Merge pull request #130 from ripienaar/0100
(misc) Release 0.10.0
ripienaar authored Jul 21, 2021
2 parents 3fc24f5 + 69a371c commit e9bf13c
Showing 5 changed files with 212 additions and 160 deletions.
2 changes: 2 additions & 0 deletions CHANGELOG.md
@@ -1,5 +1,7 @@
|Date |Issue |Description |
|----------|------|---------------------------------------------------------------------------------------------------------|
|2021/07/21| |Release 0.10.0 |
|2021/04/19|127 |Move the agent to go-choria repository |
|2020/09/28| |Release 0.9.0 |
|2020/07/06|122 |Allow the provisioning component name to be configured |
|2020/07/01| |Release 0.8.0 |
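Review bot: the added 0.10.0 row carries no issue reference, which matches the 0.9.0 and 0.8.0 rows, but the go.mod hunk in this same commit swaps the token library from github.com/dgrijalva/jwt-go to github.com/golang-jwt/jwt and raises the go directive from 1.14 to 1.16, and neither change is recorded here. Because the agent authenticates nodes by their signed provisioning JWT, a dated row naming the JWT library change would let operators trace it when auditing this release.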
124 changes: 12 additions & 112 deletions README.md
Expand Up @@ -28,125 +28,25 @@ This project includes a provisioner that you can use, it will call a `helper` th

## Configuring Choria Server

Provisioning is off and cannot be enabled in the version of Choria shipped to the Open Source community, to use it you need to perform a custom build and make your own packages. Choria provides the tools to do this.
Provisioning is enabled in the Open Source server by means of a JWT token that you create during provisioning. The JWT token holds all of the information the server
needs to find it's provisioning server and will present that token also to the provisioning server for authentication.

The following section guides you through setting up a custom build that will produce a `acme-choria` RPM with completely custom paths etc. It will have provisioning enabled and whenever it detects `plugin.choria.server.provision` is not set to `false` will enter provisioning mode by connecting to `choria-provision.example.net:4222`.
The token is signed using a trusted private key, the provisioner will only provision nodes presenting a trusted key.

### Creating a custom build specification

The build specification is in the `go-choria` repository in `packager/buildspec.yaml`, lets see a custom one:

```yaml
flags_map:
TLS: github.com/choria-io/go-choria/build.TLS
maxBrokerClients: github.com/choria-io/go-choria/build.maxBrokerClients
Secure: github.com/choria-io/go-choria/vendor/github.com/choria-io/go-protocol/protocol.Secure
Version: github.com/choria-io/go-choria/build.Version
SHA: github.com/choria-io/go-choria/build.SHA
BuildTime: github.com/choria-io/go-choria/build.BuildDate
ProvisionBrokerURLs: github.com/choria-io/go-choria/build.ProvisionBrokerURLs
ProvisionModeDefault: github.com/choria-io/go-choria/build.ProvisionModeDefault
ProvisionAgent: github.com/choria-io/go-choria/build.ProvisionAgent
ProvisionSecure: github.com/choria-io/go-choria/build.ProvisionSecure
ProvisionRegistrationData: github.com/choria-io/go-choria/build.ProvisionRegistrationData
ProvisionFacts: github.com/choria-io/go-choria/build.ProvisionFacts
ProvisionToken: github.com/choria-io/go-choria/build.ProvisionToken
ProvisionJWTFile: github.com/choria-io/go-choria/build.ProvisionJWTFile
ProvisioningBrokerUsername: github.com/choria-io/go-choria/build.ProvisioningBrokerUsername
ProvisioningBrokerPassword: github.com/choria-io/go-choria/build.ProvisioningBrokerPassword

foss:
compile_targets:
defaults:
output: choria-{{version}}-{{os}}-{{arch}}
pre:
- rm additional_agent_*.go || true
- go generate
flags:
ProvisionModeDefault: "true"
ProvisionBrokerURLs: "choria-provision.example.net:4222"
ProvisionSecure: "false"
ProvisionRegistrationData: "/opt/acme/etc/node-metadata.json"
ProvisionFacts: "/opt/acme/etc/node-metadata.json"
ProvisionToken: "toomanysecrets"

64bit_linux:
os: linux
arch: amd64

packages:
defaults:
name: acme-choria
bindir: /opt/acme-choria/sbin
etcdir: /opt/acme-choria/etc
release: 1
manage_conf: 1
contact: admins@example.net
rpm_group: Acme/Tools

el7_64:
template: el/el7
dist: el7
target_arch: x86_64
binary: 64bit_linux
```
This is a stripped down packaging config based on the stock one, it will:
* Build only a 64bit Linux binary
* Package a el7 64bit RPM with the name `acme-choria` and custom paths
* Provisioning is on by default unless specifically disabled in the configuration
* It will use this agent by default to enable provisioning, you can supply your own see below
* It will connect to `choria-provision.example.net:4222` with TLS disabled
* It will publish regularly the file `/opt/acme/etc/node-metadata.json` to `choria.provisioning_data` on the middleware
* It will use `/opt/acme/etc/node-metadata.json` as a fact source so you can discover it or retrieve its facts using `rpcutil#inventory` action

In this case you will have a static broker that will be connected to, this might be too limiting for your needs - perhaps you wish to use a regional or client appropriate provisioner host instead. You can implement the `provtarget.TargetResolver` interface and then compile that into your binary by placing the following YAML in your go-choria `packager` directory:

```yaml
# packager/provision_target_provider.yaml
---
name: MyCorp Provisioning Target Provider
repo: github.com/mycorp/ec2provtarget
```nohighlight
$ choria tool jwt provisioning.jwt key.pem --srv choria.example.net --token toomanysecrets
```

In the above repo should be a method `ec2provtarget.Provisioner()` that returns an instance of your provisioner that implements `provtarget.TargetResolver`. See the [default one](https://github.com/choria-io/go-choria/tree/master/provtarget/builddefaults) for an example.

You can verify the resulting build with: `acme-choria buildinfo` and it should have a line like: `Provisioning Target Resolver: MyCorp Provisioning Target Provider`

### Using your own agent
Here we create a `provisioning.jwt` that will instruct Choria to look for `_choria-provisioner._tcp.choria.example.net` SRV
records to find the server to connect to.

You might not like the provisioning flow exposed by this agent, no problem you can supply your own.
Other options can be set for example to hard code provisioning URLs, username and passwords and more.

Create `packaging/user_plugins.yaml`

```yaml
---
choria_provision: github.com/acme/prov_agent
```

Arrange for this to be in the project using `glide get` and in the `buildspec.yaml` set `ProvisionAgent: "false"` in the flag section, it will now not activate this agent and instead use yours.
It also need to implement the `plugin.Pluggable` interface that the Choria plugin system needs.

### Building

Do a `rake build` (needs docker) and after some work you'll have a rpm tailored to your own paths, name and with Provisioning enabled.

```
$ choria buildinfo
# ...
Server Settings:
Provisioning Brokers: choria-provision.example.net:4222
Provisioning Default: true
Default Provisioning Agent: true
Provisioning TLS: false
Provisioning Registration Data: /opt/acme/etc/node-metadata.json
Provisioning Facts: /opt/acme/etc/node-metadata.json
# ...
```
When this file is placed in `/etc/choria/provisioning.jwt` and Choria starts without a configuration it will provision
via these settings.

If you just want the binary and no packages use `rake build_binaries`.
Choria also support provisioning plugins to resolve this information dynamically but this requires custom binaries and should
in general be avoided.

## Provisioning nodes

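Review bot: the new sentence `needs to find it's provisioning server and will present that token also to the provisioning server for authentication` says the node hands its signed token to whichever server it locates through the `_choria-provisioner._tcp.choria.example.net` SRV lookup, but the rewritten section never says how the node verifies that server, whereas the text it replaces at least documented `Provisioning TLS: false`; state whether the broker connection found via SRV must be TLS-protected, since the token is a credential and an SRV answer is only as trustworthy as the resolver. Smaller points: `find it's provisioning server` should read `find its provisioning server`, `Choria also support provisioning plugins` should read `supports`, and the example `choria tool jwt provisioning.jwt key.pem --srv choria.example.net --token toomanysecrets` passes the shared token as a command-line argument, so the doc could mention that it lands in shell history and the process list, and that `/etc/choria/provisioning.jwt` should be readable only by the user the server runs as.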
14 changes: 7 additions & 7 deletions go.mod
@@ -1,16 +1,16 @@
module github.com/choria-io/provisioning-agent

go 1.14
go 1.16

require (
github.com/choria-io/go-backplane v1.2.2-0.20210419093051-1cba8056dc51
github.com/choria-io/go-choria v0.21.1-0.20210419092041-62e718089d95
github.com/dgrijalva/jwt-go v3.2.1-0.20200107013213-dc14462fd587+incompatible
github.com/choria-io/go-choria v0.22.1-0.20210721091802-fc47b6926222
github.com/ghodss/yaml v1.0.0
github.com/nats-io/nats-server/v2 v2.2.2-0.20210408165533-36e18c20ff39
github.com/onsi/ginkgo v1.16.1
github.com/onsi/gomega v1.11.0
github.com/prometheus/client_golang v1.10.0
github.com/golang-jwt/jwt v3.2.1+incompatible
github.com/nats-io/nats-server/v2 v2.3.2
github.com/onsi/ginkgo v1.16.4
github.com/onsi/gomega v1.14.0
github.com/prometheus/client_golang v1.11.0
github.com/sirupsen/logrus v1.8.1
gopkg.in/alecthomas/kingpin.v2 v2.2.6
)
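Review bot: `github.com/choria-io/go-choria v0.22.1-0.20210721091802-fc47b6926222` pins a tagged release to an untagged go-choria commit from the same day as this merge (the pseudo-version carries 20210721); depending on a tagged go-choria version would make the 0.10.0 build reproducible and auditable, as is already done for nats-server, where `v2.3.2` replaces a pseudo-version. The replacement of `github.com/dgrijalva/jwt-go` with `github.com/golang-jwt/jwt v3.2.1+incompatible` changes the import path, and the matching source edits and go.sum update are not among the three files shown here although the header counts five, so confirm they are part of this commit; with the go directive raised to 1.16, a stale go.sum fails the build instead of being rewritten, because 1.16 defaults to -mod=readonly.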