# Setting Up Your Lab Environment

This guide shows you how to setup a Hashi environment for testing features in Consul, Vault, and Nomad.

Things to note:
* If you use Enterprise binaries
  * Enterprise binaries (`+ent`) need to be licensed - set in `docker-compose*.yml`
  * Consul 1.9, Nomad 1.0, Vault 1.7 has a starter license of 6 hours.
  * Consul 1.10+, Nomad 1.1+, and Vault 1.8+ requires a license file or it won't start
  * `Prem` images have their licenses baked in.


## Prerequisites

### Set Key Variables for your environment

Customize `CONSUL_DC` and `CONSUL_DC_2` if desired.

In [1]:
export CONSUL_DC=west CONSUL_DC_2=east
export COMPOSE_PROJECT_NAME=hashi
export COMPOSE_FILE=docker-compose-hashi.yml:docker-compose-proxy.yml:docker-compose-vault.yml:docker-compose.yml

In [2]:
printf "$CONSUL_DC \n$CONSUL_DC_2 \n$COMPOSE_PROJECT_NAME \n$COMPOSE_FILE"

west 
east 
hashi 
docker-compose-hashi.yml:docker-compose-proxy.yml:docker-compose-vault.yml:docker-compose.yml

* `CONSUL_DC*` - is used for Consul config files, docker-compose files, and more.
* `COMPOSE_FILE` - specifies the docker-compose files to work with

### Install software

#### Hashi software

Customize the versions, architecture, and os for your environment. It's currently set for Ubuntu on Pi.

In [None]:
VAULT_VER=1.8.5+ent #// +ent for enterprise
CONSUL_VER=1.10.4+ent
NOMAD_VER=1.1.7+ent
ARCH=arm64 #// arm64
OS=linux #// darwin, linux

curl -o /tmp/vault.zip \
  https://releases.hashicorp.com/vault/${VAULT_VER}/vault_${VAULT_VER}_${OS}_${ARCH}.zip
curl -o /tmp/consul.zip \
  https://releases.hashicorp.com/consul/${CONSUL_VER}/consul_${CONSUL_VER}_${OS}_${ARCH}.zip
curl -o /tmp/nomad.zip \
  https://releases.hashicorp.com/nomad/${NOMAD_VER}/nomad_${NOMAD_VER}_${OS}_${ARCH}.zip

In [None]:
for bin in consul vault nomad; do
sudo unzip -od /usr/local/bin /tmp/${bin}.zip && ${bin} version
done

#### Linux
* Docker and Docker Compose - Ubuntu and Raspbian
  * https://dev.to/elalemanyo/how-to-install-docker-and-docker-compose-on-raspberry-pi-1mo

## Consul Setup - Primary

### Create Consul Configs

Create needed directories.

In [118]:
mkdir -p consul/config
mkdir -p consul/cert/{server,client}

### Consul Gossip Encryption Key

Generate encryption key for Gossip - UDP; same key for all agents

In [121]:
CONSUL_KEY=$(consul keygen) && echo $CONSUL_KEY

myitl5HKsxyTfnDoC3+wUPxho392dbLyn0IOxeHDJLg=


Sample Output: `qDOPBEr+/oUVeOFQOnVypxwDaHzLrD+lvjo5vCEBbZ0=`

### Create CA and Certs

Create Certificate Authority

In [122]:
consul tls ca create

consul-agent-ca.pem already exists.


: 1

Copy CA Public Key to shared `client` and `server` folders.

In [123]:
for dir in client server; do
cp -r consul-agent-ca.pem consul/cert/${dir}/
done

Create server certificate and move it to shared `server` folder.

In [128]:
consul tls cert create -server -dc ${CONSUL_DC}
mv ${CONSUL_DC}-server-consul-*.pem consul/cert/server/

    server and access all state in the cluster including root keys
    and all ACL tokens. Do not distribute them to production hosts
    that are not server nodes. Store them as securely as CA keys.
==> Using consul-agent-ca.pem and consul-agent-ca-key.pem
==> Saved west-server-consul-0.pem
==> Saved west-server-consul-0-key.pem


In [129]:
consul tls cert create -server -dc ${CONSUL_DC_2}
mv ${CONSUL_DC_2}-server-consul-*.pem consul/cert/server/

    server and access all state in the cluster including root keys
    and all ACL tokens. Do not distribute them to production hosts
    that are not server nodes. Store them as securely as CA keys.
==> Using consul-agent-ca.pem and consul-agent-ca-key.pem
==> Saved east-server-consul-0.pem
==> Saved east-server-consul-0-key.pem


Create client certificate and move it to shared `client` folder.

In [130]:
consul tls cert create -client -dc ${CONSUL_DC} && \
  mv ${CONSUL_DC}-client-consul-*.pem consul/cert/client

==> Using consul-agent-ca.pem and consul-agent-ca-key.pem
==> Saved west-client-consul-0.pem
==> Saved west-client-consul-0-key.pem


In [131]:
consul tls cert create -client -dc ${CONSUL_DC_2} && \
  mv ${CONSUL_DC_2}-client-consul-*.pem consul/cert/client

==> Using consul-agent-ca.pem and consul-agent-ca-key.pem
==> Saved east-client-consul-0.pem
==> Saved east-client-consul-0-key.pem


Create Core Consul config - Server

In [132]:
# for i in {0..5}; do
tee consul/config/server.hcl <<-EOF
# datacenter  = "dc1" # in CLI
# node_name   = "ConsulServer${i}" # in CLI
bind_addr   = "0.0.0.0" #default
client_addr = "0.0.0.0" #default 127.0.0.1
data_dir    = "/consul/data"
log_level   = "DEBUG"

encrypt     = "${CONSUL_KEY}"
ca_file     = "/consul/cert/consul-agent-ca.pem"
cert_file   = "/consul/cert/${CONSUL_DC}-server-consul-0.pem"
key_file    = "/consul/cert/${CONSUL_DC}-server-consul-0-key.pem"
verify_incoming = true
verify_outgoing = true
verify_server_hostname = true

# server           =  true # in CLI
ui_config { enabled = true } 
bootstrap_expect = 3
retry_join  = [
  "consul-server-0",
  "consul-server-1",
  "consul-server-2"
]

#// 5 is default multiplier
performance {
  raft_multiplier = 2
}

telemetry {
    prometheus_retention_time = "30s",
    disable_hostname = true
}

connect {
    enabled = true
}
EOF
# done

# datacenter  = "dc1" # in CLI
# node_name   = "ConsulServer2" # in CLI
bind_addr   = "0.0.0.0" #default
client_addr = "0.0.0.0" #default 127.0.0.1
data_dir    = "/consul/data"
log_level   = "DEBUG"

encrypt     = "myitl5HKsxyTfnDoC3+wUPxho392dbLyn0IOxeHDJLg="
ca_file     = "/consul/cert/consul-agent-ca.pem"
cert_file   = "/consul/cert/west-server-consul-0.pem"
key_file    = "/consul/cert/west-server-consul-0-key.pem"
verify_incoming = true
verify_outgoing = true
verify_server_hostname = true

# server           =  true # in CLI
ui_config { enabled = true } 
bootstrap_expect = 3
retry_join  = [
  "consul-server-0",
  "consul-server-1",
  "consul-server-2"
]

#// 5 is default multiplier
performance {
  raft_multiplier = 2
}

telemetry {
    prometheus_retention_time = "30s",
    disable_hostname = true
}

connect {
    enabled = true
}


Create Core Consul config - Client

In [133]:
# for i in {0..5}; do
tee consul/config/client.hcl <<-EOF
# datacenter  = "dc1" # in CLI
# node_name   = "ConsulServer${i}" # in CLI
bind_addr   = "0.0.0.0" #default
client_addr = "0.0.0.0" #default 127.0.0.1
data_dir    = "/consul/data"

encrypt     = "${CONSUL_KEY}"
ca_file     = "/consul/cert/consul-agent-ca.pem"
cert_file   = "/consul/cert/${CONSUL_DC}-client-consul-0.pem"
key_file    = "/consul/cert/${CONSUL_DC}-client-consul-0-key.pem"
verify_incoming = true
verify_outgoing = true
verify_server_hostname = true

ui               = true
retry_join  = [
  "consul-server-0",
  "consul-server-1",
  "consul-server-2"
]

telemetry {
    prometheus_retention_time = "30s",
    disable_hostname = true
}

EOF
# done

# datacenter  = "dc1" # in CLI
# node_name   = "ConsulServer2" # in CLI
bind_addr   = "0.0.0.0" #default
client_addr = "0.0.0.0" #default 127.0.0.1
data_dir    = "/consul/data"

encrypt     = "myitl5HKsxyTfnDoC3+wUPxho392dbLyn0IOxeHDJLg="
ca_file     = "/consul/cert/consul-agent-ca.pem"
cert_file   = "/consul/cert/west-client-consul-0.pem"
key_file    = "/consul/cert/west-client-consul-0-key.pem"
verify_incoming = true
verify_outgoing = true
verify_server_hostname = true

ui               = true
retry_join  = [
  "consul-server-0",
  "consul-server-1",
  "consul-server-2"
]

telemetry {
    prometheus_retention_time = "30s",
    disable_hostname = true
}



Create Consul config for misc features eg `acl`, `performance multiplier`, etc

In [158]:
cat > consul/config/acl.hcl << EOF
# acl = {
#   enabled = true
#   default_policy = "allow"
#   enable_token_persistence = true
#   tokens = {
#     master = "49792521-8362-f878-5a32-7405f1783838"
#   }
# }
EOF

### Consul docker-compose up

We will now bring up the three Consul servers and one client for our first Datacenter. I use `--force-recreate` to have Docker recreate the containers. This is handy for a fresh start when testing code bits.

In [585]:
#// Check your docker-compose configuration
# docker-compose config

In [206]:
export CONSUL_DC=west CONSUL_DC_2=east
docker-compose \
  up --force-recreate -d \
  consul-server-0 consul-server-1 consul-server-2 consul-agent-1

Creating network "hashi_vpcbr" with driver "bridge"
Creating network "hashi_default" with the default driver
Creating consul-agent-1 ... 
Creating consul-server-0 ... 
Creating consul-server-2 ... 
Creating consul-server-1 ... 
[3Bting consul-server-0 ... [32mdone[0m

> NOTE: We specify only the containers we want to bring up. If you don't specify something, then everything comes up.

### Verify Consul

Quick check to make sure your Consul environment is running correctly.

In [207]:
printf "#==> List Members\n"
consul members
# curl http://127.0.0.1:8500/v1/agent/members | jq -c .[]
printf "\n#==> List Raft Peers\n"
consul operator raft list-peers
printf "\n#==> List services from Consul catalog\n"
consul catalog services

#==> List Members
Node             Address         Status  Type    Build       Protocol  DC    Segment
consul-server-0  10.5.0.2:8301   alive   server  1.9.11+ent  2         west  <all>
consul-server-1  10.5.0.3:8301   alive   server  1.9.11+ent  2         west  <all>
consul-server-2  10.5.0.4:8301   alive   server  1.9.11+ent  2         west  <all>
App1             10.5.0.12:8301  alive   client  1.9.11+ent  2         west  <default>

#==> List Raft Peers
Node             ID                                    Address        State     Voter  RaftProtocol
consul-server-2  c9579a8b-1d94-412a-775c-b7c933340beb  10.5.0.4:8300  leader    true   3
consul-server-1  e79d2f7e-8497-dc29-3d42-a8ef52dbaf9a  10.5.0.3:8300  follower  true   3
consul-server-0  e806a53e-6df4-bbb0-b437-ff6363dfa248  10.5.0.2:8300  follower  true   3

#==> List services from Consul catalog
consul


You should see something like the following.

