Consul
Server setup
Create a server keypair <<create_keypair>>
Decrypt the CA (from the agenix secrets)
agenix -i ~/.ssh/id_reykjavik -d consul.d/consul-agent-ca.pem.age > ~/tmp/consul-agent-ca.pem
agenix -i ~/.ssh/id_reykjavik -d consul.d/consul-agent-ca-key.pem.age > ~/tmp/consul-agent-ca-key.pem
Create the keypair using consul:
nix-shell -p consul
consul tls cert create -server -dc samfelag
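The decrypt-and-issue steps above as one function, added here as an example and not part of the original notes: it decrypts the CA into a private scratch directory instead of ~/tmp and deletes that directory afterwards, so the CA private key does not stay on disk in plaintext. The function name, its three parameters and the output directory are assumptions; it expects agenix and consul on PATH (for instance inside nix-shell -p consul) and must be run from the directory the agenix commands above are run from.

```sh
# Added example. Parameters (hypothetical, for this example only):
#   $1 agenix identity file, $2 datacenter name,
#   $3 directory that receives the new server certificate and key.
# Usage: issue_server_cert ~/.ssh/id_reykjavik samfelag ./certs
issue_server_cert() {
    identity=$1 dc=$2 out=$3 rc=0
    work=$(mktemp -d) || return 1        # mktemp -d creates it with mode 0700
    (
        umask 077                        # decrypted files: owner read/write only
        # Same agenix calls as in the steps above, redirected into the scratch dir.
        agenix -i "$identity" -d consul.d/consul-agent-ca.pem.age \
            > "$work/consul-agent-ca.pem" || exit 1
        agenix -i "$identity" -d consul.d/consul-agent-ca-key.pem.age \
            > "$work/consul-agent-ca-key.pem" || exit 1
        mkdir -p "$out" || exit 1
        out=$(cd "$out" && pwd) || exit 1    # make absolute before changing directory
        cd "$work" || exit 1
        # By default consul reads consul-agent-ca.pem and consul-agent-ca-key.pem
        # from the current directory.
        consul tls cert create -server -dc "$dc" || exit 1
        # consul names the results <dc>-server-consul-N.pem and ...-N-key.pem.
        # Move only those out; the CA files stay in the scratch dir.
        mv "$dc"-server-consul-* "$out"/ || exit 1
    ) || rc=$?
    rm -rf "$work"                       # reached on success and on failure
    return "$rc"
}
```

The `|| rc=$?` after the subshell keeps the cleanup reachable even when the caller runs with `set -e`.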
ACLs
Policies
Node Policy
Policy for agent tokens
agent_prefix "" {
  policy = "write"
}
node_prefix "" {
  policy = "write"
}
service_prefix "" {
  policy = "read"
}
session_prefix "" {
  policy = "read"
}
Nomad client
Policy for Nomad clients (the token created with it goes in the consul.token field of the Nomad config)
agent_prefix "" {
  policy = "read"
}
node_prefix "" {
  policy = "read"
}
service_prefix "" {
  policy = "write"
}
Nomad server
Policy for Nomad servers (the token created with it goes in the consul.token field of the Nomad config)
agent_prefix "" {
  policy = "read"
}
node_prefix "" {
  policy = "read"
}
service_prefix "" {
  policy = "write"
}
acl = "write"
Node Agent Token
Create a token at http://hvannadal:8500/ui/samfelag/acls/tokens with the node policy. Create the consul config file and encrypt it via agenix:
agenix -e consul.d/agent-token-<host>.json.age
JSON config:
{
  "acl": {
    "tokens": {
      "default": "<AGENT_TOKEN>",
      "agent": "<AGENT_TOKEN>"
    }
  }
}
Renew expired certificates
Find the expired certificate
openssl x509 -in /etc/consul.d/certs/samfelag-server-consul.pem -enddate -noout
Follow the steps described in Create a server keypair.