Skip to content

Consul Variables and Stuff (2015 11 20)

Jump to bottom Edit New page
Jorge Silva edited this page Jan 20, 2017 · 7 revisions

Here's a detailed account of all the values in Consul and Vault required for all environments:

Automation

There's a few playbooks that can help you manage consul and vault:

  • consul.yml deploys consul to api, web, and services
  • vault.yml deploys vault to services
  • consul-values.yml inserts a bunch of seed data into consul
    • write_values set to yes to actually write values
  • vault-values.yml inserts a bunch of seed data into vault
    • write_values set to yes to actually write values
    • write_root_creds set to yes to actually write root credentials for the AWS backend

Key/Values

  • node/env (e.g. production)
  • api/hostname (e.g. api.runnable.io)

Keys/Values, Software Versions

note: these are still key/value pairs, but separating them out for clarity

  • image-builder/version
  • docker-listener/version
  • filibuster/version
  • krain/version
  • sauron/version
  • charon/version

Secrets

  • secret/loggly
    • token=[token]
  • secret/rabbitmq
    • username=[username]
    • password=[password]
  • secret/github/hellorunnable
    • token=[github-token]
  • secret/swarm
    • token=[swarm-token]

Services

  • rabbitmq
  • redis
  • datadog
  • registry

Vault Backends (After running values)

  • New Vault Backends for new Environments
    • Need to be initialized with TLS disabled.
    • ssh <box-running-vault>
    • sudo docker exec -it $(sudo docker ps | grep 'vault' | awk '{print $1}') sh
    • vault init -address=http://127.0.0.1:8200
    • Record the output, it will be used for variables in devops-scripts
  • aws
    • Updpate the vault host
    > export VAULT_ADDR=http://127.0.0.1:8200

Successfully authenticated!

- Authenticate user

vault auth $AUTH_TOKEN // (Initial Root Token)

- mount the backend
```bash
vault mount aws
  • configure the root:
vault write aws/config/root \
  access_key=[access-key] \
  secret_key=[secret-key] \
  region=[region (e.g. us-west-2)]
  • configure the dock-init role
vault write aws/roles/dock-init \
  [email protected]
- `policy.json` can be found in the [dock-init repo](https://github.com/CodeNow/dock-init/blob/master/consul-resources/policy.json) (link may be out of date, but path should be correct)
  • can test this by doing vault read aws/creds/dock-init 
/ # vault write aws/roles/dock-init \
>   [email protected]
Success! Data written to: aws/roles/dock-init
/ # vault read aws/creds/dock-init
Key            	Value
lease_id       	aws/creds/dock-init/0eba123a-eef4-86ad-5181-0ba961c78145
lease_duration 	2592000
lease_renewable	true
access_key     	AKIAJ3PJBTH2FTIPOM4Q
secret_key     	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
security_token 	<nil>
Add a custom sidebar
Clone this wiki locally