Simplifying Infrastructure and Networking Automation with HashiCorp and Traefik

This repository is the companion material for the Simplifying Infrastructure and Network Automation with HashiCorp and Traefik webinar.

In this event, we demonstrate how to:

  • Use Traefik as the ingress gateway in Nomad
  • Leverage Traefik’s Consul Catalog provider for dynamic configuration
  • Integrate Traefik with Consul Connect for service mesh capabilities
  • Manage TLS certificates in Traefik Enterprise using Vault’s PKI engine and KV store

Getting Started

You can use Vagrant to set up the lab environment used in this webinar. Vagrant is a tool for building and managing virtual machine environments.

NOTE: To use the Vagrant environment, first install Vagrant following these instructions. You also need a virtualization tool, such as VirtualBox.

From a terminal in this folder, you may create the virtual machines with the vagrant up command.

$ vagrant up

This takes a few minutes as the base Ubuntu box must be downloaded and provisioned with Docker, Nomad, Consul, and Vault. Once this completes, you should see this output.

Bringing machine 'primary' up with 'virtualbox' provider...
Bringing machine 'secondary' up with 'virtualbox' provider...
==> primary: Importing base box 'hashicorp/bionic64'...
...
==> primary: Running provisioner: shell...

Once this provisioning completes, use the vagrant ssh command to start a shell session on the primary VM.

$ vagrant ssh

If you connect to the virtual machine properly, you should see the shell prompt vagrant@traefik-webinar-1:~$

Please note that in this lab environment Nomad, Consul, and Vault are configured in dev mode. This mode is useful for developing or testing because it doesn't require any extra configuration, and does not persist any state to disk.

Warning: Never run -dev mode in production.

Accessing the environment

You may view the Nomad, Consul, and Vault interfaces with a web browser. Please access here:

Note: If any of these do not work, please check your Vagrant output. If there is a port collision on your system Vagrant may assign a different port.

Demo

Nomad

Will be shown together with Consul below.

Consul

Consul Catalog

nomad run jobs/whoami.nomad
nomad run jobs/traefik.nomad

nomad status

curl localhost/whoami

Visit http://localhost:8080/whoami from your desktop. Take note of the value RemoteAddr.

Consul Connect

nomad run jobs/whoami-connect.nomad

nomad status

curl localhost/whoami

Visit http://localhost:8080/whoami from your desktop. What happens?

consul intention match whoami

consul intention create traefik whoami

curl localhost/whoami

Now try again. Take note of the value RemoteAddr. What is it now? What was it before? What's changed and why?

Use the following command to view the certificate, replacing the port with the mapped port of the proxy sidecar.

nomad alloc exec -task connect-proxy-whoami -job whoami curl -kv https://localhost:23628

Note: Traefik Connect integration requires the parameter connectAware be set to true in the consulCatalog provider section of your Traefik configuration.

Set up TraefikEE

Note: These steps require a Traefik Enterprise license. If you don't have a license, you may request a free 30-day trial here.

These steps begin from your desktop machine, not the vagrant host.

You'll need to download teectl using the appropriate download link at https://doc.traefik.io/traefik-enterprise/installing/teectl-cli/. (Please note that on recent versions of macOS, you will need to Allow it to run in the Security & Privacy System Preferences.)

Run the following command to create the bundle.zip:

teectl setup --onpremise.hosts="192.168.88.4,192.168.88.5" --cluster nomad --force

Next we will transfer the bundle.zip to the primary vagrant host. To accomplish this use the vagrant scp plugin to transfer the file with the command:

vagrant scp bundle.zip /home/vagrant/bundle.zip

Alternatively, you can uncomment line 112 in the Vagrantfile and then run vagrant reload --provision. The Vagrant reload will take several minutes.

Use the vagrant ssh command to start a shell session on the primary VM.

If you connect to the virtual machine properly, you should see the shell prompt vagrant@traefik-webinar-1:~$

export TRAEFIKEE_LICENSE=<your license key>

# stop previous jobs
nomad stop traefik
nomad stop countdash
nomad stop whoami

# move bundle.zip to controller data volume
sudo mv ./bundle.zip /opt/traefikee/
sudo chown root:root /opt/traefikee/bundle.zip

# create vault secrets for traefikee license and plugin registry token (assuming your license is the TRAEFIKEE_LICENSE environment variable)
vault kv put secret/traefikee/license license_key=$TRAEFIKEE_LICENSE
vault kv put secret/traefikee/plugin token=$(openssl rand -base64 10)

# run traefikee nomad job
nomad job run jobs/traefikee.nomad

# get proxy join token
nomad alloc exec -task controllers -job traefikee /traefikee tokens --socket local/cluster.sock
# export provided TRAEFIKEE_PROXY_TOKEN

# add proxy token to vault
vault kv put secret/traefikee/proxy token=$TRAEFIKEE_PROXY_TOKEN

On your host (outside of Vagrant), let's verify the TraefikEE cluster with teectl.

# switch contexts
teectl cluster use --name nomad

# verify all nodes are running
teectl get nodes

Vault PKI

# Enable Vault PKI and create role (inside VM)
vault secrets enable pki

vault write pki/root/generate/internal common_name="VAULT PKI CERT"
vault write pki/roles/traefikee allowed_domains=localhost allow_bare_domains=true allow_subdomains=false max_ttl=10h

# apply static and dynamic config (outside of VM)
teectl apply --file traefikee/static.yaml
teectl apply --file traefikee/dynamic.yaml

# update whoami job (inside of VM)
nomad run jobs/whoami-pki.nomad

# curl and note TLS certificate
curl -kv https://localhost/whoami-pki

Vault TLS KV Store

# generate self-signed certificate
openssl req -x509 -newkey rsa:2048 -keyout localhost.key.pem -out localhost.cert.pem -nodes -subj '/CN=tls.localhost'

# Add TLS cert to Vault KV store
vault kv put secret/localhost cert="$(cat localhost.cert.pem | base64 -w0)" key="$(cat localhost.key.pem | base64 -w0)"

# update whoami job
nomad run jobs/whoami-tls.nomad

# curl and note TLS certificate
curl -kv https://tls.localhost/
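As an added example (not code from the webinar repository), the Go equivalent of the openssl and vault kv put steps above, plus the check worth running before the pair is stored: it generates a self-signed certificate for tls.localhost, base64-encodes cert and key the way base64 -w0 does, and then decodes them the way a consumer would, rejecting values that are not single-line base64, a key that does not belong to the certificate, or a CN other than the host being served. The function names SelfSignedKV and ValidateKV are this example's own.

```go
package main
import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)
// SelfSignedKV is the Go equivalent of the openssl req -x509 command plus `base64 -w0`: it
// returns cert and key exactly as written to the Vault KV secret (single-line base64 of each PEM).
func SelfSignedKV(cn string) (certB64, keyB64 string, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return "", "", err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		DNSNames: []string{cn}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(720 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return "", "", err
	}
	certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM := pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(priv)})
	return base64.StdEncoding.EncodeToString(certPEM), base64.StdEncoding.EncodeToString(keyPEM), nil
}

// ValidateKV decodes the two KV values the way a consumer would and rejects a pair that
// would otherwise only surface later as a TLS handshake failure in Traefik: values that are
// not single-line base64, a key that does not match the certificate, or a wrong CN.
func ValidateKV(certB64, keyB64, wantCN string) error {
	certPEM, errC := base64.StdEncoding.DecodeString(certB64)
	keyPEM, errK := base64.StdEncoding.DecodeString(keyB64)
	if errC != nil || errK != nil {
		return fmt.Errorf("cert/key must be single-line base64 as produced by base64 -w0")
	}
	pair, err := tls.X509KeyPair(certPEM, keyPEM) // fails if the key does not belong to the cert
	if err != nil {
		return err
	}
	leaf, _ := x509.ParseCertificate(pair.Certificate[0]) // already parsed successfully by X509KeyPair
	if leaf.Subject.CommonName != wantCN {
		return fmt.Errorf("certificate CN %q, want %q", leaf.Subject.CommonName, wantCN)
	}
	return nil
}
```

The same ValidateKV check can be pointed at an existing secret by reading cert and key back with vault kv get before updating the whoami job.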

Cleaning up

Halt the VMs

Stop running jobs and exit any shell sessions that you made to the virtual machine. Use the vagrant halt command to stop the running VMs.

$ vagrant halt

At this point, you can start the VMs again without having to provision them again.

De-provision the VMs

If you don't anticipate using the training VMs for a while, and don't mind the time necessary to re-provision them, you can deprovision the VMs. From this folder, use the vagrant destroy command to deprovision the environment you created. The command verifies that you intend to perform this activity; enter Y at both prompts to confirm that you do.

$ vagrant destroy
    secondary: Are you sure you want to destroy the 'secondary' VM? [y/N] y
==> secondary: Forcing shutdown of VM...
==> secondary: Destroying VM and associated drives...
    primary: Are you sure you want to destroy the 'primary' VM? [y/N] y
==> primary: Forcing shutdown of VM...
==> primary: Destroying VM and associated drives...

De-provisioning the environment deletes the VMs that were created based on the base box.

Remove the base box

If you don't intend to use the Vagrant environment ever again, you can also delete the downloaded Vagrant base box used to create the VM by running the vagrant box remove command. Don't worry, if you decide to use the environment again later, Vagrant re-downloads the base box when you need it.

$ vagrant box remove hashicorp/bionic64
Removing box 'hashicorp/bionic64' (v1.0.282) with provider 'virtualbox'...

At this point, you have removed everything that was created when you brought up the Vagrant environment.

Documentation and References