hashipi

Raspberry Pi Test Cluster for HashiCorp Vault, Nomad and Consul
git clone https://git.in0rdr.ch/hashipi.git

commit 3e0fe47847031156866721df1f33fbc442a01d3d
parent 482416df282f743b336f824e0ab3f500c62501d4
Author: Andreas Gruhler <andreas.gruhler@adfinis.com>
Date:   Wed, 10 Jul 2024 14:07:44 +0200

feat(bao): disable bao on nomad clients

Diffstat:
M README.md        | 26 +++++++++++++-------------
M hashi-pi.pkr.hcl |  1 +
M openbao.sh       | 19 ++++---------------
3 files changed, 18 insertions(+), 28 deletions(-)

diff --git a/README.md b/README.md @@ -1,6 +1,6 @@ # HashiPi -A RaspberryPi test cluster for HashiCorp Vault and Nomad with Consul storage backend. +A RaspberryPi test cluster for HashiCorp Nomad with Consul and OpenBao. ![HashiPi](./img/HashiPi-small.jpg) @@ -11,13 +11,13 @@ For 5 nodes, it is recommended to only have 3 server nodes for Nomad and Consul Example architecture with 5 RaspberyPi nodes: -| Node | RAM | Nomad function | Consul function | -|------|-----|----------------|-----------------| -| 00 | 4GB | client/server | client/server | -| 01 | 4GB | client | client | -| 02 | 4GB | client/server | client/server | -| 03 | 4GB | client | client | -| 04 | 4GB | client/server | client/server | +| Node | RAM | Nomad function | Consul function | Bao function | +|------|-----|----------------|-----------------|--------------| +| 00 | 4GB | client/server | client/server | server | +| 01 | 4GB | client | client | n/a | +| 02 | 4GB | client/server | client/server | server | +| 03 | 4GB | client | client | n/a | +| 04 | 4GB | client/server | client/server | server | For best performance on low power devices, the [`raft_multiplier`](https://developer.hashicorp.com/consul/docs/install/performance) is set to the default value 5 (or higher): 
@@ -64,17 +64,17 @@ Then run the script from the projects root directory to create a new set of cert The script can be run after each flashed Raspberry Pi image to create a fresh set of certificates for "server", "client" and "cli" usage. -### Vault +### OpenBao -To create a new self-signed CA certificate for Vault: +To create a new self-signed CA certificate for Bao: ```bash -# create Vault self-signed CA certificate in ./tls/vault/ +# create bao self-signed CA certificate in ./tls/vault/ ./vault-tls.sh ``` -A new self-signed server certificate is created in the Vault provisioning stage. +A new self-signed server certificate is created in the Bao provisioning stage. -The Packer JSON supports a few arguments for Vault server certificates: +The Packer JSON supports a few arguments for Bao server certificates: ```json "vault_tls_ca_cert": "./tls/vault/ca/vault_ca.pem", "vault_tls_ca_key": "./tls/vault/ca/vault_ca.key", diff --git a/hashi-pi.pkr.hcl b/hashi-pi.pkr.hcl @@ -260,6 +260,7 @@ build { environment_vars = [ "USERNAME=${var.username}", "HOSTNAME=${var.hostname}", + "NOMAD_SERVER=${var.nomad_server}", "VAULT_TLS_CA_CERT=/tmp/vault_ca.pem", "VAULT_TLS_CA_KEY=/tmp/vault_ca.key", "VAULT_TLS_SUBJ_ALT_NAME=${var.vault_tls_subj_alt_name}", diff --git a/openbao.sh b/openbao.sh @@ -88,13 +88,6 @@ storage "raft" { leader_client_key_file = "/opt/openbao/tls/$HOSTNAME.key" } retry_join { - leader_api_addr = "https://pi1.lan:8200" - leader_tls_servername = "vault.in0rdr.ch" - leader_ca_cert_file = "/opt/openbao/tls/$HOSTNAME.pem" - leader_client_cert_file = "/opt/openbao/tls/$HOSTNAME.pem" - leader_client_key_file = "/opt/openbao/tls/$HOSTNAME.key" - } - retry_join { leader_api_addr = "https://pi2.lan:8200" leader_tls_servername = "vault.in0rdr.ch" leader_ca_cert_file = "/opt/openbao/tls/$HOSTNAME.pem" 
@@ -102,13 +95,6 @@ storage "raft" { leader_client_key_file = "/opt/openbao/tls/$HOSTNAME.key" } retry_join { - leader_api_addr = "https://pi3.lan:8200" - leader_tls_servername = "vault.in0rdr.ch" - leader_ca_cert_file = "/opt/openbao/tls/$HOSTNAME.pem" - leader_client_cert_file = "/opt/openbao/tls/$HOSTNAME.pem" - leader_client_key_file = "/opt/openbao/tls/$HOSTNAME.key" - } - retry_join { leader_api_addr = "https://pi4.lan:8200" leader_tls_servername = "vault.in0rdr.ch" leader_ca_cert_file = "/opt/openbao/tls/$HOSTNAME.pem" @@ -130,7 +116,10 @@ echo "VAULT_TOKEN=$VAULT_TRANSIT_TOKEN" > /etc/openbao/openbao.env chmod 640 /etc/openbao/openbao.hcl -systemctl enable openbao +# only enable openbao on the Nomad servers +if [[ "$NOMAD_SERVER" = true ]]; then + systemctl enable openbao +fi # Configure .bashrc cat << EOF >> "/home/${USERNAME}/.bashrc"
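Review bot: In the README table hunk (`@@ -11,13 +11,13 @@`) the new "Bao function" column lists nodes 01 and 03 as `n/a`, but the openbao.sh change in this same commit only skips `systemctl enable openbao` on those nodes; `/etc/openbao/openbao.hcl` and `/etc/openbao/openbao.env` (which carries `VAULT_TOKEN=$VAULT_TRANSIT_TOKEN`) are still written there. Either label those rows "installed, not enabled" or gate the config and token writing on `NOMAD_SERVER` as well, so the table matches what actually lands on the client images.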
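Review bot: Stale wording in the README `### OpenBao` hunk (`@@ -64,17 +64,17 @@`): the sentence still reads "The Packer JSON supports a few arguments", while the build file touched by this very patch is `hashi-pi.pkr.hcl`. The renamed heading also now sits above unchanged Vault-era names (`./vault-tls.sh`, `./tls/vault/`, `vault_tls_ca_cert`, `vault_tls_ca_key`); a one-line remark that the `vault_*` script and variable names are kept on purpose would stop readers from hunting for `bao_*` equivalents.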
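Review bot: In the `hashi-pi.pkr.hcl` hunk, `NOMAD_SERVER=${var.nomad_server}` is interpolated into a string that openbao.sh compares with `[[ "$NOMAD_SERVER" = true ]]`, an exact, case-sensitive match. The patch does not show a `variable "nomad_server"` block; if it is new, declare it with `type = bool` so interpolation yields exactly `true`/`false`, otherwise a free-form value such as `"True"` or `"1"` silently leaves OpenBao disabled on every node, including the intended servers.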
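Review bot: Removing the `pi1.lan` `retry_join` stanza in the first openbao.sh hunk (`@@ -88,13 +88,6 @@`) hard-codes the Raft server set in the config template, separately from the `NOMAD_SERVER` flag that now decides whether the service is enabled; the two can drift the next time the node layout changes. Consider passing one list of server hostnames from Packer and rendering the `retry_join` stanzas from it, so the join targets and the enable decision come from the same source.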
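Review bot: In the second openbao.sh hunk (`@@ -102,13 +95,6 @@`), the `pi3.lan` stanza goes away but the remaining `retry_join` blocks keep `leader_ca_cert_file = "/opt/openbao/tls/$HOSTNAME.pem"`, the same file that is also used as `leader_client_cert_file`. That only verifies the leader's certificate if `$HOSTNAME.pem` is a chain that includes the CA; if it is just the node's own server certificate, point `leader_ca_cert_file` at the CA bundle (the README refers to `./tls/vault/ca/vault_ca.pem`) instead. Worth confirming while the join list is being reworked.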
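Review bot: Logic gap in the `systemctl enable` hunk (`@@ -130,7 +116,10 @@`): the context line `echo "VAULT_TOKEN=$VAULT_TRANSIT_TOKEN" > /etc/openbao/openbao.env` just above the new `if` still runs on every node, so Nomad clients that will never start OpenBao end up with the transit unseal token on disk. Move that env-file write (and the `chmod 640` config it sits next to) under the same `NOMAD_SERVER` check, and give the branch an explicit `else` with `systemctl disable openbao` so the intent is recorded on the image rather than implied by absence. An unset or misspelt `NOMAD_SERVER` also drops silently into the disabled path; a guard like `[[ "$NOMAD_SERVER" =~ ^(true|false)$ ]] || exit 1` before the branch would fail the Packer build instead of producing a cluster with no OpenBao servers.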