Test Consul Connect and Envoy
[defaults]
# Use this interpreter on the managed hosts instead of relying on Ansible's
# interpreter discovery (the inventory hosts are Debian 10, see the playbook).
interpreter_python = /usr/bin/python3
# Requires an Ansible inventory with three Debian 10 machines named consul-1, consul-2, and consul-3,
# as members of a group named "consul_servers"
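---
# Play 1: build a private CA on the controller and issue two certificate pairs
# per Consul server host: a server certificate (agent RPC / HTTPS API) and a
# client-only certificate used by the CLI and the Envoy sidecars to reach the
# mutually-authenticated HTTPS API.
- name: Generate certificates
  hosts: localhost
  connection: local
  tasks:
    - name: Create directory for certificates
      file:
        path: certs
        state: directory
        # Holds the CA private key; keep it private to the controller user.
        mode: "0700"
    - name: Generate CA private key
      openssl_privatekey:
        path: certs/ca.key
        # Private key: owner-only, never world-readable (the original 0644 left
        # the CA key readable by every local user).
        mode: "0600"
    - name: Create CA CSR
      openssl_csr:
        path: certs/ca.csr
        privatekey_path: certs/ca.key
        key_usage_critical: true
        basic_constraints_critical: true
        key_usage:
          - Digital Signature
          - Certificate Sign
          - CRL Sign
        basic_constraints:
          - "CA:TRUE"
        common_name: Consul CA
    - name: Generate CA certificate
      openssl_certificate:
        path: certs/ca.crt
        provider: selfsigned  # ownca
        csr_path: certs/ca.csr
        privatekey_path: certs/ca.key
    - name: Generate Consul private key
      openssl_privatekey:
        path: "certs/{{ item }}.key"
        mode: "0600"
      loop: "{{ groups['consul_servers'] }}"
    - name: Create Consul CSR
      openssl_csr:
        path: "certs/{{ item }}.csr"
        privatekey_path: "certs/{{ item }}.key"
        key_usage_critical: true
        basic_constraints_critical: true
        key_usage:
          - Digital Signature
          - Key Encipherment
        extended_key_usage:
          - TLS Web Server Authentication
          - TLS Web Client Authentication
        basic_constraints:
          - "CA:FALSE"
        # verify_server_hostname (Consul play) makes agents check that a server
        # certificate is valid for server.<datacenter>.<domain>, which with
        # datacenter "test" and the default domain is server.test.consul.
        subject_alt_name:
          - "DNS:server.test.consul"
          - "DNS:consul.test.lan"
          - "DNS:localhost"
          - "IP:127.0.0.1"
        common_name: server.test.consul
      loop: "{{ groups['consul_servers'] }}"
    - name: Generate Consul certificate
      openssl_certificate:
        path: "certs/{{ item }}.crt"
        provider: ownca
        csr_path: "certs/{{ item }}.csr"
        ownca_path: certs/ca.crt
        ownca_privatekey_path: certs/ca.key
      loop: "{{ groups['consul_servers'] }}"
    ###################################################
    # Client certificates, one per server host, for the CLI and the Envoy
    # sidecars. They carry only clientAuth, so they cannot be used to
    # impersonate a Consul server.
    - name: Generate Consul Client private key
      openssl_privatekey:
        path: "certs/{{ item }}-cli.key"
        mode: "0600"
      loop: "{{ groups['consul_servers'] }}"
    - name: Create Consul CLI CSR
      openssl_csr:
        path: "certs/{{ item }}-cli.csr"
        privatekey_path: "certs/{{ item }}-cli.key"
        key_usage_critical: true
        basic_constraints_critical: true
        key_usage:
          - Digital Signature
          - Key Encipherment
        extended_key_usage:
          - TLS Web Client Authentication
        basic_constraints:
          - "CA:FALSE"
        common_name: client.test.consul
      loop: "{{ groups['consul_servers'] }}"
    - name: Generate Consul CLI certificate
      openssl_certificate:
        path: "certs/{{ item }}-cli.crt"
        provider: ownca
        csr_path: "certs/{{ item }}-cli.csr"
        ownca_path: certs/ca.crt
        ownca_privatekey_path: certs/ca.key
      loop: "{{ groups['consul_servers'] }}"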
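# Play 2: install Docker on every Consul server host, ship the certificates,
# render the agent configuration and run Consul 1.7.1 as a host-networked
# container; also build the consul-envoy image used by the sidecar plays.
- name: Consul
  hosts: consul_servers
  become: true
  vars:
    is_server: true
    # Rendered verbatim to /consul/config/agent.json; keys are Consul agent
    # configuration options.
    consul_config:
      datacenter: test
      server: "{{ is_server }}"
      bootstrap_expect: 3
      retry_join: "{{ groups['consul_servers'] | map('extract', hostvars, ['ansible_default_ipv4','address']) | list }}"
      ui: true
      # Gossip encryption key. Generate one with `consul keygen` and supply it
      # out of band (ansible-vault, --extra-vars, or an inventory kept out of
      # version control); the play fails fast if it is undefined. The key must
      # never be committed next to the playbook.
      encrypt: "{{ consul_encrypt_key }}"
      # Mutual TLS on RPC and on the HTTPS API: every incoming connection must
      # present a certificate signed by ca_file (the *-cli.* pairs above).
      verify_incoming: true
      verify_incoming_rpc: true
      verify_outgoing: true
      verify_server_hostname: true
      ca_file: /consul/certs/ca.crt
      cert_file: "/consul/certs/{{ inventory_hostname }}.crt"
      key_file: "/consul/certs/{{ inventory_hostname }}.key"
      ports:
        # 8500 remains a plaintext HTTP API (bound to Consul's default
        # client_addr, 127.0.0.1). Everything in this gist uses 8501; set
        # http to -1 to disable the plaintext port once nothing needs it.
        http: 8500
        https: 8501
        grpc: 8502
      performance:
        raft_multiplier: 1
      connect:
        enabled: true
        ca_provider: consul
  tasks:
    - name: Install GPG and curl
      apt:
        name:
          - gpg
          - curl
        state: present
    - name: Install Docker APT key
      apt_key:
        # Expected fingerprint of the downloaded key; the module compares the
        # fetched key against it instead of trusting whatever the URL serves.
        id: "9DC858229FC7DD38854AE2D88D81803C0EBFCD88"
        url: https://download.docker.com/linux/debian/gpg
        state: present
    - name: Install Docker APT repository
      copy:
        content: "deb [arch=amd64] https://download.docker.com/linux/debian buster stable\n"
        dest: /etc/apt/sources.list.d/docker.list
        owner: root
        group: root
        mode: "0644"
    - name: Install Docker and Ansible Docker support
      apt:
        update_cache: true
        name:
          - docker-ce
          - python3-docker
        state: present
    - name: Create Consul directories
      file:
        path: "{{ item }}"
        state: directory
        owner: root
        group: root
        mode: "0755"
      loop:
        - /consul/data
        - /consul/certs
        - /consul/config
        # Dedicated, root-owned build context for the consul-envoy image
        # instead of the world-writable /tmp.
        - /consul/build
    - name: Install certificates and keys
      copy:
        src: "certs/{{ item }}"
        dest: "/consul/certs/{{ item }}"
        owner: root
        group: root
        # NOTE(review): world-readable so the consul and envoy containers can
        # read the private keys; confirm the uid the consul image runs the
        # agent as and restrict the *.key files to that owner (0640/0600).
        mode: "0644"
      loop:
        - "{{ inventory_hostname }}.key"
        - "{{ inventory_hostname }}.crt"
        - "{{ inventory_hostname }}-cli.key"
        - "{{ inventory_hostname }}-cli.crt"
        - ca.crt
      notify: Restart Consul
    - name: Install CA
      copy:
        src: certs/ca.crt
        dest: /usr/local/share/ca-certificates/ca.crt
        owner: root
        group: root
        mode: "0644"
      notify: Update CAs
    - name: Configure Consul agent
      copy:
        content: "{{ consul_config | to_nice_json }}"
        dest: /consul/config/agent.json
        owner: root
        group: root
        # NOTE(review): agent.json contains the gossip key; same ownership
        # caveat as the key files above before tightening below 0644.
        mode: "0644"
      notify: Restart Consul
    - name: Start Consul container
      docker_container:
        name: consul
        image: consul:1.7.1
        network_mode: host
        command: "agent -server -bind={{ ansible_default_ipv4.address }}"
        volumes:
          - /consul/data:/consul/data:rw
          - /consul/certs:/consul/certs:ro
          - /consul/config:/consul/config:rw
      # Consulted by the Restart Consul handler to avoid a double restart on
      # first deployment.
      register: start_consul
    - name: Install Dockerfile for consul-envoy
      copy:
        content: |
          FROM consul:1.7.1
          FROM envoyproxy/envoy:v1.13.0
          COPY --from=0 /bin/consul /bin/consul
          ENTRYPOINT ["consul", "connect", "envoy"]
        dest: /consul/build/Dockerfile
        owner: root
        group: root
        mode: "0644"
    - name: Build consul-envoy Docker image
      docker_image:
        name: consul-envoy
        build:
          # Build context is the dedicated directory only, so no stray files
          # from other users end up in the image.
          path: /consul/build
        source: build
  handlers:
    - name: Update CAs
      command: update-ca-certificates
    - name: Restart Consul
      docker_container:
        name: consul
        restart: true
      # The start task already (re)created the container when it reported a
      # change; only restart when it did not.
      when: not start_consul.changed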
###################################################
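# Play 3: register a Connect-enabled "web" service on consul-1 and run its
# Envoy sidecar from the consul-envoy image built in the Consul play.
- name: Add services to consul-1
  hosts: consul-1
  become: true
  tasks:
    - name: Install web server
      # Debian's default apache2 configuration listens on all interfaces, so
      # port 80 is also reachable directly, bypassing the sidecar's mTLS; bind
      # it to 127.0.0.1 to force traffic through Connect.
      apt:
        name: apache2
        state: present
    - name: Add web service to consul-1
      copy:
        content: "{{ web_service_config | to_nice_json }}"
        dest: /consul/config/web.json
        owner: root
        group: root
        mode: "0644"
      vars:
        web_service_config:
          service:
            name: web
            port: 80
            connect:
              # Empty mapping: request a sidecar with default settings.
              sidecar_service: {}
      register: add_service_web
      tags: add-service
    - name: Restart Consul
      docker_container:
        name: consul
        restart: true
      when: add_service_web.changed
    - name: Run web service proxy
      docker_container:
        name: web-proxy
        image: consul-envoy
        # auto_remove: yes
        # Arguments to `consul connect envoy` (the image ENTRYPOINT); -l debug
        # is Envoy's log level.
        command: "-sidecar-for web -- -l debug"
        network_mode: host
        volumes:
          - /consul/certs:/consul/certs:ro
        env:
          # CONSUL_HTTP_SSL: "true"
          # Talk to the local agent over the mutually-authenticated HTTPS API
          # with this host's client certificate.
          CONSUL_HTTP_ADDR: https://127.0.0.1:8501
          CONSUL_CACERT: /consul/certs/ca.crt
          CONSUL_CLIENT_CERT: "/consul/certs/{{ inventory_hostname }}-cli.crt"
          CONSUL_CLIENT_KEY: "/consul/certs/{{ inventory_hostname }}-cli.key"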
###################################################
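# Play 4: register a "web-client" service on consul-2 whose sidecar exposes
# the "web" service from consul-1 as an upstream on a local port.
- name: Make web service available to consul-2
  hosts: consul-2
  become: true
  tasks:
    - name: Configure web client service
      copy:
        content: "{{ web_client_config | to_nice_json }}"
        dest: /consul/config/web-client.json
        owner: root
        group: root
        mode: "0644"
      vars:
        web_client_config:
          service:
            name: web-client
            # Nothing in this play starts a process on 8888; the service
            # exists so its sidecar gets an upstream listener for "web".
            port: 8888
            connect:
              sidecar_service:
                proxy:
                  upstreams:
                    - destination_name: web
                      # Local port on consul-2 that is proxied, over Connect
                      # mTLS, to the web service on consul-1.
                      local_bind_port: 8889
      register: add_service_web_client
    - name: Restart Consul
      docker_container:
        name: consul
        restart: true
      when: add_service_web_client.changed
    - name: Run web client service proxy
      docker_container:
        name: web-client-proxy
        image: consul-envoy
        # auto_remove: yes
        # Arguments to `consul connect envoy` (the image ENTRYPOINT); -l debug
        # is Envoy's log level.
        command: "-sidecar-for web-client -- -l debug"
        network_mode: host
        volumes:
          - /consul/certs:/consul/certs:ro
        env:
          # CONSUL_HTTP_SSL: "true"
          # Talk to the local agent over the mutually-authenticated HTTPS API
          # with this host's client certificate.
          CONSUL_HTTP_ADDR: https://127.0.0.1:8501
          CONSUL_CACERT: /consul/certs/ca.crt
          CONSUL_CLIENT_CERT: "/consul/certs/{{ inventory_hostname }}-cli.crt"
          CONSUL_CLIENT_KEY: "/consul/certs/{{ inventory_hostname }}-cli.key"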