Cleanup
parent
aefedaaab1
commit
0b2aef51fb
|
@ -1,3 +1,4 @@
|
|||
Kind = "service-defaults"
|
||||
Name = "[[ .instance ]][[ .consul.suffix ]]"
|
||||
Protocol = "http"
|
||||
LocalRequestTimeoutMs = "300000"
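Review bot: `LocalRequestTimeoutMs` is written as the quoted string `"300000"`, while Consul documents this service-defaults field as an integer number of milliseconds; it appears to be the line this hunk adds. Writing it as `LocalRequestTimeoutMs = 300000` avoids depending on string-to-number coercion when the config entry is decoded. A short comment such as `# 5 min, keep in step with RequestTimeout in the service-resolver` would make the link to the resolver change in this commit explicit.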
|
||||
|
|
|
@ -1,3 +1,3 @@
|
|||
Kind = "service-resolver"
|
||||
Name = "[[ .instance ]][[ .consul.suffix ]]"
|
||||
RequestTimeout = "60m"
|
||||
RequestTimeout = "5m"
|
||||
|
|
|
@ -44,23 +44,7 @@ job "[[ .instance ]]" {
|
|||
|
||||
tags = [
|
||||
"[[ .instance ]]-${NOMAD_ALLOC_INDEX}",
|
||||
[[- if $c.traefik.enabled ]]
|
||||
|
||||
"[[ $c.traefik.instance ]].enable=true",
|
||||
"[[ $c.traefik.instance ]].http.routers.[[ .instance ]][[ .consul.suffix ]].rule=Host(`[[ (urlParse $c.public_url).Hostname ]]`)
|
||||
[[- if not (regexp.Match "^/?$" (urlParse $c.public_url).Path) ]] && PathPrefix(`[[ (urlParse $c.public_url).Path ]]`)[[ end ]]",
|
||||
"[[ $c.traefik.instance ]].http.routers.[[ .instance ]][[ .consul.suffix ]].entrypoints=[[ join $c.traefik.entrypoints "," ]]",
|
||||
|
||||
[[- if not (regexp.Match "^/?$" (urlParse $c.public_url).Path) ]]
|
||||
# ES is exposed by traefik on a subpath. Define a middleware to strip the prefix before passing the request to the backend
|
||||
"[[ $c.traefik.instance ]].http.middlewares.[[ .instance ]]-prefix[[ .consul.suffix ]].stripprefix.prefixes=[[ (urlParse $c.public_url).Path ]]",
|
||||
"[[ $c.traefik.instance ]].http.routers.[[ .instance ]][[ .consul.suffix ]].middlewares=[[ .instance ]]-prefix[[ .consul.suffix ]],[[ template "common/traefik_middlewares" $c ]]",
|
||||
[[- else ]]
|
||||
"[[ $c.traefik.instance ]].http.routers.[[ .instance ]][[ .consul.suffix ]].middlewares=[[ template "common/traefik_middlewares" $c ]]"
|
||||
[[- end ]]
|
||||
|
||||
|
||||
[[- end ]]
|
||||
[[ template "common/traefik_tags" $c ]]
|
||||
]
|
||||
}
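Review bot: Nothing in this commit shows that `common/traefik_tags` reproduces the tags it replaces in this `tags` list, in particular the router middlewares. The removed lines attached the output of `common/traefik_middlewares` (the defaults listed `ip-trusted@file`) and added a `stripprefix` middleware when `public_url` has a path. Confirm that the shared template still emits both for this service, because a router rendered without the source-IP middleware would leave Elasticsearch reachable by any client that can reach the entrypoint. A comment above the template call, for example `# router, source-IP restriction and prefix stripping come from common/traefik_tags`, would record that dependency. The enclosing block starts outside the hunk.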
|
||||
|
||||
|
|
|
@ -1 +0,0 @@
|
|||
[[ template "common/mv_conf.sh" dict "ctx" . "services" (dict "elasticsearch" .instance) ]]
|
|
@ -2,9 +2,10 @@
|
|||
|
||||
set -euo pipefail
|
||||
|
||||
[[ template "common/vault.rand_secrets" dict "ctx" . "keys" (coll.Slice "es_bootstrap_pwd" "exporter_pwd" "elastic_pwd") ]]
|
||||
[[- $pass_to_gen := .elasticsearch.vault.rand_secrets.fields ]]
|
||||
[[- range $k, $v := .elasticsearch.server.users ]]
|
||||
[[- if not (has $v "password") ]]
|
||||
[[ template "common/vault.rand_secrets" dict "ctx" $ "keys" (coll.Slice (printf "%s_pwd" ($k | regexp.Replace "\\-" "_"))) ]]
|
||||
[[- $pass_to_gen = append (printf "%s_pwd" ($k | regexp.Replace "\\-" "_")) $pass_to_gen ]]
|
||||
[[- end ]]
|
||||
[[- end ]]
|
||||
[[ template "common/vault.rand_secrets" merge (dict "vault" (dict "rand_secrets" (dict "fields" $pass_to_gen))) . ]]
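Review bot: A deployment that overrides `.elasticsearch.vault.rand_secrets.fields` can now drop `es_bootstrap_pwd`, `exporter_pwd` or `elastic_pwd` from generation, because `$pass_to_gen` starts from that list instead of the hard-coded names. The entrypoint in this commit still reads `.Data.data.es_bootstrap_pwd` and `.Data.data.exporter_pwd`, so a missing key would either fail rendering or, depending on how missing keys are handled at render time, produce a placeholder string used as the password. I would add a comment such as `# es_bootstrap_pwd, exporter_pwd and elastic_pwd must stay in rand_secrets.fields: the entrypoint reads them`. The final call passes the list under the top-level `vault.rand_secrets.fields` key; the common template is not visible here, so confirm that is where it reads the list from.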
|
||||
|
|
|
@ -11,14 +11,14 @@ unset JAVA_HOME
|
|||
|
||||
echo "Adding elastic bootstrap password in the keystore"
|
||||
[ -f config/elasticsearch.keystore ] || elasticsearch-keystore create
|
||||
echo '{{ with secret "[[ $c.vault.kv.path ]]" }}{{ .Data.data.es_bootstrap_pwd }}{{ end }}' | elasticsearch-keystore add -x 'bootstrap.password'
|
||||
echo '{{ with secret "[[ .vault.root ]]kv/service/[[ .instance ]]" }}{{ .Data.data.es_bootstrap_pwd }}{{ end }}' | elasticsearch-keystore add -x 'bootstrap.password'
|
||||
|
||||
{{ with secret "[[ $c.vault.kv.path ]]" -}}
|
||||
{{ with secret "[[ .vault.root ]]kv/service/[[ .instance ]]" -}}
|
||||
echo "Creating exporter user"
|
||||
(elasticsearch-users list | grep -qE '^exporter$') || elasticsearch-users useradd exporter -r monitor -p '{{ .Data.data.exporter_pwd }}'
|
||||
{{- end }}
|
||||
|
||||
[[- range $k, $v := $c.users ]]
|
||||
echo "Creating user [[ $k ]]"
|
||||
(elasticsearch-users list | grep -qE '^[[ $k ]]$') || elasticsearch-users useradd [[ $k ]] -p '[[ if has $v "password" ]][[ $v.password ]][[ else ]]{{ with secret "[[ $c.vault.kv.path ]]" }}{{ .Data.data.[[ $k | regexp.Replace "\\-" "_" ]]_pwd }}{{ end }}[[ end ]]' [[- if gt (len $v.roles) 0 ]] -r [[ join $v.roles "," ]][[ end ]]
|
||||
(elasticsearch-users list | grep -qE '^[[ $k ]]$') || elasticsearch-users useradd [[ $k ]] -p '[[ if has $v "password" ]][[ $v.password ]][[ else ]]{{ with secret "[[ $.vault.root ]]kv/service/[[ $.instance ]]" }}{{ .Data.data.[[ $k | regexp.Replace "\\-" "_" ]]_pwd }}{{ end }}[[ end ]]' [[- if gt (len $v.roles) 0 ]] -r [[ join $v.roles "," ]][[ end ]]
|
||||
[[- end ]]
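Review bot: On the `elasticsearch-users useradd [[ $k ]]` line, a statically configured `$v.password` is rendered raw between single quotes, so a value containing `'` ends the quoting and the remainder is parsed by the shell; `[[ $k ]]` is likewise inserted unescaped into both the command and the `grep -qE` pattern. Rendering the static branch through gomplate's `strings.ShellQuote` instead of hand-written quotes would close this, and user names could be validated against a conservative character set before use. Passing the password with `-p` also puts it on the command line, where it is visible in the process list while the command runs. Separately, the Vault path `[[ .vault.root ]]kv/service/[[ .instance ]]` is now spelled out three times in this file; a single template variable would keep the copies from drifting apart.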
|
||||
|
|
|
@ -10,6 +10,11 @@ elasticsearch:
|
|||
vault:
|
||||
policies:
|
||||
- '[[ .instance ]][[ .consul.suffix ]]'
|
||||
rand_secrets:
|
||||
fields:
|
||||
- elastic_pwd
|
||||
- es_bootstrap_pwd
|
||||
- exporter_pwd
|
||||
|
||||
# ES server settings
|
||||
server:
|
||||
|
@ -17,7 +22,7 @@ elasticsearch:
|
|||
version: 8.12.0
|
||||
|
||||
# Docker image to use
|
||||
image: '[[ .docker.repo ]]elasticsearch:[[ .elasticsearch.server.version ]]-3'
|
||||
image: '[[ .docker.repo ]]elasticsearch:[[ .elasticsearch.server.version ]]-5'
|
||||
|
||||
# Number of instances
|
||||
count: 3
|
||||
|
@ -28,9 +33,8 @@ elasticsearch:
|
|||
# Vault PKI (mTLS between the different nodes
|
||||
vault:
|
||||
pki:
|
||||
path: '[[ .vault.prefix ]]pki/[[ .instance ]]'
|
||||
path: '[[ .vault.root ]]pki/[[ .instance ]]'
|
||||
ou: Elasticsearch Cluster
|
||||
issuer: '[[ .vault.prefix ]]pki/root'
|
||||
|
||||
# Resource allocation
|
||||
resources:
|
||||
|
@ -44,7 +48,8 @@ elasticsearch:
|
|||
traefik:
|
||||
enabled: false
|
||||
middlewares:
|
||||
- ip-trusted@file
|
||||
csp: false
|
||||
src-ip: ip-trusted@file
|
||||
|
||||
# List of roles and users to create. Eg
|
||||
# roles:
|
||||
|
@ -90,12 +95,12 @@ elasticsearch:
|
|||
version: 1.7.0
|
||||
|
||||
# Docker image to use
|
||||
image: '[[ .docker.repo ]]elasticsearch-exporter:[[ .elasticsearch.exporter.version ]]-2'
|
||||
image: '[[ .docker.repo ]]elasticsearch-exporter:[[ .elasticsearch.exporter.version ]]-3'
|
||||
|
||||
# Environment var to set in the container
|
||||
env:
|
||||
ES_USERNAME: exporter
|
||||
ES_PASSWORD: '{{ with secret "[[ .vault.kv.path ]]" }}{{ .Data.data.exporter_pwd }}{{ end }}'
|
||||
ES_PASSWORD: '{{ with secret "[[ .vault.root ]]kv/service/ [[ .instance ]]" }}{{ .Data.data.exporter_pwd }}{{ end }}'
|
||||
|
||||
# Resource allocation
|
||||
resources:
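Review bot: The new `ES_PASSWORD` default has a space inside the Vault path, `kv/service/ [[ .instance ]]`, which the other uses of this path in the commit do not have. As written the exporter would request a different secret path than the one the passwords are stored under, so the template is likely to fail or the exporter to start without a valid credential. The line should read `ES_PASSWORD: '{{ with secret "[[ .vault.root ]]kv/service/[[ .instance ]]" }}{{ .Data.data.exporter_pwd }}{{ end }}'`. In the Traefik hunk of the same file, `middlewares: [ip-trusted@file]` becomes `src-ip: ip-trusted@file`; the template that consumes `src-ip` is not shown, so it is worth checking that the IP restriction is still applied by default.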
|
||||
|
|