First try with democratic csi
This commit is contained in:
parent
36c861bd27
commit
1bfd36134c
|
@ -1,9 +1,17 @@
|
|||
variable "vault_prefix" {
|
||||
description = "Prefix to use in vault path"
|
||||
type = string
|
||||
default = ""
|
||||
}
|
||||
|
||||
variable "namespace" {
|
||||
description = "Nomad namespace where job should be submited"
|
||||
type = string
|
||||
default = "default"
|
||||
}
|
||||
|
||||
variable "env_suffix" {
|
||||
description = "Optional suffix to appened to service names, so you can run different env on the same Consul cluster"
|
||||
type = string
|
||||
default = ""
|
||||
}
|
||||
|
|
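Review bot: The two new descriptions carry typos that will surface in `nomad-pack info` output: `submited` in the `namespace` variable and `appened` in the `env_suffix` variable. Suggested wording: `description = "Nomad namespace where the job should be submitted"` and `description = "Optional suffix appended to service names, so you can run different envs on the same Consul cluster"`. The `env_suffix` variable is used by the job templates later in this commit to suffix the Vault policy name, so it is worth saying so in the description as well.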
Binary file not shown.
|
@ -0,0 +1 @@
|
|||
../../common/
|
|
@ -3,7 +3,7 @@ driver: freenas-api-iscsi
|
|||
instance_id:
|
||||
|
||||
httpConnection:
|
||||
protocol: {{ env "TRUENAS_API_SCHEME" }}
|
||||
protocol: [[ .common.namespace ]]
|
||||
host: {{ env "TRUENAS_API_HOST" }}
|
||||
port: {{ env "TRUENAS_API_PORT" }}
|
||||
apiKey: {{ with secret (printf "%skv/service/democratic-csi" (env "VAULT_PREFIX")) }}{{ .Data.data.truenas_api_key }}{{ end }}
|
|
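Review bot: `protocol: [[ .common.namespace ]]` feeds the Nomad namespace into the TrueNAS `httpConnection.protocol` field, which takes a URL scheme; the new `iscsi_controller` and `nfs_controller` templates in this commit render it as `protocol: [[ .democratic_csi.freenas_api_scheme ]]`, and this line should do the same, assuming it is the added side of the hunk. The neighbouring `apiKey` line still builds the Vault path with `printf "%skv/service/democratic-csi" (env "VAULT_PREFIX")`, whereas the new templates use `[[ .common.vault_prefix ]]`, which suggests this file is a leftover of the pre-pack layout; the old job that loaded `files/iscsi/controller.yml.tpl` is deleted in this commit, so confirm whether anything still references this file and drop it if not. The file starts before this hunk.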
@ -3,10 +3,10 @@ app {
|
|||
}
|
||||
|
||||
pack {
|
||||
name = "democratic_csi_freenas_api"
|
||||
name = "democratic_csi"
|
||||
description = "CSI plugin for Nomad to use storage (NFS and iSCSI) from FreeNAS / TrueNAS"
|
||||
url = "https://git.lapiole.org/infra/nomad/packs/democfratic_csi_freenas_api"
|
||||
version = "0.0.1"
|
||||
url = "https://git.lapiole.org/infra/nomad/packs/democfratic_csi"
|
||||
version = "0.0.1"
|
||||
}
|
||||
|
||||
dependency "common" {
|
|
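Review bot: The new `url` keeps the misspelling `democfratic_csi` from the old line while the pack is renamed to `democratic_csi` on the `name` line just above; if the repository path really is spelled like the pack name, the line should read `url = "https://git.lapiole.org/infra/nomad/packs/democratic_csi"`. The `dependency "common"` block continues outside the hunk.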
@ -0,0 +1,166 @@
|
|||
job "democratic-csi-controller" {
|
||||
datacenters = ["dc1"]
|
||||
|
||||
group "iscsi" {
|
||||
count = 1
|
||||
|
||||
task "iscsi-controller" {
|
||||
driver = "docker"
|
||||
|
||||
config {
|
||||
image = "danielberteaud/democratic-csi:latest"
|
||||
|
||||
args = [
|
||||
"--csi-version=1.5.0",
|
||||
"--csi-name=org.democratic-csi.iscsi",
|
||||
"--driver-config-file=${NOMAD_SECRETS_DIR}/config.yml",
|
||||
"--log-level=info",
|
||||
"--csi-mode=controller",
|
||||
"--server-socket=/csi/csi.sock",
|
||||
]
|
||||
|
||||
network_mode = "host"
|
||||
privileged = true
|
||||
userns_mode = "host"
|
||||
}
|
||||
|
||||
vault {
|
||||
policies = ["democratic-csi"]
|
||||
}
|
||||
|
||||
template {
|
||||
data = <<-EOF
|
||||
driver: freenas-api-iscsi
|
||||
instance_id:
|
||||
|
||||
httpConnection:
|
||||
protocol: http
|
||||
host: freenas
|
||||
port: 80
|
||||
apiKey: {{ with secret "kv/service/democratic-csi" }}{{ .Data.data.truenas_api_key }}{{ end }}
|
||||
allowInsecure: false
|
||||
apiVersion: 2
|
||||
|
||||
zfs:
|
||||
datasetParentName: zpool/csi/iscsi
|
||||
detachedSnapshotsDatasetParentName: zpool/csi/iscsisnap
|
||||
zvolEnableReservation: false
|
||||
zvolBlocksize: 16K
|
||||
|
||||
iscsi:
|
||||
targetPortals:
|
||||
- 10.99.3.27:3260
|
||||
interface:
|
||||
|
||||
namePrefix: ""
|
||||
nameSuffix: ""
|
||||
|
||||
targetGroups:
|
||||
- targetGroupPortalGroup: 1
|
||||
targetGroupInitiatorGroup: 1
|
||||
targetGroupAuthType: None
|
||||
targetGroupAuthGroup: 1
|
||||
|
||||
extentInsecureTpc: true
|
||||
extentXenCompat: false
|
||||
extentDisablePhysicalBlocksize: false
|
||||
extentBlocksize: 512
|
||||
extentRpm: "SSD"
|
||||
extentAvailThreshold: 0
|
||||
EOF
|
||||
|
||||
destination = "${NOMAD_SECRETS_DIR}/config.yml"
|
||||
}
|
||||
|
||||
csi_plugin {
|
||||
# must match --csi-name arg
|
||||
id = "org.democratic-csi.iscsi"
|
||||
type = "controller"
|
||||
mount_dir = "/csi"
|
||||
}
|
||||
|
||||
resources {
|
||||
cpu = 100
|
||||
memory = 192
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
group "nfs" {
|
||||
count = 1
|
||||
|
||||
task "nfs-controller" {
|
||||
driver = "docker"
|
||||
|
||||
config {
|
||||
image = "danielberteaud/democratic-csi:latest"
|
||||
|
||||
args = [
|
||||
"--csi-version=1.5.0",
|
||||
"--csi-name=org.democratic-csi.nfs",
|
||||
"--driver-config-file=${NOMAD_SECRETS_DIR}/config.yml",
|
||||
"--log-level=silly",
|
||||
"--csi-mode=controller",
|
||||
"--server-socket=/csi/csi.sock",
|
||||
]
|
||||
|
||||
network_mode = "host"
|
||||
privileged = true
|
||||
userns_mode = "host"
|
||||
}
|
||||
|
||||
vault {
|
||||
policies = ["democratic-csi"]
|
||||
}
|
||||
|
||||
template {
|
||||
data = <<-EOF
|
||||
driver: freenas-api-nfs
|
||||
instance_id:
|
||||
|
||||
httpConnection:
|
||||
protocol: http
|
||||
host: freenas
|
||||
port: 80
|
||||
apiKey: {{ with secret "kv/service/democratic-csi" }}{{ .Data.data.truenas_api_key }}{{ end }}
|
||||
allowInsecure: false
|
||||
apiVersion: 2
|
||||
|
||||
zfs:
|
||||
datasetParentName: zpool/csi/nfs
|
||||
detachedSnapshotsDatasetParentName: zpool/csi/nfssnap
|
||||
datasetEnableQuotas: false
|
||||
datasetEnableReservation: false
|
||||
datasetPermissionsMode: "0770"
|
||||
datasetPermissionsUser: 0
|
||||
datasetPermissionsGroup: 0
|
||||
|
||||
nfs:
|
||||
shareHost: 10.99.3.27
|
||||
shareAlldirs: false
|
||||
shareAllowedHosts: []
|
||||
shareAllowedNetworks:
|
||||
- 10.99.9.0/24
|
||||
shareMaprootUser: root
|
||||
shareMaprootGroup: root
|
||||
shareMapallUser: ""
|
||||
shareMapallGroup: ""
|
||||
EOF
|
||||
|
||||
destination = "${NOMAD_SECRETS_DIR}/config.yml"
|
||||
}
|
||||
|
||||
csi_plugin {
|
||||
# must match --csi-name arg
|
||||
id = "org.democratic-csi.nfs"
|
||||
type = "controller"
|
||||
mount_dir = "/csi"
|
||||
}
|
||||
|
||||
resources {
|
||||
cpu = 100
|
||||
memory = 192
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
|
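Review bot: The `nfs-controller` task runs with `--log-level=silly` while `iscsi-controller` uses `--log-level=info` (the templated job later in this commit has the same mismatch); silly is the most verbose level democratic-csi offers and the task's config file holds the TrueNAS API key, so the risk is that request details including credentials land in the allocation logs, align both on `"--log-level=info",`. Both tasks also set `privileged = true`, `network_mode = "host"` and `userns_mode = "host"` for a controller whose visible work is an HTTPS/HTTP call to TrueNAS and a unix socket under `/csi`; whether controller mode needs any of these is not shown here, so a comment on each line stating why it is required (or dropping the ones that are not) would help. This file repeats, with literal values, exactly what the `iscsi_controller`/`nfs_controller` templates and the variable defaults express; if it is meant as a rendered example, a header comment saying so would keep it from drifting from the templates.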
@ -0,0 +1,39 @@
|
|||
[[- define "iscsi_controller" -]]
|
||||
driver: freenas-api-iscsi
|
||||
instance_id:
|
||||
|
||||
httpConnection:
|
||||
protocol: [[ .democratic_csi.freenas_api_scheme ]]
|
||||
host: [[ .democratic_csi.freenas_api_host ]]
|
||||
port: [[ .democratic_csi.freenas_api_port ]]
|
||||
apiKey: {{ with secret "[[ .common.vault_prefix ]]kv/service/democratic-csi" }}{{ .Data.data.truenas_api_key }}{{ end }}
|
||||
allowInsecure: [[ if eq .democratic_csi.freenas_api_insecure true ]]true[[ else ]]false[[ end ]]
|
||||
apiVersion: 2
|
||||
|
||||
zfs:
|
||||
datasetParentName: [[ .democratic_csi.iscsi_zfs_parent ]]
|
||||
detachedSnapshotsDatasetParentName: [[ .democratic_csi.iscsi_zfs_snap_parent ]]
|
||||
zvolEnableReservation: [[ .democratic_csi.iscsi_zfs_reservation ]]
|
||||
zvolBlocksize: [[ .democratic_csi.iscsi_zfs_blocksize ]]
|
||||
|
||||
iscsi:
|
||||
targetPortals: [[ range $idx, $portal := .democratic_csi.iscsi_portals ]]
|
||||
- [[ $portal ]][[ end ]]
|
||||
interface:
|
||||
|
||||
namePrefix: ""
|
||||
nameSuffix: ""
|
||||
|
||||
targetGroups:
|
||||
- targetGroupPortalGroup: [[ .democratic_csi.iscsi_portal_group_id ]]
|
||||
targetGroupInitiatorGroup: [[ .democratic_csi.iscsi_initiator_group_id ]]
|
||||
targetGroupAuthType: [[ .democratic_csi.iscsi_auth_type ]]
|
||||
targetGroupAuthGroup: [[ .democratic_csi.iscsi_auth_group_id ]]
|
||||
|
||||
extentInsecureTpc: true
|
||||
extentXenCompat: false
|
||||
extentDisablePhysicalBlocksize: false
|
||||
extentBlocksize: 512
|
||||
extentRpm: "SSD"
|
||||
extentAvailThreshold: 0
|
||||
[[- end -]]
|
|
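Review bot: `extentInsecureTpc: true`, `extentXenCompat`, `extentDisablePhysicalBlocksize`, `extentBlocksize`, `extentRpm` and `extentAvailThreshold` stay hard-coded while every neighbouring iSCSI setting (`targetGroupAuthType`, the group ids, the portals) became a pack variable; either expose them the same way or add a comment above `extentInsecureTpc` saying they are intentionally fixed, the first one in particular since its name indicates a relaxed security mode on the extent and the reason for enabling it is not recorded anywhere in the pack. The `targetPortals:` range renders nothing when `iscsi_portals` is empty, leaving a null value the driver may or may not reject; the `iscsi_portals` description should state that at least one portal is required.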
@ -0,0 +1,32 @@
|
|||
[[- define "nfs_controller" -]]
|
||||
driver: freenas-api-nfs
|
||||
instance_id:
|
||||
|
||||
httpConnection:
|
||||
protocol: [[ .democratic_csi.freenas_api_scheme ]]
|
||||
host: [[ .democratic_csi.freenas_api_host ]]
|
||||
port: [[ .democratic_csi.freenas_api_port ]]
|
||||
apiKey: {{ with secret "[[ .common.vault_prefix ]]kv/service/democratic-csi" }}{{ .Data.data.truenas_api_key }}{{ end }}
|
||||
allowInsecure: [[ if eq .democratic_csi.freenas_api_insecure true ]]true[[ else ]]false[[ end ]]
|
||||
apiVersion: 2
|
||||
|
||||
zfs:
|
||||
datasetParentName: [[ .democratic_csi.nfs_zfs_parent ]]
|
||||
detachedSnapshotsDatasetParentName: [[ .democratic_csi.nfs_zfs_snap_parent ]]
|
||||
datasetEnableQuotas: [[ .democratic_csi.nfs_zfs_quota ]]
|
||||
datasetEnableReservation: [[ .democratic_csi.nfs_zfs_reservation ]]
|
||||
datasetPermissionsMode: "0770"
|
||||
datasetPermissionsUser: 0
|
||||
datasetPermissionsGroup: 0
|
||||
|
||||
nfs:
|
||||
shareHost: [[ .democratic_csi.nfs_server ]]
|
||||
shareAlldirs: false
|
||||
shareAllowedHosts: []
|
||||
shareAllowedNetworks:[[ range $idx, $cidr := .democratic_csi.nfs_allowed_networks ]]
|
||||
- [[ $cidr ]][[ end ]]
|
||||
shareMaprootUser: root
|
||||
shareMaprootGroup: root
|
||||
shareMapallUser: ""
|
||||
shareMapallGroup: ""
|
||||
[[- end -]]
|
|
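Review bot: `shareMaprootUser: root` / `shareMaprootGroup: root` disable root squash on every export this controller creates, and with `datasetPermissionsMode: "0770"` owned by uid/gid 0 the `shareAllowedNetworks` list is the only thing limiting who can mount and write them; that is presumably needed because the node plugin mounts the volumes as root, but it is hard-coded while the allowed networks are a variable, so a comment above `nfs:` recording that root squash is deliberately off and that `nfs_allowed_networks` must stay tight would help the next operator. `shareAllowedNetworks:[[ range …` renders an empty value when `nfs_allowed_networks` is empty, and the template does not say whether TrueNAS treats that as deny-all or allow-all; the variable description should make the expectation explicit.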
@ -0,0 +1,106 @@
|
|||
job "democratic-csi-controller" {
|
||||
datacenters = ["dc1"]
|
||||
|
||||
[[ if eq .democratic_csi.enable_iscsi true ]]
|
||||
group "iscsi" {
|
||||
|
||||
count = [[ .democratic_csi.ctl_count ]]
|
||||
|
||||
task "iscsi-controller" {
|
||||
|
||||
driver = "docker"
|
||||
|
||||
config {
|
||||
image = "[[ .democratic_csi.image ]]"
|
||||
args = [
|
||||
"--csi-version=1.5.0",
|
||||
"--csi-name=org.democratic-csi.iscsi",
|
||||
"--driver-config-file=${NOMAD_SECRETS_DIR}/config.yml",
|
||||
"--log-level=info",
|
||||
"--csi-mode=controller",
|
||||
"--server-socket=/csi/csi.sock"
|
||||
]
|
||||
|
||||
network_mode = "host"
|
||||
privileged = true
|
||||
userns_mode = "host"
|
||||
}
|
||||
|
||||
vault {
|
||||
policies = ["democratic-csi[[ .common.env_suffix ]]"]
|
||||
}
|
||||
|
||||
template {
|
||||
data =<<-EOF
|
||||
[[ template "iscsi_controller" . ]]
|
||||
EOF
|
||||
destination = "${NOMAD_SECRETS_DIR}/config.yml"
|
||||
}
|
||||
|
||||
csi_plugin {
|
||||
# must match --csi-name arg
|
||||
id = "org.democratic-csi.iscsi"
|
||||
type = "controller"
|
||||
mount_dir = "/csi"
|
||||
}
|
||||
|
||||
resources {
|
||||
cpu = [[ .democratic_csi.ctl_resources.cpu ]]
|
||||
memory = [[ .democratic_csi.ctl_resources.memory ]]
|
||||
}
|
||||
}
|
||||
}
|
||||
[[ end ]]
|
||||
|
||||
[[ if eq .democratic_csi.enable_nfs true ]]
|
||||
group "nfs" {
|
||||
|
||||
count = [[ .democratic_csi.ctl_count ]]
|
||||
|
||||
task "nfs-controller" {
|
||||
|
||||
driver = "docker"
|
||||
|
||||
config {
|
||||
image = "[[ .democratic_csi.image ]]"
|
||||
|
||||
args = [
|
||||
"--csi-version=1.5.0",
|
||||
"--csi-name=org.democratic-csi.nfs",
|
||||
"--driver-config-file=${NOMAD_SECRETS_DIR}/config.yml",
|
||||
"--log-level=silly",
|
||||
"--csi-mode=controller",
|
||||
"--server-socket=/csi/csi.sock"
|
||||
]
|
||||
|
||||
network_mode = "host"
|
||||
privileged = true
|
||||
userns_mode = "host"
|
||||
}
|
||||
|
||||
vault {
|
||||
policies = ["democratic-csi[[ .common.env_suffix ]]"]
|
||||
}
|
||||
|
||||
template {
|
||||
data = <<-EOF
|
||||
[[ template "nfs_controller" . ]]
|
||||
EOF
|
||||
destination = "${NOMAD_SECRETS_DIR}/config.yml"
|
||||
}
|
||||
|
||||
csi_plugin {
|
||||
# must match --csi-name arg
|
||||
id = "org.democratic-csi.nfs"
|
||||
type = "controller"
|
||||
mount_dir = "/csi"
|
||||
}
|
||||
|
||||
resources {
|
||||
cpu = [[ .democratic_csi.node_resources.cpu ]]
|
||||
memory = [[ .democratic_csi.node_resources.memory ]]
|
||||
}
|
||||
}
|
||||
}
|
||||
[[ end ]]
|
||||
}
|
|
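Review bot: The `nfs-controller` task sizes itself from `node_resources` (`cpu = [[ .democratic_csi.node_resources.cpu ]]`, `memory = [[ .democratic_csi.node_resources.memory ]]`) while `iscsi-controller` in the same job uses `ctl_resources`; `ctl_resources` is documented as the controller allocation, so this looks like a copy-paste slip and the two lines should read `cpu = [[ .democratic_csi.ctl_resources.cpu ]]` and `memory = [[ .democratic_csi.ctl_resources.memory ]]`. The Vault policy name `democratic-csi[[ .common.env_suffix ]]` is suffixed per environment, but the secret path read by the `iscsi_controller`/`nfs_controller` templates and granted in the policy file is `[[ .common.vault_prefix ]]kv/service/democratic-csi` with no suffix, so two environments on one cluster would share a single TrueNAS API key; if that is intended, a comment on the `vault` block should say so, otherwise suffix the path too. The `--log-level=silly` / `--log-level=info` mismatch between the two tasks is raised on the rendered job file above.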
@ -0,0 +1,3 @@
|
|||
path "[[ .common.vault_prefix ]]kv/service/democratic-csi" {
|
||||
capabilities = ["read"]
|
||||
}
|
|
@ -0,0 +1,165 @@
|
|||
variable "image" {
|
||||
description = "Docker image to use"
|
||||
type = string
|
||||
default = "danielberteaud/democratic-csi:latest"
|
||||
}
|
||||
|
||||
variable "enable_iscsi" {
|
||||
description = "Enable iSCSI driver"
|
||||
type = bool
|
||||
default = true
|
||||
}
|
||||
|
||||
variable "enable_nfs" {
|
||||
description = "Enable NFS driver"
|
||||
type = bool
|
||||
default = true
|
||||
}
|
||||
|
||||
variable "ctl_resources" {
|
||||
description = "Resources allocation for each controller instance"
|
||||
type = object({
|
||||
cpu = number
|
||||
memory = number
|
||||
})
|
||||
default = {
|
||||
cpu = 100
|
||||
memory = 192
|
||||
}
|
||||
}
|
||||
|
||||
variable "node_resources" {
|
||||
description = "Resources allocation for each node instance"
|
||||
type = object({
|
||||
cpu = number
|
||||
memory = number
|
||||
})
|
||||
default = {
|
||||
cpu = 100
|
||||
memory = 192
|
||||
}
|
||||
}
|
||||
|
||||
variable "ctl_count" {
|
||||
description = "Number of controller instances to run"
|
||||
type = number
|
||||
default = 1
|
||||
}
|
||||
|
||||
variable "freenas_api_scheme" {
|
||||
description = "Scheme to use to connect on FreeNAS API"
|
||||
type = string
|
||||
default = "http"
|
||||
}
|
||||
|
||||
variable "freenas_api_host" {
|
||||
description = "Host to connect to the FreeNAS API"
|
||||
type = string
|
||||
default = "freenas"
|
||||
}
|
||||
|
||||
variable "freenas_api_port" {
|
||||
description = "Port to connect to the FreNAS API"
|
||||
type = number
|
||||
default = 80
|
||||
}
|
||||
|
||||
variable "freenas_api_insecure" {
|
||||
description = "If insecure is enabled, no certificate verification will be done"
|
||||
type = bool
|
||||
default = false
|
||||
}
|
||||
|
||||
variable "iscsi_zfs_parent" {
|
||||
description = "Parent ZFS dataset where zvols will be created"
|
||||
type = string
|
||||
default = "zpool/csi/iscsi"
|
||||
}
|
||||
|
||||
variable "iscsi_zfs_snap_parent" {
|
||||
description = "Parent ZFS dataset where detached snapshots will be stored. Should not be nested with iscsi_zfs_parent"
|
||||
type = string
|
||||
default = "zpool/csi/iscsisnap"
|
||||
}
|
||||
|
||||
variable "iscsi_zfs_reservation" {
|
||||
description = "Should ZFS reservation be used"
|
||||
type = bool
|
||||
default = false
|
||||
}
|
||||
|
||||
variable "iscsi_zfs_blocksize" {
|
||||
description = "volblocksize of the zvol created through the CSI interface"
|
||||
type = string
|
||||
default = "16K"
|
||||
}
|
||||
|
||||
variable "iscsi_portals" {
|
||||
description = "List of portals to connect to (can specify several for multipath)"
|
||||
type = list(string)
|
||||
default = [
|
||||
"10.99.3.27:3260"
|
||||
]
|
||||
}
|
||||
|
||||
variable "iscsi_portal_group_id" {
|
||||
description = "The portal group ID to use on FreeNAS"
|
||||
type = number
|
||||
default = 1
|
||||
}
|
||||
|
||||
variable "iscsi_initiator_group_id" {
|
||||
description = "The initiator group ID to use on FreeNAS"
|
||||
type = number
|
||||
default = 1
|
||||
}
|
||||
|
||||
variable "iscsi_auth_type" {
|
||||
description = "iSCSI auth type : can be None, CHAP or CHAP Mutual"
|
||||
type = string
|
||||
default = "None"
|
||||
}
|
||||
|
||||
variable "iscsi_auth_group_id" {
|
||||
description = "If auth is enabled, define the auth group ID from FreeNAS to use"
|
||||
type = number
|
||||
default = 1
|
||||
}
|
||||
|
||||
variable "nfs_zfs_parent" {
|
||||
description = "ZFS parent dataset where NFS datasets will be created as children"
|
||||
type = string
|
||||
default = "zpool/csi/nfs"
|
||||
}
|
||||
|
||||
variable "nfs_zfs_snap_parent" {
|
||||
description = "Parent ZFS dataset where detached snapshots will be stored. Should not be nested with nfs_zfs_parent"
|
||||
type = string
|
||||
default = "zpool/csi/nfssnap"
|
||||
}
|
||||
|
||||
variable "nfs_zfs_quota" {
|
||||
description = "Should ZFS quota be used on datasets"
|
||||
type = bool
|
||||
default = false
|
||||
}
|
||||
|
||||
variable "nfs_zfs_reservation" {
|
||||
description = "Should ZFS reservation should be used on datasets"
|
||||
type = bool
|
||||
default = false
|
||||
}
|
||||
|
||||
variable "nfs_server" {
|
||||
description = "IP or hostname to reach FreeNAS NFS service"
|
||||
type = string
|
||||
default = "10.99.3.27"
|
||||
}
|
||||
|
||||
variable "nfs_allowed_networks" {
|
||||
description = "List of CIDR allowed to access NFS shared created with the CSI interface"
|
||||
type = list(string)
|
||||
default = [
|
||||
"10.99.9.0/24"
|
||||
]
|
||||
}
|
|
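Review bot: `freenas_api_scheme` defaults to `"http"`, and the `apiKey` the templates place under `httpConnection` is presumably sent with every TrueNAS API call, so with the default the key crosses the network in clear; say so in the description, e.g. `description = "Scheme to use to connect to the FreeNAS API (http sends the API key in clear, prefer https)"`, and consider an `https` default now that `freenas_api_insecure` exists for self-signed certificates. Several defaults bake site addresses into the pack (`iscsi_portals`, `nfs_server` and `nfs_allowed_networks` all default to 10.99.x values); a pack consumer would not expect those, so either ship them empty or document that they must be overridden per environment. Description typos: `FreNAS` in `freenas_api_port`, `Should ZFS reservation should be used` in `nfs_zfs_reservation`, `NFS shared created` in `nfs_allowed_networks`.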
@ -0,0 +1 @@
|
|||
foo = "bar"
|
|
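Review bot: This new file holds only the placeholder `foo = "bar"`, and nothing visible in the commit references `foo`; it looks like a stub committed by accident, so either fill it in or drop it before this lands.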
@ -1,87 +0,0 @@
|
|||
job "democratic-csi-controller" {
|
||||
datacenters = ["dc1"]
|
||||
|
||||
group "iscsi" {
|
||||
task "iscsi-controller" {
|
||||
driver = "docker"
|
||||
|
||||
config {
|
||||
image = "danielberteaud/democratic-csi:latest"
|
||||
|
||||
args = [
|
||||
"--csi-version=1.5.0",
|
||||
"--csi-name=org.democratic-csi.iscsi",
|
||||
"--driver-config-file=${NOMAD_SECRETS_DIR}/config.yml",
|
||||
"--log-level=info",
|
||||
"--csi-mode=controller",
|
||||
"--server-socket=/csi/csi.sock",
|
||||
]
|
||||
|
||||
network_mode = "host"
|
||||
privileged = true
|
||||
userns_mode = "host"
|
||||
}
|
||||
|
||||
template {
|
||||
data = <<-EOF
|
||||
driver: freenas-api-iscsi
|
||||
|
||||
instance_id:
|
||||
|
||||
httpConnection:
|
||||
protocol: {{ env "TRUENAS_API_SCHEME" }}
|
||||
host: {{ env "TRUENAS_API_HOST" }}
|
||||
port: {{ env "TRUENAS_API_PORT" }}
|
||||
apiKey: {{ with secret (printf "%skv/service/democratic-csi" (env "VAULT_PREFIX")) }}{{ .Data.data.truenas_api_key }}{{ end }}
|
||||
allowInsecure: {{ env "TRUENAS_API_INSECURE" }}
|
||||
apiVersion: 2
|
||||
|
||||
zfs:
|
||||
datasetParentName: {{ env "ZFS_PARENT" }}
|
||||
detachedSnapshotsDatasetParentName: {{ env "ZFS_SNAP_PARENT" }}
|
||||
zvolCompression:
|
||||
zvolDedup:
|
||||
zvolEnableReservation: {{ env "ZFS_RESERVATION" }}
|
||||
zvolBlocksize: {{ env "ZFS_BLOCKSIZE" }}
|
||||
|
||||
iscsi:
|
||||
targetPortals:
|
||||
{{ range $idx, $portal := (env "ISCSI_PORTALS" | split ",") }}
|
||||
- {{ $portal }}{{ end }}
|
||||
interface:
|
||||
|
||||
namePrefix: ""
|
||||
nameSuffix: ""
|
||||
|
||||
targetGroups:
|
||||
- targetGroupPortalGroup: 1
|
||||
targetGroupInitiatorGroup: 1
|
||||
targetGroupAuthType: None
|
||||
targetGroupAuthGroup:
|
||||
|
||||
extentInsecureTpc: true
|
||||
extentXenCompat: false
|
||||
extentDisablePhysicalBlocksize: false
|
||||
extentBlocksize: 512
|
||||
extentRpm: "SSD"
|
||||
extentAvailThreshold: 0
|
||||
|
||||
EOF
|
||||
|
||||
destination = "${NOMAD_SECRETS_DIR}/config.yml"
|
||||
}
|
||||
|
||||
csi_plugin {
|
||||
# must match --csi-name arg
|
||||
id = "org.democratic-csi.iscsi"
|
||||
type = "controller"
|
||||
mount_dir = "/csi"
|
||||
}
|
||||
|
||||
resources {
|
||||
cpu = 100
|
||||
memory = 192
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
|
@ -1,47 +0,0 @@
|
|||
job "democratic-csi-controller" {
|
||||
datacenters = ["dc1"]
|
||||
|
||||
group "iscsi" {
|
||||
|
||||
task "iscsi-controller" {
|
||||
|
||||
driver = "docker"
|
||||
|
||||
config {
|
||||
image = "[[ .democratic_csi_freenas_api.image ]]"
|
||||
args = [
|
||||
"--csi-version=1.5.0",
|
||||
"--csi-name=org.democratic-csi.iscsi",
|
||||
"--driver-config-file=${NOMAD_SECRETS_DIR}/config.yml",
|
||||
"--log-level=info",
|
||||
"--csi-mode=controller",
|
||||
"--server-socket=/csi/csi.sock"
|
||||
]
|
||||
|
||||
network_mode = "host"
|
||||
privileged = true
|
||||
userns_mode = "host"
|
||||
}
|
||||
|
||||
template {
|
||||
data =<<-EOF
|
||||
[[ fileContents "files/iscsi/controller.yml.tpl" ]]
|
||||
EOF
|
||||
destination = "${NOMAD_SECRETS_DIR}/config.yml"
|
||||
}
|
||||
|
||||
csi_plugin {
|
||||
# must match --csi-name arg
|
||||
id = "org.democratic-csi.iscsi"
|
||||
type = "controller"
|
||||
mount_dir = "/csi"
|
||||
}
|
||||
|
||||
resources {
|
||||
cpu = [[ .democratic_csi_freenas_api.resources.cpu ]]
|
||||
memory = [[ .democratic_csi_freenas_api.resources.memory ]]
|
||||
}
|
||||
|
||||
}
|
||||
}
|
||||
}
|
|
@ -1,3 +0,0 @@
|
|||
path "[[ .democratic_csi_freenas_api.vault_prefix ]]kv/service/democratic-csi" {
|
||||
capabilities = ["read"]
|
||||
}
|
|
@ -1,27 +0,0 @@
|
|||
variable "vault_prefix" {
|
||||
type = string
|
||||
default = ""
|
||||
}
|
||||
|
||||
variable "namespace" {
|
||||
type = string
|
||||
default = "default"
|
||||
}
|
||||
|
||||
variable "image" {
|
||||
description = "Docker image to use"
|
||||
type = string
|
||||
default = "danielberteaud/democratic-csi:latest"
|
||||
}
|
||||
|
||||
variable "resources" {
|
||||
description = "Resources allocation for each instance"
|
||||
type = object({
|
||||
cpu = number
|
||||
memory = number
|
||||
})
|
||||
default = {
|
||||
cpu = 100
|
||||
memory = 192
|
||||
}
|
||||
}
|
|
@ -0,0 +1,271 @@
|
|||
job "traefik" {
|
||||
datacenters = ["dc1"]
|
||||
namespace = local.conf.namespace
|
||||
|
||||
group "traefik" {
|
||||
count = local.conf.traefik_count
|
||||
shutdown_delay = "6s"
|
||||
|
||||
# Un volume NFS est utilisé pour stocker les certificats Let's Encrypt
|
||||
volume "traefik" {
|
||||
type = "csi"
|
||||
source = "traefik${local.conf.env_suffix}"
|
||||
attachment_mode = "file-system"
|
||||
access_mode = "single-node-writer"
|
||||
# Traefik ne permet pas de partager le fichier acme.json entre plusieurs instances
|
||||
# On va donc utiliser un volume séparé pour chaque instance (traefik[0] et traefik[1])
|
||||
per_alloc = true
|
||||
}
|
||||
|
||||
network {
|
||||
mode = "bridge"
|
||||
|
||||
# Traefik utilise un compte non privilégié, et donc ne peut pas binder sur les ports < 1024
|
||||
# On va donc le faire écouter sur les ports 5080 et 5443 et ces ports seronts exposés à l'extérieur sur les ports 80 et 443
|
||||
port "http" {
|
||||
static = 80
|
||||
to = 5080
|
||||
}
|
||||
port "https" {
|
||||
static = 443
|
||||
to = 5443
|
||||
}
|
||||
port "syslog" {
|
||||
static = 514
|
||||
to = 5514
|
||||
}
|
||||
port "metrics" {}
|
||||
}
|
||||
|
||||
service {
|
||||
name = "traefik-sidecar${local.conf.env_suffix}"
|
||||
port = "https"
|
||||
# Pour joindre proxyout et MariaDB via une terminating gateway
|
||||
connect {
|
||||
sidecar_service {
|
||||
proxy {
|
||||
upstreams {
|
||||
destination_name = "proxyout"
|
||||
local_bind_port = 3128
|
||||
}
|
||||
upstreams {
|
||||
destination_name = "db-mysql"
|
||||
local_bind_port = 3306
|
||||
}
|
||||
}
|
||||
}
|
||||
sidecar_task {
|
||||
resources {
|
||||
cpu = local.conf.sidecar_cpu
|
||||
memory = local.conf.sidecar_memory
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
# Définition du service, et des checks
|
||||
service {
|
||||
name = "traefik"
|
||||
port = "https"
|
||||
task = "traefik"
|
||||
|
||||
meta {
|
||||
metrics-port = "${NOMAD_HOST_PORT_metrics}"
|
||||
alloc = "${NOMAD_ALLOC_INDEX}"
|
||||
}
|
||||
|
||||
check_restart {
|
||||
limit = 3
|
||||
grace = "10s"
|
||||
}
|
||||
|
||||
check {
|
||||
type = "tcp"
|
||||
port = "http"
|
||||
interval = "10s"
|
||||
timeout = "2s"
|
||||
}
|
||||
|
||||
check {
|
||||
type = "tcp"
|
||||
port = "https"
|
||||
interval = "10s"
|
||||
timeout = "2s"
|
||||
}
|
||||
|
||||
# Traefik peut se connecter nativement au service mesh de Consul
|
||||
connect {
|
||||
native = true
|
||||
}
|
||||
|
||||
# On permet de rendre l'API et le dashboard de Traefik accessible via lui même
|
||||
# On on obtient un certificat auprès de Let's Encrypt pour ces vhosts
|
||||
tags = [
|
||||
"traefik.enable=true",
|
||||
"traefik.http.routers.traefik-api.rule=Host(`traefik${env_suffix}.service.${local.conf.ct_domain}`,`${local.conf.tools_vhost}`) && PathPrefix(`/api`,`/traefik`)",
|
||||
"traefik.http.routers.traefik-api.entryPoints=https",
|
||||
"traefik.http.routers.traefik-api.service=api@internal",
|
||||
"traefik.http.routers.traefik-api.tls=true",
|
||||
"traefik.http.routers.traefik-api.tls.certresolver=le",
|
||||
|
||||
"traefik.http.routers.traefik-ping.rule=Host(`traefik${env_suffix}.service.${local.conf.ct_domain}`,`${local.conf.tools_vhost}`) && Path(`/ping`) && Method(`GET`)",
|
||||
"traefik.http.routers.traefik-ping.entryPoints=https",
|
||||
"traefik.http.routers.traefik-ping.service=ping@internal",
|
||||
"traefik.http.routers.traefik-ping.tls=true",
|
||||
"traefik.http.routers.traefik-ping.tls.certresolver=le",
|
||||
"traefik.http.routers.traefik-ping.middlewares=${local.conf.traefik_ping_middlewares}",
|
||||
|
||||
"traefik.http.middlewares.traefik-path.replacepathregex.regex=^/traefik/(.*)",
|
||||
"traefik.http.middlewares.traefik-path.replacepathregex.replacement=/dashboard/$${1}",
|
||||
"traefik.http.routers.traefik-api.middlewares=${local.conf.traefik_api_middlewares},traefik-path",
|
||||
]
|
||||
}
|
||||
|
||||
task "llng-handler" {
|
||||
driver = "docker"
|
||||
config {
|
||||
image = local.conf.llng_handler_image
|
||||
volumes = [
|
||||
"secrets/lemonldap-ng.ini:/etc/lemonldap-ng/lemonldap-ng.ini:ro",
|
||||
]
|
||||
}
|
||||
lifecycle {
|
||||
hook = "prestart"
|
||||
sidecar = true
|
||||
}
|
||||
vault {
|
||||
policies = ["traefik${local.conf.env_suffix}"]
|
||||
}
|
||||
template {
|
||||
data = file("templates/lemonldap-ng.ini.tpl")
|
||||
destination = "secrets/lemonldap-ng.ini"
|
||||
perms = "0400"
|
||||
uid = 100048
|
||||
gid = 100048
|
||||
}
|
||||
|
||||
env {
|
||||
LLNG_DB_USER = local.conf.llng_db_user
|
||||
LLNG_DB_NAME = local.conf.llng_db_name
|
||||
LLNG_HANDLER_PORT = local.conf.llng_handler_port
|
||||
}
|
||||
resources {
|
||||
cpu = local.conf.llng_handler_cpu
|
||||
memory = local.conf.llng_handler_memory
|
||||
}
|
||||
}
|
||||
|
||||
task "metrics-proxy" {
|
||||
driver = "docker"
|
||||
config {
|
||||
image = "oci.ehtrace.com/metrics-proxy:latest"
|
||||
}
|
||||
lifecycle {
|
||||
hook = "poststart"
|
||||
sidecar = true
|
||||
}
|
||||
vault {
|
||||
policies = ["metrics${local.conf.env_suffix}"]
|
||||
}
|
||||
env {
|
||||
METRICS_URL = "http://localhost:9500/metrics"
|
||||
PKI_PATH = local.conf.monitoring_vault_pki_path
|
||||
}
|
||||
template {
|
||||
data = file("../common/templates/metrics/cert.tpl")
|
||||
destination = "secrets/metrics.bundle.pem"
|
||||
}
|
||||
template {
|
||||
data = file("../common/templates/metrics/ca.tpl")
|
||||
destination = "local/monitoring.ca.pem"
|
||||
}
|
||||
resources {
|
||||
cpu = 10
|
||||
memory = 12
|
||||
}
|
||||
}
|
||||
|
||||
task "traefik" {
|
||||
driver = "docker"
|
||||
|
||||
# La tâche nécessite une policy vault, qui servira à
|
||||
# - obtenir un token Consul (pour consulter le catalogue)
|
||||
# - obtenir la clé d'API Gandi pour les challenges ACME DNS-01
|
||||
vault {
|
||||
policies = ["traefik${local.conf.env_suffix}"]
|
||||
}
|
||||
|
||||
# On monte le volume NFS sur /storage
|
||||
volume_mount {
|
||||
volume = "traefik"
|
||||
destination = "/storage"
|
||||
}
|
||||
|
||||
config {
|
||||
image = local.conf.traefik_image
|
||||
volumes = [
|
||||
"local/traefik.yml:/etc/traefik/traefik.yml:ro",
|
||||
"local/plugins:/plugins-storage"
|
||||
]
|
||||
}
|
||||
|
||||
env {
|
||||
# Les appels à l'API Gandi doivent passer par le proxy sortant
|
||||
HTTPS_PROXY = "http://localhost:3128"
|
||||
HTTP_PROXY = "http://localhost:3128"
|
||||
NO_PROXY = local.conf.traefik_no_proxy
|
||||
LLNG_HANDLER_PORT = local.conf.llng_handler_port
|
||||
}
|
||||
|
||||
# Ce fichier contient la clé d'API de Gandi
|
||||
template {
|
||||
data = <<-EOF
|
||||
GANDIV5_API_KEY={{ with secret "kv/common/letsencrypt" }}{{ .Data.data.GANDIV5_API_KEY }}{{ end }}
|
||||
EOF
|
||||
destination = "secrets/env"
|
||||
env = true
|
||||
perms = "0400"
|
||||
uid = 100000
|
||||
gid = 100000
|
||||
}
|
||||
|
||||
# Main traefik configuration
|
||||
template {
|
||||
data = file("./templates/traefik.yml.tpl")
|
||||
destination = "local/traefik.yml"
|
||||
perms = "0400"
|
||||
uid = 100000
|
||||
gid = 100000
|
||||
}
|
||||
|
||||
# Traefik config is split into several other config files
|
||||
dynamic "template" {
|
||||
for_each = fileset("templates/config/", "*.yml.tpl")
|
||||
content {
|
||||
data = file("templates/config/${template.value}")
|
||||
destination = "secrets/config/${replace(template.value, ".tpl", "")}"
|
||||
perms = "0400"
|
||||
uid = 100000
|
||||
gid = 100000
|
||||
change_mode = "signal"
|
||||
change_signal = "SIGHUP"
|
||||
}
|
||||
}
|
||||
|
||||
resources {
|
||||
cpu = local.conf.traefik_cpu
|
||||
memory = local.conf.traefik_memory
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
variable "env" {
|
||||
type = string
|
||||
}
|
||||
locals {
|
||||
defaults = yamldecode(file("vars/defaults.yml"))
|
||||
global_env = yamldecode(fileexists("../common/vars/${var.env}.yml") ? file("../common/vars/${var.env}.yml") : "a: b")
|
||||
job_env = yamldecode(fileexists("vars/${var.env}.yml") ? file("vars/${var.env}.yml") : "a: b")
|
||||
conf = merge(local.defaults, local.global_env, local.job_env)
|
||||
}
|
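Review bot: The `traefik-api` and `traefik-ping` router rules interpolate `${env_suffix}` in their `Host(...)` matcher, but this file declares only `variable "env"` and every other reference uses `local.conf.env_suffix`, so the jobspec should fail to evaluate on an unknown variable (or render a wrong host if `env_suffix` is injected from elsewhere); change both to `${local.conf.env_suffix}`. The `locals` block falls back to `yamldecode("a: b")` when an env file is missing, which silently injects a key `a` into `local.conf` and hides a misspelt environment name; `yamldecode("{}")` keeps `merge` working without the stray key. It is also unclear why a complete Traefik job is part of a commit titled "First try with democratic csi"; if it was added as a reference for the pack layout, a comment at the top of the file saying so would stop it being deployed by mistake.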