* There should be three servers. `DC` should match

```#==> List Members
Node             Address        Status  Type    Build       Protocol  DC    Segment
consul-server-0  10.5.0.2:8301  alive   server  1.9.11+ent  2         west  <all>
consul-server-1  10.5.0.3:8301  alive   server  1.9.11+ent  2         west  <all>
consul-server-2  10.5.0.4:8301  alive   server  1.9.11+ent  2         west  <all>
```

* There should be a leader and two followers.

```
#==> List Raft Peers
Node             ID                                    Address        State     Voter  RaftProtocol
consul-server-2  08f89457-d9db-b025-c65e-185246fe577c  10.5.0.4:8300  leader    true   3
consul-server-1  f4c7057f-83ec-11ac-2027-ca85eccfce89  10.5.0.3:8300  follower  true   3
consul-server-0  2c965ad0-5042-424c-259c-a5781d001d28  10.5.0.2:8300  follower  true   3
```

```
#==> List services from Consul catalog
consul
```

## Vault Setup - Primary

### Create Vault Configs

In [240]:
# Create Vault Directories
for node in {1..5}; do
mkdir -p vault/config/vault_s${node}
mkdir -p vault/logs/vault_s${node}
done

In [227]:
# Create Vault Server Config
for i in {1..3}; do
cat > vault/config/vault_s${i}/server${i}.hcl <<-EOF
# Note: this file will be re-written by script
api_addr     = "http://10.5.0.10${i}:8200"
cluster_addr = "https://10.5.0.10${i}:8201"
cluster_name = "${CONSUL_DC}"
disable_mlock = true

# Base Configuration
listener "tcp" {
  address = "0.0.0.0:8200"
  tls_disable = "true"
#   #tls_cert_file = "/etc/ssl/certs/vault-server.crt"
#   #tls_key_file  = "/etc/ssl/vault-server.key"
}

ui = "true"
log_level="INFO"

# Raft configuration
storage "raft" {
  path    = "/vault/file"
  node_id = "vault_s${i}"
  retry_join {
    leader_api_addr = "http://vault_s1:8200"
  }
  retry_join {
    leader_api_addr = "http://vault_s2:8200"
  }
  retry_join {
    leader_api_addr = "http://vault_s3:8200"
  }
}

service_registration "consul" {
  address = "consul-server-0:8500"
}

telemetry {
  prometheus_retention_time = "30s"
  disable_hostname          = true
}
# raw_storage_endpoint = true #//for debugging
EOF
done

### Vault docker-compose up

In [4]:
# Restart Vault Cluster
docker-compose up --force-recreate -d \
  vault_s1 vault_s2 vault_s3

Recreating vault_s1 ... 
[1BRecreating vault_s2 ... mdone[0m
Recreating vault_s3 ... 
[2Beating vault_s2 ... [32mdone[0m

### Init Vault `init.sh`

In [5]:
export VAULT_ADDR=http://localhost:8200

In [6]:
printf "Init vault_s1 \n"
#// Confirm that vault_s1 is listening on port 8200
# while ! nc -w 1 127.0.0.1 8200 </dev/null; do sleep 1; done
time vault operator init -format=json -n 1 -t 1 > /tmp/vault.init

Init vault_s1 

real	0m0.849s
user	0m0.001s
sys	0m0.012s

real	0m39.723s
user	0m0.316s
sys	0m0.447s


In [7]:
export VAULT_TOKEN_PRIMARY=$(jq -r '.root_token' /tmp/vault.init)
printf "\nRoot VAULT TOKEN is: $VAULT_TOKEN_PRIMARY \n"
printf "\n*** Please Run: export VAULT_TOKEN=${VAULT_TOKEN_PRIMARY} \n"
export unseal_key=$(jq -r '.unseal_keys_b64[0]' /tmp/vault.init)
printf "\nUnseal Key is: ${unseal_key}\n"
export VAULT_TOKEN=${VAULT_TOKEN_PRIMARY}


Root VAULT TOKEN is: s.lesaeIIhcge9zUo6V48gnwHI 

*** Please Run: export VAULT_TOKEN=s.lesaeIIhcge9zUo6V48gnwHI 

Unseal Key is: CdC2P4XYp1oY1XLpkdyBd8y/x8Mw/yPKwop0INyc3bw=


### Unseal Vault `unseal.sh`

In [8]:
vault operator unseal ${unseal_key}

[0mKey                     Value
---                     -----
Seal Type               shamir
Initialized             true
Sealed                  false
Total Shares            1
Threshold               1
Version                 1.8.5+ent
Storage Type            raft
Cluster Name            west
Cluster ID              ca4be067-5a95-748c-c331-db95ca2f6d3c
HA Enabled              true
HA Cluster              n/a
HA Mode                 standby
Active Node Address     <none>
Raft Committed Index    56
Raft Applied Index      56[0m


In [36]:
vault operator raft list-peers
vault operator raft autopilot state

[0mNode        Address            State     Voter
----        -------            -----     -----
vault_s1    10.5.0.101:8201    leader    true[0m
[0mHealthy:                      true
Failure Tolerance:            0
Leader:                       vault_s1
Voters:
   vault_s1
Servers:
   vault_s1
      Name:            vault_s1
      Address:         10.5.0.101:8201
      Status:          leader
      Node Status:     alive
      Healthy:         true
      Last Contact:    0s
      Last Term:       3
      Last Index:      60
[0m


In [10]:
for i in {2..3}; do
docker exec -i vault_s${i} sh <<EOM
export VAULT_ADDR=http://localhost:8200
vault operator unseal ${unseal_key}
EOM
if [ $i == 1 ]; then sleep 10; fi
done

Key                Value
---                -----
Seal Type          shamir
Initialized        true
Sealed             true
Total Shares       1
Threshold          1
Unseal Progress    0/1
Unseal Nonce       n/a
Version            1.8.5+ent
Storage Type       raft
HA Enabled         true
Key                Value
---                -----
Seal Type          shamir
Initialized        true
Sealed             true
Total Shares       1
Threshold          1
Unseal Progress    0/1
Unseal Nonce       n/a
Version            1.8.5+ent
Storage Type       raft
HA Enabled         true


### Verify Vault

In [251]:
vault token lookup
vault version
vault status

In [38]:
printf "#==> List Peers\n"
vault operator raft list-peers
printf "\n#==> Show autopilot state\n"
vault operator raft autopilot state || true
printf "\n#==> Show autopilot settings\n"
vault operator raft autopilot get-config || true

#==> List Peers
[0mNode        Address            State       Voter
----        -------            -----       -----
vault_s1    10.5.0.101:8201    leader      true
vault_s2    10.5.0.102:8201    follower    false
vault_s3    10.5.0.103:8201    follower    false[0m

#==> Show autopilot state
[0mHealthy:                      true
Failure Tolerance:            0
Leader:                       vault_s1
Voters:
   vault_s1
Servers:
   vault_s1
      Name:            vault_s1
      Address:         10.5.0.101:8201
      Status:          leader
      Node Status:     alive
      Healthy:         true
      Last Contact:    0s
      Last Term:       3
      Last Index:      77
   vault_s2
      Name:            vault_s2
      Address:         10.5.0.102:8201
      Status:          non-voter
      Node Status:     alive
      Healthy:         true
      Last Contact:    60.734723ms
      Last Term:       3
      Last Index:      77
   vault_s3
      Name:            vault_s3
      Address:  

In [35]:
vault secrets list
vault read sys/license

[0mPath          Type         Accessor              Description
----          ----         --------              -----------
cubbyhole/    cubbyhole    cubbyhole_68f88a5c    per-token private secret storage
identity/     identity     identity_d819d9ac     identity store
sys/          system       system_deec1f16       system endpoints used for control, policy and debugging[0m
[0m
[93m  * time left on license is 566h22m43s[0m
[93m[0m
[93m  * The GET sys/license API is deprecated and will be removed in a future
  release, use sys/license/status instead.[0m
[93m[0m
[0mKey                          Value
---                          -----
expiration_time              2021-12-12T18:14:11Z
features                     [HSM Performance Replication DR Replication MFA Sentinel Seal Wrapping Control Groups Performance Standby Namespaces KMIP Entropy Augmentation Transform Secrets Engine Lease Count Quotas Key Management Secrets Engine Automated Snapshots]
license_id                   

In [34]:
vault write sys/license text=@vault/config/vault.hclic && \
vault read sys/license

[91mError writing data to sys/license: Error making API request.

URL: PUT http://localhost:8200/v1/sys/license
Code: 400. Errors:

* unable to update stored license. autoloading is in effect and force=true not provided[0m


: 2

In [273]:
vault secrets enable kv
# vault write kv/game/account username=foo password=bar

[0mSuccess! Enabled the kv secrets engine at: kv/[0m


In [274]:
vault secrets list

[0mPath          Type         Accessor              Description
----          ----         --------              -----------
cubbyhole/    cubbyhole    cubbyhole_6eaa11f9    per-token private secret storage
identity/     identity     identity_afd3cddb     identity store
kv/           kv           kv_b050a90b           n/a
sys/          system       system_efd35649       system endpoints used for control, policy and debugging[0m


## Monitoring

In this scenario, you will use Docker containers to deploy a Vault server, Prometheus monitoring, and a Grafana dashboard.

You will configure Vault to enable Prometheus metrics, and deploy the containers using the command line in a terminal session. You will also use the Grafana web interface to create a dashboard for visualizing metrics.

Begin the scenario by preparing your environment.

### Prerequisites

* [Vault Cluster](#Vault-Setup---Primary)

In [None]:
mkdir -p grafana/provisioning/{datasources,dashboards} \
grafana/dashboards prometheus

### Vault configuration

Prometheus metrics are not enabled by default. Setting the `prometheus_retention_time` to a non-zero value enables them.

```
telemetry {
  prometheus_retention_time = "1h"
  disable_hostname          = true
}
```

* `prometheus_retention_time = "1h"` retain in memory for 1 hour
* `disable_hostname = true` - do not emit Prometheus metrics prefixed with host names, which is not desirable in most cases
* Go to [telemetry parameters](https://www.vaultproject.io/docs/configuration/telemetry#telemetry-parameters) documentation for more details.


This configuration was already included in the prerequisite sections.

### Prometheus Configuration

In [260]:
cat > prometheus/prometheus.yml << EOF
global:
  scrape_interval: 5s
  scrape_timeout: 10s

scrape_configs:
  - job_name: services
    metrics_path: /metrics
    static_configs:
      - targets:
          - 'prometheus:9090'
  - job_name: node
    metrics_path: /metrics
    static_configs:
      - targets:
          - 'node-exporter:9100'
  - job_name: 'consul-server'
    metrics_path: '/v1/agent/metrics'
    params:
      format: ['prometheus']
    static_configs:
      - targets: ['consul-server:8500']
  - job_name: 'tempo'
    static_configs:
    - targets: ['tempo:3100']
  - job_name: vault
    metrics_path: /v1/sys/metrics
    params:
      format: ['prometheus']
    scheme: http
    # authorization:
    #   credentials_file: /etc/prometheus/prometheus-token
    static_configs:
    - targets: ['vault_s1:8200']
EOF

In [261]:
# Restart Vault Cluster
docker-compose up --force-recreate -d prometheus

Recreating prometheus ... 
[1Beating prometheus ... [32mdone[0m

In [259]:
docker logs -n 1 prometheus

level=info ts=2021-11-20T01:29:46.330Z caller=main.go:767 msg="Server is ready to receive web requests."


The log should contain an entry like this one.
```shell
level=info ts=2021-11-20T01:29:46.330Z caller=main.go:767 msg="Server is ready to receive web requests."
```

### Grafana Configuration

In [None]:
cat > grafana/datasource.yml << EOF
# config file version
apiVersion: 1

datasources:
- name: vault
  type: prometheus
  access: server
  orgId: 1
  url: http://10.42.74.110:9090
  password:
  user:
  database:
  basicAuth:
  basicAuthUser:
  basicAuthPassword:
  withCredentials:
  isDefault:
  jsonData:
     graphiteVersion: "1.1"
     tlsAuth: false
     tlsAuthWithCACert: false
  secureJsonData:
    tlsCACert: ""
    tlsClientCert: ""
    tlsClientKey: ""
  version: 1
  editable: true
EOF

In [281]:
chmod 755 grafana/provisioning/datasources/datasource.yml
chmod -R 755 grafana/provisioning
chmod -R 755 grafana/dashboards

In [279]:
ll grafana/dashboards consul/config/

consul/config/:
total 48
drwxr-x--- 3 ubuntu ubuntu 4096 Nov 19 01:42 ./
drwxr-x--- 7 ubuntu ubuntu 4096 Nov 16 18:24 ../
drwxr-x--- 2 ubuntu ubuntu 4096 Nov 19 01:53 .ipynb_checkpoints/
-rw-rw-r-- 1 ubuntu ubuntu  132 Nov 15 19:48 acl.hcl
-rw-rw-r-- 1 ubuntu ubuntu  664 Nov 19 19:19 client.hcl
-rwxr-xr-x 1 ubuntu ubuntu  586 Nov 15 16:19 consul.hcl*
-rw-rw-r-- 1 ubuntu ubuntu   76 Nov 19 19:53 rz-0.hcl
-rw-rw-r-- 1 ubuntu ubuntu   76 Nov 19 19:53 rz-1.hcl
-rw-rw-r-- 1 ubuntu ubuntu   76 Nov 19 19:53 rz-2.hcl
-rw-rw-r-- 1 ubuntu ubuntu   76 Nov 15 17:51 rz-3.hcl
-rw-rw-r-- 1 ubuntu ubuntu  847 Nov 19 19:18 server.hcl
-rw-rw-r-- 1 ubuntu ubuntu  847 Nov 19 23:23 server_dc2.hcl

grafana/dashboards:
total 652
drwxr-xr-x 2 ubuntu ubuntu   4096 Nov 12 00:23 ./
drwxr-x--- 4 ubuntu ubuntu   4096 Nov 12 00:23 ../
-rwxr-xr-x 1 ubuntu ubuntu   2798 Nov 12 00:17 alerts.yaml*
-rwxr-xr-x 1 ubuntu ubuntu  44457 Nov 12 00:17 consul-server-monitoring_rev3.json*
-rwxr-xr-x 1 ubuntu ubuntu 374660 Nov 12

* `grafana/dashboards:/var/lib/grafana/dashboards` - preconfigured dashboards

In [282]:
# Restart Vault Cluster
docker-compose up --force-recreate -d grafana

Recreating grafana ... 
[1Beating grafana ... [32mdone[0m

## Vault Performance Nodes

optional - Vault Performance Nodes
* main difference here is that it does not auto-join
* joining manually as non-voter from CLI
* https://learn.hashicorp.com/tutorials/vault/performance-standbys?in=vault/enterprise

In [257]:
# Create Vault Server Config
for i in {4..5}; do
cat > vault/config/vault_s${i}/server${i}.hcl <<-EOF
# Note: this file will be re-written by script
api_addr     = "http://10.5.0.10${i}:8200"
cluster_addr = "https://10.5.0.10${i}:8201"
disable_mlock = true

# Base Configuration
listener "tcp" {
  address = "0.0.0.0:8200"
  tls_disable = "true"
}

ui = "true"
log_level="INFO"

# Raft configuration
storage "raft" {
  path    = "/vault/file"
  node_id = "vault_s${i}"
}

service_registration "consul" {
  address = "consul-server-0:8500"
}
EOF
done

### Vault Performance Nodes docker-compose up

In [258]:
# Restart Vault Cluster
docker-compose -f docker-compose-hashi.yml up --force-recreate -d \
  vault_s4

Recreating vault_s1 ... 
[1BCreating vault_s4   ... mdone[0m
[1Bting vault_s4   ... [32mdone[0m

In [267]:
docker exec -i vault_s4 sh -s <<EOM
export VAULT_ADDR=http://127.0.0.1:8200
vault operator raft join -non-voter http://vault_s1:8200
EOM

Key       Value
---       -----
Joined    true


In [268]:
export unseal_key=$(cat /tmp/vault.init | jq -r '.unseal_keys_b64[0]')
printf "${unseal_key}\n"

for i in {4..4}; do
docker exec -i vault_s${i} sh <<EOM
export VAULT_ADDR=http://localhost:8200
vault operator unseal ${unseal_key}
EOM
done

gNbB3iXOkoKaTWZ0/+IdPAHFEyeO2Yrdx0r4NxIHAs8=
Key                Value
---                -----
Seal Type          shamir
Initialized        true
Sealed             true
Total Shares       1
Threshold          1
Unseal Progress    0/1
Unseal Nonce       n/a
Version            1.7.5+ent
Storage Type       raft
HA Enabled         true


In [320]:
vault operator raft list-peers

[91mError reading the raft cluster configuration: Error making API request.

