github.com/uchennaokeke444/nomad@v0.11.8/e2e/consulacls/consul-acls-manage.sh

#!/usr/bin/env bash

# must be run from e2e directory

set -o errexit
set -o nounset
set -o pipefail

tfstatefile="terraform/terraform.tfstate"

# Make sure we are running from the e2e/ directory
[ "$(basename "$(pwd)")" == "e2e" ] || (echo "must be run from nomad/e2e directory" && exit 1)

# Make sure one argument was provided (subcommand)
[ ${#} -eq 1 ] || (echo "expect one argument (subcommand)" && exit 1)

# Make sure terraform state file exists
[ -f "${tfstatefile}" ] || (echo "file ${tfstatefile} must exist (run terraform?)" && exit 1)

# Load Linux Client Node IPs from terraform state file
linux_clients=$(jq -r .outputs.linux_clients.value[] <"${tfstatefile}" | xargs)

# Load Windows Client Node IPs from terraform state file
windows_clients=$(jq -r .outputs.windows_clients.value[] <"${tfstatefile}" | xargs)

# Combine all the clients together
# clients="${linux_clients} ${windows_clients}"

# Load Server Node IPs from terraform/terraform.tfstate
servers=$(jq -r .outputs.servers.value[] <"${tfstatefile}" | xargs)

# Use the 0th server as the ACL bootstrap server
server0=$(echo "${servers}" | cut -d' ' -f1)

# Find the .pem file to use
pemfile="terraform/$(jq -r '.resources[] | select(.name=="private_key_pem") | .instances[0].attributes.filename' <"terraform/terraform.tfstate")"

# See AWS service file
consul_configs="/etc/consul.d"
nomad_configs="/etc/nomad.d"

# Not really present in the config
user=ubuntu

# Create a filename based on the TF state file (.serial), where we will store and/or
# lookup the consul master token. The presense of this file is what determines
# whether a full ACL bootstrap must occur, or if we only need to activate ACLs
# whenever the "enable" sub-command is chosen.
token_file="/tmp/e2e-consul-bootstrap-$(jq .serial <${tfstatefile}).token"

# One argument - the subcommand to run which may be: bootstrap, enable, or disable
subcommand="${1}"

echo "==== SETUP configuration ====="
echo "SETUP command is: ${subcommand}"
echo "SETUP token file: ${token_file}"
echo "SETUP servers: ${servers}"
echo "SETUP linux clients: ${linux_clients}"
echo "SETUP windows clients: ${windows_clients}"
echo "SETUP pem file: ${pemfile}"
echo "SETUP consul configs: ${consul_configs}"
echo "SETUP nomad configs: ${nomad_configs}"
echo "SETUP aws user: ${user}"
echo "SETUP bootstrap server: ${server0}"

function doSSH() {
  hostname="$1"
  command="$2"
  echo "-----> will ssh command '${command}' on ${hostname}"
  ssh \
    -o StrictHostKeyChecking=no \
    -o UserKnownHostsFile=/dev/null \
    -i "${pemfile}" \
    "${user}@${hostname}" "${command}"
}

function doSCP() {
  original="$1"
  username="$2"
  hostname="$3"
  destination="$4"
  echo "------> will scp ${original} to ${hostname}"
  scp \
    -o StrictHostKeyChecking=no \
    -o UserKnownHostsFile=/dev/null \
    -i "${pemfile}" \
    "${original}" "${username}@${hostname}:${destination}"
}

function doBootstrap() {
  echo "=== Bootstrap: Consul Configs ==="

  # Stop all Nomad agents.
  stopNomad

  # Run the pre-activation step, which uploads an acl.hcl file (with default:allow)
  # to each Consul configuration directory, then (re)starts each
  # Consul agent.
  doPreActivateACLs

  echo "=== Bootstrap: Consul ACL Bootstrap ==="
  echo "sleeping 2 minutes to let Consul agents settle (avoid Legacy mode error)..."
  sleep 120

