• Stars
    star
    120
  • Rank 295,983 (Top 6 %)
  • Language
    Ruby
  • License
    Apache License 2.0
  • Created over 10 years ago
  • Updated about 1 year ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

A Puppet Module to Manage Consul

puppet-consul

Build Status Release Puppet Forge Puppet Forge - downloads Puppet Forge - endorsement Puppet Forge - scores puppetmodule.info docs Apache-2 License Donated by KyleAnderson

This module manages Consul servers and agents.

Compatibility

WARNING: Backwards incompatible changes happen in order to more easily support new versions of consul. Pin to the version that works for your setup!

Consul Version Recommended Puppet Module Version
>= 1.11.x >= 6.0.0
1.1.0-1.10.x 4.0.0-7.0.x
0.9-1.1.0 <= 3.4.2
0.8.x <= 3.2.4
0.7.0 <= 2.1.1
0.6.0 <= 2.1.1
0.5.x 1.0.3
0.4.x 0.4.6

What This Module Affects

  • Installs the consul daemon (via url or package)
    • If installing from zip, you must ensure the unzip utility is available.
    • If installing from docker, you must ensure puppetlabs-docker_platform module is available.
    • If installing on windows, you must install the puppetlabs/powershell module.
  • Optionally installs a user to run it under
    • NOTE: users enabling this and just starting with Consul should consider setting manage_user_home_location to true. It defaults to false for backwards compatibility.
  • Installs a configuration file (/etc/consul/config.json)
  • Manages the consul service via upstart, sysv, systemd, or nssm.
  • Optionally installs the Web UI

Usage

To set up a single consul server, with several agents attached: On the server:

class { 'consul':
  config_hash => {
    'bootstrap_expect' => 1,
    'data_dir'         => '/opt/consul',
    'datacenter'       => 'east-aws',
    'log_level'        => 'INFO',
    'node_name'        => 'server',
    'server'           => true,
  },
}

On the agent(s):

class { 'consul':
  config_hash => {
    'data_dir'   => '/opt/consul',
    'datacenter' => 'east-aws',
    'log_level'  => 'INFO',
    'node_name'  => 'agent',
    'retry_join' => ['172.16.0.1'],
  },
}

Disable install and service components:

class { 'consul':
  install_method => 'none',
  init_style     => false,
  manage_service => false,
  config_hash => {
    'data_dir'   => '/opt/consul',
    'datacenter' => 'east-aws',
    'log_level'  => 'INFO',
    'node_name'  => 'agent',
    'retry_join' => ['172.16.0.1'],
  },
}

Install the (HashiCorp) packages:

class { 'consul':
  install_method  => 'package',
  manage_repo     => $facts['os']['name'] != 'Archlinux',
  init_style      => 'unmanaged',
  manage_data_dir => true,
  manage_group    => false,
  manage_user     => false,
  config_dir      => '/etc/consul.d/',
  config_hash     => {
    'server'   => true,
  },
}
systemd::dropin_file { 'foo.conf':
  unit           => 'consul.service',
  content        => "[Unit]\nConditionFileNotEmpty=\nConditionFileNotEmpty=/etc/consul.d/config.json",
  notify_service => true,
}

Web UI

To install and run the Web UI on the server, include ui => true in the config_hash. You may also want to change the client_addr to 0.0.0.0 from the default 127.0.0.1, for example:

class { 'consul':
  config_hash => {
    'bootstrap_expect' => 1,
    'client_addr'      => '0.0.0.0',
    'data_dir'         => '/opt/consul',
    'datacenter'       => 'east-aws',
    'log_level'        => 'INFO',
    'node_name'        => 'server',
    'server'           => true,
    'ui'               => true,
  },
}

For more security options, consider leaving the client_addr set to 127.0.0.1 and use with a reverse proxy:

$aliases = ['consul', 'consul.example.com']

# Reverse proxy for Web interface
include 'nginx'

$server_names = [$facts['networking']['fqdn'], $aliases]

nginx::resource::vhost { $facts['networking']['fqdn']:
  proxy       => 'http://localhost:8500',
  server_name => $server_names,
}

Service Definition

To declare the availability of a service, you can use the service define. This will register the service through the local consul client agent and optionally configure a health check to monitor its availability.

consul::service { 'redis':
  checks  => [
    {
      script   => '/usr/local/bin/check_redis.py',
      interval => '10s'
    },
  ],
  port    => 6379,
  tags    => ['master'],
  meta    => {
    SLA => '1'
  },
}

See the service.pp docstrings for all available inputs.

