Enable `Consul Connect` for client side.

2022-07-10 14:45:53 +09:00 · 2022-07-10 14:45:53 +09:00 · 73f7ec44b7
parent 37d51b5ed5
commit 73f7ec44b7
13 changed files with 153 additions and 1 deletions
--- a/cookbooks/consul-template/files/etc/default/consul-template
+++ b/cookbooks/consul-template/files/etc/default/consul-template
@ -1 +1,2 @@
 OPTIONS="-syslog -syslog-name=consul-template"
+VAULT_ADDR="http://192.168.10.142:8200"
--- a/cookbooks/consul/consul-connect-prep.rb
+++ b/cookbooks/consul/consul-connect-prep.rb
@ -0,0 +1,54 @@
+# Use Vault to retrieve the token to generate jwt.
+%w( roleid secretid ).each do |f|
+  encrypted_remote_file "/etc/vault.d/tokens/#{f}" do
+    owner 'root'
+    group 'root'
+    mode '0644'
+
+    source   "files/etc/vault.d/tokens/#{f}"
+    password ENV['ITAMAE_PASSWORD']
+  end
+end
+
+remote_file '/etc/vault.d/agent/consul-jwt.hcl' do
+  owner 'vault'
+  group 'vault'
+  mode  '0644'
+
+  notifies :restart, 'service[vault-agent-consul-jwt]'
+end
+
+remote_file '/etc/default/vault-agent-consul-jwt' do
+  owner 'vault'
+  group 'vault'
+  mode '0644'
+end
+
+remote_file '/etc/systemd/system/vault-agent-consul-jwt.service' do
+  owner 'root'
+  group 'root'
+  mode '0644'
+
+  notifies :restart, 'service[vault-agent-consul-jwt]'
+end
+
+service 'vault-agent-consul-jwt' do
+  action [:enable, :start]
+end
+
+# Use consul-template to retrieve the JWT token.
+remote_file '/etc/consul-template.d/conf/consul-jwt.conf' do
+  owner 'root'
+  group 'root'
+  mode '0644'
+
+  notifies :restart, 'service[consul-template]'
+end
+
+remote_file '/etc/consul-template.d/templates/consul-jwt.tmpl' do
+  owner 'root'
+  group 'root'
+  mode '0644'
+
+  notifies :restart, 'service[consul-template]'
+end
--- a/cookbooks/consul/default.rb
+++ b/cookbooks/consul/default.rb
@ -2,6 +2,7 @@ include_recipe './attributes.rb'

 include_recipe './install.rb'

+include_recipe './consul-connect-prep.rb'
 include_recipe './setup.rb'

