Remove traefik for now as it's not a pack
This commit is contained in:
parent
85aedb206c
commit
e01f49a311
|
@ -1,271 +0,0 @@
|
|||
job "traefik" {
|
||||
datacenters = ["dc1"]
|
||||
namespace = local.conf.namespace
|
||||
|
||||
group "traefik" {
|
||||
count = local.conf.traefik_count
|
||||
shutdown_delay = "6s"
|
||||
|
||||
# Un volume NFS est utilisé pour stocker les certificats Let's Encrypt
|
||||
volume "traefik" {
|
||||
type = "csi"
|
||||
source = "traefik${local.conf.env_suffix}"
|
||||
attachment_mode = "file-system"
|
||||
access_mode = "single-node-writer"
|
||||
# Traefik ne permet pas de partager le fichier acme.json entre plusieurs instances
|
||||
# On va donc utiliser un volume séparé pour chaque instance (traefik[0] et traefik[1])
|
||||
per_alloc = true
|
||||
}
|
||||
|
||||
network {
|
||||
mode = "bridge"
|
||||
|
||||
# Traefik utilise un compte non privilégié, et donc ne peut pas binder sur les ports < 1024
|
||||
# On va donc le faire écouter sur les ports 5080 et 5443 et ces ports seronts exposés à l'extérieur sur les ports 80 et 443
|
||||
port "http" {
|
||||
static = 80
|
||||
to = 5080
|
||||
}
|
||||
port "https" {
|
||||
static = 443
|
||||
to = 5443
|
||||
}
|
||||
port "syslog" {
|
||||
static = 514
|
||||
to = 5514
|
||||
}
|
||||
port "metrics" {}
|
||||
}
|
||||
|
||||
service {
|
||||
name = "traefik-sidecar${local.conf.env_suffix}"
|
||||
port = "https"
|
||||
# Pour joindre proxyout et MariaDB via une terminating gateway
|
||||
connect {
|
||||
sidecar_service {
|
||||
proxy {
|
||||
upstreams {
|
||||
destination_name = "proxyout"
|
||||
local_bind_port = 3128
|
||||
}
|
||||
upstreams {
|
||||
destination_name = "db-mysql"
|
||||
local_bind_port = 3306
|
||||
}
|
||||
}
|
||||
}
|
||||
sidecar_task {
|
||||
resources {
|
||||
cpu = local.conf.sidecar_cpu
|
||||
memory = local.conf.sidecar_memory
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
# Définition du service, et des checks
|
||||
service {
|
||||
name = "traefik"
|
||||
port = "https"
|
||||
task = "traefik"
|
||||
|
||||
meta {
|
||||
metrics-port = "${NOMAD_HOST_PORT_metrics}"
|
||||
alloc = "${NOMAD_ALLOC_INDEX}"
|
||||
}
|
||||
|
||||
check_restart {
|
||||
limit = 3
|
||||
grace = "10s"
|
||||
}
|
||||
|
||||
check {
|
||||
type = "tcp"
|
||||
port = "http"
|
||||
interval = "10s"
|
||||
timeout = "2s"
|
||||
}
|
||||
|
||||
check {
|
||||
type = "tcp"
|
||||
port = "https"
|
||||
interval = "10s"
|
||||
timeout = "2s"
|
||||
}
|
||||
|
||||
# Traefik peut se connecter nativement au service mesh de Consul
|
||||
connect {
|
||||
native = true
|
||||
}
|
||||
|
||||
# On permet de rendre l'API et le dashboard de Traefik accessible via lui même
|
||||
# On on obtient un certificat auprès de Let's Encrypt pour ces vhosts
|
||||
tags = [
|
||||
"traefik.enable=true",
|
||||
"traefik.http.routers.traefik-api.rule=Host(`traefik${env_suffix}.service.${local.conf.ct_domain}`,`${local.conf.tools_vhost}`) && PathPrefix(`/api`,`/traefik`)",
|
||||
"traefik.http.routers.traefik-api.entryPoints=https",
|
||||
"traefik.http.routers.traefik-api.service=api@internal",
|
||||
"traefik.http.routers.traefik-api.tls=true",
|
||||
"traefik.http.routers.traefik-api.tls.certresolver=le",
|
||||
|
||||
"traefik.http.routers.traefik-ping.rule=Host(`traefik${env_suffix}.service.${local.conf.ct_domain}`,`${local.conf.tools_vhost}`) && Path(`/ping`) && Method(`GET`)",
|
||||
"traefik.http.routers.traefik-ping.entryPoints=https",
|
||||
"traefik.http.routers.traefik-ping.service=ping@internal",
|
||||
"traefik.http.routers.traefik-ping.tls=true",
|
||||
"traefik.http.routers.traefik-ping.tls.certresolver=le",
|
||||
"traefik.http.routers.traefik-ping.middlewares=${local.conf.traefik_ping_middlewares}",
|
||||
|
||||
"traefik.http.middlewares.traefik-path.replacepathregex.regex=^/traefik/(.*)",
|
||||
"traefik.http.middlewares.traefik-path.replacepathregex.replacement=/dashboard/$${1}",
|
||||
"traefik.http.routers.traefik-api.middlewares=${local.conf.traefik_api_middlewares},traefik-path",
|
||||
]
|
||||
}
|
||||
|
||||
task "llng-handler" {
|
||||
driver = "docker"
|
||||
