WIP: Begin config to bootstrap ACLs
Following the guide at https://learn.hashicorp.com/tutorials/consul/vault-consul-secrets?in=consul/vault-secure (unsure of how this will actually authenticate, though).
This commit is contained in:
parent
25ec582eaf
commit
ce2d2bb6cd
23
nomad/acls/consul_vault.tf
Normal file
23
nomad/acls/consul_vault.tf
Normal file
@ -0,0 +1,23 @@
|
||||
resource "vault_consul_secret_backend" "config" {
|
||||
path = "consul"
|
||||
description = "Manages the Consul backend"
|
||||
|
||||
address = "http://127.0.0.1:8500"
|
||||
token = var.consul_token
|
||||
}
|
||||
|
||||
resource "consul_acl_policy" "server_policy" {
|
||||
name = "consul-servers"
|
||||
rules = <<EOH
|
||||
node_prefix "server-" {
|
||||
policy = "write"
|
||||
}
|
||||
node_prefix "" {
|
||||
policy = "read"
|
||||
}
|
||||
service_prefix "" {
|
||||
policy = "read"
|
||||
}
|
||||
|
||||
EOH
|
||||
}
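Review bot: `address = "http://127.0.0.1:8500"` is hard-coded even though the same module already declares `variable "consul_address"` (default `http://n1.thefij:8500`), so Vault's Consul secrets engine and the Consul provider can end up talking to different agents; use `address = var.consul_address` here. Because this is the management token Vault will keep and use to mint Consul tokens, the plain-HTTP address also means `var.consul_token` and every issued token cross the wire unencrypted unless the endpoint really is loopback-only — worth a comment recording that assumption. `consul_acl_policy.server_policy` is declared but nothing in this file ties it to a `vault_consul_secret_backend_role`, so as the commit says WIP, a `# TODO: bind to a vault_consul_secret_backend_role` above the policy would tell the next reader what is still missing.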
|
@ -3,15 +3,19 @@ variable "consul_address" {
|
||||
default = "http://n1.thefij:8500"
|
||||
}
|
||||
|
||||
variable "consul_token" {
|
||||
type = string
|
||||
description = "Token for setting up consul"
|
||||
sensitive = true
|
||||
}
|
||||
|
||||
variable "nomad_secret_id" {
|
||||
type = string
|
||||
description = "Secret ID for ACL bootstrapped Nomad"
|
||||
sensitive = true
|
||||
default = ""
|
||||
}
|
||||
|
||||
variable "vault_token" {
|
||||
type = string
|
||||
sensitive = true
|
||||
default = ""
|
||||
}
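Review bot: `description = "Token for setting up consul"` undersells what `consul_token` is: the new `consul_vault.tf` passes it to `vault_consul_secret_backend.config`, so it is the management-level token Vault stores and uses to mint Consul tokens, and it outlives this apply rather than being a one-off setup credential. Suggest `description = "Consul management token handed to Vault's consul secrets engine for minting tokens"`. Which of the variable blocks in this hunk are newly added is not recoverable from the rendered page, so the note applies to whichever is new.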
|
||||
|
@ -3,9 +3,6 @@
|
||||
hosts: consul_instances
|
||||
any_errors_fatal: true
|
||||
|
||||
vars_files:
|
||||
- consul_values.yml
|
||||
|
||||
roles:
|
||||
- role: ansible-consul
|
||||
vars:
|
||||
@ -32,6 +29,9 @@
|
||||
consul_ports_grpc: 8502
|
||||
consul_client_address: "0.0.0.0"
|
||||
|
||||
consul_acl_enabled: true
|
||||
consul_acl_default_policy: "deny"
|
||||
|
||||
# Enable metrics
|
||||
consul_config_custom:
|
||||
telemetry:
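Review bot: `consul_acl_enabled: true` together with `consul_acl_default_policy: "deny"` leaves the agents themselves without a token: nothing in this hunk configures an agent token, and the bootstrap task added further down only registers the result and copies it to localhost, so once ACLs take effect node and service registration from the agents will be denied until an agent token is configured. If ansible-consul exposes an agent-token variable (please confirm against the role), it should be fed from the bootstrap output; until then a comment such as `# Agents need an agent token once default_policy is deny; see bootstrap task below` records the dependency. The `consul_config_custom` block continues outside the hunk.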
|
||||
@ -52,6 +52,7 @@
|
||||
become: true
|
||||
|
||||
tasks:
|
||||
# Bootstrap ACLs
|
||||
- name: Start Consul
|
||||
systemd:
|
||||
state: started
|
||||
@ -61,35 +62,28 @@
|
||||
# If DNS is broken after dnsmasq, then need to set /etc/resolv.conf to something
|
||||
# pointing to 127.0.0.1 and possibly restart Docker and Nomad
|
||||
|
||||
- name: Add values
|
||||
- name: Boostrap ACLs
|
||||
command:
|
||||
argv:
|
||||
- "consul"
|
||||
- "acl"
|
||||
- "bootstrap"
|
||||
- "-format=json"
|
||||
run_once: true
|
||||
ignore_errors: true
|
||||
register: bootstrap_result
|
||||
|
||||
- name: Save bootstrap result
|
||||
copy:
|
||||
content: "{{ bootstrap_result.stdout }}"
|
||||
dest: "./consul_bootstrap.json"
|
||||
when: bootstrap_result is succeeded
|
||||
delegate_to: localhost
|
||||
run_once: true
|
||||
block:
|
||||
- name: Install python-consul
|
||||
pip:
|
||||
name: python-consul
|
||||
extra_args: --index-url https://pypi.org/simple
|
||||
|
||||
- name: Set hostname
|
||||
consul_kv:
|
||||
host: "{{ inventory_hostname }}"
|
||||
key: global/base_hostname
|
||||
# TODO: propogate this through via Consul and Nomad templates rather than Terraform
|
||||
value: dev.homelab
|
||||
|
||||
- name: Write values
|
||||
consul_kv:
|
||||
host: "{{ inventory_hostname }}"
|
||||
key: "{{ item.key }}"
|
||||
value: "{{ item.value }}"
|
||||
loop: "{{ consul_values | default({}) | dict2items }}"
|
||||
|
||||
- name: Setup Vault cluster
|
||||
hosts: vault_instances
|
||||
|
||||
vars_files:
|
||||
- ./vault_hashi_vault_values.yml
|
||||
|
||||
roles:
|
||||
- name: ansible-vault
|
||||
vars:
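Review bot: The result captured by `register: bootstrap_result` contains the initial management SecretID, and the `copy` task writes it in clear to `./consul_bootstrap.json` in the playbook's working directory with no `mode`, so it lands with the controller's default umask and is one `git add` away from the repository. Add `no_log: true` to the bootstrap task so the token is not echoed in task output, and `mode: "0600"` to the copy, and keep that file out of version control (or hand it straight to Vault rather than leaving it on disk). `ignore_errors: true` also hides connectivity and permission failures, not only the already-bootstrapped case; a `failed_when` that inspects `bootstrap_result.stderr` for the already-bootstrapped message would keep real errors visible — the exact message is not on the page, so confirm it before relying on it. `name: Boostrap ACLs` has a typo (`Bootstrap`). The enclosing play starts above this hunk.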
|
||||
|