 include_recipe './dnsmasq.rb'
--- a/cookbooks/consul/files/etc/consul-template.d/conf/consul-jwt.conf
+++ b/cookbooks/consul/files/etc/consul-template.d/conf/consul-jwt.conf
@ -0,0 +1,12 @@
+vault {
+  address                = "http://192.168.10.142:8200"
+
+  vault_agent_token_file = "/etc/consul-template.d/tokens/consul-jwt-vault-token"
+  renew_token            = true
+}
+
+template {
+  source      = "/etc/consul-template.d/templates/consul-jwt.tmpl"
+  destination = "/etc/consul.d/tokens/jwt"
+  perms       = 0666
+}
--- a/cookbooks/consul/files/etc/consul-template.d/templates/consul-jwt.tmpl
+++ b/cookbooks/consul/files/etc/consul-template.d/templates/consul-jwt.tmpl
@ -0,0 +1 @@
+{{with secret "identity/oidc/token/oidc-role"}}{{.Data.token}}{{end}}
--- a/cookbooks/consul/files/etc/consul.d/certs/consul-agent-ca.pem
+++ b/cookbooks/consul/files/etc/consul.d/certs/consul-agent-ca.pem
@ -0,0 +1,24 @@
+md5:4f683f562e56d8663a72584dfa67b247:salt:104-7-237-106-15-219-15-45:aes-256-cfb:/IYVG1CC7S1/KK5iEO1BUrlqH8/OddDGctvAzUZ8IVolFnt5C5e3evwjYjJ5
+F3sh4uVIMwEq2QSWjn+ZX54zaol/tAGLV18lb9fxIuPNL+bZqoUsM7w4nGL4
+s6uNSvbzku+YJ0iDNI38i2h0WpR/3PYfL0cnLsgt/I+cB7nzfY1HCwaUXj7V
+52IwwMtpIKxXVPyAF974Auwx7ar43IGDGXyYumgIeueJ7wP1dKi8NEb777Bz
+T6TMnauGWVJagMn7FQxXyNojui7qjzqJjnIZaE18ztObA9co9dgfuSE4TOhr
+nuZ0hvZ3bEIYt0B8QTBEoUR+mRoKCeUvc15kGU4aZNesg4GKa8lPMonQnrj2
+f6sOfru4UzHrkJNIHcgeFT+vSYo0s5co27y1oqtijWpnZ0oUd8brBP9KI+rB
+sdWaXltx+sEJKWULZRspFRGWvJl/QPTTRMJtSKBKfa4xo66LkZatVGgr5+HP
+1a6S/m6QW0d9J/Bcd9LYO2RRZSDYYC3DJgXNwPhd9EQ2m7nLl6fZbt3uFzYa
+rFdgmlPwugrvm4IZOjAT5msf6BC3BLxbYR2TvM+TKaID/ZuzRmsxEmosBRmo
+Qp2fLJsm32kgDiY11oRHD2q+MZdxI6YZ2ht87j4ZNHYwTsvsqxMKfcAaXQ4z
+Jb/IwTYNWxLYFSSNMJEaWnIrOOun0sqtb8ne0Y32ZKdy2us2ntR3segvKkt4
+h7En4rhKHxAwxiv9HAs6aOgafqdOX9OeTfqfhmxALJUgwg3GlNrvT5VD+Jz5
+67/AsMaOiu+3k/VxyBMijmRXR6mOxwNR75AuynfIBg7TLjfzDu3FrEDdyS0F
+AzYr9OW88ch3jTvQ67rfZ1TyFIpe1a99+I8ia7FVyVNxowL/uXkepdLqTCsg
+lMcWIFRJWsDelVJ8YFBe9DgtzWXzEWgujwMD9A3G1y8KL7aS/5dDC8vX5/fj
+xPIzEyQ2L/Knf+UVlsFzAs2K2vZVIDYkLVnoF7RRB2JSR9AdVAhRYGZR3igZ
+9yArvqb1eybAlEOT6rGqnQY+WL7ICCz0oyP0QWUhctt6bzPwHA1wqMnpGfuS
+GD6Kr5+ePhheEvBg23AfcrmZPr30MVa0IHomeQlT4qik6zc239mge1r45Ru0
+5zvSj/EvfcN8hq/Ds8byURgE2oOXal1EgIvuuQ3dQk4ePETKonJp3LtZCHk2
+yqBQHBbYpzdmKaR4TCecOf0O3Q3IvIE1CpTDhGtN0JbWit8VBBm43VXf6b8S
+o50fwoVgroRSjoN5LpaTmUWhM+Z9fKIZsPeGNP8W4fhKRCaME3WL5W2T6t8T
+0/wEl5izZx9/oLlzHzdqCLCoZZCiVN/E9BlgbzrT/3aFYadBvJ2C2FS5q2Ip
+1/CPwO3V3CW7cQp575PY/ZfbnmPsF68ZBPOC0MPcOySi9ikICmOT
--- a/cookbooks/consul/files/etc/default/vault-agent-consul-jwt
+++ b/cookbooks/consul/files/etc/default/vault-agent-consul-jwt
@ -0,0 +1 @@
+VAULT_ADDR="http://192.168.10.142:8200"
--- a/cookbooks/consul/files/etc/systemd/system/vault-agent-consul-jwt.service
+++ b/cookbooks/consul/files/etc/systemd/system/vault-agent-consul-jwt.service
@ -0,0 +1,13 @@
+[Unit]
+Description=Vault Agent
+Requires=network-online.target
+After=network-online.target
+
+[Service]
+EnvironmentFile=-/etc/default/vault-agent-consul-jwt
+Restart=on-failure
+ExecStart=/usr/bin/vault agent -config=/etc/vault.d/agent/consul-jwt.hcl
+KillSignal=SIGINT
+
+[Install]
+WantedBy=multi-user.target
--- a/cookbooks/consul/files/etc/vault.d/agent/consul-jwt.hcl
+++ b/cookbooks/consul/files/etc/vault.d/agent/consul-jwt.hcl
@ -0,0 +1,19 @@
+auto_auth {
+  method {
+    type = "approle"
+
+    config = {
+      role_id_file_path = "/etc/vault.d/tokens/roleid"
+      secret_id_file_path = "/etc/vault.d/tokens/secretid"
+      remove_secret_id_file_after_reading = false
+    }
+  }
+
+  sink {
+    type = "file"
+
+    config = {
+      path = "/etc/consul-template.d/tokens/consul-jwt-vault-token"
+    }
+  }
+}
--- a/cookbooks/consul/files/etc/vault.d/tokens/roleid
+++ b/cookbooks/consul/files/etc/vault.d/tokens/roleid
@ -0,0 +1 @@
+md5:3589fac78cfe7ae33551d6478f20e2cd:salt:229-185-78-119-188-9-161-204:aes-256-cfb:aqhITLoIN7UEBZRyMeO+xwAqfZrz7VXUVcre+Fip/RhqzfWZaQ==
--- a/cookbooks/consul/files/etc/vault.d/tokens/secretid
+++ b/cookbooks/consul/files/etc/vault.d/tokens/secretid
@ -0,0 +1 @@
+md5:98b157199b9f17446254894788740c7d:salt:233-189-165-36-170-54-151-47:aes-256-cfb:gB1Ml+Bg2iNwwd76Qn7C8+mVlzKT9Ndb0W3R0g2PTQyF7ejNJg==
--- a/cookbooks/consul/setup.rb
+++ b/cookbooks/consul/setup.rb
@ -1,3 +1,25 @@
+# Create directories
+%w( certs howto misc policies tokens ).each do |d|
+  directory "/etc/consul.d/#{d}" do
+    owner 'consul'
+    group 'consul'
+    mode  '0755'
+  end
+end
+
+# deploy certificates
+if node['consul']['manager']
+else
+  encrypted_remote_file '/etc/consul.d/certs/consul-agent-ca.pem' do
+    owner 'consul'
+    group 'consul'
+    mode '0444'
+
+    source   'files/etc/consul.d/certs/consul-agent-ca.pem'
+    password ENV['ITAMAE_PASSWORD']
+  end
+end
+
 if node['consul']['manager']
  SRC = 'consul-server.hcl.erb'
 else
@ -12,6 +34,8 @@ template '/etc/consul.d/consul.hcl' do
  variables(manager: node['consul']['manager'],
            manager_hosts: node['consul']['manager_hosts'],
            ipaddr: node['consul']['ipaddr'],
+            encrypt: node['consul']['encrypt'],
+            token: node['consul']['token'],
           )

