Deploy Consul server in an existing environment.

generate_consul_server_config.sh

#!/usr/bin/env bash

export DATACENTER=${DATACENTER:-"dc1"}
export DOMAIN=${DOMAIN:-"consul"}
export CONSUL_DATA_DIR=${CONSUL_DATA_DIR:-"/etc/consul/data"}
export CONSUL_CONFIG_DIR=${CONSUL_CONFIG_DIR:-"/etc/consul/config"}

export DNS_RECURSOR=${DNS_RECURSOR:-"1.1.1.1"}
export HTTPS_PORT=${HTTPS_PORT:-"8443"}
export DNS_PORT=${DNS_PORT:-"8600"}

echo "Clean existing configuration"
rm -rf ${CONSUL_DATA_DIR}/
rm -rf ${CONSUL_CONFIG_DIR}/

echo "Generate Consul folders"
mkdir -p ${CONSUL_CONFIG_DIR} && mkdir -p ${CONSUL_DATA_DIR}

STAT=$?

if [ ${STAT} -ne 0 ];  then
  echo "Folder creation failed, exiting."
  exit 1;
fi

cd ${CONSUL_CONFIG_DIR}

echo "Generate agent configuration - agent-server-secure.hcl"
tee ${CONSUL_CONFIG_DIR}/agent-server-secure.hcl > /dev/null << EOF
# agent-server-secure.hcl

# Data Persistence
data_dir = "${CONSUL_DATA_DIR}"

# Logging
log_level = "DEBUG"

# Enable service mesh
connect {
  enabled = true
}

# Addresses and ports
addresses {
  grpc = "127.0.0.1"
  https = "0.0.0.0"
  dns = "0.0.0.0"
}

ports {
  grpc  = 8502
  http  = 8500
  https = ${HTTPS_PORT}
  dns   = ${DNS_PORT}
}

# DNS recursors
recursors = ["${DNS_RECURSOR}"]

# Disable script checks
enable_script_checks = false

# Enable local script checks
enable_local_script_checks = true
EOF

echo "Generate server configuration - agent-server-specific.hcl"
tee ${CONSUL_CONFIG_DIR}/agent-server-specific.hcl > /dev/null << EOF
## Server specific configuration for ${DATACENTER}
server = true
bootstrap_expect = 1
datacenter = "${DATACENTER}"

client_addr = "127.0.0.1"

## UI configuration (1.9+)
ui_config {
  enabled = true
}
EOF

echo "Generate gossip encryption key configuration - agent-gossip-encryption.hcl"
echo encrypt = \"$(consul keygen)\" > ${CONSUL_CONFIG_DIR}/agent-gossip-encryption.hcl

echo "Create CA for Consul datacenter"
consul tls ca create -domain=${DOMAIN}

echo "Create server Certificate and key pair"
consul tls cert create -server -domain ${DOMAIN} -dc=${DATACENTER}

echo "Generate TLS configuration - agent-server-tls.hcl"
tee ${CONSUL_CONFIG_DIR}/agent-server-tls.hcl > /dev/null << EOF
## TLS Encryption (requires cert files to be present on the server nodes)
# tls {
#   defaults {
#     ca_file   = "${CONSUL_CONFIG_DIR}/consul-agent-ca.pem"
#     cert_file = "${CONSUL_CONFIG_DIR}/${DATACENTER}-server-${DOMAIN}-0.pem"
#     key_file  = "${CONSUL_CONFIG_DIR}/${DATACENTER}-server-${DOMAIN}-0-key.pem"

#     verify_outgoing        = true
#     verify_incoming        = true
#   }
#   https {
#     verify_incoming        = false
#   }
#   internal_rpc {
#     verify_server_hostname = true
#   }
# }

## TLS Encryption (requires cert files to be present on the server nodes)
ca_file   = "/etc/consul/config/consul-agent-ca.pem"
cert_file = "${CONSUL_CONFIG_DIR}/${DATACENTER}-server-${DOMAIN}-0.pem"
key_file  = "${CONSUL_CONFIG_DIR}/${DATACENTER}-server-${DOMAIN}-0-key.pem"
verify_incoming        = false
verify_incoming_rpc    = true
verify_outgoing        = true
verify_server_hostname = true

auto_encrypt {
  allow_tls = true
}
EOF

echo "Generate ACL configuration - agent-server-acl.hcl"
tee ${CONSUL_CONFIG_DIR}/agent-server-acl.hcl > /dev/null << EOF
## ACL configuration
acl = {
  enabled = true
  default_policy = "deny"
  enable_token_persistence = true
  enable_token_replication = true
  down_policy = "extend-cache"
}
EOF

echo "Validate configuration"
consul validate ${CONSUL_CONFIG_DIR}

STAT=$?

if [ ${STAT} -ne 0 ];  then
  echo "Configuration invalid. Exiting."
  exit 1;
fi

• Check if Consul is installed on the consul node

consul version

Consul v1.12.4
Revision 94542765
Protocol 2 spoken by default, understands 2 to 3 (agent will automatically use protocol >2 when speaking to compatible agents)

