Neutrollized / hashiconf2023-hug-demo


hashiconf-hug-demo

This repo contains some links to various content that was presented at HashiConf HUG @ HQ.

Resources

Packer images

Terraform deployment

Additional setup steps for WAN Federation

You will want to use the same Gossip key across your Consul clusters (but not a requirement for Nomad).

You can perform WAN federation in one of two ways:

  1. To perform WAN federation across clouds, you will need a VPN connection set up between them (HOW-TO: Create HA VPN between GCP and AWS). You will also need a VPN if you wish to perform WAN federation in Nomad.

  2. If you're just looking to federate your Consul clusters, you can use Mesh Gateways instead of creating a VPN. Mesh gateway WAN federation is not supported on Nomad though!

An optional (easier) approach is to provision both Nomad clusters in separate regions within a Google Cloud VPC. Subnets within the same Google VPC can communicate internally regardless of region (this is not the case with AWS and Azure).

CA & SSL certs (highly recommended)

This is an optional step if you want to try out Consul Connect's features. Consul Connect is a service mesh and hence you will need certs for the mTLS piece. I personally hate having to deal with (generating) certs, but luckily the ability to create certs easily is built into the Consul and Nomad binaries. This is the approach I will be taking, but if you wish to generate certs the hard way, here's a link to my co-presenter Jacob Mammoliti's Nomad the Hard Way repo.

Consul

CA certs

consul tls ca create

Server certs

consul tls cert create -server -dc [DATACENTER] -additional-ipaddress=[LOAD_BALANCER_IP] -additional-dnsname="*.[OTHER_DATACENTER].consul"

You will then need to distribute the certs (e.g. with scp). On the servers you will need to provide the CA cert and the server certs. On the client side, you need only the CA cert, as we will be leveraging Consul's auto-encrypt feature.
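As an added example (not code from this repo or the presenters), the shell script below carries the CA and server-cert steps above through for two federated datacenters and renders the Consul agent configuration that consumes the resulting files: servers get the CA plus their own cert and key with hostname verification on, clients get the CA only and obtain their cert through auto-encrypt. The datacenter names (gcp-dc1, aws-dc2), load-balancer IPs and output directory are assumed; the real consul commands only run when the binary is installed, and the gossip-key check enforces the requirement stated earlier that every federated Consul cluster share the same key.

```shell
#!/bin/sh
# Added example, not code from the repo: generate the TLS material the page describes
# for two WAN-federated Consul datacenters and render the agent configuration that
# consumes it. Datacenter names, load-balancer IPs and the output directory are assumed.
set -eu

OUT_DIR="${OUT_DIR:-./consul-tls}"

# Build the server-cert command from the page for one datacenter. The wildcard SAN for the
# other datacenter is what lets verify_server_hostname succeed on cross-DC server RPC.
consul_server_cert_cmd() {
  dc="$1"; other_dc="$2"; lb_ip="$3"
  printf 'consul tls cert create -server -dc %s -additional-ipaddress=%s -additional-dnsname="*.%s.consul"' \
    "$dc" "$lb_ip" "$other_dc"
}

# Server agent config. Servers get the CA plus their own cert/key; auto_encrypt.allow_tls
# lets clients fetch their certs from the servers, so clients need only the CA file.
render_server_config() {
  dc="$1"; primary_dc="$2"; gossip_key="$3"; cert_base="$4"
  cat <<EOF
datacenter         = "$dc"
primary_datacenter = "$primary_dc"
encrypt            = "$gossip_key"
tls {
  defaults {
    ca_file         = "$OUT_DIR/consul-agent-ca.pem"
    cert_file       = "$OUT_DIR/$cert_base.pem"
    key_file        = "$OUT_DIR/$cert_base-key.pem"
    verify_incoming = true
    verify_outgoing = true
  }
  internal_rpc {
    verify_server_hostname = true
  }
}
auto_encrypt {
  allow_tls = true
}
EOF
}

# Client agent config: CA cert only; the client cert is obtained via auto_encrypt.
render_client_config() {
  dc="$1"; gossip_key="$2"
  cat <<EOF
datacenter = "$dc"
encrypt    = "$gossip_key"
tls {
  defaults {
    ca_file         = "$OUT_DIR/consul-agent-ca.pem"
    verify_incoming = true
    verify_outgoing = true
  }
}
auto_encrypt {
  tls = true
}
EOF
}

# Every federated Consul agent config must carry the same gossip key.
# Succeeds only when both files have a non-empty, identical encrypt value.
same_gossip_key() {
  k1=$(sed -n 's/^encrypt *= *"\(.*\)"$/\1/p' "$1")
  k2=$(sed -n 's/^encrypt *= *"\(.*\)"$/\1/p' "$2")
  [ -n "$k1" ] && [ "$k1" = "$k2" ]
}

# Run the real consul commands only when the binary is present.
if command -v consul >/dev/null 2>&1; then
  mkdir -p "$OUT_DIR"
  GOSSIP_KEY=$(consul keygen)
  (
    cd "$OUT_DIR"
    consul tls ca create                              # -> consul-agent-ca.pem, consul-agent-ca-key.pem
    # Each DC's cert lists the other DC's wildcard name so cross-DC server RPC verifies.
    consul tls cert create -server -dc gcp-dc1 -additional-ipaddress=10.10.0.10 -additional-dnsname="*.aws-dc2.consul"
    consul tls cert create -server -dc aws-dc2 -additional-ipaddress=10.20.0.10 -additional-dnsname="*.gcp-dc1.consul"
  )
  render_server_config gcp-dc1 gcp-dc1 "$GOSSIP_KEY" gcp-dc1-server-consul-0 > "$OUT_DIR/gcp-dc1-server.hcl"
  render_server_config aws-dc2 gcp-dc1 "$GOSSIP_KEY" aws-dc2-server-consul-0 > "$OUT_DIR/aws-dc2-server.hcl"
  render_client_config aws-dc2 "$GOSSIP_KEY" > "$OUT_DIR/aws-dc2-client.hcl"
  same_gossip_key "$OUT_DIR/gcp-dc1-server.hcl" "$OUT_DIR/aws-dc2-server.hcl" && echo "gossip keys match"
fi
```

The rendered server config is what you copy (together with consul-agent-ca.pem and the DC's server cert and key) to each server; clients receive only consul-agent-ca.pem and the client config. The file names follow what consul tls cert create produces for the first server cert in a datacenter (dc-server-consul-0.pem and its -key.pem).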

Nomad

To join multi-region federation, just do:

nomad server join [SECONDARY_NOMAD_SERVER_INTERNAL_IP]:4648

Replication tokens

For the non-primary DCs, you need to set server.authoritative_region and acl.replication_token. You can create the replication token by running (as an example):

nomad acl token create \
  -type="management" \
  -global=true \
  -name="EU Central cluster replication token"
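Putting the two Nomad steps together (the server join and the replication token), here is an added example, not code from this repo, that renders the server stanza for an authoritative and a secondary Nomad region and refuses the two misconfigurations that matter: a secondary region without a replication token, and a replication token placed on the authoritative region. The region names (us-central, eu-central), the datacenter name, bootstrap_expect and the token value are assumed; the token would come from the nomad acl token create command shown above.

```shell
#!/bin/sh
# Added example, not code from the repo: Nomad multi-region server config rendering.
# Region names, datacenter and bootstrap_expect are assumed values.
set -eu

# The join command from the page: Nomad servers federate over the serf WAN port 4648.
nomad_join_cmd() {
  printf 'nomad server join %s:4648' "$1"
}

# Render a Nomad server config for REGION, naming AUTHORITATIVE as the ACL source of truth.
# Secondary regions must carry acl.replication_token (a global management token); the
# authoritative region must not, since it replicates from nobody.
render_nomad_server_config() {
  region="$1"; authoritative="$2"; replication_token="${3:-}"
  if [ "$region" = "$authoritative" ] && [ -n "$replication_token" ]; then
    echo "refusing: authoritative region $region must not set acl.replication_token" >&2
    return 1
  fi
  if [ "$region" != "$authoritative" ] && [ -z "$replication_token" ]; then
    echo "refusing: secondary region $region requires acl.replication_token" >&2
    return 1
  fi
  cat <<EOF
region     = "$region"
datacenter = "dc1"
server {
  enabled              = true
  bootstrap_expect     = 3
  authoritative_region = "$authoritative"
}
acl {
  enabled = true
EOF
  if [ -n "$replication_token" ]; then
    printf '  replication_token = "%s"\n' "$replication_token"
  fi
  echo "}"
}

# Stand-alone run: print the two configs and the join command for a secondary server.
if [ "${NOMAD_DEMO_PRINT:-0}" = "1" ]; then
  render_nomad_server_config us-central us-central
  echo "---"
  render_nomad_server_config eu-central us-central "REPLACE-WITH-MANAGEMENT-TOKEN"
  echo "---"
  nomad_join_cmd 10.1.0.5
fi
```

The replication token is a global management token, so treat the rendered secondary-region file as a secret and distribute it the same way as the Consul server certs above rather than committing it alongside the Terraform code.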

About

License: Apache License 2.0