From 73f7ec44b710164fb3ff8331d6f5ee1c2e0d7dea Mon Sep 17 00:00:00 2001
From: Kazuhiro MUSASHI
Date: Sun, 10 Jul 2022 14:45:53 +0900
Subject: [PATCH] Enable `Consul Connect` for client side.
---
.../files/etc/default/consul-template | 1 +
cookbooks/consul/consul-connect-prep.rb | 54 +++++++++++++++++++
cookbooks/consul/default.rb | 1 +
.../consul-template.d/conf/consul-jwt.conf | 12 +++++
.../templates/consul-jwt.tmpl | 1 +
.../etc/consul.d/certs/consul-agent-ca.pem | 24 +++++++++
.../files/etc/default/vault-agent-consul-jwt | 1 +
.../system/vault-agent-consul-jwt.service | 13 +++++
.../files/etc/vault.d/agent/consul-jwt.hcl | 19 +++++++
.../consul/files/etc/vault.d/tokens/roleid | 1 +
.../consul/files/etc/vault.d/tokens/secretid | 1 +
cookbooks/consul/setup.rb | 24 +++++++++
roles/base.rb | 2 +-
13 files changed, 153 insertions(+), 1 deletion(-)
create mode 100644 cookbooks/consul/consul-connect-prep.rb
create mode 100644 cookbooks/consul/files/etc/consul-template.d/conf/consul-jwt.conf
create mode 100644 cookbooks/consul/files/etc/consul-template.d/templates/consul-jwt.tmpl
create mode 100644 cookbooks/consul/files/etc/consul.d/certs/consul-agent-ca.pem
create mode 100644 cookbooks/consul/files/etc/default/vault-agent-consul-jwt
create mode 100644 cookbooks/consul/files/etc/systemd/system/vault-agent-consul-jwt.service
create mode 100644 cookbooks/consul/files/etc/vault.d/agent/consul-jwt.hcl
create mode 100644 cookbooks/consul/files/etc/vault.d/tokens/roleid
create mode 100644 cookbooks/consul/files/etc/vault.d/tokens/secretid
diff --git a/cookbooks/consul-template/files/etc/default/consul-template b/cookbooks/consul-template/files/etc/default/consul-template
index 769569a..cdf1c6c 100644
--- a/cookbooks/consul-template/files/etc/default/consul-template
+++ b/cookbooks/consul-template/files/etc/default/consul-template
@@ -1 +1,2 @@
 OPTIONS="-syslog -syslog-name=consul-template"
+VAULT_ADDR="http://192.168.10.142:8200"
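Review bot: `VAULT_ADDR` points at Vault over plain `http://`, so the Vault agent token consul-template reads and the OIDC JWT it fetches cross the network unencrypted and can be read or swapped by anything on the path. The same scheme appears in `address = "http://192.168.10.142:8200"` in consul-jwt.conf and in `/etc/default/vault-agent-consul-jwt`, so fixing one without the others leaves the gap open. If the Vault listener has TLS, switch all three to `https://` and point `VAULT_CACERT` (or `ca_cert` in the consul-template `vault` stanza) at the CA; if it deliberately does not, a comment here recording that decision would let the next reader see the risk was accepted rather than overlooked.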
diff --git a/cookbooks/consul/consul-connect-prep.rb b/cookbooks/consul/consul-connect-prep.rb
new file mode 100644
index 0000000..39e41e2
--- /dev/null
+++ b/cookbooks/consul/consul-connect-prep.rb
@@ -0,0 +1,54 @@
+# Use Vault to retrieve the token to generate jwt.
+%w( roleid secretid ).each do |f|
+ encrypted_remote_file "/etc/vault.d/tokens/#{f}" do
+ owner 'root'
+ group 'root'
+ mode '0644'
+
+ source "files/etc/vault.d/tokens/#{f}"
+ password ENV['ITAMAE_PASSWORD']
+ end
+end
+
+remote_file '/etc/vault.d/agent/consul-jwt.hcl' do
+ owner 'vault'
+ group 'vault'
+ mode '0644'
+
+ notifies :restart, 'service[vault-agent-consul-jwt]'
+end
+
+remote_file '/etc/default/vault-agent-consul-jwt' do
+ owner 'vault'
+ group 'vault'
+ mode '0644'
+end
+
+remote_file '/etc/systemd/system/vault-agent-consul-jwt.service' do
+ owner 'root'
+ group 'root'
+ mode '0644'
+
+ notifies :restart, 'service[vault-agent-consul-jwt]'
+end
+
+service 'vault-agent-consul-jwt' do
+ action [:enable, :start]
+end
+
+# Use consul-template to retrieve the JWT token.
+remote_file '/etc/consul-template.d/conf/consul-jwt.conf' do
+ owner 'root'
+ group 'root'
+ mode '0644'
+
+ notifies :restart, 'service[consul-template]'
+end
+
+remote_file '/etc/consul-template.d/templates/consul-jwt.tmpl' do
+ owner 'root'
+ group 'root'
+ mode '0644'
+
+ notifies :restart, 'service[consul-template]'
+end
diff --git a/cookbooks/consul/default.rb b/cookbooks/consul/default.rb
index 0320fb8..c18b94b 100644
--- a/cookbooks/consul/default.rb
+++ b/cookbooks/consul/default.rb
@@ -2,6 +2,7 @@ include_recipe './attributes.rb' include_recipe './install.rb' +include_recipe './consul-connect-prep.rb' include_recipe './setup.rb' include_recipe './dnsmasq.rb'
diff --git a/cookbooks/consul/files/etc/consul-template.d/conf/consul-jwt.conf b/cookbooks/consul/files/etc/consul-template.d/conf/consul-jwt.conf
new file mode 100644
index 0000000..f7519ce
--- /dev/null
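Review bot: `/etc/vault.d/tokens/secretid` is the AppRole secret_id, yet the `encrypted_remote_file` loop installs it as root:root with `mode '0644'`, so every local account can read the credential that mints Vault tokens (the roleid is less sensitive but gets the same treatment). Because the agent config keeps the file with `remove_secret_id_file_after_reading = false`, this is a permanent exposure rather than a one-shot one; use `mode '0400'` (or `'0440'` with `group 'vault'`) and make the owner the account the agent actually runs as. The unit file in this patch sets no `User=`, while `/etc/vault.d/agent/consul-jwt.hcl` and `/etc/default/vault-agent-consul-jwt` are installed as `owner 'vault'`, so a process running as root loads configuration the `vault` account can rewrite; either these two should be root-owned or the service should run as vault, and the two decisions belong together. The recipe also assumes `/etc/vault.d/tokens`, `/etc/vault.d/agent` and `/etc/consul-template.d/tokens` already exist — presumably created by the vault and consul-template cookbooks — which deserves a comment at the top.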
+++ b/cookbooks/consul/files/etc/consul-template.d/conf/consul-jwt.conf
@@ -0,0 +1,12 @@
+vault {
+ address = "http://192.168.10.142:8200"
+
+ vault_agent_token_file = "/etc/consul-template.d/tokens/consul-jwt-vault-token"
+ renew_token = true
+}
+
+template {
+ source = "/etc/consul-template.d/templates/consul-jwt.tmpl"
+ destination = "/etc/consul.d/tokens/jwt"
+ perms = 0666
+}
diff --git a/cookbooks/consul/files/etc/consul-template.d/templates/consul-jwt.tmpl b/cookbooks/consul/files/etc/consul-template.d/templates/consul-jwt.tmpl
new file mode 100644
index 0000000..d9e97b2
--- /dev/null
+++ b/cookbooks/consul/files/etc/consul-template.d/templates/consul-jwt.tmpl
@@ -0,0 +1 @@
+{{with secret "identity/oidc/token/oidc-role"}}{{.Data.token}}{{end}}
diff --git a/cookbooks/consul/files/etc/consul.d/certs/consul-agent-ca.pem b/cookbooks/consul/files/etc/consul.d/certs/consul-agent-ca.pem
new file mode 100644
index 0000000..7e561d2
--- /dev/null
+++ b/cookbooks/consul/files/etc/consul.d/certs/consul-agent-ca.pem
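Review bot: `perms = 0666` makes the rendered JWT at `/etc/consul.d/tokens/jwt` world-readable and world-writable, so any local user can read the identity token Consul presents or overwrite it with a different one. Only the consul user needs to read it; set `perms = 0640` and, if the deployed consul-template version supports them, the template stanza's `user`/`group` fields (the setup.rb hunk already creates `/etc/consul.d/tokens` as consul:consul, so the directory side is in place). `address` repeats the plain-`http://` Vault URL raised on the consul-template defaults hunk.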
@@ -0,0 +1,24 @@
+md5:4f683f562e56d8663a72584dfa67b247:salt:104-7-237-106-15-219-15-45:aes-256-cfb:/IYVG1CC7S1/KK5iEO1BUrlqH8/OddDGctvAzUZ8IVolFnt5C5e3evwjYjJ5
+F3sh4uVIMwEq2QSWjn+ZX54zaol/tAGLV18lb9fxIuPNL+bZqoUsM7w4nGL4
+s6uNSvbzku+YJ0iDNI38i2h0WpR/3PYfL0cnLsgt/I+cB7nzfY1HCwaUXj7V
+52IwwMtpIKxXVPyAF974Auwx7ar43IGDGXyYumgIeueJ7wP1dKi8NEb777Bz
+T6TMnauGWVJagMn7FQxXyNojui7qjzqJjnIZaE18ztObA9co9dgfuSE4TOhr
+nuZ0hvZ3bEIYt0B8QTBEoUR+mRoKCeUvc15kGU4aZNesg4GKa8lPMonQnrj2
+f6sOfru4UzHrkJNIHcgeFT+vSYo0s5co27y1oqtijWpnZ0oUd8brBP9KI+rB
+sdWaXltx+sEJKWULZRspFRGWvJl/QPTTRMJtSKBKfa4xo66LkZatVGgr5+HP
+1a6S/m6QW0d9J/Bcd9LYO2RRZSDYYC3DJgXNwPhd9EQ2m7nLl6fZbt3uFzYa
+rFdgmlPwugrvm4IZOjAT5msf6BC3BLxbYR2TvM+TKaID/ZuzRmsxEmosBRmo
+Qp2fLJsm32kgDiY11oRHD2q+MZdxI6YZ2ht87j4ZNHYwTsvsqxMKfcAaXQ4z
+Jb/IwTYNWxLYFSSNMJEaWnIrOOun0sqtb8ne0Y32ZKdy2us2ntR3segvKkt4
+h7En4rhKHxAwxiv9HAs6aOgafqdOX9OeTfqfhmxALJUgwg3GlNrvT5VD+Jz5
+67/AsMaOiu+3k/VxyBMijmRXR6mOxwNR75AuynfIBg7TLjfzDu3FrEDdyS0F
+AzYr9OW88ch3jTvQ67rfZ1TyFIpe1a99+I8ia7FVyVNxowL/uXkepdLqTCsg
+lMcWIFRJWsDelVJ8YFBe9DgtzWXzEWgujwMD9A3G1y8KL7aS/5dDC8vX5/fj
+xPIzEyQ2L/Knf+UVlsFzAs2K2vZVIDYkLVnoF7RRB2JSR9AdVAhRYGZR3igZ
+9yArvqb1eybAlEOT6rGqnQY+WL7ICCz0oyP0QWUhctt6bzPwHA1wqMnpGfuS
+GD6Kr5+ePhheEvBg23AfcrmZPr30MVa0IHomeQlT4qik6zc239mge1r45Ru0
+5zvSj/EvfcN8hq/Ds8byURgE2oOXal1EgIvuuQ3dQk4ePETKonJp3LtZCHk2
+yqBQHBbYpzdmKaR4TCecOf0O3Q3IvIE1CpTDhGtN0JbWit8VBBm43VXf6b8S
+o50fwoVgroRSjoN5LpaTmUWhM+Z9fKIZsPeGNP8W4fhKRCaME3WL5W2T6t8T
+0/wEl5izZx9/oLlzHzdqCLCoZZCiVN/E9BlgbzrT/3aFYadBvJ2C2FS5q2Ip
+1/CPwO3V3CW7cQp575PY/ZfbnmPsF68ZBPOC0MPcOySi9ikICmOT
\ No newline at end of file
diff --git a/cookbooks/consul/files/etc/default/vault-agent-consul-jwt b/cookbooks/consul/files/etc/default/vault-agent-consul-jwt
new file mode 100644
index 0000000..2fc3ddc
--- /dev/null
+++ b/cookbooks/consul/files/etc/default/vault-agent-consul-jwt
@@ -0,0 +1 @@
+VAULT_ADDR="http://192.168.10.142:8200"
diff --git a/cookbooks/consul/files/etc/systemd/system/vault-agent-consul-jwt.service b/cookbooks/consul/files/etc/systemd/system/vault-agent-consul-jwt.service
new file mode 100644
index 0000000..05052a7
--- /dev/null
+++ b/cookbooks/consul/files/etc/systemd/system/vault-agent-consul-jwt.service
@@ -0,0 +1,13 @@
+[Unit]
+Description=Vault Agent
+Requires=network-online.target
+After=network-online.target
+
+[Service]
+EnvironmentFile=-/etc/default/vault-agent-consul-jwt
+Restart=on-failure
+ExecStart=/usr/bin/vault agent -config=/etc/vault.d/agent/consul-jwt.hcl
+KillSignal=SIGINT
+
+[Install]
+WantedBy=multi-user.target
diff --git a/cookbooks/consul/files/etc/vault.d/agent/consul-jwt.hcl b/cookbooks/consul/files/etc/vault.d/agent/consul-jwt.hcl
new file mode 100644
index 0000000..2d78139
--- /dev/null
+++ b/cookbooks/consul/files/etc/vault.d/agent/consul-jwt.hcl
@@ -0,0 +1,19 @@
+auto_auth {
+ method {
+ type = "approle"
+
+ config = {
+ role_id_file_path = "/etc/vault.d/tokens/roleid"
+ secret_id_file_path = "/etc/vault.d/tokens/secretid"
+ remove_secret_id_file_after_reading = false
+ }
+ }
+
+ sink {
+ type = "file"
+
+ config = {
+ path = "/etc/consul-template.d/tokens/consul-jwt-vault-token"
+ }
+ }
+}
diff --git a/cookbooks/consul/files/etc/vault.d/tokens/roleid b/cookbooks/consul/files/etc/vault.d/tokens/roleid
new file mode 100644
index 0000000..37cce95
--- /dev/null
+++ b/cookbooks/consul/files/etc/vault.d/tokens/roleid
@@ -0,0 +1 @@
+md5:3589fac78cfe7ae33551d6478f20e2cd:salt:229-185-78-119-188-9-161-204:aes-256-cfb:aqhITLoIN7UEBZRyMeO+xwAqfZrz7VXUVcre+Fip/RhqzfWZaQ==
\ No newline at end of file
diff --git a/cookbooks/consul/files/etc/vault.d/tokens/secretid b/cookbooks/consul/files/etc/vault.d/tokens/secretid
new file mode 100644
index 0000000..330c158
--- /dev/null
+++ b/cookbooks/consul/files/etc/vault.d/tokens/secretid
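Review bot: The `[Service]` section has no `User=`/`Group=`, so `vault agent` runs as root although it only needs to read two token files and write one sink file, and the `EnvironmentFile` and `-config` it loads are installed as owner `vault` elsewhere in this patch. Add `User=vault` and `Group=vault` (and give `/etc/vault.d/tokens` matching ownership), or keep root and make those config files root-owned; as written, the ownership and the execution identity point in opposite directions. Once the service has its own user, `NoNewPrivileges=yes` and the usual filesystem sandboxing directives can bound what a misbehaving agent could touch.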
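Review bot: `remove_secret_id_file_after_reading = false` keeps the AppRole secret_id at `/etc/vault.d/tokens/secretid` for the life of the host, so its exposure is bounded by that file's permissions rather than by the agent's first read; if the intent is to survive restarts without re-provisioning, a comment above the line should say so, otherwise the default (delete after reading) paired with a short-TTL or wrapped secret_id is the safer shape. The file sink writes a live Vault token to `/etc/consul-template.d/tokens/consul-jwt-vault-token` with the agent's default owner and mode — root-owned unless the unit gains a `User=` — and consul-template must be able to read it; setting the sink's `mode` explicitly (and `dh_type`/`dh_path` if the token should not sit in plaintext) makes that contract visible. There is no `vault { address = ... }` block, so the agent depends entirely on `VAULT_ADDR` from the EnvironmentFile; a one-line comment noting that dependency would help the next reader.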
@@ -0,0 +1 @@
+md5:98b157199b9f17446254894788740c7d:salt:233-189-165-36-170-54-151-47:aes-256-cfb:gB1Ml+Bg2iNwwd76Qn7C8+mVlzKT9Ndb0W3R0g2PTQyF7ejNJg==
\ No newline at end of file
diff --git a/cookbooks/consul/setup.rb b/cookbooks/consul/setup.rb
index 8df65c2..4e631af 100644
--- a/cookbooks/consul/setup.rb
+++ b/cookbooks/consul/setup.rb
@@ -1,3 +1,25 @@
+# Create directories
+%w( certs howto misc policies tokens ).each do |d|
+ directory "/etc/consul.d/#{d}" do
+ owner 'consul'
+ group 'consul'
+ mode '0755'
+ end
+end
+
+# deploy certificates
+if node['consul']['manager']
+else
+ encrypted_remote_file '/etc/consul.d/certs/consul-agent-ca.pem' do
+ owner 'consul'
+ group 'consul'
+ mode '0444'
+
+ source 'files/etc/consul.d/certs/consul-agent-ca.pem'
+ password ENV['ITAMAE_PASSWORD']
+ end
+end
+
 if node['consul']['manager']
 SRC = 'consul-server.hcl.erb'
 else
@@ -12,6 +34,8 @@ template '/etc/consul.d/consul.hcl' do variables(manager: node['consul']['manager'], manager_hosts: node['consul']['manager_hosts'], ipaddr: node['consul']['ipaddr'], + encrypt: node['consul']['encrypt'], + token: node['consul']['token'], ) source "templates/etc/consul.d/#{SRC}"
diff --git a/roles/base.rb b/roles/base.rb
index bb1c47e..fc33af1 100644
--- a/roles/base.rb
+++ b/roles/base.rb
@@ -2,8 +2,8 @@ include_recipe '../cookbooks/base/default.rb'
 include_recipe '../cookbooks/kazu634/default.rb'
 include_recipe '../cookbooks/supervisor/default.rb'
 include_recipe '../cookbooks/vault/default.rb'
-include_recipe '../cookbooks/consul/default.rb'
 include_recipe '../cookbooks/consul-template/default.rb'
+include_recipe '../cookbooks/consul/default.rb'
 include_recipe '../cookbooks/fzf/default.rb'
 include_recipe '../cookbooks/promtail/default.rb'
 include_recipe '../cookbooks/vector/default.rb'
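Review bot: The `if node['consul']['manager']` / `else` at the top of the deploy-certificates block has an empty true branch, which reads as if a server-side step was forgotten; write it as `unless node['consul']['manager']`, or add a comment stating that managers need nothing here, so the intent is explicit. The `tokens` directory is created at `0755` in the same loop as `howto` and `misc`, yet it is where consul-jwt.conf will render the JWT with `perms = 0666`; a stricter mode for that one entry (or a comment explaining why it must be traversable by everyone) would keep the decision visible, although the template's own perms are the real fix.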
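Review bot: `encrypt: node['consul']['encrypt']` and `token: node['consul']['token']` feed the gossip encryption key and an ACL token into the rendered `/etc/consul.d/consul.hcl`, so that file now carries two secrets; the `template` resource's `owner`/`mode` lines sit above this hunk and are not visible here, so confirm it is not left world-readable and tighten it to `mode '0640'` with `owner 'consul'` if it is. `node['consul']['token']` also does not say which token this is (agent, default or a management token), and since it lands on every client a short comment naming the policy it carries would help keep it least-privilege. The enclosing `template` block starts and ends outside this hunk.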
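Review bot: Moving `include_recipe '../cookbooks/consul/default.rb'` below consul-template introduces an ordering dependency with no explanation at the call site; the new consul-connect-prep.rb recipe notifies `service[consul-template]`, which presumably only resolves once that cookbook has declared the service. A comment such as `# consul must follow consul-template: consul-connect-prep.rb notifies service[consul-template]` above the moved line records why the order matters and stops a later tidy-up from reverting it.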