2024-06-01 14:48:48 +10:00
3 changed files with 28 additions and 15 deletions
--- a/hieradata/common.yaml
+++ b/hieradata/common.yaml
@ -72,6 +72,9 @@ lookup_options:
  consul::check:
    merge:
      strategy: deep
+  profiles::consul::client::node_rules:
+    merge:
+      strategy: deep

 facts_path: '/opt/puppetlabs/facter/facts.d'

@ -96,6 +99,17 @@ profiles::consul::server::members_role: roles::infra::storage::consul
 profiles::consul::token::node_editor::accessor_id: '024e27bd-c5bb-41e7-a578-b766509e11bc'
 profiles::consul::client::members_lookup: true
 profiles::consul::client::members_role: roles::infra::storage::consul
+profiles::consul::client::node_rules:
+  - resource: node
+    segment: "%{facts.networking.hostname}"
+    disposition: write
+  - resource: node
+    segment: "%{facts.networking.fqdn}"
+    disposition: write
+  - resource: node
+    segment: ''
+    disposition: read
+

 profiles::packages::install:
  - bash-completion
--- a/hieradata/country/au/region/syd1/infra/storage/vault.yaml
+++ b/hieradata/country/au/region/syd1/infra/storage/vault.yaml
@ -6,13 +6,17 @@ consul::services:
    tags:
      - 'https'
      - 'secure'
-    address: "%{facts.networking.ip}"  # Dynamically set from the networking facts
+    address: "%{facts.networking.ip}"
    port: 443
    checks:
-      - check_id: 'vault_https_check'
+      - id: 'vault_https_check'
        name: 'Vault HTTPS Check'
        http: "https://%{facts.networking.fqdn}:443/v1/sys/health"
        method: 'GET'
-        tls_skip_verify: true  # Set to false in production for security
+        tls_skip_verify: true
        interval: '10s'
        timeout: '1s'
+profiles::consul::client::node_rules:
+  - resource: service
+    segment: vault
+    disposition: write
--- a/site/profiles/manifests/consul/client.pp
+++ b/site/profiles/manifests/consul/client.pp
@ -9,6 +9,7 @@ class profiles::consul::client (
  String               $members_role       = undef,
  Array                $consul_servers     = [],
  Stdlib::Absolutepath $data_dir           = '/opt/consul',
+  Array[Hash]          $node_rules         = [],
 ) {

  if $facts['enc_role'] != $members_role {
@ -42,6 +43,11 @@ class profiles::consul::client (
        'retry_join'     => $servers_array,
        'bind_addr'      => $::facts['networking']['ip'],
        'advertise_addr' => $::facts['networking']['ip'],
+        'acl'            => {
+          tokens => {
+            default => fqdn_uuid("${facts['networking']['fqdn']}-${secret_id_salt}")
+          }
+        }
      },
    }
  }
@ -49,18 +55,7 @@ class profiles::consul::client (
  # Create ACL policy that allows nodes to update themselves and read others
  consul_policy { $facts['networking']['hostname']:
    description   => "${facts['networking']['fqdn']} puppet-generated-policy",
-    rules         => [
-      {
-        'resource'    => 'node',
-        'segment'     => $facts['networking']['hostname'],
-        'disposition' => 'write'
-      },
-      {
-        'resource'    => 'node',
-        'segment'     => '',
-        'disposition' => 'read'
-      }
-    ],
+    rules         => $node_rules,
    acl_api_token => $consul_api_token,
    hostname      => $consul_hostname,
    protocol      => $consul_protocol,