URL: GET http://localhost:8200/v1/sys/storage/raft/configuration
Code: 503. Errors:

* Vault is sealed[0m


: 2

* `vault_s4` is not a voter.

## Vault Replication

optional - Vault Performance Nodes
* main difference here is that it does not auto-join
* joining manually as non-voter from CLI
* https://learn.hashicorp.com/tutorials/vault/performance-standbys?in=vault/enterprise

If you want the secondary Vault Cluster to register with a secondary Consul Cluster, the do this [step](#Consul-Federation-Using-WAN-Gossip) as well.

### Create Vault Configuration - Secondary

Change service registration from `consul-server-0` to `consul-server-4` if desired.

In [39]:
# Create Vault Server Config
for i in {4..6}; do
cat > vault/config/vault_s${i}/server${i}.hcl <<-EOF
# Note: this file will be re-written by script
api_addr     = "http://10.5.0.10${i}:8200"
cluster_addr = "https://10.5.0.10${i}:8201"
disable_mlock = true

# Base Configuration
listener "tcp" {
  address = "0.0.0.0:8200"
  tls_disable = "true"
}

ui = "true"
log_level="INFO"

# Raft configuration
storage "raft" {
  path    = "/vault/file"
  node_id = "vault_s${i}"
}

service_registration "consul" {
  address = "consul-server-3:8500"
}
EOF
done

### Vault DR Nodes docker-compose up

In [47]:
# Restart Vault Cluster
docker-compose up --force-recreate -d \
  vault_s4 vault_s5 vault_s6

Recreating vault_s6 ... 
Recreating vault_s5 ... 
Recreating vault_s4 ... 
[2Beating vault_s5 ... [32mdone[0m

In [105]:
# Restart Vault Cluster
docker-compose up --force-recreate -d \
  vault_s5

Recreating vault_s5 ... 
[1Beating vault_s5 ... [32mdone[0m

### Init Vault `init.sh` - PR Secondary

In [48]:
printf "Init vault_s4 \n"
docker exec \
  -e VAULT_ADDR=http://localhost:8200 \
  vault_s4 vault operator init -format=json -n 1 -t 1 > /tmp/vault_secondary.init

Init vault_s4 


In [49]:
export root_token2=$(jq -r '.root_token' /tmp/vault_secondary.init)
printf "Root VAULT TOKEN 2 is: $root_token2 \n"

export unseal_key2=$(cat /tmp/vault_secondary.init | jq -r '.unseal_keys_b64[0]')
printf "Unseal Key 2 is:       ${unseal_key2}\n"

Root VAULT TOKEN 2 is: s.ExFEvNDjkTBaL2rOkLzqo6Xp 
Unseal Key 2 is:       CdC2P4XYp1oY1XLpkdyBd8y/x8Mw/yPKwop0INyc3bw=


### Unseal Vault `unseal.sh` - PR Secondary

In [50]:
for i in {4..4}; do
docker exec -i vault_s${i} sh <<EOM
export VAULT_ADDR=http://localhost:8200
vault operator unseal ${unseal_key2}
EOM
done

Key                     Value
---                     -----
Seal Type               shamir
Initialized             true
Sealed                  false
Total Shares            1
Threshold               1
Version                 1.8.5+ent
Storage Type            raft
Cluster Name            vault-cluster-d1e9cf76
Cluster ID              901ecde2-f9b6-b853-7ca2-c145be3f0f70
HA Enabled              true
HA Cluster              n/a
HA Mode                 standby
Active Node Address     <none>
Raft Committed Index    55
Raft Applied Index      55


### Verify Vault

In [24]:
docker exec -i vault_s4 sh <<EOM
export VAULT_TOKEN=$root_token2
vault token lookup
vault status
vault version
vault operator raft list-peers
EOM

Key                 Value
---                 -----
accessor            1tXl5AFDjLYB1KQFSt8dCX4o
creation_time       1637603499
creation_ttl        0s
display_name        root
entity_id           n/a
expire_time         <nil>
explicit_max_ttl    0s
id                  s.bkCXKxx7By8fbRVgG8pTvuyZ
meta                <nil>
num_uses            0
orphan              true
path                auth/token/root
policies            [root]
ttl                 0s
type                service
Key                     Value
---                     -----
Seal Type               shamir
Initialized             true
Sealed                  false
Total Shares            1
Threshold               1
Version                 1.8.5+ent
Storage Type            raft
Cluster Name            vault-cluster-3b66a1dd
Cluster ID              2166a0a2-52a2-d6bc-5907-e91db5fb4273
HA Enabled              true
HA Cluster              https://10.5.0.104:8201
HA Mode                 active
Active Since            2021-11-22T1

### Enable Replication on Primary - PR and DR

In [11]:
export VAULT_TOKEN=${VAULT_TOKEN_PRIMARY}
printf "#==> Enable Performance Replication as primary\n"
vault write -f sys/replication/performance/primary/enable
printf "#==> Enable Disaster Replication as secondary\n"
vault write -f sys/replication/dr/primary/enable

#==> Enable Performance Replication as primary
[0m
[93m  * This cluster is being enabled as a primary for replication. Vault will be
  unavailable for a brief period and will resume service shortly.[0m
[93m[0m
#==> Enable Disaster Replication as secondary
[0m
[93m  * This cluster is being enabled as a primary for replication. Vault will be
  unavailable for a brief period and will resume service shortly.[0m
[93m[0m


Revoke **Performance** Secondary Token

In [62]:
vault write sys/replication/performance/primary/revoke-secondary id=perfsec || true

[0m
[93m  * The given secondary has been revoked, but the secondary cluster still
  uses the replicated cluster's keyring. You should rekey the local cluster,
  but note that previous keys will still be available to decrypt previously
  written data.[0m
[93m[0m


In [63]:
printf "#==> Generate a PR secondary token.\n"
vault write -field wrapping_token sys/replication/performance/primary/secondary-token id=perfsec \
  > /tmp/secondaryToken.out && cat /tmp/secondaryToken.out

In [63]:
secondaryToken=$(cat /tmp/secondaryToken.out)

#==> Generate a PR secondary token.
eyJhbGciOiJFUzUxMiIsInR5cCI6IkpXVCJ9.eyJhY2Nlc3NvciI6IiIsImFkZHIiOiJodHRwOi8vMTAuNS4wLjEwMTo4MjAwIiwiZXhwIjoxNjM3NjEzMjk3LCJpYXQiOjE2Mzc2MTE0OTcsImp0aSI6InMuZnI1WENnNHJwdWxoMFVxck9jc1pBdDQ3IiwibmJmIjoxNjM3NjExNDkyLCJ0eXBlIjoid3JhcHBpbmcifQ.AJWTK_h5nkO3SFMlvNn4KTcmg_wizeVibAngY6LXKRjw2LzdC7-65MQFDiaR493j5bj1sWAXH6FfUpOL8dEnMMXGATm1DmyoAm5q0a98RT_G8EjqhqvT_DSwtLpVSn0lr-NlNHN3rtIt6fo4Oa5YCI21K40InuqfXgDSS8OujWbBqaE0

Revoke **DR** Secondary Token

In [102]:
vault write sys/replication/dr/primary/revoke-secondary id=drsec || true

[0m
[93m  * The given secondary has been revoked, but the secondary cluster still
  uses the replicated cluster's keyring. You should rekey the local cluster,
  but note that previous keys will still be available to decrypt previously
  written data.[0m
[93m[0m


Generate **DR** Secondary Token

In [103]:
printf "#==> Generate a DR secondary token.\n"
vault write -field wrapping_token sys/replication/dr/primary/secondary-token id=drsec \
  > /tmp/drSecondaryToken.out && cat /tmp/drSecondaryToken.out

drSecondaryToken=$(cat /tmp/drSecondaryToken.out)

#==> Generate a DR secondary token.
eyJhbGciOiJFUzUxMiIsInR5cCI6IkpXVCJ9.eyJhY2Nlc3NvciI6IiIsImFkZHIiOiJodHRwOi8vMTAuNS4wLjEwMTo4MjAwIiwiZXhwIjoxNjM3NjE2MzA0LCJpYXQiOjE2Mzc2MTQ1MDQsImp0aSI6InMuZTdTSEJRNUk2QnBwek1OcDZjd2RTVjBmIiwibmJmIjoxNjM3NjE0NDk5LCJ0eXBlIjoid3JhcHBpbmcifQ.AWHGWmQEz8pX7nIu3LXS5LuJyVbquboIBGxUyJYx1d6dParCqWCJJBqVy-WnGIa22xVDopcTU5lDg3dxph9GiJosADN7iyS4iR4s-6Eo9lkpzNAYHZW7G3d69gZ4iL_y4zLEvJxBpFUD0QSOMvoxOwbT7eUPjze5aOicXvbQWaV3SiTG

### Enable Replication on Secondary - PR

In [65]:
echo $root_token2
echo $secondaryToken

s.ExFEvNDjkTBaL2rOkLzqo6Xp
eyJhbGciOiJFUzUxMiIsInR5cCI6IkpXVCJ9.eyJhY2Nlc3NvciI6IiIsImFkZHIiOiJodHRwOi8vMTAuNS4wLjEwMTo4MjAwIiwiZXhwIjoxNjM3NjA0OTY5LCJpYXQiOjE2Mzc2MDMxNjksImp0aSI6InMud2ZyTDdYRU1pZjFCeDlGdHlzN2dJdnM0IiwibmJmIjoxNjM3NjAzMTY1LCJ0eXBlIjoid3JhcHBpbmcifQ.ADdmmzU0tGnEKDa5Ki4nqyzaS70lXrPuZnuQvP3KlRH85U3BYYMg2Lgn3UJLBFI_P7Su_aqBgx7MjF9XzY9fbh0YACMwyP7A4LcG7SLGzLJrlvoqGDwbsLJUshsmxMe9Zn7e2pUCHJeRZYAtg3QkfzkmvedkNUqbyoCqwAmlMChq-jo0


In [67]:
docker exec -i vault_s4 sh <<EOM
printf "#==> Enable Performance Replication as secondary\n"
export VAULT_TOKEN=$root_token2
vault write sys/replication/performance/secondary/enable token=$secondaryToken
EOM

#==> Enable Performance Replication as secondary

  * Vault has successfully found secondary information; it may take a while to
  perform setup tasks. Vault will be unavailable until these tasks and initial
  sync complete.



In [69]:
printf "\n#==> Status of PR Primary\n"
vault read sys/replication/performance/status || true
printf "\n#==> Status of PR Secondary\n"
docker exec vault_s4 sh -c "vault read sys/replication/performance/status || true"
printf "\n#==> Status of DR Primary\n"
vault read sys/replication/dr/status || true
printf "\n#==> Status of DR Secondary\n"
docker exec vault_s5 sh -c "vault read sys/replication/dr/status || true"


#==> Status of PR Primary
[0mKey                     Value
---                     -----
cluster_id              f7356c57-ddfd-16c5-49ed-0f608e2e7ef0
known_secondaries       [perfsec]
last_performance_wal    29
last_reindex_epoch      0
last_wal                408
merkle_root             27ad69c4d174ce072fe9726c41b1daeb4df37030
mode                    primary
primary_cluster_addr    n/a
secondaries             [map[api_address:http://10.5.0.104:8200 cluster_address:https://10.5.0.104:8201 connection_status:connected last_heartbeat:2021-11-22T20:21:04Z node_id:perfsec]]
state                   running[0m

#==> Status of PR Secondary
Key                            Value
---                            -----
cluster_id                     f7356c57-ddfd-16c5-49ed-0f608e2e7ef0
connection_state               ready
known_primary_cluster_addrs    [https://10.5.0.101:8201 https://10.5.0.102:8201 https://10.5.0.103:8201]
last_reindex_epoch             1637611594
last_remote_wal                

### DR Secondary

#### Init Vault `init.sh` - DR Secondary

In [106]:
printf "Init vault_s5 \n"
docker exec \
  -e VAULT_ADDR=http://localhost:8200 \
  vault_s5 vault operator init -format=json -n 1 -t 1 > /tmp/vault_drsecondary.init

Init vault_s5 


In [107]:
export root_token3=$(jq -r '.root_token' /tmp/vault_drsecondary.init)
printf "Root VAULT TOKEN 3 is: $root_token3 \n"

export unseal_key3=$(cat /tmp/vault_drsecondary.init | jq -r '.unseal_keys_b64[0]')
printf "Unseal Key 3 is:       ${unseal_key3}\n"

