samrocketman/docker-compose-ha-consul-vault-ui samrocketman/docker-compose-ha-consul-vault-ui

  • Stars
    star
    201
  • Rank 187,643 (Top 4 %)
  • Language
    Shell
  • License
    MIT License
  • Created over 6 years ago
  • Updated about 3 years ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
samrocketman/docker-compose-ha-consul-vault-ui
github

samrocketman

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

A docker-compose example of HA Consul + Vault + Vault UI

HA Consul + Vault + Vault UI

Docker Logo Consul Logo Vault Logo VaultBoy Logo

This project is an example of using Consul, Vault, and Vault UI in a high availability (HA) configuration. Conveniently packaged as Docker services for provisioning via Docker Compose.

Features:

  • dnsmasq makes Consul DNS available to all containers. A secondary dnsmasq server is provided which grants HA to the DNS available to all containers. This allows consul-template to update DNS with zero DNS downtime. consul-template will create a lock to ensure it is not possible for both primary and secondary DNS servers to be down during DNS configuration updates as part of service discovery.
  • consul-template updates dnsmasq configuration and restarts dnsmasq when the configuration has changed (e.g. consul cluster size is increased on the fly). This makes consul DNS lookups HA.
  • Vault is registered via service discovery which is exposed via Consul DNS.
  • Persists data across restarts as long as the cluster is gracefully shut down. See [Starting and stopping section][#starting-and-stopping].
  • Local docker infrastructure is able to anonymously authenticate with Vault via approle method and its CIDR address.
  • Linux and Mac OS with docker supported.

Prerequisites

Supplemental reading material:

Getting started

Start the cluster

Remove --scale vault=3 if you want to start one instance of Vault. docker-compose up -d would bring only Consul up in HA configuration.

./scripts/consul-agent.sh --bootstrap
docker-compose up --scale vault=3 -d

Configure your web browser

Configure your browser to use the SOCKS5 proxy listening on localhost:1080. With your browser configured to use the proxy visit http://consul.service.consul:8500/ and wait for the cluster to be ready. After the vault service has all nodes available, it is time to initialize vault.

Initialize Vault

If you wish to secure secret.txt with GPG, then set the recipient_list environment variable. For example, the following.

export recipient_list="<gpg fingerprint to your secret gpg key>"

If you do not use GPG or do not want to, then skip setting recipient_list. Initialize vault witht he following command.

./scripts/initialize-vault.sh

The credentials for vault are located in the file secret.txt which is created when Vault is initialized. Alternately, secret.txt.gpg if using GPG encryption.

Visit the web UI

Configure your browser

Configure your web browser to use the SOCKS5 proxy listening on localhost:1080.

In Firefox, do the following:

  1. Edit connections settings
  2. Set Manual proxy configuration
  3. Set SOCKS host to localhost, set Port to 1080, and check SOCKS v5 boolean.

Alternately install FoxyProxy extension which is an extension for quickly switching proxies on or off.

For other browsers, web search how to configure proxy settings or see what extensions are available for managing proxy settings.

Visit services via Consul DNS

Visit http://portal.service.consul/. It provides links to other web UIs and if you configure additional portal services, then they will also show up automatically.

Alternately, you can visit consul and vault directly at:

To log into Vault UI you must generate for yourself an admin token.

./scripts/get-admin-token.sh

The root user token for Vault is stored in secret.txt at the root of this repository after you initialize Vault.

Other portal services

For playing around with service discovery I have created other docker-compose files which will automatically register with this consul cluster. Here's a list of what I have created so far.

Experiment

With HA enabled, container instances of consul and vault can be terminated with minor disruptions.

Consul can be scaled up on the fly. consul-template will automatically update dnsmasq to include new services. dnsmasq will experience zero downtime.

docker-compose up --scale vault=3 --scale consul-worker=6 -d

To play with failover for killing consul instances, it is recommended to review fault tolerance for consul HA deployments.

