Deploy `/etc/consul.d/config.hcl`.

2020-11-22 17:25:09 +09:00 · 2020-11-22 17:25:09 +09:00 · 41f25a9a1c
parent 39f8fc5bc1
commit 41f25a9a1c
6 changed files with 180 additions and 30 deletions
--- a/cookbooks/consul/attributes.rb
+++ b/cookbooks/consul/attributes.rb
@ -18,10 +18,7 @@ dns = run_command(cmd).stdout.chomp

 node.reverse_merge!({
  'consul' => {
-    'base_binary_url' => 'https://releases.hashicorp.com/consul/',
-    'arch' => node['kernel']['machine'] =~ /x86_64/ ? 'amd64' : '386',
-    'tmp_path' => '/tmp/itamae_tmp/consul.zip',
-    'manager' => true,
+    'manager' => false,
    'manager_hosts' => '["192.168.10.110", "192.168.10.101", "192.168.10.111", "192.168.10.115"]',
    'ipaddr' => ipaddr,
    'dns' => dns
--- a/cookbooks/consul/install.rb
+++ b/cookbooks/consul/install.rb
@ -3,7 +3,7 @@ KEYSRV = "https://apt.releases.hashicorp.com/gpg"
 ID = "A3219F7B"

 execute "apt-key adv --keyserver #{KEYSRV} --recv-keys #{ID}" do
-  not_if "apt-key list | grep #{ID}"
+  not_if 'apt-key list | grep HashiCorp'
 end

 # Retrieve the Ubuntu code:
--- a/cookbooks/consul/setup.rb
+++ b/cookbooks/consul/setup.rb
@ -1,4 +1,10 @@
-template '/etc/consul.d/config.json' do
+if node['consul']['manager']
+  SRC = 'consul-server.hcl.erb'
+else
+  SRC = 'consul-agent.hcl.erb'
+end
+
+template '/etc/consul.d/consul.hcl' do
  owner 'consul'
  group 'consul'
  mode '644'
@ -8,7 +14,7 @@ template '/etc/consul.d/config.json' do
            ipaddr: node['consul']['ipaddr'],
           )

-  notifies :restart, 'service[supervisor]'
+  source "templates/etc/consul.d/#{SRC}"
 end

