Example Chef recipe to install Consul Template
{{/*
# /opt/my-app/config.ctmpl
#
# This file is read by Consul Template and rendered onto disk using
# the configuration placed in /etc/consul-template.d. Comments in a
# Consul Template file use the Go template comment action that opens
# on the first line of this block and closes on its last; a bare "#"
# inside an action is a parse error.
*/}}
{{ with vault "postgresql/creds/readonly" }}
[config]
username = "{{ .Data.username }}"
password = "{{ .Data.password }}"
{{ end }}
# NOTE: This recipe is designed to be informational and is not a copy-paste
# implementation. Please see the following blog post for more information:
#
# https://www.hashicorp.com/blog/using-hashicorp-vault-with-chef.html
#
# Install the unzip package because Consul and Consul Template are
# published as ZIP files.
package "unzip"
# Download a pinned release of Consul Template (0.12.1, linux/amd64) using
# the remote_file resource in Chef and trigger an extraction. Note that
# nothing here checks the archive against the SHA256SUMS file HashiCorp
# publishes for each release; remote_file's checksum attribute is where
# that digest belongs.
remote_file "/tmp/consul-template.zip" do
  source "https://releases.hashicorp.com/consul-template/0.12.1/consul-template_0.12.1_linux_amd64.zip"
  owner "root"
  group "root"
  mode "0644" # a ZIP archive does not need to be executable
  backup false
  action :create_if_missing
  notifies :run, "execute[extract_consul_template]", :immediately
end
# Unzip the binary into /usr/local/bin. The cwd is set explicitly so the
# extracted file is where the mv expects it, and -o overwrites a stale
# copy left by an earlier run.
execute "extract_consul_template" do
  cwd "/tmp"
  command <<-EOH
    unzip -o /tmp/consul-template.zip
    mv consul-template /usr/local/bin/consul-template
    chmod +x /usr/local/bin/consul-template
  EOH
  action :nothing
end
# Create the configuration directory where the template configurations
# will reside.
directory "/etc/consul-template.d" do
  owner "root"
  group "root"
  action :create
end
# Create an upstart script - this could also be systemd or some other
# init system of your preference.
template "/etc/init/consul-template.conf" do
  source "upstart-consul-template.conf"
  owner "root"
  group "root"
  mode "0644"
end
# Enable the service so it comes up on boot and start it now; :enable
# alone would only register the job with Upstart.
service "consul-template" do
  provider Chef::Provider::Service::Upstart
  action [:enable, :start]
end
# This writes the Consul Template configuration file (templates/my-app.hcl
# below) that tells the running consul-template process which template to
# read, render against Vault, and write out as the application
# configuration. The process picks up every file in /etc/consul-template.d
# because that directory is passed as -config in the upstart script above,
# and it is sent a reload whenever this file changes. Note that this recipe
# does not itself place /opt/my-app/config.ctmpl, the template that the
# configuration points at.
template "/etc/consul-template.d/my-app.hcl" do
  source "my-app.hcl"
  owner "root"
  group "root"
  mode "0644"
  notifies :reload, "service[consul-template]", :delayed
end
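The remote_file resource above fetches the release over HTTPS but never compares it with the SHA256SUMS file HashiCorp publishes beside each release (or checks that file's detached GPG signature). The shell function below is an added example, not part of the gist, that performs the digest check offline: the SHA256SUMS file name is assumed from the release naming pattern in the recipe's download URL, and the archive and sums file it runs against are constructed inline rather than real release artifacts.

```shell
#!/bin/sh
# Added example: verify a downloaded HashiCorp release archive against the
# SHA256SUMS file published next to it, the step the remote_file resource in
# the recipe above leaves out. In the recipe the archive is saved as
# /tmp/consul-template.zip, so the release file name is passed explicitly:
#   verify_release_zip /tmp/consul-template.zip \
#     /tmp/consul-template_0.12.1_SHA256SUMS consul-template_0.12.1_linux_amd64.zip
# The SHA256SUMS file name is assumed from the release naming pattern, and
# the file should itself be checked with
#   gpg --verify consul-template_0.12.1_SHA256SUMS.sig consul-template_0.12.1_SHA256SUMS
# against HashiCorp's release-signing key before it is trusted.

# Print the SHA-256 hex digest of a file, using whichever tool is present.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_release_zip ZIP SUMS_FILE [NAME]
# Looks up NAME (default: the basename of ZIP) in SUMS_FILE, which has the
# "<hex digest>  <file name>" layout of sha256sum output, and compares the
# recorded digest with the digest of ZIP. Returns 0 on a match and 1 on a
# mismatch or when NAME is absent from the list, so an unlisted file is
# rejected rather than silently accepted.
verify_release_zip() {
  zip="$1"
  sums="$2"
  name="${3:-$(basename "$zip")}"
  expected=$(awk -v n="$name" '$2 == n {print $1; exit}' "$sums")
  if [ -z "$expected" ]; then
    echo "verify_release_zip: $name not listed in $sums" >&2
    return 1
  fi
  actual=$(sha256_of "$zip")
  if [ "$actual" != "$expected" ]; then
    echo "verify_release_zip: checksum mismatch for $name" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
  fi
  echo "verify_release_zip: $name OK"
  return 0
}

# Constructed sample data (not a real release): a stand-in archive, a sums
# file that lists it, and a tampered copy that must be rejected.
demo_dir=$(mktemp -d)
printf 'not really a zip\n' > "$demo_dir/consul-template_0.12.1_linux_amd64.zip"
printf '%s  consul-template_0.12.1_linux_amd64.zip\n' \
  "$(sha256_of "$demo_dir/consul-template_0.12.1_linux_amd64.zip")" \
  > "$demo_dir/consul-template_0.12.1_SHA256SUMS"
printf 'tampered archive\n' > "$demo_dir/tampered.zip"
```

In a cookbook the same digest would be pinned directly with remote_file's checksum attribute; the function is the equivalent check for a script or a pre-flight step, and it is only as trustworthy as the signature check on the SHA256SUMS file it reads.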
# templates/my-app.hcl
#
# This file configures an instance of the Consul Template process. It
# tells Consul Template to read the template at
# /opt/my-app/config.ctmpl, communicate with Vault, and write the
# resulting contents to /opt/my-app/config. Whenever the rendered file
# changes, Consul Template runs the command, which reloads the
# application so it picks up the new credentials.
template {
  source      = "/opt/my-app/config.ctmpl"
  destination = "/opt/my-app/config"
  command     = "service my-app reload"
}
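The configuration above says nothing about how Consul Template reaches Vault, which is the question the first comment below raises: the process still needs a Vault address and a token, even though Chef never renders a secret. The fragment below is an added example, not the gist's own file, showing where that goes; the field names follow the Consul Template README of the 0.12 era that the recipe pins and should be checked against the README for the version actually deployed, and the Vault address and CA bundle path are placeholders.

```hcl
# Added example (not part of the gist): a fuller
# /etc/consul-template.d/my-app.hcl that also tells Consul Template how to
# reach Vault. Field names are per the 0.12-era README; verify them for the
# deployed version. The address and CA path are placeholders.

vault {
  # Vault API endpoint, verified against the CA bundle in the ssl block.
  address = "https://vault.service.consul:8200"

  # No token is written here on purpose. Consul Template also reads the
  # VAULT_TOKEN environment variable, so the token can be handed to the
  # process by the init script (or unwrapped from a cubbyhole, as the
  # comments below discuss) without ever passing through Chef or landing
  # in a Chef-managed file.
  # token = "..."

  # Renew the token and the leases it acquires so short TTLs stay valid.
  renew = true

  ssl {
    enabled = true
    verify  = true
    ca_cert = "/etc/ssl/certs/vault-ca.pem"
  }
}

template {
  source      = "/opt/my-app/config.ctmpl"
  destination = "/opt/my-app/config"
  command     = "service my-app reload"

  # The rendered file holds a database password: restrict it to the
  # owner instead of the default world-readable mode.
  perms = 0600
}
```

Whatever mechanism delivers the token, it should carry a policy limited to the one path the template reads, on the order of `path "postgresql/creds/readonly" { capabilities = ["read"] }`, so that a compromised host yields only the credentials it was already entitled to.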
# templates/upstart-consul-template.conf
#
# This is a sample upstart configuration template for Consul
# Template that tells Consul Template to read all configuration
# from /etc/consul-template.d.
description "consul-template"
start on runlevel [2345]
stop on runlevel [!2345]
respawn
script
  /usr/local/bin/consul-template \
    -config="/etc/consul-template.d/" \
    >> /var/log/consul-template.log 2>&1
end script
post-stop exec sleep 10

Ginja commented Feb 29, 2016

Great gist!

Possible typo? Should line #5 of my-app.hcl be /opt/my-app/config.ctmpl? And I'm assuming it's the source that `source "my-app-ct.hcl"` is referring to, despite the different file names?

Reading the page that directed me here, it makes mention that the advantage of this mechanism is that no secrets touch Chef. I like that idea, but Consul Template will need to be configured to allow it to talk with Vault. So, I'm assuming somewhere there is a token, username/pass, or something that gives Consul Template the appropriate permissions to retrieve those secrets. Is that correct?

legal90 commented May 17, 2016

@aschneid75 Yes, that's correct. And it appears to be a bigger problem than fetching secrets from Vault, since it doesn't have a simple solution. These articles could be useful to figure out how to authenticate Chef nodes on Vault:
https://www.vaultproject.io/docs/auth/app-id.html
https://www.hashicorp.com/blog/vault-cubbyhole-principles.html
