First try with democratic csi

This commit is contained in:
Daniel Berteaud 2023-07-20 18:24:50 +02:00
parent 36c861bd27
commit 1bfd36134c
19 changed files with 796 additions and 168 deletions


@ -1,9 +1,17 @@
variable "vault_prefix" {
description = "Prefix to use in vault path"
type = string
default = ""
}
variable "namespace" {
description = "Nomad namespace where job should be submited"
type = string
default = "default"
}
variable "env_suffix" {
description = "Optional suffix to appened to service names, so you can run different env on the same Consul cluster"
type = string
default = ""
}
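Review bot: The new descriptions on `namespace` and `env_suffix` carry typos that will be shown verbatim by `nomad-pack info`: `submited` and `appened`. Suggest `description = "Nomad namespace where job should be submitted"` and `description = "Optional suffix appended to service names, so you can run different envs on the same Consul cluster"`. The old/new side of each line is not marked in this rendering, so I am assuming the description lines are among the additions.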

Binary file not shown.


@ -0,0 +1 @@
../../common/


@ -3,7 +3,7 @@ driver: freenas-api-iscsi
instance_id:
httpConnection:
protocol: {{ env "TRUENAS_API_SCHEME" }}
protocol: [[ .common.namespace ]]
host: {{ env "TRUENAS_API_HOST" }}
port: {{ env "TRUENAS_API_PORT" }}
apiKey: {{ with secret (printf "%skv/service/democratic-csi" (env "VAULT_PREFIX")) }}{{ .Data.data.truenas_api_key }}{{ end }}
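Review bot: `protocol:` now receives `[[ .common.namespace ]]`, which is the Nomad namespace (default `"default"` in the common variables), not an HTTP scheme, so the rendered httpConnection would presumably be unusable. The pack already exposes the right value and the new controller defines use it; the line should read `protocol: [[ .democratic_csi.freenas_api_scheme ]]`. The neighbouring `host`/`port`/`apiKey` lines still use the `{{ env "TRUENAS_API_…" }}` consul-template form, so this file now mixes the pack renderer with the old env-driven approach; if nothing references it any more after the move to the `iscsi_controller`/`nfs_controller` defines, deleting it would be cleaner than patching it.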


@ -3,10 +3,10 @@ app {
}
pack {
name = "democratic_csi_freenas_api"
name = "democratic_csi"
description = "CSI plugin for Nomad to use storage (NFS and iSCSI) from FreeNAS / TrueNAS"
url = "https://git.lapiole.org/infra/nomad/packs/democfratic_csi_freenas_api"
version = "0.0.1"
url = "https://git.lapiole.org/infra/nomad/packs/democfratic_csi"
version = "0.0.1"
}
dependency "common" {
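Review bot: The new `url` keeps the typo present in the old value, `democfratic_csi`, so the pack metadata points to a repository path that likely does not exist on the forge. `url = "https://git.lapiole.org/infra/nomad/packs/democratic_csi"` would match the `name` set two lines above. Worth fixing in this commit since the old URL is being rewritten anyway.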


@ -0,0 +1,166 @@
job "democratic-csi-controller" {
datacenters = ["dc1"]
group "iscsi" {
count = 1
task "iscsi-controller" {
driver = "docker"
config {
image = "danielberteaud/democratic-csi:latest"
args = [
"--csi-version=1.5.0",
"--csi-name=org.democratic-csi.iscsi",
"--driver-config-file=${NOMAD_SECRETS_DIR}/config.yml",
"--log-level=info",
"--csi-mode=controller",
"--server-socket=/csi/csi.sock",
]
network_mode = "host"
privileged = true
userns_mode = "host"
}
vault {
policies = ["democratic-csi"]
}
template {
data = <<-EOF
driver: freenas-api-iscsi
instance_id:
httpConnection:
protocol: http
host: freenas
port: 80
apiKey: {{ with secret "kv/service/democratic-csi" }}{{ .Data.data.truenas_api_key }}{{ end }}
allowInsecure: false
apiVersion: 2
zfs:
datasetParentName: zpool/csi/iscsi
detachedSnapshotsDatasetParentName: zpool/csi/iscsisnap
zvolEnableReservation: false
zvolBlocksize: 16K
iscsi:
targetPortals:
- 10.99.3.27:3260
interface:
namePrefix: ""
nameSuffix: ""
targetGroups:
- targetGroupPortalGroup: 1
targetGroupInitiatorGroup: 1
targetGroupAuthType: None
targetGroupAuthGroup: 1
extentInsecureTpc: true
extentXenCompat: false
extentDisablePhysicalBlocksize: false
extentBlocksize: 512
extentRpm: "SSD"
extentAvailThreshold: 0
EOF
destination = "${NOMAD_SECRETS_DIR}/config.yml"
}
csi_plugin {
# must match --csi-name arg
id = "org.democratic-csi.iscsi"
type = "controller"
mount_dir = "/csi"
}
resources {
cpu = 100
memory = 192
}
}
}
group "nfs" {
count = 1
task "nfs-controller" {
driver = "docker"
config {
image = "danielberteaud/democratic-csi:latest"
args = [
"--csi-version=1.5.0",
"--csi-name=org.democratic-csi.nfs",
"--driver-config-file=${NOMAD_SECRETS_DIR}/config.yml",
"--log-level=silly",
"--csi-mode=controller",
"--server-socket=/csi/csi.sock",
]
network_mode = "host"
privileged = true
userns_mode = "host"
}
vault {
policies = ["democratic-csi"]
}
template {
data = <<-EOF
driver: freenas-api-nfs
instance_id:
httpConnection:
protocol: http
host: freenas
port: 80
apiKey: {{ with secret "kv/service/democratic-csi" }}{{ .Data.data.truenas_api_key }}{{ end }}
allowInsecure: false
apiVersion: 2
zfs:
datasetParentName: zpool/csi/nfs
detachedSnapshotsDatasetParentName: zpool/csi/nfssnap
datasetEnableQuotas: false
datasetEnableReservation: false
datasetPermissionsMode: "0770"
datasetPermissionsUser: 0
datasetPermissionsGroup: 0
nfs:
shareHost: 10.99.3.27
shareAlldirs: false
shareAllowedHosts: []
shareAllowedNetworks:
- 10.99.9.0/24
shareMaprootUser: root
shareMaprootGroup: root
shareMapallUser: ""
shareMapallGroup: ""
EOF
destination = "${NOMAD_SECRETS_DIR}/config.yml"
}
csi_plugin {
# must match --csi-name arg
id = "org.democratic-csi.nfs"
type = "controller"
mount_dir = "/csi"
}
resources {
cpu = 100
memory = 192
}
}
}
}
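Review bot: Both controller configs send the TrueNAS API key over cleartext HTTP: each `httpConnection:` block has `protocol: http`, `port: 80` and `apiKey: {{ with secret "kv/service/democratic-csi" }}…`, and the `allowInsecure: false` that follows only governs certificate verification, so it offers nothing on a plain-HTTP connection. If this file is the rendered example of the pack, these values come from `freenas_api_scheme`/`freenas_api_port`, whose defaults in the new variables file are `"http"`/`80`; I would default them to `default = "https"` and `default = 443` and state in the `freenas_api_insecure` description that it only applies to TLS connections. The NFS controller also runs `--log-level=silly` while the iSCSI one uses `info`; confirm that level does not log request headers carrying the key, and align the two. The same remarks apply to the templated controller job further down.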



@ -0,0 +1,39 @@
[[- define "iscsi_controller" -]]
driver: freenas-api-iscsi
instance_id:
httpConnection:
protocol: [[ .democratic_csi.freenas_api_scheme ]]
host: [[ .democratic_csi.freenas_api_host ]]
port: [[ .democratic_csi.freenas_api_port ]]
apiKey: {{ with secret "[[ .common.vault_prefix ]]kv/service/democratic-csi" }}{{ .Data.data.truenas_api_key }}{{ end }}
allowInsecure: [[ if eq .democratic_csi.freenas_api_insecure true ]]true[[ else ]]false[[ end ]]
apiVersion: 2
zfs:
datasetParentName: [[ .democratic_csi.iscsi_zfs_parent ]]
detachedSnapshotsDatasetParentName: [[ .democratic_csi.iscsi_zfs_snap_parent ]]
zvolEnableReservation: [[ .democratic_csi.iscsi_zfs_reservation ]]
zvolBlocksize: [[ .democratic_csi.iscsi_zfs_blocksize ]]
iscsi:
targetPortals: [[ range $idx, $portal := .democratic_csi.iscsi_portals ]]
- [[ $portal ]][[ end ]]
interface:
namePrefix: ""
nameSuffix: ""
targetGroups:
- targetGroupPortalGroup: [[ .democratic_csi.iscsi_portal_group_id ]]
targetGroupInitiatorGroup: [[ .democratic_csi.iscsi_initiator_group_id ]]
targetGroupAuthType: [[ .democratic_csi.iscsi_auth_type ]]
targetGroupAuthGroup: [[ .democratic_csi.iscsi_auth_group_id ]]
extentInsecureTpc: true
extentXenCompat: false
extentDisablePhysicalBlocksize: false
extentBlocksize: 512
extentRpm: "SSD"
extentAvailThreshold: 0
[[- end -]]
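Review bot: `allowInsecure` is rendered through `[[ if eq .democratic_csi.freenas_api_insecure true ]]true[[ else ]]false[[ end ]]` while the other boolean on this define, `zvolEnableReservation`, emits its variable directly; since `freenas_api_insecure` is declared `type = bool`, `allowInsecure: [[ .democratic_csi.freenas_api_insecure ]]` is equivalent and consistent with the rest of the file. `extentInsecureTpc: true` is the one extent/target setting left hard-coded while every knob around it (portal group, initiator group, auth type, auth group) became a variable; if it is meant to stay fixed, a one-line comment in the define saying why would help the next reader, otherwise expose it as a `bool` variable like its neighbours. The same `allowInsecure` construct appears in the nfs define below.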


@ -0,0 +1,32 @@
[[- define "nfs_controller" -]]
driver: freenas-api-nfs
instance_id:
httpConnection:
protocol: [[ .democratic_csi.freenas_api_scheme ]]
host: [[ .democratic_csi.freenas_api_host ]]
port: [[ .democratic_csi.freenas_api_port ]]
apiKey: {{ with secret "[[ .common.vault_prefix ]]kv/service/democratic-csi" }}{{ .Data.data.truenas_api_key }}{{ end }}
allowInsecure: [[ if eq .democratic_csi.freenas_api_insecure true ]]true[[ else ]]false[[ end ]]
apiVersion: 2
zfs:
datasetParentName: [[ .democratic_csi.nfs_zfs_parent ]]
detachedSnapshotsDatasetParentName: [[ .democratic_csi.nfs_zfs_snap_parent ]]
datasetEnableQuotas: [[ .democratic_csi.nfs_zfs_quota ]]
datasetEnableReservation: [[ .democratic_csi.nfs_zfs_reservation ]]
datasetPermissionsMode: "0770"
datasetPermissionsUser: 0
datasetPermissionsGroup: 0
nfs:
shareHost: [[ .democratic_csi.nfs_server ]]
shareAlldirs: false
shareAllowedHosts: []
shareAllowedNetworks:[[ range $idx, $cidr := .democratic_csi.nfs_allowed_networks ]]
- [[ $cidr ]][[ end ]]
shareMaprootUser: root
shareMaprootGroup: root
shareMapallUser: ""
shareMapallGroup: ""
[[- end -]]
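Review bot: The export is rendered with `shareMaprootUser: root`, `shareMaprootGroup: root` and `shareAllowedHosts: []` hard-coded, so, if I read the maproot semantics correctly, any client inside `nfs_allowed_networks` gets unsquashed root on every dataset created under `nfs_zfs_parent`, and that network list is the only access control on these shares. That is plausibly intended for a CSI driver creating datasets owned by `0:0` (`datasetPermissionsUser: 0`, `datasetPermissionsGroup: 0`), but it deserves a comment in the define and a sentence in the variable description, e.g. `description = "List of CIDR allowed to mount NFS shares created through the CSI interface (clients are granted root, no root squash)"`. If root mapping should be tunable per deployment, `shareMaprootUser`/`shareMaprootGroup` could become variables like the ZFS settings above them.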


@ -0,0 +1,106 @@
job "democratic-csi-controller" {
datacenters = ["dc1"]
[[ if eq .democratic_csi.enable_iscsi true ]]
group "iscsi" {
count = [[ .democratic_csi.ctl_count ]]
task "iscsi-controller" {
driver = "docker"
config {
image = "[[ .democratic_csi.image ]]"
args = [
"--csi-version=1.5.0",
"--csi-name=org.democratic-csi.iscsi",
"--driver-config-file=${NOMAD_SECRETS_DIR}/config.yml",
"--log-level=info",
"--csi-mode=controller",
"--server-socket=/csi/csi.sock"
]
network_mode = "host"
privileged = true
userns_mode = "host"
}
vault {
policies = ["democratic-csi[[ .common.env_suffix ]]"]
}
template {
data =<<-EOF
[[ template "iscsi_controller" . ]]
EOF
destination = "${NOMAD_SECRETS_DIR}/config.yml"
}
csi_plugin {
# must match --csi-name arg
id = "org.democratic-csi.iscsi"
type = "controller"
mount_dir = "/csi"
}
resources {
cpu = [[ .democratic_csi.ctl_resources.cpu ]]
memory = [[ .democratic_csi.ctl_resources.memory ]]
}
}
}
[[ end ]]
[[ if eq .democratic_csi.enable_nfs true ]]
group "nfs" {
count = [[ .democratic_csi.ctl_count ]]
task "nfs-controller" {
driver = "docker"
config {
image = "[[ .democratic_csi.image ]]"
args = [
"--csi-version=1.5.0",
"--csi-name=org.democratic-csi.nfs",
"--driver-config-file=${NOMAD_SECRETS_DIR}/config.yml",
"--log-level=silly",
"--csi-mode=controller",
"--server-socket=/csi/csi.sock"
]
network_mode = "host"
privileged = true
userns_mode = "host"
}
vault {
policies = ["democratic-csi[[ .common.env_suffix ]]"]
}
template {
data = <<-EOF
[[ template "nfs_controller" . ]]
EOF
destination = "${NOMAD_SECRETS_DIR}/config.yml"
}
csi_plugin {
# must match --csi-name arg
id = "org.democratic-csi.nfs"
type = "controller"
mount_dir = "/csi"
}
resources {
cpu = [[ .democratic_csi.node_resources.cpu ]]
memory = [[ .democratic_csi.node_resources.memory ]]
}
}
}
[[ end ]]
}
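Review bot: The `nfs-controller` task sizes itself from `node_resources` (`cpu = [[ .democratic_csi.node_resources.cpu ]]` and `memory = [[ .democratic_csi.node_resources.memory ]]`) although it is a controller exactly like the iSCSI task above, which uses `ctl_resources`; both lines should read `cpu = [[ .democratic_csi.ctl_resources.cpu ]]` / `memory = [[ .democratic_csi.ctl_resources.memory ]]`, otherwise tuning `ctl_resources` only affects one of the two controllers. The NFS task also logs at `--log-level=silly` while iSCSI uses `info`; this looks like a leftover debug setting and would be better driven by one variable shared by both tasks. Both controller tasks run `privileged = true` with `network_mode = "host"` and `userns_mode = "host"`, yet the controller only talks to the TrueNAS API; confirm these are actually required in `--csi-mode=controller` (they are typically needed by node plugins that mount volumes) and drop them, or add a comment explaining why they are kept.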


@ -0,0 +1,3 @@
path "[[ .common.vault_prefix ]]kv/service/democratic-csi" {
capabilities = ["read"]
}


@ -0,0 +1,165 @@
variable "image" {
description = "Docker image to use"
type = string
default = "danielberteaud/democratic-csi:latest"
}
variable "enable_iscsi" {
description = "Enable iSCSI driver"
type = bool
default = true
}
variable "enable_nfs" {
description = "Enable NFS driver"
type = bool
default = true
}
variable "ctl_resources" {
description = "Resources allocation for each controller instance"
type = object({
cpu = number
memory = number
})
default = {
cpu = 100
memory = 192
}
}
variable "node_resources" {
description = "Resources allocation for each node instance"
type = object({
cpu = number
memory = number
})
default = {
cpu = 100
memory = 192
}
}
variable "ctl_count" {
description = "Number of controller instances to run"
type = number
default = 1
}
variable "freenas_api_scheme" {
description = "Scheme to use to connect on FreeNAS API"
type = string
default = "http"
}
variable "freenas_api_host" {
description = "Host to connect to the FreeNAS API"
type = string
default = "freenas"
}
variable "freenas_api_port" {
description = "Port to connect to the FreNAS API"
type = number
default = 80
}
variable "freenas_api_insecure" {
description = "If insecure is enabled, no certificate verification will be done"
type = bool
default = false
}
variable "iscsi_zfs_parent" {
description = "Parent ZFS dataset where zvols will be created"
type = string
default = "zpool/csi/iscsi"
}
variable "iscsi_zfs_snap_parent" {
description = "Parent ZFS dataset where detached snapshots will be stored. Should not be nested with iscsi_zfs_parent"
type = string
default = "zpool/csi/iscsisnap"
}
variable "iscsi_zfs_reservation" {
description = "Should ZFS reservation be used"
type = bool
default = false
}
variable "iscsi_zfs_blocksize" {
description = "volblocksize of the zvol created through the CSI interface"
type = string
default = "16K"
}
variable "iscsi_portals" {
description = "List of portals to connect to (can specify several for multipath)"
type = list(string)
default = [
"10.99.3.27:3260"
]
}
variable "iscsi_portal_group_id" {
description = "The portal group ID to use on FreeNAS"
type = number
default = 1
}
variable "iscsi_initiator_group_id" {
description = "The initiator group ID to use on FreeNAS"
type = number
default = 1
}
variable "iscsi_auth_type" {
description = "iSCSI auth type : can be None, CHAP or CHAP Mutual"
type = string
default = "None"
}
variable "iscsi_auth_group_id" {
description = "If auth is enabled, define the auth group ID from FreeNAS to use"
type = number
default = 1
}
variable "nfs_zfs_parent" {
description = "ZFS parent dataset where NFS datasets will be created as children"
type = string
default = "zpool/csi/nfs"
}
variable "nfs_zfs_snap_parent" {
description = "Parent ZFS dataset where detached snapshots will be stored. Should not be nested with nfs_zfs_parent"
type = string
default = "zpool/csi/nfssnap"
}
variable "nfs_zfs_quota" {
description = "Should ZFS quota be used on datasets"
type = bool
default = false
}
variable "nfs_zfs_reservation" {
description = "Should ZFS reservation should be used on datasets"
type = bool
default = false
}
variable "nfs_server" {
description = "IP or hostname to reach FreeNAS NFS service"
type = string
default = "10.99.3.27"
}
variable "nfs_allowed_networks" {
description = "List of CIDR allowed to access NFS shared created with the CSI interface"
type = list(string)
default = [
"10.99.9.0/24"
]
}
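Review bot: Several new variable descriptions have typos that end up in the pack's generated documentation: `freenas_api_port` says `FreNAS`, `nfs_zfs_reservation` says `Should ZFS reservation should be used on datasets`, and `nfs_allowed_networks` says `NFS shared created`. Suggest `description = "Port to connect to the FreeNAS API"`, `description = "Should ZFS reservation be used on datasets"` and `description = "List of CIDR allowed to access NFS shares created with the CSI interface"`. The `iscsi_auth_group_id` and `iscsi_auth_type` descriptions could also cross-reference each other, since the former is only meaningful when the latter is not `None`.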


@ -0,0 +1 @@
foo = "bar"


@ -1,87 +0,0 @@
job "democratic-csi-controller" {
datacenters = ["dc1"]
group "iscsi" {
task "iscsi-controller" {
driver = "docker"
config {
image = "danielberteaud/democratic-csi:latest"
args = [
"--csi-version=1.5.0",
"--csi-name=org.democratic-csi.iscsi",
"--driver-config-file=${NOMAD_SECRETS_DIR}/config.yml",
"--log-level=info",
"--csi-mode=controller",
"--server-socket=/csi/csi.sock",
]
network_mode = "host"
privileged = true
userns_mode = "host"
}
template {
data = <<-EOF
driver: freenas-api-iscsi
instance_id:
httpConnection:
protocol: {{ env "TRUENAS_API_SCHEME" }}
host: {{ env "TRUENAS_API_HOST" }}
port: {{ env "TRUENAS_API_PORT" }}
apiKey: {{ with secret (printf "%skv/service/democratic-csi" (env "VAULT_PREFIX")) }}{{ .Data.data.truenas_api_key }}{{ end }}
allowInsecure: {{ env "TRUENAS_API_INSECURE" }}
apiVersion: 2
zfs:
datasetParentName: {{ env "ZFS_PARENT" }}
detachedSnapshotsDatasetParentName: {{ env "ZFS_SNAP_PARENT" }}
zvolCompression:
zvolDedup:
zvolEnableReservation: {{ env "ZFS_RESERVATION" }}
zvolBlocksize: {{ env "ZFS_BLOCKSIZE" }}
iscsi:
targetPortals:
{{ range $idx, $portal := (env "ISCSI_PORTALS" | split ",") }}
- {{ $portal }}{{ end }}
interface:
namePrefix: ""
nameSuffix: ""
targetGroups:
- targetGroupPortalGroup: 1
targetGroupInitiatorGroup: 1
targetGroupAuthType: None
targetGroupAuthGroup:
extentInsecureTpc: true
extentXenCompat: false
extentDisablePhysicalBlocksize: false
extentBlocksize: 512
extentRpm: "SSD"
extentAvailThreshold: 0
EOF
destination = "${NOMAD_SECRETS_DIR}/config.yml"
}
csi_plugin {
# must match --csi-name arg
id = "org.democratic-csi.iscsi"
type = "controller"
mount_dir = "/csi"
}
resources {
cpu = 100
memory = 192
}
}
}
}


@ -1,47 +0,0 @@
job "democratic-csi-controller" {
datacenters = ["dc1"]
group "iscsi" {
task "iscsi-controller" {
driver = "docker"
config {
image = "[[ .democratic_csi_freenas_api.image ]]"
args = [
"--csi-version=1.5.0",
"--csi-name=org.democratic-csi.iscsi",
"--driver-config-file=${NOMAD_SECRETS_DIR}/config.yml",
"--log-level=info",
"--csi-mode=controller",
"--server-socket=/csi/csi.sock"
]
network_mode = "host"
privileged = true
userns_mode = "host"
}
template {
data =<<-EOF
[[ fileContents "files/iscsi/controller.yml.tpl" ]]
EOF
destination = "${NOMAD_SECRETS_DIR}/config.yml"
}
csi_plugin {
# must match --csi-name arg
id = "org.democratic-csi.iscsi"
type = "controller"
mount_dir = "/csi"
}
resources {
cpu = [[ .democratic_csi_freenas_api.resources.cpu ]]
memory = [[ .democratic_csi_freenas_api.resources.memory ]]
}
}
}
}


@ -1,3 +0,0 @@
path "[[ .democratic_csi_freenas_api.vault_prefix ]]kv/service/democratic-csi" {
capabilities = ["read"]
}


@ -1,27 +0,0 @@
variable "vault_prefix" {
type = string
default = ""
}
variable "namespace" {
type = string
default = "default"
}
variable "image" {
description = "Docker image to use"
type = string
default = "danielberteaud/democratic-csi:latest"
}
variable "resources" {
description = "Resources allocation for each instance"
type = object({
cpu = number
memory = number
})
default = {
cpu = 100
memory = 192
}
}


@ -0,0 +1,271 @@
job "traefik" {
datacenters = ["dc1"]
namespace = local.conf.namespace
group "traefik" {
count = local.conf.traefik_count
shutdown_delay = "6s"
# Un volume NFS est utilisé pour stocker les certificats Let's Encrypt
volume "traefik" {
type = "csi"
source = "traefik${local.conf.env_suffix}"
attachment_mode = "file-system"
access_mode = "single-node-writer"
# Traefik ne permet pas de partager le fichier acme.json entre plusieurs instances
# On va donc utiliser un volume séparé pour chaque instance (traefik[0] et traefik[1])
per_alloc = true
}
network {
mode = "bridge"
# Traefik utilise un compte non privilégié, et donc ne peut pas binder sur les ports < 1024
# On va donc le faire écouter sur les ports 5080 et 5443 et ces ports seronts exposés à l'extérieur sur les ports 80 et 443
port "http" {
static = 80
to = 5080
}
port "https" {
static = 443
to = 5443
}
port "syslog" {
static = 514
to = 5514
}
port "metrics" {}
}
service {
name = "traefik-sidecar${local.conf.env_suffix}"
port = "https"
# Pour joindre proxyout et MariaDB via une terminating gateway
connect {
sidecar_service {
proxy {
upstreams {
destination_name = "proxyout"
local_bind_port = 3128
}
upstreams {
destination_name = "db-mysql"
local_bind_port = 3306
}
}
}
sidecar_task {
resources {
cpu = local.conf.sidecar_cpu
memory = local.conf.sidecar_memory
}
}
}
}
# Définition du service, et des checks
service {
name = "traefik"
port = "https"
task = "traefik"
meta {
metrics-port = "${NOMAD_HOST_PORT_metrics}"
alloc = "${NOMAD_ALLOC_INDEX}"
}
check_restart {
limit = 3
grace = "10s"
}
check {
type = "tcp"
port = "http"
interval = "10s"
timeout = "2s"
}
check {
type = "tcp"
port = "https"
interval = "10s"
timeout = "2s"
}
# Traefik peut se connecter nativement au service mesh de Consul
connect {
native = true
}
# On permet de rendre l'API et le dashboard de Traefik accessible via lui même
# On on obtient un certificat auprès de Let's Encrypt pour ces vhosts
tags = [
"traefik.enable=true",
"traefik.http.routers.traefik-api.rule=Host(`traefik${env_suffix}.service.${local.conf.ct_domain}`,`${local.conf.tools_vhost}`) && PathPrefix(`/api`,`/traefik`)",
"traefik.http.routers.traefik-api.entryPoints=https",
"traefik.http.routers.traefik-api.service=api@internal",
"traefik.http.routers.traefik-api.tls=true",
"traefik.http.routers.traefik-api.tls.certresolver=le",
"traefik.http.routers.traefik-ping.rule=Host(`traefik${env_suffix}.service.${local.conf.ct_domain}`,`${local.conf.tools_vhost}`) && Path(`/ping`) && Method(`GET`)",
"traefik.http.routers.traefik-ping.entryPoints=https",
"traefik.http.routers.traefik-ping.service=ping@internal",
"traefik.http.routers.traefik-ping.tls=true",
"traefik.http.routers.traefik-ping.tls.certresolver=le",
"traefik.http.routers.traefik-ping.middlewares=${local.conf.traefik_ping_middlewares}",
"traefik.http.middlewares.traefik-path.replacepathregex.regex=^/traefik/(.*)",
"traefik.http.middlewares.traefik-path.replacepathregex.replacement=/dashboard/$${1}",
"traefik.http.routers.traefik-api.middlewares=${local.conf.traefik_api_middlewares},traefik-path",
]
}
task "llng-handler" {
driver = "docker"
config {
image = local.conf.llng_handler_image
volumes = [
"secrets/lemonldap-ng.ini:/etc/lemonldap-ng/lemonldap-ng.ini:ro",
]
}
lifecycle {
hook = "prestart"
sidecar = true
}
vault {
policies = ["traefik${local.conf.env_suffix}"]
}
template {
data = file("templates/lemonldap-ng.ini.tpl")
destination = "secrets/lemonldap-ng.ini"
perms = "0400"
uid = 100048
gid = 100048
}
env {
LLNG_DB_USER = local.conf.llng_db_user
LLNG_DB_NAME = local.conf.llng_db_name
LLNG_HANDLER_PORT = local.conf.llng_handler_port
}
resources {
cpu = local.conf.llng_handler_cpu
memory = local.conf.llng_handler_memory
}
}
task "metrics-proxy" {
driver = "docker"
config {
image = "oci.ehtrace.com/metrics-proxy:latest"
}
lifecycle {
hook = "poststart"
sidecar = true
}
vault {
policies = ["metrics${local.conf.env_suffix}"]
}
env {
METRICS_URL = "http://localhost:9500/metrics"
PKI_PATH = local.conf.monitoring_vault_pki_path
}
template {
data = file("../common/templates/metrics/cert.tpl")
destination = "secrets/metrics.bundle.pem"
}
template {
data = file("../common/templates/metrics/ca.tpl")
destination = "local/monitoring.ca.pem"
}
resources {
cpu = 10
memory = 12
}
}
task "traefik" {
driver = "docker"
# La tâche nécessite une policy vault, qui servira à
# - obtenir un token Consul (pour consulter le catalogue)
# - obtenir la clé d'API Gandi pour les challenges ACME DNS-01
vault {
policies = ["traefik${local.conf.env_suffix}"]
}
# On monte le volume NFS sur /storage
volume_mount {
volume = "traefik"
destination = "/storage"
}
config {
image = local.conf.traefik_image
volumes = [
"local/traefik.yml:/etc/traefik/traefik.yml:ro",
"local/plugins:/plugins-storage"
]
}
env {
# Les appels à l'API Gandi doivent passer par le proxy sortant
HTTPS_PROXY = "http://localhost:3128"
HTTP_PROXY = "http://localhost:3128"
NO_PROXY = local.conf.traefik_no_proxy
LLNG_HANDLER_PORT = local.conf.llng_handler_port
}
# Ce fichier contient la clé d'API de Gandi
template {
data = <<-EOF
GANDIV5_API_KEY={{ with secret "kv/common/letsencrypt" }}{{ .Data.data.GANDIV5_API_KEY }}{{ end }}
EOF
destination = "secrets/env"
env = true
perms = "0400"
uid = 100000
gid = 100000
}
# Main traefik configuration
template {
data = file("./templates/traefik.yml.tpl")
destination = "local/traefik.yml"
perms = "0400"
uid = 100000
gid = 100000
}
# Traefik config is split into several other config files
dynamic "template" {
for_each = fileset("templates/config/", "*.yml.tpl")
content {
data = file("templates/config/${template.value}")
destination = "secrets/config/${replace(template.value, ".tpl", "")}"
perms = "0400"
uid = 100000
gid = 100000
change_mode = "signal"
change_signal = "SIGHUP"
}
}
resources {
cpu = local.conf.traefik_cpu
memory = local.conf.traefik_memory
}
}
}
}
variable "env" {
type = string
}
locals {
defaults = yamldecode(file("vars/defaults.yml"))
global_env = yamldecode(fileexists("../common/vars/${var.env}.yml") ? file("../common/vars/${var.env}.yml") : "a: b")
job_env = yamldecode(fileexists("vars/${var.env}.yml") ? file("vars/${var.env}.yml") : "a: b")
conf = merge(local.defaults, local.global_env, local.job_env)
}
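Review bot: The two router rules in the `traefik` service tags reference `${env_suffix}` unqualified (`Host(\`traefik${env_suffix}.service.${local.conf.ct_domain}\`…`) while every other interpolation in the job goes through `local.conf.env_suffix`; the file only declares `variable "env"`, so this should fail HCL evaluation with an unknown variable rather than render the intended host. Both the `traefik-api.rule` and `traefik-ping.rule` tags should use `traefik${local.conf.env_suffix}.service.${local.conf.ct_domain}`. The `metrics-proxy` task is the only one with a hard-coded image, `oci.ehtrace.com/metrics-proxy:latest`, the others come from `local.conf`; `image = local.conf.metrics_proxy_image` would keep the pattern. The `traefik-api` router publishes `api@internal` on the `https` entrypoint and relies entirely on `${local.conf.traefik_api_middlewares}` for access control; a comment next to that tag stating that the variable must carry an authentication middleware would make the dependency explicit for whoever edits the defaults.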