Let's prepare our environment with Vault and RabbitMQ.
Vault will do its usual job as the secrets store and will also provide Dynamic Secrets for both our RabbitMQ stack and our Cassandra DB stack.
We will add the token generated in Consul to the Vault configuration in 3 files:
modules/vault/vault.tf -> Add the token in "CONSUL_HTTP_TOKEN"
Then add the token in:
data/vault-server-01/config/vault-config.json
data/vault-server-02/config/vault-config.json
In both files it goes in the "token" parameter.
After that we will apply the vault_cluster module.
terraform apply -target=module.vault_cluster
Vault now appears registered in Consul, but with "Sealed" status.
Let's go through the unseal process on Vault Server 1:
docker exec -it vault-server-1 /bin/sh
vault operator init
vault operator unseal
vault status
Key             Value
---             -----
Seal Type       shamir
Initialized     true
Sealed          false
Total Shares    5
Threshold       3
Version         1.3.2
Cluster Name    vault-cluster-9be77481
Cluster ID      684b9232-19b4-9fb9-1b2e-8fd1ad08fdb7
HA Enabled      true
HA Cluster      https://10.5.0.2:8201
HA Mode         active
Now let's run the unseal process on Vault Server 2:
docker exec -it vault-server-2 /bin/sh
vault operator unseal
vault status
Key                    Value
---                    -----
Seal Type              shamir
Initialized            true
Sealed                 false
Total Shares           5
Threshold              3
Version                1.3.2
Cluster Name           vault-cluster-9be77481
Cluster ID             684b9232-19b4-9fb9-1b2e-8fd1ad08fdb7
HA Enabled             true
HA Cluster             https://10.5.0.2:8201
HA Mode                standby
Active Node Address    http://10.5.0.2:8200
Now we will prepare the RabbitMQ Docker image with the ACL token generated in Consul and then run the build.
cd /redstack_terraform_public/docker-images/rabbitmq
vim config/rabbitmq.conf
docker build -t rabbimq .
cd ../../redstack
vim modules/rabbitmq/rabbitmq.tf
Add the ACL token in "CONSUL_HTTP_TOKEN".
After the Docker image build completes, we will apply the rabbitmq_cluster module.
terraform apply -target=module.rabbitmq_cluster
We can already see the RabbitMQ stack, our queue manager, in Consul.
The rabbitmq_runtime module creates an example queue called "hello" and an administrator user for accessing RabbitMQ's web management.
It should be applied after deploying the rabbitmq_cluster module:
terraform apply -target=module.rabbitmq_runtime
Now let's apply the vault_rabbitmq_runtime module.
This module sets up the Dynamic Secrets feature on the Vault server, which generates random users on RabbitMQ.
terraform apply -target=module.vault_rabbitmq_runtime
After applying the vault_rabbitmq_runtime module, we will test the feature.
docker exec -it vault-server-1 /bin/sh
vault read rabbitmq/creds/rabbitmq_access_role
Key                Value
---                -----
lease_id           rabbitmq/creds/rabbitmq_access_role/Ff0fZcIj1SRAWeoQNHX21RzF
lease_duration     768h
lease_renewable    true
password           ea070a9f-9306-9f82-9cad-c42ab7553d02
username           root-bd54ff95-eec1-d07c-c966-6ad02ee725b4
Vault creates a username and password that you can use to authenticate with RabbitMQ.
The credentials have an expiration time (the lease duration) that can be set according to your business needs.
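The lease lifetime and the permissions of the generated user are both set on the Vault side. The Terraform below is an added example, not the vault_rabbitmq_runtime module's own code: it sketches a RabbitMQ secrets mount with short leases, a consume-only role for the "hello" queue, and a policy that lets a client token read only that role's credentials. The management URL, variable names, role and policy names, TTL values and permission patterns are assumptions.

```hcl
# Added example. Names, URL, TTLs and permission patterns are assumptions,
# not values taken from the redstack modules.
variable "rabbitmq_admin_user" {
  type = string
}

variable "rabbitmq_admin_password" {
  type = string # ends up in Terraform state, so protect the state file
}

# RabbitMQ secrets engine mounted at "rabbitmq", the path used by `vault read` above.
resource "vault_rabbitmq_secret_backend" "rabbitmq" {
  path           = "rabbitmq"
  connection_uri = "http://rabbitmq.service.consul:15672" # assumed management API address
  username       = var.rabbitmq_admin_user
  password       = var.rabbitmq_admin_password

  # Short leases instead of the 768h shown in the output above.
  default_lease_ttl_seconds = 3600  # 1 hour
  max_lease_ttl_seconds     = 14400 # 4 hours, renewals cannot go past this
}

# Role for a client that only consumes from the "hello" queue.
resource "vault_rabbitmq_secret_backend_role" "hello_consumer" {
  backend = vault_rabbitmq_secret_backend.rabbitmq.path
  name    = "hello_consumer" # hypothetical role name
  tags    = ""               # no management UI tags for generated users

  vhost {
    host      = "/"
    configure = "^$"      # matches nothing: cannot declare or delete resources
    write     = "^$"      # matches nothing: cannot publish or bind
    read      = "^hello$" # may consume from the "hello" queue only
  }
}

# Policy for application tokens: read credentials for this one role, nothing else.
resource "vault_policy" "hello_consumer" {
  name   = "hello-consumer" # hypothetical policy name
  policy = <<EOT
path "rabbitmq/creds/hello_consumer" {
  capabilities = ["read"]
}
EOT
}
```

With this in place, `vault read rabbitmq/creds/hello_consumer` returns a user whose lease expires after one hour unless renewed, and Vault deletes the RabbitMQ user when the lease ends or is revoked.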
In the next post we will deploy the Cassandra DB stack with Dynamic Secrets active in Vault and using Consul as a discovery service :)