Name: svalbard-vault-cookbook
Owner: Fred Hutchinson Cancer Research Center
Description: Configure a Hashicorp Vault cluster with Consul backend
Created: 2016-10-28 00:03:52.0
Updated: 2017-08-05 20:19:02.0
Pushed: 2016-12-21 19:04:10.0
Homepage: null
Size: 64
Language: Ruby
cf. http://www.seedvault.no/

Configure HashiCorp Vault and Consul back-end servers.
Bootstrap a node with knife, passing the roles and the Chef Vault items that carry the certificates:

```
knife bootstrap \
  -r 'role[cit-base]','role[scicomp-base]','role[svalbard-consul-server]' \
  --bootstrap-vault-item svalbard-certs:root_cert \
  --bootstrap-vault-item svalbard-certs:<hostname> \
  -N <fqdn> <fqdn>
```
SSL certificates are required for encryption and authentication of nodes/services in the Consul/Vault infrastructure. For this application we'll be creating a private CA and using that for signing host certificates.

This process is documented in many places; the most applicable reference is here.

Note that a custom OpenSSL config file is necessary for generating these certificates: it has some attributes not present in the stock config file.
Create the root CA certificate and key:

```
openssl req -config <configfile> -newkey rsa:2048 -days 3650 -x509 \
  -nodes -out <cert> -keyout <key>
```

The key needs to be kept safe.

Generate a key and certificate signing request for each node:

```
openssl req -config <configfile> -newkey rsa:1024 -nodes \
  -out <node>.csr -keyout <node>.key
```
Note that the server certificate needs to have a hostname like `nodename.datacenter.consul`, where `nodename` is the hostname of the server and `datacenter` is the Consul "datacenter" (or group) for the cluster.
Sign the request with the CA:

```
openssl ca -config <configfile> -batch -notext \
  -in <node>.csr -out <node>.pem
```

Copy the node certificate and key (`node.pem`, `node.key`) as well as the root certificate to the node.
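The CA and node-certificate steps above, carried through end to end as an added example (this is not the cookbook's own code). It writes a custom OpenSSL config of the kind the README refers to, creates a throwaway root CA, issues one certificate named `<node>.<datacenter>.consul`, and verifies it against the root. It assumes `openssl` is on the PATH; the CA name, the node `node1` and the datacenter `dc1` are constructed values, and the node key is 2048 bits rather than the 1024 in the command above.

```sh
#!/bin/sh
# Added example (not the cookbook's own code): create a private CA with a custom
# OpenSSL config, issue one Consul node certificate named <node>.<datacenter>.consul,
# and verify it against the root. Assumes openssl is in PATH; the CA name, node
# "node1" and datacenter "dc1" are constructed values.
set -eu

# The custom config the README refers to. What the stock file lacks for this
# use: a CA:TRUE root, node extensions with serverAuth+clientAuth and a SAN, and
# a CA directory taken from the environment so the file works from any cwd.
write_openssl_config() {
    cat > "$1" <<'EOF'
[ ca ]
default_ca = CA_default

[ CA_default ]
dir             = ${ENV::CA_DIR}
new_certs_dir   = $dir/newcerts
database        = $dir/index.txt
serial          = $dir/serial
certificate     = $dir/root.pem
private_key     = $dir/root.key
default_md      = sha256
default_days    = 365
policy          = policy_node
x509_extensions = node_cert

[ policy_node ]
commonName = supplied

[ req ]
distinguished_name = req_dn
prompt             = no
x509_extensions    = root_cert

[ req_dn ]
CN = placeholder-overridden-by-subj

[ root_cert ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ node_cert ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth, clientAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
subjectAltName         = DNS:${ENV::NODE_FQDN}
EOF
}

# issue_node_cert <workdir> <node> <datacenter>
# Builds the CA under <workdir>/ca, then key, CSR and signed cert for the node
# in <workdir>. Returns 0 only if the issued certificate verifies.
issue_node_cert() {
    work=$1; node=$2; dc=$3
    export CA_DIR="$work/ca"
    export NODE_FQDN="$node.$dc.consul"   # naming rule from the README
    mkdir -p "$CA_DIR/newcerts"
    : > "$CA_DIR/index.txt"
    echo 01 > "$CA_DIR/serial"
    cfg="$work/openssl.cnf"
    write_openssl_config "$cfg"

    # Root CA: self-signed, 10 years. root.key is the secret that must be kept safe.
    openssl req -config "$cfg" -newkey rsa:2048 -days 3650 -x509 -nodes \
        -subj "/CN=svalbard-root-ca" -out "$CA_DIR/root.pem" -keyout "$CA_DIR/root.key"

    # Node key and CSR. 2048 bits here rather than the README's 1024: 1024-bit RSA
    # is below current minimums.
    openssl req -config "$cfg" -newkey rsa:2048 -nodes \
        -subj "/CN=$NODE_FQDN" -out "$work/$node.csr" -keyout "$work/$node.key"

    # Sign the CSR with the CA. -batch skips prompts, -notext omits the text dump.
    openssl ca -config "$cfg" -batch -notext -in "$work/$node.csr" -out "$work/$node.pem"

    chmod 600 "$work/$node.key" "$CA_DIR/root.key"
    openssl verify -CAfile "$CA_DIR/root.pem" "$work/$node.pem" >/dev/null
}

# cert_san <cert.pem>: print the DNS SAN, to confirm the naming rule was applied.
cert_san() {
    openssl x509 -in "$1" -noout -text \
        | sed -n '/Subject Alternative Name/{n;p;}' | tr -d ' ' | sed 's/^DNS://'
}
```

Call `issue_node_cert "$(mktemp -d)" node1 dc1` to run it; the signed certificate lands in the work directory as `node1.pem`, and `cert_san` on it should print `node1.dc1.consul`. The SAN is taken from the `NODE_FQDN` environment variable at config-load time, which is why both variables are exported before any `openssl` call.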
Download and extract (unzip). I'm creating a hierarchy like this:

```
/hashicorp/consul
    /bin
    /etc
    /etc/ssl
```

Extract the `consul` binary to `.../bin` and move the certificates into `.../etc/ssl`. Install `config.json` into `.../etc`. Configure `systemd` to start the consul service.
When configured as a server (i.e. has Chef role `svalbard-consul-server`), Chef will deliver a file called `config.bootstrap.json` into `consul/etc/`. This is the config file we'll use for the bootstrapping as it contains the nodes in the cluster.

Edit `config.bootstrap.json`, removing the line with `start_join`, then start the agent:

```
bin/consul agent -bootstrap-expect 3 -config-file etc/config.bootstrap.json
```

Adjust the value for `bootstrap-expect` to match the number of servers in the cluster.

Start the agent from the bootstrap config file without the flag:

```
bin/consul agent -config-file etc/config.bootstrap.json
```

When all servers have completed the join to the cluster:

```
service consul-agent start
```

Check with `consul members` and `consul monitor`.

Repeat these steps for each of the other consul servers. The servers will all then be on equal footing and running in HA mode.
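An added example (not the cookbook's or HashiCorp's own code) covering the hierarchy, the `config.json` with its TLS settings, and the `start_join`-free bootstrap copy described above: it builds the directory tree under a chosen prefix, writes `etc/config.json` and `etc/config.bootstrap.json`, and runs a pre-flight check before the agent is started. The Consul keys it emits (`datacenter`, `node_name`, `server`, `data_dir`, `ca_file`, `cert_file`, `key_file`, `verify_incoming`, `verify_outgoing`, `start_join`, `log_level`) are real Consul agent options; node names and peer addresses are constructed.

```sh
#!/bin/sh
# Added example (not the cookbook's or HashiCorp's own code): build the
# /hashicorp/consul hierarchy from the README under a chosen prefix, write a
# server config.json that points Consul at the node and root certificates,
# derive config.bootstrap.json (same file minus start_join), and run a
# pre-flight check before the agent is started. Node names and peer
# addresses used by callers are constructed values.
set -eu

# Create the hierarchy: <prefix>/bin, <prefix>/etc, <prefix>/etc/ssl (plus a data dir).
make_consul_tree() {
    mkdir -p "$1/bin" "$1/etc/ssl" "$1/data"
}

# write_consul_configs <prefix> <node> <datacenter> <peer1,peer2,...>
# Writes etc/config.json (with start_join) and etc/config.bootstrap.json
# (without it). The bootstrap copy is what the first server is started from
# with -bootstrap-expect, so it must not try to join peers that are not up yet.
write_consul_configs() {
    prefix=$1; node=$2; dc=$3; peers=$4
    # "a,b" -> "a", "b" (JSON string list)
    join_list=$(printf '%s' "$peers" | sed 's/[^,][^,]*/"&"/g; s/,/, /g')
    for f in config.json config.bootstrap.json; do
        {
            echo '{'
            echo "  \"datacenter\": \"$dc\","
            echo "  \"node_name\": \"$node\","
            echo '  "server": true,'
            echo "  \"data_dir\": \"$prefix/data\","
            # TLS: trust only the private CA, present the node cert, and
            # require certificates on both incoming and outgoing connections.
            echo "  \"ca_file\": \"$prefix/etc/ssl/root.pem\","
            echo "  \"cert_file\": \"$prefix/etc/ssl/$node.pem\","
            echo "  \"key_file\": \"$prefix/etc/ssl/$node.key\","
            echo '  "verify_incoming": true,'
            echo '  "verify_outgoing": true,'
            if [ "$f" = config.json ]; then
                echo "  \"start_join\": [$join_list],"
            fi
            echo '  "log_level": "INFO"'
            echo '}'
        } > "$prefix/etc/$f"
    done
}

# check_consul_layout <prefix> <node>
# Pre-flight check: binary, configs and certificates present, and the node's
# private key readable only by its owner. Returns 1 on the first problem.
check_consul_layout() {
    prefix=$1; node=$2
    [ -x "$prefix/bin/consul" ] || { echo "missing or non-executable $prefix/bin/consul" >&2; return 1; }
    for f in etc/config.json etc/config.bootstrap.json \
             etc/ssl/root.pem "etc/ssl/$node.pem" "etc/ssl/$node.key"; do
        [ -f "$prefix/$f" ] || { echo "missing $prefix/$f" >&2; return 1; }
    done
    # find prints the path if any group (040) or other (004) read bit is set.
    if [ -n "$(find "$prefix/etc/ssl/$node.key" -perm -040 -o -perm -004)" ]; then
        echo "$node.key is readable by group or others; chmod 600 it" >&2
        return 1
    fi
    return 0
}
```

Typical use is `make_consul_tree /hashicorp/consul`, copy the binary and certificates into place, `write_consul_configs /hashicorp/consul <node> <dc> <peer,peer>`, then `check_consul_layout /hashicorp/consul <node>` before starting the agent. The bootstrap copy is generated rather than hand-edited so that removing `start_join` cannot leave a dangling comma in the JSON. `verify_server_hostname` is left at its default because Consul's check expects servers to present `server.<datacenter>.consul`, which the per-node naming scheme above does not produce.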