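---

# Name of this instance. It is interpolated below into the Vault policy name,
# the PKI path, the Consul service address and the CSI volume name.
instance: elasticsearch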
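# ES settings
# NOTE(review): the listing this block was recovered from had lost its
# indentation. The nesting below is reconstructed from the key names and from
# the template paths used in this file (e.g. .elasticsearch.exporter.version);
# confirm it against the repository copy before relying on it.
elasticsearch:

  # Vault policies (for the server and the exporter)
  vault:
    policies:
      - '[[ .instance ]][[ .consul.suffix ]]'
    # Secrets generated randomly rather than chosen by an operator.
    # Presumably stored under kv/service/<instance>, which is where the
    # exporter reads exporter_pwd from - TODO confirm.
    rand_secrets:
      fields:
        - elastic_pwd
        - es_bootstrap_pwd
        - exporter_pwd

  # ES server settings
  server:

    # Docker image to use
    image: '[[ .docker.repo ]][[ .docker.base_images.elasticsearch8.image ]]'

    # Number of instances
    count: 3

    # Env var to set in the container
    env:
      JVM_XMX_RATIO: 0.4

    # Vault PKI (mTLS between the different nodes)
    vault:
      pki:
        path: '[[ .vault.root ]]pki/[[ .instance ]]'
        ou: Elasticsearch Cluster

    consul:
      meta:
        # Publish the node addr in the metadata of the service
        addr: 'es-${NOMAD_ALLOC_INDEX}.[[ .instance ]][[ .consul.suffix ]].service.[[ .consul.domain ]]'

    nomad:
      constraints:
        # Never schedule two nodes of the cluster on the same host
        - operator: distinct_hosts
          value: true

    # Resource allocation
    resources:
      cpu: 300
      memory: 2048

    # Public URL (only used if exposed by Traefik)
    public_url: https://es.example.org

    # Should Traefik expose Elasticsearch API ?
    # NOTE(review): disabled by default. If enabled, keep a source-address
    # restriction in front of the API; ip-trusted@file presumably refers to an
    # allow-list defined in Traefik's file provider - confirm it exists.
    traefik:
      enabled: false
      middlewares:
        csp: false
        src-ip: ip-trusted@file

    # List of roles and users to create. Eg
    # roles:
    #   my_role:
    #   order-processor:
    #     indices:
    #       - names:
    #           - order
    #           - devices
    #         privileges:
    #           - all
    # # For users, the password attr is optional. If set, it can be a raw
    # # password (not recommended: it is then stored in clear text in this
    # # file), a consul-template snippet (which can fetch secrets from vault),
    # # or omitted. If omitted, default is to fetch it from vault
    # # at kv/service/elasticsearch with the key <user with - replaced with _>_pwd
    # users:
    #   order-dc1:
    #     roles:
    #       - order-processor
    #     password: s3cr3t
    #   order-dc2:
    #     roles:
    #       - order-processor
    #     password: '{{ with secret "kv/service/order" }}{{ .Data.data.es_password }}{{ end }}'
    #   # No password specified : it'll be fetched from vault at kv/service/elasticsearch under the key order_dc3_pwd
    #   order-dc3:
    #     roles:
    #       - order-processor
    #
    roles: {}
    users: {}

    # Volumes for data persistence
    volumes:
      data:
        type: csi
        source: '[[ .instance ]]-data'
        per_alloc: true

  # Prometheus exporter settings
  exporter:

    # Version of the exporter
    version: 1.7.0

    # Docker image to use
    image: '[[ .docker.repo ]]elasticsearch-exporter:[[ .elasticsearch.exporter.version ]]-3'

    # Environment var to set in the container
    # ES_PASSWORD is a consul-template snippet: the password is read from Vault
    # when the template is rendered and is not stored in this file.
    env:
      ES_USERNAME: exporter
      ES_PASSWORD: '{{ with secret "[[ .vault.root ]]kv/service/[[ .instance ]]" }}{{ .Data.data.exporter_pwd }}{{ end }}'

    vault:
      # Vault policies to attach to the task
      # NOTE(review): the first entry is the same policy the server uses. If it
      # grants read on kv/service/<instance> as a whole, the exporter task can
      # also read elastic_pwd and es_bootstrap_pwd. Vault policies are scoped
      # by path, so narrowing this would mean keeping exporter_pwd at its own
      # path - confirm what the policy actually grants.
      policies:
        - '[[ .instance ]][[ .consul.suffix ]]'
        - metrics

    # Resource allocation
    resources:
      cpu: 50
      memory: 64

  # Prometheus settings
  # NOTE(review): placed here as a sibling of server/exporter; the flattened
  # listing does not show whether it belongs under exporter instead - confirm.
  prometheus:
    enabled: '[[ .prometheus.available ]]'
    # Metrics URL, as seen from inside the alloc
    metrics_url: http://127.0.0.1:9114/metrics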
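docker:

  # Define base_images so we can easily build 7 and 8 variants of the image
  # NOTE(review): nesting reconstructed from a listing that had lost its
  # indentation; the template paths below (.docker.base_images.<name>.
  # build_args.ES_VERSION) fix the position of build_args, the position of
  # tags is assumed - confirm against the repository copy.
  # The templated image values are quoted like every other templated value in
  # this file; the resulting string is unchanged.
  base_images:
    elasticsearch7:
      image: 'elasticsearch:[[ .docker.base_images.elasticsearch7.build_args.ES_VERSION ]]-1'
      build_args:
        ES_VERSION: 7.17.21
      # Moving tags that follow the latest build of this variant; the image
      # value above is the version-pinned reference.
      tags:
        - elasticsearch:7
        - elasticsearch7:latest

    elasticsearch8:
      # This is the image the server task references through
      # .docker.base_images.elasticsearch8.image
      image: 'elasticsearch:[[ .docker.base_images.elasticsearch8.build_args.ES_VERSION ]]-1'
      build_args:
        ES_VERSION: 8.13.3
      # Moving tags that follow the latest build of this variant; the image
      # value above is the version-pinned reference.
      tags:
        - elasticsearch:8
        - elasticsearch8:latest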