From 8cb41f5246cbb342e97d27172a0aff5ae4d6fccd Mon Sep 17 00:00:00 2001 
From: Jim Nicholson Date: Fri, 19 Nov 2021 17:23:06 -0800 Subject: [PATCH] Working config --- .gitignore | 2 + deploy_consul.yaml | 52 +++++++++++++++++++++ files/keys/consul-agent-ca.pem | 18 +++++++ files/keys/dc1-server-consul-cnsl01-key.pem | 5 ++ files/keys/dc1-server-consul-cnsl01.pem | 16 +++++++ files/keys/dc1-server-consul-cnsl02-key.pem | 5 ++ files/keys/dc1-server-consul-cnsl02.pem | 17 +++++++ files/keys/dc1-server-consul-cnsl03-key.pem | 5 ++ files/keys/dc1-server-consul-cnsl03.pem | 16 +++++++ files/server_cfg/acl.hcl | 5 ++ files/server_cfg/encrypt.json | 3 ++ files/server_cfg/server.json | 17 +++++++ policy/cnsl01-node-policy.hcl | 3 ++ policy/cnsl02-node-policy.hcl | 3 ++ policy/cnsl03-node-policy.hcl | 3 ++ policy/node-policy.hcl | 12 +++++ policy/node-token.txt | 7 +++ policy/oort-node-policy.hcl | 3 ++ policy/oort.hcl | 3 ++ templates/agent.json | 19 ++++++++ templates/tls.json | 8 ++++ 21 files changed, 222 insertions(+) create mode 100644 .gitignore create mode 100644 deploy_consul.yaml create mode 100644 files/keys/consul-agent-ca.pem create mode 100644 files/keys/dc1-server-consul-cnsl01-key.pem create mode 100644 files/keys/dc1-server-consul-cnsl01.pem create mode 100644 files/keys/dc1-server-consul-cnsl02-key.pem create mode 100644 files/keys/dc1-server-consul-cnsl02.pem create mode 100644 files/keys/dc1-server-consul-cnsl03-key.pem create mode 100644 files/keys/dc1-server-consul-cnsl03.pem create mode 100644 files/server_cfg/acl.hcl create mode 100644 files/server_cfg/encrypt.json create mode 100644 files/server_cfg/server.json create mode 100644 policy/cnsl01-node-policy.hcl create mode 100644 policy/cnsl02-node-policy.hcl create mode 100644 policy/cnsl03-node-policy.hcl create mode 100644 policy/node-policy.hcl create mode 100644 policy/node-token.txt create mode 100644 policy/oort-node-policy.hcl create mode 100644 policy/oort.hcl create mode 100644 templates/agent.json create mode 100644 templates/tls.json 
diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..772944e --- /dev/null +++ b/.gitignore @@ -0,0 +1,2 @@ +.envrc +.direnv diff --git a/deploy_consul.yaml b/deploy_consul.yaml new file mode 100644 index 0000000..67550f2 --- /dev/null +++ b/deploy_consul.yaml @@ -0,0 +1,52 @@ +- name: Deploy consul cluster + hosts: + - consul + vars: + + gather_facts: true + tasks: +# - name: Install python +# raw: apk add python3 + + - name: Install packages + community.general.apk: + name: consul + state: present + update_cache: yes + + - name: Create keys directory + file: + path: /etc/consul.keys + state: directory + owner: root + + - name: Deploy keys + copy: + src: "{{ item }}" + dest: /etc/consul.keys/ + loop: + - "files/keys/consul-agent-ca.pem" + - "files/keys/dc1-server-consul-{{ ansible_nodename }}.pem" + - "files/keys/dc1-server-consul-{{ ansible_nodename }}-key.pem" + + - name: Update tls config + template: + src: tls.json + dest: /etc/consul/ + + - name: Copy static config files + copy: + src: files/server_cfg/ + dest: /etc/consul + + - name: Restart server + service: + name: consul + state: restarted + + - name: Enable service + service: + name: consul + enabled: true + runlevel: default + \ No newline at end of file diff --git a/files/keys/consul-agent-ca.pem b/files/keys/consul-agent-ca.pem new file mode 100644 index 0000000..487186d --- /dev/null +++ b/files/keys/consul-agent-ca.pem 
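Review bot: The `Deploy keys` copy task writes the EC private keys with no `owner`, `group` or `mode`, and the `Create keys directory` task sets `owner: root` without a `mode`, so the permissions that end up on /etc/consul.keys depend on the source files and the target umask rather than being pinned. Add an explicit mode on both tasks, e.g. `mode: "0750"` on the directory and `mode: "0640"` plus `group: consul` on the copied files (the service account name comes from the apk consul package — confirm it before relying on it). The same applies to the `Copy static config files` task, since files/server_cfg/encrypt.json carries the gossip key. Separately, `Restart server` runs unconditionally on every play; a handler notified by the template and copy tasks would restart only when a config file actually changed.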
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC7TCCApSgAwIBAgIRAJ+pfHI7AaUSwrjOoqBQj8gwCgYIKoZIzj0EAwIwgbkx
+CzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNj
+bzEaMBgGA1UECRMRMTAxIFNlY29uZCBTdHJlZXQxDjAMBgNVBBETBTk0MTA1MRcw
+FQYDVQQKEw5IYXNoaUNvcnAgSW5jLjFAMD4GA1UEAxM3Q29uc3VsIEFnZW50IENB
+IDIxMjIyNzI3MzU2Nzk1Njk5MzEzNjAxNTI2MzkyNjQ5NDIwMzg0ODAeFw0yMTEx
+MTIwODQ1NTJaFw0yNjExMTEwODQ1NTJaMIG5MQswCQYDVQQGEwJVUzELMAkGA1UE
+CBMCQ0ExFjAUBgNVBAcTDVNhbiBGcmFuY2lzY28xGjAYBgNVBAkTETEwMSBTZWNv
+bmQgU3RyZWV0MQ4wDAYDVQQREwU5NDEwNTEXMBUGA1UEChMOSGFzaGlDb3JwIElu
+Yy4xQDA+BgNVBAMTN0NvbnN1bCBBZ2VudCBDQSAyMTIyMjcyNzM1Njc5NTY5OTMx
+MzYwMTUyNjM5MjY0OTQyMDM4NDgwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQW
+hgJCkj2MSVQ0MduzN+gahsxjefgUi/7caK840Z8+nZH9uf+mIFD2MV5GlyH2rUxm
+Ob8qzwEorpnEsHltt7Zro3sweTAOBgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUw
+AwEB/zApBgNVHQ4EIgQgXjMGwMpTJIyi1WN7r+oADAdMh02M70ToNUyD1nR077sw
+KwYDVR0jBCQwIoAgXjMGwMpTJIyi1WN7r+oADAdMh02M70ToNUyD1nR077swCgYI
+KoZIzj0EAwIDRwAwRAIgfmt0Huh6EXAIB4uRsLtT6oQP4mBBdPz+wWhgGl/8oqkC
+IHfpKw05q5g56h63rlpCfCSjx049IEhdQl1BQq7w1wO6
+-----END CERTIFICATE-----
diff --git a/files/keys/dc1-server-consul-cnsl01-key.pem b/files/keys/dc1-server-consul-cnsl01-key.pem
new file mode 100644
index 0000000..4099a9e
--- /dev/null
+++ b/files/keys/dc1-server-consul-cnsl01-key.pem
@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIEVE3laHqkyUawkHzgNXOklVGEIpHeIsVHO9prVxPE9doAoGCCqGSM49
+AwEHoUQDQgAEifAILwrPlw3IZIEBYxGytwQOjtTU7v+p/v17TYj+bqjpFTAzRA8A
+ZfAuMmRWYfBgyR+PgvwrCVz0sF4ekisyBQ==
+-----END EC PRIVATE KEY-----
diff --git a/files/keys/dc1-server-consul-cnsl01.pem b/files/keys/dc1-server-consul-cnsl01.pem
new file mode 100644
index 0000000..ec91bc9
--- /dev/null
+++ b/files/keys/dc1-server-consul-cnsl01.pem
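Review bot: This hunk commits a server's EC private key in plaintext, and the same applies to the cnsl02 and cnsl03 key hunks, to the gossip `encrypt` value in files/server_cfg/encrypt.json and templates/agent.json, and to the ACL token SecretID in policy/node-token.txt. Once pushed these values are part of the repository history, so they should be treated as exposed and rotated (fresh server certificates and keys from the CA, a new gossip key rolled in via `consul keyring`, and a new node token) rather than only deleted in a follow-up commit. Going forward keep them out of the tree: hold them in ansible-vault or a secrets manager and reference them from deploy_consul.yaml, and extend .gitignore with patterns such as `files/keys/*-key.pem`, `files/server_cfg/encrypt.json` and `policy/*token*` so a re-add is caught at commit time.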
@@ -0,0 +1,16 @@
+-----BEGIN CERTIFICATE-----
+MIICnDCCAkKgAwIBAgIQZcUIsW7KEyguQLeakeM+rzAKBggqhkjOPQQDAjCBuTEL
+MAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJhbmNpc2Nv
+MRowGAYDVQQJExExMDEgU2Vjb25kIFN0cmVldDEOMAwGA1UEERMFOTQxMDUxFzAV
+BgNVBAoTDkhhc2hpQ29ycCBJbmMuMUAwPgYDVQQDEzdDb25zdWwgQWdlbnQgQ0Eg
+MjEyMjI3MjczNTY3OTU2OTkzMTM2MDE1MjYzOTI2NDk0MjAzODQ4MB4XDTIxMTEx
+MjA4NDcyMFoXDTIyMTExMjA4NDcyMFowHDEaMBgGA1UEAxMRc2VydmVyLmRjMS5j
+b25zdWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASJ8AgvCs+XDchkgQFjEbK3
+BA6O1NTu/6n+/XtNiP5uqOkVMDNEDwBl8C4yZFZh8GDJH4+C/CsJXPSwXh6SKzIF
+o4HHMIHEMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYB
+BQUHAwIwDAYDVR0TAQH/BAIwADApBgNVHQ4EIgQgHi5V5f8evpxId4TtQEqMm/Ba
+mwB+m+YaRqEbtGUaoOYwKwYDVR0jBCQwIoAgXjMGwMpTJIyi1WN7r+oADAdMh02M
+70ToNUyD1nR077swLQYDVR0RBCYwJIIRc2VydmVyLmRjMS5jb25zdWyCCWxvY2Fs
+aG9zdIcEfwAAATAKBggqhkjOPQQDAgNIADBFAiEA4R0nOX021RbB3WiwSHT+Lsn+
+gVAh0BvYnSYs7Flr6jwCIHCSkd4Vwq/QoNJEG1ocveHuv0l74tpcdPHhXddmRxa/
+-----END CERTIFICATE-----
diff --git a/files/keys/dc1-server-consul-cnsl02-key.pem b/files/keys/dc1-server-consul-cnsl02-key.pem
new file mode 100644
index 0000000..7bc23e5
--- /dev/null
+++ b/files/keys/dc1-server-consul-cnsl02-key.pem
@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIExUDPjsTgYUwkij3/76kQmaCNZfTnD7ULncnwMp9+9QoAoGCCqGSM49
+AwEHoUQDQgAEyrnR6O3NTx2tG1RLzi25xhC72/H56tsU+KL7yy8WTv1/eTSfp35A
+z8eYI8MVVFlFg6Y6RSB+mWAOK1ZlCAK/iw==
+-----END EC PRIVATE KEY-----
diff --git a/files/keys/dc1-server-consul-cnsl02.pem b/files/keys/dc1-server-consul-cnsl02.pem
new file mode 100644
index 0000000..1c18ada
--- /dev/null
+++ b/files/keys/dc1-server-consul-cnsl02.pem
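Review bot: The UTCTime fields embedded in this certificate appear to decode to a validity of 2021-11-12 to 2022-11-12, i.e. the server certificate lapses one year after issue (the cnsl02 and cnsl03 certificates carry the same one-year window), while consul-agent-ca.pem runs to 2026. Nothing in deploy_consul.yaml re-issues or re-copies certificates, so with `verify_incoming: true` in tls.json the servers will stop accepting each other's RPC once these expire. Add an expiry check or a renewal step to the playbook, and record the notAfter date in a comment next to the `Deploy keys` task so the operator is not surprised by it.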
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICnTCCAkOgAwIBAgIRALtKTylNLn8tcn1f3LwqxqIwCgYIKoZIzj0EAwIwgbkx
+CzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNj
+bzEaMBgGA1UECRMRMTAxIFNlY29uZCBTdHJlZXQxDjAMBgNVBBETBTk0MTA1MRcw
+FQYDVQQKEw5IYXNoaUNvcnAgSW5jLjFAMD4GA1UEAxM3Q29uc3VsIEFnZW50IENB
+IDIxMjIyNzI3MzU2Nzk1Njk5MzEzNjAxNTI2MzkyNjQ5NDIwMzg0ODAeFw0yMTEx
+MTMyMjE5MTVaFw0yMjExMTMyMjE5MTVaMBwxGjAYBgNVBAMTEXNlcnZlci5kYzEu
+Y29uc3VsMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEyrnR6O3NTx2tG1RLzi25
+xhC72/H56tsU+KL7yy8WTv1/eTSfp35Az8eYI8MVVFlFg6Y6RSB+mWAOK1ZlCAK/
+i6OBxzCBxDAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsG
+AQUFBwMCMAwGA1UdEwEB/wQCMAAwKQYDVR0OBCIEIOXNeOY9OY/iUqY3unTsLW3U
+3fDbvWoKJHphyRGUxd8EMCsGA1UdIwQkMCKAIF4zBsDKUySMotVje6/qAAwHTIdN
+jO9E6DVMg9Z0dO+7MC0GA1UdEQQmMCSCEXNlcnZlci5kYzEuY29uc3Vsgglsb2Nh
+bGhvc3SHBH8AAAEwCgYIKoZIzj0EAwIDSAAwRQIhALliGcXi+IKPGytKslUPHNbO
+LYuiQBR4ChW+cy3z3MNrAiBGKqzbfb0O890DFyN4BP/p2MurWXEHADAAwQDlW8fw
+vw==
+-----END CERTIFICATE-----
diff --git a/files/keys/dc1-server-consul-cnsl03-key.pem b/files/keys/dc1-server-consul-cnsl03-key.pem
new file mode 100644
index 0000000..aac8eb5
--- /dev/null
+++ b/files/keys/dc1-server-consul-cnsl03-key.pem
@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIPpk6l39vQmXv5PZN4/JC5OYJIKXTVo7vavHRJhUNTiroAoGCCqGSM49
+AwEHoUQDQgAEm+5MaEoPb022EWsQr4z8XBGogtI1Q9avsv7nSVRAgzDBTGv1HYo7
+oi5x98kU+u/lRyKxINK7etthQ3I39g6Vhg==
+-----END EC PRIVATE KEY-----
diff --git a/files/keys/dc1-server-consul-cnsl03.pem b/files/keys/dc1-server-consul-cnsl03.pem
new file mode 100644
index 0000000..4a1da04
--- /dev/null
+++ b/files/keys/dc1-server-consul-cnsl03.pem
@@ -0,0 +1,16 @@
+-----BEGIN CERTIFICATE-----
+MIICnDCCAkKgAwIBAgIQO8BkyzQIkpd070agWUhNzzAKBggqhkjOPQQDAjCBuTEL
+MAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJhbmNpc2Nv
+MRowGAYDVQQJExExMDEgU2Vjb25kIFN0cmVldDEOMAwGA1UEERMFOTQxMDUxFzAV
+BgNVBAoTDkhhc2hpQ29ycCBJbmMuMUAwPgYDVQQDEzdDb25zdWwgQWdlbnQgQ0Eg
+MjEyMjI3MjczNTY3OTU2OTkzMTM2MDE1MjYzOTI2NDk0MjAzODQ4MB4XDTIxMTEx
+MzIyMTkxOVoXDTIyMTExMzIyMTkxOVowHDEaMBgGA1UEAxMRc2VydmVyLmRjMS5j
+b25zdWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASb7kxoSg9vTbYRaxCvjPxc
+EaiC0jVD1q+y/udJVECDMMFMa/UdijuiLnH3yRT67+VHIrEg0rt622FDcjf2DpWG
+o4HHMIHEMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYB
+BQUHAwIwDAYDVR0TAQH/BAIwADApBgNVHQ4EIgQgYWn1nNojLeViJTm/dKAyGpeI
++v8axVVcRDYr/9oVt5MwKwYDVR0jBCQwIoAgXjMGwMpTJIyi1WN7r+oADAdMh02M
+70ToNUyD1nR077swLQYDVR0RBCYwJIIRc2VydmVyLmRjMS5jb25zdWyCCWxvY2Fs
+aG9zdIcEfwAAATAKBggqhkjOPQQDAgNIADBFAiEAvzkvkOIZYowUocOhY3G6lLbO
+v7cflBuK7wCS986fHPcCID6mztj5Ij+bSlE905axemFAesaoego14Go4OEKrMFPI
+-----END CERTIFICATE-----
diff --git a/files/server_cfg/acl.hcl b/files/server_cfg/acl.hcl
new file mode 100644
index 0000000..2b51633
--- /dev/null
+++ b/files/server_cfg/acl.hcl
@@ -0,0 +1,5 @@
+acl = {
+ enabled = true
+ default_policy = "deny"
+ enable_token_persistence = true
+}
diff --git a/files/server_cfg/encrypt.json b/files/server_cfg/encrypt.json
new file mode 100644
index 0000000..361b76a
--- /dev/null
+++ b/files/server_cfg/encrypt.json
@@ -0,0 +1,3 @@
+{
+ "encrypt": "HwOdJKTZXTaqGsCaBs7qRlrPm0msjz/K2WQ1/HbZ+I8="
+}
diff --git a/files/server_cfg/server.json b/files/server_cfg/server.json
new file mode 100644
index 0000000..bc71f8f
--- /dev/null
+++ b/files/server_cfg/server.json
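Review bot: acl.hcl turns ACLs on with `default_policy = "deny"` but neither this file nor deploy_consul.yaml configures an agent token, so after `Restart server` each agent presumably runs on the anonymous token until someone sets one by hand, which `enable_token_persistence = true` then keeps across restarts — confirm against a freshly built node. Either document that out-of-band step, or feed the token in through the playbook from a vaulted variable as an `acl.tokens.agent` entry in this file, so a rebuilt server does not come up silently unable to register itself. A one-line comment above `enable_token_persistence` stating where the persisted token is expected to come from would already help the next operator.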
@@ -0,0 +1,17 @@
+{
+ "datacenter": "dc1",
+ "data_dir": "/var/consul",
+ "log_level": "INFO",
+ "server": true,
+ "bootstrap_expect": 3,
+ "disable_update_check": true,
+ "disable_remote_exec": true,
+ "enable_syslog": true,
+ "client_addr": "0.0.0.0",
+ "ui": true,
+ "retry_join": [
+ "10.0.96.80",
+ "10.0.96.81",
+ "10.0.96.82"
+ ]
+}
diff --git a/policy/cnsl01-node-policy.hcl b/policy/cnsl01-node-policy.hcl
new file mode 100644
index 0000000..9ff22be
--- /dev/null
+++ b/policy/cnsl01-node-policy.hcl
@@ -0,0 +1,3 @@
+node "cnsl01" {
+ policy = "write"
+}
\ No newline at end of file
diff --git a/policy/cnsl02-node-policy.hcl b/policy/cnsl02-node-policy.hcl
new file mode 100644
index 0000000..44ad3a7
--- /dev/null
+++ b/policy/cnsl02-node-policy.hcl
@@ -0,0 +1,3 @@
+node "cnsl02" {
+ policy = "write"
+}
\ No newline at end of file
diff --git a/policy/cnsl03-node-policy.hcl b/policy/cnsl03-node-policy.hcl
new file mode 100644
index 0000000..3026b2a
--- /dev/null
+++ b/policy/cnsl03-node-policy.hcl
@@ -0,0 +1,3 @@
+node "cnsl03" {
+ policy = "write"
+}
\ No newline at end of file
diff --git a/policy/node-policy.hcl b/policy/node-policy.hcl
new file mode 100644
index 0000000..c0e959e
--- /dev/null
+++ b/policy/node-policy.hcl
@@ -0,0 +1,12 @@
+agent_prefix "" {
+ policy = "write"
+}
+node_prefix "" {
+ policy = "write"
+}
+service_prefix "" {
+ policy = "read"
+}
+session_prefix "" {
+ policy = "read"
+}
diff --git a/policy/node-token.txt b/policy/node-token.txt
new file mode 100644
index 0000000..71a9716
--- /dev/null
+++ b/policy/node-token.txt
@@ -0,0 +1,7 @@
+AccessorID: 34eb7622-fb31-c2ac-68c0-f1de090c220a
+SecretID: a3ffb2c1-a218-5b02-c4ae-6b2e73050a7c
+Description: node token
+Local: false
+Create Time: 2021-11-14 03:38:58.055421799 +0000 UTC
+Policies:
+ 90a72d92-8c2f-475d-1db3-b44ac409be6d - node-policy
diff --git a/policy/oort-node-policy.hcl b/policy/oort-node-policy.hcl
new file mode 100644
index 0000000..f194821
--- /dev/null
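Review bot: `"client_addr": "0.0.0.0"` together with `"ui": true` in server.json exposes the HTTP API and UI on every interface, and because there is no `ports` block Consul still serves cleartext HTTP on its default port; the `verify_incoming` settings in tls.json cover RPC and the HTTPS listener, and HTTPS is not enabled here. Bind the client address to loopback or the management interface, or turn the cleartext listener off and enable HTTPS, e.g. `"ports": { "http": -1, "https": 8501 }`, so the TLS settings actually gate API access. The default-deny ACL in acl.hcl limits what an unauthenticated caller can do, but it does not protect tokens presented over the unencrypted listener.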
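Review bot: node-policy.hcl grants `agent_prefix "" { policy = "write" }` and `node_prefix "" { policy = "write" }`, so the single node token in policy/node-token.txt can register, deregister or reconfigure any node in the datacenter, which undercuts the per-node `node "cnsl01"` … `node "cnsl03"` policies added in the neighbouring hunks. Prefer the per-node policies — one token per node, write only on its own `node` and `agent` name — and drop the empty-prefix write rules from this file, keeping `service_prefix ""` and `session_prefix ""` at read if the agents need them. If the prefix form is kept for convenience, a comment above `agent_prefix ""` explaining why the datacenter-wide grant is acceptable would help future reviewers.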
+++ b/policy/oort-node-policy.hcl
@@ -0,0 +1,3 @@
+node "oort" {
+ policy = "write"
+}
\ No newline at end of file
diff --git a/policy/oort.hcl b/policy/oort.hcl
new file mode 100644
index 0000000..f194821
--- /dev/null
+++ b/policy/oort.hcl
@@ -0,0 +1,3 @@
+node "oort" {
+ policy = "write"
+}
\ No newline at end of file
diff --git a/templates/agent.json b/templates/agent.json
new file mode 100644
index 0000000..d8548bf
--- /dev/null
+++ b/templates/agent.json
@@ -0,0 +1,19 @@
+{
+ "datacenter": "dc1",
+ "data_dir": "/opt/consul",
+ "log_level": "INFO",
+ "server": false,
+ "disable_update_check": true,
+ "disable_remote_exec": true,
+ "enable_syslog": true,
+ "encrypt": "HwOdJKTZXTaqGsCaBs7qRlrPm0msjz/K2WQ1/HbZ+I8=",
+ "ca_file": "/etc/consul/consul-agent-ca.pem",
+ "cert_file": "/etc/consul/dc1-agent-consul-0.pem",
+ "key_file": "/etc/consul/dc1-agent-consul-0-key.pem",
+ "verify_incoming": true,
+ "verify_outgoing": true,
+ "verify_server_hostname": true,
+ "client_addr": "0.0.0.0",
+ "ui": true,
+ "retry_join": ["10.0.96.80","10.0.96.81","10.0.96.82"]
+}
diff --git a/templates/tls.json b/templates/tls.json
new file mode 100644
index 0000000..26f8c7a
--- /dev/null
+++ b/templates/tls.json
@@ -0,0 +1,8 @@
+{
+ "ca_file": "/etc/consul.keys/consul-agent-ca.pem",
+ "cert_file": "/etc/consul.keys/dc1-server-consul-{{ ansible_nodename }}.pem",
+ "key_file": "/etc/consul.keys/dc1-server-consul-{{ ansible_nodename }}-key.pem",
+ "verify_incoming": true,
+ "verify_outgoing": true,
+ "verify_server_hostname": true
+}
\ No newline at end of file
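Review bot: policy/oort.hcl is byte-identical to policy/oort-node-policy.hcl (both hunks carry blob index f194821), so the repository now holds two copies of the same `node "oort"` rule that can drift apart. Keep one — oort-node-policy.hcl follows the cnsl0x-node-policy naming used elsewhere in this commit — and delete the other. Both files also end without a trailing newline.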
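Review bot: agent.json hard-codes `cert_file` and `key_file` as /etc/consul/dc1-agent-consul-0.pem and -key.pem, which does not match the `/etc/consul.keys/dc1-server-consul-{{ ansible_nodename }}` paths that tls.json templates in the same commit, and it repeats the gossip `encrypt` value already held in files/server_cfg/encrypt.json, so the two copies can diverge silently. The file sits in templates/ yet contains no template variables, and no task in deploy_consul.yaml renders it, so it appears unused — confirm. If client agents are meant to be deployed, template the certificate paths the way tls.json does and pull `encrypt` from one shared, vaulted source; otherwise drop the file rather than carrying a second copy of the key.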