2023-07-05 15:28:07 +02:00
|
|
|
#!/usr/bin/env bash
|
|
|
|
|
|
|
|
# Print current environnement
|
|
|
|
current_env(){
|
2023-07-11 21:39:23 +02:00
|
|
|
if [ -z "${CTCTL_DOMAIN}" ]; then
|
2023-07-05 15:28:07 +02:00
|
|
|
echo "Unknown container domain"
|
|
|
|
kill -INT $$
|
|
|
|
fi
|
2023-07-11 21:39:23 +02:00
|
|
|
echo "${CTCTL_DOMAIN}"
|
|
|
|
if [ -z "${CTCTL_ENV}" ]; then
|
2023-07-05 15:28:07 +02:00
|
|
|
echo "Unknown container environment"
|
|
|
|
fi
|
|
|
|
}
|
|
|
|
|
|
|
|
check_env() {
|
2023-07-11 21:39:23 +02:00
|
|
|
if [ -n "${CTCTL_DOMAIN}" -a -n "${CTCTL_ENV}" ]; then
|
2023-07-05 15:28:07 +02:00
|
|
|
echo 1
|
|
|
|
else
|
|
|
|
echo 0
|
|
|
|
fi
|
|
|
|
}
|
|
|
|
|
|
|
|
# Switch to a target environment (either from no current, or from another current env)
|
|
|
|
switch_env(){
|
|
|
|
TARGET_DOM=$1
|
|
|
|
TARGET_ENV=$2
|
2023-07-11 22:10:52 +02:00
|
|
|
|
2023-07-05 15:28:07 +02:00
|
|
|
if [ -z "${TARGET_DOM}" ]; then
|
2023-07-11 22:10:52 +02:00
|
|
|
echo "Select the container install you want to work on"
|
|
|
|
select T_DOM in $(ls_env); do
|
|
|
|
if [ "${REPLY}" -ge 1 ] && [ "${REPLY}" -le $(ls_env | wc -w) ]; then
|
|
|
|
TARGET_DOM=${T_DOM}
|
|
|
|
break
|
|
|
|
else
|
|
|
|
echo "Invalid selection"
|
|
|
|
fi
|
|
|
|
done
|
|
|
|
elif [ ! -e ~/.ctctl/${TARGET_DOM}/ctctl.conf ]; then
|
2023-07-05 15:28:07 +02:00
|
|
|
echo "Env ${TARGET_DOM} doesn't exist"
|
|
|
|
kill -INT $$
|
|
|
|
fi
|
|
|
|
|
2023-07-11 22:10:52 +02:00
|
|
|
# Clean any variable
|
|
|
|
for VAR in $(printenv | perl -ne '/^((CTCTL|CONSUL|VAULT|NOMAD)_[^=]+)=.*/ && print "$1\n"'); do
|
2023-07-05 15:28:07 +02:00
|
|
|
unset $VAR
|
|
|
|
done
|
2023-07-11 22:10:52 +02:00
|
|
|
|
|
|
|
export CTCTL_DOMAIN=${TARGET_DOM}
|
|
|
|
|
2023-07-12 16:18:56 +02:00
|
|
|
# Load pre login env configuration
|
|
|
|
set -o allexport
|
2023-07-11 22:10:52 +02:00
|
|
|
source ~/.ctctl/${CTCTL_DOMAIN}/ctctl.conf
|
2023-07-12 16:18:56 +02:00
|
|
|
set +o allexport
|
2023-07-09 22:48:32 +02:00
|
|
|
|
2023-07-05 15:28:07 +02:00
|
|
|
if [ -z "${TARGET_ENV}" ]; then
|
|
|
|
echo "Select the env you are working in"
|
|
|
|
select T_ENV in $(echo -n ${CT_VALID_ENV} | sed 's/,/ /g'); do
|
|
|
|
if [ "${REPLY}" -ge 1 ] && [ "${REPLY}" -le $(echo -n ${CT_VALID_ENV} | sed 's/,/ /g' | wc -w) ]; then
|
|
|
|
TARGET_ENV=${T_ENV}
|
|
|
|
break
|
|
|
|
else
|
|
|
|
echo "Invalid selection, please select the env you'll be working in"
|
|
|
|
fi
|
|
|
|
done
|
|
|
|
fi
|
2023-07-11 21:39:23 +02:00
|
|
|
export CTCTL_ENV=${TARGET_ENV}
|
2023-07-11 22:10:52 +02:00
|
|
|
|
|
|
|
# Load env configuration
|
|
|
|
if [ -e ~/.ctctl/${TARGET_DOM}/${CTCTL_ENV}.conf ]; then
|
2023-07-12 16:18:56 +02:00
|
|
|
set -o allexport
|
2023-07-11 22:10:52 +02:00
|
|
|
source ~/.ctctl/${TARGET_DOM}/${CTCTL_ENV}.conf
|
2023-07-12 16:18:56 +02:00
|
|
|
set +o allexport
|
|
|
|
fi
|
|
|
|
|
