
3419d81b163736c43d15e0e214f153a9f2ae2888 — Damien Radtke 9 months ago 3922a67
Add process for UI access
M .gitignore => .gitignore +2 -0
@@ 2,3 2,5 @@
.terraform
*.backup
secrets.tfvars
*.pem
*.p12

M README.md => README.md +12 -0
@@ 20,6 20,18 @@ Terraform and running on Linode with openSUSE.
- `terraform`: Terraform definition files, used for provisioning.
- `tools`: Scripts to be used on a support box.

# Viewing the UIs

In order to view the UIs for Consul, Nomad, and Vault, you need to generate a certificate bundle with the CA's private key for each one, then `scp` it to your desktop and import it into your browser. In Firefox, you can go to **Preferences** -> **Privacy & Security** -> **Certificates** -> **View Certificates** and then import client certificates from the "Your Certificates" pane.

For example, to generate a bundle suitable for use with Nomad, run:

```bash
$ generate-client-cert-bundle nomad
```

OpenSSL will prompt you for a passphrase, and then you should see `nomad.p12` in the current directory. This is the file that should be imported to Firefox.

# Notes

## Issuing Certificates

M terraform/consul-server/outputs.tf => terraform/consul-server/outputs.tf +3 -3
@@ 1,4 1,4 @@
output "ips" {
  description = "Consul server IP addresses"
  value       = linode_instance.servers[*].ipv6
output "instances" {
  description = "Consul server instances"
  value       = linode_instance.servers
}

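--- a/terraform/domain-address/main.tf
+++ b/terraform/domain-address/main.tf
@@ -0,0 +1,19 @@
+data "linode_domain" "d" {
+	domain = var.domain
+}
+
+resource "linode_domain_record" "a" {
+	for_each = toset(var.instances[*].ip_address)
+	domain_id = data.linode_domain.d.id
+	name = var.name
+	record_type = "A"
+	target = each.value
+}
+
+resource "linode_domain_record" "aaaa" {
+	for_each = toset([for ip in var.instances[*].ipv6: split("/", ip)[0]])
+	domain_id = data.linode_domain.d.id
+	name = var.name
+	record_type = "AAAA"
+	target = each.value
+}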
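--- a/terraform/domain-address/variables.tf
+++ b/terraform/domain-address/variables.tf
@@ -0,0 +1,15 @@
+variable domain {
+	type = string
+}
+
+variable name {
+	type = string
+	default = ""
+}
+
+variable instances {
+	type = list(object({
+		ip_address = string
+		ipv6 = string
+	}))
+}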
M terraform/domains.tf => terraform/domains.tf +23 -31
@@ 1,41 1,33 @@
data "linode_domain" "damienradtkecom" {
module "damienradtke-com" {
	source = "./domain-address"
	domain = "damienradtke.com"
	instances = module.nomad-client-load-balancer.instances
}

resource "linode_domain_record" "damienradtkecom_root_a" {
	for_each = toset([
		for ip in flatten(module.nomad-client-load-balancer.instances[*].ipv4[*]):
			ip if substr(ip, 0, 8) != "192.168."  // doesn't look like terraform supports "starts with"
	])
	domain_id = data.linode_domain.damienradtkecom.id
	name = ""
	record_type = "A"
	target = each.value
module "www-damienradtke-com" {
	source = "./domain-address"
	domain = "damienradtke.com"
	name = "www"
	instances = module.nomad-client-load-balancer.instances
}

resource "linode_domain_record" "damienradtkecom_root_aaaa" {
	for_each = toset(module.nomad-client-load-balancer.instances[*].ipv6)
	domain_id = data.linode_domain.damienradtkecom.id
	name = ""
	record_type = "AAAA"
	target = split("/", each.value)[0]
module "consul-damienradtke-com" {
	source = "./domain-address"
	domain = "damienradtke.com"
	name = "consul"
	instances = [module.consul-server.instances[0]]
}

resource "linode_domain_record" "damienradtkecom_www_a" {
	for_each = toset([
		for ip in flatten(module.nomad-client-load-balancer.instances[*].ipv4[*]):
			ip if substr(ip, 0, 8) != "192.168."  // doesn't look like terraform supports "starts with"
	])
	domain_id = data.linode_domain.damienradtkecom.id
	name = "www"
	record_type = "A"
	target = each.value
module "nomad-damienradtke-com" {
	source = "./domain-address"
	domain = "damienradtke.com"
	name = "nomad"
	instances = [module.nomad-server.instances[0]]
}

resource "linode_domain_record" "damienradtkecom_www_aaaa" {
	for_each = toset(module.nomad-client-load-balancer.instances[*].ipv6)
	domain_id = data.linode_domain.damienradtkecom.id
	name = "www"
	record_type = "AAAA"
	target = split("/", each.value)[0]
module "vault-damienradtke-com" {
	source = "./domain-address"
	domain = "damienradtke.com"
	name = "vault"
	instances = [module.vault-server.instances[0]]
}

M terraform/main.tf => terraform/main.tf +4 -4
@@ 41,7 41,7 @@ module "nomad-server" {
  servers           = 1
  consul_version    = "1.7.2"
  nomad_version     = "0.11.3"
  consul_server_ips = module.consul-server.ips
  consul_server_ips = module.consul-server.instances[*].ipv6

  datacenter       = local.region
  image            = local.image


@@ 59,7 59,7 @@ module "nomad-client" {
  clients           = 1
  consul_version    = "1.7.2"
  nomad_version     = "0.11.3"
  consul_server_ips = module.consul-server.ips
  consul_server_ips = module.consul-server.instances[*].ipv6

  datacenter       = local.region
  image            = local.image


@@ 77,7 77,7 @@ module "nomad-client-load-balancer" {
  consul_version    = "1.7.2"
  nomad_version     = "0.11.3"
	node_class        = "load-balancer"
  consul_server_ips = module.consul-server.ips
  consul_server_ips = module.consul-server.instances[*].ipv6

  datacenter       = local.region
  image            = local.image


@@ 94,7 94,7 @@ module "vault-server" {
  servers           = 1
  consul_version    = "1.7.2"
  vault_version     = "1.4.0"
  consul_server_ips = module.consul-server.ips
  consul_server_ips = module.consul-server.instances[*].ipv6

  datacenter       = local.region
  image            = local.image

M terraform/nomad-server/main.tf => terraform/nomad-server/main.tf +1 -1
@@ 168,7 168,7 @@ resource "linode_instance" "servers" {
    connection { host = split("/", self.ipv6)[0] }
    inline = [
      "/usr/local/bin/issue-cert.sh --user consul --ca consul --name consul",
      "/usr/local/bin/issue-cert.sh --user nomad --ca nomad --name nomad --hostnames nomad.service.consul,server.global.nomad,${split("/", self.ipv6)[0]}",
      "/usr/local/bin/issue-cert.sh --user nomad --ca nomad --name nomad --hostnames nomad.service.consul,server.global.nomad,${split("/", self.ipv6)[0]},${self.ipv4}",
      "/usr/local/bin/issue-cert.sh --user nomad --ca nomad --name cli",
      "/usr/local/bin/issue-cert.sh --user nomad --ca consul --name consul",
      "/usr/local/bin/issue-cert.sh --user nomad --ca vault --name vault",

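Review bot: The rewritten `--hostnames` list adds `${self.ipv4}` but still omits the public name this commit creates for the UI (`nomad` under damienradtke.com in domains.tf), so a browser at that name would see a certificate whose SANs do not match and users are trained to click through the warning. `ipv4` also appears to be a list here — domains.tf flattens `instances[*].ipv4[*]` — so interpolating it directly into a string will likely fail or render the whole list, whereas `self.ip_address` is the single public IPv4. Assuming issue-cert.sh turns `--hostnames` into SANs, the line should read `"/usr/local/bin/issue-cert.sh --user nomad --ca nomad --name nomad --hostnames nomad.service.consul,server.global.nomad,${var.public_hostname},${split("/", self.ipv6)[0]},${self.ip_address}",` with the public name supplied by a new module variable rather than hard-coded. The enclosing `resource "linode_instance" "servers"` and its provisioner start and end outside this hunk.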
M terraform/nomad-server/outputs.tf => terraform/nomad-server/outputs.tf +3 -3
@@ 1,4 1,4 @@
output "ips" {
  description = "Nomad server IP addresses"
  value       = linode_instance.servers[*].ipv6
output "instances" {
  description = "Nomad server instances"
  value       = linode_instance.servers
}

M terraform/vault-server/outputs.tf => terraform/vault-server/outputs.tf +3 -3
@@ 1,4 1,4 @@
output "ips" {
  description = "Vault server IP addresses"
  value       = linode_instance.servers[*].ipv6
output "instances" {
  description = "Vault server instances"
  value       = linode_instance.servers
}

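--- a/tools/generate-client-cert-bundle
+++ b/tools/generate-client-cert-bundle
@@ -0,0 +1,15 @@
+#!/usr/bin/env bash
+
+if [[ $# -ne 1 ]]; then
+	echo "usage: $0 <app>"
+	exit 1
+fi
+
+generated="$(echo '{}' | sudo `which cfssl` gencert -ca "/etc/ssl/$1/ca.pem" -ca-key "/etc/ssl/$1/ca-key.pem" -)"
+
+echo "${generated}" | jq -r .cert > cert.pem
+echo "${generated}" | jq -r .key > key.pem
+
+openssl pkcs12 -export -out "$1.p12" -in cert.pem -inkey key.pem -certfile "/etc/ssl/$1/ca.pem"
+
+rm -f cert.pem key.pem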
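Review bot: `sudo cfssl gencert` is invoked with no `-config`/`-profile`, so the certificate is cut with cfssl's built-in defaults, which (unless the CA on the box overrides them) grant both server and client auth for a year; a UI bundle should be client-auth only and short-lived, otherwise whoever holds the `.p12` can also impersonate the Nomad, Consul or Vault endpoint to other clients. The `{}` CSR gives the cert no CN, so access cannot be attributed to a person in the service logs, and `key.pem` lands unencrypted in the current directory under the caller's umask (typically group/world-readable) and survives there if the openssl passphrase prompt is interrupted before the `rm -f`, with only the `.gitignore` patterns added in this commit keeping it out of version control. Without `set -euo pipefail` a failed `cfssl` yields an empty `generated` and empty files rather than an error, and the README's description of the bundle as containing "the CA's private key" should say it holds a leaf key signed by the CA — the CA key never leaves the box. I would restrict the profile, name the holder and keep the key in a private temp dir:
```bash
#!/usr/bin/env bash
set -euo pipefail
umask 077  # key.pem and the .p12 must not be readable by other users

# … unchanged: usage check …

app="$1"
# Private scratch dir, removed even if openssl's passphrase prompt is interrupted.
workdir="$(mktemp -d)"
trap 'rm -rf "${workdir}"' EXIT

# Name the holder so UI access is attributable, and issue from a profile whose
# only usage is "client auth" (CFSSL_CONFIG must point at the CA's signing config).
csr="$(printf '{"CN":"%s","hosts":[],"key":{"algo":"ecdsa","size":256}}' "${USER}")"
generated="$(printf '%s' "${csr}" | sudo "$(command -v cfssl)" gencert \
	-ca "/etc/ssl/${app}/ca.pem" -ca-key "/etc/ssl/${app}/ca-key.pem" \
	-config "${CFSSL_CONFIG:?set to the CA signing config}" -profile client -)"

jq -r .cert <<<"${generated}" > "${workdir}/cert.pem"
jq -r .key  <<<"${generated}" > "${workdir}/key.pem"

openssl pkcs12 -export -out "${app}.p12" -in "${workdir}/cert.pem" \
	-inkey "${workdir}/key.pem" -certfile "/etc/ssl/${app}/ca.pem"
```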