@fboukezzoula
Last active March 26, 2023 21:05
Deploy Consul server in an existing environment.
#!/usr/bin/env bash
export DATACENTER=${DATACENTER:-"dc1"}
export DOMAIN=${DOMAIN:-"consul"}
export CONSUL_DATA_DIR=${CONSUL_DATA_DIR:-"/etc/consul/data"}
export CONSUL_CONFIG_DIR=${CONSUL_CONFIG_DIR:-"/etc/consul/config"}
export DNS_RECURSOR=${DNS_RECURSOR:-"1.1.1.1"}
export HTTPS_PORT=${HTTPS_PORT:-"8443"}
export DNS_PORT=${DNS_PORT:-"8600"}

echo "Clean existing configuration"
rm -rf "${CONSUL_DATA_DIR}/"
rm -rf "${CONSUL_CONFIG_DIR}/"

echo "Generate Consul folders"
mkdir -p "${CONSUL_CONFIG_DIR}" && mkdir -p "${CONSUL_DATA_DIR}"
STAT=$?
if [ ${STAT} -ne 0 ]; then
  echo "Folder creation failed, exiting."
  exit 1
fi

# consul tls writes the CA and certificate files into the current directory,
# so the rest of the script runs from the config directory.
cd "${CONSUL_CONFIG_DIR}" || exit 1

echo "Generate agent configuration - agent-server-secure.hcl"
tee "${CONSUL_CONFIG_DIR}/agent-server-secure.hcl" > /dev/null << EOF
# agent-server-secure.hcl
# Data Persistence
data_dir = "${CONSUL_DATA_DIR}"
# Logging
log_level = "DEBUG"
# Enable service mesh
connect {
  enabled = true
}
# Addresses and ports
addresses {
  grpc = "127.0.0.1"
  https = "0.0.0.0"
  dns = "0.0.0.0"
}
ports {
  grpc = 8502
  http = 8500
  https = ${HTTPS_PORT}
  dns = ${DNS_PORT}
}
# DNS recursors
recursors = ["${DNS_RECURSOR}"]
# Disable script checks
enable_script_checks = false
# Enable local script checks
enable_local_script_checks = true
EOF

echo "Generate server configuration - agent-server-specific.hcl"
tee "${CONSUL_CONFIG_DIR}/agent-server-specific.hcl" > /dev/null << EOF
## Server specific configuration for ${DATACENTER}
server = true
bootstrap_expect = 1
datacenter = "${DATACENTER}"
client_addr = "127.0.0.1"
## UI configuration (1.9+)
ui_config {
  enabled = true
}
EOF

echo "Generate gossip encryption key configuration - agent-gossip-encryption.hcl"
echo "encrypt = \"$(consul keygen)\"" > "${CONSUL_CONFIG_DIR}/agent-gossip-encryption.hcl"

echo "Create CA for Consul datacenter"
consul tls ca create -domain="${DOMAIN}"

echo "Create server Certificate and key pair"
consul tls cert create -server -domain="${DOMAIN}" -dc="${DATACENTER}"

echo "Generate TLS configuration - agent-server-tls.hcl"
tee "${CONSUL_CONFIG_DIR}/agent-server-tls.hcl" > /dev/null << EOF
## TLS Encryption (requires cert files to be present on the server nodes)
## Equivalent tls {} stanza form (Consul 1.12+), kept here for reference
# tls {
#   defaults {
#     ca_file = "${CONSUL_CONFIG_DIR}/consul-agent-ca.pem"
#     cert_file = "${CONSUL_CONFIG_DIR}/${DATACENTER}-server-${DOMAIN}-0.pem"
#     key_file = "${CONSUL_CONFIG_DIR}/${DATACENTER}-server-${DOMAIN}-0-key.pem"
#     verify_outgoing = true
#     verify_incoming = true
#   }
#   https {
#     verify_incoming = false
#   }
#   internal_rpc {
#     verify_server_hostname = true
#   }
# }
## Flat TLS fields used here; consul validate still accepts them but reports them as deprecated
ca_file = "${CONSUL_CONFIG_DIR}/consul-agent-ca.pem"
cert_file = "${CONSUL_CONFIG_DIR}/${DATACENTER}-server-${DOMAIN}-0.pem"
key_file = "${CONSUL_CONFIG_DIR}/${DATACENTER}-server-${DOMAIN}-0-key.pem"
verify_incoming = false
verify_incoming_rpc = true
verify_outgoing = true
verify_server_hostname = true
auto_encrypt {
  allow_tls = true
}
EOF

echo "Generate ACL configuration - agent-server-acl.hcl"
tee "${CONSUL_CONFIG_DIR}/agent-server-acl.hcl" > /dev/null << EOF
## ACL configuration
acl = {
  enabled = true
  default_policy = "deny"
  enable_token_persistence = true
  enable_token_replication = true
  down_policy = "extend-cache"
}
EOF

echo "Validate configuration"
consul validate "${CONSUL_CONFIG_DIR}"
STAT=$?
if [ ${STAT} -ne 0 ]; then
  echo "Configuration invalid. Exiting."
  exit 1
fi
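Added example, not part of the gist: a small Python audit of the configuration the script above produces. It checks the gossip key, the ACL default policy, the TLS verification flags (accepting either the flat fields the script writes or the `tls {}` stanza keys that `consul validate` names as their replacements), and whether `consul-agent-ca-key.pem`, which `consul tls ca create` drops into the config directory because the script runs from there, was left beside the agent's own files. The parser covers only the flat `key = value` and `block { }` shapes the script emits, and the sample config is constructed with an all-zero placeholder key.

```python
import base64
# Deprecated top-level TLS key -> tls {} stanza key, as printed by `consul validate` on this page.
DEPRECATED_TLS = {"ca_file": "tls.defaults.ca_file", "cert_file": "tls.defaults.cert_file",
                  "key_file": "tls.defaults.key_file", "verify_incoming": "tls.defaults.verify_incoming",
                  "verify_incoming_rpc": "tls.internal_rpc.verify_incoming",
                  "verify_outgoing": "tls.defaults.verify_outgoing",
                  "verify_server_hostname": "tls.internal_rpc.verify_server_hostname"}
def parse_flat_hcl(text):
    """Flatten the `key = value` / `block { ... }` subset the script writes into dotted keys (not full HCL)."""
    result, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()             # drop comments and blank lines
        if not line: continue
        if line.endswith("{"):                           # `acl = {` or `connect {` opens a block
            stack.append(line.rstrip("{ =").strip())
        elif line == "}":
            stack.pop()
        else:
            key, _, val = line.partition("=")
            result[".".join(stack + [key.strip()])] = val.strip().strip('"')
    return result

def audit(config_text, files):
    """Return findings for the merged config text plus the file names present in the config dir."""
    cfg, findings = parse_flat_hcl(config_text), []
    def flag(new, old):                                  # a tls {} key wins over its deprecated form
        return cfg.get(new, cfg.get(old))
    try:                                                 # consul keygen emits 32 bytes; 16 is also accepted
        if len(base64.b64decode(cfg.get("encrypt", ""), validate=True)) not in (16, 32):
            raise ValueError
    except ValueError:                                   # binascii.Error is a ValueError subclass
        findings.append("encrypt: missing or not a 16/32-byte base64 gossip key")
    if cfg.get("acl.enabled") != "true" or cfg.get("acl.default_policy") != "deny":
        findings.append('acl: must be enabled with default_policy = "deny"')
    if flag("tls.internal_rpc.verify_server_hostname", "verify_server_hostname") != "true":
        findings.append("tls: server hostname not verified, any agent cert could pose as a server")
    rpc = flag("tls.internal_rpc.verify_incoming", "verify_incoming_rpc")
    if (flag("tls.defaults.verify_incoming", "verify_incoming") if rpc is None else rpc) != "true":
        findings.append("tls: server RPC does not require client certificates")
    findings += [f"deprecated: {o} -> {n}" for o, n in DEPRECATED_TLS.items() if o in cfg]
    if "consul-agent-ca-key.pem" in files:               # only needed to sign new certs, not to run the agent
        findings.append("files: CA private key left in the agent config dir")
    return findings

# Constructed sample mirroring what the script writes; the gossip key is an all-zero placeholder.
SAMPLE_CONFIG = ('acl = {\n  enabled = true\n  default_policy = "deny"\n}\n'
                 'encrypt = "%s"\nca_file = "/etc/consul/config/consul-agent-ca.pem"\n'
                 'verify_incoming = false\nverify_incoming_rpc = true\nverify_server_hostname = true\n'
                 % base64.b64encode(bytes(32)).decode())
SAMPLE_FILES = ["consul-agent-ca-key.pem", "consul-agent-ca.pem", "dc1-server-consul-0.pem"]
```

On the sample, `audit(SAMPLE_CONFIG, SAMPLE_FILES)` returns the four deprecation notes that match the `consul validate` output in the comment below plus the stray CA key finding; a config converted to the `tls {}` stanza with the CA key moved elsewhere returns no findings.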
fboukezzoula commented Mar 26, 2023

  • Check if Consul is installed on the consul node
consul version

Consul v1.12.4
Revision 94542765
Protocol 2 spoken by default, understands 2 to 3 (agent will automatically use protocol >2 when speaking to compatible agents)

  • Generate Consul server configuration
export DATACENTER="dc1"
export DOMAIN="consul"
export CONSUL_DATA_DIR="/etc/consul/data"
export CONSUL_CONFIG_DIR="/etc/consul/config"
  • Generate all necessary files to configure and run the Consul server agent
./generate_consul_server_config.sh

Clean existing configuration
Generate Consul folders
Generate agent configuration - agent-server-secure.hcl
Generate server configuration - agent-server-specific.hcl
Generate gossip encryption key configuration - agent-gossip-encryption.hcl
Create CA for Consul datacenter
==> Saved consul-agent-ca.pem
==> Saved consul-agent-ca-key.pem
Create server Certificate and key pair
==> WARNING: Server Certificates grants authority to become a
server and access all state in the cluster including root keys
and all ACL tokens. Do not distribute them to production hosts
that are not server nodes. Store them as securely as CA keys.
==> Using consul-agent-ca.pem and consul-agent-ca-key.pem
==> Saved dc1-server-consul-0.pem
==> Saved dc1-server-consul-0-key.pem
Generate TLS configuration - agent-server-tls.hcl
Generate ACL configuration - agent-server-acl.hcl
Validate configuration
skipping file /etc/consul/config/consul-agent-ca-key.pem, extension must be .hcl or .json, or config format must be set
skipping file /etc/consul/config/consul-agent-ca.pem, extension must be .hcl or .json, or config format must be set
skipping file /etc/consul/config/dc1-server-consul-0-key.pem, extension must be .hcl or .json, or config format must be set
skipping file /etc/consul/config/dc1-server-consul-0.pem, extension must be .hcl or .json, or config format must be set
The 'ca_file' field is deprecated. Use the 'tls.defaults.ca_file' field instead.
The 'cert_file' field is deprecated. Use the 'tls.defaults.cert_file' field instead.
The 'key_file' field is deprecated. Use the 'tls.defaults.key_file' field instead.
The 'verify_incoming' field is deprecated. Use the 'tls.defaults.verify_incoming' field instead.
The 'verify_incoming_rpc' field is deprecated. Use the 'tls.internal_rpc.verify_incoming' field instead.
The 'verify_outgoing' field is deprecated. Use the 'tls.defaults.verify_outgoing' field instead.
The 'verify_server_hostname' field is deprecated. Use the 'tls.internal_rpc.verify_server_hostname' field instead.
BootstrapExpect is set to 1; this is the same as Bootstrap mode.
bootstrap = true: do not enable unless necessary
Configuration is valid!

  • Start Consul server
consul agent -node=consul -config-dir=${CONSUL_CONFIG_DIR}

==> Starting Consul agent...
Version: '1.12.4'
Node ID: 'de208a33-6b94-3633-9c46-f09aa3e3e824'
Node name: 'consul'
Datacenter: 'dc1' (Segment: '')
Server: true (Bootstrap: true)
Client Addr: [127.0.0.1] (HTTP: 8500, HTTPS: 8443, gRPC: 8502, DNS: 8600)
Cluster Addr: 10.2.80.162 (LAN: 8301, WAN: 8302)
Encrypt: Gossip: true, TLS-Outgoing: true, TLS-Incoming: true, Auto-Encrypt-TLS: true
==> Log data will now stream in as it occurs:
2023-03-26T19:17:08.396Z [WARN] agent: skipping file /etc/consul/config/consul-agent-ca-key.pem, extension must be .hcl or .json, or config format must be set
2023-03-26T19:17:08.396Z [WARN] agent: skipping file /etc/consul/config/consul-agent-ca.pem, extension must be .hcl or .json, or config format must be set
2023-03-26T19:17:08.396Z [WARN] agent: skipping file /etc/consul/config/dc1-server-consul-0-key.pem, extension must be .hcl or .json, or config format must be set
2023-03-26T19:17:08.396Z [WARN] agent: skipping file /etc/consul/config/dc1-server-consul-0.pem, extension must be .hcl or .json, or config format must be set
2023-03-26T19:17:08.396Z [WARN] agent: The 'ca_file' field is deprecated. Use the 'tls.defaults.ca_file' field instead.
2023-03-26T19:17:08.396Z [WARN] agent: The 'cert_file' field is deprecated. Use the 'tls.defaults.cert_file' field instead.
2023-03-26T19:17:08.396Z [WARN] agent: The 'key_file' field is deprecated. Use the 'tls.defaults.key_file' field instead.
2023-03-26T19:17:08.396Z [WARN] agent: The 'verify_incoming' field is deprecated. Use the 'tls.defaults.verify_incoming' field instead.
2023-03-26T19:17:08.396Z [WARN] agent: The 'verify_incoming_rpc' field is deprecated. Use the 'tls.internal_rpc.verify_incoming' field instead.
2023-03-26T19:17:08.396Z [WARN] agent: The 'verify_outgoing' field is deprecated. Use the 'tls.
.....
.....
