Merge pull request #4 from hoeghh/consul_install

Consul install

certificates/consul/consul-agent-ca-key.pem

@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIOX6V9w0TNUJ3HFmYSkb3YNOkfd6Zlisr34M2MnRSnOMoAoGCCqGSM49
+AwEHoUQDQgAEi451QfrtaHDJiF183TdMl8Y3SUhrGn8MkIa4nVeObDhNsw5Apqkw
+27rr0pvI/peUQsQyG0y4AVjQ6ZVpm3RXAQ==
+-----END EC PRIVATE KEY-----

certificates/consul/consul-agent-ca.pem

@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC6zCCApGgAwIBAgIQRGM4yWMl06t3JbNlKPMA+DAKBggqhkjOPQQDAjCBuDEL
+MAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJhbmNpc2Nv
+MRowGAYDVQQJExExMDEgU2Vjb25kIFN0cmVldDEOMAwGA1UEERMFOTQxMDUxFzAV
+BgNVBAoTDkhhc2hpQ29ycCBJbmMuMT8wPQYDVQQDEzZDb25zdWwgQWdlbnQgQ0Eg
+OTA5MDI2OTI4NzI4NTI0NDI5NjMzMDQ0ODcyNzg0NjQ5MjU5NDQwHhcNMjEwNTAz
+MTAyODQ1WhcNMjYwNTAyMTAyODQ1WjCBuDELMAkGA1UEBhMCVVMxCzAJBgNVBAgT
+AkNBMRYwFAYDVQQHEw1TYW4gRnJhbmNpc2NvMRowGAYDVQQJExExMDEgU2Vjb25k
+IFN0cmVldDEOMAwGA1UEERMFOTQxMDUxFzAVBgNVBAoTDkhhc2hpQ29ycCBJbmMu
+MT8wPQYDVQQDEzZDb25zdWwgQWdlbnQgQ0EgOTA5MDI2OTI4NzI4NTI0NDI5NjMz
+MDQ0ODcyNzg0NjQ5MjU5NDQwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASLjnVB
++u1ocMmIXXzdN0yXxjdJSGsafwyQhridV45sOE2zDkCmqTDbuuvSm8j+l5RCxDIb
+TLgBWNDplWmbdFcBo3sweTAOBgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB
+/zApBgNVHQ4EIgQgZdCwGxPKRze9x3XMj8CcDSmCaDWi0lIvD/25rLf7PkowKwYD
+VR0jBCQwIoAgZdCwGxPKRze9x3XMj8CcDSmCaDWi0lIvD/25rLf7PkowCgYIKoZI
+zj0EAwIDSAAwRQIgafU6/YXKd674uGN/m3kQ0kSMAgYfU/SH3fXGboi3xkkCIQCM
+hpmLsIoqV6l/cRoRAHpzaZbCl2HgQQUkRoOwrJ2x7A==
+-----END CERTIFICATE-----

certificates/consul/dc1-client-consul-0-key.pem

@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIHUU9IQUegJH39yRRubF0hqKInGlLlnOLKC9KpV45yE2oAoGCCqGSM49
+AwEHoUQDQgAE0BE8fE/50yWKrvnNgfXGPI4FGH7HdkX0g71tgODf3Y53WMMXuyoH
+USeki+LjJxTmDN16RL0/FxtLPmJ1bBnzfQ==
+-----END EC PRIVATE KEY-----

