Merge pull request 'Consul server setup' (#2) from consul-server-setup into main
Reviewed-on: #2
@ -2,7 +2,7 @@
|
||||||
execute 'apt update'
|
execute 'apt update'
|
||||||
|
|
||||||
# Install the necessary packages:
|
# Install the necessary packages:
|
||||||
%w[build-essential zsh vim-nox debian-keyring screen curl dstat direnv].each do |pkg|
|
%w[build-essential zsh vim-nox debian-keyring screen curl dstat direnv jq avahi-daemon].each do |pkg|
|
||||||
package pkg
|
package pkg
|
||||||
end
|
end
|
||||||
|
|
||||||
|
@ -63,9 +63,6 @@ end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
# mDNS
|
|
||||||
package 'avahi-daemon'
|
|
||||||
|
|
||||||
execute 'ufw allow 5353/udp' do
|
execute 'ufw allow 5353/udp' do
|
||||||
user 'root'
|
user 'root'
|
||||||
|
|
||||||
|
|
|
@ -23,6 +23,7 @@ node.reverse_merge!({
|
||||||
'ipaddr' => ipaddr,
|
'ipaddr' => ipaddr,
|
||||||
'dns' => dns,
|
'dns' => dns,
|
||||||
'encrypt' => 's2T3XUTb9MjHYOw8I820O5YkN2G6eJrjLjJRTnEAKoM=',
|
'encrypt' => 's2T3XUTb9MjHYOw8I820O5YkN2G6eJrjLjJRTnEAKoM=',
|
||||||
'token' => '39f8fc02-7ec7-ec7b-7bc6-e6e16bb8deca'
|
'token' => '39f8fc02-7ec7-ec7b-7bc6-e6e16bb8deca',
|
||||||
|
'server_token' => '655967fb-8a72-5ba9-b5ae-58c587c853b2'
|
||||||
}
|
}
|
||||||
})
|
})
|
||||||
|
|
|
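Review bot: The new `'server_token' => '655967fb-…'` is a live Consul ACL token committed in plaintext to the recipe's node attributes, alongside the gossip `encrypt` key and the existing `token` that were already there. The same change set shows the project already has a non-plaintext path for secrets (`encrypted_remote_file` keyed by `ENV['ITAMAE_PASSWORD']`), so the token has no reason to live here in the clear. Once this is pushed the value is in history for good and should be rotated; the same applies to the gossip key on the context line above it. I would read it from the environment the way the password is, e.g. `'server_token' => ENV.fetch('CONSUL_SERVER_TOKEN')`, and keep only a non-secret placeholder in the repo.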
@ -0,0 +1,24 @@
|
||||||
|
md5:4f683f562e56d8663a72584dfa67b247:salt:116-0-67-185-96-189-235-121:aes-256-cfb:/pbbA5VABbbCOrdOi/C+lfBXQ2v5kTXj7eid4Sh3CaL4fokVqN0txFlLJiqZ
|
||||||
|
Hstgm8GIFK1+33JHrOdbPCszRjyTW18P0pDmZbXilh0kg5otpYrQ67f5E976
|
||||||
|
mJz9Mr9MeBZ7At6H4nnWAAaSQu2MDgBgrkVLL87NYARn0t0qOz4PAU3mN8Ah
|
||||||
|
e/fT1Awr8s4m/cupKAX6q0vZ4w1mfS+oY9tWeDDppvpr9AuYWLofvaB5axIu
|
||||||
|
x54YETl7vvpu+rvkLs9iuzw1Xvws/ztUxS1QBMAlIxBd1ICHMTd0+7hZf/tU
|
||||||
|
bH7gNqMDaTDAZzruDOisS7H6x47G9rOkGeuS/1RsEB8u3qV2IDXEgwfETfH4
|
||||||
|
f1TUq1s3oaNGGTSnUBxjx0iUMZOk6+vy1xX4oa3bq4wa6PVQONdhrbqx4hvQ
|
||||||
|
Y69Q36Q4gpTtI58YDx7U+Nc8TEnL6OCRewGOsBjUv5gjMZbn9wMUzFEvNyr3
|
||||||
|
4gquHT9OARvvmqybm7L8Af7proWAo5Mxy+rB3o0eAjSZ5ND7hQtCMKlMqtkc
|
||||||
|
Z5xBemLKXTBrqt5wZ+MACL51UJX0ngLAESW8vpy19y+kMOkM+kuqT4sqjsFw
|
||||||
|
sHn4mOsg4PCio61zs7aylWLFWZZBfKcD/wuHseL22U3cabyRaUabotSgZrAf
|
||||||
|
uqOJWVUihNSJ8ak6t/6Lrc8ilyLzULvwdiT+ZjavGXi1c6Ext/VmQIUHIjUy
|
||||||
|
dd+ScLvgpKJVztW2sIpOXbUzYDgjMsYR4H6XJw6OFmneuL9z/0qaUs011y2z
|
||||||
|
5kaakT+by7v+czTj0lflTdz55RLPNViYY3rZZiCn2X/UjXhRXFBuVOY4Rm7f
|
||||||
|
hB8MmTyGPf9fQk0aKWEi6QTA+Lt3/4ak9rY5K3I+g1f66Hn8zZmJU+fETXuH
|
||||||
|
RhbXgrhHdH/i44rkDVkJL4obf9JhsBWYAcMhQN/5z91gf45V0J8VWF46vGRR
|
||||||
|
y4N04NifLXuZG7rA3Hw3xY9EyBOAPHII45qSzQM94Exo/Xik/QLfChnaLPQO
|
||||||
|
XcUx32w8f1g0Vm+K4I4g3BEGmztLnoVodW9qqF//4/HmJqHry2znLhI0EAtN
|
||||||
|
CUA270z6tGzuMUgZo7rJX06Pn76HRaBkyWMBcQzN72JaIbZvrsOJJHhVMLmu
|
||||||
|
PBjXyJmF0tNwFtMEwGYJ2T4OfGpCCD+NPS5nEQ6bZ0sX3/qJwhGD8Vz3U4P6
|
||||||
|
3fhRlnjM2KJFQ5CCl95lpTGwsbeP6NNaoCAmLZXcSMDiL6YQDy/rtN3Q4LfO
|
||||||
|
pfgg3hf5a041qSo5FOY+7vjyc9ndYisLxnoAtB90cX8ORnKKZBugqlvarYMR
|
||||||
|
x4tJ6S2h2177eRwIcm7uHCd96ne/g/s0ScEoqHZg0vXs645F+ovi2ymsKxxN
|
||||||
|
CrRkuxP1P8bhK3Bn1ylK4aejktOzy4dcdEmUCwJlPElnJbuQtnjv
|
|
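Review bot: This ciphertext (from the recipe's `source` lines, presumably the CA private key, the server key and the server certificate) is protected by nothing but the strength of `ITAMAE_PASSWORD`. The header advertises `aes-256-cfb`, an unauthenticated mode, with what looks like an MD5-based key derivation, so a weak or reused passphrase is exposed to offline guessing by anyone who clones the repo, and tampering would not be detected before the key is written to disk. If this blob is the CA private key, consider not committing it at all: the server config in this change set references only `ca_file`, `cert_file` and `key_file`, so the CA key is needed only where certificates are minted.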
@ -0,0 +1,6 @@
|
||||||
|
md5:3fe62feb81f46bc71cf0e43936d98efa:salt:5-77-73-67-58-107-161-252:aes-256-cfb:6B67412gDFtS5lssg5QCREm5vrWJA2pfLbnqySZHkqEp9xd2rG4S+vak3DAk
|
||||||
|
9ruQRqOZOs5vmzysY6AONeAK0ghGId9olkPDUqxuj0xZ466Yt4BDGnmTl2rU
|
||||||
|
WoKONoX+GZz7zmVxqYfykHCgkHb0bfV7HRWJKiVBTvxlDQtceoTScu2qrlRj
|
||||||
|
aRmsaKvpR2LvNeh+D9tVqmD3+T4924jjO1HqkyAXEu0RENRvwFJIb3Vd9WwC
|
||||||
|
Mp/49miaRSdZ/OkXyu8hG00bqt40Edn9wJSWDHDw5XYYVoBlYYHCfzAuQw3K
|
||||||
|
fL+BxPM=
|
|
@ -0,0 +1,22 @@
|
||||||
|
md5:3a2252bcb411d02014a3e1a14efc1cac:salt:4-79-66-221-55-44-210-100:aes-256-cfb:FoeqpBC4Wrwrmu/9a+Jo9ejvJMoLuqfxXLAi4sJHJowcallU4XWZzDWnJHqj
|
||||||
|
a8gHLk1bx6ysJp/rTD7oEBp3WEbg3wGu2v+ywl+DrHbArS6lR0PQ0U6mu/EX
|
||||||
|
RiqTPiv7HmvExIBVeMCUamkS7HnKLKdf/X2Mo2z/yWca0gORNeElQoCs/UaC
|
||||||
|
AXnlgQzd6sYAzxYIYqOQSzz42f1CqA2yIy38R4j8O/VbQ7MBLuDa6b0nYsjp
|
||||||
|
/gMH7KHdeP+5ZeE+JueJjbgChkmuq6soBfWuxuij1uJFhrnKsf9kX7n0uGOh
|
||||||
|
IHHBMJbm+vORcha/En2KviNwmxQWF3RF+Ba0NazkiEdxvpaozYutSdwn6r2I
|
||||||
|
XlGBg6OTTTXOZVXjB/gFZjBBXQruLw2vHKxEGtR3iNYJbfEA90wbaB8EP4bZ
|
||||||
|
8E2ktbJ/HWD6V9ruQ3wRgh2YQ6WTjEi/a54uZJgWbxDsYIVdHrrwpQrPtZlg
|
||||||
|
1FdpE2dzE8b1Lr+obub6U0Rn2Eo2Pc17leEsGmMxGyyJecCJxW49U4fCgsAM
|
||||||
|
rJC3ky8/38sQh7W5NJdRhUkYW3sSWe8ZcTCFjONMea65DI6bt/pbj+sw+4a1
|
||||||
|
NtJDOWb7yRSI4yqTNYntGZMygDW7PPLAh95lGkHWJgHXOCQcMK4Oyct7ArRl
|
||||||
|
nwt2p5JvPEeJlgj0pbqqXMc3EenOVY2I2PNOb83YThXPEc5HYhciRee7W2TH
|
||||||
|
VIacv30zV5iC/LA9ddHSe0SG00GujYdMLGDCqb4NBn5UUmEVKDQ+YRUcwolS
|
||||||
|
J0triJjN7bDMDZihBrDkR/H+IhEzYE0CwHxwDO0jVzw6JPv72GN5dpabgoCC
|
||||||
|
9Ul+3gM3k3uOUII6VZe85AHew7Ih5a7DJL3O9jlgCNqIla+LWDFsRsO+nXKK
|
||||||
|
0X0l6mBivT1J0xs4WAFWJDMZzoXDhvrQgxPMeYiRVb42P9XgqvBaRzASa3I0
|
||||||
|
VqP8bmgauBddgOPMf36R2U2KlomyDcS1qwncrtRX8Ix2jO7Ei+SBiO7g6jV3
|
||||||
|
34tU9eeUpdY7Q2lc88oGJQ8lGRHppMJEm45U8XBzZBMn6kTtoEUTMSu3tz7s
|
||||||
|
sslPifdBxp9k031DtpI0FRvgf9EDU9CSL3PWuIRkRyllbllpfuPABxe2n41e
|
||||||
|
2X1q9yyMe88YByWy8P44dHT5ObsZWjtLspKFXme4jCRAwIljTBdeuBHPa5rX
|
||||||
|
6awSzdPfwbrBeUNBcHBKxmGAODmkiv4akakYRl7kipcMIY1mx948Rc0XCwvx
|
||||||
|
XGBNhzyQZogKZZUpTqANvqOf7e+RJpHJ
|
|
@ -0,0 +1,7 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
export TOKEN_DIR=/etc/consul.d/tokens
|
||||||
|
|
||||||
|
consul acl bootstrap --format json | tee -a "${TOKEN_DIR}/token-bootstrap.json"
|
||||||
|
|
||||||
|
exit $?
|
|
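Review bot: `consul acl bootstrap … | tee -a "${TOKEN_DIR}/token-bootstrap.json"` writes the initial management token with the caller's default umask (typically world-readable), echoes it to the terminal and any session log, and `-a` appends on every rerun so the file stops being a single JSON document — which is exactly what `02-policy.sh` then feeds to `jq -r .SecretID`. `exit $?` also reports tee's status, not consul's, so a failed bootstrap still exits 0 unless `pipefail` is set. I would create the directory with `0700`, refuse to overwrite an existing token file, and write the output to the file only.
```shell
#!/bin/bash
set -euo pipefail
umask 077

TOKEN_DIR=/etc/consul.d/tokens
OUT="${TOKEN_DIR}/token-bootstrap.json"

install -d -m 0700 "${TOKEN_DIR}"
if [ -e "${OUT}" ]; then
  echo "${OUT} already exists; refusing to overwrite the bootstrap token" >&2
  exit 1
fi

# write the management token to the file only, never to the terminal
consul acl bootstrap --format json > "${OUT}"
```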
@ -0,0 +1,29 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
export POLICIES=`ls -1 /etc/consul.d/policies/*.hcl`
|
||||||
|
export TOKEN_DIR=/etc/consul.d/tokens
|
||||||
|
export ANONYMOUS_TOKEN="00000000-0000-0000-0000-000000000001"
|
||||||
|
export CONSUL_HTTP_TOKEN=`cat ${TOKEN_DIR}/token-bootstrap.json | jq -r ".SecretID"`
|
||||||
|
|
||||||
|
for conf in ${POLICIES}; do
|
||||||
|
policy=`basename ${conf} .hcl`
|
||||||
|
|
||||||
|
consul acl policy read -name "${policy}" &> /dev/null
|
||||||
|
if [ $? -ne 0 ]; then
|
||||||
|
consul acl policy create -name "${policy}" -rules @${conf}
|
||||||
|
fi
|
||||||
|
|
||||||
|
# anonymousは特別扱い
|
||||||
|
if [ ${policy} = "anonymous" ]; then
|
||||||
|
continue
|
||||||
|
fi
|
||||||
|
|
||||||
|
consul acl token list | grep ${policy} &> /dev/null
|
||||||
|
if [ $? -ne 0 ]; then
|
||||||
|
consul acl token create -description "${policy}" -policy-name ${policy} | tee ${TOKEN_DIR}/${policy}
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
|
||||||
|
consul acl token update -id ${ANONYMOUS_TOKEN} -policy-name "anonymous" -description "Anonymous Token"
|
||||||
|
|
||||||
|
exit 0
|
|
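Review bot: `consul acl token list | grep ${policy}` is a substring match over the whole listing (descriptions, policy names, accessor IDs), so an unrelated token whose description merely contains the policy name suppresses creation, and the resulting token is then written via `tee`, i.e. printed to the terminal and saved with the default umask. The script also runs without `set -e`/`pipefail`, so if the bootstrap file is missing or malformed `CONSUL_HTTP_TOKEN` is silently empty and every subsequent call runs as anonymous, yet the script still exits 0; and existing policies are never updated, so edits to the `.hcl` files do not reach the cluster. I would match the description exactly, stop echoing secrets, and make the policy step create-or-update; downstream readers of `${TOKEN_DIR}/${policy}` are not visible here, so I kept the file format unchanged.
```shell
#!/bin/bash
set -euo pipefail
umask 077

TOKEN_DIR=/etc/consul.d/tokens
ANONYMOUS_TOKEN="00000000-0000-0000-0000-000000000001"
CONSUL_HTTP_TOKEN=$(jq -er '.SecretID' "${TOKEN_DIR}/token-bootstrap.json")
export CONSUL_HTTP_TOKEN

for conf in /etc/consul.d/policies/*.hcl; do
  policy=$(basename "${conf}" .hcl)

  # create-or-update so edits to the .hcl files actually reach the cluster
  if consul acl policy read -name "${policy}" > /dev/null 2>&1; then
    consul acl policy update -name "${policy}" -rules "@${conf}"
  else
    consul acl policy create -name "${policy}" -rules "@${conf}"
  fi

  # the anonymous token only gets its policy attached (below), no token file
  [ "${policy}" = "anonymous" ] && continue

  # exact match on Description instead of a substring grep over the whole list
  if ! consul acl token list -format json | jq -e --arg d "${policy}" 'any(.[]; .Description == $d)' > /dev/null; then
    consul acl token create -description "${policy}" -policy-name "${policy}" > "${TOKEN_DIR}/${policy}"
  fi
done

# … unchanged: anonymous token update …
```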
@ -0,0 +1,34 @@
|
||||||
|
acl = "read"
|
||||||
|
|
||||||
|
agent_prefix "" {
|
||||||
|
policy = "read"
|
||||||
|
}
|
||||||
|
|
||||||
|
event_prefix "" {
|
||||||
|
policy = "read"
|
||||||
|
}
|
||||||
|
|
||||||
|
key_prefix "" {
|
||||||
|
policy = "read"
|
||||||
|
}
|
||||||
|
|
||||||
|
keyring = "read"
|
||||||
|
|
||||||
|
node_prefix "" {
|
||||||
|
policy = "read"
|
||||||
|
}
|
||||||
|
|
||||||
|
operator = "read"
|
||||||
|
|
||||||
|
query_prefix "" {
|
||||||
|
policy = "read"
|
||||||
|
}
|
||||||
|
|
||||||
|
service_prefix "" {
|
||||||
|
policy = "read"
|
||||||
|
intentions = "read"
|
||||||
|
}
|
||||||
|
|
||||||
|
session_prefix "" {
|
||||||
|
policy = "read"
|
||||||
|
}
|
|
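Review bot: This policy is attached to the anonymous token by `02-policy.sh`, and `acl = "read"` plus `keyring = "read"` hand unauthenticated callers the cluster's secrets: as far as I recall the Consul ACL docs, reading a token by accessor ID needs only `acl:read` and the response includes its `SecretID`, so anonymous can enumerate tokens and recover the management token, and `keyring:read` lets `consul keyring -list` print the gossip encryption key. `key_prefix "" { policy = "read" }` additionally exposes the entire KV store, and with the agent's `client_addr = "0.0.0.0"` "anonymous" means anyone on the LAN. `default_policy = "deny"` buys nothing under this policy. I would drop the `acl`, `keyring`, `operator`, `key_prefix` and `agent_prefix` grants entirely and keep only the `node_prefix`/`service_prefix` read rules that DNS and service discovery actually need; please confirm the `acl:read` behaviour against the docs for the Consul version in use.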
@ -0,0 +1,15 @@
|
||||||
|
agent_prefix "" {
|
||||||
|
policy = "write"
|
||||||
|
}
|
||||||
|
|
||||||
|
node_prefix "" {
|
||||||
|
policy = "write"
|
||||||
|
}
|
||||||
|
|
||||||
|
service_prefix "" {
|
||||||
|
policy = "write"
|
||||||
|
}
|
||||||
|
|
||||||
|
session_prefix "" {
|
||||||
|
policy = "read"
|
||||||
|
}
|
|
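Review bot: A single token carrying `node_prefix ""`/`service_prefix ""` write is shared by every node, so one compromised agent can rewrite or deregister any node or service in the datacenter. Since this token is minted once per policy by `02-policy.sh`, there is no per-node scoping at all. If the Consul version in use supports it (node identities arrived in 1.8.1, if I remember right), issue per-node tokens with `consul acl token create -node-identity "<node>:dc1"` and keep this catch-all policy for bootstrap only, or at least narrow `service_prefix` to what nodes really register.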
@ -0,0 +1,13 @@
|
||||||
|
agent_prefix "" {
|
||||||
|
policy = "read"
|
||||||
|
}
|
||||||
|
|
||||||
|
node_prefix "" {
|
||||||
|
policy = "read"
|
||||||
|
}
|
||||||
|
|
||||||
|
service_prefix "" {
|
||||||
|
policy = "write"
|
||||||
|
}
|
||||||
|
|
||||||
|
acl = "write"
|
|
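Review bot: `acl = "write"` makes the Nomad token management-equivalent, since it can create and read every other token, so whoever holds it effectively holds the bootstrap token. The Nomad/Consul integration docs do ask for this on Nomad servers for token derivation, but Nomad clients only need agent/service access and should not get this policy; if the same token file is handed to both, that is the point to fix. A split into a server policy (this one) and a client policy without `acl = "write"`, or moving to the auth-method/workload-identity flow that avoids `acl:write` altogether, would remove a second management token from the fleet; I could not see from this change which hosts consume `${TOKEN_DIR}/nomad-policy`, so please check.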
@ -0,0 +1,3 @@
|
||||||
|
service_prefix "" {
|
||||||
|
policy = "write"
|
||||||
|
}
|
|
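Review bot: `service_prefix "" { policy = "write" }` lets the Vault registration token register, overwrite or deregister any service in the catalog, not just Vault's own. Vault's Consul service registration only needs write on its own service name, so `service "vault" { policy = "write" }` is the least-privilege form (add `node_prefix "" { policy = "read" }` only if the registration actually needs to look up nodes). The service name is an assumption from the policy's file name; adjust it to whatever `service_registration "consul"` is configured with.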
@ -9,17 +9,44 @@ end
|
||||||
|
|
||||||
# deploy certificates
|
# deploy certificates
|
||||||
if node['consul']['manager']
|
if node['consul']['manager']
|
||||||
else
|
encrypted_remote_file '/etc/consul.d/certs/consul-agent-ca-key.pem' do
|
||||||
encrypted_remote_file '/etc/consul.d/certs/consul-agent-ca.pem' do
|
owner 'consul'
|
||||||
|
group 'consul'
|
||||||
|
mode '0444'
|
||||||
|
|
||||||
|
source 'files/etc/consul.d/certs/consul-agent-ca-key.pem'
|
||||||
|
password ENV['ITAMAE_PASSWORD']
|
||||||
|
end
|
||||||
|
|
||||||
|
encrypted_remote_file '/etc/consul.d/certs/dc1-server-consul-1-key.pem' do
|
||||||
|
owner 'consul'
|
||||||
|
group 'consul'
|
||||||
|
mode '0444'
|
||||||
|
|
||||||
|
source 'files/etc/consul.d/certs/dc1-server-consul-1-key.pem'
|
||||||
|
password ENV['ITAMAE_PASSWORD']
|
||||||
|
end
|
||||||
|
|
||||||
|
encrypted_remote_file '/etc/consul.d/certs/dc1-server-consul-1.pem' do
|
||||||
|
owner 'consul'
|
||||||
|
group 'consul'
|
||||||
|
mode '0444'
|
||||||
|
|
||||||
|
source 'files/etc/consul.d/certs/dc1-server-consul-1.pem'
|
||||||
|
password ENV['ITAMAE_PASSWORD']
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
encrypted_remote_file '/etc/consul.d/certs/consul-agent-ca.pem' do
|
||||||
owner 'consul'
|
owner 'consul'
|
||||||
group 'consul'
|
group 'consul'
|
||||||
mode '0444'
|
mode '0444'
|
||||||
|
|
||||||
source 'files/etc/consul.d/certs/consul-agent-ca.pem'
|
source 'files/etc/consul.d/certs/consul-agent-ca.pem'
|
||||||
password ENV['ITAMAE_PASSWORD']
|
password ENV['ITAMAE_PASSWORD']
|
||||||
end
|
|
||||||
end
|
end
|
||||||
|
|
||||||
|
# Deploy configs
|
||||||
if node['consul']['manager']
|
if node['consul']['manager']
|
||||||
SRC = 'consul-server.hcl.erb'
|
SRC = 'consul-server.hcl.erb'
|
||||||
else
|
else
|
||||||
|
@ -43,6 +70,34 @@ template '/etc/consul.d/consul.hcl' do
|
||||||
notifies :restart, 'service[consul]'
|
notifies :restart, 'service[consul]'
|
||||||
end
|
end
|
||||||
|
|
||||||
|
# Deploy server specific config
|
||||||
|
template '/etc/consul.d/server.hcl' do
|
||||||
|
owner 'consul'
|
||||||
|
group 'consul'
|
||||||
|
mode '644'
|
||||||
|
|
||||||
|
variables(server_token: node['consul']['server_token'])
|
||||||
|
|
||||||
|
notifies :restart, 'service[consul]'
|
||||||
|
end
|
||||||
|
|
||||||
|
%w( 01-bootstrap.sh 02-policy.sh ).each do |sh|
|
||||||
|
remote_file("/etc/consul.d/howto/#{sh}") {
|
||||||
|
owner 'root'
|
||||||
|
group 'root'
|
||||||
|
mode '0755'
|
||||||
|
}
|
||||||
|
end
|
||||||
|
|
||||||
|
%w( anonymous nodes nomad-policy vault-service-registration ).each do |policy|
|
||||||
|
remote_file("/etc/consul.d/policies/#{policy}.hcl") {
|
||||||
|
owner 'root'
|
||||||
|
group 'root'
|
||||||
|
mode '0644'
|
||||||
|
}
|
||||||
|
end
|
||||||
|
|
||||||
|
# misc
|
||||||
directory '/var/log/consul/' do
|
directory '/var/log/consul/' do
|
||||||
owner 'consul'
|
owner 'consul'
|
||||||
group 'consul'
|
group 'consul'
|
||||||
|
|
|
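Review bot: The two private keys are deployed with `mode '0444'`, which makes `consul-agent-ca-key.pem` and `dc1-server-consul-1-key.pem` readable by every local user; with `owner 'consul'` they should be `mode '0400'` (the CA cert and server cert can stay `0444`). The CA private key is also not referenced anywhere in the new `server.hcl.erb` (only `ca_file`, `cert_file`, `key_file`), so the first `encrypted_remote_file` block deploys a signing key the servers never use — keep it offline where certificates are issued and drop that resource. Likewise the new `template '/etc/consul.d/server.hcl'` carries the ACL `tokens` block but is written `mode '644'`; I would use `mode '0640'` there. The `if node['consul']['manager']` block continues past the visible hunk.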
@ -1,77 +1,21 @@
|
||||||
# Full configuration options can be found at https://www.consul.io/docs/agent/options.html
|
datacenter = "dc1"
|
||||||
|
|
||||||
# datacenter
|
|
||||||
# This flag controls the datacenter in which the agent is running. If not provided,
|
|
||||||
# it defaults to "dc1". Consul has first-class support for multiple datacenters, but
|
|
||||||
# it relies on proper configuration. Nodes in the same datacenter should be on a
|
|
||||||
# single LAN.
|
|
||||||
#datacenter = "aws"
|
|
||||||
|
|
||||||
# data_dir
|
|
||||||
# This flag provides a data directory for the agent to store state. This is required
|
|
||||||
# for all agents. The directory should be durable across reboots. This is especially
|
|
||||||
# critical for agents that are running in server mode as they must be able to persist
|
|
||||||
# cluster state. Additionally, the directory must support the use of filesystem
|
|
||||||
# locking, meaning some types of mounted folders (e.g. VirtualBox shared folders) may
|
|
||||||
# not be suitable.
|
|
||||||
data_dir = "/opt/consul"
|
data_dir = "/opt/consul"
|
||||||
|
|
||||||
# client_addr
|
encrypt = "<%= @encrypt %>"
|
||||||
# The address to which Consul will bind client interfaces, including the HTTP and DNS
|
verify_incoming = true
|
||||||
# servers. By default, this is "127.0.0.1", allowing only loopback connections. In
|
verify_outgoing = true
|
||||||
# Consul 1.0 and later this can be set to a space-separated list of addresses to bind
|
verify_server_hostname = true
|
||||||
# to, or a go-sockaddr template that can potentially resolve to multiple addresses.
|
|
||||||
client_addr = "0.0.0.0"
|
|
||||||
|
|
||||||
# ui
|
ca_file = "/etc/consul.d/certs/consul-agent-ca.pem"
|
||||||
# Enables the built-in web UI server and the required HTTP routes. This eliminates
|
|
||||||
# the need to maintain the Consul web UI files separately from the binary.
|
|
||||||
ui = true
|
|
||||||
|
|
||||||
# server
|
|
||||||
# This flag is used to control if an agent is in server or client mode. When provided,
|
|
||||||
# an agent will act as a Consul server. Each Consul cluster must have at least one
|
|
||||||
# server and ideally no more than 5 per datacenter. All servers participate in the Raft
|
|
||||||
# consensus algorithm to ensure that transactions occur in a consistent, linearizable
|
|
||||||
# manner. Transactions modify cluster state, which is maintained on all server nodes to
|
|
||||||
# ensure availability in the case of node failure. Server nodes also participate in a
|
|
||||||
# WAN gossip pool with server nodes in other datacenters. Servers act as gateways to
|
|
||||||
# other datacenters and forward traffic as appropriate.
|
|
||||||
server = true
|
|
||||||
|
|
||||||
# bootstrap_expect
|
|
||||||
# This flag provides the number of expected servers in the datacenter. Either this value
|
|
||||||
# should not be provided or the value must agree with other servers in the cluster. When
|
|
||||||
# provided, Consul waits until the specified number of servers are available and then
|
|
||||||
# bootstraps the cluster. This allows an initial leader to be elected automatically.
|
|
||||||
# This cannot be used in conjunction with the legacy -bootstrap flag. This flag requires
|
|
||||||
# -server mode.
|
|
||||||
bootstrap_expect=3
|
|
||||||
|
|
||||||
# encrypt
|
|
||||||
# Specifies the secret key to use for encryption of Consul network traffic. This key must
|
|
||||||
# be 32-bytes that are Base64-encoded. The easiest way to create an encryption key is to
|
|
||||||
# use consul keygen. All nodes within a cluster must share the same encryption key to
|
|
||||||
# communicate. The provided key is automatically persisted to the data directory and loaded
|
|
||||||
# automatically whenever the agent is restarted. This means that to encrypt Consul's gossip
|
|
||||||
# protocol, this option only needs to be provided once on each agent's initial startup
|
|
||||||
# sequence. If it is provided after Consul has been initialized with an encryption key,
|
|
||||||
# then the provided key is ignored and a warning will be displayed.
|
|
||||||
encrypt = "LPKrNBQZnJIc8tJpViI4ug=="
|
|
||||||
|
|
||||||
# retry_join
|
|
||||||
# Similar to -join but allows retrying a join until it is successful. Once it joins
|
|
||||||
# successfully to a member in a list of members it will never attempt to join again.
|
|
||||||
# Agents will then solely maintain their membership via gossip. This is useful for
|
|
||||||
# cases where you know the address will eventually be available. This option can be
|
|
||||||
# specified multiple times to specify multiple agents to join. The value can contain
|
|
||||||
# IPv4, IPv6, or DNS addresses. In Consul 1.1.0 and later this can be set to a go-sockaddr
|
|
||||||
# template. If Consul is running on the non-default Serf LAN port, this must be specified
|
|
||||||
# as well. IPv6 must use the "bracketed" syntax. If multiple values are given, they are
|
|
||||||
# tried and retried in the order listed until the first succeeds. Here are some examples:
|
|
||||||
retry_join = <%= @manager_hosts %>
|
|
||||||
|
|
||||||
bind_addr = "<%= @ipaddr %>"
|
bind_addr = "<%= @ipaddr %>"
|
||||||
|
client_addr = "0.0.0.0"
|
||||||
|
advertise_addr = "<%= @ipaddr %>"
|
||||||
|
|
||||||
|
performance {
|
||||||
|
raft_multiplier = 1
|
||||||
|
}
|
||||||
|
|
||||||
disable_remote_exec = false
|
disable_remote_exec = false
|
||||||
disable_update_check = false
|
disable_update_check = false
|
||||||
enable_local_script_checks = true
|
enable_local_script_checks = true
|
||||||
|
@ -82,4 +26,18 @@ log_level = "INFO"
|
||||||
log_json = false
|
log_json = false
|
||||||
log_rotate_bytes = 1000000
|
log_rotate_bytes = 1000000
|
||||||
|
|
||||||
|
enable_central_service_config = true
|
||||||
|
ports {
|
||||||
|
grpc_tls = 8502
|
||||||
|
}
|
||||||
|
connect {
|
||||||
|
enabled = true
|
||||||
|
}
|
||||||
|
|
||||||
|
telemetry {
|
||||||
|
prometheus_retention_time = "24h"
|
||||||
|
disable_hostname = true
|
||||||
|
}
|
||||||
|
|
||||||
|
retry_join = [<%= @manager_hosts %>]
|
||||||
rejoin_after_leave = true
|
rejoin_after_leave = true
|
||||||
|
|
|
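Review bot: The new `verify_incoming`/`verify_outgoing`/`verify_server_hostname` settings protect RPC and gossip, but the HTTP API still listens in cleartext on 8500 because `client_addr = "0.0.0.0"` is kept and no `https` port is configured, so every ACL token (including the management token used by the howto scripts and UI logins) crosses the LAN unencrypted and the API is reachable by any host. Note also that `verify_incoming = true` applies to HTTPS as well, which would require client certificates for the UI; if that is not intended, use `verify_incoming_rpc = true` and handle HTTPS separately. While here, `disable_remote_exec = false` and `enable_local_script_checks = true` are inherited from before but are exactly the settings that turn an API token into shell access on the host. I would disable plain HTTP and serve the API over TLS:
```hcl
ports {
  http     = -1
  https    = 8501
  grpc_tls = 8502
}
```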
@ -0,0 +1,50 @@
|
||||||
|
server = true
|
||||||
|
bootstrap_expect = 3
|
||||||
|
|
||||||
|
ca_file = "/etc/consul.d/certs/consul-agent-ca.pem"
|
||||||
|
cert_file = "/etc/consul.d/certs/dc1-server-consul-1.pem"
|
||||||
|
key_file = "/etc/consul.d/certs/dc1-server-consul-1-key.pem"
|
||||||
|
|
||||||
|
acl {
|
||||||
|
enabled = true
|
||||||
|
default_policy = "deny"
|
||||||
|
enable_token_persistence = true
|
||||||
|
|
||||||
|
tokens {
|
||||||
|
master = "<%= @manager_hosts %>"
|
||||||
|
agent = "<%= @manager_hosts %>"
|
||||||
|
default = "<%= @manager_hosts %>"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
ui_config {
|
||||||
|
enabled = true
|
||||||
|
|
||||||
|
metrics_provider = "prometheus"
|
||||||
|
metrics_proxy {
|
||||||
|
base_url = "http://192.168.10.101:9090"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
config_entries {
|
||||||
|
bootstrap = [
|
||||||
|
{
|
||||||
|
kind = "proxy-defaults"
|
||||||
|
name = "global"
|
||||||
|
config {
|
||||||
|
envoy_prometheus_bind_addr = "0.0.0.0:9102"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
]
|
||||||
|
}
|
||||||
|
|
||||||
|
auto_config {
|
||||||
|
authorization {
|
||||||
|
enabled = true
|
||||||
|
static {
|
||||||
|
oidc_discovery_url = "http://vault.homelab:8200/v1/identity/oidc"
|
||||||
|
bound_issuer = "http://vault.homelab:8200/v1/identity/oidc"
|
||||||
|
bound_audiences = [ "dc1" ]
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
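Review bot: The `tokens` block renders `<%= @manager_hosts %>` into `master`, `agent` and `default`, but the recipe's `template '/etc/consul.d/server.hcl'` passes only `server_token`, so these three lines most likely render empty (or a host list), and `master` is also at odds with `01-bootstrap.sh`, since Consul refuses `consul acl bootstrap` once an initial management token is configured. Even with the variable fixed, putting a management-level token in `default` means every tokenless request to this agent (whose HTTP API is bound to `0.0.0.0`) runs with management rights, which silently defeats `default_policy = "deny"`. I would cut it down to `tokens { agent = "<%= @server_token %>" }` with `server_token` being a node-scoped token, and let the bootstrap script mint the management token. Separately, `oidc_discovery_url` and `bound_issuer` point at Vault over plain `http://`; the servers fetch the JWKS used to validate auto-config JWTs over that link, so an on-path attacker can substitute keys and join arbitrary agents — terminate Vault with TLS and use `https://` here.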