From 52e5d1748668ce99ca9e060adbbb9d9253bc62c7 Mon Sep 17 00:00:00 2001
From: Asara
Date: Thu, 27 Aug 2020 15:23:27 -0400
Subject: [PATCH] add consul server configuration
---
 ansible/roles/consul_server/defaults/main.yml | 3 ++
 .../consul_server/files/consul-agent-ca.pem | 18 +++++++++
 .../consul_server/files/consul-server.pem | 17 +++++++++
 ansible/roles/consul_server/tasks/Debian.yml | 34 ++++++++++++++++-
 ansible/roles/consul_server/tasks/FreeBSD.yml | 36 +++++++++++++++++-
 .../templates/consul-server.key.j2 | 1 +
 .../consul_server/templates/consul.hcl.j2 | 38 ++++++++++++++++---
 7 files changed, 138 insertions(+), 9 deletions(-)
 create mode 100644 ansible/roles/consul_server/defaults/main.yml
 create mode 100644 ansible/roles/consul_server/files/consul-agent-ca.pem
 create mode 100644 ansible/roles/consul_server/files/consul-server.pem
 create mode 100644 ansible/roles/consul_server/templates/consul-server.key.j2
diff --git a/ansible/roles/consul_server/defaults/main.yml b/ansible/roles/consul_server/defaults/main.yml
new file mode 100644
index 0000000..f5f06b0
--- /dev/null
+++ b/ansible/roles/consul_server/defaults/main.yml
@@ -0,0 +1,3 @@
+---
+consul_config_path: /etc/consul.d
+...
diff --git a/ansible/roles/consul_server/files/consul-agent-ca.pem b/ansible/roles/consul_server/files/consul-agent-ca.pem
new file mode 100644
index 0000000..f22fc45
--- /dev/null
+++ b/ansible/roles/consul_server/files/consul-agent-ca.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC6jCCApGgAwIBAgIQME5Go459u5LlhDqirL54aTAKBggqhkjOPQQDAjCBuDEL
+MAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJhbmNpc2Nv
+MRowGAYDVQQJExExMDEgU2Vjb25kIFN0cmVldDEOMAwGA1UEERMFOTQxMDUxFzAV
+BgNVBAoTDkhhc2hpQ29ycCBJbmMuMT8wPQYDVQQDEzZDb25zdWwgQWdlbnQgQ0Eg
+NjQyMDkzNzU2Nzk2MDMyOTY4MTA4MDI5ODk2NTUzNjQ4OTI3NzcwHhcNMjAwODI3
+MTYxOTE4WhcNMjUwODI2MTYxOTE4WjCBuDELMAkGA1UEBhMCVVMxCzAJBgNVBAgT
+AkNBMRYwFAYDVQQHEw1TYW4gRnJhbmNpc2NvMRowGAYDVQQJExExMDEgU2Vjb25k
+IFN0cmVldDEOMAwGA1UEERMFOTQxMDUxFzAVBgNVBAoTDkhhc2hpQ29ycCBJbmMu
+MT8wPQYDVQQDEzZDb25zdWwgQWdlbnQgQ0EgNjQyMDkzNzU2Nzk2MDMyOTY4MTA4
+MDI5ODk2NTUzNjQ4OTI3NzcwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASUDPnD
+lfeWaTrJHZ9JzovcEXTGh2VKOaq4a1GceAqYNg1Jj2A6+6Je9Nm5+tvVn939ZS0z
+NQGjuL3vdxJN96sYo3sweTAOBgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB
+/zApBgNVHQ4EIgQg7s5SJjjgtyy/XUHwQk43iXapCXQIIFqOivTddv6RGacwKwYD
+VR0jBCQwIoAg7s5SJjjgtyy/XUHwQk43iXapCXQIIFqOivTddv6RGacwCgYIKoZI
+zj0EAwIDRwAwRAIgGj3Z1yyMTcdsZiFu89Si0E9ueX2CAAztWabhbvzMOl4CIHIv
+DhH1LG5/DHuJCQA4MAKLiDzt1/XQoS1FJiguyorb
+-----END CERTIFICATE-----
diff --git a/ansible/roles/consul_server/files/consul-server.pem b/ansible/roles/consul_server/files/consul-server.pem
new file mode 100644
index 0000000..1cc6ba4
--- /dev/null
+++ b/ansible/roles/consul_server/files/consul-server.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICpzCCAkygAwIBAgIRAP+zqvMlaJNYzixVwgrrYrkwCgYIKoZIzj0EAwIwgbgx
+CzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNj
+bzEaMBgGA1UECRMRMTAxIFNlY29uZCBTdHJlZXQxDjAMBgNVBBETBTk0MTA1MRcw
+FQYDVQQKEw5IYXNoaUNvcnAgSW5jLjE/MD0GA1UEAxM2Q29uc3VsIEFnZW50IENB
+IDY0MjA5Mzc1Njc5NjAzMjk2ODEwODAyOTg5NjU1MzY0ODkyNzc3MB4XDTIwMDgy
+NzE3MjcxMVoXDTIxMDgyNzE3MjcxMVowITEfMB0GA1UEAxMWc2VydmVyLmNvbHVt
+YmlhLmNvbnN1bDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABJ/z9e9ctu6x4GqX
+Gmrc69JeusbmpEEkO35LIVngEc4fqF0eup2/txiQZhmyDuYKN8ObcLzQ9/6OJkRD
+a47UTzCjgcwwgckwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMB
+BggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMCkGA1UdDgQiBCB85H1w+4sYpvxg7b5x
+Yr8/psiaIxNGDioU4OXxAMUabTArBgNVHSMEJDAigCDuzlImOOC3LL9dQfBCTjeJ
+dqkJdAggWo6K9N12/pEZpzAyBgNVHREEKzApghZzZXJ2ZXIuY29sdW1iaWEuY29u
+c3Vsgglsb2NhbGhvc3SHBH8AAAEwCgYIKoZIzj0EAwIDSQAwRgIhALqDdmHhRnos
+BTc5zpSdnv1NUU+DkGqG8bfisN9YYhf3AiEAoiaT7DBzgHv2Po37P/YZm2nMjMdd
+W2dTCuysw+L3Syk=
+-----END CERTIFICATE-----
diff --git a/ansible/roles/consul_server/tasks/Debian.yml b/ansible/roles/consul_server/tasks/Debian.yml
index 99b6c04..5ee16b3 100644
--- a/ansible/roles/consul_server/tasks/Debian.yml
+++ b/ansible/roles/consul_server/tasks/Debian.yml
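Review bot: One server certificate is committed here and, in the task hunks that follow, copied unchanged to every consul server, so all three servers present the same identity and a key compromise on any one host compromises the whole set; the validity fields in this PEM also appear to decode to roughly a one-year window ending in late August 2021, and with `verify_incoming = true` in consul.hcl.j2 nothing in the role rotates it before server RPC starts failing. Prefer per-host certificates issued from the committed CA, or at minimum an expiry check and a documented rotation step. The SAN appears to be `server.columbia.consul`, which `verify_server_hostname = true` only accepts when `consul_dc` renders as `columbia`; that coupling deserves a comment next to `consul_dc` in the role's variables.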
@@ -20,6 +20,38 @@
 group: consul
 mode: 0755
+- name: ensure consul config dir
+ file:
+ path: /etc/consul.d/certs/
+ state: directory
+ owner: consul
+ group: consul
+ mode: 0744
+
+- name: ensure consul agent ca cert
+ copy:
+ src: files/consul-agent-ca.pem
+ dest: /etc/consul.d/certs/consul-agent-ca.pem
+ owner: consul
+ group: consul
+ mode: 0644
+
+- name: ensure consul server cert
+ copy:
+ src: files/consul-server.pem
+ dest: /etc/consul.d/certs/consul-server.pem
+ owner: consul
+ group: consul
+ mode: 0600
+
+- name: ensure consul server key
+ template:
+ src: templates/consul-server.key.j2
+ dest: /etc/consul.d/certs/consul-server.key
+ owner: consul
+ group: consul
+ mode: 0600
+
 - name: ensure consul data dir
 file:
 path: /opt/consul
@@ -35,7 +67,7 @@
 executable: /bin/bash
 changed_when: False
 register: installed_consul_version
- check_mode: false
+ check_mode: False
 - name: get consul
 unarchive:
diff --git a/ansible/roles/consul_server/tasks/FreeBSD.yml b/ansible/roles/consul_server/tasks/FreeBSD.yml
index 0520e87..be803fd 100644
--- a/ansible/roles/consul_server/tasks/FreeBSD.yml
+++ b/ansible/roles/consul_server/tasks/FreeBSD.yml
@@ -20,6 +20,38 @@
 group: consul
 mode: 0755
+- name: ensure consul config dir
+ file:
+ path: /usr/local/etc/consul.d/certs
+ state: directory
+ owner: consul
+ group: consul
+ mode: 0744
+
+- name: ensure consul agent ca cert
+ copy:
+ src: files/consul-agent-ca.pem
+ dest: /usr/local/etc/consul.d/certs/consul-agent-ca.pem
+ owner: consul
+ group: consul
+ mode: 0644
+
+- name: ensure consul server cert
+ copy:
+ src: files/consul-server.pem
+ dest: /usr/local/etc/consul.d/certs/consul-server.pem
+ owner: consul
+ group: consul
+ mode: 0600
+
+- name: ensure consul server key
+ template:
+ src: templates/consul-server.key.j2
+ dest: /usr/local/etc/consul.d/certs/consul-server.key
+ owner: consul
+ group: consul
+ mode: 0600
+
 - name: ensure consul data dir
 file:
 path: /opt/consul
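Review bot: The `ensure consul config dir` task creates the certs directory with `mode: 0744`, which gives group and other read but no traverse permission — a mode that is neither private nor usable; since consul owns the files, `mode: 0700` (or 0750 if another group needs the CA) is the intended shape. The `ensure consul server key` task renders a private key from Vault without `no_log: true`, so a run with `--diff` or `-vvv` prints the key into the controller log; add `no_log: true` to that task. Both task files also hardcode the certs path while defaults/main.yml introduces `consul_config_path`, so `dest: "{{ consul_config_path }}/certs/consul-server.key"` and the sibling `dest:`/`path:` values would keep the tasks and consul.hcl.j2 in step. The same three points apply to the matching hunk in FreeBSD.yml; whether a `notify:` to restart consul is needed on cert or key change depends on handlers not visible here.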
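Review bot: The FreeBSD tasks install the certificates under `/usr/local/etc/consul.d/certs`, but consul.hcl.j2 builds `ca_file`, `cert_file` and `key_file` from `consul_config_path`, whose only default in this patch (defaults/main.yml) is `/etc/consul.d`; unless a platform vars file not shown here overrides it, a FreeBSD server is pointed at a certs directory that does not exist and will fail to start with TLS enabled. Setting `consul_config_path` per platform and using `{{ consul_config_path }}/certs/...` in these `dest:` values would remove the divergence.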
@@ -36,7 +68,7 @@
 changed_when: False
 failed_when: False
 register: installed_consul_version
- check_mode: false
+ check_mode: False
 - name: get consul
 pkgng:
@@ -56,4 +88,4 @@
 service:
 name: consul
 state: started
- enabled: yes
+ enabled: True
diff --git a/ansible/roles/consul_server/templates/consul-server.key.j2 b/ansible/roles/consul_server/templates/consul-server.key.j2
new file mode 100644
index 0000000..5991a43
--- /dev/null
+++ b/ansible/roles/consul_server/templates/consul-server.key.j2
@@ -0,0 +1 @@
+{{ lookup('hashi_vault', 'secret=kv/data/consul:data')['consul-server-key'] }}
diff --git a/ansible/roles/consul_server/templates/consul.hcl.j2 b/ansible/roles/consul_server/templates/consul.hcl.j2
index 6d3d450..0a96cb0 100644
--- a/ansible/roles/consul_server/templates/consul.hcl.j2
+++ b/ansible/roles/consul_server/templates/consul.hcl.j2
@@ -1,16 +1,42 @@
 datacenter = "{{ consul_dc }}"
-domain = "minhas.io"
-bind_addr = "{{ ansible_default_ipv4.address }}"
-start_join = ["{{ groups['consul_server'] | map('extract', hostvars, ['ansible_default_ipv4', 'address']) | join('","') }}"]
-data_dir = "/opt/consul"
-log_level = "INFO"
-raft_protocol = 3
+domain = "consul"
 server = true
 bootstrap_expect = 3
 ui = true
+
+encrypt = "{{ lookup('hashi_vault', 'secret=kv/data/consul:data')['gossip'] }}"
+
+verify_incoming = true
+verify_outgoing = true
+verify_server_hostname = true
+ca_file = "{{ consul_config_path }}/certs/consul-agent-ca.pem"
+cert_file = "{{ consul_config_path }}/certs/consul-server.pem"
+key_file = "{{ consul_config_path }}/certs/consul-server.key"
+
+auto_encrypt {
+ allow_tls = true
+}
+
+bind_addr = "{{ ansible_default_ipv4.address }}"
+start_join = ["{{ groups['consul_server'] | map('extract', hostvars, ['ansible_default_ipv4', 'address']) | join('","') }}"]
+
+data_dir = "/opt/consul"
+log_level = "INFO"
+raft_protocol = 3
+
 addresses {
 http = "0.0.0.0"
 }
+
 performance {
 raft_multiplier = 1
 }
+
+acl {
+ enabled = true
+ default_policy = "deny"
+ enable_token_persistence = true
+ tokens {
+ agent = "{{ lookup('hashi_vault', 'secret=kv/data/consul:data')['server-acl-token'] }}"
+ }
+}
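Review bot: `addresses { http = "0.0.0.0" }` keeps the plaintext HTTP API listening on every interface while the rest of the new config turns on TLS and `verify_incoming`, so ACL tokens sent as `X-Consul-Token` headers to the UI or API cross the network in cleartext; if remote access is intended, enable the HTTPS listener and disable HTTP (`ports { http = -1 https = 8501 }`), otherwise bind HTTP to `127.0.0.1`. This template now also embeds the gossip key and the agent ACL token, so the task that renders consul.hcl (outside this patch) needs a restrictive `mode:` and `no_log: true`, which cannot be confirmed from this diff. A smaller point: the same Vault secret `kv/data/consul` is fetched by three separate `hashi_vault` lookups per host (twice here, once in consul-server.key.j2); reading it once into a fact would cut Vault round-trips and audit-log noise.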