Cleanup, no feature change
This commit is contained in:
parent
02e85a1ce1
commit
6a785bd5df
|
@ -1,7 +1,9 @@
|
|||
job [[ .acme.job_name | toJSON ]] {
|
||||
type = "[[ if ne "" .acme.cron ]]service[[ else ]]batch[[ end ]]"
|
||||
[[ $c := merge .acme . -]]
|
||||
|
||||
[[- template "common/job_start.tpl" dict "nomad" .nomad ]]
|
||||
job [[ .acme.instance | toJSON ]] {
|
||||
type = "[[ if ne "" .acme.cron ]]service[[ else ]]batch[[ end ]]"
|
||||
|
||||
[[- template "common/job_start.tpl" $c ]]
|
||||
|
||||
group "acme-to-vault" {
|
||||
|
||||
|
@ -14,37 +16,36 @@ job [[ .acme.job_name | toJSON ]] {
|
|||
}
|
||||
|
||||
service {
|
||||
name = "[[ .acme.job_name ]][[ .env.suffix ]]"
|
||||
name = "[[ .acme.instance ]][[ $c.consul.suffix ]]"
|
||||
port = 8787
|
||||
|
||||
[[ template "common/connect.tpl" dict "ctx" . "config" .acme ]]
|
||||
[[ template "common/connect.tpl" merge .acme . ]]
|
||||
|
||||
tags = [
|
||||
"[[ .traefik.instance ]].enable=true",
|
||||
"[[ $c.traefik.instance ]].enable=true",
|
||||
# Note : add a fake host in the rule to prevent warnings in Traefik logs
|
||||
"[[ .traefik.instance ]].http.routers.[[ .acme.job_name ]][[ .env.suffix ]].rule=Host(`fake-acme-host`) || PathPrefix(`/.well-known/acme-challenge/`)",
|
||||
"[[ .traefik.instance ]].http.routers.[[ .acme.job_name ]][[ .env.suffix ]].priority=[[ .acme.traefik.priority ]]",
|
||||
"[[ .traefik.instance ]].http.routers.[[ .acme.job_name ]][[ .env.suffix ]].entrypoints=[[ join (merge .acme.traefik .traefik).entrypoints "," ]]",
|
||||
"[[ .traefik.instance ]].http.routers.[[ .acme.job_name ]][[ .env.suffix ]].middlewares=[[ template "common/traefik_middlewares.tpl" merge .acme.traefik .traefik ]]"
|
||||
"[[ $c.traefik.instance ]].http.routers.[[ .acme.instance ]][[ .consul.suffix ]].rule=Host(`fake-acme-host`) || PathPrefix(`/.well-known/acme-challenge/`)",
|
||||
"[[ $c.traefik.instance ]].http.routers.[[ .acme.instance ]][[ .consul.suffix ]].priority=[[ $c.traefik.priority ]]",
|
||||
"[[ $c.traefik.instance ]].http.routers.[[ .acme.instance ]][[ .consul.suffix ]].entrypoints=[[ join $c.traefik.entrypoints "," ]]",
|
||||
"[[ $c.traefik.instance ]].http.routers.[[ .acme.instance ]][[ .consul.suffix ]].middlewares=[[ template "common/traefik_middlewares.tpl" $c.traefik ]]"
|
||||
]
|
||||
}
|
||||
|
||||
task "vault-acme-cert" {
|
||||
driver = [[ .acme.driver | toJSON ]]
|
||||
driver = [[ $c.nomad.driver | toJSON ]]
|
||||
|
||||
config {
|
||||
image = [[ .acme.image | toJSON ]]
|
||||
readonly_rootfs = true
|
||||
pids_limit = 20
|
||||
pids_limit = 20
|
||||
}
|
||||
|
||||
vault {
|
||||
policies = ["[[ .acme.job_name ]][[ .env.suffix ]]"]
|
||||
policies = ["[[ .acme.instance ]][[ $c.consul.suffix ]]"]
|
||||
}
|
||||
|
||||
env {
|
||||
TZ = [[ .locale.tz | toJSON ]]
|
||||
LANG = [[ .locale.lang | toJSON ]]
|
||||
[[- template "common/env.tpl" $c.env ]]
|
||||
[[- if has .acme.vault "service_name" ]]
|
||||
VAULT_ADDR = "http://localhost:8200"
|
||||
[[- else ]]
|
||||
|
|
|
@ -1,3 +1,3 @@
|
|||
Kind = "service-defaults"
|
||||
Name = "[[ .acme.job_name ]][[ .env.suffix ]]"
|
||||
Name = "[[ .acme.instance ]][[ .consul.suffix ]]"
|
||||
Protocol = "http"
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
Kind = "service-intentions"
|
||||
Name = "[[ .acme.job_name ]][[ .env.suffix ]]"
|
||||
Name = "[[ .acme.instance ]][[ .consul.suffix ]]"
|
||||
Sources = [
|
||||
{
|
||||
Name = "[[ .traefik.instance ]]"
|
||||
|
|
|
@ -1 +1 @@
|
|||
[[ template "common/mv_conf.sh.tpl" dict "ctx" . "services" (dict "acme-to-vault" .acme.job_name) ]]
|
||||
[[ template "common/mv_conf.sh.tpl" dict "ctx" . "services" (dict "acme-to-vault" .acme.instance) ]]
|
||||
|
|
|
@ -2,7 +2,7 @@
|
|||
|
||||
acme:
|
||||
# The name of the Nomad job
|
||||
job_name: acme-to-vault
|
||||
instance: acme-to-vault
|
||||
|
||||
# The Docker image to use
|
||||
image: danielberteaud/acme-to-vault:23.09-1
|
||||
|
@ -16,9 +16,6 @@ acme:
|
|||
cpu: 10
|
||||
memory: 128
|
||||
|
||||
# The driver to use (docker or podman)
|
||||
driver: docker
|
||||
|
||||
# Vault related settings
|
||||
vault:
|
||||
addr: http://localhost:8200
|
||||
|
@ -26,6 +23,9 @@ acme:
|
|||
# The root in the KV store where the ACME account key and metadata will be stored
|
||||
kv_account_root: kv/service/acme-to-vault/account
|
||||
|
||||
# Additional env
|
||||
env: {}
|
||||
|
||||
traefik:
|
||||
# List of entrypoints where the http-01 challenges will be exposed
|
||||
entrypoints:
|
||||
|
|
|
@ -5,9 +5,9 @@ path "[[ .vault.prefix ]]kv/metadata/service/traefik/certs" {
|
|||
capabilities = ["list","read"]
|
||||
}
|
||||
|
||||
path "[[ .vault.prefix ]]kv/data/service/[[ .acme.job_name ]]/account/*" {
|
||||
path "[[ .vault.prefix ]]kv/data/service/[[ .acme.instance ]]/account/*" {
|
||||
capabilities = ["read","create","update"]
|
||||
}
|
||||
path "[[ .vault.prefix ]]kv/metadata/service/[[ .acme.job_name ]]/account/*" {
|
||||
path "[[ .vault.prefix ]]kv/metadata/service/[[ .acme.instance ]]/account/*" {
|
||||
capabilities = ["list","read"]
|
||||
}
|
||||
|
|
Loading…
Reference in New Issue