Hello people,
Please, I am working on an Ansible playbook to patch Linux cluster machines. The machines have HashiCorp Vault installed on them. So I am trying to do micropatching such that only one node is patched and then rebooted at a time.
The playbook continues to the next machine only when the first node is fully up and the Vault application status is validated.
The challenge I am having is that in a Vault cluster, one server is selected as the “leader” while the others are followers. I need to patch the followers first, one after the other, then patch the leader last.
To determine which is the leader and which are followers, I will run a command on one of the Vault servers which prints all the machines in the cluster and their roles, as follows:
vault operator raft list-peers
Node Address State Voter
vault-001 vault-001.internal:8201 follower true
vault-002 vault-002.internal:8201 follower true
vault-003 vault-003.internal:8201 leader true
I can use the grep command with the shell module in the Ansible playbook to filter out the workers, but I don’t know how I can then pass the workers to the next play that will do the patching.
Please see my code below:
- name: Check Seal Status
  shell: vault status | grep Sealed
  become: yes
  become_user: ec2-user
  register: vault_status

- debug: msg="{{ vault_status.stdout_lines }}"

- debug: msg="Vault sealed"
  when: vault_status.stdout is search("false")

# Checking the Vault followers
- name: Get followers
  shell: vault operator raft list-peers | grep follower | awk '{print $1}'
  become: yes
  become_user: ec2-user
  register: followers

- debug: msg="{{ followers.stdout_lines }}"

# stdout_lines gives a list of node names rather than one newline-joined string
- set_fact:
    vault_followers: "{{ followers.stdout_lines }}"

# Intended as a separate play: hosts is a play-level key, not a task key
- name: Patch the worker nodes
  hosts: "{{ vault_followers }}"
  tasks:
    - yum:
        name: "*"
        state: latest
      register: follower_patched
The “Get followers” task provides the following result, as expected:
TASK [vault_leader_check : Get followers] ********************************************************************
changed: [vault-001]
TASK [vault_leader_check : debug] ****************************************************************************
ok: [vault-001] => {
"msg": [
"vault-001",
"vault-002"
Please note that I also have those two hosts in the Ansible inventory, but I cannot tell which are followers or leader; that is why I had to run the command to first grep the followers, then patch each of them one at a time before the leader.
Please help me to understand how I can then use the given hosts from the debug message, “vault-001” and “vault-002”, in the "patch worker
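One way to carry the discovered roles into the patching plays, as an added example that is not the original poster's playbook: the first play turns `vault operator raft list-peers -format=json` into dynamic groups with add_host, then follower and leader plays patch with serial: 1 and wait until Vault reports unsealed before the next node. It assumes an inventory group named vault, inventory hostnames equal to the raft node_id values, and a vault CLI already configured (VAULT_ADDR, token) for ec2-user.

```yaml
# Added example; assumes inventory names == raft node_id and a group "vault"
- name: Discover raft roles from one cluster member
  hosts: vault[0]
  become: yes
  become_user: ec2-user
  tasks:
    - name: List raft peers as JSON
      command: vault operator raft list-peers -format=json
      register: peers
      changed_when: false
    # Groups created by add_host persist into the plays that follow
    - name: Put each node into vault_followers or vault_leader
      add_host:
        name: "{{ item.node_id }}"
        groups: "{{ 'vault_leader' if item.leader else 'vault_followers' }}"
      loop: "{{ (peers.stdout | from_json).data.config.servers }}"
      loop_control:
        label: "{{ item.node_id }}"

- name: Patch followers one at a time
  hosts: vault_followers
  serial: 1
  become: yes
  tasks: &patch_tasks
    - name: Apply all pending updates
      yum:
        name: "*"
        state: latest
      register: patched
    - name: Reboot only if something changed
      reboot:
        reboot_timeout: 600
      when: patched.changed
    # vault status exits 2 while sealed and 1 while unreachable, so retry on rc
    # and confirm with the JSON "sealed" field before releasing the next node
    - name: Wait until Vault is unsealed on this node
      command: vault status -format=json
      become_user: ec2-user
      register: vstatus
      failed_when: false
      changed_when: false
      retries: 30
      delay: 10
      until: vstatus.rc == 0 and not (vstatus.stdout | from_json).sealed

- name: Patch the leader last
  hosts: vault_leader
  become: yes
  tasks: *patch_tasks
```

The YAML anchor reuses the same task list for the leader play, so the leader is patched only after every follower has finished and reported unsealed.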