Cleanup, no feature change

2023-10-08 16:12:19 +02:00 · 2023-10-08 16:12:19 +02:00 · 6a785bd5df
parent 02e85a1ce1
commit 6a785bd5df
6 changed files with 25 additions and 24 deletions
--- a/acme-to-vault.nomad.hcl
+++ b/acme-to-vault.nomad.hcl
@ -1,7 +1,9 @@
-job [[ .acme.job_name | toJSON ]] {
-  type        = "[[ if ne "" .acme.cron ]]service[[ else ]]batch[[ end ]]"
+[[ $c := merge .acme . -]]

-[[- template "common/job_start.tpl" dict "nomad" .nomad ]]
+job [[ .acme.instance | toJSON ]] {
+  type = "[[ if ne "" .acme.cron ]]service[[ else ]]batch[[ end ]]"
+
+[[- template "common/job_start.tpl" $c ]]

  group "acme-to-vault" {

@ -14,37 +16,36 @@ job [[ .acme.job_name | toJSON ]] {
    }

    service {
-      name = "[[ .acme.job_name ]][[ .env.suffix ]]"
+      name = "[[ .acme.instance ]][[ $c.consul.suffix ]]"
      port = 8787

-[[ template "common/connect.tpl" dict "ctx" . "config" .acme ]]
+[[ template "common/connect.tpl" merge .acme . ]]

      tags = [
-        "[[ .traefik.instance ]].enable=true",
+        "[[ $c.traefik.instance ]].enable=true",
        # Note : add a fake host in the rule to prevent warnings in Traefik logs
-        "[[ .traefik.instance ]].http.routers.[[ .acme.job_name ]][[ .env.suffix ]].rule=Host(`fake-acme-host`) || PathPrefix(`/.well-known/acme-challenge/`)",
-        "[[ .traefik.instance ]].http.routers.[[ .acme.job_name ]][[ .env.suffix ]].priority=[[ .acme.traefik.priority ]]",
-        "[[ .traefik.instance ]].http.routers.[[ .acme.job_name ]][[ .env.suffix ]].entrypoints=[[ join (merge .acme.traefik .traefik).entrypoints "," ]]",
-        "[[ .traefik.instance ]].http.routers.[[ .acme.job_name ]][[ .env.suffix ]].middlewares=[[ template "common/traefik_middlewares.tpl" merge .acme.traefik .traefik ]]"
+        "[[ $c.traefik.instance ]].http.routers.[[ .acme.instance ]][[ .consul.suffix ]].rule=Host(`fake-acme-host`) || PathPrefix(`/.well-known/acme-challenge/`)",
+        "[[ $c.traefik.instance ]].http.routers.[[ .acme.instance ]][[ .consul.suffix ]].priority=[[ $c.traefik.priority ]]",
+        "[[ $c.traefik.instance ]].http.routers.[[ .acme.instance ]][[ .consul.suffix ]].entrypoints=[[ join $c.traefik.entrypoints "," ]]",
+        "[[ $c.traefik.instance ]].http.routers.[[ .acme.instance ]][[ .consul.suffix ]].middlewares=[[ template "common/traefik_middlewares.tpl" $c.traefik ]]"
      ]
    }

    task "vault-acme-cert" {
-      driver = [[ .acme.driver | toJSON ]]
+      driver = [[ $c.nomad.driver | toJSON ]]

      config {
        image = [[ .acme.image | toJSON ]]
        readonly_rootfs = true
-        pids_limit = 20
+        pids_limit      = 20
      }

      vault {
-        policies = ["[[ .acme.job_name ]][[ .env.suffix ]]"]
+        policies = ["[[ .acme.instance ]][[ $c.consul.suffix ]]"]
      }

      env {
-        TZ          = [[ .locale.tz | toJSON ]]
-        LANG        = [[ .locale.lang | toJSON ]]
+        [[- template "common/env.tpl" $c.env ]]
        [[- if has .acme.vault "service_name" ]]
        VAULT_ADDR  = "http://localhost:8200"
        [[- else ]]
--- a/consul/config/service-defaults/acme-to-vault.hcl
+++ b/consul/config/service-defaults/acme-to-vault.hcl
@ -1,3 +1,3 @@
 Kind     = "service-defaults"
-Name     = "[[ .acme.job_name ]][[ .env.suffix ]]"
+Name     = "[[ .acme.instance ]][[ .consul.suffix ]]"
 Protocol = "http"
--- a/consul/config/service-intentions/acme-to-vault.hcl
+++ b/consul/config/service-intentions/acme-to-vault.hcl
@ -1,5 +1,5 @@
 Kind = "service-intentions"
-Name = "[[ .acme.job_name ]][[ .env.suffix ]]"
+Name = "[[ .acme.instance ]][[ .consul.suffix ]]"
 Sources = [
  {
    Name = "[[ .traefik.instance ]]"
--- a/prep.d/mv_conf.sh
+++ b/prep.d/mv_conf.sh
@ -1 +1 @@
-[[ template "common/mv_conf.sh.tpl" dict "ctx" . "services" (dict "acme-to-vault" .acme.job_name) ]]
+[[ template "common/mv_conf.sh.tpl" dict "ctx" . "services" (dict "acme-to-vault" .acme.instance) ]]
--- a/variables.yml
+++ b/variables.yml
@ -2,7 +2,7 @@

 acme:
  # The name of the Nomad job
-  job_name: acme-to-vault
+  instance: acme-to-vault

  # The Docker image to use
  image: danielberteaud/acme-to-vault:23.09-1
@ -16,9 +16,6 @@ acme:
    cpu: 10
    memory: 128

-  # The driver to use (docker or podman)
-  driver: docker
-
  # Vault related settings
  vault:
    addr: http://localhost:8200
@ -26,6 +23,9 @@ acme:
    # The root in the KV store where the ACME account key and metadata will be stored
    kv_account_root: kv/service/acme-to-vault/account

+  # Additional env
+  env: {}
+
  traefik:
    # List of entrypoints where the http-01 challenges will be exposed
    entrypoints:
--- a/vault/policies/acme-to-vault.hcl
+++ b/vault/policies/acme-to-vault.hcl
@ -5,9 +5,9 @@ path "[[ .vault.prefix ]]kv/metadata/service/traefik/certs" {
  capabilities = ["list","read"]
 }

-path "[[ .vault.prefix ]]kv/data/service/[[ .acme.job_name ]]/account/*" {
+path "[[ .vault.prefix ]]kv/data/service/[[ .acme.instance ]]/account/*" {
  capabilities = ["read","create","update"]
 }
-path "[[ .vault.prefix ]]kv/metadata/service/[[ .acme.job_name ]]/account/*" {
+path "[[ .vault.prefix ]]kv/metadata/service/[[ .acme.instance ]]/account/*" {
  capabilities = ["list","read"]
 }