May 15, 2017 by Eugen
As you may know, previously we announced availability of Ansible production-friendly playbooks to install & configure StackStorm for cases when our demo bash installer wasn’t sufficient.
With the new release github.com/StackStorm/ansible-st2 v0.7.0 you can do even more!
This version includes new bwc and st2chatops roles, features like passing settings to st2.conf, enhancements to use custom SSL certificate for st2web, more documentation use-cases, some breaking changes and of course, bug fixes.
StackStorm ChatOps is rocking, but it wasn’t available as a playbook. Now you can configure ChatOps via Ansible with the new st2chatops role. Thanks to stormer Anirudh Rekhi, you can do this:
```yaml
- name: Install st2chatops with "slack" hubot adapter
  role: st2chatops
  vars:
    st2chatops_version: latest
    st2chatops_hubot_adapter: slack
    st2chatops_config:
      HUBOT_SLACK_TOKEN: xoxb-CHANGE-ME-PLEASE
```
^^ So slick!
Our own Lakshmi Kannan has a serious case of FOMO, and didn’t want to miss the fun others were having with Ansible. So he created a new bwc role.
Here is an example to customize Brocade Workflow Composer (BWC) with LDAP auth backend and RBAC configuration to allow/restrict/limit different StackStorm functionality to specific users.
That’s the power of StackStorm Enterprise:
```yaml
- name: Install StackStorm Enterprise
  hosts: all
  roles:
    - name: Install and configure StackStorm Enterprise (BWC)
      role: bwc
      vars:
        bwc_repo: enterprise
        bwc_license: CHANGE-ME-PLEASE
        bwc_version: latest
        # Configure LDAP backend
        # See: https://bwc-docs.brocade.com/authentication.html#ldap
        bwc_ldap:
          backend_kwargs:
            bind_dn: "cn=Administrator,cn=users,dc=change-you-org,dc=net"
            bind_password: "foobar123"
            base_ou: "dc=example,dc=net"
            group_dns:
              - "CN=stormers,OU=groups,DC=example,DC=net"
            host: identity.example.net
            port: 389
            id_attr: "samAccountName"
        # Configure RBAC
        # See: https://bwc-docs.brocade.com/rbac.html
        bwc_rbac:
          # Define BWC roles and permissions
          # https://bwc-docs.brocade.com/rbac.html#defining-roles-and-permission-grants
          roles:
            - name: core_local_only
              description: "This role has access only to action core.local in pack 'core'"
              enabled: true
              permission_grants:
                - resource_uid: "action:core:local"
                  permission_types:
                    - action_execute
                    - action_view
                - permission_types:
                    - runner_type_list
          # Assign roles to specific users
          # https://bwc-docs.brocade.com/rbac.html#defining-user-role-assignments
          assignments:
            - name: test_user
              roles:
                - core_local_only
            - name: stanley
              roles:
                - admin
            - name: chuck_norris
              roles:
                - system_admin
```
Massive thing for our enterprise customers. Community users, you can request a trial license here and try it now!
st2.conf & mistral.conf settings
With the new st2_config var it’s possible to adjust any st2.conf configuration setting by passing a dict of values to the st2 role, like this:
```yaml
- name: Install st2, configure with external MongoDB and RabbitMQ
  role: st2
  vars:
    # https://github.com/StackStorm/st2/blob/master/conf/st2.conf.sample
    st2_config:
      auth:
        enable: True
      database:
        host: st2-remote-mongo-node
        port: 27017
        db_name: st2
        username: st2
        password: random-password123
      messaging:
        url: amqp://st2:[email protected]:5672/
```
The Mistral role var st2mistral_config works in the same way.
Super helpful long-awaited feature!
This will be especially beneficial for those wanting to configure StackStorm with external services like RabbitMQ and MongoDB. We’ll focus on HA-friendly deployments more in next releases, see for example: ansible-st2/issues/17.
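Because st2_config and the other role vars carry database, messaging and chat credentials, a playbook can be checked for literal secrets before it is committed. The script below is an added example, not part of ansible-st2; the key-name list is a heuristic, the sample playbook is constructed, and vault_hubot_slack_token is a hypothetical vaulted variable name.

```python
import re

# Heuristic: key names that carry credentials in this page's role variables.
SECRET_KEY = re.compile(r"(password|token|license|secret|certificate_key)$", re.I)
# scheme://user:password@host, as in the messaging url of st2_config.
URL_CREDS = re.compile(r"[a-z][a-z0-9+.-]*://[^/\s:@]+:[^/\s@]+@", re.I)
KEY_VALUE = re.compile(r"^\s*(?:-\s+)?([A-Za-z_][\w.-]*)\s*:\s*(.*?)\s*$")


def find_inline_secrets(playbook_text):
    """Return (line_no, key, reason) for each secret written literally."""
    findings = []
    for no, raw in enumerate(playbook_text.splitlines(), start=1):
        if raw.lstrip().startswith("#"):
            continue
        match = KEY_VALUE.match(raw.split(" #", 1)[0])  # drop trailing comment
        if not match:
            continue
        key, value = match.group(1), match.group(2).strip("\"'")
        # Skip mapping headers, Jinja2 references and inline vault ciphertext.
        if not value or "{{" in value or value.startswith("!vault"):
            continue
        if SECRET_KEY.search(key):
            findings.append((no, key, "literal secret"))
        elif URL_CREDS.search(value):
            findings.append((no, key, "credentials in URL"))
    return findings


# Constructed sample; vault_hubot_slack_token is a hypothetical vaulted variable.
SAMPLE = """\
- name: Install st2 with external services (constructed sample)
  role: st2
  vars:
    st2_config:
      database:
        host: st2-remote-mongo-node
        username: st2
        password: random-password123
      messaging:
        url: amqp://st2:s3cret@rabbit.example.net:5672/
    st2chatops_config:
      HUBOT_SLACK_TOKEN: "{{ vault_hubot_slack_token }}"
    st2web_ssl_certificate_key: "{{ lookup('file', 'local/path/to/domain-name.key') }}"
"""

if __name__ == "__main__":
    for no, key, reason in find_inline_secrets(SAMPLE):
        print(f"line {no}: {key}: {reason}")
```

Values supplied through a Jinja2 reference, a file lookup or an inline `!vault` block pass the check; literal passwords and credentials embedded in a URL are reported with their line number.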
By default we generate a self-signed certificate for nginx in st2web role. That’s good just to try it out, but doesn’t work well in real-world production deployments.
If you have a custom, signed SSL certificate, you can pass it now:
```yaml
- name: Configure st2web with custom certificate
  role: st2web
  vars:
    st2web_ssl_certificate: "{{ lookup('file', 'local/path/to/domain-name.crt') }}"
    st2web_ssl_certificate_key: "{{ lookup('file', 'local/path/to/domain-name.key') }}"
```
One more step forward to production-friendly configurations.
If you are installing from behind a proxy, you can use the environment variables http_proxy, https_proxy, and no_proxy in the playbook. They will be passed through during the execution.
Thanks John Hogenmiller for sharing his discoveries and providing the documentation example:
```yaml
---
- name: Install st2 behind a proxy
  hosts: all
  environment:
    http_proxy: http://proxy.example.net:8080
    https_proxy: https://proxy.example.net:8080
    no_proxy: 127.0.0.1,localhost
  roles:
    - st2
```
I would like to additionally thank our power user Hiroyasu OHYAMA who contributed really nice feature requests and fixes for this release. Shout out to everyone in our growing Slack community for asking questions, helping others, committing Pull Requests.
If you are aware of using Ansible with StackStorm, here is the full ansible-st2 v0.7.0 CHANGELOG.