certificates/consul/dc1-client-consul-0.pem

@@ -0,0 +1,16 @@
+-----BEGIN CERTIFICATE-----
+MIICmzCCAkGgAwIBAgIQdvw9OhfqVxbwfDofrkZtNDAKBggqhkjOPQQDAjCBuDEL
+MAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJhbmNpc2Nv
+MRowGAYDVQQJExExMDEgU2Vjb25kIFN0cmVldDEOMAwGA1UEERMFOTQxMDUxFzAV
+BgNVBAoTDkhhc2hpQ29ycCBJbmMuMT8wPQYDVQQDEzZDb25zdWwgQWdlbnQgQ0Eg
+OTA5MDI2OTI4NzI4NTI0NDI5NjMzMDQ0ODcyNzg0NjQ5MjU5NDQwHhcNMjEwNTAz
+MTAzMDIxWhcNMjIwNTAzMTAzMDIxWjAcMRowGAYDVQQDExFjbGllbnQuZGMxLmNv
+bnN1bDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABNARPHxP+dMliq75zYH1xjyO
+BRh+x3ZF9IO9bYDg392Od1jDF7sqB1EnpIvi4ycU5gzdekS9PxcbSz5idWwZ832j
+gccwgcQwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEF
+BQcDATAMBgNVHRMBAf8EAjAAMCkGA1UdDgQiBCDX1yOKi8dHsX1/Au/xkrspZI6G
+Y9KX4tGmdVcz3n+3UTArBgNVHSMEJDAigCBl0LAbE8pHN73HdcyPwJwNKYJoNaLS
+Ui8P/bmst/s+SjAtBgNVHREEJjAkghFjbGllbnQuZGMxLmNvbnN1bIIJbG9jYWxo
+b3N0hwR/AAABMAoGCCqGSM49BAMCA0gAMEUCIGzzxc8vZzW5GOjY/jzpzfZ5i894
+xhrnaX1sRmpIU5OcAiEAlDSCnsd1dakU8Qf3XCwFrXGsforapNCjRcG6jOTBLiQ=
+-----END CERTIFICATE-----

certificates/consul/dc1-server-consul-0-key.pem

@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEICxcOMjZWlWBj6UxtyM7R7uKgY+cx8JwfLCCKelQRJ9moAoGCCqGSM49
+AwEHoUQDQgAE3JCYQfWSFmE5pER5RvEQkL6YRVnI+bjVPwitmOMMdHoUA0Cbtnk0
+cg/K0iCRcMke5H50foOvGsXPGciWd+o8Rg==
+-----END EC PRIVATE KEY-----

certificates/consul/dc1-server-consul-0.pem

@@ -0,0 +1,16 @@
+-----BEGIN CERTIFICATE-----
+MIICnDCCAkKgAwIBAgIRAOVXE/pK7d5u7pZ/mdiS/tUwCgYIKoZIzj0EAwIwgbgx
+CzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNj
+bzEaMBgGA1UECRMRMTAxIFNlY29uZCBTdHJlZXQxDjAMBgNVBBETBTk0MTA1MRcw
+FQYDVQQKEw5IYXNoaUNvcnAgSW5jLjE/MD0GA1UEAxM2Q29uc3VsIEFnZW50IENB
+IDkwOTAyNjkyODcyODUyNDQyOTYzMzA0NDg3Mjc4NDY0OTI1OTQ0MB4XDTIxMDUw
+MzEwMjk1NFoXDTIyMDUwMzEwMjk1NFowHDEaMBgGA1UEAxMRc2VydmVyLmRjMS5j
+b25zdWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATckJhB9ZIWYTmkRHlG8RCQ
+vphFWcj5uNU/CK2Y4wx0ehQDQJu2eTRyD8rSIJFwyR7kfnR+g68axc8ZyJZ36jxG
+o4HHMIHEMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYB
+BQUHAwIwDAYDVR0TAQH/BAIwADApBgNVHQ4EIgQgpvBvwFYDDu1kYOjso5xVdFHh
+Z6BNIosvTVoCaIbqXPkwKwYDVR0jBCQwIoAgZdCwGxPKRze9x3XMj8CcDSmCaDWi
+0lIvD/25rLf7PkowLQYDVR0RBCYwJIIRc2VydmVyLmRjMS5jb25zdWyCCWxvY2Fs
+aG9zdIcEfwAAATAKBggqhkjOPQQDAgNIADBFAiEAsPHUonEgz//ErkxMnKoXKKWh
+KP8IcOW1+1CF1PoaxDsCICBlPlIo3Llndm7YzzPiujcXG9hLLsGViksyIEOpUalV
+-----END CERTIFICATE-----

