@ wrote... (4 months, 3 weeks ago)

I found the otherwise great consul docs to be very obtuse and confusing and maybe even wrong.

I'm running these commands against my home setup which only has a single consul server. In a more realistic setup you'll need to duplicate the config changes on all your consul servers and then restart them one at a time.

Ran against consul 1.4.0

make a master token

does not match my actual cluster you little hacker you

The docs say you should use consul acl bootstrap to do this, but it didn't work for me. ACL in legacy mode errors? I don't know, it was yesterday.

Here's how to manually do it.

# make a guid (print() form runs on python 2 and 3; note uuid1() is built from the clock and the host MAC address, so uuid4() is the better choice for a secret)
python -c 'import uuid; print(uuid.uuid1())'
426f45cc-087b-11e9-9f26-52722ba2bb3e

Edit /etc/consul.hcl and insert the following stanza

acl {
    enabled = true
    default_policy = "allow"
    tokens {
        master = "426f45cc-087b-11e9-9f26-52722ba2bb3e"
    }
}
systemctl restart consul.service
consul monitor # should show errors from nodes and services

make an agent policy

Create file agent-policy.hcl

node_prefix "" {
   policy = "write"
}
service_prefix "" {
   policy = "read"
}

Run the following command to create an agent policy.

consul acl policy create \
    -name 'agent-token' \
    -description "Agent Token Policy" \
    -rules @agent-policy.hcl \
    -token 426f45cc-087b-11e9-9f26-52722ba2bb3e

Gives output similar to this:

AccessorID:   e6977512-087c-11e9-9f26-52722ba2bb3e
SecretID:     26fb7c38-087c-11e9-9f26-52722ba2bb3e
Description:  Agent Token
Local:        false
Create Time:  2018-12-25 12:26:50.30003504 -0700 MST
Policies:
   29f90c7a-087c-11e9-9f26-52722ba2bb3e - agent-token

Note the SecretID.

add agent token

Edit consul.hcl again and insert the agent SecretID.

acl {
    enabled = true
    default_policy = "allow"
    tokens {
        master = "426f45cc-087b-11e9-9f26-52722ba2bb3e"
        agent  = "26fb7c38-087c-11e9-9f26-52722ba2bb3e"
    }
}

Restart consul again

consul monitor should show nodes and services being able to connect.

security

Because we're currently in default_policy = "allow", the acl subsystem is enabled but effectively neutered: anything without a token is still allowed. So, assuming all of the above works and you actually want some security, look into changing default_policy to "deny".

I haven't bothered to do that yet but it'll probably look something like this

acl {
    enabled = true
    default_policy = "deny"
    tokens {
        master = "426f45cc-087b-11e9-9f26-52722ba2bb3e"
        agent  = "26fb7c38-087c-11e9-9f26-52722ba2bb3e"
    }
}

Then export a token since all commands will need to be authenticated.

export CONSUL_HTTP_TOKEN="26fb7c38-087c-11e9-9f26-52722ba2bb3e"
consul members
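As an added example (my own code, not from this post or from Consul), here is a small Python script that ties up the loose ends of the procedure above: it mints a token from the OS random source instead of uuid1(), pulls the SecretID out of the AccessorID/SecretID block that the CLI printed, renders the acl stanza with default_policy = "deny", and audits a stanza for the "enabled but neutered" state. The CLI output and the stanza embedded in it are constructed from the sample IDs in this post, and all function names are mine. One thing worth knowing when you read that block: the AccessorID/SecretID layout is what `consul acl token create` prints, and a token's SecretID is the value that belongs in the `agent` field; a policy on its own has no SecretID.

```python
import re
import uuid

# Constructed sample, shaped like the AccessorID/SecretID block printed
# above and using the post's own sample IDs (not a real cluster's).
SAMPLE_TOKEN_OUTPUT = """\
AccessorID:   e6977512-087c-11e9-9f26-52722ba2bb3e
SecretID:     26fb7c38-087c-11e9-9f26-52722ba2bb3e
Description:  Agent Token
Local:        false
Create Time:  2018-12-25 12:26:50.30003504 -0700 MST
Policies:
   29f90c7a-087c-11e9-9f26-52722ba2bb3e - agent-token
"""

# The post's first acl stanza: enabled, default allow, no agent token yet.
SAMPLE_BOOTSTRAP_STANZA = """\
acl {
    enabled = true
    default_policy = "allow"
    tokens {
        master = "426f45cc-087b-11e9-9f26-52722ba2bb3e"
    }
}
"""

UUID_RE = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$")

STANZA_TEMPLATE = """\
acl {{
    enabled = true
    default_policy = "{default_policy}"
    tokens {{
        master = "{master}"
        agent  = "{agent}"
    }}
}}
"""


def new_token():
    """Mint a token from the OS CSPRNG (a version-4 UUID).

    uuid1(), used in the post, encodes the clock and the host's MAC address,
    so part of such a token is predictable; uuid4() is entirely random.
    """
    return str(uuid.uuid4())


def token_version(token):
    """UUID version of a token string: 1 = clock/MAC based, 4 = random."""
    return uuid.UUID(token).version


def parse_token_output(text):
    """Turn the 'Key:   value' lines of the CLI output into a dict.

    Indented lines (the policy list) and bare headers like 'Policies:' carry
    no value on their own line and are skipped.
    """
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z][A-Za-z ]*?):\s+(\S.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def secret_id(text):
    """Extract the SecretID, the value that goes into tokens { agent = ... }."""
    sid = parse_token_output(text).get("SecretID")
    if not sid or not UUID_RE.match(sid):
        raise ValueError("output does not contain a well-formed SecretID")
    return sid


def render_acl_stanza(master, agent, default_policy="deny"):
    """Render the acl stanza for consul.hcl, defaulting to deny."""
    if default_policy not in ("allow", "deny"):
        raise ValueError("default_policy must be allow or deny")
    for name, value in (("master", master), ("agent", agent)):
        if not UUID_RE.match(value):
            raise ValueError("%s token is not a UUID: %r" % (name, value))
    return STANZA_TEMPLATE.format(
        default_policy=default_policy, master=master, agent=agent)


def audit_acl_stanza(hcl):
    """Findings for an acl stanza; an empty list means nothing to flag."""
    findings = []
    if not re.search(r"enabled\s*=\s*true", hcl):
        findings.append("acl.enabled is not true: ACLs are off")
    if re.search(r'default_policy\s*=\s*"allow"', hcl):
        findings.append('default_policy = "allow": ACLs on but neutered')
    m = re.search(r'master\s*=\s*"([^"]*)"', hcl)
    if m and UUID_RE.match(m.group(1)) and token_version(m.group(1)) == 1:
        findings.append("master token is a version-1 UUID (clock + MAC address)")
    if not re.search(r'agent\s*=\s*"[^"]+"', hcl):
        findings.append("no agent token: nodes and services cannot register")
    return findings


if __name__ == "__main__":
    agent = secret_id(SAMPLE_TOKEN_OUTPUT)
    stanza = render_acl_stanza(new_token(), agent)
    print(stanza)
    for finding in audit_acl_stanza(SAMPLE_BOOTSTRAP_STANZA):
        print("bootstrap stanza:", finding)
    for finding in audit_acl_stanza(stanza):
        print("rendered stanza:", finding)
```

Run it as a plain script to see the rendered deny stanza and the three findings against the bootstrap stanza (allow, version-1 master token, no agent token). To audit your real file, read the acl block out of /etc/consul.hcl and pass it to audit_acl_stanza.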
Category: tech, Tags: consul