Make consul config TLS only and fix TLS consul client bug (#21)

- Fix nil pointer dereference in `attache-control` when configuring mTLS for the Consul client
- Make Consul client mTLS only
- Enable mTLS for Consul in example Terraform file
- Add mTLS Consul and Nomad configs
- Update REAMDE.md

Fixes #19
Fixes #20

Author: beautifulentropy

README.md

@@ -56,29 +56,27 @@ Redis nodes (in the Await Consul Service) to do so.
 $ ./attache-control -help
 Usage of ./attache-control:
   -attempt-interval duration
-    	Duration to wait between attempts to join or create a cluster (default 3s)
+    	Duration to wait between attempts to join or create a cluster (e.g. '1s') (default 3s)
   -attempt-limit int
-    	Number of times to attempt joining or creating a cluster before exiting (default 20)
+    	Number of times to join or create a cluster before exiting (default 20)
   -await-service-name string
     	Consul Service for newly created Redis Cluster Nodes, (required)
   -consul-acl-token string
     	Consul client ACL token
   -consul-addr string
-    	Consul client address (default "127.0.0.1:8500")
+    	Consul client address (default "127.0.0.1:8501")
   -consul-dc string
     	Consul client datacenter (default "dev-general")
-  -consul-tls-ca-cert string
+  -consul-tls-ca-cert string, (required)
     	Consul client CA certificate file
-  -consul-tls-cert string
+  -consul-tls-cert string, (required)
     	Consul client certificate file
-  -consul-tls-enable
-    	Enable mTLS for the Consul client
-  -consul-tls-key string
+  -consul-tls-key string, (required)
     	Consul client key file
   -dest-service-name string
     	Consul Service for healthy Redis Cluster Nodes, (required)
   -lock-kv-path string
-    	Consul KV path used as a distributed lock for operations (default "service/attache/leader")
+    	Consul KV path to use as a leader lock for Redis Cluster operations (default "service/attache/leader")
   -log-level string
     	Set the log level (default "info")
   -redis-auth-password-file string
@@ -106,12 +104,12 @@ $ go build -o attache-check ./cmd/attache-check/main.go && go build -o attache-c
 
 In another shell, start the Consul server in `dev` mode:
 ```shell
-$ consul agent -dev -datacenter dev-general -log-level ERROR
+$ consul agent -dev -config-format=hcl -config-file consul.conf.hcl
 ```
 
 In another shell, start the Nomad server in `dev` mode:
 ```shell
-$ sudo nomad agent -dev -bind 0.0.0.0 -log-level ERROR -dc dev-general
+$ sudo nomad agent -dev -config nomad.conf.hcl
 ```
 
 Start a Nomad job deployment using Terraform:
@@ -125,7 +123,7 @@ terraform apply
 Open the Nomad UI: http://localhost:4646/ui to view information about the Redis
 Cluster deployment
 
-Open the Consul UI: http://localhost:8500/ui to view health check information
+Open the Consul UI: http://localhost:8501/ui to view health check information
 for the Redis Cluster
 
 ### Useful Commands

cmd/attache-control/config.go

@@ -58,22 +58,16 @@ func (c cliOpts) Validate() error {
 		return errors.New("missing required opt: 'await-service-name'")
 	}
 
-	if c.ConsulOpts.EnableTLS {
-		if c.ConsulOpts.TLSCACertFile == "" {
-			return errors.New("missing required opt: 'consul-tls-ca-cert")
-		}
-
-		if c.ConsulOpts.TLSCertFile == "" {
-			return errors.New("missing required opt: 'consul-tls-cert")
-		}
-
-		if c.ConsulOpts.TLSKeyFile == "" {
-			return errors.New("missing required opt: 'consul-tls-key")
-		}
+	if c.ConsulOpts.TLSCACertFile == "" {
+		return errors.New("missing required opt: 'consul-tls-ca-cert")
 	}
 
-	if !c.ConsulOpts.EnableTLS && (c.ConsulOpts.TLSCACertFile != "" || c.ConsulOpts.TLSCertFile != "" || c.ConsulOpts.TLSKeyFile != "") {
-		return errors.New("missing required opt: 'consul-tls-enable")
+	if c.ConsulOpts.TLSCertFile == "" {
+		return errors.New("missing required opt: 'consul-tls-cert")
+	}
+
+	if c.ConsulOpts.TLSKeyFile == "" {
+		return errors.New("missing required opt: 'consul-tls-key")
 	}
 