Root VAULT TOKEN 3 is: s.Zcti5gBesh1VQhjd1Cz5Yslw 
Unseal Key 3 is:       28tg4cIQJJfbmhbj9ALRMD7XWLwSuPT7fEaVgxpL5pA=


#### Unseal Vault `unseal.sh` - DR Secondary

In [108]:
for i in {5..5}; do
docker exec -i vault_s${i} sh <<EOM
export VAULT_ADDR=http://localhost:8200
vault operator unseal ${unseal_key3}
EOM
done

Key                     Value
---                     -----
Seal Type               shamir
Initialized             true
Sealed                  false
Total Shares            1
Threshold               1
Version                 1.8.5+ent
Storage Type            raft
Cluster Name            vault-cluster-a09cb24f
Cluster ID              d48be479-ec63-2e05-dac3-fd767d63e419
HA Enabled              true
HA Cluster              n/a
HA Mode                 standby
Active Node Address     <none>
Raft Committed Index    55
Raft Applied Index      55


#### Verify Vault - DR Secondary

In [109]:
docker exec -i vault_s5 sh <<EOM
export VAULT_TOKEN=$root_token3
vault token lookup
vault status
vault version
vault operator raft list-peers
EOM

Key                 Value
---                 -----
accessor            a2tTLsYDD6GFhxdovJpp7F8y
creation_time       1637614705
creation_ttl        0s
display_name        root
entity_id           n/a
expire_time         <nil>
explicit_max_ttl    0s
id                  s.Zcti5gBesh1VQhjd1Cz5Yslw
meta                <nil>
num_uses            0
orphan              true
path                auth/token/root
policies            [root]
ttl                 0s
type                service
Key                     Value
---                     -----
Seal Type               shamir
Initialized             true
Sealed                  false
Total Shares            1
Threshold               1
Version                 1.8.5+ent
Storage Type            raft
Cluster Name            vault-cluster-a09cb24f
Cluster ID              d48be479-ec63-2e05-dac3-fd767d63e419
HA Enabled              true
HA Cluster              https://10.5.0.105:8201
HA Mode                 active
Active Since            2021-11-22T2

### Enable Replication on Secondary - DR

In [110]:
echo $root_token3
echo $drSecondaryToken

s.Zcti5gBesh1VQhjd1Cz5Yslw
eyJhbGciOiJFUzUxMiIsInR5cCI6IkpXVCJ9.eyJhY2Nlc3NvciI6IiIsImFkZHIiOiJodHRwOi8vMTAuNS4wLjEwMTo4MjAwIiwiZXhwIjoxNjM3NjE2MzA0LCJpYXQiOjE2Mzc2MTQ1MDQsImp0aSI6InMuZTdTSEJRNUk2QnBwek1OcDZjd2RTVjBmIiwibmJmIjoxNjM3NjE0NDk5LCJ0eXBlIjoid3JhcHBpbmcifQ.AWHGWmQEz8pX7nIu3LXS5LuJyVbquboIBGxUyJYx1d6dParCqWCJJBqVy-WnGIa22xVDopcTU5lDg3dxph9GiJosADN7iyS4iR4s-6Eo9lkpzNAYHZW7G3d69gZ4iL_y4zLEvJxBpFUD0QSOMvoxOwbT7eUPjze5aOicXvbQWaV3SiTG


In [111]:
docker exec -i vault_s5 sh <<EOM
printf "#==> Enable DR as secondary\n"
export VAULT_TOKEN=$root_token3
vault write sys/replication/dr/secondary/enable token=$drSecondaryToken
EOM

#==> Enable DR as secondary

  * Vault has successfully found secondary information; it may take a while to
  perform setup tasks. Vault will be unavailable until these tasks and initial
  sync complete.



In [112]:
printf "\n#==> Status of PR Primary\n"
vault read sys/replication/performance/status || true
printf "\n#==> Status of PR Secondary\n"
docker exec vault_s4 sh -c "vault read sys/replication/performance/status || true"
printf "\n#==> Status of DR Primary\n"
vault read sys/replication/dr/status || true
printf "\n#==> Status of DR Secondary\n"
docker exec vault_s5 sh -c "vault read sys/replication/dr/status || true"


#==> Status of PR Primary
[0mKey                     Value
---                     -----
cluster_id              f7356c57-ddfd-16c5-49ed-0f608e2e7ef0
known_secondaries       [perfsec]
last_performance_wal    462
last_reindex_epoch      0
last_wal                521
merkle_root             8308d4f0c8bfd70a678ffe9f4ab27ebebeae093f
mode                    primary
primary_cluster_addr    n/a
secondaries             [map[api_address:http://10.5.0.104:8200 cluster_address:https://10.5.0.104:8201 connection_status:connected last_heartbeat:2021-11-22T20:59:49Z node_id:perfsec]]
state                   running[0m

#==> Status of PR Secondary
Key                            Value
---                            -----
cluster_id                     f7356c57-ddfd-16c5-49ed-0f608e2e7ef0
connection_state               ready
known_primary_cluster_addrs    [https://10.5.0.101:8201 https://10.5.0.102:8201 https://10.5.0.103:8201]
last_reindex_epoch             1637611594
last_remote_wal               

### Promote Secondary - DR

#### Batch Token for Replication Operations

Create a policy named "`dr-secondary-promotion`".

https://learn.hashicorp.com/tutorials/vault/disaster-recovery#dr-operation-token-strategy

In [83]:
vault policy write dr-secondary-promotion - <<EOF
path "sys/replication/dr/secondary/promote" {
  capabilities = [ "update" ]
}

# To update the primary to connect
path "sys/replication/dr/secondary/update-primary" {
    capabilities = [ "update" ]
}

# Only if using integrated storage (raft) as the storage backend
# To read the current autopilot status
path "sys/storage/raft/autopilot/state" {
    capabilities = [ "update" , "read" ]
}
EOF

[0mSuccess! Uploaded policy: dr-secondary-promotion[0m


Create a token role named "`failover-handler`" with the `dr-secondary-promotion` policy attached and its type should be `batch`.

In [85]:
vault write auth/token/roles/failover-handler \
    allowed_policies=dr-secondary-promotion \
    orphan=true \
    renewable=false \
    token_type=batch

[0mSuccess! Data written to: auth/token/roles/failover-handler[0m


Create a token for role, "`failover-handler`" with time-to-live (TTL) set to 8 hours.

In [94]:
vault token create -format=json -role=failover-handler -ttl=8h | tee /tmp/bToken.out | jq .auth
bToken=$(jq -r .auth.client_token /tmp/bToken.out)

[1;39m{
  [0m[34;1m"client_token"[0m[1;39m: [0m[0;32m"b.AAAAAQIyecRVPBJv0HOsym8L-8Pxcu1qxF7FuPdf14lbMFl-_3rGP7SYOzWDIKkEHdFVIdt4-eX4Xwycpoi-Klogbq_KdgIWGvmKRvN6zh_-cK6GxvtuYr_iLXaXEqKBRobE_uNuer246-C9d2YMzC4VTWL5MOzuqRGhcJsD2NKVvxBd0id0zTN4g2lKiuxxuV-1pggR2Q"[0m[1;39m,
  [0m[34;1m"accessor"[0m[1;39m: [0m[0;32m""[0m[1;39m,
  [0m[34;1m"policies"[0m[1;39m: [0m[1;39m[
    [0;32m"default"[0m[1;39m,
    [0;32m"dr-secondary-promotion"[0m[1;39m
  [1;39m][0m[1;39m,
  [0m[34;1m"token_policies"[0m[1;39m: [0m[1;39m[
    [0;32m"default"[0m[1;39m,
    [0;32m"dr-secondary-promotion"[0m[1;39m
  [1;39m][0m[1;39m,
  [0m[34;1m"identity_policies"[0m[1;39m: [0m[1;30mnull[0m[1;39m,
  [0m[34;1m"metadata"[0m[1;39m: [0m[1;30mnull[0m[1;39m,
  [0m[34;1m"orphan"[0m[1;39m: [0m[0;39mtrue[0m[1;39m,
  [0m[34;1m"entity_id"[0m[1;39m: [0m[0;32m""[0m[1;39m,
  [0m[34;1m"lease_duration"[0m[1;39m: [0m[0;39m28800[0m[1;39m,
  [0m[34;1m"re

Promote the DR secondary (Cluster B) to become the new primary. The request must pass the DR operation token.

In [113]:
docker exec vault_s5 \
  sh -c "vault write sys/replication/dr/secondary/promote dr_operation_token=$bToken"


  * This cluster is being promoted to a replication primary. Vault will be
  unavailable for a brief period and will resume service shortly.



Sample Output:
```
WARNING! The following warnings were returned from Vault:

  * This cluster is being promoted to a replication primary. Vault will be
  unavailable for a brief period and will resume service shortly.
```

## haproxy - Load Balancer

In this section, we will set up haproxy to provide performance and high-availability for Vault. Client requests sent to haproxy for Vault will treated the following way:

* `GET` requests will be round-robined to all Vault nodes
* Non-`GET` requests will be sent only to the active Vault node.

### Prerequisites

* [Vault Cluster](#Vault-Setup---Primary)

### Bring up the load balancer

In [271]:
docker-compose -f docker-compose-hashi.yml \
  -f docker-compose-proxy.yml up --force-recreate -d \
  haproxy

Creating haproxy ... 
[1Bting haproxy ... [32mdone[0m

### Validate

In [19]:
export VAULT_TOKEN=$(cat /tmp/vault.init | jq -r '.root_token')

#### Write test

Send POST (Write) request - Should go to "active" backend

In [275]:
curl -H "X-Vault-Token: ${VAULT_TOKEN}" \
  -X POST \
  -d '{"data":{"foo":"bar"}}' \
  http://127.0.0.1:18200/v1/kv/data/game/account | jq -c
docker logs haproxy 2>&1 | tail -n 1

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100    22    0     0  100    22      0    107 --:--:-- --:--:-- --:--:--   107
10.5.0.1:47272 [16/Nov/2021:00:12:46.754] primary_cluster_api primary_cluster_active_api/vault-active 0/1/203 289 -- 1/1/0/0/0 0/0


This should go to active server from `primary_cluster_active_api` backend.
```
... primary_cluster_api primary_cluster_active_api/vault-active 0/1/252 389 -- 1/1/0/0/0 0/0
```

#### Read test

Send several GET (Read) requests - Should go to different nodes in "read" backend.

In [276]:
for i in {1..9}; do
curl -s -H "X-Vault-Token: ${VAULT_TOKEN}" \
  -X GET \
  http://127.0.0.1:18200/v1/kv/data/game/account | jq -c .data.data
docker logs haproxy 2>&1 | tail -n 1
done

[1;39m{[0m[34;1m"foo"[0m[1;39m:[0m[0;32m"bar"[0m[1;39m[1;39m}[0m
10.5.0.1:47534 [16/Nov/2021:00:13:15.847] primary_cluster_api vault_read/vault-any1 0/1/3 319 -- 1/1/0/0/0 0/0
[1;39m{[0m[34;1m"foo"[0m[1;39m:[0m[0;32m"bar"[0m[1;39m[1;39m}[0m
10.5.0.1:47540 [16/Nov/2021:00:13:16.081] primary_cluster_api vault_read/vault-any2 0/1/3 319 -- 1/1/0/0/0 0/0
[1;39m{[0m[34;1m"foo"[0m[1;39m:[0m[0;32m"bar"[0m[1;39m[1;39m}[0m
10.5.0.1:47548 [16/Nov/2021:00:13:16.315] primary_cluster_api vault_read/vault-any3 0/0/2 319 -- 1/1/0/0/0 0/0
[1;39m{[0m[34;1m"foo"[0m[1;39m:[0m[0;32m"bar"[0m[1;39m[1;39m}[0m
10.5.0.1:47556 [16/Nov/2021:00:13:16.555] primary_cluster_api vault_read/vault-any1 0/1/3 319 -- 1/1/0/0/0 0/0
[1;39m{[0m[34;1m"foo"[0m[1;39m:[0m[0;32m"bar"[0m[1;39m[1;39m}[0m
10.5.0.1:47562 [16/Nov/2021:00:13:16.787] primary_cluster_api vault_read/vault-any2 0/0/2 319 -- 1/1/0/0/0 0/0
[1;39m{[0m[34;1m"foo"[0m[1;39m:[0m[0;32m"bar"[0m[1;39m[

This should go to any server from `vault_read` backend
```
... primary_cluster_api vault_read/vault_s2 0/0/6 423 -- 1/1/0/0/0 0/0
```

More info:

* https://learn.hashicorp.com/tutorials/consul/load-balancing-haproxy

### Reload haproxy

If you make changes to `haproxy.cfg`, you can reload `haproxy`.

In [183]:
docker kill -s HUP haproxy

haproxy


## Clean Up

If you are done with your tests, you might want to shut everything down to reduce your heating bills.

