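# Batch job that runs Jikkou once against the Kafka brokers of this instance
# to apply the topic and ACL definitions rendered below. The client
# authenticates with a short-lived certificate issued by the Vault PKI.
job "[[ .instance ]]-jikkou" {

[[- $c := merge .kafka . ]]

[[ template "common/job_start" $c ]]

  type = "batch"

  meta {
    # Force job to be different for each execution
    run_uuid = "${uuidv4()}"
  }

  group "jikkou" {

[[- $c := merge $c.jikkou $c ]]

    network {
      mode = "bridge"
    }

[[ template "common/task.wait_for" $c ]]

    task "jikkou" {
      driver = "[[ $c.nomad.driver ]]"

      config {
        image = "[[ $c.image ]]"
        # The root filesystem is read-only: the task can only write to the
        # allocation directories and to the tmpfs declared below.
        readonly_rootfs = true
        pids_limit      = 100
        # The entry point is the wrapper script rendered to local/jikkou.
        command = "/local/jikkou"

[[ template "common/tmpfs" "/root" ]]

      }

[[ template "common/vault.policies" $c ]]

      env {
        # Key and certificate are read from the same bundle file, which the
        # pkiCert template below writes (certificate followed by private key).
        PEM_KEY_FILE  = "/secrets/jikkou.bundle.pem"
        PEM_CERT_FILE = "/secrets/jikkou.bundle.pem"
        # No template in this job renders this file; presumably the wrapper
        # script builds it from the PEM bundle. TODO confirm.
        P12_FILE = "/secrets/jikkou.p12"
      }

[[ template "common/file_env" $c ]]

      # Broker list built from the Consul service catalog, exported to the task
      # as an environment variable. change_mode is noop, so a change in the
      # catalog does not signal or restart a running task.
      template {
        data        = <<_EOT
KAFKA_BOOTSTRAP_SERVERS=
{{- range $index, $instance := service "[[ .instance ]]-broker[[ .consul.suffix ]]" -}}
{{ if ne $index 0 }},{{ end }}{{ $instance.Address }}:{{ $instance.Port }}
{{- end -}}
_EOT
        change_mode = "noop"
        destination = "secrets/.jikkou.env"
        env         = true
      }

      # A wrapper script to apply topic definition and ACL
      template {
        data        = <<_EOT
[[ template "kafka/jikkou/jikkou" $c ]]
_EOT
        destination = "local/jikkou"
        # Executable because it is the task command. Written as a quoted octal
        # string, like the certificate bundle below.
        perms = "0755"
      }

      # The jikkou configuration file
      template {
        data        = <<_EOT
[[ template "kafka/jikkou/jikkou.conf" $c ]]
_EOT
        destination = "local/jikkou.conf"
        # A configuration file is read, never executed, so the execute bits
        # the previous mode (755) carried are dropped.
        perms = "0644"
      }

      # Kafka topics definition
      # The definition is inserted when the job file is generated and the
      # result is parsed again by Nomad as a runtime template, so any template
      # delimiter inside it is evaluated with this task's Consul and Vault
      # access. Keep the variable under the same review as this file.
      # NOTE(review): when the variable is not a string, a comment-only file
      # is rendered and the job still runs. Confirm the wrapper treats an
      # empty definition as a no-op and not as a desired state to reconcile.
      template {
        data        = <<_EOT
[[- if isKind "string" $c.topics ]]
[[ $c.topics ]]
[[- else ]]
# Invalid kafka topics definition
[[- end ]]
_EOT
        destination = "local/kafka-topics.yml"
      }

      # Kafka ACL definition
      # Same double rendering and same fallback as the topics definition
      # above. An ACL file that silently renders empty deserves the same check
      # in the wrapper before anything is applied to the cluster.
      template {
        data        = <<_EOT
[[- if isKind "string" $c.acls ]]
[[ $c.acls ]]
[[- else ]]
# Invalid kafka ACL definition
[[- end ]]
_EOT
        destination = "local/kafka-acls.yml"
      }

      # Client cert used by Jikkou to connect on kafka brokers
      # Issued by the Vault PKI role named after this job, with a 15 minute
      # ttl. The file holds the private key, so it is readable by its owner
      # only (0400, uid/gid 100000; presumably the uid the task process runs
      # as, TODO confirm).
      # NOTE(review): no change_mode is set, so Nomad's default applies if the
      # certificate is rendered again while the task is running. Confirm this
      # is acceptable for a run that gets close to the ttl.
      template {
        data        = <<_EOT
{{- with pkiCert "[[ $c.vault.pki.path ]]/issue/[[ .instance ]]-jikkou" "common_name=[[ .instance ]]-jikkou" "ttl=15m" }}
{{ .Cert }}
{{ .Key }}
{{- end }}
_EOT
        destination = "secrets/jikkou.bundle.pem"
        uid         = 100000
        gid         = 100000
        perms       = "0400"
      }

      # CA certificate to validate brokers' cert
      # Public material, so the default file mode is kept.
      template {
        data        = <<_EOT
{{ with secret "[[ $c.vault.pki.path ]]/cert/ca_chain" }}{{ .Data.ca_chain }}{{ end }}
_EOT
        destination = "secrets/jikkou.ca.pem"
      }

[[ template "common/resources" $c ]]

    }
  }
}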