---

# Default variables for an Elasticsearch cluster job: a multi-node server
# group plus a Prometheus exporter. Values containing [[ ... ]] are expanded
# by the bundle's templating layer; values containing {{ ... }} are
# consul-template snippets.
# NOTE(review): the nesting below was reconstructed from a flattened copy of
# this file. Confirm the position of roles/users, volumes and prometheus
# against the templates that consume them.

# Name of this instance
instance: elasticsearch

# ES settings
elasticsearch:

  # Vault policies (for the server and the exporter)
  vault:
    policies:
      - '[[ .instance ]][[ .consul.suffix ]]'
    # Presumably secrets generated randomly in Vault when missing; confirm
    # against the tooling. exporter_pwd is the key read by the exporter's
    # ES_PASSWORD snippet further down.
    rand_secrets:
      fields:
        - elastic_pwd
        - es_bootstrap_pwd
        - exporter_pwd

  # ES server settings
  server:

    # Docker image to use
    image: '[[ .docker.repo ]][[ .docker.base_images.elasticsearch8.image ]]'

    # Number of instances
    count: 3

    # Env var to set in the container
    # NOTE(review): 0.4 is unquoted, so YAML parsers load it as a float, not a
    # string. Confirm the templates render it as expected.
    env:
      JVM_XMX_RATIO: 0.4

    # Vault PKI (mTLS between the different nodes)
    vault:
      pki:
        path: '[[ .vault.root ]]pki/[[ .instance ]]'
        ou: Elasticsearch Cluster

    consul:
      meta:
        # Publish the node addr in the metadata of the service
        addr: 'es-${NOMAD_ALLOC_INDEX}.[[ .instance ]][[ .consul.suffix ]].service.[[ .consul.domain ]]'

    nomad:
      # Place each instance on a different host
      constraints:
        - operator: distinct_hosts
          value: true

    # Resource allocation
    resources:
      cpu: 300
      memory: 2048

    # Public URL (only used if exposed by Traefik)
    public_url: https://es.example.org

    # Should Traefik expose the Elasticsearch API?
    # Disabled by default. Before enabling, check that the src-ip middleware
    # referenced here (ip-trusted@file) exists on the Traefik side and
    # restricts callers as intended (presumably a source-IP allow list).
    traefik:
      enabled: false
      middlewares:
        csp: false
        src-ip: ip-trusted@file

    # List of roles and users to create. Eg
    # NOTE(review): the indentation of this example was reconstructed. Confirm
    # whether my_role and order-processor are sibling role names.
    # roles:
    #   my_role:
    #   order-processor:
    #     indices:
    #       - names:
    #           - order
    #           - devices
    #         privileges:
    #           - all
    #
    # For users, the password attr is optional. If set, it can be a raw password (not recommended of course),
    # a consul-template snippet (which can fetch secrets from vault), or omitted. If omitted, the default is
    # to fetch it from vault at kv/service/elasticsearch with the key <user>_pwd
    # A raw password written here is stored in clear text wherever this file is kept,
    # so prefer one of the two vault-backed forms.
    # users:
    #   order-dc1:
    #     roles:
    #       - order-processor
    #     password: s3cr3t
    #   order-dc2:
    #     roles:
    #       - order-processor
    #     password: '{{ with secret "kv/service/order" }}{{ .Data.data.es_password }}{{ end }}'
    #   # No password specified : it'll be fetched from vault at kv/service/elasticsearch under the key order_dc3_pwd
    #   order-dc3:
    #     roles:
    #       - order-processor
    #
    roles: {}
    users: {}

    # Volumes for data persistence
    # per_alloc: true presumably gives each instance its own CSI volume; confirm
    # the matching volumes exist before raising count.
    volumes:
      data:
        type: csi
        source: '[[ .instance ]]-data'
        per_alloc: true

  # Prometheus exporter settings
  exporter:

    # Version of the exporter
    version: 1.7.0

    # Docker image to use
    image: '[[ .docker.repo ]]elasticsearch-exporter:[[ .elasticsearch.exporter.version ]]-3'

    # Environment var to set in the container
    # ES_PASSWORD is a consul-template snippet reading exporter_pwd from the
    # instance's kv/service path in Vault, so no credential is stored in this file.
    env:
      ES_USERNAME: exporter
      ES_PASSWORD: '{{ with secret "[[ .vault.root ]]kv/service/[[ .instance ]]" }}{{ .Data.data.exporter_pwd }}{{ end }}'

    # Resource allocation
    resources:
      cpu: 50
      memory: 64

  # Prometheus settings
  prometheus:
    enabled: '[[ .prometheus.available ]]'
    # Metrics URL, as seen from inside the alloc
    # Plain HTTP on the loopback address
    metrics_url: http://127.0.0.1:9114/metrics

docker:
  # Define base_images so we can easily build 7 and 8 variants of the image
  # The image name embeds the exact ES_VERSION, while the entries under tags
  # (elasticsearch:7, elasticsearch7:latest, ...) are additional names for the
  # same build. Reference the versioned name where a reproducible deployment
  # matters.
  base_images:
    elasticsearch7:
      image: elasticsearch:[[ .docker.base_images.elasticsearch7.build_args.ES_VERSION ]]-1
      build_args:
        ES_VERSION: 7.17.20
      tags:
        - elasticsearch:7
        - elasticsearch7:latest
    elasticsearch8:
      image: elasticsearch:[[ .docker.base_images.elasticsearch8.build_args.ES_VERSION ]]-1
      build_args:
        ES_VERSION: 8.13.2
      tags:
        - elasticsearch:8
        - elasticsearch8:latest