This project is an example of using Consul, Vault, and Vault UI in a high availability (HA) configuration, conveniently packaged as Docker services for provisioning via Docker Compose.
Features:
- dnsmasq makes Consul DNS available to all containers. A secondary dnsmasq server is provided, which grants HA to the DNS available to all containers. This allows consul-template to update DNS with zero DNS downtime. consul-template will create a lock to ensure it is not possible for both the primary and secondary DNS servers to be down during DNS configuration updates as part of service discovery.
- consul-template updates the dnsmasq configuration and restarts dnsmasq when the configuration has changed (e.g. the consul cluster size is increased on the fly). This makes consul DNS lookups HA.
- Vault and Vault UI are registered via service discovery, which is exposed via Consul DNS.
- Vault UI makes use of Consul DNS to log into Vault. This means Vault UI does not necessarily need to know where Vault is, because Consul service discovery takes care of that.
Supplemental reading material:
```bash
./scripts/consul-agent.sh --bootstrap
docker-compose up --scale vault=3 -d
```

Remove `--scale vault=3` if you want to start one instance of Vault. `docker-compose up -d` would bring only Consul up in HA configuration.
Configure your browser to use the SOCKS5 proxy listening on `localhost:1080`. With your browser configured to use the proxy, visit http://consul.service.consul:8500/ and wait for the cluster to be ready.
After the vault service has all nodes available, it is time to initialize Vault.

```bash
./scripts/initialize-vault.sh
```

The credentials for Vault are located in the file `secret.txt`, which is created when Vault is initialized.

Note: the Root Token will be used to log into the Vault UI.
Configure your web browser to use the SOCKS5 proxy listening on `localhost:1080`.

In Firefox, do the following:
- Edit connection settings
- Set Manual proxy configuration
- Set SOCKS host to `localhost`, set Port to `1080`, and check the `SOCKS v5` option.

Alternately, install the FoxyProxy extension, which lets you quickly switch proxies on or off.

For other browsers, web search how to configure proxy settings or see what extensions are available for managing proxy settings.
Visit http://portal.service.consul/. It provides links to other web UIs and if you configure additional portal services, then they will also show up automatically.
For playing around with service discovery, I have created other docker-compose files which will automatically register with this consul cluster. Here's a list of what I have created so far.
With HA enabled, container instances of consul and vault can be terminated with minor disruptions.

Consul can be scaled up on the fly. consul-template will automatically update dnsmasq to include new services, and dnsmasq will experience zero downtime.

```bash
docker-compose up --scale vault=3 --scale consul-worker=6 -d
```
To play with failover by killing consul instances, it is recommended to review fault tolerance for consul HA deployments.
Because high availability clusters have to gossip across nodes, you can't execute a simple `docker-compose down` without corrupting the clusters. Instead, you have to gracefully shut down all clusters that depend on consul and then gracefully shut down consul itself. For this, I have provided a script.

Stop the consul and vault clusters safely.

```bash
./scripts/graceful-shutdown.sh
```

Start the consul and vault clusters.

```bash
docker-compose up -d
```
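The ordering rule above (everything that depends on consul stops first, consul stops last) can be made explicit. The script below is an added example and is not the project's `scripts/graceful-shutdown.sh`: it reads a service dependency map, computes a stop order in which every service is stopped before the services it depends on, and refuses to proceed on a cycle. The dependency map (`vault-ui` needs `vault` and `consul`, `vault` needs `consul`) is constructed to mirror the README's description; the real compose file may differ, and `graceful_stop` assumes `docker-compose` is on `PATH` and that the names match compose services.

```bash
#!/usr/bin/env bash
# Added example, not the project's scripts/graceful-shutdown.sh: compute a
# shutdown order in which every service stops before the services it depends
# on, so Consul goes down last. Service names and the dependency map below are
# constructed to mirror the README; the real compose file may differ.

# Read lines of the form "<service>: <dep> <dep> ..." on stdin and print the
# services in a safe stop order (dependents first). Fails on a dependency cycle.
shutdown_order() {
  awk -F': *' '
    {
      svc = $1
      if (!(svc in seen)) { seen[svc] = 1; list[++n] = svc }
      m = split($2, deps, " ")
      for (i = 1; i <= m; i++) {
        if (!(deps[i] in seen)) { seen[deps[i]] = 1; list[++n] = deps[i] }
        edge[svc, deps[i]] = 1     # svc depends on deps[i]
        dependents[deps[i]]++      # one more service must stop before deps[i]
      }
    }
    END {
      emitted = 0
      while (emitted < n) {
        progressed = 0
        for (i = 1; i <= n; i++) {
          s = list[i]
          if (done[s] || dependents[s] > 0) continue
          print s; done[s] = 1; emitted++; progressed = 1
          for (j = 1; j <= n; j++)
            if ((s, list[j]) in edge) dependents[list[j]]--
        }
        if (!progressed) {
          print "dependency cycle, cannot order shutdown" > "/dev/stderr"
          exit 1
        }
      }
    }'
}

# Constructed dependency map; "consul:" has no dependencies of its own.
DEPENDENCY_MAP='vault-ui: vault consul
vault: consul
consul:'

# Stop services one at a time in the computed order. Assumes docker-compose is
# on PATH and the names match compose services; not executed at load time.
graceful_stop() {
  printf '%s\n' "$DEPENDENCY_MAP" | shutdown_order | while read -r svc; do
    echo "stopping $svc"
    docker-compose stop "$svc"
  done
}

# Show the order that would be used.
printf '%s\n' "$DEPENDENCY_MAP" | shutdown_order
```

Running the file prints `vault-ui`, `vault`, `consul` in that order; calling `graceful_stop` would stop them in the same sequence. A `docker-compose down` has no such ordering, which is why the README warns against it.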
Currently, output from the `dnsmasq` and `dnsmasq-secondary` servers is minimal. Verbosity of output can be increased for troubleshooting. Edit `docker-compose.yml` and add `--log-queries` to the dnsmasq command.
DNS client troubleshooting using Docker.

```bash
docker-compose run dns-troubleshoot
```

Using the `dig` command inside of the container.

```bash
# rely on the internal container DNS
dig consul.service.consul
# specify the dnsmasq hostname as the DNS server
dig @dnsmasq vault.service.consul
# reference vault DNS by tags
dig active.vault.service.consul
dig standby.vault.service.consul
```
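The tag lookups above are also a cheap health check: a healthy HA Vault cluster should advertise exactly one `active` node and that node should not also appear under `standby`. The script below is an added example, not code from the project: it parses the A records out of `dig` output and applies that check. The `dig` output embedded in it is constructed, not captured from a real cluster; `live_vault_check` assumes it is run inside the `dns-troubleshoot` container where `dig` and the `dnsmasq` hostname are available, as the README shows.

```bash
#!/usr/bin/env bash
# Added example, not part of the project: parse `dig` output for A records and
# check that Consul DNS reports exactly one active Vault node. Service names
# follow the README (active.vault.service.consul, standby.vault.service.consul);
# the sample dig output below is constructed, not captured from a real cluster.

# Print the addresses from the A records in dig output read on stdin.
# dig prints answers as "<name> <ttl> IN A <address>"; question lines start
# with ";" and carry "IN" in their second field, so they are skipped.
parse_a_records() {
  awk '$3 == "IN" && $4 == "A" { print $5 }'
}

# Given newline-separated active and standby address lists, return 0 when
# there is exactly one active node and it is not also listed as standby.
check_vault_ha() {
  ha_active=$1
  ha_standby=$2
  ha_count=$(printf '%s\n' "$ha_active" | grep -c . || true)
  if [ "$ha_count" -ne 1 ]; then
    echo "expected exactly one active Vault node, found $ha_count" >&2
    return 1
  fi
  if printf '%s\n' "$ha_standby" | grep -qxF "$ha_active"; then
    echo "active node $ha_active is also advertised as standby" >&2
    return 1
  fi
  return 0
}

# Live variant for use inside `docker-compose run dns-troubleshoot`
# (assumes dig and the dnsmasq hostname are reachable there).
live_vault_check() {
  check_vault_ha \
    "$(dig @dnsmasq active.vault.service.consul | parse_a_records)" \
    "$(dig @dnsmasq standby.vault.service.consul | parse_a_records)"
}

# Constructed sample output resembling what dig prints for the two tag lookups.
SAMPLE_ACTIVE='; <<>> DiG 9.16.1 <<>> @dnsmasq active.vault.service.consul
;; QUESTION SECTION:
;active.vault.service.consul.   IN      A

;; ANSWER SECTION:
active.vault.service.consul. 0  IN      A       172.16.238.21
'
SAMPLE_STANDBY='; <<>> DiG 9.16.1 <<>> @dnsmasq standby.vault.service.consul
;; QUESTION SECTION:
;standby.vault.service.consul.  IN      A

;; ANSWER SECTION:
standby.vault.service.consul. 0 IN      A       172.16.238.22
standby.vault.service.consul. 0 IN      A       172.16.238.23
'

# Run the check against the constructed sample.
demo() {
  demo_active=$(printf '%s' "$SAMPLE_ACTIVE" | parse_a_records)
  demo_standby=$(printf '%s' "$SAMPLE_STANDBY" | parse_a_records)
  if check_vault_ha "$demo_active" "$demo_standby"; then
    echo "active:  $demo_active"
    echo "standby: $(printf '%s' "$demo_standby" | tr '\n' ' ')"
  fi
}
demo
```

Inside the troubleshooting container, `source` the file and call `live_vault_check`; a non-zero exit with its message on stderr tells you whether the problem is no active node, several, or a stale tag, which is more useful during failover tests than eyeballing raw `dig` output.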
View vault logs.

```bash
docker-compose logs vault
```

Use `docker exec` to log into containers by name. It allows you to poke around the runtime of the container.
Run a SOCKS5 proxy for use with your browser.

```bash
docker run --network docker-compose-ha-consul-vault-ui_internal --dns 172.16.238.2 --init -p 127.0.0.1:1080:1080 --rm serjs/go-socks5-proxy
```

Configure your browser to use the SOCKS proxy at `127.0.0.1:1080`.