 remote_file '/etc/consul.d/service-consul.json' do
--- a/cookbooks/consul/templates/etc/consul.d/config.json.erb
+++ b/cookbooks/consul/templates/etc/consul.d/config.json.erb
@ -1,23 +0,0 @@
-{
-  "datacenter": "aws",
-  <% if @manager then%>
-  "bootstrap_expect": 3,
-  "addresses": {
-    "http": "0.0.0.0"
-  },
-  "ui": true,
-  <% end %>
-  "bind_addr": "<%= @ipaddr %>",
-  "disable_remote_exec": false,
-  "disable_update_check": true,
-  "leave_on_terminate": true,
-  "retry_interval": "30s",
-  "data_dir": "/var/opt/consul",
-  "log_level": "INFO",
-  "enable_syslog": false,
-  "enable_script_checks": true,
-  "rejoin_after_leave": true,
-  "retry_join": <%= @manager_hosts %>,
-  "encrypt": "LPKrNBQZnJIc8tJpViI4ug==",
-  "server": <%= @manager %>
-}
--- a/cookbooks/consul/templates/etc/consul.d/consul-agent.hcl.erb
+++ b/cookbooks/consul/templates/etc/consul.d/consul-agent.hcl.erb
@ -0,0 +1,85 @@
+# Full configuration options can be found at https://www.consul.io/docs/agent/options.html
+
+# datacenter
+# This flag controls the datacenter in which the agent is running. If not provided,
+# it defaults to "dc1". Consul has first-class support for multiple datacenters, but
+# it relies on proper configuration. Nodes in the same datacenter should be on a
+# single LAN.
+#datacenter = "aws"
+
+# data_dir
+# This flag provides a data directory for the agent to store state. This is required
+# for all agents. The directory should be durable across reboots. This is especially
+# critical for agents that are running in server mode as they must be able to persist
+# cluster state. Additionally, the directory must support the use of filesystem
+# locking, meaning some types of mounted folders (e.g. VirtualBox shared folders) may
+# not be suitable.
+data_dir = "/opt/consul"
+
+# client_addr
+# The address to which Consul will bind client interfaces, including the HTTP and DNS
+# servers. By default, this is "127.0.0.1", allowing only loopback connections. In
+# Consul 1.0 and later this can be set to a space-separated list of addresses to bind
+# to, or a go-sockaddr template that can potentially resolve to multiple addresses.
+client_addr = "0.0.0.0"
+
+# ui
+# Enables the built-in web UI server and the required HTTP routes. This eliminates
+# the need to maintain the Consul web UI files separately from the binary.
+ui = false
+
+# server
+# This flag is used to control if an agent is in server or client mode. When provided,
+# an agent will act as a Consul server. Each Consul cluster must have at least one
+# server and ideally no more than 5 per datacenter. All servers participate in the Raft
+# consensus algorithm to ensure that transactions occur in a consistent, linearizable
+# manner. Transactions modify cluster state, which is maintained on all server nodes to
+# ensure availability in the case of node failure. Server nodes also participate in a
+# WAN gossip pool with server nodes in other datacenters. Servers act as gateways to
+# other datacenters and forward traffic as appropriate.
+#server = true
+
+# bootstrap_expect
+# This flag provides the number of expected servers in the datacenter. Either this value
+# should not be provided or the value must agree with other servers in the cluster. When
+# provided, Consul waits until the specified number of servers are available and then
+# bootstraps the cluster. This allows an initial leader to be elected automatically.
+# This cannot be used in conjunction with the legacy -bootstrap flag. This flag requires
+# -server mode.
+#bootstrap_expect=3
+
+# encrypt
+# Specifies the secret key to use for encryption of Consul network traffic. This key must
+# be 32-bytes that are Base64-encoded. The easiest way to create an encryption key is to
+# use consul keygen. All nodes within a cluster must share the same encryption key to
+# communicate. The provided key is automatically persisted to the data directory and loaded
+# automatically whenever the agent is restarted. This means that to encrypt Consul's gossip
+# protocol, this option only needs to be provided once on each agent's initial startup
+# sequence. If it is provided after Consul has been initialized with an encryption key,
+# then the provided key is ignored and a warning will be displayed.
+encrypt = "LPKrNBQZnJIc8tJpViI4ug=="
+
+# retry_join
+# Similar to -join but allows retrying a join until it is successful. Once it joins
+# successfully to a member in a list of members it will never attempt to join again.
+# Agents will then solely maintain their membership via gossip. This is useful for
+# cases where you know the address will eventually be available. This option can be
+# specified multiple times to specify multiple agents to join. The value can contain
+# IPv4, IPv6, or DNS addresses. In Consul 1.1.0 and later this can be set to a go-sockaddr
+# template. If Consul is running on the non-default Serf LAN port, this must be specified
+# as well. IPv6 must use the "bracketed" syntax. If multiple values are given, they are
