
Example Chef recipe to install Consul Template
{{/*
# /opt/my-app/consul.ctmpl
#
# This file is read by Consul Template and rendered onto disk using
# the configuration placed in /etc/consul-template.d.
*/}}
{{ with vault "postgresql/creds/readonly" }}
[config]
username = "{{ .Data.username }}"
password = "{{ .Data.password }}"
{{ end }}
# NOTE: This recipe is designed to be informational and is not a copy-paste
# implementation. Please see the following blog post for more information:
#
# https://www.hashicorp.com/blog/using-hashicorp-vault-with-chef.html
#

# Install the unzip package because Consul and Consul Template are
# published as ZIP files.
package "unzip"

# Download the latest version of Consul Template using the remote_file
# resource in Chef and trigger an extraction.
remote_file "/tmp/consul-template.zip" do
  source "https://releases.hashicorp.com/consul-template/0.12.1/consul-template_0.12.1_linux_amd64.zip"
  owner "root"
  group "root"
  mode "0755"
  backup false
  action :create_if_missing
  notifies :run, "execute[extract_consul_template]", :immediately
end

# Unzips the binary. The commands run from /tmp so that the extracted
# file is found regardless of the chef-client's working directory.
execute "extract_consul_template" do
  cwd "/tmp"
  command <<-EOH
    unzip /tmp/consul-template.zip
    mv consul-template /usr/local/bin/consul-template
    chmod +x /usr/local/bin/consul-template
  EOH
  action :nothing
end

# Create the configuration directory where the template configurations
# will reside.
directory "/etc/consul-template.d" do
  owner "root"
  group "root"
  action :create
end

# Create an upstart script - this could also be systemd or some other
# init system of your preference.
template "/etc/init/consul-template.conf" do
  source "upstart-consul-template.conf"
  owner "root"
  group "root"
  mode "0644"
end

# Start the service and register it with Chef.
service "consul-template" do
  provider Chef::Provider::Service::Upstart
  action :enable
end

# This writes the Consul Template template that Consul Template will
# read, parse, communicate with Vault, and render as the application
# configuration. Since Consul Template is running as a process, it
# will read all files in /etc/consul-template.d as configured in the
# upstart script above.
template "/etc/consul-template.d/my-app.hcl" do
  source "my-app-ct.hcl"
  owner "root"
  group "root"
  mode "0644"
  notifies :reload, "service[consul-template]", :delayed
end
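The recipe above fetches the release archive over HTTPS but pins no checksum, so a tampered or truncated download would be extracted and installed as-is. Chef's remote_file resource accepts a checksum property (a SHA-256 hex digest) and refuses to place a file whose digest differs. The Ruby below is an added example, not part of the gist or the blog post it cites: it parses a SHA256SUMS file in the two-space "<sha256>  <filename>" format that HashiCorp publishes beside each release, looks up the digest for the archive name, and compares it against the downloaded bytes. The archive bytes and the SHA256SUMS content are constructed inline so the script runs offline; the real values would come from releases.hashicorp.com.

```ruby
require "digest"

# Constructed stand-in for the downloaded release archive (not a real zip).
RELEASE_BYTES = "PK\x03\x04 constructed consul-template archive stand-in".b
RELEASE_NAME  = "consul-template_0.12.1_linux_amd64.zip"

# Constructed SHA256SUMS content in the "<sha256>  <filename>" format that
# HashiCorp publishes beside each release. The first line's digest is computed
# from the stand-in bytes so the sample is self-consistent; the second line is
# an unrelated entry with a dummy digest.
SHA256SUMS = <<~SUMS
  #{Digest::SHA256.hexdigest(RELEASE_BYTES)}  #{RELEASE_NAME}
  0000000000000000000000000000000000000000000000000000000000000000  consul-template_0.12.1_linux_386.zip
SUMS

# Parse SHA256SUMS into { filename => lowercase hex digest }, skipping blank
# or malformed lines and tolerating the optional "*" binary-mode marker.
def parse_sha256sums(text)
  text.each_line.with_object({}) do |line, sums|
    fields = line.strip.split(/\s+\*?/, 2)
    next unless fields.size == 2
    digest, name = fields
    next unless digest.match?(/\A[0-9a-f]{64}\z/i)
    sums[name] = digest.downcase
  end
end

# Digest pinned for `name`, or nil when the archive is not listed at all.
def expected_checksum(sums_text, name)
  parse_sha256sums(sums_text)[name]
end

# Compare the downloaded bytes with the pinned digest.
# Returns :ok, :mismatch, or :unlisted (no entry for that file name).
def verify_release(bytes, sums_text, name)
  expected = expected_checksum(sums_text, name)
  return :unlisted if expected.nil?
  Digest::SHA256.hexdigest(bytes) == expected ? :ok : :mismatch
end

if __FILE__ == $PROGRAM_NAME
  puts "checksum for remote_file: #{expected_checksum(SHA256SUMS, RELEASE_NAME)}"
  puts "verification: #{verify_release(RELEASE_BYTES, SHA256SUMS, RELEASE_NAME)}"
end
```

The digest returned by expected_checksum is the value to set as checksum "<digest>" inside the recipe's remote_file block; with that property set, chef-client fails the resource instead of handing a mismatched archive to the extract_consul_template step. Treating :unlisted as a failure rather than a pass matters too: an archive name that is missing from the sums file is exactly what a renamed or substituted download looks like.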
# templates/my-app.hcl
#
# This file is used to configure an instance of the Consul
# Template process. This tells Consul Template to read the
# template at /opt/my-app/config.ctmpl, communicate with Vault,
# and then write the resulting contents to /opt/my-app/config.
# If the rendered output changes, Consul Template will run the
# command below to reload the application.
template {
  source      = "/opt/my-app/config.ctmpl"
  destination = "/opt/my-app/config"
  command     = "service my-app reload"
}
# templates/upstart-consul-template.conf
#
# This is a sample upstart configuration template for Consul
# Template that tells Consul Template to read all configuration
# from /etc/consul-template.d.
description "consul-template"

start on runlevel [2345]
stop on runlevel [!2345]

respawn

script
  /usr/local/bin/consul-template \
    -config="/etc/consul-template.d/" \
    >> /var/log/consul-template.log 2>&1
end script

post-stop exec sleep 10
@Ginja
Ginja commented Feb 29, 2016

Great gist!

Possible typo? Should line #5 of my-app.hcl be /opt/my-app/config.ctmpl? And I'm assuming it's the source that source "my-app-ct.hcl" is referring to, despite the different file names?

@aschneid75

Reading the page that directed me to here, it makes mention that the advantage of this mechanism is that no secrets touch Chef. I like that idea, but Consul Template will need to be configured to allow it to talk with Vault. So, I'm assuming somewhere there is a token, username/pass, or something that gives Consul Template the appropriate permissions to retrieve those secrets. Is that correct?

@legal90
legal90 commented May 17, 2016

@aschneid75 Yes, that's correct. And it appears to be a bigger problem than fetching secrets from Vault, since it doesn't have a simple solution. These articles could be useful to figure out how to authenticate Chef nodes on Vault:
https://www.vaultproject.io/docs/auth/app-id.html
https://www.hashicorp.com/blog/vault-cubbyhole-principles.html
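One way to make the token handoff legal90 points to concrete, as an added illustration that is not part of this thread, of the linked articles, or of Vault's own client code: the Ruby below is an in-memory model of Vault's cubbyhole response wrapping. The provisioner (the role Chef plays) obtains a single-use, short-lived wrapping token and passes only that to the node; the node unwraps it once to obtain the real Vault token that Consul Template will use. Because a wrapping token can be unwrapped only once, a node that finds it already consumed knows someone else read it first, which is the detection property the cubbyhole article relies on. The WrappingStore class, the "wrap-..." token format and the method names are assumptions of this simulation, not Vault's API.

```ruby
require "securerandom"

# In-memory model of Vault's cubbyhole response wrapping, written for this
# illustration only. The class, the "wrap-" token format and the method
# names are assumptions of the simulation, not Vault's API.
class WrappingStore
  Entry = Struct.new(:payload, :expires_at, :used)

  def initialize
    @entries = {}
  end

  # Wrap a payload (the real Vault token Consul Template will use) behind a
  # fresh single-use wrapping token that expires after ttl_seconds.
  def wrap(payload, ttl_seconds:, now: Time.now)
    wrapping_token = "wrap-#{SecureRandom.hex(16)}" # constructed format
    @entries[wrapping_token] = Entry.new(payload, now + ttl_seconds, false)
    wrapping_token
  end

  # Unwrap exactly once. Returns [:ok, payload] the first time; afterwards
  # [:already_used, nil], which tells the caller someone else consumed the
  # token first. Expired or unknown tokens yield [:expired, nil] or
  # [:unknown, nil]. An expired token is never handed out, even if unused.
  def unwrap(wrapping_token, now: Time.now)
    entry = @entries[wrapping_token]
    return [:unknown, nil] if entry.nil?
    return [:already_used, nil] if entry.used
    return [:expired, nil] if now > entry.expires_at
    entry.used = true
    [:ok, entry.payload]
  end
end

# Provisioner side (the role Chef plays here): it holds only the wrapping
# token it passes to the node and never sees the real token it protects.
def provision_node(store, real_token, ttl_seconds: 300)
  store.wrap(real_token, ttl_seconds: ttl_seconds)
end

# Node side: unwrap once and hand the real token to Consul Template
# (returned here instead of written to its config). Any status other than
# :ok is a reason to stop and alert rather than to retry.
def node_bootstrap(store, wrapping_token, now: Time.now)
  store.unwrap(wrapping_token, now: now)
end

if __FILE__ == $PROGRAM_NAME
  store = WrappingStore.new
  wt = provision_node(store, "constructed-vault-token")
  p node_bootstrap(store, wt) # [:ok, "constructed-vault-token"]
  p node_bootstrap(store, wt) # [:already_used, nil]
end
```

In a real deployment the unwrapped value is the token Consul Template reads from the vault stanza of its configuration or from the VAULT_TOKEN environment variable, and the wrapping token's TTL is kept to minutes so that a token left unused by a failed bootstrap expires instead of lingering. The point of the model is the second call: a node that receives :already_used should treat the bootstrap as compromised and raise an alert, because nothing else is supposed to have been able to unwrap that token.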