### docker-compose down - everything

In [100]:
CONSUL_DC=west
CONSUL_DC_2=east
export COMPOSE_PROJECT_NAME=hashi
export COMPOSE_FILE=docker-compose-hashi.yml:docker-compose-proxy.yml:docker-compose-vault.yml:docker-compose.yml

In [205]:
docker-compose down

Stopping consul-server-4 ... 
Stopping consul-server-5 ... 
Stopping consul-server-3 ... 
Stopping consul-agent-1  ... 
Stopping consul-server-0 ... 
Stopping consul-server-1 ... 
Stopping consul-server-2 ... 
[5BRemoving consul-server-4 ... mdone[0m
Removing consul-server-5 ... 
Removing consul-server-3 ... 
Removing consul-agent-1  ... 
Removing consul-server-0 ... 
Removing consul-server-1 ... 
Removing consul-server-2 ... 
[1BRemoving network hashi_vpcbr2mdone[0m
Removing network hashi_default


## DEBUGGING

### Review logs

Review consul logs - for docker

In [49]:
for i in {0..3}; do
printf "docker logs consul-server-${i}\n"
docker logs consul-server-${i} | { head ; tail -n 3;}
printf "\n"
done

docker logs consul-server-0
==> Starting Consul agent...
           Version: '1.9.11+ent'
           Node ID: '2c965ad0-5042-424c-259c-a5781d001d28'
         Node name: 'consul-server-0'
        Datacenter: 'west' (Segment: '<all>')
            Server: true (Bootstrap: false)
       Client Addr: [0.0.0.0] (HTTP: 8500, HTTPS: -1, gRPC: -1, DNS: 8600)
      Cluster Addr: 10.5.0.2 (LAN: 8301, WAN: 8302)
           Encrypt: Gossip: true, TLS-Outgoing: true, TLS-Incoming: true, Auto-Encrypt-TLS: false

2021-11-15T17:05:52.955Z [WARN]  agent: Check socket connection failed: check=default/_nomad-check-01bd2cc7d206e8b625724dc0222789c02df5c4af error="dial tcp 0.0.0.0:4648: connect: connection refused"
2021-11-15T17:05:52.955Z [WARN]  agent: Check is now critical: check=default/_nomad-check-01bd2cc7d206e8b625724dc0222789c02df5c4af
2021-11-15T17:05:52.957Z [WARN]  agent: Check is now critical: check=default/_nomad-check-30f7971e26a03d0e2767122f7edfaaca35f8e001

docker logs consul-server-1
==> Sta

## Appendix

### Addresses


| Name | Address | Description |
| :--- | --- | --- |
| Consul | http://192.168.17.101:8500 | Consul Dashboard
| Nomad | http://192.168.17.101:4646 | Nomad Dashboard
| Vault | http://192.168.17.101:8200 | Vault Dashboard
| haproxy stats | http://192.168.17.101:11936 | haproxy Consul Dashboard
| haproxy - Consul | http://192.168.17.101:18500 | haproxy Consul Dashboard
| haproxy - Nomad | http://192.168.17.101:14646 | haproxy Nomad Dashboard
| haproxy - Vault | http://192.168.17.101:18200 | haproxy Vault Dashboard
| | |
| demo-webapp | http://192.168.17.101:8080 | web - shows db creds
| Consul 2 | http://192.168.17.101:8520 | Consul Dashboard
| Vault PR Secondary | http://192.168.17.101:8210 | Vault Dashboard
| Vault DR Secondary | http://192.168.17.101:8220 | Vault Dashboard
| Prometheus | http://192.168.17.101:9090 | Prometheus Dashboard
| Grafana | http://192.168.17.101:3000 | Grafana Dashboard

### Passwords

In [449]:
printf "\n*** Please Run: export VAULT_TOKEN=${VAULT_TOKEN} \n"


*** Please Run: export VAULT_TOKEN=s.jmfqk77VgiiecID6jlrcgygq 


### Directory Structure

In [5]:
tree

.
├── README.md
├── apache
│   ├── 1
│   │   ├── Dockerfile
│   │   └── index.html
│   └── 2
│       ├── Dockerfile
│       └── index.html
├── consul
│   ├── cert
│   │   ├── client
│   │   │   ├── consul-agent-ca.pem
│   │   │   ├── west-client-consul-0-key.pem
│   │   │   └── west-client-consul-0.pem
│   │   └── server
│   │       ├── consul-agent-ca.pem
│   │       ├── consul.hclic
│   │       ├── west-server-consul-0-key.pem
│   │       └── west-server-consul-0.pem
│   ├── config
│   │   ├── acl.hcl
│   │   ├── server.hcl
│   │   ├── server0.hcl
│   │   ├── server1.hcl
│   │   ├── server2.hcl
│   │   ├── server4.hcl
│   │   └── server5.hcl
│   └── policies
├── consul-agent-ca-key.pem
├── consul-agent-ca.pem
├── docker
│   └── haproxy
│       └── haproxy.cfg
├── docker-compose-app.yml
├── docker-compose-consul-app.yml
├── docker-compose-hashi.yml
├── docker-compose-proxy.yml
├── docker-compose-scratch.yml
├── docker-compose.yml
├── grafana
│   ├── dashboards
│   │   ├── alerts.yaml


Sample Output for tree
<details><summary></summary>

```
.
├── README.md
├── consul
│   ├── cert
│   │   ├── client
│   │   │   ├── consul-agent-ca.pem
│   │   │   ├── west-client-consul-0-key.pem
│   │   │   └── west-client-consul-0.pem
│   │   └── server
│   │       ├── consul-agent-ca.pem
│   │       ├── consul.hclic
│   │       ├── west-server-consul-0-key.pem
│   │       └── west-server-consul-0.pem
│   ├── config
│   │   ├── acl.hcl
│   │   ├── server.hcl
│   │   ├── server0.hcl
│   │   ├── server1.hcl
│   │   ├── server2.hcl
│   │   ├── server4.hcl
│   │   └── server5.hcl
│   └── policies
├── consul-agent-ca-key.pem
├── consul-agent-ca.pem
├── docker
│   └── haproxy
│       └── haproxy.cfg
├── docker-compose-app.yml
├── docker-compose-consul-app.yml
├── docker-compose-hashi.yml
├── docker-compose-proxy.yml
├── docker-compose-scratch.yml
├── docker-compose.yml
├── grafana
│   ├── dashboards
│   │   ├── alerts.yaml
│   │   ├── consul-server-monitoring_rev3.json
│   │   ├── node-exporter-full_rev22.json
│   │   ├── rules.yaml
│   │   ├── tempo-operational.json
│   │   ├── tempo-reads.json
│   │   ├── tempo-resources.json
│   │   └── tempo-writes.json
│   └── provisioning
│       ├── dashboards
│       │   └── dashboards.yaml
│       └── datasources
│           └── datasource.yml
├── haproxy
│   ├── haproxy.cfg
│   └── haproxy.cfg.txt2
├── hashi_troubleshooting.ipynb
└── vault
    ├── config
    │   ├── vault_s1
    │   │   └── server1.hcl
    │   ├── vault_s2
    │   │   └── server2.hcl
    │   └── vault_s3
    │       └── server3.hcl
    └── logs
        ├── vault_s1
        ├── vault_s2
        ├── vault_s3
        └── vaults_s3
```
</details>

### Resources

* https://learn.hashicorp.com/tutorials/consul/deployment-guide

Vault
* [Vault DR Operation Token Strategy](https://learn.hashicorp.com/tutorials/vault/disaster-recovery#dr-operation-token-strategy)

# Advanced Use Cases

## Consul Auto Upgrade

Modify `docker-compose-hashi.yml`. For consul-server-3, 4, and 5, comment the image parameter for `1.9` and uncomment the one for `latest`.

```yaml
    # image: hashicorp/consul-enterprise:1.9-ent
    image: hashicorp/consul-enterprise:latest
```

Start consul-server-3 consul-server-4 consul-server-5

In [99]:
docker-compose -f docker-compose-hashi.yml up --force-recreate -d \
  consul-server-3 consul-server-4 consul-server-5

Recreating consul-server-4 ... 
Recreating consul-server-3 ... 
Recreating consul-server-5 ... 
[3Beating consul-server-4 ... [32mdone[0m

Verify Consul

In [103]:
printf "#==> List Members\n"
consul members
# curl http://127.0.0.1:8500/v1/agent/members | jq -c .[]
printf "\n#==> List Raft Peers\n"
consul operator raft list-peers

#==> List Members
Node             Address         Status  Type    Build       Protocol  DC    Segment
consul-server-0  10.5.0.2:8301   alive   server  1.9.11+ent  2         west  <all>
consul-server-1  10.5.0.3:8301   alive   server  1.9.11+ent  2         west  <all>
consul-server-2  10.5.0.4:8301   alive   server  1.9.11+ent  2         west  <all>
consul-server-3  10.5.0.5:8301   alive   server  1.10.4+ent  2         west  <all>
consul-server-4  10.5.0.6:8301   alive   server  1.10.4+ent  2         west  <all>
consul-server-5  10.5.0.7:8301   alive   server  1.10.4+ent  2         west  <all>
App1             10.5.0.12:8301  alive   client  1.9.11+ent  2         west  <default>

#==> List Raft Peers
Node             ID                                    Address        State     Voter  RaftProtocol
consul-server-0  bf8054d2-57da-128c-1a0e-b81ab694105d  10.5.0.2:8300  follower  false  3
consul-server-2  3c60ff6c-3836-9f3a-627c-80370f71b172  10.5.0.4:8300  follower  false  3
consul-serve

## Consul Redundancy Zones

> NOTE: This is an Enterprise only feature.

You will configure fault resiliency for Consul using redundancy zones.

Redunancy zones is a Consul autopilot feature that makes it possible to run:
* **one voter** and any number of non-voters in each defined zone.

You will set up one voter and one non-voter in three regions.
* If one zone is completely lost, both the the voter and non-voters will be lost.
  * However, the the cluster will remain available.
* If only the voter is lost in a zone, autopilot will promote the non-voter to voter automatically.
  * Puts the hot standby server into service quickly.

You will implement isolated failure domains such as AWS Availability Zones to obtain redundancy within an AZ with less overhead sustained by a larger quorum.

#### Prerequisites

You will need:
* A Consul Enterprise cluster with three servers. See `Consul Setup`.
* Three extre nodes to be used as non-voters.

#### Create Consul config for Redundancy Zone.

This is for the three servers currently running. 

In [208]:
for i in {0..2}; do
docker exec -i consul-server-${i} sh <<EOM
cat > /consul/config/rz.hcl <<EOF
node_meta {
  zone = "zone${i}"
}
EOF
cat /consul/config/rz.hcl
consul reload
EOM
done

node_meta {
  zone = "zone0"
}
Configuration reload triggered
node_meta {
  zone = "zone1"
}
Configuration reload triggered
node_meta {
  zone = "zone2"
}
Configuration reload triggered


* `node_meta` allows us to add a tag `zone` to a server
* `consul reload` triggers a reload of the configuration files. 

Verify the configuration is in place using the `/agent/self` API endpoint.

In [209]:
for i in {0..2}; do
docker exec consul-server-${i} curl -s localhost:8500/v1/agent/self | jq ". | .Config, .Meta"
done

[1;39m{
  [0m[34;1m"Datacenter"[0m[1;39m: [0m[0;32m"west"[0m[1;39m,
  [0m[34;1m"NodeName"[0m[1;39m: [0m[0;32m"consul-server-0"[0m[1;39m,
  [0m[34;1m"NodeID"[0m[1;39m: [0m[0;32m"e806a53e-6df4-bbb0-b437-ff6363dfa248"[0m[1;39m,
  [0m[34;1m"Revision"[0m[1;39m: [0m[0;32m"3879c342"[0m[1;39m,
  [0m[34;1m"Server"[0m[1;39m: [0m[0;39mtrue[0m[1;39m,
  [0m[34;1m"Version"[0m[1;39m: [0m[0;32m"1.9.11+ent"[0m[1;39m
[1;39m}[0m
[1;39m{
  [0m[34;1m"consul-network-segment"[0m[1;39m: [0m[0;32m""[0m[1;39m,
  [0m[34;1m"zone"[0m[1;39m: [0m[0;32m"zone0"[0m[1;39m
[1;39m}[0m
[1;39m{
  [0m[34;1m"Datacenter"[0m[1;39m: [0m[0;32m"west"[0m[1;39m,
  [0m[34;1m"NodeName"[0m[1;39m: [0m[0;32m"consul-server-1"[0m[1;39m,
  [0m[34;1m"NodeID"[0m[1;39m: [0m[0;32m"e79d2f7e-8497-dc29-3d42-a8ef52dbaf9a"[0m[1;39m,
  [0m[34;1m"Revision"[0m[1;39m: [0m[0;32m"3879c342"[0m[1;39m,
  [0m[34;1m"Server"[0m[1;39m: [0m[0;39mtrue[0m[

We check all three servers. We use `docker exec` since only one server container is exposing ports.

Expected Output
```json
...
{
  "consul-network-segment": "",
  "zone": "zone0"
}
...
```

#### Update Consul autopilot configuration

Update Consul autopilot configuration so it knows which `node_meta` tag is used for `-redundancy-zone-tag`.

In [210]:
#// Confirm nothing is currently set.
consul operator autopilot get-config | grep Redundancy

RedundancyZoneTag = ""


```
RedundancyZoneTag = ""
```

In [211]:
consul operator autopilot set-config -redundancy-zone-tag=zone

Configuration updated!


#### Verify autopilot updates

In [212]:
consul operator autopilot get-config

CleanupDeadServers = true
LastContactThreshold = 200ms
MaxTrailingLogs = 250
MinQuorum = 0
ServerStabilizationTime = 10s
RedundancyZoneTag = "zone"
DisableUpgradeMigration = false
UpgradeVersionTag = ""


Sample Output
```shell
CleanupDeadServers = true
LastContactThreshold = 200ms
MaxTrailingLogs = 250
MinQuorum = 0
ServerStabilizationTime = 10s
RedundancyZoneTag = "zone"   <==---
DisableUpgradeMigration = false
UpgradeVersionTag = ""
```

#### Create Consul config - Redundancy Zone for new nodes

In [145]:
for i in {0..2}; do
cat > consul/config/rz-${i}.hcl <<-EOF
node_meta {
  zone = "zone${i}"
}
autopilot {
  redundancy_zone_tag = "zone"
}
EOF
done

Server 3, 4, and 5 are used for various scenarios. In this scenario, we can reuse the configs from the first cluster.

