Consul

How to use Templates with Consul

Consul Template is a simple and powerful tool that populates values from Consul into the file system. It can also execute commands. Generally, Consul Template runs as a daemon that queries a Consul cluster and updates any number of specified templates on the filesystem. It is widely used for updating service configuration files.

Prerequisite

  1. A Virtual instance server
  2. A root user
  3. Consul installed on the server

Update System

We recommend that you update the system's packages and repositories before installing any new package. Execute the following command to do so.

apt-get update

Install Consul Template

In this guide, we assume that you have already installed Consul on the server and created a Consul cluster. We will now install and use Consul Template; the Consul agent must be running for Consul Template to work. Consul Template is not included in the Consul server package by default, so it has to be downloaded and installed separately. To do so, download the latest Consul Template binary from its official download webpage by executing the following command.

curl -O https://releases.hashicorp.com/consul-template/0.20.0/consul-template_0.20.0_linux_amd64.tgz

Next, extract the downloaded archive using the following command.

tar -zxf consul-template_0.20.0_linux_amd64.tgz

You can also install it locally using Docker if you want. Once you have Docker installed on your system, clone the official Consul Template repository using the following command.

git clone https://github.com/hashicorp/consul-template.git

Next, execute the following command to compile the Consul Template binary.

make dev

Now you have successfully installed Consul Template on your server.

Configuring Consul Template

Consul Template is now installed on your system and ready to use. Here is a sample configuration file for consul-template, config.hcl.

consul {
  address = "localhost:8500"
  retry {
    enabled = true
    attempts = 12
    backoff = "250ms"
  }
  # Sample Consul ACL token; replace it with your own
  token = "w94RIMKUtQH1a4VJGN+t+vn1Y0nErc/ch93E1F1ZcHU="
}
reload_signal = "SIGHUP"
kill_signal = "SIGINT"
max_stale = "10m"
log_level = "warn"
pid_file = "/consul-template/consul-template.pid"
wait {
  min = "5s"
  max = "10s"
}
vault {
  address = "http://localhost:8200"
  # Sample Vault token; replace it with your own
  token = "R/Uf0tYa5YkhPLpNLL807KWJ4ZiJi3clyQEfaMoRSJg"
  renew_token = false
}
deduplicate {
  enabled = true
  # prefix = "consul-template/dedup/"
}
template {
  source      = "./vault/templates/pki/cert.ctmpl"
  destination = "./vault/output/pki/mpatel.yourdomain.com.crt"
  perms = 0400
  left_delimiter  = "{{"
  right_delimiter = "}}"
  wait {
    min = "2s"
    max = "10s"
  }
}
template {
  source      = "./vault/templates/pki/ca.ctmpl"
  destination = "./vault/output/pki/mpatel.yourdomain.com.ca.crt"
}
template {
  source      = "./vault/templates/pki/key.ctmpl"
  destination = "./vault/output/pki/mpatel.yourdomain.com.key"
  # Private key: owner read-only (a new file is otherwise created as 0644)
  perms = 0400
}

In the above configuration file, replace the Consul address, Vault address, Consul token, Vault token, source template paths and output file paths with your actual values. Now you can run Consul Template using the following command.

./consul-template -config config.hcl
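
The following is an added example, not part of the original guide: a small Python check that reads a config.hcl like the one above and reports Consul or Vault tokens stored inline, and template destinations ending in .key that are not limited to owner-only permissions. The sample config, its placeholder tokens and the function names (stanzas, setting, audit) are constructed for illustration, and only # comments are handled.

```python
import re
# Constructed sample: a trimmed config.hcl in the shape shown above, placeholder tokens.
SAMPLE = '''
consul {
  token = "PLACEHOLDER-CONSUL-TOKEN"
}
vault {
  token = "PLACEHOLDER-VAULT-TOKEN"
  renew_token = false
}
template {
  destination = "./vault/output/pki/mpatel.yourdomain.com.crt"
  perms = 0400
  left_delimiter = "{{"
}
template {
  destination = "./vault/output/pki/mpatel.yourdomain.com.key"
}
'''
# Quoted strings and # comments are skipped, so braces inside "{{" are not counted.
TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|#[^\n]*|[{}]')
def stanzas(text, name):
    """Yield the body of every `name { ... }` stanza that starts a line."""
    for m in re.finditer(r'^[ \t]*' + re.escape(name) + r'[ \t]*\{', text, re.M):
        depth = 1
        for t in TOKEN.finditer(text, m.end()):
            depth += {'{': 1, '}': -1}.get(t.group(), 0)
            if depth == 0:
                yield text[m.end():t.start()]
                break

def setting(body, key):
    """Return the value of a `key = value` line in a stanza body, or None."""
    m = re.search(r'^[ \t]*' + re.escape(key) + r'[ \t]*=[ \t]*"?([^"\n#]*)', body, re.M)
    return m.group(1).strip() if m else None

def audit(text):
    """Hypothetical check: inline tokens and key files without owner-only perms."""
    findings = []
    for name in ('consul', 'vault'):
        if any(setting(b, 'token') for b in stanzas(text, name)):
            findings.append(f'{name}: token is stored inline in the config file')
    for body in stanzas(text, 'template'):
        dest, perms = setting(body, 'destination') or '', setting(body, 'perms')
        if dest.endswith('.key') and (perms is None or int(perms, 8) & 0o077):
            findings.append(f'{dest}: perms {perms or "unset (0644 for a new file)"}')
    return findings
if __name__ == '__main__':
    print('\n'.join(audit(SAMPLE)))
```

Both tokens can be supplied through the CONSUL_HTTP_TOKEN and VAULT_TOKEN environment variables instead, which keeps them out of the file.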

Creating Certificates dynamically with Vault

Vault is a widely known open source tool for managing secret data. Here, we will see another use of Consul Template: creating certificates dynamically with Vault. Consul Template can run more than one template. In order to create certificates programmatically, you will need the three templates given below.

  1. ca.ctmpl
{{- /* ./vault/templates/ca.ctmpl */ -}}
{{ with secret "pki-int/issue/cert-generator" "common_name=YourDomain.com" }}
{{ .Data.issuing_ca }}{{ end }}
  2. cert.ctmpl
{{- /* ./vault/templates/cert.ctmpl */ -}}
{{ with secret "pki-int/issue/cert-generator" "common_name=YourDomain.com" }}
{{ .Data.certificate }}{{ end }}
  3. key.ctmpl
{{- /* ./vault/templates/key.ctmpl */ -}}
{{ with secret "pki-int/issue/cert-generator" "common_name=YourDomain.com" }}
{{ .Data.private_key }}{{ end }}

Please don’t forget to replace YourDomain.com with your actual domain. The above are three different input templates, but they are compressed into a single API call when they run under the same consul-template process. Once the templates and the configuration are ready, you can create certificates dynamically using the following command.

./consul-template -config config.hcl

You can also use Consul Template to discover all the services running in your Consul cluster. To do so, create a template saved as all-services.tpl.

all-services.tpl
{{range services}}# {{.Name}}{{range service .Name}}
{{.Address}}{{end}}
{{end}}

Once you have created the template, you need to run it. This time we specify only the template file on the command line. Execute the following command to run the template.

consul-template -template="all-services.tpl:all-services.txt" -once

We used the -once flag in the above command so that the process runs once and then quits automatically. You will see the following output for the running services:

# consul
35.75.121.88

# redis
35.75.86.171
35.75.109.224
35.75.59.65

# web
192.168.86.205
192.168.109.224
192.168.59.110

Conclusion

In this guide, you have learned how to install and set up Consul Template on your server. You can now use Consul Template to perform various operations on your applications. We hope you now have enough knowledge to work with Consul Template.

About the author

Sajid Qureshi

I am Sajid Qureshi. I live in India and work as a DevOps Engineer and technical writer. A passionate engineer who is still learning something new every day. I enjoy exploring the world of Linux system administration and installing, configuring and managing open source applications technology.