Cleanup
This commit is contained in:
parent
01a44781b7
commit
e16c19a21f
|
@ -2,22 +2,22 @@
|
||||||
|
|
||||||
set -euo pipefail
|
set -euo pipefail
|
||||||
|
|
||||||
if [ "$(vault secrets list -format json | jq -r '.["database/"].type')" != "database" ]; then
|
if [ "$(vault secrets list -format json | jq -r '.["/database/"].type')" != "database" ]; then
|
||||||
vault secrets enable -path database database
|
vault secrets enable -path /database database
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ "$(vault list -format json database/config | jq '.[] | test("^mariadb$")')" = "false" ]; then
|
if [ "$(vault list -format json /database/config | jq '.[] | test("^mariadb$")')" = "false" ]; then
|
||||||
vault write database/config/mariadb \
|
vault write /database/config/mariadb \
|
||||||
plugin_name="mysql-database-plugin" \
|
plugin_name="mysql-database-plugin" \
|
||||||
connection_url="{{username}}:{{password}}@tcp(mariadb.example.org:3306)/" \
|
connection_url="{{username}}:{{password}}@tcp(mariadb.example.org:3306)/" \
|
||||||
allowed_roles="*" \
|
allowed_roles="*" \
|
||||||
username=vault \
|
username=vault \
|
||||||
password="$(vault kv get -field vault_initial_pwd kv/service/mariadb)" \
|
password="$(vault kv get -field vault_initial_pwd /kv/service/mariadb)" \
|
||||||
disable_escaping=true
|
disable_escaping=true
|
||||||
vault write -force database/rotate-root/mariadb
|
vault write -force /database/rotate-root/mariadb
|
||||||
fi
|
fi
|
||||||
|
|
||||||
vault write database/roles/mariadb-admin \
|
vault write /database/roles/mariadb-admin \
|
||||||
db_name="mariadb" \
|
db_name="mariadb" \
|
||||||
creation_statements="CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}'; \
|
creation_statements="CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}'; \
|
||||||
GRANT ALL PRIVILEGES ON *.* TO '{{name}}'@'%' WITH GRANT OPTION; \
|
GRANT ALL PRIVILEGES ON *.* TO '{{name}}'@'%' WITH GRANT OPTION; \
|
||||||
|
|
|
@ -26,6 +26,18 @@ job "mariadb-manage" {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
sidecar_task {
|
sidecar_task {
|
||||||
|
config {
|
||||||
|
args = [
|
||||||
|
"-c",
|
||||||
|
"${NOMAD_SECRETS_DIR}/envoy_bootstrap.json",
|
||||||
|
"-l",
|
||||||
|
"${meta.connect.log_level}",
|
||||||
|
"--concurrency",
|
||||||
|
"${meta.connect.proxy_concurrency}",
|
||||||
|
"--disable-hot-restart"
|
||||||
|
]
|
||||||
|
}
|
||||||
|
|
||||||
resources {
|
resources {
|
||||||
cpu = 50
|
cpu = 50
|
||||||
memory = 64
|
memory = 64
|
||||||
|
@ -78,10 +90,14 @@ job "mariadb-manage" {
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
vault {
|
vault {
|
||||||
policies = ["mariadb"]
|
policies = ["mariadb"]
|
||||||
|
env = false
|
||||||
|
disable_file = true
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
env {
|
env {
|
||||||
|
|
||||||
LANG = "fr_FR.utf8"
|
LANG = "fr_FR.utf8"
|
||||||
|
@ -163,7 +179,7 @@ _EOT
|
||||||
[client]
|
[client]
|
||||||
host = 127.0.0.1
|
host = 127.0.0.1
|
||||||
user = root
|
user = root
|
||||||
password = {{ with secret "kv/service/mariadb" }}{{ .Data.data.root_pwd }}{{ end }}
|
password = {{ with secret "/kv/service/mariadb" }}{{ .Data.data.root_pwd }}{{ end }}
|
||||||
_EOT
|
_EOT
|
||||||
destination = "secrets/my.cnf"
|
destination = "secrets/my.cnf"
|
||||||
uid = 100100
|
uid = 100100
|
||||||
|
@ -173,7 +189,7 @@ _EOT
|
||||||
|
|
||||||
template {
|
template {
|
||||||
data = <<_EOT
|
data = <<_EOT
|
||||||
{{ with secret "kv/service/mariadb" }}
|
{{ with secret "/kv/service/mariadb" }}
|
||||||
VAULT_INITIAL_PASSWORD={{ .Data.data.vault_initial_pwd }}
|
VAULT_INITIAL_PASSWORD={{ .Data.data.vault_initial_pwd }}
|
||||||
BACKUP_PASSWORD={{ .Data.data.backup_pwd }}
|
BACKUP_PASSWORD={{ .Data.data.backup_pwd }}
|
||||||
{{ end }}
|
{{ end }}
|
||||||
|
@ -185,6 +201,7 @@ _EOT
|
||||||
env = true
|
env = true
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
resources {
|
resources {
|
||||||
cpu = 20
|
cpu = 20
|
||||||
memory = 64
|
memory = 64
|
||||||
|
|
|
@ -1,4 +1,5 @@
|
||||||
job "mariadb" {
|
job "mariadb" {
|
||||||
|
|
||||||
datacenters = ["dc1"]
|
datacenters = ["dc1"]
|
||||||
|
|
||||||
|
|
||||||
|
@ -27,6 +28,18 @@ job "mariadb" {
|
||||||
disable_default_tcp_check = true
|
disable_default_tcp_check = true
|
||||||
}
|
}
|
||||||
sidecar_task {
|
sidecar_task {
|
||||||
|
config {
|
||||||
|
args = [
|
||||||
|
"-c",
|
||||||
|
"${NOMAD_SECRETS_DIR}/envoy_bootstrap.json",
|
||||||
|
"-l",
|
||||||
|
"${meta.connect.log_level}",
|
||||||
|
"--concurrency",
|
||||||
|
"${meta.connect.proxy_concurrency}",
|
||||||
|
"--disable-hot-restart"
|
||||||
|
]
|
||||||
|
}
|
||||||
|
|
||||||
resources {
|
resources {
|
||||||
cpu = 50
|
cpu = 50
|
||||||
memory = 64
|
memory = 64
|
||||||
|
@ -47,6 +60,11 @@ job "mariadb" {
|
||||||
timeout = "10s"
|
timeout = "10s"
|
||||||
interval = "5s"
|
interval = "5s"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
tags = [
|
||||||
|
|
||||||
|
|
||||||
|
]
|
||||||
}
|
}
|
||||||
|
|
||||||
# Run mysql_upgrade
|
# Run mysql_upgrade
|
||||||
|
@ -76,7 +94,7 @@ job "mariadb" {
|
||||||
[client]
|
[client]
|
||||||
user = root
|
user = root
|
||||||
host = 127.0.0.1
|
host = 127.0.0.1
|
||||||
password = {{ with secret "kv/service/mariadb" }}{{ .Data.data.root_pwd }}{{ end }}
|
password = {{ with secret "/kv/service/mariadb" }}{{ .Data.data.root_pwd }}{{ end }}
|
||||||
_EOT
|
_EOT
|
||||||
destination = "secrets/.my.cnf"
|
destination = "secrets/.my.cnf"
|
||||||
uid = 100100
|
uid = 100100
|
||||||
|
@ -156,7 +174,7 @@ _EOT
|
||||||
|
|
||||||
template {
|
template {
|
||||||
data = <<_EOT
|
data = <<_EOT
|
||||||
{{ with secret "kv/service/mariadb" }}
|
{{ with secret "/kv/service/mariadb" }}
|
||||||
MYSQL_ROOT_PASSWORD={{ .Data.data.root_pwd }}
|
MYSQL_ROOT_PASSWORD={{ .Data.data.root_pwd }}
|
||||||
{{ end }}
|
{{ end }}
|
||||||
_EOT
|
_EOT
|
||||||
|
@ -171,7 +189,7 @@ _EOT
|
||||||
data = <<_EOT
|
data = <<_EOT
|
||||||
[client]
|
[client]
|
||||||
user = root
|
user = root
|
||||||
password = {{ with secret "kv/service/mariadb" }}{{ .Data.data.root_pwd }}{{ end }}
|
password = {{ with secret "/kv/service/mariadb" }}{{ .Data.data.root_pwd }}{{ end }}
|
||||||
_EOT
|
_EOT
|
||||||
destination = "secrets/my.conf"
|
destination = "secrets/my.conf"
|
||||||
uid = 100100
|
uid = 100100
|
||||||
|
@ -184,6 +202,7 @@ _EOT
|
||||||
destination = "/data"
|
destination = "/data"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
resources {
|
resources {
|
||||||
cpu = 1000
|
cpu = 1000
|
||||||
memory = 512
|
memory = 512
|
||||||
|
|
|
@ -2,15 +2,22 @@
|
||||||
|
|
||||||
set -euo pipefail
|
set -euo pipefail
|
||||||
|
|
||||||
if ! vault kv list kv/service 2>/dev/null | grep -q -E '^mariadb$'; then
|
# vim: syntax=sh
|
||||||
vault kv put kv/service/mariadb \
|
|
||||||
root_pwd=$(pwgen -s -n 50 1) \
|
|
||||||
vault_initial_pwd=$(pwgen -s -n 50 1)
|
|
||||||
fi
|
|
||||||
|
|
||||||
for PWD in root_pwd vault_initial_pwd; do
|
export LC_ALL=C
|
||||||
if ! vault kv get -field ${PWD} kv/service/mariadb >/dev/null 2>&1; then
|
VAULT_KV_PATH=/kv/service/mariadb
|
||||||
vault kv patch kv/service/mariadb \
|
RAND_CMD="tr -dc A-Za-z0-9\-_\/=~\.+ < /dev/urandom | head -c 50"
|
||||||
${PWD}=$(pwgen -s -n 50 1)
|
if ! vault kv list $(dirname ${VAULT_KV_PATH}) 2>/dev/null | grep -q -E "^$(basename ${VAULT_KV_PATH})\$"; then
|
||||||
|
vault kv put ${VAULT_KV_PATH} \
|
||||||
|
vault_initial_pwd="$(sh -c "${RAND_CMD}")" \
|
||||||
|
root_pwd="$(sh -c "${RAND_CMD}")" \
|
||||||
|
|
||||||
|
fi
|
||||||
|
for SECRET in vault_initial_pwd root_pwd; do
|
||||||
|
if ! vault kv get -field ${SECRET} ${VAULT_KV_PATH} >/dev/null 2>&1; then
|
||||||
|
vault kv patch ${VAULT_KV_PATH} \
|
||||||
|
${SECRET}=$(sh -c "${RAND_CMD}")
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
|
||||||
|
|
||||||
|
|
|
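Review bot: In the `vault kv put` call the last argument line, `root_pwd="$(sh -c "${RAND_CMD}")" \`, ends with a continuation backslash that is followed only by a blank line, so the command terminates by accident rather than by design; drop that trailing `\`. The `kv patch` branch passes `${SECRET}=$(sh -c "${RAND_CMD}")` unquoted while the `kv put` branch quotes the same substitution — with `LC_ALL=C` and this `tr -dc` set the value cannot contain whitespace, but quoting both keeps them consistent. The new generator also widens the character set from what `pwgen -s` produced to include `- _ / = ~ . +`; these values are interpolated into a DSN with `disable_escaping=true` and into `my.cnf`/env templates elsewhere on this page, where those characters look harmless, but `@`, `:`, `#` and quote characters must stay excluded. This output appears to be rendered from `common/vault.rand_secrets` (referenced in the template hunk further down but not part of this diff), so the fix belongs in that template.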
@ -1,19 +0,0 @@
|
||||||
#!/bin/sh
|
|
||||||
|
|
||||||
set -eu
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
if [ "mariadb" != "mariadb" ]; then
|
|
||||||
for DIR in vault consul nomad; do
|
|
||||||
if [ -d output/${DIR} ]; then
|
|
||||||
for FILE in $(find output/${DIR} -name "*mariadb*.hcl" -type f); do
|
|
||||||
NEW_FILE=$(echo "${FILE}" | sed -E "s/mariadb/mariadb/g")
|
|
||||||
mv "${FILE}" "${NEW_FILE}"
|
|
||||||
done
|
|
||||||
fi
|
|
||||||
done
|
|
||||||
fi
|
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -1,3 +1,3 @@
|
||||||
path "kv/data/service/mariadb" {
|
path "/kv/data/service/mariadb" {
|
||||||
capabilities = ["read"]
|
capabilities = ["read"]
|
||||||
}
|
}
|
||||||
|
|
|
@ -2,22 +2,22 @@
|
||||||
|
|
||||||
set -euo pipefail
|
set -euo pipefail
|
||||||
|
|
||||||
if [ "$(vault secrets list -format json | jq -r '.["[[ .vault.prefix ]]database/"].type')" != "database" ]; then
|
if [ "$(vault secrets list -format json | jq -r '.["[[ .vault.root ]]database/"].type')" != "database" ]; then
|
||||||
vault secrets enable -path [[ .vault.prefix ]]database database
|
vault secrets enable -path [[ .vault.root ]]database database
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ "$(vault list -format json [[ .vault.prefix ]]database/config | jq '.[] | test("^[[ .instance ]]$")')" = "false" ]; then
|
if [ "$(vault list -format json [[ .vault.root ]]database/config | jq '.[] | test("^[[ .instance ]]$")')" = "false" ]; then
|
||||||
vault write [[ .vault.prefix ]]database/config/[[ .instance ]] \
|
vault write [[ .vault.root ]]database/config/[[ .instance ]] \
|
||||||
plugin_name="mysql-database-plugin" \
|
plugin_name="mysql-database-plugin" \
|
||||||
connection_url="{{username}}:{{password}}@tcp([[ (urlParse .mariadb.server.public_address).Host ]])/" \
|
connection_url="{{username}}:{{password}}@tcp([[ (urlParse .mariadb.server.public_address).Host ]])/" \
|
||||||
allowed_roles="*" \
|
allowed_roles="*" \
|
||||||
username=vault \
|
username=vault \
|
||||||
password="$(vault kv get -field vault_initial_pwd [[ .vault.prefix ]]kv/service/[[ .instance ]])" \
|
password="$(vault kv get -field vault_initial_pwd [[ .vault.root ]]kv/service/[[ .instance ]])" \
|
||||||
disable_escaping=true
|
disable_escaping=true
|
||||||
vault write -force [[ .vault.prefix ]]database/rotate-root/[[ .instance ]]
|
vault write -force [[ .vault.root ]]database/rotate-root/[[ .instance ]]
|
||||||
fi
|
fi
|
||||||
|
|
||||||
vault write [[ .vault.prefix ]]database/roles/mariadb-admin \
|
vault write [[ .vault.root ]]database/roles/mariadb-admin \
|
||||||
db_name="mariadb" \
|
db_name="mariadb" \
|
||||||
creation_statements="CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}'; \
|
creation_statements="CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}'; \
|
||||||
GRANT ALL PRIVILEGES ON *.* TO '{{name}}'@'%' WITH GRANT OPTION; \
|
GRANT ALL PRIVILEGES ON *.* TO '{{name}}'@'%' WITH GRANT OPTION; \
|
||||||
|
|
|
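Review bot: The mount-existence guard at the top of this hunk looks up `.["[[ .vault.root ]]database/"]`, which renders to `/database/` when `.vault.root` is `/` (see the rendered copy in the first hunk of this page), but as far as I know `vault secrets list -format json` keys the mount table by the normalized mount path without a leading slash (`database/`). The lookup then yields null, the `!= "database"` test is always true, and on the second run `vault secrets enable -path /database database` fails because the mount is already in use, which under `set -e` aborts the script before the role is written. The `secrets enable`, `list`, `write` and `kv get` invocations themselves appear unaffected because the CLI strips a leading slash from path arguments, so only the jq key needs normalizing, e.g. `jq -r '.[("[[ .vault.root ]]database/" | ltrimstr("/"))].type'`. The same pattern is in the rendered output at the top of the page, which presumably regenerates from this template.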
@ -1,7 +1,8 @@
|
||||||
[[ $c := merge .mariadb.manage . -]]
|
|
||||||
job "[[ .instance ]]-manage" {
|
job "[[ .instance ]]-manage" {
|
||||||
type = "batch"
|
type = "batch"
|
||||||
[[ template "common/job_start.tpl" $c ]]
|
|
||||||
|
[[- $c := merge .mariadb.manage . ]]
|
||||||
|
[[ template "common/job_start" $c ]]
|
||||||
|
|
||||||
meta {
|
meta {
|
||||||
# Force job to run each time
|
# Force job to run each time
|
||||||
|
@ -14,17 +15,17 @@ job "[[ .instance ]]-manage" {
|
||||||
}
|
}
|
||||||
|
|
||||||
service {
|
service {
|
||||||
name = "[[ .instance ]]-manage[[ $c.consul.suffix ]]"
|
name = "[[ .instance ]]-manage[[ .consul.suffix ]]"
|
||||||
[[ template "common/connect.tpl" $c ]]
|
[[ template "common/connect" $c ]]
|
||||||
}
|
}
|
||||||
|
|
||||||
[[ template "common/task.wait_for.tpl" $c ]]
|
[[ template "common/task.wait_for" $c ]]
|
||||||
|
|
||||||
task "manage" {
|
task "manage" {
|
||||||
driver = [[ $c.nomad.driver | toJSON ]]
|
driver = "[[ $c.nomad.driver ]]"
|
||||||
|
|
||||||
config {
|
config {
|
||||||
image = [[ .mariadb.manage.image | toJSON ]]
|
image = "[[ .mariadb.manage.image ]]"
|
||||||
pids_limit = 50
|
pids_limit = 50
|
||||||
readonly_rootfs = true
|
readonly_rootfs = true
|
||||||
command = "/local/manage.sh"
|
command = "/local/manage.sh"
|
||||||
|
@ -33,12 +34,10 @@ job "[[ .instance ]]-manage" {
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
|
|
||||||
vault {
|
[[ template "common/vault.policies" merge .mariadb . ]]
|
||||||
policies = ["[[ .instance ]][[ $c.consul.suffix ]]"]
|
|
||||||
}
|
|
||||||
|
|
||||||
env {
|
env {
|
||||||
[[ template "common/env.tpl" $c.env ]]
|
[[ template "common/env" $c.env ]]
|
||||||
}
|
}
|
||||||
|
|
||||||
template {
|
template {
|
||||||
|
@ -97,7 +96,7 @@ _EOT
|
||||||
[client]
|
[client]
|
||||||
host = 127.0.0.1
|
host = 127.0.0.1
|
||||||
user = root
|
user = root
|
||||||
password = {{ with secret "[[ .vault.prefix ]]kv/service/[[ .instance ]]" }}{{ .Data.data.root_pwd }}{{ end }}
|
password = {{ with secret "[[ .vault.root ]]kv/service/[[ .instance ]]" }}{{ .Data.data.root_pwd }}{{ end }}
|
||||||
_EOT
|
_EOT
|
||||||
destination = "secrets/my.cnf"
|
destination = "secrets/my.cnf"
|
||||||
uid = 100100
|
uid = 100100
|
||||||
|
@ -107,7 +106,7 @@ _EOT
|
||||||
|
|
||||||
template {
|
template {
|
||||||
data = <<_EOT
|
data = <<_EOT
|
||||||
{{ with secret "[[ .vault.prefix ]]kv/service/[[ .instance ]]" }}
|
{{ with secret "[[ .vault.root ]]kv/service/[[ .instance ]]" }}
|
||||||
VAULT_INITIAL_PASSWORD={{ .Data.data.vault_initial_pwd }}
|
VAULT_INITIAL_PASSWORD={{ .Data.data.vault_initial_pwd }}
|
||||||
BACKUP_PASSWORD={{ .Data.data.backup_pwd }}
|
BACKUP_PASSWORD={{ .Data.data.backup_pwd }}
|
||||||
{{ end }}
|
{{ end }}
|
||||||
|
@ -119,7 +118,7 @@ _EOT
|
||||||
env = true
|
env = true
|
||||||
}
|
}
|
||||||
|
|
||||||
[[ template "common/resources.tpl" .mariadb.manage.resources ]]
|
[[ template "common/resources" $c ]]
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
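Review bot: Replacing `driver = [[ $c.nomad.driver | toJSON ]]` and `image = [[ .mariadb.manage.image | toJSON ]]` with hand-written quotes around the bare value drops the escaping `toJSON` provided: a value containing `"` or `\` now renders as invalid HCL instead of a correctly escaped string. The server template in this commit already uses the plain-quoted form for `image`, so this is a question of which convention the repo wants rather than a regression introduced here. If the plain-quoted form is the house style, a one-line comment in the values file stating that `image` and `driver` values must not contain quote or backslash characters would make the constraint explicit; otherwise keep the `toJSON` form on both lines.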
@ -1,7 +1,6 @@
|
||||||
job "[[ .instance ]]" {
|
job "[[ .instance ]]" {
|
||||||
|
|
||||||
[[- $c := merge .mariadb.server .mariadb . -]]
|
[[- $c := merge .mariadb.server .mariadb . ]]
|
||||||
|
|
||||||
[[ template "common/job_start" $c ]]
|
[[ template "common/job_start" $c ]]
|
||||||
|
|
||||||
group "server" {
|
group "server" {
|
||||||
|
@ -13,7 +12,7 @@ job "[[ .instance ]]" {
|
||||||
[[ template "common/volumes" $c ]]
|
[[ template "common/volumes" $c ]]
|
||||||
|
|
||||||
service {
|
service {
|
||||||
name = "[[ .instance ]][[ $c.consul.suffix ]]"
|
name = "[[ .instance ]][[ .consul.suffix ]]"
|
||||||
port = 3306
|
port = 3306
|
||||||
|
|
||||||
[[ template "common/connect" $c ]]
|
[[ template "common/connect" $c ]]
|
||||||
|
@ -30,14 +29,9 @@ job "[[ .instance ]]" {
|
||||||
interval = "5s"
|
interval = "5s"
|
||||||
}
|
}
|
||||||
|
|
||||||
[[- if $c.traefik.enabled ]]
|
|
||||||
tags = [
|
tags = [
|
||||||
"[[ $c.traefik.instance ]].enable=true",
|
[[ template "common/traefik_tags" $c ]]
|
||||||
"[[ $c.traefik.instance ]].tcp.routers.[[ .instance ]][[ $c.consul.suffix ]].rule=HostSNI(`*`)",
|
|
||||||
"[[ $c.traefik.instance ]].tcp.routers.[[ .instance ]][[ $c.consul.suffix ]].entrypoints=[[ join $c.traefik.entrypoints "," ]]",
|
|
||||||
"[[ $c.traefik.instance ]].tcp.routers.[[ .instance ]][[ $c.consul.suffix ]].middlewares=[[ join $c.traefik.middlewares "," ]]"
|
|
||||||
]
|
]
|
||||||
[[- end ]]
|
|
||||||
}
|
}
|
||||||
|
|
||||||
# Run mysql_upgrade
|
# Run mysql_upgrade
|
||||||
|
@ -49,9 +43,9 @@ job "[[ .instance ]]" {
|
||||||
}
|
}
|
||||||
|
|
||||||
config {
|
config {
|
||||||
image = "[[ .mariadb.server.image ]]"
|
image = "[[ .mariadb.server.image ]]"
|
||||||
pids_limit = 100
|
pids_limit = 100
|
||||||
command = "/local/mysql_upgrade.sh"
|
command = "/local/mysql_upgrade.sh"
|
||||||
}
|
}
|
||||||
|
|
||||||
[[ template "common/vault.policies" $c ]]
|
[[ template "common/vault.policies" $c ]]
|
||||||
|
@ -61,7 +55,7 @@ job "[[ .instance ]]" {
|
||||||
[client]
|
[client]
|
||||||
user = root
|
user = root
|
||||||
host = 127.0.0.1
|
host = 127.0.0.1
|
||||||
password = {{ with secret "[[ .vault.prefix ]]kv/service/[[ .instance ]]" }}{{ .Data.data.root_pwd }}{{ end }}
|
password = {{ with secret "[[ .vault.root ]]kv/service/[[ .instance ]]" }}{{ .Data.data.root_pwd }}{{ end }}
|
||||||
_EOT
|
_EOT
|
||||||
destination = "secrets/.my.cnf"
|
destination = "secrets/.my.cnf"
|
||||||
uid = 100100
|
uid = 100100
|
||||||
|
@ -114,7 +108,7 @@ _EOT
|
||||||
|
|
||||||
template {
|
template {
|
||||||
data = <<_EOT
|
data = <<_EOT
|
||||||
{{ with secret "[[ .vault.prefix ]]kv/service/[[ .instance ]]" }}
|
{{ with secret "[[ .vault.root ]]kv/service/[[ .instance ]]" }}
|
||||||
MYSQL_ROOT_PASSWORD={{ .Data.data.root_pwd }}
|
MYSQL_ROOT_PASSWORD={{ .Data.data.root_pwd }}
|
||||||
{{ end }}
|
{{ end }}
|
||||||
_EOT
|
_EOT
|
||||||
|
@ -129,7 +123,7 @@ _EOT
|
||||||
data = <<_EOT
|
data = <<_EOT
|
||||||
[client]
|
[client]
|
||||||
user = root
|
user = root
|
||||||
password = {{ with secret "[[ .vault.prefix ]]kv/service/[[ .instance ]]" }}{{ .Data.data.root_pwd }}{{ end }}
|
password = {{ with secret "[[ .vault.root ]]kv/service/[[ .instance ]]" }}{{ .Data.data.root_pwd }}{{ end }}
|
||||||
_EOT
|
_EOT
|
||||||
destination = "secrets/my.conf"
|
destination = "secrets/my.conf"
|
||||||
uid = 100100
|
uid = 100100
|
||||||
|
@ -186,7 +180,7 @@ _EOT
|
||||||
[client]
|
[client]
|
||||||
user = root
|
user = root
|
||||||
host = 127.0.0.1
|
host = 127.0.0.1
|
||||||
password = {{ with secret "[[ .vault.prefix ]]kv/service/[[ .instance ]]" }}{{ .Data.data.root_pwd }}{{ end }}
|
password = {{ with secret "[[ .vault.root ]]kv/service/[[ .instance ]]" }}{{ .Data.data.root_pwd }}{{ end }}
|
||||||
_EOT
|
_EOT
|
||||||
destination = "secrets/.my.cnf"
|
destination = "secrets/.my.cnf"
|
||||||
uid = 100000
|
uid = 100000
|
||||||
|
|
|
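Review bot: Dropping the `[[- if $c.traefik.enabled ]]` guard around `tags = [ ... ]` makes the attribute unconditional, and because `[[ template "common/traefik_tags" $c ]]` carries no whitespace trimming, a disabled Traefik now renders as `tags = [` followed by two blank lines and `]` (visible in the rendered server job earlier on this page). That is still valid HCL, so this is a style point: `[[- template "common/traefik_tags" $c -]]` collapses it to `tags = []`, or the guard can be restored. I cannot see `common/traefik_tags`, so I am assuming it emits nothing when `$c.traefik.enabled` is false; if it does not, the guard removal also changes behaviour.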
@ -2,15 +2,4 @@
|
||||||
|
|
||||||
set -euo pipefail
|
set -euo pipefail
|
||||||
|
|
||||||
if ! vault kv list [[ .vault.prefix ]]kv/service 2>/dev/null | grep -q -E '^[[ .instance ]]$'; then
|
[[ template "common/vault.rand_secrets" merge .mariadb . ]]
|
||||||
vault kv put [[ .vault.prefix ]]kv/service/[[ .instance ]] \
|
|
||||||
root_pwd=$(pwgen -s -n 50 1) \
|
|
||||||
vault_initial_pwd=$(pwgen -s -n 50 1)
|
|
||||||
fi
|
|
||||||
|
|
||||||
for PWD in root_pwd vault_initial_pwd; do
|
|
||||||
if ! vault kv get -field ${PWD} [[ .vault.prefix ]]kv/service/[[ .instance ]] >/dev/null 2>&1; then
|
|
||||||
vault kv patch [[ .vault.prefix ]]kv/service/[[ .instance ]] \
|
|
||||||
${PWD}=$(pwgen -s -n 50 1)
|
|
||||||
fi
|
|
||||||
done
|
|
||||||
|
|
|
@ -1 +0,0 @@
|
||||||
[[ template "common/mv_conf.sh" dict "ctx" . "services" (dict "mariadb" .instance) ]]
|
|
|
@ -8,6 +8,10 @@ mariadb:
|
||||||
vault:
|
vault:
|
||||||
policies:
|
policies:
|
||||||
- '[[ .instance ]][[ .consul.suffix ]]'
|
- '[[ .instance ]][[ .consul.suffix ]]'
|
||||||
|
rand_secrets:
|
||||||
|
fields:
|
||||||
|
- vault_initial_pwd
|
||||||
|
- root_pwd
|
||||||
|
|
||||||
# MariaDB server settings
|
# MariaDB server settings
|
||||||
server:
|
server:
|
||||||
|
@ -32,11 +36,10 @@ mariadb:
|
||||||
traefik:
|
traefik:
|
||||||
# Toggle if Traefik support is enabled
|
# Toggle if Traefik support is enabled
|
||||||
enabled: false
|
enabled: false
|
||||||
|
proto: tcp
|
||||||
# List of entrypoints to bind the sevrice to. This must be a dedicated TCP entrypoint
|
# List of entrypoints to bind the sevrice to. This must be a dedicated TCP entrypoint
|
||||||
entrypoints:
|
entrypoints:
|
||||||
- mariadb
|
- mariadb
|
||||||
# List of TCP middlewares to apply
|
|
||||||
middlewares: []
|
|
||||||
|
|
||||||
consul:
|
consul:
|
||||||
connect:
|
connect:
|
||||||
|
|
|
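Review bot: The new `rand_secrets.fields` block under `vault:` has no comment, while the neighbouring settings (`# MariaDB server settings`, `# Toggle if Traefik support is enabled`) each carry one; add e.g. `# Secret fields created with random values in Vault's KV (kv/service/<instance>) when missing` above `rand_secrets:`. The same applies to the new `proto: tcp` line in the traefik block, e.g. `# Traefik router protocol (tcp, since MariaDB is not HTTP)`. Removing `middlewares: []` from the defaults presumes `common/traefik_tags` tolerates the key being absent; that template is not in this diff, so it is worth confirming.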
@ -1,3 +1,3 @@
|
||||||
path "[[ .vault.prefix ]]kv/data/service/[[ .instance ]]" {
|
path "[[ .vault.root ]]kv/data/service/[[ .instance ]]" {
|
||||||
capabilities = ["read"]
|
capabilities = ["read"]
|
||||||
}
|
}
|
||||||
|
|