  # Bootstrap Consul ACLs on server[0]
  echo "-> bootstrap ACL using ${server0}"
  consul_http_token=$(doSSH "${server0}" "/usr/local/bin/consul acl bootstrap" | grep SecretID | awk '{print $2}')
  consul_http_addr="http://${server0}:8500"
  export CONSUL_HTTP_TOKEN=${consul_http_token}
  export CONSUL_HTTP_ADDR=${consul_http_addr}
  echo "  consul http: ${CONSUL_HTTP_ADDR}"
  echo "  consul root: ${CONSUL_HTTP_TOKEN}"
  echo "${CONSUL_HTTP_TOKEN}" > "${token_file}"

  # Create Consul Server Policy & Consul Server agent tokens
  echo "-> configure consul server policy"
  consul acl policy create -name server-policy -rules @consulacls/consul-server-policy.hcl

  # Create & Set agent token for each Consul Server
  for server in ${servers}; do
    echo "---> will create agent token for server ${server}"
    server_agent_token=$(consul acl token create -description "consul server agent token" -policy-name server-policy | grep SecretID | awk '{print $2}')
    echo "---> setting token for server agent: ${server} -> ${server_agent_token}"
    (export CONSUL_HTTP_ADDR="${server}:8500";  consul acl set-agent-token agent "${server_agent_token}")
    echo "---> done setting agent token for server ${server}"
  done

  # Wait 30s before continuing with configuring consul clients.
  echo "-> sleep 3s before continuing with clients"
  sleep 3

  # Create Consul Client Policy & Client agent tokens
  echo "-> configure consul client policy"
  consul acl policy create -name client-policy -rules @consulacls/consul-client-policy.hcl

  # Create & Set agent token for each Consul Client (excluding Windows)
  for linux_client in ${linux_clients}; do
    echo "---> will create consul agent token for client ${linux_client}"
    client_agent_token=$(consul acl token create -description "consul client agent token" -policy-name client-policy | grep SecretID | awk '{print $2}')
    echo "---> setting consul token for consul client ${linux_client} -> ${client_agent_token}"
    (export CONSUL_HTTP_ADDR="${linux_client}:8500"; consul acl set-agent-token agent "${client_agent_token}")
    echo "---> done setting agent token for client ${linux_client}"
  done

  # Now, upload the ACL policy file with default:deny so that ACL are actually
  # enforced.
  doActivateACLs

  echo "=== Bootstrap: Nomad Configs ==="

  # Create Nomad Server consul Policy and Nomad Server consul tokens
  echo "-> configure nomad server policy & consul token"
  consul acl policy create -name nomad-server-policy -rules @consulacls/nomad-server-policy.hcl
  nomad_server_consul_token=$(consul acl token create -description "nomad server consul token" -policy-name nomad-server-policy | grep SecretID | awk '{print $2}')
  nomad_server_consul_token_tmp=$(mktemp)
  cp consulacls/nomad-server-consul.hcl "${nomad_server_consul_token_tmp}"
  sed -i "s/CONSUL_TOKEN/${nomad_server_consul_token}/g" "${nomad_server_consul_token_tmp}"
  for server in ${servers}; do
    echo "---> upload nomad-server-consul.hcl to ${server}"
    doSCP "${nomad_server_consul_token_tmp}" "${user}" "${server}" "/tmp/nomad-server-consul.hcl"
    doSSH "${server}" "sudo mv /tmp/nomad-server-consul.hcl ${nomad_configs}/nomad-server-consul.hcl"
  done

  # Create Nomad Client consul Policy and Nomad Client consul token
  echo "-> configure nomad client policy & consul token"
  consul acl policy create -name nomad-client-policy -rules @consulacls/nomad-client-policy.hcl
  nomad_client_consul_token=$(consul acl token create -description "nomad client consul token" -policy-name nomad-client-policy | grep SecretID | awk '{print $2}')
  nomad_client_consul_token_tmp=$(mktemp)
  cp consulacls/nomad-client-consul.hcl "${nomad_client_consul_token_tmp}"
  sed -i "s/CONSUL_TOKEN/${nomad_client_consul_token}/g" "${nomad_client_consul_token_tmp}"
  for linux_client in ${linux_clients}; do
    echo "---> upload nomad-client-token.hcl to ${linux_client}"
    doSCP "${nomad_client_consul_token_tmp}" "${user}" "${linux_client}" "/tmp/nomad-client-consul.hcl"
    doSSH "${linux_client}" "sudo mv /tmp/nomad-client-consul.hcl ${nomad_configs}/nomad-client-consul.hcl"
  done

