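#!/usr/bin/env bash
#
# consul-acls-manage.sh - enable or disable Consul ACLs on an e2e cluster.
#
# Usage: consul-acls-manage.sh <enable|disable>
#
# Must be run from the e2e/ directory, after terraform has produced
# terraform/terraform.tfstate: node IPs and the SSH private key path are read
# from that state file.
#
# The first "enable" for a given terraform state (identified by its .serial)
# performs a full Consul ACL bootstrap and records the bootstrap token in
# /tmp/e2e-consul-bootstrap-<serial>.token (created mode 0600). Later "enable"
# runs find that file and only re-activate ACLs; "disable" deactivates them.

set -o errexit
set -o nounset
set -o pipefail

readonly tfstatefile="terraform/terraform.tfstate"

#######################################
# Print a message to stderr and exit the script with status 1.
# Arguments: $* - message
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Make sure we are running from the e2e/ directory
[ "$(basename "$(pwd)")" == "e2e" ] || die "must be run from nomad/e2e directory"

# Make sure one argument was provided (subcommand)
[ "$#" -eq 1 ] || die "expect one argument (subcommand)"

# Make sure terraform state file exists
[ -f "${tfstatefile}" ] || die "file ${tfstatefile} must exist (run terraform?)"

# Load Linux Client Node IPs from terraform state file, one element per node.
mapfile -t linux_clients < <(jq -r '.outputs.linux_clients.value[]' <"${tfstatefile}")

# Load Windows Client Node IPs from terraform state file (only reported, never
# configured by this script).
mapfile -t windows_clients < <(jq -r '.outputs.windows_clients.value[]' <"${tfstatefile}")

# Load Server Node IPs from terraform state file
mapfile -t servers < <(jq -r '.outputs.servers.value[]' <"${tfstatefile}")

# A jq failure inside the process substitution above cannot trip errexit, so
# check that the lists this script iterates over are actually populated.
(( ${#servers[@]} > 0 )) || die "no servers found in ${tfstatefile}"
(( ${#linux_clients[@]} > 0 )) || die "no linux clients found in ${tfstatefile}"

# Use the 0th server as the ACL bootstrap server
server0="${servers[0]}"

# Find the .pem file to use
pemfile="terraform/$(jq -r '.resources[] | select(.name=="private_key_pem") | .instances[0].attributes.filename' <"${tfstatefile}")"
[ -f "${pemfile}" ] || die "ssh private key ${pemfile} must exist (run terraform?)"

# See AWS service file
readonly consul_configs="/etc/consul.d"
readonly nomad_configs="/etc/nomad.d"

# Not really present in the config
readonly user=ubuntu

# Create a filename based on the TF state file (.serial), where we will store and/or
# lookup the consul master token. The presence of this file is what determines
# whether a full ACL bootstrap must occur, or if we only need to activate ACLs
# whenever the "enable" sub-command is chosen.
token_file="/tmp/e2e-consul-bootstrap-$(jq .serial <"${tfstatefile}").token"
readonly token_file

# One argument - the subcommand to run which may be: enable or disable
subcommand="${1}"

# Point the local consul/nomad CLIs at the bootstrap server unless the caller
# already chose an address; doBootstrap re-exports these unconditionally.
export CONSUL_HTTP_ADDR="${CONSUL_HTTP_ADDR:-http://${server0}:8500}"
export NOMAD_ADDR="${NOMAD_ADDR:-http://${server0}:4646}"

echo "==== SETUP configuration ====="
echo "SETUP command is: ${subcommand}"
echo "SETUP token file: ${token_file}"
echo "SETUP servers: ${servers[*]}"
echo "SETUP linux clients: ${linux_clients[*]}"
echo "SETUP windows clients: ${windows_clients[*]:-}"
echo "SETUP pem file: ${pemfile}"
echo "SETUP consul configs: ${consul_configs}"
echo "SETUP nomad configs: ${nomad_configs}"
echo "SETUP aws user: ${user}"
echo "SETUP bootstrap server: ${server0}"

#######################################
# Run a command line on a cluster node over SSH.
# Globals:   pemfile, user (read)
# Arguments: $1 - hostname or IP; $2 - command line to run remotely
# Outputs:   the remote command's stdout; a progress line on stderr (stderr so
#            callers can capture the remote output with $(...))
#######################################
doSSH() {
  local hostname="$1"
  local remote_cmd="$2"
  echo "-----> will ssh command '${remote_cmd}' on ${hostname}" >&2
  # The nodes are throwaway terraform instances with freshly generated host
  # keys, so host-key verification is switched off instead of maintained.
  ssh \
    -o StrictHostKeyChecking=no \
    -o UserKnownHostsFile=/dev/null \
    -i "${pemfile}" \
    "${user}@${hostname}" "${remote_cmd}"
}

#######################################
# Copy a local file to a cluster node over SCP.
# Globals:   pemfile (read)
# Arguments: $1 - local path; $2 - remote username; $3 - hostname or IP;
#            $4 - remote destination path
#######################################
doSCP() {
  local original="$1"
  local username="$2"
  local hostname="$3"
  local destination="$4"
  echo "------> will scp ${original} to ${hostname}" >&2
  # Same throwaway-host rationale as doSSH for the host-key options.
  scp \
    -o StrictHostKeyChecking=no \
    -o UserKnownHostsFile=/dev/null \
    -i "${pemfile}" \
    "${original}" "${username}@${hostname}:${destination}"
}

#######################################
# Extract the SecretID value from `consul acl ...` table output read on stdin.
# Outputs:   the token value on stdout
# Returns:   1 when no SecretID line is present (so callers fail fast under
#            errexit instead of continuing with an empty token)
#######################################
consulSecretID() {
  local secret
  secret=$(awk '/SecretID/ { print $2 }')
  [ -n "${secret}" ] || return 1
  printf '%s\n' "${secret}"
}

#######################################
# Render a Nomad consul stanza template into a private (mktemp, 0600) file,
# replacing the literal CONSUL_TOKEN placeholder with the given token.
# Arguments: $1 - template path; $2 - token value
# Outputs:   path of the rendered temp file on stdout; the caller removes it
#######################################
renderConsulStanza() {
  local template="$1"
  local token="$2"
  local rendered template_text
  rendered=$(mktemp)
  template_text=$(<"${template}")
  # Substitute in-shell rather than via `sed -i "s/.../${token}/"`, so the
  # token never appears on a command line visible to other users via ps.
  printf '%s\n' "${template_text//CONSUL_TOKEN/${token}}" >"${rendered}"
  printf '%s\n' "${rendered}"
}

#######################################
# Full Consul ACL bootstrap: stop Nomad, pre-activate ACLs (default:allow),
# bootstrap on server0, create agent tokens, switch to default:deny, install
# Nomad's consul stanzas and start Nomad again.
# Globals:   servers, linux_clients, server0, user, nomad_configs, token_file
#            (read); CONSUL_HTTP_TOKEN, CONSUL_HTTP_ADDR, NOMAD_ADDR (exported)
#######################################
doBootstrap() {
  echo "=== Bootstrap: Consul Configs ==="

  # Stop all Nomad agents.
  stopNomad

  # Run the pre-activation step, which uploads an acl.hcl file (with default:allow)
  # to each Consul configuration directory, then (re)starts each
  # Consul agent.
  doPreActivateACLs

  echo "=== Bootstrap: Consul ACL Bootstrap ==="
  echo "sleeping 2 minutes to let Consul agents settle (avoid Legacy mode error)..."
  sleep 120

  # Bootstrap Consul ACLs on server[0]
  echo "-> bootstrap ACL using ${server0}"
  local consul_http_token
  consul_http_token=$(doSSH "${server0}" "/usr/local/bin/consul acl bootstrap" | consulSecretID)
  export CONSUL_HTTP_TOKEN="${consul_http_token}"
  export CONSUL_HTTP_ADDR="http://${server0}:8500"
  echo " consul http: ${CONSUL_HTTP_ADDR}"
  # The bootstrap token is the cluster's root credential: keep its value out of
  # the (possibly archived) log, and create the token file readable only by
  # this user since /tmp is shared.
  echo " consul root: stored in ${token_file}"
  (umask 077; printf '%s\n' "${CONSUL_HTTP_TOKEN}" >"${token_file}")

  # Create Consul Server Policy & Consul Server agent tokens
  echo "-> configure consul server policy"
  consul acl policy create -name server-policy -rules @consulacls/consul-server-policy.hcl

  # Create & Set agent token for each Consul Server
  local server server_agent_token
  for server in "${servers[@]}"; do
    echo "---> will create agent token for server ${server}"
    server_agent_token=$(consul acl token create -description "consul server agent token" -policy-name server-policy | consulSecretID)
    echo "---> setting token for server agent: ${server}"
    CONSUL_HTTP_ADDR="${server}:8500" consul acl set-agent-token agent "${server_agent_token}"
    echo "---> done setting agent token for server ${server}"
  done

  # Give the servers a moment to apply their agent tokens before continuing
  # with the clients.
  echo "-> sleep 3s before continuing with clients"
  sleep 3

  # Create Consul Client Policy & Client agent tokens
  echo "-> configure consul client policy"
  consul acl policy create -name client-policy -rules @consulacls/consul-client-policy.hcl

  # Create & Set agent token for each Consul Client (excluding Windows)
  local linux_client client_agent_token
  for linux_client in "${linux_clients[@]}"; do
    echo "---> will create consul agent token for client ${linux_client}"
    client_agent_token=$(consul acl token create -description "consul client agent token" -policy-name client-policy | consulSecretID)
    echo "---> setting consul token for consul client ${linux_client}"
    CONSUL_HTTP_ADDR="${linux_client}:8500" consul acl set-agent-token agent "${client_agent_token}"
    echo "---> done setting agent token for client ${linux_client}"
  done

  # Now, upload the ACL policy file with default:deny so that ACL are actually
  # enforced.
  doActivateACLs

  echo "=== Bootstrap: Nomad Configs ==="

  # Create Nomad Server consul Policy and Nomad Server consul tokens
  echo "-> configure nomad server policy & consul token"
  consul acl policy create -name nomad-server-policy -rules @consulacls/nomad-server-policy.hcl
  local nomad_server_consul_token nomad_server_consul_token_tmp
  nomad_server_consul_token=$(consul acl token create -description "nomad server consul token" -policy-name nomad-server-policy | consulSecretID)
  nomad_server_consul_token_tmp=$(renderConsulStanza consulacls/nomad-server-consul.hcl "${nomad_server_consul_token}")
  for server in "${servers[@]}"; do
    echo "---> upload nomad-server-consul.hcl to ${server}"
    doSCP "${nomad_server_consul_token_tmp}" "${user}" "${server}" "/tmp/nomad-server-consul.hcl"
    doSSH "${server}" "sudo mv /tmp/nomad-server-consul.hcl ${nomad_configs}/nomad-server-consul.hcl"
  done
  # The rendered stanza holds a live token; do not leave it behind locally.
  rm -f -- "${nomad_server_consul_token_tmp}"

  # Create Nomad Client consul Policy and Nomad Client consul token
  echo "-> configure nomad client policy & consul token"
  consul acl policy create -name nomad-client-policy -rules @consulacls/nomad-client-policy.hcl
  local nomad_client_consul_token nomad_client_consul_token_tmp
  nomad_client_consul_token=$(consul acl token create -description "nomad client consul token" -policy-name nomad-client-policy | consulSecretID)
  nomad_client_consul_token_tmp=$(renderConsulStanza consulacls/nomad-client-consul.hcl "${nomad_client_consul_token}")
  for linux_client in "${linux_clients[@]}"; do
    echo "---> upload nomad-client-token.hcl to ${linux_client}"
    doSCP "${nomad_client_consul_token_tmp}" "${user}" "${linux_client}" "/tmp/nomad-client-consul.hcl"
    doSSH "${linux_client}" "sudo mv /tmp/nomad-client-consul.hcl ${nomad_configs}/nomad-client-consul.hcl"
  done
  rm -f -- "${nomad_client_consul_token_tmp}"

  startNomad

  export NOMAD_ADDR="http://${server0}:4646"

  echo "=== Bootstrap: DONE ==="
}

#######################################
# Flip consul.allow_unauthenticated on every Nomad server and comment/uncomment
# the consul token on every Linux Nomad client, restarting Nomad on each node.
# Globals:   servers, linux_clients, nomad_configs (read)
# Arguments: $1 - "true" or "false"
#######################################
doSetAllowUnauthenticated() {
  local value="${1}"
  [ "${value}" == "true" ] || [ "${value}" == "false" ] || die "allow_unauthenticated must be 'true' or 'false'"
  local server linux_client
  for server in "${servers[@]}"; do
    if [ "${value}" == "true" ]; then
      echo "---> setting consul.allow_unauthenticated=true on ${server}"
      doSSH "${server}" "sudo sed -i 's/allow_unauthenticated = false/allow_unauthenticated = true/g' ${nomad_configs}/nomad-server-consul.hcl"
    else
      echo "---> setting consul.allow_unauthenticated=false on ${server}"
      doSSH "${server}" "sudo sed -i 's/allow_unauthenticated = true/allow_unauthenticated = false/g' ${nomad_configs}/nomad-server-consul.hcl"
    fi
    doSSH "${server}" "sudo systemctl restart nomad"
  done

  for linux_client in "${linux_clients[@]}"; do
    if [ "${value}" == "true" ]; then
      echo "---> comment out consul token for Nomad client ${linux_client}"
      doSSH "${linux_client}" "sudo sed -i 's!token =!// token =!g' ${nomad_configs}/nomad-client-consul.hcl"
    else
      echo "---> un-comment consul token for Nomad client ${linux_client}"
      doSSH "${linux_client}" "sudo sed -i 's!// token =!token =!g' ${nomad_configs}/nomad-client-consul.hcl"
    fi
    doSSH "${linux_client}" "sudo systemctl restart nomad"
  done
}

#######################################
# "enable" subcommand: full bootstrap when no token file exists for this
# terraform state, otherwise just re-activate ACLs; then report status.
# Globals:   token_file (read); CONSUL_HTTP_TOKEN (exported)
#######################################
doEnable() {
  if [ ! -f "${token_file}" ]; then
    echo "ENABLE: token file does not exist, doing a full ACL bootstrap"
    doBootstrap
  else
    echo "ENABLE: token file already exists, will activate ACLs"
    doSetAllowUnauthenticated "false"
    doActivateACLs
  fi

  echo "=== Enable: DONE ==="

  # show the status of all the agents
  echo "---> token file is ${token_file}"
  local consul_http_token
  consul_http_token=$(<"${token_file}")
  export CONSUL_HTTP_TOKEN="${consul_http_token}"
  # Printed in a form the operator can paste into a shell without the token
  # value itself landing in this script's output.
  echo "export CONSUL_HTTP_TOKEN=\$(cat ${token_file})"
  doStatus
}

#######################################
# "disable" subcommand: requires a previous bootstrap (token file present),
# re-allows unauthenticated Nomad access and deactivates Consul ACLs.
# Globals:   token_file (read); CONSUL_HTTP_TOKEN (unset)
#######################################
doDisable() {
  [ -f "${token_file}" ] || die "DISABLE: token file does not exist, did bootstrap ever happen?"

  echo "DISABLE: token file exists, will deactivate ACLs"
  doSetAllowUnauthenticated "true"
  doDeactivateACLs

  echo "=== Disable: DONE ==="

  # show the status of all the agents
  unset CONSUL_HTTP_TOKEN
  doStatus
}

#######################################
# Upload one acl.hcl variant into every Consul agent's configuration directory.
# Globals:   servers, linux_clients, user, consul_configs (read)
# Arguments: $1 - local acl file; $2 - log label (pre-activate/activate/deactivate)
#######################################
uploadACLConfig() {
  local acl_file="$1"
  local label="$2"
  local agent
  for agent in "${servers[@]}" "${linux_clients[@]}"; do
    echo " ${label}: upload ${acl_file##*/} to ${agent}::acl.hcl"
    doSCP "${acl_file}" "${user}" "${agent}" "/tmp/acl.hcl"
    doSSH "${agent}" "sudo mv /tmp/acl.hcl ${consul_configs}/acl.hcl"
  done
}

#######################################
# Install acl-pre-enable.hcl (default:allow) on every Consul agent and start
# the agents, so that `consul acl bootstrap` can run.
# Globals:   servers, linux_clients (read)
#######################################
doPreActivateACLs() {
  echo "=== PreActivate (set default:allow) ==="

  stopConsul

  # Upload acl-pre-enable.hcl to each Consul agent's configuration directory.
  uploadACLConfig "consulacls/acl-pre-enable.hcl" "pre-activate"

  # Start each Consul agent to pick up the new config.
  local agent
  for agent in "${servers[@]}" "${linux_clients[@]}"; do
    echo " pre-activate: start Consul agent on ${agent}"
    doSSH "${agent}" "sudo systemctl start consul"
  done

  echo "=== PreActivate: DONE ==="
}

#######################################
# Install acl-enable.hcl (default:deny) on every Consul agent and start the
# agents, then wait for the cluster to settle.
# Globals:   servers, linux_clients (read)
#######################################
doActivateACLs() {
  echo "=== Activate (set default:deny) ==="

  stopConsul

  # Upload acl-enable.hcl to each Consul agent's configuration directory.
  uploadACLConfig "consulacls/acl-enable.hcl" "activate"

  # Start each Consul agent to pick up the new config.
  local agent
  for agent in "${servers[@]}" "${linux_clients[@]}"; do
    echo " activate: restart Consul agent on ${agent} ..."
    doSSH "${agent}" "sudo systemctl start consul"
  done

  echo "--> activate ACLs sleep for 2 minutes to let Consul figure things out"
  sleep 120
  echo "=== Activate: DONE ==="
}

#######################################
# Stop every Nomad agent (clients and servers) in preparation for Consul ACL
# bootstrapping.
# Globals:   servers, linux_clients (read)
#######################################
stopNomad() {
  echo "=== Stop Nomad agents ==="
  local server linux_client
  for server in "${servers[@]}"; do
    echo " stop Nomad Server on ${server}"
    doSSH "${server}" "sudo systemctl stop nomad"
    sleep 1
  done

  for linux_client in "${linux_clients[@]}"; do
    echo " stop Nomad Client on ${linux_client}"
    doSSH "${linux_client}" "sudo systemctl stop nomad"
    sleep 1
  done

  echo "... all nomad agents stopped"
}

#######################################
# Start every Nomad agent (servers first, then clients) after Consul ACLs have
# been bootstrapped and the Nomad consul stanzas installed.
# Globals:   servers, linux_clients (read)
#######################################
startNomad() {
  echo "=== Start Nomad agents ==="
  local server linux_client
  for server in "${servers[@]}"; do
    echo " start Nomad Server on ${server}"
    doSSH "${server}" "sudo systemctl start nomad"
    sleep 1
  done

  # give the servers a chance to settle
  sleep 10

  for linux_client in "${linux_clients[@]}"; do
    echo " start Nomad Client on ${linux_client}"
    doSSH "${linux_client}" "sudo systemctl start nomad"
    sleep 3
  done

  # give the clients a long time to settle
  sleep 30

  echo "... all nomad agents started"
}

#######################################
# Stop every Consul agent (clients and servers) before swapping its acl.hcl.
# Globals:   servers, linux_clients (read)
#######################################
stopConsul() {
  echo "=== Stop Consul agents ==="
  local server linux_client
  for server in "${servers[@]}"; do
    echo " stop Consul Server on ${server}"
    doSSH "${server}" "sudo systemctl stop consul"
    sleep 1
  done

  for linux_client in "${linux_clients[@]}"; do
    echo " stop Consul Client on ${linux_client}"
    doSSH "${linux_client}" "sudo systemctl stop consul"
    sleep 1
  done

  echo "... all consul agents stopped"
}

#######################################
# Start the Consul client agents only. Not called by any subcommand in this
# script; kept for manual use.
# Globals:   linux_clients (read)
#######################################
startConsulClients() {
  echo "=== Start Consul Clients ==="
  local linux_client
  for linux_client in "${linux_clients[@]}"; do
    echo " start Consul Client on ${linux_client}"
    doSSH "${linux_client}" "sudo systemctl start consul"
    sleep 2
  done

  sleep 5 # let them settle
  echo "... all consul clients started"
}

#######################################
# Install acl-disable.hcl on every Consul agent and restart the agents, then
# wait for Consul / Nomad to settle.
# Globals:   servers, linux_clients (read)
#######################################
doDeactivateACLs() {
  echo "=== Deactivate ==="
  # Upload acl-disable.hcl to each Consul agent's configuration directory.
  uploadACLConfig "consulacls/acl-disable.hcl" "deactivate"

  # Restart each Consul agent to pick up the new config.
  local agent
  for agent in "${servers[@]}" "${linux_clients[@]}"; do
    echo " deactivate: restart Consul on ${agent} ..."
    doSSH "${agent}" "sudo systemctl restart consul"
  done

  # Wait 120s before moving on, Consul / Nomad need time to settle down.
  echo " deactivate: sleep 2m ..."
  sleep 120
}

#######################################
# Print Consul and Nomad membership as seen by the local CLIs.
# Globals:   CONSUL_HTTP_TOKEN (read if set), CONSUL_HTTP_ADDR, NOMAD_ADDR (read)
#######################################
doStatus() {
  echo "consul members"
  consul members
  echo ""
  echo "nomad server members"
  nomad server members
  echo ""
  echo "nomad node status"
  nomad node status
  echo ""
}

# It's the entrypoint to our script!
case "${subcommand}" in
  enable)
    doEnable
    ;;
  disable)
    doDisable
    ;;
  *)
    die "incorrect subcommand ${subcommand}"
    ;;
esac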