You can also use consul::services which accepts a hash of services, and makes it easy to declare in hiera. For example:

consul::services:
  service1:
    address: "%{facts.networking.ip}"
    checks:
      - http: http://localhost:42/status
        interval: 5s
    port: 42
    tags:
      - "foo:%{facts.custom.bar}"
    meta:
      SLA: 1
  service2:
    address: "%{facts.networking.ip}"
    checks:
      - http: http://localhost:43/status
        interval: 5s
    port: 43
    tags:
      - "foo:%{facts.custom.baz}"
    meta:
      SLA: 4

Watch Definitions

consul::watch { 'my_watch':
  handler     => 'handler_path',
  passingonly => true,
  service     => 'serviceName',
  service_tag => 'serviceTagName',
  type        => 'service',
}

See the watch.pp docstrings for all available inputs.

You can also use consul::watches which accepts a hash of watches, and makes it easy to declare in hiera.

Check Definitions

consul::check { 'true_check':
  interval => '30s',
  script   => '/bin/true',
}

See the check.pp docstrings for all available inputs.

You can also use consul::checks which accepts a hash of checks, and makes it easy to declare in hiera.

Removing Service, Check and Watch definitions

Do ensure => absent while removing existing service, check and watch definitions. This ensures consul will be reloaded via SIGHUP. If you have purge_config_dir set to true and simply remove the definition it will cause consul to restart.

ACL Definitions

Policy/Token system

Starting with version 1.4.0, a new ACL system was introduces separating rules (policies) from tokens.

Tokens and policies may be both managed by Puppet:

consul_policy {'test_policy':
  description   => 'test description',
  rules         => [
    {
      'resource'    => 'service_prefix',
      'segment'     => 'test_service',
      'disposition' => 'read'
    },
    {
      'resource'    => 'key',
      'segment'     => 'test_key',
      'disposition' => 'write'
    },
  ],
  acl_api_token => 'e33653a6-0320-4a71-b3af-75f14578e3aa',
}

consul_token {'test_token':
  accessor_id       => '7c4e3f11-786d-44e6-ac1d-b99546a1ccbd',
  policies_by_name  => [
   'test_policy'
  ],
  policies_by_id    => [
    '652f27c9-d08d-412b-8985-9becc9c42fb2'
  ],
}

Here is an example to automatically create a policy and token for each host. For development environments acl_api_token can be the bootstrap token. For production it should be a dedicated token with access to write/read from the acls.

accessor_id must be provided. It is a uuid. It can be generated in several different ways.

  1. Statically generated and assigned to the resource. See /usr/bin/uuidgen on unix systems.
  2. Dynamically derived from the $facts['dmi']['product']['uuid'] fact in puppet (useful when consul_token has 1:1 mapping to hosts).
  3. Dynamically derived from arbitrary string using fqdn_uuid() (useful for giving all instances of a resource unique id).
  # Create ACL policy that allows nodes to update themselves and read others
  consul_policy { $facts['networking']['hostname']:
    description => "${facts['networking']['hostname']}, generated by puppet",
    rules => [
      {
        'resource' => 'node',
        'segment' => "$facts['networking']['hostname']",
        'disposition' => 'write'
      },
      {
        'resource' => 'node',
        'segment' => '',
        'disposition' => 'read'
      }
    ],
    acl_api_token => $acl_api_token,
  }

  consul_token { $facts['networking']['hostname']:
    accessor_id => fqdn_uuid($facts['networking']['hostname']),
    policies_by_name => ["${facts['networking']['hostname']}"],
    acl_api_token => $acl_api_token,
  }

Predefining token secret is supported by setting secret_id property.

