Ithanil/ansible-redis-sentinel

Redis Sentinel Role

This Ansible role sets up one or more Redis Sentinel clusters of at least 3 hosts each, starting from a (vanilla) Debian installation with ufw. It will set up a "basic setup with three boxes" as per the official documentation: https://redis.io/docs/latest/operate/oss_and_stack/management/sentinel/#example-sentinel-deployments .

The role is inspired by https://github.com/quanhua92/ansible-redis-sentinel , especially with respect to the config templating setup.

Install collections

How you install the present role in your Ansible setup is up to you. The role also depends on the community.general.ufw module from the community.general collection (https://galaxy.ansible.com/ui/repo/published/community/general), which needs to be installed. With ansible-galaxy this could be done as follows:

ansible-galaxy collection install community.general

Prepare your inventory

In your inventory you need to define the variable(s) sentinel_hosts for the hosts that should be part of the Sentinel cluster(s). It is an array of the members of a particular cluster, e.g.:

sentinel_hosts:
  - redis-sentinel-01
  - redis-sentinel-02
  - redis-sentinel-03

Note that these names are meant to be the inventory names, not necessarily the hostnames.

Furthermore, you should consider overriding some of the default variables in defaults/main.yml. Note that sentinel_use_ipv6 means to use IPv6 instead of IPv4 for communication between the sentinels.

Please consider setting the redis_password variable, because this role will default to an unprotected Redis setup. Make sure your installation is sufficiently protected by means of network isolation and firewalling. If you don't want to store the redis_password in plaintext in your Ansible repository, consider using ansible-vault. You could vault a new password like so (it will ask you for a vault password):

ansible-vault encrypt_string -J -n 'redis_password' 'p4ssw0rd'

and then store the result in your inventory. Remember to use --ask-vault-password when running your playbooks.

Final remarks

This role has a few assertions in place to prevent accidents. Most notably, the setup part will be skipped if any redis-server or redis-sentinel services are already running. If you really want to override your setup, please stop these services beforehand. Also consider clearing the configuration part that is automatically generated by Redis Sentinel at the end of /etc/redis/sentinel.conf to allow a clean re-setup. Alternatively, you can ignore the check for running services by using -e ignore_running=true when running the play.

Also, this role includes an additional task to conveniently ufw-allow a set of Redis Sentinel clients. It expects a dictionary redis_sentinel_clients in the variables, where the keys are the friendly names of the hosts (used as ufw rule comments) and the values are the IP addresses (separate entries are required for v4/v6). Please remember to quote keys and values in the dictionary!

A combined example playbook could look like the following:

- name: Setup Redis Sentinel
  hosts: redis
  tasks:
  - name: Setup Redis Sentinel
    ansible.builtin.include_role:
      name: redis-sentinel
  - name: UFW-allow redis clients
    ansible.builtin.include_role:
      name: redis-sentinel
      tasks_from: ufw_allow_clients

where the client dictionary could be defined as follows:

redis_sentinel_clients:
  "test1": "1.2.3.4"
  "test3": "1:2:3:4:5:6:7:8"

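The role's own assertions guard against overwriting running services; the play below is an added example, not part of this role, that checks the inventory variables described above before the role runs. The 16-character minimum and the play name are assumptions; the variable names and the redis host group are the ones used on this page.

```yaml
# Added example (not shipped with the role): pre-flight checks on the inventory.
- name: Pre-flight checks for the Redis Sentinel role
  hosts: redis
  gather_facts: false
  tasks:
    - name: Require a Redis password instead of the unprotected default
      ansible.builtin.assert:
        that:
          # default('', true) also covers an empty or null value.
          # 16 is an assumed minimum length, adjust to your policy.
          - (redis_password | default('', true) | length) >= 16
        fail_msg: >-
          redis_password is unset or too short; without it the role
          deploys an unprotected Redis. Store it with ansible-vault.
        quiet: true

    - name: Require at least three Sentinel hosts known to the inventory
      ansible.builtin.assert:
        that:
          - sentinel_hosts is defined
          - sentinel_hosts | length >= 3
          # sentinel_hosts holds inventory names, so each must exist there.
          - sentinel_hosts | difference(groups['all']) | length == 0
        fail_msg: "sentinel_hosts must list at least 3 inventory names."
        quiet: true

    - name: Require quoted keys and values in redis_sentinel_clients
      ansible.builtin.assert:
        that:
          # Unquoted entries made only of digits and colons can be parsed
          # by YAML as numbers, which would produce a wrong ufw rule.
          - item.key is string
          - item.value is string
        fail_msg: "Quote keys and values in redis_sentinel_clients."
        quiet: true
      loop: "{{ redis_sentinel_clients | default({}) | dict2items }}"
      loop_control:
        label: "{{ item.key }}"
```

Run it as a separate play ahead of the one that includes the role, with the same inventory and vault options.
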
About

Easily set up one or more Redis Sentinel failover clusters on Debian hosts