|
|
|
# Load pre login env configuration
|
|
|
|
if [ -e ~/.ctctl/${CTCTL_DOMAIN}/pre-login.conf ]; then
|
|
|
|
set -o allexport
|
|
|
|
source ~/.ctctl/${CTCTL_DOMAIN}/pre-login.conf
|
|
|
|
set +o allexport
|
2023-07-11 22:10:52 +02:00
|
|
|
fi
|
|
|
|
|
2023-07-05 15:28:07 +02:00
|
|
|
export NOMAD_VAR_env=${TARGET_ENV}
|
2023-07-11 22:10:52 +02:00
|
|
|
|
|
|
|
# Change color of the prompt
|
2023-07-11 21:39:23 +02:00
|
|
|
case ${CTCTL_ENV} in
|
2023-07-05 15:28:07 +02:00
|
|
|
prd|PRD|production)
|
|
|
|
COLOR="1;31" # Red
|
|
|
|
;;
|
|
|
|
stg|STG|stage|staging)
|
|
|
|
COLOR="1;33" # Yellow/Orange
|
|
|
|
;;
|
|
|
|
qa|qal|QA|QAL)
|
|
|
|
COLOR="1;35" # Purple
|
|
|
|
;;
|
|
|
|
dev|DEV|devel)
|
|
|
|
COLOR="1;36" # Cyan
|
|
|
|
;;
|
|
|
|
*)
|
|
|
|
COLOR="1;32" # Green
|
|
|
|
;;
|
|
|
|
esac
|
2023-07-11 22:10:52 +02:00
|
|
|
|
2023-07-05 15:28:07 +02:00
|
|
|
auth_env
|
2023-07-12 16:18:56 +02:00
|
|
|
|
|
|
|
# Load post login configuration
|
|
|
|
if [ -e ~/.ctctl/${CTCTL_DOMAIN}/ctctl.local.conf ]; then
|
|
|
|
set -o allexport
|
|
|
|
source ~/.ctctl/${CTCTL_DOMAIN}/ctctl.local.conf
|
|
|
|
set +o allexport
|
|
|
|
fi
|
2023-07-11 21:39:23 +02:00
|
|
|
export PS1="[${CTCTL_DOMAIN} \[\e[${COLOR}m\](${CTCTL_ENV})\[\e[m\] \W]\$ "
|
2023-07-05 15:28:07 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
# Check if we have a valid token for vault
|
|
|
|
check_vault_token(){
|
|
|
|
vault read auth/token/lookup-self > /dev/null 2>&1
|
|
|
|
if [ $? == 0 ]; then
|
|
|
|
echo 1
|
|
|
|
else
|
|
|
|
echo 0
|
|
|
|
fi
|
|
|
|
}
|
|
|
|
|
|
|
|
# Check if we have a valid token for consul
|
|
|
|
check_consul_token(){
|
|
|
|
CONSUL_TOKEN_VALID=0
|
|
|
|
if [ -n "${CONSUL_HTTP_TOKEN}" ]; then
|
|
|
|
consul acl token read -self > /dev/null 2>&1
|
|
|
|
if [ $? == 0 ]; then
|
|
|
|
echo 1
|
|
|
|
else
|
|
|
|
echo 0
|
|
|
|
fi
|
|
|
|
else
|
|
|
|
echo 0
|
|
|
|
fi
|
|
|
|
}
|
|
|
|
|
|
|
|
# Check if we have a valid token for nomad
|
|
|
|
check_nomad_token(){
|
|
|
|
if [ -n "${NOMAD_TOKEN}" ]; then
|
|
|
|
nomad acl token self > /dev/null 2>&1
|
|
|
|
if [ $? == 0 ]; then
|
|
|
|
echo 1
|
|
|
|
else
|
|
|
|
echo 0
|
|
|
|
fi
|
|
|
|
else
|
|
|
|
echo 0
|
|
|
|
fi
|
|
|
|
}
|
|
|
|
|
|
|
|
# Auth on vault, consul and nomad on the current env
|
|
|
|
auth_env(){
|
2023-07-11 21:39:23 +02:00
|
|
|
if [ -z "${CTCTL_DOMAIN}" ]; then
|
2023-07-05 15:28:07 +02:00
|
|
|
echo "Unknown environment"
|
|
|
|
kill -INT $$
|
|
|
|
fi
|
|
|
|
if [ "$(check_vault_token)" != "1" ]; then
|
2023-07-11 21:39:23 +02:00
|
|
|
echo "You're not connected on vault. Please enter your account password"
|
2023-07-12 16:18:56 +02:00
|
|
|
export VAULT_TOKEN=$(vault login -field=token ${VAULT_AUTH_CONFIG:--method=ldap username=${CTCTL_USER}} || kill -INT $$)
|
2023-07-11 21:39:23 +02:00
|
|
|
echo "Logged on vault successfuly"
|
2023-07-05 15:28:07 +02:00
|
|
|
else
|
2023-07-11 21:39:23 +02:00
|
|
|
echo "Your vault token is valid"
|
2023-07-05 15:28:07 +02:00
|
|
|
vault token renew > /dev/null 2>&1
|
|
|
|
fi
|
|
|
|
VAULT_TOKEN_INFO=$(vault read -format=json auth/token/lookup-self)
|
2023-07-05 17:11:49 +02:00
|
|
|
if [ "$(echo $VAULT_TOKEN_INFO | jq '.data.policies | any(. == "admin-policy" or .== "admin")')" == "true" ]; then
|
2023-07-05 15:28:07 +02:00
|
|
|
NOMAD_ROLE=admin
|
|
|
|
CONSUL_ROLE=admin
|
|
|
|
else
|
|
|
|
NOMAD_ROLE=user
|
|
|
|
CONSUL_ROLE=user
|
|
|
|
fi
|
|
|
|
|
|
|
|
# Root CA
|
2023-07-11 21:39:23 +02:00
|
|
|
vault read -field certificate pki/root/cert/ca > ~/.ctctl/${CTCTL_DOMAIN}/root_ca.crt
|
2023-07-05 15:28:07 +02:00
|
|
|
|
|
|
|
# Consul certificate
|
|
|
|
# Get/renew cert if required.
|
|
|
|
# Note 1: as the template is using pkiCert, the cert won't be renewed, unless necessary
|
2023-07-11 21:39:23 +02:00
|
|
|
# Note 2: don't pass CONSUL_CLIENT_CERT CONSUL_CLIENT_KEY and CONSUL_CACERT because they would prevent consul-template from starting
|
2023-07-05 15:28:07 +02:00
|
|
|
# to get/renew the cert if they are absent, or expired
|
2023-07-11 21:39:23 +02:00
|
|
|
env -u CONSUL_CLIENT_CERT -u CONSUL_CLIENT_KEY -u CONSUL_CACERT consul-template -config ~/.ctctl/${CTCTL_DOMAIN}/consul/consul-template.hcl -once
|
2023-07-05 15:28:07 +02:00
|
|
|
|
|
|
|
# Get/renew cert for Nomad now
|
2023-07-11 21:39:23 +02:00
|
|
|
consul-template -config ~/.ctctl/${CTCTL_DOMAIN}/nomad/consul-template.hcl -once
|
2023-07-05 15:28:07 +02:00
|
|
|
|
|
|
|
# Check if we have a valid nomad token already
|
|
|
|
if [ "$(check_nomad_token)" != "1" ]; then
|
2023-07-11 21:39:23 +02:00
|
|
|
echo "Fecthing a Nomad token from vault"
|
2023-07-09 22:12:27 +02:00
|
|
|
NOMAD_CREDS=$(vault read -format=json nomad/creds/${NOMAD_ROLE})
|
|
|
|
export NOMAD_TOKEN=$(echo -n ${NOMAD_CREDS} | jq -r .data.secret_id)
|
|
|
|
export NOMAD_LEASE=$(echo -n ${NOMAD_CREDS} | jq -r .lease_id)
|
|
|
|
unset NOMAD_CREDS
|
2023-07-05 15:28:07 +02:00
|
|
|
else
|
2023-07-11 21:39:23 +02:00
|
|
|
echo "Nomad token is valid, renewing lease"
|
|
|
|
vault lease renew ${NOMAD_LEASE} >/dev/null
|
2023-07-05 15:28:07 +02:00
|
|
|
fi
|
|
|
|
# Check if we have a valid consul token already
|
|
|
|
if [ "$(check_consul_token)" != "1" ]; then
|
2023-07-11 21:39:23 +02:00
|
|
|
echo "Fetching a Consul token from vault"
|
2023-07-09 22:12:27 +02:00
|
|
|
CONSUL_CREDS=$(vault read -format=json consul/creds/${CONSUL_ROLE})
|
|
|
|
export CONSUL_HTTP_TOKEN=$(echo -n ${CONSUL_CREDS} | jq -r .data.token)
|
|
|
|
export CONSUL_LEASE=$(echo -n ${CONSUL_CREDS} | jq -r .lease_id)
|
|
|
|
unset CONSUL_CREDS
|
2023-07-05 15:28:07 +02:00
|
|
|
else
|
2023-07-11 21:39:23 +02:00
|
|
|
echo "Consul token is valid, renewing lease"
|
|
|
|
vault lease renew ${CONSUL_LEASE} >/dev/null
|
2023-07-05 15:28:07 +02:00
|
|
|
fi
|
|
|
|