Starting and stopping

Because high availability clusters have to gossip across nodes you can't execute a simple docker-compose down without corrupting the clusters. Instead, you have to gracefully shut down all clusters that depend on consul and then gracefully shutdown consul itself. For this, I have provided a script.

Stop consul and vault cluster safely.

./scripts/graceful-shutdown.sh

Start the consul and vault clusters.

docker-compose up -d

Troubleshooting

DNS

Currently, output from the dnsmasq and dnsmasq-secondary servers are minimal. Verbosity of output can be increased for troubleshooting. Edit docker-compose.yml and add --log-queries to the dnsmasq command.

DNS client troubleshooting using Docker.

docker-compose run dns-troubleshoot

Using the dig command inside of the container.

# rely on the internal container DNS
dig consul.service.consul

# specify the dnsmasq hostname as the DNS server
dig @dnsmasq vault.service.consul

# reference vault DNS by tags
dig active.vault.service.consul
dig standby.vault.service.consul

Logs

View vault logs.

docker-compose logs vault

User docker exec to log into container names. It allows you to poke around the runtime of the container.

SOCKS5 proxy

Run a SOCKS5 proxy for use with your browser.

docker run --network docker-compose-ha-consul-vault-ui_internal --dns 172.16.238.2 --init -p 127.0.0.1:1080:1080 --rm serjs/go-socks5-proxy

Configure your browser to use SOCKS proxy at 127.0.0.1:1080.

Recovering data

It's possible a cluster was shutdown uncleanly and put into an irrecoverable state with no leader. If you have ever cleanly shut down consul, then it's possible you have a backup in the backups/ directory.

If you're in this leaderless state, then wipe out your old cluster data with the following command (this will permanently delete all old data).

docker-compose down -v

Start a new cluster.

docker-compose up -d

The latest backup can be restored via the following script.

./scripts/restore-consul.sh

If you have a specific backup you wish to restore, then you can call it as an argument.

./scripts/restore-consul.sh backups/backup.snap

Screenshots

show portal before services are available

show portal after services are available

consul screenshot of all discovered services

consul screenshot of service metadata

License

MIT License

More Repositories

1

jenkins-script-console-scripts

A repository of one-off script console scripts for Jenkins.
Groovy
427
star
2

jenkins-bootstrap-shared

Jenkins as immutable infrastructure made easy. A repository of shared scripts meant to be used as a git submodule. Packing Jenkins, plugins, and scripts into immutable packages and images.
Groovy
323
star
3

jervis

Self service Jenkins job generation using Jenkins Job DSL plugin groovy scripts. Reads .jervis.yml and generates a job in Jenkins.
Groovy
268
star
4

git-identity-manager

Git identity manager. It allows you to switch between git identities for user, name, and SSH private key used for authoring and publishing git commits.
Shell
84
star
5

jenkins-bootstrap-jervis

An automated Jenkins CI environment which provisions agent infrastructure on the fly per build.
Shell
75
star
6

nexus3-config-as-code

Configuration as code automation for Nexus Repository Manager v3.
Groovy
60
star
7

ekeyfinder

Archive of my sourceforge project Enchanted Keyfinder. Software key retrieval on Windows.
Pascal
58
star
8

jenkins-bootstrap-slack

Bootstrap a Jenkins instance configured for Jenkins slack plugin testing.
Groovy
41
star
9

home

This is a git repository for my home directory - encryption and other helpful scripts
Scheme
34
star
10

docker-compose-lgsm-rust-dedicated-server

A dockerized LGSM dedicated server for the Facepunch game: Rust.
Shell
30
star
11

demo-jenkins-world-2017

This repository is for a live demo of my Jenkins World 2017 presentation.
HTML
20
star
12

my_internal_ca

A set of basic scripts for managing an internal certificate authority.
Shell
19
star
13

drexel-university

This is a list of scripts I created while formerly working at Drexel University. These scripts were released with permission.
Shell
16
star
14