Externally created tokens and policies may be used by referencing them by ID (Token: accessor_id property, Policy: ID property, linking: policies_by_id property)

Legacy system

consul_acl { 'ctoken':
  ensure => 'present',
  rules  => {
    'key' => {
      'test' => {
        'policy' => 'read'
      },
    },
  },
  type   => 'client',
}

Do not use duplicate names, and remember that the ACL ID (a read-only property for this type) is used as the token for requests, not the name

Optionally, you may supply an acl_api_token. This will allow you to create ACLs if the anonymous token doesn't permit ACL changes (which is likely). The api token may be the master token, another management token, or any client token with sufficient privileges.

NOTE: This module currently cannot parse ACL tokens generated through means other than this module. Don't mix Puppet and Non-puppet ACLs for best results! (pull requests welcome to allow it to co-exist with ACLs generated with normal HCL)

Prepared Queries and Prepared Query Templates

consul_prepared_query { 'consul':
  ensure               => 'present',
  service_name         => 'consul',
  service_failover_n   => 1,
  service_failover_dcs => [ 'dc1', 'dc2' ],
  service_only_passing => true,
  service_tags         => [ 'tag1', 'tag2' ],
  service_meta         => { 'version' => '1.2.3' },
  ttl                  => 10,
}

or a prepared query template:

consul_prepared_query { 'consul':
  ensure               => 'present',
  service_name         => 'consul',
  service_name         => 'consul-${match(1)}' # lint:ignore:single_quote_string_with_variables
  service_failover_n   => 1,
  service_failover_dcs => [ 'dc1', 'dc2' ],
  service_only_passing => true,
  service_tags         => [ '${match(2)}' ], # lint:ignore:single_quote_string_with_variables
  node_meta            => { 'is_virtual' => 'false' },
  template             => true,
  template_regexp      => '^consul-(.*)-(.*)$',
  template_type        => 'name_prefix_match',
}

Key/Value Objects

Example:

consul_key_value { 'key/path':
  ensure     => 'present',
  value      => 'myvaluestring',
  flags      => 12345,
  datacenter => 'dc1',
}

This provider allows you to manage key/value pairs. It tries to be smart in two ways:

  1. It caches the data accessible from the kv store with the specified acl token.
  2. It does not update the key if the value & flag are already correct.

These parameters are mandatory when using consul_key_value:

  • name Name of the key/value object. Path in key/value store.
  • value value of the key.

The optional parameters only need to be specified if you require changes from default behaviour.

  • flags {Integer} an opaque unsigned integer that can be attached to each entry. Clients can choose to use this however makes sense for their application. Default is 0.
  • acl\_api_token {String} Token for accessing the ACL API. Default is ''.
  • datacenter {String} Use the key/value store in specified datacenter. If '' (default) it will use the datacenter of the Consul agent at the HTTP address.
  • protocol {String} protocol to use. Either 'http' (default) or 'https'.
  • port {Integer} consul port. Defaults to 8500.
  • hostname {String} consul hostname. Defaults to 'localhost'.
  • api_tries {Integer} number of tries when contacting the Consul REST API. Timeouts are not retried because a timeout already takes long. Defaults to 3.

Limitations

Depends on the JSON gem, or a modern ruby. (Ruby 1.8.7 is not officially supported) Current versions of puppetserver are new enough (2.0.3 & greater are known to work).

Windows Experimental Support

Windows service does no longer need [NSSM] to host the service. Consul will be installed as a native windows service using build-in sc.exe. The following caveats apply:

  • By defult eveything will be installed into c:\ProgramData\Consul\ and $consul::config_hash['data_dir'] will default point to that location, so you don't need that in your config_hash
  • The service user needs logon as a service permission to run things as a service(not yet supported by this module). therefore will consul::manage_user and consul::manage_group be default false.
  • consul::user will default be NT AUTHORITY\NETWORK SERVICE (Has by default logon as a service permission).
  • consul::group will default be Administrators

Example:

class { 'consul':
  config_hash => {
    'bootstrap_expect' => 1,
    'datacenter'       => 'dc1',
    'log_level'        => 'INFO',
    'node_name'        => 'server',
    'server'           => true,
  },
}

Telemetry

The Consul agent collects various runtime metrics about the performance of different libraries and subsystems. These metrics are aggregated on a ten second interval and are retained for one minute.

