Compare commits
3 Commits
8cb41f5246
...
7bc9062d85
| Author | SHA1 | Date | |
|---|---|---|---|
| 7bc9062d85 | |||
| ec601d90b6 | |||
| 9811ebd6bc |
2
.gitignore
vendored
2
.gitignore
vendored
@ -1,2 +1,4 @@
|
||||
.envrc
|
||||
.direnv
|
||||
requirements.txt
|
||||
files/keys/*
|
||||
@ -5,48 +5,101 @@
|
||||
|
||||
gather_facts: true
|
||||
tasks:
|
||||
# - name: Install python
|
||||
# raw: apk add python3
|
||||
|
||||
- name: Install packages
|
||||
community.general.apk:
|
||||
name: consul
|
||||
- name: Install zip utils
|
||||
apk:
|
||||
name:
|
||||
- unzip
|
||||
- consul
|
||||
state: present
|
||||
update_cache: yes
|
||||
|
||||
- name: Check for upgrade requirement
|
||||
shell: /usr/sbin/consul version
|
||||
register: consul_version
|
||||
changed_when: false
|
||||
|
||||
- name: Apply upgrades if needed
|
||||
block:
|
||||
- name: Obtain consul binary
|
||||
get_url:
|
||||
url: https://releases.hashicorp.com/consul/1.10.4/consul_1.10.4_linux_amd64.zip
|
||||
dest: /tmp/consul.zip
|
||||
- name: Remove old consul binary
|
||||
file:
|
||||
path: /usr/sbin/consul
|
||||
state: absent
|
||||
- name: Expand binary
|
||||
unarchive:
|
||||
src: /tmp/consul.zip
|
||||
dest: /usr/sbin/
|
||||
remote_src: yes
|
||||
when: consul_version.stdout.find('Consul v1.10.4') == -1
|
||||
|
||||
- name: Create keys directory
|
||||
file:
|
||||
path: /etc/consul.keys
|
||||
state: directory
|
||||
owner: root
|
||||
|
||||
- name: Deploy keys
|
||||
- name: Set up CA and create certs
|
||||
block:
|
||||
- name: Create a CA for key creation
|
||||
shell: consul tls ca create
|
||||
args:
|
||||
chdir: /etc/consul.keys
|
||||
creates: /etc/consul.keys/consul-agent-ca-key.pem
|
||||
- name: Retrieve new CA key and certificate
|
||||
fetch:
|
||||
src: '/etc/consul.keys/{{item}}'
|
||||
dest: 'files/keys/{{item}}'
|
||||
flat: yes
|
||||
loop:
|
||||
- consul-agent-ca-key.pem
|
||||
- consul-agent-ca.pem
|
||||
- name: Install server certificate script
|
||||
copy:
|
||||
src: 'files/scripts/consul-server-cert.sh'
|
||||
dest: '/usr/sbin/consul-server-cert'
|
||||
mode: '0700'
|
||||
- name: Create server certificates
|
||||
shell: '/usr/sbin/consol-server-cert {{item}}'
|
||||
args:
|
||||
chdir: /etc/consul.keys
|
||||
creates: '/etc/consul.keys/{{item}}.key.pem'
|
||||
loop: "{{ groups.consul }}"
|
||||
- name: Retrieve server certificates
|
||||
fetch:
|
||||
src: '/etc/consul.keys/{{item}}.pem'
|
||||
dest: 'files/keys/{{item}}.pem'
|
||||
flat: yes
|
||||
loop: "{{ groups.consul }}"
|
||||
- name: Retrieve server keys
|
||||
fetch:
|
