Skip to content

Instantly share code, notes, and snippets.

@fboukezzoula

fboukezzoula/generate_consul_server_tokens.sh

Created March 26, 2023 19:59
Show Gist options
  • Save fboukezzoula/a4b6fd56c45fcca955724624deaea73e to your computer and use it in GitHub Desktop.
Save fboukezzoula/a4b6fd56c45fcca955724624deaea73e to your computer and use it in GitHub Desktop.
Download ZIP
Bootstrap ACLs
Raw
generate_consul_server_tokens.sh
#!/usr/bin/env bash
WORKDIR="/home/app/"
ASSETS="${WORKDIR}assets/"
# LOGS="${WORKDIR}logs/"
mkdir -p ${ASSETS}
export DATACENTER=${DATACENTER:-"dc1"}
export DOMAIN=${DOMAIN:-"consul"}
export CONSUL_DATA_DIR=${CONSUL_DATA_DIR:-"/etc/consul/data"}
export CONSUL_CONFIG_DIR=${CONSUL_CONFIG_DIR:-"/etc/consul/config"}
export CONSUL_HTTP_ADDR="https://consul${FQDN_SUFFIX}:8443"
export CONSUL_HTTP_SSL=true
export CONSUL_CACERT="${CONSUL_CONFIG_DIR}/consul-agent-ca.pem"
export CONSUL_TLS_SERVER_NAME="server.${DATACENTER}.${DOMAIN}"
export CONSUL_FQDN_ADDR="consul${FQDN_SUFFIX}"
export CONSUL_HTTP_TOKEN=`cat ./acl-token-bootstrap.json | jq -r ".SecretID"`
echo "Create ACL policies and tokens"
tee ${ASSETS}acl-policy-dns.hcl > /dev/null << EOF
## dns-request-policy.hcl
node_prefix "" {
policy = "read"
}
service_prefix "" {
policy = "read"
}
# only needed if using prepared queries
query_prefix "" {
policy = "read"
}
EOF
tee ${ASSETS}acl-policy-server-node.hcl > /dev/null << EOF
## consul-server-one-policy.hcl
node_prefix "consul" {
policy = "write"
}
EOF
consul acl policy create -name 'acl-policy-dns' -description 'Policy for DNS endpoints' -rules @${ASSETS}acl-policy-dns.hcl > /dev/null 2>&1
consul acl policy create -name 'acl-policy-server-node' -description 'Policy for Server nodes' -rules @${ASSETS}acl-policy-server-node.hcl > /dev/null 2>&1
consul acl token create -description 'DNS - Default token' -policy-name acl-policy-dns --format json > ${ASSETS}acl-token-dns.json 2> /dev/null
DNS_TOK=`cat ${ASSETS}acl-token-dns.json | jq -r ".SecretID"`
## Create one agent token per server
echo "Setup ACL tokens for Server"
consul acl token create -description "server agent token" -policy-name acl-policy-server-node --format json > ${ASSETS}server-acl-token.json 2> /dev/null
SERV_TOK=`cat ${ASSETS}server-acl-token.json | jq -r ".SecretID"`
consul acl set-agent-token agent ${SERV_TOK}
consul acl set-agent-token default ${DNS_TOK}
@fboukezzoula
Copy link
Author

  • Setup to interact with Consul
export CONSUL_HTTP_ADDR="https://consul:8443" \
export CONSUL_HTTP_SSL=true \
export CONSUL_CACERT="${CONSUL_CONFIG_DIR}/consul-agent-ca.pem" \
export CONSUL_TLS_SERVER_NAME="server.${DATACENTER}.${DOMAIN}" \
export CONSUL_FQDN_ADDR="consul

Bootstrap ACL system

consul acl bootstrap --format json > ./acl-token-bootstrap.json**
cat ./acl-token-bootstrap.json**

 {
    "CreateIndex": 22,
    "ModifyIndex": 22,
    "AccessorID": "4da16104-3d81-2a77-e188-fd7128be56e2",
    "SecretID": "f7df60c9-a40d-f27e-55f2-59b431d45f34",
    "Description": "Bootstrap Token (Global Management)",
    "Policies": [
        {
            "ID": "00000000-0000-0000-0000-000000000001",
            "Name": "global-management"
        }
    ],
    "Local": false,
    "CreateTime": "2023-03-26T19:22:28.163124566Z",
    "Hash": "X2AgaFhnQGRhSSF/h0m6qpX1wj/HJWbyXcxkEM/5GrY="
}
  • Extract the management token from the file and set it to the CONSUL_HTTP_TOKEN environment variable
export CONSUL_HTTP_TOKEN=`cat ./acl-token-bootstrap.json | jq -r ".SecretID"`

Create server tokens

  • Generate tokens for Consul server
./generate_consul_server_tokens.sh

Create ACL policies and tokens
Setup ACL tokens for Server
ACL token "agent" set successfully
ACL token "default" set successfully

Interact with Consul server

  • Use the Consul CLI to retrieve members in Consul datacenter
consul members

Node Address Status Type Build Protocol DC Partition Segment
consul 10.2.80.162:8301 alive server 1.12.4 2 dc1 default

Interact with Consul KV

  • Create a key named db_port with a value of 5432
consul kv put consul/configuration/db_port 5432

Success! Data written to: consul/configuration/db_port

  • Then, retrieve the value
consul kv get consul/configuration/db_port

5432

  • Interact with Consul DNS
dig @127.0.0.1 -p 8600 consul.service.consul

; <<>> DiG 9.16.33-Debian <<>> @127.0.0.1 -p 8600 consul.service.consul
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1685
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;consul.service.consul. IN A
;; ANSWER SECTION:
consul.service.consul. 0 IN A 10.2.80.162
;; Query time: 2 msec
;; SERVER: 127.0.0.1#8600(127.0.0.1)
;; WHEN: Sun Mar 26 19:31:14 UTC 2023
;; MSG SIZE rcvd: 66

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment