feat: nomad cni additions

- add consul-cni package
- enable grpc for consul servers
- enable consul connect for consul servers
- set recursors for consul
- add ports to consul agent (grpc, dns, http for nomad)

hieradata/roles/infra/nomad/agent.yaml

@@ -39,6 +39,7 @@ profiles::ceph::client::keyrings:
 profiles::packages::include:
   nomad: {}
   cni-plugins: {}
+  consul-cni: {}
 
 profiles::nomad::node::client: true
 

hieradata/roles/infra/nomad/agentv2.yaml

@@ -22,6 +22,7 @@ networking::interfaces:
 profiles::packages::include:
   nomad: {}
   cni-plugins: {}
+  consul-cni: {}
 
 profiles::nomad::node::client: true
 
@@ -34,6 +35,10 @@ profiles::pki::vault::alt_names:
   - "nomad-client.service.%{facts.country}-%{facts.region}.consul"
 
 # configure consul service
+profiles::consul::client::ports:
+  grpc: 8502
+  dns: 8600
+  http: 8500
 profiles::consul::client::node_rules:
   - resource: service
     segment: nomad-client

hieradata/roles/infra/storage/consul.yaml

@@ -8,6 +8,7 @@ profiles::consul::server::addresses:
   grpc: "%{::networking.ip}"
   grpc_tls: "%{::networking.ip}"
 profiles::consul::server::ports:
+  grpc: 8502
   dns: 8600
   http: 8500
   https: -1

site/profiles/manifests/consul/client.pp

@@ -10,6 +10,7 @@ class profiles::consul::client (
   Array                $consul_servers     = [],
   Stdlib::Absolutepath $data_dir           = '/opt/consul',
   Array[Hash]          $node_rules         = [],
+  Hash                 $ports              = {},
 ) {
 
   if $facts['enc_role'] != $members_role {
@@ -44,6 +45,7 @@ class profiles::consul::client (
         'bind_addr'            => $::facts['networking']['ip'],
         'advertise_addr'       => $::facts['networking']['ip'],
         'enable_script_checks' => true,
+        'ports'                => $ports,
         'acl'                  => {
           tokens => {
             default => fqdn_uuid("${facts['networking']['fqdn']}-${secret_id_salt}")

site/profiles/manifests/consul/server.pp

@@ -119,6 +119,8 @@ class profiles::consul::server (
           'advertise_addr'       => $advertise_addr,
           'retry_join'           => $servers_array,
           'retry_join_wan'       => $remote_servers_array,
+          'connect'              => { 'enabled' => true },
+          'recursors'            => ['198.18.19.16'],
         },
       }
     }