Modify `consul.hcl` template to support `Consul Connect`.

Kazuhiro MUSASHI 2022-07-10 14:31:18 +09:00
parent 43fbbe1f18
commit 94489f71d5
2 changed files with 46 additions and 78 deletions


@ -19,8 +19,10 @@ dns = run_command(cmd).stdout.chomp
node.reverse_merge!({ node.reverse_merge!({
'consul' => { 'consul' => {
'manager' => false, 'manager' => false,
'manager_hosts' => '["192.168.10.101", "192.168.10.251", "192.168.10.252"]', 'manager_hosts' => '"192.168.10.101", "192.168.10.251", "192.168.10.252", "192.168.10.253"',
'ipaddr' => ipaddr, 'ipaddr' => ipaddr,
'dns' => dns 'dns' => dns,
'encrypt' => 's2T3XUTb9MjHYOw8I820O5YkN2G6eJrjLjJRTnEAKoM=',
'token' => 'acb7096c-dcda-775a-b52c-b47c96b38d0e'
} }
}) })
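Review bot: The new `'encrypt'` and `'token'` defaults commit the gossip encryption key and an ACL token to the repository in clear text, so anyone with read access to the repo or its history holds cluster credentials. Both values should be treated as exposed and rotated. The recipe should read them from outside the tree, for example `'encrypt' => ENV.fetch('CONSUL_GOSSIP_KEY'),` and `'token' => ENV.fetch('CONSUL_DEFAULT_TOKEN')` (variable names are placeholders), or from an encrypted secret store if the project already has one. The rest of the recipe around this `reverse_merge!` call lies outside the hunk, so whether a node definition already overrides these defaults cannot be seen from here.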


@ -1,85 +1,51 @@
# Full configuration options can be found at https://www.consul.io/docs/agent/options.html datacenter = "dc1"
data_dir = "/opt/consul"
# datacenter encrypt = "<%= @encrypt %>"
# This flag controls the datacenter in which the agent is running. If not provided, verify_incoming = true
# it defaults to "dc1". Consul has first-class support for multiple datacenters, but verify_outgoing = true
# it relies on proper configuration. Nodes in the same datacenter should be on a verify_server_hostname = true
# single LAN.
#datacenter = "aws"
# data_dir ca_file = "/etc/consul.d/certs/consul-agent-ca.pem"
# This flag provides a data directory for the agent to store state. This is required
# for all agents. The directory should be durable across reboots. This is especially
# critical for agents that are running in server mode as they must be able to persist
# cluster state. Additionally, the directory must support the use of filesystem
# locking, meaning some types of mounted folders (e.g. VirtualBox shared folders) may
# not be suitable.
data_dir = "/opt/consul"
# client_addr bind_addr = "0.0.0.0"
# The address to which Consul will bind client interfaces, including the HTTP and DNS client_addr = "0.0.0.0"
# servers. By default, this is "127.0.0.1", allowing only loopback connections. In advertise_addr = "<%= @ipaddr %>"
# Consul 1.0 and later this can be set to a space-separated list of addresses to bind
# to, or a go-sockaddr template that can potentially resolve to multiple addresses.
client_addr = "0.0.0.0"
# ui performance {
# Enables the built-in web UI server and the required HTTP routes. This eliminates raft_multiplier = 1
# the need to maintain the Consul web UI files separately from the binary. }
ui = false
# server disable_update_check = false
# This flag is used to control if an agent is in server or client mode. When provided,
# an agent will act as a Consul server. Each Consul cluster must have at least one
# server and ideally no more than 5 per datacenter. All servers participate in the Raft
# consensus algorithm to ensure that transactions occur in a consistent, linearizable
# manner. Transactions modify cluster state, which is maintained on all server nodes to
# ensure availability in the case of node failure. Server nodes also participate in a
# WAN gossip pool with server nodes in other datacenters. Servers act as gateways to
# other datacenters and forward traffic as appropriate.
#server = true
# bootstrap_expect
# This flag provides the number of expected servers in the datacenter. Either this value
# should not be provided or the value must agree with other servers in the cluster. When
# provided, Consul waits until the specified number of servers are available and then
# bootstraps the cluster. This allows an initial leader to be elected automatically.
# This cannot be used in conjunction with the legacy -bootstrap flag. This flag requires
# -server mode.
#bootstrap_expect=3
# encrypt
# Specifies the secret key to use for encryption of Consul network traffic. This key must
# be 32-bytes that are Base64-encoded. The easiest way to create an encryption key is to
# use consul keygen. All nodes within a cluster must share the same encryption key to
# communicate. The provided key is automatically persisted to the data directory and loaded
# automatically whenever the agent is restarted. This means that to encrypt Consul's gossip
# protocol, this option only needs to be provided once on each agent's initial startup
# sequence. If it is provided after Consul has been initialized with an encryption key,
# then the provided key is ignored and a warning will be displayed.
encrypt = "LPKrNBQZnJIc8tJpViI4ug=="
# retry_join
# Similar to -join but allows retrying a join until it is successful. Once it joins
# successfully to a member in a list of members it will never attempt to join again.
# Agents will then solely maintain their membership via gossip. This is useful for
# cases where you know the address will eventually be available. This option can be
# specified multiple times to specify multiple agents to join. The value can contain
# IPv4, IPv6, or DNS addresses. In Consul 1.1.0 and later this can be set to a go-sockaddr
# template. If Consul is running on the non-default Serf LAN port, this must be specified
# as well. IPv6 must use the "bracketed" syntax. If multiple values are given, they are
# tried and retried in the order listed until the first succeeds. Here are some examples:
retry_join = <%= @manager_hosts %>
bind_addr = "<%= @ipaddr %>"
disable_remote_exec = false
disable_update_check = false
enable_local_script_checks = true enable_local_script_checks = true
log_file = "/var/log/consul/" log_file = "/var/log/consul/"
log_rotate_max_files = -1 log_rotate_max_files = -1
log_level = "INFO" log_level = "INFO"
log_json = false log_json = false
log_rotate_bytes = 1000000 log_rotate_bytes = 1000000
rejoin_after_leave = true enable_central_service_config = true
ports {
grpc = 8502
}
connect {
enabled = true
}
telemetry {
prometheus_retention_time = "24h"
disable_hostname = true
}
auto_config {
enabled = true
intro_token_file = "/etc/consul.d/tokens/jwt"
server_addresses = [ <%= @manager_hosts %> ]
}
acl {
tokens {
default = "<%= @token %>"
}
}
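Review bot: On the new side, `client_addr = "0.0.0.0"` is combined with `acl { tokens { default = "<%= @token %>" } }`, and Consul applies the default token to any request that arrives without a token. Every host that can reach the agent's HTTP port, or the newly opened gRPC port 8502, therefore acts with that token's privileges. Unless remote clients are required, bind the client interfaces to loopback with `client_addr = "127.0.0.1"`. Keep the policy behind the default token limited to read-only discovery, and give the agent its own rights through `acl.tokens.agent`. The rendered file now contains both the gossip key and the token, so the resource that writes it (not visible on this page) should create it readable only by the consul user, e.g. mode `0640`.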