a foundational sea of complexity
All the cool kids are making microservices these days and you want in too?
1. Install AWSCLI, Terraform, Ansible & Pritunl.
2. Log into the AWS EC2 console and create a key pair titled "default". Download the key and add it to your ssh-agent: `ssh-add /path/to/key.pem`
3. Ensure `~/.aws/credentials` has a profile with administrative access keys that matches `name` in `terraform.tfvars`.
4. Provision your infrastructure: `terraform apply`
5. Copy the private IP of the VPN from the final terraform output.
6. Enable public management of the VPN: `bin/enable-vpn-management`
7. Provision the VPN: `bin/provision-vpn`
8. Set up the VPN: `bin/manage-vpn` (pritunl docs) # TODO: automate using API?
   - Accept the invalid SSL certificate warning in the browser
   - Log in as pritunl/pritunl
   - Set a new administrative user/password
   - Click users in the top nav
   - Click add organization and fill out the form
   - Click add user and fill out the form
   - Click servers in the top nav
   - Click add server and fill out the form:
     - Set VPN port to match `vpn_port` in `terraform.tfvars`
     - Set Virtual Network to match `vpn_cidr` in `terraform.tfvars`
     - Set DNS to the private IP of the VPN (paste from step #5). This gives connected operators and developers the ability to resolve `*.service.consul` domains.
   - Click add route and enter the `vpc_cidr` from `terraform.tfvars`
   - Click remove route for `0.0.0.0/0` (makes the VPN a split tunnel)
   - Click attach organization
   - Click start server
   - Click users in the top nav
   - Click the chain icon next to your user for "temporary profile links"
   - Copy "Temporary uri link for Pritunl Client"
   - Open the Pritunl client, import the profile and connect
9. Disable public management of the VPN: `bin/disable-vpn-management`
10. Provision the management cluster: `bin/provision-management-cluster`
11. Provision the logging cluster: `bin/provision-logging-cluster`
12. Provision the compute cluster: `bin/provision-compute-cluster`
13. Initialize Vault: `bin/initialize-vault` (save the output securely)
14. Unseal Vault (3x): `bin/unseal-vault <key>`
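Steps 3 and 4 fail late and noisily if the AWS profile named in `terraform.tfvars` is not actually present in `~/.aws/credentials`. The following preflight check is an added example, not part of this project: it parses both files and reports any mismatch before `terraform apply` is run. The tfvars variable `name` is taken from the step above; the flat `key = "value"` tfvars layout, the `run_preflight` helper and the sample file contents are assumptions constructed for the example (the access keys in the sample are placeholders, not real credentials).

```python
"""Preflight check (added example): confirm the AWS profile that
terraform.tfvars names exists in ~/.aws/credentials before `terraform apply`."""
import configparser
import re
from pathlib import Path

# Matches single-line HCL assignments: key = "value" or key = value, with an
# optional trailing comment. Assumes the flat tfvars layout used by this README.
_TFVAR_RE = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*"?([^"\n#]*?)"?\s*(#.*)?$')


def parse_tfvars(text: str) -> dict:
    """Parse the flat `key = "value"` lines of a terraform.tfvars file."""
    out = {}
    for line in text.splitlines():
        m = _TFVAR_RE.match(line)
        if m:
            out[m.group(1)] = m.group(2).strip()
    return out


def parse_credentials(text: str) -> dict:
    """Parse the INI-style ~/.aws/credentials into {profile: {key: value}}."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return {section: dict(cp[section]) for section in cp.sections()}


def check_profile(tfvars: dict, creds: dict, var: str = "name") -> list:
    """Return a list of problems; an empty list means the profile is usable."""
    profile = tfvars.get(var)
    if not profile:
        return [f"terraform.tfvars does not set `{var}`"]
    section = creds.get(profile)
    if section is None:
        return [f"profile [{profile}] not found in ~/.aws/credentials"]
    problems = []
    for key in ("aws_access_key_id", "aws_secret_access_key"):
        if not section.get(key):
            problems.append(f"profile [{profile}] is missing {key}")
    return problems


def run_preflight(tfvars_path: Path = Path("terraform.tfvars"),
                  creds_path: Path = Path.home() / ".aws" / "credentials") -> list:
    """Hypothetical entry point: read both files from disk and check them."""
    return check_profile(parse_tfvars(tfvars_path.read_text()),
                         parse_credentials(creds_path.read_text()))


# Constructed sample inputs (not the project's real files, keys are placeholders).
SAMPLE_TFVARS = '''
# constructed sample terraform.tfvars
name     = "foundation"
vpn_port = 1194  # OpenVPN port exposed by Pritunl
vpn_cidr = "10.10.0.0/24"
vpc_cidr = "10.0.0.0/16"
'''

SAMPLE_CREDENTIALS = '''
[default]
aws_access_key_id = AKIAPLACEHOLDERDEFAULT
aws_secret_access_key = placeholder-default-secret

[foundation]
aws_access_key_id = AKIAPLACEHOLDERFOUNDATION
aws_secret_access_key = placeholder-foundation-secret
'''

if __name__ == "__main__":
    for problem in check_profile(parse_tfvars(SAMPLE_TFVARS),
                                 parse_credentials(SAMPLE_CREDENTIALS)):
        print("preflight:", problem)
```

Run `run_preflight()` from the directory holding `terraform.tfvars`; anything it returns should be fixed before step 4. The check deliberately does not print key values, so its output is safe to paste into a ticket.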
Still to do:

- Get log shipping system set up (elastic stack)
- Confirm Fabio working for SSL
- Hook up fabio certificate store for SSL termination
- Get SSL communication going for Vault and Consul.
- Lock down consul a bit:
  - Confirm that dnsmasq is the correct approach for integration with consul, specifically with regards to caching.
Checks once everything is up:

- Confirm the Consul cluster is up by running `consul members` on any of the management cluster nodes.
- Confirm Consul is being used for DNS locally while connected to the VPN with `dig consul.service.consul`.
- Confirm the Consul UI is up: http://consul.service.consul:8500
- Confirm Consul/Vault integration: `dig vault.service.consul`.
- Incrementally take out Vault instances with `systemctl stop vault` on any of the management cluster nodes and watch Consul fail over by running `dig vault.service.consul` (restarting the service will require unsealing again).
- Test running a job on Nomad:

  ```
  scp services/proxy/job.nomad [email protected]:~/
  ssh [email protected] "nomad run job.nomad"
  ```

  - check http://consul.service.consul:8500 for the new service
  - check http://fabio.service.consul:9998 to see the routing table updated
  - check that fabio is forwarding with the following:

    ```
    telnet fabio.service.consul 80
    GET / HTTP/1.1
    HOST: gs.loc
    <hit enter>
    ctrl+]
    quit
    ```

  - confirm HA rollover for fabio by stopping fabio on any management cluster instance and watching the EIP association change in the AWS console
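The telnet check above depends on the `HOST:` header, because fabio routes by host name and answers 404 for a host it has no route for. The following is an added example, not code from this project, that performs the same check unattended: it opens a plain TCP socket, sends exactly the request typed into telnet above, and returns the HTTP status. The route name `gs.loc` comes from the README; the fabio address, the `demo` helper and the local stand-in server (which mimics fabio's 200/404 behaviour so the example runs offline) are assumptions constructed for the example.

```python
"""Added example: the README's telnet smoke test against fabio, done in code."""
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


def raw_http_get(host: str, port: int, vhost: str, path: str = "/",
                 timeout: float = 5.0) -> tuple:
    """Send `GET path HTTP/1.1` with the given Host header over a raw socket.

    Returns (status_code, body). Mirrors the manual telnet session: the only
    thing fabio needs to pick a route is the Host header.
    """
    request = (f"GET {path} HTTP/1.1\r\n"
               f"Host: {vhost}\r\n"
               "Connection: close\r\n"
               "\r\n").encode("ascii")
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        chunks = []
        while True:  # read until the server closes the connection
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    raw = b"".join(chunks)
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line = head.split(b"\r\n", 1)[0].decode("ascii", "replace")
    status = int(status_line.split()[1])  # "HTTP/1.1 200 OK" -> 200
    return status, body


class _FabioStandIn(BaseHTTPRequestHandler):
    """Constructed stand-in for fabio: 200 for a routed Host, 404 otherwise."""
    routes = {"gs.loc"}

    def do_GET(self):
        if self.headers.get("Host") in self.routes:
            self.send_response(200)
            self.send_header("Content-Length", "2")
            self.end_headers()
            self.wfile.write(b"ok")
        else:
            self.send_response(404)
            self.send_header("Content-Length", "0")
            self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def demo() -> dict:
    """Hypothetical helper: run the check against the local stand-in.

    Returns {host_header: status}; a routed host yields 200, an unknown one 404.
    """
    server = HTTPServer(("127.0.0.1", 0), _FabioStandIn)
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return {vh: raw_http_get("127.0.0.1", port, vh)[0]
                for vh in ("gs.loc", "unknown.loc")}
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    # Against the real frontend you would call:
    #   raw_http_get("fabio.service.consul", 80, "gs.loc")
    print(demo())
```

Checking both a routed and an unrouted host name is the useful part: a 200 for `gs.loc` next to a 404 for an unknown host shows that fabio, not some default backend, is answering on port 80.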
High level explainer to follow.