In [213]:
cp consul/config/server.hcl consul/config/server_dc2.hcl

Click here if you want to view the config files.
* [server.hcl](./consul/config/server.hcl)
* [server_dc2.hcl](./consul/config/server_dc2.hcl)

Modify [docker-compose-hashi.yml](docker-compose-hashi.yml). For `consul-server-3`, uncomment the image parameter for `1.9` and comment the one for `latest`. Servers 4 and 5 will inherit the settings.

```yaml
    image: hashicorp/consul-enterprise:1.9-ent
    # image: hashicorp/consul-enterprise:latest
```

#### Bring up new Consul nodes

Start consul-server-3 consul-server-4 consul-server-5

In [215]:
CONSUL_DC=west CONSUL_DC_2=west
docker-compose up --force-recreate -d \
  consul-server-3 consul-server-4 consul-server-5

Recreating consul-server-3 ... 
[1BRecreating consul-server-5 ... mdone[0m
Recreating consul-server-4 ... 
[2Beating consul-server-5 ... [32mdone[0m

Verify Consul with `operator` subcommand.

In [217]:
printf "#==> List Members\n"
consul members
# curl http://127.0.0.1:8500/v1/agent/members | jq -c .[]
printf "\n#==> List Raft Peers\n"
consul operator raft list-peers

#==> List Members
Node             Address         Status  Type    Build       Protocol  DC    Segment
consul-server-0  10.5.0.2:8301   alive   server  1.9.11+ent  2         west  <all>
consul-server-1  10.5.0.3:8301   alive   server  1.9.11+ent  2         west  <all>
consul-server-2  10.5.0.4:8301   alive   server  1.9.11+ent  2         west  <all>
consul-server-3  10.5.1.2:8301   alive   server  1.9.11+ent  2         west  <all>
consul-server-4  10.5.1.3:8301   alive   server  1.9.11+ent  2         west  <all>
consul-server-5  10.5.1.4:8301   alive   server  1.9.11+ent  2         west  <all>
App1             10.5.0.12:8301  alive   client  1.9.11+ent  2         west  <default>

#==> List Raft Peers
Node             ID                                    Address        State     Voter  RaftProtocol
consul-server-2  c9579a8b-1d94-412a-775c-b7c933340beb  10.5.0.4:8300  leader    true   3
consul-server-1  e79d2f7e-8497-dc29-3d42-a8ef52dbaf9a  10.5.0.3:8300  follower  true   3
consul-serve

Sample Output
```
#==> List Members
Node             Address         Status  Type    Build       Protocol  DC    Segment
consul-server-0  10.5.0.2:8301   alive   server  1.9.11+ent  2         west  <all>
consul-server-1  10.5.0.3:8301   alive   server  1.9.11+ent  2         west  <all>
consul-server-2  10.5.0.4:8301   alive   server  1.9.11+ent  2         west  <all>
consul-server-3  10.5.0.7:8301   alive   server  1.9.11+ent  2         west  <all>
consul-server-4  10.5.0.6:8301   alive   server  1.9.11+ent  2         west  <all>
consul-server-5  10.5.0.5:8301   alive   server  1.9.11+ent  2         west  <all>
App1             10.5.0.12:8301  alive   client  1.9.11+ent  2         west  <default>

#==> List Raft Peers
Node             ID                                    Address        State     Voter  RaftProtocol
consul-server-0  bf8054d2-57da-128c-1a0e-b81ab694105d  10.5.0.2:8300  follower  true   3
consul-server-1  d7e82aa0-2fa0-9308-5970-44e839786d2b  10.5.0.3:8300  leader    true   3
consul-server-2  3c60ff6c-3836-9f3a-627c-80370f71b172  10.5.0.4:8300  follower  true   3
consul-server-5  b9c2c042-b161-3085-f417-d5739e6cbb50  10.5.0.5:8300  follower  false  3
consul-server-4  21c6c18d-b89d-edca-4f8e-011cbb244036  10.5.0.6:8300  follower  false  3
consul-server-3  524afd65-feea-79f2-1431-09b6dbbb8c05  10.5.0.7:8300  follower  false  3
```

* **NOTE:** All the new servers, once started, are added to the datacenter as non-voters (`Voter` = `false`). You can reference the Voter column in the output to verify it.

#### Test fault tolerance

Stop one of the voters. We use `consul-server-1` from `zone1`.

In [218]:
docker stop consul-server-1

consul-server-1


Verify that the correspondent non-voter in its redundancy zone gets promoted as a voter as soon as the server gets declared unhealthy.

In [221]:
consul operator raft list-peers

Node             ID                                    Address        State     Voter  RaftProtocol
consul-server-2  c9579a8b-1d94-412a-775c-b7c933340beb  10.5.0.4:8300  leader    true   3
consul-server-0  e806a53e-6df4-bbb0-b437-ff6363dfa248  10.5.0.2:8300  follower  true   3
consul-server-3  db77eacd-74e8-61a0-76ff-57e58e5e19c1  10.5.1.2:8300  follower  false  3
consul-server-5  4973271d-ac29-982d-f4fb-ccf709259f04  10.5.1.4:8300  follower  false  3
consul-server-4  7dac748a-00cc-5c8d-1bbd-a6d214909407  10.5.1.3:8300  follower  true   3


```shell
Node             ID                                    Address        State     Voter  RaftProtocol
consul-server-0  bf8054d2-57da-128c-1a0e-b81ab694105d  10.5.0.2:8300  leader    true   3
consul-server-2  3c60ff6c-3836-9f3a-627c-80370f71b172  10.5.0.4:8300  follower  true   3
consul-server-5  b9c2c042-b161-3085-f417-d5739e6cbb50  10.5.0.5:8300  follower  false  3
consul-server-4  21c6c18d-b89d-edca-4f8e-011cbb244036  10.5.0.6:8300  follower  true   3   <==---
consul-server-3  524afd65-feea-79f2-1431-09b6dbbb8c05  10.5.0.7:8300  follower  false  3
```

* `consul-server-4` from `zone1` is now a voter

Once `server-server-4` gets promoted as a voter you can start Consul on `consul-server-1` again and verify the one voter per redundancy zone rule is still respected.

In [222]:
docker start consul-server-1

consul-server-1


In [223]:
consul operator raft list-peers

Node             ID                                    Address        State     Voter  RaftProtocol
consul-server-2  c9579a8b-1d94-412a-775c-b7c933340beb  10.5.0.4:8300  leader    true   3
consul-server-0  e806a53e-6df4-bbb0-b437-ff6363dfa248  10.5.0.2:8300  follower  true   3
consul-server-3  db77eacd-74e8-61a0-76ff-57e58e5e19c1  10.5.1.2:8300  follower  false  3
consul-server-5  4973271d-ac29-982d-f4fb-ccf709259f04  10.5.1.4:8300  follower  false  3
consul-server-4  7dac748a-00cc-5c8d-1bbd-a6d214909407  10.5.1.3:8300  follower  true   3
consul-server-1  e79d2f7e-8497-dc29-3d42-a8ef52dbaf9a  10.5.0.3:8300  follower  false  3


```shell
Node             ID                                    Address        State     Voter  RaftProtocol
consul-server-0  bf8054d2-57da-128c-1a0e-b81ab694105d  10.5.0.2:8300  leader    true   3
consul-server-2  3c60ff6c-3836-9f3a-627c-80370f71b172  10.5.0.4:8300  follower  true   3
consul-server-5  b9c2c042-b161-3085-f417-d5739e6cbb50  10.5.0.5:8300  follower  false  3
consul-server-4  21c6c18d-b89d-edca-4f8e-011cbb244036  10.5.0.6:8300  follower  true   3
consul-server-3  524afd65-feea-79f2-1431-09b6dbbb8c05  10.5.0.7:8300  follower  false  3
consul-server-1  d7e82aa0-2fa0-9308-5970-44e839786d2b  10.5.0.3:8300  follower  false  3   <==---
```

**NOTE:** `consul-server` is up as a `follower`, but is no longer a `voter`.

If you no longer need these nodes you can stop them.

Stop consul-server-3 consul-server-4 consul-server-5

In [224]:
for i in {3..5}; do
echo "#==> Stopping consul-server-${i}"
docker-compose stop consul-server-${i}
consul operator raft list-peers
sleep 2
done

#==> Stopping consul-server-3
Stopping consul-server-3 ... 
[1BNode             ID                                    Address        State     Voter  RaftProtocol
consul-server-2  c9579a8b-1d94-412a-775c-b7c933340beb  10.5.0.4:8300  leader    true   3
consul-server-0  e806a53e-6df4-bbb0-b437-ff6363dfa248  10.5.0.2:8300  follower  true   3
consul-server-3  db77eacd-74e8-61a0-76ff-57e58e5e19c1  10.5.1.2:8300  follower  false  3
consul-server-5  4973271d-ac29-982d-f4fb-ccf709259f04  10.5.1.4:8300  follower  false  3
consul-server-4  7dac748a-00cc-5c8d-1bbd-a6d214909407  10.5.1.3:8300  follower  true   3
consul-server-1  e79d2f7e-8497-dc29-3d42-a8ef52dbaf9a  10.5.0.3:8300  follower  false  3
#==> Stopping consul-server-4
Stopping consul-server-4 ... 
[1BNode             ID                                    Address        State     Voter  RaftProtocol
consul-server-2  c9579a8b-1d94-412a-775c-b7c933340beb  10.5.0.4:8300  leader    true   3
consul-server-0  e806a53e-6df4-bbb0-b437-ff6363df

In [225]:
consul operator raft list-peers

Node             ID                                    Address        State     Voter  RaftProtocol
consul-server-2  c9579a8b-1d94-412a-775c-b7c933340beb  10.5.0.4:8300  leader    true   3
consul-server-0  e806a53e-6df4-bbb0-b437-ff6363dfa248  10.5.0.2:8300  follower  true   3
consul-server-1  e79d2f7e-8497-dc29-3d42-a8ef52dbaf9a  10.5.0.3:8300  follower  true   3


Troubleshooting

* https://learn.hashicorp.com/tutorials/consul/gossip-encryption-rotate

In [200]:
export CONSUL_HTTP_ADDR="http://localhost:8500"
export NEW_KEY=`consul keygen`
echo $NEW_KEY

for i in {0..5}; do
docker exec -i consul-server-${i} sh <<EOM
# Install the key
consul keyring -install ${NEW_KEY}

# Set as primary
consul keyring -use ${NEW_KEY}
EOM
done

/Sg6cdBFNLj3umIiEEb56Bebv86PhAYYYS3XV2Z+9I4=
==> Installing new gossip encryption key...
==> Changing primary gossip encryption key...
==> Installing new gossip encryption key...
==> Changing primary gossip encryption key...
==> Installing new gossip encryption key...
==> Changing primary gossip encryption key...
==> Installing new gossip encryption key...
==> Changing primary gossip encryption key...
==> Installing new gossip encryption key...
==> Changing primary gossip encryption key...
==> Installing new gossip encryption key...
==> Changing primary gossip encryption key...


In [204]:
for i in {0..5}; do
docker exec -i \
  -e CONSUL_HTTP_ADDR=$CONSUL_HTTP_ADDR \
  -e NEW_KEY=$NEW_KEY \
  consul-server-${i} \
  sh -s <<"EOM"
echo "#==> Retrieve all keys used by Consul"
echo "Host: $(hostname)"
KEYS=$(curl -s http://localhost:8500/v1/operator/keyring)
#echo Keys: $KEYS #DEBUGGING 
ALL_KEYS=$(echo ${KEYS} | jq -r '.[].Keys| to_entries[].key' | sort | uniq)

echo "#==> Delete all older keys used by Consul"
for i in `echo ${ALL_KEYS}`; do
  # echo $i #DEBUGGING
  if [ $i != ${NEW_KEY} ] ; then
    echo consul keyring -remove $i
    consul keyring -remove $i
  fi
done
EOM
done

#==> Retrieve all keys used by Consul
Host: consul-server-0
#==> Delete all older keys used by Consul
#==> Retrieve all keys used by Consul
Host: consul-server-1
#==> Delete all older keys used by Consul
#==> Retrieve all keys used by Consul
Host: consul-server-2
#==> Delete all older keys used by Consul
#==> Retrieve all keys used by Consul
Host: consul-server-3
#==> Delete all older keys used by Consul
#==> Retrieve all keys used by Consul
Host: consul-server-4
#==> Delete all older keys used by Consul
#==> Retrieve all keys used by Consul
Host: consul-server-5
jq: error (at <stdin>:1): Cannot iterate over number (1)
parse error: Invalid numeric literal at line 1, column 8
#==> Delete all older keys used by Consul


`last_log_index` and `commit_index`


## Consul Federation Using WAN Gossip

Create Core Consul config - Server

In [564]:
# for i in {3..5}; do
tee consul/config/server_dc2.hcl <<-EOF
# datacenter  = "dc1" # in CLI
# node_name   = "ConsulServer${i}" # in CLI
bind_addr   = "0.0.0.0" #default
client_addr = "0.0.0.0" #default 127.0.0.1
data_dir    = "/consul/data"

encrypt     = "${CONSUL_KEY}"
ca_file     = "/consul/cert/consul-agent-ca.pem"
cert_file   = "/consul/cert/${CONSUL_DC_2}-server-consul-0.pem"
key_file    = "/consul/cert/${CONSUL_DC_2}-server-consul-0-key.pem"
verify_incoming = true
verify_outgoing = true
verify_server_hostname = true

# server           =  true # in CLI
ui               = true
bootstrap_expect = 1
retry_join  = [
  "consul-server-3",
  "consul-server-4",
  "consul-server-5"
]
EOF
# done

# datacenter  = "dc1" # in CLI
# node_name   = "ConsulServer4" # in CLI
bind_addr   = "0.0.0.0" #default
client_addr = "0.0.0.0" #default 127.0.0.1
data_dir    = "/consul/data"

encrypt     = "WS/1KjlJkRNwSvrv1TXRvYaouwEw5+x8IvYrg9+5PjE="
ca_file     = "/consul/cert/consul-agent-ca.pem"
cert_file   = "/consul/cert/east-server-consul-0.pem"
key_file    = "/consul/cert/east-server-consul-0-key.pem"
verify_incoming = true
verify_outgoing = true
verify_server_hostname = true

# server           =  true # in CLI
ui               = true
bootstrap_expect = 1
retry_join  = [
  "consul-server-3",
  "consul-server-4",
  "consul-server-5"
]


#### Consul docker-compose up

We will now bring up the three Consul servers in a second Consul Cluster. You can use `--force-recreate` to have Docker recreate the containers.