demo-jenkins-world-2018-jenkins-bootstrap

Groovy
8
star
15

docker-jenkins-jervis

Docker images for jervis.
Dockerfile
7
star
16

cloneable

A Java CLI utility which lists available GitHub repositories under a user or organization.
Groovy
6
star
17

blog

A personal technical blog. Full featured complete with automated peer review.
HTML
5
star
18

sounds-of-endless-sky

Shell
4
star
19

docker-aws-tools

A quick start for AWS infrastructure development in a Dockerized dev environment.
Dockerfile
4
star
20

docker-zoom

Makefile
4
star
21

terraria-dedicated-server

Scripts for running a Terraria dedicated server on Linux.
Shell
4
star
22

yml-install-files

A flexible YAML-based method of downloading multi-arch utilities with checksum validation. Intended for Docker.
Shell
4
star
23

docker-compose-nexus3-proxy

A local Nexus 3 proxy for my laptop whose purpose is to cache dependencies for docker containers and locally provisioned servers.
Shell
3
star
24

docker-production-ready-flask

This is an example app meant to package a Flask REST API in Docker meant for running in production contexts.
Makefile
3
star
25

buildwine

Sometimes I need to build WINE from source. This repository keeps my notes.
Shell
3
star
26

samrocketman.github.io

My personal website.
HTML
2
star
27

repository-secrets

A proof of concept for securing repository secrets for a build ecosystem where the repository is easily scrutinized by unauthorized parties.
Ruby
2
star
28

Spacefarer

Shell
2
star
29

vagrant-windows

Windows development machines on vagrant.
Ruby
2
star
30

consul-mysql

A MySQL relataional DB service backend using consul for service discovery.
Shell
2
star
31

endless-sky-vscode-devcontainer

Portable Development Environments for the Endless Sky community.
Dockerfile
2
star
32

servicenow-servicecatalog-exporter

Exports an entire ServiceCatalog from a ServiceNow instance.
Python
2
star
33

github-backups

A simple set of scripts which helps me keep an offline backup of my GitHub work.
Ruby
2
star
34

docker-webhookrelay

A minimal sidecar container meant to run a webhook relay for a local docker service.
Dockerfile
2
star
35

browser-detect.js

Archive of my sourceforge project to use JavaScript for detecting browsers and platforms.
JavaScript
1
star
36

proxytester

A set of python scripts and libs for testing a flat file list of anonymous proxies for use in a web browser.
Python
1
star
37

software_password_design

An exploration in best practices for storing passwords in a database.
Python
1
star
38

endless-sky-disable-author-ships

An endless sky plugin to remove author ships from the game.
Shell
1
star
39

example-mysql-live-migration

This repository serves as an example of performing a live MySQL database migration.
Shell
1
star
40

consul-kapacitor

A Kapacitor backend for Chronograf using consul service discovery.
1
star
41

docker-compose-emby

Run the Emby Media Server as a containerized service.
Shell
1
star
42

encfs4win

A read only git mirror of https://gitorious.org/encfs4win
C++
1
star
43

globd

Python
1
star
44

jenkins-bootstrap-github-oauth

A bootstrapped Jenkins instance for testing github-oauth plugin pull requests
Shell
1
star
45

docker-distroless

My own flavor of distroless distributions.
C
1
star
46

libgimp.js

Goals: write plugins in JavaScript for GIMP.
Groff
1
star
47

QuaernanHardpointsCarries

Endless Sky game plugin
Shell
1
star
48

docker-jekyll

A development environment for Jekyll which relies on Docker to contain dependencies.
Makefile
1
star
49

babytime-reporter

Turn a BabyTime app data export into JSON time series data for rich dashboards in Grafana.
Python
1
star
50

jenkins-bootstrap-ghprb

An immutable Jenkins instance which helps maintainers easily test the GHPRB plugin.
Shell
1
star
51

monitoring-scripts

A repository for housing scripts I use for monitoring.
Shell
1
star
52

consul-nexus3

A Nexus 3 service meant to be used with Consul service discovery.
Shell
1
star