• Generate Consul server configuration

export DATACENTER="dc1" \
export DOMAIN="consul" \
export CONSUL_DATA_DIR="/etc/consul/data" \
export CONSUL_CONFIG_DIR="/etc/consul/config

• Generate all necessary files to configure and run the Consul server agent

./generate_consul_server_config.sh

Clean existing configuration
Generate Consul folders
Generate agent configuration - agent-server-secure.hcl
Generate server configuration - agent-server-specific.hcl
Generate gossip encryption key configuration - agent-gossip-encryption.hcl
Create CA for Consul datacenter
==> Saved consul-agent-ca.pem
==> Saved consul-agent-ca-key.pem
Create server Certificate and key pair
==> WARNING: Server Certificates grants authority to become a
server and access all state in the cluster including root keys
and all ACL tokens. Do not distribute them to production hosts
that are not server nodes. Store them as securely as CA keys.
==> Using consul-agent-ca.pem and consul-agent-ca-key.pem
==> Saved dc1-server-consul-0.pem
==> Saved dc1-server-consul-0-key.pem
Generate TLS configuration - agent-server-tls.hcl
Generate ACL configuration - agent-server-acl.hcl
Validate configuration
skipping file /etc/consul/config/consul-agent-ca-key.pem, extension must be .hcl or .json, or config format must be set
skipping file /etc/consul/config/consul-agent-ca.pem, extension must be .hcl or .json, or config format must be set
skipping file /etc/consul/config/dc1-server-consul-0-key.pem, extension must be .hcl or .json, or config format must be set
skipping file /etc/consul/config/dc1-server-consul-0.pem, extension must be .hcl or .json, or config format must be set
The 'ca_file' field is deprecated. Use the 'tls.defaults.ca_file' field instead.
The 'cert_file' field is deprecated. Use the 'tls.defaults.cert_file' field instead.
The 'key_file' field is deprecated. Use the 'tls.defaults.key_file' field instead.
The 'verify_incoming' field is deprecated. Use the 'tls.defaults.verify_incoming' field instead.
The 'verify_incoming_rpc' field is deprecated. Use the 'tls.internal_rpc.verify_incoming' field instead.
The 'verify_outgoing' field is deprecated. Use the 'tls.defaults.verify_outgoing' field instead.
The 'verify_server_hostname' field is deprecated. Use the 'tls.internal_rpc.verify_server_hostname' field instead.
BootstrapExpect is set to 1; this is the same as Bootstrap mode.
bootstrap = true: do not enable unless necessary
Configuration is valid!

• Start Consul server

consul agent -node=consul -config-dir=${CONSUL_CONFIG_DIR}

==> Starting Consul agent...
Version: '1.12.4'
Node ID: 'de208a33-6b94-3633-9c46-f09aa3e3e824'
Node name: 'consul'
Datacenter: 'dc1' (Segment: '')
Server: true (Bootstrap: true)
Client Addr: [127.0.0.1] (HTTP: 8500, HTTPS: 8443, gRPC: 8502, DNS: 8600)
Cluster Addr: 10.2.80.162 (LAN: 8301, WAN: 8302)
Encrypt: Gossip: true, TLS-Outgoing: true, TLS-Incoming: true, Auto-Encrypt-TLS: true
==> Log data will now stream in as it occurs:
2023-03-26T19:17:08.396Z [WARN] agent: skipping file /etc/consul/config/consul-agent-ca-key.pem, extension must be .hcl or .json, or config format must be set
2023-03-26T19:17:08.396Z [WARN] agent: skipping file /etc/consul/config/consul-agent-ca.pem, extension must be .hcl or .json, or config format must be set
2023-03-26T19:17:08.396Z [WARN] agent: skipping file /etc/consul/config/dc1-server-consul-0-key.pem, extension must be .hcl or .json, or config format must be set
2023-03-26T19:17:08.396Z [WARN] agent: skipping file /etc/consul/config/dc1-server-consul-0.pem, extension must be .hcl or .json, or config format must be set
2023-03-26T19:17:08.396Z [WARN] agent: The 'ca_file' field is deprecated. Use the 'tls.defaults.ca_file' field instead.
2023-03-26T19:17:08.396Z [WARN] agent: The 'cert_file' field is deprecated. Use the 'tls.defaults.cert_file' field instead.
2023-03-26T19:17:08.396Z [WARN] agent: The 'key_file' field is deprecated. Use the 'tls.defaults.key_file' field instead.
2023-03-26T19:17:08.396Z [WARN] agent: The 'verify_incoming' field is deprecated. Use the 'tls.defaults.verify_incoming' field instead.
2023-03-26T19:17:08.396Z [WARN] agent: The 'verify_incoming_rpc' field is deprecated. Use the 'tls.internal_rpc.verify_incoming' field instead.
2023-03-26T19:17:08.396Z [WARN] agent: The 'verify_outgoing' field is deprecated. Use the 'tls.
.....
.....