Test Consul Connect and Envoy
# ansible.cfg for the playbook below: pin the remote interpreter so Ansible does not
# rely on interpreter discovery on the Debian 10 targets (it should land on
# /usr/bin/python3 anyway; this makes it explicit — TODO confirm on your Ansible version).
[defaults]
interpreter_python = /usr/bin/python3
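# Requires an Ansible inventory with three Debian 10 machines named consul-1, consul-2, and consul-3,
# as members of a group named "consul_servers"
---
# Play 1 - build a lab PKI on the controller, under ./certs:
#   ca.key / ca.crt                   self-signed CA; ca.key is used only by this play and is never copied to a host
#   <host>.key / <host>.crt           agent certificate per consul_servers member (server + client auth)
#   <host>-cli.key / <host>-cli.crt   client-only certificate per member, used by the sidecars to reach the agent API
# All private keys are written owner-only; the previous mode 0644 made every key, including the CA's,
# readable by any local user on the controller.
- name: Generate certificates
  hosts: localhost
  connection: local
  tasks:
    - name: Create directory for certificates
      file:
        path: certs
        state: directory
        mode: "0700"

    - name: Generate CA private key
      openssl_privatekey:
        path: certs/ca.key
        # Anyone who can read this key can mint certificates every agent trusts.
        mode: "0600"

    - name: Create CA CSR
      openssl_csr:
        path: certs/ca.csr
        privatekey_path: certs/ca.key
        key_usage_critical: true
        basic_constraints_critical: true
        key_usage:
          - Digital Signature
          - Certificate Sign
          - CRL Sign
        basic_constraints:
          - "CA:TRUE"
        common_name: Consul CA

    - name: Generate CA certificate
      openssl_certificate:
        path: certs/ca.crt
        provider: selfsigned
        csr_path: certs/ca.csr
        privatekey_path: certs/ca.key

    # One agent key pair per server. Every server gets the same SAN list: server.test.consul
    # (server.<datacenter>.<domain>) is the name peers verify when verify_server_hostname is on.
    - name: Generate Consul private key
      openssl_privatekey:
        path: "certs/{{ item }}.key"
        mode: "0600"
      loop: "{{ groups['consul_servers'] }}"

    - name: Create Consul CSR
      openssl_csr:
        path: "certs/{{ item }}.csr"
        privatekey_path: "certs/{{ item }}.key"
        key_usage_critical: true
        basic_constraints_critical: true
        key_usage:
          - Digital Signature
          - Key Encipherment
        extended_key_usage:
          - TLS Web Server Authentication
          - TLS Web Client Authentication
        basic_constraints:
          - "CA:FALSE"
        subject_alt_name:
          - "DNS:server.test.consul"
          - "DNS:consul.test.lan"
          - "DNS:localhost"
          - "IP:127.0.0.1"
        common_name: server.test.consul
      loop: "{{ groups['consul_servers'] }}"

    - name: Generate Consul certificate
      openssl_certificate:
        path: "certs/{{ item }}.crt"
        provider: ownca
        csr_path: "certs/{{ item }}.csr"
        ownca_path: certs/ca.crt
        ownca_privatekey_path: certs/ca.key
      loop: "{{ groups['consul_servers'] }}"

    ###################################################
    # Client-only certificates for the Envoy sidecars' connection to the local agent API. They carry
    # clientAuth only and none of the server SANs, so they cannot pass as a server certificate.
    - name: Generate Consul Client private key
      openssl_privatekey:
        path: "certs/{{ item }}-cli.key"
        mode: "0600"
      loop: "{{ groups['consul_servers'] }}"

    - name: Create Consul CLI CSR
      openssl_csr:
        path: "certs/{{ item }}-cli.csr"
        privatekey_path: "certs/{{ item }}-cli.key"
        key_usage_critical: true
        basic_constraints_critical: true
        key_usage:
          - Digital Signature
          - Key Encipherment
        extended_key_usage:
          - TLS Web Client Authentication
        basic_constraints:
          - "CA:FALSE"
        common_name: client.test.consul
      loop: "{{ groups['consul_servers'] }}"

    - name: Generate Consul CLI certificate
      openssl_certificate:
        path: "certs/{{ item }}-cli.crt"
        provider: ownca
        csr_path: "certs/{{ item }}-cli.csr"
        ownca_path: certs/ca.crt
        ownca_privatekey_path: certs/ca.key
      loop: "{{ groups['consul_servers'] }}"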
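# Play 2 - install Docker on every server and run a Consul server agent in a host-networked container.
# Agent RPC and the HTTPS API (8501) are mutually authenticated with the play 1 certificates. No ACLs
# are configured, so the API is unauthenticated and Connect intentions default to allow-all; treat
# this as a lab configuration, not a hardening baseline.
- name: Consul
  hosts: consul_servers
  become: true
  vars:
    is_server: true
    # Gossip (Serf) encryption key in the format printed by `consul keygen`. It is taken from the
    # controller's environment so the secret is never stored with the playbook; override it with
    # -e consul_gossip_key=... or an ansible-vault variable. The key that was previously hard-coded
    # here has been published and must be treated as compromised.
    consul_gossip_key: "{{ lookup('env', 'CONSUL_GOSSIP_KEY') }}"
    consul_config:
      datacenter: test
      server: "{{ is_server }}"
      bootstrap_expect: 3
      retry_join: "{{ groups['consul_servers'] | map('extract', hostvars, ['ansible_default_ipv4','address']) | list }}"
      ui: true
      encrypt: "{{ consul_gossip_key }}"
      verify_incoming: true
      verify_incoming_rpc: true
      verify_outgoing: true
      # Peers must present server.test.consul (server.<datacenter>.<domain>); play 1 puts it in the SAN.
      verify_server_hostname: true
      ca_file: /consul/certs/ca.crt
      cert_file: "/consul/certs/{{ inventory_hostname }}.crt"
      key_file: "/consul/certs/{{ inventory_hostname }}.key"
      ports:
        # Plaintext API, kept for the UI. With Consul's default client_addr this should bind to
        # loopback only (confirm for your version); set it to -1 if the UI is not needed.
        http: 8500
        https: 8501
        grpc: 8502
      performance:
        raft_multiplier: 1
      connect:
        enabled: true
        ca_provider: consul
  pre_tasks:
    - name: Require a gossip encryption key
      assert:
        that:
          - consul_gossip_key | length > 0
        fail_msg: "consul_gossip_key is empty; run 'consul keygen' and export CONSUL_GOSSIP_KEY (or pass -e consul_gossip_key=...)"
      run_once: true
  tasks:
    - name: Install GPG and curl
      apt:
        name:
          - gpg
          - curl
        state: present

    # The fingerprint pins the key apt will trust, so a substituted download is rejected.
    - name: Install Docker APT key
      apt_key:
        id: "9DC858229FC7DD38854AE2D88D81803C0EBFCD88"
        url: https://download.docker.com/linux/debian/gpg
        state: present

    - name: Install Docker APT repository
      copy:
        content: "deb [arch=amd64] https://download.docker.com/linux/debian buster stable\n"
        dest: /etc/apt/sources.list.d/docker.list
        owner: root
        group: root
        mode: "0644"

    - name: Install Docker and Ansible Docker support
      apt:
        update_cache: true
        name:
          - docker-ce
          - python3-docker
        state: present

    # /consul/build is the Docker build context for the sidecar image (see below); it is root-owned
    # so the Dockerfile cannot be altered by other local users between being written and being built.
    - name: Create Consul directories
      file:
        path: "{{ item }}"
        state: directory
        owner: root
        group: root
        mode: "0755"
      loop:
        - /consul/data
        - /consul/certs
        - /consul/config
        - /consul/build

    # NOTE(review): the private keys are installed world-readable because they are read inside the
    # consul and consul-envoy containers, whose uids are not established here. Tighten to 0640/0600
    # with a matching owner once those uids are confirmed.
    - name: Install certificates and keys
      copy:
        src: "certs/{{ item }}"
        dest: "/consul/certs/{{ item }}"
        owner: root
        group: root
        mode: "0644"
      loop:
        - "{{ inventory_hostname }}.key"
        - "{{ inventory_hostname }}.crt"
        - "{{ inventory_hostname }}-cli.key"
        - "{{ inventory_hostname }}-cli.crt"
        - ca.crt
      notify: Restart Consul

    # NOTE(review): this makes the whole OS trust the lab CA for any TLS connection, not just Consul.
    # Nothing in this playbook needs it (the sidecars pass CONSUL_CACERT explicitly); drop it unless
    # host-side tooling relies on the system trust store.
    - name: Install CA
      copy:
        src: certs/ca.crt
        dest: /usr/local/share/ca-certificates/ca.crt
        owner: root
        group: root
        mode: "0644"
      notify: Update CAs

    - name: Configure Consul agent
      copy:
        content: "{{ consul_config | to_nice_json }}"
        dest: /consul/config/agent.json
        owner: root
        group: root
        mode: "0644"
      notify: Restart Consul

    - name: Start Consul container
      docker_container:
        name: consul
        image: consul:1.7.1
        network_mode: host
        command: "agent -server -bind={{ ansible_default_ipv4.address }}"
        volumes:
          - /consul/data:/consul/data:rw
          - /consul/certs:/consul/certs:ro
          - /consul/config:/consul/config:rw
      register: start_consul

    # The Dockerfile and build context live in /consul/build rather than /tmp: /tmp is world-writable,
    # and using it as the build context would also send everything in /tmp to the Docker daemon.
    - name: Install Dockerfile for consul-envoy
      copy:
        content: |
          FROM consul:1.7.1
          FROM envoyproxy/envoy:v1.13.0
          COPY --from=0 /bin/consul /bin/consul
          ENTRYPOINT ["consul", "connect", "envoy"]
        dest: /consul/build/Dockerfile
        owner: root
        group: root
        mode: "0644"

    - name: Build consul-envoy Docker image
      docker_image:
        name: consul-envoy
        build:
          path: /consul/build
        source: build

  handlers:
    - name: Update CAs
      command: update-ca-certificates

    # A container that "Start Consul container" just created already runs the new config and certs;
    # only restart a pre-existing one. default(false) keeps the condition valid if that task did not run.
    - name: Restart Consul
      docker_container:
        name: consul
        restart: true
      when: not (start_consul.changed | default(false))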
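###################################################
# Play 3 - register an Apache "web" service on consul-1 and start its Envoy sidecar.
- name: Add services to consul-1
  hosts: consul-1
  become: true
  tasks:
    - name: Install web server
      apt:
        name: apache2
        state: present

    - name: Add web service to consul-1
      copy:
        content: "{{ web_service_config | to_nice_json }}"
        dest: /consul/config/web.json
        owner: root
        group: root
        mode: "0644"
      vars:
        web_service_config:
          service:
            name: web
            # NOTE(review): the mesh only protects traffic that goes through the sidecar. If apache2
            # keeps its default of listening on every interface, port 80 remains reachable directly
            # and mTLS is bypassed; bind it to 127.0.0.1 (and register that address here) to close that.
            port: 80
            connect:
              sidecar_service: {}
      register: add_service_web
      tags: add-service

    - name: Restart Consul
      docker_container:
        name: consul
        restart: true
      when: add_service_web.changed

    # The sidecar authenticates to the local agent API (HTTPS 8501) with consul-1's client-only cert
    # from play 1. "-l debug" is Envoy's log level: noisy, but harmless in a lab.
    - name: Run web service proxy
      docker_container:
        name: web-proxy
        image: consul-envoy
        command: "-sidecar-for web -- -l debug"
        network_mode: host
        volumes:
          - /consul/certs:/consul/certs:ro
        env:
          CONSUL_HTTP_ADDR: "https://127.0.0.1:8501"
          CONSUL_CACERT: /consul/certs/ca.crt
          CONSUL_CLIENT_CERT: /consul/certs/consul-1-cli.crt
          CONSUL_CLIENT_KEY: /consul/certs/consul-1-cli.key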
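###################################################
# Play 4 - register a "web-client" service on consul-2 whose sidecar exposes the upstream "web"
# service locally on port 8889; from there to consul-1's sidecar the connection is mesh mTLS.
- name: Make web service available to consul-2
  hosts: consul-2
  become: true
  tasks:
    - name: Configure web client service
      copy:
        content: "{{ web_client_config | to_nice_json }}"
        dest: /consul/config/web-client.json
        owner: root
        group: root
        mode: "0644"
      vars:
        web_client_config:
          service:
            name: web-client
            port: 8888
            connect:
              sidecar_service:
                proxy:
                  upstreams:
                    - destination_name: web
                      # The sidecar binds the upstream here (loopback unless local_bind_address is set).
                      # With no ACLs configured, anything on consul-2 that can reach this port reaches
                      # "web" with the sidecar's identity.
                      local_bind_port: 8889
      register: add_service_web_client

    - name: Restart Consul
      docker_container:
        name: consul
        restart: true
      when: add_service_web_client.changed

    # The sidecar authenticates to the local agent API (HTTPS 8501) with consul-2's client-only cert
    # from play 1. "-l debug" is Envoy's log level: noisy, but harmless in a lab.
    - name: Run web client service proxy
      docker_container:
        name: web-client-proxy
        image: consul-envoy
        command: "-sidecar-for web-client -- -l debug"
        network_mode: host
        volumes:
          - /consul/certs:/consul/certs:ro
        env:
          CONSUL_HTTP_ADDR: "https://127.0.0.1:8501"
          CONSUL_CACERT: /consul/certs/ca.crt
          CONSUL_CLIENT_CERT: /consul/certs/consul-2-cli.crt
          CONSUL_CLIENT_KEY: /consul/certs/consul-2-cli.key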