certificates/consul/gossip_encryption_key

@@ -0,0 +1 @@
+ahbNCZr1ckSzQp1eeX2PbrCoJPAlOecpaBBYIvRQKLA=

templates/cloud_init_client.cfg

@@ -69,6 +69,38 @@ write_files:
       }
     path: /etc/nomad.d/client.hcl
 
+  - content: |
+      ${GOSSIP_ENCRYPTION_KEY}
+    path: /etc/consul.d/gossip_encryption_key  
+
+  - content: |
+      datacenter = "dc1"
+      data_dir = "/opt/consul"
+      #encrypt = "qDOPBEr+/oUVeOFQOnVypxwDaHzLrD+lvjo5vCEBbZ0="
+      #ca_file = "/etc/consul.d/consul-agent-ca.pem"
+      #cert_file = "/etc/consul.d/dc1-server-consul-0.pem"
+      #key_file = "/etc/consul.d/dc1-server-consul-0-key.pem"
+      verify_incoming = false
+      verify_outgoing = false
+      verify_server_hostname = false
+      retry_join = ["${NOMAD_SERVER_JOIN_IP}"]
+      server = false
+      bootstrap_expect = 0
+      ui = true
+      bind_addr = "0.0.0.0"
+      client_addr = "0.0.0.0"
+
+      ports {
+        grpc = 8502
+      }
+
+      connect {
+        enabled = true
+      }
+
+      advertise_addr = "${NODE_IP}"
+    path: /etc/consul.d/consul.hcl
+
 runcmd:
   # Init Nomad section
   - curl -fsSL https://apt.releases.hashicorp.com/gpg | sudo apt-key add -
@@ -100,6 +132,15 @@ runcmd:
   - systemctl enable nomad
   - systemctl start nomad
 
+  # Intall Consul section
+  - sudo apt-get install consul -y
+  - mkdir --parents /opt/consul
+  - chown --recursive consul:consul /opt/consul
+  - chown --recursive consul:consul /etc/consul.d
+  - chmod 640 /etc/consul.d/consul.hcl
+  - systemctl enable consul
+  - systemctl start consul
+
   # Install Docker section
   - ${NOMAD_DRIVER_DOCKER} && sudo apt-get install docker-ce docker-ce-cli containerd.io -y
   - ${NOMAD_DRIVER_DOCKER} && sudo usermod -aG docker nomad

templates/cloud_init_server.cfg

@@ -74,6 +74,56 @@ write_files:
       }
     path: /etc/nomad.d/client.hcl
 
+  #- content: {CONSUL_AGENT_CA_KEY}
+    # path: /etc/consul.d/consul-agent-ca-key.pem
+
+  #- content: {DC1-CLIENT-CONSUL-0}
+    # path: /etc/consul.d/dc1-client-consul-0.pem
+
+  #- content: {CONSUL_AGENT_CA}
+    # path: /etc/consul.d/consul-agent-ca.pem
+
+  #- content: {DC1_SERVER_CONSUL_0_KEY}
+    # path: /etc/consul.d/dc1-server-consul-0-key.pem        
+
+  #- content: {DC1_CLIENT_CONSUL_0_KEY}
+    # path: /etc/consul.d/dc1-client-consul-0-key.pem  
+
+  #- content: {DC1_SERVER_CONSUL_0}
+    # path: /etc/consul.d/dc1-server-consul-0.pem  
+
+  - content: |
+      ${GOSSIP_ENCRYPTION_KEY}
+    path: /etc/consul.d/gossip_encryption_key   
+
+  - content: |
+      datacenter = "dc1"
+      data_dir = "/opt/consul"
+      #encrypt = "qDOPBEr+/oUVeOFQOnVypxwDaHzLrD+lvjo5vCEBbZ0="
+      #ca_file = "/etc/consul.d/consul-agent-ca.pem"
+      #cert_file = "/etc/consul.d/dc1-server-consul-0.pem"
+      #key_file = "/etc/consul.d/dc1-server-consul-0-key.pem"
+      verify_incoming = false
+      verify_outgoing = false
+      verify_server_hostname = false
+      retry_join = ["${NOMAD_SERVER_JOIN_IP}"]
+      server = true
+      bootstrap_expect = 1
+      ui = true
+      bind_addr = "0.0.0.0"
+      client_addr = "0.0.0.0"
+
+      ports {
+        grpc = 8502
+      }
+
+      connect {
+        enabled = true
+      }
+
+      advertise_addr = "${NODE_IP}"
+    path: /etc/consul.d/consul.hcl
+
 runcmd:
   # Init Nomad section
   - curl -fsSL https://apt.releases.hashicorp.com/gpg | sudo apt-key add -
@@ -105,6 +155,15 @@ runcmd:
   - systemctl enable nomad
   - systemctl start nomad
 
