From 2b10f77b88e9166b1dbd712abdd4cd2c77b4bd5c Mon Sep 17 00:00:00 2001
From: Tomas Valenta
Date: Mon, 25 Mar 2024 14:31:52 -0700
Subject: [PATCH 1/7] Chnage permissions
---
 packages/cluster/scripts/run-consul.sh | 9 +++----
 packages/cluster/server/main.tf | 2 +-
 packages/nomad/main.tf | 35 ++++++++++++++++++++++++++
 3 files changed, 40 insertions(+), 6 deletions(-)
diff --git a/packages/cluster/scripts/run-consul.sh b/packages/cluster/scripts/run-consul.sh
index f6613fe99..e2bd1cacc 100644
--- a/packages/cluster/scripts/run-consul.sh
+++ b/packages/cluster/scripts/run-consul.sh
@@ -254,7 +254,7 @@ EOF
 },
 "acl": {
 "enabled": true,
- "default_policy": "allow",
+ "default_policy": "deny",
 "enable_token_persistence": true,
 "tokens": {
 "initial_management": "$CONSUL_ACL_MASTER_TOKEN"
@@ -365,15 +365,15 @@ function start_consul {
 function bootstrap {
 log_info "Waiting for Consul to start"
 while true; do
- local readonly consul_leader_addr=$(consul info | grep "leader_addr =" | awk -F'=' '{print $2}' | tr -d ' ')
- local readonly consul_leader=$(consul info | grep "leader =" | awk -F'=' '{print $2}' | tr -d ' ')
+ local readonly consul_leader_addr=$(consul info | grep "leader_addr =" | awk -F'=' '{print $2}' | tr -d ' ')
+ local readonly consul_leader=$(consul info | grep "leader =" | awk -F'=' '{print $2}' | tr -d ' ')
 if [[ -n "$consul_leader_addr" ]]; then
 log_info "Consul leader elected"
 if [[ "$consul_leader" == "true" ]]; then
 local readonly consul_token="$1"
 log_info "Bootstrapping Consul"
- echo "${consul_token}" > /tmp/consul.token
+ echo "${consul_token}" >/tmp/consul.token
 consul acl bootstrap /tmp/consul.token
 rm /tmp/consul.token
 fi
@@ -381,7 +381,6 @@ function bootstrap {
 break
 fi
- log_info "Waiting for Consul to start"
 sleep 1
 done
diff --git a/packages/cluster/server/main.tf b/packages/cluster/server/main.tf
index 12d5b6cff..d63812a82 100644
--- a/packages/cluster/server/main.tf
+++ b/packages/cluster/server/main.tf
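Review bot: With `default_policy` now `deny`, the agent's own requests are refused too unless an agent token is configured, and the `tokens` object on the new side still holds only `initial_management`; node registration, anti-entropy and health-check updates need a `tokens.agent` (or `tokens.default`) entry that is not visible in this hunk, and patch 3/7 later removes `initial_management` as well. Suggest a comment above the `acl` block such as `# default_policy=deny: the agent needs its own token (tokens.agent) or every local request is refused` and confirming where that agent token is provisioned. The interpolated `$CONSUL_ACL_MASTER_TOKEN` is also pasted into the JSON unescaped, so a value containing `"` or `\` breaks the config; that is pre-existing but worth a validity check before the heredoc. The generated config continues outside the hunk.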
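Review bot: The bootstrap token is still written to the fixed path `/tmp/consul.token`, created with the caller's default umask in a world-writable directory, so between the `echo` and the `rm` it is readable by other local users and the name is predictable; the hunk only changes the redirection spacing. Prefer a private temporary file: `token_file="$(mktemp)"` (mode 0600 with GNU mktemp) and use `"${token_file}"` in the `echo`, `consul acl bootstrap` and `rm` lines, with `rm -f` so a failed bootstrap still cleans up. Separately, `local readonly consul_token="$1"` does not make the variable read-only, bash treats `readonly` here as a second variable name; `local -r consul_token="$1"` is the intended form, and the same applies to the two leader lines rewritten in this hunk. The `bootstrap` function continues outside the hunk.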
@@ -52,7 +52,7 @@ resource "google_compute_instance_group_manager" "server_cluster" {
 auto_healing_policies {
 health_check = google_compute_health_check.nomad_check.id
- initial_delay_sec = 0
+ initial_delay_sec = 600
 }
 lifecycle {
diff --git a/packages/nomad/main.tf b/packages/nomad/main.tf
index 7b88af2e1..a3392a292 100644
--- a/packages/nomad/main.tf
+++ b/packages/nomad/main.tf
@@ -55,6 +55,41 @@ provider "consul" {
 token = var.consul_acl_token_secret
 }
+# resource "consul_acl_policy" "agent" {
+# name = "agent"
+# rules = <<-RULE
+# acl = "deny"
+# agent_prefix "" {
+# policy = "deny"
+# }
+# event_prefix "" {
+# policy = "deny"
+# }
+# identity_prefix "" {
+# policy = "deny"
+# }
+# key_prefix "" {
+# policy = "deny"
+# }
+# keyring = "deny"
+# mesh = "deny"
+# node_prefix "" {
+# policy = "deny"
+# }
+# operator = "deny"
+# peering = "deny"
+# query_prefix "" {
+# policy = "deny"
+# }
+# service_prefix "" {
+# policy = "deny"
+# }
+# session_prefix "" {
+# policy = "deny"
+# }
+# RULE
+# }
 resource "nomad_job" "api" {
 jobspec = file("${path.module}/api.hcl")
From ce458cf3f8a875e34ca6a99000c969fdf9c7bdce Mon Sep 17 00:00:00 2001
From: Jakub Novak
Date: Mon, 25 Mar 2024 14:34:15 -0700
Subject: [PATCH 2/7] Add token for consul check
---
 packages/cluster/scripts/run-consul.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/packages/cluster/scripts/run-consul.sh b/packages/cluster/scripts/run-consul.sh
index e2bd1cacc..8fb00d2b8 100644
--- a/packages/cluster/scripts/run-consul.sh
+++ b/packages/cluster/scripts/run-consul.sh
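Review bot: `initial_delay_sec = 600` is a bare number with nothing tying it to how long the servers actually take before `nomad_check` can pass, and patch 5/7 changes the same line to 120 without explaining either value; if the delay is shorter than the consul/nomad bootstrap the auto-healer recreates instances that are still starting, and if it is longer a genuinely broken instance stays unhealed for the whole window. Suggest a comment on the line such as `# must exceed the run-consul/run-nomad startup time; too low causes healing loops on fresh instances`, ideally with the value taken from a variable shared with whatever startup timeout the scripts use. The resource block continues outside the hunk.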
@@ -365,8 +365,8 @@ function start_consul {
 function bootstrap {
 log_info "Waiting for Consul to start"
 while true; do
- local readonly consul_leader_addr=$(consul info | grep "leader_addr =" | awk -F'=' '{print $2}' | tr -d ' ')
- local readonly consul_leader=$(consul info | grep "leader =" | awk -F'=' '{print $2}' | tr -d ' ')
+ local readonly consul_leader_addr=$(consul info -token="${consul_token}"| grep "leader_addr =" | awk -F'=' '{print $2}' | tr -d ' ')
+ local readonly consul_leader=$(consul info -token="${consul_token}"| grep "leader =" | awk -F'=' '{print $2}' | tr -d ' ')
 if [[ -n "$consul_leader_addr" ]]; then
 log_info "Consul leader elected"
From cd88fdd20cd4f2eaf19e1283bffbcf2ac43480b9 Mon Sep 17 00:00:00 2001
From: Jakub Novak
Date: Mon, 25 Mar 2024 14:36:46 -0700
Subject: [PATCH 3/7] Remove initial token
---
 packages/cluster/scripts/run-consul.sh | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/packages/cluster/scripts/run-consul.sh b/packages/cluster/scripts/run-consul.sh
index 8fb00d2b8..456ed9d97 100644
--- a/packages/cluster/scripts/run-consul.sh
+++ b/packages/cluster/scripts/run-consul.sh
@@ -255,10 +255,7 @@ EOF
 "acl": {
 "enabled": true,
 "default_policy": "deny",
- "enable_token_persistence": true,
- "tokens": {
- "initial_management": "$CONSUL_ACL_MASTER_TOKEN"
- }
+ "enable_token_persistence": true
 },
 "telemetry": {
 "prometheus_retention_time": "24h",
From 6c82731d57bb59df7e7eddc8fddddd9eb5df93bb Mon Sep 17 00:00:00 2001
From: Jakub Novak
Date: Mon, 25 Mar 2024 14:45:48 -0700
Subject: [PATCH 4/7] Add "Starting on port" print to API server
---
 packages/api/main.go | 1 +
 1 file changed, 1 insertion(+)
diff --git a/packages/api/main.go b/packages/api/main.go
index 30505aee9..7142be868 100644
--- a/packages/api/main.go
+++ b/packages/api/main.go
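Review bot: `-token="${consul_token}"` is expanded before `consul_token` is assigned; in patch 1/7's version of this function the assignment `local readonly consul_token="$1"` sits inside the `if` further down the loop, so these `consul info` calls run with an empty token (or whatever a same-named outer variable happens to hold), which under `default_policy = deny` is exactly the anonymous request the change is trying to avoid. Move the assignment above the loop, `local -r consul_token="$1"` as the first line of `bootstrap`. Whether `consul info` accepts a token that has not yet been bootstrapped is also worth checking, since `consul acl bootstrap` only runs after this leader check succeeds. Prefer exporting `CONSUL_HTTP_TOKEN` over `-token=` on the command line, since arguments are visible to other local users in the process list, and add the missing space before `|` on both new lines. The `bootstrap` function continues outside the hunk.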
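Review bot: With `initial_management` gone, the only thing that makes `$CONSUL_ACL_MASTER_TOKEN` the management token is the `consul acl bootstrap <file>` call in `bootstrap`, and that command refuses to run a second time once a datacenter has been bootstrapped; the script never checks its exit status, so a re-run on an existing cluster would silently leave the node without a usable management token while this config now carries no token at all. Suggest checking the result where bootstrap is called, e.g. `consul acl bootstrap /tmp/consul.token || { log_info "ACL bootstrap failed or was already performed"; return 1; }`, and a comment above the `acl` block stating that the management token is set out-of-band by `bootstrap`, not by this config. As noted on patch 1/7, the now-empty `tokens` object also means no agent token is configured under `default_policy = deny`. The heredoc continues outside the hunk.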
@@ -140,6 +140,7 @@ func main() {
 s := NewGinServer(apiStore, swagger, *port)
+ fmt.Printf("Starting server on port %d\n", *port)
 // And we serve HTTP until the world ends.
 err = s.ListenAndServe()
 if err != nil {
From 64073783a0632e0f87acb4e9784417fbea1fde23 Mon Sep 17 00:00:00 2001
From: Jakub Novak
Date: Mon, 25 Mar 2024 14:46:53 -0700
Subject: [PATCH 5/7] Decrease initial delay
---
 packages/cluster/server/main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/packages/cluster/server/main.tf b/packages/cluster/server/main.tf
index d63812a82..0b36f2888 100644
--- a/packages/cluster/server/main.tf
+++ b/packages/cluster/server/main.tf
@@ -52,7 +52,7 @@ resource "google_compute_instance_group_manager" "server_cluster" {
 auto_healing_policies {
 health_check = google_compute_health_check.nomad_check.id
- initial_delay_sec = 600
+ initial_delay_sec = 120
 }
 lifecycle {
From accceb12925e21fef08f24dc5a1a7d9fb0ac421c Mon Sep 17 00:00:00 2001
From: Jakub Novak
Date: Mon, 25 Mar 2024 14:47:04 -0700
Subject: [PATCH 6/7] Bump version
---
 VERSION | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/VERSION b/VERSION
index e01df2657..cf9f17398 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-0.0.70
\ No newline at end of file
+0.0.71
\ No newline at end of file
From aaa27df2bb4bc4f94f53bf992d28813e76ca1a02 Mon Sep 17 00:00:00 2001
From: Jakub Novak
Date: Mon, 25 Mar 2024 14:47:29 -0700
Subject: [PATCH 7/7] Clean up
---
 packages/nomad/main.tf | 35 -----------------------------------
 1 file changed, 35 deletions(-)
diff --git a/packages/nomad/main.tf b/packages/nomad/main.tf
index a3392a292..7b88af2e1 100644
--- a/packages/nomad/main.tf
+++ b/packages/nomad/main.tf
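Review bot: The new `fmt.Printf` writes to stdout with no timestamp, while the error path right below it presumably goes through whatever logger `main` already uses, so this one startup line is formatted and routed differently from the rest of the service's output. Prefer the package's existing logger, or at minimum `log.Printf("starting server on port %d", *port)` so the line carries a timestamp and lands on stderr with the other messages. If `main` uses structured logging elsewhere, keep the key/value form (`"port", *port`) rather than a preformatted string. `main` starts and ends outside the hunk.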
@@ -55,41 +55,6 @@ provider "consul" {
 token = var.consul_acl_token_secret
 }
-# resource "consul_acl_policy" "agent" {
-# name = "agent"
-# rules = <<-RULE
-# acl = "deny"
-# agent_prefix "" {
-# policy = "deny"
-# }
-# event_prefix "" {
-# policy = "deny"
-# }
-# identity_prefix "" {
-# policy = "deny"
-# }
-# key_prefix "" {
-# policy = "deny"
-# }
-# keyring = "deny"
-# mesh = "deny"
-# node_prefix "" {
-# policy = "deny"
-# }
-# operator = "deny"
-# peering = "deny"
-# query_prefix "" {
-# policy = "deny"
-# }
-# service_prefix "" {
-# policy = "deny"
-# }
-# session_prefix "" {
-# policy = "deny"
-# }
-# RULE
-# }
-
 resource "nomad_job" "api" {
 jobspec = file("${path.module}/api.hcl")