Add support for Traefik

README.md

@@ -1,3 +1,21 @@
 # elasticsearch
 
-Nomad job template for Elasticsearch cluster
+Nomad job template for Elasticsearch cluster
+
+# Setup initial password
+A random password is generated for the elastic system account (in vault, kv/service/elasticsearch, key elastic_pwd) but is not used automaticaly. You must setup passwords with
+```
+elasticsearch-setup-passwords interactive
+```
+
+# Configure replicas for indices
+Once elastic passwords are OK, you can configure indices to have the desired number of replicas
+```
+for INDEX in inventory stock purchase-requests; do
+  curl --user 'elastic:XXX' \
+    -X PUT \
+    -H 'Content-Type: application/json' \
+    http://localhost:9200/${INDEX}/_settings \
+    -d '{ "index.number_of_replicas" : 2 }'
+done
+```

elasticsearch.nomad.hcl

@@ -42,9 +42,25 @@ job "[[ .instance ]]" {
         timeout  = "8s"
       }
 
-      # TODO : add tags for Traefik if enabled
       tags = [
-        "[[ .instance ]]-${NOMAD_ALLOC_INDEX}"
+        "[[ .instance ]]-${NOMAD_ALLOC_INDEX}",
+[[- if $c.traefik.enabled ]]
+
+        "[[ $c.traefik.instance ]].enable=true",
+        "[[ $c.traefik.instance ]].http.routers.[[ .instance ]][[ .consul.suffix ]].rule=Host(`[[ (urlParse $c.public_url).Hostname ]]`)
+  [[- if not (regexp.Match "^/?$" (urlParse $c.public_url).Path) ]] && PathPrefix(`[[ (urlParse $c.public_url).Path ]]`)[[ end ]]",
+        "[[ $c.traefik.instance ]].http.routers.[[ .instance ]][[ .consul.suffix ]].entrypoints=[[ join $c.traefik.entrypoints "," ]]",
+
+  [[- if not (regexp.Match "^/?$" (urlParse $c.public_url).Path) ]]
+        # ES is exposed by traefik on a subpath. Define a middleware to strip the prefix before passing the request to the backend
+        "[[ $c.traefik.instance ]].http.middlewares.[[ .instance ]]-prefix[[ .consul.suffix ]].stripprefix.prefixes=[[ (urlParse $c.public_url).Path ]]",
+        "[[ $c.traefik.instance ]].http.routers.[[ .instance ]][[ .consul.suffix ]].middlewares=[[ .instance ]]-prefix[[ .consul.suffix ]],[[ template "common/traefik_middlewares" $c ]]",
+  [[- else ]]
+        "[[ $c.traefik.instance ]].http.routers.[[ .instance ]][[ .consul.suffix ]].middlewares=[[ template "common/traefik_middlewares" $c ]]"
+  [[- end ]]
+
+
+[[- end ]]
       ]
     }
 

images/elasticsearch/Dockerfile

@@ -16,8 +16,7 @@ RUN set -eux &&\
     rm -rf /opt/elasticsearch/jdk &&\
     sed -i -e 's/ES_DISTRIBUTION_TYPE=tar/ES_DISTRIBUTION_TYPE=docker/' /opt/elasticsearch/bin/elasticsearch-env &&\
     mkdir -p /opt/elasticsearch/config/jvm.config.d &&\
-    mkdir -p /opt/elasticsearch/.aws &&\
-    touch /opt/elasticsearch/.aws/config &&\
+    mkdir -p /opt/elasticsearch/.aws/config &&\
     chown -R 9200:9200 /opt/elasticsearch/config &&\
     chown -R 9200:9200 /opt/elasticsearch/.aws
 

prep.d/10-rand-secrets.sh

@@ -2,7 +2,7 @@
 
 set -euo pipefail
 
-[[ template "common/vault.rand_secrets" dict "ctx" . "keys" (coll.Slice "es_bootstrap_pwd" "exporter_pwd") ]]
+[[ template "common/vault.rand_secrets" dict "ctx" . "keys" (coll.Slice "es_bootstrap_pwd" "exporter_pwd" "elastic_pwd") ]]
 [[- range $k, $v := .elasticsearch.server.users ]]
   [[- if not (has $v "password") ]]
 [[ template "common/vault.rand_secrets" dict "ctx" $ "keys" (coll.Slice (printf "%s_pwd" ($k | regexp.Replace "\\-" "_"))) ]]

variables.yml

@@ -17,7 +17,7 @@ elasticsearch:
     version: 8.12.0
 
     # Docker image to use
-    image: '[[ .docker.repo ]]elasticsearch:[[ .elasticsearch.server.version ]]-2'
+    image: '[[ .docker.repo ]]elasticsearch:[[ .elasticsearch.server.version ]]-3'
 
     # Number of instances
     count: 3
@@ -37,9 +37,14 @@ elasticsearch:
       cpu: 300
       memory: 2048
 
+    # Public URL (only used if exposed by Traefik)
+    public_url: https://es.example.org
+
     # Should Traefik expose Elasticsearch API ?
     traefik:
       enabled: false
+      middlewares:
+        - ip-trusted@file
 
     # List of roles and users to create. Eg
     # roles: