From 94489f71d510fe64498b471dd324d9c842171b2d Mon Sep 17 00:00:00 2001
From: Kazuhiro MUSASHI
Date: Sun, 10 Jul 2022 14:31:18 +0900
Subject: [PATCH] Modify `consul.hcl` template to support `Consul Connect`.
---
 cookbooks/consul/attributes.rb | 6 +-
 .../etc/consul.d/consul-agent.hcl.erb | 118 +++++++-----------
 2 files changed, 46 insertions(+), 78 deletions(-)
diff --git a/cookbooks/consul/attributes.rb b/cookbooks/consul/attributes.rb
index 1862167..26c1599 100644
--- a/cookbooks/consul/attributes.rb
+++ b/cookbooks/consul/attributes.rb
@@ -19,8 +19,10 @@ dns = run_command(cmd).stdout.chomp
 node.reverse_merge!({
 'consul' => {
 'manager' => false,
- 'manager_hosts' => '["192.168.10.101", "192.168.10.251", "192.168.10.252"]',
+ 'manager_hosts' => '"192.168.10.101", "192.168.10.251", "192.168.10.252", "192.168.10.253"',
 'ipaddr' => ipaddr,
- 'dns' => dns
+ 'dns' => dns,
+ 'encrypt' => 's2T3XUTb9MjHYOw8I820O5YkN2G6eJrjLjJRTnEAKoM=',
+ 'token' => 'acb7096c-dcda-775a-b52c-b47c96b38d0e'
 }
 })
diff --git a/cookbooks/consul/templates/etc/consul.d/consul-agent.hcl.erb b/cookbooks/consul/templates/etc/consul.d/consul-agent.hcl.erb
index ab8e22f..e72a197 100644
--- a/cookbooks/consul/templates/etc/consul.d/consul-agent.hcl.erb
+++ b/cookbooks/consul/templates/etc/consul.d/consul-agent.hcl.erb
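Review bot: The new `'encrypt'` and `'token'` defaults on the two added lines commit a live gossip encryption key and an ACL token to the cookbook as plaintext, so anyone with read access to the repository (and to its history from now on) can join the gossip pool and act with that token's privileges. Both should be supplied at converge time instead, e.g. `'encrypt' => ENV.fetch('CONSUL_ENCRYPT_KEY')` (variable name illustrative) or read from a file kept outside the repo, and since the values are already in history they should be treated as disclosed: generate a fresh key with `consul keygen` and a new token with `consul acl token create`, then rotate them in. The template this replaces already carried a hard-coded key, so the pattern predates this commit, but adding an ACL token raises the stakes. Separately, `manager_hosts` changes from a JSON array literal to a bare comma-separated list, which only works if every consumer wraps it in `[ ]` the way the new template does.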
@@ -1,85 +1,51 @@
-# Full configuration options can be found at https://www.consul.io/docs/agent/options.html
+datacenter = "dc1"
+data_dir = "/opt/consul"
-# datacenter
-# This flag controls the datacenter in which the agent is running. If not provided,
-# it defaults to "dc1". Consul has first-class support for multiple datacenters, but
-# it relies on proper configuration. Nodes in the same datacenter should be on a
-# single LAN.
-#datacenter = "aws"
+encrypt = "<%= @encrypt %>"
+verify_incoming = true
+verify_outgoing = true
+verify_server_hostname = true
-# data_dir
-# This flag provides a data directory for the agent to store state. This is required
-# for all agents. The directory should be durable across reboots. This is especially
-# critical for agents that are running in server mode as they must be able to persist
-# cluster state. Additionally, the directory must support the use of filesystem
-# locking, meaning some types of mounted folders (e.g. VirtualBox shared folders) may
-# not be suitable.
-data_dir = "/opt/consul"
+ca_file = "/etc/consul.d/certs/consul-agent-ca.pem"
-# client_addr
-# The address to which Consul will bind client interfaces, including the HTTP and DNS
-# servers. By default, this is "127.0.0.1", allowing only loopback connections. In
-# Consul 1.0 and later this can be set to a space-separated list of addresses to bind
-# to, or a go-sockaddr template that can potentially resolve to multiple addresses.
-client_addr = "0.0.0.0"
+bind_addr = "0.0.0.0"
+client_addr = "0.0.0.0"
+advertise_addr = "<%= @ipaddr %>"
-# ui
-# Enables the built-in web UI server and the required HTTP routes. This eliminates
-# the need to maintain the Consul web UI files separately from the binary.
-ui = false
+performance {
+ raft_multiplier = 1
+}
-# server
-# This flag is used to control if an agent is in server or client mode. When provided,
-# an agent will act as a Consul server. Each Consul cluster must have at least one
-# server and ideally no more than 5 per datacenter. All servers participate in the Raft
-# consensus algorithm to ensure that transactions occur in a consistent, linearizable
-# manner. Transactions modify cluster state, which is maintained on all server nodes to
-# ensure availability in the case of node failure. Server nodes also participate in a
-# WAN gossip pool with server nodes in other datacenters. Servers act as gateways to
-# other datacenters and forward traffic as appropriate.
-#server = true
-
-# bootstrap_expect
-# This flag provides the number of expected servers in the datacenter. Either this value
-# should not be provided or the value must agree with other servers in the cluster. When
-# provided, Consul waits until the specified number of servers are available and then
-# bootstraps the cluster. This allows an initial leader to be elected automatically.
-# This cannot be used in conjunction with the legacy -bootstrap flag. This flag requires
-# -server mode.
-#bootstrap_expect=3
-
-# encrypt
-# Specifies the secret key to use for encryption of Consul network traffic. This key must
-# be 32-bytes that are Base64-encoded. The easiest way to create an encryption key is to
-# use consul keygen. All nodes within a cluster must share the same encryption key to
-# communicate. The provided key is automatically persisted to the data directory and loaded
-# automatically whenever the agent is restarted. This means that to encrypt Consul's gossip
-# protocol, this option only needs to be provided once on each agent's initial startup
-# sequence. If it is provided after Consul has been initialized with an encryption key,
-# then the provided key is ignored and a warning will be displayed.
-encrypt = "LPKrNBQZnJIc8tJpViI4ug=="
-
-# retry_join
-# Similar to -join but allows retrying a join until it is successful. Once it joins
-# successfully to a member in a list of members it will never attempt to join again.
-# Agents will then solely maintain their membership via gossip. This is useful for
-# cases where you know the address will eventually be available. This option can be
-# specified multiple times to specify multiple agents to join. The value can contain
-# IPv4, IPv6, or DNS addresses. In Consul 1.1.0 and later this can be set to a go-sockaddr
-# template. If Consul is running on the non-default Serf LAN port, this must be specified
-# as well. IPv6 must use the "bracketed" syntax. If multiple values are given, they are
-# tried and retried in the order listed until the first succeeds. Here are some examples:
-retry_join = <%= @manager_hosts %>
-
-bind_addr = "<%= @ipaddr %>"
-disable_remote_exec = false
-disable_update_check = false
+disable_update_check = false
 enable_local_script_checks = true
-log_file = "/var/log/consul/"
+log_file = "/var/log/consul/"
 log_rotate_max_files = -1
-log_level = "INFO"
-log_json = false
-log_rotate_bytes = 1000000
+log_level = "INFO"
+log_json = false
+log_rotate_bytes = 1000000
-rejoin_after_leave = true
+enable_central_service_config = true
+ports {
+ grpc = 8502
+}
+connect {
+ enabled = true
+}
+
+telemetry {
+ prometheus_retention_time = "24h"
+ disable_hostname = true
+}
+
+auto_config {
+ enabled = true
+ intro_token_file = "/etc/consul.d/tokens/jwt"
+ server_addresses = [ <%= @manager_hosts %> ]
+}
+
+acl {
+ tokens {
+ default = "<%= @token %>"
+ }
+}
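Review bot: The added `acl { tokens { default = "<%= @token %>" } }` block, combined with `client_addr = "0.0.0.0"` a few lines above, gives the token's privileges to every unauthenticated request that reaches the agent's HTTP API on any interface, because Consul applies the `default` token to requests that carry no token of their own. Use the token for the agent's own operations with `agent = "<%= @token %>"` and leave `default` unset or pointed at a minimal-policy token, and bind the API to loopback with `addresses { http = "127.0.0.1" }` (or disable plaintext HTTP with `ports { http = -1 }` and serve `https` on 8501) so the TLS settings added at the top actually cover API traffic. The rendered file now contains both the ACL token and the gossip key, so the resource that writes `/etc/consul.d/` should set restrictive ownership and mode; that recipe is outside this diff. `verify_incoming = true` is set with only `ca_file`, which works for client agents that obtain their certificate through `auto_config`, but if this template is also rendered on server nodes they would additionally need `cert_file`/`key_file`.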