From 0e2086f6f532b127981abc9c21adf23159bd1838 Mon Sep 17 00:00:00 2001 From: Graham Land Date: Fri, 21 Sep 2018 20:55:05 +0100 Subject: [PATCH 01/36] updated consul version and enabled connect --- .DS_Store | Bin 8196 -> 10244 bytes .admin-token | 2 +- .appRoleID | 2 +- .database-token | 2 +- .wrapped-provisioner-token | 2 +- conf/consul.d/consul.hcl | 3 ++ conf/master.redis.conf | 90 ------------------------------------- scripts/install_consul.sh | 8 ++-- scripts/install_nomad.sh | 4 +- 9 files changed, 13 insertions(+), 100 deletions(-) create mode 100644 conf/consul.d/consul.hcl delete mode 100644 conf/master.redis.conf diff --git a/.DS_Store b/.DS_Store index 21ab35c442e1bad6e4421f1e1e11a8cf2f258e1c..c42737f3f25935eb8502b8ecef2387a2d79a4a78 100644 GIT binary patch delta 561 zcmZp1XbF&DU|?W$DortDU{C-uIe-{M3-C-V6q~50$jG`eU^hP_>tr5*pY@r^Wd%t& z`AI+>`;rQBGK)(L4DJgEFfuW-u(GjpaB^|;@bd8s2nq=ciU^8|iU~=GN(xEK#0v-~ zB_?O57v-1cr8wv3QpO#jfS`vZ8js#hkT$G=a6Odn=S(2Hb7a0S# zz9co*GcPTF@&-ZCdJHuYk%>h`iFxU%PL;7aiAkwB{&`OMB_;W}5t%?|gPaPsBDf$i zIWsR^+5Q7Ch!F$C91PkF zjts#-b|FIp!*qtl4C@&VGMr<0%u?sQ- kWr09~8%Vf<6mBg1&ODi4C6I#=qMc!KJkQk4H^tbQ0V>H6j{pDw diff --git a/.admin-token b/.admin-token index 02e0ed4..c37b388 100644 --- a/.admin-token +++ b/.admin-token @@ -1 +1 @@ -41f2405a-e57c-a443-b255-ddb19755879d \ No newline at end of file +320cec82-84fe-0097-5e4a-64e01483ee09 \ No newline at end of file diff --git a/.appRoleID b/.appRoleID index feb36d2..8221a8e 100644 --- a/.appRoleID +++ b/.appRoleID @@ -1 +1 @@ -3c9f5cd0-ca67-eae6-603c-efcad7c8b51e \ No newline at end of file +3fff7597-9572-043f-856d-2e7d3b31351a \ No newline at end of file diff --git a/.database-token b/.database-token index b490146..fe3d009 100644 --- a/.database-token +++ b/.database-token @@ -1 +1 @@ -9e172705-fe89-1970-5416-43a19648ed95 \ No newline at end of file +71083f8c-0b9e-518a-4a87-3e7eefb39ba4 \ No newline at end of file 
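Review bot: `.admin-token`, `.appRoleID`, `.database-token` and `.wrapped-provisioner-token` are tracked files holding live Vault credentials, and this commit rotates them in place, so every value ever committed stays recoverable from git history by anyone with read access to the repository. Add the four files to `.gitignore`, purge them from history, and revoke each token that was committed; the provisioning scripts should read them from the bootstrap directory only at run time. The `.DS_Store` blob in the same commit is OS noise and belongs in `.gitignore` as well.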
diff --git a/.wrapped-provisioner-token b/.wrapped-provisioner-token
index c44d4c2..1c1ed09 100644
--- a/.wrapped-provisioner-token
+++ b/.wrapped-provisioner-token
@@ -1 +1 @@
-9880ce85-727a-675f-16b2-88132b672641
\ No newline at end of file
+09e4cad4-4ba7-3eda-8a47-741d174bbb76
\ No newline at end of file
diff --git a/conf/consul.d/consul.hcl b/conf/consul.d/consul.hcl
new file mode 100644
index 0000000..c4fa45a
--- /dev/null
+++ b/conf/consul.d/consul.hcl
@@ -0,0 +1,3 @@
+connect {
+ enabled = true
+}
\ No newline at end of file
diff --git a/conf/master.redis.conf b/conf/master.redis.conf
deleted file mode 100644
index 9d5c4e4..0000000
--- a/conf/master.redis.conf
+++ /dev/null
@@ -1,90 +0,0 @@ -daemonize yes - -pidfile /var/run/redis/redis-server.pid - -port 6379 - -tcp-backlog 511 - -timeout 0 - -tcp-keepalive 60 - -loglevel notice - -logfile /var/log/redis/redis-server.log - -databases 16 - -save 900 1 -save 300 10 -save 60 10000 - -stop-writes-on-bgsave-error yes - -rdbcompression yes - -rdbchecksum yes - -dbfilename dump.rdb - -dir /var/lib/redis - -slave-serve-stale-data yes - -slave-read-only yes - -repl-diskless-sync no - -repl-diskless-sync-delay 5 - -repl-disable-tcp-nodelay no - -slave-priority 100 - -appendonly yes - -# The name of the append only file (default: "appendonly.aof") - -appendfilename "appendonly.aof" - -appendfsync everysec - -no-appendfsync-on-rewrite no - -auto-aof-rewrite-percentage 100 -auto-aof-rewrite-min-size 64mb - -aof-load-truncated yes - -lua-time-limit 5000 - -slowlog-max-len 128 - -latency-monitor-threshold 0 - -notify-keyspace-events "" - -hash-max-ziplist-entries 512 -hash-max-ziplist-value 64 - -list-max-ziplist-entries 512 -list-max-ziplist-value 64 - -set-max-intset-entries 512 - -zset-max-ziplist-entries 128 -zset-max-ziplist-value 64 - -hll-sparse-max-bytes 3000 - -activerehashing yes - -client-output-buffer-limit normal 0 0 0 -client-output-buffer-limit slave 256mb 64mb 60 -client-output-buffer-limit pubsub 32mb 8mb 60 - -hz 10 - -aof-rewrite-incremental-fsync yes -maxmemory-policy noeviction diff --git a/scripts/install_consul.sh b/scripts/install_consul.sh index 82acbdf..50d7c02 100755 --- a/scripts/install_consul.sh +++ b/scripts/install_consul.sh 
@@ -27,10 +27,10 @@ which ${PKG} &>/dev/null || {
 # check consul binary
 [ -f /usr/local/bin/consul ] &>/dev/null || {
 pushd /usr/local/bin
- [ -f consul_1.2.2_linux_amd64.zip ] || {
- sudo wget https://releases.hashicorp.com/consul/1.2.2/consul_1.2.2_linux_amd64.zip
+ [ -f consul_1.2.3_linux_amd64.zip ] || {
+ sudo wget https://releases.hashicorp.com/consul/1.2.3/consul_1.2.3_linux_amd64.zip
 }
- sudo unzip consul_1.2.2_linux_amd64.zip
+ sudo unzip consul_1.2.3_linux_amd64.zip
 sudo chmod +x consul
 popd
 }
@@ -81,7 +81,7 @@ if [[ "${HOSTNAME}" =~ "leader" ]] || [ "${TRAVIS}" == "true" ]; then
 fi
 /usr/local/bin/consul members 2>/dev/null || {
-
+ sudo cp -r /usr/local/bootstrap/conf/consul.d/* /etc/consul.d/.
 sudo /usr/local/bin/consul agent -server -ui -client=0.0.0.0 -bind=${IP} ${AGENT_CONFIG} -data-dir=/usr/local/consul -bootstrap-expect=1 >${LOG} &
 sleep 5
diff --git a/scripts/install_nomad.sh b/scripts/install_nomad.sh
index 13068b1..ff074a6 100644
--- a/scripts/install_nomad.sh
+++ b/scripts/install_nomad.sh
@@ -20,8 +20,8 @@ which wget unzip &>/dev/null || {
 which nomad &>/dev/null || {
 pushd /usr/local/bin
- wget https://releases.hashicorp.com/nomad/0.8.4/nomad_0.8.4_linux_amd64.zip
- unzip nomad_0.8.4_linux_amd64.zip
+ wget https://releases.hashicorp.com/nomad/0.8.5/nomad_0.8.5_linux_amd64.zip
+ unzip nomad_0.8.5_linux_amd64.zip
 chmod +x nomad
 popd
 }
From e5ee8fed5855aa9db8dbc94da7daf305ec2c0a08 Mon Sep 17 00:00:00 2001
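Review bot: The added `sudo cp -r /usr/local/bootstrap/conf/consul.d/* /etc/consul.d/.` enables Connect on an agent that the following line still starts with `-client=0.0.0.0` and no ACL, TLS or gossip-encryption flags visible here, so the HTTP API — which with Connect on also mints leaf certificates and accepts intention changes — is reachable unauthenticated from anything that can route to `${IP}`. Bind the API to loopback with `-client=127.0.0.1`, or enable ACLs in default-deny mode, before turning Connect on. The first hunk fetches the release with `sudo wget` and no integrity check; verify the zip against HashiCorp's published `SHA256SUMS` with `sha256sum -c` before `unzip`. The `consul members ... || {` block continues outside the hunk.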
From: Graham Land Date: Fri, 21 Sep 2018 21:06:43 +0100 Subject: [PATCH 02/36] removed obsolete files --- .admin-token | 1 - .appRoleID | 1 - .database-token | 1 - .wrapped-provisioner-token | 1 - conf/consul.d/goapp.json | 14 -------------- conf/consul.d/redis.json | 22 ---------------------- conf/consul.d/redisSlave.json | 17 ----------------- conf/consul.d/webtier.json | 22 ---------------------- 8 files changed, 79 deletions(-) delete mode 100644 conf/consul.d/goapp.json delete mode 100644 conf/consul.d/redis.json delete mode 100644 conf/consul.d/redisSlave.json delete mode 100644 conf/consul.d/webtier.json diff --git a/.admin-token b/.admin-token index c37b388..e69de29 100644 --- a/.admin-token +++ b/.admin-token @@ -1 +0,0 @@ -320cec82-84fe-0097-5e4a-64e01483ee09 \ No newline at end of file diff --git a/.appRoleID b/.appRoleID index 8221a8e..e69de29 100644 --- a/.appRoleID +++ b/.appRoleID @@ -1 +0,0 @@ -3fff7597-9572-043f-856d-2e7d3b31351a \ No newline at end of file diff --git a/.database-token b/.database-token index fe3d009..e69de29 100644 --- a/.database-token +++ b/.database-token @@ -1 +0,0 @@ -71083f8c-0b9e-518a-4a87-3e7eefb39ba4 \ No newline at end of file diff --git a/.wrapped-provisioner-token b/.wrapped-provisioner-token index 1c1ed09..e69de29 100644 --- a/.wrapped-provisioner-token +++ b/.wrapped-provisioner-token @@ -1 +0,0 @@ -09e4cad4-4ba7-3eda-8a47-741d174bbb76 \ No newline at end of file diff --git a/conf/consul.d/goapp.json b/conf/consul.d/goapp.json deleted file mode 100644 index b1f5ca7..0000000 --- a/conf/consul.d/goapp.json +++ /dev/null @@ -1,14 +0,0 @@ -{ - "service": { - "name": "PUT_SERVICE_NAME_HERE", - "tags": [], - "address": "", - "meta": { - "meta": "The GoApp Service" - }, - "port": "REPLACE_WITH_PORT", - "enable_tag_override": false, - "checks": [ - ] - } - } \ No newline at end of file diff --git a/conf/consul.d/redis.json b/conf/consul.d/redis.json deleted file mode 100644 index 0a76f52..0000000 
--- a/conf/consul.d/redis.json +++ /dev/null @@ -1,22 +0,0 @@ -{ - "service": { - "name": "redis", - "tags": ["primary"], - "address": "", - "meta": { - "meta": "The Redis Service" - }, - "port": 6379, - "enable_tag_override": false, - "checks": [ - { - "args": ["/usr/local/bootstrap/scripts/consul_redis_ping.sh"], - "interval": "10s" - }, - { - "args": ["/usr/local/bootstrap/scripts/consul_redis_verify.sh"], - "interval": "10s" - } - ] - } - } \ No newline at end of file diff --git a/conf/consul.d/redisSlave.json b/conf/consul.d/redisSlave.json deleted file mode 100644 index 6c07d3f..0000000 --- a/conf/consul.d/redisSlave.json +++ /dev/null @@ -1,17 +0,0 @@ -{ - "service": { - "name": "redisSlave", - "tags": ["slave"], - "address": "", - "meta": { - "meta": "The Redis Slave Service" - }, - "port": 6379, - "enable_tag_override": false, - "check": - { - "args": ["/usr/local/bootstrap/scripts/consul_redis_ping.sh"], - "interval": "10s" - } - } - } \ No newline at end of file diff --git a/conf/consul.d/webtier.json b/conf/consul.d/webtier.json deleted file mode 100644 index 113ed6f..0000000 --- a/conf/consul.d/webtier.json +++ /dev/null @@ -1,22 +0,0 @@ -{ - "service": { - "name": "frontend", - "tags": ["elb"], - "address": "", - "meta": { - "meta": "The Traditional Load Balancer" - }, - "port": 9090, - "enable_tag_override": false, - "check": - { - "id": "api", - "name": "HTTP API on port 9090", - "http": "http://192.168.2.250:9090/health", - "tls_skip_verify": true, - "method": "GET", - "interval": "10s", - "timeout": "1s" - } - } - } \ No newline at end of file From 75054e386ee7a59f1d1d2c3a12bc34bb8fe6fa9a Mon Sep 17 00:00:00 2001 From: Graham Land Date: Fri, 21 Sep 2018 21:28:11 +0100 Subject: [PATCH 03/36] travis timing issues - changing default ip to 127.0.0.1 --- .admin-token | 1 + .appRoleID | 1 + .database-token | 1 + .wrapped-provisioner-token | 1 + main.go | 2 +- 5 files changed, 5 insertions(+), 1 deletion(-) 
diff --git a/.admin-token b/.admin-token
index e69de29..29aa9ec 100644
--- a/.admin-token
+++ b/.admin-token
@@ -0,0 +1 @@
+a48bb7ec-cfb4-eb60-7c0e-a47aa1497d78
\ No newline at end of file
diff --git a/.appRoleID b/.appRoleID
index e69de29..8aefe17 100644
--- a/.appRoleID
+++ b/.appRoleID
@@ -0,0 +1 @@
+e66b4460-54f5-f308-e2c4-4829904488ee
\ No newline at end of file
diff --git a/.database-token b/.database-token
index e69de29..cd4aa7c 100644
--- a/.database-token
+++ b/.database-token
@@ -0,0 +1 @@
+4e00d576-bbf3-c940-0ede-e94ac73a8f46
\ No newline at end of file
diff --git a/.wrapped-provisioner-token b/.wrapped-provisioner-token
index e69de29..2955763 100644
--- a/.wrapped-provisioner-token
+++ b/.wrapped-provisioner-token
@@ -0,0 +1 @@
+00996c55-775a-b2a0-822b-a381bd66dfb1
\ No newline at end of file
diff --git a/main.go b/main.go
index 1b938b6..6d9c41b 100644
--- a/main.go
+++ b/main.go
@@ -37,7 +37,7 @@ func main() {
 // set the port that the goapp will listen on - defaults to 8080
 portPtr := flag.Int("port", 8080, "Default's to port 8080. Use -port=nnnn to use listen on an alternate port.")
- ipPtr := flag.String("ip", "0.0.0.0", "Default's to all interfaces by using 0.0.0.0")
+ ipPtr := flag.String("ip", "127.0.0.1", "Default's to all interfaces by using 127.0.0.1")
 factoryIPPtr = flag.String("bootstrapip", "127.0.0.1", "Default's to factory service installed on 127.0.0.1")
 appRolePtr = flag.String("appRole", "id-factory", "Application Role Name to be used to bootstrap access to Vault's secrets")
 templatePtr := flag.String("templates", "templates/*.html", "Default's to templates/*.html -templates=????")
From 245aee9fcb6511bd4ab307f6857758586c963359 Mon Sep 17 00:00:00 2001
From: Graham Land
Date: Fri, 21 Sep 2018 21:50:17 +0100
Subject: [PATCH 04/36] wip
---
 conf/consul.d/redis.json | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 create mode 100644 conf/consul.d/redis.json
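Review bot: The flag help on the changed line now reads `Default's to all interfaces by using 127.0.0.1`, which contradicts the new default: 127.0.0.1 is loopback only, so the server no longer listens on all interfaces. Change the description to `Defaults to loopback only (127.0.0.1). Use -ip=0.0.0.0 to listen on all interfaces.` Listening on loopback by default is the safer choice, so the commit message should record that this is the intended behaviour rather than only a Travis timing workaround. `main()` continues outside the hunk.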
diff --git a/conf/consul.d/redis.json b/conf/consul.d/redis.json new file mode 100644 index 0000000..e69de29 From 032887e9664f069020e9c5d7900dbc77f84f85e9 Mon Sep 17 00:00:00 2001 From: Graham Land Date: Fri, 21 Sep 2018 21:51:09 +0100 Subject: [PATCH 05/36] wp --- conf/consul.d/redis.json | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/conf/consul.d/redis.json b/conf/consul.d/redis.json index e69de29..d1e5d4c 100644 --- a/conf/consul.d/redis.json +++ b/conf/consul.d/redis.json @@ -0,0 +1,22 @@ +{ + "service": { + "name": "redis", + "tags": ["primary"], + "address": "", + "meta": { + "meta": "The Redis Service" + }, + "port": 6379, + "enable_tag_override": false, + "checks": [ + { + "args": ["/usr/local/bootstrap/scripts/consul_redis_ping.sh"], + "interval": "10s" + }, + { + "args": ["/usr/local/bootstrap/scripts/consul_redis_verify.sh"], + "interval": "10s" + } + ] + } +} \ No newline at end of file From c74f99dc668cbf0145f02b80a15b763858afc58a Mon Sep 17 00:00:00 2001 From: Graham Land Date: Fri, 21 Sep 2018 22:27:37 +0100 Subject: [PATCH 06/36] register service with consul via api --- conf/consul.d/redis.json | 22 ---- scripts/install_redis.sh | 49 ++++++++- scripts/vault_basic_role_config.sh | 165 ----------------------------- 3 files changed, 46 insertions(+), 190 deletions(-) delete mode 100644 conf/consul.d/redis.json delete mode 100644 scripts/vault_basic_role_config.sh diff --git a/conf/consul.d/redis.json b/conf/consul.d/redis.json deleted file mode 100644 index d1e5d4c..0000000 --- a/conf/consul.d/redis.json +++ /dev/null 
@@ -1,22 +0,0 @@ -{ - "service": { - "name": "redis", - "tags": ["primary"], - "address": "", - "meta": { - "meta": "The Redis Service" - }, - "port": 6379, - "enable_tag_override": false, - "checks": [ - { - "args": ["/usr/local/bootstrap/scripts/consul_redis_ping.sh"], - "interval": "10s" - }, - { - "args": ["/usr/local/bootstrap/scripts/consul_redis_verify.sh"], - "interval": "10s" - } - ] - } -} \ No newline at end of file diff --git a/scripts/install_redis.sh b/scripts/install_redis.sh index 06e9c02..665d006 100755 --- a/scripts/install_redis.sh +++ b/scripts/install_redis.sh @@ -3,6 +3,50 @@ set -x source /usr/local/bootstrap/var.env +IP=${LEADER_IP} + +if [ "${TRAVIS}" == "true" ]; then + IP="127.0.0.1" +fi + +register_redis_service_with_consul () { + + echo 'Start to register service with Consul Service Discovery' + + # configure Audit Backend + tee redis_service.json < /usr/local/bootstrap/.admin-token - -sudo chmod ugo+r /usr/local/bootstrap/.admin-token - - -# provisioner policy hcl definition file -tee provisioner_policy.hcl < /usr/local/bootstrap/.wrapped-provisioner-token - -sudo chmod ugo+r /usr/local/bootstrap/.wrapped-provisioner-token - -# # revoke ROOT token now that admin token has been created -# ROOT_TOKEN=`cat /usr/local/bootstrap/.vault-token` -# VAULT_ADDR="http://${IP}:8200" vault token revoke ${ROOT_TOKEN} - -# # Verify root token revoked -# VAULT_ADDR="http://${IP}:8200" vault status - -# # Set new admin vault token & verify -# export VAULT_TOKEN=${ADMIN_TOKEN} -VAULT_ADDR="http://${IP}:8200" vault status - -echo 'Finished Vault Role/Policy Configuration' From d51b812dd8e1a167c1ce9ff31f230e178539c429 Mon Sep 17 00:00:00 2001 
From: Graham Land Date: Fri, 21 Sep 2018 22:47:37 +0100 Subject: [PATCH 07/36] use same redis build --- .admin-token | 2 +- .appRoleID | 2 +- .database-token | 2 +- .travis.yml | 2 +- .wrapped-provisioner-token | 2 +- scripts/install_redis.sh | 34 ++++++++++++++-------------------- scripts/travis_run_go_app.sh | 1 + 7 files changed, 20 insertions(+), 25 deletions(-) diff --git a/.admin-token b/.admin-token index 29aa9ec..629b954 100644 --- a/.admin-token +++ b/.admin-token @@ -1 +1 @@ -a48bb7ec-cfb4-eb60-7c0e-a47aa1497d78 \ No newline at end of file +cc88d491-c179-2b54-beef-d4c3dc19c265 \ No newline at end of file diff --git a/.appRoleID b/.appRoleID index 8aefe17..6c214d2 100644 --- a/.appRoleID +++ b/.appRoleID @@ -1 +1 @@ -e66b4460-54f5-f308-e2c4-4829904488ee \ No newline at end of file +5138b0b4-0279-d319-06b6-46a7dfe0736f \ No newline at end of file diff --git a/.database-token b/.database-token index cd4aa7c..721ad27 100644 --- a/.database-token +++ b/.database-token @@ -1 +1 @@ -4e00d576-bbf3-c940-0ede-e94ac73a8f46 \ No newline at end of file +e556b73d-3a01-2b6e-acc2-667c065ad1eb \ No newline at end of file diff --git a/.travis.yml b/.travis.yml index 8d6898a..8dd9df0 100644 --- a/.travis.yml +++ b/.travis.yml @@ -3,7 +3,6 @@ sudo: required addons: apt: packages: - - redis-server - lynx - jq - wget @@ -17,6 +16,7 @@ before_script: - popd - bash scripts/install_consul.sh - bash scripts/install_vault_v2.sh +- bash scripts/install_redis.sh - bash scripts/install_SecretID_Factory.sh - sudo cp /home/travis/.vault-token /usr/local/bootstrap/.vault-token # - sudo cp /home/travis/.database-token /usr/local/bootstrap/.database-token diff --git a/.wrapped-provisioner-token b/.wrapped-provisioner-token index 2955763..21ee76b 100644 --- a/.wrapped-provisioner-token +++ b/.wrapped-provisioner-token @@ -1 +1 @@ -00996c55-775a-b2a0-822b-a381bd66dfb1 \ No newline at end of file +fa20c927-ba28-8d26-35b5-8f22da175c27 \ No newline at end of file 
diff --git a/scripts/install_redis.sh b/scripts/install_redis.sh index 665d006..f0c82fe 100755 --- a/scripts/install_redis.sh +++ b/scripts/install_redis.sh @@ -3,10 +3,8 @@ set -x source /usr/local/bootstrap/var.env -IP=${LEADER_IP} - if [ "${TRAVIS}" == "true" ]; then - IP="127.0.0.1" + LEADER_IP="127.0.0.1" fi register_redis_service_with_consul () { @@ -16,16 +14,19 @@ register_redis_service_with_consul () { # configure Audit Backend tee redis_service.json </dev/null || { sudo apt-get update sudo apt-get install -y jq } -touch /var/vagrant_redis echo "${REDIS_MASTER_IP} ${REDIS_MASTER_NAME}" >> /etc/hosts sudo VAULT_TOKEN=`cat /usr/local/bootstrap/.database-token` VAULT_ADDR="http://${LEADER_IP}:8200" consul-template -template "/usr/local/bootstrap/conf/master.redis.ctpl:/etc/redis/redis.conf" -once diff --git a/scripts/travis_run_go_app.sh b/scripts/travis_run_go_app.sh index 1cd6652..5309b1a 100755 --- a/scripts/travis_run_go_app.sh +++ b/scripts/travis_run_go_app.sh @@ -3,6 +3,7 @@ # delayed added to ensure consul has started on host - intermittent failures sleep 5 + go get ./... go build -o webcounter main.go ./webcounter & From 2714275fdce7c56a6c8b2b9ff4e3314ce074201a Mon Sep 17 00:00:00 2001 From: Graham Land Date: Fri, 21 Sep 2018 23:40:46 +0100 Subject: [PATCH 08/36] t2 --- scripts/.bananas.sh.swp | Bin 0 -> 12288 bytes scripts/install_redis.sh | 15 ++++++++++----- scripts/redis_service.json | 22 ++++++++++++++++++++++ 3 files changed, 32 insertions(+), 5 deletions(-) create mode 100644 scripts/.bananas.sh.swp create mode 100644 scripts/redis_service.json 
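Review bot: The `go get ./...` added before the build resolves every dependency to whatever its upstream default branch is at the moment the CI job runs, with no pin, lock or checksum, so the artifact is neither reproducible nor protected against a changed or compromised upstream. Commit the dependencies (a vendor directory, or Go modules with a `go.sum` that `go build` then verifies) instead of fetching them at build time. `travis_run_go_app.sh` continues outside the hunk.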
diff --git a/scripts/.bananas.sh.swp b/scripts/.bananas.sh.swp new file mode 100644 index 0000000000000000000000000000000000000000..ec07681eb9cc870b64a4eec2406bb5ae51ae0593 GIT binary patch literal 12288 zcmeI2O>5LZ7{{kVL9Ml-CqZGFf-hh;iMH039@MHJqAgmzSXpMX)7{u?vd&DRMT+3v zi=cjjUi1TqCq=yZ_60nN-UPu<;6IzB-4?Ayyi}f9ew$?S%+qIn$sCqW&AoR1A|I^` zGqhcdjmAsYpW?K4KVvG6P1gOV))LxCrDQ$OuD4FGlZu8Ck#V%Ig0|64O+@(Uif*nm zif)ksGVpH<^s{3}JvYlWWDW8?yRZJ6w3LMmkO4A42FL&zAOmE843L3MVZgL|*gaIb zrKonKIQFbL7MFA&17v^Cu5(%NAMcF088KzNI?r+0As)gpZghm1D=Ct zU=~aO7aRZ_>;rqjF3=0U??9d4F?ay(gBdUl`avJq4z_`<;49|z0lWv<{N4g;WPl8i z0Wv@a$N(8217zU;F`$!r%;$qJ6k*71kNa_?laMLd2(m4@)y^K>s+KAZd|AC6m}a#I zfrCZH(WKvu`N7M@2wueUES67p((x<#cz!0(ew<3RfE%rLD2+UrrN}^Q8q*$k9Pj98 z#l^=PKQZFEPU<6k+*a zGE(wiygU;V<@+#{t*g19ktoSeCH27Y)54#Z5q?T@w0s3!F+v$`Vx-C!-^P|wX9e*M rtXO{NFw8I=C(4)nm#gKl0E*mwUEZ6IgX literal 0 HcmV?d00001 diff --git a/scripts/install_redis.sh b/scripts/install_redis.sh index f0c82fe..dc34c11 100755 --- a/scripts/install_redis.sh +++ b/scripts/install_redis.sh @@ -26,7 +26,7 @@ register_redis_service_with_consul () { "redis_version": "4.0" }, "EnableTagOverride": false, - "checks": [ + "Checks": [ { "args": ["/usr/local/bootstrap/scripts/consul_redis_ping.sh"], "interval": "10s" 
@@ -40,20 +40,25 @@ register_redis_service_with_consul () { EOF curl \ + -v \ --request PUT \ --data @redis_service.json \ http://127.0.0.1:8500/v1/agent/service/register + + curl \ + -v \ + http://127.0.0.1:8500/v1/agent/services echo 'Register service with Consul Service Discovery Complete' } -# install this package in base image in the future +#install this package in base image in the future which jq &>/dev/null || { - sudo apt-get update - sudo apt-get install -y jq + sudo apt-get update + sudo apt-get install -y jq } -echo "${REDIS_MASTER_IP} ${REDIS_MASTER_NAME}" >> /etc/hosts +sudo echo "${REDIS_MASTER_IP} ${REDIS_MASTER_NAME}" >> /etc/hosts sudo VAULT_TOKEN=`cat /usr/local/bootstrap/.database-token` VAULT_ADDR="http://${LEADER_IP}:8200" consul-template -template "/usr/local/bootstrap/conf/master.redis.ctpl:/etc/redis/redis.conf" -once sudo chown redis:redis /etc/redis/redis.conf diff --git a/scripts/redis_service.json b/scripts/redis_service.json new file mode 100644 index 0000000..6d1ed90 --- /dev/null +++ b/scripts/redis_service.json @@ -0,0 +1,22 @@ + { + "Name": "redis", + "Tags": [ + "primary", + "v1" + ], + "Port": 6379, + "Meta": { + "redis_version": "4.0" + }, + "EnableTagOverride": false, + "Checks": [ + { + "args": ["/usr/local/bootstrap/scripts/consul_redis_ping.sh"], + "interval": "10s" + }, + { + "args": ["/usr/local/bootstrap/scripts/consul_redis_verify.sh"], + "interval": "10s" + } + ] + } From d8ef5cfbc9cbbe9d73c96e8f54f75d7cd7ff1c0d Mon Sep 17 00:00:00 2001 From: Graham Land Date: Fri, 21 Sep 2018 23:57:02 +0100 Subject: [PATCH 09/36] t2 --- .admin-token | 2 +- .appRoleID | 2 +- .database-token | 2 +- .wrapped-provisioner-token | 2 +- scripts/.bananas.sh.swp | Bin 12288 -> 0 bytes scripts/install_vault_v2.sh | 3 +-- 6 files changed, 5 insertions(+), 6 deletions(-) delete mode 100644 scripts/.bananas.sh.swp diff --git a/.admin-token b/.admin-token index 629b954..8e91d46 100644 --- a/.admin-token +++ b/.admin-token 
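Review bot: `sudo echo "${REDIS_MASTER_IP} ${REDIS_MASTER_NAME}" >> /etc/hosts` still fails when the script is not already root: the `>>` redirection is opened by the calling shell before `sudo` runs, so only `echo` is elevated. Use `echo "${REDIS_MASTER_IP} ${REDIS_MASTER_NAME}" | sudo tee -a /etc/hosts >/dev/null`. The two `curl -v` calls have no `--fail`, so a 4xx/5xx from the agent (for instance a rejected script check) is printed and ignored while the script goes on to report success; add `--fail -sS` and check the exit status. The script runs under `set -x` (the hunk header of the earlier `install_redis.sh` hunks shows it), so the context line that interpolates `cat /usr/local/bootstrap/.database-token` into an environment assignment echoes the token into the trace as well.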
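Review bot: `scripts/redis_service.json` is the file that `tee redis_service.json` writes at run time, so committing it adds a generated artifact that will drift from the heredoc it is rendered from; add it to `.gitignore` or write it to a `mktemp` path instead. Its `Checks` use `args`, i.e. Consul script checks, which the agent only accepts when started with script checks enabled; because the agent in this repo is started with `-client=0.0.0.0`, enabling `enable_script_checks` globally would let any client that can reach the HTTP API register arbitrary commands to run as the consul user. Prefer `enable_local_script_checks` where the pinned Consul version supports it, and otherwise bind the API to loopback first.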
@@ -1 +1 @@ -cc88d491-c179-2b54-beef-d4c3dc19c265 \ No newline at end of file +f7c91abc-4363-009d-b4dc-042d748ea55a \ No newline at end of file diff --git a/.appRoleID b/.appRoleID index 6c214d2..1fee0d3 100644 --- a/.appRoleID +++ b/.appRoleID @@ -1 +1 @@ -5138b0b4-0279-d319-06b6-46a7dfe0736f \ No newline at end of file +06f7128b-dea0-3ac4-87f3-8a2dba162b09 \ No newline at end of file diff --git a/.database-token b/.database-token index 721ad27..68557a0 100644 --- a/.database-token +++ b/.database-token @@ -1 +1 @@ -e556b73d-3a01-2b6e-acc2-667c065ad1eb \ No newline at end of file +8baea52d-db7c-ba60-f34e-af47163f0fe2 \ No newline at end of file diff --git a/.wrapped-provisioner-token b/.wrapped-provisioner-token index 21ee76b..6a189a6 100644 --- a/.wrapped-provisioner-token +++ b/.wrapped-provisioner-token @@ -1 +1 @@ -fa20c927-ba28-8d26-35b5-8f22da175c27 \ No newline at end of file +802684fd-da02-656b-2960-d19111a67f2c \ No newline at end of file diff --git a/scripts/.bananas.sh.swp b/scripts/.bananas.sh.swp deleted file mode 100644 index ec07681eb9cc870b64a4eec2406bb5ae51ae0593..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 12288 zcmeI2O>5LZ7{{kVL9Ml-CqZGFf-hh;iMH039@MHJqAgmzSXpMX)7{u?vd&DRMT+3v zi=cjjUi1TqCq=yZ_60nN-UPu<;6IzB-4?Ayyi}f9ew$?S%+qIn$sCqW&AoR1A|I^` zGqhcdjmAsYpW?K4KVvG6P1gOV))LxCrDQ$OuD4FGlZu8Ck#V%Ig0|64O+@(Uif*nm zif)ksGVpH<^s{3}JvYlWWDW8?yRZJ6w3LMmkO4A42FL&zAOmE843L3MVZgL|*gaIb zrKonKIQFbL7MFA&17v^Cu5(%NAMcF088KzNI?r+0As)gpZghm1D=Ct zU=~aO7aRZ_>;rqjF3=0U??9d4F?ay(gBdUl`avJq4z_`<;49|z0lWv<{N4g;WPl8i z0Wv@a$N(8217zU;F`$!r%;$qJ6k*71kNa_?laMLd2(m4@)y^K>s+KAZd|AC6m}a#I zfrCZH(WKvu`N7M@2wueUES67p((x<#cz!0(ew<3RfE%rLD2+UrrN}^Q8q*$k9Pj98 z#l^=PKQZFEPU<6k+*a zGE(wiygU;V<@+#{t*g19ktoSeCH27Y)54#Z5q?T@w0s3!F+v$`Vx-C!-^P|wX9e*M rtXO{NFw8I=C(4)nm#gKl0E*mwUEZ6IgX diff --git a/scripts/install_vault_v2.sh b/scripts/install_vault_v2.sh index 9d8b21f..11e4778 100755 --- a/scripts/install_vault_v2.sh 
+++ b/scripts/install_vault_v2.sh @@ -10,11 +10,9 @@ setup_environment () { if [ -d /vagrant ]; then LOG="/vagrant/logs/vault_${HOSTNAME}.log" AUDIT_LOG="/vagrant/logs/vault_audit_${HOSTNAME}.log" - REDIS_MASTER_PASSWORD=`openssl rand -base64 32` else LOG="vault.log" AUDIT_LOG="vault_audit.log" - REDIS_MASTER_PASSWORD="" fi if [ "${TRAVIS}" == "true" ]; then @@ -351,6 +349,7 @@ get_approle_id () { set_test_secret_data () { echo 'Set SECRET Test data in VAULT' + REDIS_MASTER_PASSWORD=`openssl rand -base64 32` # Put Redis Password in Vault sudo VAULT_ADDR="http://${IP}:8200" vault login ${ADMIN_TOKEN} sudo VAULT_ADDR="http://${IP}:8200" vault policy list From 3cbc31bd44c8ecdd8be0d1ac01130fdaf7be5729 Mon Sep 17 00:00:00 2001 From: Graham Land Date: Sat, 22 Sep 2018 00:06:29 +0100 Subject: [PATCH 10/36] travis systemd issue --- scripts/install_redis.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/install_redis.sh b/scripts/install_redis.sh index dc34c11..e1b83a9 100755 --- a/scripts/install_redis.sh +++ b/scripts/install_redis.sh @@ -65,7 +65,7 @@ sudo chown redis:redis /etc/redis/redis.conf sudo chmod 640 /etc/redis/redis.conf # restart redis, register the service with consul and restart consul agent -sudo systemctl restart redis-server +sudo service redis-server restart register_redis_service_with_consul sudo killall -1 consul From 3c4f86cccbddd5174c72b2896d85d18fdf16539a Mon Sep 17 00:00:00 2001 From: Graham Land Date: Sat, 22 Sep 2018 00:09:36 +0100 Subject: [PATCH 11/36] t4 --- scripts/install_redis.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/install_redis.sh b/scripts/install_redis.sh index e1b83a9..daa1319 100755 --- a/scripts/install_redis.sh +++ b/scripts/install_redis.sh 
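Review bot: The admin token is still passed on the command line on the context line right after the new password generation (`vault login ${ADMIN_TOKEN}`), which exposes it in `ps` to every local user and in any `set -x` trace; the freshly generated `REDIS_MASTER_PASSWORD` has the same exposure if it is later handed to `vault kv put` as `value=${REDIS_MASTER_PASSWORD}`, which this hunk does not show. Prefer `VAULT_TOKEN=${ADMIN_TOKEN} vault ...` (or `vault login -` with the token on stdin) and write the secret with `value=-` fed from stdin. Moving the `openssl rand -base64 32` call into the function does remove the empty-password path the old non-vagrant branch set, which is the right direction. `set_test_secret_data` continues outside the hunk.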
@@ -67,6 +67,6 @@ sudo chmod 640 /etc/redis/redis.conf
 # restart redis, register the service with consul and restart consul agent
 sudo service redis-server restart
 register_redis_service_with_consul
-sudo killall -1 consul
+#sudo killall -1 consul
From 079a5027acc01d1c7c6849ffaee9822849fcf5c2 Mon Sep 17 00:00:00 2001
From: Graham Land
Date: Sat, 22 Sep 2018 00:29:55 +0100
Subject: [PATCH 12/36] register as both catalog and service
---
 scripts/install_redis.sh | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)
diff --git a/scripts/install_redis.sh b/scripts/install_redis.sh
index daa1319..5fe6d3d 100755
--- a/scripts/install_redis.sh
+++ b/scripts/install_redis.sh
@@ -3,6 +3,15 @@ set -x
 source /usr/local/bootstrap/var.env
+echo 'Start Setup of Vault Environment'
+IFACE=`route -n | awk '$1 == "192.168.2.0" {print $8}'`
+CIDR=`ip addr show ${IFACE} | awk '$2 ~ "192.168.2" {print $2}'`
+IP=${CIDR%%/24}
+
+if [ "${TRAVIS}" == "true" ]; then
+ IP="127.0.0.1"
+fi
+
 if [ "${TRAVIS}" == "true" ]; then
 LEADER_IP="127.0.0.1"
 fi
@@ -20,7 +29,7 @@ register_redis_service_with_consul () {
 "primary",
 "v1"
 ],
- "Address": "127.0.0.1",
+ "Address": "${IP}",
 "Port": 6379,
 "Meta": {
 "redis_version": "4.0"
@@ -45,6 +54,12 @@ EOF
 --data @redis_service.json \
 http://127.0.0.1:8500/v1/agent/service/register
+ curl \
+ -v \
+ --request PUT \
+ --data @redis_service.json \
+ http://127.0.0.1:8500/v1/agent/catalog/register
+
 curl \
 -v \
 http://127.0.0.1:8500/v1/agent/services
From 7584dc7c43a8453296f6a35a0062318e9b1d2844 Mon Sep 17 00:00:00 2001
From: Graham Land
Date: Sat, 22 Sep 2018 00:34:30 +0100
Subject: [PATCH 13/36] t10
---
 scripts/install_redis.sh | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/scripts/install_redis.sh b/scripts/install_redis.sh
index 5fe6d3d..5b8fb55 100755
--- a/scripts/install_redis.sh
+++ b/scripts/install_redis.sh
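Review bot: `IP=${CIDR%%/24}` strips the suffix only when the mask is literally `/24`; on any other prefix length `IP` keeps its `/nn` and the `Address` registered with Consul is not an IP address — use `IP=${CIDR%%/*}`, and move the hard-coded `192.168.2.0`/`192.168.2` network out of the `route`/`awk` lookup into `var.env` next to `LEADER_IP`. The `if [ "${TRAVIS}" == "true" ]` block is now written twice back to back; merge them into one block that sets both `IP` and `LEADER_IP`, and replace the `echo 'Start Setup of Vault Environment'` banner copied from the Vault script. `/v1/agent/catalog/register` is not a Consul endpoint: catalog registration is `/v1/catalog/register` on a server and takes a different payload (`Node`, `Address`, `Service`), so this PUT will 404 and, with `curl -v` and no `--fail`, the script will not notice.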
@@ -58,11 +58,15 @@ EOF -v \ --request PUT \ --data @redis_service.json \ - http://127.0.0.1:8500/v1/agent/catalog/register + http://${LEADER_IP}:8500/v1/catalog/register curl \ -v \ http://127.0.0.1:8500/v1/agent/services + + curl \ + -v \ + http://${LEADER_IP}:8500/v1/catalog/services echo 'Register service with Consul Service Discovery Complete' } From e7f29673f692663ac33d8a4eb97fc5852938f7d0 Mon Sep 17 00:00:00 2001 From: Graham Land Date: Sat, 22 Sep 2018 00:53:59 +0100 Subject: [PATCH 14/36] remove catalog registration --- .admin-token | 2 +- .appRoleID | 2 +- .database-token | 2 +- .wrapped-provisioner-token | 2 +- scripts/install_redis.sh | 12 ++++++------ 5 files changed, 10 insertions(+), 10 deletions(-) diff --git a/.admin-token b/.admin-token index 8e91d46..1a48381 100644 --- a/.admin-token +++ b/.admin-token @@ -1 +1 @@ -f7c91abc-4363-009d-b4dc-042d748ea55a \ No newline at end of file +e138c2d3-b641-bd2e-2e6d-05ee4924e3eb \ No newline at end of file diff --git a/.appRoleID b/.appRoleID index 1fee0d3..af48b24 100644 --- a/.appRoleID +++ b/.appRoleID @@ -1 +1 @@ -06f7128b-dea0-3ac4-87f3-8a2dba162b09 \ No newline at end of file +9762ec05-4670-2109-a834-6b036a56ec82 \ No newline at end of file diff --git a/.database-token b/.database-token index 68557a0..7ae123e 100644 --- a/.database-token +++ b/.database-token @@ -1 +1 @@ -8baea52d-db7c-ba60-f34e-af47163f0fe2 \ No newline at end of file +d7125d90-2e5d-86e1-9d3d-9f8310344377 \ No newline at end of file diff --git a/.wrapped-provisioner-token b/.wrapped-provisioner-token index 6a189a6..ff8bc76 100644 --- a/.wrapped-provisioner-token +++ b/.wrapped-provisioner-token @@ -1 +1 @@ -802684fd-da02-656b-2960-d19111a67f2c \ No newline at end of file +10b84e2a-2bde-8b18-fbfd-1af0bb358742 \ No newline at end of file diff --git a/scripts/install_redis.sh b/scripts/install_redis.sh index 5b8fb55..a5ade3d 100755 --- a/scripts/install_redis.sh +++ b/scripts/install_redis.sh 
@@ -54,11 +54,11 @@ EOF --data @redis_service.json \ http://127.0.0.1:8500/v1/agent/service/register - curl \ - -v \ - --request PUT \ - --data @redis_service.json \ - http://${LEADER_IP}:8500/v1/catalog/register + # curl \ + # -v \ + # --request PUT \ + # --data @redis_service.json \ + # http://${LEADER_IP}:8500/v1/catalog/register curl \ -v \ @@ -86,6 +86,6 @@ sudo chmod 640 /etc/redis/redis.conf # restart redis, register the service with consul and restart consul agent sudo service redis-server restart register_redis_service_with_consul -#sudo killall -1 consul +sudo killall -1 consul From 73c7bacc9298a5e2d6357ef10fbc481ac1d1a171 Mon Sep 17 00:00:00 2001 From: Graham Land Date: Sat, 22 Sep 2018 01:29:51 +0100 Subject: [PATCH 15/36] fixed tests --- .admin-token | 2 +- .appRoleID | 2 +- .database-token | 2 +- .wrapped-provisioner-token | 2 +- Vagrantfile | 4 +- scripts/consul_redis_ping.sh | 5 +- scripts/consul_redis_verify.sh | 7 +- scripts/install_redis.sh | 6 -- .../{install_vault_v2.sh => install_vault.sh} | 75 +++++++++---------- 9 files changed, 48 insertions(+), 57 deletions(-) rename scripts/{install_vault_v2.sh => install_vault.sh} (97%) diff --git a/.admin-token b/.admin-token index 1a48381..e9d3fe4 100644 --- a/.admin-token +++ b/.admin-token @@ -1 +1 @@ -e138c2d3-b641-bd2e-2e6d-05ee4924e3eb \ No newline at end of file +40817f2b-3313-af1d-4c8d-fb33ad89c75b \ No newline at end of file diff --git a/.appRoleID b/.appRoleID index af48b24..642c21a 100644 --- a/.appRoleID +++ b/.appRoleID @@ -1 +1 @@ -9762ec05-4670-2109-a834-6b036a56ec82 \ No newline at end of file +f1a72d26-69bb-4423-43b1-fe1643093f11 \ No newline at end of file diff --git a/.database-token b/.database-token index 7ae123e..1c230ea 100644 --- a/.database-token +++ b/.database-token @@ -1 +1 @@ -d7125d90-2e5d-86e1-9d3d-9f8310344377 \ No newline at end of file +320f53e0-83b3-56dd-e7ed-6a75af2e016a \ No newline at end of file 
diff --git a/.wrapped-provisioner-token b/.wrapped-provisioner-token index ff8bc76..3be8013 100644 --- a/.wrapped-provisioner-token +++ b/.wrapped-provisioner-token @@ -1 +1 @@ -10b84e2a-2bde-8b18-fbfd-1af0bb358742 \ No newline at end of file +90f0a34a-aa3b-28ed-1c81-b04f168dec38 \ No newline at end of file diff --git a/Vagrantfile b/Vagrantfile index 7e2bdd4..90f7390 100644 --- a/Vagrantfile +++ b/Vagrantfile @@ -24,7 +24,8 @@ Vagrant.configure("2") do |config| config.vm.synced_folder ".", "/usr/local/bootstrap" config.vm.box = "allthingscloud/go-counter-demo" config.vm.provision "shell", path: "scripts/install_consul.sh", run: "always" - config.vm.provision "shell", path: "scripts/install_dd_agent.sh", env: {"DD_API_KEY" => ENV['DD_API_KEY']} + config.vm.provision "shell", path: "scripts/install_vault.sh", run: "always" + # config.vm.provision "shell", path: "scripts/install_dd_agent.sh", env: {"DD_API_KEY" => ENV['DD_API_KEY']} config.vm.provider "virtualbox" do |v| v.memory = 1024 @@ -34,7 +35,6 @@ Vagrant.configure("2") do |config| config.vm.define "leader01" do |leader01| leader01.vm.hostname = ENV['LEADER_NAME'] leader01.vm.provision "shell", path: "scripts/install_nomad.sh", run: "always" - leader01.vm.provision "shell", path: "scripts/install_vault_v2.sh", run: "always" leader01.vm.provision "shell", path: "scripts/install_SecretID_Factory.sh", run: "always" leader01.vm.network "private_network", ip: ENV['LEADER_IP'] leader01.vm.network "forwarded_port", guest: 8500, host: 8500 diff --git a/scripts/consul_redis_ping.sh b/scripts/consul_redis_ping.sh index 305e9b9..456334f 100755 --- a/scripts/consul_redis_ping.sh +++ b/scripts/consul_redis_ping.sh 
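Review bot: `scripts/install_vault.sh` now runs with `run: "always"` from the shared provisioner block, i.e. on every VM this Vagrantfile defines, where it previously ran only on `leader01`; unless the script still gates on the hostname (the leader-only guard that lived in `install_vault()` is deleted by this same patch), each node will start its own dev-mode Vault and overwrite `/usr/local/bootstrap/.vault-token` in the synced folder. Either keep the provision line under `leader01` or make the script exit early when `HOSTNAME` does not match `leader`. The commented-out Datadog provisioner can simply be removed rather than left as dead config that references `DD_API_KEY`.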
@@ -7,12 +7,11 @@ set -x VAULT_TOKEN=`cat /usr/local/bootstrap/.provisioner-token` VAULT_ADDR="http://${LEADER_IP}:8200" -TESTIP=${REDIS_MASTER_IP} -TESTPASSWORD=`sudo VAULT_ADDR="http://${LEADER_IP}:8200" VAULT_TOKEN=${VAULT_TOKEN} vault kv get -field=value kv/development/redispassword` +TESTPASSWORD=`sudo VAULT_ADDR="http://${LEADER_IP}:8200" VAULT_TOKEN=${VAULT_TOKEN} /usr/local/bin/vault kv get -field=value kv/development/redispassword` echo "running client ping test" -RESULT=`redis-cli -h ${TESTIP} -p ${REDIS_HOST_PORT} -a ${TESTPASSWORD} ping` +RESULT=`redis-cli -h 127.0.0.1 -p 6379 -a ${TESTPASSWORD} ping` if [ "$RESULT" == "PONG" ]; then echo 'Success Redis Ping resulted in '$RESULT diff --git a/scripts/consul_redis_verify.sh b/scripts/consul_redis_verify.sh index 4e212ee..5ae2549 100755 --- a/scripts/consul_redis_verify.sh +++ b/scripts/consul_redis_verify.sh @@ -9,14 +9,13 @@ echo "running client test" VAULT_TOKEN=`cat /usr/local/bootstrap/.provisioner-token` VAULT_ADDR="http://${LEADER_IP}:8200" -TESTIP=${REDIS_MASTER_IP} -TESTPASSWORD=`sudo VAULT_ADDR="http://${LEADER_IP}:8200" VAULT_TOKEN=${VAULT_TOKEN} vault kv get -field=value kv/development/redispassword` +TESTPASSWORD=`sudo VAULT_ADDR="http://${LEADER_IP}:8200" VAULT_TOKEN=${VAULT_TOKEN} /usr/local/bin/vault kv get -field=value kv/development/redispassword` -redis-cli -h ${REDIS_MASTER_IP} -p ${REDIS_HOST_PORT} -a ${TESTPASSWORD} set mykey bananas +redis-cli -h 127.0.0.1 -p 6379 -a ${TESTPASSWORD} set mykey bananas # initialise VALUE to ensure correct parameter is received from KV store VALUE="notbananas" -VALUE=`redis-cli -h ${REDIS_MASTER_IP} -p ${REDIS_HOST_PORT} -a ${TESTPASSWORD} get mykey` +VALUE=`redis-cli -h 127.0.0.1 -p 6379 -a ${TESTPASSWORD} get mykey` if [ "${VALUE}" == "bananas" ]; then echo "we got the value ${VALUE}, all good" diff --git a/scripts/install_redis.sh b/scripts/install_redis.sh index a5ade3d..1bf81df 100755 --- a/scripts/install_redis.sh +++ b/scripts/install_redis.sh 
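Review bot: The rewritten `redis-cli -h 127.0.0.1 -p 6379 -a ${TESTPASSWORD} ping` still passes the Redis password on the command line, and because the script runs with `set -x` (the context line at the top of the hunk) both this line and the `TESTPASSWORD=` assignment, including the VAULT_TOKEN it hands to sudo, are echoed to stderr and end up in the provisioner or CI log; the consul_redis_verify.sh hunk below has the same exposure on its three redis-cli and TESTPASSWORD lines. Wrap the secret-handling lines in `set +x` … `set -x`, quote the expansion as `-a "${TESTPASSWORD}"`, and where the installed redis-cli supports it prefer the `REDISCLI_AUTH` environment variable over `-a` so the password is also not visible in `ps`. Hard-coding 127.0.0.1:6379 silently drops the REDIS_MASTER_IP/REDIS_HOST_PORT parameters the old line honoured; if the test is intentionally local-only now, a one-line comment saying so would help the next reader.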
@@ -54,12 +54,6 @@ EOF --data @redis_service.json \ http://127.0.0.1:8500/v1/agent/service/register - # curl \ - # -v \ - # --request PUT \ - # --data @redis_service.json \ - # http://${LEADER_IP}:8500/v1/catalog/register - curl \ -v \ http://127.0.0.1:8500/v1/agent/services diff --git a/scripts/install_vault_v2.sh b/scripts/install_vault.sh similarity index 97% rename from scripts/install_vault_v2.sh rename to scripts/install_vault.sh index 11e4778..acfcaa4 100755 --- a/scripts/install_vault_v2.sh +++ b/scripts/install_vault.sh @@ -31,34 +31,6 @@ setup_environment () { echo 'End Setup of Vault Environment' } -install_vault () { - - echo 'Start Installation of Vault on Server' - # verify it's either the TRAVIS server or the Vault server - if [[ "${HOSTNAME}" =~ "leader" ]] || [ "${TRAVIS}" == "true" ]; then - #lets kill past instance - sudo killall vault &>/dev/null - - #lets delete old consul storage - sudo consul kv delete -recurse vault - - #delete old token if present - [ -f /usr/local/bootstrap/.vault-token ] && sudo rm /usr/local/bootstrap/.vault-token - - #start vault - sudo /usr/local/bin/vault server -dev -dev-listen-address=${IP}:8200 -config=/usr/local/bootstrap/conf/vault.hcl &> ${LOG} & - echo vault started - sleep 3 - - #copy token to known location - sudo find / -name '.vault-token' -exec cp {} /usr/local/bootstrap/.vault-token \; -quit - sudo chmod ugo+r /usr/local/bootstrap/.vault-token - - fi - - echo 'Installation of Vault Finished' -} - configure_vault_KV_audit_logs () { echo 'Start Vault KV Version Selection and Audit Log Enablement' 
@@ -411,15 +383,42 @@ EOF } +install_vault () { + + echo 'Start Installation of Vault on Server' + # verify it's either the TRAVIS server or the Vault server + if [[ "${HOSTNAME}" =~ "leader" ]] || [ "${TRAVIS}" == "true" ]; then + #lets kill past instance + sudo killall vault &>/dev/null + + #lets delete old consul storage + sudo consul kv delete -recurse vault + + #delete old token if present + [ -f /usr/local/bootstrap/.vault-token ] && sudo rm /usr/local/bootstrap/.vault-token + + #start vault + sudo /usr/local/bin/vault server -dev -dev-listen-address=${IP}:8200 -config=/usr/local/bootstrap/conf/vault.hcl &> ${LOG} & + echo vault started + sleep 3 + + #copy token to known location + sudo find / -name '.vault-token' -exec cp {} /usr/local/bootstrap/.vault-token \; -quit + sudo chmod ugo+r /usr/local/bootstrap/.vault-token + configure_vault_KV_audit_logs + configure_vault_admin_role + configure_vault_database_role + configure_vault_provisioner_role_wrapped + configure_vault_app_role + #revoke_root_token + set_test_secret_data + get_secret_id + get_approle_id + verify_approle_credentials + fi + + echo 'Installation of Vault Finished' +} + setup_environment install_vault -configure_vault_KV_audit_logs -configure_vault_admin_role -configure_vault_database_role -configure_vault_provisioner_role_wrapped -configure_vault_app_role -#revoke_root_token -set_test_secret_data -get_secret_id -get_approle_id -verify_approle_credentials \ No newline at end of file From 96909a4845dc87b18552656c1a1e9cb66c776cfe Mon Sep 17 00:00:00 2001 From: Graham Land Date: Sat, 22 Sep 2018 01:43:38 +0100 Subject: [PATCH 16/36] fixed token --- scripts/consul_redis_ping.sh | 2 +- scripts/consul_redis_verify.sh | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/scripts/consul_redis_ping.sh b/scripts/consul_redis_ping.sh index 456334f..5f0fdc8 100755 --- a/scripts/consul_redis_ping.sh +++ b/scripts/consul_redis_ping.sh 
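Review bot: `sleep 3` followed by `sudo find / -name '.vault-token' … -quit` is a race: if the dev server takes longer than three seconds to come up, find copies nothing, or, because `-quit` stops at the first match anywhere under `/`, an older token from some other location, and every configure_* call that now runs inside the guard proceeds with a missing or stale token. Replace the fixed sleep with a readiness poll such as `until VAULT_ADDR="http://${IP}:8200" /usr/local/bin/vault status >/dev/null 2>&1; do sleep 1; done`, and copy the token from the token helper's default `.vault-token` in the home directory of the user that ran `sudo vault server` (presumably root here; confirm) instead of searching the whole filesystem. `chmod ugo+r` additionally leaves the root token world-readable while `revoke_root_token` stays commented out, so the root token remains valid and readable for the lifetime of the box; that may be acceptable for `-dev` mode, but say so with a comment like `# dev-mode only: root token is left in place and readable for the test scripts`. The moved function lies entirely within the hunk.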
@@ -4,7 +4,7 @@ source /usr/local/bootstrap/var.env set -x # read redis database password from vault -VAULT_TOKEN=`cat /usr/local/bootstrap/.provisioner-token` +VAULT_TOKEN=`cat /usr/local/bootstrap/.database-token` VAULT_ADDR="http://${LEADER_IP}:8200" TESTPASSWORD=`sudo VAULT_ADDR="http://${LEADER_IP}:8200" VAULT_TOKEN=${VAULT_TOKEN} /usr/local/bin/vault kv get -field=value kv/development/redispassword` diff --git a/scripts/consul_redis_verify.sh b/scripts/consul_redis_verify.sh index 5ae2549..0f2df77 100755 --- a/scripts/consul_redis_verify.sh +++ b/scripts/consul_redis_verify.sh @@ -6,7 +6,7 @@ set -x echo "running client test" # read redis database password from vault -VAULT_TOKEN=`cat /usr/local/bootstrap/.provisioner-token` +VAULT_TOKEN=`cat /usr/local/bootstrap/.database-token` VAULT_ADDR="http://${LEADER_IP}:8200" TESTPASSWORD=`sudo VAULT_ADDR="http://${LEADER_IP}:8200" VAULT_TOKEN=${VAULT_TOKEN} /usr/local/bin/vault kv get -field=value kv/development/redispassword` From d9dfc21d783cfbceef1b9cc3cf9126fbb229f21f Mon Sep 17 00:00:00 2001 From: Graham Land Date: Sat, 22 Sep 2018 01:46:22 +0100 Subject: [PATCH 17/36] fixed --- .admin-token | 2 +- .appRoleID | 2 +- .database-token | 2 +- .wrapped-provisioner-token | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.admin-token b/.admin-token index e9d3fe4..1248b90 100644 --- a/.admin-token +++ b/.admin-token @@ -1 +1 @@ -40817f2b-3313-af1d-4c8d-fb33ad89c75b \ No newline at end of file +09b43426-7c0a-8a60-00be-85c3b29cd159 \ No newline at end of file diff --git a/.appRoleID b/.appRoleID index 642c21a..921da29 100644 --- a/.appRoleID +++ b/.appRoleID @@ -1 +1 @@ -f1a72d26-69bb-4423-43b1-fe1643093f11 \ No newline at end of file +a285bf50-794d-d064-d8d8-a74a9d8773b6 \ No newline at end of file diff --git a/.database-token b/.database-token index 1c230ea..bb377e6 100644 --- a/.database-token +++ b/.database-token 
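Review bot: The new VAULT_TOKEN assignment reads `/usr/local/bootstrap/.database-token`, and the diffstats on this page show `.database-token` (together with `.admin-token`, `.appRoleID` and `.wrapped-provisioner-token`) being committed and rewritten in several commits; these files are regenerated on every provision and should be git-ignored rather than tracked, even if they only ever hold dev-mode tokens. The same applies to the consul_redis_verify.sh hunk below, which reads the identical file. As a point of style, if the script runs under bash, `VAULT_TOKEN=$(< /usr/local/bootstrap/.database-token)` is preferable to backticks around cat.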
@@ -1 +1 @@ -320f53e0-83b3-56dd-e7ed-6a75af2e016a \ No newline at end of file +5a4a57aa-d3f1-deb2-b07c-83714b21352d \ No newline at end of file diff --git a/.wrapped-provisioner-token b/.wrapped-provisioner-token index 3be8013..8cfef9c 100644 --- a/.wrapped-provisioner-token +++ b/.wrapped-provisioner-token @@ -1 +1 @@ -90f0a34a-aa3b-28ed-1c81-b04f168dec38 \ No newline at end of file +f3bb4609-3245-889b-4efe-9fb95e218ade \ No newline at end of file From 7e166a47ab25712dbf97e4d08c4bb5d44ceb8694 Mon Sep 17 00:00:00 2001 From: Graham Land Date: Sat, 22 Sep 2018 01:52:18 +0100 Subject: [PATCH 18/36] travis typo --- .travis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index 8dd9df0..ad6e8a9 100644 --- a/.travis.yml +++ b/.travis.yml @@ -15,7 +15,7 @@ before_script: - if [ $VAGRANT_CLOUD_TOKEN ] ; then packer validate template.json ; fi - popd - bash scripts/install_consul.sh -- bash scripts/install_vault_v2.sh +- bash scripts/install_vault.sh - bash scripts/install_redis.sh - bash scripts/install_SecretID_Factory.sh - sudo cp /home/travis/.vault-token /usr/local/bootstrap/.vault-token From aaf34ffa0b62bf2d288b2ae08de9698adbec327a Mon Sep 17 00:00:00 2001 From: Graham Land Date: Sat, 22 Sep 2018 08:59:07 +0100 Subject: [PATCH 19/36] Ensue to refactor vault into service discovery flow --- readme.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/readme.md b/readme.md index 5601625..a3b2eb9 100644 --- a/readme.md +++ b/readme.md 
@@ -520,8 +520,9 @@ __WebCounter Application__ ### New Features ### Refactor -1. Move all the application service checks creation process into the application itself rather than relying on external bash scripts +1. Move all the application service checks creation process into the application itself rather than relying on external bash scripts for both redis and webpage counter 2. Ensure the service checks are only deployed to Consul once the application is configured and online +3. Refactor application to leverage consul service discovery for VAULT details 3. Configure a Consul Connect intention to permit the applications to communicate with the new Secret-ID Factory ## Done From 5f10c81a1f02a846eb7a7a13600e673021c24792 Mon Sep 17 00:00:00 2001 From: Graham Land Date: Sat, 22 Sep 2018 13:46:13 +0100 Subject: [PATCH 20/36] remove cruft --- .travis.yml | 3 --- 1 file changed, 3 deletions(-) diff --git a/.travis.yml b/.travis.yml index ad6e8a9..5929ecc 100644 --- a/.travis.yml +++ b/.travis.yml @@ -19,9 +19,6 @@ before_script: - bash scripts/install_redis.sh - bash scripts/install_SecretID_Factory.sh - sudo cp /home/travis/.vault-token /usr/local/bootstrap/.vault-token -# - sudo cp /home/travis/.database-token /usr/local/bootstrap/.database-token -# - sudo cp /home/travis/.provisioner-token /usr/local/bootstrap/.provisioner-token -# - sudo cp /home/travis/.wrapped-provisioner-token /usr/local/bootstrap/.wrapped-provisioner-token script: - source ./var.env - export REDIS_MASTER_IP=127.0.0.1 From ff9a2759771054525b169798c88514eadb9fea37 Mon Sep 17 00:00:00 2001 From: Graham Land Date: Sat, 22 Sep 2018 14:07:14 +0100 Subject: [PATCH 21/36] removed excessive comments from redis deployment template --- conf/master.redis.ctpl | 860 +-------------------------------- scripts/consul_goapp_verify.sh | 2 +- scripts/install_redis.sh | 15 +- 3 files changed, 13 insertions(+), 864 deletions(-) 
diff --git a/conf/master.redis.ctpl b/conf/master.redis.ctpl index ff632b9..8bbf108 100644 --- a/conf/master.redis.ctpl +++ b/conf/master.redis.ctpl 
@@ -1,948 +1,94 @@ -# Redis configuration file example. -# GJL - master -# -# Note that in order to read the configuration file, Redis must be -# started with the file path as first argument: -# -# ./redis-server /path/to/redis.conf - -# Note on units: when memory size is needed, it is possible to specify -# it in the usual form of 1k 5GB 4M and so forth: -# -# 1k => 1000 bytes -# 1kb => 1024 bytes -# 1m => 1000000 bytes -# 1mb => 1024*1024 bytes -# 1g => 1000000000 bytes -# 1gb => 1024*1024*1024 bytes -# -# units are case insensitive so 1GB 1Gb 1gB are all the same. - -################################## INCLUDES ################################### - -# Include one or more other config files here. This is useful if you -# have a standard template that goes to all Redis servers but also need -# to customize a few per-server settings. Include files can include -# other files, so use this wisely. -# -# Notice option "include" won't be rewritten by command "CONFIG REWRITE" -# from admin or Redis Sentinel. Since Redis always uses the last processed -# line as value of a configuration directive, you'd better put includes -# at the beginning of this file to avoid overwriting config change at runtime. -# -# If instead you are interested in using includes to override configuration -# options, it is better to use include as the last line. -# -# include /path/to/local.conf -# include /path/to/other.conf - -################################ GENERAL ##################################### - -# By default Redis does not run as a daemon. Use 'yes' if you need it. -# Note that Redis will write a pid file in /var/run/redis.pid when daemonized. daemonize yes -# When running daemonized, Redis writes a pid file in /var/run/redis.pid by -# default. You can specify a custom pid file location here. pidfile /var/run/redis/redis-server.pid -# Accept connections on the specified port, default is 6379. -# If port 0 is specified Redis will not listen on a TCP socket. 
port 6379 -# TCP listen() backlog. -# -# In high requests-per-second environments you need an high backlog in order -# to avoid slow clients connections issues. Note that the Linux kernel -# will silently truncate it to the value of /proc/sys/net/core/somaxconn so -# make sure to raise both the value of somaxconn and tcp_max_syn_backlog -# in order to get the desired effect. tcp-backlog 511 -# By default Redis listens for connections from all the network interfaces -# available on the server. It is possible to listen to just one or multiple -# interfaces using the "bind" configuration directive, followed by one or -# more IP addresses. -# -# Examples: -# -# bind 192.168.1.100 10.0.0.1 -# Bound to 0.0.0.0 - -# Specify the path for the Unix socket that will be used to listen for -# incoming connections. There is no default, so Redis will not listen -# on a unix socket when not specified. -# -# unixsocket /var/run/redis/redis.sock -# unixsocketperm 700 - -# Close the connection after a client is idle for N seconds (0 to disable) timeout 0 -# TCP keepalive. -# -# If non-zero, use SO_KEEPALIVE to send TCP ACKs to clients in absence -# of communication. This is useful for two reasons: -# -# 1) Detect dead peers. -# 2) Take the connection alive from the point of view of network -# equipment in the middle. -# -# On Linux, the specified value (in seconds) is the period used to send ACKs. -# Note that to close the connection the double of the time is needed. -# On other kernels the period depends on the kernel configuration. -# -# A reasonable value for this option is 60 seconds. tcp-keepalive 60 -# Specify the server verbosity level. -# This can be one of: -# debug (a lot of information, useful for development/testing) -# verbose (many rarely useful info, but not a mess like the debug level) -# notice (moderately verbose, what you want in production probably) -# warning (only very important / critical messages are logged) loglevel notice -# Specify the log file name. 
Also the empty string can be used to force -# Redis to log on the standard output. Note that if you use standard -# output for logging but daemonize, logs will be sent to /dev/null logfile /var/log/redis/redis-server.log -# To enable logging to the system logger, just set 'syslog-enabled' to yes, -# and optionally update the other syslog parameters to suit your needs. -# syslog-enabled no - -# Specify the syslog identity. -# syslog-ident redis - -# Specify the syslog facility. Must be USER or between LOCAL0-LOCAL7. -# syslog-facility local0 - -# Set the number of databases. The default database is DB 0, you can select -# a different one on a per-connection basis using SELECT where -# dbid is a number between 0 and 'databases'-1 databases 16 -################################ SNAPSHOTTING ################################ -# -# Save the DB on disk: -# -# save -# -# Will save the DB if both the given number of seconds and the given -# number of write operations against the DB occurred. -# -# In the example below the behaviour will be to save: -# after 900 sec (15 min) if at least 1 key changed -# after 300 sec (5 min) if at least 10 keys changed -# after 60 sec if at least 10000 keys changed -# -# Note: you can disable saving completely by commenting out all "save" lines. -# -# It is also possible to remove all the previously configured save -# points by adding a save directive with a single empty string argument -# like in the following example: -# -# save "" - save 900 1 save 300 10 save 60 10000 -# By default Redis will stop accepting writes if RDB snapshots are enabled -# (at least one save point) and the latest background save failed. -# This will make the user aware (in a hard way) that data is not persisting -# on disk properly, otherwise chances are that no one will notice and some -# disaster will happen. -# -# If the background saving process will start working again Redis will -# automatically allow writes again. 
-# -# However if you have setup your proper monitoring of the Redis server -# and persistence, you may want to disable this feature so that Redis will -# continue to work as usual even if there are problems with disk, -# permissions, and so forth. stop-writes-on-bgsave-error yes -# Compress string objects using LZF when dump .rdb databases? -# For default that's set to 'yes' as it's almost always a win. -# If you want to save some CPU in the saving child set it to 'no' but -# the dataset will likely be bigger if you have compressible values or keys. rdbcompression yes -# Since version 5 of RDB a CRC64 checksum is placed at the end of the file. -# This makes the format more resistant to corruption but there is a performance -# hit to pay (around 10%) when saving and loading RDB files, so you can disable it -# for maximum performances. -# -# RDB files created with checksum disabled have a checksum of zero that will -# tell the loading code to skip the check. rdbchecksum yes -# The filename where to dump the DB dbfilename dump.rdb -# The working directory. -# -# The DB will be written inside this directory, with the filename specified -# above using the 'dbfilename' configuration directive. -# -# The Append Only File will also be created inside this directory. -# -# Note that you must specify a directory here, not a file name. dir /var/lib/redis -################################# REPLICATION ################################# - -# Master-Slave replication. Use slaveof to make a Redis instance a copy of -# another Redis server. A few things to understand ASAP about Redis replication. -# -# 1) Redis replication is asynchronous, but you can configure a master to -# stop accepting writes if it appears to be not connected with at least -# a given number of slaves. -# 2) Redis slaves are able to perform a partial resynchronization with the -# master if the replication link is lost for a relatively small amount of -# time. 
You may want to configure the replication backlog size (see the next -# sections of this file) with a sensible value depending on your needs. -# 3) Replication is automatic and does not need user intervention. After a -# network partition slaves automatically try to reconnect to masters -# and resynchronize with them. -# -# slaveof - -# If the master is password protected (using the "requirepass" configuration -# directive below) it is possible to tell the slave to authenticate before -# starting the replication synchronization process, otherwise the master will -# refuse the slave request. -# -# masterauth - -# When a slave loses its connection with the master, or when the replication -# is still in progress, the slave can act in two different ways: -# -# 1) if slave-serve-stale-data is set to 'yes' (the default) the slave will -# still reply to client requests, possibly with out of date data, or the -# data set may just be empty if this is the first synchronization. -# -# 2) if slave-serve-stale-data is set to 'no' the slave will reply with -# an error "SYNC with master in progress" to all the kind of commands -# but to INFO and SLAVEOF. -# slave-serve-stale-data yes -# You can configure a slave instance to accept writes or not. Writing against -# a slave instance may be useful to store some ephemeral data (because data -# written on a slave will be easily deleted after resync with the master) but -# may also cause problems if clients are writing to it because of a -# misconfiguration. -# -# Since Redis 2.6 by default slaves are read-only. -# -# Note: read only slaves are not designed to be exposed to untrusted clients -# on the internet. It's just a protection layer against misuse of the instance. -# Still a read only slave exports by default all the administrative commands -# such as CONFIG, DEBUG, and so forth. To a limited extent you can improve -# security of read only slaves using 'rename-command' to shadow all the -# administrative / dangerous commands. 
slave-read-only yes -# Replication SYNC strategy: disk or socket. -# -# ------------------------------------------------------- -# WARNING: DISKLESS REPLICATION IS EXPERIMENTAL CURRENTLY -# ------------------------------------------------------- -# -# New slaves and reconnecting slaves that are not able to continue the replication -# process just receiving differences, need to do what is called a "full -# synchronization". An RDB file is transmitted from the master to the slaves. -# The transmission can happen in two different ways: -# -# 1) Disk-backed: The Redis master creates a new process that writes the RDB -# file on disk. Later the file is transferred by the parent -# process to the slaves incrementally. -# 2) Diskless: The Redis master creates a new process that directly writes the -# RDB file to slave sockets, without touching the disk at all. -# -# With disk-backed replication, while the RDB file is generated, more slaves -# can be queued and served with the RDB file as soon as the current child producing -# the RDB file finishes its work. With diskless replication instead once -# the transfer starts, new slaves arriving will be queued and a new transfer -# will start when the current one terminates. -# -# When diskless replication is used, the master waits a configurable amount of -# time (in seconds) before starting the transfer in the hope that multiple slaves -# will arrive and the transfer can be parallelized. -# -# With slow disks and fast (large bandwidth) networks, diskless replication -# works better. repl-diskless-sync no -# When diskless replication is enabled, it is possible to configure the delay -# the server waits in order to spawn the child that transfers the RDB via socket -# to the slaves. -# -# This is important since once the transfer starts, it is not possible to serve -# new slaves arriving, that will be queued for the next RDB transfer, so the server -# waits a delay in order to let more slaves arrive. 
-# -# The delay is specified in seconds, and by default is 5 seconds. To disable -# it entirely just set it to 0 seconds and the transfer will start ASAP. repl-diskless-sync-delay 5 -# Slaves send PINGs to server in a predefined interval. It's possible to change -# this interval with the repl_ping_slave_period option. The default value is 10 -# seconds. -# -# repl-ping-slave-period 10 - -# The following option sets the replication timeout for: -# -# 1) Bulk transfer I/O during SYNC, from the point of view of slave. -# 2) Master timeout from the point of view of slaves (data, pings). -# 3) Slave timeout from the point of view of masters (REPLCONF ACK pings). -# -# It is important to make sure that this value is greater than the value -# specified for repl-ping-slave-period otherwise a timeout will be detected -# every time there is low traffic between the master and the slave. -# -# repl-timeout 60 - -# Disable TCP_NODELAY on the slave socket after SYNC? -# -# If you select "yes" Redis will use a smaller number of TCP packets and -# less bandwidth to send data to slaves. But this can add a delay for -# the data to appear on the slave side, up to 40 milliseconds with -# Linux kernels using a default configuration. -# -# If you select "no" the delay for data to appear on the slave side will -# be reduced but more bandwidth will be used for replication. -# -# By default we optimize for low latency, but in very high traffic conditions -# or when the master and slaves are many hops away, turning this to "yes" may -# be a good idea. repl-disable-tcp-nodelay no -# Set the replication backlog size. The backlog is a buffer that accumulates -# slave data when slaves are disconnected for some time, so that when a slave -# wants to reconnect again, often a full resync is not needed, but a partial -# resync is enough, just passing the portion of data the slave missed while -# disconnected. 
-# -# The bigger the replication backlog, the longer the time the slave can be -# disconnected and later be able to perform a partial resynchronization. -# -# The backlog is only allocated once there is at least a slave connected. -# -# repl-backlog-size 1mb - -# After a master has no longer connected slaves for some time, the backlog -# will be freed. The following option configures the amount of seconds that -# need to elapse, starting from the time the last slave disconnected, for -# the backlog buffer to be freed. -# -# A value of 0 means to never release the backlog. -# -# repl-backlog-ttl 3600 - -# The slave priority is an integer number published by Redis in the INFO output. -# It is used by Redis Sentinel in order to select a slave to promote into a -# master if the master is no longer working correctly. -# -# A slave with a low priority number is considered better for promotion, so -# for instance if there are three slaves with priority 10, 100, 25 Sentinel will -# pick the one with priority 10, that is the lowest. -# -# However a special priority of 0 marks the slave as not able to perform the -# role of master, so a slave with priority of 0 will never be selected by -# Redis Sentinel for promotion. -# -# By default the priority is 100. slave-priority 100 -# It is possible for a master to stop accepting writes if there are less than -# N slaves connected, having a lag less or equal than M seconds. -# -# The N slaves need to be in "online" state. -# -# The lag in seconds, that must be <= the specified value, is calculated from -# the last ping received from the slave, that is usually sent every second. -# -# This option does not GUARANTEE that N replicas will accept the write, but -# will limit the window of exposure for lost writes in case not enough slaves -# are available, to the specified number of seconds. 
-# -# For example to require at least 3 slaves with a lag <= 10 seconds use: -# -# min-slaves-to-write 3 -# min-slaves-max-lag 10 -# -# Setting one or the other to 0 disables the feature. -# -# By default min-slaves-to-write is set to 0 (feature disabled) and -# min-slaves-max-lag is set to 10. - -################################## SECURITY ################################### - -# Require clients to issue AUTH before processing any other -# commands. This might be useful in environments in which you do not trust -# others with access to the host running redis-server. -# -# This should stay commented out for backward compatibility and because most -# people do not need auth (e.g. they run their own servers). -# -# Warning: since Redis is pretty fast an outside user can try up to -# 150k passwords per second against a good box. This means that you should -# use a very strong password otherwise it will be very easy to break. -# -# requirepass foobared - -# Command renaming. -# -# It is possible to change the name of dangerous commands in a shared -# environment. For instance the CONFIG command may be renamed into something -# hard to guess so that it will still be available for internal-use tools -# but not available for general clients. -# -# Example: -# -# rename-command CONFIG b840fc02d524045429941cc15f59e41cb7be6c52 -# -# It is also possible to completely kill a command by renaming it into -# an empty string: -# -# rename-command CONFIG "" -# -# Please note that changing the name of commands that are logged into the -# AOF file or transmitted to slaves may cause problems. - -################################### LIMITS #################################### - -# Set the max number of connected clients at the same time. 
By default -# this limit is set to 10000 clients, however if the Redis server is not -# able to configure the process file limit to allow for the specified limit -# the max number of allowed clients is set to the current file limit -# minus 32 (as Redis reserves a few file descriptors for internal uses). -# -# Once the limit is reached Redis will close all the new connections sending -# an error 'max number of clients reached'. -# -# maxclients 10000 - -# Don't use more memory than the specified amount of bytes. -# When the memory limit is reached Redis will try to remove keys -# according to the eviction policy selected (see maxmemory-policy). -# -# If Redis can't remove keys according to the policy, or if the policy is -# set to 'noeviction', Redis will start to reply with errors to commands -# that would use more memory, like SET, LPUSH, and so on, and will continue -# to reply to read-only commands like GET. -# -# This option is usually useful when using Redis as an LRU cache, or to set -# a hard memory limit for an instance (using the 'noeviction' policy). -# -# WARNING: If you have slaves attached to an instance with maxmemory on, -# the size of the output buffers needed to feed the slaves are subtracted -# from the used memory count, so that network problems / resyncs will -# not trigger a loop where keys are evicted, and in turn the output -# buffer of slaves is full with DELs of keys evicted triggering the deletion -# of more keys, and so forth until the database is completely emptied. -# -# In short... if you have slaves attached it is suggested that you set a lower -# limit for maxmemory so that there is some free RAM on the system for slave -# output buffers (but this is not needed if the policy is 'noeviction'). -# -# maxmemory - -# MAXMEMORY POLICY: how Redis will select what to remove when maxmemory -# is reached. 
You can select among five behaviors: -# -# volatile-lru -> remove the key with an expire set using an LRU algorithm -# allkeys-lru -> remove any key according to the LRU algorithm -# volatile-random -> remove a random key with an expire set -# allkeys-random -> remove a random key, any key -# volatile-ttl -> remove the key with the nearest expire time (minor TTL) -# noeviction -> don't expire at all, just return an error on write operations -# -# Note: with any of the above policies, Redis will return an error on write -# operations, when there are no suitable keys for eviction. -# -# At the date of writing these commands are: set setnx setex append -# incr decr rpush lpush rpushx lpushx linsert lset rpoplpush sadd -# sinter sinterstore sunion sunionstore sdiff sdiffstore zadd zincrby -# zunionstore zinterstore hset hsetnx hmset hincrby incrby decrby -# getset mset msetnx exec sort -# -# The default is: -# -# maxmemory-policy noeviction - -# LRU and minimal TTL algorithms are not precise algorithms but approximated -# algorithms (in order to save memory), so you can tune it for speed or -# accuracy. For default Redis will check five keys and pick the one that was -# used less recently, you can change the sample size using the following -# configuration directive. -# -# The default of 5 produces good enough results. 10 Approximates very closely -# true LRU but costs a bit more CPU. 3 is very fast but not very accurate. -# -# maxmemory-samples 5 - -############################## APPEND ONLY MODE ############################### - -# By default Redis asynchronously dumps the dataset on disk. This mode is -# good enough in many applications, but an issue with the Redis process or -# a power outage may result into a few minutes of writes lost (depending on -# the configured save points). -# -# The Append Only File is an alternative persistence mode that provides -# much better durability. 
For instance using the default data fsync policy -# (see later in the config file) Redis can lose just one second of writes in a -# dramatic event like a server power outage, or a single write if something -# wrong with the Redis process itself happens, but the operating system is -# still running correctly. -# -# AOF and RDB persistence can be enabled at the same time without problems. -# If the AOF is enabled on startup Redis will load the AOF, that is the file -# with the better durability guarantees. -# -# Please check http://redis.io/topics/persistence for more information. - appendonly yes -# The name of the append only file (default: "appendonly.aof") - appendfilename "appendonly.aof" -# The fsync() call tells the Operating System to actually write data on disk -# instead of waiting for more data in the output buffer. Some OS will really flush -# data on disk, some other OS will just try to do it ASAP. -# -# Redis supports three different modes: -# -# no: don't fsync, just let the OS flush the data when it wants. Faster. -# always: fsync after every write to the append only log. Slow, Safest. -# everysec: fsync only one time every second. Compromise. -# -# The default is "everysec", as that's usually the right compromise between -# speed and data safety. It's up to you to understand if you can relax this to -# "no" that will let the operating system flush the output buffer when -# it wants, for better performances (but if you can live with the idea of -# some data loss consider the default persistence mode that's snapshotting), -# or on the contrary, use "always" that's very slow but a bit safer than -# everysec. -# -# More details please check the following article: -# http://antirez.com/post/redis-persistence-demystified.html -# -# If unsure, use "everysec". 
- -# appendfsync always appendfsync everysec -# appendfsync no - -# When the AOF fsync policy is set to always or everysec, and a background -# saving process (a background save or AOF log background rewriting) is -# performing a lot of I/O against the disk, in some Linux configurations -# Redis may block too long on the fsync() call. Note that there is no fix for -# this currently, as even performing fsync in a different thread will block -# our synchronous write(2) call. -# -# In order to mitigate this problem it's possible to use the following option -# that will prevent fsync() from being called in the main process while a -# BGSAVE or BGREWRITEAOF is in progress. -# -# This means that while another child is saving, the durability of Redis is -# the same as "appendfsync none". In practical terms, this means that it is -# possible to lose up to 30 seconds of log in the worst scenario (with the -# default Linux settings). -# -# If you have latency problems turn this to "yes". Otherwise leave it as -# "no" that is the safest pick from the point of view of durability. no-appendfsync-on-rewrite no -# Automatic rewrite of the append only file. -# Redis is able to automatically rewrite the log file implicitly calling -# BGREWRITEAOF when the AOF log size grows by the specified percentage. -# -# This is how it works: Redis remembers the size of the AOF file after the -# latest rewrite (if no rewrite has happened since the restart, the size of -# the AOF at startup is used). -# -# This base size is compared to the current size. If the current size is -# bigger than the specified percentage, the rewrite is triggered. Also -# you need to specify a minimal size for the AOF file to be rewritten, this -# is useful to avoid rewriting the AOF file even if the percentage increase -# is reached but it is still pretty small. -# -# Specify a percentage of zero in order to disable the automatic AOF -# rewrite feature. 
- auto-aof-rewrite-percentage 100 auto-aof-rewrite-min-size 64mb -# An AOF file may be found to be truncated at the end during the Redis -# startup process, when the AOF data gets loaded back into memory. -# This may happen when the system where Redis is running -# crashes, especially when an ext4 filesystem is mounted without the -# data=ordered option (however this can't happen when Redis itself -# crashes or aborts but the operating system still works correctly). -# -# Redis can either exit with an error when this happens, or load as much -# data as possible (the default now) and start if the AOF file is found -# to be truncated at the end. The following option controls this behavior. -# -# If aof-load-truncated is set to yes, a truncated AOF file is loaded and -# the Redis server starts emitting a log to inform the user of the event. -# Otherwise if the option is set to no, the server aborts with an error -# and refuses to start. When the option is set to no, the user requires -# to fix the AOF file using the "redis-check-aof" utility before to restart -# the server. -# -# Note that if the AOF file will be found to be corrupted in the middle -# the server will still exit with an error. This option only applies when -# Redis will try to read more data from the AOF file but not enough bytes -# will be found. aof-load-truncated yes -################################ LUA SCRIPTING ############################### - -# Max execution time of a Lua script in milliseconds. -# -# If the maximum execution time is reached Redis will log that a script is -# still in execution after the maximum allowed time and will start to -# reply to queries with an error. -# -# When a long running script exceeds the maximum execution time only the -# SCRIPT KILL and SHUTDOWN NOSAVE commands are available. The first can be -# used to stop a script that did not yet called write commands. 
The second -# is the only way to shut down the server in the case a write command was -# already issued by the script but the user doesn't want to wait for the natural -# termination of the script. -# -# Set it to 0 or a negative value for unlimited execution without warnings. lua-time-limit 5000 -################################ REDIS CLUSTER ############################### -# -# ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ -# WARNING EXPERIMENTAL: Redis Cluster is considered to be stable code, however -# in order to mark it as "mature" we need to wait for a non trivial percentage -# of users to deploy it in production. -# ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ -# -# Normal Redis instances can't be part of a Redis Cluster; only nodes that are -# started as cluster nodes can. In order to start a Redis instance as a -# cluster node enable the cluster support uncommenting the following: -# -# cluster-enabled yes - -# Every cluster node has a cluster configuration file. This file is not -# intended to be edited by hand. It is created and updated by Redis nodes. -# Every Redis Cluster node requires a different cluster configuration file. -# Make sure that instances running in the same system do not have -# overlapping cluster configuration file names. -# -# cluster-config-file nodes-6379.conf - -# Cluster node timeout is the amount of milliseconds a node must be unreachable -# for it to be considered in failure state. -# Most other internal time limits are multiple of the node timeout. -# -# cluster-node-timeout 15000 - -# A slave of a failing master will avoid to start a failover if its data -# looks too old. 
-# -# There is no simple way for a slave to actually have a exact measure of -# its "data age", so the following two checks are performed: -# -# 1) If there are multiple slaves able to failover, they exchange messages -# in order to try to give an advantage to the slave with the best -# replication offset (more data from the master processed). -# Slaves will try to get their rank by offset, and apply to the start -# of the failover a delay proportional to their rank. -# -# 2) Every single slave computes the time of the last interaction with -# its master. This can be the last ping or command received (if the master -# is still in the "connected" state), or the time that elapsed since the -# disconnection with the master (if the replication link is currently down). -# If the last interaction is too old, the slave will not try to failover -# at all. -# -# The point "2" can be tuned by user. Specifically a slave will not perform -# the failover if, since the last interaction with the master, the time -# elapsed is greater than: -# -# (node-timeout * slave-validity-factor) + repl-ping-slave-period -# -# So for example if node-timeout is 30 seconds, and the slave-validity-factor -# is 10, and assuming a default repl-ping-slave-period of 10 seconds, the -# slave will not try to failover if it was not able to talk with the master -# for longer than 310 seconds. -# -# A large slave-validity-factor may allow slaves with too old data to failover -# a master, while a too small value may prevent the cluster from being able to -# elect a slave at all. -# -# For maximum availability, it is possible to set the slave-validity-factor -# to a value of 0, which means, that slaves will always try to failover the -# master regardless of the last time they interacted with the master. -# (However they'll always try to apply a delay proportional to their -# offset rank). 
-# -# Zero is the only value able to guarantee that when all the partitions heal -# the cluster will always be able to continue. -# -# cluster-slave-validity-factor 10 - -# Cluster slaves are able to migrate to orphaned masters, that are masters -# that are left without working slaves. This improves the cluster ability -# to resist to failures as otherwise an orphaned master can't be failed over -# in case of failure if it has no working slaves. -# -# Slaves migrate to orphaned masters only if there are still at least a -# given number of other working slaves for their old master. This number -# is the "migration barrier". A migration barrier of 1 means that a slave -# will migrate only if there is at least 1 other working slave for its master -# and so forth. It usually reflects the number of slaves you want for every -# master in your cluster. -# -# Default is 1 (slaves migrate only if their masters remain with at least -# one slave). To disable migration just set it to a very large value. -# A value of 0 can be set but is useful only for debugging and dangerous -# in production. -# -# cluster-migration-barrier 1 - -# By default Redis Cluster nodes stop accepting queries if they detect there -# is at least an hash slot uncovered (no available node is serving it). -# This way if the cluster is partially down (for example a range of hash slots -# are no longer covered) all the cluster becomes, eventually, unavailable. -# It automatically returns available as soon as all the slots are covered again. -# -# However sometimes you want the subset of the cluster which is working, -# to continue to accept queries for the part of the key space that is still -# covered. In order to do so, just set the cluster-require-full-coverage -# option to no. -# -# cluster-require-full-coverage yes - -# In order to setup your cluster make sure to read the documentation -# available at http://redis.io web site. 
- -################################## SLOW LOG ################################### - -# The Redis Slow Log is a system to log queries that exceeded a specified -# execution time. The execution time does not include the I/O operations -# like talking with the client, sending the reply and so forth, -# but just the time needed to actually execute the command (this is the only -# stage of command execution where the thread is blocked and can not serve -# other requests in the meantime). -# -# You can configure the slow log with two parameters: one tells Redis -# what is the execution time, in microseconds, to exceed in order for the -# command to get logged, and the other parameter is the length of the -# slow log. When a new command is logged the oldest one is removed from the -# queue of logged commands. - -# The following time is expressed in microseconds, so 1000000 is equivalent -# to one second. Note that a negative number disables the slow log, while -# a value of zero forces the logging of every command. -slowlog-log-slower-than 10000 - -# There is no limit to this length. Just be aware that it will consume memory. -# You can reclaim memory used by the slow log with SLOWLOG RESET. slowlog-max-len 128 -################################ LATENCY MONITOR ############################## - -# The Redis latency monitoring subsystem samples different operations -# at runtime in order to collect data related to possible sources of -# latency of a Redis instance. -# -# Via the LATENCY command this information is available to the user that can -# print graphs and obtain reports. -# -# The system only logs operations that were performed in a time equal or -# greater than the amount of milliseconds specified via the -# latency-monitor-threshold configuration directive. When its value is set -# to zero, the latency monitor is turned off. 
-# -# By default latency monitoring is disabled since it is mostly not needed -# if you don't have latency issues, and collecting data has a performance -# impact, that while very small, can be measured under big load. Latency -# monitoring can easily be enabled at runtime using the command -# "CONFIG SET latency-monitor-threshold " if needed. latency-monitor-threshold 0 -############################# EVENT NOTIFICATION ############################## - -# Redis can notify Pub/Sub clients about events happening in the key space. -# This feature is documented at http://redis.io/topics/notifications -# -# For instance if keyspace events notification is enabled, and a client -# performs a DEL operation on key "foo" stored in the Database 0, two -# messages will be published via Pub/Sub: -# -# PUBLISH __keyspace@0__:foo del -# PUBLISH __keyevent@0__:del foo -# -# It is possible to select the events that Redis will notify among a set -# of classes. Every class is identified by a single character: -# -# K Keyspace events, published with __keyspace@__ prefix. -# E Keyevent events, published with __keyevent@__ prefix. -# g Generic commands (non-type specific) like DEL, EXPIRE, RENAME, ... -# $ String commands -# l List commands -# s Set commands -# h Hash commands -# z Sorted set commands -# x Expired events (events generated every time a key expires) -# e Evicted events (events generated when a key is evicted for maxmemory) -# A Alias for g$lshzxe, so that the "AKE" string means all the events. -# -# The "notify-keyspace-events" takes as argument a string that is composed -# of zero or multiple characters. The empty string means that notifications -# are disabled. 
-# -# Example: to enable list and generic events, from the point of view of the -# event name, use: -# -# notify-keyspace-events Elg -# -# Example 2: to get the stream of the expired keys subscribing to channel -# name __keyevent@0__:expired use: -# -# notify-keyspace-events Ex -# -# By default all notifications are disabled because most users don't need -# this feature and the feature has some overhead. Note that if you don't -# specify at least one of K or E, no events will be delivered. notify-keyspace-events "" -############################### ADVANCED CONFIG ############################### - -# Hashes are encoded using a memory efficient data structure when they have a -# small number of entries, and the biggest entry does not exceed a given -# threshold. These thresholds can be configured using the following directives. hash-max-ziplist-entries 512 hash-max-ziplist-value 64 -# Similarly to hashes, small lists are also encoded in a special way in order -# to save a lot of space. The special representation is only used when -# you are under the following limits: list-max-ziplist-entries 512 list-max-ziplist-value 64 -# Sets have a special encoding in just one case: when a set is composed -# of just strings that happen to be integers in radix 10 in the range -# of 64 bit signed integers. -# The following configuration setting sets the limit in the size of the -# set in order to use this special memory saving encoding. set-max-intset-entries 512 -# Similarly to hashes and lists, sorted sets are also specially encoded in -# order to save a lot of space. This encoding is only used when the length and -# elements of a sorted set are below the following limits: zset-max-ziplist-entries 128 zset-max-ziplist-value 64 -# HyperLogLog sparse representation bytes limit. The limit includes the -# 16 bytes header. When an HyperLogLog using the sparse representation crosses -# this limit, it is converted into the dense representation. 
-# -# A value greater than 16000 is totally useless, since at that point the -# dense representation is more memory efficient. -# -# The suggested value is ~ 3000 in order to have the benefits of -# the space efficient encoding without slowing down too much PFADD, -# which is O(N) with the sparse encoding. The value can be raised to -# ~ 10000 when CPU is not a concern, but space is, and the data set is -# composed of many HyperLogLogs with cardinality in the 0 - 15000 range. hll-sparse-max-bytes 3000 -# Active rehashing uses 1 millisecond every 100 milliseconds of CPU time in -# order to help rehashing the main Redis hash table (the one mapping top-level -# keys to values). The hash table implementation Redis uses (see dict.c) -# performs a lazy rehashing: the more operation you run into a hash table -# that is rehashing, the more rehashing "steps" are performed, so if the -# server is idle the rehashing is never complete and some more memory is used -# by the hash table. -# -# The default is to use this millisecond 10 times every second in order to -# actively rehash the main dictionaries, freeing memory when possible. -# -# If unsure: -# use "activerehashing no" if you have hard latency requirements and it is -# not a good thing in your environment that Redis can reply from time to time -# to queries with 2 milliseconds delay. -# -# use "activerehashing yes" if you don't have such hard requirements but -# want to free memory asap when possible. activerehashing yes -# The client output buffer limits can be used to force disconnection of clients -# that are not reading data from the server fast enough for some reason (a -# common reason is that a Pub/Sub client can't consume messages as fast as the -# publisher can produce them). 
-# -# The limit can be set differently for the three different classes of clients: -# -# normal -> normal clients including MONITOR clients -# slave -> slave clients -# pubsub -> clients subscribed to at least one pubsub channel or pattern -# -# The syntax of every client-output-buffer-limit directive is the following: -# -# client-output-buffer-limit -# -# A client is immediately disconnected once the hard limit is reached, or if -# the soft limit is reached and remains reached for the specified number of -# seconds (continuously). -# So for instance if the hard limit is 32 megabytes and the soft limit is -# 16 megabytes / 10 seconds, the client will get disconnected immediately -# if the size of the output buffers reach 32 megabytes, but will also get -# disconnected if the client reaches 16 megabytes and continuously overcomes -# the limit for 10 seconds. -# -# By default normal clients are not limited because they don't receive data -# without asking (in a push way), but just after a request, so only -# asynchronous clients may create a scenario where data is requested faster -# than it can read. -# -# Instead there is a default limit for pubsub and slave clients, since -# subscribers and slaves receive data in a push fashion. -# -# Both the hard or the soft limit can be disabled by setting them to zero. client-output-buffer-limit normal 0 0 0 client-output-buffer-limit slave 256mb 64mb 60 client-output-buffer-limit pubsub 32mb 8mb 60 -# Redis calls an internal function to perform many background tasks, like -# closing connections of clients in timeout, purging expired keys that are -# never requested, and so forth. -# -# Not all tasks are performed with the same frequency, but Redis checks for -# tasks to perform according to the specified "hz" value. -# -# By default "hz" is set to 10. 
Raising the value will use more CPU when -# Redis is idle, but at the same time will make Redis more responsive when -# there are many keys expiring at the same time, and timeouts may be -# handled with more precision. -# -# The range is between 1 and 500, however a value over 100 is usually not -# a good idea. Most users should use the default of 10 and raise this up to -# 100 only in environments where very low latency is required. hz 10 -# When a child rewrites the AOF file, if the following option is enabled -# the file will be fsync-ed every 32 MB of data generated. This is useful -# in order to commit the file to the disk more incrementally and avoid -# big latency spikes. aof-rewrite-incremental-fsync yes maxmemory-policy noeviction + +# Consul-Template is used in the redis file at deployment time +# It reads the password from Vault and inserts it into this file {{- with secret "kv/development/redispassword" }} requirepass "{{ .Data.value }}" {{- end}} diff --git a/scripts/consul_goapp_verify.sh b/scripts/consul_goapp_verify.sh index 9649436..7401a3d 100755 --- a/scripts/consul_goapp_verify.sh +++ b/scripts/consul_goapp_verify.sh @@ -1,7 +1,7 @@ #!/usr/bin/env bash source /usr/local/bootstrap/var.env -set -e +set -x echo "running consul goapp client health test" app_health="NOTGOOD" diff --git a/scripts/install_redis.sh b/scripts/install_redis.sh index 1bf81df..2310c45 100755 --- a/scripts/install_redis.sh +++ b/scripts/install_redis.sh 
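Review bot: Swapping `set -e` for `set -x` in consul_goapp_verify.sh removes fail-fast from the health test, so a failing command after `source /usr/local/bootstrap/var.env` no longer aborts the script, while `-x` now echoes every expanded command line into the provisioning log, including any values that came from var.env. If tracing is wanted for debugging, keep both with `set -ex`, or better `set -euo pipefail` and enable `set -x` only around the section under investigation. The rest of the script continues below the hunk.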
@@ -48,19 +48,22 @@ register_redis_service_with_consul () { } EOF + # Register the service in consul via the local Consul agent api curl \ -v \ --request PUT \ --data @redis_service.json \ http://127.0.0.1:8500/v1/agent/service/register - curl \ - -v \ - http://127.0.0.1:8500/v1/agent/services + # List the locally registered services via local Consul api + curl \ + -v \ + http://127.0.0.1:8500/v1/agent/services | jq -r . - curl \ - -v \ - http://${LEADER_IP}:8500/v1/catalog/services + # List the services regestered on the Consul server + curl \ + -v \ + http://${LEADER_IP}:8500/v1/catalog/services | jq -r . echo 'Register service with Consul Service Discovery Complete' } From 729af3665a6deaa267eda472190f39c1536883b8 Mon Sep 17 00:00:00 2001 From: Graham Land Date: Sat, 22 Sep 2018 14:14:37 +0100 Subject: [PATCH 22/36] updated readme --- .admin-token | 2 +- .appRoleID | 2 +- .database-token | 2 +- .wrapped-provisioner-token | 2 +- readme.md | 1 + 5 files changed, 5 insertions(+), 4 deletions(-) diff --git a/.admin-token b/.admin-token index 1248b90..9ecf61c 100644 --- a/.admin-token +++ b/.admin-token @@ -1 +1 @@ -09b43426-7c0a-8a60-00be-85c3b29cd159 \ No newline at end of file +addc74f7-1fdf-317c-60e8-e3923d104c01 \ No newline at end of file diff --git a/.appRoleID b/.appRoleID index 921da29..afb21a2 100644 --- a/.appRoleID +++ b/.appRoleID @@ -1 +1 @@ -a285bf50-794d-d064-d8d8-a74a9d8773b6 \ No newline at end of file +ac058477-f564-4700-1f81-cd2630d89c1d \ No newline at end of file diff --git a/.database-token b/.database-token index bb377e6..5c39d03 100644 --- a/.database-token +++ b/.database-token @@ -1 +1 @@ -5a4a57aa-d3f1-deb2-b07c-83714b21352d \ No newline at end of file +935d0345-37ec-68c7-dedc-880c88ef4038 \ No newline at end of file diff --git a/.wrapped-provisioner-token b/.wrapped-provisioner-token index 8cfef9c..3a1d3b0 100644 --- a/.wrapped-provisioner-token +++ b/.wrapped-provisioner-token 
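Review bot: The registration `curl` still runs without `--fail`, so a 4xx/5xx from the local agent (an ACL denial or a malformed `redis_service.json`) exits 0 and the function goes on to print 'Register service with Consul Service Discovery Complete'; the two listing calls now pipe into `jq`, so a refused connection is hidden behind jq's exit status as well. Suggest `curl -sSf --request PUT --data @redis_service.json http://127.0.0.1:8500/v1/agent/service/register || { echo 'redis service registration failed' >&2; return 1; }` for the registration, and `"${LEADER_IP}"` quoted in the catalog URL. `-v` also dumps full request and response headers into the log; `-sS` keeps the error output and drops the noise. The new comment misspells `regestered`, and register_redis_service_with_consul begins above the hunk.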
@@ -1 +1 @@ -f3bb4609-3245-889b-4efe-9fb95e218ade \ No newline at end of file +b95e2a92-eb1c-48bc-58c0-8ed8bd34c54a \ No newline at end of file diff --git a/readme.md b/readme.md index a3b2eb9..4b4a991 100644 --- a/readme.md +++ b/readme.md @@ -602,6 +602,7 @@ __WebCounter Application__ * Modify the application to request a wrapped secret-id token from the new *Secret-ID Factory* outlined above inorder to obtain its vault token. * Change colour from Red to Blue in hand drawn architecture diagram for statement in Redis boc "Password Stored in Vault" * Remove all comments from redis.conf.ctpl +* Moved Redis service registration from HCL file to API - fixed tests too From 98334b2a4bad3d1f5043631c33aa511a9314b823 Mon Sep 17 00:00:00 2001 From: Graham Land Date: Sat, 22 Sep 2018 14:20:54 +0100 Subject: [PATCH 23/36] wip - building web service config --- scripts/install_redis.sh | 4 +-- scripts/install_webserver.sh | 65 ++++++++++++++++++++++++++++++++++++ 2 files changed, 67 insertions(+), 2 deletions(-) diff --git a/scripts/install_redis.sh b/scripts/install_redis.sh index 2310c45..af549dc 100755 --- a/scripts/install_redis.sh +++ b/scripts/install_redis.sh @@ -3,7 +3,7 @@ set -x source /usr/local/bootstrap/var.env -echo 'Start Setup of Vault Environment' +echo 'Start Setup of Redis Deployment Environment' IFACE=`route -n | awk '$1 == "192.168.2.0" {print $8}'` CIDR=`ip addr show ${IFACE} | awk '$2 ~ "192.168.2" {print $2}'` IP=${CIDR%%/24} @@ -20,7 +20,7 @@ register_redis_service_with_consul () { echo 'Start to register service with Consul Service Discovery' - # configure Audit Backend + # configure redis service definition tee redis_service.json </dev/null || { # potentially add jq to base image sudo apt-get update From 11fb80faeb1f25f091baacc274e5195a6d54d37f Mon Sep 17 00:00:00 2001 
From: Graham Land Date: Sat, 22 Sep 2018 20:18:12 +0100 Subject: [PATCH 24/36] added secretid service registration to consul --- .admin-token | 2 +- .appRoleID | 2 +- .database-token | 2 +- .wrapped-provisioner-token | 2 +- scripts/install_SecretID_Factory.sh | 54 +++++++++++++++++++++++++++++ scripts/install_webserver.sh | 41 ++++++++++------------ 6 files changed, 77 insertions(+), 26 deletions(-) diff --git a/.admin-token b/.admin-token index 9ecf61c..420e61c 100644 --- a/.admin-token +++ b/.admin-token @@ -1 +1 @@ -addc74f7-1fdf-317c-60e8-e3923d104c01 \ No newline at end of file +fa70f466-df1e-def5-975e-0b369dd189d7 \ No newline at end of file diff --git a/.appRoleID b/.appRoleID index afb21a2..31d9b6b 100644 --- a/.appRoleID +++ b/.appRoleID @@ -1 +1 @@ -ac058477-f564-4700-1f81-cd2630d89c1d \ No newline at end of file +7e4641f4-e07c-9a2b-c004-cacf105c7a43 \ No newline at end of file diff --git a/.database-token b/.database-token index 5c39d03..fabe533 100644 --- a/.database-token +++ b/.database-token @@ -1 +1 @@ -935d0345-37ec-68c7-dedc-880c88ef4038 \ No newline at end of file +40360175-7b90-2f41-96ac-01ae598049ed \ No newline at end of file diff --git a/.wrapped-provisioner-token b/.wrapped-provisioner-token index 3a1d3b0..3ac5d1b 100644 --- a/.wrapped-provisioner-token +++ b/.wrapped-provisioner-token @@ -1 +1 @@ -b95e2a92-eb1c-48bc-58c0-8ed8bd34c54a \ No newline at end of file +297c9655-523c-5832-6b4c-1d3596514597 \ No newline at end of file diff --git a/scripts/install_SecretID_Factory.sh b/scripts/install_SecretID_Factory.sh index fc7fa1e..f418b4b 100755 --- a/scripts/install_SecretID_Factory.sh +++ b/scripts/install_SecretID_Factory.sh 
@@ -3,6 +3,58 @@ set -x source /usr/local/bootstrap/var.env +register_secret_id_service_with_consul () { + + echo 'Start to register secret_id service with Consul Service Discovery' + + # configure web service definition + tee secretid_service.json </dev/null || { # remove nginx default website [ -f /etc/nginx/sites-enabled/default ] && sudo rm -f /etc/nginx/sites-enabled/default -# copy a consul service definition directory -sudo mkdir -p /etc/consul.d -sudo cp -p /usr/local/bootstrap/conf/consul.d/webtier.json /etc/consul.d/webtier.json +register_nginx_service_with_consul # make consul reload conf sudo killall -1 consul From da91d4c8e1b326420ac992b0cc8e0b8acec4dbca Mon Sep 17 00:00:00 2001 From: Graham Land Date: Sat, 22 Sep 2018 21:05:02 +0100 Subject: [PATCH 25/36] fixed meta data issue --- .admin-token | 2 +- .appRoleID | 2 +- .database-token | 2 +- .wrapped-provisioner-token | 2 +- scripts/install_SecretID_Factory.sh | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.admin-token b/.admin-token index 420e61c..b7425cd 100644 --- a/.admin-token +++ b/.admin-token @@ -1 +1 @@ -fa70f466-df1e-def5-975e-0b369dd189d7 \ No newline at end of file +07aeb4f1-91f3-c05c-5d7e-e9938fa1516f \ No newline at end of file diff --git a/.appRoleID b/.appRoleID index 31d9b6b..f22c6a4 100644 --- a/.appRoleID +++ b/.appRoleID @@ -1 +1 @@ -7e4641f4-e07c-9a2b-c004-cacf105c7a43 \ No newline at end of file +d3285dca-f217-3f72-42e0-e859264c028b \ No newline at end of file diff --git a/.database-token b/.database-token index fabe533..1b1d32a 100644 --- a/.database-token +++ b/.database-token @@ -1 +1 @@ -40360175-7b90-2f41-96ac-01ae598049ed \ No newline at end of file +0b78208a-f2b8-0ffb-6f7e-384e008ad2ea \ No newline at end of file diff --git a/.wrapped-provisioner-token b/.wrapped-provisioner-token index 3ac5d1b..f0b2f58 100644 --- a/.wrapped-provisioner-token +++ b/.wrapped-provisioner-token 
@@ -1 +1 @@ -297c9655-523c-5832-6b4c-1d3596514597 \ No newline at end of file +8bcedd80-03c2-9bba-9280-06e6f9020b59 \ No newline at end of file diff --git a/scripts/install_SecretID_Factory.sh b/scripts/install_SecretID_Factory.sh index f418b4b..a75b76e 100755 --- a/scripts/install_SecretID_Factory.sh +++ b/scripts/install_SecretID_Factory.sh @@ -18,7 +18,7 @@ register_secret_id_service_with_consul () { "Address": "${IP}", "Port": 8314, "Meta": { - "SecretID Factory Service": "0.0.1" + "SecretID-Factory-Service": "0.0.1" }, "EnableTagOverride": false, "check": From 48c88332955caed28fbca4b7b983266c6d01e642 Mon Sep 17 00:00:00 2001 From: Graham Land Date: Sat, 22 Sep 2018 21:54:58 +0100 Subject: [PATCH 26/36] moved factory and vault to consul --- main.go | 16 ++++++++-------- nomad_job.hcl | 8 ++++---- scripts/install_SecretID_Factory.sh | 2 +- 3 files changed, 13 insertions(+), 13 deletions(-) diff --git a/main.go b/main.go index 6d9c41b..d251b54 100644 --- a/main.go +++ b/main.go @@ -29,7 +29,7 @@ var consulClient *consul.Client var targetPort string var targetIP string var thisServer string -var appRolePtr *string +var appRoleID *string var factoryIPPtr *string var vaultAddress string @@ -38,8 +38,7 @@ func main() { portPtr := flag.Int("port", 8080, "Default's to port 8080. Use -port=nnnn to use listen on an alternate port.") ipPtr := flag.String("ip", "127.0.0.1", "Default's to all interfaces by using 127.0.0.1") - factoryIPPtr = flag.String("bootstrapip", "127.0.0.1", "Default's to factory service installed on 127.0.0.1") - appRolePtr = flag.String("appRole", "id-factory", "Application Role Name to be used to bootstrap access to Vault's secrets") + appRoleID = flag.String("appRole", "id-factory", "Application Role Name to be used to bootstrap access to Vault's secrets") templatePtr := flag.String("templates", "templates/*.html", "Default's to templates/*.html -templates=????") flag.Parse() targetPort = strconv.Itoa(*portPtr) 
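Review bot: In main.go, `var factoryIPPtr *string` survives as context in the first hunk while its only assignment (the `-bootstrapip` flag) is deleted in the second, leaving a package-level pointer that is never set; remove the declaration together with the flag so no remaining `*factoryIPPtr` dereference can nil-panic. The renamed `appRoleID` keeps the flag's help text "Application Role Name" and default `id-factory`, so the identifier now says ID where the value is a role name; `appRoleName` would match what the flag documents. main() continues past the hunk.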
@@ -152,9 +151,9 @@ func getVaultKV(vaultKey string) string { goapphealth = "NOTGOOD" } - // Read in the Vault address from consul - vaultIP := getConsulKV(*consulClient, "LEADER_IP") - vaultAddress = "http://" + vaultIP + ":8200" + // Read in the Vault service details from consul + vaultService := getConsulSVC(*consulClient, "vault") + vaultAddress = "http://" + vaultService fmt.Printf("Secret Store Address : >> %v \n", vaultAddress) // Get a handle to the Vault Secret KV API @@ -166,7 +165,8 @@ func getVaultKV(vaultKey string) string { return "FAIL" } - appRoletoken := getVaultToken(*factoryIPPtr, *appRolePtr) + approleService := getConsulSVC(*consulClient, "approle") + appRoletoken := getVaultToken(approleService, *appRoleID) fmt.Printf("New Application Token : >> %v \n", appRoletoken) vaultClient.SetToken(appRoletoken) @@ -369,7 +369,7 @@ func getVaultToken(factoryAddress string, appRole string) string { // fmt.Println("\nAPP ROLE:>", appRole) // fmt.Println("\nDebug Vars End") - factoryBaseURL := "http://" + factoryAddress + ":8314" + factoryBaseURL := "http://" + factoryAddress healthAPI := factoryBaseURL + "/health" secretAPI := factoryBaseURL + "/approlename" vaultUnwrapAPI := vaultAddress + "/v1/sys/wrapping/unwrap" diff --git a/nomad_job.hcl b/nomad_job.hcl index 9dd3897..3c33aba 100644 --- a/nomad_job.hcl +++ b/nomad_job.hcl @@ -1,13 +1,13 @@ -job "peach" { +job "webpagecounter" { datacenters = ["dc1"] type = "service" - group "example" { + group "webcountergroup" { count = 4 - task "example" { + task "deploy-webcounters" { driver = "raw_exec" config { command = "/usr/local/bin/webcounter" - args = ["-port=${NOMAD_PORT_http}", "-ip=0.0.0.0", "-bootstrapip=192.168.2.11","-templates=/usr/local/bin/templates/*.html"] + args = ["-port=${NOMAD_PORT_http}", "-ip=0.0.0.0","-templates=/usr/local/bin/templates/*.html"] } resources { cpu = 20 diff --git a/scripts/install_SecretID_Factory.sh b/scripts/install_SecretID_Factory.sh index a75b76e..b312c91 100755 
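Review bot: In the `@@ -152,9 +151,9 @@` hunk `vaultAddress = "http://" + vaultService` is built without checking that `getConsulSVC` actually resolved the `vault` service; if that helper can return an empty string on a missing service (its body is not in this patch, so this is inferred), the client is pointed at `http://` and the failure only surfaces as a later, less specific Vault error. The function already uses `return "FAIL"` for lookup failures a few lines above, so a guard in the same style fits: `if vaultService == "" { fmt.Println("vault service not registered in Consul"); return "FAIL" }`, and likewise for `approleService` in the `@@ -166` hunk. Because the `@@ -369` hunk drops the hard-coded `:8314` suffix, the address returned for the `approle` service must now carry its port; a one-line comment at the call site (`// getConsulSVC must return host:port`) would record that contract. The fixed `http://` scheme in all three hunks also means the AppRole token handed to `vaultClient.SetToken` and the factory exchange travel in cleartext, so the scheme should be configurable with https as the default. `getVaultKV` and `getVaultToken` both start and end outside these hunks.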
--- a/scripts/install_SecretID_Factory.sh +++ b/scripts/install_SecretID_Factory.sh @@ -10,7 +10,7 @@ register_secret_id_service_with_consul () { # configure web service definition tee secretid_service.json < Date: Sun, 23 Sep 2018 20:42:31 +0100 Subject: [PATCH 27/36] removed unnecessary tokens --- .gitignore | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/.gitignore b/.gitignore index 374ac82..09c2fc5 100644 --- a/.gitignore +++ b/.gitignore @@ -5,4 +5,9 @@ main .provisioner-token .approle-id .secret-id -.orchestrator-token \ No newline at end of file +.orchestrator-token +.admin-token +.appRoleID +.database-token +.wrapped-provisioner-token +.DS_Store From 54707ec65fc958b3a32ecb24c2c217c44c77fdfe Mon Sep 17 00:00:00 2001 From: Graham Land Date: Sun, 23 Sep 2018 20:43:39 +0100 Subject: [PATCH 28/36] Delete .DS_Store --- .DS_Store | Bin 10244 -> 0 bytes 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 .DS_Store diff --git a/.DS_Store b/.DS_Store deleted file mode 100644 index c42737f3f25935eb8502b8ecef2387a2d79a4a78..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 10244 zcmeHMTWl0n7(V~f!c2$KY3Y^O%EE%&Dzs85L@wJc4fF!7Y)e~OT4r~q?S$ExWoEXe zlwwVM5;Z=bGxqmm~Xt@$k>6-0SSAPkC1v$A37jax3mzSS+ zI5upK#vIv6+fmu-b>G@$XE^SaJ4{p0l;!wAO&uK&iyKVCku^iLXt1WJ=+f7v8Hza? zHPeP-(|Tgez;Qgs4~XUC|tt&5j>`FhY9aa5A$15oE|8jCoIliQXm!($d)A=Luz#Fur9|{z0HW4j$@)& zQgch|zWr?jqL{YT1F9}N+K9Sac2qk%m0bx_PbUqu6eeUnkw#~=Ue{fSsQ2Ben34Ed zS?WGyo0fy=#mX`u-!oY}e{o6K@>OdedbnCX+Z6+tbxYC8^(SwpF&Bwv=jMmp;O_>Cje4 zdpWMhwbm;Nb}1ZDzoVSUFf_wY3P?Co%_t+f9~+gVnnX!6>BmKHjGQLVlk?Biw>N0yzOb zP{jI~VZ1k$m=-^}im{Z9=22B=l23U1_)`QifRTqA7ekmF)5vu+W#@;D2`9AIYDTSYdvv3YxgqM)Yufl6^F+=6I;T`x8K7lXb z#w_BtPE(dixS37dk(g!ZrZI$;=>`7oApgxrz(>GGz(>GGz(?SIBCvo}7IM%38|VK2 z|9&><*X1MNBQVbpfSld2-BIk+Tp!>8w1x0Kg139Qev?en5PY~UuAUypvOIGD*WRj)tS8;V9W@{(tvpfWQBrcPC!{{{Mg7|NjlPEF7T# From c11f4da69a38ddf992f451e4719517afa71745aa Mon Sep 17 00:00:00 2001 
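Review bot: The `.gitignore` entries added in the `@@ -5,4 +5,9 @@` hunk do not untrack files that are already committed, and the values in `.admin-token`, `.appRoleID`, `.database-token` and `.wrapped-provisioner-token` remain readable in this series' history (PATCH 01 and PATCH 25 show their contents), so the later per-file `Delete` commits (PATCH 29-32) do not remove the exposure either; the same holds for the `role_id`/`secret_id` pairs in the two `*-secret-id-login.json` files deleted in PATCH 34 and 35. Every token and AppRole identifier committed in this series should be treated as disclosed and revoked or rotated in Vault, and if the repository is shared the history should be rewritten rather than relying on the ignore rules. A short comment in the ignore file, `# local Vault/Consul credentials written by the bootstrap scripts - never commit`, would document why these patterns exist.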
From: Graham Land
Date: Sun, 23 Sep 2018 20:43:59 +0100
Subject: [PATCH 29/36] Delete .admin-token
---
 .admin-token | 1 -
 1 file changed, 1 deletion(-)
 delete mode 100644 .admin-token
diff --git a/.admin-token b/.admin-token
deleted file mode 100644
index b7425cd..0000000
--- a/.admin-token
+++ /dev/null
@@ -1 +0,0 @@
-07aeb4f1-91f3-c05c-5d7e-e9938fa1516f
\ No newline at end of file
From 0f1fc5b251c32d36d8cf0fb26023f512edd4969e Mon Sep 17 00:00:00 2001
From: Graham Land
Date: Sun, 23 Sep 2018 20:44:18 +0100
Subject: [PATCH 30/36] Delete .appRoleID
---
 .appRoleID | 1 -
 1 file changed, 1 deletion(-)
 delete mode 100644 .appRoleID
diff --git a/.appRoleID b/.appRoleID
deleted file mode 100644
index f22c6a4..0000000
--- a/.appRoleID
+++ /dev/null
@@ -1 +0,0 @@
-d3285dca-f217-3f72-42e0-e859264c028b
\ No newline at end of file
From c5ebe2650be55ef4426e62b4e7cca975c14cdccd Mon Sep 17 00:00:00 2001
From: Graham Land
Date: Sun, 23 Sep 2018 20:44:30 +0100
Subject: [PATCH 31/36] Delete .database-token
---
 .database-token | 1 -
 1 file changed, 1 deletion(-)
 delete mode 100644 .database-token
diff --git a/.database-token b/.database-token
deleted file mode 100644
index 1b1d32a..0000000
--- a/.database-token
+++ /dev/null
@@ -1 +0,0 @@
-0b78208a-f2b8-0ffb-6f7e-384e008ad2ea
\ No newline at end of file
From b49acd6263ff3d7ae941be8e44c847d27b553ca6 Mon Sep 17 00:00:00 2001
From: Graham Land
Date: Sun, 23 Sep 2018 20:44:55 +0100
Subject: [PATCH 32/36] Delete .wrapped-provisioner-token
---
 .wrapped-provisioner-token | 1 -
 1 file changed, 1 deletion(-)
 delete mode 100644 .wrapped-provisioner-token
diff --git a/.wrapped-provisioner-token b/.wrapped-provisioner-token
deleted file mode 100644
index f0b2f58..0000000
--- a/.wrapped-provisioner-token
+++ /dev/null
@@ -1 +0,0 @@
-8bcedd80-03c2-9bba-9280-06e6f9020b59
\ No newline at end of file
From 6c05b6ca25ff2ba1354b1a61166e964b452f71c9 Mon Sep 17 00:00:00 2001
From: Graham Land
Date: Sun, 23 Sep 2018 20:48:20 +0100
Subject: [PATCH 33/36] Update .gitignore
---
 .gitignore | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.gitignore b/.gitignore
index 09c2fc5..0c1ed22 100644
--- a/.gitignore
+++ b/.gitignore
@@ -11,3 +11,4 @@ main
 .database-token
 .wrapped-provisioner-token
 .DS_Store
+*.json
From 8f8ba04dc5bab909a05b515e653c56899a592b6e Mon Sep 17 00:00:00 2001
From: Graham Land
Date: Sun, 23 Sep 2018 20:48:36 +0100
Subject: [PATCH 34/36] Delete goapp-secret-id-login.json
---
 goapp-secret-id-login.json | 2 --
 1 file changed, 2 deletions(-)
 delete mode 100644 goapp-secret-id-login.json
diff --git a/goapp-secret-id-login.json b/goapp-secret-id-login.json
deleted file mode 100644
index 9e44a1c..0000000
--- a/goapp-secret-id-login.json
+++ /dev/null
@@ -1,2 +0,0 @@
-{
-"role_id": "84a3fd5d-201b-4aa9-f69b-a6a35d849e74", "secret_id": "0fe36a03-6299-8361-da1f-2ae859541648" }
From 38718c753146573a09ddf6591d9d656a400f6894 Mon Sep 17 00:00:00 2001
From: Graham Land
Date: Sun, 23 Sep 2018 20:48:51 +0100
Subject: [PATCH 35/36] Delete id-factory-secret-id-login.json
---
 id-factory-secret-id-login.json | 4 ----
 1 file changed, 4 deletions(-)
 delete mode 100644 id-factory-secret-id-login.json
diff --git a/id-factory-secret-id-login.json b/id-factory-secret-id-login.json
deleted file mode 100644
index f6923a1..0000000
--- a/id-factory-secret-id-login.json
+++ /dev/null
@@ -1,4 +0,0 @@
- {
- "role_id": "2c5a4855-cca1-d633-5851-0fde00277e15",
- "secret_id": "null"
- }
From 847cfa7c9d6ce830b11c4bb53bd843c90fe407fa Mon Sep 17 00:00:00 2001
From: Graham Land
Date: Sun, 23 Sep 2018 20:53:31 +0100
Subject: [PATCH 36/36] Update readme.md
---
 readme.md | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/readme.md b/readme.md
index 4b4a991..3c972df 100644
--- a/readme.md
+++ b/readme.md
@@ -520,10 +520,8 @@ __WebCounter Application__ ### New Features ### Refactor -1. Move all the application service checks creation process into the application itself rather than relying on external bash scripts for both redis and webpage counter -2. Ensure the service checks are only deployed to Consul once the application is configured and online -3. Refactor application to leverage consul service discovery for VAULT details -3. Configure a Consul Connect intention to permit the applications to communicate with the new Secret-ID Factory + +*. Configure a Consul Connect intention to permit the applications to communicate with the new Secret-ID Factory ## Done * Build own box using packer with above scripts @@ -603,6 +601,9 @@ __WebCounter Application__ * Change colour from Red to Blue in hand drawn architecture diagram for statement in Redis boc "Password Stored in Vault" * Remove all comments from redis.conf.ctpl * Moved Redis service registration from HCL file to API - fixed tests too +* Move all the application service checks creation process into the application deployment itself rather than relying on external bash scripts for both redis and webpage counter +* Refactor application to leverage consul service discovery for VAULT details +