Daniel Berteaud 2023-12-21 22:47:19 +01:00
parent f5e09c4ffd
commit 78ea6b1f46
8 changed files with 55 additions and 54 deletions


@ -1,16 +1,16 @@
Kind = "service-intentions" Kind = "service-intentions"
Name = "[[ .mariadb.instance ]][[ .consul.suffix ]]" Name = "[[ .instance ]][[ .consul.suffix ]]"
Sources = [ Sources = [
{ {
Name = "[[ (merge .mariadb.server.traefik .traefik).instance ]]" Name = "[[ (merge .mariadb.server .).traefik.instance ]]"
Action = "allow" Action = "allow"
}, },
{ {
Name = "[[ .mariadb.instance ]]-manage[[ .consul.suffix ]]" Name = "[[ .instance ]]-manage[[ .consul.suffix ]]"
Action = "allow" Action = "allow"
}, },
{ {
Name = "[[ .mariadb.instance ]]-backup[[ .consul.suffix ]]" Name = "[[ .instance ]]-backup[[ .consul.suffix ]]"
Action = "allow" Action = "allow"
} }
] ]


@ -6,14 +6,14 @@ if [ "$(vault secrets list -format json | jq -r '.["[[ .vault.prefix ]]database/
vault secrets enable -path [[ .vault.prefix ]]database database vault secrets enable -path [[ .vault.prefix ]]database database
fi fi
if [ "$(vault list -format json [[ .vault.prefix ]]database/config | jq '.[] | test("^[[ .mariadb.instance ]]$")')" = "false" ]; then if [ "$(vault list -format json [[ .vault.prefix ]]database/config | jq '.[] | test("^[[ .instance ]]$")')" = "false" ]; then
vault write [[ .vault.prefix ]]database/config/[[ .mariadb.instance ]] \ vault write [[ .vault.prefix ]]database/config/[[ .instance ]] \
plugin_name="mysql-database-plugin" \ plugin_name="mysql-database-plugin" \
connection_url="{{username}}:{{password}}@tcp([[ (urlParse .mariadb.server.public_address).Host ]])/" \ connection_url="{{username}}:{{password}}@tcp([[ (urlParse .mariadb.server.public_address).Host ]])/" \
allowed_roles="*" \ allowed_roles="*" \
username=vault \ username=vault \
password="$(vault kv get -field vault_initial_pwd [[ .vault.prefix ]]kv/service/[[ .mariadb.instance ]])" \ password="$(vault kv get -field vault_initial_pwd [[ .vault.prefix ]]kv/service/[[ .instance ]])" \
disable_escaping=true disable_escaping=true
vault write -force [[ .vault.prefix ]]database/rotate-root/[[ .mariadb.instance ]] vault write -force [[ .vault.prefix ]]database/rotate-root/[[ .instance ]]
fi fi
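Review bot: The guard on the new `if` line compares the whole jq output to the single string `false`, so it only fires when exactly one other database config exists; with no configs (`vault list` prints nothing) or several (one `true`/`false` per line), the comparison fails and the `vault write` for `[[ .instance ]]` is skipped. Passing the name as a jq argument also stops the instance name being interpreted as a regular expression: `if ! vault list -format json [[ .vault.prefix ]]database/config 2>/dev/null | jq -e --arg i '[[ .instance ]]' 'index($i) != null' >/dev/null; then`. The `allowed_roles="*"` and `disable_escaping=true` lines are unchanged, but a comment above them noting that any role on this mount may use this root-level connection would document the trust boundary. The enclosing `if` at the top of the hunk starts outside it.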


@ -1,5 +1,5 @@
[[ $c := merge .mariadb.manage . -]] [[ $c := merge .mariadb.manage . -]]
job "[[ .mariadb.instance ]]-manage" { job "[[ .instance ]]-manage" {
type = "batch" type = "batch"
[[ template "common/job_start.tpl" $c ]] [[ template "common/job_start.tpl" $c ]]
@ -14,7 +14,7 @@ job "[[ .mariadb.instance ]]-manage" {
} }
service { service {
name = "[[ .mariadb.instance ]]-manage[[ $c.consul.suffix ]]" name = "[[ .instance ]]-manage[[ $c.consul.suffix ]]"
[[ template "common/connect.tpl" $c ]] [[ template "common/connect.tpl" $c ]]
} }
@ -34,7 +34,7 @@ job "[[ .mariadb.instance ]]-manage" {
} }
vault { vault {
policies = ["[[ .mariadb.instance ]][[ $c.consul.suffix ]]"] policies = ["[[ .instance ]][[ $c.consul.suffix ]]"]
} }
env { env {
@ -97,7 +97,7 @@ _EOT
[client] [client]
host = 127.0.0.1 host = 127.0.0.1
user = root user = root
password = {{ with secret "[[ .vault.prefix ]]kv/service/[[ .mariadb.instance ]]" }}{{ .Data.data.root_pwd }}{{ end }} password = {{ with secret "[[ .vault.prefix ]]kv/service/[[ .instance ]]" }}{{ .Data.data.root_pwd }}{{ end }}
_EOT _EOT
destination = "secrets/my.cnf" destination = "secrets/my.cnf"
uid = 100100 uid = 100100
@ -107,7 +107,7 @@ _EOT
template { template {
data = <<_EOT data = <<_EOT
{{ with secret "[[ .vault.prefix ]]kv/service/[[ .mariadb.instance ]]" }} {{ with secret "[[ .vault.prefix ]]kv/service/[[ .instance ]]" }}
VAULT_INITIAL_PASSWORD={{ .Data.data.vault_initial_pwd }} VAULT_INITIAL_PASSWORD={{ .Data.data.vault_initial_pwd }}
BACKUP_PASSWORD={{ .Data.data.backup_pwd }} BACKUP_PASSWORD={{ .Data.data.backup_pwd }}
{{ end }} {{ end }}


@ -1,7 +1,7 @@
[[- $c := merge .mariadb.server . -]] [[- $c := merge .mariadb.server . -]]
job [[ .mariadb.instance | toJSON ]] { job [[ .instance | toJSON ]] {
[[ template "common/job_start.tpl" $c ]] [[ template "common/job_start" $c ]]
group "server" { group "server" {
@ -18,10 +18,10 @@ job [[ .mariadb.instance | toJSON ]] {
} }
service { service {
name = "[[ .mariadb.instance ]][[ $c.consul.suffix ]]" name = "[[ .instance ]][[ $c.consul.suffix ]]"
port = 3306 port = 3306
[[ template "common/connect.tpl" $c ]] [[ template "common/connect" $c ]]
check { check {
name = "alive" name = "alive"
@ -38,9 +38,9 @@ job [[ .mariadb.instance | toJSON ]] {
[[- if $c.traefik.enabled ]] [[- if $c.traefik.enabled ]]
tags = [ tags = [
"[[ $c.traefik.instance ]].enable=true", "[[ $c.traefik.instance ]].enable=true",
"[[ $c.traefik.instance ]].tcp.routers.[[ .mariadb.instance ]][[ $c.consul.suffix ]].rule=HostSNI(`*`)", "[[ $c.traefik.instance ]].tcp.routers.[[ .instance ]][[ $c.consul.suffix ]].rule=HostSNI(`*`)",
"[[ $c.traefik.instance ]].tcp.routers.[[ .mariadb.instance ]][[ $c.consul.suffix ]].entrypoints=[[ join $c.traefik.entrypoints "," ]]", "[[ $c.traefik.instance ]].tcp.routers.[[ .instance ]][[ $c.consul.suffix ]].entrypoints=[[ join $c.traefik.entrypoints "," ]]",
"[[ $c.traefik.instance ]].tcp.routers.[[ .mariadb.instance ]][[ $c.consul.suffix ]].middlewares=[[ join $c.traefik.middlewares "," ]]" "[[ $c.traefik.instance ]].tcp.routers.[[ .instance ]][[ $c.consul.suffix ]].middlewares=[[ join $c.traefik.middlewares "," ]]"
] ]
[[- end ]] [[- end ]]
} }
@ -60,7 +60,7 @@ job [[ .mariadb.instance | toJSON ]] {
} }
vault { vault {
policies = ["[[ .mariadb.instance ]][[ .consul.suffix ]]"] policies = ["[[ .instance ]][[ .consul.suffix ]]"]
env = false env = false
disable_file = true disable_file = true
} }
@ -70,7 +70,7 @@ job [[ .mariadb.instance | toJSON ]] {
[client] [client]
user = root user = root
host = 127.0.0.1 host = 127.0.0.1
password = {{ with secret "[[ .vault.prefix ]]kv/service/[[ .mariadb.instance ]]" }}{{ .Data.data.root_pwd }}{{ end }} password = {{ with secret "[[ .vault.prefix ]]kv/service/[[ .instance ]]" }}{{ .Data.data.root_pwd }}{{ end }}
_EOT _EOT
destination = "secrets/.my.cnf" destination = "secrets/.my.cnf"
uid = 100100 uid = 100100
@ -115,19 +115,19 @@ _EOT
} }
vault { vault {
policies = ["[[ .mariadb.instance ]][[ .consul.suffix ]]"] policies = ["[[ .instance ]][[ .consul.suffix ]]"]
env = false env = false
disable_file = true disable_file = true
} }
env { env {
MYSQL_CONF_11_bind-address = "127.0.0.1" MYSQL_CONF_11_bind-address = "127.0.0.1"
[[ template "common/env.tpl" $c.env ]] [[ template "common/env" $c.env ]]
} }
template { template {
data = <<_EOT data = <<_EOT
{{ with secret "[[ .vault.prefix ]]kv/service/[[ .mariadb.instance ]]" }} {{ with secret "[[ .vault.prefix ]]kv/service/[[ .instance ]]" }}
MYSQL_ROOT_PASSWORD={{ .Data.data.root_pwd }} MYSQL_ROOT_PASSWORD={{ .Data.data.root_pwd }}
{{ end }} {{ end }}
_EOT _EOT
@ -142,7 +142,7 @@ _EOT
data = <<_EOT data = <<_EOT
[client] [client]
user = root user = root
password = {{ with secret "[[ .vault.prefix ]]kv/service/[[ .mariadb.instance ]]" }}{{ .Data.data.root_pwd }}{{ end }} password = {{ with secret "[[ .vault.prefix ]]kv/service/[[ .instance ]]" }}{{ .Data.data.root_pwd }}{{ end }}
_EOT _EOT
destination = "secrets/my.conf" destination = "secrets/my.conf"
uid = 100100 uid = 100100
@ -155,7 +155,7 @@ _EOT
destination = "/data" destination = "/data"
} }
[[ template "common/resources.tpl" .mariadb.server.resources ]] [[ template "common/resources" .mariadb.server.resources ]]
} }
} }
@ -176,11 +176,11 @@ _EOT
} }
service { service {
name = "[[ .mariadb.instance ]]-backup[[ $c.consul.suffix ]]" name = "[[ .instance ]]-backup[[ $c.consul.suffix ]]"
[[ template "common/connect.tpl" $c ]] [[ template "common/connect" $c ]]
} }
[[ template "common/task.wait_for.tpl" $c ]] [[ template "common/task.wait_for" $c ]]
task "backup" { task "backup" {
driver = [[ $c.nomad.driver | toJSON ]] driver = [[ $c.nomad.driver | toJSON ]]
@ -196,7 +196,7 @@ _EOT
} }
vault { vault {
policies = ["[[ .mariadb.instance ]][[ $c.consul.suffix ]]"] policies = ["[[ .instance ]][[ $c.consul.suffix ]]"]
env = false env = false
disable_file = true disable_file = true
} }
@ -206,7 +206,7 @@ _EOT
[client] [client]
user = root user = root
host = 127.0.0.1 host = 127.0.0.1
password = {{ with secret "[[ .vault.prefix ]]kv/service/[[ .mariadb.instance ]]" }}{{ .Data.data.root_pwd }}{{ end }} password = {{ with secret "[[ .vault.prefix ]]kv/service/[[ .instance ]]" }}{{ .Data.data.root_pwd }}{{ end }}
_EOT _EOT
destination = "secrets/.my.cnf" destination = "secrets/.my.cnf"
uid = 100000 uid = 100000
@ -234,7 +234,7 @@ _EOT
destination = "/backup" destination = "/backup"
} }
[[ template "common/resources.tpl" .mariadb.backup.resources ]] [[ template "common/resources" .mariadb.backup.resources ]]
} }
} }
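Review bot: The template references renamed here (`common/job_start`, `common/connect`, `common/env`, `common/resources`, `common/task.wait_for`, and `common/mv_conf.sh` in the later one-line file) drop the `.tpl` suffix, but the manage job in the earlier section still calls `common/job_start.tpl` and `common/connect.tpl`; unless both names are defined, one of the two jobs will fail to render. It would also help to settle on one of `.consul.suffix` (the `policies` lines) and `$c.consul.suffix` (the service `name` lines): `$c` is `merge .mariadb.server .`, so a server-level `consul` override would make the Vault policy name diverge from the service name, though I cannot see from these hunks whether such an override exists. The enclosing `job` block and most of its groups extend outside the hunks.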


@ -2,15 +2,15 @@
set -euo pipefail set -euo pipefail
if ! vault kv list [[ .vault.prefix ]]kv/service 2>/dev/null | grep -q -E '^[[ .mariadb.instance ]]$'; then if ! vault kv list [[ .vault.prefix ]]kv/service 2>/dev/null | grep -q -E '^[[ .instance ]]$'; then
vault kv put [[ .vault.prefix ]]kv/service/[[ .mariadb.instance ]] \ vault kv put [[ .vault.prefix ]]kv/service/[[ .instance ]] \
root_pwd=$(pwgen -s -n 50 1) \ root_pwd=$(pwgen -s -n 50 1) \
vault_initial_pwd=$(pwgen -s -n 50 1) vault_initial_pwd=$(pwgen -s -n 50 1)
fi fi
for PWD in root_pwd vault_initial_pwd; do for PWD in root_pwd vault_initial_pwd; do
if ! vault kv get -field ${PWD} [[ .vault.prefix ]]kv/service/[[ .mariadb.instance ]] >/dev/null 2>&1; then if ! vault kv get -field ${PWD} [[ .vault.prefix ]]kv/service/[[ .instance ]] >/dev/null 2>&1; then
vault kv patch [[ .vault.prefix ]]kv/service/[[ .mariadb.instance ]] \ vault kv patch [[ .vault.prefix ]]kv/service/[[ .instance ]] \
${PWD}=$(pwgen -s -n 50 1) ${PWD}=$(pwgen -s -n 50 1)
fi fi
done done
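Review bot: `for PWD in root_pwd vault_initial_pwd` reuses `PWD`, the shell's current-directory variable, so after the loop `$PWD` holds the string `vault_initial_pwd`; a plain name such as `for FIELD in root_pwd vault_initial_pwd; do` with `${FIELD}` on the following two lines avoids that. The `grep -q -E '^[[ .instance ]]$'` test also interprets the instance name as a regular expression; `grep -q -x -F '[[ .instance ]]'` matches it literally. The generated passwords are passed on the `vault kv put`/`patch` command line, where they are briefly visible to other local processes; Vault's CLI accepts `key=-` to read a single value from stdin if that matters in this environment. Only the rename touches these lines, so the first two points predate the commit.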


@ -1 +1 @@
[[ template "common/mv_conf.sh.tpl" dict "ctx" . "services" (dict "mariadb" .mariadb.instance) ]] [[ template "common/mv_conf.sh" dict "ctx" . "services" (dict "mariadb" .instance) ]]


@ -1,19 +1,19 @@
--- ---
mariadb: # Name of the instance. Will be used for the job name, and the services names
instance: mariadb
# Name of the instance. Will be used for the job name, and the services names mariadb:
instance: mariadb
# MariaDB server settings # MariaDB server settings
server: server:
# The image to use # The image to use
image: danielberteaud/mariadb:23.10-2 image: '[[ .docker.repo ]]mariadb:23.12-1'
# Resource allocation # Resource allocation
resources: resources:
cpu: 200 cpu: 1000
memory: 512 memory: 512
# Custom env var to pass to the container # Custom env var to pass to the container
@ -49,12 +49,12 @@ mariadb:
# Resource allocation # Resource allocation
resources: resources:
cpu: 10 cpu: 20
memory: 64 memory: 64
# Service to wait for # Service to wait for
wait_for: wait_for:
- service: '[[ .mariadb.instance ]]' - service: '[[ .instance ]]'
# Custom env vars to pass to the container # Custom env vars to pass to the container
env: {} env: {}
@ -70,7 +70,7 @@ mariadb:
# users: # users:
# kimai: # kimai:
# host: % # host: %
# password: '{{ with secret "[[ .vault.prefix ]]kv/service/[[ .mariadb.instance ]]" }}{{ .Data.data.kimai_pwd }}{{ end }}' # password: '{{ with secret "[[ .vault.prefix ]]kv/service/[[ .instance ]]" }}{{ .Data.data.kimai_pwd }}{{ end }}'
# grants: # grants:
# - 'ALL PRIVILEGES ON kimai.*' # - 'ALL PRIVILEGES ON kimai.*'
users: {} users: {}
@ -80,27 +80,28 @@ mariadb:
connect: connect:
upstreams: upstreams:
# Connect to the mariadb service from the service mesh # Connect to the mariadb service from the service mesh
- destination_name: '[[ .mariadb.instance ]][[ .consul.suffix ]]' - destination_name: '[[ .instance ]][[ .consul.suffix ]]'
local_bind_port: 3306 local_bind_port: 3306
# Backup service, which can create regular dumps of the databases # Backup service, which can create regular dumps of the databases
backup: backup:
image: danielberteaud/mariadb-backup:23.10-1 image: '[[ .docker.repo ]]mariadb-backup:23.12-1'
# Resource allocation # Resource allocation
resources: resources:
cpu: 200 cpu: 300
memory: 128 memory: 128
memory_max: 256
wait_for: wait_for:
- service: '[[ .mariadb.instance ]]' - service: '[[ .instance ]]'
# Consul settings # Consul settings
consul: consul:
connect: connect:
upstreams: upstreams:
# Connect to MariaDB in the service mesh # Connect to MariaDB in the service mesh
- destination_name: '[[ .mariadb.instance ]][[ .consul.suffix ]]' - destination_name: '[[ .instance ]][[ .consul.suffix ]]'
local_bind_port: 3306 local_bind_port: 3306
# mysqldump cron # mysqldump cron
@ -117,10 +118,10 @@ mariadb:
# You need to create at least mariadb-data[0] # You need to create at least mariadb-data[0]
data: data:
type: csi type: csi
source: '[[ .mariadb.instance ]]-data' source: '[[ .instance ]]-data'
# Volume which holds database dumps # Volume which holds database dumps
# will be opened as multi-node-multi-writer (can be NFS for example) # will be opened as multi-node-multi-writer (can be NFS for example)
backup: backup:
type: csi type: csi
source: '[[ .mariadb.instance ]]-backup' source: '[[ .instance ]]-backup'
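Review bot: `image: '[[ .docker.repo ]]mariadb:23.12-1'` (and the backup image further down) concatenates the repo prefix with no separator, so the rendered reference depends on `.docker.repo` being non-empty and carrying its own trailing `/`; an empty value would silently resolve to `mariadb:23.12-1` on the default registry, which is a different image. A comment above the key stating that contract, e.g. `# Registry/repo prefix including the trailing slash; append a digest to pin the image`, would make the expectation visible. Moving `instance` from `mariadb.instance` to the root also means an existing override of `mariadb.instance` is now silently ignored, and nothing in the file marks the relocation. `.docker.repo` and the rest of the values file lie outside these hunks.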


@ -1,3 +1,3 @@
path "[[ .vault.prefix ]]kv/data/service/[[ .mariadb.instance ]]" { path "[[ .vault.prefix ]]kv/data/service/[[ .instance ]]" {
capabilities = ["read"] capabilities = ["read"]
} }