||||
src: '/etc/consul.keys/{{item}}.key.pem'
|
||||
dest: 'files/keys/{{item}}.key.pem'
|
||||
flat: yes
|
||||
loop: "{{ groups.consul }}"
|
||||
when: inventory_hostname in 'cnsl01'
|
||||
- name: Distribute CA certificate
|
||||
copy:
|
||||
src: "{{ item }}"
|
||||
dest: /etc/consul.keys/
|
||||
loop:
|
||||
- "files/keys/consul-agent-ca.pem"
|
||||
- "files/keys/dc1-server-consul-{{ ansible_nodename }}.pem"
|
||||
- "files/keys/dc1-server-consul-{{ ansible_nodename }}-key.pem"
|
||||
|
||||
- name: Update tls config
|
||||
src: keys/consul-agent-ca.pem
|
||||
dest: /etc/consul.keys/consul-agent-ca.pem
|
||||
- name: Distribute certificates and keys
|
||||
block:
|
||||
- name: Ship certificate
|
||||
copy:
|
||||
src: "keys/{{inventory_hostname}}.pem"
|
||||
dest: "/etc/consul.keys/{{inventory_hostname}}.pem"
|
||||
- name: Ship key
|
||||
copy:
|
||||
src: "keys/{{inventory_hostname}}.key.pem"
|
||||
dest: "/etc/consul.keys/{{inventory_hostname}}.key.pem"
|
||||
when: inventory_hostname not in 'cnsl01'
|
||||
- name: Update server tls config
|
||||
template:
|
||||
src: tls.json
|
||||
dest: /etc/consul/
|
||||
|
||||
- name: Copy static config files
|
||||
- name: Copy static server config files
|
||||
copy:
|
||||
src: files/server_cfg/
|
||||
dest: /etc/consul
|
||||
|
||||
- name: Restart server
|
||||
service:
|
||||
name: consul
|
||||
state: restarted
|
||||
|
||||
- name: Enable service
|
||||
service:
|
||||
name: consul
|
||||
enabled: true
|
||||
runlevel: default
|
||||
|
||||
9
deploy_python.yaml
Normal file
9
deploy_python.yaml
Normal file
@ -0,0 +1,9 @@
|
||||
- name: Deploy consul cluster
|
||||
hosts:
|
||||
- consul
|
||||
vars:
|
||||
|
||||
gather_facts: false
|
||||
tasks:
|
||||
- name: Install python
|
||||
raw: apk add python3
|
||||
@ -1,18 +0,0 @@
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIIC7TCCApSgAwIBAgIRAJ+pfHI7AaUSwrjOoqBQj8gwCgYIKoZIzj0EAwIwgbkx
|
||||
CzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNj
|
||||
bzEaMBgGA1UECRMRMTAxIFNlY29uZCBTdHJlZXQxDjAMBgNVBBETBTk0MTA1MRcw
|
||||
FQYDVQQKEw5IYXNoaUNvcnAgSW5jLjFAMD4GA1UEAxM3Q29uc3VsIEFnZW50IENB
|
||||
IDIxMjIyNzI3MzU2Nzk1Njk5MzEzNjAxNTI2MzkyNjQ5NDIwMzg0ODAeFw0yMTEx
|
||||
MTIwODQ1NTJaFw0yNjExMTEwODQ1NTJaMIG5MQswCQYDVQQGEwJVUzELMAkGA1UE
|
||||
CBMCQ0ExFjAUBgNVBAcTDVNhbiBGcmFuY2lzY28xGjAYBgNVBAkTETEwMSBTZWNv
|
||||
bmQgU3RyZWV0MQ4wDAYDVQQREwU5NDEwNTEXMBUGA1UEChMOSGFzaGlDb3JwIElu
|
||||
Yy4xQDA+BgNVBAMTN0NvbnN1bCBBZ2VudCBDQSAyMTIyMjcyNzM1Njc5NTY5OTMx
|
||||
MzYwMTUyNjM5MjY0OTQyMDM4NDgwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQW
|
||||
hgJCkj2MSVQ0MduzN+gahsxjefgUi/7caK840Z8+nZH9uf+mIFD2MV5GlyH2rUxm
|
||||
Ob8qzwEorpnEsHltt7Zro3sweTAOBgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUw
|
||||
AwEB/zApBgNVHQ4EIgQgXjMGwMpTJIyi1WN7r+oADAdMh02M70ToNUyD1nR077sw
|
||||
KwYDVR0jBCQwIoAgXjMGwMpTJIyi1WN7r+oADAdMh02M70ToNUyD1nR077swCgYI
|
||||
KoZIzj0EAwIDRwAwRAIgfmt0Huh6EXAIB4uRsLtT6oQP4mBBdPz+wWhgGl/8oqkC
|
||||
IHfpKw05q5g56h63rlpCfCSjx049IEhdQl1BQq7w1wO6
|
||||
-----END CERTIFICATE-----
|
||||
@ -1,5 +0,0 @@
|
||||
-----BEGIN EC PRIVATE KEY-----
|
||||
MHcCAQEEIEVE3laHqkyUawkHzgNXOklVGEIpHeIsVHO9prVxPE9doAoGCCqGSM49
|
||||
AwEHoUQDQgAEifAILwrPlw3IZIEBYxGytwQOjtTU7v+p/v17TYj+bqjpFTAzRA8A
|
||||
ZfAuMmRWYfBgyR+PgvwrCVz0sF4ekisyBQ==
|
||||
-----END EC PRIVATE KEY-----
|
||||
@ -1,16 +0,0 @@
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIICnDCCAkKgAwIBAgIQZcUIsW7KEyguQLeakeM+rzAKBggqhkjOPQQDAjCBuTEL
|
||||
MAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJhbmNpc2Nv
|
||||
MRowGAYDVQQJExExMDEgU2Vjb25kIFN0cmVldDEOMAwGA1UEERMFOTQxMDUxFzAV
|
||||
BgNVBAoTDkhhc2hpQ29ycCBJbmMuMUAwPgYDVQQDEzdDb25zdWwgQWdlbnQgQ0Eg
|
||||
MjEyMjI3MjczNTY3OTU2OTkzMTM2MDE1MjYzOTI2NDk0MjAzODQ4MB4XDTIxMTEx
|
||||
MjA4NDcyMFoXDTIyMTExMjA4NDcyMFowHDEaMBgGA1UEAxMRc2VydmVyLmRjMS5j
|
||||
b25zdWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASJ8AgvCs+XDchkgQFjEbK3
|
||||
BA6O1NTu/6n+/XtNiP5uqOkVMDNEDwBl8C4yZFZh8GDJH4+C/CsJXPSwXh6SKzIF
|
||||
o4HHMIHEMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYB
|
||||
BQUHAwIwDAYDVR0TAQH/BAIwADApBgNVHQ4EIgQgHi5V5f8evpxId4TtQEqMm/Ba
|
||||
mwB+m+YaRqEbtGUaoOYwKwYDVR0jBCQwIoAgXjMGwMpTJIyi1WN7r+oADAdMh02M
|
||||
70ToNUyD1nR077swLQYDVR0RBCYwJIIRc2VydmVyLmRjMS5jb25zdWyCCWxvY2Fs
|
||||
aG9zdIcEfwAAATAKBggqhkjOPQQDAgNIADBFAiEA4R0nOX021RbB3WiwSHT+Lsn+
|
||||
gVAh0BvYnSYs7Flr6jwCIHCSkd4Vwq/QoNJEG1ocveHuv0l74tpcdPHhXddmRxa/
|
||||
-----END CERTIFICATE-----
|
||||
@ -1,5 +0,0 @@
|
||||
-----BEGIN EC PRIVATE KEY-----
|
||||
MHcCAQEEIExUDPjsTgYUwkij3/76kQmaCNZfTnD7ULncnwMp9+9QoAoGCCqGSM49
|
||||
AwEHoUQDQgAEyrnR6O3NTx2tG1RLzi25xhC72/H56tsU+KL7yy8WTv1/eTSfp35A
|
||||
z8eYI8MVVFlFg6Y6RSB+mWAOK1ZlCAK/iw==
|
||||
-----END EC PRIVATE KEY-----
|
||||
@ -1,17 +0,0 @@
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIICnTCCAkOgAwIBAgIRALtKTylNLn8tcn1f3LwqxqIwCgYIKoZIzj0EAwIwgbkx
|
||||
CzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNj
|
||||
bzEaMBgGA1UECRMRMTAxIFNlY29uZCBTdHJlZXQxDjAMBgNVBBETBTk0MTA1MRcw
|
||||
FQYDVQQKEw5IYXNoaUNvcnAgSW5jLjFAMD4GA1UEAxM3Q29uc3VsIEFnZW50IENB
|
||||
IDIxMjIyNzI3MzU2Nzk1Njk5MzEzNjAxNTI2MzkyNjQ5NDIwMzg0ODAeFw0yMTEx
|
||||
