Merge pull request 'Consul Connect Support' (#4) from consul-connect-support into master

Reviewed-on: #4

cookbooks/consul-template/files/etc/default/consul-template

@@ -1 +1,2 @@
 OPTIONS="-syslog -syslog-name=consul-template"
+VAULT_ADDR="http://192.168.10.142:8200"

cookbooks/consul/attributes.rb

@@ -2,7 +2,7 @@
 # Specifying the default settings:
 # -------------------------------------------
 case run_command('grep VERSION_ID /etc/os-release | awk -F\" \'{print $2}\'').stdout.chomp
-when "20.04"
+when "20.04", "22.04"
   cmd = 'LANG=C ip a | grep "inet " | grep -v -E "(127|172)" | cut -d" " -f6 | perl -pe "s/\/.+//g"'
 
 when "18.04"
@@ -19,8 +19,10 @@ dns = run_command(cmd).stdout.chomp
 node.reverse_merge!({
   'consul' => {
     'manager' => false,
-    'manager_hosts' => '["192.168.10.101", "192.168.10.251", "192.168.10.252"]',
+    'manager_hosts' => '"192.168.10.101", "192.168.10.251", "192.168.10.252", "192.168.10.253"',
     'ipaddr' => ipaddr,
-    'dns' => dns
+    'dns' => dns,
+    'encrypt' => 's2T3XUTb9MjHYOw8I820O5YkN2G6eJrjLjJRTnEAKoM=',
+    'token' => 'acb7096c-dcda-775a-b52c-b47c96b38d0e'
   }
 })

cookbooks/consul/consul-connect-prep.rb

@@ -0,0 +1,54 @@
+# Use Vault to retrieve the token to generate jwt.
+%w( roleid secretid ).each do |f|
+  encrypted_remote_file "/etc/vault.d/tokens/#{f}" do
+    owner 'root'
+    group 'root'
+    mode '0644'
+
+    source   "files/etc/vault.d/tokens/#{f}"
+    password ENV['ITAMAE_PASSWORD']
+  end
+end
+
+remote_file '/etc/vault.d/agent/consul-jwt.hcl' do
+  owner 'vault'
+  group 'vault'
+  mode  '0644'
+
+  notifies :restart, 'service[vault-agent-consul-jwt]'
+end
+
+remote_file '/etc/default/vault-agent-consul-jwt' do
+  owner 'vault'
+  group 'vault'
+  mode '0644'
+end
+
+remote_file '/etc/systemd/system/vault-agent-consul-jwt.service' do
+  owner 'root'
+  group 'root'
+  mode '0644'
+
+  notifies :restart, 'service[vault-agent-consul-jwt]'
+end
+
+service 'vault-agent-consul-jwt' do
+  action [:enable, :start]
+end
+
+# Use consul-template to retrieve the JWT token.
+remote_file '/etc/consul-template.d/conf/consul-jwt.conf' do
+  owner 'root'
+  group 'root'
+  mode '0644'
+
+  notifies :restart, 'service[consul-template]'
+end
+
+remote_file '/etc/consul-template.d/templates/consul-jwt.tmpl' do
+  owner 'root'
+  group 'root'
+  mode '0644'
+
+  notifies :restart, 'service[consul-template]'
+end

cookbooks/consul/default.rb

@@ -2,6 +2,7 @@ include_recipe './attributes.rb'
 
 include_recipe './install.rb'
 
+include_recipe './consul-connect-prep.rb'
 include_recipe './setup.rb'
 
 include_recipe './dnsmasq.rb'

cookbooks/consul/dnsmasq.rb

@@ -7,7 +7,7 @@ package 'dnsmasq'
 end
 
 case run_command('grep VERSION_ID /etc/os-release | awk -F\" \'{print $2}\'').stdout.chomp
-when "20.04"
+when "20.04", "22.04"
   template '/etc/systemd/resolved.conf' do
     owner 'root'
     group 'root'

cookbooks/consul/files/etc/consul-template.d/conf/consul-jwt.conf

@@ -0,0 +1,12 @@
+vault {
+  address                = "http://192.168.10.142:8200"
+
+  vault_agent_token_file = "/etc/consul-template.d/tokens/consul-jwt-vault-token"
+  renew_token            = true
+}
+
+template {
+  source      = "/etc/consul-template.d/templates/consul-jwt.tmpl"
+  destination = "/etc/consul.d/tokens/jwt"
+  perms       = 0666
+}

cookbooks/consul/files/etc/consul-template.d/templates/consul-jwt.tmpl

@@ -0,0 +1 @@
+{{with secret "identity/oidc/token/oidc-role"}}{{.Data.token}}{{end}}

