From 0f0d392fb4f472740c57480caf453a6d50a72675 Mon Sep 17 00:00:00 2001
From: Ben Vincent
Date: Sun, 28 Apr 2024 01:03:57 +1000
Subject: [PATCH 1/4] feat: deploy consul agent

- install the consul agent on all nodes, except consul servers
---
 hieradata/common.yaml | 2 ++
 site/profiles/manifests/consul/client.pp | 39 ++++++++++++++++++++++++
 2 files changed, 41 insertions(+)

diff --git a/hieradata/common.yaml b/hieradata/common.yaml
index 9fa4d12..8be8ee2 100644
--- a/hieradata/common.yaml
+++ b/hieradata/common.yaml
@@ -85,6 +85,8 @@ profiles::dns::base::ns_role: 'roles::infra::dns::resolver'
 profiles::dns::base::use_ns: 'region'
 profiles::consul::server::members_role: roles::infra::storage::consul
 profiles::consul::token::node_editor::accessor_id: '024e27bd-c5bb-41e7-a578-b766509e11bc'
+profiles::consul::client::members_lookup: true
+profiles::consul::client::members_role: roles::infra::storage::consul
 
 profiles::packages::install:
   - bash-completion
diff --git a/site/profiles/manifests/consul/client.pp b/site/profiles/manifests/consul/client.pp
index edfd1ec..684c7b5 100644
--- a/site/profiles/manifests/consul/client.pp
+++ b/site/profiles/manifests/consul/client.pp
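Review bot: `profiles::consul::client::members_role` repeats the literal `roles::infra::storage::consul` that `profiles::consul::server::members_role` already holds two lines above, so the client's "am I a server?" exclusion and the server membership can drift apart silently when the role is renamed. Hiera can derive one from the other, `profiles::consul::client::members_role: "%{lookup('profiles::consul::server::members_role')}"`, which keeps both keys pointing at the same role by construction. Enabling `members_lookup: true` at the common level also means every node issues the PuppetDB query on each catalog compile; if that is intended, a one-line comment above the key saying so would stop a later reader from narrowing it by accident.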
@@ -5,8 +5,47 @@ class profiles::consul::client (
   Enum['http','https'] $consul_protocol = 'http',
   Stdlib::Port $consul_port = 8500,
   String $consul_api_token = lookup('profiles::consul::server::acl_tokens_initial_management'),
+  Boolean $members_lookup = false,
+  String $members_role = undef,
+  Array $consul_servers = [],
+  Stdlib::Absolutepath $data_dir = '/opt/consul',
 ) {
 
+  if $facts['enc_role'] != $members_role {
+
+    # set a datacentre/cluster name
+    $consul_cluster = "${::facts['country']}-${::facts['region']}"
+
+    # if lookup is enabled, find all the hosts in the specified role and create the servers_array
+    if $members_lookup {
+
+      # check that the role is also set
+      unless !($members_role == undef) {
+        fail("members_role must be provided for ${title} when members_lookup is True")
+      }
+
+      # if it is, find hosts, sort them so they dont cause changes every run
+      $servers_array = sort(query_nodes("enc_role='${members_role}' and region='${::facts['region']}'", 'networking.fqdn'))
+
+      # else use provided array from params
+    }else{
+      $servers_array = $consul_servers
+    }
+
+    # deploy the consul agent
+    class { 'consul':
+      config_hash => {
+        'data_dir' => $data_dir,
+        'datacenter' => $consul_cluster,
+        'log_level' => 'INFO',
+        'node_name' => $facts['networking']['fqdn'],
+        'retry_join' => $servers_array,
+        'bind_addr' => $::facts['networking']['ip'],
+        'advertise_addr' => $::facts['networking']['ip'],
+      },
+    }
+  }
+
   # Create ACL policy that allows nodes to update themselves and read others
   consul_policy { $facts['networking']['hostname']:
     description => "${facts['networking']['fqdn']} puppet-generated-policy",
From 43afc23535013fd7e4de47b829420098d7dfcb0f Mon Sep 17 00:00:00 2001
From: Ben Vincent
Date: Sun, 28 Apr 2024 14:06:49 +1000
Subject: [PATCH 2/4] feat: deploy consul services

- add vault.service.consul
---
 hieradata/common.yaml | 9 +++++++++
 .../au/region/syd1/infra/storage/vault.yaml | 16 ++++++++++++++++
 2 files changed, 25 insertions(+)
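Review bot: `String $members_role = undef` cannot satisfy its own type — Puppet checks the default against the declared type, so a node whose hierarchy lacks the key fails with an "expects a String value, got Undef" error before the `unless !($members_role == undef)` guard ever runs, which leaves that guard and its `fail()` message unreachable. Declare it `Optional[String] $members_role = undef,` and write the guard without the double negation, `if $members_role == undef { fail(...) }`, so the intended message is what the operator sees. A comment on `if $facts['enc_role'] != $members_role {` should state that an undef role makes every node, servers included, install the agent, since that is the consequence of the default once the type is fixed. The query string handed to `query_nodes` is built from hiera data and facts rather than from anything the managed node's users control, which is worth noting beside it so a future parameterisation does not quietly turn it into an injection point. The class header starts in the hunk-header line and the `consul_policy` resource continues past the hunk.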
diff --git a/hieradata/common.yaml b/hieradata/common.yaml
index 8be8ee2..301a017 100644
--- a/hieradata/common.yaml
+++ b/hieradata/common.yaml
@@ -63,6 +63,15 @@ lookup_options:
   profiles::dns::master::keys:
     merge:
       strategy: deep
+  consul::services:
+    merge:
+      strategy: deep
+  consul::watch:
+    merge:
+      strategy: deep
+  consul::check:
+    merge:
+      strategy: deep
 
 facts_path: '/opt/puppetlabs/facter/facts.d'
 
diff --git a/hieradata/country/au/region/syd1/infra/storage/vault.yaml b/hieradata/country/au/region/syd1/infra/storage/vault.yaml
index 2feaac4..28f1a9d 100644
--- a/hieradata/country/au/region/syd1/infra/storage/vault.yaml
+++ b/hieradata/country/au/region/syd1/infra/storage/vault.yaml
@@ -1,2 +1,18 @@
 ---
 profiles::vault::server::primary_datacenter: 'au-syd1'
+consul::services:
+  vault:
+    service_name: 'vault'
+    tags:
+      - 'https'
+      - 'secure'
+    address: "%{facts.networking.ip}" # Dynamically set from the networking facts
+    port: 443
+    checks:
+      - check_id: 'vault_https_check'
+        name: 'Vault HTTPS Check'
+        http: "https://%{facts.networking.fqdn}:443/v1/sys/health"
+        method: 'GET'
+        tls_skip_verify: true # Set to false in production for security
+        interval: '10s'
+        timeout: '1s'
From 199e35840f5640a5ecb98b6cd696b43bca8dc40c Mon Sep 17 00:00:00 2001
From: Ben Vincent
Date: Sun, 28 Apr 2024 00:49:57 +1000
Subject: [PATCH 3/4] fix: fix proxyurl for vault

- change to http://
- change to localhost
---
 hieradata/roles/infra/storage/vault.yaml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/hieradata/roles/infra/storage/vault.yaml b/hieradata/roles/infra/storage/vault.yaml
index 8785f7c..1209319 100644
--- a/hieradata/roles/infra/storage/vault.yaml
+++ b/hieradata/roles/infra/storage/vault.yaml
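Review bot: `tls_skip_verify: true` on `vault_https_check` makes the agent accept any certificate presented on port 443 of its own FQDN, so the check only proves that something answers TLS there, not that it is the intended nginx/Vault endpoint; the inline comment concedes this is not a production setting, and the last patch in this series (`8df927d`) drops that comment while keeping the value. If the certificate on 443 is issued by a CA the consul agent already trusts, `tls_skip_verify: false` costs nothing; if it is self-signed, a comment naming the CA gap is the minimum so the exception stays deliberate rather than forgotten. Vault's `/v1/sys/health` answers non-2xx on standby and sealed nodes, so a healthy standby will surface as warning or critical in Consul unless the URL carries `standbyok=true`; whether that is wanted depends on how `vault.service.consul` is meant to resolve, which this hunk cannot show, so a sentence next to `http:` stating the intent would help. The `address` field uses the IP while the check targets the FQDN, which is fine but worth a note that the check deliberately goes through the hostname-based vhost.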
@@ -17,5 +17,7 @@ profiles::nginx::simpleproxy::nginx_vhost: 'vault.service.consul'
 profiles::nginx::simpleproxy::nginx_aliases:
   - vault
   - vault.main.unkin.net
+profiles::nginx::simpleproxy::proxy_scheme: 'http'
+profiles::nginx::simpleproxy::proxy_host: '127.0.0.1'
 profiles::nginx::simpleproxy::proxy_port: 8200
 profiles::nginx::simpleproxy::proxy_path: '/'
From 8df927de18e83e610d43833617b1e9e9b4ce9b25 Mon Sep 17 00:00:00 2001
From: Ben Vincent
Date: Sun, 28 Apr 2024 14:52:38 +1000
Subject: [PATCH 4/4] feat: add node_token to agent config

- move policy rules to hiera array[hash]
- add node_token to agent as the default token
---
 hieradata/common.yaml | 14 ++++++++++++++
 .../au/region/syd1/infra/storage/vault.yaml | 10 +++++++---
 site/profiles/manifests/consul/client.pp | 19 +++++++------------
 3 files changed, 28 insertions(+), 15 deletions(-)

diff --git a/hieradata/common.yaml b/hieradata/common.yaml
index 301a017..8dd6df7 100644
--- a/hieradata/common.yaml
+++ b/hieradata/common.yaml
@@ -72,6 +72,9 @@ lookup_options:
   consul::check:
     merge:
       strategy: deep
+  profiles::consul::client::node_rules:
+    merge:
+      strategy: deep
 
 facts_path: '/opt/puppetlabs/facter/facts.d'
 
@@ -96,6 +99,17 @@ profiles::consul::server::members_role: roles::infra::storage::consul
 profiles::consul::token::node_editor::accessor_id: '024e27bd-c5bb-41e7-a578-b766509e11bc'
 profiles::consul::client::members_lookup: true
 profiles::consul::client::members_role: roles::infra::storage::consul
+profiles::consul::client::node_rules:
+  - resource: node
+    segment: "%{facts.networking.hostname}"
+    disposition: write
+  - resource: node
+    segment: "%{facts.networking.fqdn}"
+    disposition: write
+  - resource: node
+    segment: ''
+    disposition: read
+
 
 profiles::packages::install:
   - bash-completion
diff --git a/hieradata/country/au/region/syd1/infra/storage/vault.yaml b/hieradata/country/au/region/syd1/infra/storage/vault.yaml
index 28f1a9d..d66aeea 100644
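Review bot: `proxy_scheme: 'http'` together with `proxy_host: '127.0.0.1'` means nginx terminates TLS on 443 and hands plaintext to Vault on loopback port 8200, which is only as safe as the Vault listener's bind address; that listener is not in this series, so whether 8200 is loopback-only cannot be confirmed from here. The commit title says "fix proxyurl" but not why `http` is correct, so a comment such as `# Vault listener is plaintext on loopback; nginx on 443 terminates TLS` on the `proxy_scheme` line would record the assumption for the next reader. It is also worth checking that the simpleproxy profile forwards the client address, since Vault's audit log may otherwise record 127.0.0.1 for every request unless the listener is told to trust the proxy's forwarded header.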
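Review bot: `profiles::consul::client::node_rules` is registered with `strategy: deep`, but its value is an array of hashes; Hiera's deep merge concatenates arrays across hierarchy levels (the hashes inside are only merged when `merge_hash_arrays` is set), so a more specific level can add rules but cannot narrow the `segment: ''` / `disposition: read` entry that grants read on every node. That is the right shape for a least-privilege baseline that role files extend, but it is not obvious from the data alone, so a comment above the key along the lines of "lower levels append rules; nothing can remove this baseline" would save the next reader a trip to the merge docs. The added blank line after `disposition: read` sits next to the existing blank context line, leaving two blank lines before `profiles::packages::install:`.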
--- a/hieradata/country/au/region/syd1/infra/storage/vault.yaml
+++ b/hieradata/country/au/region/syd1/infra/storage/vault.yaml
@@ -6,13 +6,17 @@ consul::services:
     tags:
       - 'https'
       - 'secure'
-    address: "%{facts.networking.ip}" # Dynamically set from the networking facts
+    address: "%{facts.networking.ip}"
     port: 443
     checks:
-      - check_id: 'vault_https_check'
+      - id: 'vault_https_check'
         name: 'Vault HTTPS Check'
         http: "https://%{facts.networking.fqdn}:443/v1/sys/health"
         method: 'GET'
-        tls_skip_verify: true # Set to false in production for security
+        tls_skip_verify: true
         interval: '10s'
         timeout: '1s'
+profiles::consul::client::node_rules:
+  - resource: service
+    segment: vault
+    disposition: write
diff --git a/site/profiles/manifests/consul/client.pp b/site/profiles/manifests/consul/client.pp
index 684c7b5..4524b87 100644
--- a/site/profiles/manifests/consul/client.pp
+++ b/site/profiles/manifests/consul/client.pp
@@ -9,6 +9,7 @@ class profiles::consul::client (
   String $members_role = undef,
   Array $consul_servers = [],
   Stdlib::Absolutepath $data_dir = '/opt/consul',
+  Array[Hash] $node_rules = [],
 ) {
 
   if $facts['enc_role'] != $members_role {
@@ -42,6 +43,11 @@ class profiles::consul::client (
         'retry_join' => $servers_array,
         'bind_addr' => $::facts['networking']['ip'],
         'advertise_addr' => $::facts['networking']['ip'],
+        'acl' => {
+          tokens => {
+            default => fqdn_uuid("${facts['networking']['fqdn']}-${secret_id_salt}")
+          }
+        }
       },
     }
   }
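Review bot: `Array[Hash] $node_rules = []` accepts any hash, so a typo in hiera such as `disposition: wrte` or `resource: nod` reaches `consul_policy` and the ACL API instead of failing at compile time, where the error is cheap and local. A `Struct` pins the contract and rejects unknown keys as well: `Array[Struct[{ 'resource' => String, 'segment' => String, 'disposition' => Enum['read', 'write', 'deny'] }]] $node_rules = [],`. With the default `[]`, a node whose hierarchy lacks the key creates a policy with no rules, which fails closed but is hard to diagnose from the agent side; a comment on the parameter saying the baseline is expected from `profiles::consul::client::node_rules` in hiera would make that failure mode recognisable. The class header is in the hunk-header line, outside the hunk.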
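Review bot: `fqdn_uuid("${facts['networking']['fqdn']}-${secret_id_salt}")` derives the agent's default token deterministically, and `$secret_id_salt` is neither a parameter of this class nor assigned in any hunk of the series; if it is unset at compile time the interpolation yields an empty string (or an error under `strict_variables`), and the token becomes a function of the public FQDN alone. `fqdn_uuid` is a name-based (v5) UUID, so anyone who knows the input can recompute the secret; the salt therefore has to be a real secret, sourced through an explicit parameter (e.g. `Sensitive[String] $secret_id_salt`) or a `lookup()` that fails loudly when absent, rather than an implicit global. The token also has to exist in Consul with this node's policy attached for `default` to mean anything; this hunk only writes it into the agent config and I cannot see the matching `consul_token` in the series, so a comment pointing at where it is created would help the next reader. Since the value lands in the agent's on-disk config, the file mode the consul module applies to `config_hash` output is worth confirming, though that is outside this hunk.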
@@ -49,18 +55,7 @@ class profiles::consul::client (
   # Create ACL policy that allows nodes to update themselves and read others
   consul_policy { $facts['networking']['hostname']:
     description => "${facts['networking']['fqdn']} puppet-generated-policy",
-    rules => [
-      {
-        'resource' => 'node',
-        'segment' => $facts['networking']['hostname'],
-        'disposition' => 'write'
-      },
-      {
-        'resource' => 'node',
-        'segment' => '',
-        'disposition' => 'read'
-      }
-    ],
+    rules => $node_rules,
     acl_api_token => $consul_api_token,
     hostname => $consul_hostname,
     protocol => $consul_protocol,
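Review bot: `rules => $node_rules` moves the node's effective ACL grants out of the manifest into hiera, so the context comment above, "allows nodes to update themselves and read others", now describes data this resource no longer controls — a region-level file in this same series adds `service vault write`, which that sentence does not cover. Update the comment to name the source, e.g. `# Policy content is data-driven: profiles::consul::client::node_rules (deep-merged across the hierarchy)`, so a reviewer of this resource knows the real grants live in hiera. The `consul_policy` resource continues past the end of the hunk.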