MTMyMjE5MTVaFw0yMjExMTMyMjE5MTVaMBwxGjAYBgNVBAMTEXNlcnZlci5kYzEu
|
||||
Y29uc3VsMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEyrnR6O3NTx2tG1RLzi25
|
||||
xhC72/H56tsU+KL7yy8WTv1/eTSfp35Az8eYI8MVVFlFg6Y6RSB+mWAOK1ZlCAK/
|
||||
i6OBxzCBxDAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsG
|
||||
AQUFBwMCMAwGA1UdEwEB/wQCMAAwKQYDVR0OBCIEIOXNeOY9OY/iUqY3unTsLW3U
|
||||
3fDbvWoKJHphyRGUxd8EMCsGA1UdIwQkMCKAIF4zBsDKUySMotVje6/qAAwHTIdN
|
||||
jO9E6DVMg9Z0dO+7MC0GA1UdEQQmMCSCEXNlcnZlci5kYzEuY29uc3Vsgglsb2Nh
|
||||
bGhvc3SHBH8AAAEwCgYIKoZIzj0EAwIDSAAwRQIhALliGcXi+IKPGytKslUPHNbO
|
||||
LYuiQBR4ChW+cy3z3MNrAiBGKqzbfb0O890DFyN4BP/p2MurWXEHADAAwQDlW8fw
|
||||
vw==
|
||||
-----END CERTIFICATE-----
|
||||
@ -1,5 +0,0 @@
|
||||
-----BEGIN EC PRIVATE KEY-----
|
||||
MHcCAQEEIPpk6l39vQmXv5PZN4/JC5OYJIKXTVo7vavHRJhUNTiroAoGCCqGSM49
|
||||
AwEHoUQDQgAEm+5MaEoPb022EWsQr4z8XBGogtI1Q9avsv7nSVRAgzDBTGv1HYo7
|
||||
oi5x98kU+u/lRyKxINK7etthQ3I39g6Vhg==
|
||||
-----END EC PRIVATE KEY-----
|
||||
@ -1,16 +0,0 @@
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIICnDCCAkKgAwIBAgIQO8BkyzQIkpd070agWUhNzzAKBggqhkjOPQQDAjCBuTEL
|
||||
MAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJhbmNpc2Nv
|
||||
MRowGAYDVQQJExExMDEgU2Vjb25kIFN0cmVldDEOMAwGA1UEERMFOTQxMDUxFzAV
|
||||
BgNVBAoTDkhhc2hpQ29ycCBJbmMuMUAwPgYDVQQDEzdDb25zdWwgQWdlbnQgQ0Eg
|
||||
MjEyMjI3MjczNTY3OTU2OTkzMTM2MDE1MjYzOTI2NDk0MjAzODQ4MB4XDTIxMTEx
|
||||
MzIyMTkxOVoXDTIyMTExMzIyMTkxOVowHDEaMBgGA1UEAxMRc2VydmVyLmRjMS5j
|
||||
b25zdWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASb7kxoSg9vTbYRaxCvjPxc
|
||||
EaiC0jVD1q+y/udJVECDMMFMa/UdijuiLnH3yRT67+VHIrEg0rt622FDcjf2DpWG
|
||||
o4HHMIHEMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYB
|
||||
BQUHAwIwDAYDVR0TAQH/BAIwADApBgNVHQ4EIgQgYWn1nNojLeViJTm/dKAyGpeI
|
||||
+v8axVVcRDYr/9oVt5MwKwYDVR0jBCQwIoAgXjMGwMpTJIyi1WN7r+oADAdMh02M
|
||||
70ToNUyD1nR077swLQYDVR0RBCYwJIIRc2VydmVyLmRjMS5jb25zdWyCCWxvY2Fs
|
||||
aG9zdIcEfwAAATAKBggqhkjOPQQDAgNIADBFAiEAvzkvkOIZYowUocOhY3G6lLbO
|
||||
v7cflBuK7wCS986fHPcCID6mztj5Ij+bSlE905axemFAesaoego14Go4OEKrMFPI
|
||||
-----END CERTIFICATE-----
|
||||
21
files/scripts/consul-server-cert.sh
Executable file
21
files/scripts/consul-server-cert.sh
Executable file
@ -0,0 +1,21 @@
|
||||
#!/usr/bin/env bash
|
||||
|
||||
RENEW=false
|
||||
|
||||
while getopts r: flag
|
||||
do
|
||||
case "${flag}" in
|
||||
r) RENEW=true
|
||||
esac
|
||||
done
|
||||
|
||||
HOSTNAME=$1
|
||||
|
||||
if [[ -f "$HOSTNAME.key.pem" && renew == 'false' ]]; then
|
||||
echo "Certificate key for $HOSTNAME exists, use -r to renew it."