To view this data, you must send a signal to the Consul process: on Unix, this is USR1 while on Windows it is BREAK. Once Consul receives the signal, it will dump the current telemetry information to the agent's stderr.

This telemetry information can be used for debugging or otherwise getting a better view of what Consul is doing.

Example:

class { 'consul':
  config_hash => {
    'bootstrap_expect' => 1,
    'data_dir'         => '/opt/consul',
    'datacenter'       => 'east-aws',
    'log_level'        => 'INFO',
    'node_name'        => 'server',
    'server'           => true,
    'telemetry' => {
      'statsd_address' => 'localhost:9125',
      'prefix_filter' => [
        '+consul.client.rpc',
        '+consul.client.rpc.exceeded',
        '+consul.acl.cache_hit',
        '+consul.acl.cache_miss',
        '+consul.dns.stale_queries',
        '+consul.raft.state.leader',
        '+consul.raft.state.candidate',
        '+consul.raft.apply',
        '+consul.raft.commitTime',
        '+consul.raft.leader.dispatchLog',
        '+consul.raft.replication.appendEntries',
        '+consul.raft.leader.lastContact',
        '+consul.rpc.accept_conn',
        '+consul.catalog.register',
        '+consul.catalog.deregister',
        '+consul.kvs.apply',
        '+consul.leader.barrier',
        '+consul.leader.reconcile',
        '+consul.leader.reconcileMember',
        '+consul.leader.reapTombstones',
        '+consul.rpc.raft_handoff',
        '+consul.rpc.request_error',
        '+consul.rpc.request',
        '+consul.rpc.query',
        '+consul.rpc.consistentRead',
        '+consul.memberlist.msg.suspect',
        '+consul.serf.member.flap',
        '+consul.serf.events',
        '+consul.session_ttl.active',
      ],
    },
  },
}

The metrics for the consul system you can look them in the Official Consul Site with all the description for every metric. Url: https://www.consul.io/docs/agent/telemetry.html

Consul Template

Consul Template is a piece of software to dynamically write out config files using templates that are populated with values from Consul. This module does not configure consul template. See gdhbashton/consul_template for a module that can do that.

Development

Open an issue or fork and open a Pull Request

Transfer Notice

This module was originally authored by solarkennedy. The maintainer preferred that Vox Pupuli take ownership of the module for future improvement and maintenance. Existing pull requests and issues were transferred over, please fork and continue to contribute here instead of KyleAnderson.

Previously: https://github.com/solarkennedy/puppet-consul

More Repositories

1

json-schema

Ruby JSON Schema Validator
Ruby
1,447
star
2

puppetboard

Web frontend for PuppetDB
Python
698
star
3

hiera-eyaml

A backend for Hiera that provides per-value asymmetric encryption of sensitive data
Ruby
528
star
4

puppet-nginx

Puppet Module to manage NGINX on various UNIXes
Ruby
468
star
5

puppet-elasticsearch

Elasticsearch Puppet module
Ruby
406
star
6

beaker

Puppet Acceptance Testing Harness
Ruby
368
star
7

puppet-jenkins

Puppet module for Jenkins
Ruby
276
star
8

puppet-python

Puppet module for installing and managing Python, pip, virtualenvs and Gunicorn virtual hosts.
Ruby
197
star
9

puppet-logstash

Puppet module to manage Logstash
Puppet
192
star
10

puppet-rabbitmq

RabbitMQ Puppet Module
Ruby
174
star
11

onceover

Your gateway drug to automated infrastructure testing with Puppet
Ruby
142
star
12

puppet-mcollective

MCollective Server and Client Puppet Module
Ruby
122
star
13

puppet-openvpn

OpenVPN module for puppet including client config/cert creation
Ruby
113
star
14

puppet-nodejs

Puppet module to install nodejs and global npm packages
Ruby
112
star
15

modulesync

Synchronize common files across your Git repositories.
Ruby
101
star
16

vagrant-librarian-puppet

A Vagrant plugin to install Puppet modules using Librarian-Puppet.
Ruby
101
star
17