}
|
|
|
|
|
2023-07-09 22:12:27 +02:00
|
|
|
renew_leases(){
|
|
|
|
# Renew vault token
|
2023-07-11 21:39:23 +02:00
|
|
|
[ -n "${VAULT_TOKEN}" ] && vault token renew >/dev/null
|
|
|
|
[ -n "${NOMAD_LEASE}" ] && vault lease renew ${NOMAD_LEASE} >/dev/null
|
|
|
|
[ -n "${CONSUL_LEASE}" ] && vault lease renew ${CONSUL_LEASE} > /dev/null
|
2023-07-09 22:12:27 +02:00
|
|
|
}
|
|
|
|
|
2023-07-05 15:28:07 +02:00
|
|
|
# Logout from the current env
|
|
|
|
logout_env(){
|
2023-07-11 21:39:23 +02:00
|
|
|
if [ -z "${CTCTL_DOMAIN}" ]; then
|
2023-07-05 15:28:07 +02:00
|
|
|
echo "Unknown environment"
|
|
|
|
kill -INT $$
|
|
|
|
fi
|
2023-07-11 21:39:23 +02:00
|
|
|
echo "Disconecting from ${CTCTL_DOMAIN} environment"
|
2023-07-05 15:28:07 +02:00
|
|
|
vault token revoke -self
|
2023-07-12 16:18:56 +02:00
|
|
|
for VAR in $(printenv | perl -ne '/^((CTCTL|CONSUL|VAULT|NOMAD|LOKI)_[^=]+)=.*/ && print "$1\n"'); do
|
2023-07-05 15:28:07 +02:00
|
|
|
unset $VAR
|
|
|
|
done
|
|
|
|
rm -f ~/.vault-token
|
|
|
|
}
|
|
|
|
|
|
|
|
# List available env
|
|
|
|
ls_env(){
|
2023-07-11 21:39:23 +02:00
|
|
|
find ~/.ctctl/ -name ctctl.conf | xargs dirname | xargs basename -a
|
2023-07-05 15:28:07 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
# Load policies for vault, Consul and Nomad
|
|
|
|
load_policies(){
|
|
|
|
if [ "$(check_env)" = "0" ]; then
|
|
|
|
echo "Not currently in a valid env. Run ctctl (with no argument) and select your env first"
|
|
|
|
kill -INT $$
|
|
|
|
fi
|
|
|
|
if [ -d "./vault/policies" ]; then
|
|
|
|
if [ "$(check_vault_token)" != "1" ]; then
|
|
|
|
echo "No valid vault token. You have to authenticate first"
|
|
|
|
kill -INT $$
|
|
|
|
fi
|
|
|
|
for PFILE in $(ls ./vault/policies/*.hcl 2>/dev/null); do
|
2023-07-11 21:39:23 +02:00
|
|
|
PNA=$(basename ${PFILE} .hcl)$(get_conf "env_suffix")
|
|
|
|
echo "Loading vault policy ${PNA}"
|
|
|
|
replace_conf_var ${PFILE} | vault policy write ${PNA} -
|
2023-07-05 15:28:07 +02:00
|
|
|
done
|
|
|
|
fi
|
|
|
|
if [ -d "./consul/policies" ]; then
|
|
|
|
if [ "$(check_consul_token)" != "1" ]; then
|
|
|
|
echo "No valid consul token. You have to authenticate first"
|
|
|
|
kill -INT $$
|
|
|
|
fi
|
|
|
|
CONSUL_CUR_POLICIES=$(consul acl policy list -format=json)
|
|
|
|
for PFILE in $(ls ./consul/policies/*.hcl 2>/dev/null); do
|
2023-07-11 23:45:50 +02:00
|
|
|
PNAME=$(basename ${PFILE} .hcl)$(get_conf "env_suffix")
|
2023-07-05 15:28:07 +02:00
|
|
|
# Consul do not use the same command to create a new policy and to update an existing one
|
|
|
|
# so we need to detect if the policy already exists
|
2023-07-11 23:45:50 +02:00
|
|
|
if [ "$(echo ${CONSUL_CUR_POLICIES} | jq -r '.[] | select(.Name=='\"${PNAME}\"') | .Name')" == "${PNAME}" ]; then
|
|
|
|
echo "Updating consul policy ${PNAME}"
|
2023-07-12 16:18:56 +02:00
|
|
|
replace_conf_var ${PFILE} | consul acl policy update -name=${PNAME} -rules=-
