Grafana always up, teleport restart, register-ca

Make sure Teleport is restarted upon configuration change.

Make sure grafana is up before moving on (fixes an issue where the
prometheus role would fail if grafana was down).

register-ca refactor to speed up the process.

buildconfig.yml

@@ -41,7 +41,7 @@ binary:
   name: "dawn"
 
   # The current version of the binary
-  version: "0.12.8"
+  version: "0.12.9"
 
   # (Optional) URLs to call when attempting auto-update.
   # Defaults:
@@ -78,7 +78,7 @@ image:
   name: dawn
 
   # Current image version
-  version: "0.12.8"
+  version: "0.12.9"
 
   # Root folder where most files will be uploaded or mounted
   root_folder: /dawn

docker-image/ansible/roles/grafana/tasks/main.yml

@@ -18,9 +18,16 @@
     src: "grafana_stack.yml.j2"
   register: grafana_stack_file_status
 
+- name: "Check if grafana is running"
+  shell: "docker stack ps {{ grafana_stack }}"
+  changed_when: grafana_running_state.rc != 0
+  ignore_errors: yes
+  register: grafana_running_state
+
 - name: "Start grafana on the cluster"
   when: >
-    grafana_config_file_status.changed|bool
+    grafana_running_state.changed|bool
+    or grafana_config_file_status.changed|bool
     or grafana_ldap_file_status.changed|bool
     or grafana_stack_file_status.changed|bool
   shell: "docker stack deploy -c '{{ grafana_stack_file }}' {{ grafana_stack }}"

docker-image/ansible/roles/prometheus/tasks/main.yml

@@ -10,6 +10,14 @@
     src: "prometheus_stack.yml.j2"
   register: prometheus_stack_file_status
 
+- name: "Check if prometheus is running"
+  shell: "docker stack ps {{ prometheus_stack }}"
+  changed_when: prometheus_running_state.rc != 0
+  ignore_errors: yes
+  register: prometheus_running_state
+
 - name: "Start prometheus on the cluster"
-  when: prometheus_stack_file_status.changed|bool
+  when: >
+    prometheus_stack_file_status.changed|bool
+    or prometheus_running_state.changed|bool
   shell: "docker stack deploy -c '{{ prometheus_stack_file }}' {{ prometheus_stack }}"

docker-image/ansible/roles/register-ca/tasks/main.yml

@@ -1,5 +1,44 @@
----
-- name: "Register CA on all hosts"
-  include_tasks: register_ca.yml target_host="{{ item }}"
-  with_items: "{{ groups['control'] | union(groups['edge']) | union(groups['worker']) }}"
+- name: "Create distribution group"
+  set_fact:
+    register_ca_control: "{{ groups['control'][0] }}"
+    register_ca_group: "{{ groups['control'] | union(groups['edge']) | union(groups['worker']) }}"
+
+- name: "Fetch remote CA"
+  uri:
+    headers:
+      X-Vault-Token: "{{ vault_token }}"
+    url: "http://127.0.0.1:8200/v1/{{ backend }}/pki/ca/pem"
+    method: GET
+    return_content: yes
+  delegate_to: "{{ register_ca_control }}"
+  register: ca_cert
+
+- name: "Save {{ backend }} CA to anchors folder"
+  copy:
+    content: "{{ ca_cert.content }}"
+    dest: "/etc/pki/ca-trust/source/anchors/{{ backend }}.pem"
+  register: anchors_copy
+  delegate_to: "{{ item }}"
+  with_items: "{{ register_ca_group }}"
   run_once: true
+
+- name: "Regenerate CAs"
+  when: anchors_copy.changed|bool
+  shell: update-ca-trust
+  delegate_to: "{{ item }}"
+  with_items: "{{ register_ca_group }}"
+  run_once: true
+  loop_control:
+    label: "{{ item }}"
+  register: cas_regeneration
+  async: 7200
+  poll: 0
+
+- name: "Wait for CAs to be regenerated"
+  when: anchors_copy.changed|bool
+  async_status:
+    jid: "{{ item.ansible_job_id }}"
+  register: cas_jobs
+  until: cas_jobs.finished
+  retries: 300
+  with_items: cas_regeneration.results

docker-image/ansible/roles/teleport/handlers/main.yml

@@ -0,0 +1,4 @@
+- name: "Restart teleport"
+  service:
+    name: teleport
+    state: restarted

docker-image/ansible/roles/teleport/tasks/main.yml

@@ -47,10 +47,11 @@
     src: teleport.service.j2
     dest: /usr/lib/systemd/system/teleport.service
     mode: "0644"
+  notify: "Restart teleport"
 
 - name: "Start teleport"
   systemd:
     daemon_reload: yes
     name: teleport
     state: started
-    enabled: yes
+    enabled: yes