feat: add node_token to agent config

- move policy rules to hiera array[hash]
- add node_token to agent as the default token
This commit is contained in:
2024-04-28 14:52:38 +10:00
parent 199e35840f
commit 8df927de18
3 changed files with 28 additions and 15 deletions
+7 -12
@@ -9,6 +9,7 @@ class profiles::consul::client (
String $members_role = undef,
Array $consul_servers = [],
Stdlib::Absolutepath $data_dir = '/opt/consul',
Array[Hash] $node_rules = [],
) {
if $facts['enc_role'] != $members_role {
@@ -42,6 +43,11 @@ class profiles::consul::client (
'retry_join' => $servers_array,
'bind_addr' => $::facts['networking']['ip'],
'advertise_addr' => $::facts['networking']['ip'],
'acl' => {
tokens => {
default => fqdn_uuid("${facts['networking']['fqdn']}-${secret_id_salt}")
}
}
},
}
}
@@ -49,18 +55,7 @@ class profiles::consul::client (
# Create ACL policy that allows nodes to update themselves and read others
consul_policy { $facts['networking']['hostname']:
description => "${facts['networking']['fqdn']} puppet-generated-policy",
rules => [
{
'resource' => 'node',
'segment' => $facts['networking']['hostname'],
'disposition' => 'write'
},
{
'resource' => 'node',
'segment' => '',
'disposition' => 'read'
}
],
rules => $node_rules,
acl_api_token => $consul_api_token,
hostname => $consul_hostname,
protocol => $consul_protocol,
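Review bot: Using the derived node token as `acl.tokens.default` in the second hunk gives that token's permissions to any local caller of the agent HTTP API that sends no token, because Consul falls back to the default token for unauthenticated requests; the agent's own node registration only needs `acl.tokens.agent`, so `tokens => { agent => fqdn_uuid("${facts['networking']['fqdn']}-${secret_id_salt}") }` with `default` left unset is the safer shape unless local clients are meant to inherit it. The token is also a deterministic function of the FQDN and `$secret_id_salt` (declared outside the hunk), so whoever can read the salt can compute every node's token; it should come from an encrypted hiera backend, and the rendered agent config file needs a restrictive mode since the token is written into it. Separately, the third hunk's `$node_rules` default of `[]` yields a policy with no rules and drops the per-hostname `segment` scoping unless the hiera data interpolates `%{facts.networking.hostname}`, which is worth stating in a comment above the parameter. The class body continues outside the hunks.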