Cleanup
parent
f5e09c4ffd
commit
78ea6b1f46
@ -1,16 +1,16 @@
|
||||||
Kind = "service-intentions"
|
Kind = "service-intentions"
|
||||||
Name = "[[ .mariadb.instance ]][[ .consul.suffix ]]"
|
Name = "[[ .instance ]][[ .consul.suffix ]]"
|
||||||
Sources = [
|
Sources = [
|
||||||
{
|
{
|
||||||
Name = "[[ (merge .mariadb.server.traefik .traefik).instance ]]"
|
Name = "[[ (merge .mariadb.server .).traefik.instance ]]"
|
||||||
Action = "allow"
|
Action = "allow"
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
Name = "[[ .mariadb.instance ]]-manage[[ .consul.suffix ]]"
|
Name = "[[ .instance ]]-manage[[ .consul.suffix ]]"
|
||||||
Action = "allow"
|
Action = "allow"
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
Name = "[[ .mariadb.instance ]]-backup[[ .consul.suffix ]]"
|
Name = "[[ .instance ]]-backup[[ .consul.suffix ]]"
|
||||||
Action = "allow"
|
Action = "allow"
|
||||||
}
|
}
|
||||||
]
|
]
|
||||||
|
|
|
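Review bot: The Traefik source entry `Name = "[[ (merge .mariadb.server .).traefik.instance ]]"` is allowed unconditionally, while the server job in this same commit only registers its Traefik tags inside `[[- if $c.traefik.enabled ]]`; with Traefik disabled the intention still grants the Traefik instance access to the database service. Gating the first source the same way, e.g. `[[- if (merge .mariadb.server .).traefik.enabled ]]` around that block, keeps the allow list equal to what is actually exposed. Note also that sprig's `merge` writes into its first argument, so this expression mutates `.mariadb.server` at render time; that matches the `$c := merge .mariadb.server .` pattern in the job files, so it is consistent, but a short comment saying why the whole root context is merged in would help the next reader.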
@ -6,14 +6,14 @@ if [ "$(vault secrets list -format json | jq -r '.["[[ .vault.prefix ]]database/
|
||||||
vault secrets enable -path [[ .vault.prefix ]]database database
|
vault secrets enable -path [[ .vault.prefix ]]database database
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ "$(vault list -format json [[ .vault.prefix ]]database/config | jq '.[] | test("^[[ .mariadb.instance ]]$")')" = "false" ]; then
|
if [ "$(vault list -format json [[ .vault.prefix ]]database/config | jq '.[] | test("^[[ .instance ]]$")')" = "false" ]; then
|
||||||
vault write [[ .vault.prefix ]]database/config/[[ .mariadb.instance ]] \
|
vault write [[ .vault.prefix ]]database/config/[[ .instance ]] \
|
||||||
plugin_name="mysql-database-plugin" \
|
plugin_name="mysql-database-plugin" \
|
||||||
connection_url="{{username}}:{{password}}@tcp([[ (urlParse .mariadb.server.public_address).Host ]])/" \
|
connection_url="{{username}}:{{password}}@tcp([[ (urlParse .mariadb.server.public_address).Host ]])/" \
|
||||||
allowed_roles="*" \
|
allowed_roles="*" \
|
||||||
username=vault \
|
username=vault \
|
||||||
password="$(vault kv get -field vault_initial_pwd [[ .vault.prefix ]]kv/service/[[ .mariadb.instance ]])" \
|
password="$(vault kv get -field vault_initial_pwd [[ .vault.prefix ]]kv/service/[[ .instance ]])" \
|
||||||
disable_escaping=true
|
disable_escaping=true
|
||||||
vault write -force [[ .vault.prefix ]]database/rotate-root/[[ .mariadb.instance ]]
|
vault write -force [[ .vault.prefix ]]database/rotate-root/[[ .instance ]]
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
|
|
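Review bot: The presence check `jq '.[] | test("^[[ .instance ]]$")'` only works when exactly one database config exists: with several configs the pipeline prints one boolean per entry and the comparison against `"false"` never matches, so a missing config is silently not created (and with no configs at all `vault list` appears to print nothing, giving the same result). `jq 'any(.[]; . == "[[ .instance ]]")'` yields a single `true`/`false` regardless of list length. Separately, `password="$(vault kv get -field vault_initial_pwd ...)"` places the initial root password on the `vault write` command line, where it is visible in the process table; `vault write` accepts `password=-` with the value on stdin (or `@file`) if that matters in this environment.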
@ -1,5 +1,5 @@
|
||||||
[[ $c := merge .mariadb.manage . -]]
|
[[ $c := merge .mariadb.manage . -]]
|
||||||
job "[[ .mariadb.instance ]]-manage" {
|
job "[[ .instance ]]-manage" {
|
||||||
type = "batch"
|
type = "batch"
|
||||||
[[ template "common/job_start.tpl" $c ]]
|
[[ template "common/job_start.tpl" $c ]]
|
||||||
|
|
||||||
|
@ -14,7 +14,7 @@ job "[[ .mariadb.instance ]]-manage" {
|
||||||
}
|
}
|
||||||
|
|
||||||
service {
|
service {
|
||||||
name = "[[ .mariadb.instance ]]-manage[[ $c.consul.suffix ]]"
|
name = "[[ .instance ]]-manage[[ $c.consul.suffix ]]"
|
||||||
[[ template "common/connect.tpl" $c ]]
|
[[ template "common/connect.tpl" $c ]]
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -34,7 +34,7 @@ job "[[ .mariadb.instance ]]-manage" {
|
||||||
}
|
}
|
||||||
|
|
||||||
vault {
|
vault {
|
||||||
policies = ["[[ .mariadb.instance ]][[ $c.consul.suffix ]]"]
|
policies = ["[[ .instance ]][[ $c.consul.suffix ]]"]
|
||||||
}
|
}
|
||||||
|
|
||||||
env {
|
env {
|
||||||
|
@ -97,7 +97,7 @@ _EOT
|
||||||
[client]
|
[client]
|
||||||
host = 127.0.0.1
|
host = 127.0.0.1
|
||||||
user = root
|
user = root
|
||||||
password = {{ with secret "[[ .vault.prefix ]]kv/service/[[ .mariadb.instance ]]" }}{{ .Data.data.root_pwd }}{{ end }}
|
password = {{ with secret "[[ .vault.prefix ]]kv/service/[[ .instance ]]" }}{{ .Data.data.root_pwd }}{{ end }}
|
||||||
_EOT
|
_EOT
|
||||||
destination = "secrets/my.cnf"
|
destination = "secrets/my.cnf"
|
||||||
uid = 100100
|
uid = 100100
|
||||||
|
@ -107,7 +107,7 @@ _EOT
|
||||||
|
|
||||||
template {
|
template {
|
||||||
data = <<_EOT
|
data = <<_EOT
|
||||||
{{ with secret "[[ .vault.prefix ]]kv/service/[[ .mariadb.instance ]]" }}
|
{{ with secret "[[ .vault.prefix ]]kv/service/[[ .instance ]]" }}
|
||||||
VAULT_INITIAL_PASSWORD={{ .Data.data.vault_initial_pwd }}
|
VAULT_INITIAL_PASSWORD={{ .Data.data.vault_initial_pwd }}
|
||||||
BACKUP_PASSWORD={{ .Data.data.backup_pwd }}
|
BACKUP_PASSWORD={{ .Data.data.backup_pwd }}
|
||||||
{{ end }}
|
{{ end }}
|
||||||
|
|
|
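Review bot: The rendered `destination = "secrets/my.cnf"` holds the MariaDB root password and the hunk shows `uid = 100100` but no `perms`; Nomad's template default is `0644`, so unless `perms` is set further down the block, every uid inside the task can read the file. Adding `perms = "0400"` next to `uid` limits it to the owning user. The enclosing `template` block starts before this hunk, so the setting may simply be out of view — worth confirming.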
@ -1,7 +1,7 @@
|
||||||
[[- $c := merge .mariadb.server . -]]
|
[[- $c := merge .mariadb.server . -]]
|
||||||
job [[ .mariadb.instance | toJSON ]] {
|
job [[ .instance | toJSON ]] {
|
||||||
|
|
||||||
[[ template "common/job_start.tpl" $c ]]
|
[[ template "common/job_start" $c ]]
|
||||||
|
|
||||||
group "server" {
|
group "server" {
|
||||||
|
|
||||||
|
@ -18,10 +18,10 @@ job [[ .mariadb.instance | toJSON ]] {
|
||||||
}
|
}
|
||||||
|
|
||||||
service {
|
service {
|
||||||
name = "[[ .mariadb.instance ]][[ $c.consul.suffix ]]"
|
name = "[[ .instance ]][[ $c.consul.suffix ]]"
|
||||||
port = 3306
|
port = 3306
|
||||||
|
|
||||||
[[ template "common/connect.tpl" $c ]]
|
[[ template "common/connect" $c ]]
|
||||||
|
|
||||||
check {
|
check {
|
||||||
name = "alive"
|
name = "alive"
|
||||||
|
@ -38,9 +38,9 @@ job [[ .mariadb.instance | toJSON ]] {
|
||||||
[[- if $c.traefik.enabled ]]
|
[[- if $c.traefik.enabled ]]
|
||||||
tags = [
|
tags = [
|
||||||
"[[ $c.traefik.instance ]].enable=true",
|
"[[ $c.traefik.instance ]].enable=true",
|
||||||
"[[ $c.traefik.instance ]].tcp.routers.[[ .mariadb.instance ]][[ $c.consul.suffix ]].rule=HostSNI(`*`)",
|
"[[ $c.traefik.instance ]].tcp.routers.[[ .instance ]][[ $c.consul.suffix ]].rule=HostSNI(`*`)",
|
||||||
"[[ $c.traefik.instance ]].tcp.routers.[[ .mariadb.instance ]][[ $c.consul.suffix ]].entrypoints=[[ join $c.traefik.entrypoints "," ]]",
|
"[[ $c.traefik.instance ]].tcp.routers.[[ .instance ]][[ $c.consul.suffix ]].entrypoints=[[ join $c.traefik.entrypoints "," ]]",
|
||||||
"[[ $c.traefik.instance ]].tcp.routers.[[ .mariadb.instance ]][[ $c.consul.suffix ]].middlewares=[[ join $c.traefik.middlewares "," ]]"
|
"[[ $c.traefik.instance ]].tcp.routers.[[ .instance ]][[ $c.consul.suffix ]].middlewares=[[ join $c.traefik.middlewares "," ]]"
|
||||||
]
|
]
|
||||||
[[- end ]]
|
[[- end ]]
|
||||||
}
|
}
|
||||||
|
@ -60,7 +60,7 @@ job [[ .mariadb.instance | toJSON ]] {
|
||||||
}
|
}
|
||||||
|
|
||||||
vault {
|
vault {
|
||||||
policies = ["[[ .mariadb.instance ]][[ .consul.suffix ]]"]
|
policies = ["[[ .instance ]][[ .consul.suffix ]]"]
|
||||||
env = false
|
env = false
|
||||||
disable_file = true
|
disable_file = true
|
||||||
}
|
}
|
||||||
|
@ -70,7 +70,7 @@ job [[ .mariadb.instance | toJSON ]] {
|
||||||
[client]
|
[client]
|
||||||
user = root
|
user = root
|
||||||
host = 127.0.0.1
|
host = 127.0.0.1
|
||||||
password = {{ with secret "[[ .vault.prefix ]]kv/service/[[ .mariadb.instance ]]" }}{{ .Data.data.root_pwd }}{{ end }}
|
password = {{ with secret "[[ .vault.prefix ]]kv/service/[[ .instance ]]" }}{{ .Data.data.root_pwd }}{{ end }}
|
||||||
_EOT
|
_EOT
|
||||||
destination = "secrets/.my.cnf"
|
destination = "secrets/.my.cnf"
|
||||||
uid = 100100
|
uid = 100100
|
||||||
|
@ -115,19 +115,19 @@ _EOT
|
||||||
}
|
}
|
||||||
|
|
||||||
vault {
|
vault {
|
||||||
policies = ["[[ .mariadb.instance ]][[ .consul.suffix ]]"]
|
policies = ["[[ .instance ]][[ .consul.suffix ]]"]
|
||||||
env = false
|
env = false
|
||||||
disable_file = true
|
disable_file = true
|
||||||
}
|
}
|
||||||
|
|
||||||
env {
|
env {
|
||||||
MYSQL_CONF_11_bind-address = "127.0.0.1"
|
MYSQL_CONF_11_bind-address = "127.0.0.1"
|
||||||
[[ template "common/env.tpl" $c.env ]]
|
[[ template "common/env" $c.env ]]
|
||||||
}
|
}
|
||||||
|
|
||||||
template {
|
template {
|
||||||
data = <<_EOT
|
data = <<_EOT
|
||||||
{{ with secret "[[ .vault.prefix ]]kv/service/[[ .mariadb.instance ]]" }}
|
{{ with secret "[[ .vault.prefix ]]kv/service/[[ .instance ]]" }}
|
||||||
MYSQL_ROOT_PASSWORD={{ .Data.data.root_pwd }}
|
MYSQL_ROOT_PASSWORD={{ .Data.data.root_pwd }}
|
||||||
{{ end }}
|
{{ end }}
|
||||||
_EOT
|
_EOT
|
||||||
|
@ -142,7 +142,7 @@ _EOT
|
||||||
data = <<_EOT
|
data = <<_EOT
|
||||||
[client]
|
[client]
|
||||||
user = root
|
user = root
|
||||||
password = {{ with secret "[[ .vault.prefix ]]kv/service/[[ .mariadb.instance ]]" }}{{ .Data.data.root_pwd }}{{ end }}
|
password = {{ with secret "[[ .vault.prefix ]]kv/service/[[ .instance ]]" }}{{ .Data.data.root_pwd }}{{ end }}
|
||||||
_EOT
|
_EOT
|
||||||
destination = "secrets/my.conf"
|
destination = "secrets/my.conf"
|
||||||
uid = 100100
|
uid = 100100
|
||||||
|
@ -155,7 +155,7 @@ _EOT
|
||||||
destination = "/data"
|
destination = "/data"
|
||||||
}
|
}
|
||||||
|
|
||||||
[[ template "common/resources.tpl" .mariadb.server.resources ]]
|
[[ template "common/resources" .mariadb.server.resources ]]
|
||||||
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -176,11 +176,11 @@ _EOT
|
||||||
}
|
}
|
||||||
|
|
||||||
service {
|
service {
|
||||||
name = "[[ .mariadb.instance ]]-backup[[ $c.consul.suffix ]]"
|
name = "[[ .instance ]]-backup[[ $c.consul.suffix ]]"
|
||||||
[[ template "common/connect.tpl" $c ]]
|
[[ template "common/connect" $c ]]
|
||||||
}
|
}
|
||||||
|
|
||||||
[[ template "common/task.wait_for.tpl" $c ]]
|
[[ template "common/task.wait_for" $c ]]
|
||||||
|
|
||||||
task "backup" {
|
task "backup" {
|
||||||
driver = [[ $c.nomad.driver | toJSON ]]
|
driver = [[ $c.nomad.driver | toJSON ]]
|
||||||
|
@ -196,7 +196,7 @@ _EOT
|
||||||
}
|
}
|
||||||
|
|
||||||
vault {
|
vault {
|
||||||
policies = ["[[ .mariadb.instance ]][[ $c.consul.suffix ]]"]
|
policies = ["[[ .instance ]][[ $c.consul.suffix ]]"]
|
||||||
env = false
|
env = false
|
||||||
disable_file = true
|
disable_file = true
|
||||||
}
|
}
|
||||||
|
@ -206,7 +206,7 @@ _EOT
|
||||||
[client]
|
[client]
|
||||||
user = root
|
user = root
|
||||||
host = 127.0.0.1
|
host = 127.0.0.1
|
||||||
password = {{ with secret "[[ .vault.prefix ]]kv/service/[[ .mariadb.instance ]]" }}{{ .Data.data.root_pwd }}{{ end }}
|
password = {{ with secret "[[ .vault.prefix ]]kv/service/[[ .instance ]]" }}{{ .Data.data.root_pwd }}{{ end }}
|
||||||
_EOT
|
_EOT
|
||||||
destination = "secrets/.my.cnf"
|
destination = "secrets/.my.cnf"
|
||||||
uid = 100000
|
uid = 100000
|
||||||
|
@ -234,7 +234,7 @@ _EOT
|
||||||
destination = "/backup"
|
destination = "/backup"
|
||||||
}
|
}
|
||||||
|
|
||||||
[[ template "common/resources.tpl" .mariadb.backup.resources ]]
|
[[ template "common/resources" .mariadb.backup.resources ]]
|
||||||
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
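Review bot: The template references in this file drop the `.tpl` suffix (`[[ template "common/job_start" $c ]]`, `common/connect`, `common/env`, `common/resources`, `common/task.wait_for`), but the manage job in this same commit still calls `common/job_start.tpl` and `common/connect.tpl`; whichever naming the shared templates actually use, one of the two job files will fail to render. Align the manage job with the new names (or keep the suffix here) in the same commit. Separately, the Traefik TCP router for `[[ .instance ]][[ $c.consul.suffix ]]` uses a catch-all `HostSNI` rule, which forwards every connection on the listed entrypoints to the database regardless of SNI; a comment such as `# catch-all SNI: the database is reachable by any client of these entrypoints, MariaDB authentication is the only gate` above the `tags` block would make that choice explicit for whoever sets `traefik.enabled`.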
@ -2,15 +2,15 @@
|
||||||
|
|
||||||
set -euo pipefail
|
set -euo pipefail
|
||||||
|
|
||||||
if ! vault kv list [[ .vault.prefix ]]kv/service 2>/dev/null | grep -q -E '^[[ .mariadb.instance ]]$'; then
|
if ! vault kv list [[ .vault.prefix ]]kv/service 2>/dev/null | grep -q -E '^[[ .instance ]]$'; then
|
||||||
vault kv put [[ .vault.prefix ]]kv/service/[[ .mariadb.instance ]] \
|
vault kv put [[ .vault.prefix ]]kv/service/[[ .instance ]] \
|
||||||
root_pwd=$(pwgen -s -n 50 1) \
|
root_pwd=$(pwgen -s -n 50 1) \
|
||||||
vault_initial_pwd=$(pwgen -s -n 50 1)
|
vault_initial_pwd=$(pwgen -s -n 50 1)
|
||||||
fi
|
fi
|
||||||
|
|
||||||
for PWD in root_pwd vault_initial_pwd; do
|
for PWD in root_pwd vault_initial_pwd; do
|
||||||
if ! vault kv get -field ${PWD} [[ .vault.prefix ]]kv/service/[[ .mariadb.instance ]] >/dev/null 2>&1; then
|
if ! vault kv get -field ${PWD} [[ .vault.prefix ]]kv/service/[[ .instance ]] >/dev/null 2>&1; then
|
||||||
vault kv patch [[ .vault.prefix ]]kv/service/[[ .mariadb.instance ]] \
|
vault kv patch [[ .vault.prefix ]]kv/service/[[ .instance ]] \
|
||||||
${PWD}=$(pwgen -s -n 50 1)
|
${PWD}=$(pwgen -s -n 50 1)
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
|
|
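Review bot: The loop variable in `for PWD in root_pwd vault_initial_pwd; do` shadows the shell's `PWD` (current working directory) variable for the rest of the script; it does not break the visible lines, but it will surprise anyone who later relies on `$PWD`, so a name such as `FIELD` is safer (`for FIELD in root_pwd vault_initial_pwd; do`, `-field ${FIELD}`, `${FIELD}=$(pwgen -s -n 50 1)`). The `grep -q -E '^[[ .instance ]]$'` check also treats the instance name as a regular expression; `grep -q -x -F '[[ .instance ]]'` matches it literally.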
@ -1 +1 @@
|
||||||
[[ template "common/mv_conf.sh.tpl" dict "ctx" . "services" (dict "mariadb" .mariadb.instance) ]]
|
[[ template "common/mv_conf.sh" dict "ctx" . "services" (dict "mariadb" .instance) ]]
|
||||||
|
|
|
@ -1,19 +1,19 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
mariadb:
|
# Name of the instance. Will be used for the job name, and the services names
|
||||||
|
instance: mariadb
|
||||||
|
|
||||||
# Name of the instance. Will be used for the job name, and the services names
|
mariadb:
|
||||||
instance: mariadb
|
|
||||||
|
|
||||||
# MariaDB server settings
|
# MariaDB server settings
|
||||||
server:
|
server:
|
||||||
|
|
||||||
# The image to use
|
# The image to use
|
||||||
image: danielberteaud/mariadb:23.10-2
|
image: '[[ .docker.repo ]]mariadb:23.12-1'
|
||||||
|
|
||||||
# Resource allocation
|
# Resource allocation
|
||||||
resources:
|
resources:
|
||||||
cpu: 200
|
cpu: 1000
|
||||||
memory: 512
|
memory: 512
|
||||||
|
|
||||||
# Custom env var to pass to the container
|
# Custom env var to pass to the container
|
||||||
|
@ -49,12 +49,12 @@ mariadb:
|
||||||
|
|
||||||
# Resource allocation
|
# Resource allocation
|
||||||
resources:
|
resources:
|
||||||
cpu: 10
|
cpu: 20
|
||||||
memory: 64
|
memory: 64
|
||||||
|
|
||||||
# Service to wait for
|
# Service to wait for
|
||||||
wait_for:
|
wait_for:
|
||||||
- service: '[[ .mariadb.instance ]]'
|
- service: '[[ .instance ]]'
|
||||||
|
|
||||||
# Custom env vars to pass to the container
|
# Custom env vars to pass to the container
|
||||||
env: {}
|
env: {}
|
||||||
|
@ -70,7 +70,7 @@ mariadb:
|
||||||
# users:
|
# users:
|
||||||
# kimai:
|
# kimai:
|
||||||
# host: %
|
# host: %
|
||||||
# password: '{{ with secret "[[ .vault.prefix ]]kv/service/[[ .mariadb.instance ]]" }}{{ .Data.data.kimai_pwd }}{{ end }}'
|
# password: '{{ with secret "[[ .vault.prefix ]]kv/service/[[ .instance ]]" }}{{ .Data.data.kimai_pwd }}{{ end }}'
|
||||||
# grants:
|
# grants:
|
||||||
# - 'ALL PRIVILEGES ON kimai.*'
|
# - 'ALL PRIVILEGES ON kimai.*'
|
||||||
users: {}
|
users: {}
|
||||||
|
@ -80,27 +80,28 @@ mariadb:
|
||||||
connect:
|
connect:
|
||||||
upstreams:
|
upstreams:
|
||||||
# Connect to the mariadb service from the service mesh
|
# Connect to the mariadb service from the service mesh
|
||||||
- destination_name: '[[ .mariadb.instance ]][[ .consul.suffix ]]'
|
- destination_name: '[[ .instance ]][[ .consul.suffix ]]'
|
||||||
local_bind_port: 3306
|
local_bind_port: 3306
|
||||||
|
|
||||||
# Backup service, which can create regular dumps of the databases
|
# Backup service, which can create regular dumps of the databases
|
||||||
backup:
|
backup:
|
||||||
image: danielberteaud/mariadb-backup:23.10-1
|
image: '[[ .docker.repo ]]mariadb-backup:23.12-1'
|
||||||
|
|
||||||
# Resource allocation
|
# Resource allocation
|
||||||
resources:
|
resources:
|
||||||
cpu: 200
|
cpu: 300
|
||||||
memory: 128
|
memory: 128
|
||||||
|
memory_max: 256
|
||||||
|
|
||||||
wait_for:
|
wait_for:
|
||||||
- service: '[[ .mariadb.instance ]]'
|
- service: '[[ .instance ]]'
|
||||||
|
|
||||||
# Consul settings
|
# Consul settings
|
||||||
consul:
|
consul:
|
||||||
connect:
|
connect:
|
||||||
upstreams:
|
upstreams:
|
||||||
# Connect to MariaDB in the service mesh
|
# Connect to MariaDB in the service mesh
|
||||||
- destination_name: '[[ .mariadb.instance ]][[ .consul.suffix ]]'
|
- destination_name: '[[ .instance ]][[ .consul.suffix ]]'
|
||||||
local_bind_port: 3306
|
local_bind_port: 3306
|
||||||
|
|
||||||
# mysqldump cron
|
# mysqldump cron
|
||||||
|
@ -117,10 +118,10 @@ mariadb:
|
||||||
# You need to create at least mariadb-data[0]
|
# You need to create at least mariadb-data[0]
|
||||||
data:
|
data:
|
||||||
type: csi
|
type: csi
|
||||||
source: '[[ .mariadb.instance ]]-data'
|
source: '[[ .instance ]]-data'
|
||||||
|
|
||||||
# Volume which holds database dumps
|
# Volume which holds database dumps
|
||||||
# will be opened as multi-node-multi-writer (can be NFS for example)
|
# will be opened as multi-node-multi-writer (can be NFS for example)
|
||||||
backup:
|
backup:
|
||||||
type: csi
|
type: csi
|
||||||
source: '[[ .mariadb.instance ]]-backup'
|
source: '[[ .instance ]]-backup'
|
||||||
|
|
|
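Review bot: The comment above the new root-level `instance: mariadb` says the value is used for the job and service names, but in this commit it also forms the Vault kv path `kv/service/[[ .instance ]]`, the Vault policy path, the Consul intention name and the CSI volume sources `[[ .instance ]]-data` / `[[ .instance ]]-backup`; renaming an existing deployment therefore detaches it from its secrets and volumes. Suggest extending the comment to `# Name of the instance. Used for the job name, the service names, the Vault kv/policy paths and the CSI volume names; changing it on an existing deployment creates new secrets and looks for different volumes`. The new image values `'[[ .docker.repo ]]mariadb:23.12-1'` presumably expect `docker.repo` to end with a `/` (it is concatenated directly, like `vault.prefix` before `kv/`); a note on that variable would help, and pinning the image by digest in addition to the tag would make the reference reproducible.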
@ -1,3 +1,3 @@
|
||||||
path "[[ .vault.prefix ]]kv/data/service/[[ .mariadb.instance ]]" {
|
path "[[ .vault.prefix ]]kv/data/service/[[ .instance ]]" {
|
||||||
capabilities = ["read"]
|
capabilities = ["read"]
|
||||||
}
|
}
|
||||||
|
|