  startNomad

  export NOMAD_ADDR="http://${server0}:4646"

  echo "=== Activate: DONE ==="
}

function doSetAllowUnauthenticated {
  value="${1}"
  [ "${value}" == "true" ] || [ "${value}" == "false" ] || ( echo "allow_unauthenticated must be 'true' or 'false'" && exit 1)
  for server in ${servers}; do
    if [ "${value}" == "true" ]; then
      echo "---> setting consul.allow_unauthenticated=true on ${server}"
      doSSH "${server}" "sudo sed -i 's/allow_unauthenticated = false/allow_unauthenticated = true/g' ${nomad_configs}/nomad-server-consul.hcl"
    else
      echo "---> setting consul.allow_unauthenticated=false on ${server}"
      doSSH "${server}" "sudo sed -i 's/allow_unauthenticated = true/allow_unauthenticated = false/g' ${nomad_configs}/nomad-server-consul.hcl"
    fi
    doSSH "${server}" "sudo systemctl restart nomad"
  done

  for linux_client in ${linux_clients}; do
    if [ "${value}" == "true" ]; then
      echo "---> comment out consul token for Nomad client ${linux_client}"
      doSSH "${linux_client}" "sudo sed -i 's!token =!// token =!g' ${nomad_configs}/nomad-client-consul.hcl"
    else
      echo "---> un-comment consul token for Nomad client ${linux_client}"
      doSSH "${linux_client}" "sudo sed -i 's!// token =!token =!g' ${nomad_configs}/nomad-client-consul.hcl"
    fi
    doSSH "${linux_client}" "sudo systemctl restart nomad"
  done
}

function doEnable {
  if [ ! -f "${token_file}" ]; then
    echo "ENABLE: token file does not exist, doing a full ACL bootstrap"
    doBootstrap
  else
    echo "ENABLE: token file already exists, will activate ACLs"
    doSetAllowUnauthenticated "false"
    doActivateACLs
  fi

  echo "=== Enable: DONE ==="

  # show the status of all the agents
  echo "---> token file is ${token_file}"
  consul_http_token=$(cat "${token_file}")
  export CONSUL_HTTP_TOKEN="${consul_http_token}"
  echo "export CONSUL_HTTP_TOKEN=${CONSUL_HTTP_TOKEN}"
  doStatus
}

function doDisable {
  if [ ! -f "${token_file}" ]; then
    echo "DISABLE: token file does not exist, did bootstrap ever happen?"
    exit 1
  else
    echo "DISABLE: token file exists, will deactivate ACLs"
    doSetAllowUnauthenticated "true"
    doDeactivateACLs
  fi

  echo "=== Disable: DONE ==="

  # show the status of all the agents
  unset CONSUL_HTTP_TOKEN
  doStatus
}

function doPreActivateACLs {
  echo "=== PreActivate (set default:allow) ==="

  stopConsul

  # Upload acl-pre-enable.hcl to each Consul agent's configuration directory.
  for agent in ${servers} ${linux_clients}; do
    echo " pre-activate: upload acl-pre-enable.hcl to ${agent}::acl.hcl"
    doSCP "consulacls/acl-pre-enable.hcl" "${user}" "${agent}" "/tmp/acl.hcl"
    doSSH "${agent}" "sudo mv /tmp/acl.hcl ${consul_configs}/acl.hcl"
  done

  # Start each Consul agent to pickup the new config.
  for agent in ${servers} ${linux_clients}; do
    echo " pre-activate: start Consul agent on ${agent}"
    doSSH "${agent}" "sudo systemctl start consul"
  done

  echo "=== PreActivate: DONE ==="
}

function doActivateACLs {
  echo "=== Activate (set default:deny) ==="

  stopConsul

  # Upload acl-enable.hcl to each Consul agent's configuration directory.
  for agent in ${servers} ${linux_clients}; do
    echo " activate: upload acl-enable.hcl to ${agent}::acl.hcl"
    doSCP "consulacls/acl-enable.hcl" "${user}" "${agent}" "/tmp/acl.hcl"
    doSSH "${agent}" "sudo mv /tmp/acl.hcl ${consul_configs}/acl.hcl"
  done

