canary_rebuild_instance_id=571b39b9d35173300021667d
 khronos_canary_rebuild_navi_url=http://canary-build-staging-runnabletest.runnableapp.com:8000/
 khronos_canary_token=24592325a6f881e77a01e3bacf0952c49f4e9f1c
+khronos_canary_failover_token=84549e76545306de61d47f23b1d1831e1c95a400
 khronos_mongo_auth=api:72192e5a-a5e1-11e5-add9-0270db32f7ad
 khronos_mongo_database=delta
 khronos_mongo_replset_name=delta

ansible/group_vars/alpha-khronos.yml

@@ -22,6 +22,9 @@ canary_cron_queues: "\
   khronos:canary:network \
   khronos:metrics:container-status"
 
+hourly_canary_cron_queues: "\
+  khronos:canary:failover"
+
 # a nice version of the rabbitmq host
 cron_rabbit_host_address: "{{ rabbit_host_address }}:{{ rabbit_port }}"
 # a quick version of authentication for rabbit for cron
@@ -33,6 +36,9 @@ container_envs: >
   -e API_URL={{ api_url }}
   -e CONSUL_HOST={{ consul_host_address }}:{{ consul_api_port }}
   -e CANARY_API_TOKEN={{ khronos_canary_token | default('undefined') }}
+  {% if khronos_canary_failover_token is defined %}
+    -e CANARY_API_FAILOVER_TOKEN={{ khronos_canary_failover_token }}
+  {% endif %}
   -e CANARY_GITHUB_BRANCHES_INSTANCE_ID={{ khronos_canary_github_branches_instance_id | default('undefined') }}
   -e CANARY_LOG_INSTANCE_ID={{ khronos_canary_logs_instance_id | default('undefined') }}
   -e CANARY_LOG_TERMINAL_SLEEP=10
@@ -57,6 +63,7 @@ container_envs: >
   -e RABBITMQ_PORT={{ rabbit_port }}
   -e RABBITMQ_USERNAME={{ rabbit_username }}
   -e SWARM_HOST=http://{{ swarm_host_address }}:{{ swarm_master_port }}
+  -e USER_CONTENT_DOMAIN={{ user_content_domain }}
   -e WORKER_MAX_RETRY_DELAY=3600000
 
 container_run_opts: >

ansible/group_vars/alpha-palantiri.yml

@@ -3,8 +3,8 @@ name: "palantiri"
 container_image: "registry.runnable.com/runnable/{{ name }}"
 container_tag: "{{ git_branch }}"
 repo: "git@github.com:CodeNow/{{ name }}.git"
-node_version: "0.10.38"
-npm_version: "2.1.18"
+node_version: "4.2.2"
+npm_version: "2.14.7"
 
 # container settings
 container_envs: >

ansible/roles/khronos/tasks/main.yml

@@ -8,6 +8,7 @@
   with_items:
   - { cron_queues: "{{ main_cron_queues }}", script: "main-cron.sh"}
   - { cron_queues: "{{ canary_cron_queues }}", script: "canary-cron.sh"}
+  - { cron_queues: "{{ hourly_canary_cron_queues }}", script: "hourly-canary-cron.sh"}
 
 - name: Put Khronos script into crontab
   become: yes
@@ -27,6 +28,10 @@
     minute: "*/5"
     script: canary-cron.sh
     state: "{% if node_env == 'production-delta' %}present{% else %}absent{% endif %}"
+  - name: Khronos CLI - Half-Hourly Canary
+    minute: "*/30"
+    script: hourly-canary-cron.sh
+    state: "{% if node_env == 'production-delta' %}present{% else %}absent{% endif %}"
 
 - name: make directory for mongo certificates
   become: yes

ansible/roles/vault/tasks/main.yml

@@ -21,6 +21,7 @@
     recurse=yes
 
 - name: copy vault config
+  tags: [ deploy ]
   become: true
   template:
     src=vault.hcl

ansible/roles/vault/templates/vault.hcl

@@ -19,3 +19,5 @@ listener "tcp" {
   tls_cert_file = "/opt/vault/server/cert.pem"
   tls_key_file = "/opt/vault/server/key.pem"
 }
+
+max_lease_ttl = "8760h"

ansible/vault-values.yml

@@ -30,7 +30,7 @@
         return_content=yes
       register: mounts
 
-    - name: mount aws backend in vault
+    - name: mount 1h aws backend in vault
       run_once: true
       when: write_values is defined and mounts.json['aws_1h/'] is not defined
       uri:
@@ -47,9 +47,26 @@
             default_lease_ttl: "3600s" # 1 hour, in seconds
             max_lease_ttl: "3600s" # 1 hour, in seconds
 
-    - name: configure aws root credentials
+    - name: mount 1yr aws backend in vault
       run_once: true
-      when: (write_values is defined and write_root_creds is defined) or (write_values is defined and mounts.json['aws/'] is not defined)
+      when: write_values is defined and mounts.json['aws_1yr/'] is not defined
+      uri:
+        method=POST
+        follow_redirects=all
+        url=http://{{ ansible_default_ipv4.address }}:8200/v1/sys/mounts/aws_1yr
+        HEADER_X-Vault-Token="{{ vault_auth_token }}"
+        body_format=json
+        body='{{ item | to_json }}'
+        status_code=204
+      with_items:
+        - type: "aws"
+          config:
+            default_lease_ttl: "8760h" # 1 year, in hours
+            max_lease_ttl: "8760h" # 1 year, in hours
+
+    - name: configure 1h aws root credentials
+      run_once: true
+      when: (write_values is defined and write_root_creds is defined) or (write_values is defined and mounts.json['aws_1h/'] is not defined)
       uri:
         method=POST
         follow_redirects=all
@@ -64,6 +81,23 @@
           secret_key: "{{ vault_aws_secret_key }}"
           region: "{{ vault_aws_region }}"
 
+    - name: configure 1yr aws root credentials
+      run_once: true
+      when: (write_values is defined and write_root_creds is defined) or (write_values is defined and mounts.json['aws_1yr/'] is not defined)
+      uri:
+        method=POST
+        follow_redirects=all
+        url=http://{{ ansible_default_ipv4.address }}:8200/v1/aws_1yr/config/root
+        HEADER_X-Vault-Token="{{ vault_auth_token }}"
+        body_format=json
+        body='{{ item | to_json }}'
+        status_code=204
+      register: creds
+      with_items:
+        - access_key: "{{ vault_aws_access_key_id }}"
+          secret_key: "{{ vault_aws_secret_key }}"
+          region: "{{ vault_aws_region }}"
+
     - name: check for the dock-init role
       run_once: true
       when: write_values is defined

ansible/vault.yml

@@ -10,6 +10,7 @@
 
   tasks:
   - name: get seal status
+    tags: [ deploy ]
     uri:
       method=GET
       url=http://{{ ansible_default_ipv4.address }}:8200/v1/sys/seal-status
@@ -18,6 +19,7 @@
     register: seal_status
 
   - name: unseal vault
+    tags: [ deploy ]
     when: seal_status.json.sealed
     uri:
       method=PUT