puppet-r10k

Setup and configure r10k for use with git based environments in puppet
Ruby
98
star
18

pypuppetdb

Python library for working with the PuppetDB API
Python
93
star
19

puppet-mongodb

mongodb installation
Ruby
92
star
20

puppet-ghostbuster

👻 Dead code detector for Puppet
Ruby
89
star
21

puppet-letsencrypt

A Puppet module to install the Letsencrypt client and request certificates.
Ruby
86
star
22

puppet-php

Generic Puppet module to manage PHP on many platforms
Puppet
85
star
23

puppet-mode

Edit Puppet manifests with GNU Emacs 24
Emacs Lisp
77
star
24

puppet-gitlab

Puppet module to manage Gitlab (Omnibus)
Puppet
74
star
25

puppet-postfix

Puppet postfix module
HTML
72
star
26

puppet-collectd

Collectd module for Puppet
Ruby
70
star
27

puppet-syntax

Syntax checks for Puppet manifests and templates
Ruby
68
star
28

puppet-blacksmith

Ruby Gem with Puppet Module utilities
Ruby
68
star
29

puppet-network

Types and providers to manage network interfaces
Ruby
68
star
30

puppet-augeasproviders

Alternative Augeas-based providers for Puppet
Ruby
65
star
31

puppet-system

Manage Linux system resources and services from hiera configuration
Puppet
64
star
32

puppet-jira

Atlassian JIRA Puppet Module
Ruby
61
star
33

puppet-prometheus

Puppet module for prometheus
Puppet
60
star
34

puppet-archive

Compressed archive file download and extraction with native types/providers for Windows and Unix
Ruby
59
star
35

beaker-rspec

beaker-rspec is a bridge between the puppet acceptance test harness
Ruby
58
star
36

rspec-puppet-facts

Simplify your unit tests by looping on every supported Operating System and populating facts.
Ruby
58
star
37

puppet-puppetboard

Puppet module to install and manage puppetboard
Puppet
53
star
38

puppet-staging

⛔️ Deprecated in favor of puppet-archive
Ruby
51
star
39

puppet-pxe

Puppet module for deploying a PXE boot server
Puppet
49
star
40

hiera-eyaml-gpg

GPG encryption backend for the hiera-eyaml module
Ruby
49
star
41

puppet-systemd

Puppet module to manage systemd
Ruby
49
star
42

puppet-selinux

Puppet Module to manage SELinux on RHEL machines
Ruby
49
star
43

puppet-keepalived

Puppet Module to manage Keepalived
Ruby
48
star
44

puppet-prometheus_reporter

A prometheus Puppet reports exporter for Puppet
Ruby
48
star
45

puppet-iis

Module to mange IIS with Puppet
Ruby
46
star
46

puppet-corosync

Sets up and manages Corosync.
Ruby
45
star
47

puppet-dhcp

Puppet module for deploying dhcp
Ruby
42
star
48

puppet-epel

Setup/configure EPEL (extra repository for enterprise linux) with Puppet
Ruby
41
star
49

puppet-redis

Puppet Module to manage Redis
Ruby
40
star
50

puppet-openssl

Puppet OpenSSL module
Ruby
39
star
51

puppet-pkgng

A Puppet package provider for FreeBSD's PkgNG package manager.
Ruby
39
star
52

puppet-firewalld

Puppet module for managing firewalld
Ruby
39
star
53

puppet-splunk

Manage Splunk servers and forwarders using Puppet
Ruby
39
star
54

puppet-rundeck

Module for managing the installatation and configuration of the rundeck orchestration tool
Ruby
38
star
55

puppet-openldap

Manage OpenLDAP with Puppet
Ruby
35
star
56

puppet-vmwaretools

Puppet module to manage VMware Operating System Specific Packages for VMware tools installation.
Puppet
35
star
57

puppet-snmp

Puppet module to manage Net-SNMP.
Ruby
34
star
58

puppet-unattended_upgrades

Unattended-upgrades for APT
Ruby
33
star
59

puppet-dnsquery

DNS query functions for Puppet
Ruby
32
star
60

puppet-hiera

Hiera hierarchy module for templating `hiera.yaml`
Ruby
32
star
61

puppet-kafka

The kafka module for managing the installation and configuration of Apache Kafka
Puppet
30
star
62

