Asara/infra
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

add consul server configuration

Browse source
This commit is contained in:
Amarpreet Minhas 2020-08-27 15:23:27 -04:00
parent f2e657ff8b
commit 52e5d17486
7 changed files with 138 additions and 9 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
ansible/roles/consul_server/defaults/main.yml Normal file
View file

@ -0,0 +1,3 @@
---
consul_config_path: /etc/consul.d
...

18
ansible/roles/consul_server/files/consul-agent-ca.pem Normal file
View file

@ -0,0 +1,18 @@
-----BEGIN CERTIFICATE-----
MIIC6jCCApGgAwIBAgIQME5Go459u5LlhDqirL54aTAKBggqhkjOPQQDAjCBuDEL
MAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJhbmNpc2Nv
MRowGAYDVQQJExExMDEgU2Vjb25kIFN0cmVldDEOMAwGA1UEERMFOTQxMDUxFzAV
BgNVBAoTDkhhc2hpQ29ycCBJbmMuMT8wPQYDVQQDEzZDb25zdWwgQWdlbnQgQ0Eg
NjQyMDkzNzU2Nzk2MDMyOTY4MTA4MDI5ODk2NTUzNjQ4OTI3NzcwHhcNMjAwODI3
MTYxOTE4WhcNMjUwODI2MTYxOTE4WjCBuDELMAkGA1UEBhMCVVMxCzAJBgNVBAgT
AkNBMRYwFAYDVQQHEw1TYW4gRnJhbmNpc2NvMRowGAYDVQQJExExMDEgU2Vjb25k
IFN0cmVldDEOMAwGA1UEERMFOTQxMDUxFzAVBgNVBAoTDkhhc2hpQ29ycCBJbmMu
MT8wPQYDVQQDEzZDb25zdWwgQWdlbnQgQ0EgNjQyMDkzNzU2Nzk2MDMyOTY4MTA4
MDI5ODk2NTUzNjQ4OTI3NzcwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASUDPnD
lfeWaTrJHZ9JzovcEXTGh2VKOaq4a1GceAqYNg1Jj2A6+6Je9Nm5+tvVn939ZS0z
NQGjuL3vdxJN96sYo3sweTAOBgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB
/zApBgNVHQ4EIgQg7s5SJjjgtyy/XUHwQk43iXapCXQIIFqOivTddv6RGacwKwYD
VR0jBCQwIoAg7s5SJjjgtyy/XUHwQk43iXapCXQIIFqOivTddv6RGacwCgYIKoZI
zj0EAwIDRwAwRAIgGj3Z1yyMTcdsZiFu89Si0E9ueX2CAAztWabhbvzMOl4CIHIv
DhH1LG5/DHuJCQA4MAKLiDzt1/XQoS1FJiguyorb
-----END CERTIFICATE-----

17
ansible/roles/consul_server/files/consul-server.pem Normal file
View file

@ -0,0 +1,17 @@
-----BEGIN CERTIFICATE-----
MIICpzCCAkygAwIBAgIRAP+zqvMlaJNYzixVwgrrYrkwCgYIKoZIzj0EAwIwgbgx
CzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNj
bzEaMBgGA1UECRMRMTAxIFNlY29uZCBTdHJlZXQxDjAMBgNVBBETBTk0MTA1MRcw
FQYDVQQKEw5IYXNoaUNvcnAgSW5jLjE/MD0GA1UEAxM2Q29uc3VsIEFnZW50IENB
IDY0MjA5Mzc1Njc5NjAzMjk2ODEwODAyOTg5NjU1MzY0ODkyNzc3MB4XDTIwMDgy
NzE3MjcxMVoXDTIxMDgyNzE3MjcxMVowITEfMB0GA1UEAxMWc2VydmVyLmNvbHVt
YmlhLmNvbnN1bDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABJ/z9e9ctu6x4GqX
Gmrc69JeusbmpEEkO35LIVngEc4fqF0eup2/txiQZhmyDuYKN8ObcLzQ9/6OJkRD
a47UTzCjgcwwgckwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMB
BggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMCkGA1UdDgQiBCB85H1w+4sYpvxg7b5x
Yr8/psiaIxNGDioU4OXxAMUabTArBgNVHSMEJDAigCDuzlImOOC3LL9dQfBCTjeJ
dqkJdAggWo6K9N12/pEZpzAyBgNVHREEKzApghZzZXJ2ZXIuY29sdW1iaWEuY29u
c3Vsgglsb2NhbGhvc3SHBH8AAAEwCgYIKoZIzj0EAwIDSQAwRgIhALqDdmHhRnos
BTc5zpSdnv1NUU+DkGqG8bfisN9YYhf3AiEAoiaT7DBzgHv2Po37P/YZm2nMjMdd
W2dTCuysw+L3Syk=
-----END CERTIFICATE-----

