
Demo Consul Lab on GCP

Consul Connect GCP Demo Lab

This is a simple demo showing command-line operations of Consul Connect using Docker containers.

The demo uses Docker and Terraform to create the infrastructure and launch the applications.

Prerequisites

  • Install terraform binary
  • Install and configure gcloud sdk
  • Create project in GCP account and set gcloud to that project (i.e. gcloud config set project my-demo)

Installing in GCP (Google Cloud)

  1. Create a new project to house the demo. This example uses a project whose ID is my-demo. Terraform and gcloud need the project ID, not the display name; if the two differ, run gcloud projects list to look up the ID.

  2. Create a service account and grant it the roles the script below binds: Service Account User, Compute Instance Admin (v1), Compute Network Admin and Compute Security Admin. Download the account credentials as a JSON file. The key is a long-lived credential: keep it out of version control and delete it (gcloud iam service-accounts keys delete) when the lab is torn down. The account can be created through the UI or through the gcloud command line tool, e.g.:

    project="my-demo"
    account="my-service-account"
    
    gcloud iam service-accounts create ${account} \
        --display-name "Demo Lab Service Account" \
        --project ${project}
    
    for role in iam.serviceAccountUser compute.instanceAdmin.v1 compute.networkAdmin compute.securityAdmin
    do
        gcloud projects add-iam-policy-binding ${project} \
            --member serviceAccount:${account}@${project}.iam.gserviceaccount.com \
            --role roles/${role}
    done
    
    gcloud iam service-accounts keys create ${account}-key.json \
        --iam-account ${account}@${project}.iam.gserviceaccount.com
    
  3. Add the credentials to your shell environment so the tools can find them. Use an absolute path so the variable still resolves when you run Terraform from another directory:

    export GOOGLE_APPLICATION_CREDENTIALS=$(pwd)/my-service-account-key.json
    
  4. Modify the variables.tf file so the default is your project ID:

    variable "project_name" {
      type        = string
      default     = "my-demo"
      description = "ID of the GCP project to create resources in."
    }
    
  5. Use Terraform to create the GCE instances, firewall rules, and Consul Connect intentions.

    terraform init
    terraform plan
    terraform apply
    

    If successful, the output will end with something similar to this:

    Apply complete! Resources: 6 added, 0 changed, 0 destroyed.
    
  6. You can see the public IP address and URL for your demo by inspecting the Terraform output (terraform output prints it again at any time):

    Outputs:
    
    Consul_Server_HTTP_Address = http://35.243.149.159:8500
    Consul_Server_Public_IP = 35.243.149.159
    

Note: It may take a minute or two after apply completes for the Consul UI to become available, while the instance boots and the Consul containers start.
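The following check script is an addition to this page, not part of the lab's repository. It covers the two things a practitioner should verify once the steps above have finished: that the downloaded service-account key is readable only by its owner, and what the apply actually exposed on the public address Terraform printed (whether the Consul HTTP API answers unauthenticated requests, and which firewall rules in the project admit 0.0.0.0/0). It assumes the key file name and project ID used in the steps above, the Consul_Server_HTTP_Address output name, and that gcloud, terraform and curl are on PATH; run it from the directory holding the Terraform state.

```sh
#!/bin/sh
# Added post-apply check script (not part of the lab). Assumes the key file name,
# the project ID and the Terraform output name used in the README above.
set -eu

# A downloaded service-account key is a long-lived credential: anyone who can read
# the file can act as the account. Prints "ok" for 0600/0400, else "too-open:<mode>".
key_file_mode_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case "$mode" in
        600|400) echo ok ;;
        *)       echo "too-open:$mode" ;;
    esac
}

# Turn the HTTP status of an unauthenticated GET /v1/agent/self into a verdict.
# 200 means anyone who can reach port 8500 can read the catalog (and register
# services through /v1/agent/service/register); 403 means ACLs are enforced.
classify_agent_api() {
    case "$1" in
        200) echo "open-no-acl" ;;
        403) echo "acl-enforced" ;;
        000) echo "unreachable" ;;
        *)   echo "unexpected:$1" ;;
    esac
}

# Firewall rules in the project that admit the whole internet. The lab's 8500 rule
# should only admit your own address; anything else listed here deserves a look.
list_world_open_rules() {
    gcloud compute firewall-rules list --project "$1" \
        --format="table(name,sourceRanges.list():label=SRC,allowed[].map().firewall_rule().list():label=ALLOW)" \
        | grep -E 'SRC|0\.0\.0\.0/0' || true
}

main() {
    project=$1
    key=${2:-${GOOGLE_APPLICATION_CREDENTIALS:-}}
    [ -n "$key" ] || { echo "no key file given and GOOGLE_APPLICATION_CREDENTIALS unset" >&2; exit 2; }

    echo "key file $key: $(key_file_mode_ok "$key")"

    # Terraform exposes the UI/API address as the Consul_Server_HTTP_Address output.
    addr=$(terraform output -raw Consul_Server_HTTP_Address)
    code=$(curl -s -o /dev/null -w '%{http_code}' "$addr/v1/agent/self" || true)
    echo "agent API at $addr: $(classify_agent_api "$code")"

    echo "firewall rules open to 0.0.0.0/0 in $project:"
    list_world_open_rules "$project"
}

# Only run when asked to, so the functions above can be sourced or tested alone.
if [ "${1:-}" = "run" ]; then
    shift
    main "$@"
fi
```

Usage: `sh post_apply_check.sh run my-demo ./my-service-account-key.json`. A verdict of open-no-acl on a public address means the whole internet can register and deregister services in your lab; if that is what Terraform produced, tighten the firewall rule's source range to your own address before using the environment for anything beyond a short demo.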

Demo

For this demo we remove and re-add nodes of a Consul service to show the end-to-end flow of the Check Point and Consul integration.

From the demo-consul-server0 VM (see the SSH steps below):

  1. Show the current containers; each service container runs its own Consul agent:

    docker ps -a
    
  2. Confirm in the Consul web UI that the web service has three instances (web1, web2, web3). The UI is served over plain HTTP, as the Terraform output shows:

    http://<consul-server-ip>:8500
    
  3. Stop the web1 container. Stopping it also stops that node's Consul agent, so the web instance registered by demo_web1_1 disappears from the Consul web UI, and CTA removes the node from the web1 dynamic object in Check Point SmartConsole:

    docker stop demo_web1_1
    
  4. Start the web1 container again:

    docker start demo_web1_1
    
  5. Re-register the service from inside the restarted container (the call goes to that container's local agent). CTA adds the node back to the web1 dynamic object in Check Point SmartConsole:

    docker exec -it demo_web1_1 curl -s -X PUT -d @/web1.json "http://127.0.0.1:8500/v1/agent/service/register"

Registering and Deregistering Services and Intentions

Once Terraform finishes, you should have a working Consul lab environment. SSH into the demo Consul VM that has been deployed into the environment to register or deregister the services. The register and deregister calls must be made against the agent that owns the service, which is the agent inside each service's container (127.0.0.1:8500 there is that container's agent, not the server); that is why they are wrapped in docker exec.

$ gcloud compute ssh demo-consul-server0 
$ sudo su
$ cd /tmp
$ docker ps -a
CONTAINER ID        IMAGE                                         COMMAND                  CREATED             STATUS              PORTS                                                                      NAMES
e802b501c523        nicholasjackson/consul_connect_agent:latest   "consul agent -confi…"   33 minutes ago      Up 33 minutes       8300-8302/tcp, 8500/tcp, 8301-8302/udp, 8600/tcp, 8600/udp                 demo_web1_1
92d1631390f7        nicholasjackson/consul_connect_agent:latest   "consul agent -confi…"   33 minutes ago      Up 33 minutes       8300-8302/tcp, 8500/tcp, 8301-8302/udp, 8600/tcp, 8600/udp                 demo_db2_1
5fe85d6cc4ee        nicholasjackson/consul_connect_agent:latest   "consul agent -confi…"   33 minutes ago      Up 33 minutes       8300-8302/tcp, 8500/tcp, 8301-8302/udp, 8600/tcp, 8600/udp                 demo_app3_1
e4578ae725ef        nicholasjackson/consul_connect:latest         "/bin/sh -c 'consul …"   33 minutes ago      Up 33 minutes       8300-8302/tcp, 8301-8302/udp, 8600/tcp, 8600/udp, 0.0.0.0:8500->8500/tcp   demo_consul_server_1
b36914ea2335        nicholasjackson/consul_connect_agent:latest   "consul agent -confi…"   33 minutes ago      Up 33 minutes       8300-8302/tcp, 8500/tcp, 8301-8302/udp, 8600/tcp, 8600/udp                 demo_db1_1
108254b3039f        nicholasjackson/consul_connect_agent:latest   "consul agent -confi…"   33 minutes ago      Up 33 minutes       8300-8302/tcp, 8500/tcp, 8301-8302/udp, 8600/tcp, 8600/udp                 demo_web2_1
8edffe0a66c3        nicholasjackson/consul_connect_agent:latest   "consul agent -confi…"   33 minutes ago      Up 33 minutes       8300-8302/tcp, 8500/tcp, 8301-8302/udp, 8600/tcp, 8600/udp                 demo_web3_1
472438a815d9        nicholasjackson/consul_connect_agent:latest   "consul agent -confi…"   33 minutes ago      Up 33 minutes       8300-8302/tcp, 8500/tcp, 8301-8302/udp, 8600/tcp, 8600/udp                 demo_app2_1
5b8951940d35        nicholasjackson/consul_connect_agent:latest   "consul agent -confi…"   33 minutes ago      Up 33 minutes       8300-8302/tcp, 8500/tcp, 8301-8302/udp, 8600/tcp, 8600/udp                 demo_app1_1
  • Registering services
    # Register Web services
    docker exec -it demo_web1_1 curl -s -X PUT -d @/web1.json "http://127.0.0.1:8500/v1/agent/service/register"
    docker exec -it demo_web2_1 curl -s -X PUT -d @/web2.json "http://127.0.0.1:8500/v1/agent/service/register"
    docker exec -it demo_web3_1 curl -s -X PUT -d @/web3.json "http://127.0.0.1:8500/v1/agent/service/register"
    # Register App services
    docker exec -it demo_app1_1 curl -s -X PUT -d @/app1.json "http://127.0.0.1:8500/v1/agent/service/register"
    docker exec -it demo_app2_1 curl -s -X PUT -d @/app2.json "http://127.0.0.1:8500/v1/agent/service/register"
    docker exec -it demo_app3_1 curl -s -X PUT -d @/app3.json "http://127.0.0.1:8500/v1/agent/service/register"
    # Register DB services
    docker exec -it demo_db1_1 curl -s -X PUT -d @/db1.json "http://127.0.0.1:8500/v1/agent/service/register"
    docker exec -it demo_db2_1 curl -s -X PUT -d @/db2.json "http://127.0.0.1:8500/v1/agent/service/register"
    
  • Deregister services
    # Deregister Web service
    docker exec -it demo_web1_1 curl -s -X PUT "http://127.0.0.1:8500/v1/agent/service/deregister/web"
    docker exec -it demo_web2_1 curl -s -X PUT "http://127.0.0.1:8500/v1/agent/service/deregister/web"
    docker exec -it demo_web3_1 curl -s -X PUT "http://127.0.0.1:8500/v1/agent/service/deregister/web"
    
    # Deregister App services
    docker exec -it demo_app1_1 curl -s -X PUT "http://127.0.0.1:8500/v1/agent/service/deregister/app"
    docker exec -it demo_app2_1 curl -s -X PUT "http://127.0.0.1:8500/v1/agent/service/deregister/app"
    docker exec -it demo_app3_1 curl -s -X PUT "http://127.0.0.1:8500/v1/agent/service/deregister/app"
    
    # Deregister DB services
    docker exec -it demo_db1_1 curl -s -X PUT "http://127.0.0.1:8500/v1/agent/service/deregister/db"
    docker exec -it demo_db2_1 curl -s -X PUT "http://127.0.0.1:8500/v1/agent/service/deregister/db"
    
    If a deregister call does not take effect, stop and restart the container the service lives in, then run the matching register commands from above again.
    - Stop the containers
    docker stop demo_web1_1
    docker stop demo_app1_1
    docker stop demo_db1_1
    
    - Start the containers
    docker start demo_web1_1
    docker start demo_app1_1
    docker start demo_db1_1
    
    - Run the register services commands from above
    
  • Adding intentions. The commands below use this lab's service names (web, app, db); run them where the consul binary is available, e.g. inside the demo_consul_server_1 container via docker exec. Note that a connection with no matching intention falls back to the ACL default policy, so without an explicit deny (or a default-deny ACL policy) an unlisted pair is still allowed.
    consul intention create -allow web app
    consul intention create -allow app db
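The script below is an added example written for this page, not code from the lab's repository. It drives the same agent HTTP endpoints the demo section and the register/deregister lists above use, and adds the check the curl one-liners leave out: reading /v1/health/service/web before and after each step to confirm the instance count really goes from three to two and back, and asking /v1/connect/intentions/check whether Connect would authorize each pair. Assumptions: the lab's service names (web, app, db); the registration payload shape and port 8080, since the README does not show the contents of /web1.json; that the server's published port is reachable at 127.0.0.1:8500 on the demo host; and that the agent URL passed to register/deregister is the agent that owns the service (from the host, run the script with docker exec inside demo_web1_1 or point it at that container's address).

```python
"""Added example for the demo and register/deregister/intention steps above (not the
lab's own code). Assumed: service names web/app/db, the registration shape, port 8080,
and that the agent URL given to register()/deregister() owns the service."""
import json
import urllib.request

# Assumption: demo_consul_server_1 publishes 8500 on the demo host (see docker ps).
SERVER = "http://127.0.0.1:8500"


def registration_payload(service: str, node_tag: str, port: int) -> dict:
    """Connect-enabled service registration (shape assumed, see module docstring).
    ID equals the service name so /v1/agent/service/deregister/<name>, exactly as
    the README uses it, removes the instance again."""
    return {
        "ID": service,
        "Name": service,
        "Tags": [node_tag],
        "Port": port,
        "Connect": {"SidecarService": {}},
        "Check": {"TCP": f"127.0.0.1:{port}", "Interval": "10s"},
    }


def _call(base: str, method: str, path: str, body=None):
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(base + path, data=data, method=method,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else None


def register(agent: str, payload: dict) -> None:
    """Register on the owning agent (inside the service container), as the README does."""
    _call(agent, "PUT", "/v1/agent/service/register", payload)


def deregister(agent: str, service_id: str) -> None:
    _call(agent, "PUT", f"/v1/agent/service/deregister/{service_id}")


def healthy_nodes(entries: list) -> list:
    """Node names whose every check passes, from a /v1/health/service/<name> body."""
    return sorted(e["Node"]["Node"] for e in entries
                  if all(c["Status"] == "passing" for c in e["Checks"]))


def healthy(service: str, base: str = SERVER) -> list:
    """Health queries may go to any agent, including the server."""
    return healthy_nodes(_call(base, "GET", f"/v1/health/service/{service}"))


def intention_allowed(source: str, destination: str, base: str = SERVER) -> bool:
    """Ask Consul whether Connect would authorize source -> destination."""
    body = _call(base, "GET",
                 f"/v1/connect/intentions/check?source={source}&destination={destination}")
    return bool(body["Allowed"])


# Constructed sample shaped like a /v1/health/service/web response; web3's TCP
# check is failing, so it must not be counted as a usable instance.
SAMPLE_HEALTH = [
    {"Node": {"Node": "web1"}, "Checks": [{"Status": "passing"}, {"Status": "passing"}]},
    {"Node": {"Node": "web2"}, "Checks": [{"Status": "passing"}, {"Status": "passing"}]},
    {"Node": {"Node": "web3"}, "Checks": [{"Status": "passing"}, {"Status": "critical"}]},
]


def demo(web1_agent: str = "http://127.0.0.1:8500") -> None:
    """Walk the README's flow: count instances, drop web1, confirm, put it back.
    Catalog updates from an agent are asynchronous, so a read immediately after a
    write can briefly lag."""
    print("web instances:", healthy("web"))
    deregister(web1_agent, "web")                      # must hit web1's own agent
    print("after deregister:", healthy("web"))
    register(web1_agent, registration_payload("web", "web1", 8080))
    print("after re-register:", healthy("web"))
    for src, dst in (("web", "app"), ("app", "db"), ("web", "db")):
        verdict = "allow" if intention_allowed(src, dst) else "deny"
        print(f"intention {src} -> {dst}: {verdict}")


if __name__ == "__main__":
    demo()
```

The intention loop is the useful part for a security review: web -> db is deliberately included so you see whether the lab's intentions (created by Terraform and the consul intention commands above) actually deny the pair you never allowed, rather than inferring it from the allow rules you did write.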
    

Re-deploying Consul Container Stack

To re-deploy all of the containers on the demo host, run the following. Note that docker rm -f $(docker ps -a -q) removes every container on the host, including the Consul server, so any registrations and intentions held only in that container are lost.

$ cd /tmp
$ docker rm -f $(docker ps -a -q)
$ pkill docker-compose
$ nohup docker-compose -p demo up &
$ docker ps -a