Merge pull request 'Consul Connect Support' (#4) from consul-connect-support into master

Reviewed-on: #4
Kazuhiro MUSASHI 2022-07-10 07:26:33 +00:00
commit b8d053126c
18 changed files with 212 additions and 84 deletions


@ -1 +1,2 @@
OPTIONS="-syslog -syslog-name=consul-template"
VAULT_ADDR="http://192.168.10.142:8200"
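Review bot: `VAULT_ADDR="http://192.168.10.142:8200"` sends every consul-template request to Vault over cleartext HTTP, so the Vault token it presents and the OIDC token it receives can be read by anything on the path; unless 192.168.10.142 is the local host or a trusted link, Vault's listener should serve TLS and this should be `https://`, with `VAULT_CACERT` pointing at the CA. The same plaintext address recurs in the `vault { address = ... }` stanza of consul-jwt.conf and in /etc/default/vault-agent-consul-jwt further down this commit.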


@ -2,7 +2,7 @@
# Specifying the default settings:
# -------------------------------------------
case run_command('grep VERSION_ID /etc/os-release | awk -F\" \'{print $2}\'').stdout.chomp
when "20.04"
when "20.04", "22.04"
cmd = 'LANG=C ip a | grep "inet " | grep -v -E "(127|172)" | cut -d" " -f6 | perl -pe "s/\/.+//g"'
when "18.04"
@ -19,8 +19,10 @@ dns = run_command(cmd).stdout.chomp
node.reverse_merge!({
'consul' => {
'manager' => false,
'manager_hosts' => '["192.168.10.101", "192.168.10.251", "192.168.10.252"]',
'manager_hosts' => '"192.168.10.101", "192.168.10.251", "192.168.10.252", "192.168.10.253"',
'ipaddr' => ipaddr,
'dns' => dns
'dns' => dns,
'encrypt' => 's2T3XUTb9MjHYOw8I820O5YkN2G6eJrjLjJRTnEAKoM=',
'token' => 'acb7096c-dcda-775a-b52c-b47c96b38d0e'
}
})
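Review bot: `'encrypt' => ...` and `'token' => ...` commit the gossip encryption key and an ACL token in cleartext in attributes.rb, while the same commit already moves other secrets through `encrypted_remote_file` with `ENV['ITAMAE_PASSWORD']`; anyone with read access to the repository history can now join the gossip pool and act with that token. Deliver both through an encrypted file or the environment instead, and rotate the two values, since they are in history regardless. Separately, `'manager_hosts'` changed from a bracketed list to a bare comma-separated list; that matches `server_addresses = [ <%= @manager_hosts %> ]` in the client template, so any remaining use of the attribute without surrounding brackets will now render invalid HCL.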


@ -0,0 +1,54 @@
# Use Vault to retrieve the token to generate jwt.
%w( roleid secretid ).each do |f|
encrypted_remote_file "/etc/vault.d/tokens/#{f}" do
owner 'root'
group 'root'
mode '0644'
source "files/etc/vault.d/tokens/#{f}"
password ENV['ITAMAE_PASSWORD']
end
end
remote_file '/etc/vault.d/agent/consul-jwt.hcl' do
owner 'vault'
group 'vault'
mode '0644'
notifies :restart, 'service[vault-agent-consul-jwt]'
end
remote_file '/etc/default/vault-agent-consul-jwt' do
owner 'vault'
group 'vault'
mode '0644'
end
remote_file '/etc/systemd/system/vault-agent-consul-jwt.service' do
owner 'root'
group 'root'
mode '0644'
notifies :restart, 'service[vault-agent-consul-jwt]'
end
service 'vault-agent-consul-jwt' do
action [:enable, :start]
end
# Use consul-template to retrieve the JWT token.
remote_file '/etc/consul-template.d/conf/consul-jwt.conf' do
owner 'root'
group 'root'
mode '0644'
notifies :restart, 'service[consul-template]'
end
remote_file '/etc/consul-template.d/templates/consul-jwt.tmpl' do
owner 'root'
group 'root'
mode '0644'
notifies :restart, 'service[consul-template]'
end
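Review bot: The `roleid` and `secretid` files in the first loop are written with `mode '0644'`, so the AppRole secret id that lets anything on the host authenticate to Vault is readable by every local user — `ENV['ITAMAE_PASSWORD']` protects it in the repository, not on disk. Use `mode '0600'` owned by whatever user runs the vault agent (or `0640` with its group). Also, `notifies :restart` on the unit file only restarts the service; when vault-agent-consul-jwt.service changes later, systemd restarts the stale in-memory definition unless a `systemctl daemon-reload` runs first, so an `execute 'systemctl daemon-reload'` resource notified from the unit-file resource is worth adding.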


@ -2,6 +2,7 @@ include_recipe './attributes.rb'
include_recipe './install.rb'
include_recipe './consul-connect-prep.rb'
include_recipe './setup.rb'
include_recipe './dnsmasq.rb'


@ -7,7 +7,7 @@ package 'dnsmasq'
end
case run_command('grep VERSION_ID /etc/os-release | awk -F\" \'{print $2}\'').stdout.chomp
when "20.04"
when "20.04", "22.04"
template '/etc/systemd/resolved.conf' do
owner 'root'
group 'root'


@ -0,0 +1,12 @@
vault {
address = "http://192.168.10.142:8200"
vault_agent_token_file = "/etc/consul-template.d/tokens/consul-jwt-vault-token"
renew_token = true
}
template {
source = "/etc/consul-template.d/templates/consul-jwt.tmpl"
destination = "/etc/consul.d/tokens/jwt"
perms = 0666
}
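Review bot: `perms = 0666` makes `/etc/consul.d/tokens/jwt` world-readable and world-writable, so any local user can read the auto_config intro token or replace it with their own before consul starts. Consul only needs read access; `perms = 0640` with the file owned by or grouped to the `consul` user (the owner the consul recipe uses for that directory) is sufficient, and since the directory itself is created `0755`, the file mode is the only protection this token has.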


@ -0,0 +1 @@
{{with secret "identity/oidc/token/oidc-role"}}{{.Data.token}}{{end}}


@ -0,0 +1,24 @@
md5:4f683f562e56d8663a72584dfa67b247:salt:104-7-237-106-15-219-15-45:aes-256-cfb:/IYVG1CC7S1/KK5iEO1BUrlqH8/OddDGctvAzUZ8IVolFnt5C5e3evwjYjJ5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View File

@ -0,0 +1 @@
VAULT_ADDR="http://192.168.10.142:8200"


@ -2,7 +2,7 @@
Description="HashiCorp Consul - A service mesh solution"
Documentation=https://www.consul.io/
Requires=network-online.target
After=network-online.target
After=network-online.target vault-agent-consul-jwt.target
ConditionFileNotEmpty=/etc/consul.d/consul.hcl
[Service]
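Review bot: `After=network-online.target vault-agent-consul-jwt.target` orders consul against a `.target` unit, but what this commit installs is `vault-agent-consul-jwt.service`; systemd ignores ordering against a unit it cannot find, so consul is not actually held back until the agent is up. What consul reads at start is `/etc/consul.d/tokens/jwt`, which consul-template renders, so the real dependency is on the consul-template service; assuming it is named consul-template.service, `After=network-online.target consul-template.service` (with that unit in turn ordered after vault-agent-consul-jwt.service) expresses the chain.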


@ -0,0 +1,13 @@
[Unit]
Description=Vault Agent
Requires=network-online.target
After=network-online.target
[Service]
EnvironmentFile=-/etc/default/vault-agent-consul-jwt
Restart=on-failure
ExecStart=/usr/bin/vault agent -config=/etc/vault.d/agent/consul-jwt.hcl
KillSignal=SIGINT
[Install]
WantedBy=multi-user.target
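Review bot: `[Service]` has no `User=`/`Group=`, so the agent runs as root, while its config and default file are deployed owned by `vault`; the agent only needs to read two credential files and write one sink, so `User=vault` and `Group=vault` (with the roleid/secretid files made readable by that user and nobody else) fit what the recipe appears to intend. `Restart=on-failure` without `RestartSec=` retries at systemd's default interval, which is tight if Vault is unreachable at boot; a few seconds avoids log spam and hammering the Vault listener.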


@ -0,0 +1,19 @@
auto_auth {
method {
type = "approle"
config = {
role_id_file_path = "/etc/vault.d/tokens/roleid"
secret_id_file_path = "/etc/vault.d/tokens/secretid"
remove_secret_id_file_after_reading = false
}
}
sink {
type = "file"
config = {
path = "/etc/consul-template.d/tokens/consul-jwt-vault-token"
}
}
}
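Review bot: `remove_secret_id_file_after_reading = false` overrides the default of `true` and keeps the AppRole secret id on disk for the life of the host, turning a bootstrap credential into a permanent one; if that is intended so the agent can re-authenticate after a restart, say so in a comment, otherwise drop the line and issue a fresh secret id per provisioning run with a short `secret_id_ttl` and bounded `secret_id_num_uses` on the role. The file sink sets no `mode`, so the Vault token file gets the agent's default permissions — pin it explicitly — and its directory `/etc/consul-template.d/tokens/` has no directory resource visible in this commit; confirm the consul-template cookbook creates it with restrictive permissions.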


@ -0,0 +1 @@
md5:3589fac78cfe7ae33551d6478f20e2cd:salt:229-185-78-119-188-9-161-204:aes-256-cfb:aqhITLoIN7UEBZRyMeO+xwAqfZrz7VXUVcre+Fip/RhqzfWZaQ==


@ -0,0 +1 @@
md5:98b157199b9f17446254894788740c7d:salt:233-189-165-36-170-54-151-47:aes-256-cfb:gB1Ml+Bg2iNwwd76Qn7C8+mVlzKT9Ndb0W3R0g2PTQyF7ejNJg==


@ -1,3 +1,25 @@
# Create directories
%w( certs howto misc policies tokens ).each do |d|
directory "/etc/consul.d/#{d}" do
owner 'consul'
group 'consul'
mode '0755'
end
end
# deploy certificates
if node['consul']['manager']
else
encrypted_remote_file '/etc/consul.d/certs/consul-agent-ca.pem' do
owner 'consul'
group 'consul'
mode '0444'
source 'files/etc/consul.d/certs/consul-agent-ca.pem'
password ENV['ITAMAE_PASSWORD']
end
end
if node['consul']['manager']
SRC = 'consul-server.hcl.erb'
else
@ -12,6 +34,8 @@ template '/etc/consul.d/consul.hcl' do
variables(manager: node['consul']['manager'],
manager_hosts: node['consul']['manager_hosts'],
ipaddr: node['consul']['ipaddr'],
encrypt: node['consul']['encrypt'],
token: node['consul']['token'],
)
source "templates/etc/consul.d/#{SRC}"
@ -44,7 +68,7 @@ service 'consul' do
end
# iptables settings here:
%w( 8300/tcp 8301/tcp 8301/udp 8500/tcp ).each do |port|
%w( 8300/tcp 8301/tcp 8301/udp 8500/tcp 8502/tcp ).each do |port|
execute "ufw allow #{port}" do
user 'root'


@ -1,78 +1,21 @@
# Full configuration options can be found at https://www.consul.io/docs/agent/options.html
# datacenter
# This flag controls the datacenter in which the agent is running. If not provided,
# it defaults to "dc1". Consul has first-class support for multiple datacenters, but
# it relies on proper configuration. Nodes in the same datacenter should be on a
# single LAN.
#datacenter = "aws"
# data_dir
# This flag provides a data directory for the agent to store state. This is required
# for all agents. The directory should be durable across reboots. This is especially
# critical for agents that are running in server mode as they must be able to persist
# cluster state. Additionally, the directory must support the use of filesystem
# locking, meaning some types of mounted folders (e.g. VirtualBox shared folders) may
# not be suitable.
datacenter = "dc1"
data_dir = "/opt/consul"
# client_addr
# The address to which Consul will bind client interfaces, including the HTTP and DNS
# servers. By default, this is "127.0.0.1", allowing only loopback connections. In
# Consul 1.0 and later this can be set to a space-separated list of addresses to bind
# to, or a go-sockaddr template that can potentially resolve to multiple addresses.
encrypt = "<%= @encrypt %>"
verify_incoming = true
verify_outgoing = true
verify_server_hostname = true
ca_file = "/etc/consul.d/certs/consul-agent-ca.pem"
bind_addr = "0.0.0.0"
client_addr = "0.0.0.0"
advertise_addr = "<%= @ipaddr %>"
# ui
# Enables the built-in web UI server and the required HTTP routes. This eliminates
# the need to maintain the Consul web UI files separately from the binary.
ui = false
performance {
raft_multiplier = 1
}
# server
# This flag is used to control if an agent is in server or client mode. When provided,
# an agent will act as a Consul server. Each Consul cluster must have at least one
# server and ideally no more than 5 per datacenter. All servers participate in the Raft
# consensus algorithm to ensure that transactions occur in a consistent, linearizable
# manner. Transactions modify cluster state, which is maintained on all server nodes to
# ensure availability in the case of node failure. Server nodes also participate in a
# WAN gossip pool with server nodes in other datacenters. Servers act as gateways to
# other datacenters and forward traffic as appropriate.
#server = true
# bootstrap_expect
# This flag provides the number of expected servers in the datacenter. Either this value
# should not be provided or the value must agree with other servers in the cluster. When
# provided, Consul waits until the specified number of servers are available and then
# bootstraps the cluster. This allows an initial leader to be elected automatically.
# This cannot be used in conjunction with the legacy -bootstrap flag. This flag requires
# -server mode.
#bootstrap_expect=3
# encrypt
# Specifies the secret key to use for encryption of Consul network traffic. This key must
# be 32-bytes that are Base64-encoded. The easiest way to create an encryption key is to
# use consul keygen. All nodes within a cluster must share the same encryption key to
# communicate. The provided key is automatically persisted to the data directory and loaded
# automatically whenever the agent is restarted. This means that to encrypt Consul's gossip
# protocol, this option only needs to be provided once on each agent's initial startup
# sequence. If it is provided after Consul has been initialized with an encryption key,
# then the provided key is ignored and a warning will be displayed.
encrypt = "LPKrNBQZnJIc8tJpViI4ug=="
# retry_join
# Similar to -join but allows retrying a join until it is successful. Once it joins
# successfully to a member in a list of members it will never attempt to join again.
# Agents will then solely maintain their membership via gossip. This is useful for
# cases where you know the address will eventually be available. This option can be
# specified multiple times to specify multiple agents to join. The value can contain
# IPv4, IPv6, or DNS addresses. In Consul 1.1.0 and later this can be set to a go-sockaddr
# template. If Consul is running on the non-default Serf LAN port, this must be specified
# as well. IPv6 must use the "bracketed" syntax. If multiple values are given, they are
# tried and retried in the order listed until the first succeeds. Here are some examples:
retry_join = <%= @manager_hosts %>
bind_addr = "<%= @ipaddr %>"
disable_remote_exec = false
disable_update_check = false
enable_local_script_checks = true
@ -82,4 +25,27 @@ log_level = "INFO"
log_json = false
log_rotate_bytes = 1000000
rejoin_after_leave = true
enable_central_service_config = true
ports {
grpc = 8502
}
connect {
enabled = true
}
telemetry {
prometheus_retention_time = "24h"
disable_hostname = true
}
auto_config {
enabled = true
intro_token_file = "/etc/consul.d/tokens/jwt"
server_addresses = [ <%= @manager_hosts %> ]
}
acl {
tokens {
default = "<%= @token %>"
}
}
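Review bot: `acl { tokens { default = "<%= @token %>" } }` installs one shared token, taken from a cleartext attribute, as the default for every client, so each agent's token is as exposed as the least-protected node, every local caller of the HTTP API without its own token inherits it, and it cannot be revoked per agent; an `agent` token with node-scoped policy, delivered through the same Vault/consul-template path this commit builds for the intro token, is the narrower choice. `auto_config` with `intro_token_file = "/etc/consul.d/tokens/jwt"` relies on consul-template having rendered that file before consul starts; a comment here saying that the ordering lives in the systemd units would save the next reader a search. The first hunk of this file mixes removed comment blocks with new settings and its sides cannot be told apart on this page; if `retry_join = <%= @manager_hosts %>` is still on the new side, it now renders without the brackets that `server_addresses = [ <%= @manager_hosts %> ]` adds and will fail to parse.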


@ -2,6 +2,14 @@ include_recipe './attributes.rb'
include_recipe './install.rb'
%w( agent tokens ).each do |d|
directory "/etc/vault.d/#{d}" do
owner 'vault'
group 'vault'
mode '0755'
end
end
if node['vault']['manager']
include_recipe './setup.rb'
end
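Review bot: `/etc/vault.d/tokens` is created with `mode '0755'` although its only purpose is to hold the AppRole role id and secret id, so the directory is listable by every local user and the file modes are the sole protection; use `mode '0700'` (or `0750` with group `vault`) for `tokens` and keep `0755` for `agent`. A short comment that the consul cookbook's connect-prep recipe writes into these directories, which is why `vault` now precedes `consul` in the role file, would explain the reorder elsewhere in this commit.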


@ -1,11 +1,11 @@
include_recipe '../cookbooks/base/default.rb'
include_recipe '../cookbooks/kazu634/default.rb'
include_recipe '../cookbooks/supervisor/default.rb'
include_recipe '../cookbooks/consul/default.rb'
include_recipe '../cookbooks/vault/default.rb'
include_recipe '../cookbooks/consul-template/default.rb'
include_recipe '../cookbooks/consul/default.rb'
include_recipe '../cookbooks/fzf/default.rb'
include_recipe '../cookbooks/promtail/default.rb'
include_recipe '../cookbooks/vector/default.rb'
include_recipe '../cookbooks/prometheus-exporters/default.rb'
include_recipe '../cookbooks/nomad/default.rb'
include_recipe '../cookbooks/vault/default.rb'