|
2023-07-05 15:28:07 +02:00
|
|
|
else
|
2023-07-11 23:45:50 +02:00
|
|
|
echo "Adding new consul policy ${PNAME}"
|
|
|
|
replace_conf_var ${PFILE} | consul acl policy create -name=${PNAME} -rules=-
|
2023-07-05 15:28:07 +02:00
|
|
|
fi
|
|
|
|
done
|
|
|
|
fi
|
|
|
|
if [ -d "./nomad/policies" ]; then
|
|
|
|
if [ "$(check_nomad_token)" != "1" ]; then
|
|
|
|
echo "No valid nomad token. You have to authenticate first"
|
|
|
|
kill -INT $$
|
|
|
|
fi
|
|
|
|
for PFILE in $(ls ./nomad/policies/*.hcl 2>/dev/null); do
|
2023-07-11 23:45:50 +02:00
|
|
|
PNAME=$(basename ${PFILE} .hcl)$(get_conf "env_suffix")
|
|
|
|
echo "Loading Nomad policy ${PNAME}"
|
|
|
|
replace_conf_var ${PFILE} | nomad acl policy apply ${PNAME} -
|
2023-07-05 15:28:07 +02:00
|
|
|
done
|
|
|
|
fi
|
|
|
|
}
|
|
|
|
|
|
|
|
# Load consul services
|
|
|
|
load_consul_services(){
|
|
|
|
if [ -d "./consul/services" ]; then
|
|
|
|
if [ "$(check_consul_token)" != "1" ]; then
|
|
|
|
echo "No valid consul token. You have to authenticate first"
|
|
|
|
kill -INT $$
|
|
|
|
fi
|
|
|
|
for FILE in $(ls ./consul/services/*.hcl 2>/dev/null); do
|
|
|
|
echo "Registering service from ${FILE}"
|
|
|
|
TEMP=$(mktemp).hcl
|
|
|
|
replace_conf_var ${FILE} > ${TEMP}
|
|
|
|
consul services register ${TEMP}
|
|
|
|
rm -f ${TEMP}
|
|
|
|
done
|
|
|
|
fi
|
|
|
|
}
|
|
|
|
|
|
|
|
# Load consul config
|
|
|
|
load_consul_conf(){
|
|
|
|
if [ -d "./consul/config" ]; then
|
|
|
|
if [ "$(check_consul_token)" != "1" ]; then
|
|
|
|
echo "No valid consul token. You have to authenticate first"
|
|
|
|
kill -INT $$
|
|
|
|
fi
|
|
|
|
# Note : service-defaults should be loaded before the others
|
|
|
|
# but that should be the case
|
|
|
|
for FILE in $(ls ./consul/config/*.hcl 2>/dev/null); do
|
|
|
|
echo "Loading consul conf from ${FILE}"
|
|
|
|
TEMP=$(mktemp)
|
|
|
|
replace_conf_var ${FILE} > ${TEMP}
|
|
|
|
consul config write ${TEMP}
|
|
|
|
rm -f ${TEMP}
|
|
|
|
done
|
|
|
|
fi
|
|
|
|
}
|
|
|
|
|
|
|
|
# Build Docker images
|
|
|
|
build_images(){
|
|
|
|
IMAGE=$1
|
|
|
|
FORCE=$2
|
|
|
|
NO_CACHE=$3
|
|
|
|
export DOCKER_BUILDKIT=1
|
|
|
|
for DOCKER_IMAGE in $(
|
|
|
|
(for JOB in $(find . -maxdepth 1 \( -name \*.nomad -o -name \*.nomad.hcl \)); do
|
|
|
|
nomad run -output $JOB | jq '.Job.TaskGroups' | jq '.[] | .Tasks' | jq -r '.[] | .Config.image' 2>/dev/null
|
2023-07-11 21:39:23 +02:00
|
|
|
done) | grep -E ${DOCKER_BUILD_REPO_REGEX:-docker-repo.ehtrace.com} | sort -u); do
|
2023-07-11 22:10:52 +02:00
|
|
|
if [ "${FORCE}" != "" ] || ! docker manifest inspect ${DOCKER_IMAGE} > /dev/null 2>&1; then
|
2023-07-05 15:28:07 +02:00
|
|
|
echo "Building image ${DOCKER_IMAGE}"
|
2023-07-11 22:10:52 +02:00
|
|
|
# Extract the basename of the image, removing the repo and the tag
|
2023-07-09 22:48:32 +02:00
|
|
|
DIR=$(echo -n ${DOCKER_IMAGE} | sed -E 's/.+\/([^\/]+):.*/\1/')
