From a7e9f1590e323898cf6abf42d4d95fdb2b2f01cc Mon Sep 17 00:00:00 2001
From: Ben Vincent
Date: Thu, 25 Apr 2024 00:07:51 +1000
Subject: [PATCH] fix: move primary_datacenter to region/role

- set syd1 as primary consul datacentre
- add consul.service.consul zone
- add nginx reverse proxy for consul webui
- set dns zones/acls/views/keys to be deep merged from hiera
- update default token
- add consul/consul.service.consul/consul.main.unkin.net to vault cert
---
 hieradata/common.yaml | 24 +++++
 .../au/region/drw1/infra/dns/resolver.yaml | 44 +++++++++
 .../au/region/drw1/infra/storage/consul.yaml | 1 +
 .../au/region/syd1/infra/dns/resolver.yaml | 44 +++++++++
 .../au/region/syd1/infra/storage/consul.eyaml | 2 +-
 .../au/region/syd1/infra/storage/consul.yaml | 1 +
 hieradata/roles/infra/dns/resolver.yaml | 91 ++++++++++-------
 hieradata/roles/infra/storage/consul.yaml | 7 +-
 site/profiles/manifests/consul/nginx.pp | 97 +++++++++++++++++++
 site/profiles/manifests/consul/server.pp | 6 +-
 10 files changed, 276 insertions(+), 41 deletions(-)
 create mode 100644 hieradata/country/au/region/drw1/infra/dns/resolver.yaml
 create mode 100644 hieradata/country/au/region/syd1/infra/dns/resolver.yaml
 create mode 100644 site/profiles/manifests/consul/nginx.pp
diff --git a/hieradata/common.yaml b/hieradata/common.yaml
index 4b54a2b..c1c6138 100644
--- a/hieradata/common.yaml
+++ b/hieradata/common.yaml
@@ -39,6 +39,30 @@ lookup_options:
 profiles::base::groups::local:
 merge:
 strategy: deep
+ profiles::dns::resolver::zones:
+ merge:
+ strategy: deep
+ profiles::dns::resolver::acls:
+ merge:
+ strategy: deep
+ profiles::dns::resolver::views:
+ merge:
+ strategy: deep
+ profiles::dns::resolver::keys:
+ merge:
+ strategy: deep
+ profiles::dns::master::zones:
+ merge:
+ strategy: deep
+ profiles::dns::master::acls:
+ merge:
+ strategy: deep
+ profiles::dns::master::views:
+ merge:
+ strategy: deep
+ profiles::dns::master::keys:
+ merge:
+ strategy: deep
 facts_path: '/opt/puppetlabs/facter/facts.d'
diff --git a/hieradata/country/au/region/drw1/infra/dns/resolver.yaml b/hieradata/country/au/region/drw1/infra/dns/resolver.yaml
new file mode 100644
index 0000000..49afb06
--- /dev/null
+++ b/hieradata/country/au/region/drw1/infra/dns/resolver.yaml
@@ -0,0 +1,44 @@
+---
+profiles::dns::resolver::zones:
+ main.unkin.net-forward:
+ domain: 'main.unkin.net'
+ zone_type: 'forward'
+ forwarders:
+ - 198.18.17.23
+ - 198.18.17.24
+ forward: 'only'
+ 13.18.198.in-addr.arpa-forward:
+ domain: '13.18.198.in-addr.arpa'
+ zone_type: 'forward'
+ forwarders:
+ - 198.18.17.23
+ - 198.18.17.24
+ forward: 'only'
+ 14.18.198.in-addr.arpa-forward:
+ domain: '14.18.198.in-addr.arpa'
+ zone_type: 'forward'
+ forwarders:
+ - 198.18.17.23
+ - 198.18.17.24
+ forward: 'only'
+ 15.18.198.in-addr.arpa-forward:
+ domain: '15.18.198.in-addr.arpa'
+ zone_type: 'forward'
+ forwarders:
+ - 198.18.17.23
+ - 198.18.17.24
+ forward: 'only'
+ 16.18.198.in-addr.arpa-forward:
+ domain: '16.18.198.in-addr.arpa'
+ zone_type: 'forward'
+ forwarders:
+ - 198.18.17.23
+ - 198.18.17.24
+ forward: 'only'
+ 17.18.198.in-addr.arpa-forward:
+ domain: '17.18.198.in-addr.arpa'
+ zone_type: 'forward'
+ forwarders:
+ - 198.18.17.23
+ - 198.18.17.24
+ forward: 'only'
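Review bot: Switching `profiles::dns::resolver::acls`/`zones`/`views`/`keys` (and the `master` equivalents) to `strategy: deep` changes what a lower hiera level is able to do, and nothing in the hunk records that. As far as I recall Puppet's deep merge unions array values across levels rather than letting a higher-priority level replace them, so a region-level `acl-main.unkin.net` can only widen the address list and a zone's `forwarders` accumulates entries from every level that defines the same zone; that suits the add-only use this commit makes of it, but nobody will be able to narrow an ACL from a region file later. I would put `# deep merge: lower levels can add zones/ACL entries but cannot remove or replace role-level ones (see knockout_prefix/merge_hash_arrays if that is ever needed)` above the new block so the constraint is visible where the strategy is set.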
diff --git a/hieradata/country/au/region/drw1/infra/storage/consul.yaml b/hieradata/country/au/region/drw1/infra/storage/consul.yaml
index fef2905..11b6a2f 100644
--- a/hieradata/country/au/region/drw1/infra/storage/consul.yaml
+++ b/hieradata/country/au/region/drw1/infra/storage/consul.yaml
@@ -1,3 +1,4 @@
 ---
 profiles::consul::server::bootstrap_count: 3
 profiles::consul::server::raft_multiplier: 10
+profiles::consul::server::primary_datacenter: 'au-drw1'
diff --git a/hieradata/country/au/region/syd1/infra/dns/resolver.yaml b/hieradata/country/au/region/syd1/infra/dns/resolver.yaml
new file mode 100644
index 0000000..ddde7f5
--- /dev/null
+++ b/hieradata/country/au/region/syd1/infra/dns/resolver.yaml
@@ -0,0 +1,44 @@
+---
+profiles::dns::resolver::zones:
+ main.unkin.net-forward:
+ domain: 'main.unkin.net'
+ zone_type: 'forward'
+ forwarders:
+ - 198.18.13.14
+ - 198.18.13.15
+ forward: 'only'
+ 13.18.198.in-addr.arpa-forward:
+ domain: '13.18.198.in-addr.arpa'
+ zone_type: 'forward'
+ forwarders:
+ - 198.18.13.14
+ - 198.18.13.15
+ forward: 'only'
+ 14.18.198.in-addr.arpa-forward:
+ domain: '14.18.198.in-addr.arpa'
+ zone_type: 'forward'
+ forwarders:
+ - 198.18.13.14
+ - 198.18.13.15
+ forward: 'only'
+ 15.18.198.in-addr.arpa-forward:
+ domain: '15.18.198.in-addr.arpa'
+ zone_type: 'forward'
+ forwarders:
+ - 198.18.13.14
+ - 198.18.13.15
+ forward: 'only'
+ 16.18.198.in-addr.arpa-forward:
+ domain: '16.18.198.in-addr.arpa'
+ zone_type: 'forward'
+ forwarders:
+ - 198.18.13.14
+ - 198.18.13.15
+ forward: 'only'
+ 17.18.198.in-addr.arpa-forward:
+ domain: '17.18.198.in-addr.arpa'
+ zone_type: 'forward'
+ forwarders:
+ - 198.18.13.14
+ - 198.18.13.15
+ forward: 'only'
diff --git a/hieradata/country/au/region/syd1/infra/storage/consul.eyaml b/hieradata/country/au/region/syd1/infra/storage/consul.eyaml
index 948b16f..3d28bc6 100644
--- a/hieradata/country/au/region/syd1/infra/storage/consul.eyaml
+++ b/hieradata/country/au/region/syd1/infra/storage/consul.eyaml
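Review bot: `primary_datacenter: 'au-drw1'` here and `'au-syd1'` in the matching syd1 file make each region its own primary, which contradicts the commit message ("set syd1 as primary consul datacentre") and replaces a role-level value that previously named one DC for everyone. If the two datacenters are WAN-federated, `primary_datacenter` must be the same string on every server in every DC — it is what Consul's ACL replication and cross-DC token resolution are keyed on — so one of these two files has to name the other DC; I cannot tell from the patch whether federation is in place. If they are deliberately independent clusters, a comment on this line such as `# standalone DC, not federated with syd1: acts as its own ACL primary` would stop the next reader from "fixing" it.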
@@ -1,4 +1,4 @@
 ---
 profiles::consul::server::gossip_key: ENC[PKCS7,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]
 profiles::consul::server::acl_tokens_initial_management: ENC[PKCS7,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]
-profiles::consul::server::acl_tokens_default: ENC[PKCS7,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]
+profiles::consul::server::acl_tokens_default: ENC[PKCS7,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]
diff --git a/hieradata/country/au/region/syd1/infra/storage/consul.yaml b/hieradata/country/au/region/syd1/infra/storage/consul.yaml
index fef2905..4bd8c14 100644
--- a/hieradata/country/au/region/syd1/infra/storage/consul.yaml
+++ b/hieradata/country/au/region/syd1/infra/storage/consul.yaml
@@ -1,3 +1,4 @@
 ---
 profiles::consul::server::bootstrap_count: 3
 profiles::consul::server::raft_multiplier: 10
+profiles::consul::server::primary_datacenter: 'au-syd1'
diff --git a/hieradata/roles/infra/dns/resolver.yaml b/hieradata/roles/infra/dns/resolver.yaml
index 18008a4..6be9009 100644
--- a/hieradata/roles/infra/dns/resolver.yaml
+++ b/hieradata/roles/infra/dns/resolver.yaml
@@ -2,6 +2,7 @@
 profiles::dns::resolver::acls:
 acl-main.unkin.net:
 addresses:
+ - 10.10.8.1/32
 - 198.18.21.160/27
 - 198.18.21.192/27
 - 198.18.13.0/24
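Review bot: `- 10.10.8.1/32` is added to `acl-main.unkin.net` with no comment, and it is the only entry in the visible list that is not in 198.18.0.0/16; the same address is the `prod.unkin.net` forwarder that the next hunk of this file replaces with 10.10.16.32/33, so I cannot tell from the patch whether it is still a live host that should be allowed to query this view or a leftover. A one-line note naming the host would settle it for the next reader, e.g. `- 10.10.8.1/32  # <host/role>: allowed to recurse through this view`. Since this ACL gates `match_clients` for the recursive view, every entry here is effectively a grant of recursive DNS service.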
@@ -11,53 +12,62 @@ profiles::dns::resolver::acls:
 - 198.18.17.0/24
 profiles::dns::resolver::zones:
- main.unkin.net-forward:
- domain: 'main.unkin.net'
+ 8.10.10.in-addr.arpa-forward:
+ domain: '8.10.10.in-addr.arpa'
 zone_type: 'forward'
 forwarders:
- - 198.18.17.23
- - 198.18.17.24
+ - 10.10.16.32
+ - 10.10.16.33
+ forward: 'only'
+ 16.10.10.in-addr.arpa-forward:
+ domain: '16.10.10.in-addr.arpa'
+ zone_type: 'forward'
+ forwarders:
+ - 10.10.16.32
+ - 10.10.16.33
+ forward: 'only'
+ 20.10.10.in-addr.arpa-forward:
+ domain: '20.10.10.in-addr.arpa'
+ zone_type: 'forward'
+ forwarders:
+ - 10.10.16.32
+ - 10.10.16.33
+ forward: 'only'
+ unkin.net-forward:
+ domain: 'unkin.net'
+ zone_type: 'forward'
+ forwarders:
+ - 10.10.16.32
+ - 10.10.16.33
+ forward: 'only'
+ dmz.unkin.net-forward:
+ domain: 'dmz.unkin.net'
+ zone_type: 'forward'
+ forwarders:
+ - 10.10.16.32
+ - 10.10.16.33
+ forward: 'only'
+ network.unkin.net-forward:
+ domain: 'network.unkin.net'
+ zone_type: 'forward'
+ forwarders:
+ - 10.10.16.32
+ - 10.10.16.33
 forward: 'only'
 prod.unkin.net-forward:
 domain: 'prod.unkin.net'
 zone_type: 'forward'
 forwarders:
- - 10.10.8.1
+ - 10.10.16.32
+ - 10.10.16.33
 forward: 'only'
- 13.18.198.in-addr.arpa-forward:
- domain: '13.18.198.in-addr.arpa'
+ consul.service.consul-forward:
+ domain: 'consul.service.consul'
 zone_type: 'forward'
 forwarders:
- - 198.18.17.23
- - 198.18.17.24
- forward: 'only'
- 14.18.198.in-addr.arpa-forward:
- domain: '14.18.198.in-addr.arpa'
- zone_type: 'forward'
- forwarders:
- - 198.18.17.23
- - 198.18.17.24
- forward: 'only'
- 15.18.198.in-addr.arpa-forward:
- domain: '15.18.198.in-addr.arpa'
- zone_type: 'forward'
- forwarders:
- - 198.18.17.23
- - 198.18.17.24
- forward: 'only'
- 16.18.198.in-addr.arpa-forward:
- domain: '16.18.198.in-addr.arpa'
- zone_type: 'forward'
- forwarders:
- - 198.18.17.23
- - 198.18.17.24
- forward: 'only'
- 17.18.198.in-addr.arpa-forward:
- domain: '17.18.198.in-addr.arpa'
- zone_type: 'forward'
- forwarders:
- - 198.18.17.23
- - 198.18.17.24
+ - 198.18.13.19
+ - 198.18.13.20
+ - 198.18.13.21
 forward: 'only'
 profiles::dns::resolver::views:
@@ -65,11 +75,18 @@ profiles::dns::resolver::views:
 recursion: true
 zones:
 - main.unkin.net-forward
+ - unkin.net-forward
+ - dmz.unkin.net-forward
+ - network.unkin.net-forward
 - prod.unkin.net-forward
+ - consul.service.consul-forward
 - 13.18.198.in-addr.arpa-forward
 - 14.18.198.in-addr.arpa-forward
 - 15.18.198.in-addr.arpa-forward
 - 16.18.198.in-addr.arpa-forward
 - 17.18.198.in-addr.arpa-forward
+ - 8.10.10.in-addr.arpa-forward
+ - 16.10.10.in-addr.arpa-forward
+ - 20.10.10.in-addr.arpa-forward
 match_clients:
 - acl-main.unkin.net
diff --git a/hieradata/roles/infra/storage/consul.yaml b/hieradata/roles/infra/storage/consul.yaml
index 855a0f1..1aef9be 100644
--- a/hieradata/roles/infra/storage/consul.yaml
+++ b/hieradata/roles/infra/storage/consul.yaml
@@ -1,7 +1,6 @@
 ---
 profiles::consul::server::members_lookup: true
 profiles::consul::server::data_dir: /data/consul
-profiles::consul::server::primary_datacenter: 'au-drw1'
 profiles::consul::server::addresses:
 dns: "%{::networking.ip}"
 http: "%{::networking.ip}"
@@ -19,3 +18,9 @@ profiles::consul::server::acl:
 tokens:
 initial_management: "%{alias('profiles::consul::server::acl_tokens_initial_management')}"
 default: "%{alias('profiles::consul::server::acl_tokens_default')}"
+
+# additional altnames
+profiles::pki::vault::alt_names:
+ - consul.main.unkin.net
+ - consul.service.consul
+ - consul
diff --git a/site/profiles/manifests/consul/nginx.pp b/site/profiles/manifests/consul/nginx.pp
new file mode 100644
index 0000000..59d5fad
--- /dev/null
+++ b/site/profiles/manifests/consul/nginx.pp
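Review bot: `consul.service.consul-forward` hands BIND the three addresses 198.18.13.19–21 with no port, so the forward goes to 53, while Consul's DNS listener defaults to 8600 — server.pp in this same patch reads `pick($ports['dns'], 8600)` — so unless `profiles::consul::server::ports['dns']` is set to 53 somewhere I cannot see, these queries will be refused or time out; please confirm the servers answer on 53, or express the port if the dns module's `forwarders` accepts one. The three IPs are also fixed at role level, so a drw1 resolver will forward this zone across the WAN to what look like syd1 servers rather than to its local cluster, whereas `main.unkin.net-forward` was just moved into per-region files for exactly that reason. If the cross-DC forward is intentional I would say so inline, e.g. `# forwarded to the syd1 servers from every region: consul.service.consul is resolved by the primary DC only`; otherwise move this zone into the two region resolver.yaml files next to `main.unkin.net-forward`.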
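Review bot: The view still lists `main.unkin.net-forward` and the five `*.18.198.in-addr.arpa-forward` zones, but this commit deletes those zone definitions from the role file and recreates them only in the drw1 and syd1 region files. A resolver in any region that lacks its own `infra/dns/resolver.yaml` will therefore get a view that references zones hiera no longer defines for it; whether such a region exists is not visible in this patch, so this may be theoretical today. A comment above the list, `# main.unkin.net and the 198.18.x reverse zones are defined per region in country/au/region/<dc>/infra/dns/resolver.yaml`, would at least make the dependency explicit, and the view's zone list could likewise be moved to (or deep-merged from) the region files so both halves travel together.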
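Review bot: `- consul` requests a certificate with a bare single-label SAN, which a Vault PKI role only issues when it is configured to allow bare domains (or any name), and `consul.service.consul` sits under a suffix that is not a real DNS zone; neither will be issued unless the role behind `profiles::pki::vault` already permits them, and nothing in the hunk says it does. Since the `# additional altnames` comment is already there, I would extend it to record the requirement, e.g. `# additional altnames: 'consul' covers short-name lookups via the search domain; the vault role must allow bare domains and the .consul suffix`. The role-wide list also means every consul server asks for the same extra names, which is presumably intended for the nginx proxy in this patch but worth stating.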
@@ -0,0 +1,97 @@
+# profiles::consul::nginx
+class profiles::consul::nginx (
+ String $nginx_vhost = 'consul.service.consul',
+ Stdlib::Port $nginx_port = 80,
+ Stdlib::Port $nginx_ssl_port = 443,
+ Enum['http','https','both'] $nginx_listen_mode = 'https',
+ Enum['puppet', 'vault'] $nginx_cert_type = 'vault'
+) {
+
+ # set the server_names
+ $server_names = [$facts['networking']['fqdn'], $nginx_vhost, 'consul', 'consul.main.unkin.net']
+
+ # select the certificates to use based on cert type
+ case $nginx_cert_type {
+ 'puppet': {
+ $selected_ssl_cert = "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.crt"
+ $selected_ssl_key = "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.key"
+ }
+ 'vault': {
+ $selected_ssl_cert = '/etc/pki/tls/vault/certificate.crt'
+ $selected_ssl_key = '/etc/pki/tls/vault/private.key'
+ }
+ default: {
+ # enum param prevents this ever being reached
+ }
+ }
+
+ # set variables based on the listen_mode
+ case $nginx_listen_mode {
+ 'http': {
+ $enable_ssl = false
+ $ssl_cert = undef
+ $ssl_key = undef
+ $listen_port = $nginx_port
+ $listen_ssl_port = undef
+ $extras_hash = {}
+ }
+ 'https': {
+ $enable_ssl = true
+ $ssl_cert = $selected_ssl_cert
+ $ssl_key = $selected_ssl_key
+ $listen_port = $nginx_ssl_port
+ $listen_ssl_port = $nginx_ssl_port
+ $extras_hash = {
+ 'subscribe' => [File[$ssl_cert], File[$ssl_key]],
+ }
+ }
+ 'both': {
+ $enable_ssl = true
+ $ssl_cert = $selected_ssl_cert
+ $ssl_key = $selected_ssl_key
+ $listen_port = $nginx_port
+ $listen_ssl_port = $nginx_ssl_port
+ $extras_hash = {
+ 'subscribe' => [File[$ssl_cert], File[$ssl_key]],
+ }
+ }
+ default: {
+ # enum param prevents this ever being reached
+ }
+ }
+
+ # define the default parameters for the nginx server
+ $defaults = {
+ 'listen_port' => $listen_port,
+ 'server_name' => $server_names,
+ 'use_default_location' => true,
+ 'access_log' => "/var/log/nginx/${nginx_vhost}_access.log",
+ 'error_log' => "/var/log/nginx/${nginx_vhost}_error.log",
+ 'autoindex' => 
'on', + 'ssl' => $enable_ssl, + 'ssl_cert' => $ssl_cert, + 'ssl_key' => $ssl_key, + 'ssl_port' => $listen_ssl_port, + 'proxy' => "http://${facts['networking']['ip']}:8500/", + } + + # merge the hashes conditionally + $nginx_parameters = merge($defaults, $extras_hash) + + # manage the nginx class + include 'nginx' + + # create the nginx vhost with the merged parameters + create_resources('nginx::resource::server', { $nginx_vhost => $nginx_parameters }) + + # manage selinux + if $::facts['os']['selinux']['config_mode'] == 'enforcing' { + + # make sure nginx can reverse proxy + selboolean { 'httpd_can_network_connect': + persistent => true, + value => 'on', + } + + } +} diff --git a/site/profiles/manifests/consul/server.pp b/site/profiles/manifests/consul/server.pp index 9dbffc0..97137a4 100644 --- a/site/profiles/manifests/consul/server.pp +++ b/site/profiles/manifests/consul/server.pp @@ -102,10 +102,12 @@ class profiles::consul::server ( } } } - - # consul before dnsmasq + # consul before extra services if defined(Class['consul']) { + # setup nginx + include profiles::consul::nginx + # get the dns port from the $ports hash, otherwise use the default $dns_port = pick($ports['dns'], 8600)
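Review bot: The vhost proxies the whole Consul HTTP API, not just the UI: `'proxy' => "http://${facts['networking']['ip']}:8500/"` on the default location forwards `/v1/kv`, `/v1/acl`, `/v1/agent/*` and everything else to any client that can reach `$server_names`, with nothing but Consul's anonymous/default token policy in between, and the class adds no client allow-list or proxy-side authentication. I would add an `$allowed_clients` parameter and feed it to `nginx::resource::server`'s `location_allow`/`location_deny` (check the pinned puppet-nginx version exposes them), defaulting to empty so existing callers keep today's behaviour, as sketched below. `'autoindex' => 'on'` has no effect on a proxied location and should go so it does not read as an intended directory listing; the `'http'` listen mode also puts the API and any tokens on the wire in clear, so a comment warning that it is for testing only would help. Note too that a caller using Consul's legacy `?token=` query parameter will have the ACL token written to `/var/log/nginx/${nginx_vhost}_access.log` in the request line, since the proxy does not strip it.
```puppet
class profiles::consul::nginx (
  String $nginx_vhost = 'consul.service.consul',
  # … unchanged: port, listen_mode and cert_type parameters …
  Enum['puppet', 'vault'] $nginx_cert_type = 'vault',
  # networks allowed to reach the Consul API through this vhost; empty keeps
  # the current open behaviour so existing callers are unaffected
  Array[Stdlib::IP::Address] $allowed_clients = [],
) {
  # … unchanged: server_names, certificate and listen_mode selection …

  # restrict the default (proxy) location when an allow-list is given
  $access_hash = $allowed_clients.empty ? {
    true    => {},
    default => { 'location_allow' => $allowed_clients, 'location_deny' => ['all'] },
  }

  # default parameters for the nginx server; autoindex dropped (no-op on a proxy)
  $defaults = {
    'listen_port'          => $listen_port,
    'server_name'          => $server_names,
    'use_default_location' => true,
    'access_log'           => "/var/log/nginx/${nginx_vhost}_access.log",
    'error_log'            => "/var/log/nginx/${nginx_vhost}_error.log",
    'ssl'                  => $enable_ssl,
    'ssl_cert'             => $ssl_cert,
    'ssl_key'              => $ssl_key,
    'ssl_port'             => $listen_ssl_port,
    'proxy'                => "http://${facts['networking']['ip']}:8500/",
  }

  $nginx_parameters = merge($defaults, $extras_hash, $access_hash)
  # … unchanged: include nginx, create_resources, selinux boolean …
}
```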