vault-nomad-consul-terraform
Category: 3G/4G/5G development
Development tool: HCL
File size: 0KB
Downloads: 0
Upload date: 2023-06-28 05:55:54
Uploader: sh-1993
Description: vault-nomad-consul-terraform
File list:
examples/ (0, 2023-06-27)
examples/local-root-certs/ (0, 2023-06-27)
examples/local-root-certs/backend.tf (448, 2023-06-27)
examples/local-root-certs/main.tf (121, 2023-06-27)
examples/local-root-certs/providers.tf (452, 2023-06-27)
examples/local/ (0, 2023-06-27)
examples/local/backend.tf (773, 2023-06-27)
examples/local/main.tf (17321, 2023-06-27)
examples/local/node_exporter.tf (1661, 2023-06-27)
examples/local/outputs.tf (1027, 2023-06-27)
examples/local/providers.tf (664, 2023-06-27)
examples/local/s3.tf (705, 2023-06-27)
examples/local/services.tf (1665, 2023-06-27)
examples/local/variables.tf (122, 2023-06-27)
modules/ (0, 2023-06-27)
modules/certificate_authority/ (0, 2023-06-27)
modules/certificate_authority/ca_certificate.tf (1262, 2023-06-27)
modules/certificate_authority/connect_ca.tf (800, 2023-06-27)
modules/certificate_authority/default_issuer.tf (552, 2023-06-27)
modules/certificate_authority/outputs.tf (938, 2023-06-27)
modules/certificate_authority/pki_mount.tf (203, 2023-06-27)
modules/certificate_authority/provider.tf (153, 2023-06-27)
modules/certificate_authority/variables.tf (1021, 2023-06-27)
modules/consul/ (0, 2023-06-27)
modules/consul/bootstrap/ (0, 2023-06-27)
modules/consul/bootstrap/init.sh (1696, 2023-06-27)
modules/consul/bootstrap/main.tf (578, 2023-06-27)
modules/consul/bootstrap/outputs.tf (240, 2023-06-27)
modules/consul/bootstrap/variables.tf (693, 2023-06-27)
modules/consul/client/ (0, 2023-06-27)
modules/consul/client/container/ (0, 2023-06-27)
modules/consul/client/container/config.tf (6123, 2023-06-27)
modules/consul/client/container/main.tf (1099, 2023-06-27)
modules/consul/client/container/providers.tf (277, 2023-06-27)
modules/consul/client/container/variables.tf (1875, 2023-06-27)
modules/consul/client/image/ (0, 2023-06-27)
modules/consul/client/image/context/ (0, 2023-06-27)
... ...
# vault-nomad-consul-terraform
A self-learning exercise in setting up Vault/Consul/Nomad from scratch and in creating and managing non-cloud resources with Terraform.
## Overview
This project attempts to provide an entire Vault/Consul/Nomad stack.
It uses the following:
* Libvirt for creating virtual machines, using Docker
* FreeIPA (core DNS)
* Minio (S3) for storing Terraform state, CA certificates and bootstrap tokens
* openkms as the KMS for Vault auto-unseal (needs further hardening)
* Vault
* Consul
* Nomad (servers and clients)
* Consul Connect service mesh
* Traefik service for ingress traffic
* consul-template (for provisioning CA certificates)
* NFS for shared storage
It attempts to provide:
* ACLs with the minimum required privileges
* A root CA for each stack
* The ability to handle multiple datacenters (Vault/Consul) and regions (Nomad)
* Absolutely no manual interaction, except:
  * It currently requires several Terraform runs with arguments, to protect against accidental re-initialisation of services
  * It requires a manual initial SSH connection to new servers to accept the host SSH key
## Usage
Current setup for the local example:
```
cd examples/local
```
See examples/local/README.md for more information.
## Progress
* Create virtual machines with cloud-init initial setup - Done
* Create/configure FreeIPA - Done
* Set up S3 - Done
* Create Vault cluster/bootstrap - Done
* Create Consul cluster/bootstrap - Done
* Add Vault backups
* Complete Nomad setup - Done
* Complete Consul Connect setup - Done
* Investigate Consul using Consul as Connect CA
* Create NFS server and CSI configuration for Nomad - Done
* Further securing of the KMS used for Vault auto-unseal
## Design
### Consul server
Consul server hosts run Vault Agent; this lets the Vault token be regenerated automatically through the consul-server's consul-template AppRole.
consul-template runs in the Consul container and uses the token sink written by Vault Agent to generate SSL certificates. This allows new certificates to be issued and the Consul container to be restarted automatically.
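As an added illustration of the arrangement above (not the repository's own module code), a minimal Vault Agent configuration that logs in with AppRole and writes its token to a file sink, beside a consul-template configuration that reads that sink to issue a Consul server certificate from a Vault PKI mount and reloads Consul when it is re-rendered. The Vault address, PKI mount and role name, file paths and the reload command are assumptions.

```hcl
# vault-agent.hcl (assumed file name): Vault Agent logs in with an AppRole
# and keeps the resulting token renewed in a file sink. Give that AppRole a
# policy allowing only "update" on the assumed path pki_int/issue/consul-server.
vault {
  address = "https://vault.service.consul:8200"   # assumed address
}
auto_auth {
  method "approle" {
    mount_path = "auth/approle"
    config = {
      role_id_file_path   = "/etc/vault-agent/role_id"
      secret_id_file_path = "/etc/vault-agent/secret_id"
      # keep the SecretID so the agent can log in again after a restart
      remove_secret_id_file_after_reading = false
    }
  }
  sink "file" {
    config = {
      path = "/run/vault-agent/token"   # the sink consul-template reads
    }
  }
}

# consul-template.hcl (assumed file name): consul-template never holds the
# AppRole credentials; it reads the agent's token and leaves renewal to it.
vault {
  address                = "https://vault.service.consul:8200"
  vault_agent_token_file = "/run/vault-agent/token"
  renew_token            = false
}
# Both templates use the identical secret() call so consul-template serves them
# from one issued lease; it re-renders before the TTL expires, then runs command.
template {
  contents    = <<EOT
{{ with secret "pki_int/issue/consul-server" "common_name=server.dc1.consul" "ttl=24h" }}{{ .Data.certificate }}
{{ .Data.issuing_ca }}{{ end }}
EOT
  destination = "/consul/config/tls/server.pem"
  perms       = 0640
  command     = "consul reload"   # assumed; the project restarts the container
}
template {
  contents    = <<EOT
{{ with secret "pki_int/issue/consul-server" "common_name=server.dc1.consul" "ttl=24h" }}{{ .Data.private_key }}{{ end }}
EOT
  destination = "/consul/config/tls/server-key.pem"
  perms       = 0600
  command     = "consul reload"
}
```

Because the AppRole policy covers only the issue endpoint for one role, a compromised Consul host can at most request certificates for the names that PKI role permits, and the private key never leaves the container's filesystem.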