メモ: Consul ACL を有効化してConsul を利用する
自分用の備忘録メモ。ACL を有効化せずに立ち上げた Consul クラスタで、後から ACL を有効化した際の手順です。
Bootstrap token を作成します。
Agent token を作成します。
Consul のconfig を作成します。
Consul を起動させます。
$ consul acl bootstrap
AccessorID: 5e6ee273-0be2-f06f-d1cd-f9a025eac468
SecretID: ********-****-****-****-************
Description: Bootstrap Token (Global Management)
Local: false
Create Time: 2021-10-10 16:48:46.447519148 +0900 JST
Policies:
00000000-0000-0000-0000-000000000001 - global-management
# <BOOTSTRAP_TOKEN> is the SecretID printed by `consul acl bootstrap` above: a
# global-management token. Export it only for the policy/token creation steps
# that follow, then unset it; the running agent uses the narrower agent token
# created below (node "hashi" policy), not this one. Exported secrets are
# visible to child processes and, if typed at the prompt, to shell history.
export CONSUL_HTTP_TOKEN=<BOOTSTRAP_TOKEN>
$ cat << EOF > node-hashi-policy.hcl
node "hashi" {
policy = "write"
}
EOF
$ consul acl policy create \
-name hashi \
-rules @node-hashi-policy.hcl
ID: 64484775-4798-8f81-4de3-96022e17134c
Name: hashi
Description:
Datacenters:
Rules:
node "hashi" {
policy = "write"
}
$ consul acl token create -description "consul agent token for hashi node" \
-policy-name hashi
AccessorID: 52f02c9b-0026-f9ce-baff-cb7488b6edc2
SecretID: ********-****-****-****-************
Description: consul agent token for hashi node
Local: false
Create Time: 2021-10-10 16:59:00.003105772 +0900 JST
Policies:
64484775-4798-8f81-4de3-96022e17134c - hashi
$ consul acl set-agent-token agent ********-****-****-****-************
ACL token "agent" set successfully
$ cat config.hcl
# Single-node lab server (bootstrap_expect = 1) bound to loopback only:
# both the RPC/serf side (bind_addr) and the HTTP API/UI (client_addr) are
# reachable from this host alone.
bind_addr = "127.0.0.1"
bootstrap_expect = 1
ui = true
client_addr = "127.0.0.1"
datacenter = "lab"
# Holds ACL state and, with enable_token_persistence below, the persisted
# agent token; keep this directory readable by the consul user only.
data_dir = "/home/demo/consul/localdata"
server = true
ports {
dns = 8600
}
acl {
enabled = true
# "allow" lets requests with no token, or whose token's policies say nothing
# about the resource, go through; only explicitly denied rules block. This is
# the migration-friendly setting for a cluster that ran without ACLs; "deny"
# is the hardened value once every client and agent carries a token.
default_policy = "allow"
# Tokens applied via `consul acl set-agent-token` are written to data_dir and
# survive restarts, so the agent token set on the CLI earlier is the same one
# repeated below; either place alone would suffice.
enable_token_persistence = true
tokens {
# Agent token created with the `hashi` policy (node "hashi" { policy = "write" }),
# not the bootstrap / global-management token.
agent = "********-****-****-****-************"
}
}
connect {
enabled = true
}
log_level = "INFO"
$ consul agent -config-file=/home/demo/consul/config.hcl