|
2023-07-11 22:10:52 +02:00
|
|
|
if [ "${IMAGE}" != "" -a "${DIR}" != "${IMAGE}" ]; then
|
2023-07-05 15:28:07 +02:00
|
|
|
echo "Skipping ${DIR}"
|
|
|
|
else
|
|
|
|
export DOCKER_IMAGE=${DOCKER_IMAGE}
|
|
|
|
LATEST=$(echo ${DOCKER_IMAGE} | sed 's/:.*/:latest/')
|
|
|
|
if [ "${NO_CACHE}" != "" ]; then
|
|
|
|
NO_CACHE="--no-cache"
|
|
|
|
else
|
|
|
|
NO_CACHE=""
|
|
|
|
fi
|
2023-07-11 22:10:52 +02:00
|
|
|
docker build ${NO_CACHE} -t ${DOCKER_IMAGE} -t ${LATEST} ${CTCTL_DOCKER_BUILD_OPTS:-} --progress=plain images/$DIR &&
|
2023-07-05 15:28:07 +02:00
|
|
|
docker push ${DOCKER_IMAGE}
|
|
|
|
docker push ${LATEST}
|
|
|
|
fi
|
|
|
|
else
|
|
|
|
echo "Image ${DOCKER_IMAGE} already available"
|
|
|
|
fi
|
|
|
|
done
|
|
|
|
unset DOCKER_BUILDKIT
|
|
|
|
}
|
|
|
|
|
|
|
|
# Run all executable in the prep.d directory
|
|
|
|
handle_prep_scripts(){
|
|
|
|
if [ -d prep.d ]; then
|
|
|
|
for H in $(find prep.d -type f -o -type l | sort); do
|
|
|
|
if [ -x "${H}" ]; then
|
|
|
|
echo "Running script ${H}"
|
|
|
|
$H $1
|
|
|
|
else
|
|
|
|
echo "Skiping $H (not executable)"
|
|
|
|
fi
|
|
|
|
done
|
|
|
|
fi
|
|
|
|
}
|
|
|
|
|
|
|
|
# Render templates using levant
|
|
|
|
render_templates(){
|
2023-07-11 21:39:23 +02:00
|
|
|
RGED_CONF=$(mktemp tmp.XXXXXXXX.yml)
|
|
|
|
get_merged_conf > ${RGED_CONF}
|
2023-07-05 15:28:07 +02:00
|
|
|
|
2023-07-11 21:39:23 +02:00
|
|
|
handle_prep_scripts ${RGED_CONF}
|
2023-07-05 15:28:07 +02:00
|
|
|
|
|
|
|
for TEMPLATE in $(find . -type f -name \*.tpl ! -path "*templates/*"); do
|
|
|
|
DIR=$(dirname ${TEMPLATE})
|
|
|
|
FILE=$(basename ${TEMPLATE} .tpl)
|
|
|
|
DEST=${DIR}/${FILE}
|
|
|
|
echo "Rendering ${TEMPLATE} into ${DEST}"
|
2023-07-11 21:39:23 +02:00
|
|
|
levant render -var-file ${RGED_CONF} -log-level=WARN ${TEMPLATE} > ${DEST}
|
2023-07-05 15:28:07 +02:00
|
|
|
nomad fmt ${DEST}
|
|
|
|
done
|
|
|
|
|
2023-07-11 21:39:23 +02:00
|
|
|
rm -f ${RGED_CONF}
|
2023-07-05 15:28:07 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
# Print Consul and Nomad tokens (not vault, for security reasons)
|
|
|
|
print_tokens(){
|
|
|
|
if [ "$(check_nomad_token)" == "1" ]; then
|
|
|
|
echo "Nomad token: ${NOMAD_TOKEN}"
|
|
|
|
else
|
|
|
|
echo "No valid Nomad token, you should auth with ctctl auth"
|
|
|
|
fi
|
|
|
|
if [ "$(check_consul_token)" == "1" ]; then
|
|
|
|
echo "Consul token: ${CONSUL_HTTP_TOKEN}"
|
|
|
|
else
|
|
|
|
echo "No valid Consul token, you should auth with ctctl auth"
|
|
|
|
fi
|
|
|
|
}
|
|
|
|
|
|
|
|
# Handle CSI volumes definition
|
|
|
|
handle_volumes(){
|
|
|
|
if [ -d ./volumes ]; then
|
|
|
|
for FILE in $(ls ./volumes/*.hcl 2>/dev/null); do
|
|
|
|
echo "Handling volume definition ${FILE}"
|
|
|
|
# Linstor volumes are just registered, while the other are created
|
|
|
|
if [[ "$FILE" =~ ^linstor-.* ]]; then
|
|
|
|
replace_conf_var ${FILE} | nomad volume register -