cookbooks/consul/files/etc/consul.d/certs/consul-agent-ca.pem

@@ -0,0 +1,24 @@
+md5:4f683f562e56d8663a72584dfa67b247:salt:104-7-237-106-15-219-15-45:aes-256-cfb:/IYVG1CC7S1/KK5iEO1BUrlqH8/OddDGctvAzUZ8IVolFnt5C5e3evwjYjJ5
+F3sh4uVIMwEq2QSWjn+ZX54zaol/tAGLV18lb9fxIuPNL+bZqoUsM7w4nGL4
+s6uNSvbzku+YJ0iDNI38i2h0WpR/3PYfL0cnLsgt/I+cB7nzfY1HCwaUXj7V
+52IwwMtpIKxXVPyAF974Auwx7ar43IGDGXyYumgIeueJ7wP1dKi8NEb777Bz
+T6TMnauGWVJagMn7FQxXyNojui7qjzqJjnIZaE18ztObA9co9dgfuSE4TOhr
+nuZ0hvZ3bEIYt0B8QTBEoUR+mRoKCeUvc15kGU4aZNesg4GKa8lPMonQnrj2
+f6sOfru4UzHrkJNIHcgeFT+vSYo0s5co27y1oqtijWpnZ0oUd8brBP9KI+rB
+sdWaXltx+sEJKWULZRspFRGWvJl/QPTTRMJtSKBKfa4xo66LkZatVGgr5+HP
+1a6S/m6QW0d9J/Bcd9LYO2RRZSDYYC3DJgXNwPhd9EQ2m7nLl6fZbt3uFzYa
+rFdgmlPwugrvm4IZOjAT5msf6BC3BLxbYR2TvM+TKaID/ZuzRmsxEmosBRmo
+Qp2fLJsm32kgDiY11oRHD2q+MZdxI6YZ2ht87j4ZNHYwTsvsqxMKfcAaXQ4z
+Jb/IwTYNWxLYFSSNMJEaWnIrOOun0sqtb8ne0Y32ZKdy2us2ntR3segvKkt4
+h7En4rhKHxAwxiv9HAs6aOgafqdOX9OeTfqfhmxALJUgwg3GlNrvT5VD+Jz5
+67/AsMaOiu+3k/VxyBMijmRXR6mOxwNR75AuynfIBg7TLjfzDu3FrEDdyS0F
+AzYr9OW88ch3jTvQ67rfZ1TyFIpe1a99+I8ia7FVyVNxowL/uXkepdLqTCsg
+lMcWIFRJWsDelVJ8YFBe9DgtzWXzEWgujwMD9A3G1y8KL7aS/5dDC8vX5/fj
+xPIzEyQ2L/Knf+UVlsFzAs2K2vZVIDYkLVnoF7RRB2JSR9AdVAhRYGZR3igZ
+9yArvqb1eybAlEOT6rGqnQY+WL7ICCz0oyP0QWUhctt6bzPwHA1wqMnpGfuS
+GD6Kr5+ePhheEvBg23AfcrmZPr30MVa0IHomeQlT4qik6zc239mge1r45Ru0
+5zvSj/EvfcN8hq/Ds8byURgE2oOXal1EgIvuuQ3dQk4ePETKonJp3LtZCHk2
+yqBQHBbYpzdmKaR4TCecOf0O3Q3IvIE1CpTDhGtN0JbWit8VBBm43VXf6b8S
+o50fwoVgroRSjoN5LpaTmUWhM+Z9fKIZsPeGNP8W4fhKRCaME3WL5W2T6t8T
+0/wEl5izZx9/oLlzHzdqCLCoZZCiVN/E9BlgbzrT/3aFYadBvJ2C2FS5q2Ip
+1/CPwO3V3CW7cQp575PY/ZfbnmPsF68ZBPOC0MPcOySi9ikICmOT

cookbooks/consul/files/etc/default/vault-agent-consul-jwt

@@ -0,0 +1 @@
+VAULT_ADDR="http://192.168.10.142:8200"

cookbooks/consul/files/etc/systemd/system/consul.service

@@ -2,7 +2,7 @@
 Description="HashiCorp Consul - A service mesh solution"
 Documentation=https://www.consul.io/
 Requires=network-online.target
-After=network-online.target
+After=network-online.target vault-agent-consul-jwt.target
 ConditionFileNotEmpty=/etc/consul.d/consul.hcl
 
