From 1f11af92f65ba6a14d3afa3053b6c5ce6e629adf Mon Sep 17 00:00:00 2001
From: Jinn Koriech
Date: Wed, 28 Aug 2019 15:40:45 +0100
Subject: [PATCH 1/4] Add support for enabling auto_encrypt on both server & client

We get support for enabling auto_encryption at set up time, allowing client instances to get their TLS key/cert pairs from the consul servers. In order to allow browsers to access the UI we also need to enable the HTTPS endpoint and disable mTLS on the HTTPS endponit, while keeping mTLS enabled for RPC connections.
---
 modules/run-consul/run-consul | 37 ++++++++++++++++++++++++++++++++++-
 1 file changed, 36 insertions(+), 1 deletion(-)

diff --git a/modules/run-consul/run-consul b/modules/run-consul/run-consul
index 56c5054f..4f040139 100755
--- a/modules/run-consul/run-consul
+++ b/modules/run-consul/run-consul
@@ -51,6 +51,7 @@ function print_usage {
 echo -e " --ca-path\t\tPath to the directory of CA files used to verify outgoing connections. Optional. Must be specified with --enable-rpc-encryption."
 echo -e " --cert-file-path\tPath to the certificate file used to verify incoming connections. Optional. Must be specified with --enable-rpc-encryption and --key-file-path."
 echo -e " --key-file-path\tPath to the certificate key used to verify incoming connections. Optional. Must be specified with --enable-rpc-encryption and --cert-file-path."
+ echo -e " --enable-auto-encryption\t\tEnable auto_encrypt setting for servers and clients."
 echo -e " --environment\t\tA single environment variable in the key/value pair form 'KEY=\"val\"' to pass to Consul as environment variable when starting it up. Repeat this option for additional variables. Optional."
 echo -e " --skip-consul-config\tIf this flag is set, don't generate a Consul configuration file. Optional. Default is false."
 echo -e " --recursor\tThis flag provides address of upstream DNS server that is used to recursively resolve queries if they are not inside the service domain for Consul. Repeat this option for additional variables. Optional."
@@ -231,9 +232,10 @@ function generate_consul_config {
 local -r redundancy_zone_tag="${17}"
 local -r disable_upgrade_migration="${18}"
 local -r upgrade_version_tag=${19}
+ local -r enable_auto_encryption="${20}"
 local -r config_path="$config_dir/$CONSUL_CONFIG_FILE"
- shift 19
+ shift 20
 local -r recursors=("$@")
 local instance_id=""
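Review bot: The new `--enable-auto-encryption` help line in the print_usage hunk leaves out the prerequisites that every neighbouring TLS option states ("Must be specified with --enable-rpc-encryption"), and the later commits in this series say a client also needs the CA supplied; auto_encrypt appears to depend on the server already having its TLS material configured, so the usage text should say so. Suggest `Enable auto_encrypt for servers and clients. Optional. Default is false. Appears to require --enable-rpc-encryption (and --ca-path on clients) - confirm.` in place of the current sentence. The `\t\t` after an option name longer than `--cert-file-path` will also push this entry out of column with the `\t` used by its siblings. print_usage starts and ends outside the hunk.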
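Review bot: In the generate_consul_config hunk the new `local -r enable_auto_encryption="${20}"` and `shift 20` give no hint of the value's expected form or that every call site must now pass twenty positional arguments before the recursors; the caller is not in this hunk, so whether it was updated in the same commit cannot be checked from here. With this many positionals a short comment on the new line would save the next reader a trip to the call site, e.g. `# $20: "true"/"false" from --enable-auto-encryption; keep in step with the caller's argument order`. generate_consul_config begins before and continues past the hunk.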
@@ -302,11 +304,39 @@ EOF
 rpc_encryption_configuration=$(cat <
Date: Thu, 5 Sep 2019 14:57:58 +0100
Subject: [PATCH 2/4] Complete configuration of consul client auto-encrypt support

When we're running consul in client mode and want it to connect to the servers we must provide the CA and enable HTTPS. It's also good practice to disable plain HTTP.
---
 modules/run-consul/run-consul | 5 +++++
 1 file changed, 5 insertions(+)
 mode change 100755 => 100644 modules/run-consul/run-consul

diff --git a/modules/run-consul/run-consul b/modules/run-consul/run-consul
old mode 100755
new mode 100644
index 4f040139..59b73d98
--- a/modules/run-consul/run-consul
+++ b/modules/run-consul/run-consul
@@ -331,9 +331,14 @@ EOF
 else
 log_info "Creating RPC auto_encrypt configuration for client"
 auto_encrypt_configuration=$(cat <
Date: Thu, 5 Sep 2019 14:59:01 +0100
Subject: [PATCH 3/4] Workaround for v1.6.0 failure to auto-join

There's a known issue[1] in v1.6.0 that prevents consul clients from contacting the servers when they're configured to auto-join. This workaround[2] gets things working.

1: https://github.com/hashicorp/consul/issues/6391
2: https://github.com/hashicorp/consul/issues/6391#issuecomment-525418344
---
 modules/run-consul/run-consul | 7 +++++++
 1 file changed, 7 insertions(+)
 mode change 100644 => 100755 modules/run-consul/run-consul

diff --git a/modules/run-consul/run-consul b/modules/run-consul/run-consul
old mode 100644
new mode 100755
index 59b73d98..92d49589
--- a/modules/run-consul/run-consul
+++ b/modules/run-consul/run-consul
@@ -339,6 +339,13 @@ EOF
 "http": -1,
 "https": 8501
 },
+"connect": {
+ "enabled": true,
+ "ca_config": {
+ "private_key_type": "ec",
+ "private_key_bits": 256
+ }
+},
 EOF
 )
 fi

From ff22f6360395125b323fb36adab2952f738ad087 Mon Sep 17 00:00:00 2001
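Review bot: The `connect` stanza added in the PATCH 3/4 hunk is, per the commit message, a workaround for a single Consul release, but nothing near the heredoc records that, and JSON inside a heredoc has no comment syntax, so the reason will be lost once the script is read without the git history. Put a shell comment on the line above the `auto_encrypt_configuration=$(cat <<EOF` assignment (outside this hunk), e.g. `# Workaround for hashicorp/consul#6391 (v1.6.0 clients fail to auto-join); re-check and drop once the agent is upgraded past the affected release.` This heredoc sits in the client branch of the if/else (the previous patch's hunk shows the `else` / "configuration for client" log line), and `ca_config` looks like a server-side Connect CA setting that a client agent would not act on, so the effective part may be just `"connect": { "enabled": true },` — worth confirming against the linked issue comment before trimming. Enabling Connect on the client agent is also a behaviour change beyond auto-join that the note should mention. The enclosing if/else and the function begin outside the hunk.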
From: Jinn Koriech
Date: Fri, 6 Sep 2019 12:33:55 +0100
Subject: [PATCH 4/4] Enable HTTP endpoint for local connections on client agents

When auto_encrypt is used on the client agents there's still no support for TLS over the HTTPS API[1]. In order for the client agents to interact with services such as nomad we need to enable the HTTP API, but to maintain some level of controls we also restrict write operations to localhost.

1: https://github.com/hashicorp/consul/issues/6403
---
 modules/run-consul/run-consul | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/modules/run-consul/run-consul b/modules/run-consul/run-consul
index 92d49589..fd46bc86 100755
--- a/modules/run-consul/run-consul
+++ b/modules/run-consul/run-consul
@@ -336,9 +336,12 @@ EOF
 "tls": true
 },
 "ports": {
- "http": -1,
+ "http": 8500,
 "https": 8501
 },
+"http_config": {
+ "allow_write_http_from": ["127.0.0.0/8"]
+},
 "connect": {
 "enabled": true,
 "ca_config": {
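Review bot: `allow_write_http_from` only gates write verbs, so re-opening `"http": 8500` leaves every read request (catalog, KV, health) on a cleartext listener reachable from whatever address the agent's HTTP endpoint binds to, and any ACL token sent with those reads crosses the network unencrypted; the hunk does not show the HTTP bind address, which is set elsewhere in the script or by Consul's default. If nomad and the other local consumers are co-located, binding the plain listener to loopback (Consul's `addresses` block, `"addresses": { "http": "127.0.0.1" }`) would make the restriction the commit message describes hold for reads as well — confirm the bind address before relying on the write-only filter. The reason for the port flip and the `http_config` block also belongs in a shell comment above the heredoc, since JSON carries no comments, e.g. `# Plain HTTP stays open for local consumers (nomad); TLS on the client HTTPS API is not supported with auto_encrypt, see hashicorp/consul#6403.` The heredoc and its enclosing if/else start outside the hunk.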