puppet-fail2ban

This module installs, configures and manages the Fail2ban service.
Ruby
30
star
63

ra10ke

Rake tasks related to R10K and Puppetfile
Ruby
29
star
64

puppet-wildfly

Puppet module to install, configure and manage Wildfly (8/9/10+), JBoss EAP (6.1+/7.0+) and some Wildfly based products like apiman, Keycloak and Infinispan.
Ruby
29
star
65

puppet-windowsfeature

Library that uses ServerAdministration api that comes with Windows Server 2008 and Windows Server 2012 to add / remove windows features
Ruby
29
star
66

puppet-catalog-diff-viewer

A viewer for the puppet-catalog-diff tool
JavaScript
28
star
67

puppet-unbound

Puppet module for deploying the swiss-army of DNS, Unbound
Ruby
28
star
68

metadata-json-lint

Tool to check the validity of Puppet metadata.json files
Ruby
27
star
69

hiera-file

File backend for Hiera
Ruby
26
star
70

puppet-vault_lookup

Ruby
25
star
71

puppetdb-ruby

Ruby client library for interacting with PuppetDB API
Ruby
24
star
72

puppet-alternatives

Manage Debian alternatives links
Ruby
24
star
73

puppet-telegraf

A Puppet module for installing and configuring InfluxData's Telegraf
Ruby
24
star
74

puppet-healthcheck

Puppet resources to evaluate the health and status of things.
Ruby
22
star
75

puppet-puppetserver

Puppet module for puppetserver
Ruby
21
star
76

puppet-confluence

A puppet module to install confluence
Ruby
20
star
77

puppet-drbd

Basic module for configuring active-passive drbd resources
Puppet
20
star
78

puppet-stash

A puppet module to install atlassian stash
Ruby
19
star
79

puppet-kmod

manage kernel module with puppet
Ruby
18
star
80

puppet-mrepo

Puppet module for creating and managing RPM based repository mirrors.
Puppet
17
star
81

puppet-ssh_keygen

Generation of ssh keys with ssh-keygen
Ruby
17
star
82

puppet-windows_firewall

puppet module for configuring the windows firewall
Ruby
17
star
83

puppet-nomad

Puppet module for managing Nomad
Ruby
16
star
84

puppet-gluster

Create and manage Gluster pools, volumes, and mounts
Ruby
16
star
85

puppet-kibana

Kibana Puppet module by Elastic.
Ruby
16
star
86

puppet-filemapper

Map files to puppet resources and back
Ruby
15
star
87

puppet-proxysql

Puppet module to configure ProxySQL
Ruby
15
star
88

puppet-cron

Puppet module to manage cron jobs via /etc/cron.d
Ruby
14
star
89

puppet-tea

Puppet 4.6 Types: Abstracted & Extracted
Ruby
14
star
90

puppet-ca_cert

A puppet module for managing (non-system) CA certificates.
Ruby
14
star
91

puppet-minecraft

Puppet - Minecraft: Separately maintained fork of brannan's puppet-module-minecraft
Ruby
14
star
92

puppet-chrony

Puppet module for Chrony with Systemd
Ruby
13
star
93

puppet-smokeping

Puppet module to install and configure smokeping. Including target and slave definition
Puppet
13
star
94

puppet-cassandra

Installs Cassandra & DataStax Agent on RHEL/Ubuntu/Debian.
Ruby
13
star
95

puppet-googleauthenticator

Google-authenticator module for Puppet
Puppet
13
star
96

puppet-bareos

Puppet Module to manage bareos
Puppet
13
star
97

puppet-misp

This module installs and configures MISP (Malware Information Sharing Platform)
HTML
13
star
98

puppet_webhook

Sinatra-based application that triggers puppet-related commands from VCS Webhook calls
Ruby
13
star
99

puppet-extlib

This module provides functions that are out of scope for stdlib.
Ruby
13
star
100

puppet-gitlab_ci_runner

Module to mange gitlab CI runners. Extracted from https://github.com/voxpupuli/puppet-gitlab
Ruby
13
star