How to Set Up Consul through the OSM Ansible Role

Are you searching for service discovery or a service mesh tool for a distributed environment?

Did you find any with easy installation? Not yet!! Think fast… It’s just a piece of cake. YES! NO! Calm down because I got it!!!!

A few days back we got a requirement where we had to set up multiple services on multiple servers, in cluster mode. So now the question arises: how will the services be auto-discovered? How will we get to know the health check of the service? And above all, how to restrict users on different services? After a lot of research, I came across a tool named Consul. But now another stumbling block arises: HOW TO SET IT UP?

Your answer might be to just go ahead and download the binary on every server. If that’s what you’re thinking, then STOP! Doing it manually on plenty of servers is time-consuming and not an efficient way. So, I thought of using a configuration management tool, none other than Ansible. There were roles already present in the market, but some had a hard-coded encryption key, some were not generating the bootstrap token, and they were not easy to understand. None of the roles fulfilled the requirement.

So, I thought of creating an Ansible role with features like enabling ACL and generating a bootstrap token and an encryption key, written in easy-to-understand language.

In this blog, I have explained the OT-OSM Consul Ansible role.

Without any delay let’s get started!!!

Now you might be thinking, what is Consul?

What is Consul?

Consul is a HashiCorp tool known for service discovery, regular health checks of services, load balancing, a key/value store for dynamic configuration, and an interactive web UI. It also comes with a built-in feature to detect failing nodes (which is a pretty hectic task in a distributed environment) and distribute this information across the whole cluster. And the list doesn’t end here: it is also a platform-independent tool.

Consul with OSM Ansible Role 

First, let’s get you familiar with OT-OSM: it is an open source project of Opstree to which people from our organization contribute so that anybody can use it.

Our OT-OSM ansible role will automate the installation and configuration of Consul Server on Ubuntu 18 and above.

Running this role will perform the following tasks on Ansible hosts:

  • Install Consul version 1.8.4 and above
  • Cluster configuration for consul server on host machines
  • Standalone setup for consul server
  • Generating encryption key 
  • Enabling ACL and generating the bootstrap token 

THINGS TO BE KEPT IN MIND BEFORE RUNNING ROLE 

The role defines variables in the vars or default location to externalize some configuration and make the role more reusable.

Variables present in vars/main.yml are dynamic and can be modified by the user. 

consul_version: 1.8.4
consul_data_path: /var/lib/consul
consul_datacenter: dc1
acl_enable: false
consul_acl_default_policy: deny
consul_keygenerate_file: /opt/consul_keygenerate
consul_acl_file: /opt/acl_token
local_acl_dest: /tmp/consul_acl
local_key_dest: /tmp/consul_key

For the ACL feature, i.e., Access Control List (ACL)

Consul uses Access Control Lists (ACLs) to secure access to the UI, API, CLI, service communications, and agent communications. ACLs are used to secure the data centers.

By default, the ACL feature is disabled in this Ansible role. It can be enabled based on user requirements: to enable it, change the acl_enable variable value from false to true in vars/main.yml.

After this, a bootstrap token will be generated on one master node and the same token will be saved on the controller machine for later use.
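
A pre-flight check for the variables listed above, as an added example that is not part of the OT-OSM role: it flags ACLs left disabled, a default policy other than deny, and token or key files placed in shared temporary directories. It assumes that the four path variables name files holding the bootstrap token or the encryption key, which their names suggest but this page does not state; the function names are hypothetical.

```python
import os
import stat

# Constructed sample: the default values listed for vars/main.yml on this page.
SAMPLE_VARS = """\
consul_version: 1.8.4
consul_data_path: /var/lib/consul
consul_datacenter: dc1
acl_enable: false
consul_acl_default_policy: deny
consul_keygenerate_file: /opt/consul_keygenerate
consul_acl_file: /opt/acl_token
local_acl_dest: /tmp/consul_acl
local_key_dest: /tmp/consul_key
"""
# Assumption: these variables name files that hold the token or the key.
SECRET_PATH_VARS = ("consul_keygenerate_file", "consul_acl_file",
                    "local_acl_dest", "local_key_dest")
SHARED_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

def parse_flat_vars(text):
    """Parse flat 'key: value' lines (enough for this vars file, not full YAML)."""
    result = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            key, value = line.split(":", 1)
            result[key.strip()] = value.strip().strip("'\"")
    return result

def audit_vars(text):
    """Return findings for settings that weaken the cluster's access control."""
    v, findings = parse_flat_vars(text), []
    if v.get("acl_enable", "false").lower() not in ("true", "yes"):
        findings.append("acl_enable is not true: ACLs stay disabled")
    if v.get("consul_acl_default_policy", "").lower() != "deny":
        findings.append("consul_acl_default_policy is not deny")
    for name in SECRET_PATH_VARS:
        path = v.get(name, "")
        if path.startswith(SHARED_DIRS):
            findings.append(f"{name}={path} is in a world-writable directory")
    return findings

def secret_file_exposed(path):
    """True if group or other users have any permission on the file."""
    return bool(stat.S_IMODE(os.stat(path).st_mode) & 0o077)

if __name__ == "__main__":
    for finding in audit_vars(SAMPLE_VARS):
        print("WARN:", finding)
```

After a run, secret_file_exposed() can be called on the saved token and key files; True means other local users have access to them.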

To use the role, the inventory must be in the following format:

[consul-server]
server1 ansible_host=ip/dns 
server2 ansible_host=ip/dns
server3 ansible_host=ip/dns 

[consul-server:vars]
ansible_user=ubuntu
ansible_ssh_private_key_file=path

USAGE:

  • To run the role, execute the command below:
ansible-playbook -i inventory playbook.yml

CONCLUSION

The scope of the role is a basic implementation of the Consul cluster and standalone setup with best practices for installation, configuration, ACL, and encryption key. For more information, you can go through README.md of the role. 

Further, many more features will be added to the role like client setup and policies. 

And if anyone has any requirement that this role fails to fulfill, feel free to raise an issue on the GitHub repository or you can drop comments here as well. Let us know about your experience with the role and your suggestions.

Goodbye, have a nice day!!

Blog Pundit: Bhupender Rawat and Sandeep Rawat