+# tried and retried in the order listed until the first succeeds. Here are some examples:
+retry_join = <%= @manager_hosts %>
+
+bind_addr = "<%= @ipaddr %>"
+disable_remote_exec = false
+disable_update_check = false
+enable_local_script_checks = true
+
+log_file = "/var/log/consul/"
+log_rotate_max_files = -1
+log_level = "INFO"
+log_json = false
+log_rotate_bytes = 1000000
+
+rejoin_after_leave = true
--- a/cookbooks/consul/templates/etc/consul.d/consul-server.hcl.erb
+++ b/cookbooks/consul/templates/etc/consul.d/consul-server.hcl.erb
@ -0,0 +1,85 @@
+# Full configuration options can be found at https://www.consul.io/docs/agent/options.html
+
+# datacenter
+# This flag controls the datacenter in which the agent is running. If not provided,
+# it defaults to "dc1". Consul has first-class support for multiple datacenters, but
+# it relies on proper configuration. Nodes in the same datacenter should be on a
+# single LAN.
+#datacenter = "aws"
+
+# data_dir
+# This flag provides a data directory for the agent to store state. This is required
+# for all agents. The directory should be durable across reboots. This is especially
+# critical for agents that are running in server mode as they must be able to persist
+# cluster state. Additionally, the directory must support the use of filesystem
+# locking, meaning some types of mounted folders (e.g. VirtualBox shared folders) may
+# not be suitable.
+data_dir = "/opt/consul"
+
+# client_addr
+# The address to which Consul will bind client interfaces, including the HTTP and DNS
+# servers. By default, this is "127.0.0.1", allowing only loopback connections. In
+# Consul 1.0 and later this can be set to a space-separated list of addresses to bind
+# to, or a go-sockaddr template that can potentially resolve to multiple addresses.
+client_addr = "0.0.0.0"
+
+# ui
+# Enables the built-in web UI server and the required HTTP routes. This eliminates
+# the need to maintain the Consul web UI files separately from the binary.
+ui = true
+
+# server
+# This flag is used to control if an agent is in server or client mode. When provided,
+# an agent will act as a Consul server. Each Consul cluster must have at least one
+# server and ideally no more than 5 per datacenter. All servers participate in the Raft
+# consensus algorithm to ensure that transactions occur in a consistent, linearizable
+# manner. Transactions modify cluster state, which is maintained on all server nodes to
+# ensure availability in the case of node failure. Server nodes also participate in a
+# WAN gossip pool with server nodes in other datacenters. Servers act as gateways to
+# other datacenters and forward traffic as appropriate.
+server = true
+
+# bootstrap_expect
+# This flag provides the number of expected servers in the datacenter. Either this value
+# should not be provided or the value must agree with other servers in the cluster. When
+# provided, Consul waits until the specified number of servers are available and then
+# bootstraps the cluster. This allows an initial leader to be elected automatically.
+# This cannot be used in conjunction with the legacy -bootstrap flag. This flag requires
+# -server mode.
+bootstrap_expect=3
+
+# encrypt
+# Specifies the secret key to use for encryption of Consul network traffic. This key must
+# be 32-bytes that are Base64-encoded. The easiest way to create an encryption key is to
+# use consul keygen. All nodes within a cluster must share the same encryption key to
+# communicate. The provided key is automatically persisted to the data directory and loaded
+# automatically whenever the agent is restarted. This means that to encrypt Consul's gossip
+# protocol, this option only needs to be provided once on each agent's initial startup
+# sequence. If it is provided after Consul has been initialized with an encryption key,
+# then the provided key is ignored and a warning will be displayed.
+encrypt = "LPKrNBQZnJIc8tJpViI4ug=="
+
+# retry_join
+# Similar to -join but allows retrying a join until it is successful. Once it joins
+# successfully to a member in a list of members it will never attempt to join again.
+# Agents will then solely maintain their membership via gossip. This is useful for
+# cases where you know the address will eventually be available. This option can be
+# specified multiple times to specify multiple agents to join. The value can contain
+# IPv4, IPv6, or DNS addresses. In Consul 1.1.0 and later this can be set to a go-sockaddr
+# template. If Consul is running on the non-default Serf LAN port, this must be specified
+# as well. IPv6 must use the "bracketed" syntax. If multiple values are given, they are
+# tried and retried in the order listed until the first succeeds. Here are some examples:
+retry_join = <%= @manager_hosts %>
+
+bind_addr = "<%= @ipaddr %>"
+disable_remote_exec = false
+disable_update_check = false
+enable_local_script_checks = true
+
+log_file = "/var/log/consul/"
+log_rotate_max_files = -1
+log_level = "INFO"
+log_json = false
+log_rotate_bytes = 1000000
+
+rejoin_after_leave = true