 [Service]

cookbooks/consul/files/etc/systemd/system/vault-agent-consul-jwt.service

@@ -0,0 +1,13 @@
+[Unit]
+Description=Vault Agent
+Requires=network-online.target
+After=network-online.target
+
+[Service]
+EnvironmentFile=-/etc/default/vault-agent-consul-jwt
+Restart=on-failure
+ExecStart=/usr/bin/vault agent -config=/etc/vault.d/agent/consul-jwt.hcl
+KillSignal=SIGINT
+
+[Install]
+WantedBy=multi-user.target

cookbooks/consul/files/etc/vault.d/agent/consul-jwt.hcl

@@ -0,0 +1,19 @@
+auto_auth {
+  method {
+    type = "approle"
+
+    config = {
+      role_id_file_path = "/etc/vault.d/tokens/roleid"
+      secret_id_file_path = "/etc/vault.d/tokens/secretid"
+      remove_secret_id_file_after_reading = false
+    }
+  }
+
+  sink {
+    type = "file"
+
+    config = {
+      path = "/etc/consul-template.d/tokens/consul-jwt-vault-token"
+    }
+  }
+}

cookbooks/consul/files/etc/vault.d/tokens/roleid

@@ -0,0 +1 @@
+md5:3589fac78cfe7ae33551d6478f20e2cd:salt:229-185-78-119-188-9-161-204:aes-256-cfb:aqhITLoIN7UEBZRyMeO+xwAqfZrz7VXUVcre+Fip/RhqzfWZaQ==

cookbooks/consul/files/etc/vault.d/tokens/secretid

@@ -0,0 +1 @@
+md5:98b157199b9f17446254894788740c7d:salt:233-189-165-36-170-54-151-47:aes-256-cfb:gB1Ml+Bg2iNwwd76Qn7C8+mVlzKT9Ndb0W3R0g2PTQyF7ejNJg==

cookbooks/consul/setup.rb

@@ -1,3 +1,25 @@
+# Create directories
+%w( certs howto misc policies tokens ).each do |d|
+  directory "/etc/consul.d/#{d}" do
+    owner 'consul'
+    group 'consul'
+    mode  '0755'
+  end
+end
+
+# deploy certificates
+if node['consul']['manager']
+else
+  encrypted_remote_file '/etc/consul.d/certs/consul-agent-ca.pem' do
+    owner 'consul'
+    group 'consul'
+    mode '0444'
+
+    source   'files/etc/consul.d/certs/consul-agent-ca.pem'
+    password ENV['ITAMAE_PASSWORD']
+  end
+end
+
 if node['consul']['manager']
   SRC = 'consul-server.hcl.erb'
 else
@@ -12,6 +34,8 @@ template '/etc/consul.d/consul.hcl' do
   variables(manager: node['consul']['manager'],
             manager_hosts: node['consul']['manager_hosts'],
             ipaddr: node['consul']['ipaddr'],
+            encrypt: node['consul']['encrypt'],
+            token: node['consul']['token'],
            )
 
   source "templates/etc/consul.d/#{SRC}"
@@ -44,7 +68,7 @@ service 'consul' do
 end
 
 # iptables settings here:
-%w( 8300/tcp 8301/tcp 8301/udp 8500/tcp ).each do |port|
+%w( 8300/tcp 8301/tcp 8301/udp 8500/tcp 8502/tcp ).each do |port|
   execute "ufw allow #{port}" do
     user 'root'
 

cookbooks/consul/templates/etc/consul.d/consul-agent.hcl.erb

@@ -1,85 +1,51 @@
-# Full configuration options can be found at https://www.consul.io/docs/agent/options.html
+datacenter = "dc1"
+data_dir   = "/opt/consul"
 
-# datacenter
-# This flag controls the datacenter in which the agent is running. If not provided,
-# it defaults to "dc1". Consul has first-class support for multiple datacenters, but
-# it relies on proper configuration. Nodes in the same datacenter should be on a
-# single LAN.
-#datacenter = "aws"
+encrypt                = "<%= @encrypt %>"
+verify_incoming        = true
+verify_outgoing        = true
+verify_server_hostname = true
 
-# data_dir
-# This flag provides a data directory for the agent to store state. This is required
-# for all agents. The directory should be durable across reboots. This is especially
-# critical for agents that are running in server mode as they must be able to persist
-# cluster state. Additionally, the directory must support the use of filesystem
-# locking, meaning some types of mounted folders (e.g. VirtualBox shared folders) may
-# not be suitable.
-data_dir = "/opt/consul"
+ca_file   = "/etc/consul.d/certs/consul-agent-ca.pem"
 
-# client_addr
-# The address to which Consul will bind client interfaces, including the HTTP and DNS
-# servers. By default, this is "127.0.0.1", allowing only loopback connections. In
-# Consul 1.0 and later this can be set to a space-separated list of addresses to bind
-# to, or a go-sockaddr template that can potentially resolve to multiple addresses.
-client_addr = "0.0.0.0"
+bind_addr      = "0.0.0.0"
+client_addr    = "0.0.0.0"
+advertise_addr = "<%= @ipaddr %>"
 
-# ui
-# Enables the built-in web UI server and the required HTTP routes. This eliminates
-# the need to maintain the Consul web UI files separately from the binary.
-ui = false
+performance {
+  raft_multiplier = 1
+}
 