config {
|
||||
image = local.conf.llng_handler_image
|
||||
volumes = [
|
||||
"secrets/lemonldap-ng.ini:/etc/lemonldap-ng/lemonldap-ng.ini:ro",
|
||||
]
|
||||
}
|
||||
lifecycle {
|
||||
hook = "prestart"
|
||||
sidecar = true
|
||||
}
|
||||
vault {
|
||||
policies = ["traefik${local.conf.env_suffix}"]
|
||||
}
|
||||
template {
|
||||
data = file("templates/lemonldap-ng.ini.tpl")
|
||||
destination = "secrets/lemonldap-ng.ini"
|
||||
perms = "0400"
|
||||
uid = 100048
|
||||
gid = 100048
|
||||
}
|
||||
|
||||
env {
|
||||
LLNG_DB_USER = local.conf.llng_db_user
|
||||
LLNG_DB_NAME = local.conf.llng_db_name
|
||||
LLNG_HANDLER_PORT = local.conf.llng_handler_port
|
||||
}
|
||||
resources {
|
||||
cpu = local.conf.llng_handler_cpu
|
||||
memory = local.conf.llng_handler_memory
|
||||
}
|
||||
}
|
||||
|
||||
task "metrics-proxy" {
|
||||
driver = "docker"
|
||||
config {
|
||||
image = "oci.ehtrace.com/metrics-proxy:latest"
|
||||
}
|
||||
lifecycle {
|
||||
hook = "poststart"
|
||||
sidecar = true
|
||||
}
|
||||
vault {
|
||||
policies = ["metrics${local.conf.env_suffix}"]
|
||||
}
|
||||
env {
|
||||
METRICS_URL = "http://localhost:9500/metrics"
|
||||
PKI_PATH = local.conf.monitoring_vault_pki_path
|
||||
}
|
||||
template {
|
||||
data = file("../common/templates/metrics/cert.tpl")
|
||||
destination = "secrets/metrics.bundle.pem"
|
||||
}
|
||||
template {
|
||||
data = file("../common/templates/metrics/ca.tpl")
|
||||
destination = "local/monitoring.ca.pem"
|
||||
}
|
||||
resources {
|
||||
cpu = 10
|
||||
memory = 12
|
||||
}
|
||||
}
|
||||
|
||||
task "traefik" {
|
||||
driver = "docker"
|
||||
|
||||
# La tâche nécessite une policy vault, qui servira à
|
||||
# - obtenir un token Consul (pour consulter le catalogue)
|
||||
# - obtenir la clé d'API Gandi pour les challenges ACME DNS-01
|
||||
vault {
|
||||
policies = ["traefik${local.conf.env_suffix}"]
|
||||
}
|
||||
|
||||
# On monte le volume NFS sur /storage
|
||||
volume_mount {
|
||||
volume = "traefik"
|
||||
destination = "/storage"
|
||||
}
|
||||
|
||||
config {
|
||||
image = local.conf.traefik_image
|
||||
volumes = [
|
||||
"local/traefik.yml:/etc/traefik/traefik.yml:ro",
|
||||
"local/plugins:/plugins-storage"
|
||||
]
|
||||
}
|
||||
|
||||
env {
|
||||
# Les appels à l'API Gandi doivent passer par le proxy sortant
|
||||
HTTPS_PROXY = "http://localhost:3128"
|
||||
HTTP_PROXY = "http://localhost:3128"
|
||||
NO_PROXY = local.conf.traefik_no_proxy
|
||||
LLNG_HANDLER_PORT = local.conf.llng_handler_port
|
||||
}
|
||||
|
||||
# Ce fichier contient la clé d'API de Gandi
|
||||
template {
|
||||
data = <<-EOF
|
||||
GANDIV5_API_KEY={{ with secret "kv/common/letsencrypt" }}{{ .Data.data.GANDIV5_API_KEY }}{{ end }}
|
||||
EOF
|
||||
destination = "secrets/env"
|
||||
env = true
|
||||
perms = "0400"
|
||||
uid = 100000
|
||||
gid = 100000
|
||||
}
|
||||
|
||||
# Main traefik configuration
|
||||
template {
|
||||
data = file("./templates/traefik.yml.tpl")
|
||||
destination = "local/traefik.yml"
|
||||
perms = "0400"
|
||||
uid = 100000
|
||||
gid = 100000
|
||||
}
|
||||
|
||||
# Traefik config is split into several other config files
|
||||
dynamic "template" {
|
||||
for_each = fileset("templates/config/", "*.yml.tpl")
|
||||
content {
|
||||
data = file("templates/config/${template.value}")
|
||||
destination = "secrets/config/${replace(template.value, ".tpl", "")}"
|
||||
perms = "0400"
|
||||
uid = 100000
|
||||
gid = 100000
|
||||
change_mode = "signal"
|
||||
change_signal = "SIGHUP"
|
||||
}
|
||||
}
|
||||
|
||||
resources {
|
||||
cpu = local.conf.traefik_cpu
|
||||
memory = local.conf.traefik_memory
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
variable "env" {
|
||||
type = string
|
||||
}
|
||||
locals {
|
||||
defaults = yamldecode(file("vars/defaults.yml"))
|
||||
global_env = yamldecode(fileexists("../common/vars/${var.env}.yml") ? file("../common/vars/${var.env}.yml") : "a: b")
|
||||
job_env = yamldecode(fileexists("vars/${var.env}.yml") ? file("vars/${var.env}.yml") : "a: b")
|
||||
conf = merge(local.defaults, local.global_env, local.job_env)
|
||||
}
|