# Egress (terminating) gateway job.
# One group holds the Consul Connect terminating gateway service and a
# short-lived prestart task that writes the configured CA certificates into
# the allocation directory.
# The working context is the egress_gw settings merged with the root context.
[[ $c := merge .egress_gw . -]]
job "[[ .instance ]]" {

[[ template "common/job_start" $c ]]

  group "egress-gateway" {

    count = [[ $c.count ]]

    network {
      mode = "bridge"
    }

    # Consul Connect terminating gateway.
    # Every entry of egress_gw.services becomes one linked service; each key of
    # its definition is written as an attribute, with the value JSON-encoded.
    # NOTE(review): only the value is encoded. The service name and the
    # attribute keys are emitted verbatim, so they must come from trusted job
    # configuration.
    # NOTE(review): as far as I know, a linked service without ca_file is
    # reached without TLS origination by the gateway - confirm per service.
    service {
      name = "[[ .instance ]][[ $c.consul.suffix ]]"

      connect {
        gateway {
          proxy {}

          terminating {
[[- range $service, $def := .egress_gw.services ]]
            service {
              name = "[[ $service ]]"
  [[- range $k, $v := $def ]]
              [[ $k ]] = [[ $v | toJSON ]]
  [[- end ]]
            }
[[- end ]]
          }
        }

        sidecar_task {
          logs {
            disabled = [[ .consul.connect.logs.disabled | ternary "true" "false" ]]
          }

[[ template "common/resources" $c.consul.connect.resources ]]
        }
      }
    }

    # Helper task whose only job is to render the custom CA certificates.
    # It exists because template is not supported in sidecar_task.
    task "ca-certs" {
      # docker is used rather than exec, which is broken on EL8.
      # See https://github.com/hashicorp/nomad/issues/20212
      driver = "docker"

      # The container exits right away, so run it as a prestart hook.
      lifecycle {
        hook = "prestart"
      }

      # Minimal container: read-only root filesystem, a low PID limit and a
      # command that does nothing.
      config {
        image           = "[[ .docker.repo ]][[ .docker.base_images.alpine.image ]]"
        readonly_rootfs = true
        pids_limit      = 10
        command         = "/bin/true"
      }

      # Smallest allocation that still lets the task start.
      resources {
        cpu        = 10
        memory     = 10
        memory_max = 20
      }

      # One template per egress_gw.ca_certs entry: the value is the certificate
      # body, the key becomes the file name under the alloc data directory.
      # NOTE(review): the key is used verbatim in the destination path, so keep
      # it a plain file name.
[[- range $k, $v := .egress_gw.ca_certs ]]
      template {
        data = <<_EOF
[[ $v ]]
_EOF
        destination = "${NOMAD_ALLOC_DIR}/data/[[ $k ]].crt"
      }
[[- end ]]
    }
  }
}

# vim: syntax=hcl