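---
# Validate edge ingress readiness for an externally-routed Swarm service.
#
# Flow: validate inputs -> derive probe URLs -> probe the backend from the edge
# host -> probe the public HTTPS endpoint from the controller -> assert on the
# public status code -> collect a traefik-kop log sample -> print a summary.
#
# Usage:
#   ansible-playbook -i inventory/hosts.ini playbooks/preflight/validate_edge_ingress.yml \
#     -e "service_fqdn=git.castaldifamily.com" \
#     -e "backend_port=8251"

- name: Validate external Traefik ingress path
  hosts: localhost
  connection: local
  gather_facts: false
  vars_files:
    - ../../group_vars/all.yml

  vars:
    service_fqdn: "git.castaldifamily.com"
    # May also arrive as a string via -e; it is always coerced with | int below.
    backend_port: 8251
    # backend_host controls which IP Heimdall probes for the backend.
    # Default: swarm.bind_ip — correct for Swarm services (routing mesh exposes published
    # ports on all nodes). Override with edge_routing.integration.bind_ip for services
    # running on Watchtower (Grafana, Dozzle, Uptime Kuma, etc.).
    backend_host: "{{ edge_routing.swarm.bind_ip }}"
    # external_probe_tls_verify: false keeps the previous `curl -k` behaviour, so
    # the public probe accepts any certificate and an expired or mis-issued edge
    # certificate is NOT detected by this play. Set it to true (e.g. -e
    # external_probe_tls_verify=true) once the certificate is expected to be valid.
    external_probe_tls_verify: false
    # Status codes that show the public hostname is routed to some backend;
    # redirects and auth challenges count as reachable. Quoted because curl's
    # -w output is compared as a string.
    allowed_external_http_codes:
      - "200"
      - "301"
      - "302"
      - "401"
      - "403"

  tasks:
    # Runs before anything is dereferenced: an empty swarm_managers group or a
    # missing edge_routing key would otherwise surface as a templating error in
    # the set_fact task instead of this message.
    - name: Validate required variables
      ansible.builtin.assert:
        that:
          - edge_routing.edge_host.name | default('') | length > 0
          - edge_routing.integration.bind_ip | length > 0
          - edge_routing.integration.redis_addr | length > 0
          - service_fqdn | default('') | length > 0
          - backend_host | default('') | length > 0
          - backend_port | default(0) | int > 0
          - groups['swarm_managers'] | default([]) | length > 0
        fail_msg: "Missing required edge routing or service probe inputs."

    - name: Build derived probe URLs
      ansible.builtin.set_fact:
        backend_url: "http://{{ backend_host }}:{{ backend_port | int }}"
        external_url: "https://{{ service_fqdn }}"
        primary_swarm_manager: "{{ groups['swarm_managers'][0] }}"

    # argv form hands the URL to curl as one argument, so a value containing
    # whitespace cannot be split into additional curl options. curl writes only
    # %{http_code} to stdout, which is what the checks below compare.
    - name: Probe service backend from edge host
      ansible.builtin.command:
        argv:
          - curl
          - -sS
          - -o
          - /dev/null
          - -w
          - "%{http_code}"
          - --max-time
          - "6"
          - "{{ backend_url }}"
      delegate_to: "{{ edge_routing.edge_host.name }}"
      register: edge_backend_probe
      changed_when: false
      # curl reports 000 when no HTTP response was received (refused, timeout).
      failed_when: edge_backend_probe.stdout == "000"

    - name: Probe public service endpoint from controller
      ansible.builtin.command:
        argv: >-
          {{ ['curl', '-sS', '-o', '/dev/null', '-w', '%{http_code}', '--max-time', '10']
             + ([] if external_probe_tls_verify else ['-k'])
             + [external_url] }}
      register: external_probe
      changed_when: false
      # A transport failure (non-zero rc, stdout "000") must not abort here;
      # the assert below reports it together with the expected-code list.
      failed_when: false

    - name: Check external endpoint health code
      ansible.builtin.assert:
        that:
          - external_probe.stdout in allowed_external_http_codes
        fail_msg: >-
          External endpoint {{ external_url }} returned HTTP {{ external_probe.stdout }}.
          Expected one of {{ allowed_external_http_codes | join(', ') }}.
          {{ external_probe.stderr | default('') }}

    # Best-effort diagnostic only: a missing service or docker error must not
    # fail the play, hence failed_when: false.
    - name: Capture traefik-kop logs for publication hints
      ansible.builtin.command: docker service logs traefik-kop_traefik-kop --tail 120
      delegate_to: "{{ primary_swarm_manager }}"
      register: traefik_kop_logs
      changed_when: false
      failed_when: false

    - name: Report ingress validation summary
      ansible.builtin.debug:
        msg:
          - "Edge backend probe (from {{ edge_routing.edge_host.name }}): {{ backend_url }} -> HTTP {{ edge_backend_probe.stdout }}"
          - "External probe (from controller): {{ external_url }} -> HTTP {{ external_probe.stdout }}"
          - "Traefik-kop log sample lines: {{ (traefik_kop_logs.stdout_lines | default([]))[:8] }}"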