Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add followers to AWS Cluster demo #32

Merged
merged 1 commit into from
Mar 12, 2019
Merged

Add followers to AWS Cluster demo #32

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
64 changes: 64 additions & 0 deletions demos/aws-cluster/1.1_init_followers
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,64 @@
#!/bin/bash -eux

: ${SSH_KEY_FILE?"Need to set SSH_KEY_FILE"}

source bin/lib/aws_context
source bin/lib/conjur_context

SEED_DIR="./tmp/conjur/seeds"

function create_follower_seed() {
local filename=$1

mkdir -p $SEED_DIR

# Create Follower Seed
ssh -i "$SSH_KEY_FILE" \
-o "StrictHostKeyChecking no" \
core@$MASTER_1_PUBLIC /bin/bash << EOF
docker exec conjur-appliance bash -c " \
evoke seed follower "$LB_FOLLOWER_DNS" "$LB_DNS" > "/opt/conjur/backup/$filename"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why do you include $LB_DNS here?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Last I checked on it, it was still not crystal clear what is the correct way to setup certificates and domain names for an autofailover cluster to work with load balancers. So I was explicit about what the master address should be for the follower to avoid any issues while preparing the PCF demo video.

It's possible that it's not necessary. I can create an issue to investigate removing it.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

#35

"
EOF

# Copy seed to host
scp -i "$SSH_KEY_FILE" \
-o "StrictHostKeyChecking no" \
"core@$MASTER_1_PUBLIC:/opt/conjur/backup/$filename" \
"$SEED_DIR/$filename"
}

function configure_follower() {
local follower_public=$1
local filename=$2

# Copy seed
scp -i "$SSH_KEY_FILE" \
-o "StrictHostKeyChecking no" \
"$SEED_DIR/$filename" \
"core@$follower_public:~/$filename"

# Configure node
ssh -i "$SSH_KEY_FILE" \
-o "StrictHostKeyChecking no" \
core@$follower_public /bin/bash << EOF
sudo mv "\$HOME/$filename" "/opt/conjur/backup/$filename"

docker exec conjur-appliance \
evoke unpack seed "/opt/conjur/backup/$filename"

docker exec conjur-appliance \
evoke configure follower
EOF
}

function configure_followers() {
for follower in $FOLLOWERS_PUBLIC; do
echo "Configuring follower on '$follower'..."
configure_follower "$follower" "follower-seed.tar"
done
}

create_follower_seed "follower-seed.tar"

configure_followers
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In some other projects, we adhere to Google shell guidelines that state to create a main function at the top of the file and call it at the bottom so that it's easy to find the program start. I know the way you did this is more consistent with the other files in this repo so maybe it's better to follow the established standard here but thought it was worth raising.

Copy link
Contributor Author

@micahlee micahlee Mar 12, 2019
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cool, I did not know about this! I'm not going to change it now because I would need to run through it all again to make sure I didn't break anything. I will create an issue to refactor this according to these guidelines next time I'm in here. Thanks!

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

#34

3 changes: 3 additions & 0 deletions demos/aws-cluster/1_init_cluster
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,9 @@ function configure_master() {
--master-altnames "$LB_DNS,$MASTER_2_PRIVATE,$MASTER_3_PRIVATE" \
-p "$CONJUR_ADMIN_PASSWORD" \
"$CONJUR_ACCOUNT"

