boulder/test/consul/config.hcl


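# Keep this file in sync with the ports bound in test/startservers.py
#
# Test-only agent configuration. client_addr binds the agent's client
# interfaces (including the HTTP API and DNS) to every address on the host, the
# UI is enabled, and no acl block is visible in this file, so this agent should
# only ever run on an isolated test network.
client_addr = "0.0.0.0"
bind_addr   = "10.55.55.10"
log_level   = "ERROR"

// When set, uses a subset of the agent's TLS configuration (key_file,
// cert_file, ca_file, ca_path, and server_name) to set up the client for HTTP
// or gRPC health checks. This allows services requiring 2-way TLS to be checked
// using the agent's credentials.
enable_agent_tls_for_checks = true

tls {
  defaults {
    // Trust anchor for verifying peers. ca_path is deliberately not set: it
    // expects a directory of CA certificates, and it was previously pointed at
    // test/certs/ipki/minica-key.pem, the CA's private key, which the agent
    // has no reason to read.
    ca_file   = "test/certs/ipki/minica.pem"
    cert_file = "test/certs/ipki/consul.boulder/cert.pem"
    key_file  = "test/certs/ipki/consul.boulder/key.pem"

    // Incoming connections are not required to present a client certificate.
    // Acceptable for the test environment only.
    verify_incoming = false
  }
}

// The web UI is served on the agent's HTTP interface, which client_addr
// exposes on all addresses.
ui_config {
  enabled = true
}

ports {
  // Consul's DNS interface is moved from its default of 8600 to the standard
  // DNS port so that clients can use the agent as a plain resolver.
  dns      = 53
  grpc_tls = 8503
}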
services {
  id      = "akamai-purger-a"
  name    = "akamai-purger"
  address = "10.77.77.77"
  port    = 9399
  // The "tcp" tag is required for SRV RR support in gRPC DNS resolution.
  tags = ["tcp"]
}

services {
  id      = "email-exporter-a"
  name    = "email-exporter"
  address = "10.77.77.77"
  port    = 9603
  // The "tcp" tag is required for SRV RR support in gRPC DNS resolution.
  tags = ["tcp"]
}
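// Registered once: a Consul service ID must be unique on an agent, so a second
// stanza with the same id "boulder-a" adds nothing. This entry carries no port
// or tags, so it only provides an address for the name "boulder".
services {
  id      = "boulder-a"
  name    = "boulder"
  address = "10.77.77.77"
}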
// Two instances (a/b) share the service name "ca", so a lookup of that name
// returns both backends.
services {
  id      = "ca-a"
  name    = "ca"
  address = "10.77.77.77"
  port    = 9393
  // The "tcp" tag is required for SRV RR support in gRPC DNS resolution.
  tags = ["tcp"]
}

services {
  id      = "ca-b"
  name    = "ca"
  address = "10.77.77.77"
  port    = 9493
  // The "tcp" tag is required for SRV RR support in gRPC DNS resolution.
  tags = ["tcp"]
}

services {
  id      = "crl-storer-a"
  name    = "crl-storer"
  address = "10.77.77.77"
  port    = 9309
  // The "tcp" tag is required for SRV RR support in gRPC DNS resolution.
  tags = ["tcp"]
}
// Plain DNS backends; these are the only entries tagged "udp".
services {
  id      = "dns-a"
  name    = "dns"
  address = "10.77.77.77"
  port    = 8053
  // The "udp" tag is required for SRV RR support in VA RVA.
  tags = ["udp"]
}

services {
  id      = "dns-b"
  name    = "dns"
  address = "10.77.77.77"
  port    = 8054
  // The "udp" tag is required for SRV RR support in VA RVA.
  tags = ["udp"]
}

// "doh" backends, presumably DNS-over-HTTPS; tagged "tcp" like the gRPC
// services.
services {
  id      = "doh-a"
  name    = "doh"
  address = "10.77.77.77"
  port    = 8343
  tags    = ["tcp"]
}

services {
  id      = "doh-b"
  name    = "doh"
  address = "10.77.77.77"
  port    = 8443
  tags    = ["tcp"]
}
# Unlike most components, we have two completely independent nonce services,
# simulating two sets of nonce servers running in two different datacenters:
# taro and zinc. They are registered under separate service names, so a lookup
# of one name never returns the other datacenter's backends.
services {
  id      = "nonce-taro-a"
  name    = "nonce-taro"
  address = "10.77.77.77"
  port    = 9301
  // The "tcp" tag is required for SRV RR support in gRPC DNS resolution.
  tags = ["tcp"]
}

services {
  id      = "nonce-taro-b"
  name    = "nonce-taro"
  address = "10.77.77.77"
  port    = 9501
  // The "tcp" tag is required for SRV RR support in gRPC DNS resolution.
  tags = ["tcp"]
}

# zinc has a single instance.
services {
  id      = "nonce-zinc"
  name    = "nonce-zinc"
  address = "10.77.77.77"
  port    = 9401
  // The "tcp" tag is required for SRV RR support in gRPC DNS resolution.
  tags = ["tcp"]
}
services {
  id      = "publisher-a"
  name    = "publisher"
  address = "10.77.77.77"
  port    = 9391
  // The "tcp" tag is required for SRV RR support in gRPC DNS resolution.
  tags = ["tcp"]
}

services {
  id      = "publisher-b"
  name    = "publisher"
  address = "10.77.77.77"
  port    = 9491
  // The "tcp" tag is required for SRV RR support in gRPC DNS resolution.
  tags = ["tcp"]
}

services {
  id      = "ra-sct-provider-a"
  name    = "ra-sct-provider"
  address = "10.77.77.77"
  port    = 9594
  // The "tcp" tag is required for SRV RR support in gRPC DNS resolution.
  tags = ["tcp"]
}

services {
  id      = "ra-sct-provider-b"
  name    = "ra-sct-provider"
  address = "10.77.77.77"
  port    = 9694
  // The "tcp" tag is required for SRV RR support in gRPC DNS resolution.
  tags = ["tcp"]
}
services {
  id      = "ra-a"
  name    = "ra"
  address = "10.77.77.77"
  port    = 9394
  // The "tcp" tag is required for SRV RR support in gRPC DNS resolution.
  tags = ["tcp"]
}

services {
  id      = "ra-b"
  name    = "ra"
  address = "10.77.77.77"
  port    = 9494
  // The "tcp" tag is required for SRV RR support in gRPC DNS resolution.
  tags = ["tcp"]
}

// rva1 has three instances (a, b, c).
services {
  id      = "rva1-a"
  name    = "rva1"
  address = "10.77.77.77"
  port    = 9397
  // The "tcp" tag is required for SRV RR support in gRPC DNS resolution.
  tags = ["tcp"]
}

services {
  id      = "rva1-b"
  name    = "rva1"
  address = "10.77.77.77"
  port    = 9498
  // The "tcp" tag is required for SRV RR support in gRPC DNS resolution.
  tags = ["tcp"]
}

services {
  id      = "rva1-c"
  name    = "rva1"
  address = "10.77.77.77"
  port    = 9499
  // The "tcp" tag is required for SRV RR support in gRPC DNS resolution.
  tags = ["tcp"]
}

# TODO(#5294) Remove rva2-a/b in favor of rva1-a/b
services {
  id      = "rva2-a"
  name    = "rva2"
  address = "10.77.77.77"
  port    = 9897
  // The "tcp" tag is required for SRV RR support in gRPC DNS resolution.
  tags = ["tcp"]
}

services {
  id      = "rva2-b"
  name    = "rva2"
  address = "10.77.77.77"
  port    = 9998
  // The "tcp" tag is required for SRV RR support in gRPC DNS resolution.
  tags = ["tcp"]
}
// sa-a is health-checked over gRPC with TLS. Every check verifies the server
// certificate (tls_skip_verify = false) against the name "sa.boulder"; with
// enable_agent_tls_for_checks set, the agent's own certificate and CA settings
// are used for the connection.
services {
  id      = "sa-a"
  name    = "sa"
  address = "10.77.77.77"
  port    = 9395
  // The "tcp" tag is required for SRV RR support in gRPC DNS resolution.
  tags = ["tcp"]

  checks = [
    // Whole-server health: no service name after the port.
    {
      id              = "sa-a-grpc"
      name            = "sa-a-grpc"
      grpc            = "10.77.77.77:9395"
      grpc_use_tls    = true
      tls_server_name = "sa.boulder"
      tls_skip_verify = false
      interval        = "2s"
    },
    // Health of the sa.StorageAuthority gRPC service.
    {
      id              = "sa-a-grpc-sa"
      name            = "sa-a-grpc-sa"
      grpc            = "10.77.77.77:9395/sa.StorageAuthority"
      grpc_use_tls    = true
      tls_server_name = "sa.boulder"
      tls_skip_verify = false
      interval        = "2s"
    },
    // Health of the sa.StorageAuthorityReadOnly gRPC service.
    {
      id              = "sa-a-grpc-saro"
      name            = "sa-a-grpc-saro"
      grpc            = "10.77.77.77:9395/sa.StorageAuthorityReadOnly"
      grpc_use_tls    = true
      tls_server_name = "sa.boulder"
      tls_skip_verify = false
      interval        = "2s"
    }
  ]
}
// sa-b is health-checked over gRPC with TLS. Every check verifies the server
// certificate (tls_skip_verify = false) against the name "sa.boulder".
services {
  id      = "sa-b"
  name    = "sa"
  address = "10.77.77.77"
  port    = 9495
  // The "tcp" tag is required for SRV RR support in gRPC DNS resolution.
  tags = ["tcp"]

  checks = [
    // Whole-server health: no service name after the port.
    {
      id              = "sa-b-grpc"
      name            = "sa-b-grpc"
      grpc            = "10.77.77.77:9495"
      grpc_use_tls    = true
      tls_server_name = "sa.boulder"
      tls_skip_verify = false
      interval        = "2s"
    },
    // Health of the sa.StorageAuthority gRPC service.
    {
      id              = "sa-b-grpc-sa"
      name            = "sa-b-grpc-sa"
      grpc            = "10.77.77.77:9495/sa.StorageAuthority"
      grpc_use_tls    = true
      tls_server_name = "sa.boulder"
      tls_skip_verify = false
      interval        = "2s"
    },
    // Health of the sa.StorageAuthorityReadOnly gRPC service.
    {
      id              = "sa-b-grpc-saro"
      name            = "sa-b-grpc-saro"
      grpc            = "10.77.77.77:9495/sa.StorageAuthorityReadOnly"
      grpc_use_tls    = true
      tls_server_name = "sa.boulder"
      tls_skip_verify = false
      interval        = "2s"
    }
  ]
}
services {
  id      = "va-a"
  name    = "va"
  address = "10.77.77.77"
  port    = 9392
  // The "tcp" tag is required for SRV RR support in gRPC DNS resolution.
  tags = ["tcp"]
}

services {
  id      = "va-b"
  name    = "va"
  address = "10.77.77.77"
  port    = 9492
  // The "tcp" tag is required for SRV RR support in gRPC DNS resolution.
  tags = ["tcp"]
}

// The rate-limit Redis backends are on different addresses from the Boulder
// services above and share one port.
services {
  id      = "bredis3"
  name    = "redisratelimits"
  address = "10.33.33.4"
  port    = 4218
  // The "tcp" tag is required for SRV RR support in DNS resolution.
  tags = ["tcp"]
}

services {
  id      = "bredis4"
  name    = "redisratelimits"
  address = "10.33.33.5"
  port    = 4218
  // The "tcp" tag is required for SRV RR support in DNS resolution.
  tags = ["tcp"]
}
//
// The following services are used for testing the gRPC DNS resolver in
// test/integration/srv_resolver_test.go and
// test/integration/testdata/srv-resolver-config.json.
//
// CaseOne config will have 2 SRV records. The first will have 0 backends, the
// second will have 1.
services {
  id      = "case1a"
  name    = "case1a"
  address = "10.77.77.77"
  port    = 9301
  // The "tcp" tag is required for SRV RR support in gRPC DNS resolution.
  tags = ["tcp"]

  // This check exists to fail, which is what leaves case1a with 0 backends.
  // Presumably nothing listens on localhost:12345 in the test environment.
  checks = [
    {
      id       = "case1a-failing"
      name     = "case1a-failing"
      http     = "http://localhost:12345"
      method   = "GET"
      interval = "2s"
    }
  ]
}

// No checks here, so case1b supplies the single backend.
services {
  id      = "case1b"
  name    = "case1b"
  address = "10.77.77.77"
  port    = 9401
  // The "tcp" tag is required for SRV RR support in gRPC DNS resolution.
  tags = ["tcp"]
}
// CaseTwo config will have 2 SRV records. The first will not be configured in
// Consul, the second will have 1 backend. That is why only case2b is
// registered here and there is no case2a entry.
services {
  id      = "case2b"
  name    = "case2b"
  address = "10.77.77.77"
  port    = 9401
  // The "tcp" tag is required for SRV RR support in gRPC DNS resolution.
  tags = ["tcp"]
}
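// CaseThree config will have 2 SRV records. Neither will be configured in
// Consul, so there are no case3 entries in this file.
//
// CaseFour config will have 2 SRV records. Neither will have backends.
services {
  id      = "case4a"
  name    = "case4a"
  address = "10.77.77.77"
  port    = 9301
  // The "tcp" tag is required for SRV RR support in gRPC DNS resolution.
  // Set exactly once: repeating the attribute inside one stanza is at best
  // redundant and may be rejected or merged, depending on the parser.
  tags = ["tcp"]

  // This check exists to fail, which is what leaves case4a with no backends.
  // Presumably nothing listens on localhost:12345 in the test environment.
  checks = [
    {
      id       = "case4a-failing"
      name     = "case4a-failing"
      http     = "http://localhost:12345"
      method   = "GET"
      interval = "2s"
    }
  ]
}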
services {
  id      = "case4b"
  name    = "case4b"
  address = "10.77.77.77"
  port    = 9401
  // The "tcp" tag is required for SRV RR support in gRPC DNS resolution.
  tags = ["tcp"]

  // This check exists to fail, which is what leaves case4b with no backends.
  // Presumably nothing listens on localhost:12345 in the test environment.
  checks = [
    {
      id       = "case4b-failing"
      name     = "case4b-failing"
      http     = "http://localhost:12345"
      method   = "GET"
      interval = "2s"
    }
  ]
}