From cb66b7eed3d03dd3f44a72e9a6df1a9eaf9f1863 Mon Sep 17 00:00:00 2001 From: Kazuhiro MUSASHI Date: Sun, 10 Jul 2022 14:09:33 +0900 Subject: [PATCH 1/7] Install `Vault` before `Consul`. --- roles/base.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/base.rb b/roles/base.rb index 48ea9eb..bb1c47e 100644 --- a/roles/base.rb +++ b/roles/base.rb @@ -1,6 +1,7 @@ include_recipe '../cookbooks/base/default.rb' include_recipe '../cookbooks/kazu634/default.rb' include_recipe '../cookbooks/supervisor/default.rb' +include_recipe '../cookbooks/vault/default.rb' include_recipe '../cookbooks/consul/default.rb' include_recipe '../cookbooks/consul-template/default.rb' include_recipe '../cookbooks/fzf/default.rb' @@ -8,4 +9,3 @@ include_recipe '../cookbooks/promtail/default.rb' include_recipe '../cookbooks/vector/default.rb' include_recipe '../cookbooks/prometheus-exporters/default.rb' include_recipe '../cookbooks/nomad/default.rb' -include_recipe '../cookbooks/vault/default.rb' From 43fbbe1f184622138c174ad33686f16381e4ff43 Mon Sep 17 00:00:00 2001 From: Kazuhiro MUSASHI Date: Sun, 10 Jul 2022 14:29:24 +0900 Subject: [PATCH 2/7] Support `Ubuntu 22.04`. --- cookbooks/consul/attributes.rb | 2 +- cookbooks/consul/dnsmasq.rb | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/cookbooks/consul/attributes.rb b/cookbooks/consul/attributes.rb index 4d8fdb8..1862167 100644 --- a/cookbooks/consul/attributes.rb +++ b/cookbooks/consul/attributes.rb @@ -2,7 +2,7 @@ # Specifying the default settings: # ------------------------------------------- case run_command('grep VERSION_ID /etc/os-release | awk -F\" \'{print $2}\'').stdout.chomp -when "20.04" +when "20.04", "22.04" cmd = 'LANG=C ip a | grep "inet " | grep -v -E "(127|172)" | cut -d" " -f6 | perl -pe "s/\/.+//g"' when "18.04" diff --git a/cookbooks/consul/dnsmasq.rb b/cookbooks/consul/dnsmasq.rb index 92286db..e0ae13a 100644 --- a/cookbooks/consul/dnsmasq.rb +++ b/cookbooks/consul/dnsmasq.rb 
@@ -7,7 +7,7 @@ package 'dnsmasq' end case run_command('grep VERSION_ID /etc/os-release | awk -F\" \'{print $2}\'').stdout.chomp -when "20.04" +when "20.04", "22.04" template '/etc/systemd/resolved.conf' do owner 'root' group 'root' From 94489f71d510fe64498b471dd324d9c842171b2d Mon Sep 17 00:00:00 2001 From: Kazuhiro MUSASHI Date: Sun, 10 Jul 2022 14:31:18 +0900 Subject: [PATCH 3/7] Modify `consul.hcl` template to support `Consul Connect`. --- cookbooks/consul/attributes.rb | 6 +- .../etc/consul.d/consul-agent.hcl.erb | 118 +++++++----------- 2 files changed, 46 insertions(+), 78 deletions(-) diff --git a/cookbooks/consul/attributes.rb b/cookbooks/consul/attributes.rb index 1862167..26c1599 100644 --- a/cookbooks/consul/attributes.rb +++ b/cookbooks/consul/attributes.rb @@ -19,8 +19,10 @@ dns = run_command(cmd).stdout.chomp node.reverse_merge!({ 'consul' => { 'manager' => false, - 'manager_hosts' => '["192.168.10.101", "192.168.10.251", "192.168.10.252"]', + 'manager_hosts' => '"192.168.10.101", "192.168.10.251", "192.168.10.252", "192.168.10.253"', 'ipaddr' => ipaddr, - 'dns' => dns + 'dns' => dns, + 'encrypt' => 's2T3XUTb9MjHYOw8I820O5YkN2G6eJrjLjJRTnEAKoM=', + 'token' => 'acb7096c-dcda-775a-b52c-b47c96b38d0e' } }) diff --git a/cookbooks/consul/templates/etc/consul.d/consul-agent.hcl.erb b/cookbooks/consul/templates/etc/consul.d/consul-agent.hcl.erb index ab8e22f..e72a197 100644 --- a/cookbooks/consul/templates/etc/consul.d/consul-agent.hcl.erb +++ b/cookbooks/consul/templates/etc/consul.d/consul-agent.hcl.erb 
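Review bot: The gossip key and ACL token added as `'encrypt'` and `'token'` under `node.reverse_merge!` are committed in cleartext (as the key the old template carried was), while the same series protects the AppRole `roleid`/`secretid` with `encrypted_remote_file` and `ENV['ITAMAE_PASSWORD']`; anything with read access to this repository now holds both cluster-wide credentials, so they should be treated as published and rotated. Keeping them in an encrypted file decrypted at run time, or reading them from the environment, would bring this in line with the rest of the cookbook. Separately, `'manager_hosts'` changes from a complete JSON array string to a bare comma-separated list because the new agent template wraps it in `[ ... ]`; the server template selected in setup.rb (`consul-server.hcl.erb`) receives the same variable and is not part of this series, so if it still interpolates it unbracketed, server nodes will get an invalid value.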
@@ -1,85 +1,51 @@ -# Full configuration options can be found at https://www.consul.io/docs/agent/options.html +datacenter = "dc1" +data_dir = "/opt/consul" -# datacenter -# This flag controls the datacenter in which the agent is running. If not provided, -# it defaults to "dc1". Consul has first-class support for multiple datacenters, but -# it relies on proper configuration. Nodes in the same datacenter should be on a -# single LAN. -#datacenter = "aws" +encrypt = "<%= @encrypt %>" +verify_incoming = true +verify_outgoing = true +verify_server_hostname = true -# data_dir -# This flag provides a data directory for the agent to store state. This is required -# for all agents. The directory should be durable across reboots. This is especially -# critical for agents that are running in server mode as they must be able to persist -# cluster state. Additionally, the directory must support the use of filesystem -# locking, meaning some types of mounted folders (e.g. VirtualBox shared folders) may -# not be suitable. -data_dir = "/opt/consul" +ca_file = "/etc/consul.d/certs/consul-agent-ca.pem" -# client_addr -# The address to which Consul will bind client interfaces, including the HTTP and DNS -# servers. By default, this is "127.0.0.1", allowing only loopback connections. In -# Consul 1.0 and later this can be set to a space-separated list of addresses to bind -# to, or a go-sockaddr template that can potentially resolve to multiple addresses. -client_addr = "0.0.0.0" +bind_addr = "0.0.0.0" +client_addr = "0.0.0.0" +advertise_addr = "<%= @ipaddr %>" -# ui -# Enables the built-in web UI server and the required HTTP routes. This eliminates -# the need to maintain the Consul web UI files separately from the binary. -ui = false +performance { + raft_multiplier = 1 +} -# server -# This flag is used to control if an agent is in server or client mode. When provided, -# an agent will act as a Consul server. 
Each Consul cluster must have at least one -# server and ideally no more than 5 per datacenter. All servers participate in the Raft -# consensus algorithm to ensure that transactions occur in a consistent, linearizable -# manner. Transactions modify cluster state, which is maintained on all server nodes to -# ensure availability in the case of node failure. Server nodes also participate in a -# WAN gossip pool with server nodes in other datacenters. Servers act as gateways to -# other datacenters and forward traffic as appropriate. -#server = true - -# bootstrap_expect -# This flag provides the number of expected servers in the datacenter. Either this value -# should not be provided or the value must agree with other servers in the cluster. When -# provided, Consul waits until the specified number of servers are available and then -# bootstraps the cluster. This allows an initial leader to be elected automatically. -# This cannot be used in conjunction with the legacy -bootstrap flag. This flag requires -# -server mode. -#bootstrap_expect=3 - -# encrypt -# Specifies the secret key to use for encryption of Consul network traffic. This key must -# be 32-bytes that are Base64-encoded. The easiest way to create an encryption key is to -# use consul keygen. All nodes within a cluster must share the same encryption key to -# communicate. The provided key is automatically persisted to the data directory and loaded -# automatically whenever the agent is restarted. This means that to encrypt Consul's gossip -# protocol, this option only needs to be provided once on each agent's initial startup -# sequence. If it is provided after Consul has been initialized with an encryption key, -# then the provided key is ignored and a warning will be displayed. -encrypt = "LPKrNBQZnJIc8tJpViI4ug==" - -# retry_join -# Similar to -join but allows retrying a join until it is successful. Once it joins -# successfully to a member in a list of members it will never attempt to join again. 
-# Agents will then solely maintain their membership via gossip. This is useful for -# cases where you know the address will eventually be available. This option can be -# specified multiple times to specify multiple agents to join. The value can contain -# IPv4, IPv6, or DNS addresses. In Consul 1.1.0 and later this can be set to a go-sockaddr -# template. If Consul is running on the non-default Serf LAN port, this must be specified -# as well. IPv6 must use the "bracketed" syntax. If multiple values are given, they are -# tried and retried in the order listed until the first succeeds. Here are some examples: -retry_join = <%= @manager_hosts %> - -bind_addr = "<%= @ipaddr %>" -disable_remote_exec = false -disable_update_check = false +disable_update_check = false enable_local_script_checks = true -log_file = "/var/log/consul/" +log_file = "/var/log/consul/" log_rotate_max_files = -1 -log_level = "INFO" -log_json = false -log_rotate_bytes = 1000000 +log_level = "INFO" +log_json = false +log_rotate_bytes = 1000000 -rejoin_after_leave = true +enable_central_service_config = true +ports { + grpc = 8502 +} +connect { + enabled = true +} + +telemetry { + prometheus_retention_time = "24h" + disable_hostname = true +} + +auto_config { + enabled = true + intro_token_file = "/etc/consul.d/tokens/jwt" + server_addresses = [ <%= @manager_hosts %> ] +} + +acl { + tokens { + default = "<%= @token %>" + } +} From c15c2f3de82f3f8a988b344a261adcab144a77ca Mon Sep 17 00:00:00 2001 From: Kazuhiro MUSASHI Date: Sun, 10 Jul 2022 14:33:47 +0900 Subject: [PATCH 4/7] Start `Consul` after `Vault` generates the jwt token. ``` --- a/cookbooks/consul/files/etc/systemd/system/consul.service +++ b/cookbooks/consul/files/etc/systemd/system/consul.service 
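Review bot: `acl { tokens { default = "<%= @token %>" } }` together with `client_addr = "0.0.0.0"` applies the shared token to every HTTP and DNS request that arrives without its own token, on every interface the host exposes, so the token's privileges become the privileges of anything that can reach port 8500 (assuming ACLs are enforced cluster-side, which auto_config would supply). If the token exists so the agent itself can register and join, put it under `tokens { agent = "<%= @token %>" }` instead and leave `default` unset, and consider binding `client_addr` to loopback plus the interface Connect needs. The same value is pushed to every client from one attribute, so one node's compromise exposes the cluster-wide credential; per-node tokens would limit the blast radius. The rendered `/etc/consul.d/consul.hcl` now carries both the gossip key and the ACL token, so its mode should be `0640` owned by consul — the mode set by the `template '/etc/consul.d/consul.hcl'` resource in setup.rb is not visible in this series, so check it.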
@@ -2,7 +2,7 @@ Description="HashiCorp Consul - A service mesh solution" Documentation=https://www.consul.io/ Requires=network-online.target -After=network-online.target +After=network-online.target vault-agent-consul-jwt.target ConditionFileNotEmpty=/etc/consul.d/consul.hcl [Service] ``` --- cookbooks/consul/files/etc/systemd/system/consul.service | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cookbooks/consul/files/etc/systemd/system/consul.service b/cookbooks/consul/files/etc/systemd/system/consul.service index ae0cb84..f0d743d 100644 --- a/cookbooks/consul/files/etc/systemd/system/consul.service +++ b/cookbooks/consul/files/etc/systemd/system/consul.service @@ -2,7 +2,7 @@ Description="HashiCorp Consul - A service mesh solution" Documentation=https://www.consul.io/ Requires=network-online.target -After=network-online.target +After=network-online.target vault-agent-consul-jwt.target ConditionFileNotEmpty=/etc/consul.d/consul.hcl [Service] From 48702191fe4524c60ab7498689a1ecf30d3f388c Mon Sep 17 00:00:00 2001 From: Kazuhiro MUSASHI Date: Sun, 10 Jul 2022 14:35:04 +0900 Subject: [PATCH 5/7] Allow `Consul` gcp port to communicate. ``` --- a/cookbooks/consul/setup.rb +++ b/cookbooks/consul/setup.rb @@ -44,7 +44,7 @@ service 'consul' do end # iptables settings here: -%w( 8300/tcp 8301/tcp 8301/udp 8500/tcp ).each do |port| +%w( 8300/tcp 8301/tcp 8301/udp 8500/tcp 8502/tcp ).each do |port| execute "ufw allow #{port}" do user 'root' ``` --- cookbooks/consul/setup.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cookbooks/consul/setup.rb b/cookbooks/consul/setup.rb index 2edc097..8df65c2 100644 --- a/cookbooks/consul/setup.rb +++ b/cookbooks/consul/setup.rb @@ -44,7 +44,7 @@ service 'consul' do end # iptables settings here: -%w( 8300/tcp 8301/tcp 8301/udp 8500/tcp ).each do |port| +%w( 8300/tcp 8301/tcp 8301/udp 8500/tcp 8502/tcp ).each do |port| execute "ufw allow #{port}" do user 'root' 
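Review bot: `After=network-online.target vault-agent-consul-jwt.target` names a `.target` unit that nothing in this series creates; the later patch adds `vault-agent-consul-jwt.service`, and systemd silently ignores ordering against a unit that does not exist, so Consul can still start before the JWT exists. The file Consul actually needs, `/etc/consul.d/tokens/jwt`, is rendered by consul-template from the token the Vault agent sinks, not by the Vault agent itself, so the ordering should name that chain, e.g. `After=network-online.target vault-agent-consul-jwt.service consul-template.service` (the consul-template unit name is inferred from `service[consul-template]` in the cookbook; confirm it). The commit message quotes the same hunk, so it needs the same correction.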
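Review bot: `ufw allow 8502/tcp` opens the agent's gRPC port from every source, and because the agent template in this series sets `client_addr = "0.0.0.0"`, the listener really is reachable on all interfaces. As far as the series shows, the only gRPC clients are Connect sidecars on the same host, which reach the agent over loopback that ufw does not filter, so the rule is only needed if something off-host must reach it; if so, restrict it to the cluster network, e.g. `ufw allow from <CLUSTER_CIDR> to any port 8502 proto tcp` (placeholder CIDR). The commit title says "gcp port"; the port is gRPC.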
From 37d51b5ed5a4bec50f72111b487b4835cd4c95d3 Mon Sep 17 00:00:00 2001 From: Kazuhiro MUSASHI Date: Sun, 10 Jul 2022 14:42:25 +0900 Subject: [PATCH 6/7] Create `/etc/vault.d/agent` & `/etc/vault.d/tokens` directory. ``` --- a/cookbooks/vault/default.rb +++ b/cookbooks/vault/default.rb @@ -2,6 +2,14 @@ include_recipe './attributes.rb' include_recipe './install.rb' +%w( agent tokens ).each do |d| + directory "/etc/vault.d/#{d}" do + owner 'vault' + group 'vault' + mode '0755' + end +end + if node['vault']['manager'] include_recipe './setup.rb' end ``` --- cookbooks/vault/default.rb | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/cookbooks/vault/default.rb b/cookbooks/vault/default.rb index 33e6a83..7f9bcc1 100644 --- a/cookbooks/vault/default.rb +++ b/cookbooks/vault/default.rb @@ -2,6 +2,14 @@ include_recipe './attributes.rb' include_recipe './install.rb' +%w( agent tokens ).each do |d| + directory "/etc/vault.d/#{d}" do + owner 'vault' + group 'vault' + mode '0755' + end +end + if node['vault']['manager'] include_recipe './setup.rb' end From 73f7ec44b710164fb3ff8331d6f5ee1c2e0d7dea Mon Sep 17 00:00:00 2001 
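Review bot: `/etc/vault.d/tokens` is created with `mode '0755'`, and the `roleid`/`secretid` that the later consul-connect-prep.rb hunk deploys into it are `mode '0644'` owned by root, so the decrypted AppRole secret ID ends up readable by every local account. The vault-agent-consul-jwt unit added in the same series has no `User=` line, so it runs as root and needs neither the `vault` ownership nor the world-readable bits; `mode '0750'` for `tokens` here and `mode '0600'` for the two files in consul-connect-prep.rb would close this (if the agent is later moved to `User=vault`, use `0640` with `group 'vault'` instead). `agent` holds only non-secret configuration and can stay `0755`; the loop could take a mode per directory, e.g. `{ 'agent' => '0755', 'tokens' => '0750' }.each do |d, m|`.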
From: Kazuhiro MUSASHI Date: Sun, 10 Jul 2022 14:45:53 +0900 Subject: [PATCH 7/7] Enable `Consul Connect` for client side. --- .../files/etc/default/consul-template | 1 + cookbooks/consul/consul-connect-prep.rb | 54 +++++++++++++++++++ cookbooks/consul/default.rb | 1 + .../consul-template.d/conf/consul-jwt.conf | 12 +++++ .../templates/consul-jwt.tmpl | 1 + .../etc/consul.d/certs/consul-agent-ca.pem | 24 +++++++++ .../files/etc/default/vault-agent-consul-jwt | 1 + .../system/vault-agent-consul-jwt.service | 13 +++++ .../files/etc/vault.d/agent/consul-jwt.hcl | 19 +++++++ .../consul/files/etc/vault.d/tokens/roleid | 1 + .../consul/files/etc/vault.d/tokens/secretid | 1 + cookbooks/consul/setup.rb | 24 +++++++++ roles/base.rb | 2 +- 13 files changed, 153 insertions(+), 1 deletion(-) create mode 100644 cookbooks/consul/consul-connect-prep.rb create mode 100644 cookbooks/consul/files/etc/consul-template.d/conf/consul-jwt.conf create mode 100644 cookbooks/consul/files/etc/consul-template.d/templates/consul-jwt.tmpl create mode 100644 cookbooks/consul/files/etc/consul.d/certs/consul-agent-ca.pem create mode 100644 cookbooks/consul/files/etc/default/vault-agent-consul-jwt create mode 100644 cookbooks/consul/files/etc/systemd/system/vault-agent-consul-jwt.service create mode 100644 cookbooks/consul/files/etc/vault.d/agent/consul-jwt.hcl create mode 100644 cookbooks/consul/files/etc/vault.d/tokens/roleid create mode 100644 cookbooks/consul/files/etc/vault.d/tokens/secretid diff --git a/cookbooks/consul-template/files/etc/default/consul-template b/cookbooks/consul-template/files/etc/default/consul-template index 769569a..cdf1c6c 100644 --- a/cookbooks/consul-template/files/etc/default/consul-template +++ b/cookbooks/consul-template/files/etc/default/consul-template @@ -1 +1,2 @@ OPTIONS="-syslog -syslog-name=consul-template" +VAULT_ADDR="http://192.168.10.142:8200" 
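Review bot: `VAULT_ADDR="http://192.168.10.142:8200"` points consul-template at Vault over plain HTTP, so the Vault token it reads from the agent sink and every secret it renders (the OIDC JWT here) cross the network unencrypted; the same `http://` address is repeated in `consul-jwt.conf` and `/etc/default/vault-agent-consul-jwt` later in this patch, where the AppRole secret ID travels the same way. If the Vault listener offers TLS, switch all three to `https://` (with `VAULT_CACERT` pointing at the CA if it is private); if it does not, that is the thing to fix first. Hard-coding the address in three files is also a maintenance risk — an attribute such as `node['vault']['addr']` rendered through the cookbook's existing `template` mechanism would keep them in sync.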
diff --git a/cookbooks/consul/consul-connect-prep.rb b/cookbooks/consul/consul-connect-prep.rb new file mode 100644 index 0000000..39e41e2 --- /dev/null +++ b/cookbooks/consul/consul-connect-prep.rb @@ -0,0 +1,54 @@ +# Use Vault to retrieve the token to generate jwt. +%w( roleid secretid ).each do |f| + encrypted_remote_file "/etc/vault.d/tokens/#{f}" do + owner 'root' + group 'root' + mode '0644' + + source "files/etc/vault.d/tokens/#{f}" + password ENV['ITAMAE_PASSWORD'] + end +end + +remote_file '/etc/vault.d/agent/consul-jwt.hcl' do + owner 'vault' + group 'vault' + mode '0644' + + notifies :restart, 'service[vault-agent-consul-jwt]' +end + +remote_file '/etc/default/vault-agent-consul-jwt' do + owner 'vault' + group 'vault' + mode '0644' +end + +remote_file '/etc/systemd/system/vault-agent-consul-jwt.service' do + owner 'root' + group 'root' + mode '0644' + + notifies :restart, 'service[vault-agent-consul-jwt]' +end + +service 'vault-agent-consul-jwt' do + action [:enable, :start] +end + +# Use consul-template to retrieve the JWT token. +remote_file '/etc/consul-template.d/conf/consul-jwt.conf' do + owner 'root' + group 'root' + mode '0644' + + notifies :restart, 'service[consul-template]' +end + +remote_file '/etc/consul-template.d/templates/consul-jwt.tmpl' do + owner 'root' + group 'root' + mode '0644' + + notifies :restart, 'service[consul-template]' +end diff --git a/cookbooks/consul/default.rb b/cookbooks/consul/default.rb index 0320fb8..c18b94b 100644 --- a/cookbooks/consul/default.rb +++ b/cookbooks/consul/default.rb @@ -2,6 +2,7 @@ include_recipe './attributes.rb' include_recipe './install.rb' +include_recipe './consul-connect-prep.rb' include_recipe './setup.rb' include_recipe './dnsmasq.rb' diff --git a/cookbooks/consul/files/etc/consul-template.d/conf/consul-jwt.conf b/cookbooks/consul/files/etc/consul-template.d/conf/consul-jwt.conf new file mode 100644 index 0000000..f7519ce --- /dev/null 
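Review bot: `remote_file '/etc/default/vault-agent-consul-jwt'` has no `notifies`, so a changed `VAULT_ADDR` is written to disk but the running agent keeps the old one until something else restarts it; add `notifies :restart, 'service[vault-agent-consul-jwt]'` as the two neighbouring resources do. `password ENV['ITAMAE_PASSWORD']` silently passes `nil` when the variable is unset, which surfaces as a confusing decryption failure — `password ENV.fetch('ITAMAE_PASSWORD')` fails fast with a clear message. The header comment `# Use Vault to retrieve the token to generate jwt.` describes the role/secret-id files rather than the whole chain; something like `# AppRole credentials for the Vault agent; the agent sinks a Vault token that consul-template uses to render the Consul auto_config JWT.` would tell the next reader what the seven resources below are for.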
+++ b/cookbooks/consul/files/etc/consul-template.d/conf/consul-jwt.conf @@ -0,0 +1,12 @@ +vault { + address = "http://192.168.10.142:8200" + + vault_agent_token_file = "/etc/consul-template.d/tokens/consul-jwt-vault-token" + renew_token = true +} + +template { + source = "/etc/consul-template.d/templates/consul-jwt.tmpl" + destination = "/etc/consul.d/tokens/jwt" + perms = 0666 +} diff --git a/cookbooks/consul/files/etc/consul-template.d/templates/consul-jwt.tmpl b/cookbooks/consul/files/etc/consul-template.d/templates/consul-jwt.tmpl new file mode 100644 index 0000000..d9e97b2 --- /dev/null +++ b/cookbooks/consul/files/etc/consul-template.d/templates/consul-jwt.tmpl @@ -0,0 +1 @@ +{{with secret "identity/oidc/token/oidc-role"}}{{.Data.token}}{{end}} diff --git a/cookbooks/consul/files/etc/consul.d/certs/consul-agent-ca.pem b/cookbooks/consul/files/etc/consul.d/certs/consul-agent-ca.pem new file mode 100644 index 0000000..7e561d2 --- /dev/null +++ b/cookbooks/consul/files/etc/consul.d/certs/consul-agent-ca.pem 
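Review bot: `perms = 0666` makes `/etc/consul.d/tokens/jwt` world-writable as well as world-readable; this is the bearer token Consul presents for `auto_config`, so any local account could read it or tamper with it. `perms = 0640` is sufficient if the rendered file is owned by, or group-readable to, the `consul` account — how consul-template runs and who ends up owning the output is not visible in this series, so confirm that before tightening; the `tokens` directory created in setup.rb is `consul:consul 0755`, which is fine for reading but means whoever runs consul-template must be able to write there. `address` duplicates the `VAULT_ADDR` already set in `/etc/default/consul-template`; keeping one source avoids the two drifting.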
@@ -0,0 +1,24 @@ +md5:4f683f562e56d8663a72584dfa67b247:salt:104-7-237-106-15-219-15-45:aes-256-cfb:/IYVG1CC7S1/KK5iEO1BUrlqH8/OddDGctvAzUZ8IVolFnt5C5e3evwjYjJ5 +F3sh4uVIMwEq2QSWjn+ZX54zaol/tAGLV18lb9fxIuPNL+bZqoUsM7w4nGL4 +s6uNSvbzku+YJ0iDNI38i2h0WpR/3PYfL0cnLsgt/I+cB7nzfY1HCwaUXj7V +52IwwMtpIKxXVPyAF974Auwx7ar43IGDGXyYumgIeueJ7wP1dKi8NEb777Bz +T6TMnauGWVJagMn7FQxXyNojui7qjzqJjnIZaE18ztObA9co9dgfuSE4TOhr +nuZ0hvZ3bEIYt0B8QTBEoUR+mRoKCeUvc15kGU4aZNesg4GKa8lPMonQnrj2 +f6sOfru4UzHrkJNIHcgeFT+vSYo0s5co27y1oqtijWpnZ0oUd8brBP9KI+rB +sdWaXltx+sEJKWULZRspFRGWvJl/QPTTRMJtSKBKfa4xo66LkZatVGgr5+HP +1a6S/m6QW0d9J/Bcd9LYO2RRZSDYYC3DJgXNwPhd9EQ2m7nLl6fZbt3uFzYa +rFdgmlPwugrvm4IZOjAT5msf6BC3BLxbYR2TvM+TKaID/ZuzRmsxEmosBRmo +Qp2fLJsm32kgDiY11oRHD2q+MZdxI6YZ2ht87j4ZNHYwTsvsqxMKfcAaXQ4z +Jb/IwTYNWxLYFSSNMJEaWnIrOOun0sqtb8ne0Y32ZKdy2us2ntR3segvKkt4 +h7En4rhKHxAwxiv9HAs6aOgafqdOX9OeTfqfhmxALJUgwg3GlNrvT5VD+Jz5 +67/AsMaOiu+3k/VxyBMijmRXR6mOxwNR75AuynfIBg7TLjfzDu3FrEDdyS0F +AzYr9OW88ch3jTvQ67rfZ1TyFIpe1a99+I8ia7FVyVNxowL/uXkepdLqTCsg +lMcWIFRJWsDelVJ8YFBe9DgtzWXzEWgujwMD9A3G1y8KL7aS/5dDC8vX5/fj +xPIzEyQ2L/Knf+UVlsFzAs2K2vZVIDYkLVnoF7RRB2JSR9AdVAhRYGZR3igZ +9yArvqb1eybAlEOT6rGqnQY+WL7ICCz0oyP0QWUhctt6bzPwHA1wqMnpGfuS +GD6Kr5+ePhheEvBg23AfcrmZPr30MVa0IHomeQlT4qik6zc239mge1r45Ru0 +5zvSj/EvfcN8hq/Ds8byURgE2oOXal1EgIvuuQ3dQk4ePETKonJp3LtZCHk2 +yqBQHBbYpzdmKaR4TCecOf0O3Q3IvIE1CpTDhGtN0JbWit8VBBm43VXf6b8S +o50fwoVgroRSjoN5LpaTmUWhM+Z9fKIZsPeGNP8W4fhKRCaME3WL5W2T6t8T +0/wEl5izZx9/oLlzHzdqCLCoZZCiVN/E9BlgbzrT/3aFYadBvJ2C2FS5q2Ip +1/CPwO3V3CW7cQp575PY/ZfbnmPsF68ZBPOC0MPcOySi9ikICmOT \ No newline at end of file diff --git a/cookbooks/consul/files/etc/default/vault-agent-consul-jwt b/cookbooks/consul/files/etc/default/vault-agent-consul-jwt new file mode 100644 index 0000000..2fc3ddc --- /dev/null +++ b/cookbooks/consul/files/etc/default/vault-agent-consul-jwt @@ -0,0 +1 @@ +VAULT_ADDR="http://192.168.10.142:8200" 
diff --git a/cookbooks/consul/files/etc/systemd/system/vault-agent-consul-jwt.service b/cookbooks/consul/files/etc/systemd/system/vault-agent-consul-jwt.service new file mode 100644 index 0000000..05052a7 --- /dev/null +++ b/cookbooks/consul/files/etc/systemd/system/vault-agent-consul-jwt.service @@ -0,0 +1,13 @@ +[Unit] +Description=Vault Agent +Requires=network-online.target +After=network-online.target + +[Service] +EnvironmentFile=-/etc/default/vault-agent-consul-jwt +Restart=on-failure +ExecStart=/usr/bin/vault agent -config=/etc/vault.d/agent/consul-jwt.hcl +KillSignal=SIGINT + +[Install] +WantedBy=multi-user.target diff --git a/cookbooks/consul/files/etc/vault.d/agent/consul-jwt.hcl b/cookbooks/consul/files/etc/vault.d/agent/consul-jwt.hcl new file mode 100644 index 0000000..2d78139 --- /dev/null +++ b/cookbooks/consul/files/etc/vault.d/agent/consul-jwt.hcl @@ -0,0 +1,19 @@ +auto_auth { + method { + type = "approle" + + config = { + role_id_file_path = "/etc/vault.d/tokens/roleid" + secret_id_file_path = "/etc/vault.d/tokens/secretid" + remove_secret_id_file_after_reading = false + } + } + + sink { + type = "file" + + config = { + path = "/etc/consul-template.d/tokens/consul-jwt-vault-token" + } + } +} diff --git a/cookbooks/consul/files/etc/vault.d/tokens/roleid b/cookbooks/consul/files/etc/vault.d/tokens/roleid new file mode 100644 index 0000000..37cce95 --- /dev/null +++ b/cookbooks/consul/files/etc/vault.d/tokens/roleid @@ -0,0 +1 @@ +md5:3589fac78cfe7ae33551d6478f20e2cd:salt:229-185-78-119-188-9-161-204:aes-256-cfb:aqhITLoIN7UEBZRyMeO+xwAqfZrz7VXUVcre+Fip/RhqzfWZaQ== \ No newline at end of file diff --git a/cookbooks/consul/files/etc/vault.d/tokens/secretid b/cookbooks/consul/files/etc/vault.d/tokens/secretid new file mode 100644 index 0000000..330c158 --- /dev/null +++ b/cookbooks/consul/files/etc/vault.d/tokens/secretid 
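Review bot: The unit has no `User=`/`Group=`, so `vault agent` runs as root even though the series creates `/etc/vault.d/agent` and `/etc/vault.d/tokens` for the `vault` account; either add `User=vault` and `Group=vault` (and make the role/secret-id files readable by that account and the sink directory `/etc/consul-template.d/tokens/` writable by it) or drop the `vault` ownership elsewhere so the intent is consistent. `Restart=on-failure` without `RestartSec=` restarts at systemd's default interval when Vault is unreachable at boot; `RestartSec=5` is the usual value for an agent that is expected to wait for a remote service.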
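Review bot: `remove_secret_id_file_after_reading = false` keeps the AppRole secret ID on disk for the life of the host; that is what lets the agent re-authenticate after a restart, but it is a deliberate departure from the default and deserves a comment so it is not "fixed" later, e.g. `# kept on disk so the agent can re-auth after a restart; relies on the role allowing secret_id reuse`. Whether reuse is actually permitted depends on the role's `secret_id_num_uses` and TTL settings, which are not visible here, so confirm that with the Vault side.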
@@ -0,0 +1 @@ +md5:98b157199b9f17446254894788740c7d:salt:233-189-165-36-170-54-151-47:aes-256-cfb:gB1Ml+Bg2iNwwd76Qn7C8+mVlzKT9Ndb0W3R0g2PTQyF7ejNJg== \ No newline at end of file diff --git a/cookbooks/consul/setup.rb b/cookbooks/consul/setup.rb index 8df65c2..4e631af 100644 --- a/cookbooks/consul/setup.rb +++ b/cookbooks/consul/setup.rb @@ -1,3 +1,25 @@ +# Create directories +%w( certs howto misc policies tokens ).each do |d| + directory "/etc/consul.d/#{d}" do + owner 'consul' + group 'consul' + mode '0755' + end +end + +# deploy certificates +if node['consul']['manager'] +else + encrypted_remote_file '/etc/consul.d/certs/consul-agent-ca.pem' do + owner 'consul' + group 'consul' + mode '0444' + + source 'files/etc/consul.d/certs/consul-agent-ca.pem' + password ENV['ITAMAE_PASSWORD'] + end +end + if node['consul']['manager'] SRC = 'consul-server.hcl.erb' else @@ -12,6 +34,8 @@ template '/etc/consul.d/consul.hcl' do variables(manager: node['consul']['manager'], manager_hosts: node['consul']['manager_hosts'], ipaddr: node['consul']['ipaddr'], + encrypt: node['consul']['encrypt'], + token: node['consul']['token'], ) source "templates/etc/consul.d/#{SRC}" diff --git a/roles/base.rb b/roles/base.rb index bb1c47e..fc33af1 100644 --- a/roles/base.rb +++ b/roles/base.rb @@ -2,8 +2,8 @@ include_recipe '../cookbooks/base/default.rb' include_recipe '../cookbooks/kazu634/default.rb' include_recipe '../cookbooks/supervisor/default.rb' include_recipe '../cookbooks/vault/default.rb' -include_recipe '../cookbooks/consul/default.rb' include_recipe '../cookbooks/consul-template/default.rb' +include_recipe '../cookbooks/consul/default.rb' include_recipe '../cookbooks/fzf/default.rb' include_recipe '../cookbooks/promtail/default.rb' include_recipe '../cookbooks/vector/default.rb'
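Review bot: `if node['consul']['manager'] else ... end` has an empty true branch; `unless node['consul']['manager']` expresses the same without the dead arm, and the `# deploy certificates` comment should say why managers are skipped, e.g. `# servers get their CA from Vault; clients receive a static copy`, if that is the reason. `mode '0444'` is appropriate for a CA certificate. The second hunk in this file passes `encrypt:` and `token:` to the server template as well as the agent one; the server template is not part of this series, so confirm it renders or ignores those variables as intended.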