docker exec conjur-appliance \
evoke ca issue --force $LB_FOLLOWER_DNS
EOF
}

Expand Down
7 changes: 5 additions & 2 deletions demos/aws-cluster/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -92,8 +92,11 @@ To initially install the cluster:
Successful Health Checks: 10
```

4. Deploy a Follower in AWS
> TBD
4. (Optional) Deploy Followers in AWS
To also configure followers with the cluster, run the command:
```
$ ./1.1_init_followers
```


## HA Scenarios
Expand Down
6 changes: 6 additions & 0 deletions demos/aws-cluster/bin/lib/aws_context
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,9 @@
export LB_DNS_DEFAULT=$(terraform output conjur_master_lb_public)
export LB_DNS="${LB_DNS:-${LB_DNS_DEFAULT}}"

export LB_FOLLOWER_DNS_DEFAULT=$(terraform output conjur_follower_lb_public)
export LB_FOLLOWER_DNS="${LB_FOLLOWER_DNS:-${LB_FOLLOWER_DNS_DEFAULT}}"

export MASTER_1_PRIVATE=$(terraform output -json conjur_master_nodes_private | jq -r '.value[0]')
export MASTER_1_PUBLIC=$(terraform output -json conjur_master_nodes_public | jq -r '.value[0]')

Expand All @@ -11,3 +14,6 @@ export MASTER_2_PUBLIC=$(terraform output -json conjur_master_nodes_public | jq

export MASTER_3_PRIVATE=$(terraform output -json conjur_master_nodes_private | jq -r '.value[2]')
export MASTER_3_PUBLIC=$(terraform output -json conjur_master_nodes_public | jq -r '.value[2]')

# Follower public DNS address, 1 per line
export FOLLOWERS_PUBLIC=$(terraform output -json conjur_follower_nodes_public | jq -r '.value | .[]')
93 changes: 92 additions & 1 deletion demos/aws-cluster/main.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -77,6 +77,7 @@ resource "aws_security_group" "lb" {
}
}

# Load balancer for master cluster
resource "aws_elb" "lb" {
name = "${var.resource_prefix}conjur-ha-lb"

Expand Down Expand Up @@ -120,6 +121,34 @@ resource "aws_elb" "lb" {
}
}

# Load balancer for followers
resource "aws_elb" "follower_lb" {
name = "${var.resource_prefix}conjur-ha-follower-lb"

subnets = ["${data.aws_subnet.subnet.*.id}"]
security_groups = ["${aws_security_group.lb.id}"]

# API and UI
listener {
instance_port = 443
instance_protocol = "tcp"
lb_port = 443
lb_protocol = "tcp"
}

health_check {
healthy_threshold = 2
unhealthy_threshold = 2
timeout = 3
target = "HTTPS:443/health"
interval = 30
}

tags = {
Name = "${var.resource_prefix}conjur-ha-follower-lb"
}
}

#############################################
# 3-Node Master Cluster Config
#############################################
Expand Down Expand Up @@ -188,6 +217,60 @@ resource "aws_elb_attachment" "lb_nodes" {
instance = "${element(aws_instance.conjur_master_node.*.id, count.index)}"
}

#############################################
# Follower config
#############################################

# Security Group for Node Instances
resource "aws_security_group" "follower_node" {
name = "${var.resource_prefix}conjur-ha-follower-node"
description = "Allow Conjur Follower Node Traffic"
vpc_id = "${var.vpc_id}"

ingress {
from_port = 443
to_port = 443
protocol = "6"
cidr_blocks = ["0.0.0.0/0"]
}

ingress {
from_port = 22
to_port = 22
protocol = "6"
cidr_blocks = ["0.0.0.0/0"]
}

egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
}
}

# Instances
resource "aws_instance" "conjur_follower_node" {
count = 2

ami = "${var.ami_id}"
instance_type = "m4.large"
availability_zone = "${element(var.availability_zones, count.index)}"
subnet_id = "${element(data.aws_subnet.subnet.*.id, count.index)}"
key_name = "${var.key_name}"
vpc_security_group_ids = ["${aws_security_group.follower_node.id}"]

tags = {
Name = "${var.resource_prefix}conjur-follower-${count.index + 1}"
}
}

resource "aws_elb_attachment" "follower_lb_nodes" {
count = "${aws_instance.conjur_follower_node.count}"
elb = "${aws_elb.follower_lb.id}"
instance = "${element(aws_instance.conjur_follower_node.*.id, count.index)}"
}

#############################################
# Outputs
#############################################
Expand All @@ -196,10 +279,18 @@ output "conjur_master_lb_public" {
value = "${aws_elb.lb.dns_name}"
}

output "conjur_follower_lb_public" {
value = "${aws_elb.follower_lb.dns_name}"
}

output "conjur_master_nodes_public" {
value = "${aws_instance.conjur_master_node.*.public_dns}"
}

output "conjur_master_nodes_private" {
value = "${aws_instance.conjur_master_node.*.private_dns}"
}
}

output "conjur_follower_nodes_public" {
value = "${aws_instance.conjur_follower_node.*.public_dns}"
}