  source "templates/etc/consul.d/#{SRC}"
--- a/roles/base.rb
+++ b/roles/base.rb
@ -2,8 +2,8 @@ include_recipe '../cookbooks/base/default.rb'
 include_recipe '../cookbooks/kazu634/default.rb'
 include_recipe '../cookbooks/supervisor/default.rb'
 include_recipe '../cookbooks/vault/default.rb'
-include_recipe '../cookbooks/consul/default.rb'
 include_recipe '../cookbooks/consul-template/default.rb'
+include_recipe '../cookbooks/consul/default.rb'
 include_recipe '../cookbooks/fzf/default.rb'
 include_recipe '../cookbooks/promtail/default.rb'
 include_recipe '../cookbooks/vector/default.rb'
				`@ -0,0 +1 @@`
				`{{with secret "identity/oidc/token/oidc-role"}}{{.Data.token}}{{end}}`
				`@ -0,0 +1 @@`
				`md5:3589fac78cfe7ae33551d6478f20e2cd:salt:229-185-78-119-188-9-161-204:aes-256-cfb:aqhITLoIN7UEBZRyMeO+xwAqfZrz7VXUVcre+Fip/RhqzfWZaQ==`
				`@ -0,0 +1 @@`
				`md5:98b157199b9f17446254894788740c7d:salt:233-189-165-36-170-54-151-47:aes-256-cfb:gB1Ml+Bg2iNwwd76Qn7C8+mVlzKT9Ndb0W3R0g2PTQyF7ejNJg==`