diff --git a/consul/config/service-intentions/mariadb.hcl b/consul/config/service-intentions/mariadb.hcl
index 168c1e2..9d0f460 100644
--- a/consul/config/service-intentions/mariadb.hcl
+++ b/consul/config/service-intentions/mariadb.hcl
@@ -1,16 +1,16 @@
 Kind = "service-intentions"
-Name = "[[ .mariadb.instance ]][[ .consul.suffix ]]"
+Name = "[[ .instance ]][[ .consul.suffix ]]"
 Sources = [
 {
- Name = "[[ (merge .mariadb.server.traefik .traefik).instance ]]"
+ Name = "[[ (merge .mariadb.server .).traefik.instance ]]"
 Action = "allow"
 },
 {
- Name = "[[ .mariadb.instance ]]-manage[[ .consul.suffix ]]"
+ Name = "[[ .instance ]]-manage[[ .consul.suffix ]]"
 Action = "allow"
 },
 {
- Name = "[[ .mariadb.instance ]]-backup[[ .consul.suffix ]]"
+ Name = "[[ .instance ]]-backup[[ .consul.suffix ]]"
 Action = "allow"
 }
 ]
diff --git a/init/vault-database b/init/vault-database
index 9463b23..c6c929f 100755
--- a/init/vault-database
+++ b/init/vault-database
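Review bot: The first Sources entry allows the traefik instance unconditionally, whereas mariadb.nomad.hcl only publishes the traefik router tags inside `[[- if $c.traefik.enabled ]]`, so with traefik disabled the intention still permits `[[ (merge .mariadb.server .).traefik.instance ]]` to open connections to the database. Guarding the entry the same way, `[[- if (merge .mariadb.server .).traefik.enabled ]]` before its `{` and `[[- end ]]` after its `},`, keeps the allow-list to sources that are actually deployed. That `traefik.enabled` is reachable through the same merged context as `$c` in the job file is inferred from mariadb.nomad.hcl rather than visible here, so confirm before relying on it.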
@@ -6,14 +6,14 @@ if [ "$(vault secrets list -format json | jq -r '.["[[ .vault.prefix ]]database/
 vault secrets enable -path [[ .vault.prefix ]]database database
 fi
-if [ "$(vault list -format json [[ .vault.prefix ]]database/config | jq '.[] | test("^[[ .mariadb.instance ]]$")')" = "false" ]; then
- vault write [[ .vault.prefix ]]database/config/[[ .mariadb.instance ]] \
+if [ "$(vault list -format json [[ .vault.prefix ]]database/config | jq '.[] | test("^[[ .instance ]]$")')" = "false" ]; then
+ vault write [[ .vault.prefix ]]database/config/[[ .instance ]] \
 plugin_name="mysql-database-plugin" \
 connection_url="{{username}}:{{password}}@tcp([[ (urlParse .mariadb.server.public_address).Host ]])/" \
 allowed_roles="*" \
 username=vault \
- password="$(vault kv get -field vault_initial_pwd [[ .vault.prefix ]]kv/service/[[ .mariadb.instance ]])" \
+ password="$(vault kv get -field vault_initial_pwd [[ .vault.prefix ]]kv/service/[[ .instance ]])" \
 disable_escaping=true
- vault write -force [[ .vault.prefix ]]database/rotate-root/[[ .mariadb.instance ]]
+ vault write -force [[ .vault.prefix ]]database/rotate-root/[[ .instance ]]
 fi
diff --git a/manage.nomad.hcl b/manage.nomad.hcl
index bf432d2..01dfec2 100644
--- a/manage.nomad.hcl
+++ b/manage.nomad.hcl
@@ -1,5 +1,5 @@
 [[ $c := merge .mariadb.manage . -]]
-job "[[ .mariadb.instance ]]-manage" {
+job "[[ .instance ]]-manage" {
 type = "batch"
 [[ template "common/job_start.tpl" $c ]]
@@ -14,7 +14,7 @@ job "[[ .mariadb.instance ]]-manage" {
 }
 service {
- name = "[[ .mariadb.instance ]]-manage[[ $c.consul.suffix ]]"
+ name = "[[ .instance ]]-manage[[ $c.consul.suffix ]]"
 [[ template "common/connect.tpl" $c ]]
 }
@@ -34,7 +34,7 @@ job "[[ .mariadb.instance ]]-manage" {
 }
 vault {
- policies = ["[[ .mariadb.instance ]][[ $c.consul.suffix ]]"]
+ policies = ["[[ .instance ]][[ $c.consul.suffix ]]"]
 }
 env {
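Review bot: The membership check on the new `if` line compares the whole jq output with the single string `false`, but jq emits one `true`/`false` per existing config entry and, when the path is empty and `vault list` exits non-zero, nothing at all, so the connection is only created when exactly one other instance already exists. prep.d/10-rand-pwd.sh in this same commit already uses a robust shape; the same form works here: `if ! vault list [[ .vault.prefix ]]database/config 2>/dev/null | grep -q -E '^[[ .instance ]]$'; then`. On the `password=` line the initial password is also expanded onto the `vault write` command line, where any local process listing can read it until `rotate-root` replaces it; the Vault CLI accepts `password=-` with the value supplied on stdin, which keeps it off argv.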
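Review bot: manage.nomad.hcl keeps `[[ template "common/job_start.tpl" $c ]]` (context of the first hunk) and `[[ template "common/connect.tpl" $c ]]` (hunk at line 14) while this commit moves mariadb.nomad.hcl and prep.d/mv_conf.sh to the suffix-less names `common/job_start`, `common/connect`, `common/task.wait_for`, `common/resources`, `common/env` and `common/mv_conf.sh`. If the shared templates were renamed along with those callers, the manage job stops rendering at that context line; the two references should become `[[ template "common/job_start" $c ]]` and `[[ template "common/connect" $c ]]`. Whether the old names are still defined somewhere is not visible in this diff, so this is inferred from the other files.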
@@ -97,7 +97,7 @@ _EOT
 [client]
 host = 127.0.0.1
 user = root
-password = {{ with secret "[[ .vault.prefix ]]kv/service/[[ .mariadb.instance ]]" }}{{ .Data.data.root_pwd }}{{ end }}
+password = {{ with secret "[[ .vault.prefix ]]kv/service/[[ .instance ]]" }}{{ .Data.data.root_pwd }}{{ end }}
 _EOT
 destination = "secrets/my.cnf"
 uid = 100100
@@ -107,7 +107,7 @@ _EOT
 template {
 data = <<_EOT
-{{ with secret "[[ .vault.prefix ]]kv/service/[[ .mariadb.instance ]]" }}
+{{ with secret "[[ .vault.prefix ]]kv/service/[[ .instance ]]" }}
 VAULT_INITIAL_PASSWORD={{ .Data.data.vault_initial_pwd }}
 BACKUP_PASSWORD={{ .Data.data.backup_pwd }}
 {{ end }}
diff --git a/mariadb.nomad.hcl b/mariadb.nomad.hcl
index a096368..dc81631 100644
--- a/mariadb.nomad.hcl
+++ b/mariadb.nomad.hcl
@@ -1,7 +1,7 @@
 [[- $c := merge .mariadb.server . -]]
-job [[ .mariadb.instance | toJSON ]] {
+job [[ .instance | toJSON ]] {
-[[ template "common/job_start.tpl" $c ]]
+[[ template "common/job_start" $c ]]
 group "server" {
@@ -18,10 +18,10 @@ job [[ .mariadb.instance | toJSON ]] {
 }
 service {
- name = "[[ .mariadb.instance ]][[ $c.consul.suffix ]]"
+ name = "[[ .instance ]][[ $c.consul.suffix ]]"
 port = 3306
-[[ template "common/connect.tpl" $c ]]
+[[ template "common/connect" $c ]]
 check {
 name = "alive"
@@ -38,9 +38,9 @@ job [[ .mariadb.instance | toJSON ]] {
 [[- if $c.traefik.enabled ]]
 tags = [
 "[[ $c.traefik.instance ]].enable=true",
- "[[ $c.traefik.instance ]].tcp.routers.[[ .mariadb.instance ]][[ $c.consul.suffix ]].rule=HostSNI(`*`)",
- "[[ $c.traefik.instance ]].tcp.routers.[[ .mariadb.instance ]][[ $c.consul.suffix ]].entrypoints=[[ join $c.traefik.entrypoints "," ]]",
- "[[ $c.traefik.instance ]].tcp.routers.[[ .mariadb.instance ]][[ $c.consul.suffix ]].middlewares=[[ join $c.traefik.middlewares "," ]]"
+ "[[ $c.traefik.instance ]].tcp.routers.[[ .instance ]][[ $c.consul.suffix ]].rule=HostSNI(`*`)",
+ "[[ $c.traefik.instance ]].tcp.routers.[[ .instance ]][[ $c.consul.suffix ]].entrypoints=[[ join $c.traefik.entrypoints "," ]]",
+ "[[ $c.traefik.instance ]].tcp.routers.[[ .instance ]][[ $c.consul.suffix ]].middlewares=[[ join $c.traefik.middlewares "," ]]"
 ]
 [[- end ]]
 }
@@ -60,7 +60,7 @@ job [[ .mariadb.instance | toJSON ]] {
 }
 vault {
- policies = ["[[ .mariadb.instance ]][[ .consul.suffix ]]"]
+ policies = ["[[ .instance ]][[ .consul.suffix ]]"]
 env = false
 disable_file = true
 }
@@ -70,7 +70,7 @@ job [[ .mariadb.instance | toJSON ]] {
 [client]
 user = root
 host = 127.0.0.1
-password = {{ with secret "[[ .vault.prefix ]]kv/service/[[ .mariadb.instance ]]" }}{{ .Data.data.root_pwd }}{{ end }}
+password = {{ with secret "[[ .vault.prefix ]]kv/service/[[ .instance ]]" }}{{ .Data.data.root_pwd }}{{ end }}
 _EOT
 destination = "secrets/.my.cnf"
 uid = 100100
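Review bot: The three router tags rewritten in the hunk at line 38 carry the HostSNI catch-all rule, which for a non-TLS TCP router makes Traefik forward every connection arriving on `$c.traefik.entrypoints` to port 3306; the entrypoint list and `$c.traefik.middlewares` are the only things scoping who can reach the database through the proxy. A comment above `tags = [` stating this, e.g. `# the HostSNI catch-all rule forwards every TCP connection on the listed entrypoints to MariaDB; limit exposure via traefik.entrypoints / traefik.middlewares (e.g. an IP allow-list)`, would make that reach explicit to whoever sets traefik.enabled. The defaults for those two lists live outside this diff, so the rendered exposure cannot be judged from here.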
@@ -115,19 +115,19 @@ _EOT
 }
 vault {
- policies = ["[[ .mariadb.instance ]][[ .consul.suffix ]]"]
+ policies = ["[[ .instance ]][[ .consul.suffix ]]"]
 env = false
 disable_file = true
 }
 env {
 MYSQL_CONF_11_bind-address = "127.0.0.1"
-[[ template "common/env.tpl" $c.env ]]
+[[ template "common/env" $c.env ]]
 }
 template {
 data = <<_EOT
-{{ with secret "[[ .vault.prefix ]]kv/service/[[ .mariadb.instance ]]" }}
+{{ with secret "[[ .vault.prefix ]]kv/service/[[ .instance ]]" }}
 MYSQL_ROOT_PASSWORD={{ .Data.data.root_pwd }}
 {{ end }}
 _EOT
@@ -142,7 +142,7 @@ _EOT
 data = <<_EOT
 [client]
 user = root
-password = {{ with secret "[[ .vault.prefix ]]kv/service/[[ .mariadb.instance ]]" }}{{ .Data.data.root_pwd }}{{ end }}
+password = {{ with secret "[[ .vault.prefix ]]kv/service/[[ .instance ]]" }}{{ .Data.data.root_pwd }}{{ end }}
 _EOT
 destination = "secrets/my.conf"
 uid = 100100
@@ -155,7 +155,7 @@ _EOT
 destination = "/data"
 }
-[[ template "common/resources.tpl" .mariadb.server.resources ]]
+[[ template "common/resources" .mariadb.server.resources ]]
 }
 }
@@ -176,11 +176,11 @@ _EOT
 }
 service {
- name = "[[ .mariadb.instance ]]-backup[[ $c.consul.suffix ]]"
-[[ template "common/connect.tpl" $c ]]
+ name = "[[ .instance ]]-backup[[ $c.consul.suffix ]]"
+[[ template "common/connect" $c ]]
 }
-[[ template "common/task.wait_for.tpl" $c ]]
+[[ template "common/task.wait_for" $c ]]
 task "backup" {
 driver = [[ $c.nomad.driver | toJSON ]]
@@ -196,7 +196,7 @@ _EOT
 }
 vault {
- policies = ["[[ .mariadb.instance ]][[ $c.consul.suffix ]]"]
+ policies = ["[[ .instance ]][[ $c.consul.suffix ]]"]
 env = false
 disable_file = true
 }
@@ -206,7 +206,7 @@ _EOT
 [client]
 user = root
 host = 127.0.0.1
-password = {{ with secret "[[ .vault.prefix ]]kv/service/[[ .mariadb.instance ]]" }}{{ .Data.data.root_pwd }}{{ end }}
+password = {{ with secret "[[ .vault.prefix ]]kv/service/[[ .instance ]]" }}{{ .Data.data.root_pwd }}{{ end }}
 _EOT
 destination = "secrets/.my.cnf"
 uid = 100000
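Review bot: The `[client]` template in the hunk at line 206 (which appears to sit inside `task "backup"`, opened in the hunk at line 176) logs the dump job in as `user = root` with `{{ .Data.data.root_pwd }}`, even though manage.nomad.hcl exports a separate `BACKUP_PASSWORD={{ .Data.data.backup_pwd }}` that nothing in this job consumes. Using that dedicated credential here, `password = {{ with secret "[[ .vault.prefix ]]kv/service/[[ .instance ]]" }}{{ .Data.data.backup_pwd }}{{ end }}` together with a matching `user =` line, keeps the root password out of the backup allocation's secrets directory and lets the backup account be limited to the privileges a dump needs. Whether the manage job actually creates that account, and under which username, is outside this diff, so confirm before switching.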
@@ -234,7 +234,7 @@ _EOT
 destination = "/backup"
 }
-[[ template "common/resources.tpl" .mariadb.backup.resources ]]
+[[ template "common/resources" .mariadb.backup.resources ]]
 }
 }
diff --git a/prep.d/10-rand-pwd.sh b/prep.d/10-rand-pwd.sh
index 400666a..3bcaa2e 100755
--- a/prep.d/10-rand-pwd.sh
+++ b/prep.d/10-rand-pwd.sh
@@ -2,15 +2,15 @@
 set -euo pipefail
-if ! vault kv list [[ .vault.prefix ]]kv/service 2>/dev/null | grep -q -E '^[[ .mariadb.instance ]]$'; then
- vault kv put [[ .vault.prefix ]]kv/service/[[ .mariadb.instance ]] \
+if ! vault kv list [[ .vault.prefix ]]kv/service 2>/dev/null | grep -q -E '^[[ .instance ]]$'; then
+ vault kv put [[ .vault.prefix ]]kv/service/[[ .instance ]] \
 root_pwd=$(pwgen -s -n 50 1) \
 vault_initial_pwd=$(pwgen -s -n 50 1)
 fi
 for PWD in root_pwd vault_initial_pwd; do
- if ! vault kv get -field ${PWD} [[ .vault.prefix ]]kv/service/[[ .mariadb.instance ]] >/dev/null 2>&1; then
- vault kv patch [[ .vault.prefix ]]kv/service/[[ .mariadb.instance ]] \
+ if ! vault kv get -field ${PWD} [[ .vault.prefix ]]kv/service/[[ .instance ]] >/dev/null 2>&1; then
+ vault kv patch [[ .vault.prefix ]]kv/service/[[ .instance ]] \
 ${PWD}=$(pwgen -s -n 50 1)
 fi
 done
diff --git a/prep.d/mv_conf.sh b/prep.d/mv_conf.sh
index a02b162..e992f59 100755
--- a/prep.d/mv_conf.sh
+++ b/prep.d/mv_conf.sh
@@ -1 +1 @@
-[[ template "common/mv_conf.sh.tpl" dict "ctx" . "services" (dict "mariadb" .mariadb.instance) ]]
+[[ template "common/mv_conf.sh" dict "ctx" . "services" (dict "mariadb" .instance) ]]
diff --git a/variables.yml b/variables.yml
index af0348a..340420f 100644
--- a/variables.yml
+++ b/variables.yml
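Review bot: The loop in the prep.d/10-rand-pwd.sh hunk uses `PWD` as its iteration variable, overwriting the shell's current-working-directory variable for the rest of the script; nothing visible after the loop depends on it, but it reads as a bug and will bite the first time a `cd`-relative command is added below. A neutral name fixes it: `for FIELD in root_pwd vault_initial_pwd; do` with `-field ${FIELD}` and `${FIELD}=$(pwgen -s -n 50 1)`. The generated values are also passed as `vault kv put`/`vault kv patch` arguments, so they are briefly visible in process listings on the host running the prep step; if that matters in your environment, the CLI's `key=-` stdin form avoids it for the single-value patch.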
@@ -1,19 +1,19 @@
 ---
-mariadb:
+# Name of the instance. Will be used for the job name, and the services names
+instance: mariadb
- # Name of the instance. Will be used for the job name, and the services names
- instance: mariadb
+mariadb:
 # MariaDB server settings
 server:
 # The image to use
- image: danielberteaud/mariadb:23.10-2
+ image: '[[ .docker.repo ]]mariadb:23.12-1'
 # Resource allocation
 resources:
- cpu: 200
+ cpu: 1000
 memory: 512
 # Custom env var to pass to the container
@@ -49,12 +49,12 @@ mariadb:
 # Resource allocation
 resources:
- cpu: 10
+ cpu: 20
 memory: 64
 # Service to wait for
 wait_for:
- - service: '[[ .mariadb.instance ]]'
+ - service: '[[ .instance ]]'
 # Custom env vars to pass to the container
 env: {}
@@ -70,7 +70,7 @@ mariadb:
 # users:
 # kimai:
 # host: %
- # password: '{{ with secret "[[ .vault.prefix ]]kv/service/[[ .mariadb.instance ]]" }}{{ .Data.data.kimai_pwd }}{{ end }}'
+ # password: '{{ with secret "[[ .vault.prefix ]]kv/service/[[ .instance ]]" }}{{ .Data.data.kimai_pwd }}{{ end }}'
 # grants:
 # - 'ALL PRIVILEGES ON kimai.*'
 users: {}
@@ -80,27 +80,28 @@ mariadb:
 connect:
 upstreams:
 # Connect to the mariadb service from the service mesh
- - destination_name: '[[ .mariadb.instance ]][[ .consul.suffix ]]'
+ - destination_name: '[[ .instance ]][[ .consul.suffix ]]'
 local_bind_port: 3306
 # Backup service, which can create regular dumps of the databases
 backup:
- image: danielberteaud/mariadb-backup:23.10-1
+ image: '[[ .docker.repo ]]mariadb-backup:23.12-1'
 # Resource allocation
 resources:
- cpu: 200
+ cpu: 300
 memory: 128
+ memory_max: 256
 wait_for:
- - service: '[[ .mariadb.instance ]]'
+ - service: '[[ .instance ]]'
 # Consul settings
 consul:
 connect:
 upstreams:
 # Connect to MariaDB in the service mesh
- - destination_name: '[[ .mariadb.instance ]][[ .consul.suffix ]]'
+ - destination_name: '[[ .instance ]][[ .consul.suffix ]]'
 local_bind_port: 3306
 # mysqldump cron
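Review bot: The two new `image:` values, `'[[ .docker.repo ]]mariadb:23.12-1'` in the first hunk and `'[[ .docker.repo ]]mariadb-backup:23.12-1'` in the hunk at line 80, concatenate the repository prefix with no separator, so `docker.repo` has to be either empty or end with `/` for the reference to resolve, and that contract is not written anywhere in this file. A comment next to the first one, `# docker.repo must be empty (Docker Hub) or end with a trailing slash`, would save the next person a failed image pull. The single quotes around the `[[ ... ]]` expansion are needed and correct, since an unquoted leading `[` would be parsed as a flow sequence.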
@@ -117,10 +118,10 @@ mariadb:
 # You need to create at least mariadb-data[0]
 data:
 type: csi
- source: '[[ .mariadb.instance ]]-data'
+ source: '[[ .instance ]]-data'
 # Volume which holds database dumps
 # will be opened as multi-node-multi-writer (can be NFS for example)
 backup:
 type: csi
- source: '[[ .mariadb.instance ]]-backup'
+ source: '[[ .instance ]]-backup'
diff --git a/vault/policies/mariadb.hcl b/vault/policies/mariadb.hcl
index 29e924a..b37a3c2 100644
--- a/vault/policies/mariadb.hcl
+++ b/vault/policies/mariadb.hcl
@@ -1,3 +1,3 @@
-path "[[ .vault.prefix ]]kv/data/service/[[ .mariadb.instance ]]" {
+path "[[ .vault.prefix ]]kv/data/service/[[ .instance ]]" {
 capabilities = ["read"]
 }