In [567]:
export CONSUL_DC=west
export CONSUL_DC_2=east
docker-compose \
  up --force-recreate -d \
  consul-server-3 #consul-server-4 consul-server-5

Removing consul-server-3
Recreating 67f1ec0ca74e_consul-server-3 ... 
[1Beating 67f1ec0ca74e_consul-server-3 ... [32mdone[0m

#### Verify Consul

Quick check to make sure your Consul environment is running correctly.

In [575]:
docker exec -i consul-server-3 sh <<EOM
printf "#==> List Members\n"
consul members
# curl http://127.0.0.1:8500/v1/agent/members | jq -c .[]
printf "\n#==> List Raft Peers\n"
consul operator raft list-peers
printf "\n#==> List services from Consul catalog\n"
consul catalog services
EOM

#==> List Members
Node             Address        Status  Type    Build       Protocol  DC    Segment
consul-server-3  10.5.1.2:8301  alive   server  1.10.4+ent  2         east  <all>

#==> List Raft Peers
Node             ID                                    Address        State   Voter  RaftProtocol
consul-server-3  72b6b7a7-f253-f215-285d-0b6fb35923cb  10.5.1.2:8300  leader  true   3

#==> List services from Consul catalog
consul
vault


You should see something like the following.
```#==> List Members
Node             Address        Status  Type    Build       Protocol  DC    Segment
consul-server-3  10.5.1.2:8301  alive   server  1.10.4+ent  2         east  <all>
consul-server-4  10.5.1.3:8301  alive   server  1.10.4+ent  2         east  <all>
consul-server-5  10.5.1.4:8301  alive   server  1.10.4+ent  2         east  <all>
```

* There should be three servers. `DC` should match

```
#==> List Raft Peers
Node             ID                                    Address        State     Voter  RaftProtocol
consul-server-3  cff9fe90-1bfe-84a9-72cb-84f132297c32  10.5.1.2:8300  leader    true   3
consul-server-4  7b7d6e78-fc82-9ea7-4c99-e17d2be86439  10.5.1.3:8300  follower  true   3
consul-server-5  dd9fc878-7cd5-3b86-a122-bb2000c446f2  10.5.1.4:8300  follower  true   3
```

* There should be a leader and two followers.

```
#==> List services from Consul catalog
consul
```

In [576]:
consul members -wan

Node                  Address        Status  Type    Build       Protocol  DC    Segment
consul-server-0.west  10.5.0.2:8302  alive   server  1.9.11+ent  2         west  <all>
consul-server-1.west  10.5.0.3:8302  alive   server  1.9.11+ent  2         west  <all>
consul-server-2.west  10.5.0.4:8302  alive   server  1.9.11+ent  2         west  <all>


Join the servers

In [578]:
consul join -wan consul-server-3

Successfully joined cluster by contacting 1 nodes.


#### Verify Consul Federation

Once the join is complete, the members command can be used to verify that all server nodes gossiping over WAN.

In [579]:
consul members -wan

Node                  Address        Status  Type    Build       Protocol  DC    Segment
consul-server-0.west  10.5.0.2:8302  alive   server  1.9.11+ent  2         west  <all>
consul-server-1.west  10.5.0.3:8302  alive   server  1.9.11+ent  2         west  <all>
consul-server-2.west  10.5.0.4:8302  alive   server  1.9.11+ent  2         west  <all>
consul-server-3.east  10.5.1.2:8302  alive   server  1.10.4+ent  2         east  <all>


In [580]:
curl http://localhost:8500/v1/catalog/datacenters

["west","east"]

Query the nodes in each datacenter

In [355]:
docker exec consul-server-0 \
  curl -s http://localhost:8500/v1/catalog/nodes?dc=${CONSUL_DC} | jq -c .[]

[1;39m{[0m[34;1m"ID"[0m[1;39m:[0m[0;32m"4ff9a376-9b1e-50f4-c820-f0f70455c681"[0m[1;39m,[0m[34;1m"Node"[0m[1;39m:[0m[0;32m"App1"[0m[1;39m,[0m[34;1m"Address"[0m[1;39m:[0m[0;32m"10.5.0.12"[0m[1;39m,[0m[34;1m"Datacenter"[0m[1;39m:[0m[0;32m"west"[0m[1;39m,[0m[34;1m"TaggedAddresses"[0m[1;39m:[0m[1;39m{[0m[34;1m"lan"[0m[1;39m:[0m[0;32m"10.5.0.12"[0m[1;39m,[0m[34;1m"lan_ipv4"[0m[1;39m:[0m[0;32m"10.5.0.12"[0m[1;39m,[0m[34;1m"wan"[0m[1;39m:[0m[0;32m"10.5.0.12"[0m[1;39m,[0m[34;1m"wan_ipv4"[0m[1;39m:[0m[0;32m"10.5.0.12"[0m[1;39m[1;39m}[0m[1;39m,[0m[34;1m"Meta"[0m[1;39m:[0m[1;39m{[0m[34;1m"consul-network-segment"[0m[1;39m:[0m[0;32m""[0m[1;39m[1;39m}[0m[1;39m,[0m[34;1m"CreateIndex"[0m[1;39m:[0m[0;39m1651[0m[1;39m,[0m[34;1m"ModifyIndex"[0m[1;39m:[0m[0;39m1651[0m[1;39m[1;39m}[0m
[1;39m{[0m[34;1m"ID"[0m[1;39m:[0m[0;32m"7e1300bd-c6fd-cfca-1c92-f9fa13ee6287"[0m[1;39m,[0m[34;1m"Node"[0m

In [356]:
docker exec consul-server-0 \
  curl -s http://localhost:8500/v1/catalog/nodes?dc=${CONSUL_DC_2} | jq -c .[]

[1;39m{[0m[34;1m"ID"[0m[1;39m:[0m[0;32m"cff9fe90-1bfe-84a9-72cb-84f132297c32"[0m[1;39m,[0m[34;1m"Node"[0m[1;39m:[0m[0;32m"consul-server-3"[0m[1;39m,[0m[34;1m"Address"[0m[1;39m:[0m[0;32m"10.5.0.6"[0m[1;39m,[0m[34;1m"Datacenter"[0m[1;39m:[0m[0;32m"east"[0m[1;39m,[0m[34;1m"TaggedAddresses"[0m[1;39m:[0m[1;39m{[0m[34;1m"lan"[0m[1;39m:[0m[0;32m"10.5.0.6"[0m[1;39m,[0m[34;1m"lan_ipv4"[0m[1;39m:[0m[0;32m"10.5.0.6"[0m[1;39m,[0m[34;1m"wan"[0m[1;39m:[0m[0;32m"10.5.0.6"[0m[1;39m,[0m[34;1m"wan_ipv4"[0m[1;39m:[0m[0;32m"10.5.0.6"[0m[1;39m[1;39m}[0m[1;39m,[0m[34;1m"Meta"[0m[1;39m:[0m[1;39m{[0m[34;1m"consul-network-segment"[0m[1;39m:[0m[0;32m""[0m[1;39m,[0m[34;1m"zone"[0m[1;39m:[0m[0;32m"zone0"[0m[1;39m[1;39m}[0m[1;39m,[0m[34;1m"CreateIndex"[0m[1;39m:[0m[0;39m10[0m[1;39m,[0m[34;1m"ModifyIndex"[0m[1;39m:[0m[0;39m15[0m[1;39m[1;39m}[0m
[1;39m{[0m[34;1m"ID"[0m[1;39m:[0m[0;32m"7b7d6e78-

Query for service in both datacenters - `consul.service.west.consul` and `consul.service.east.consul` 

In [387]:
dig @127.0.0.1 -p 8600 consul.service.west.consul | grep -A3 "ANSWER SECTION"

;; ANSWER SECTION:
consul.service.west.consul. 0	IN	A	10.5.0.3
consul.service.west.consul. 0	IN	A	10.5.0.2
consul.service.west.consul. 0	IN	A	10.5.0.4


In [388]:
dig @127.0.0.1 -p 8600 consul.service.east.consul | grep -A3 "ANSWER SECTION"

;; ANSWER SECTION:
consul.service.east.consul. 0	IN	A	10.5.0.7
consul.service.east.consul. 0	IN	A	10.5.0.5
consul.service.east.consul. 0	IN	A	10.5.0.6


NOTES:

* All server nodes must be able to talk to each other; Else gossip and RPC forwarding will not work
* Data is not replicated between Consul Clusters
  * Request made for resource in another datacenter is forwarded to remote Consul Servers
  

### Additional Consul Steps

Setup Consul environment variables - Notice that since TLS encryption is enabled, you will now need to use the server certificates to complete all other tasks.

In [None]:
export CONSUL_CACERT=/etc/consul.d/consul-agent-ca.pem
export CONSUL_CLIENT_CERT=/etc/consul.d/<dc-name>-<server/ client>-consul-<cert-number>.pem
export CONSUL_CLIENT_KEY=/etc/consul.d/<dc-name>-<server/   client>-consul-<cert-number>-key.pem

## Vault DR and PR

## Debug - Network

In [39]:
docker exec -i consul-server-0 sh <<EOM
hostname
ping -qc 1 consul-server-1
ping -qc 1 consul-server-2
EOM

consul-server-0
PING consul-server-1 (10.5.0.3) 56(84) bytes of data.

--- consul-server-1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.260/0.260/0.260/0.000 ms
PING consul-server-2 (10.5.0.4) 56(84) bytes of data.

--- consul-server-2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.218/0.218/0.218/0.000 ms


### docker-compose restart

In [16]:
docker-compose -f docker-compose-hashi.yml restart

Restarting consul-server-0 ... 
Restarting consul-server-1 ... 
[2Barting consul-server-0 ... [32mdone[0m

### docker-compose down

In [394]:
docker-compose -f docker-compose-hashi.yml down

Stopping consul-server-3 ... 
Stopping consul-server-4 ... 
Stopping consul-server-5 ... 
Stopping vault_s3        ... 
Stopping vault_s2        ... 
Stopping vault_s1        ... 
Stopping vault_s4        ... 
[2BRemoving consul-server-3 ... mdone[0m
Removing consul-server-4 ... 
Removing consul-server-5 ... 
Removing consul-agent-1  ... 
Removing consul-server-0 ... 
Removing consul-server-1 ... 
Removing consul-server-2 ... 
Removing vault_s3        ... 
Removing vault_s2        ... 
Removing vault_s1        ... 
Removing vault_s4        ... 
[3BRemoving network hashi_defaultdone[0m
Removing network hashi_vpcbr


In [3]:
docker-compose stop grafana prometheus

Stopping grafana    ... 
Stopping prometheus ... 
[1Bping prometheus ... [32mdone[0m

### Restart Vault Cluster

In [70]:
docker-compose -f docker-compose-hashi.yml restart vault_s1 vault_s2 vault_s3

Restarting vault_s3 ... 
Restarting vault_s2 ... 
Restarting vault_s1 ... 
[1Barting vault_s1 ... [32mdone[0m

## Vault DB

In [444]:
# This script configures a Postgres Dynamic Database credential database for benchmarking
vault secrets enable database

vault write database/config/postgres \
  plugin_name=postgresql-database-plugin \
  allowed_roles="*" \
  connection_url="postgresql://{{username}}:{{password}}@db:5432/products?sslmode=disable" \
  username="postgres" \
  password="password"

vault write database/roles/benchmarking \
    db_name=postgres \
    creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; \
        GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";" \
    default_ttl="24h" \
    max_ttl="48h"

vault read database/creds/benchmarking

[0mSuccess! Enabled the database secrets engine at: database/[0m
[0mSuccess! Data written to: database/roles/benchmarking[0m
[0mKey                Value
---                -----
lease_id           database/creds/benchmarking/fBBRKSNF3hxSNGhzweLExZ0K
lease_duration     24h
lease_renewable    true
password           hGUuZHbk-jH1p-7BIf2S
username           v-root-benchmar-1Y4jjO875N1OcC2DXoUg-1637091589[0m


Admin token (optional): You may prefer using an admin token instead of root (for example if you’re using an existing cluster). If so, create an admin token using the vault-admin.hcl policy file shown below. This admin policy is authored based on the Vault Policies guide.

