Hello everyone and thanks for reading.
I'm pretty new to Consul. I have been reading and practicing with the documentation for some time, and I was able to properly configure Consul on some nodes.
Now I want to enable ACLs so that I can manage the security of my Consul cluster, but I cannot get it up and running. I followed this guide: https://learn.hashicorp.com/consul/security-networking/production-acls#create-the-agent-policy.
- Node 1: the 'bootstrap' node. IP: 172.20.10.41
- Node 2: the 'slave' node. IP: 172.20.10.40
What I expect:
- Set up and run ACLs to control which processes/nodes connect to the cluster and read/write information.
I can enable ACLs for a Consul agent and run it with the following command:
consul agent -server -bootstrap -config-dir=/etc/consul/conf.d/agent.json -data-dir=/tmp/consul/ -ui -client=0.0.0.0
Here is my agent.json file:
As soon as Consul is running, I run
# consul acl bootstrap
which gives me
Description: Bootstrap Token (Global Management)
Create Time: 2019-05-03 12:41:18.038389106 -0300 -03
00000000-0000-0000-0000-000000000001 - global-management
Then I create a policy and a token to allow all node operations:
# consul acl policy create -name "agent-write-policy" -description "Agent write policy" -rules @agent_write_policy.hcl -token "1e026ae6-8902-eae2-6a18-6b0fb36bbed4"
# consul acl token create -description "agent write token" -policy-name "agent-write-policy" -token "1e026ae6-8902-eae2-6a18-6b0fb36bbed4"
Description: agent write token
Create Time: 2019-05-03 12:30:11.292590345 -0300 -03
0171cfc2-06f3-6702-9c46-df117eb1bd53 - agent-write-policy
Then I go to my second server node and start Consul:
# consul agent -server -data-dir=/tmp/consul -config-dir=/etc/consul/conf.d/agent.json
My agent.json file:
On my second node I run
# consul join 172.20.10.41
Error joining address '172.20.10.41': Unexpected response code: 403 (ACL not found)
Failed to join any nodes.
I also tried adding -token = "" to the join command.
If I disable ACLs on node 2, I can join the cluster, but node/service information is not synchronized:
2019/05/03 12:35:26 [WARN] agent: Node info update blocked by ACLs
2019/05/03 12:35:51 [WARN] agent: Coordinate update blocked by ACLs
What am I doing wrong?
Maybe there are many things that I am doing wrong. If one of you has a beginner's guide for me, I would be very grateful.
Thanks for your time. (And sorry for my bad English.)
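The two symptoms in the post point at the same gap: `consul join` calls the agent's HTTP join endpoint, which is itself ACL-gated (it needs `agent:write`), and the anti-entropy sync that produces the "blocked by ACLs" warnings runs with the agent's own token, so with no agent token configured it runs as the anonymous token and is denied. The following is an added example, not the poster's files and not HashiCorp's own code: a small POSIX shell script that renders the agent policy and an agent.json in the shape the linked guide uses (ACLs enabled, default deny, the agent token persisted, and `retry_join` so the server joins at startup instead of through the ACL-gated `consul join` call), plus the ordered `consul acl` commands. The token values and the bootstrap IP passed in are placeholders; `/etc/consul/conf.d` mirrors the poster's layout.

```shell
#!/bin/sh
# Added example (not from the original post). Renders the agent ACL policy
# and agent.json, and wraps the consul acl commands in the order they must
# run. All token values are caller-supplied placeholders.

# Policy for the agent token: write on its own node (registration,
# coordinate updates) and read on services, as in the linked guide.
render_agent_policy() {
  cat <<'EOF'
node_prefix "" {
  policy = "write"
}
service_prefix "" {
  policy = "read"
}
EOF
}

# agent.json for every server: ACLs on, default deny, agent token persisted,
# and retry_join so the agent joins via gossip at startup.
# $1 = agent token (placeholder), $2 = bootstrap node IP.
render_agent_config() {
  agent_token="$1"
  bootstrap_ip="$2"
  cat <<EOF
{
  "retry_join": ["${bootstrap_ip}"],
  "acl": {
    "enabled": true,
    "default_policy": "deny",
    "enable_token_persistence": true,
    "tokens": {
      "agent": "${agent_token}"
    }
  }
}
EOF
}

# Run once on the bootstrap node after 'consul acl bootstrap'.
# $1 = management token printed by the bootstrap step.
create_agent_policy_and_token() {
  mgmt_token="$1"
  render_agent_policy > agent_write_policy.hcl
  consul acl policy create -name agent-write-policy \
    -description "Agent write policy" \
    -rules @agent_write_policy.hcl -token "$mgmt_token"
  consul acl token create -description "agent write token" \
    -policy-name agent-write-policy -token "$mgmt_token"
}

# Install the agent token on a running agent without a restart
# (equivalent to the tokens.agent entry in agent.json).
# $1 = management token, $2 = agent token (SecretID from the step above).
install_agent_token() {
  mgmt_token="$1"
  agent_token="$2"
  consul acl set-agent-token -token "$mgmt_token" agent "$agent_token"
}

# Write the config file for a server; $1 = agent token, $2 = bootstrap IP,
# $3 = config path (defaults to the poster's layout).
write_agent_config() {
  render_agent_config "$1" "$2" > "${3:-/etc/consul/conf.d/agent.json}"
}
```

Order of operations: bring up node 1 with ACLs enabled, run `consul acl bootstrap`, call `create_agent_policy_and_token` with the management token, then put the resulting SecretID into agent.json on both nodes with `write_agent_config` (or apply it live with `install_agent_token`) before the second server starts. The `default_policy` of deny is what makes a forgotten agent token show up as the 403 and the "blocked by ACLs" warnings rather than silently granting access.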