Support postgres pooler

example/lemonldap-ng.nomad.hcl

@@ -42,7 +42,7 @@ job "lemonldap-ng" {
         "traefik.http.routers.lemonldap-ng-portal.middlewares=rate-limit-std@file,inflight-std@file,security-headers@file,hsts@file",
         "traefik.http.routers.lemonldap-ng-manager.rule=Host(`manager.example.org`)",
         "traefik.http.routers.lemonldap-ng-manager.entrypoints=https",
-        "traefik.http.routers.lemonldap-ng-manager.middlewares=rate-limit-std@file,inflight-std@file,security-headers@file,hsts@file,compression@file",
+        "traefik.http.routers.lemonldap-ng-manager.middlewares=rate-limit-std@file,inflight-std@file,security-headers@file,hsts@file,compression@file,map[]",
 
       ]
     }
@@ -76,6 +76,8 @@ job "lemonldap-ng" {
 
 
 
+
+
     task "lemonldap-ng" {
       driver = "docker"
 
@@ -99,6 +101,7 @@ job "lemonldap-ng" {
 
       }
 
+
       vault {
         policies     = ["lemonldap-ng"]
         env          = false
@@ -106,6 +109,7 @@ job "lemonldap-ng" {
       }
 
 
+
       artifact {
         source      = "git::https://git.lapiole.org/nomad/lemonldap-ng.git//files/assets"
         destination = "local/assets/static/common"
@@ -129,12 +133,6 @@ job "lemonldap-ng" {
         data        = <<_EOT
 LANG=fr_FR.utf8
 LLNG_WORKERS=6
-PGDATABASE=lemonldap-ng
-PGHOST=127.0.0.1
-PGPASSWORD={{ with secret "database/creds/lemonldap-ng" }}{{ .Data.password }}{{ end }}
-PGPORT=5432
-PGSSLMODE=disable
-PGUSER={{ with secret "database/creds/lemonldap-ng" }}{{ .Data.username }}{{ end }}
 TZ=Europe/Paris
 _EOT
         destination = "secrets/.env"
@@ -249,6 +247,23 @@ _EOT
         destination = "local/init.ini"
       }
 
+      # Database settings
+      template {
+        data        = <<_EOT
+PGHOST=127.0.0.1
+PGDATABASE=lemonldap-ng
+PGSSLMODE=disable
+PGPORT=5432
+PGUSER={{ with secret "database/creds/lemonldap-ng" }}{{ .Data.username }}{{ end }}
+PGPASSWORD={{ with secret "database/creds/lemonldap-ng" }}{{ .Data.password }}{{ end }}
+_EOT
+        destination = "secrets/.db.env"
+        uid         = 100000
+        gid         = 100000
+        perms       = 400
+        env         = true
+      }
+
       # A small script to handle initialization (create tables, indexes, load initial config in the DB)
       template {
         data        = <<_EOT

lemonldap-ng.nomad.hcl

@@ -3,7 +3,7 @@ job "[[ .instance ]]" {
 [[ template "common/job_start" merge .llng . ]]
 
   group "lemonldap-ng" {
-[[- $c := merge .llng.engine . ]]
+[[- $c := merge .llng.engine .llng . ]]
 
     count = [[ $c.count ]]
 
@@ -53,6 +53,7 @@ job "[[ .instance ]]" {
     }
 
 [[ template "common/task.wait_for" $c ]]
+[[ template "common/postgres_pooler" $c ]]
 
     task "lemonldap-ng" {
       driver = [[ $c.nomad.driver | toJSON ]]
@@ -68,11 +69,7 @@ job "[[ .instance ]]" {
 [[ template "common/tmpfs" dict "size" "5000000" "target" "/tmp" ]]
       }
 
-      vault {
-        policies     = ["[[ .instance ]][[ .consul.suffix ]]"]
-        env          = false
-        disable_file = true
-      }
+[[ template "common/vault.policies" $c ]]
 
 [[ template "common/artifacts" $c ]]
 
@@ -107,6 +104,31 @@ _EOT
         destination = "local/init.ini"
       }
 
+      # Database settings
+      template {
+        data =<<_EOT
+PGHOST=[[ $c.postgres.host ]]
+PGDATABASE=[[ $c.postgres.database ]]
+[[- if ne $c.postgres.pooler.engine "none" ]]
+PGPORT=6432
+PGUSER=[[ .instance ]]
+PGPASSWORD={{ env "NOMAD_ALLOC_ID" }}
+[[- else ]]
+  [[- if and (not (has $c.env "PGSSLMODE")) (regexp.Match "^(127\\.0\\.0\\.1|localhost)$" .postgres.host) ]]
+PGSSLMODE=disable
+  [[- end ]]
+PGPORT=[[ $c.postgres.port ]]
+PGUSER=[[ $c.postgres.user ]]
+PGPASSWORD=[[ $c.postgres.password ]]
+[[- end ]]
+_EOT
+        destination = "secrets/.db.env"
+        uid         = 100000
+        gid         = 100000
+        perms       = 400
+        env         = true
+      }
+
       # A small script to handle initialization (create tables, indexes, load initial config in the DB)
       template {
         data = <<_EOT

variables.yml

@@ -29,16 +29,19 @@ llng:
     wait_for:
       - service: postgres[[ .consul.suffix ]]
 
+    # Vault policices
+    vault:
+      policies:
+        - '[[ .instance ]][[ .consul.suffix ]]'
+
+    # Database settings
+    postgres:
+      database: '[[ .instance ]]'
+      user: '{{ with secret "[[ .vault.prefix ]]database/creds/[[ .instance ]]" }}{{ .Data.username }}{{ end }}'
+      password: '{{ with secret "[[ .vault.prefix ]]database/creds/[[ .instance ]]" }}{{ .Data.password }}{{ end }}'
+
     # Additional env vars to pass to the container
     env:
-      # Database settings
-      PGHOST: 127.0.0.1
-      PGPORT: 5432
-      PGUSER: '{{ with secret "[[ .vault.prefix ]]database/creds/[[ .instance ]]" }}{{ .Data.username }}{{ end }}'
-      PGPASSWORD: '{{ with secret "[[ .vault.prefix ]]database/creds/[[ .instance ]]" }}{{ .Data.password }}{{ end }}'
-      PGDATABASE: '[[ .instance ]]'
-      # No need for SSL if postgres is accessed from the mesh
-      PGSSLMODE: disable
       # Max number of uwsgi workers. You might need to allocation more memory
       # if you need to rise this value (or you can just run several instances instead)
       LLNG_WORKERS: 6
@@ -81,7 +84,7 @@ llng:
         #- compression@file
 
       # List of middlewares to apply
-      middlewares: {}
+      middlewares: []
 
     # Cron jobs
     cron: