Consul Variables and Stuff (2015 11 20)

Here's a detailed account of all the values in Consul and Vault required for all environments:

Automation

There's a few playbooks that can help you manage consul and vault:

• consul.yml deploys consul to api, web, and services
• vault.yml deploys vault to services
• consul-values.yml inserts a bunch of seed data into consul
  • write_values set to yes to actually write values
• vault-values.yml inserts a bunch of seed data into vault
  • write_values set to yes to actually write values
  • write_root_creds set to yes to actually write root credentials for the AWS backend

Key/Values

• node/env (e.g. production)
• api/hostname (e.g. api.runnable.io)

Keys/Values, Software Versions

note: these are still key/value pairs, but separating them out for clarity

• image-builder/version
• docker-listener/version
• filibuster/version
• krain/version
• sauron/version
• charon/version

Secrets

• secret/loggly
  • token=[token]
• secret/rabbitmq
  • username=[username]
  • password=[password]
• secret/github/hellorunnable
  • token=[github-token]
• secret/swarm
  • token=[swarm-token]

Services

• rabbitmq
• redis
• datadog
• registry

Vault Backends

• New Vault Backends for new Environments
  • Need to be initialized with TLS disabled.
  • ssh <box-running-vault>
  • sudo docker exec -it $(sudo docker ps | grep 'vault' | awk '{print $1}') sh
  • vault init -address=http://127.0.0.1:8200
  • Record the values output somewhere (they will be used to setup the variables for ansible)
• aws
  • mount the backend

  vault mount aws

  • configure the root:

  vault write aws/config/root \
    access_key=[access-key] \
    secret_key=[secret-key] \
    region=[region (e.g. us-west-2)]

  • configure the dock-init role

  vault write aws/roles/dock-init \
    [email protected]

  • policy.json can be found in the dock-init repo (link may be out of date, but path should be correct)
  • can test this by doing vault read aws/creds/dock-init