GluuFederation/gluu-docker

Add Settings for secured consul connection.

adragoset opened this issue · 9 comments

I'm looking at deploying Gluu into an environment that already has a Consul and Nomad implementation present. However, my Consul implementation is secured with TLS client/server authentication in addition to ACL tokens.

For the Python Consul client to be able to communicate with Consul it will need the necessary client/server certificates as well as the ACL token set.

Additionally, I would consider a Vault option for users with a Vault implementation and have secrets be stored in Vault rather than in Consul, since Consul's KV store isn't really considered to be a secure store.

> Additionally, I would consider a Vault option for users with a Vault implementation and have secrets be stored in Vault rather than in Consul, since Consul's KV store isn't really considered to be a secure store.

We're currently trying to deploy differentiation between secrets and standard config #40.

> For the Python Consul client to be able to communicate with Consul it will need the necessary client/server certificates as well as the ACL token set.

Do you have a proposal/methodology on how to implement this?

@afroDC

Typically for my Consul clients in container deploys I have a set of env variables like so:
CONSUL_ADDR=https://${attr.unique.network.ip-address}:8501
CONSUL_ACL_TOKEN=82b42ad2-b146-4c47-a63f-6cf2c4791093
CONSUL_HTTP_SSL_VERIFY=1
CONSUL_HTTP_SSL=1
CONSUL_CACERT=/local/ca.pem
CONSUL_CLIENT_CERT=/local/consul_hashiui_cert.pem
CONSUL_CLIENT_KEY=/local/consul_hashiui_key.pem

Consul's Go API can then be configured with these values; I'm not as familiar with the Python API, but I suspect it can be configured there as well, or if using curl you specify the options when you run a request.

I mount a config folder with the certificates to the container when it runs. This allows a couple of possibilities. In a manual/compose deploy situation you mount the config folder with the certs by hand during run, or specify it in docker compose. In a situation where I'm deploying through Nomad or some other orchestrator, I can set the path to a folder the orchestrator automounts with the allocation. Now, if these options aren't set, you can test with conditionals to configure your Consul API client correctly.

> Consul's Go API can then be configured with these values; I'm not as familiar with the Python API, but I suspect it can be configured there as well, or if using curl you specify the options when you run a request.

We're using the python-consul library, which has support for secure connections to Consul, though we only have HTTP support (not HTTPS yet) at this moment. What we can do is add options via env vars to allow the client to connect to a secured Consul, for example:

GLUU_CONSUL_SCHEME=https
GLUU_CONSUL_VERIFY=true
GLUU_CONSUL_CACERT_FILE=/run/secrets/consul_ca.pem
GLUU_CONSUL_CERT_FILE=/run/secrets/consul_cert.pem
GLUU_CONSUL_KEY_FILE=/run/secrets/consul_key.pem
GLUU_CONSUL_ACL_TOKEN_FILE=/run/secrets/consul_token

Based on those env vars, the client then can be configured to connect to Consul securely.

> GLUU_CONSUL_ACL_TOKEN_FILE=/run/secrets/consul_token

@iromli will it be able to pull this token from a text file?

@afroDC the entrypoint will read the content of this token file. We don't want to pass token in env var directly.

@iromli Excellent. Just wanted to be sure on functionality.
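The following is an added example, not code from gluu-docker or python-consul, showing how an entrypoint could translate the `GLUU_CONSUL_*` variables proposed above into the keyword arguments of python-consul's `consul.Consul()` (which accepts `host`, `port`, `token`, `scheme`, `verify` and `cert`), reading the ACL token from the file named in `GLUU_CONSUL_ACL_TOKEN_FILE` rather than from the environment. The `GLUU_CONSUL_HOST`/`GLUU_CONSUL_PORT` names, the defaults, and the `demo()` sample values are assumptions for illustration and do not appear in the thread.

```python
import os
import tempfile
from pathlib import Path

# Defaults for the env vars discussed in the thread. GLUU_CONSUL_HOST and
# GLUU_CONSUL_PORT are hypothetical names assumed for this example only.
DEFAULTS = {
    "GLUU_CONSUL_HOST": "localhost",
    "GLUU_CONSUL_PORT": "8500",
    "GLUU_CONSUL_SCHEME": "http",
    "GLUU_CONSUL_VERIFY": "true",
    "GLUU_CONSUL_CACERT_FILE": "",
    "GLUU_CONSUL_CERT_FILE": "",
    "GLUU_CONSUL_KEY_FILE": "",
    "GLUU_CONSUL_ACL_TOKEN_FILE": "",
}


def as_bool(value):
    """Interpret the usual truthy spellings used in env vars."""
    return str(value).strip().lower() in ("1", "true", "yes", "on")


def read_secret_file(path):
    """Return the stripped content of a secret file, or None if unset or absent.

    The token is read from a mounted file (e.g. a Docker secret) so that it never
    has to be placed in the container environment itself.
    """
    if not path:
        return None
    secret = Path(path)
    if not secret.is_file():
        return None
    return secret.read_text().strip() or None


def consul_client_kwargs(env=None):
    """Map GLUU_CONSUL_* settings onto python-consul's Consul() keyword arguments."""
    merged = dict(DEFAULTS)
    merged.update(os.environ if env is None else env)

    scheme = merged["GLUU_CONSUL_SCHEME"].strip().lower()
    if scheme not in ("http", "https"):
        raise ValueError("GLUU_CONSUL_SCHEME must be http or https, got %r" % scheme)

    kwargs = {
        "host": merged["GLUU_CONSUL_HOST"],
        "port": int(merged["GLUU_CONSUL_PORT"]),
        "scheme": scheme,
        "token": read_secret_file(merged["GLUU_CONSUL_ACL_TOKEN_FILE"]),
        "verify": True,
    }

    if scheme == "https":
        verify = as_bool(merged["GLUU_CONSUL_VERIFY"])
        cacert = merged["GLUU_CONSUL_CACERT_FILE"]
        # python-consul hands `verify` to requests, which accepts either a bool or
        # a path to a CA bundle; a private CA is pinned by passing its file path.
        kwargs["verify"] = cacert if (verify and cacert) else verify

        cert, key = merged["GLUU_CONSUL_CERT_FILE"], merged["GLUU_CONSUL_KEY_FILE"]
        if cert and key:
            kwargs["cert"] = (cert, key)  # mutual-TLS client certificate and key
        elif cert or key:
            raise ValueError("GLUU_CONSUL_CERT_FILE and GLUU_CONSUL_KEY_FILE must be set together")

    return kwargs


def make_client(env=None):
    """Instantiate the python-consul client from the computed settings."""
    import consul  # pip install python-consul

    return consul.Consul(**consul_client_kwargs(env))


def demo():
    """Build a throwaway token file with a constructed sample value and return the kwargs."""
    tmp = tempfile.mkdtemp()
    token_file = os.path.join(tmp, "consul_token")
    with open(token_file, "w") as fh:
        fh.write("constructed-sample-acl-token\n")  # constructed, not a real token
    env = {
        "GLUU_CONSUL_SCHEME": "https",
        "GLUU_CONSUL_VERIFY": "true",
        "GLUU_CONSUL_CACERT_FILE": "/run/secrets/consul_ca.pem",
        "GLUU_CONSUL_CERT_FILE": "/run/secrets/consul_cert.pem",
        "GLUU_CONSUL_KEY_FILE": "/run/secrets/consul_key.pem",
        "GLUU_CONSUL_ACL_TOKEN_FILE": token_file,
    }
    return consul_client_kwargs(env)


if __name__ == "__main__":
    print(demo())
```

With no `GLUU_CONSUL_*` variables set, the same function yields a plain HTTP client with no token, so the entrypoint degrades to the current behaviour; with the HTTPS variables set it pins the CA bundle, presents the client certificate and supplies the ACL token read from the mounted file.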

Settings for secured consul connection have been added. Please refer to https://gluu.org/docs/ce/3.1.3/docker/technical/ for details.

NOTE: deploying secure Consul and Registrator is out of the scope of documentation. Please open ticket at http://support.gluu.org/ for implementation example.

> Additionally, I would consider a Vault option for users with a Vault implementation and have secrets be stored in Vault rather than in Consul, since Consul's KV store isn't really considered to be a secure store.

We should discuss it in #40 instead.

Closing this issue. Feel free to re-open.