|
||||
exit
|
||||
fi
|
||||
|
||||
consul tls cert create -server -dc dc1 -additional-dnsname=$HOSTNAME -node=$HOSTNAME
|
||||
mv dc1-server-consul-0-key.pem $HOSTNAME.key.pem
|
||||
mv dc1-server-consul-0.pem $HOSTNAME.pem
|
||||
@ -8,7 +8,9 @@
|
||||
"disable_remote_exec": true,
|
||||
"enable_syslog": true,
|
||||
"client_addr": "0.0.0.0",
|
||||
"ui": true,
|
||||
"ui_config": {
|
||||
"enabled": true
|
||||
},
|
||||
"retry_join": [
|
||||
"10.0.96.80",
|
||||
"10.0.96.81",
|
||||
|
||||
@ -1,3 +0,0 @@
|
||||
node "cnsl02" {
|
||||
policy = "write"
|
||||
}
|
||||
@ -1,3 +0,0 @@
|
||||
node "cnsl03" {
|
||||
policy = "write"
|
||||
}
|
||||
@ -1,12 +0,0 @@
|
||||
agent_prefix "" {
|
||||
policy = "write"
|
||||
}
|
||||
node_prefix "" {
|
||||
policy = "write"
|
||||
}
|
||||
service_prefix "" {
|
||||
policy = "read"
|
||||
}
|
||||
session_prefix "" {
|
||||
policy = "read"
|
||||
}
|
||||
@ -1,7 +0,0 @@
|
||||
AccessorID: 34eb7622-fb31-c2ac-68c0-f1de090c220a
|
||||
SecretID: a3ffb2c1-a218-5b02-c4ae-6b2e73050a7c
|
||||
Description: node token
|
||||
Local: false
|
||||
Create Time: 2021-11-14 03:38:58.055421799 +0000 UTC
|
||||
Policies:
|
||||
90a72d92-8c2f-475d-1db3-b44ac409be6d - node-policy
|
||||
@ -1,3 +0,0 @@
|
||||
node "oort" {
|
||||
policy = "write"
|
||||
}
|
||||
@ -1,3 +0,0 @@
|
||||
node "oort" {
|
||||
policy = "write"
|
||||
}
|
||||
3
requirements.in
Normal file
3
requirements.in
Normal file
@ -0,0 +1,3 @@
|
||||
ansible
|
||||
proxmoxer
|
||||
requests
|
||||
@ -8,8 +8,6 @@
|
||||
"enable_syslog": true,
|
||||
"encrypt": "HwOdJKTZXTaqGsCaBs7qRlrPm0msjz/K2WQ1/HbZ+I8=",
|
||||
"ca_file": "/etc/consul/consul-agent-ca.pem",
|
||||
"cert_file": "/etc/consul/dc1-agent-consul-0.pem",
|
||||
"key_file": "/etc/consul/dc1-agent-consul-0-key.pem",
|
||||
"verify_incoming": true,
|
||||
"verify_outgoing": true,
|
||||
"verify_server_hostname": true,
|
||||
|
||||
@ -1,3 +1,3 @@
|
||||
node "cnsl01" {
|
||||
node "{{item}}" {
|
||||
policy = "write"
|
||||
}
|
||||
@ -1,8 +1,11 @@
|
||||
{
|
||||
"ca_file": "/etc/consul.keys/consul-agent-ca.pem",
|
||||
"cert_file": "/etc/consul.keys/dc1-server-consul-{{ ansible_nodename }}.pem",
|
||||
"key_file": "/etc/consul.keys/dc1-server-consul-{{ ansible_nodename }}-key.pem",
|
||||
"cert_file": "/etc/consul.keys/{{ ansible_nodename }}.pem",
|
||||
"key_file": "/etc/consul.keys/{{ ansible_nodename }}.key.pem",
|
||||
"verify_incoming": true,
|
||||
"verify_outgoing": true,
|
||||
"verify_server_hostname": true
|
||||
"verify_server_hostname": true,
|
||||
"auto_encrypt": {
|
||||
"allow_tls": true
|
||||
}
|
||||
}
|
||||
Loading…
Reference in New Issue
Block a user