34
ansible/roles/consul_server/tasks/Debian.yml
View file

@ -20,6 +20,38 @@
group: consul group: consul
mode: 0755 mode: 0755
- name: ensure consul config dir
file:
path: /etc/consul.d/certs/
state: directory
owner: consul
group: consul
mode: 0744
- name: ensure consul agent ca cert
copy:
src: files/consul-agent-ca.pem
dest: /etc/consul.d/certs/consul-agent-ca.pem
owner: consul
group: consul
mode: 0644
- name: ensure consul server cert
copy:
src: files/consul-server.pem
dest: /etc/consul.d/certs/consul-server.pem
owner: consul
group: consul
mode: 0600
- name: ensure consul server key
template:
src: templates/consul-server.key.j2
dest: /etc/consul.d/certs/consul-server.key
owner: consul
group: consul
mode: 0600
- name: ensure consul data dir - name: ensure consul data dir
file: file:
path: /opt/consul path: /opt/consul
@ -35,7 +67,7 @@
executable: /bin/bash executable: /bin/bash
changed_when: False changed_when: False
register: installed_consul_version register: installed_consul_version
check_mode: false check_mode: False
- name: get consul - name: get consul
unarchive: unarchive:

36
ansible/roles/consul_server/tasks/FreeBSD.yml
View file

@ -20,6 +20,38 @@
group: consul group: consul
mode: 0755 mode: 0755
- name: ensure consul config dir
file:
path: /usr/local/etc/consul.d/certs
state: directory
owner: consul
group: consul
mode: 0744
- name: ensure consul agent ca cert
copy:
src: files/consul-agent-ca.pem
dest: /usr/local/etc/consul.d/certs/consul-agent-ca.pem
owner: consul
group: consul
mode: 0644
- name: ensure consul server cert
copy:
src: files/consul-server.pem
dest: /usr/local/etc/consul.d/certs/consul-server.pem
owner: consul
group: consul
mode: 0600
- name: ensure consul server key
template:
src: templates/consul-server.key.j2
dest: /usr/local/etc/consul.d/certs/consul-server.key
owner: consul
group: consul
mode: 0600
- name: ensure consul data dir - name: ensure consul data dir
file: file:
path: /opt/consul path: /opt/consul
@ -36,7 +68,7 @@
changed_when: False changed_when: False
failed_when: False failed_when: False
register: installed_consul_version register: installed_consul_version
check_mode: false check_mode: False
- name: get consul - name: get consul
pkgng: pkgng:
@ -56,4 +88,4 @@
service: service:
name: consul name: consul
state: started state: started
enabled: yes enabled: True

1
ansible/roles/consul_server/templates/consul-server.key.j2 Normal file
View file

@ -0,0 +1 @@
{{ lookup('hashi_vault', 'secret=kv/data/consul:data')['consul-server-key'] }}

38
ansible/roles/consul_server/templates/consul.hcl.j2
View file

@ -1,16 +1,42 @@
datacenter = "{{ consul_dc }}" datacenter = "{{ consul_dc }}"
domain = "minhas.io" domain = "consul"
bind_addr = "{{ ansible_default_ipv4.address }}"
start_join = ["{{ groups['consul_server'] | map('extract', hostvars, ['ansible_default_ipv4', 'address']) | join('","') }}"]
data_dir = "/opt/consul"
log_level = "INFO"
raft_protocol = 3
server = true server = true
bootstrap_expect = 3 bootstrap_expect = 3
ui = true ui = true
encrypt = "{{ lookup('hashi_vault', 'secret=kv/data/consul:data')['gossip'] }}"
verify_incoming = true
verify_outgoing = true
verify_server_hostname = true
ca_file = "{{ consul_config_path }}/certs/consul-agent-ca.pem"
cert_file = "{{ consul_config_path }}/certs/consul-server.pem"
key_file = "{{ consul_config_path }}/certs/consul-server.key"
auto_encrypt {
allow_tls = true
}
bind_addr = "{{ ansible_default_ipv4.address }}"
start_join = ["{{ groups['consul_server'] | map('extract', hostvars, ['ansible_default_ipv4', 'address']) | join('","') }}"]
data_dir = "/opt/consul"
log_level = "INFO"
raft_protocol = 3
addresses { addresses {
http = "0.0.0.0" http = "0.0.0.0"
} }
performance { performance {
raft_multiplier = 1 raft_multiplier = 1
} }
acl {
enabled = true
default_policy = "deny"
enable_token_persistence = true
tokens {
agent = "{{ lookup('hashi_vault', 'secret=kv/data/consul:data')['server-acl-token'] }}"
}
}