From d52b987624667261fbb1fd35931267e015215acf Mon Sep 17 00:00:00 2001
From: danielehc
Date: Thu, 17 Nov 2022 15:54:25 +0100
Subject: [PATCH] Senario with Consul 1.14 and new TLS config
---
.../README.md | 3 +
.../certs/consul-agent-ca-key.pem | 5 ++
.../certs/consul-agent-ca.pem | 18 ++++++
.../certs/dc1-server-consul-0-key.pem | 5 ++
.../certs/dc1-server-consul-0.pem | 17 ++++++
.../client.json | 28 ++++++++++
.../consul-acl.json | 9 +++
.../docker-compose.yml | 56 +++++++++++++++++++
.../server1.json | 39 +++++++++++++
.../server1_old.json | 22 ++++++++
.../server2.json | 38 +++++++++++++
.../server3.json | 38 +++++++++++++
12 files changed, 278 insertions(+)
create mode 100644 datacenter-deploy-secure-auto_encrypt/README.md
create mode 100644 datacenter-deploy-secure-auto_encrypt/certs/consul-agent-ca-key.pem
create mode 100644 datacenter-deploy-secure-auto_encrypt/certs/consul-agent-ca.pem
create mode 100644 datacenter-deploy-secure-auto_encrypt/certs/dc1-server-consul-0-key.pem
create mode 100644 datacenter-deploy-secure-auto_encrypt/certs/dc1-server-consul-0.pem
create mode 100644 datacenter-deploy-secure-auto_encrypt/client.json
create mode 100644 datacenter-deploy-secure-auto_encrypt/consul-acl.json
create mode 100644 datacenter-deploy-secure-auto_encrypt/docker-compose.yml
create mode 100644 datacenter-deploy-secure-auto_encrypt/server1.json
create mode 100644 datacenter-deploy-secure-auto_encrypt/server1_old.json
create mode 100644 datacenter-deploy-secure-auto_encrypt/server2.json
create mode 100644 datacenter-deploy-secure-auto_encrypt/server3.json
diff --git a/datacenter-deploy-secure-auto_encrypt/README.md b/datacenter-deploy-secure-auto_encrypt/README.md
new file mode 100644
index 0000000..3a8526b
--- /dev/null
+++ b/datacenter-deploy-secure-auto_encrypt/README.md
@@ -0,0 +1,3 @@
+## Tutorial URL
+
+https://learn.hashicorp.com/tutorials/consul/docker-compose-datacenter
diff --git a/datacenter-deploy-secure-auto_encrypt/certs/consul-agent-ca-key.pem b/datacenter-deploy-secure-auto_encrypt/certs/consul-agent-ca-key.pem
new file mode 100644
index 0000000..6a0364f
--- /dev/null
+++ b/datacenter-deploy-secure-auto_encrypt/certs/consul-agent-ca-key.pem
@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIGAr7PBGzNzcz4dYtRDoa+eMc79lxOSxDCZMdkOUBDcZoAoGCCqGSM49
+AwEHoUQDQgAEchBXs6484r99s6qdn0LFohhw8LCK4aIhdNyJ8FOQRcgOpbEk+hRS
++4AoE50i8JdMF7NvSN+Vz7NrXQ+UtjgWBw==
+-----END EC PRIVATE KEY-----
diff --git a/datacenter-deploy-secure-auto_encrypt/certs/consul-agent-ca.pem b/datacenter-deploy-secure-auto_encrypt/certs/consul-agent-ca.pem
new file mode 100644
index 0000000..c4068f9
--- /dev/null
+++ b/datacenter-deploy-secure-auto_encrypt/certs/consul-agent-ca.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC7TCCApOgAwIBAgIQWawP5QPjUL03fdVIJBCZsDAKBggqhkjOPQQDAjCBuTEL
+MAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJhbmNpc2Nv
+MRowGAYDVQQJExExMDEgU2Vjb25kIFN0cmVldDEOMAwGA1UEERMFOTQxMDUxFzAV
+BgNVBAoTDkhhc2hpQ29ycCBJbmMuMUAwPgYDVQQDEzdDb25zdWwgQWdlbnQgQ0Eg
+MTE5MTk0Njg5MDY1MTIyMDM2MDUyNDA0MTQzOTQ1NDU5NzM0OTYwMB4XDTIyMDgw
+MjE1MjkyNVoXDTI1MDgwMTE1MjkyNVowgbkxCzAJBgNVBAYTAlVTMQswCQYDVQQI
+EwJDQTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEaMBgGA1UECRMRMTAxIFNlY29u
+ZCBTdHJlZXQxDjAMBgNVBBETBTk0MTA1MRcwFQYDVQQKEw5IYXNoaUNvcnAgSW5j
+LjFAMD4GA1UEAxM3Q29uc3VsIEFnZW50IENBIDExOTE5NDY4OTA2NTEyMjAzNjA1
+MjQwNDE0Mzk0NTQ1OTczNDk2MDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABHIQ
+V7OuPOK/fbOqnZ9CxaIYcPCwiuGiIXTcifBTkEXIDqWxJPoUUvuAKBOdIvCXTBez
+b0jflc+za10PlLY4FgejezB5MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD
+AQH/MCkGA1UdDgQiBCA7njEdiBtNpBtHIPtzRx3Zo6u+D6PJ15hFZI3HBSU1sTAr
+BgNVHSMEJDAigCA7njEdiBtNpBtHIPtzRx3Zo6u+D6PJ15hFZI3HBSU1sTAKBggq
+hkjOPQQDAgNIADBFAiEA3Zv6j6Gu75SeTpoQSVoj7QEDbSiBoxn3Hobs1BM5v5UC
+IH8OJjm2xU5hlnUQ3OAysPR34Y6YKYhGk7Zq6Lou0ykO
+-----END CERTIFICATE-----
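Review bot: consul-agent-ca-key.pem commits the CA's private key next to the CA certificate, and the `./certs/` mount in docker-compose.yml copies it into all four containers, so every agent in the scenario, the client included, holds the key that can sign server certificates trusted by the whole datacenter. The CA key is only consumed offline by `consul tls cert create` and has no reason to be in the agents' config volume. Keep it out of the mounted directory (and out of the commit, via `.gitignore`), and add a line to README.md stating that the CA, the server certificate and the gossip key here are tutorial fixtures to be regenerated before any other use. The server key in dc1-server-consul-0-key.pem (next hunk) deserves the same treatment.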
diff --git a/datacenter-deploy-secure-auto_encrypt/certs/dc1-server-consul-0-key.pem b/datacenter-deploy-secure-auto_encrypt/certs/dc1-server-consul-0-key.pem
new file mode 100644
index 0000000..41fc663
--- /dev/null
+++ b/datacenter-deploy-secure-auto_encrypt/certs/dc1-server-consul-0-key.pem
@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEINeksduKNCRqxY9BBmMrns5TXNY7VpkQ6vWPupMtFaMpoAoGCCqGSM49
+AwEHoUQDQgAEH6mHO6VgbHd9RnMiYLLY7JJsDcsPsKVK1OBnhw1QhrDtvYwsNYoH
+RetYAUI367IxJCgL1e/cA/zHi3YCry348Q==
+-----END EC PRIVATE KEY-----
diff --git a/datacenter-deploy-secure-auto_encrypt/certs/dc1-server-consul-0.pem b/datacenter-deploy-secure-auto_encrypt/certs/dc1-server-consul-0.pem
new file mode 100644
index 0000000..63fcff9
--- /dev/null
+++ b/datacenter-deploy-secure-auto_encrypt/certs/dc1-server-consul-0.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICnTCCAkKgAwIBAgIQHrdj7+qoJ98tRDWigbKc/TAKBggqhkjOPQQDAjCBuTEL
+MAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJhbmNpc2Nv
+MRowGAYDVQQJExExMDEgU2Vjb25kIFN0cmVldDEOMAwGA1UEERMFOTQxMDUxFzAV
+BgNVBAoTDkhhc2hpQ29ycCBJbmMuMUAwPgYDVQQDEzdDb25zdWwgQWdlbnQgQ0Eg
+MTE5MTk0Njg5MDY1MTIyMDM2MDUyNDA0MTQzOTQ1NDU5NzM0OTYwMB4XDTIyMDgw
+MjE1MjkzMVoXDTI1MDgwMTE1MjkzMVowHDEaMBgGA1UEAxMRc2VydmVyLmRjMS5j
+b25zdWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQfqYc7pWBsd31GcyJgstjs
+kmwNyw+wpUrU4GeHDVCGsO29jCw1igdF61gBQjfrsjEkKAvV79wD/MeLdgKvLfjx
+o4HHMIHEMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYB
+BQUHAwIwDAYDVR0TAQH/BAIwADApBgNVHQ4EIgQgST91pQU5cCcGpHvM8Q62AfLN
+DXZxUrXfVtFaqQAr3K0wKwYDVR0jBCQwIoAgO54xHYgbTaQbRyD7c0cd2aOrvg+j
+ydeYRWSNxwUlNbEwLQYDVR0RBCYwJIIRc2VydmVyLmRjMS5jb25zdWyCCWxvY2Fs
+aG9zdIcEfwAAATAKBggqhkjOPQQDAgNJADBGAiEA+1jEcho9qVPMiw+SK5EbYS9z
++ez0lBz6WGsGqsYymrwCIQCqDgPzmBgXRCqR/p18aq4gYhEb6St4k9GRMoJHCI/p
+sA==
+-----END CERTIFICATE-----
diff --git a/datacenter-deploy-secure-auto_encrypt/client.json b/datacenter-deploy-secure-auto_encrypt/client.json
new file mode 100644
index 0000000..90e9d33
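Review bot: The single certificate and key added here (dc1-server-consul-0.pem / dc1-server-consul-0-key.pem) are referenced by server1.json, server2.json and server3.json alike, so one key pair identifies all three servers and a compromise of any one container exposes the others' identity as well. `consul tls cert create -server` is intended to run once per server so that each gets its own key. The certificate also carries a fixed validity window (decoding the validity field, it appears to expire on 2025-08-01), after which the scenario fails with handshake errors; README.md should therefore give the regeneration steps instead of relying on committed material.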
--- /dev/null
+++ b/datacenter-deploy-secure-auto_encrypt/client.json
@@ -0,0 +1,28 @@
+{
+ "node_name": "consul-client",
+ "data_dir": "/consul/data",
+ "retry_join":[
+ "consul-server1",
+ "consul-server2",
+ "consul-server3"
+ ],
+ "encrypt": "aPuGh+5UDskRAbkLaXRzFoSOcSM+5vAK+NEYOWHJH7w=",
+
+ "tls": {
+ "defaults": {
+ "ca_file" : "/consul/config/certs/consul-agent-ca.pem",
+ "verify_outgoing" : true,
+ "verify_incoming" : true
+ },
+ "https": {
+ "verify_incoming" : false
+ },
+ "internal_rpc": {
+ "verify_server_hostname" : true
+ }
+ },
+
+ "auto_encrypt": {
+ "tls" : true
+ }
+}
diff --git a/datacenter-deploy-secure-auto_encrypt/consul-acl.json b/datacenter-deploy-secure-auto_encrypt/consul-acl.json
new file mode 100644
index 0000000..438ab4d
--- /dev/null
+++ b/datacenter-deploy-secure-auto_encrypt/consul-acl.json
@@ -0,0 +1,9 @@
+{
+ "acl": {
+ "enabled": true,
+ "default_policy": "deny",
+ "down_policy": "extend-cache",
+ "enable_token_persistence": true
+ }
+}
+ 
\ No newline at end of file
diff --git a/datacenter-deploy-secure-auto_encrypt/docker-compose.yml b/datacenter-deploy-secure-auto_encrypt/docker-compose.yml
new file mode 100644
index 0000000..7724276
--- /dev/null
+++ b/datacenter-deploy-secure-auto_encrypt/docker-compose.yml
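Review bot: The `encrypt` gossip key in client.json is the same literal found in server1.json, server2.json and server3.json and is committed, so any deployment that reuses these files unchanged has a gossip layer whose key is public. For a tutorial this is acceptable only if README.md tells the reader to generate a fresh key with `consul keygen` and replace it in all four files; strict JSON has no comment syntax, so the README is the only place to say it. The rest of the client's TLS stanza is consistent with `auto_encrypt.tls`: it carries only `ca_file` and no `cert_file`/`key_file` of its own.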
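Review bot: consul-acl.json enables ACLs with `default_policy: deny`, but docker-compose.yml mounts only the per-agent JSON file and `certs/` into each container, so this file is never loaded and the scenario actually runs with ACLs disabled while consul-server1 publishes the HTTP API and UI on host port 8500 with no authentication. Add `- ./consul-acl.json:/consul/config/consul-acl.json` to the volumes of all four services, or drop the file so the directory does not advertise a control it does not apply. The file also ends in a whitespace-only line without a trailing newline (the `\ No newline at end of file` marker); reformatting it with `jq .` would fix both.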
@@ -0,0 +1,56 @@
+version: '3.7'
+
+services:
+
+ consul-server1:
+ image: hashicorp/consul:1.14.0
+ container_name: consul-server1
+ restart: always
+ volumes:
+ - ./server1.json:/consul/config/server1.json
+ - ./certs/:/consul/config/certs/
+ networks:
+ - consul
+ ports:
+ - "8500:8500"
+ - "8600:8600/tcp"
+ - "8600:8600/udp"
+ command: "agent -bootstrap-expect=3"
+
+ consul-server2:
+ image: hashicorp/consul:1.14.0
+ container_name: consul-server2
+ restart: always
+ volumes:
+ - ./server2.json:/consul/config/server2.json
+ - ./certs/:/consul/config/certs/
+ networks:
+ - consul
+ command: "agent -bootstrap-expect=3"
+
+ consul-server3:
+ image: hashicorp/consul:1.14.0
+ container_name: consul-server3
+ restart: always
+ volumes:
+ - ./server3.json:/consul/config/server3.json
+ - ./certs/:/consul/config/certs/
+ networks:
+ - consul
+ command: "agent -bootstrap-expect=3"
+
+ consul-client:
+ image: hashicorp/consul:1.14.0
+ container_name: consul-client
+ restart: always
+ volumes:
+ - ./client.json:/consul/config/client.json
+ - ./certs/:/consul/config/certs/
+ networks:
+ - consul
+ command: "agent"
+
+networks:
+ consul:
+ driver: bridge
+
diff --git a/datacenter-deploy-secure-auto_encrypt/server1.json b/datacenter-deploy-secure-auto_encrypt/server1.json
new file mode 100644
index 0000000..e5407fa
--- /dev/null
+++ b/datacenter-deploy-secure-auto_encrypt/server1.json
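Review bot: Every service, consul-client included, mounts the entire `./certs/` directory, which puts consul-agent-ca-key.pem and dc1-server-consul-0-key.pem inside the client container even though a client using `auto_encrypt.tls` needs nothing beyond the CA certificate. Narrow the client's mount to `- ./certs/consul-agent-ca.pem:/consul/config/certs/consul-agent-ca.pem` and keep the CA private key out of the directory for the servers too. It would also help to note in README.md that the nested `tls` stanza in the JSON files depends on the newer release pinned here as `hashicorp/consul:1.14.0`, since server1_old.json shows the older flat form that this image no longer needs.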
@@ -0,0 +1,39 @@
+{
+ "node_name": "consul-server1",
+ "server": true,
+ "ui_config": {
+ "enabled" : true
+ },
+ "data_dir": "/consul/data",
+ "addresses": {
+ "http" : "0.0.0.0"
+ },
+ "retry_join":[
+ "consul-server2",
+ "consul-server3"
+ ],
+
+ "encrypt": "aPuGh+5UDskRAbkLaXRzFoSOcSM+5vAK+NEYOWHJH7w=",
+
+ "tls": {
+ "defaults": {
+ "ca_file" : "/consul/config/certs/consul-agent-ca.pem",
+ "cert_file" : "/consul/config/certs/dc1-server-consul-0.pem",
+ "key_file" : "/consul/config/certs/dc1-server-consul-0-key.pem",
+
+ "verify_outgoing" : true,
+ "verify_incoming" : true
+ },
+
+ "https": {
+ "verify_incoming" : false
+ },
+ "internal_rpc": {
+ "verify_server_hostname" : true
+ }
+ },
+
+ "auto_encrypt": {
+ "allow_tls" : true
+ }
+}
diff --git a/datacenter-deploy-secure-auto_encrypt/server1_old.json b/datacenter-deploy-secure-auto_encrypt/server1_old.json
new file mode 100644
index 0000000..b2d118d
--- /dev/null
+++ b/datacenter-deploy-secure-auto_encrypt/server1_old.json
@@ -0,0 +1,22 @@
+{
+ "node_name": "consul-server1",
+ "server": true,
+ "ui_config": {
+ "enabled" : true
+ },
+ "data_dir": "/consul/data",
+ "addresses": {
+ "http" : "0.0.0.0"
+ },
+ "retry_join":[
+ "consul-server2",
+ "consul-server3"
+ ],
+ "encrypt": "aPuGh+5UDskRAbkLaXRzFoSOcSM+5vAK+NEYOWHJH7w=",
+ "verify_incoming": true,
+ "verify_outgoing": true,
+ "verify_server_hostname": true,
+ "ca_file": "/consul/config/certs/consul-agent-ca.pem",
+ "cert_file": "/consul/config/certs/dc1-server-consul-0.pem",
+ "key_file": "/consul/config/certs/dc1-server-consul-0-key.pem"
+}
diff --git a/datacenter-deploy-secure-auto_encrypt/server2.json b/datacenter-deploy-secure-auto_encrypt/server2.json
new file mode 100644
index 0000000..145d45c
--- /dev/null
+++ b/datacenter-deploy-secure-auto_encrypt/server2.json
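Review bot: `tls.defaults.verify_incoming: true` with the `tls.https.verify_incoming: false` override only matters for listeners that exist, and server1.json configures just the plain HTTP API (`addresses.http: "0.0.0.0"`, no `ports.https`), so the UI and API that docker-compose.yml publishes on 8500 travel unencrypted. If the scenario is meant to be TLS end to end, add `"ports": { "http": -1, "https": 8501 }` and change the compose port mapping accordingly; otherwise a sentence in README.md should say the HTTP listener is deliberately left open for the tutorial. The identical stanza appears in server2.json and server3.json, which also reuse the same dc1-server-consul-0 certificate pair rather than one key per server.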
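Review bot: server1_old.json repeats server1.json with the legacy top-level TLS keys (`verify_incoming`, `verify_outgoing`, `ca_file`, `cert_file`, `key_file`) and nothing in docker-compose.yml mounts it, so it is dead configuration that will drift from server1.json over time. If it is kept as a before/after illustration of the 1.14 `tls` stanza, say so in README.md; otherwise delete it. Since the files are mounted under /consul/config, which the image presumably loads as a whole config directory, a later change that mounts the directory instead of the single file would merge the legacy keys and the `tls` stanza into one agent.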
@@ -0,0 +1,38 @@
+{
+ "node_name": "consul-server2",
+ "server": true,
+ "ui_config": {
+ "enabled" : true
+ },
+ "data_dir": "/consul/data",
+ "addresses": {
+ "http" : "0.0.0.0"
+ },
+ "retry_join":[
+ "consul-server1",
+ "consul-server3"
+ ],
+ "encrypt": "aPuGh+5UDskRAbkLaXRzFoSOcSM+5vAK+NEYOWHJH7w=",
+
+ "tls": {
+ "defaults": {
+ "ca_file" : "/consul/config/certs/consul-agent-ca.pem",
+ "cert_file" : "/consul/config/certs/dc1-server-consul-0.pem",
+ "key_file" : "/consul/config/certs/dc1-server-consul-0-key.pem",
+
+ "verify_outgoing" : true,
+ "verify_incoming" : true
+ },
+
+ "https": {
+ "verify_incoming" : false
+ },
+ "internal_rpc": {
+ "verify_server_hostname" : true
+ }
+ },
+
+ "auto_encrypt": {
+ "allow_tls" : true
+ }
+}
diff --git a/datacenter-deploy-secure-auto_encrypt/server3.json b/datacenter-deploy-secure-auto_encrypt/server3.json
new file mode 100644
index 0000000..32d680d
--- /dev/null
+++ b/datacenter-deploy-secure-auto_encrypt/server3.json
@@ -0,0 +1,38 @@
+{
+ "node_name": "consul-server3",
+ "server": true,
+ "ui_config": {
+ "enabled" : true
+ },
+ "data_dir": "/consul/data",
+ "addresses": {
+ "http" : "0.0.0.0"
+ },
+ "retry_join":[
+ "consul-server1",
+ "consul-server2"
+ ],
+ "encrypt": "aPuGh+5UDskRAbkLaXRzFoSOcSM+5vAK+NEYOWHJH7w=",
+
+ "tls": {
+ "defaults": {
+ "ca_file" : "/consul/config/certs/consul-agent-ca.pem",
+ "cert_file" : "/consul/config/certs/dc1-server-consul-0.pem",
+ "key_file" : "/consul/config/certs/dc1-server-consul-0-key.pem",
+
+ "verify_outgoing" : true,
+ "verify_incoming" : true
+ },
+
+ "https": {
+ "verify_incoming" : false
+ },
+ "internal_rpc": {
+ "verify_server_hostname" : true
+ }
+ },
+
+ "auto_encrypt": {
+ "allow_tls" : true
+ }
+}