-# server
-# This flag is used to control if an agent is in server or client mode. When provided,
-# an agent will act as a Consul server. Each Consul cluster must have at least one
-# server and ideally no more than 5 per datacenter. All servers participate in the Raft
-# consensus algorithm to ensure that transactions occur in a consistent, linearizable
-# manner. Transactions modify cluster state, which is maintained on all server nodes to
-# ensure availability in the case of node failure. Server nodes also participate in a
-# WAN gossip pool with server nodes in other datacenters. Servers act as gateways to
-# other datacenters and forward traffic as appropriate.
-#server = true
-
-# bootstrap_expect
-# This flag provides the number of expected servers in the datacenter. Either this value
-# should not be provided or the value must agree with other servers in the cluster. When
-# provided, Consul waits until the specified number of servers are available and then
-# bootstraps the cluster. This allows an initial leader to be elected automatically.
-# This cannot be used in conjunction with the legacy -bootstrap flag. This flag requires
-# -server mode.
-#bootstrap_expect=3
-
-# encrypt
-# Specifies the secret key to use for encryption of Consul network traffic. This key must
-# be 32-bytes that are Base64-encoded. The easiest way to create an encryption key is to
-# use consul keygen. All nodes within a cluster must share the same encryption key to
-# communicate. The provided key is automatically persisted to the data directory and loaded
-# automatically whenever the agent is restarted. This means that to encrypt Consul's gossip
-# protocol, this option only needs to be provided once on each agent's initial startup
-# sequence. If it is provided after Consul has been initialized with an encryption key,
-# then the provided key is ignored and a warning will be displayed.
-encrypt = "LPKrNBQZnJIc8tJpViI4ug=="
-
-# retry_join
-# Similar to -join but allows retrying a join until it is successful. Once it joins
-# successfully to a member in a list of members it will never attempt to join again.
-# Agents will then solely maintain their membership via gossip. This is useful for
-# cases where you know the address will eventually be available. This option can be
-# specified multiple times to specify multiple agents to join. The value can contain
-# IPv4, IPv6, or DNS addresses. In Consul 1.1.0 and later this can be set to a go-sockaddr
-# template. If Consul is running on the non-default Serf LAN port, this must be specified
-# as well. IPv6 must use the "bracketed" syntax. If multiple values are given, they are
-# tried and retried in the order listed until the first succeeds. Here are some examples:
-retry_join = <%= @manager_hosts %>
-
-bind_addr = "<%= @ipaddr %>"
-disable_remote_exec = false
-disable_update_check = false
+disable_update_check       = false
 enable_local_script_checks = true
 
-log_file = "/var/log/consul/"
+log_file             = "/var/log/consul/"
 log_rotate_max_files = -1
-log_level = "INFO"
-log_json = false
-log_rotate_bytes = 1000000
+log_level            = "INFO"
+log_json             = false
+log_rotate_bytes     = 1000000
 
-rejoin_after_leave = true
+enable_central_service_config = true
+ports {
+  grpc = 8502
+}
+connect {
+  enabled = true
+}
+
+telemetry {
+  prometheus_retention_time = "24h"
+  disable_hostname          = true
+}
+
+auto_config {
+  enabled = true
+  intro_token_file = "/etc/consul.d/tokens/jwt"
+  server_addresses = [ <%= @manager_hosts %> ]
+}
+
+acl {
+  tokens {
+    default = "<%= @token %>"
+  }
+}

cookbooks/vault/default.rb

@@ -2,6 +2,14 @@ include_recipe './attributes.rb'
 
 include_recipe './install.rb'
 
+%w( agent tokens ).each do |d|
+  directory "/etc/vault.d/#{d}" do
+    owner 'vault'
+    group 'vault'
+    mode '0755'
+  end
+end
+
 if node['vault']['manager']
   include_recipe './setup.rb'
 end

roles/base.rb

@@ -1,11 +1,11 @@
 include_recipe '../cookbooks/base/default.rb'
 include_recipe '../cookbooks/kazu634/default.rb'
 include_recipe '../cookbooks/supervisor/default.rb'
-include_recipe '../cookbooks/consul/default.rb'
+include_recipe '../cookbooks/vault/default.rb'
 include_recipe '../cookbooks/consul-template/default.rb'
+include_recipe '../cookbooks/consul/default.rb'
 include_recipe '../cookbooks/fzf/default.rb'
 include_recipe '../cookbooks/promtail/default.rb'
 include_recipe '../cookbooks/vector/default.rb'
 include_recipe '../cookbooks/prometheus-exporters/default.rb'
 include_recipe '../cookbooks/nomad/default.rb'
-include_recipe '../cookbooks/vault/default.rb'