In [None]:
# Assuming that VAULT_TOKEN is set with root or higher Admin token
vault policy write learn-admin admin-policy.hcl
vault token create -policy=learn-adminexport
VAULT_TOKEN=<token-from-above command>
vault token lookup

In [111]:
consul members
consul operator raft list-peers
consul operator autopilot get-config
vault operator raft list-peers

Node            Address         Status  Type    Build   Protocol  DC   Segment
ConsulServer0   10.5.0.2:8301   alive   server  1.10.4  2         dc1  <all>
ConsulServer1   10.5.0.3:8301   alive   server  1.10.4  2         dc1  <all>
ConsulServer2   10.5.0.4:8301   alive   server  1.10.4  2         dc1  <all>
consul-agent-0  10.5.0.12:8301  alive   client  1.10.4  2         dc1  <default>
Node           ID                                    Address        State     Voter  RaftProtocol
ConsulServer2  09a93096-bcd7-2841-1bcd-3dcbdf2f4efb  10.5.0.4:8300  leader    true   3
ConsulServer1  6076ceb7-6135-7beb-ef21-ca31e271b705  10.5.0.3:8300  follower  true   3
ConsulServer0  b771e8f4-fbf8-bd7d-32ac-25389354602f  10.5.0.2:8300  follower  true   3
CleanupDeadServers = true
LastContactThreshold = 200ms
MaxTrailingLogs = 250
MinQuorum = 0
ServerStabilizationTime = 10s
RedundancyZoneTag = ""
DisableUpgradeMigration = false
UpgradeVersionTag = ""
[0mNode        Address            State       Vote

## Onboarding App

In [502]:
vault secrets list
vault read database/config/postgres

[0mPath          Type         Accessor              Description
----          ----         --------              -----------
cubbyhole/    cubbyhole    cubbyhole_cc6da3b9    per-token private secret storage
database/     database     database_f7f84d8f     n/a
identity/     identity     identity_8e5491a2     identity store
kv/           kv           kv_d70a9797           Key value secrets engine created by terraform
postgres/     database     database_368592e8     n/a
sys/          system       system_75b145ea       system endpoints used for control, policy and debugging[0m
[0mKey                                   Value
---                                   -----
allowed_roles                         [*]
connection_details                    map[connection_url:postgresql://{{username}}:{{password}}@db:5432/products?sslmode=disable username:postgres]
password_policy                       n/a
plugin_name                           postgresql-database-plugin
root_credentials_rotate_state

### Vault Onboarding docker-compose up

We will now bring up the three Consul servers and one client. You can use `--force-recreate` to have Docker recreate the containers.

In [501]:
export CONSUL_DC=west CONSUL_DC_2=east
docker-compose \
  up --force-recreate -d \
  db web vault-agent haproxy

Recreating demo-webapp ... 
Recreating db          ... 
Recreating vault-agent ... 
Creating haproxy       ... 
[3Beating db          ... [32mdone[0m

In [420]:
git clone https://github.com/hashicorp/vault-guides.git tmp/vault-guides

Cloning into 'tmp/vault-guides'...
remote: Enumerating objects: 9450, done.        
remote: Counting objects: 100% (5161/5161), done.        
remote: Compressing objects: 100% (4029/4029), done.        
remote: Total 9450 (delta 977), reused 5033 (delta 931), pack-reused 4289        
Receiving objects: 100% (9450/9450), 108.57 MiB | 14.28 MiB/s, done.
Resolving deltas: 100% (3123/3123), done.


In [424]:
cp tmp/vault-guides/operations/onboarding/terraform/*.* terraform/

In [432]:
cp -r tmp/vault-guides/operations/onboarding/docker-compose/vault-agent .

### Vault administration with Terraform

Modifications: 

* I modified the `auth.tf`. Changed the local file destination since `vault-agent` folder is not under `docker-compose` folder.

In [446]:
TF_CLI_ARGS="-input=false"

In [426]:
terraform -chdir=terraform init


[0m[1mInitializing the backend...[0m

[0m[1mInitializing provider plugins...[0m
- Reusing previous version of hashicorp/vault from the dependency lock file
- Finding latest version of hashicorp/time...
- Reusing previous version of hashicorp/local from the dependency lock file
- Using previously-installed hashicorp/vault v2.24.1
- Installing hashicorp/time v0.7.2...
- Installed hashicorp/time v0.7.2 (signed by HashiCorp)
- Using previously-installed hashicorp/local v2.1.0

Terraform has made some changes to the provider dependency selections recorded
in the .terraform.lock.hcl file. Review those changes and commit them to your
version control system if they represent changes you intended to make.

[0m[1m[32mTerraform has been successfully initialized![0m[32m[0m
[0m[32m
You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.

If you ever set or change modul

In [427]:
terraform -chdir=terraform plan


Terraform used the selected providers to generate the following execution plan.
Resource actions are indicated with the following symbols:
  [32m+[0m create
[0m
Terraform will perform the following actions:

[1m  # local_file.nginx_role_id[0m will be created[0m[0m
[0m  [32m+[0m[0m resource "local_file" "nginx_role_id" {
      [32m+[0m [0m[1m[0mcontent[0m[0m              = (known after apply)
      [32m+[0m [0m[1m[0mdirectory_permission[0m[0m = "0777"
      [32m+[0m [0m[1m[0mfile_permission[0m[0m      = "0777"
      [32m+[0m [0m[1m[0mfilename[0m[0m             = "./../docker-compose/vault-agent/nginx-role_id"
      [32m+[0m [0m[1m[0mid[0m[0m                   = (known after apply)
    }

[1m  # local_file.nginx_secret_id[0m will be created[0m[0m
[0m  [32m+[0m[0m resource "local_file" "nginx_secret_id" {
      [32m+[0m [0m[1m[0mcontent[0m[0m              = (sensitive)
      [32m+[0m [0m[1m[0mdirectory_permission[0m[0m =

In [448]:
terraform -chdir=terraform apply -auto-approve

[0m[1mtime_sleep.wait_2_seconds: Refreshing state... [id=2021-11-16T17:07:17Z][0m
[0m[1mvault_mount.kvv2: Refreshing state... [id=kv][0m
[0m[1mvault_mount.postgres: Refreshing state... [id=postgres][0m
[0m[1mvault_policy.postgres_creds_policy: Refreshing state... [id=postgres_creds_policy][0m
[0m[1mvault_auth_backend.approle: Refreshing state... [id=approle][0m
[0m[1mvault_policy.kv_rw_policy: Refreshing state... [id=kv_rw_policy][0m
[0m[1mvault_database_secret_backend_connection.postgres: Refreshing state... [id=postgres/config/postgres][0m
[0m[1mvault_identity_entity.entity["app100"]: Refreshing state... [id=9d72d5a2-5512-ae44-1c47-01dbc5d32325][0m
[0m[1mvault_identity_entity.entity["nginx"]: Refreshing state... [id=b9a65285-93ef-9889-7a22-eedc24a6b097][0m
[0m[1mvault_generic_secret.example["nginx"]: Refreshing state... [id=kv/nginx/static][0m
[0m[1mvault_generic_secret.example["app100"]: Refreshing state... [id=kv/app100/static][0m
[0m[1mvault_toke

In [441]:
docker restart vault-agent

vault-agent


Access http://localhost:8080 on your browser, and you should be able to see the nginx application display a dynamic PostgreSQL database credential provided by Vault as shown below. Also try accessing http://localhost:8080/kv.html to see example static secret values.



<img src="https://www.datocms-assets.com/2885/1624893789-vtf-onboarding-2.png?fit=max&fm=webp&q=80&w=2500" width=640 />

The Terraform configurations for this demo are described in more detail below along with the corresponding source file names:

* "**Application entity**" — `entity.tf`:
  * Pre-creating the application entity is optional but encouraged.
  * It allows easier auditing and more flexibility in attaching ACL policies.
  1. Please log in to the Vault UI on http://localhost:8200 with the root token
  1. Then click `Access` > `Entities`. You should see two created entities: `nginx` and `app100`.
  1. Clicking into these entities will display
      * an alias for the AppRole authentication method 
      * and the mapped entity ACL policies.
* "Authentication method" — `auth.tf`:
  * This demo uses the AppRole auth method, which is a type of “trusted orchestrator” secure introduction pattern.
  * An authentication method alias links the entity to the AppRole role.
* "ACL policy" — `entity.tf`: We recommend using templated policies to reduce the overhead of policy management.
  * This demo uses two templated policies:
    * `kv_rw_policy` for accessing key-value secrets
    * `postgres_creds_policy` for accessing dynamic Postgres credentials.

These elements are represented as a Terraform graph diagram snippet, shown below:

Terraform graph snippet for authentication, entity, and ACL policy.

<img src="https://www.datocms-assets.com/2885/1624893793-vtf-onboarding-3.png?fit=max&fm=webp&q=80&w=2500" width=640 />

### Application Integration with Vault

Now that the Vault configurations are built, we need the application to log in to Vault using AppRole credentials and fetch a secret. The demo uses Vault Agent to achieve this (see App Integration for more patterns).
Vault Agent workflow.

Vault Agent workflow.

<img src="https://www.datocms-assets.com/2885/1624893810-vtf-onboarding-5.png?fit=max&fm=webp&q=80&w=2500" width=640 />

The file `nginx-vault-agent.hcl` specifies how to authenticate the `nginx` container using AppRole. It also links two template files, `kv.tpl` and `postgres.tpl`, that tell Vault Agent how to render secrets from a KV and Database Secrets Engine respectively.

### Register a service

In [None]:
docker exec -i consul-server-1 sh <<EOM
cat > /consul/config/webapp.hcl <<EOF
service {
  name = "webapp",
  port = 80,
  check {
    http = "http://demo-webapp",
    interval = "5s"
  }
}
EOM

In [None]:
docker exec consul-server-1 consul reload

Configuration reload triggered


### Onboarding the Next Application

To onboard another application, simply add its name to the default value of the entities variable in `variables.tf` as shown below for `app200`.

# Snippet from variables.tf after adding app200

In [457]:
cat > terraform/terraform.tfvars <<EOF
entities = [
    "nginx",
    "app100",
    "app200"
]
EOF

Then run `terraform apply` to create the additional Vault configurations for this application:

NOTE: Ensure that `VAULT_TOKEN` was set from before

In [458]:
terraform -chdir=terraform validate && \
terraform -chdir=terraform apply -auto-approve

[32m[1mSuccess![0m The configuration is valid.
[0m
[0m[1mtime_sleep.wait_2_seconds: Refreshing state... [id=2021-11-16T17:07:17Z][0m
[0m[1mvault_mount.kvv2: Refreshing state... [id=kv][0m
[0m[1mvault_mount.postgres: Refreshing state... [id=postgres][0m
[0m[1mvault_auth_backend.approle: Refreshing state... [id=approle][0m
[0m[1mvault_policy.kv_rw_policy: Refreshing state... [id=kv_rw_policy][0m
[0m[1mvault_policy.postgres_creds_policy: Refreshing state... [id=postgres_creds_policy][0m
[0m[1mvault_database_secret_backend_connection.postgres: Refreshing state... [id=postgres/config/postgres][0m
[0m[1mvault_generic_secret.example["nginx"]: Refreshing state... [id=kv/nginx/static][0m
[0m[1mvault_generic_secret.example["app100"]: Refreshing state... [id=kv/app100/static][0m
[0m[1mvault_approle_auth_backend_role.entity-role["nginx"]: Refreshing state... [id=auth/approle/role/nginx][0m
[0m[1mvault_token.entity_token[0]: Refreshing state... [id=MW1KDAFwRduX9l

Verify from the Vault UI that there is a new entity called `app200` with an alias to the AppRole auth method:

Vault screenshot showing a new app200 entity being added.

Vault screenshot showing a new app200 entity being added.

A new Role ID and Secret ID have also been created, which you can find by running the terraform output command. We can use this to test authentication and secret access as shown below. Note that the Role ID, Secret ID, and Vault token will be unique in your case.

In [475]:
terraform -chdir=terraform output -json > /tmp/approle_200.txt

In [480]:
ROLE_ID=$(jq -r .role_ids.value.app200 /tmp/approle_200.txt)
SECRET_ID=$(jq -r .secret_ids.value.app200 /tmp/approle_200.txt)

In [None]:
Login using AppRole

In [493]:
vault write -format=json auth/approle/login \
  role_id=${ROLE_ID} \
  secret_id=${SECRET_ID} | tee /tmp/approle_200.token

{
  "request_id": "4947ddee-c9c1-1d08-228f-00f8b919eaef",
  "lease_id": "",
  "lease_duration": 0,
  "renewable": false,
  "data": null,
  "auth": {
    "client_token": "s.HvzS2X14mzuHgH9cocr3TA1s",
    "accessor": "A2ElImsXxYlTtAeNOgEaA4mm",
    "policies": [
      "default",
      "kv_rw_policy",
      "postgres_creds_policy"
    ],
    "token_policies": [
      "default",
      "kv_rw_policy",
      "postgres_creds_policy"
    ],
    "identity_policies": [
      "kv_rw_policy",
      "postgres_creds_policy"
    ],
    "metadata": {
      "role_name": "app200"
    },
    "orphan": true,
    "entity_id": "3fbb356c-eeb1-3ce0-769d-c53ecf5d11a5",
    "lease_duration": 2764800,
    "renewable": true
  }
}


In [494]:
VAULT_TOKEN_APP200=$(jq -r .auth.client_token /tmp/approle_200.token) && echo $VAULT_TOKEN_APP200

s.HvzS2X14mzuHgH9cocr3TA1s


Read KV secret

In [495]:
VAULT_TOKEN=${VAULT_TOKEN_APP200} vault kv get kv/app200/static

[0mKey              Value
---              -----
created_time     2021-11-16T20:49:58.138197524Z
deletion_time    n/a
destroyed        false
version          1[0m
[0m[0m
[0mKey         Value
---         -----
app         app200
password    cheese
username    app200[0m


Sample Output
```
====== Metadata ======
Key              Value
---              -----
created_time     2021-11-16T20:49:58.138197524Z
deletion_time    n/a
destroyed        false
version          1

====== Data ======
Key         Value
---         -----
app         app200
password    cheese
username    app200
```

To de-board an application, simply remove the entity from the same variable and re-rerun `terraform apply`.