[T&C] Automate Application Delivery Operation Tasks with A10 and HashiCorp NIA
This article describes how to integrate Thunder ADC with the HashiCorp Network Infrastructure Automation (NIA) solution, which focuses on automating Day-2 networking tasks and can reduce the burden that manual ticketing systems place on operators.
This solution consists of four components: HashiCorp Terraform, Consul, Consul-Terraform-Sync (CTS) and A10 Thunder ADC. CTS is a tool that tracks and monitors service status via the Consul service catalog and dynamically pushes changes (e.g., a service node added to or deleted from the service list) to your network infrastructure using Terraform.
Prerequisites
- You should have a basic understanding of and experience with HashiCorp Consul, Terraform and A10 Thunder ADC
- Run Consul to monitor the web servers
- A single Consul datacenter with two or more agent nodes hosting the services to be monitored and discovered.
- Run the Consul agent on the web servers and register services (e.g., HTTP port 80)
- Download and install Consul-Terraform-Sync
- Refer to the Consul Setup section in Automated Service Discovery using HashiCorp Consul
- Refer to the Consul tutorials for more details on Consul setup and operation
- Topology
- Two (or more) standard web servers running web (HTTP) service on port 80
- Set up Thunder ADC with minimal SLB configuration
- Thunder ADC (virtual, container, bare metal or hardware) running ACOS version 4.1.4-GR1-P3 / 5.2.x or above
- Configure the system, network interfaces and routing via CLI, GUI or API. Terraform with the A10 Thunder provider can be used instead.
- Get vThunder free trial
Original Thunder ADC Configuration
Currently the Thunder ADC has 1 virtual server (VIP 10.64.4.111) associated with 2 active web servers (192.168.0.10 and .11).
vThunder#show slb virtual-server bind
Total Number of Virtual Services configured: 1
---------------------------------------------------------------------------------
*Virtual Server :vip-web80 10.64.4.111 All Up
+port 80 http ====>web80 State :All Up
+192.168.0.10:80 192.168.0.10 State :Up
+192.168.0.11:80 192.168.0.11 State :Up
Note: For the Thunder ADC and NIA integration to work, you need at least the following slb configuration as a starting point.
vThunder#show running-config slb
slb service-group web80 tcp
!
slb virtual-server vip-web80 10.64.4.111
  port 80 http
    source-nat auto
    service-group web80
Consul-Terraform-Sync
After installing CTS, you define a set of tasks for CTS to execute whenever a service is registered or removed in Consul. As shown in the sample below, the HCL configuration file for CTS contains several blocks such as driver, terraform provider, consul and task.
The driver block defines all Terraform providers required to execute the task. In this case, source = a10networks/thunder is listed. The terraform provider block specifies the options and variables used to interface with network infrastructure such as an ADC. The example below includes the IP address of the A10 Thunder ADC, an alias, and login credentials.
Note: For security’s sake, you may want to keep the login credentials out of the configuration file and load them dynamically via the shell environment (Env), Consul KV or Vault.
The task block configures which task to run automatically for the selected services. The task is named slb_auto_config, and services is the list of logical service names, which should match the service name(s) registered in the Consul catalog. The providers field lists the network infrastructure (e.g., Thunder ADC) with its alias (if applicable). The source field specifies the path to the Thunder Terraform module defined for CTS, which allows the Thunder ADC configuration (e.g., SLB server and SLB service group) to be managed dynamically for the services monitored in the Consul catalog.
$ cat tasks.hcl
log_level = "info"
driver "terraform" {
  log = true
  required_providers {
    thunder = {
      source = "a10networks/thunder"
      version = "0.4.14"
    }
  }
}
terraform_provider "thunder" {
  address = "10.64.4.104"
  username = "{{ env \"THUNDER_USER\" }}"
  password = "{{ env \"THUNDER_PASSWORD\" }}"
  alias = "adc-1"
}
consul {
  address = "192.168.0.201:8500"
}
task {
  name = "slb_auto_config"
  description = "Automate SLB Config on A10 Thunder"
  source = "a10networks/service-group-sync-nia/thunder"
  providers = ["thunder.adc-1"]
  services = ["web80"]
  variable_files = []
}
Note: For more detail on the configuration, refer to Consul NIA Configuration.
Note: For more detail on the Terraform NIA module for A10 Thunder, refer to the Terraform Registry or GitHub.
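The note about keeping login credentials out of the configuration file can be enforced before CTS is started. The following is an added example, not code from A10 or HashiCorp: a line-based check (not a full HCL parser) that reports username or password attributes written as literals inside a terraform_provider block. The function name, the sample literals and the assumption that each block opens on its own line are illustrative; the `env`, `key` and `with secret` template calls correspond to the Env, Consul KV and Vault options named above.

```python
import re

# Template calls that CTS resolves at run time: shell env, Consul KV, Vault.
DYNAMIC = re.compile(r'\{\{\s*(env|key|with\s+secret)\b')
STRING = re.compile(r'"(?:[^"\\]|\\.)*"')
BLOCK_START = re.compile(r'^\s*terraform_provider\s+"([^"]+)"\s*\{')
ASSIGN = re.compile(r'^\s*(\w+)\s*=\s*"((?:[^"\\]|\\.)*)"')
SENSITIVE = {"username", "password"}  # attributes used in the page's provider block


def find_static_credentials(hcl_text):
    """Return (provider, attribute, line_no) for credentials stored as literals."""
    findings, provider, depth = [], None, 0
    for line_no, line in enumerate(hcl_text.splitlines(), 1):
        if provider is None:
            start = BLOCK_START.match(line)
            if start:
                provider, depth = start.group(1), 1
            continue
        attr = ASSIGN.match(line)
        if attr and attr.group(1) in SENSITIVE and not DYNAMIC.search(attr.group(2)):
            findings.append((provider, attr.group(1), line_no))
        bare = STRING.sub('""', line)  # braces inside quoted values are not block braces
        depth += bare.count("{") - bare.count("}")
        if depth <= 0:
            provider = None
    return findings


# Provider block as written on this page: credentials come from the environment.
FROM_PAGE = r'''terraform_provider "thunder" {
  address = "10.64.4.104"
  username = "{{ env \"THUNDER_USER\" }}"
  password = "{{ env \"THUNDER_PASSWORD\" }}"
  alias = "adc-1"
}
'''

# Constructed counter-example: the same block with literal (made-up) credentials.
HARDCODED = r'''terraform_provider "thunder" {
  address = "10.64.4.104"
  username = "devops"
  password = "constructed-example-value"
  alias = "adc-1"
}
'''

if __name__ == "__main__":
    for name, text in (("FROM_PAGE", FROM_PAGE), ("HARDCODED", HARDCODED)):
        print(name, find_static_credentials(text))
```

Running it against tasks.hcl in a pre-commit hook or CI job keeps a literal credential from reaching the repository that holds the CTS configuration.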
Run Consul-Terraform-Sync
$ consul-terraform-sync -config-file=tasks.hcl
Once CTS is started by running consul-terraform-sync -config-file=tasks.hcl, it downloads and installs the Terraform providers and modules listed in the HCL config file, creates the TF files for the defined tasks, and connects to Consul.
$ ls
tasks.hcl
$ consul-terraform-sync -config-file=tasks.hcl
2021/04/10 06:40:12.364475 [INFO] v0.1.0 (354ce7a)
2021/04/10 06:40:12.365844 [INFO] (driver.terraform) installing terraform to path '/root/nia'
2021/04/10 06:40:16.009060 [INFO] (driver.terraform) successfully installed terraform
2021/04/10 06:40:16.009118 [INFO] (ctrl) initializing Consul client and testing connection
2021/04/10 06:40:16.012301 [INFO] (cli) initializing controller
2021/04/10 06:40:16.012357 [INFO] (ctrl) initializing driver
2021/04/10 06:40:16.012513 [INFO] (templates.hcltmpl) evaluating dynamic configuration for "thunder"
2021/04/10 06:40:16.013164 [INFO] (ctrl) initializing all tasks
2021/04/10 06:40:16.013605 [INFO] (driver.terraform) retrieved 0 Terraform handlers for task 'slb_auto_config'
:
Terraform has been successfully initialized!
2021/04/10 06:40:20.512676 [INFO] running Terraform command: /root/nia/terraform workspace select -no-color slb_auto_config
Switched to workspace "slb_auto_config".
2021/04/10 06:40:20.853882 [INFO] running Terraform command: /root/nia/terraform apply -no-color -auto-approve -input=false -var-file=terraform.tfvars -var-file=providers.tfvars -lock=true -parallelism=10 -refresh=true
module.slb_auto_config.thunder_service_group.service-group["web80"]: Refreshing state... [id=web80]
Apply complete! Resources: 0 added, 0 changed, 0 destroyed.
2021/04/10 06:40:22.636456 [INFO] (ctrl) task completed slb_auto_config
2021/04/10 06:40:22.637694 [INFO] (ctrl) all tasks completed once
2021/04/10 06:40:22.637722 [INFO] (cli) running controller in daemon mode
2021/04/10 06:40:22.638563 [INFO] (api) starting server at '8558'
:
$ ls
sync-tasks tasks.hcl terraform
$ ls sync-tasks/slb_auto_config/
main.tf providers.tfvars terraform.tfvars terraform.tfvars.tmpl thunder.log variables.tf
$ curl localhost:8558/v1/status/tasks
{"slb_auto_config":{"task_name":"slb_auto_config","status":"successful","enabled":true,"providers":["thunder"],"services":["web80"],"events_url":"/v1/status/tasks/slb_auto_config?include=events"}}
During initialization, CTS attempts to log in to the Thunder ADC (provider) and checks for the presence of the service-group “web80” (services), as shown in the Thunder ADC audit log.
vThunder#show audit
Apr 10 2021 07:44:58 [devops] axapi: [28:10.64.4.201:46114] RESP HTTP status 200 OK
Apr 10 2021 07:44:58 [devops] axapi: [28:10.64.4.201:46114] GET: /axapi/v3/slb/service-group/web80
Apr 10 2021 07:44:58 [devops] axapi: [28:10.64.4.201:46112] RESP HTTP status 200 OK
Apr 10 2021 07:44:58 [devops] axapi: [28:10.64.4.201:46112] POST: /axapi/v3/auth
Apr 10 2021 07:44:58 A aXAPI session[28] opened, username: devops, remote host: 10.64.4.201
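Because the automation account's aXAPI calls appear in the audit log in a fixed format, the log can be reviewed for use of that account outside the CTS task. The following is an added example, not part of the original article or of A10's tooling: it parses request lines in the format shown above and reports calls by the account that come from a host other than the CTS host or that touch paths outside an allowlist. The function name, the allowlist values and the last three sample lines are assumptions constructed for illustration.

```python
import re

# One aXAPI request line in the format of the `show audit` output above.
REQUEST = re.compile(
    r'^(?P<ts>\w{3} \d{1,2} \d{4} [\d:]{8}) \[(?P<user>[^\]]+)\] axapi: '
    r'\[(?P<sid>\d+):(?P<ip>[\d.]+):\d+\] '
    r'(?P<method>GET|POST|PUT|DELETE): (?P<path>\S+)')


def review_audit(lines, account, cts_hosts, allowed_prefixes):
    """Return (timestamp, reason, method, path, source_ip) for requests made
    with `account` that fall outside what the CTS task is expected to do."""
    findings = []
    for line in lines:
        m = REQUEST.match(line.strip())
        if not m or m["user"] != account:
            continue  # RESP lines, session lines and other accounts are skipped
        reasons = []
        if m["ip"] not in cts_hosts:
            reasons.append("unexpected source host")
        if not m["path"].startswith(tuple(allowed_prefixes)):
            reasons.append("path outside task scope")
        for reason in reasons:
            findings.append((m["ts"], reason, m["method"], m["path"], m["ip"]))
    return findings


# First four lines are from the audit log above; the last three are constructed.
SAMPLE = """\
Apr 10 2021 07:44:58 [devops] axapi: [28:10.64.4.201:46114] RESP HTTP status 200 OK
Apr 10 2021 07:44:58 [devops] axapi: [28:10.64.4.201:46114] GET: /axapi/v3/slb/service-group/web80
Apr 10 2021 07:44:58 [devops] axapi: [28:10.64.4.201:46112] POST: /axapi/v3/auth
Apr 10 2021 07:44:58 A aXAPI session[28] opened, username: devops, remote host: 10.64.4.201
Apr 10 2021 09:15:02 [devops] axapi: [31:10.64.4.77:51020] GET: /axapi/v3/slb/service-group/web80
Apr 10 2021 09:20:41 [devops] axapi: [32:10.64.4.201:46200] POST: /axapi/v3/example-other-object
Apr 10 2021 09:21:00 [operator1] axapi: [33:10.64.4.50:40000] GET: /axapi/v3/slb/server
""".splitlines()

# Assumed policy: the account is used only from the CTS host seen in the log
# above, and only for authentication and SLB objects.
FINDINGS = review_audit(SAMPLE, "devops", {"10.64.4.201"},
                        ["/axapi/v3/auth", "/axapi/v3/slb/"])

if __name__ == "__main__":
    for finding in FINDINGS:
        print(finding)
```

The allowlist should be extended with whatever other aXAPI paths the provider is observed to call in your own audit log before findings are treated as alerts.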
NIA In Action
Now, let’s add a new server (S3: 192.168.0.12) with a service (port 80) and reload Consul on the server.
$ cat /etc/consul.d/web.json
{"services": {
  "name": "web80",
  "id": "web80-s3",
  "tags": ["web-s1"],
  "address": "192.168.0.12",
  "port": 80,
  "check": {
    "http": "http://localhost:80/",
    "interval": "15s"
  }
}}
$ consul reload
Configuration reload triggered
Consul picks up this change and updates the service catalog, after which CTS executes the task slb_auto_config. In this process, CTS uses Terraform to automatically create a new slb server on the Thunder ADC and add it to the service-group named web80.
2021/04/10 07:12:14.768063 [INFO] (ctrl) executing task slb_auto_config
2021/04/10 07:12:14.768147 [INFO] running Terraform command: /root/nia/terraform apply -no-color -auto-approve -input=false -var-file=terraform.tfvars -var-file=providers.tfvars -lock=true -parallelism=10 -refresh=true
module.slb_auto_config.thunder_service_group.service-group["web80"]: Refreshing state... [id=web80]
module.slb_auto_config.thunder_service_group.service-group["web80"]: Modifying... [id=web80]
module.slb_auto_config.thunder_service_group.service-group["web80"]: Modifications complete after 1s [id=web80]
Apply complete! Resources: 0 added, 1 changed, 0 destroyed.
2021/04/10 07:12:16.605068 [INFO] (ctrl) task completed slb_auto_config
On vThunder ADC, a new server 192.168.0.12 was successfully added with service port 80 as shown below.
vThunder#show slb virtual-server bind
Total Number of Virtual Services configured: 1
---------------------------------------------------------------------------------
*Virtual Server :vip-web80 10.64.4.111 All Up
+port 80 http ====>web80 State :All Up
+192.168.0.10:80 192.168.0.10 State :Up
+192.168.0.11:80 192.168.0.11 State :Up
+192.168.0.12:80 192.168.0.12 State :Up /* <<< Newly Added by CTS*/
vThunder#diff startup-config running-config | section slb
slb server 192.168.0.10 192.168.0.10 (
port 80 tcp (
slb server 192.168.0.11 192.168.0.11 (
port 80 tcp (
> slb server 192.168.0.12 192.168.0.12
> port 80 tcp
> !
slb service-group web80 tcp (
member 192.168.0.10 80 (
member 192.168.0.11 80 (
> member 192.168.0.12 80
slb virtual-server vip-web80 10.64.4.111 (
port 80 http (
source-nat auto (
service-group web80 (
Even if more services are added, Thunder ADC’s SLB configuration is automatically updated accordingly.
Learn More
Webinar with Demo: Automating Network Infrastructure Tasks with A10 and HashiCorp
Tech Talk: A10 & HashiCorp Network Infrastructure Automation with Consul-Terraform-Sync