81 lines
1.5 KiB
Org Mode
#+title: Consul

* Server setup

** Create a server keypair

Decrypt the CA certificate and key (stored as agenix secrets):

#+begin_src bash
agenix -i ~/.ssh/id_reykjavik -d consul.d/consul-agent-ca.pem.age > ~/tmp/consul-agent-ca.pem
agenix -i ~/.ssh/id_reykjavik -d consul.d/consul-agent-ca-key.pem.age > ~/tmp/consul-agent-ca-key.pem
#+end_src

Create the keypair using consul:

#+begin_src bash
# Enter a shell with consul on PATH, then run the cert command inside it.
# consul looks for consul-agent-ca.pem and consul-agent-ca-key.pem in the
# current directory, so run it from ~/tmp where the CA was decrypted, and
# remove the decrypted CA key from ~/tmp once the server cert is written.
nix-shell -p consul
consul tls cert create -server -dc samfelag
#+end_src

* ACLs

** Policies

*** Node Policy

Policy for agent tokens:

#+begin_src hcl
agent_prefix "" {
  policy = "write"
}

node_prefix "" {
  policy = "write"
}

service_prefix "" {
  policy = "read"
}

session_prefix "" {
  policy = "read"
}
#+end_src

*** Nomad client

Policy for Nomad clients (the token goes in the =consul.token= field of the Nomad config):

#+begin_src hcl
agent_prefix "" {
  policy = "read"
}

node_prefix "" {
  policy = "read"
}

service_prefix "" {
  policy = "write"
}
#+end_src

*** Nomad server

Policy for Nomad servers (the token goes in the =consul.token= field of the Nomad config):

#+begin_src hcl
agent_prefix "" {
  policy = "read"
}

node_prefix "" {
  policy = "read"
}

service_prefix "" {
  policy = "write"
}

acl = "write"
#+end_src
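The three policies above differ only in which resource kinds get =write=: the node token may write nodes and agents, the Nomad tokens may write services, and only the Nomad server token may manage ACLs. The following Python script is an added example, not part of this document and not Consul's own evaluator: it parses the small subset of policy HCL used here and answers "does a token carrying this policy permit this operation", using a simplified form of Consul's longest-matching-prefix rule. The policy strings, the resource names and the =privilege_report= helper are constructed for the example.

```python
import re

# Constructed sample policies, mirroring the three HCL policies in this
# document (node agent, Nomad client, Nomad server).
NODE_POLICY = """
agent_prefix ""   { policy = "write" }
node_prefix ""    { policy = "write" }
service_prefix "" { policy = "read" }
session_prefix "" { policy = "read" }
"""

NOMAD_CLIENT_POLICY = """
agent_prefix ""   { policy = "read" }
node_prefix ""    { policy = "read" }
service_prefix "" { policy = "write" }
"""

NOMAD_SERVER_POLICY = """
agent_prefix ""   { policy = "read" }
node_prefix ""    { policy = "read" }
service_prefix "" { policy = "write" }
acl = "write"
"""

LEVEL = {"deny": 0, "read": 1, "write": 2}

# <kind>_prefix "<prefix>" { policy = "<level>" }  (braces may span lines)
PREFIX_RULE = re.compile(
    r'(\w+)_prefix\s+"([^"]*)"\s*\{\s*policy\s*=\s*"(deny|read|write)"\s*\}')
# top-level scalar rules such as: acl = "write"
SCALAR_RULE = re.compile(r'^\s*(\w+)\s*=\s*"(deny|read|write)"\s*$', re.M)


def parse_policy(text):
    """Parse the policy subset used above into {(kind, prefix): level}.
    Scalar rules (acl = "...") are stored with prefix=None."""
    rules = {}
    for kind, prefix, level in PREFIX_RULE.findall(text):
        rules[(kind, prefix)] = level
    # Strip the prefix blocks first so their inner `policy = "..."` lines
    # are not mistaken for top-level scalar rules.
    for kind, level in SCALAR_RULE.findall(PREFIX_RULE.sub("", text)):
        rules[(kind, None)] = level
    return rules


def effective_level(rules, kind, name=""):
    """Level granted on one resource: the longest matching prefix wins
    (Consul's rule for prefix policies); no matching rule means deny."""
    best_prefix, best_level = None, "deny"
    for (k, prefix), level in rules.items():
        if k != kind:
            continue
        if prefix is None:  # scalar rule, e.g. acl = "write"
            return level
        if name.startswith(prefix) and (
                best_prefix is None or len(prefix) > len(best_prefix)):
            best_prefix, best_level = prefix, level
    return best_level


def is_allowed(rules, kind, action, name=""):
    """True if the policy grants at least `action` (read/write) on the resource."""
    return LEVEL[effective_level(rules, kind, name)] >= LEVEL[action]


def privilege_report(policies):
    """For each named policy, say which sensitive operations it permits.
    Handy for eyeballing least privilege across the token kinds."""
    checks = [
        ("register node", "node", "write", "hvannadal"),
        ("register service", "service", "write", "web"),
        ("manage ACLs", "acl", "write", ""),
    ]
    report = {}
    for pname, text in policies.items():
        rules = parse_policy(text)
        report[pname] = {label: is_allowed(rules, kind, action, name)
                         for label, kind, action, name in checks}
    return report


if __name__ == "__main__":
    policies = {"node": NODE_POLICY,
                "nomad-client": NOMAD_CLIENT_POLICY,
                "nomad-server": NOMAD_SERVER_POLICY}
    for pname, perms in privilege_report(policies).items():
        granted = [op for op, ok in perms.items() if ok]
        print(f"{pname:13s} -> {', '.join(granted) or 'nothing sensitive'}")
```

Running it shows that only the Nomad server token can manage ACLs and only the node token can write node entries; if a token ever needs more than its row shows, that is the signal to split the policy rather than widen it. Consul's real evaluator (and =consul acl policy read=) remains the source of truth; this is a model for reasoning about the policies in this file.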
** Node Agent Token

Create a token at http://hvannadal:8500/ui/samfelag/acls/tokens with the node policy.

Create the consul config file and encrypt it via agenix:

#+begin_src bash
agenix -e consul.d/agent-token-<host>.json.age
#+end_src

JSON config:

#+begin_src json
{
  "acl": {
    "tokens": {
      "default": "<AGENT_TOKEN>",
      "agent": "<AGENT_TOKEN>"
    }
  }
}
#+end_src