+  # Intall Consul section
+  - sudo apt-get install consul -y
+  - mkdir --parents /opt/consul
+  - chown --recursive consul:consul /opt/consul
+  - chown --recursive consul:consul /etc/consul.d
+  - chmod 640 /etc/consul.d/consul.hcl
+  - systemctl enable consul
+  - systemctl start consul
+
   # Install Docker section
   - ${NOMAD_SERVER_ENABLE_CLIENT} && ${NOMAD_DRIVER_DOCKER} && sudo apt-get install docker-ce docker-ce-cli containerd.io -y
   - ${NOMAD_SERVER_ENABLE_CLIENT} && ${NOMAD_DRIVER_DOCKER} && sudo usermod -aG docker nomad

terraform/nomad-client.tf

@@ -31,7 +31,9 @@ data "template_file" "client_user_data" {
     NOMAD_DRIVER_DOCKER = contains(var.nomad_drivers, "docker"),
     NOMAD_DRIVER_JAVA = contains(var.nomad_drivers, "java"),
     NOMAD_DRIVER_RAW_EXEC = contains(var.nomad_drivers, "raw_exec"),
-    DATACENTER_NAME = var.datacenter_name
+    DATACENTER_NAME = var.datacenter_name,
+    NODE_IP = "${element(var.nomad_client_ips, count.index)}",
+    GOSSIP_ENCRYPTION_KEY = file("${path.cwd}${var.gossip_encryption_key}")
   }
 }
 

terraform/nomad-server.tf

@@ -33,7 +33,15 @@ data "template_file" "server_user_data" {
     NOMAD_DRIVER_DOCKER = contains(var.nomad_drivers, "docker"),
     NOMAD_DRIVER_JAVA = contains(var.nomad_drivers, "java"),
     NOMAD_DRIVER_RAW_EXEC = contains(var.nomad_drivers, "raw_exec"),
+    NODE_IP = "${element(var.nomad_server_ips, count.index)}",
     DATACENTER_NAME = var.datacenter_name
+    #CONSUL_AGENT_CA_KEY = file("${path.cwd}${var.consul-agent-ca-key}"),
+    #DC1-CLIENT-CONSUL-0 = file("${path.cwd}${var.dc1-client-consul-0}"),
+    #CONSUL_AGENT_CA = file("${path.cwd}${var.consul-agent-ca}"),
+    #DC1_SERVER_CONSUL_0_KEY = file("${path.cwd}${var.dc1-server-consul-0-key}"),
+    #DC1_CLIENT_CONSUL_0_KEY = file("${path.cwd}${var.dc1-client-consul-0-key}"),
+    #DC1_SERVER_CONSUL_0 = file("${path.cwd}${var.dc1-server-consul-0}"),
+    GOSSIP_ENCRYPTION_KEY = file("${path.cwd}${var.gossip_encryption_key}")
   }
 }
 

terraform/variables.tf

@@ -69,3 +69,34 @@ variable "nomad_client_disk_size" {
   description = "The size of the disk on Nomad client"
   default = "6442447645" #6gb
 }
+
+
+### Consul configuration ###
+#variable "consul-agent-ca-key" {
+#  description = "The CA key used by Consul"
+#  default = "/certificates/consul/consul-agent-ca-key.pem"
+#}
+#variable "consul-agent-ca" {
+#  description = "The CA used by Consul"
+#  default = "/certificates/consul/consul-agent-ca.pem"
+#}
+#variable "dc1-client-consul-0" {
+#  description = "The TLS cert for DC1"
+#  default = "/certificates/consul/dc1-client-consul-0.pem"
+#}
+#variable "dc1-server-consul-0-key" {
+#  description = "The client TLS Key file"
+#  default = "/certificates/consul/dc1-server-consul-0-key.pem"
+#}
+#variable "dc1-client-consul-0-key" {
+#  description = "The server TLS key file"
+#  default = "/certificates/consul/dc1-client-consul-0-key.pem"
+#}
+#variable "dc1-server-consul-0" {
+#  description = "The server TLS cert"
+#  default = "/certificates/consul/dc1-server-consul-0.pem"
+#}
+variable "gossip_encryption_key" {
+  description = "The gossip encryption key"
+  default = "/certificates/consul/gossip_encryption_key"
+}