|
|
|
|
else
|
|
|
|
replace_conf_var ${FILE} | nomad volume create -
|
|
|
|
fi
|
|
|
|
done
|
|
|
|
fi
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
# Follow current jobs logs
|
|
|
|
job_logs(){
|
|
|
|
# Remove the first arg passed to ctctl, which is logs
|
|
|
|
shift
|
|
|
|
local SELECTOR
|
|
|
|
local LOGCLI_CMD
|
|
|
|
|
2023-07-12 16:18:56 +02:00
|
|
|
if [ -z "${LOKI_ADDR}" ]; then
|
|
|
|
echo "You need to configure loki first (LOKI_ADDR, LOKI_USERNAME and LOKI_PASSWORD or LOKI_PWD_CMD"
|
|
|
|
kill -INT $$
|
|
|
|
fi
|
2023-07-11 21:39:23 +02:00
|
|
|
|
2023-07-12 16:18:56 +02:00
|
|
|
if [ -n "${LOKI_PWD_CMD}" ]; then
|
|
|
|
export LOKI_PASSWORD=$(${LOKI_PWD_CMD})
|
2023-07-11 21:39:23 +02:00
|
|
|
fi
|
|
|
|
|
2023-07-05 15:28:07 +02:00
|
|
|
LOGCLI_CMD="logcli query --include-label=job --include-label=group --include-label=task"
|
|
|
|
|
|
|
|
echo -n "$*" | grep -qP '\{.+\}' >/dev/null 2>&1
|
|
|
|
# If a logcli filter was given, use it. Else, build one for jobs in the current dir
|
|
|
|
if [ $? == 0 ]; then
|
|
|
|
echo "Running ${LOGCLI_CMD} $@"
|
|
|
|
${LOGCLI_CMD} $@
|
|
|
|
else
|
|
|
|
# Build a job name selection string like job1|job2|job3 etc.
|
|
|
|
for JOB in $(find . -maxdepth 1 \( -name \*.nomad -o -name \*.nomad.hcl \)); do
|
|
|
|
SELECTOR=$SELECTOR"|"$(nomad run -output $JOB | jq -r '.Job.Name')
|
|
|
|
done
|
|
|
|
# We need to remove the leading |
|
|
|
|
# Exclude connect-proxy logs as it's often not wanted
|
|
|
|
SELECTOR='{job=~"'$(echo -n ${SELECTOR} | sed -e 's/^|//')'", task!~"connect-proxy-.+|tls-proxy|metrics-proxy"}'
|
|
|
|
echo "Running ${LOGCLI_CMD} $@ ${SELECTOR}"
|
|
|
|
${LOGCLI_CMD} $@ "${SELECTOR}"
|
|
|
|
fi
|
2023-07-11 21:39:23 +02:00
|
|
|
unset LOKI_PASSWORD
|
2023-07-05 15:28:07 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
### Helpers ###
|
|
|
|
|
|
|
|
# Merge the configuration files for the current env and return the result (as string)
|
|
|
|
get_merged_conf() {
|
|
|
|
CONF_FILES=""
|
|
|
|
if [ -e "./vars/defaults.yml" ]; then
|
|
|
|
CONF_FILES="./vars/defaults.yml"
|
|
|
|
fi
|
2023-07-11 21:39:23 +02:00
|
|
|
if [ -e "jobs/common/vars/${CTCTL_ENV}.yml" ]; then
|
|
|
|
CONF_FILES="${CONF_FILES} jobs/common/vars/${CTCTL_ENV}.yml"
|
2023-07-05 15:28:07 +02:00
|
|
|
fi
|
2023-07-11 21:39:23 +02:00
|
|
|
if [ -e "../common/vars/${CTCTL_ENV}.yml" ]; then
|
|
|
|
CONF_FILES="${CONF_FILES} ../common/vars/${CTCTL_ENV}.yml"
|
2023-07-05 15:28:07 +02:00
|
|
|
fi
|
2023-07-11 21:39:23 +02:00
|
|
|
if [ -e "./vars/${CTCTL_ENV}.yml" ]; then
|
|
|
|
CONF_FILES="${CONF_FILES} ./vars/${CTCTL_ENV}.yml"
|
2023-07-05 15:28:07 +02:00
|
|
|
fi
|
|
|
|
if [ "${CONF_FILES}" != "" ]; then
|
|
|
|
echo "---"
|
|
|
|
yq ea '. as $item ireduce ({}; . * $item | ... comments="")' $CONF_FILES
|
|
|
|
else
|
|
|
|
echo -n ""
|
|
|
|
fi
|
|
|
|
}
|
|
|
|
|
|
|
|
