egress-gateway/egress-gateway.hcl


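# Nomad job template (rendered with [[ ]] delimiters) that runs a Connect
# terminating gateway, i.e. the controlled exit point from the service mesh
# towards the external services listed in .egress_gw.services.
job "egress-gateway" {
  datacenters = [[ .nomad.datacenters | toJSON ]]

  # Egress GW runs on dedicated, unrestricted nodes
[[- if has .egress_gw "node_pool" ]]
  # Rendered through toJSON, like the other templated strings in this file,
  # so the value always comes out as a quoted HCL string.
  node_pool = [[ .egress_gw.node_pool | toJSON ]]
[[- end ]]

  group "egress-gateway" {
    network {
      mode = "bridge"
    }

    # Terminating gateway definition
    service {
      name = "egress-gateway[[ .env_suffix ]]"

      connect {
        gateway {
          proxy {}

          # One service block per entry of .egress_gw.services; every key of
          # the entry is emitted as an attribute of that block, so the set of
          # reachable external services is exactly what the variables declare.
          terminating {
[[- range $service, $def := .egress_gw.services ]]
            service {
              name = [[ $service | toJSON ]]
[[- range $k, $v := $def ]]
              [[ $k ]] = [[ $v | toJSON ]]
[[- end ]]
            }
[[- end ]]
          }
        }

        # sidecar_task is a child of connect, so the gateway block is closed first.
        sidecar_task {
          config {
            # Access the CA certificate
            # NOTE(review): the proxy presumably only reads the certificates
            # written by the "downloader" task; consider a read-only mount
            # ("../alloc/data:/data:ro") once confirmed nothing writes to /data.
            volumes = ["../alloc/data:/data"]
          }

          resources {
            cpu    = [[ .sidecar_cpu ]]
            memory = [[ .sidecar_memory ]]
          }
        }
      }
    }

    # Dummy task to configure custom CA certificates
    # Needed because template is not supported in sidecar_task
    task "downloader" {
      driver = "exec"

      config {
        command = "/bin/true"
      }

      # The task will just quit immediately, mark it as a prestart hook
      lifecycle {
        hook = "prestart"
      }

      # One template per entry of .egress_gw.ca_certs, written to the shared
      # alloc data dir that the sidecar mounts as /data.
      # NOTE(review): the map key becomes part of the destination path; keys
      # should be plain file names (no "/" or "..") so every certificate stays
      # inside the data directory.
[[- range $k, $v := .egress_gw.ca_certs ]]
      template {
        data = <<_EOF
[[ $v ]]
_EOF
        destination = "${NOMAD_ALLOC_DIR}/data/[[ $k ]].crt"
      }
[[- end ]]

      # Give just enough resources
      resources {
        cpu        = 10
        memory     = 10
        memory_max = 20
      }
    }
  }
}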
# vim: syntax=hcl