From 7bc9062d859d7b4572426c24fb7a238ff76f1d37 Mon Sep 17 00:00:00 2001
From: Jim Nicholson
Date: Thu, 16 Dec 2021 11:01:42 -0800
Subject: [PATCH] Lots of changes
---
 deploy_consul.yaml | 117 +++++++++++++-----
 deploy_python.yaml | 9 ++
 files/scripts/consul-server-cert.sh | 21 ++++
 files/server_cfg/server.json | 4 +-
 policy/cnsl02-node-policy.hcl | 3 -
 policy/cnsl03-node-policy.hcl | 3 -
 policy/node-policy.hcl | 12 --
 policy/node-token.txt | 7 --
 policy/oort-node-policy.hcl | 3 -
 policy/oort.hcl | 3 -
 requirements.in | 3 +
 templates/agent.json | 2 -
 .../node-policy.hcl | 2 +-
 templates/tls.json | 9 +-
 14 files changed, 128 insertions(+), 70 deletions(-)
 create mode 100644 deploy_python.yaml
 create mode 100755 files/scripts/consul-server-cert.sh
 delete mode 100644 policy/cnsl02-node-policy.hcl
 delete mode 100644 policy/cnsl03-node-policy.hcl
 delete mode 100644 policy/node-policy.hcl
 delete mode 100644 policy/node-token.txt
 delete mode 100644 policy/oort-node-policy.hcl
 delete mode 100644 policy/oort.hcl
 create mode 100644 requirements.in
 rename policy/cnsl01-node-policy.hcl => templates/node-policy.hcl (52%)
diff --git a/deploy_consul.yaml b/deploy_consul.yaml
index 67550f2..05ad231 100644
--- a/deploy_consul.yaml
+++ b/deploy_consul.yaml
@@ -5,48 +5,101 @@
 
 gather_facts: true
 tasks:
-# - name: Install python
-# raw: apk add python3
-
- - name: Install packages
- community.general.apk:
- name: consul
+
+ - name: Install zip utils
+ apk:
+ name:
+ - unzip
+ - consul
 state: present
- update_cache: yes
-
+
+ - name: Check for upgrade requirement
+ shell: /usr/sbin/consul version
+ register: consul_version
+ changed_when: false
+
+ - name: Apply upgrades if needed
+ block:
+ - name: Obtain consul binary
+ get_url:
+ url: https://releases.hashicorp.com/consul/1.10.4/consul_1.10.4_linux_amd64.zip
+ dest: /tmp/consul.zip
+ - name: Remove old consul binary
+ file:
+ path: /usr/sbin/consul
+ state: absent
+ - name: Expand binary
+ unarchive:
+ src: /tmp/consul.zip
+ dest: /usr/sbin/
+ remote_src: yes
+ when: consul_version.stdout.find('Consul v1.10.4') == -1
+
 - name: Create keys directory
 file:
 path: /etc/consul.keys
 state: directory
 owner: root
-
- - name: Deploy keys
+ - name: Set up CA and create certs
+ block:
+ - name: Create a CA for key creation
+ shell: consul tls ca create
+ args:
+ chdir: /etc/consul.keys
+ creates: /etc/consul.keys/consul-agent-ca-key.pem
+ - name: Retrieve new CA key and certificate
+ fetch:
+ src: '/etc/consul.keys/{{item}}'
+ dest: 'files/keys/{{item}}'
+ flat: yes
+ loop:
+ - consul-agent-ca-key.pem
+ - consul-agent-ca.pem
+ - name: Install server certificate script
+ copy:
+ src: 'files/scripts/consul-server-cert.sh'
+ dest: '/usr/sbin/consul-server-cert'
+ mode: '0700'
+ - name: Create server certificates
+ shell: '/usr/sbin/consol-server-cert {{item}}'
+ args:
+ chdir: /etc/consul.keys
+ creates: '/etc/consul.keys/{{item}}.key.pem'
+ loop: "{{ groups.consul }}"
+ - name: Retrieve server certificates
+ fetch:
+ src: '/etc/consul.keys/{{item}}.pem'
+ dest: 'files/keys/{{item}}.pem'
+ flat: yes
+ loop: "{{ groups.consul }}"
+ - name: Retrieve server keys
+ fetch:
+ src: '/etc/consul.keys/{{item}}.key.pem'
+ dest: 'files/keys/{{item}}.key.pem'
+ flat: yes
+ loop: "{{ groups.consul }}"
+ when: inventory_hostname in 'cnsl01'
+ - name: Distribute CA certificate
 copy:
- src: "{{ item }}"
- dest: /etc/consul.keys/
- loop:
- - "files/keys/consul-agent-ca.pem"
- - "files/keys/dc1-server-consul-{{ ansible_nodename }}.pem"
- - "files/keys/dc1-server-consul-{{ ansible_nodename }}-key.pem"
-
- - name: Update tls config
+ src: keys/consul-agent-ca.pem
+ dest: /etc/consul.keys/consul-agent-ca.pem
+ - name: Distribute certificates and keys
+ block:
+ - name: Ship certificate
+ copy:
+ src: "keys/{{inventory_hostname}}.pem"
+ dest: "/etc/consul.keys/{{inventory_hostname}}.pem"
+ - name: Ship key
+ copy:
+ src: "keys/{{inventory_hostname}}.key.pem"
+ dest: "/etc/consul.keys/{{inventory_hostname}}.key.pem"
+ when: inventory_hostname not in 'cnsl01'
+ - name: Update server tls config
 template:
 src: tls.json
 dest: /etc/consul/
 
- - name: Copy static config files
+ - name: Copy static server config files
 copy:
 src: files/server_cfg/
- dest: /etc/consul
-
- - name: Restart server
- service:
- name: consul
- state: restarted
-
- - name: Enable service
- service:
- name: consul
- enabled: true
- runlevel: default
-
\ No newline at end of file
+ dest: /etc/consul
\ No newline at end of file
diff --git a/deploy_python.yaml b/deploy_python.yaml
new file mode 100644
index 0000000..b773944
--- /dev/null
+++ b/deploy_python.yaml
@@ -0,0 +1,9 @@
+- name: Deploy consul cluster
+ hosts:
+ - consul
+ vars:
+
+ gather_facts: false
+ tasks:
+ - name: Install python
+ raw: apk add python3
\ No newline at end of file
diff --git a/files/scripts/consul-server-cert.sh b/files/scripts/consul-server-cert.sh
new file mode 100755
index 0000000..f4281da
--- /dev/null
+++ b/files/scripts/consul-server-cert.sh
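Review bot: The `Create server certificates` task shells `/usr/sbin/consol-server-cert {{item}}`, but the script was installed one task earlier as `/usr/sbin/consul-server-cert`, so the loop fails on every run; change the line to `shell: '/usr/sbin/consul-server-cert {{item}}'` (the play header this hunk belongs to is on lines 1-4, outside the hunk). `Retrieve new CA key and certificate` copies `consul-agent-ca-key.pem` into `files/keys/` on the controller, inside the repository tree, and the `Ship key` copy writes server private keys with no `mode`, so the CA key risks being committed and the server keys land with default permissions; leave the CA key on cnsl01 (fetch only the certificate, or fetch to a vault-managed path outside the repo) and add `mode: '0600'` plus the consul `owner`/`group` to the key copies. `get_url` downloads the 1.10.4 zip with no `checksum:`, so a tampered archive would be installed unnoticed; add `checksum: 'sha256:<digest from HashiCorp's published SHA256SUMS>'`. The `when: inventory_hostname in 'cnsl01'` / `not in 'cnsl01'` guards are substring tests against a string literal and should be `inventory_hostname == 'cnsl01'` / `!=`, and the `yes` values for `remote_src` and `flat` should be `true`. With the `Restart server` and `Enable service` tasks removed, nothing in this play reloads consul after `tls.json` or the server config changes; if another play does not handle that, add a `notify` handler on the template and copy tasks.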
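Review bot: `vars:` in the new play has no value, so YAML parsers read it as null rather than an empty mapping; drop the key or write `vars: {}` so the intent is explicit. `raw: apk add python3` is the right bootstrap for a host without Python, but `raw` reports changed on every run; `register` its result and set `changed_when` from the output, or precede it with a `raw: test -e /usr/bin/python3` check, to keep the play idempotent.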
@@ -0,0 +1,21 @@
+#!/usr/bin/env bash
+
+RENEW=false
+
+while getopts r: flag
+do
+ case "${flag}" in
+ r) RENEW=true
+ esac
+done
+
+HOSTNAME=$1
+
+if [[ -f "$HOSTNAME.key.pem" && renew == 'false' ]]; then
+ echo "Certificate key for $HOSTNAME exists, use -r to renew it."
+ exit
+fi
+
+consul tls cert create -server -dc dc1 -additional-dnsname=$HOSTNAME -node=$HOSTNAME
+mv dc1-server-consul-0-key.pem $HOSTNAME.key.pem
+mv dc1-server-consul-0.pem $HOSTNAME.pem
\ No newline at end of file
diff --git a/files/server_cfg/server.json b/files/server_cfg/server.json
index bc71f8f..c617bd0 100644
--- a/files/server_cfg/server.json
+++ b/files/server_cfg/server.json
@@ -8,7 +8,9 @@
 "disable_remote_exec": true,
 "enable_syslog": true,
 "client_addr": "0.0.0.0",
- "ui": true,
+ "ui_config": {
+ "enabled": true
+ },
 "retry_join": [
 "10.0.96.80",
 "10.0.96.81",
diff --git a/policy/cnsl02-node-policy.hcl b/policy/cnsl02-node-policy.hcl
deleted file mode 100644
index 44ad3a7..0000000
--- a/policy/cnsl02-node-policy.hcl
+++ /dev/null
@@ -1,3 +0,0 @@
-node "cnsl02" {
- policy = "write"
-}
\ No newline at end of file
diff --git a/policy/cnsl03-node-policy.hcl b/policy/cnsl03-node-policy.hcl
deleted file mode 100644
index 3026b2a..0000000
--- a/policy/cnsl03-node-policy.hcl
+++ /dev/null
@@ -1,3 +0,0 @@
-node "cnsl03" {
- policy = "write"
-}
\ No newline at end of file
diff --git a/policy/node-policy.hcl b/policy/node-policy.hcl
deleted file mode 100644
index c0e959e..0000000
--- a/policy/node-policy.hcl
+++ /dev/null
@@ -1,12 +0,0 @@
-agent_prefix "" {
- policy = "write"
-}
-node_prefix "" {
- policy = "write"
-}
-service_prefix "" {
- policy = "read"
-}
-session_prefix "" {
- policy = "read"
-}
diff --git a/policy/node-token.txt b/policy/node-token.txt
deleted file mode 100644
index 71a9716..0000000
--- a/policy/node-token.txt
+++ /dev/null
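Review bot: The `if` guard compares the literal word `renew` with `'false'`, which is never true, so an existing `$HOSTNAME.key.pem` is overwritten on every invocation and the `-r` flag has no effect. `getopts r:` also declares `-r` as taking an argument and the parsed options are never shifted away, so `HOSTNAME=$1` receives `-r` itself whenever the flag is passed; use `getopts r flag` and `shift $((OPTIND - 1))`. Without `set -e`, a failed `consul tls cert create` still lets both `mv` lines run, and the unquoted `$HOSTNAME` expansions split on whitespace; the rewrite below applies those fixes and quotes the expansions.
```shell
#!/usr/bin/env bash
set -euo pipefail
# … unchanged: RENEW=false …
while getopts r flag; do
  case "${flag}" in
    r) RENEW=true ;;
    *) echo "usage: $0 [-r] hostname" >&2; exit 2 ;;
  esac
done
shift $((OPTIND - 1))
HOSTNAME=$1
if [[ -f "$HOSTNAME.key.pem" && "$RENEW" == 'false' ]]; then
# … unchanged: echo / exit / fi …
consul tls cert create -server -dc dc1 -additional-dnsname="$HOSTNAME" -node="$HOSTNAME"
mv dc1-server-consul-0-key.pem "$HOSTNAME.key.pem"
mv dc1-server-consul-0.pem "$HOSTNAME.pem"
```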
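Review bot: The new `ui_config.enabled` block sits next to the unchanged `"client_addr": "0.0.0.0"`, so the UI and HTTP API listen on every interface; if the plaintext `ports.http` listener (default 8500) is still enabled elsewhere in this file, the UI is reachable without TLS and outside the `verify_incoming` protection configured in templates/tls.json, so consider `"ports": { "http": -1, "https": 8501 }` or restricting `client_addr` to a management address. The `ui` to `ui_config` change itself is the documented replacement for the deprecated key.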
@@ -1,7 +0,0 @@
-AccessorID: 34eb7622-fb31-c2ac-68c0-f1de090c220a
-SecretID: a3ffb2c1-a218-5b02-c4ae-6b2e73050a7c
-Description: node token
-Local: false
-Create Time: 2021-11-14 03:38:58.055421799 +0000 UTC
-Policies:
- 90a72d92-8c2f-475d-1db3-b44ac409be6d - node-policy
diff --git a/policy/oort-node-policy.hcl b/policy/oort-node-policy.hcl
deleted file mode 100644
index f194821..0000000
--- a/policy/oort-node-policy.hcl
+++ /dev/null
@@ -1,3 +0,0 @@
-node "oort" {
- policy = "write"
-}
\ No newline at end of file
diff --git a/policy/oort.hcl b/policy/oort.hcl
deleted file mode 100644
index f194821..0000000
--- a/policy/oort.hcl
+++ /dev/null
@@ -1,3 +0,0 @@
-node "oort" {
- policy = "write"
-}
\ No newline at end of file
diff --git a/requirements.in b/requirements.in
new file mode 100644
index 0000000..b68b295
--- /dev/null
+++ b/requirements.in
@@ -0,0 +1,3 @@
+ansible
+proxmoxer
+requests
\ No newline at end of file
diff --git a/templates/agent.json b/templates/agent.json
index d8548bf..60b4703 100644
--- a/templates/agent.json
+++ b/templates/agent.json
@@ -8,8 +8,6 @@
 "enable_syslog": true,
 "encrypt": "HwOdJKTZXTaqGsCaBs7qRlrPm0msjz/K2WQ1/HbZ+I8=",
 "ca_file": "/etc/consul/consul-agent-ca.pem",
- "cert_file": "/etc/consul/dc1-agent-consul-0.pem",
- "key_file": "/etc/consul/dc1-agent-consul-0-key.pem",
 "verify_incoming": true,
 "verify_outgoing": true,
 "verify_server_hostname": true,
diff --git a/policy/cnsl01-node-policy.hcl b/templates/node-policy.hcl
similarity index 52%
rename from policy/cnsl01-node-policy.hcl
rename to templates/node-policy.hcl
index 9ff22be..9b29368 100644
--- a/policy/cnsl01-node-policy.hcl
+++ b/templates/node-policy.hcl
@@ -1,3 +1,3 @@
-node "cnsl01" {
+node "{{item}}" {
 policy = "write"
 }
\ No newline at end of file
diff --git a/templates/tls.json b/templates/tls.json
index 26f8c7a..fdf5d84 100644
--- a/templates/tls.json
+++ b/templates/tls.json
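Review bot: All three requirements are unpinned, so every resolve can pull a different `ansible`, `proxmoxer` or `requests`. If this `.in` file is compiled with pip-compile, commit the generated lock file and build it with `--generate-hashes` so installs verify digests; otherwise pin the versions here (`requests==<version>`). The file is also missing its trailing newline.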
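Review bot: The client template drops `cert_file`/`key_file`, but the visible lines do not set `auto_encrypt.tls` (the server side gains `auto_encrypt.allow_tls` in templates/tls.json), so unless that block exists outside this hunk the clients have no certificate to present and servers running with `verify_incoming: true` will reject their RPC connections; add `"auto_encrypt": { "tls": true }` to the agent template. The unchanged `"encrypt"` line also carries a live gossip key committed to the repository, and this commit deletes policy/node-token.txt whose `SecretID` remains in git history; both should be rotated and injected from Ansible Vault or a secret store (`"encrypt": "{{ consul_encrypt_key }}"`) rather than stored in templates.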
@@ -1,8 +1,11 @@
 {
 "ca_file": "/etc/consul.keys/consul-agent-ca.pem",
- "cert_file": "/etc/consul.keys/dc1-server-consul-{{ ansible_nodename }}.pem",
- "key_file": "/etc/consul.keys/dc1-server-consul-{{ ansible_nodename }}-key.pem",
+ "cert_file": "/etc/consul.keys/{{ ansible_nodename }}.pem",
+ "key_file": "/etc/consul.keys/{{ ansible_nodename }}.key.pem",
 "verify_incoming": true,
 "verify_outgoing": true,
- "verify_server_hostname": true
+ "verify_server_hostname": true,
+ "auto_encrypt": {
+ "allow_tls": true
+ }
 }
\ No newline at end of file
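Review bot: `cert_file`/`key_file` now resolve to `/etc/consul.keys/{{ ansible_nodename }}.pem` and `.key.pem`, but deploy_consul.yaml creates and ships those files under `{{ inventory_hostname }}`; the two only coincide when the inventory name equals the node's reported nodename, so use the same variable in both places, e.g. `"cert_file": "/etc/consul.keys/{{ inventory_hostname }}.pem"`. `auto_encrypt.allow_tls` lets the servers issue client certificates, which matches the removal of the client `cert_file`/`key_file` in templates/agent.json, but only works if the clients set `auto_encrypt.tls = true`.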