# Replace ${local.conf.foo} or ${foo} with the value of foo from the various merged configuration files
|
|
|
|
# This is used to have policies (vault, consul, nomad) and config (consul intentions etc.) with variables
|
|
|
|
replace_conf_var() {
|
2023-07-11 21:39:23 +02:00
|
|
|
RGED_CONF=$(mktemp)
|
|
|
|
get_merged_conf > $RGED_CONF
|
2023-07-05 15:28:07 +02:00
|
|
|
RES=$(cat $1 | \
|
|
|
|
# Replace ${local.conf.foo} or ${foo} with the value of foo from the various merged configuration files \
|
|
|
|
# This is used to have policies (vault, consul, nomad) and config (consul intentions etc.) with variables \
|
2023-07-11 21:39:23 +02:00
|
|
|
perl -pe 'sub replace($) { my $val = shift; chomp(my $res = qx(yq .$val '$RGED_CONF')); return $res; }; s!\$\{(local\.conf\.)?([^\}]+)\}! replace($2) !ge' | \
|
2023-07-05 15:28:07 +02:00
|
|
|
# Replace $(foo) with the output of foo command, mainly used to fetch secrets from vault \
|
|
|
|
perl -pe 'sub replace($) { my $val = shift; chomp(my $res = qx($val)); return $res; }; s!\$\(([^\)]+)\)! replace($1) !ge'
|
|
|
|
)
|
2023-07-11 21:39:23 +02:00
|
|
|
rm -f $RGED_CONF
|
2023-07-05 15:28:07 +02:00
|
|
|
echo "${RES}"
|
|
|
|
}
|
|
|
|
|
|
|
|
# Get a value from the conf
|
|
|
|
get_conf(){
|
|
|
|
get_merged_conf | yq ".$1"
|
|
|
|
}
|
|
|
|
|
2023-07-11 21:39:23 +02:00
|
|
|
|
2023-07-05 15:28:07 +02:00
|
|
|
case $1 in
|
|
|
|
current)
|
|
|
|
current_env
|
2023-07-11 21:39:23 +02:00
|
|
|
renew_leases
|
2023-07-05 15:28:07 +02:00
|
|
|
;;
|
|
|
|
auth)
|
|
|
|
auth_env
|
|
|
|
;;
|
|
|
|
disconnect)
|
|
|
|
logout_env
|
|
|
|
;;
|
|
|
|
ls|list)
|
|
|
|
ls_env
|
2023-07-11 21:39:23 +02:00
|
|
|
renew_leases
|
2023-07-05 15:28:07 +02:00
|
|
|
;;
|
|
|
|
prep)
|
|
|
|
render_templates
|
|
|
|
load_policies
|
|
|
|
load_consul_services
|
|
|
|
load_consul_conf
|
|
|
|
build_images
|
2023-07-11 21:39:23 +02:00
|
|
|
renew_leases
|
2023-07-05 15:28:07 +02:00
|
|
|
;;
|
|
|
|
volumes)
|
|
|
|
handle_volumes
|
2023-07-11 21:39:23 +02:00
|
|
|
renew_leases
|
2023-07-05 15:28:07 +02:00
|
|
|
;;
|
|
|
|
build)
|
|
|
|
build_images "$2" "force"
|
2023-07-11 21:39:23 +02:00
|
|
|
renew_leases
|
2023-07-05 15:28:07 +02:00
|
|
|
;;
|
|
|
|
build-no-cache)
|
|
|
|
build_images "$2" "force" "no-cache"
|
2023-07-11 21:39:23 +02:00
|
|
|
renew_leases
|
2023-07-05 15:28:07 +02:00
|
|
|
;;
|
|
|
|
tokens)
|
|
|
|
print_tokens
|
2023-07-11 21:39:23 +02:00
|
|
|
renew_leases
|
2023-07-05 15:28:07 +02:00
|
|
|
;;
|
|
|
|
logs)
|
2023-07-09 22:12:27 +02:00
|
|
|
renew_leases
|
2023-07-05 15:28:07 +02:00
|
|
|
job_logs "$@"
|
|
|
|
;;
|
|
|
|
conf)
|
2023-07-09 22:12:27 +02:00
|
|
|
renew_leases
|
2023-07-05 15:28:07 +02:00
|
|
|
get_merged_conf
|
|
|
|
;;
|
2023-07-11 21:39:23 +02:00
|
|
|
switch)
|
|
|
|
shift
|
|
|
|
switch_env "$@"
|
|
|
|
;;
|
2023-07-05 15:28:07 +02:00
|
|
|
*)
|
|
|
|
switch_env "$@"
|
|
|
|
;;
|
|
|
|
esac
|