 	if c.RedisOpts.NodeAddr == "" {
@@ -108,7 +102,7 @@ func ParseFlags() cliOpts {
 	// CLI
 	flag.StringVar(&conf.lockPath, "lock-kv-path", "service/attache/leader", "Consul KV path to use as a leader lock for Redis Cluster operations")
 	flag.DurationVar(&conf.attemptInterval, "attempt-interval", 3*time.Second, "Duration to wait between attempts to join or create a cluster (e.g. '1s')")
-	flag.IntVar(&conf.attemptLimit, "attempt-limit", 20, "Number of times to attempt for or join a cluster before exiting")
+	flag.IntVar(&conf.attemptLimit, "attempt-limit", 20, "Number of times to attempt join or create a cluster before exiting")
 	flag.StringVar(&conf.awaitServiceName, "await-service-name", "", "Consul Service for newly created Redis Cluster Nodes, (required)")
 	flag.StringVar(&conf.destServiceName, "dest-service-name", "", "Consul Service for healthy Redis Cluster Nodes, (required)")
 	flag.StringVar(&conf.logLevel, "log-level", "info", "Set the log level")
@@ -123,12 +117,11 @@ func ParseFlags() cliOpts {
 
 	// Consul
 	flag.StringVar(&conf.ConsulOpts.DC, "consul-dc", "dev-general", "Consul client datacenter")
-	flag.StringVar(&conf.ConsulOpts.Address, "consul-addr", "127.0.0.1:8500", "Consul client address")
+	flag.StringVar(&conf.ConsulOpts.Address, "consul-addr", "127.0.0.1:8501", "Consul client address")
 	flag.StringVar(&conf.ConsulOpts.ACLToken, "consul-acl-token", "", "Consul client ACL token")
-	flag.BoolVar(&conf.ConsulOpts.EnableTLS, "consul-tls-enable", false, "Enable mTLS for the Consul client (requires 'consul-tls-ca-cert', 'consul-tls-cert', 'consul-tls-key')")
-	flag.StringVar(&conf.ConsulOpts.TLSCACertFile, "consul-tls-ca-cert", "", "Consul client CA certificate file")
-	flag.StringVar(&conf.ConsulOpts.TLSCertFile, "consul-tls-cert", "", "Consul client certificate file")
-	flag.StringVar(&conf.ConsulOpts.TLSKeyFile, "consul-tls-key", "", "Consul client key file")
+	flag.StringVar(&conf.ConsulOpts.TLSCACertFile, "consul-tls-ca-cert", "", "Consul client CA certificate file, (required)")
+	flag.StringVar(&conf.ConsulOpts.TLSCertFile, "consul-tls-cert", "", "Consul client certificate file, (required)")
+	flag.StringVar(&conf.ConsulOpts.TLSKeyFile, "consul-tls-key", "", "Consul client key file, (required)")
 
 	flag.Parse()
 	return conf

example/consul.conf.hcl

@@ -0,0 +1,17 @@
+datacenter             = "dev-general"
+log_level              = "ERROR"
+verify_incoming        = false
+verify_outgoing        = true
+verify_server_hostname = true
+ca_file                = "tls/consul/consul-agent-ca.pem"
+cert_file              = "tls/consul/dev-general-server-consul-0.pem"
+key_file               = "tls/consul/dev-general-server-consul-0-key.pem"
+ports {
+  dns      = 8600
+  http     = -1
+  https    = 8501
+  grpc     = 8502
+  serf_lan = 8301
+  serf_wan = -1
+  server   = 8300
+}

example/nomad.conf.hcl

@@ -0,0 +1,14 @@
+datacenter = "dev-general"
+log_level  = "ERROR"
+consul {
+  address   = "localhost:8501"
+  ssl       = true
+  ca_file   = "tls/consul/consul-agent-ca.pem"
+  cert_file = "tls/attache/consul/dev-general-client-consul-0.pem"
+  key_file  = "tls/attache/consul/dev-general-client-consul-0-key.pem"
+}
+
+# Enable CORS, retrieving logs is done via IP so we need CORS
+http_api_response_headers {
+  Access-Control-Allow-Origin = "*"
+}

example/redis-cluster.hcl

@@ -39,18 +39,18 @@ variable "redis-password" {
 }
 
 // redis-tls-cacert is the contents of the CA cert file, in PEM format, used for
-// mutal TLS authentication between Redis Server and Attaché.
+// mutual TLS authentication between Redis Server and Attaché.
 variable "redis-tls-cacert" {
   type = string
 }
 
 // redis-tls-cert is the contents of the cert file, in PEM format, used for
-// mutal TLS authentication between Redis Server and Attaché.
+// mutual TLS authentication between Redis Server and Attaché.
 variable "redis-tls-cert" {
   type = string
 }
 
-// redis-tls-key is the contents of the key file, in PEM format, used for mutal
+// redis-tls-key is the contents of the key file, in PEM format, used for mutual
 // TLS authentication between Redis Server and Attaché.
 variable "redis-tls-key" {
   type = string
@@ -63,17 +63,35 @@ variable "redis-config-template" {
 }
 