  # Start each Consul agent to pickup the new config.
  for agent in ${servers} ${linux_clients}; do
    echo " activate: restart Consul agent on ${agent} ..."
    doSSH "${agent}" "sudo systemctl start consul"
  done

  echo "--> activate ACLs sleep for 2 minutes to let Consul figure things out"
  sleep 120
  echo "=== Activate: DONE ==="
}

function stopNomad {
  echo "=== Stop Nomad agents ==="
  # Stop every Nomad agent (clients and servers) in preperation for Consul ACL
  # bootstrapping.
  for server in ${servers}; do
    echo " stop Nomad Server on ${server}"
    doSSH "${server}" "sudo systemctl stop nomad"
    sleep 1
  done

  for linux_client in ${linux_clients}; do
    echo " stop Nomad Client on ${linux_client}"
    doSSH "${linux_client}" "sudo systemctl stop nomad"
    sleep 1
  done

  echo "... all nomad agents stopped"
}

function startNomad {
  echo "=== Start Nomad agents ==="
  # Start every Nomad agent (clients and servers) after having Consul ACL
  # bootstrapped and configurations set for Nomad.
  for server in ${servers}; do
    echo " start Nomad Server on ${server}"
    doSSH "${server}" "sudo systemctl start nomad"
    sleep 1
  done

  # give the servers a chance to settle
  sleep 10

  for linux_client in ${linux_clients}; do
    echo " start Nomad Client on ${linux_client}"
    doSSH "${linux_client}" "sudo systemctl start nomad"
    sleep 3
  done

  # give the clients a long time to settle
  sleep 30

  echo "... all nomad agents started"
}

function stopConsul {
  echo "=== Stop Consul agents ==="
  # Stop every Nonsul agent (clients and servers) in preperation for Consul ACL
  # bootstrapping.
  for server in ${servers}; do
    echo " stop Consul Server on ${server}"
    doSSH "${server}" "sudo systemctl stop consul"
    sleep 1
  done

  for linux_client in ${linux_clients}; do
    echo " stop Consul Client on ${linux_client}"
    doSSH "${linux_client}" "sudo systemctl stop consul"
    sleep 1
  done

  echo "... all consul agents stopped"
}

function startConsulClients {
    echo "=== Start Consul Clients ==="
    # Start Consul Clients
    for linux_client in ${linux_clients}; do
      echo " start Consul Client on ${linux_client}"
      doSSH "${linux_client}" "sudo systemctl start consul"
      sleep 2
    done

    sleep 5 # let them settle
    echo "... all consul clients started"
}

function doDeactivateACLs {
  echo "=== Deactivate ==="
  # Upload acl-disable.hcl to each Consul agent's configuration directory.
  for agent in ${servers} ${linux_clients}; do
    echo " deactivate: upload acl-disable.hcl to ${agent}::acl.hcl"
    doSCP "consulacls/acl-disable.hcl" "${user}" "${agent}" "/tmp/acl.hcl"
    doSSH "${agent}" "sudo mv /tmp/acl.hcl ${consul_configs}/acl.hcl"
  done

  # Restart each Consul agent to pickup the new config.
  for agent in ${servers} ${linux_clients}; do
    echo " deactivate: restart Consul on ${agent} ..."
    doSSH "${agent}" "sudo systemctl restart consul"
  done

  # Wait 120s before moving on, Consul / Nomad need time to settle down.
  echo " deactivate: sleep 2m ..."
  sleep 120
}

function doStatus {
  # assumes CONSUL_HTTP_TOKEN is set (or not)
  echo "consul members"
  consul members
  echo ""
  echo "nomad server members"
  nomad server members
  echo ""
  echo "nomad node status"
  nomad node status
  echo ""
}

# It's the entrypoint to our script!
case "${subcommand}" in
  enable)
    doEnable
    ;;
  disable)
    doDisable
    ;;
  *)
    echo "incorrect subcommand ${subcommand}"
    exit 1
    ;;
esac