 // attache-redis-tls-cert is the contents of the cert file, in PEM format, used
-// for mutal TLS authentication between Attaché and the Redis Server.
+// for mutual TLS authentication between Attaché and the Redis Server.
 variable "attache-redis-tls-cert" {
   type = string
 }
 
 // attache-redis-tls-key is the contents of the key file, in PEM format, used
-// for mutal TLS authentication between Attaché and the Redis Server.
+// for mutual TLS authentication between Attaché and the Redis Server.
 variable "attache-redis-tls-key" {
   type = string
 }
 
+// consul-tls-ca-cert is the contents of the CA cert file, in PEM format, used
+// for mutual TLS authentication between Attaché and the Consul Server.
+variable "consul-tls-ca-cert" {
+  type = string
+}
+
+// attache-consul-tls-cert is the contents of the cert file, in PEM format, used
+// for mutual TLS authentication between Attaché and the Consul Server.
+variable "attache-consul-tls-cert" {
+  type = string
+}
+
+// attache-consul-tls-key is the contents of the key file, in PEM format, used
+// for mutual TLS authentication between Attaché and the Cosnul Server.
+variable "attache-consul-tls-key" {
+  type = string
+}
+
 job "redis-cluster" {
   datacenters = ["dev-general"]
   type        = "service"
@@ -150,12 +168,27 @@ job "redis-cluster" {
       }
       template {
         data        = var.attache-redis-tls-cert
-        destination = "${NOMAD_ALLOC_DIR}/data/attache-tls/cert.pem"
+        destination = "${NOMAD_ALLOC_DIR}/data/attache-redis-tls/cert.pem"
         change_mode = "restart"
       }
       template {
         data        = var.attache-redis-tls-key
-        destination = "${NOMAD_ALLOC_DIR}/data/attache-tls/key.pem"
+        destination = "${NOMAD_ALLOC_DIR}/data/attache-redis-tls/key.pem"
+        change_mode = "restart"
+      }
+      template {
+        data        = var.consul-tls-ca-cert
+        destination = "${NOMAD_ALLOC_DIR}/data/consul-tls/ca-cert.pem"
+        change_mode = "restart"
+      }
+      template {
+        data        = var.attache-consul-tls-cert
+        destination = "${NOMAD_ALLOC_DIR}/data/attache-consul-tls/cert.pem"
+        change_mode = "restart"
+      }
+      template {
+        data        = var.attache-consul-tls-key
+        destination = "${NOMAD_ALLOC_DIR}/data/attache-consul-tls/key.pem"
         change_mode = "restart"
       }
     }
@@ -193,8 +226,11 @@ job "redis-cluster" {
           "-redis-auth-username", "${var.redis-username}",
           "-redis-auth-password-file", "${NOMAD_ALLOC_DIR}/data/password.txt",
           "-redis-tls-ca-cert", "${NOMAD_ALLOC_DIR}/data/redis-tls/ca-cert.pem",
-          "-redis-tls-cert-file", "${NOMAD_ALLOC_DIR}/data/attache-tls/cert.pem",
-          "-redis-tls-key-file", "${NOMAD_ALLOC_DIR}/data/attache-tls/key.pem"
+          "-redis-tls-cert-file", "${NOMAD_ALLOC_DIR}/data/attache-redis-tls/cert.pem",
+          "-redis-tls-key-file", "${NOMAD_ALLOC_DIR}/data/attache-redis-tls/key.pem",
+          "-consul-tls-ca-cert", "${NOMAD_ALLOC_DIR}/data/consul-tls/ca-cert.pem",
+          "-consul-tls-cert", "${NOMAD_ALLOC_DIR}/data/attache-consul-tls/cert.pem",
+          "-consul-tls-key", "${NOMAD_ALLOC_DIR}/data/attache-consul-tls/key.pem"
         ]
       }
     }
@@ -213,8 +249,8 @@ job "redis-cluster" {
           "-redis-auth-username", "${var.redis-username}",
           "-redis-auth-password-file", "${NOMAD_ALLOC_DIR}/data/password.txt",
           "-redis-tls-ca-cert", "${NOMAD_ALLOC_DIR}/data/redis-tls/ca-cert.pem",
-          "-redis-tls-cert-file", "${NOMAD_ALLOC_DIR}/data/attache-tls/cert.pem",
-          "-redis-tls-key-file", "${NOMAD_ALLOC_DIR}/data/attache-tls/key.pem"
+          "-redis-tls-cert-file", "${NOMAD_ALLOC_DIR}/data/attache-redis-tls/cert.pem",
+          "-redis-tls-key-file", "${NOMAD_ALLOC_DIR}/data/attache-redis-tls/key.pem"
         ]
       }
     }